From 8780a673235317d2ecc296c76b976f2e3ed06c04 Mon Sep 17 00:00:00 2001 From: Christoph Badura Date: Tue, 13 Apr 2021 18:44:04 +0200 Subject: [PATCH 01/44] run information gathering commands even in check mode avoids ansible aborting with "undefined variable" errors in check mode. Signed-off-by: Christoph Badura --- tasks/prelim.yml | 1 + tasks/section1.yml | 12 ++++++++++++ tasks/section2.yml | 2 ++ tasks/section3.yml | 12 ++++++++++++ tasks/section4.yml | 8 +++++++- tasks/section5.yml | 10 ++++++++++ tasks/section6.yml | 27 +++++++++++++++++++++++++-- 7 files changed, 69 insertions(+), 3 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 76d6f6bf..a610a8bb 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -44,6 +44,7 @@ - name: "PRELIM | List users accounts" command: "awk -F: '{print $1}' /etc/passwd" changed_when: false + check_mode: false register: ubtu20cis_users when: - ubtu20cis_rule_6_2_8 or diff --git a/tasks/section1.yml b/tasks/section1.yml index 4cc31c84..ee5100f2 100644 --- a/tasks/section1.yml +++ b/tasks/section1.yml @@ -252,6 +252,7 @@ shell: mount | grep "on /var " changed_when: false failed_when: false + check_mode: false args: warn: false register: ubtu20cis_1_1_10_var_mounted @@ -277,6 +278,7 @@ shell: mount | grep "on /var/tmp " changed_when: false failed_when: false + check_mode: false args: warn: false register: ubtu20cis_1_1_11_var_tmp_mounted @@ -326,6 +328,7 @@ shell: mount | grep "on /var/log " changed_when: false failed_when: false + check_mode: false register: ubtu20cis_1_1_15_var_log_mounted args: warn: false @@ -351,6 +354,7 @@ shell: mount | grep "on /var/log/audit " changed_when: false failed_when: false + check_mode: false register: ubtu20cis_1_1_16_var_log_audit_mounted args: warn: false @@ -375,6 +379,7 @@ shell: mount | grep "on /home" changed_when: false failed_when: false + check_mode: false register: ubtu20cis_1_1_17_home_mounted args: warn: false 
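Review bot: `shell: mount | grep "on /home"` in the 1.1.17 hunk has no trailing space after `/home`, unlike the `/var `, `/var/tmp `, `/var/log ` and `/var/log/audit ` checks earlier in this patch, so a mount point such as `/home2` or `/homes` would satisfy the check and 1.1.17 would pass without a dedicated /home partition. `shell: mount | grep "on /home "` restores the exact match the sibling tasks rely on. The enclosing 1.1.17 task starts outside the hunk.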
@@ -453,6 +458,7 @@ - name: "1.1.22 | PATCH | Ensure sticky bit is set on all world-writable directories" shell: df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null | xargs -I '{}' chmod a+t '{}' failed_when: ubtu20cis_1_1_22_status.rc>0 + check_mode: false register: ubtu20cis_1_1_22_status when: - ubtu20cis_rule_1_1_22 @@ -509,6 +515,7 @@ command: apt-cache policy changed_when: false failed_when: false + check_mode: false register: ubtu20cis_1_2_1_apt_policy - name: "1.2.1 | AUDIT | Ensure package manager repositories are configured | Message out repository configs" @@ -533,6 +540,7 @@ command: apt-key list changed_when: false failed_when: false + check_mode: false register: ubtu20cis_1_2_2_apt_gpgkeys - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | Message out apt gpg keys" @@ -641,6 +649,7 @@ command: /bin/true changed_when: false failed_when: false + check_mode: false when: - ubtu20cis_rule_1_5_1 tags: @@ -656,6 +665,7 @@ - name: "1.5.2 | AUDIT | Ensure permissions on bootloader config are configured | Check for Grub file" stat: path: /boot/grub/grub.cfg + check_mode: false register: ubtu20cis_1_5_2_grub_cfg_status - name: "1.5.2 | PATCH | Ensure permissions on bootloader config are configured | Set permissions" @@ -694,6 +704,7 @@ shell: "journalctl | grep 'protection: active'" changed_when: false failed_when: false + check_mode: false register: ubtu20cis_1_6_1_xdnx_status - name: "1.6.1 | AUDIT | Ensure XD/NX support is enabled | Alert if XD/NX is not enabled" @@ -788,6 +799,7 @@ shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' changed_when: false failed_when: false + check_mode: false register: ubtu20cis_1_7_1_2_cmdline_settings - name: "1.7.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist" diff --git a/tasks/section2.yml b/tasks/section2.yml index 360144ca..365091c9 100644 
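Review bot: Adding `check_mode: false` to the 1.1.22 task makes an `ansible-playbook --check` run execute the `find ... | xargs chmod a+t` pipeline against the live filesystem, so check mode no longer reports without modifying; the 4.2.3 task in section4.yml (`find /var/log ... -exec chmod`) gets the same flag and has the same problem. Both are PATCH steps whose registered result feeds only `failed_when`/`changed_when`, so no later task needs them to run in check mode; drop `check_mode: false` from those two, and if a dry-run preview is wanted, split the `find` without the `chmod` into its own read-only registered task. The 1.1.22 task's `tags` continue outside the hunk.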
--- a/tasks/section2.yml +++ b/tasks/section2.yml @@ -95,6 +95,7 @@ shell: grep {{ ubtu20cis_chrony_user }} /etc/passwd changed_when: false failed_when: false + check_mode: false register: ubtu20cis_2_2_1_3_chrony_user_status - name: "2.2.1.3 | PATCH | Ensure chrony is configured | Set chrony.conf file" @@ -548,6 +549,7 @@ shell: lsof -i -P -n | grep -v "(ESTABLISHED)" changed_when: false failed_when: false + check_mode: false register: ubtu20cis_2_4_services - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Message out running services" diff --git a/tasks/section3.yml b/tasks/section3.yml index 6f2c66ad..ca6b1c36 100644 --- a/tasks/section3.yml +++ b/tasks/section3.yml @@ -5,6 +5,7 @@ shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' changed_when: false failed_when: false + check_mode: false register: ubtu20cis_3_1_1_grub_cmdline_linux_settings - name: "3.1.1 | PATCH | Disable IPv6 | Add ipv6.disable if does not exist" @@ -44,6 +45,7 @@ shell: dpkg -l | grep network-manager changed_when: false failed_when: false + check_mode: false register: ubtu20cis_3_1_2_network_manager_status - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wireless if network-manager installed" @@ -528,12 +530,14 @@ command: ss -4tuln changed_when: false failed_when: false + check_mode: false register: ubtu20cis_3_5_1_6_open_listen_ports - name: "3.5.1.6 | AUDIT | Ensure firewall rules exist for all open ports | Get list of firewall rules" command: ufw status changed_when: false failed_when: false + check_mode: false register: ubtu20cis_3_5_1_6_firewall_rules - name: "3.5.1.6 | AUDIT | Ensure firewall rules exist for all open ports | Message out settings" @@ -634,6 +638,7 @@ # command: "nft create table {{ ubtu20cis_nftables_table_name }}" # changed_when: ubtu20cis_3_5_2_4_new_table.rc == 0 # failed_when: false + # check_mode: false # register: ubtu20cis_3_5_2_4_new_table when: - ubtu20cis_rule_3_5_2_4 
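Review bot: `shell: grep {{ ubtu20cis_chrony_user }} /etc/passwd` in the 2.2.1.3 hunk interpolates a role variable into a shell line unquoted and unanchored, so a value containing shell metacharacters is interpreted by the shell, and a plain value matches any passwd line containing it (home directory, gecos, a longer user name) rather than the account itself. Since the task only needs to know whether the account exists, `command: getent passwd {{ ubtu20cis_chrony_user | quote }}` gives an exact lookup with no shell and a non-zero rc when the user is absent, which the existing `failed_when: false` already tolerates. The enclosing 2.2.1.3 block starts outside the hunk.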
@@ -684,18 +689,21 @@ # shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' # changed_when: false # failed_when: false + # check_mode: false # register: ubtu20cis_3_5_2_6_loopback_iif_status # - name: "3.5.2.6 | AUDIT | Ensure loopback traffic is configured | Get input iif lo accept status" # shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' # changed_when: false # failed_when: false + # check_mode: false # register: ubtu20cis_3_5_2_6_loopback_input_drop_status # - name: "3.5.2.6 | AUDIT | Ensure loopback traffic is configured | Get input iif lo accept status" # shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' # changed_when: false # failed_when: false + # check_mode: false # register: ubtu20cis_3_5_2_6_loopback_ipv6_drop_status # - name: "3.5.2.6 | PATCH | Ensure loopback traffic is configured | Loopback iif lo accept" @@ -946,12 +954,14 @@ command: ss -4tuln changed_when: false failed_when: false + check_mode: false register: ubtu20cis_3_5_3_2_4_open_ports - name: "3.5.3.2.4 | AUDIT | Ensure firewall rules exist for all open ports | Get list of rules" command: iptables -L INPUT -v -n changed_when: false failed_when: false + check_mode: false register: ubtu20cis_3_5_3_2_4_current_rules - name: "3.5.3.2.4 | AUDIT | Ensure firewall rules exist for all open ports | Alert about settings" @@ -1113,12 +1123,14 @@ command: ss -6tuln changed_when: false failed_when: false + check_mode: false register: ubtu20cis_3_5_3_3_4_open_ports - name: "3.5.3.3.4 | AUDIT | Ensure IPv6 firewall rules exist for all open ports | Get list of rules" command: ip6tables -L INPUT -v -n changed_when: false failed_when: false + check_mode: false register: ubtu20cis_3_5_3_3_4_current_rules - name: "3.5.3.3.4 | AUDIT | Ensure IPv6 firewall rules exist for all open ports | Alert about settings" diff --git a/tasks/section4.yml b/tasks/section4.yml index 4184b32a..8b6c8e5e 100644 --- a/tasks/section4.yml +++ b/tasks/section4.yml 
@@ -32,6 +32,7 @@ shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' changed_when: false failed_when: false + check_mode: false register: ubtu20cis_4_1_1_3_cmdline_settings - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add setting if doesn't exist" @@ -66,6 +67,7 @@ shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' changed_when: false failed_when: false + check_mode: false register: ubtu20cis_4_1_1_4_cmdline_settings - name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Add setting if doesn't exist" @@ -285,7 +287,7 @@ shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done register: priv_procs changed_when: no - check_mode: no + check_mode: false - name: "4.1.11 | PATCH | Ensure use of privileged commands is collected | Set privileged rules" template: @@ -440,12 +442,14 @@ shell: grep -r "*.emerg" /etc/* | cut -f1 -d":" changed_when: false failed_when: false + check_mode: false register: ubtu20cis_4_2_1_3_rsyslog_config_path - name: "4.2.1.3 | AUDIT | Ensure logging is configured | Gather rsyslog current config" command: "cat {{ ubtu20cis_4_2_1_3_rsyslog_config_path.stdout }}" changed_when: false failed_when: false + check_mode: false register: ubtu20cis_4_2_1_3_rsyslog_config - name: "4.2.1.3 | AUDIT | Ensure logging is configured | Message out config" @@ -605,6 +609,7 @@ - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured" command: find /var/log -type f -exec chmod g-wx,o-rwx "{}" + -o -type d -exec chmod g-w,o-rwx "{}" + changed_when: ubtu20cis_4_2_3_logfile_perms_status.rc == 0 + check_mode: false register: ubtu20cis_4_2_3_logfile_perms_status when: - ubtu20cis_rule_4_2_3 
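Review bot: `command: "cat {{ ubtu20cis_4_2_1_3_rsyslog_config_path.stdout }}"` in the 4.2.1.3 hunk splices the raw stdout of the preceding `grep -r ... | cut` into a command line: with no match `cat` is run with no file argument, and with several matching files the multi-line value is split into several arguments, and neither case is noticed because of `failed_when: false`, so the audit can pass silently with no rsyslog emerg rule configured. With `check_mode: false` this now runs during `--check` as well. Looping over `stdout_lines` with `| quote`, or at minimum guarding with `when: ubtu20cis_4_2_1_3_rsyslog_config_path.stdout_lines | length > 0` and reporting the empty case in the alert task, would make the no-config outcome visible. The enclosing 4.2.1.3 block starts outside the hunk.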
@@ -621,6 +626,7 @@ - name: "4.3 | PATCH | Ensure logrotate is configured | Get logrotate files" find: paths: /etc/logrotate.d/ + check_mode: false register: ubtu20cis_4_3_logrotate_files - name: "4.3 | PATCH | Ensure logrotate is configured | Set rotation configurations" diff --git a/tasks/section5.yml b/tasks/section5.yml index 4900c7ac..904d19f6 100644 --- a/tasks/section5.yml +++ b/tasks/section5.yml @@ -565,6 +565,7 @@ command: grep 'password.*requisite.*pam_pwquality.so' /etc/pam.d/common-password changed_when: false failed_when: false + check_mode: false register: ubtu20cis_5_3_1_pam_pwquality_state - name: "5.3.1 | PATCH | Ensure password creation requirements are configured | Set retry to 3 if pwquality exists" @@ -615,12 +616,14 @@ command: /bin/true changed_when: false failed_when: false + check_mode: false # block: # - name: "5.3.2 | AUDIT | Ensure lockout for failed password attempts is configured | Confirm pam_tally2.so module in common-auth" # # command: grep 'auth.*required.*pam_tally2.so' /etc/pam.d/common-auth # command: grep 'auth.*required.*pam_tally2.so' /etc/pam.d/common-account # changed_when: false # failed_when: false + # check_mode: false # register: ubtu20cis_5_3_2_pam_tally2_state # - name: "SCORED | 5.3.2 | PATCH | Ensure lockout for failed password attempts is configured | Set pam_tally2.so settings if exists" @@ -672,6 +675,7 @@ command: grep 'password.*required.*pam_pwhistory.so' /etc/pam.d/common-password changed_when: false failed_when: false + check_mode: false register: ubtu20cis_5_3_3_pam_pwhistory_state - name: "5.3.3 | PATCH | Ensure password reuse is limited | Set remember value if pam_pwhistory exists" 
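Review bot: In the 5.3.2 hunk the `command: /bin/true` that receives `check_mode: false` is a placeholder standing in for the commented-out pam_tally2 audit beneath it, so the rule currently enforces nothing while presumably still carrying its rule tags; the 1.5.1 task in section1.yml and the 6.2.3 task in section6.yml follow the same pattern. A comment above each placeholder, e.g. `# Placeholder: the pam_tally2 handling below is disabled, so 5.3.2 is not enforced`, would keep that visible to anyone reading `--list-tasks` output or an audit report. The enclosing 5.3.2 task starts outside the hunk.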
@@ -705,6 +709,7 @@ shell: grep -E '^\s*password\s+(\S+\s+)+pam_unix\.so\s+(\S+\s+)*sha512\s*(\S+\s*)*(\s+#.*)?$' /etc/pam.d/common-password changed_when: false failed_when: false + check_mode: false register: ubtu20cis_5_3_4_pam_unix_state - name: "5.3.4 | PATCH | Ensure password hashing algorithm is SHA-512 | Set hashing if pam_unix.so exists" @@ -833,12 +838,14 @@ shell: echo $(($(date --utc --date "$1" +%s)/86400)) changed_when: false failed_when: false + check_mode: false register: ubtu20cis_5_4_1_5_current_time - name: "5.4.1.5 | PATCH | Ensure all users last password change date is in the past | Get list of users with last changed PW date in future" shell: "cat /etc/shadow | awk -F: '{if($3>{{ ubtu20cis_5_4_1_5_current_time.stdout }})print$1}'" changed_when: false failed_when: false + check_mode: false register: ubtu20cis_5_4_1_5_user_list - name: "5.4.1.5 | PATCH | Ensure all users last password change date is in the past | Warn about users" @@ -926,6 +933,7 @@ shell: grep -E '^session.*optional.*pam_umask.so' /etc/pam.d/common-session changed_when: false failed_when: false + check_mode: false register: ubtu20cis_5_4_4_umask_pam_status - name: "5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive" @@ -984,6 +992,7 @@ command: cat /etc/securetty changed_when: false failed_when: false + check_mode: false register: ubtu20cis_5_5_terminal_list - name: "5.5 | AUDIT | Ensure root login is restricted to system console | Message out list" @@ -1008,6 +1017,7 @@ command: grep 'auth.*required.*pam_wheel' /etc/pam.d/su changed_when: false failed_when: false + check_mode: false register: ubtu20cis_5_6_pam_wheel_status - name: "5.6 | PATCH | Ensure access to the su command is restricted | Create empty sugroup" diff --git a/tasks/section6.yml b/tasks/section6.yml index f7b976da..3c1c7452 100644 --- a/tasks/section6.yml +++ b/tasks/section6.yml 
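Review bot: In the 5.4.1.5 hunk `shell: echo $(($(date --utc --date "$1" +%s)/86400))` relies on `$1`, which is unset under Ansible's shell, so on GNU date `--date ""` resolves to midnight today and the days-since-epoch value comes out right only by accident while reading as if an argument were expected; `shell: echo $(( $(date --utc +%s) / 86400 ))` states the intent directly. The next task then splices `ubtu20cis_5_4_1_5_current_time.stdout` unquoted into an awk program, so if the first task failed (hidden by its `failed_when: false`) the empty value yields an awk syntax error that is hidden in turn and the user list comes back empty, i.e. a silent pass. Guard it with `when: ubtu20cis_5_4_1_5_current_time.stdout | length > 0`, or drop `failed_when: false` from the `date` task, which has no legitimate failure path. The enclosing 5.4.1.5 block starts outside the hunk.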
@@ -5,12 +5,14 @@ command: ls -a /bin/ changed_when: false failed_when: false + check_mode: false register: ubtu20cis_6_1_1_packages # - name: "NOTSCORED | 6.1.1 | AUDIT | Audit system file permissions | Audit the packages" # command: dpkg --verify {{ item }} # changed_when: false # failed_when: false + # check_mode: false # with_items: # - "{{ ubtu18cis_6_1_1_packages.stdout_lines }}" # register: ubtu18cis_6_1_1_packages_audited @@ -157,6 +159,7 @@ shell: find {{ item.mount }} -xdev -type f -perm -0002 changed_when: false failed_when: false + check_mode: false register: ubtu20cis_6_1_10_wwf with_items: - "{{ ansible_mounts }}" @@ -183,6 +186,7 @@ shell: find {{ item.mount }} -xdev -nouser changed_when: false failed_when: false + check_mode: false register: ubtu20cis_6_1_11_no_user_items with_items: - "{{ ansible_mounts }}" @@ -225,6 +229,7 @@ shell: find {{ item.mount }} -xdev -nogroup changed_when: false failed_when: false + check_mode: false register: ubtu20cis_6_1_12_ungrouped_items with_items: - "{{ ansible_mounts }}" @@ -268,6 +273,7 @@ shell: find {{ item.mount }} -xdev -type f -perm -4000 changed_when: false failed_when: false + check_mode: false register: ubtu20cis_6_1_13_suid_executables with_items: - "{{ ansible_mounts }}" @@ -311,6 +317,7 @@ shell: find {{ item }} -xdev -type f -perm -2000 changed_when: false failed_when: false + check_mode: false register: ubtu20cis_6_1_14_sgid_executables with_items: - "{{ ansible_mounts }}" @@ -342,7 +349,7 @@ shell: awk -F":" '($2 == "" ) { print $1 }' /etc/shadow register: ubtu20cis_6_2_1_empty_password_acct changed_when: no - check_mode: no + check_mode: false - name: "6.2.1 | PATCH | Ensure password fields are not empty | Lock users with empty password" user: 
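Review bot: In the 6.1.14 hunk `shell: find {{ item }} -xdev -type f -perm -2000` loops over `ansible_mounts`, whose entries are dicts, so the rendered dict rather than a path lands on the command line and find most likely errors out; the sibling 6.1.10 to 6.1.13 tasks use `{{ item.mount }}`. Change it to `shell: find {{ item.mount }} -xdev -type f -perm -2000`; with `failed_when: false` in place the failure is currently invisible and the SGID audit reports nothing. The commented 6.1.1 block in the first hunk also references `ubtu18cis_6_1_1_packages`, which does not match the `ubtu20cis_6_1_1_packages` register just above it and would fail on an undefined variable if re-enabled. The enclosing 6.1.14 task starts outside the hunk.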
@@ -367,6 +374,7 @@ shell: awk -F":" '($3 == 0 && $1 != \"root\") {i++;print $1 }' /etc/passwd changed_when: false failed_when: false + check_mode: false register: ubtu20cis_6_2_2_uid_0_notroot - name: "6.2.2 | PATCH | Ensure root is the only UID 0 account | Lock UID 0 users" @@ -412,29 +420,34 @@ command: /bin/true changed_when: false failed_when: false + check_mode: false # block: # - name: "6.2.3 | PATCH | Ensure root PATH Integrity | Determine empty value" # shell: 'echo $PATH | grep ::' # changed_when: False # failed_when: ubtu20cis_6_2_3_path_colon.rc == 0 + # check_mode: false # register: ubtu20cis_6_2_3_path_colon # - name: "6.2.3 | PATCH | Ensure root PATH Integrity | Determine colon end" # shell: 'echo $PATH | grep :$' # changed_when: False # failed_when: ubtu20cis_6_2_3_path_colon_end.rc == 0 + # check_mode: false # register: ubtu20cis_6_2_3_path_colon_end # - name: "6.2.3 | PATCH | Ensure root PATH Integrity | Determine working dir" # shell: echo "$PATH" # changed_when: False # failed_when: '"." in ubtu20cis_6_2_3_working_dir.stdout_lines' + # check_mode: false # register: ubtu20cis_6_2_3_working_dir # - debug: var=ubtu20cis_6_2_3_working_dir # - name: "6.2.3 | PATCH | Ensure root PATH Integrity | Check paths" # stat: # path: "{{ item }}" + # check_mode: false # register: ubtu20cis_6_2_3_path_stat # with_items: # - "{{ ubtu20cis_6_2_3_working_dir.stdout.split(':') }}" @@ -472,7 +485,7 @@ block: &u20s_homedir_audit - name: "6.2.4 | PATCH | Ensure all users' home directories exist | Find users missing home directories" shell: pwck -r | grep -P {{ ld_regex | quote }} - check_mode: no + check_mode: false register: ubtu20cis_users_missing_home changed_when: ubtu20cis_6_2_4_audit | length > 0 # failed_when: 0: success, 1: no grep match, 2: pwck found something 
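Review bot: In the 6.2.2 hunk the plain YAML scalar `shell: awk -F":" '($3 == 0 && $1 != \"root\") {i++;print $1 }' /etc/passwd` keeps the backslashes literally (plain scalars do no escape processing) and the shell single quotes pass them through unchanged, so awk most likely receives `\"root\"` and rejects the program; with `failed_when: false` that error is swallowed and `ubtu20cis_6_2_2_uid_0_notroot` is empty, which reads as "no extra UID 0 accounts". Quoting the YAML value so the shell receives plain double quotes fixes it: `shell: "awk -F: '($3 == 0 && $1 != \"root\") { print $1 }' /etc/passwd"` (the `i++` is unused and can go). The enclosing 6.2.2 block starts outside the hunk.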
@@ -520,12 +533,14 @@ stat: path: "{{ item }}" with_items: "{{ ubtu20cis_passwd | selectattr('uid', '>=', 1000) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" + check_mode: false register: ubtu20cis_6_2_5_audit - name: "6.2.5 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive | Find home directories more 750" command: find -H {{ item.0 | quote }} -not -type l -perm /027 register: ubtu20cis_6_2_4_patch_audit changed_when: ubtu20cis_6_2_4_patch_audit.stdout != "" + check_mode: false when: - item.1.exists with_together: @@ -602,6 +617,7 @@ shell: find /home/ -name "\.*" -perm /g+w,o+w changed_when: no failed_when: no + check_mode: false register: ubtu20cis_6_2_7_audit - name: "6.2.7 | AUDIT | Ensure users' dot files are not group or world-writable | Alert on files found" @@ -701,6 +717,7 @@ shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}' changed_when: false failed_when: false + check_mode: false register: ubtu20cis_6_2_12_passwd_gid_check - name: "6.2.12 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files" @@ -727,6 +744,7 @@ shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd" changed_when: false failed_when: false + check_mode: false register: ubtu20cis_6_2_13_user_uid_check - name: "6.2.13 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist" @@ -753,6 +771,7 @@ shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group" changed_when: no failed_when: no + check_mode: false register: ubtu20cis_6_2_14_user_user_check - name: "6.2.14 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist" 
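Review bot: In the 6.2.5 hunk the `find -H ...` task registers `ubtu20cis_6_2_4_patch_audit` and keys `changed_when` on it although it belongs to 6.2.5 and only reads the filesystem, so the name breaks the per-rule register scheme used everywhere else in the file and a read-only command reports "changed" whenever it finds a directory; `register: ubtu20cis_6_2_5_patch_audit` with `changed_when: false` is what the neighbouring audits do. In the 6.2.13 and 6.2.14 hunks the `pwck -r |` prefix is inert, because awk is given `/etc/passwd` or `/etc/group` as an argument and never reads stdin, so `shell: "awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd"` does the same work without a misleading dependency on pwck; the 6.2.15 task on the next line has the same shape. The enclosing 6.2.5 block starts outside the hunk.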
@@ -779,6 +798,7 @@ shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd" changed_when: no failed_when: no + check_mode: false register: ubtu20cis_6_2_15_user_username_check - name: "6.2.15 | AUDIT | Ensure no duplicate user names exist | Print message that no duplicate user names exist" @@ -805,6 +825,7 @@ shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d' changed_when: false failed_when: false + check_mode: false register: ubtu20cis_6_2_16_group_group_check - name: "6.2.16 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist" @@ -831,12 +852,14 @@ shell: grep ^shadow /etc/group | cut -f3 -d":" changed_when: false failed_when: false + check_mode: false register: ubtu20cis_6_2_17_shadow_gid - name: "6.2.17 | AUDIT | Ensure shadow group is empty | List of users with Shadow GID" shell: awk -F":" '($4 == "{{ ubtu20cis_6_2_17_shadow_gid.stdout }}") { print }' /etc/passwd | cut -f1 -d":" changed_when: false failed_when: false + check_mode: false register: ubtu20cis_6_2_17_users_shadow_gid - name: "6.2.17 | AUDIT | Ensure shadow group is empty | Message on no users" From f8428dfc009b9d0b64ad243dd25b12644105f6e1 Mon Sep 17 00:00:00 2001 From: Christoph Badura Date: Wed, 14 Apr 2021 15:47:10 +0200 Subject: [PATCH 02/44] gather more subsets to avoid undefind ansible_* variables Signed-off-by: Christoph Badura --- tasks/main.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index cc0d47a8..2b8e374e 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,8 +1,12 @@ --- # - debug: var=ansible_facts - name: Gather distribution info + # we need: + # - hardware for ansible_mounts + # - platform for ansible_architecture (ansible internal) + # - virtual for ansible_virtualization_type setup: - gather_subset: distribution,!all,!min + gather_subset: distribution,hardware,platform,virtual,!all,!min when: - ansible_distribution is not defined tags: 
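Review bot: In the 6.2.16 hunk, "Ensure no duplicate group names exist" runs `shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d'`, which reads the passwd database, so duplicate group names are never detected and a duplicate user name would be reported as a group problem instead. `shell: 'getent group | cut -d: -f1 | sort | uniq -d'` queries the right database (`sort -n` on names is pointless; `sort` is enough for `uniq -d`). The enclosing 6.2.16 block starts outside the hunk.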
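Review bot: The `when: - ansible_distribution is not defined` guard in the tasks/main.yml hunk only fires when no facts exist at all, so a play that already gathered facts with a narrower subset that omits `hardware` skips this `setup` and `ansible_mounts` stays undefined, which is the very case the added subsets are meant to cover. Extending the guard to `- ansible_distribution is not defined or ansible_mounts is not defined` makes the fact collection self-correcting, and a comment on the `when` naming the facts the role depends on would complement the new subset comment, which lists what is gathered but not what triggers it.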
From 597304cd2eec12ad6527291a75427539f515c657 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 3 May 2021 08:40:35 -0400 Subject: [PATCH 03/44] updated readme and contributing Signed-off-by: George Nalen --- CONTRIBUTING.rst | 7 +++++-- README.md | 2 +- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst index a5c4e034..76c3a8a4 100644 --- a/CONTRIBUTING.rst +++ b/CONTRIBUTING.rst @@ -5,9 +5,12 @@ Rules ----- 1) All commits must be GPG signed (details in Signing section) 2) All commits must have Signed-off-by (Signed-off-by: Joan Doe ) in the commit message (details in Signing section) -3) All work is done in your own branch +3) All work is done in your own branch or own fork +4) Pull requests + a) From within the repo: All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing + b) From a forked repo: All pull requests will go into a staging branch within the repo. There are automated checks for signed commits, signoff in commit message, and functional testing when going from staging to devel 4) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing) -5) Be open and nice to eachother +5) Be open and nice to each other Workflow -------- diff --git a/README.md b/README.md index d96fb7ba..793eca37 100644 --- a/README.md +++ b/README.md 
@@ -7,7 +7,7 @@ Ubuntu 20 CIS ![Release](https://img.shields.io/github/v/release/ansible-lockdown/UBUNTU20-CIS?style=plastic) -Configure Ubuntu 20 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant. There are some intrusive tasks that have a toggle in defaults main.yml to disable to automated fix +Configure Ubuntu 20 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) v1.1.0 compliant. There are some intrusive tasks that have a toggle in defaults main.yml to disable to automated fix Caution(s) ------- From b6bf037150f91fc0a33f8a8e2f8a85cc52248bbb Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 3 May 2021 08:49:04 -0400 Subject: [PATCH 04/44] updated defaults/main section labels Signed-off-by: George Nalen --- defaults/main.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index e0164f13..f4f40716 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -47,8 +47,8 @@ ubtu20cis_system_is_container: false system_is_ec2: false # Section 1 Fixes -# Section 1 is Iniitial setup (FileSystem Configuration, Configure Software Updates, Configure sudo, Filesystem Integrity Checking, Secure Boot Settings, -# Additional Process Hardening, Mandatory Access Control, and Warning Banners) +# Section 1 is Iniitial setup (FileSystem Configuration, Configure Software Updates, Filesystem Integrity Checking, Secure Boot Settings, +# Additional Process Hardening, Mandatory Access Control, Command Line Warning Banners, and GNOME Display Manager) ubtu20cis_rule_1_1_1_1: true ubtu20cis_rule_1_1_1_2: true ubtu20cis_rule_1_1_1_3: true @@ -107,7 +107,7 @@ ubtu20cis_rule_1_9: true ubtu20cis_rule_1_10: true # Section 2 Fixes -# Section 2 is Services (inetd, special purpose, and service clients) +# Section 2 is Services (Special Purpose Services, and service clients) ubtu20cis_rule_2_1_1: true ubtu20cis_rule_2_1_2: true ubtu20cis_rule_2_2_1_1: true 
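Review bot: The rewritten section comments in defaults/main.yml carry forward two spelling errors: `# Section 1 is Iniitial setup (...)` in the first hunk, and `# Section is Systme Maintenance (...)` in the Section 6 hunk on the next line, which also drops the section number. Since these lines are being rewritten anyway, `# Section 1 is Initial setup (...)` and `# Section 6 is System Maintenance (System File Permissions and User and Group Settings)` would bring them in line with the other section headers.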
@@ -139,7 +139,7 @@ ubtu20cis_rule_2_3_6: true ubtu20cis_rule_2_4: true # Section 3 Fixes -# Section 3 is Network Configuration (disable unused networks, network parameters (host and router), uncommon network protocols, and firewall configuration) +# Section 3 is Network Configuration (Disable Unused Networks, Network Parameters (Host Only), Network Parameters (Host and Router), Uncommon Network Protocols, and Firewall Configuration) ubtu20cis_rule_3_1_1: true ubtu20cis_rule_3_1_2: true ubtu20cis_rule_3_2_1: true @@ -187,7 +187,7 @@ ubtu20cis_rule_3_5_3_3_3: true ubtu20cis_rule_3_5_3_3_4: true # Section 4 Fixes -# Section 4 is Logging and Auditing (configure system accounting (auditd) and configure logging) +# Section 4 is Logging and Auditing (Configure System Accounting (auditd), Configure Data Retention, and Configure Logging) ubtu20cis_rule_4_1_1_1: true ubtu20cis_rule_4_1_1_2: true ubtu20cis_rule_4_1_1_3: true @@ -224,8 +224,8 @@ ubtu20cis_rule_4_3: true ubtu20cis_rule_4_4: true # Section 5 Fixes -# Section 5 is Access, Authentication, and Authorization (configure cron, configure ssh server, configure PAM -# and user accounts and environment) +# Section 5 is Access, Authentication, and Authorization (Configure time-based job schedulers, Configure sudo, Configure SSH Server, configure PAM +# and User Accounts and Environment) ubtu20cis_rule_5_1_1: true ubtu20cis_rule_5_1_2: true ubtu20cis_rule_5_1_3: true @@ -274,7 +274,7 @@ ubtu20cis_rule_5_5: true ubtu20cis_rule_5_6: true # Section 6 Fixes -# Section is Systme Maintenance (system file permissions and user and group settings) +# Section is Systme Maintenance (System File Permissions and User and Group Settings) ubtu20cis_rule_6_1_1: true ubtu20cis_rule_6_1_2: true ubtu20cis_rule_6_1_3: true From 3501995e36b67085bb80d0a3a8cc7feb8cf05b85 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 3 May 2021 10:06:38 -0400 Subject: [PATCH 05/44] updated section 1 1.1.1.1 through 1.1.24 
Signed-off-by: George Nalen --- tasks/section1.yml | 1042 ++++++++++++++++++++++---------------------- 1 file changed, 533 insertions(+), 509 deletions(-) diff --git a/tasks/section1.yml b/tasks/section1.yml index ee5100f2..55e1f643 100644 --- a/tasks/section1.yml +++ b/tasks/section1.yml 
@@ -114,58 +114,82 @@ - rule_1.1.1.5 - hfsplus -- name: "1.1.1.6 | PATCH | Ensure mounting of udf filesystems is disabled" +- name: "MANUAL | 1.1.1.6 | PATCH | Ensure mounting of squashfs filesystems is disabled" block: - - name: "1.1.1.6 | PATCH | Ensure mounting of udf filesystems is disabled | Edit modprobe config" + - name: "MANUAL | 1.1.1.6 | PATCH | Ensure mounting of squashfs filesystems is disabled | Edit modprobe config" lineinfile: - dest: /etc/modprobe.d/udf.conf - regexp: "^(#)?install udf(\\s|$)" - line: install udf /bin/true + dest: /etc/modprobe.d/squashfs.conf + regexp: "^(#)?install squashfs(\\s|$)" + line: install squashfs /bin/true create: yes - - name: "1.1.1.6 | PATCH | Ensure mounting of udf filesystems is disabled | Disable udf" + - name: "MANUAL | 1.1.1.6 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs" modprobe: - name: udf + name: squashfs state: absent when: ansible_connection != 'docker' when: - ubtu20cis_rule_1_1_1_6 tags: - - level1-server - - level1-workstation + - level2-server + - level2-workstation + - manual - patch - rule_1.1.1.6 - - udf + - squashfs -# ----------- -# ----------- -# Flagged as disruptive due to UEFI systems for EFI boot partitions being FAT. 
Also flash drives are also generally formatted in FAT -# ----------- -# ----------- -- name: "1.1.1.7 | PATCH | Ensure mounting of FAT filesystems is limited" +- name: "1.1.1.7 | PATCH | Ensure mounting of udf filesystems is disabled" block: - - name: "1.1.1.7 | PATCH | Ensure mounting of FAT filesystems is limited | Edit modprobe config" + - name: "1.1.1.7 | PATCH | Ensure mounting of udf filesystems is disabled | Edit modprobe config" lineinfile: - dest: /etc/modprobe.d/vfat.conf - regexp: "^(#)?install vfat(\\s|$)" - line: install vfat /bin/true + dest: /etc/modprobe.d/udf.conf + regexp: "^(#)?install udf(\\s|$)" + line: install udf /bin/true create: yes - - name: "1.1.1.7 | PATCH | Ensure mounting of FAT filesystems is limited | Disable FAT" + - name: "1.1.1.7 | PATCH | Ensure mounting of udf filesystems is disabled | Disable udf" modprobe: - name: vfat + name: udf state: absent when: ansible_connection != 'docker' when: - ubtu20cis_rule_1_1_1_7 - - ubtu20cis_disruption_high tags: - - level2-server - - level2-workstation - - manual + - level1-server + - level1-workstation - patch - rule_1.1.1.7 - - vfat + - udf + +# # ----------- +# # ----------- +# # Flagged as disruptive due to UEFI systems for EFI boot partitions being FAT. 
Also flash drives are also generally formatted in FAT +# # ----------- +# # ----------- +# - name: "1.1.1.7 | PATCH | Ensure mounting of FAT filesystems is limited" +# block: +# - name: "1.1.1.7 | PATCH | Ensure mounting of FAT filesystems is limited | Edit modprobe config" +# lineinfile: +# dest: /etc/modprobe.d/vfat.conf +# regexp: "^(#)?install vfat(\\s|$)" +# line: install vfat /bin/true +# create: yes + +# - name: "1.1.1.7 | PATCH | Ensure mounting of FAT filesystems is limited | Disable FAT" +# modprobe: +# name: vfat +# state: absent +# when: ansible_connection != 'docker' +# when: +# - ubtu20cis_rule_1_1_1_7 +# - ubtu20cis_disruption_high +# tags: +# - level2-server +# - level2-workstation +# - manual +# - patch +# - rule_1.1.1.7 +# - vfat - name: "1.1.2 | PATCH | Ensure /tmp is configured" mount: @@ -299,9 +323,9 @@ - var/tmp - name: | - "1.1.12 | PATCH | Ensure nodev option set on /var/tmp partition" - "1.1.13 | PATCH | Ensure nosuid option set on /var/tmp partition" - "1.1.14 | PATCH | Ensure noexec option set on /var/tmp partition" + "1.1.12 | PATCH | Ensure /var/tmp partition includes the nodev option" + "1.1.13 | PATCH | Ensure /var/tmp partition includes the nosuid option" + "1.1.14 | PATCH | Ensure /var/tmp partition includes the noexec option" mount: name: /var/tmp src: "{{ ubtu20cis_vartmp['source'] }}" @@ -398,7 +422,7 @@ - audit - /home -- name: "1.1.18 | PATCH | Ensure nodev option set on /home partition" +- name: "1.1.18 | PATCH | Ensure /home partition includes the nodev option" mount: name: "/home" src: "{{ item.device }}" @@ -418,7 +442,7 @@ - name: "1.1.19 | AUDIT | Ensure nodev option set on removable media partitions" debug: - msg: "Warning!!!! Not relevent control" + msg: "Warning!!!! Not relevant control" when: - ubtu20cis_rule_1_1_19 tags: 
@@ -431,7 +455,7 @@ - name: "1.1.20 | AUDIT | Ensure nosuid option set on removable media partitions" debug: - msg: "Warning!!!! Not relevent control" + msg: "Warning!!!! Not relevant control" when: - ubtu20cis_rule_1_1_20 tags: @@ -444,7 +468,7 @@ - name: "1.1.21 | AUDIT | Ensure noexec option set on removable media partitions" debug: - msg: "Warning!!!! Not relevent control" + msg: "Warning!!!! Not relevant control" when: - ubtu20cis_rule_1_1_21 tags: 
@@ -509,478 +533,478 @@ - rule_1.1.24 - usb_storage -- name: "1.2.1 | AUDIT | Ensure package manager repositories are configured" - block: - - name: "1.2.1 | AUDIT | Ensure package manager repositories are configured | Get repositories" - command: apt-cache policy - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_1_2_1_apt_policy - - - name: "1.2.1 | AUDIT | Ensure package manager repositories are configured | Message out repository configs" - debug: - msg: - - "Alert!!!! Below are the apt package repositories" - - "Please review to make sure they conform to your sites policies" - - "{{ ubtu20cis_1_2_1_apt_policy.stdout_lines }}" - when: - - ubtu20cis_rule_1_2_1 - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_1.2.1 - - apt - -- name: "1.2.2 | AUDIT | Ensure GPG keys are configured" - block: - - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | Get apt gpg keys" - command: apt-key list - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_1_2_2_apt_gpgkeys - - - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | Message out apt gpg keys" - debug: - msg: - - "Alert!!!! 
Below are the apt gpg kyes configured" - - "Please review to make sure they are configured" - - "in accordance with site policy" - - "{{ ubtu20cis_1_2_2_apt_gpgkeys.stdout_lines }}" - when: - - ubtu20cis_rule_1_2_2 - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_1.2.2 - - gpg - - keys - -- name: "1.3.1 | PATCH | Ensure sudo is installed" - apt: - name: "{{ ubtu20cis_sudo_package }}" - state: present - when: - - ubtu20cis_rule_1_3_1 - tags: - - level1-server - - level1-workstation - - scored - - patch - - rule_1.3.1 - - sudo - -- name: "1.3.2 | PATCH | Ensure sudo commands use pty" - lineinfile: - path: /etc/sudoers - regexp: '^Defaults use_' - line: 'Defaults use_pty' - insertafter: '^Defaults' - when: - - ubtu20cis_rule_1_3_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.3.2 - - sudo - -- name: "1.3.3 | PATCH | Ensure sudo log file exists" - lineinfile: - path: /etc/sudoers - regexp: '^Defaults logfile' - line: 'Defaults logfile="{{ ubtu20cis_sudo_logfile }}"' - insertafter: '^Defaults' - when: - - ubtu20cis_rule_1_3_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.3.3 - - sudo - -- name: "1.4.1 | PATCH | Ensure AIDE is installed" - apt: - name: ['aide', 'aide-common'] - state: present - when: - - ubtu20cis_rule_1_4_1 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.4.1 - - aide - -- name: "1.4.2 | PATCH | Ensure filesystem integrity is regularly checked" - cron: - name: Run AIDE integrity check - cron_file: "{{ ubtu20cis_aide_cron['cron_file'] }}" - user: "{{ ubtu20cis_aide_cron['cron_user'] }}" - minute: "{{ ubtu20cis_aide_cron['aide_minute'] | default('0') }}" - hour: "{{ ubtu20cis_aide_cron['aide_hour'] | default('5') }}" - day: "{{ ubtu20cis_aide_cron['aide_day'] | default('*') }}" - month: "{{ ubtu20cis_aide_cron['aide_month'] | default('*') }}" - weekday: "{{ ubtu20cis_aide_cron['aide_weekday'] | default('*') }}" - job: "{{ ubtu20cis_aide_cron['aide_job'] }}" 
- when: - - ubtu20cis_rule_1_4_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.4.2 - - cron - -# --------------- -# --------------- -# The RHEL7 based control uses a custom module, grub_crypt -# I need to research best way to set grub pw for Ubuntu using the -# grub-mkpasswd-pbkdf2 command and passing the data at the same time. -# --------------- -# --------------- -- name: "1.5.1 | PATCH | Ensure bootloader password is set" - command: /bin/true - changed_when: false - failed_when: false - check_mode: false - when: - - ubtu20cis_rule_1_5_1 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.5.1 - - grub - - notimplemented - -- name: "1.5.2 | PATCH | Ensure permissions on bootloader config are configured" - block: - - name: "1.5.2 | AUDIT | Ensure permissions on bootloader config are configured | Check for Grub file" - stat: - path: /boot/grub/grub.cfg - check_mode: false - register: ubtu20cis_1_5_2_grub_cfg_status - - - name: "1.5.2 | PATCH | Ensure permissions on bootloader config are configured | Set permissions" - file: - path: /boot/grub/grub.cfg - owner: root - group: root - mode: 0600 - when: - - ubtu20cis_1_5_2_grub_cfg_status.stat.exists - when: - - ubtu20cis_rule_1_5_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.5.2 - - grub - -- name: "1.5.3 | PATCH | Ensure authentication required for single user mode" - user: - name: root - password: "{{ ubtu20cis_root_pw }}" - when: - - ubtu20cis_rule_1_5_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.5.3 - - passwd - -- name: "1.6.1 | AUDIT | Ensure XD/NX support is enabled" - block: - - name: "1.6.1 | AUDIT | Ensure XD/NX support is enabled | Find status of XD/NX" - shell: "journalctl | grep 'protection: active'" - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_1_6_1_xdnx_status - - - name: "1.6.1 | AUDIT | Ensure XD/NX support is enabled | Alert if XD/NX is not enabled" - debug: - msg: - - 
"ALERT!!!!You do not have XD/NX (Execute Disable/No Execute) enabled" - - "To conform to CIS standards this needs to be enabled" - when: "'active'not in ubtu20cis_1_6_1_xdnx_status.stdout" - when: - - ubtu20cis_rule_1_6_1 - tags: - - level1-server - - level1-workstation - - audit - - rule_1.6.1 - - xd/nx - -- name: "1.6.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled" - block: - - name: "1.6.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set ASLR settings" - lineinfile: - path: /etc/sysctl.conf - regexp: '^kernel.randomize_va_space' - line: 'kernel.randomize_va_space = 2' - - - name: "1.6.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set active kernel parameter" - sysctl: - name: kernel.randomize_va_space - value: '2' - when: - - ubtu20cis_rule_1_6_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.6.2 - - aslr - -- name: "1.6.3 | PATCH | Ensure prelink is disabled" - block: - - name: "1.6.3 | PATCH | Ensure prelink is disabled | Restore binaries to normal" - command: prelink -ua - changed_when: false - failed_when: false - - - name: "1.6.3 | PATCH | Ensure prelink is disabled | Remove prelink package" - apt: - name: prelink - state: absent - when: - - ubtu20cis_rule_1_6_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.6.3 - - prelink - -- name: "1.6.4 | PATCH | Ensure core dumps are restricted" - sysctl: - name: fs.suid_dumpable - value: '0' - state: present - reload: yes - sysctl_set: yes - ignoreerrors: yes - when: - - ubtu20cis_rule_1_6_4 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.6.4 - - coredump - -- name: "1.7.1.1 | PATCH | Ensure AppArmor is installed" - apt: - name: ['apparmor', 'apparmor-utils'] - state: present - when: - - ubtu20cis_rule_1_7_1_1 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.7.1.1 - - apparmor - -- name: "1.7.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader 
configuration" - block: - - name: "1.7.1.2 | AUDIT | Ensure AppArmor is enabled in the bootloader configuration | Get current settings" - shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_1_7_1_2_cmdline_settings - - - name: "1.7.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist" - lineinfile: - path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX' - line: 'GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor {{ ubtu20cis_1_7_1_2_cmdline_settings.stdout }}"' - insertafter: '^GRUB_' - when: - - "'apparmor' not in ubtu20cis_1_7_1_2_cmdline_settings.stdout" - - "'security' not in ubtu20cis_1_7_1_2_cmdline_settings.stdout" - notify: grub update - - - name: "1.7.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist | Replace apparmor settings when exists" - replace: - path: /etc/default/grub - regexp: "{{ item.regexp }}" - replace: "{{ item.replace }}" - with_items: - - { regexp: 'apparmor=\S+', replace: 'apparmor=1' } - - { regexp: 'security=\S+', replace: 'security=apparmor' } - when: - - "'apparmor' in ubtu20cis_1_7_1_2_cmdline_settings.stdout" - - "'security' in ubtu20cis_1_7_1_2_cmdline_settings.stdout" - notify: grub update - when: - - ubtu20cis_rule_1_7_1_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.7.1.2 - - apparmor - -- name: "1.7.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode" - command: aa-enforce /etc/apparmor.d/* - failed_when: false - when: - - ubtu20cis_rule_1_7_1_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.7.1.3 - - apparmor - -- name: "1.7.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing" - command: aa-enforce /etc/apparmor.d/* - failed_when: false - when: - - ubtu20cis_rule_1_7_1_4 - tags: - - level2-server - - level2-workstation - - scored - - 
patch - - rule_1.7.1.4 - - apparmor - - -- name: "1.8.1.1 | PATCH | Ensure message of the day is configured properly" - template: - src: etc/motd.j2 - dest: /etc/motd - when: - - ubtu20cis_rule_1_8_1_1 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.8.1.1 - - motd - -- name: "1.8.1.2 | PATCH | Ensure local login warning banner is configured properly" - template: - src: etc/issue.j2 - dest: /etc/issue - when: - - ubtu20cis_rule_1_8_1_2 - tags: - - level1-server - - level1-workstation - - patch - - banner - -- name: "1.8.1.3 | PATCH | Ensure remote login warning banner is configured properly" - template: - src: etc/issue.net.j2 - dest: /etc/issue.net - when: - - ubtu20cis_rule_1_8_1_3 - tags: - - level1-server - - level1-workstation - - patch - - banner - -- name: "1.8.1.4 | PATCH | Ensure permissions on /etc/motd are configured" - file: - path: /etc/motd - owner: root - group: root - mode: 0644 - when: - - ubtu20cis_rule_1_8_1_4 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.8.1.4 - - permissions - - motd - -- name: "1.8.1.5 | PATCH | Ensure permissions on /etc/issue are configured" - file: - path: /etc/issue - owner: root - group: root - mode: 0644 - when: - - ubtu20cis_rule_1_8_1_5 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.8.1.5 - - permissions - - banner - -- name: "1.8.1.6 | PATCH | Ensure permissions on /etc/issue.net are configured" - file: - path: /etc/issue.net - owner: root - group: root - mode: 0644 - when: - - ubtu20cis_rule_1_8_1_6 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.8.1.6 - - permissions - - banner - -- name: "1.9 | PATCH | Ensure updates, patches, and additional security software are installed" - apt: - name: "*" - state: latest - when: - - ubtu20cis_rule_1_9 - tags: - - level1-server - - level1-workstation - - manual - - patch - - rule_1.9 - - patching - -- name: "1.10 | PATCH | Ensure GDM is removed or login is configured" - block: - - name: 
"1.10 | PATCH | Ensure GDM is removed or login is configured" - lineinfile: - path: /etc/gdm3/greeter.dconf-defaults - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: "{{ item.insertafter }}" - create: yes - owner: root - group: root - mode: 0644 - with_items: - - { regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]', insertafter: EOF } - - { regexp: 'banner-message-enable', line: 'banner-message-enable=true', insertafter: '\[org\/gnome\/login-screen\]'} - - { regexp: 'banner-message-text', line: 'banner-message-text={{ ubtu20cis_warning_banner }}', insertafter: 'banner-message-enable' } - - when: - - ubtu20cis_rule_1_10 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.10 - - gdm +# - name: "1.2.1 | AUDIT | Ensure package manager repositories are configured" +# block: +# - name: "1.2.1 | AUDIT | Ensure package manager repositories are configured | Get repositories" +# command: apt-cache policy +# changed_when: false +# failed_when: false +# check_mode: false +# register: ubtu20cis_1_2_1_apt_policy + +# - name: "1.2.1 | AUDIT | Ensure package manager repositories are configured | Message out repository configs" +# debug: +# msg: +# - "Alert!!!! Below are the apt package repositories" +# - "Please review to make sure they conform to your sites policies" +# - "{{ ubtu20cis_1_2_1_apt_policy.stdout_lines }}" +# when: +# - ubtu20cis_rule_1_2_1 +# tags: +# - level1-server +# - level1-workstation +# - manual +# - audit +# - rule_1.2.1 +# - apt + +# - name: "1.2.2 | AUDIT | Ensure GPG keys are configured" +# block: +# - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | Get apt gpg keys" +# command: apt-key list +# changed_when: false +# failed_when: false +# check_mode: false +# register: ubtu20cis_1_2_2_apt_gpgkeys + +# - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | Message out apt gpg keys" +# debug: +# msg: +# - "Alert!!!! 
Below are the apt gpg kyes configured" +# - "Please review to make sure they are configured" +# - "in accordance with site policy" +# - "{{ ubtu20cis_1_2_2_apt_gpgkeys.stdout_lines }}" +# when: +# - ubtu20cis_rule_1_2_2 +# tags: +# - level1-server +# - level1-workstation +# - manual +# - audit +# - rule_1.2.2 +# - gpg +# - keys + +# - name: "1.3.1 | PATCH | Ensure sudo is installed" +# apt: +# name: "{{ ubtu20cis_sudo_package }}" +# state: present +# when: +# - ubtu20cis_rule_1_3_1 +# tags: +# - level1-server +# - level1-workstation +# - scored +# - patch +# - rule_1.3.1 +# - sudo + +# - name: "1.3.2 | PATCH | Ensure sudo commands use pty" +# lineinfile: +# path: /etc/sudoers +# regexp: '^Defaults use_' +# line: 'Defaults use_pty' +# insertafter: '^Defaults' +# when: +# - ubtu20cis_rule_1_3_2 +# tags: +# - level1-server +# - level1-workstation +# - patch +# - rule_1.3.2 +# - sudo + +# - name: "1.3.3 | PATCH | Ensure sudo log file exists" +# lineinfile: +# path: /etc/sudoers +# regexp: '^Defaults logfile' +# line: 'Defaults logfile="{{ ubtu20cis_sudo_logfile }}"' +# insertafter: '^Defaults' +# when: +# - ubtu20cis_rule_1_3_3 +# tags: +# - level1-server +# - level1-workstation +# - patch +# - rule_1.3.3 +# - sudo + +# - name: "1.4.1 | PATCH | Ensure AIDE is installed" +# apt: +# name: ['aide', 'aide-common'] +# state: present +# when: +# - ubtu20cis_rule_1_4_1 +# tags: +# - level1-server +# - level1-workstation +# - patch +# - rule_1.4.1 +# - aide + +# - name: "1.4.2 | PATCH | Ensure filesystem integrity is regularly checked" +# cron: +# name: Run AIDE integrity check +# cron_file: "{{ ubtu20cis_aide_cron['cron_file'] }}" +# user: "{{ ubtu20cis_aide_cron['cron_user'] }}" +# minute: "{{ ubtu20cis_aide_cron['aide_minute'] | default('0') }}" +# hour: "{{ ubtu20cis_aide_cron['aide_hour'] | default('5') }}" +# day: "{{ ubtu20cis_aide_cron['aide_day'] | default('*') }}" +# month: "{{ ubtu20cis_aide_cron['aide_month'] | default('*') }}" +# weekday: "{{ 
ubtu20cis_aide_cron['aide_weekday'] | default('*') }}" +# job: "{{ ubtu20cis_aide_cron['aide_job'] }}" +# when: +# - ubtu20cis_rule_1_4_2 +# tags: +# - level1-server +# - level1-workstation +# - patch +# - rule_1.4.2 +# - cron + +# # --------------- +# # --------------- +# # The RHEL7 based control uses a custom module, grub_crypt +# # I need to research best way to set grub pw for Ubuntu using the +# # grub-mkpasswd-pbkdf2 command and passing the data at the same time. +# # --------------- +# # --------------- +# - name: "1.5.1 | PATCH | Ensure bootloader password is set" +# command: /bin/true +# changed_when: false +# failed_when: false +# check_mode: false +# when: +# - ubtu20cis_rule_1_5_1 +# tags: +# - level1-server +# - level1-workstation +# - patch +# - rule_1.5.1 +# - grub +# - notimplemented + +# - name: "1.5.2 | PATCH | Ensure permissions on bootloader config are configured" +# block: +# - name: "1.5.2 | AUDIT | Ensure permissions on bootloader config are configured | Check for Grub file" +# stat: +# path: /boot/grub/grub.cfg +# check_mode: false +# register: ubtu20cis_1_5_2_grub_cfg_status + +# - name: "1.5.2 | PATCH | Ensure permissions on bootloader config are configured | Set permissions" +# file: +# path: /boot/grub/grub.cfg +# owner: root +# group: root +# mode: 0600 +# when: +# - ubtu20cis_1_5_2_grub_cfg_status.stat.exists +# when: +# - ubtu20cis_rule_1_5_2 +# tags: +# - level1-server +# - level1-workstation +# - patch +# - rule_1.5.2 +# - grub + +# - name: "1.5.3 | PATCH | Ensure authentication required for single user mode" +# user: +# name: root +# password: "{{ ubtu20cis_root_pw }}" +# when: +# - ubtu20cis_rule_1_5_3 +# tags: +# - level1-server +# - level1-workstation +# - patch +# - rule_1.5.3 +# - passwd + +# - name: "1.6.1 | AUDIT | Ensure XD/NX support is enabled" +# block: +# - name: "1.6.1 | AUDIT | Ensure XD/NX support is enabled | Find status of XD/NX" +# shell: "journalctl | grep 'protection: active'" +# changed_when: false +# 
failed_when: false +# check_mode: false +# register: ubtu20cis_1_6_1_xdnx_status + +# - name: "1.6.1 | AUDIT | Ensure XD/NX support is enabled | Alert if XD/NX is not enabled" +# debug: +# msg: +# - "ALERT!!!!You do not have XD/NX (Execute Disable/No Execute) enabled" +# - "To conform to CIS standards this needs to be enabled" +# when: "'active'not in ubtu20cis_1_6_1_xdnx_status.stdout" +# when: +# - ubtu20cis_rule_1_6_1 +# tags: +# - level1-server +# - level1-workstation +# - audit +# - rule_1.6.1 +# - xd/nx + +# - name: "1.6.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled" +# block: +# - name: "1.6.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set ASLR settings" +# lineinfile: +# path: /etc/sysctl.conf +# regexp: '^kernel.randomize_va_space' +# line: 'kernel.randomize_va_space = 2' + +# - name: "1.6.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set active kernel parameter" +# sysctl: +# name: kernel.randomize_va_space +# value: '2' +# when: +# - ubtu20cis_rule_1_6_2 +# tags: +# - level1-server +# - level1-workstation +# - patch +# - rule_1.6.2 +# - aslr + +# - name: "1.6.3 | PATCH | Ensure prelink is disabled" +# block: +# - name: "1.6.3 | PATCH | Ensure prelink is disabled | Restore binaries to normal" +# command: prelink -ua +# changed_when: false +# failed_when: false + +# - name: "1.6.3 | PATCH | Ensure prelink is disabled | Remove prelink package" +# apt: +# name: prelink +# state: absent +# when: +# - ubtu20cis_rule_1_6_3 +# tags: +# - level1-server +# - level1-workstation +# - patch +# - rule_1.6.3 +# - prelink + +# - name: "1.6.4 | PATCH | Ensure core dumps are restricted" +# sysctl: +# name: fs.suid_dumpable +# value: '0' +# state: present +# reload: yes +# sysctl_set: yes +# ignoreerrors: yes +# when: +# - ubtu20cis_rule_1_6_4 +# tags: +# - level1-server +# - level1-workstation +# - patch +# - rule_1.6.4 +# - coredump + +# - name: "1.7.1.1 | PATCH | Ensure AppArmor is 
installed" +# apt: +# name: ['apparmor', 'apparmor-utils'] +# state: present +# when: +# - ubtu20cis_rule_1_7_1_1 +# tags: +# - level1-server +# - level1-workstation +# - patch +# - rule_1.7.1.1 +# - apparmor + +# - name: "1.7.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration" +# block: +# - name: "1.7.1.2 | AUDIT | Ensure AppArmor is enabled in the bootloader configuration | Get current settings" +# shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' +# changed_when: false +# failed_when: false +# check_mode: false +# register: ubtu20cis_1_7_1_2_cmdline_settings + +# - name: "1.7.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist" +# lineinfile: +# path: /etc/default/grub +# regexp: '^GRUB_CMDLINE_LINUX' +# line: 'GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor {{ ubtu20cis_1_7_1_2_cmdline_settings.stdout }}"' +# insertafter: '^GRUB_' +# when: +# - "'apparmor' not in ubtu20cis_1_7_1_2_cmdline_settings.stdout" +# - "'security' not in ubtu20cis_1_7_1_2_cmdline_settings.stdout" +# notify: grub update + +# - name: "1.7.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist | Replace apparmor settings when exists" +# replace: +# path: /etc/default/grub +# regexp: "{{ item.regexp }}" +# replace: "{{ item.replace }}" +# with_items: +# - { regexp: 'apparmor=\S+', replace: 'apparmor=1' } +# - { regexp: 'security=\S+', replace: 'security=apparmor' } +# when: +# - "'apparmor' in ubtu20cis_1_7_1_2_cmdline_settings.stdout" +# - "'security' in ubtu20cis_1_7_1_2_cmdline_settings.stdout" +# notify: grub update +# when: +# - ubtu20cis_rule_1_7_1_2 +# tags: +# - level1-server +# - level1-workstation +# - patch +# - rule_1.7.1.2 +# - apparmor + +# - name: "1.7.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode" +# command: aa-enforce /etc/apparmor.d/* +# failed_when: false +# when: +# - 
ubtu20cis_rule_1_7_1_3 +# tags: +# - level1-server +# - level1-workstation +# - patch +# - rule_1.7.1.3 +# - apparmor + +# - name: "1.7.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing" +# command: aa-enforce /etc/apparmor.d/* +# failed_when: false +# when: +# - ubtu20cis_rule_1_7_1_4 +# tags: +# - level2-server +# - level2-workstation +# - scored +# - patch +# - rule_1.7.1.4 +# - apparmor + + +# - name: "1.8.1.1 | PATCH | Ensure message of the day is configured properly" +# template: +# src: etc/motd.j2 +# dest: /etc/motd +# when: +# - ubtu20cis_rule_1_8_1_1 +# tags: +# - level1-server +# - level1-workstation +# - patch +# - rule_1.8.1.1 +# - motd + +# - name: "1.8.1.2 | PATCH | Ensure local login warning banner is configured properly" +# template: +# src: etc/issue.j2 +# dest: /etc/issue +# when: +# - ubtu20cis_rule_1_8_1_2 +# tags: +# - level1-server +# - level1-workstation +# - patch +# - banner + +# - name: "1.8.1.3 | PATCH | Ensure remote login warning banner is configured properly" +# template: +# src: etc/issue.net.j2 +# dest: /etc/issue.net +# when: +# - ubtu20cis_rule_1_8_1_3 +# tags: +# - level1-server +# - level1-workstation +# - patch +# - banner + +# - name: "1.8.1.4 | PATCH | Ensure permissions on /etc/motd are configured" +# file: +# path: /etc/motd +# owner: root +# group: root +# mode: 0644 +# when: +# - ubtu20cis_rule_1_8_1_4 +# tags: +# - level1-server +# - level1-workstation +# - patch +# - rule_1.8.1.4 +# - permissions +# - motd + +# - name: "1.8.1.5 | PATCH | Ensure permissions on /etc/issue are configured" +# file: +# path: /etc/issue +# owner: root +# group: root +# mode: 0644 +# when: +# - ubtu20cis_rule_1_8_1_5 +# tags: +# - level1-server +# - level1-workstation +# - patch +# - rule_1.8.1.5 +# - permissions +# - banner + +# - name: "1.8.1.6 | PATCH | Ensure permissions on /etc/issue.net are configured" +# file: +# path: /etc/issue.net +# owner: root +# group: root +# mode: 0644 +# when: +# - ubtu20cis_rule_1_8_1_6 +# tags: +# - 
level1-server +# - level1-workstation +# - patch +# - rule_1.8.1.6 +# - permissions +# - banner + +# - name: "1.9 | PATCH | Ensure updates, patches, and additional security software are installed" +# apt: +# name: "*" +# state: latest +# when: +# - ubtu20cis_rule_1_9 +# tags: +# - level1-server +# - level1-workstation +# - manual +# - patch +# - rule_1.9 +# - patching + +# - name: "1.10 | PATCH | Ensure GDM is removed or login is configured" +# block: +# - name: "1.10 | PATCH | Ensure GDM is removed or login is configured" +# lineinfile: +# path: /etc/gdm3/greeter.dconf-defaults +# regexp: "{{ item.regexp }}" +# line: "{{ item.line }}" +# insertafter: "{{ item.insertafter }}" +# create: yes +# owner: root +# group: root +# mode: 0644 +# with_items: +# - { regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]', insertafter: EOF } +# - { regexp: 'banner-message-enable', line: 'banner-message-enable=true', insertafter: '\[org\/gnome\/login-screen\]'} +# - { regexp: 'banner-message-text', line: 'banner-message-text={{ ubtu20cis_warning_banner }}', insertafter: 'banner-message-enable' } + +# when: +# - ubtu20cis_rule_1_10 +# tags: +# - level1-server +# - level1-workstation +# - patch +# - rule_1.10 +# - gdm From c90df5ec6e65bee8b48dba4d395de4816babf248 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 3 May 2021 10:49:10 -0400 Subject: [PATCH 06/44] Section 1 updated to v1.1.0 Signed-off-by: George Nalen --- defaults/main.yml | 43 ++- handlers/main.yml | 3 + tasks/section1.yml | 878 +++++++++++++++++++++++++-------------------- 3 files changed, 517 insertions(+), 407 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index f4f40716..a0b4751f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
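Review bot: Commenting out everything from 1.2.1 through 1.10 leaves the role silently skipping Level 1 controls (sudo, AIDE, ASLR, core-dump restriction, AppArmor, login banners) while the `ubtu20cis_rule_*` gates for them still default to true, so a run reports success with none of that applied. If this is a transitional state for the v1.1.0 renumbering, say so at the head of the commented block: `# TODO: 1.2.1-1.10 disabled pending renumbering to CIS Ubuntu 20.04 v1.1.0; rule_* defaults still advertise them as enabled`. Two of the parked tasks need a fix before they come back: the `lineinfile` edits to `/etc/sudoers` (1.3.2/1.3.3) carry no `validate: 'visudo -cf %s'`, so one malformed line breaks sudo for every user, and 1.5.3 passes `ubtu20cis_root_pw` straight to `user: password:`, which expects a crypt hash — a plaintext value should go through `password_hash('sha512')` rather than being written literally into the shadow field.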
@@ -83,28 +83,33 @@ ubtu20cis_rule_1_2_1: true ubtu20cis_rule_1_2_2: true ubtu20cis_rule_1_3_1: true ubtu20cis_rule_1_3_2: true -ubtu20cis_rule_1_3_3: true +# ubtu20cis_rule_1_3_3: true ubtu20cis_rule_1_4_1: true ubtu20cis_rule_1_4_2: true +ubtu20cis_rule_1_4_3: true +ubtu20cis_rule_1_4_4: true ubtu20cis_rule_1_5_1: true ubtu20cis_rule_1_5_2: true ubtu20cis_rule_1_5_3: true -ubtu20cis_rule_1_6_1: true -ubtu20cis_rule_1_6_2: true -ubtu20cis_rule_1_6_3: true -ubtu20cis_rule_1_6_4: true -ubtu20cis_rule_1_7_1_1: true -ubtu20cis_rule_1_7_1_2: true -ubtu20cis_rule_1_7_1_3: true -ubtu20cis_rule_1_7_1_4: true -ubtu20cis_rule_1_8_1_1: true -ubtu20cis_rule_1_8_1_2: true -ubtu20cis_rule_1_8_1_3: true -ubtu20cis_rule_1_8_1_4: true -ubtu20cis_rule_1_8_1_5: true -ubtu20cis_rule_1_8_1_6: true +ubtu20cis_rule_1_5_4: true +ubtu20cis_rule_1_6_1_1: true +ubtu20cis_rule_1_6_1_2: true +ubtu20cis_rule_1_6_1_3: true +ubtu20cis_rule_1_6_1_4: true +ubtu20cis_rule_1_7_1: true +ubtu20cis_rule_1_7_2: true +ubtu20cis_rule_1_7_3: true +ubtu20cis_rule_1_7_4: true +ubtu20cis_rule_1_7_5: true +ubtu20cis_rule_1_7_6: true +ubtu20cis_rule_1_8_1: true +ubtu20cis_rule_1_8_2: true +ubtu20cis_rule_1_8_3: true +ubtu20cis_rule_1_8_4: true +# ubtu20cis_rule_1_8_1_5: true +# ubtu20cis_rule_1_8_1_6: true ubtu20cis_rule_1_9: true -ubtu20cis_rule_1_10: true +# ubtu20cis_rule_1_10: true # Section 2 Fixes # Section 2 is Services (Special Purpose Services, and service clients) @@ -382,7 +387,7 @@ ubtu20cis_sudo_package: "sudo" # ubtu20cis_sudo_logfile is the path and file name of the sudo log file ubtu20cis_sudo_logfile: "/var/log/sudo.log" -# Control 1.4.2 +# Control 1.3.2 # These are the crontab settings for file system integrity enforcement ubtu20cis_aide_cron: cron_user: root 
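Review bot: `ubtu20cis_rule_1_3_1` and `ubtu20cis_rule_1_3_2` keep their names and `true` defaults but now gate different controls — in the renumbered section1.yml 1.3.1/1.3.2 are the AIDE tasks, whereas they previously gated the sudo install and `use_pty` — so an inventory that set `ubtu20cis_rule_1_3_1: false` to skip sudo will now silently skip AIDE instead, and the same hazard applies to every other 1.x name that survived the renumbering with new meaning. A comment above the block naming the benchmark version the numbers follow would at least make the remap visible: `# Rule numbers follow CIS Ubuntu Linux 20.04 LTS Benchmark v1.1.0 (renumbered from v1.0.0; 1.3.x is now AIDE, not sudo)`. The commented-out `ubtu20cis_rule_1_3_3`, `1_8_1_5`, `1_8_1_6` and `1_10` lines are dead and could simply be deleted rather than kept as comments that suggest they still exist.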
@@ -394,13 +399,13 @@ ubtu20cis_aide_cron: aide_month: '*' aide_weekday: '*' -# Control 1.5.3 +# Control 1.4.4 # THIS VARAIBLE SHOULD BE CHANGED AND INCORPROATED INTO VAULT # THIS VALUE IS WHAT THE ROOT PW WILL BECOME!!!!!!!! # HAVING THAT PW EXPOSED IN RAW TEXT IS NOT SECURE!!!! ubtu20cis_root_pw: "Password1" -# Control 1.8.1.1 +# Control 1.8.2 # This will be the motd banner must not contain the below items in order to be compliant with Ubuntu 20 CIS # \m, \r, \s, \v or references to the OS platform ubtu20cis_warning_banner: | diff --git a/handlers/main.yml b/handlers/main.yml index ac85ee64..846e700b 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -53,3 +53,6 @@ service: name: sshd state: restarted + +- name: reload gdm + command: dpkg-reconfigure gdm3 \ No newline at end of file diff --git a/tasks/section1.yml b/tasks/section1.yml index 55e1f643..d9b68781 100644 --- a/tasks/section1.yml +++ b/tasks/section1.yml 
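Review bot: The new `reload gdm` handler runs `dpkg-reconfigure gdm3` with no debconf frontend set; an Ansible run has no terminal, so depending on the host's configured frontend this can stall on a prompt or fall back with warnings, and on a host where gdm3 is not installed (any server profile) the command exits non-zero and fails the play the moment the notifying task changes something. Force it non-interactive and make the missing-package case explicit: `command: dpkg-reconfigure -f noninteractive gdm3` with `environment: { DEBIAN_FRONTEND: noninteractive }`, plus a `failed_when`/`when` guard on gdm3 being present. The file also loses its trailing newline (`\ No newline at end of file`), which yamllint will flag.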
@@ -533,57 +533,57 @@ - rule_1.1.24 - usb_storage -# - name: "1.2.1 | AUDIT | Ensure package manager repositories are configured" -# block: -# - name: "1.2.1 | AUDIT | Ensure package manager repositories are configured | Get repositories" -# command: apt-cache policy -# changed_when: false -# failed_when: false -# check_mode: false -# register: ubtu20cis_1_2_1_apt_policy - -# - name: "1.2.1 | AUDIT | Ensure package manager repositories are configured | Message out repository configs" -# debug: -# msg: -# - "Alert!!!! Below are the apt package repositories" -# - "Please review to make sure they conform to your sites policies" -# - "{{ ubtu20cis_1_2_1_apt_policy.stdout_lines }}" -# when: -# - ubtu20cis_rule_1_2_1 -# tags: -# - level1-server -# - level1-workstation -# - manual -# - audit -# - rule_1.2.1 -# - apt +- name: "1.2.1 | AUDIT | Ensure package manager repositories are configured" + block: + - name: "1.2.1 | AUDIT | Ensure package manager repositories are configured | Get repositories" + command: apt-cache policy + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_1_2_1_apt_policy -# - name: "1.2.2 | AUDIT | Ensure GPG keys are configured" -# block: -# - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | Get apt gpg keys" -# command: apt-key list -# changed_when: false -# failed_when: false -# check_mode: false -# register: ubtu20cis_1_2_2_apt_gpgkeys - -# - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | Message out apt gpg keys" -# debug: -# msg: -# - "Alert!!!! 
Below are the apt gpg kyes configured" -# - "Please review to make sure they are configured" -# - "in accordance with site policy" -# - "{{ ubtu20cis_1_2_2_apt_gpgkeys.stdout_lines }}" -# when: -# - ubtu20cis_rule_1_2_2 -# tags: -# - level1-server -# - level1-workstation -# - manual -# - audit -# - rule_1.2.2 -# - gpg -# - keys + - name: "1.2.1 | AUDIT | Ensure package manager repositories are configured | Message out repository configs" + debug: + msg: + - "Alert!!!! Below are the apt package repositories" + - "Please review to make sure they conform to your sites policies" + - "{{ ubtu20cis_1_2_1_apt_policy.stdout_lines }}" + when: + - ubtu20cis_rule_1_2_1 + tags: + - level1-server + - level1-workstation + - manual + - audit + - rule_1.2.1 + - apt + +- name: "1.2.2 | AUDIT | Ensure GPG keys are configured" + block: + - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | Get apt gpg keys" + command: apt-key list + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_1_2_2_apt_gpgkeys + + - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | Message out apt gpg keys" + debug: + msg: + - "Alert!!!! Below are the apt gpg kyes configured" + - "Please review to make sure they are configured" + - "in accordance with site policy" + - "{{ ubtu20cis_1_2_2_apt_gpgkeys.stdout_lines }}" + when: + - ubtu20cis_rule_1_2_2 + tags: + - level1-server + - level1-workstation + - manual + - audit + - rule_1.2.2 + - gpg + - keys # - name: "1.3.1 | PATCH | Ensure sudo is installed" # apt: 
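Review bot: The re-enabled 1.2.2 audit comes back with the typo in its alert string — `- "Alert!!!! Below are the apt gpg kyes configured"` should read `keys`. More importantly, `apt-key list` only shows keys in `/etc/apt/trusted.gpg` and `trusted.gpg.d/`; repositories pinned with `Signed-By` to a keyring under `/usr/share/keyrings` do not appear, so the audit can under-report the trust roots actually in use, and a second task in the same block along the lines of `grep -rh 'signed-by' /etc/apt/sources.list /etc/apt/sources.list.d/` would close that gap. Both audit commands also set `failed_when: false`, so if `apt-cache` or `apt-key` is absent or errors, the debug prints an empty list and the control "passes" with nothing reviewed; for an audit task failing on `rc != 0` is the safer default.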
@@ -629,359 +629,461 @@ # - rule_1.3.3 # - sudo -# - name: "1.4.1 | PATCH | Ensure AIDE is installed" -# apt: -# name: ['aide', 'aide-common'] -# state: present -# when: -# - ubtu20cis_rule_1_4_1 -# tags: -# - level1-server -# - level1-workstation -# - patch -# - rule_1.4.1 -# - aide - -# - name: "1.4.2 | PATCH | Ensure filesystem integrity is regularly checked" -# cron: -# name: Run AIDE integrity check -# cron_file: "{{ ubtu20cis_aide_cron['cron_file'] }}" -# user: "{{ ubtu20cis_aide_cron['cron_user'] }}" -# minute: "{{ ubtu20cis_aide_cron['aide_minute'] | default('0') }}" -# hour: "{{ ubtu20cis_aide_cron['aide_hour'] | default('5') }}" -# day: "{{ ubtu20cis_aide_cron['aide_day'] | default('*') }}" -# month: "{{ ubtu20cis_aide_cron['aide_month'] | default('*') }}" -# weekday: "{{ ubtu20cis_aide_cron['aide_weekday'] | default('*') }}" -# job: "{{ ubtu20cis_aide_cron['aide_job'] }}" -# when: -# - ubtu20cis_rule_1_4_2 -# tags: -# - level1-server -# - level1-workstation -# - patch -# - rule_1.4.2 -# - cron - -# # --------------- -# # --------------- -# # The RHEL7 based control uses a custom module, grub_crypt -# # I need to research best way to set grub pw for Ubuntu using the -# # grub-mkpasswd-pbkdf2 command and passing the data at the same time. 
-# # --------------- -# # --------------- -# - name: "1.5.1 | PATCH | Ensure bootloader password is set" -# command: /bin/true -# changed_when: false -# failed_when: false -# check_mode: false -# when: -# - ubtu20cis_rule_1_5_1 -# tags: -# - level1-server -# - level1-workstation -# - patch -# - rule_1.5.1 -# - grub -# - notimplemented +- name: "1.3.1 | PATCH | Ensure AIDE is installed" + apt: + name: ['aide', 'aide-common'] + state: present + when: + - ubtu20cis_rule_1_3_1 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.3.1 + - aide + +- name: "1.3.2 | PATCH | Ensure filesystem integrity is regularly checked" + cron: + name: Run AIDE integrity check + cron_file: "{{ ubtu20cis_aide_cron['cron_file'] }}" + user: "{{ ubtu20cis_aide_cron['cron_user'] }}" + minute: "{{ ubtu20cis_aide_cron['aide_minute'] | default('0') }}" + hour: "{{ ubtu20cis_aide_cron['aide_hour'] | default('5') }}" + day: "{{ ubtu20cis_aide_cron['aide_day'] | default('*') }}" + month: "{{ ubtu20cis_aide_cron['aide_month'] | default('*') }}" + weekday: "{{ ubtu20cis_aide_cron['aide_weekday'] | default('*') }}" + job: "{{ ubtu20cis_aide_cron['aide_job'] }}" + when: + - ubtu20cis_rule_1_3_2 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.3.2 + - cron -# - name: "1.5.2 | PATCH | Ensure permissions on bootloader config are configured" -# block: -# - name: "1.5.2 | AUDIT | Ensure permissions on bootloader config are configured | Check for Grub file" -# stat: -# path: /boot/grub/grub.cfg -# check_mode: false -# register: ubtu20cis_1_5_2_grub_cfg_status - -# - name: "1.5.2 | PATCH | Ensure permissions on bootloader config are configured | Set permissions" -# file: -# path: /boot/grub/grub.cfg -# owner: root -# group: root -# mode: 0600 -# when: -# - ubtu20cis_1_5_2_grub_cfg_status.stat.exists -# when: -# - ubtu20cis_rule_1_5_2 -# tags: -# - level1-server -# - level1-workstation -# - patch -# - rule_1.5.2 -# - grub +- name: "AUTOMATED | 1.4.1 | PATCH | Ensure 
permissions on bootloader config are not overridden" + block: + - name: "AUTOMATED | 1.4.1 | PATCH | Ensure permissions on bootloader config are not overridden | Change chmod setting" + replace: + path: /usr/sbin/grub-mkconfig + regexp: 'chmod\s\d\d\d\s\${grub_cfg}.new' + replace: 'chmod 400 ${grub_cfg}.new' -# - name: "1.5.3 | PATCH | Ensure authentication required for single user mode" -# user: -# name: root -# password: "{{ ubtu20cis_root_pw }}" -# when: -# - ubtu20cis_rule_1_5_3 -# tags: -# - level1-server -# - level1-workstation -# - patch -# - rule_1.5.3 -# - passwd + - name: "AUTOMATED | 1.4.1 | PATCH | Ensure permissions on bootloader config are not overridden | Remove check on password" + lineinfile: + path: /usr/sbin/grub-mkconfig + regexp: 'if \[ \"x\$\{grub_cfg\}\" != "x" \] && ! grep "\^password" \${grub_cfg}.new' + line: if [ "x${grub_cfg}" != "x" ]; then + when: + - ubtu20cis_rule_1_4_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.4.1 + - grub + +# --------------- +# --------------- +# The RHEL7 based control uses a custom module, grub_crypt +# I need to research best way to set grub pw for Ubuntu using the +# grub-mkpasswd-pbkdf2 command and passing the data at the same time. 
+# --------------- +# --------------- +- name: "1.4.2 | PATCH | Ensure bootloader password is set" + command: /bin/true + changed_when: false + failed_when: false + check_mode: false + when: + - ubtu20cis_rule_1_4_2 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.4.2 + - grub + - notimplemented -# - name: "1.6.1 | AUDIT | Ensure XD/NX support is enabled" -# block: -# - name: "1.6.1 | AUDIT | Ensure XD/NX support is enabled | Find status of XD/NX" -# shell: "journalctl | grep 'protection: active'" -# changed_when: false -# failed_when: false -# check_mode: false -# register: ubtu20cis_1_6_1_xdnx_status - -# - name: "1.6.1 | AUDIT | Ensure XD/NX support is enabled | Alert if XD/NX is not enabled" -# debug: -# msg: -# - "ALERT!!!!You do not have XD/NX (Execute Disable/No Execute) enabled" -# - "To conform to CIS standards this needs to be enabled" -# when: "'active'not in ubtu20cis_1_6_1_xdnx_status.stdout" -# when: -# - ubtu20cis_rule_1_6_1 -# tags: -# - level1-server -# - level1-workstation -# - audit -# - rule_1.6.1 -# - xd/nx +- name: "1.4.3 | PATCH | Ensure permissions on bootloader config are configured" + block: + - name: "1.4.3 | AUDIT | Ensure permissions on bootloader config are configured | Check for Grub file" + stat: + path: /boot/grub/grub.cfg + check_mode: false + register: ubtu20cis_1_4_3_grub_cfg_status + + - name: "1.4.3 | PATCH | Ensure permissions on bootloader config are configured | Set permissions" + file: + path: /boot/grub/grub.cfg + owner: root + group: root + mode: 0400 + when: + - ubtu20cis_1_4_3_grub_cfg_status.stat.exists + when: + - ubtu20cis_rule_1_4_3 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.4.3 + - grub -# - name: "1.6.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled" -# block: -# - name: "1.6.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set ASLR settings" -# lineinfile: -# path: /etc/sysctl.conf -# regexp: 
'^kernel.randomize_va_space' -# line: 'kernel.randomize_va_space = 2' - -# - name: "1.6.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set active kernel parameter" -# sysctl: -# name: kernel.randomize_va_space -# value: '2' -# when: -# - ubtu20cis_rule_1_6_2 -# tags: -# - level1-server -# - level1-workstation -# - patch -# - rule_1.6.2 -# - aslr +- name: "1.4.4 | PATCH | Ensure authentication required for single user mode" + user: + name: root + password: "{{ ubtu20cis_root_pw }}" + when: + - ubtu20cis_rule_1_4_4 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.4.4 + - passwd -# - name: "1.6.3 | PATCH | Ensure prelink is disabled" -# block: -# - name: "1.6.3 | PATCH | Ensure prelink is disabled | Restore binaries to normal" -# command: prelink -ua -# changed_when: false -# failed_when: false - -# - name: "1.6.3 | PATCH | Ensure prelink is disabled | Remove prelink package" -# apt: -# name: prelink -# state: absent -# when: -# - ubtu20cis_rule_1_6_3 -# tags: -# - level1-server -# - level1-workstation -# - patch -# - rule_1.6.3 -# - prelink +- name: "1.5.1 | AUDIT | Ensure XD/NX support is enabled" + block: + - name: "1.5.1 | AUDIT | Ensure XD/NX support is enabled | Find status of XD/NX" + shell: "journalctl | grep 'protection: active'" + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_1_5_1_xdnx_status -# - name: "1.6.4 | PATCH | Ensure core dumps are restricted" -# sysctl: -# name: fs.suid_dumpable -# value: '0' -# state: present -# reload: yes -# sysctl_set: yes -# ignoreerrors: yes -# when: -# - ubtu20cis_rule_1_6_4 -# tags: -# - level1-server -# - level1-workstation -# - patch -# - rule_1.6.4 -# - coredump + - name: "1.5.1 | AUDIT | Ensure XD/NX support is enabled | Alert if XD/NX is not enabled" + debug: + msg: + - "ALERT!!!!You do not have XD/NX (Execute Disable/No Execute) enabled" + - "To conform to CIS standards this needs to be enabled" + when: "'active'not in 
ubtu20cis_1_6_1_xdnx_status.stdout" + when: + - ubtu20cis_rule_1_5_1 + tags: + - level1-server + - level1-workstation + - audit + - rule_1.5.1 + - xd/nx -# - name: "1.7.1.1 | PATCH | Ensure AppArmor is installed" -# apt: -# name: ['apparmor', 'apparmor-utils'] -# state: present -# when: -# - ubtu20cis_rule_1_7_1_1 -# tags: -# - level1-server -# - level1-workstation -# - patch -# - rule_1.7.1.1 -# - apparmor +- name: "1.5.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled" + block: + - name: "1.5.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set ASLR settings" + lineinfile: + path: /etc/sysctl.conf + regexp: '^kernel.randomize_va_space' + line: 'kernel.randomize_va_space = 2' + + - name: "1.5.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set active kernel parameter" + sysctl: + name: kernel.randomize_va_space + value: '2' + when: + - ubtu20cis_rule_1_5_2 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.5.2 + - aslr -# - name: "1.7.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration" -# block: -# - name: "1.7.1.2 | AUDIT | Ensure AppArmor is enabled in the bootloader configuration | Get current settings" -# shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' -# changed_when: false -# failed_when: false -# check_mode: false -# register: ubtu20cis_1_7_1_2_cmdline_settings - -# - name: "1.7.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist" -# lineinfile: -# path: /etc/default/grub -# regexp: '^GRUB_CMDLINE_LINUX' -# line: 'GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor {{ ubtu20cis_1_7_1_2_cmdline_settings.stdout }}"' -# insertafter: '^GRUB_' -# when: -# - "'apparmor' not in ubtu20cis_1_7_1_2_cmdline_settings.stdout" -# - "'security' not in ubtu20cis_1_7_1_2_cmdline_settings.stdout" -# notify: grub update - -# - name: "1.7.1.2 | PATCH | Ensure AppArmor is enabled in the 
bootloader configuration | Set apparmor settings if none exist | Replace apparmor settings when exists" -# replace: -# path: /etc/default/grub -# regexp: "{{ item.regexp }}" -# replace: "{{ item.replace }}" -# with_items: -# - { regexp: 'apparmor=\S+', replace: 'apparmor=1' } -# - { regexp: 'security=\S+', replace: 'security=apparmor' } -# when: -# - "'apparmor' in ubtu20cis_1_7_1_2_cmdline_settings.stdout" -# - "'security' in ubtu20cis_1_7_1_2_cmdline_settings.stdout" -# notify: grub update -# when: -# - ubtu20cis_rule_1_7_1_2 -# tags: -# - level1-server -# - level1-workstation -# - patch -# - rule_1.7.1.2 -# - apparmor +- name: "1.5.3 | PATCH | Ensure prelink is not installed" + block: + - name: "1.5.3 | PATCH | Ensure prelink is not installed | Restore binaries to normal" + command: prelink -ua + changed_when: false + failed_when: false -# - name: "1.7.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode" -# command: aa-enforce /etc/apparmor.d/* -# failed_when: false -# when: -# - ubtu20cis_rule_1_7_1_3 -# tags: -# - level1-server -# - level1-workstation -# - patch -# - rule_1.7.1.3 -# - apparmor + - name: "1.5.3 | PATCH | Ensure prelink is not installed| Remove prelink package" + apt: + name: prelink + state: absent + when: + - ubtu20cis_rule_1_5_3 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.5.3 + - prelink -# - name: "1.7.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing" -# command: aa-enforce /etc/apparmor.d/* -# failed_when: false -# when: -# - ubtu20cis_rule_1_7_1_4 -# tags: -# - level2-server -# - level2-workstation -# - scored -# - patch -# - rule_1.7.1.4 -# - apparmor +- name: "1.5.4 | PATCH | Ensure core dumps are restricted" + sysctl: + name: fs.suid_dumpable + value: '0' + state: present + reload: yes + sysctl_set: yes + ignoreerrors: yes + when: + - ubtu20cis_rule_1_5_4 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.5.4 + - coredump +- name: "1.6.1.1 | PATCH | Ensure 
AppArmor is installed" + apt: + name: ['apparmor', 'apparmor-utils'] + state: present + when: + - ubtu20cis_rule_1_6_1_1 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.6.1.1 + - apparmor -# - name: "1.8.1.1 | PATCH | Ensure message of the day is configured properly" -# template: -# src: etc/motd.j2 -# dest: /etc/motd -# when: -# - ubtu20cis_rule_1_8_1_1 -# tags: -# - level1-server -# - level1-workstation -# - patch -# - rule_1.8.1.1 -# - motd +- name: "1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration" + block: + - name: "1.6.1.2 | AUDIT | Ensure AppArmor is enabled in the bootloader configuration | Get current settings" + shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_1_6_1_2_cmdline_settings -# - name: "1.8.1.2 | PATCH | Ensure local login warning banner is configured properly" -# template: -# src: etc/issue.j2 -# dest: /etc/issue -# when: -# - ubtu20cis_rule_1_8_1_2 -# tags: -# - level1-server -# - level1-workstation -# - patch -# - banner + - name: "1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist" + lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX' + line: 'GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor {{ ubtu20cis_1_6_1_2_cmdline_settings.stdout }}"' + insertafter: '^GRUB_' + when: + - "'apparmor' not in ubtu20cis_1_6_1_2_cmdline_settings.stdout" + - "'security' not in ubtu20cis_1_6_1_2_cmdline_settings.stdout" + notify: grub update + + - name: "1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist | Replace apparmor settings when exists" + replace: + path: /etc/default/grub + regexp: "{{ item.regexp }}" + replace: "{{ item.replace }}" + with_items: + - { regexp: 'apparmor=\S+', replace: 'apparmor=1' } + - { regexp: 'security=\S+', replace: 
'security=apparmor' } + when: + - "'apparmor' in ubtu20cis_1_6_1_2_cmdline_settings.stdout" + - "'security' in ubtu20cis_1_6_1_2_cmdline_settings.stdout" + notify: grub update + when: + - ubtu20cis_rule_1_6_1_2 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.6.1.2 + - apparmor -# - name: "1.8.1.3 | PATCH | Ensure remote login warning banner is configured properly" -# template: -# src: etc/issue.net.j2 -# dest: /etc/issue.net -# when: -# - ubtu20cis_rule_1_8_1_3 -# tags: -# - level1-server -# - level1-workstation -# - patch -# - banner - -# - name: "1.8.1.4 | PATCH | Ensure permissions on /etc/motd are configured" -# file: -# path: /etc/motd -# owner: root -# group: root -# mode: 0644 -# when: -# - ubtu20cis_rule_1_8_1_4 -# tags: -# - level1-server -# - level1-workstation -# - patch -# - rule_1.8.1.4 -# - permissions -# - motd - -# - name: "1.8.1.5 | PATCH | Ensure permissions on /etc/issue are configured" -# file: -# path: /etc/issue -# owner: root -# group: root -# mode: 0644 -# when: -# - ubtu20cis_rule_1_8_1_5 -# tags: -# - level1-server -# - level1-workstation -# - patch -# - rule_1.8.1.5 -# - permissions -# - banner - -# - name: "1.8.1.6 | PATCH | Ensure permissions on /etc/issue.net are configured" -# file: -# path: /etc/issue.net -# owner: root -# group: root -# mode: 0644 -# when: -# - ubtu20cis_rule_1_8_1_6 -# tags: -# - level1-server -# - level1-workstation -# - patch -# - rule_1.8.1.6 -# - permissions -# - banner +- name: "1.6.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode" + command: aa-enforce /etc/apparmor.d/* + failed_when: false + when: + - ubtu20cis_rule_1_6_1_3 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.6.1.3 + - apparmor -# - name: "1.9 | PATCH | Ensure updates, patches, and additional security software are installed" -# apt: -# name: "*" -# state: latest -# when: -# - ubtu20cis_rule_1_9 -# tags: -# - level1-server -# - level1-workstation -# - manual -# - patch -# - 
rule_1.9 -# - patching +- name: "1.6.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing" + command: aa-enforce /etc/apparmor.d/* + failed_when: false + when: + - ubtu20cis_rule_1_6_1_4 + tags: + - level2-server + - level2-workstation + - scored + - patch + - rule_1.6.1.4 + - apparmor + + +- name: "1.7.1 | PATCH | Ensure message of the day is configured properly" + template: + src: etc/motd.j2 + dest: /etc/motd + when: + - ubtu20cis_rule_1_7_1 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.7.1 + - motd + +- name: "1.7.2 | PATCH | Ensure local login warning banner is configured properly" + template: + src: etc/issue.j2 + dest: /etc/issue + when: + - ubtu20cis_rule_1_7_2 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.7.2 + - banner + +- name: "1.7.3 | PATCH | Ensure remote login warning banner is configured properly" + template: + src: etc/issue.net.j2 + dest: /etc/issue.net + when: + - ubtu20cis_rule_1_7_3 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.7.3 + - banner + +- name: "1.7.4 | PATCH | Ensure permissions on /etc/motd are configured" + file: + path: /etc/motd + owner: root + group: root + mode: 0644 + when: + - ubtu20cis_rule_1_7_4 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.7.4 + - permissions + - motd + +- name: "1.7.5 | PATCH | Ensure permissions on /etc/issue are configured" + file: + path: /etc/issue + owner: root + group: root + mode: 0644 + when: + - ubtu20cis_rule_1_7_5 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.7.5 + - permissions + - banner + +- name: "1.7.6 | PATCH | Ensure permissions on /etc/issue.net are configured" + file: + path: /etc/issue.net + owner: root + group: root + mode: 0644 + when: + - ubtu20cis_rule_1_7_6 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.7.6 + - permissions + - banner + +- name: "MANUAL | 1.8.1 | PATCH | Ensure GNOME Display Manager is removed" + apt: + name: gdm3 + 
state: absent + when: + - ubtu20cis_rule_1_8_1 + - ubtu20cis_disruption_high + tags: + - level2-server + - manual + - patch + - rule_1.8.1 + - gnome + +- name: "AUTOMATED | 1.8.2 | PATCH | Ensure GDM login banner is configured" + lineinfile: + path: /etc/gdm3/greeter.dconf-defaults + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" + create: yes + owner: root + group: root + mode: 0644 + notify: reload gdm + with_items: + - { regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]', insertafter: EOF } + - { regexp: 'banner-message-enable', line: 'banner-message-enable=true', insertafter: '\[org\/gnome\/login-screen\]'} + - { regexp: 'banner-message-text', line: 'banner-message-text={{ ubtu20cis_warning_banner }}', insertafter: 'banner-message-enable' } + when: + - ubtu20cis_rule_1_8_2 + - ubtu18cis_desktop_required + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.8.2 + - gnome + +- name: "AUTOMATED | 1.8.3 | PATCH | Ensure disable-user-list is enabled" + lineinfile: + path: /etc/gdm3/greeter.dconf-defaul + regexp: '^disable-user-list=' + line: 'disable-user-list=true' + insertafter: 'banner-message-text=' + create: yes + owner: root + group: root + mode: 0644 + notify: reload gdm + when: + - ubtu20cis_rule_1_8_3 + - ubtu20cis_desktop_required + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.8.3 + - gdm3 + +- name: "AUTOMATED | 1.8.4 | PATCH | Ensure XDCMP is not enabled" + lineinfile: + path: /etc/gdm3/custom.conf + regexp: '^Enable=true' + state: absent + when: + - ubtu20cis_rule_1_8_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.8.4 + - xdcmp + +- name: "1.9 | PATCH | Ensure updates, patches, and additional security software are installed" + apt: + name: "*" + state: latest + when: + - ubtu20cis_rule_1_9 + tags: + - level1-server + - level1-workstation + - manual + - patch + - rule_1.9 + - 
patching # - name: "1.10 | PATCH | Ensure GDM is removed or login is configured" # block: From 5437b239c8b15791799cfdee53a9d99f4e0c0975 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 3 May 2021 11:07:20 -0400 Subject: [PATCH 07/44] Updated Section 1 with automated/manual labels and tags Signed-off-by: George Nalen --- tasks/section1.yml | 219 ++++++++++++++++++++++++++------------------- 1 file changed, 129 insertions(+), 90 deletions(-) diff --git a/tasks/section1.yml b/tasks/section1.yml index d9b68781..761fb02f 100644 --- a/tasks/section1.yml +++ b/tasks/section1.yml @@ -1,14 +1,14 @@ --- -- name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled" +- name: "AUTOMATED | 1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled" block: - - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Edit modprobe config" + - name: "AUTOMATED | 1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Edit modprobe config" lineinfile: dest: /etc/modprobe.d/cramfs.conf regexp: "^(#)?install cramfs(\\s|$)" line: install cramfs /bin/true create: yes - - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs" + - name: "AUTOMATED | 1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs" modprobe: name: cramfs state: absent 
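Review bot: In the preceding `@@ -629` hunk the 1.5.1 XD/NX alert task still reads the old register name, `when: "'active'not in ubtu20cis_1_6_1_xdnx_status.stdout"`, while the gather task in the same block now registers `ubtu20cis_1_5_1_xdnx_status`, so every run of that block fails with an undefined variable, which is what this series is trying to eliminate. It should be `when: "'active' not in ubtu20cis_1_5_1_xdnx_status.stdout"`. Two more renumbering slips sit in the same hunk: 1.8.2's condition uses `ubtu18cis_desktop_required` where 1.8.3 uses `ubtu20cis_desktop_required`, and 1.8.3's `path: /etc/gdm3/greeter.dconf-defaul` is missing the trailing `ts` (1.8.2 edits `/etc/gdm3/greeter.dconf-defaults`), so with `create: yes` it would silently write a file GDM never reads. Separately, 1.6.1.3 and 1.6.1.4 run `command: aa-enforce /etc/apparmor.d/*`; the command module does not perform shell glob expansion, so the `*` most likely reaches aa-enforce literally and `failed_when: false` hides the resulting error, and neither task has a `changed_when`, so both report changed on every run. The 1.4.1 tasks rewrite the package-owned `/usr/sbin/grub-mkconfig` in place, which the next grub package upgrade will revert, so a comment on the task saying the edit must be reapplied after upgrades would help the next maintainer.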
@@ -18,20 +18,21 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_1.1.1.1 - cramfs -- name: "1.1.1.2 | PATCH | Ensure mounting of freevxfs filesystems is disabled" +- name: "AUTOMATED | 1.1.1.2 | PATCH | Ensure mounting of freevxfs filesystems is disabled" block: - - name: "SCORED | 1.1.1.2 | PATCH | Ensure mounting of freevxfs filesystems is disabled | Edit modprobe config" + - name: "AUTOMATED | 1.1.1.2 | PATCH | Ensure mounting of freevxfs filesystems is disabled | Edit modprobe config" lineinfile: dest: /etc/modprobe.d/freevxfs.conf regexp: "^(#)?install freevxfs(\\s|$)" line: install freevxfs /bin/true create: yes - - name: "1.1.1.2 | PATCH | Ensure mounting of freevxfs filesystems is disabled | Disable freevxfs" + - name: "AUTOMATED | 1.1.1.2 | PATCH | Ensure mounting of freevxfs filesystems is disabled | Disable freevxfs" modprobe: name: freevxfs state: absent @@ -41,20 +42,21 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_1.1.1.2 - freevxfs -- name: "1.1.1.3 | PATCH | Ensure mounting of jffs2 filesystems is disabled" +- name: "AUTOMATED | 1.1.1.3 | PATCH | Ensure mounting of jffs2 filesystems is disabled" block: - - name: "1.1.1.3 | PATCH | Ensure mounting of jffs2 filesystems is disabled | Edit modprobe config" + - name: "AUTOMATED | 1.1.1.3 | PATCH | Ensure mounting of jffs2 filesystems is disabled | Edit modprobe config" lineinfile: dest: /etc/modprobe.d/jffs2.conf regexp: "^(#)?install jffs2(\\s|$)" line: install jffs2 /bin/true create: yes - - name: "1.1.1.3 | PATCH | Ensure mounting of jffs2 filesystems is disabled | Disable jffs2" + - name: "AUTOMATED | 1.1.1.3 | PATCH | Ensure mounting of jffs2 filesystems is disabled | Disable jffs2" modprobe: name: jffs2 state: absent 
@@ -64,20 +66,21 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_1.1.1.3 - jffs2 -- name: "1.1.1.4 | PATCH | Ensure mounting of hfs filesystems is disabled" +- name: "AUTOMATED | 1.1.1.4 | PATCH | Ensure mounting of hfs filesystems is disabled" block: - - name: "1.1.1.4 | PATCH | Ensure mounting of hfs filesystems is disabled | Edit modprobe config" + - name: "AUTOMATED | 1.1.1.4 | PATCH | Ensure mounting of hfs filesystems is disabled | Edit modprobe config" lineinfile: dest: /etc/modprobe.d/hfs.conf regexp: "^(#)?install hfs(\\s|$)" line: install hfs /bin/true create: yes - - name: "1.1.1.4 | PATCH | Ensure mounting of hfs filesystems is disabled | Disable hfs" + - name: "AUTOMATED | 1.1.1.4 | PATCH | Ensure mounting of hfs filesystems is disabled | Disable hfs" modprobe: name: hfs state: absent @@ -87,20 +90,21 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_1.1.1.4 - hfs -- name: "1.1.1.5 | PATCH | Ensure mounting of hfsplus filesystems is disabled" +- name: "AUTOMATED | 1.1.1.5 | PATCH | Ensure mounting of hfsplus filesystems is disabled" block: - - name: "1.1.1.5 | PATCH | Ensure mounting of hfsplus filesystems is disabled | Edit modprobe config" + - name: "AUTOMATED | 1.1.1.5 | PATCH | Ensure mounting of hfsplus filesystems is disabled | Edit modprobe config" lineinfile: dest: /etc/modprobe.d/hfsplus.conf regexp: "^(#)?install hfsplus(\\s|$)" line: install hfsplus /bin/true create: yes - - name: "1.1.1.5 | PATCH | Ensure mounting of hfsplus filesystems is disabled | Disable hfsplus" + - name: "AUTOMATED | 1.1.1.5 | PATCH | Ensure mounting of hfsplus filesystems is disabled | Disable hfsplus" modprobe: name: hfsplus state: absent @@ -110,6 +114,7 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_1.1.1.5 - hfsplus 
@@ -138,16 +143,16 @@ - rule_1.1.1.6 - squashfs -- name: "1.1.1.7 | PATCH | Ensure mounting of udf filesystems is disabled" +- name: "AUTOMATED | 1.1.1.7 | PATCH | Ensure mounting of udf filesystems is disabled" block: - - name: "1.1.1.7 | PATCH | Ensure mounting of udf filesystems is disabled | Edit modprobe config" + - name: "AUTOMATED | 1.1.1.7 | PATCH | Ensure mounting of udf filesystems is disabled | Edit modprobe config" lineinfile: dest: /etc/modprobe.d/udf.conf regexp: "^(#)?install udf(\\s|$)" line: install udf /bin/true create: yes - - name: "1.1.1.7 | PATCH | Ensure mounting of udf filesystems is disabled | Disable udf" + - name: "AUTOMATED | 1.1.1.7 | PATCH | Ensure mounting of udf filesystems is disabled | Disable udf" modprobe: name: udf state: absent @@ -157,6 +162,7 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_1.1.1.7 - udf @@ -191,7 +197,7 @@ # - rule_1.1.1.7 # - vfat -- name: "1.1.2 | PATCH | Ensure /tmp is configured" +- name: "AUTOMATED | 1.1.2 | PATCH | Ensure /tmp is configured" mount: path: /tmp src: /tmp @@ -203,14 +209,15 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_1.1.2 - tmp - name: | - "1.1.3 | PATCH | Ensure nodev option set on /tmp partition" - "1.1.4 | PATCH | Ensure nosuid option set on /tmp partition" - "1.1.5 | PATCH | Ensure noexec option set on /tmp partition" + "AUTOMATED | 1.1.3 | PATCH | Ensure nodev option set on /tmp partition" + "AUTOMATED | 1.1.4 | PATCH | Ensure nosuid option set on /tmp partition" + "AUTOMATED | 1.1.5 | PATCH | Ensure noexec option set on /tmp partition" mount: name: /tmp src: /tmp @@ -225,13 +232,14 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_1.1.3 - rule_1.1.4 - rule_1.1.5 - tmp -- name: "1.1.6 | PATCH | Ensure /dev/shm is configured" +- name: "AUTOMATED | 1.1.6 | PATCH | Ensure /dev/shm is configured" mount: name: /dev/shm src: /dev/shm 
@@ -243,14 +251,15 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_1.1.6 - dev_shm - name: | - "1.1.7 | PATCH | Ensure nodev option set on /dev/shm partition" - "1.1.8 | PATCH | Ensure nosuid option set on /dev/shm partition" - "1.1.9 | PATCH | Ensure noexec option set on /dev/shm partition" + "AUTOMATED | 1.1.7 | PATCH | Ensure nodev option set on /dev/shm partition" + "AUTOMATED | 1.1.8 | PATCH | Ensure nosuid option set on /dev/shm partition" + "AUTOMATED | 1.1.9 | PATCH | Ensure noexec option set on /dev/shm partition" mount: name: /dev/shm src: /dev/shm @@ -264,15 +273,16 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_1.1.7 - rule_1.1.8 - rule_1.1.9 - dev_shm -- name: "1.1.10 | AUDIT | Ensure separate partition exists for /var" +- name: "AUTOMATED | 1.1.10 | AUDIT | Ensure separate partition exists for /var" block: - - name: "1.1.10 | AUDIT | Ensure separate partition exists for /var | Gather /var partition" + - name: "AUTOMATED | 1.1.10 | AUDIT | Ensure separate partition exists for /var | Gather /var partition" shell: mount | grep "on /var " changed_when: false failed_when: false @@ -281,7 +291,7 @@ warn: false register: ubtu20cis_1_1_10_var_mounted - - name: "| 1.1.10 | AUDIT | Ensure separate partition exists for /var | Alert if /var partition does not exist" + - name: "AUTOMATED | 1.1.10 | AUDIT | Ensure separate partition exists for /var | Alert if /var partition does not exist" debug: msg: - "ALERT!!!! There is no separate partition for /var" 
@@ -292,13 +302,14 @@ tags: - level2-server - level2-workstation + - automated - audit - rule_1.1.10 - var -- name: "1.1.11 | AUDIT | Ensure separate partition exists for /var/tmp" +- name: "AUTOMATED | 1.1.11 | AUDIT | Ensure separate partition exists for /var/tmp" block: - - name: "1.1.11 | AUDIT | Ensure separate partition exists for /var/tmp | Gather /var/tmp partition" + - name: "AUTOMATED | 1.1.11 | AUDIT | Ensure separate partition exists for /var/tmp | Gather /var/tmp partition" shell: mount | grep "on /var/tmp " changed_when: false failed_when: false @@ -307,7 +318,7 @@ warn: false register: ubtu20cis_1_1_11_var_tmp_mounted - - name: "1.1.11 | AUDIT | Ensure separate partition exists for /var/tmp | Alert if /var/tmp partition does not exist" + - name: "AUTOMATED | 1.1.11 | AUDIT | Ensure separate partition exists for /var/tmp | Alert if /var/tmp partition does not exist" debug: msg: - "ALERT!!!! There is no separate partition for /var/tmp" @@ -318,14 +329,15 @@ tags: - level2-server - level2-workstation + - automated - audit - rule_1.1.11 - var/tmp - name: | - "1.1.12 | PATCH | Ensure /var/tmp partition includes the nodev option" - "1.1.13 | PATCH | Ensure /var/tmp partition includes the nosuid option" - "1.1.14 | PATCH | Ensure /var/tmp partition includes the noexec option" + "AUTOMATED | 1.1.12 | PATCH | Ensure /var/tmp partition includes the nodev option" + "AUTOMATED | 1.1.13 | PATCH | Ensure /var/tmp partition includes the nosuid option" + "AUTOMATED | 1.1.14 | PATCH | Ensure /var/tmp partition includes the noexec option" mount: name: /var/tmp src: "{{ ubtu20cis_vartmp['source'] }}" 
@@ -340,15 +352,16 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_1.1.12 - rule_1.1.13 - rule_1.1.14 - var/tmp -- name: "1.1.15 | AUDIT | Ensure separate partition exists for /var/log" +- name: "AUTOMATED | 1.1.15 | AUDIT | Ensure separate partition exists for /var/log" block: - - name: "1.1.15 | AUDIT | Ensure separate partition exists for /var/log | Gather /var/log partition" + - name: "AUTOMATED | 1.1.15 | AUDIT | Ensure separate partition exists for /var/log | Gather /var/log partition" shell: mount | grep "on /var/log " changed_when: false failed_when: false @@ -357,7 +370,7 @@ args: warn: false - - name: "1.1.15 | AUDIT | Ensure separate partition exists for /var/log | Alert if /var/log partition does not exist" + - name: "AUTOMATED | 1.1.15 | AUDIT | Ensure separate partition exists for /var/log | Alert if /var/log partition does not exist" debug: msg: - "ALERT!!!! There is no separate partition for /var/log" @@ -368,13 +381,14 @@ tags: - level2-server - level2-workstation + - automated - audit - rule_1.1.15 - var/log -- name: "1.1.16 | AUDIT | Ensure separate partition exists for /var/log/audit" +- name: "AUTOMATED | 1.1.16 | AUDIT | Ensure separate partition exists for /var/log/audit" block: - - name: "1.1.16 | AUDIT | Ensure separate partition exists for /var/log/audit | Gather /var/log/audit" + - name: "AUTOMATED | 1.1.16 | AUDIT | Ensure separate partition exists for /var/log/audit | Gather /var/log/audit" shell: mount | grep "on /var/log/audit " changed_when: false failed_when: false @@ -383,7 +397,7 @@ args: warn: false - - name: "1.1.16 | AUDIT | Ensure separate partition exists for /var/log/audit | Alert if /var/log/audit partition does not exist" + - name: "AUTOMATED | 1.1.16 | AUDIT | Ensure separate partition exists for /var/log/audit | Alert if /var/log/audit partition does not exist" debug: msg: - "ALERT!!!! There is no separate partition for /var/log/audit" 
@@ -394,12 +408,13 @@ tags: - level2-server - level2-workstation + - automated - audit - var/log/audit -- name: "1.1.17 | AUDIT | Ensure separate partition exists for /home" +- name: "AUTOMATED | 1.1.17 | AUDIT | Ensure separate partition exists for /home" block: - - name: "1.1.17 | AUDIT | Ensure separate partition exists for /home | Gather /home" + - name: "AUTOMATED | 1.1.17 | AUDIT | Ensure separate partition exists for /home | Gather /home" shell: mount | grep "on /home" changed_when: false failed_when: false @@ -408,7 +423,7 @@ args: warn: false - - name: "1.1.17 | AUDIT | Ensure separate partition exists for /home | Alert if /home partition does not exist" + - name: "AUTOMATED | 1.1.17 | AUDIT | Ensure separate partition exists for /home | Alert if /home partition does not exist" debug: msg: - "ALERT!!!! There is no separate partition for /home" @@ -419,10 +434,11 @@ tags: - level2-server - level2-workstation + - automated - audit - /home -- name: "1.1.18 | PATCH | Ensure /home partition includes the nodev option" +- name: "AUTOMATED | 1.1.18 | PATCH | Ensure /home partition includes the nodev option" mount: name: "/home" src: "{{ item.device }}" @@ -436,11 +452,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_1.1.18 - /home -- name: "1.1.19 | AUDIT | Ensure nodev option set on removable media partitions" +- name: "MANUAL | 1.1.19 | AUDIT | Ensure nodev option set on removable media partitions" debug: msg: "Warning!!!! Not relevant control" when: @@ -453,7 +470,7 @@ - rule_1.1.19 - removable_media -- name: "1.1.20 | AUDIT | Ensure nosuid option set on removable media partitions" +- name: "MANUAL | 1.1.20 | AUDIT | Ensure nosuid option set on removable media partitions" debug: msg: "Warning!!!! Not relevant control" when: 
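Review bot: The tasks relabelled MANUAL in the 1.1.19 and 1.1.20 hunks here get no `- manual` tag, while the 1.5.1 hunk later in this file adds one; the same omission applies to 1.1.21 in the next hunk, to 1.2.1 and 1.2.2 (@@ -529 / @@ -558), and to 1.9 (@@ -1071). Every AUTOMATED task in this change gains `- automated`, so a `--tags manual` or `--skip-tags manual` run will not see these controls. Add `- manual` next to the `- audit` or `- patch` entry in each tag list; the 1.1.19 list continues outside the hunk.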
@@ -466,7 +483,7 @@ - rule_1.1.20 - removable_media -- name: "1.1.21 | AUDIT | Ensure noexec option set on removable media partitions" +- name: "MANUAL | 1.1.21 | AUDIT | Ensure noexec option set on removable media partitions" debug: msg: "Warning!!!! Not relevant control" when: @@ -479,7 +496,7 @@ - rule_1.1.21 - removable_media -- name: "1.1.22 | PATCH | Ensure sticky bit is set on all world-writable directories" +- name: "AUTOMATED | 1.1.22 | PATCH | Ensure sticky bit is set on all world-writable directories" shell: df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null | xargs -I '{}' chmod a+t '{}' failed_when: ubtu20cis_1_1_22_status.rc>0 check_mode: false @@ -489,11 +506,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_1.1.22 - sticky_bit -- name: "1.1.23 | PATCH | Disable Automounting" +- name: "AUTOMATED | 1.1.23 | PATCH | Disable Automounting" service: name: autofs state: stopped @@ -505,20 +523,21 @@ tags: - level1-server - level2-workstation + - automated - patch - rule_1.1.23 - automounting -- name: "1.1.24 | PATCH | Disable USB Storage" +- name: "AUTOMATED | 1.1.24 | PATCH | Disable USB Storage" block: - - name: "1.1.24 | PATCH | Disable USB Storage | Set modprobe config" + - name: "AUTOMATED | 1.1.24 | PATCH | Disable USB Storage | Set modprobe config" lineinfile: path: /etc/modprobe.d/usb_storage.conf regexp: '^install usb-storage' line: 'install usb-storage /bin/true' create: yes - - name: "1.1.24 | PATCH | Disable USB Storage | Remove usb-storage module" + - name: "AUTOMATED | 1.1.24 | PATCH | Disable USB Storage | Remove usb-storage module" modprobe: name: usb-storage state: absent 
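Review bot: The 1.1.22 task relabelled AUTOMATED in the @@ -479 hunk still carries `check_mode: false` on a `shell` pipeline that ends in `chmod a+t`, so a `--check` run of this role changes directory modes on the host instead of only reporting them. `check_mode: false` is appropriate for the read-only gathering tasks elsewhere in this change, but on a mutating PATCH task it should be dropped (a skipped task is not evaluated by `failed_when`, so the `register:` line can stay), or the pipeline split so that only the `find` part runs in check mode. The task's `when:` and tags continue in the next hunk.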
@@ -529,20 +548,21 @@ tags: - level1-server - level2-workstation + - automated - patch - rule_1.1.24 - usb_storage -- name: "1.2.1 | AUDIT | Ensure package manager repositories are configured" +- name: "MANUAL | 1.2.1 | AUDIT | Ensure package manager repositories are configured" block: - - name: "1.2.1 | AUDIT | Ensure package manager repositories are configured | Get repositories" + - name: "MANUAL 1.2.1 | AUDIT | Ensure package manager repositories are configured | Get repositories" command: apt-cache policy changed_when: false failed_when: false check_mode: false register: ubtu20cis_1_2_1_apt_policy - - name: "1.2.1 | AUDIT | Ensure package manager repositories are configured | Message out repository configs" + - name: "MANUAL 1.2.1 | AUDIT | Ensure package manager repositories are configured | Message out repository configs" debug: msg: - "Alert!!!! Below are the apt package repositories" @@ -558,16 +578,16 @@ - rule_1.2.1 - apt -- name: "1.2.2 | AUDIT | Ensure GPG keys are configured" +- name: "MANUAL | 1.2.2 | AUDIT | Ensure GPG keys are configured" block: - - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | Get apt gpg keys" + - name: "MANUAL | 1.2.2 | AUDIT | Ensure GPG keys are configured | Get apt gpg keys" command: apt-key list changed_when: false failed_when: false check_mode: false register: ubtu20cis_1_2_2_apt_gpgkeys - - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | Message out apt gpg keys" + - name: "MANUAL | 1.2.2 | AUDIT | Ensure GPG keys are configured | Message out apt gpg keys" debug: msg: - "Alert!!!! Below are the apt gpg kyes configured" @@ -629,7 +649,7 @@ # - rule_1.3.3 # - sudo -- name: "1.3.1 | PATCH | Ensure AIDE is installed" +- name: "AUTOMATED | 1.3.1 | PATCH | Ensure AIDE is installed" apt: name: ['aide', 'aide-common'] state: present 
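Review bot: The two child task names in the 1.2.1 block are written `"MANUAL 1.2.1 | AUDIT | ..."`, missing the `|` after the label that the block name `"MANUAL | 1.2.1 | AUDIT | ..."` and every other renamed task in this change use. Change them to `- name: "MANUAL | 1.2.1 | AUDIT | Ensure package manager repositories are configured | Get repositories"` and `- name: "MANUAL | 1.2.1 | AUDIT | Ensure package manager repositories are configured | Message out repository configs"` so the prefix stays greppable. The block's `when:` and tags continue in the next hunk.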
@@ -638,11 +658,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_1.3.1 - aide -- name: "1.3.2 | PATCH | Ensure filesystem integrity is regularly checked" +- name: "AUTOMATED | 1.3.2 | PATCH | Ensure filesystem integrity is regularly checked" cron: name: Run AIDE integrity check cron_file: "{{ ubtu20cis_aide_cron['cron_file'] }}" @@ -658,6 +679,7 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_1.3.2 - cron @@ -692,7 +714,7 @@ # grub-mkpasswd-pbkdf2 command and passing the data at the same time. # --------------- # --------------- -- name: "1.4.2 | PATCH | Ensure bootloader password is set" +- name: "AUTOMATED | 1.4.2 | PATCH | Ensure bootloader password is set" command: /bin/true changed_when: false failed_when: false @@ -702,20 +724,21 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_1.4.2 - grub - notimplemented -- name: "1.4.3 | PATCH | Ensure permissions on bootloader config are configured" +- name: "AUTOMATED | 1.4.3 | PATCH | Ensure permissions on bootloader config are configured" block: - - name: "1.4.3 | AUDIT | Ensure permissions on bootloader config are configured | Check for Grub file" + - name: "AUTOMATED | 1.4.3 | AUDIT | Ensure permissions on bootloader config are configured | Check for Grub file" stat: path: /boot/grub/grub.cfg check_mode: false register: ubtu20cis_1_4_3_grub_cfg_status - - name: "1.4.3 | PATCH | Ensure permissions on bootloader config are configured | Set permissions" + - name: "AUTOMATED | 1.4.3 | PATCH | Ensure permissions on bootloader config are configured | Set permissions" file: path: /boot/grub/grub.cfg owner: root @@ -728,11 +751,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_1.4.3 - grub -- name: "1.4.4 | PATCH | Ensure authentication required for single user mode" +- name: "AUTOMATED | 1.4.4 | PATCH | Ensure authentication required for single user mode" user: name: root password: "{{ ubtu20cis_root_pw }}" 
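Review bot: The 1.4.2 task in the @@ -692 hunk is relabelled AUTOMATED although its body is `command: /bin/true` and the next hunk shows it tagged `notimplemented`, so the label now claims the bootloader-password control is enforced when nothing is done. Either keep the label consistent with the tag, e.g. `- name: "MANUAL | 1.4.2 | PATCH | Ensure bootloader password is set"` plus a `- manual` tag, or state the gap in the header comment above the task, which already explains why the control is not implemented. A coverage report built from task names would otherwise over-count this control.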
@@ -741,20 +765,21 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_1.4.4 - passwd -- name: "1.5.1 | AUDIT | Ensure XD/NX support is enabled" +- name: "MANUAL | 1.5.1 | AUDIT | Ensure XD/NX support is enabled" block: - - name: "1.5.1 | AUDIT | Ensure XD/NX support is enabled | Find status of XD/NX" + - name: "MANUAL | 1.5.1 | AUDIT | Ensure XD/NX support is enabled | Find status of XD/NX" shell: "journalctl | grep 'protection: active'" changed_when: false failed_when: false check_mode: false register: ubtu20cis_1_5_1_xdnx_status - - name: "1.5.1 | AUDIT | Ensure XD/NX support is enabled | Alert if XD/NX is not enabled" + - name: "MANUAL | 1.5.1 | AUDIT | Ensure XD/NX support is enabled | Alert if XD/NX is not enabled" debug: msg: - "ALERT!!!!You do not have XD/NX (Execute Disable/No Execute) enabled" @@ -765,19 +790,20 @@ tags: - level1-server - level1-workstation + - manual - audit - rule_1.5.1 - xd/nx -- name: "1.5.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled" +- name: "AUTOMATED | 1.5.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled" block: - - name: "1.5.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set ASLR settings" + - name: "AUTOMATED | 1.5.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set ASLR settings" lineinfile: path: /etc/sysctl.conf regexp: '^kernel.randomize_va_space' line: 'kernel.randomize_va_space = 2' - - name: "1.5.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set active kernel parameter" + - name: "AUTOMATED | 1.5.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set active kernel parameter" sysctl: name: kernel.randomize_va_space value: '2' 
@@ -786,18 +812,19 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_1.5.2 - aslr -- name: "1.5.3 | PATCH | Ensure prelink is not installed" +- name: "AUTOMATED | 1.5.3 | PATCH | Ensure prelink is not installed" block: - - name: "1.5.3 | PATCH | Ensure prelink is not installed | Restore binaries to normal" + - name: "AUTOMATED | 1.5.3 | PATCH | Ensure prelink is not installed | Restore binaries to normal" command: prelink -ua changed_when: false failed_when: false - - name: "1.5.3 | PATCH | Ensure prelink is not installed| Remove prelink package" + - name: "AUTOMATED | 1.5.3 | PATCH | Ensure prelink is not installed| Remove prelink package" apt: name: prelink state: absent @@ -806,11 +833,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_1.5.3 - prelink -- name: "1.5.4 | PATCH | Ensure core dumps are restricted" +- name: "AUTOMATED | 1.5.4 | PATCH | Ensure core dumps are restricted" sysctl: name: fs.suid_dumpable value: '0' @@ -823,11 +851,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_1.5.4 - coredump -- name: "1.6.1.1 | PATCH | Ensure AppArmor is installed" +- name: "AUTOMATED | 1.6.1.1 | PATCH | Ensure AppArmor is installed" apt: name: ['apparmor', 'apparmor-utils'] state: present 
@@ -836,20 +865,21 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_1.6.1.1 - apparmor -- name: "1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration" +- name: "AUTOMATED | 1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration" block: - - name: "1.6.1.2 | AUDIT | Ensure AppArmor is enabled in the bootloader configuration | Get current settings" + - name: "AUTOMATED | 1.6.1.2 | AUDIT | Ensure AppArmor is enabled in the bootloader configuration | Get current settings" shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' changed_when: false failed_when: false check_mode: false register: ubtu20cis_1_6_1_2_cmdline_settings - - name: "1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist" + - name: "AUTOMATED | 1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist" lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX' @@ -860,7 +890,7 @@ - "'security' not in ubtu20cis_1_6_1_2_cmdline_settings.stdout" notify: grub update - - name: "1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist | Replace apparmor settings when exists" + - name: "AUTOMATED | 1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist | Replace apparmor settings when exists" replace: path: /etc/default/grub regexp: "{{ item.regexp }}" @@ -877,11 +907,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_1.6.1.2 - apparmor -- name: "1.6.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode" +- name: "AUTOMATED | 1.6.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode" command: aa-enforce /etc/apparmor.d/* failed_when: false when: 
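Review bot: The 1.6.1.3 task relabelled AUTOMATED in the @@ -877 hunk runs `command: aa-enforce /etc/apparmor.d/*`, but the `command` module does not pass its arguments through a shell, so the `*` is not expanded and aa-enforce receives the literal path; with `failed_when: false` on the next line any resulting error is hidden and the task reports success. The same two lines appear in the 1.6.1.4 hunk (@@ -889,11 +920,12). `shell: aa-enforce /etc/apparmor.d/*` makes the glob effective, and `failed_when` should then mask only the known-benign cases rather than every failure. The task's `when:` and tags continue in the next hunk.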
@@ -889,11 +920,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_1.6.1.3 - apparmor -- name: "1.6.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing" +- name: "AUTOMATED | 1.6.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing" command: aa-enforce /etc/apparmor.d/* failed_when: false when: @@ -901,13 +933,14 @@ tags: - level2-server - level2-workstation + - automated - scored - patch - rule_1.6.1.4 - apparmor -- name: "1.7.1 | PATCH | Ensure message of the day is configured properly" +- name: "AUTOMATED | 1.7.1 | PATCH | Ensure message of the day is configured properly" template: src: etc/motd.j2 dest: /etc/motd @@ -916,11 +949,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_1.7.1 - motd -- name: "1.7.2 | PATCH | Ensure local login warning banner is configured properly" +- name: "AUTOMATED | 1.7.2 | PATCH | Ensure local login warning banner is configured properly" template: src: etc/issue.j2 dest: /etc/issue @@ -929,11 +963,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_1.7.2 - banner -- name: "1.7.3 | PATCH | Ensure remote login warning banner is configured properly" +- name: "AUTOMATED | 1.7.3 | PATCH | Ensure remote login warning banner is configured properly" template: src: etc/issue.net.j2 dest: /etc/issue.net @@ -942,11 +977,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_1.7.3 - banner -- name: "1.7.4 | PATCH | Ensure permissions on /etc/motd are configured" +- name: "AUTOMATED | 1.7.4 | PATCH | Ensure permissions on /etc/motd are configured" file: path: /etc/motd owner: root @@ -957,12 +993,13 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_1.7.4 - permissions - motd -- name: "1.7.5 | PATCH | Ensure permissions on /etc/issue are configured" +- name: "AUTOMATED | 1.7.5 | PATCH | Ensure permissions on /etc/issue are configured" file: path: /etc/issue owner: root 
@@ -973,12 +1010,13 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_1.7.5 - permissions - banner -- name: "1.7.6 | PATCH | Ensure permissions on /etc/issue.net are configured" +- name: "AUTOMATED | 1.7.6 | PATCH | Ensure permissions on /etc/issue.net are configured" file: path: /etc/issue.net owner: root @@ -989,6 +1027,7 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_1.7.6 - permissions @@ -1071,7 +1110,7 @@ - rule_1.8.4 - xdcmp -- name: "1.9 | PATCH | Ensure updates, patches, and additional security software are installed" +- name: "MANUAL | 1.9 | PATCH | Ensure updates, patches, and additional security software are installed" apt: name: "*" state: latest From aaba54cc41cf0132cdf9c62e11aae08a6c364f1e Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 3 May 2021 11:09:22 -0400 Subject: [PATCH 08/44] Updated section 1 to remove empty string compares Signed-off-by: George Nalen --- tasks/section1.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/section1.yml b/tasks/section1.yml index 761fb02f..8ab04bb0 100644 --- a/tasks/section1.yml +++ b/tasks/section1.yml @@ -296,7 +296,7 @@ msg: - "ALERT!!!! There is no separate partition for /var" - "Please create a separate partition for /var" - when: ubtu20cis_1_1_10_var_mounted.stdout == "" + when: ubtu20cis_1_1_10_var_mounted.stdout | length == 0 when: - ubtu20cis_rule_1_1_10 tags: @@ -323,7 +323,7 @@ msg: - "ALERT!!!! There is no separate partition for /var/tmp" - "Please create a separate partition for /var/tmp" - when: ubtu20cis_1_1_11_var_tmp_mounted.stdout == "" + when: ubtu20cis_1_1_11_var_tmp_mounted.stdout | length == 0 when: - ubtu20cis_rule_1_1_11 tags: 
@@ -375,7 +375,7 @@ msg: - "ALERT!!!! There is no separate partition for /var/log" - "Please create a separate partition for /var/log" - when: ubtu20cis_1_1_15_var_log_mounted.stdout == "" + when: ubtu20cis_1_1_15_var_log_mounted.stdout | length == 0 when: - ubtu20cis_rule_1_1_15 tags: From c418d1ee78d97243b1d38c9d520058092f1376e9 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 3 May 2021 11:09:46 -0400 Subject: [PATCH 09/44] Updated section 1 to remove empty string compares part 2 Signed-off-by: George Nalen --- tasks/section1.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section1.yml b/tasks/section1.yml index 8ab04bb0..aa01d3c4 100644 --- a/tasks/section1.yml +++ b/tasks/section1.yml @@ -402,7 +402,7 @@ msg: - "ALERT!!!! There is no separate partition for /var/log/audit" - "Please create a separate partition for /var/log/audit" - when: ubtu20cis_1_1_16_var_log_audit_mounted.stdout == "" + when: ubtu20cis_1_1_16_var_log_audit_mounted.stdout | length == 0 when: - ubtu20cis_rule_1_1_16 tags: @@ -428,7 +428,7 @@ msg: - "ALERT!!!! There is no separate partition for /home" - "Please create a separate partition for /home" - when: ubtu20cis_1_1_17_home_mounted.stdout == "" + when: ubtu20cis_1_1_17_home_mounted.stdout | length == 0 when: - ubtu20cis_rule_1_1_17 tags: From 381686b09481a540bfc3e36104ee39b2f8805da4 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 3 May 2021 11:34:29 -0400 Subject: [PATCH 10/44] updated section 1 for running Signed-off-by: George Nalen --- defaults/main.yml | 4 ++++ tasks/prelim.yml | 2 +- tasks/section1.yml | 4 ++-- tasks/section4.yml | 2 +- 4 files changed, 8 insertions(+), 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index a0b4751f..c1940832 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -350,6 +350,10 @@ ubtu20cis_ipv6_required: false # false means you do not require X Windows enabled ubtu20cis_xwindows_required: false +# ubtu20cis_desktop_required is the toggle for requiring desktop environments. True means you use a desktop and will not disable/remove needed items to run a desktop (not recommented for servers) +# false means you do not require a desktop +ubtu20cis_desktop_required: false + # Section 1 Control Variables # Control 1.1.2/1.1.3/1.1.4/1.1.5 # ubtu20cis_tmp_fstab_options are the file system options for the fstabs configuration diff --git a/tasks/prelim.yml b/tasks/prelim.yml index a610a8bb..f059ae08 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -3,7 +3,7 @@ apt: update_cache: yes when: - - ubtu20cis_rule_1_4_1 + - ubtu20cis_rule_1_3_1 - name: "PRELIM | Check for autofs service" shell: "systemctl show autofs | grep LoadState | cut -d = -f 2" diff --git a/tasks/section1.yml b/tasks/section1.yml index aa01d3c4..16a06b78 100644 --- a/tasks/section1.yml +++ b/tasks/section1.yml @@ -784,7 +784,7 @@ msg: - "ALERT!!!!You do not have XD/NX (Execute Disable/No Execute) enabled" - "To conform to CIS standards this needs to be enabled" - when: "'active'not in ubtu20cis_1_6_1_xdnx_status.stdout" + when: "'active'not in ubtu20cis_1_5_1_xdnx_status.stdout" when: - ubtu20cis_rule_1_5_1 tags: @@ -1064,7 +1064,7 @@ - { regexp: 'banner-message-text', line: 'banner-message-text={{ ubtu20cis_warning_banner }}', insertafter: 'banner-message-enable' } when: - ubtu20cis_rule_1_8_2 - - ubtu18cis_desktop_required + - ubtu20cis_desktop_required tags: - level1-server - level1-workstation diff --git a/tasks/section4.yml b/tasks/section4.yml index 8b6c8e5e..14f633bf 100644 --- a/tasks/section4.yml +++ b/tasks/section4.yml 
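Review bot: The new comment line for `ubtu20cis_desktop_required` repeats the misspelling `recommented` and runs well past 120 columns. Splitting it, e.g. `# ubtu20cis_desktop_required is the toggle for requiring desktop environments.` / `# True means you use a desktop and will not disable/remove items needed to run one (not recommended for servers).` / `# false means you do not require a desktop`, keeps it readable in a diff.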
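Review bot: The corrected condition in the tasks/section1.yml @@ -784 hunk still reads `'active'not in ...` with no space between the string literal and `not`; Jinja happens to tokenise it, but it is easy to misread and linters flag it. Write it as `when: "'active' not in ubtu20cis_1_5_1_xdnx_status.stdout"`. The debug task it belongs to starts above the hunk.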
@@ -544,7 +544,7 @@ regexp: "{{ item.regexp }}" line: "{{ item.line }}" with_items: - - { regexp: '^\$ModLoad|^#\$ModLoad', line: '$ModLoad imtc' } + - { regexp: '^\$ModLoad|^#\$ModLoad', line: '$ModLoad imtcp' } - { regexp: '^\$InputTCPServerRun|^#\$InputTCPServerRun', line: '$InputTCPServerRun 514' } notify: restart rsyslog when: ubtu20cis_system_is_log_server From 57198c78fad74eee013b44af24fb40c1e7c85c6d Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 3 May 2021 12:03:00 -0400 Subject: [PATCH 11/44] updated section 2 to v1.1.0 Signed-off-by: George Nalen --- defaults/main.yml | 46 ++++---- tasks/section2.yml | 257 ++++++++++++++++++++++----------------------- 2 files changed, 149 insertions(+), 154 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index c1940832..725a83b8 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
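Review bot: The `regexp` on the corrected imtcp line, `'^\$ModLoad|^#\$ModLoad'`, matches any legacy `$ModLoad <module>` directive, not only the imtcp one, so if the target's rsyslog.conf carries another `$ModLoad` line lineinfile rewrites that line into `$ModLoad imtcp` instead of adding the TCP input. The sibling `$InputTCPServerRun` entry already names its directive; doing the same here, `{ regexp: '^\$ModLoad imtcp|^#\$ModLoad imtcp', line: '$ModLoad imtcp' }`, limits the match. The lineinfile task starts above the hunk.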
@@ -113,35 +113,35 @@ ubtu20cis_rule_1_9: true # Section 2 Fixes # Section 2 is Services (Special Purpose Services, and service clients) -ubtu20cis_rule_2_1_1: true -ubtu20cis_rule_2_1_2: true +# ubtu20cis_rule_2_1_1: true +# ubtu20cis_rule_2_1_2: true ubtu20cis_rule_2_2_1_1: true ubtu20cis_rule_2_2_1_2: true ubtu20cis_rule_2_2_1_3: true ubtu20cis_rule_2_2_1_4: true +ubtu20cis_rule_2_1_2: true +ubtu20cis_rule_2_1_3: true +ubtu20cis_rule_2_1_4: true +ubtu20cis_rule_2_1_5: true +ubtu20cis_rule_2_1_6: true +ubtu20cis_rule_2_1_7: true +ubtu20cis_rule_2_1_8: true +ubtu20cis_rule_2_1_9: true +ubtu20cis_rule_2_1_10: true +ubtu20cis_rule_2_1_11: true +ubtu20cis_rule_2_1_12: true +ubtu20cis_rule_2_1_13: true +ubtu20cis_rule_2_1_14: true +ubtu20cis_rule_2_1_15: true +ubtu20cis_rule_2_1_16: true +ubtu20cis_rule_2_1_17: true +ubtu20cis_rule_2_2_1: true ubtu20cis_rule_2_2_2: true ubtu20cis_rule_2_2_3: true ubtu20cis_rule_2_2_4: true ubtu20cis_rule_2_2_5: true ubtu20cis_rule_2_2_6: true -ubtu20cis_rule_2_2_7: true -ubtu20cis_rule_2_2_8: true -ubtu20cis_rule_2_2_9: true -ubtu20cis_rule_2_2_10: true -ubtu20cis_rule_2_2_11: true -ubtu20cis_rule_2_2_12: true -ubtu20cis_rule_2_2_13: true -ubtu20cis_rule_2_2_14: true -ubtu20cis_rule_2_2_15: true -ubtu20cis_rule_2_2_16: true -ubtu20cis_rule_2_2_17: true -ubtu20cis_rule_2_3_1: true -ubtu20cis_rule_2_3_2: true -ubtu20cis_rule_2_3_3: true -ubtu20cis_rule_2_3_4: true -ubtu20cis_rule_2_3_5: true -ubtu20cis_rule_2_3_6: true -ubtu20cis_rule_2_4: true +ubtu20cis_rule_2_3: true # Section 3 Fixes # Section 3 is Network Configuration (Disable Unused Networks, Network Parameters (Host Only), Network Parameters (Host and Router), Uncommon Network Protocols, and Firewall Configuration) 
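Review bot: After this hunk defaults/main.yml still defines `ubtu20cis_rule_2_2_1_1` through `ubtu20cis_rule_2_2_1_4`, but the tasks/section2.yml hunks in this same patch gate the time-synchronisation tasks on `ubtu20cis_rule_2_1_1_1` through `ubtu20cis_rule_2_1_1_4`, which nothing defines, so the play fails with an undefined variable unless the inventory sets them. Rename the four remaining `_2_2_1_x` toggles to `ubtu20cis_rule_2_1_1_1` … `ubtu20cis_rule_2_1_1_4` and place them ahead of `ubtu20cis_rule_2_1_2` to keep the list in control order. The two `# ubtu20cis_rule_2_1_x: true` lines are dead and can be deleted rather than commented out; git keeps the history.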
@@ -346,10 +346,6 @@ ubtu20cis_ipv4_required: true ubtu20cis_ipv6_required: false # Other system wide variables -# ubtu20cis_xwindows_required is the toggle for requiring x windows. True means you use X Windoes (not recommented for servers) -# false means you do not require X Windows enabled -ubtu20cis_xwindows_required: false - # ubtu20cis_desktop_required is the toggle for requiring desktop environments. True means you use a desktop and will not disable/remove needed items to run a desktop (not recommented for servers) # false means you do not require a desktop ubtu20cis_desktop_required: false @@ -416,7 +412,7 @@ ubtu20cis_warning_banner: | Authorized uses only. All activity may be monitored and reported. # Section 2 Control Variables -# Control 2.2.1.1 +# Control 2.1.1.1 # ubtu20cis_time_sync_tool is the tool in which to synchronize time # The two options are chrony, ntp, or systemd-timesyncd ubtu20cis_time_sync_tool: "ntp" diff --git a/tasks/section2.yml b/tasks/section2.yml index 365091c9..3ab52d42 100644 --- a/tasks/section2.yml +++ b/tasks/section2.yml 
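Review bot: Removing `ubtu20cis_xwindows_required` silently changes behaviour for inventories that set it: the X Window task in tasks/section2.yml now keys on `ubtu20cis_desktop_required`, which defaults to false, so a host that previously kept X by setting `ubtu20cis_xwindows_required: true` would have xserver-xorg removed on the next run. Call this out in the comment above the replacement variable, e.g. `# Replaces ubtu20cis_xwindows_required; set to true if this host needs X or a desktop`, and consider a changelog entry for the renamed toggle.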
@@ -1,51 +1,51 @@ --- -- name: "2.1.1 | PATCH | Ensure xinetd is not installed" - apt: - name: xinetd - state: absent - when: - - ubtu20cis_rule_2_1_1 - tags: - - level1-server - - level1-workstation - - patch - - rule_2.1.1 - - xinetd - -- name: "2.1.2 | PATCH | Ensure openbsd-inetd is not installed" - apt: - name: openbsd-inetd - state: absent - when: - - ubtu20cis_rule_2_1_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_2.1.2 - - openbsd-inetd - -- name: "2.2.1.1 | PATCH | Ensure time synchronization is in use" +# - name: "2.1.1 | PATCH | Ensure xinetd is not installed" +# apt: +# name: xinetd +# state: absent +# when: +# - ubtu20cis_rule_2_1_1 +# tags: +# - level1-server +# - level1-workstation +# - patch +# - rule_2.1.1 +# - xinetd + +# - name: "2.1.2 | PATCH | Ensure openbsd-inetd is not installed" +# apt: +# name: openbsd-inetd +# state: absent +# when: +# - ubtu20cis_rule_2_1_2 +# tags: +# - level1-server +# - level1-workstation +# - patch +# - rule_2.1.2 +# - openbsd-inetd + +- name: "2.1.1.1 | PATCH | Ensure time synchronization is in use" apt: name: "{{ ubtu20cis_time_sync_tool }}" state: present when: - - ubtu20cis_rule_2_2_1_1 + - ubtu20cis_rule_2_1_1_1 tags: - level1-server - level1-workstation - patch - - rule_2.2.1.1 + - rule_2.1.1.1 - chrony -- name: "2.2.1.2 | PATCH | Ensure systemd-timesyncd is configured" +- name: "2.1.1.2 | PATCH | Ensure systemd-timesyncd is configured" block: - - name: "2.2.1.2 | PATCH | Ensure systemd-timesyncd is configured | Remove ntp and chrony" + - name: "2.1.1.2 | PATCH | Ensure systemd-timesyncd is configured | Remove ntp and chrony" apt: name: ['ntp', 'chrony'] state: absent - - name: "2.2.1.2 | PATCH | Ensure systemd-timesyncd is configured | Set configuration for systemd-timesyncd" + - name: "2.1.1.2 | PATCH | Ensure systemd-timesyncd is configured | Set configuration for systemd-timesyncd" lineinfile: path: /etc/systemd/timesyncd.conf regexp: "{{ item.regexp }}" 
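Review bot: The 2.1.1 and 2.1.2 inetd tasks are commented out line by line rather than deleted, leaving two blocks of dead YAML at the top of the file whose `ubtu20cis_rule_2_1_1`/`ubtu20cis_rule_2_1_2` toggles are likewise commented out in defaults. If the controls were dropped from the benchmark, delete the blocks; if they are expected to return, a single line such as `# 2.1.1/2.1.2 (xinetd, openbsd-inetd) are not in v1.1.0; kept for reference` says so without carrying the full tasks. Commented-out tasks also tend to receive mechanical edits, as the renumbering in this patch shows.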
@@ -57,48 +57,48 @@ - { regexp: '^#FallbackNTP|^FallbackNTP', line: 'FallbackNTP={{ ubtu20cis_ntp_fallback_server_list }}', insertafter: '\[Time\]' } - { regexp: '^#RootDistanceMaxSec|^RootDistanceMaxSec', line: 'RootDistanceMaxSec=1', insertafter: '\[Time\]'} - - name: "2.2.1.2 | PATCH | Ensure systemd-timesyncd is configured | Start and enable the systemd-timesyncd service" + - name: "2.1.1.2 | PATCH | Ensure systemd-timesyncd is configured | Start and enable the systemd-timesyncd service" systemd: name: systemd-timesyncd.service state: started enabled: yes masked: no - - name: "2.2.1.2 | PATCH | Ensure systemd-timesyncd is configured | Set timedatectl to ntp" + - name: "2.1.1.2 | PATCH | Ensure systemd-timesyncd is configured | Set timedatectl to ntp" command: timedatectl set-ntp true when: - - ubtu20cis_rule_2_2_1_2 + - ubtu20cis_rule_2_1_1_2 - ubtu20cis_time_sync_tool == "systemd-timesyncd" tags: - level1-server - level1-workstation - manual - patch - - rule_2.2.1.2 + - rule_2.1.1.2 - systemd-timesyncd -- name: "2.2.1.3 | PATCH | Ensure chrony is configured" +- name: "2.1.1.3 | PATCH | Ensure chrony is configured" block: - - name: "2.2.1.3 | PATCH | Ensure chrony is configured | Remove ntp" + - name: "2.1.1.3 | PATCH | Ensure chrony is configured | Remove ntp" apt: name: ntp state: absent - - name: "2.2.1.3 | PATCH | Ensure chrony is configured | Disable/Mask systemd-timesyncd" + - name: "2.1.1.3 | PATCH | Ensure chrony is configured | Disable/Mask systemd-timesyncd" systemd: name: systemd-timesyncd state: stopped enabled: no masked: yes - - name: "2.2.1.3 | AUDIT | Ensure chrony is configured | Check for chrony user" + - name: "2.1.1.3 | AUDIT | Ensure chrony is configured | Check for chrony user" shell: grep {{ ubtu20cis_chrony_user }} /etc/passwd changed_when: false failed_when: false check_mode: false - register: ubtu20cis_2_2_1_3_chrony_user_status + register: ubtu20cis_2_1_1_3_chrony_user_status - - name: "2.2.1.3 | PATCH | Ensure chrony is configured | 
Set chrony.conf file" + - name: "2.1.1.3 | PATCH | Ensure chrony is configured | Set chrony.conf file" template: src: chrony.conf.j2 dest: /etc/chrony/chrony.conf @@ -106,12 +106,12 @@ group: root mode: 0644 - - name: "2.2.1.3 | PATCH | Ensure chrony is configured | Create chrony user" + - name: "2.1.1.3 | PATCH | Ensure chrony is configured | Create chrony user" user: name: "{{ ubtu20cis_chrony_user }}" shell: /usr/sbin/nologin system: true - when: ubtu20cis_2_2_1_3_chrony_user_status.stdout != "" + when: ubtu20cis_2_1_1_3_chrony_user_status.stdout != "" - name: "2.2.1.3 | PATCH | Ensure chrony is configured | Set option to use chrony user" lineinfile: @@ -119,30 +119,30 @@ regexp: '^DAEMON_OPTS' line: 'DAEMON_OPTS="-u _chrony"' when: - - ubtu20cis_rule_2_2_1_3 + - ubtu20cis_rule_2_1_1_3 - ubtu20cis_time_sync_tool == "chrony" tags: - level1-server - level1-workstation - patch - - rule_2.2.1.3 + - rule_2.1.1.3 - chrony -- name: "2.2.1.4 | PATCH | Ensure ntp is configured" +- name: "2.1.1.4 | PATCH | Ensure ntp is configured" block: - - name: "2.2.1.4 | PATCH | Ensure ntp is configured | Remove chrony" + - name: "2.1.1.4 | PATCH | Ensure ntp is configured | Remove chrony" apt: name: chrony state: absent - - name: "2.2.1.4 | PATCH | Ensure ntp is configured | Disable/Mask systemd-timesyncd" + - name: "2.1.1.4 | PATCH | Ensure ntp is configured | Disable/Mask systemd-timesyncd" systemd: name: systemd-timesyncd state: stopped enabled: no masked: yes - - name: "2.2.1.4 | PATCH | Ensure ntp is configured | Set ntp.conf settings" + - name: "2.1.1.4 | PATCH | Ensure ntp is configured | Set ntp.conf settings" template: src: ntp.conf.j2 dest: /etc/ntp.conf @@ -150,7 +150,7 @@ group: root mode: 0644 - - name: "2.2.1.4 | PATCH | Ensure ntp is configured | Modify sysconfig/ntpd" + - name: "2.1.1.4 | PATCH | Ensure ntp is configured | Modify sysconfig/ntpd" lineinfile: path: /etc/sysconfig/ntpd regexp: "{{ item.regexp }}" 
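Review bot: The renamed chrony-user check, `shell: grep {{ ubtu20cis_chrony_user }} /etc/passwd`, is an unanchored substring match, so any passwd line containing the name (for example inside another account name or GECOS field) populates `ubtu20cis_2_1_1_3_chrony_user_status.stdout` and the create step in the next hunk is decided on that. `command: getent passwd {{ ubtu20cis_chrony_user }}` (or `grep '^{{ ubtu20cis_chrony_user }}:' /etc/passwd`) matches only the account and needs no shell. The block's remaining tasks and `when:` continue in the following hunks.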
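Review bot: The create-user condition carried over in the @@ -106 hunk, `when: ubtu20cis_2_1_1_3_chrony_user_status.stdout != ""`, runs the `user` task only when grep already found the account and skips it when the output is empty, which reads as the inverse of the intent; the `user` module is idempotent on an existing account, but a host without the chrony user never gets one created and the later `DAEMON_OPTS="-u _chrony"` setting then names a missing user. Change it to `when: ubtu20cis_2_1_1_3_chrony_user_status.stdout | length == 0`, matching the empty-output checks used elsewhere in this series. The following task name also still reads `"2.2.1.3 | PATCH | Ensure chrony is configured | Set option to use chrony user"` and was missed by the 2.1.1.3 renumbering.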
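Review bot: The renamed `Modify sysconfig/ntpd` task in the @@ -150 hunk points `lineinfile` at `path: /etc/sysconfig/ntpd`, a Red Hat-style location; Ubuntu's ntp package keeps its daemon options in `/etc/default/ntp`, and without `create: yes` lineinfile fails when the file is absent, which matters because the defaults in this patch select `ubtu20cis_time_sync_tool: "ntp"`. Presumably this carried over from a RHEL role — confirm the path on a 20.04 host and either switch it to `path: /etc/default/ntp` or add `create: yes` deliberately. The task's `with_items` continues in the next hunk.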
@@ -160,235 +160,234 @@ - { regexp: '^OPTIONS', line: 'OPTIONS="-u ntp:ntp"'} - { regexp: '^NTPD_OPTIONS', line: 'NTPD_OPTIONS="-u ntp:ntp"' } - - name: "2.2.1.4 | PATCH | Ensure ntp is configured | Modify /etc/init.d/npt" + - name: "2.1.1.4 | PATCH | Ensure ntp is configured | Modify /etc/init.d/npt" lineinfile: path: /etc/init.d/ntp regexp: '^RUNAUSER' line: 'RUNAUSER=npt' when: - - ubtu20cis_rule_2_2_1_4 + - ubtu20cis_rule_2_1_1_4 - ubtu20cis_time_sync_tool == "ntp" tags: - level1-server - level1-workstation - patch - - rule_2.2.1.4 + - rule_2.1.1.4 - ntp -- name: "2.2.2 | PATCH | Ensure X Window System is not installed" +- name: "2.1.2 | PATCH | Ensure X Window System is not installed" apt: name: xserver-xorg* state: absent when: - - ubtu20cis_rule_2_2_2 - - not ubtu20cis_xwindows_required + - ubtu20cis_rule_2_1_2 + - not ubtu20cis_desktop_required tags: - level1-server - - patch - - rule_2.2.2 + - rule_2.1.2 - xwindows -- name: "2.2.3 | PATCH | Ensure Avahi Server is not installed" +- name: "2.1.3 | PATCH | Ensure Avahi Server is not installed" block: - - name: "2.2.3 | PATCH | Ensure Avahi Server is not installed | Stop/Disable avahi-daemon.service" + - name: "2.1.3 | PATCH | Ensure Avahi Server is not installed | Stop/Disable avahi-daemon.service" service: name: avahi-daemon.service state: stopped enabled: no when: avahi_service_status.stdout == "loaded" - - name: "2.2.3 | PATCH | Ensure Avahi Server is not installed | Stop/Disable avahi-daemon.socket" + - name: "2.1.3 | PATCH | Ensure Avahi Server is not installed | Stop/Disable avahi-daemon.socket" service: name: avahi-daemon.socket state: stopped enabled: no when: avahi_service_status.stdout == "loaded" - - name: "2.2.3 | PATCH | Ensure Avahi Server is not installed | Remove avahi-daemon" + - name: "2.1.3 | PATCH | Ensure Avahi Server is not installed | Remove avahi-daemon" apt: name: avahi-daemon state: absent when: - - ubtu20cis_rule_2_2_3 + - ubtu20cis_rule_2_1_3 - not ubtu20cis_avahi_server tags: - 
level1-server - level1-workstation - patch - - rule_2.2.3 + - rule_2.1.3 - avahi - services -- name: "2.2.4 | PATCH | Ensure CUPS is not installed" +- name: "2.1.4 | PATCH | Ensure CUPS is not installed" apt: name: cups state: absent when: - - ubtu20cis_rule_2_2_4 + - ubtu20cis_rule_2_1_4 - not ubtu20cis_cups_server tags: - level1-server - level2-workstation - patch - - rule_2.2.4 + - rule_2.1.4 - cups - services -- name: "2.2.5 | PATCH | Ensure DHCP Server is not installed" +- name: "2.1.5 | PATCH | Ensure DHCP Server is not installed" apt: name: isc-dhcp-server state: absent when: - - ubtu20cis_rule_2_2_5 + - ubtu20cis_rule_2_1_5 - not ubtu20cis_dhcp_server tags: - level1-server - level1-workstation - patch - - rule_2.2.5 + - rule_2.1.5 - dhcp - services -- name: "2.2.6 | PATCH | Ensure LDAP server is not installed" +- name: "2.1.6 | PATCH | Ensure LDAP server is not installed" apt: name: slapd state: absent when: - - ubtu20cis_rule_2_2_6 + - ubtu20cis_rule_2_1_6 - not ubtu20cis_ldap_server tags: - level1-server - level1-workstation - patch - - rule_2.2.6 + - rule_2.1.6 - ldap - services -- name: "2.2.7 | PATCH | Ensure NFS is not installed" +- name: "2.1.7 | PATCH | Ensure NFS is not installed" apt: name: rpcbind state: absent when: - - ubtu20cis_rule_2_2_7 + - ubtu20cis_rule_2_1_7 - not ubtu20cis_nfs_server tags: - level1-server - level1-workstation - patch - - rule_2.2.7 + - rule_2.1.7 - nfs - rpc - services -- name: "2.2.8 | PATCH | Ensure DNS Server is not installed" +- name: "2.1.8 | PATCH | Ensure DNS Server is not installed" apt: name: bind9 state: absent when: - - ubtu20cis_rule_2_2_8 + - ubtu20cis_rule_2_1_8 - not ubtu20cis_dns_server tags: - level1-server - level1-workstation - patch - - rule_2.2.8 + - rule_2.1.8 - dns - service -- name: "2.2.9 | PATCH | Ensure FTP Server is not installed" +- name: "2.1.9 | PATCH | Ensure FTP Server is not installed" apt: name: vsftpd state: absent when: - - ubtu20cis_rule_2_2_9 + - ubtu20cis_rule_2_1_9 - not 
ubtu20cis_vsftpd_server tags: - level1-server - level1-workstation - patch - - rule_2.2.9 + - rule_2.1.9 - ftp - service -- name: "2.2.10 | PATCH | Ensure HTTP server is not installed" +- name: "2.1.10 | PATCH | Ensure HTTP server is not installed" apt: name: apache2 state: absent when: - - ubtu20cis_rule_2_2_10 + - ubtu20cis_rule_2_1_10 - not ubtu20cis_httpd_server tags: - level1-server - level1-workstation - patch - - rule_2.2.10 + - rule_2.1.10 - httpd - service -- name: "2.2.11 | PATCH | Ensure IMAP and POP3 server are not installed" +- name: "2.1.11 | PATCH | Ensure IMAP and POP3 server are not installed" apt: name: ['dovecot-imapd', 'dovecot-pop3d'] state: absent when: - - ubtu20cis_rule_2_2_11 + - ubtu20cis_rule_2_1_11 - not ubtu20cis_dovecot_server tags: - level1-server - level1-workstation - patch - - rule_2.2.11 + - rule_2.1.11 - dovecot - service -- name: "2.2.12 | PATCH | Ensure Samba is not installed" +- name: "2.1.12 | PATCH | Ensure Samba is not installed" apt: name: samba state: absent when: - - ubtu20cis_rule_2_2_12 + - ubtu20cis_rule_2_1_12 - not ubtu20cis_smb_server tags: - level1-server - level1-workstation - patch - - rule_2.2.12 + - rule_2.1.12 - samba - service -- name: "2.2.13 | PATCH | Ensure HTTP Proxy Server is not installed" +- name: "2.1.13 | PATCH | Ensure HTTP Proxy Server is not installed" apt: name: squid state: absent when: - - ubtu20cis_rule_2_2_13 + - ubtu20cis_rule_2_1_13 - not ubtu20cis_squid_server tags: - level1-server - level1-workstation - patch - - rule_2.2.13 + - rule_2.1.13 - http_proxy - service -- name: "2.2.14 | PATCH | Ensure SNMP Server is not installed" +- name: "2.1.14 | PATCH | Ensure SNMP Server is not installed" apt: name: snmpd state: absent when: - - ubtu20cis_rule_2_2_14 + - ubtu20cis_rule_2_1_14 - not ubtu20cis_snmp_server tags: - level1-server - level1-workstation - patch - - rule_2.2.14 + - rule_2.1.14 - snmp - service -- name: "2.2.15 | PATCH | Ensure mail transfer agent is configured for local-only 
mode" +- name: "2.1.15 | PATCH | Ensure mail transfer agent is configured for local-only mode" block: - - name: "2.2.15 | PATCH | Ensure mail transfer agent is configured for local-only mode | Make changes if exim4 installed" + - name: "2.1.15 | PATCH | Ensure mail transfer agent is configured for local-only mode | Make changes if exim4 installed" lineinfile: path: /etc/exim4/update-exim4.conf.conf regexp: "{{ item.regexp }}" @@ -408,7 +407,7 @@ notify: restart exim4 when: ubtu20_cis_mail_transfer_agent == "exim4" - - name: "2.2.15 | PATCH | Ensure mail transfer agent is configured for local-only mode | Make changes if postfix is installed" + - name: "2.1.15 | PATCH | Ensure mail transfer agent is configured for local-only mode | Make changes if postfix is installed" lineinfile: path: /etc/postfix/main.cf regexp: '^(#)?inet_interfaces' 
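Review bot: The `patch` tag is dropped from the 2.1.2 X Window task's tag list with no replacement (the hunk removes `- patch` and adds only `- rule_2.1.2`; the hunk's 235→234 line count reflects it), while every other PATCH task in this hunk keeps it, so a run limited with `--tags patch` would skip this control; restore `- patch` next to `- rule_2.1.2`. Two context lines in the 2.1.1.4 block also look wrong on the new side: the task named "Modify /etc/init.d/npt" writes `line: 'RUNAUSER=npt'`, where both `npt` spellings appear to be typos for `ntp`, and if the init script uses `RUNASUSER=` as Debian's does, the regexp `^RUNAUSER` never matches and lineinfile appends a dead line instead of changing the run-as user. Separately, 2.1.7 (NFS) and 2.2.6 (RPC) both remove `rpcbind`, so the NFS server package itself is never removed by the NFS control. The hunk ends at the head of the 2.1.15 block, whose body continues in the next hunk.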
@@ -416,134 +415,134 @@ notify: restart postfix when: ubtu20_cis_mail_transfer_agent == "postfix" - - name: "2.2.15 | PATCH | Ensure mail transfer agent is configured for local-only mode | Message out other main agents" + - name: "2.1.15 | PATCH | Ensure mail transfer agent is configured for local-only mode | Message out other main agents" debug: msg: - "Warning!! You are not using either exim4 or postfix" - "Please review your vendors documentation to configure local-only mode" when: ubtu20_cis_mail_transfer_agent == "other" when: - - ubtu20cis_rule_2_2_15 + - ubtu20cis_rule_2_1_15 tags: - level1-server - level1-workstation - scored - patch - - rule_2.2.15 + - rule_2.1.15 - postfix -- name: "2.2.16 | PATCH | Ensure rsync service is not installed" +- name: "2.1.16 | PATCH | Ensure rsync service is not installed" apt: name: rsync state: absent when: - - ubtu20cis_rule_2_2_16 + - ubtu20cis_rule_2_1_16 - not ubtu20cis_rsync_server tags: - level1-server - level1-workstation - patch - - rule_2.2.16 + - rule_2.1.16 - rsync -- name: "2.2.17 | PATCH | Ensure NIS Server is not installed" +- name: "2.1.17 | PATCH | Ensure NIS Server is not installed" apt: name: nis state: absent when: - - ubtu20cis_rule_2_2_17 + - ubtu20cis_rule_2_1_17 - not ubtu20cis_nis_server tags: - level1-server - level1-workstation - - rule_2.2.17 + - rule_2.1.17 - nis - service -- name: "2.3.1 | PATCH | Ensure NIS Client is not installed" +- name: "2.2.1 | PATCH | Ensure NIS Client is not installed" apt: name: nis state: absent when: - - ubtu20cis_rule_2_3_1 + - ubtu20cis_rule_2_2_1 - not ubtu20cis_nis_required tags: - level1-server - level1-workstation - - rule_2.3.1 + - rule_2.2.1 - nis -- name: "2.3.2 | PATCH | Ensure rsh client is not installed" +- name: "2.2.2 | PATCH | Ensure rsh client is not installed" apt: name: rsh-client state: absent when: - - ubtu20cis_rule_2_3_2 + - ubtu20cis_rule_2_2_2 - not ubtu20cis_rsh_required tags: - level1-server - level1-workstation - patch - - rule_2.3.2 + - 
rule_2.2.2 - rsh -- name: "2.3.3 | PATCH | Ensure talk client is not installed" +- name: "2.2.3 | PATCH | Ensure talk client is not installed" apt: name: talk state: absent when: - - ubtu20cis_rule_2_3_3 + - ubtu20cis_rule_2_2_3 - not ubtu20cis_talk_required tags: - level1-server - level1-workstation - patch - - rule_2.3.3 + - rule_2.2.3 - talk -- name: "2.3.4 | PATCH | Ensure telnet client is not installed" +- name: "2.2.4 | PATCH | Ensure telnet client is not installed" apt: name: telnet state: absent when: - - ubtu20cis_rule_2_3_4 + - ubtu20cis_rule_2_2_4 - not ubtu20cis_telnet_required tags: - level1-server - level1-workstation - patch - - rule_2.3.4 + - rule_2.2.4 - telnet -- name: "2.3.5 | PATCH | Ensure LDAP client is not installed" +- name: "2.2.5 | PATCH | Ensure LDAP client is not installed" apt: name: ldap-utils state: absent when: - - ubtu20cis_rule_2_3_5 + - ubtu20cis_rule_2_2_5 - not ubtu20cis_ldap_clients_required tags: - level1-server - level1-workstation - patch - - rule_2.3.5 + - rule_2.2.5 - ldap -- name: "2.3.6 | PATCH | Ensure RPC is not installed" +- name: "2.2.6 | PATCH | Ensure RPC is not installed" apt: name: rpcbind state: absent when: - - ubtu20cis_rule_2_3_6 + - ubtu20cis_rule_2_2_6 - not ubtu20cis_rpc_required tags: - level1-server - level1-workstation - patch - - rule_2.3.6 + - rule_2.2.6 - rpbc -- name: "2.4 | AUDIT | Ensure nonessential services are removed or masked" +- name: "2.3 | AUDIT | Ensure nonessential services are removed or masked" block: - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Check for services" shell: lsof -i -P -n | grep -v "(ESTABLISHED)" From 4b12a4ba3f1529b41ccbe1962b158eff47884c92 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 3 May 2021 15:36:45 -0400 Subject: [PATCH 12/44] updated section 2 for running 
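Review bot: The parent task is renumbered to `2.3 | AUDIT | Ensure nonessential services are removed or masked`, but its first sub-task on the new side is still `2.4 | AUDIT | ... | Check for services` and registers `ubtu20cis_2_4_services`, so the block now carries two different control numbers; rename the sub-tasks (and ideally the register variable) to 2.3 as well. The same stale `2.4` is carried forward, with a `MANUAL |` prefix, in the `@@ -538,20 +562,21 @@` hunk of the automated/manual labels commit. Also on the new side, the 2.2.6 RPC task's tag `- rpbc` is a typo for `rpc`, and 2.1.17 and 2.2.1 both remove the same `nis` package under different guards, so setting `ubtu20cis_nis_required: true` does not keep the package unless `ubtu20cis_nis_server` is also true. The 2.3 block's remaining tasks, `when:` and `tags:` lie beyond this hunk.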
Signed-off-by: George Nalen --- .DS_Store | Bin 8196 -> 8196 bytes defaults/main.yml | 15 ++++++++------- tasks/prelim.yml | 2 +- 3 files changed, 9 insertions(+), 8 deletions(-) diff --git a/.DS_Store b/.DS_Store index 18b55040a9f7ef87194ae8e3bb21903b33b26446..65b247f9f66373f49f0554e2803405f42c5481fd 100644 GIT binary patch delta 34 qcmZp1XmOa}&nUDpU^hRb&}JTiBaEAW2_9tHJdvl2c{97jUv>b|9SjWs delta 65 zcmZp1XmOa}&nUbxU^hRb@Ma!?BaG6l3~3CR3^@#`48@)~`N>H+`AG~63<3-cjIEmw V3SMB^d_=~9d13?4W_F3c>;PUK68-=H diff --git a/defaults/main.yml b/defaults/main.yml index 725a83b8..5260037a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -115,10 +115,10 @@ ubtu20cis_rule_1_9: true # Section 2 is Services (Special Purpose Services, and service clients) # ubtu20cis_rule_2_1_1: true # ubtu20cis_rule_2_1_2: true -ubtu20cis_rule_2_2_1_1: true -ubtu20cis_rule_2_2_1_2: true -ubtu20cis_rule_2_2_1_3: true -ubtu20cis_rule_2_2_1_4: true +ubtu20cis_rule_2_1_1_1: true +ubtu20cis_rule_2_1_1_2: true +ubtu20cis_rule_2_1_1_3: true +ubtu20cis_rule_2_1_1_4: true ubtu20cis_rule_2_1_2: true ubtu20cis_rule_2_1_3: true ubtu20cis_rule_2_1_4: true @@ -142,6 +142,7 @@ ubtu20cis_rule_2_2_4: true ubtu20cis_rule_2_2_5: true ubtu20cis_rule_2_2_6: true ubtu20cis_rule_2_3: true +ubtu20cis_rule_2_4: true # Section 3 Fixes # Section 3 is Network Configuration (Disable Unused Networks, Network Parameters (Host Only), Network Parameters (Host and Router), Uncommon Network Protocols, and Firewall Configuration) 
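Review bot: `ubtu20cis_rule_2_4: true` is added directly after the existing `ubtu20cis_rule_2_3: true`, while the last control of tasks/section2.yml (the nonessential-services audit) was renumbered from 2.4 to 2.3 earlier in this series and no 2.4 control remains in section 2, so one of the two variables looks stale; the block's `when:` is not visible here, so confirm which name it reads and drop or comment the other. The same file's `@@ -115,10 +115,10 @@` hunk keeps the commented `# ubtu20cis_rule_2_1_1: true` and `# ubtu20cis_rule_2_1_2: true` lines directly above the live `ubtu20cis_rule_2_1_1_1` group and a live `ubtu20cis_rule_2_1_2: true`; those leftovers should be removed, or gain a comment saying why they are kept.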
@@ -417,13 +418,13 @@ ubtu20cis_warning_banner: | # The two options are chrony, ntp, or systemd-timesyncd ubtu20cis_time_sync_tool: "ntp" -# Control 2.2.1.2 +# Control 2.1.1.2 # ubtu20cis_ntp_server_list is the list ntp servers # ubtu20cis_ntp_fallback_server_list is the list of fallback NTP servers ubtu20cis_ntp_server_list: "0.debian.pool.ntp.org 1.debian.pool.ntp.org" ubtu20cis_ntp_fallback_server_list: "2.debian.pool.ntp.org 3.debian.pool.ntp.org" -# Control 2.2.1.3/2.2.1.4 +# Control 2.1.1.3/2.1.1.4 # ubtu20cis_chrony_server_options is the server options for chrony ubtu20cis_chrony_server_options: "minpoll 8" # ubtu20cis_time_synchronization_servers are the synchronization servers @@ -437,7 +438,7 @@ ubtu20cis_chrony_user: "_chrony" # ubtu20cis_ntp_server_options is the server options for ntp ubtu20cis_ntp_server_options: "iburst" -# Control 2.2.15 +# Control 2.1.15 # ubtu20_cis_mail_transfer_agent is the mail transfer agent in use # The options are exim4, postfix or other ubtu20_cis_mail_transfer_agent: "other" diff --git a/tasks/prelim.yml b/tasks/prelim.yml index f059ae08..0c26bdbf 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -21,7 +21,7 @@ changed_when: false check_mode: false when: - - ubtu20cis_rule_2_2_3 + - ubtu20cis_rule_2_1_3 tags: - skip_ansible_lint From aedff2e52efbe2c0c591f4f19b1611ddd950b4c4 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 3 May 2021 15:39:44 -0400 Subject: [PATCH 13/44] Updated section 2 to remove empty string compares Signed-off-by: George Nalen --- tasks/section2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section2.yml b/tasks/section2.yml index 3ab52d42..de0a783f 100644 --- a/tasks/section2.yml +++ b/tasks/section2.yml 
@@ -111,7 +111,7 @@ name: "{{ ubtu20cis_chrony_user }}" shell: /usr/sbin/nologin system: true - when: ubtu20cis_2_1_1_3_chrony_user_status.stdout != "" + when: ubtu20cis_2_1_1_3_chrony_user_status.stdout | length > 0 - name: "2.2.1.3 | PATCH | Ensure chrony is configured | Set option to use chrony user" lineinfile: From 170000f3cd09905e543d58f415c81754ec1e9c47 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 3 May 2021 16:10:36 -0400 Subject: [PATCH 14/44] updated section 2 automated/manual labels Signed-off-by: George Nalen --- tasks/section2.yml | 123 +++++++++++++++++++++++++++------------------ 1 file changed, 74 insertions(+), 49 deletions(-) diff --git a/tasks/section2.yml b/tasks/section2.yml index de0a783f..61d37dd0 100644 --- a/tasks/section2.yml +++ b/tasks/section2.yml @@ -25,7 +25,7 @@ # - rule_2.1.2 # - openbsd-inetd -- name: "2.1.1.1 | PATCH | Ensure time synchronization is in use" +- name: "AUTOMATED | 2.1.1.1 | PATCH | Ensure time synchronization is in use" apt: name: "{{ ubtu20cis_time_sync_tool }}" state: present @@ -34,18 +34,19 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_2.1.1.1 - chrony -- name: "2.1.1.2 | PATCH | Ensure systemd-timesyncd is configured" +- name: "AUTOMATED | 2.1.1.2 | PATCH | Ensure systemd-timesyncd is configured" block: - - name: "2.1.1.2 | PATCH | Ensure systemd-timesyncd is configured | Remove ntp and chrony" + - name: "AUTOMATED | 2.1.1.2 | PATCH | Ensure systemd-timesyncd is configured | Remove ntp and chrony" apt: name: ['ntp', 'chrony'] state: absent - - name: "2.1.1.2 | PATCH | Ensure systemd-timesyncd is configured | Set configuration for systemd-timesyncd" + - name: "AUTOMATED | 2.1.1.2 | PATCH | Ensure systemd-timesyncd is configured | Set configuration for systemd-timesyncd" lineinfile: path: /etc/systemd/timesyncd.conf regexp: "{{ item.regexp }}" 
@@ -57,14 +58,14 @@ - { regexp: '^#FallbackNTP|^FallbackNTP', line: 'FallbackNTP={{ ubtu20cis_ntp_fallback_server_list }}', insertafter: '\[Time\]' } - { regexp: '^#RootDistanceMaxSec|^RootDistanceMaxSec', line: 'RootDistanceMaxSec=1', insertafter: '\[Time\]'} - - name: "2.1.1.2 | PATCH | Ensure systemd-timesyncd is configured | Start and enable the systemd-timesyncd service" + - name: "AUTOMATED | 2.1.1.2 | PATCH | Ensure systemd-timesyncd is configured | Start and enable the systemd-timesyncd service" systemd: name: systemd-timesyncd.service state: started enabled: yes masked: no - - name: "2.1.1.2 | PATCH | Ensure systemd-timesyncd is configured | Set timedatectl to ntp" + - name: "AUTOMATED | 2.1.1.2 | PATCH | Ensure systemd-timesyncd is configured | Set timedatectl to ntp" command: timedatectl set-ntp true when: - ubtu20cis_rule_2_1_1_2 
@@ -72,33 +73,34 @@ tags: - level1-server - level1-workstation + - automated - manual - patch - rule_2.1.1.2 - systemd-timesyncd -- name: "2.1.1.3 | PATCH | Ensure chrony is configured" +- name: "AUTOMATED | 2.1.1.3 | PATCH | Ensure chrony is configured" block: - - name: "2.1.1.3 | PATCH | Ensure chrony is configured | Remove ntp" + - name: "AUTOMATED | 2.1.1.3 | PATCH | Ensure chrony is configured | Remove ntp" apt: name: ntp state: absent - - name: "2.1.1.3 | PATCH | Ensure chrony is configured | Disable/Mask systemd-timesyncd" + - name: "AUTOMATED | 2.1.1.3 | PATCH | Ensure chrony is configured | Disable/Mask systemd-timesyncd" systemd: name: systemd-timesyncd state: stopped enabled: no masked: yes - - name: "2.1.1.3 | AUDIT | Ensure chrony is configured | Check for chrony user" + - name: "AUTOMATED | 2.1.1.3 | AUDIT | Ensure chrony is configured | Check for chrony user" shell: grep {{ ubtu20cis_chrony_user }} /etc/passwd changed_when: false failed_when: false check_mode: false register: ubtu20cis_2_1_1_3_chrony_user_status - - name: "2.1.1.3 | PATCH | Ensure chrony is configured | Set chrony.conf file" + - name: "AUTOMATED | 2.1.1.3 | PATCH | Ensure chrony is configured | Set chrony.conf file" template: src: chrony.conf.j2 dest: /etc/chrony/chrony.conf @@ -106,14 +108,14 @@ group: root mode: 0644 - - name: "2.1.1.3 | PATCH | Ensure chrony is configured | Create chrony user" + - name: "AUTOMATED | 2.1.1.3 | PATCH | Ensure chrony is configured | Create chrony user" user: name: "{{ ubtu20cis_chrony_user }}" shell: /usr/sbin/nologin system: true when: ubtu20cis_2_1_1_3_chrony_user_status.stdout | length > 0 - - name: "2.2.1.3 | PATCH | Ensure chrony is configured | Set option to use chrony user" + - name: "AUTOMATED | 2.2.1.3 | PATCH | Ensure chrony is configured | Set option to use chrony user" lineinfile: path: /etc/default/chrony regexp: '^DAEMON_OPTS' 
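Review bot: The 2.1.1.2 systemd-timesyncd block now carries both `- automated` (added here) and the pre-existing `- manual` tag, while its name says `AUTOMATED |`, so the two labels contradict each other and `--skip-tags manual` would drop a control the name declares automated; remove `- manual`, or if the control is genuinely manual, change the prefix and the added tag instead. The `@@ -34,18 +34,19 @@` hunk above adds only `- automated` to 2.1.1.1, which is the pattern the rest of this commit follows. The block's tasks are in the preceding hunks.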
@@ -124,25 +126,26 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_2.1.1.3 - chrony -- name: "2.1.1.4 | PATCH | Ensure ntp is configured" +- name: "AUTOMATED | 2.1.1.4 | PATCH | Ensure ntp is configured" block: - - name: "2.1.1.4 | PATCH | Ensure ntp is configured | Remove chrony" + - name: "AUTOMATED | 2.1.1.4 | PATCH | Ensure ntp is configured | Remove chrony" apt: name: chrony state: absent - - name: "2.1.1.4 | PATCH | Ensure ntp is configured | Disable/Mask systemd-timesyncd" + - name: "AUTOMATED | 2.1.1.4 | PATCH | Ensure ntp is configured | Disable/Mask systemd-timesyncd" systemd: name: systemd-timesyncd state: stopped enabled: no masked: yes - - name: "2.1.1.4 | PATCH | Ensure ntp is configured | Set ntp.conf settings" + - name: "AUTOMATED | 2.1.1.4 | PATCH | Ensure ntp is configured | Set ntp.conf settings" template: src: ntp.conf.j2 dest: /etc/ntp.conf @@ -150,7 +153,7 @@ group: root mode: 0644 - - name: "2.1.1.4 | PATCH | Ensure ntp is configured | Modify sysconfig/ntpd" + - name: "AUTOMATED | 2.1.1.4 | PATCH | Ensure ntp is configured | Modify sysconfig/ntpd" lineinfile: path: /etc/sysconfig/ntpd regexp: "{{ item.regexp }}" @@ -160,7 +163,7 @@ - { regexp: '^OPTIONS', line: 'OPTIONS="-u ntp:ntp"'} - { regexp: '^NTPD_OPTIONS', line: 'NTPD_OPTIONS="-u ntp:ntp"' } - - name: "2.1.1.4 | PATCH | Ensure ntp is configured | Modify /etc/init.d/npt" + - name: "AUTOMATED | 2.1.1.4 | PATCH | Ensure ntp is configured | Modify /etc/init.d/npt" lineinfile: path: /etc/init.d/ntp regexp: '^RUNAUSER' @@ -171,11 +174,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_2.1.1.4 - ntp -- name: "2.1.2 | PATCH | Ensure X Window System is not installed" +- name: "AUTOMATED | 2.1.2 | PATCH | Ensure X Window System is not installed" apt: name: xserver-xorg* state: absent 
@@ -184,27 +188,28 @@ - not ubtu20cis_desktop_required tags: - level1-server + - automated - patch - rule_2.1.2 - xwindows -- name: "2.1.3 | PATCH | Ensure Avahi Server is not installed" +- name: "AUTOMATED | 2.1.3 | PATCH | Ensure Avahi Server is not installed" block: - - name: "2.1.3 | PATCH | Ensure Avahi Server is not installed | Stop/Disable avahi-daemon.service" + - name: "AUTOMATED | 2.1.3 | PATCH | Ensure Avahi Server is not installed | Stop/Disable avahi-daemon.service" service: name: avahi-daemon.service state: stopped enabled: no when: avahi_service_status.stdout == "loaded" - - name: "2.1.3 | PATCH | Ensure Avahi Server is not installed | Stop/Disable avahi-daemon.socket" + - name: "AUTOMATED | 2.1.3 | PATCH | Ensure Avahi Server is not installed | Stop/Disable avahi-daemon.socket" service: name: avahi-daemon.socket state: stopped enabled: no when: avahi_service_status.stdout == "loaded" - - name: "2.1.3 | PATCH | Ensure Avahi Server is not installed | Remove avahi-daemon" + - name: "AUTOMATED | 2.1.3 | PATCH | Ensure Avahi Server is not installed | Remove avahi-daemon" apt: name: avahi-daemon state: absent @@ -214,12 +219,13 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_2.1.3 - avahi - services -- name: "2.1.4 | PATCH | Ensure CUPS is not installed" +- name: "AUTOMATED | 2.1.4 | PATCH | Ensure CUPS is not installed" apt: name: cups state: absent @@ -229,12 +235,13 @@ tags: - level1-server - level2-workstation + - automated - patch - rule_2.1.4 - cups - services -- name: "2.1.5 | PATCH | Ensure DHCP Server is not installed" +- name: "AUTOMATED | 2.1.5 | PATCH | Ensure DHCP Server is not installed" apt: name: isc-dhcp-server state: absent @@ -244,12 +251,13 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_2.1.5 - dhcp - services -- name: "2.1.6 | PATCH | Ensure LDAP server is not installed" +- name: "AUTOMATED | 2.1.6 | PATCH | Ensure LDAP server is not installed" apt: name: slapd state: absent 
@@ -259,12 +267,13 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_2.1.6 - ldap - services -- name: "2.1.7 | PATCH | Ensure NFS is not installed" +- name: "AUTOMATED | 2.1.7 | PATCH | Ensure NFS is not installed" apt: name: rpcbind state: absent @@ -274,13 +283,14 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_2.1.7 - nfs - rpc - services -- name: "2.1.8 | PATCH | Ensure DNS Server is not installed" +- name: "AUTOMATED | 2.1.8 | PATCH | Ensure DNS Server is not installed" apt: name: bind9 state: absent @@ -290,12 +300,13 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_2.1.8 - dns - service -- name: "2.1.9 | PATCH | Ensure FTP Server is not installed" +- name: "AUTOMATED | 2.1.9 | PATCH | Ensure FTP Server is not installed" apt: name: vsftpd state: absent @@ -305,12 +316,13 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_2.1.9 - ftp - service -- name: "2.1.10 | PATCH | Ensure HTTP server is not installed" +- name: "AUTOMATED | 2.1.10 | PATCH | Ensure HTTP server is not installed" apt: name: apache2 state: absent @@ -320,12 +332,13 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_2.1.10 - httpd - service -- name: "2.1.11 | PATCH | Ensure IMAP and POP3 server are not installed" +- name: "AUTOMATED | 2.1.11 | PATCH | Ensure IMAP and POP3 server are not installed" apt: name: ['dovecot-imapd', 'dovecot-pop3d'] state: absent @@ -335,12 +348,13 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_2.1.11 - dovecot - service -- name: "2.1.12 | PATCH | Ensure Samba is not installed" +- name: "AUTOMATED | 2.1.12 | PATCH | Ensure Samba is not installed" apt: name: samba state: absent 
@@ -350,12 +364,13 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_2.1.12 - samba - service -- name: "2.1.13 | PATCH | Ensure HTTP Proxy Server is not installed" +- name: "AUTOMATED | 2.1.13 | PATCH | Ensure HTTP Proxy Server is not installed" apt: name: squid state: absent @@ -365,12 +380,13 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_2.1.13 - http_proxy - service -- name: "2.1.14 | PATCH | Ensure SNMP Server is not installed" +- name: "AUTOMATED | 2.1.14 | PATCH | Ensure SNMP Server is not installed" apt: name: snmpd state: absent @@ -380,14 +396,15 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_2.1.14 - snmp - service -- name: "2.1.15 | PATCH | Ensure mail transfer agent is configured for local-only mode" +- name: "AUTOMATED | 2.1.15 | PATCH | Ensure mail transfer agent is configured for local-only mode" block: - - name: "2.1.15 | PATCH | Ensure mail transfer agent is configured for local-only mode | Make changes if exim4 installed" + - name: "AUTOMATED | 2.1.15 | PATCH | Ensure mail transfer agent is configured for local-only mode | Make changes if exim4 installed" lineinfile: path: /etc/exim4/update-exim4.conf.conf regexp: "{{ item.regexp }}" @@ -407,7 +424,7 @@ notify: restart exim4 when: ubtu20_cis_mail_transfer_agent == "exim4" - - name: "2.1.15 | PATCH | Ensure mail transfer agent is configured for local-only mode | Make changes if postfix is installed" + - name: "AUTOMATED | 2.1.15 | PATCH | Ensure mail transfer agent is configured for local-only mode | Make changes if postfix is installed" lineinfile: path: /etc/postfix/main.cf regexp: '^(#)?inet_interfaces' 
@@ -415,7 +432,7 @@ notify: restart postfix when: ubtu20_cis_mail_transfer_agent == "postfix" - - name: "2.1.15 | PATCH | Ensure mail transfer agent is configured for local-only mode | Message out other main agents" + - name: "AUTOMATED | 2.1.15 | PATCH | Ensure mail transfer agent is configured for local-only mode | Message out other main agents" debug: msg: - "Warning!! You are not using either exim4 or postfix" @@ -426,12 +443,13 @@ tags: - level1-server - level1-workstation + - automated - scored - patch - rule_2.1.15 - postfix -- name: "2.1.16 | PATCH | Ensure rsync service is not installed" +- name: "AUTOMATED | 2.1.16 | PATCH | Ensure rsync service is not installed" apt: name: rsync state: absent @@ -441,11 +459,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_2.1.16 - rsync -- name: "2.1.17 | PATCH | Ensure NIS Server is not installed" +- name: "AUTOMATED | 2.1.17 | PATCH | Ensure NIS Server is not installed" apt: name: nis state: absent @@ -455,6 +474,7 @@ tags: - level1-server - level1-workstation + - automated - rule_2.1.17 - nis - service @@ -472,7 +492,7 @@ - rule_2.2.1 - nis -- name: "2.2.2 | PATCH | Ensure rsh client is not installed" +- name: "AUTOMATED | 2.2.2 | PATCH | Ensure rsh client is not installed" apt: name: rsh-client state: absent @@ -482,11 +502,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_2.2.2 - rsh -- name: "2.2.3 | PATCH | Ensure talk client is not installed" +- name: "AUTOMATED | 2.2.3 | PATCH | Ensure talk client is not installed" apt: name: talk state: absent @@ -496,11 +517,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_2.2.3 - talk -- name: "2.2.4 | PATCH | Ensure telnet client is not installed" +- name: "AUTOMATED | 2.2.4 | PATCH | Ensure telnet client is not installed" apt: name: telnet state: absent 
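Review bot: The 2.1.15 mail-transfer-agent block ends up tagged with both `- automated` (added here) and the old `- scored`, the only task in this commit still carrying `scored`; since the series is moving the role to the automated/manual vocabulary, `- scored` looks like a leftover and should be removed for consistency with the sibling tasks in this file. The block's tasks and `when:` are in the preceding hunks.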
@@ -510,11 +532,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_2.2.4 - telnet -- name: "2.2.5 | PATCH | Ensure LDAP client is not installed" +- name: "AUTOMATED | 2.2.5 | PATCH | Ensure LDAP client is not installed" apt: name: ldap-utils state: absent @@ -524,11 +547,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_2.2.5 - ldap -- name: "2.2.6 | PATCH | Ensure RPC is not installed" +- name: "AUTOMATED | 2.2.6 | PATCH | Ensure RPC is not installed" apt: name: rpcbind state: absent @@ -538,20 +562,21 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_2.2.6 - rpbc -- name: "2.3 | AUDIT | Ensure nonessential services are removed or masked" +- name: "MANUAL | 2.3 | AUDIT | Ensure nonessential services are removed or masked" block: - - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Check for services" + - name: "MANUAL | 2.4 | AUDIT | Ensure nonessential services are removed or masked | Check for services" shell: lsof -i -P -n | grep -v "(ESTABLISHED)" changed_when: false failed_when: false check_mode: false register: ubtu20cis_2_4_services - - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Message out running services" + - name: "MANUAL | 2.4 | AUDIT | Ensure nonessential services are removed or masked | Message out running services" debug: msg: - "Warning!! Below are the running services. Please review and remove as well as mask un-needed services" From 5a2164432465c69deee42b92f260d524c7f1ec3b Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 3 May 2021 16:41:06 -0400 Subject: [PATCH 15/44] updated section 3 to v1.1.0 Signed-off-by: George Nalen --- tasks/section3.yml | 380 ++++++++++++++++++++++++++++----------------- 1 file changed, 239 insertions(+), 141 deletions(-) diff --git a/tasks/section3.yml b/tasks/section3.yml index ca6b1c36..5da66dc4 100644 --- a/tasks/section3.yml +++ b/tasks/section3.yml 
@@ -409,7 +409,7 @@ - rule_3.4.4 - tipc -- name: "3.5.1.1 | PATCH | Ensure Uncomplicated Firewall is installed" +- name: "3.5.1.1 | PATCH | Ensure ufw is installed" apt: name: ufw state: present @@ -424,7 +424,22 @@ - apt - ufw -- name: "3.5.1.2 | PATCH | Ensure iptables-persistent is not installed" +# - name: "3.5.1.1 | PATCH | Ensure Uncomplicated Firewall is installed" +# apt: +# name: ufw +# state: present +# when: +# - ubtu20cis_rule_3_5_1_1 +# - ubtu20cis_firewall_package == "ufw" +# tags: +# - level1-server +# - level1-workstation +# - patch +# - rule_3.5.1.1 +# - apt +# - ufw + +- name: "3.5.1.2 | PATCH | Ensure iptables-persistent is not installed with ufw" apt: name: iptables-persistent state: absent @@ -494,9 +509,9 @@ - rule_3.5.1.4 - ufw -- name: "3.5.1.5 | PATCH | Ensure outbound connections are configured" +- name: "3.5.1.5 | PATCH | Ensure ufw outbound connections are configured" block: - - name: "3.5.1.5 | PATCH | Ensure outbound connections are configured | Custom ports" + - name: "3.5.1.5 | PATCH | Ensure ufw outbound connections are configured | Custom ports" ufw: rule: allow direction: out @@ -506,7 +521,7 @@ notify: reload ufw when: ubtu20cis_ufw_allow_out_ports != "all" - - name: "3.5.1.5 | PATCH | Ensure outbound connections are configured | Allow all" + - name: "3.5.1.5 | PATCH | Ensure ufw outbound connections are configured | Allow all" ufw: rule: allow direction: out 
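Review bot: The commented-out block added here, from `# - name: "3.5.1.1 | PATCH | Ensure Uncomplicated Firewall is installed"` through `# - ufw`, is a verbatim copy of the live 3.5.1.1 task that the preceding `@@ -409,7 +409,7 @@` hunk just renamed, so it adds a second copy that will drift from the real one; delete it rather than committing it. If the intent is to record the previous control title, a one-line comment on the live task such as `# previously titled "Ensure Uncomplicated Firewall is installed"` does that without duplicating its body.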
@@ -524,23 +539,23 @@ - rule_3.5.1.5 - ufw -- name: "3.5.1.6 | AUDIT | Ensure firewall rules exist for all open ports" +- name: "3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports" block: - - name: "3.5.1.6 | AUDIT | Ensure firewall rules exist for all open ports | Get list of open ports" + - name: "3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Get list of open ports" command: ss -4tuln changed_when: false failed_when: false check_mode: false register: ubtu20cis_3_5_1_6_open_listen_ports - - name: "3.5.1.6 | AUDIT | Ensure firewall rules exist for all open ports | Get list of firewall rules" + - name: "3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Get list of firewall rules" command: ufw status changed_when: false failed_when: false check_mode: false register: ubtu20cis_3_5_1_6_firewall_rules - - name: "3.5.1.6 | AUDIT | Ensure firewall rules exist for all open ports | Message out settings" + - name: "3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Message out settings" debug: msg: - "ALERT!!!!Below are the listening ports and firewall rules" @@ -560,7 +575,7 @@ - rule_3.5.1.6 - ufw -- name: "3.5.1.7 | PATCH | Ensure default deny firewall policy" +- name: "3.5.1.7 | PATCH | Ensure ufw default deny firewall policy" ufw: default: deny direction: "{{ item }}" @@ -600,7 +615,7 @@ - rule_3.5.2.1 - nftables -- name: "3.5.2.2 | AUDIT | Ensure Uncomplicated Firewall is not installed or disabled" +- name: "3.5.2.2 | AUDIT | Ensure ufw is uninstalled or disabled with nftables" debug: msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" # apt: 
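Review bot: The open-ports listing in the 3.5.1.6 audit, `command: ss -4tuln`, restricts itself to IPv4, so IPv6 listeners are never shown beside the `ufw status` output and a service bound only to `::` escapes this check; use `command: ss -tuln` (or register a second `ss -6tuln` run) so the comparison covers both address families. This is a context line the rename does not touch, but it determines what the audit actually reports. The block's `when:` and `tags:` follow in the next hunk.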
@@ -616,7 +631,7 @@ - rule_3.5.2.2 - nftables -- name: "3.5.2.3 | AUDIT | Ensure iptables are flushed" +- name: "3.5.2.3 | AUDIT | Ensure iptables are flushed with nftables" debug: msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" # iptables: @@ -632,7 +647,7 @@ - rule_3.5.2.3 - nftables -- name: "3.5.2.4 | AUDIT | Ensure a table exists" +- name: "3.5.2.4 | AUDIT | Ensure a nftables table exists" debug: msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" # command: "nft create table {{ ubtu20cis_nftables_table_name }}" 
@@ -650,23 +665,23 @@ - rule_3.5.2.4 - nftables -- name: "3.5.2.5 | AUDIT | Ensure base chains exist" +- name: "3.5.2.5 | AUDIT | Ensure nftables base chains exist" debug: msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" # block: - # - name: "3.5.2.5 | PATCH | Ensure base chains exist | Input entry" + # - name: "3.5.2.5 | PATCH | Ensure nftables base chains exist | Input entry" # shell: 'nft create chain {{ ubtu20cis_nftables_table_name }} input { type filter hook input priority 0 \; }' # changed_when: ubtu20cis_3_5_2_5_base_chains_input.rc == 0 # failed_when: false # register: ubtu20cis_3_5_2_5_base_chains_input - # - name: "3.5.2.5 | PATCH | Ensure base chains exist | Forward entry" + # - name: "3.5.2.5 | PATCH | Ensure nftables base chains exist | Forward entry" # shell: 'nft create chain {{ ubtu20cis_nftables_table_name }} forward { type filter hook forward priority 0 \; }' # changed_when: ubtu20cis_3_5_2_5_base_chains_forward.rc == 0 # failed_when: false # register: ubtu20cis_3_5_2_5_base_chains_forward - # - name: "3.5.2.5 | PATCH | Ensure base chains exist | Output entry" + # - name: "3.5.2.5 | PATCH | Ensure nftables base chains exist | Output entry" # shell: 'nft create chain {{ ubtu20cis_nftables_table_name }} output { type filter hook output priority 0 \; }' # changed_when: ubtu20cis_3_5_2_5_base_chains_output.rc == 0 # failed_when: false 
@@ -681,39 +696,39 @@ - rule_3.5.2.5 - nftables -- name: "3.5.2.6 | AUDIT | Ensure loopback traffic is configured" +- name: "3.5.2.6 | AUDIT | Ensure nftables loopback traffic is configured" debug: msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" # block: - # - name: "3.5.2.6 | AUDIT | Ensure loopback traffic is configured | Get input iif lo accept status" + # - name: "3.5.2.6 | AUDIT | Ensure nftables loopback traffic is configured | Get input iif lo accept status" # shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' # changed_when: false # failed_when: false # check_mode: false # register: ubtu20cis_3_5_2_6_loopback_iif_status - # - name: "3.5.2.6 | AUDIT | Ensure loopback traffic is configured | Get input iif lo accept status" + # - name: "3.5.2.6 | AUDIT | Ensure nftables loopback traffic is configured | Get input iif lo accept status" # shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' # changed_when: false # failed_when: false # check_mode: false # register: ubtu20cis_3_5_2_6_loopback_input_drop_status - # - name: "3.5.2.6 | AUDIT | Ensure loopback traffic is configured | Get input iif lo accept status" + # - name: "3.5.2.6 | AUDIT | Ensure nftables loopback traffic is configured | Get input iif lo accept status" # shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' # changed_when: false # failed_when: false # check_mode: false # register: ubtu20cis_3_5_2_6_loopback_ipv6_drop_status - # - name: "3.5.2.6 | PATCH | Ensure loopback traffic is configured | Loopback iif lo accept" + # - name: "3.5.2.6 | PATCH | Ensure nftables loopback traffic is configured | Loopback iif lo accept" # command: 'nft add rule inet {{ ubtu20cis_nftables_table_name }} input iif lo accept' # changed_when: ubtu20cis_3_5_2_6_loopback_iif.rc == 0 # failed_when: false # register: ubtu20cis_3_5_2_6_loopback_iif # when: "'iif \"lo\" accept' not in 
ubtu20cis_3_5_2_6_loopback_iif_status.stdout" - # - name: "3.5.2.6 | PATCH | Ensure loopback traffic is configured | Loopback input drop" + # - name: "3.5.2.6 | PATCH | Ensure nftables loopback traffic is configured | Loopback input drop" # command: 'nft add rule inet {{ ubtu20cis_nftables_table_name }} input ip saddr 127\.0\.0\.0\/8 counter drop' # changed_when: ubtu20cis_3_5_2_6_loopback_input_drop.rc == 0 # failed_when: false @@ -722,7 +737,7 @@ # - "'ip saddr 127.0.0.0/8' not in ubtu18cis_3_5_3_4_loopback_input_drop_status.stdout" # - "'drop' not in ubtu20cis_3_5_2_6_loopback_input_drop_status.stdout" - # - name: "3.5.2.6 | PATCH | Ensure loopback traffic is configured | Loopback ipv6 drop" + # - name: "3.5.2.6 | PATCH | Ensure nftables loopback traffic is configured | Loopback ipv6 drop" # command: 'nft add rule inet {{ ubtu20cis_nftables_table_name }} input ip6 saddr ::1 counter drop' # changed_when: ubtu20cis_3_5_2_6_loopback_ipv6_drop.rc == 0 # failed_when: false @@ -740,7 +755,7 @@ - rule_3.5.2.6 - nftables -- name: "3.5.2.7 | AUDIT | Ensure outbound and established connections are configured" +- name: "3.5.2.7 | AUDIT | Ensure nftables outbound and established connections are configured" debug: msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" when: @@ -754,7 +769,7 @@ - rule_3.5.2.7 - nftables -- name: "3.5.2.8 | AUDIT | Ensure default deny firewall policy" +- name: "3.5.2.8 | AUDIT | Ensure nftables default deny firewall policy" debug: msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" when: @@ -811,7 +826,7 @@ - rule_3.5.3.1.1 - iptables -- name: "3.5.3.1.2 | PATCH | Ensure nftables is not installed" +- name: "3.5.3.1.2 | PATCH | Ensure nftables is not installed with iptables" apt: name: nftables state: absent 
@@ -825,7 +840,7 @@ - rule_3.5.3.1.2 - iptables -- name: "3.5.3.1.3 | PATCH | Ensure Uncomplicated Firewall is not installed or disabled" +- name: "3.5.3.1.3 | PATCH | Ensure ufw is uninstalled or disabled with iptables" apt: name: ufw state: absent 
@@ -839,89 +854,89 @@ - rule_3.5.3.1.3 - iptables -# --------- -# --------- -# Unsuer about the _v6 when being there, revisit and confirm if it's needed for all ipv4 iptables tasks -# --------- -# --------- -- name: "3.5.3.2.1 | PATCH | Ensure default deny firewall policy" +# # --------- +# # --------- +# # Unsure about the _v6 when being there, revisit and confirm if it's needed for all ipv4 iptables tasks +# # --------- +# # --------- +# - name: "3.5.3.2.1 | PATCH | Ensure default deny firewall policy" +# block: +# - name: "3.5.3.2.1 | PATCH | Ensure default deny firewall policy | Configure SSH to be allowed in" +# iptables: +# chain: INPUT +# protocol: tcp +# destination_port: 22 +# jump: ACCEPT +# ctstate: 'NEW,ESTABLISHED' + +# - name: "3.5.3.2.1 | PATCH | Ensure default deny firewall policy | Configure SSH to be allowed out" +# iptables: +# chain: OUTPUT +# protocol: tcp +# source_port: 22 +# jump: ACCEPT +# ctstate: 'NEW,ESTABLISHED' + +# - name: "3.5.3.2.1 | PATCH | Ensure default deny firewall policy | Enable apt traffic" +# iptables: +# chain: INPUT +# ctstate: 'ESTABLISHED' +# jump: ACCEPT + +# - name: "3.5.3.2.1 | PATCH | Ensure default deny firewall policy | Set drop items" +# iptables: +# policy: DROP +# chain: "{{ item }}" +# with_items: +# - INPUT +# - FORWARD +# - OUTPUT +# when: +# - ubtu20cis_rule_3_5_3_2_1 +# - ubtu20cis_firewall_package == "iptables" +# - ubtu20cis_ipv4_required +# - not system_is_ec2 +# tags: +# - level1-server +# - level1-workstation +# - patch +# - rule_3.5.3.2.1 +# - iptables + +- name: "3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured" block: - - name: "3.5.3.2.1 | PATCH | Ensure default deny firewall policy | Configure SSH to be allowed in" - iptables: - chain: INPUT - protocol: tcp - destination_port: 22 - jump: ACCEPT - ctstate: 'NEW,ESTABLISHED' - - - name: "3.5.3.2.1 | PATCH | Ensure default deny firewall policy | Configure SSH to be allowed out" - iptables: - chain: OUTPUT - protocol: tcp - 
source_port: 22 - jump: ACCEPT - ctstate: 'NEW,ESTABLISHED' - - - name: "3.5.3.2.1 | PATCH | Ensure default deny firewall policy | Enable apt traffic" - iptables: - chain: INPUT - ctstate: 'ESTABLISHED' - jump: ACCEPT - - - name: "3.5.3.2.1 | PATCH | Ensure default deny firewall policy | Set drop items" - iptables: - policy: DROP - chain: "{{ item }}" - with_items: - - INPUT - - FORWARD - - OUTPUT - when: - - ubtu20cis_rule_3_5_3_2_1 - - ubtu20cis_firewall_package == "iptables" - - ubtu20cis_ipv4_required - - not system_is_ec2 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.5.3.2.1 - - iptables - -- name: "3.5.3.2.2 | PATCH | Ensure loopback traffic is configured" - block: - - name: "3.5.3.2.2 | PATCH | Ensure loopback traffic is configured | INPUT loopback ACCEPT" + - name: "3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | INPUT loopback ACCEPT" iptables: action: append chain: INPUT in_interface: lo jump: ACCEPT - - name: "3.5.3.2.2 | PATCH | Ensure loopback traffic is configured | OUTPUT loopback ACCEPT" + - name: "3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT" iptables: action: append chain: OUTPUT out_interface: lo jump: ACCEPT - - name: "3.5.3.2.2 | PATCH | Ensure loopback traffic is configured | OUTPUT loopback ACCEPT" + - name: "3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT" iptables: action: append chain: INPUT source: 127.0.0.0/8 jump: DROP when: - - ubtu20cis_rule_3_5_3_2_2 + - ubtu20cis_rule_3_5_3_2_1 - ubtu20cis_firewall_package == "iptables" - ubtu20cis_ipv4_required tags: - level1-server - level1-workstation - patch - - rule_3.5.3.2.2 + - rule_3.5.3.2.1 - iptables -- name: "3.5.3.2.3 | PATCH | Ensure outbound and established connections are configured" +- name: "3.5.3.2.2 | PATCH | Ensure iptables outbound and established connections are configured" iptables: action: append chain: '{{ item.chain }}' 
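Review bot: The third sub-task of the renumbered 3.5.3.2.1 block is still named `| OUTPUT loopback ACCEPT` although its body is `chain: INPUT`, `source: 127.0.0.0/8`, `jump: DROP`, so the task name describes the previous sub-task rather than this one and misleads anyone reading play output; the ip6tables counterpart at `@@ -1069,7 +1128,7 @@` names the equivalent rule `INPUT loopback drop`. Rename it to `- name: "3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | INPUT loopback DROP"`. The 3.5.3.2.2 task that starts at the end of this hunk continues outside it.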
@@ -937,7 +952,7 @@ - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' } - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' } when: - - ubtu20cis_rule_3_5_3_2_3 + - ubtu20cis_rule_3_5_3_2_2 - ubtu20cis_firewall_package == "iptables" - ubtu20cis_ipv4_required tags: 
@@ -945,26 +960,71 @@ - level1-workstation - manual - patch + - rule_3.5.3.2.2 + - iptables + +- name: "3.5.3.2.3 | PATCH | Ensure iptables default deny firewall policy" + block: + - name: "3.5.3.2.3 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed in" + iptables: + chain: INPUT + protocol: tcp + destination_port: 22 + jump: ACCEPT + ctstate: 'NEW,ESTABLISHED' + + - name: "3.5.3.2.3 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed out" + iptables: + chain: OUTPUT + protocol: tcp + source_port: 22 + jump: ACCEPT + ctstate: 'NEW,ESTABLISHED' + + - name: "3.5.3.2.3 | PATCH | Ensure iptables default deny firewall policy | Enable apt traffic" + iptables: + chain: INPUT + ctstate: 'ESTABLISHED' + jump: ACCEPT + + - name: "3.5.3.2.3 | PATCH | Ensure iptables default deny firewall policy | Set drop items" + iptables: + policy: DROP + chain: "{{ item }}" + with_items: + - INPUT + - FORWARD + - OUTPUT + when: + - ubtu20cis_rule_3_5_3_2_3 + - ubtu20cis_firewall_package == "iptables" + - ubtu20cis_ipv4_required + - not system_is_ec2 + tags: + - level1-server + - level1-workstation + - patch - rule_3.5.3.2.3 - iptables -- name: "3.5.3.2.4 | AUDIT | Ensure firewall rules exist for all open ports" + +- name: "3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports" block: - - name: "3.5.3.2.4 | AUDIT | Ensure firewall rules exist for all open ports | Get list of open ports" + - name: "3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of open ports" command: ss -4tuln changed_when: false failed_when: false check_mode: false register: ubtu20cis_3_5_3_2_4_open_ports - - name: "3.5.3.2.4 | AUDIT | Ensure firewall rules exist for all open ports | Get list of rules" + - name: "3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules" command: iptables -L INPUT -v -n changed_when: false failed_when: false check_mode: 
false register: ubtu20cis_3_5_3_2_4_current_rules - - name: "3.5.3.2.4 | AUDIT | Ensure firewall rules exist for all open ports | Alert about settings" + - name: "3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Alert about settings" debug: msg: - "ALERT!!!!Below is the list the open ports and current rules" 
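Review bot: `destination_port: 22` in the `Configure SSH to be allowed in` task hard-codes the SSH port, whereas the ufw path (3.5.1.3) keys on the OpenSSH application profile; on a host whose sshd listens on another port the `Set drop items` task that follows leaves only ESTABLISHED inbound sessions reachable, so the port would be better sourced from a role variable, e.g. `destination_port: "{{ <ssh-port-variable> }}"` defaulting to 22. The order inside the block is what keeps the controlling session alive, and that deserves a comment above the first sub-task such as `# SSH and ESTABLISHED accept rules must be appended before the INPUT policy is switched to DROP`. The extra `+` blank line before the 3.5.3.2.4 task leaves two consecutive empty lines where the rest of the file uses one.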
@@ -1005,55 +1065,54 @@ register: ubtu20cis_iptables_save when: - ubtu20cis_firewall_package == "iptables" - # - not ubtu18cis_iptables_v6 - ubtu20cis_save_iptables_cis_rules - ubtu20cis_rule_3_5_3_2_1 or ubtu20cis_rule_3_5_3_2_2 or ubtu20cis_rule_3_5_3_2_3 or ubtu20cis_rule_3_5_3_2_4 -- name: "3.5.3.3.1 | PATCH | Ensure IPv6 default deny firewall policy" - block: - - name: "3.5.3.3.1 | PATCH | Ensure IPv6 default deny firewall policy | Configure SSH to be allowed out" - iptables: - chain: OUTPUT - protocol: tcp - source_port: 22 - jump: ACCEPT - ctstate: 'NEW,ESTABLISHED' - ip_version: ipv6 - - - name: "3.5.3.3.1 | PATCH | Ensure IPv6 default deny firewall policy | Enable apt traffic" - iptables: - chain: INPUT - ctstate: 'ESTABLISHED' - jump: ACCEPT - ip_version: ipv6 - - - name: "3.5.3.3.1 | PATCH | Ensure IPv6 default deny firewall policy | Set drop items" - iptables: - policy: DROP - chain: "{{ item }}" - ip_version: ipv6 - with_items: - - INPUT - - FORWARD - - OUTPUT - when: - - ubtu20cis_rule_3_5_3_3_1 - - ubtu20cis_firewall_package == "iptables" - - ubtu20cis_ipv6_required - - not ubtu20cis_ipv4_required - tags: - - level1-server - - level1-workstation - - patch - - rule_3.5.3.3.1 - - ip6tables - -- name: "3.5.3.3.2 | PATCH | Ensure IPv6 loopback traffic is configured" +# - name: "3.5.3.3.1 | PATCH | Ensure IPv6 default deny firewall policy" +# block: +# - name: "3.5.3.3.1 | PATCH | Ensure IPv6 default deny firewall policy | Configure SSH to be allowed out" +# iptables: +# chain: OUTPUT +# protocol: tcp +# source_port: 22 +# jump: ACCEPT +# ctstate: 'NEW,ESTABLISHED' +# ip_version: ipv6 + +# - name: "3.5.3.3.1 | PATCH | Ensure IPv6 default deny firewall policy | Enable apt traffic" +# iptables: +# chain: INPUT +# ctstate: 'ESTABLISHED' +# jump: ACCEPT +# ip_version: ipv6 + +# - name: "3.5.3.3.1 | PATCH | Ensure IPv6 default deny firewall policy | Set drop items" +# iptables: +# policy: DROP +# chain: "{{ item }}" +# ip_version: ipv6 +# with_items: +# - 
INPUT +# - FORWARD +# - OUTPUT +# when: +# - ubtu20cis_rule_3_5_3_3_1 +# - ubtu20cis_firewall_package == "iptables" +# - ubtu20cis_ipv6_required +# - not ubtu20cis_ipv4_required +# tags: +# - level1-server +# - level1-workstation +# - patch +# - rule_3.5.3.3.1 +# - ip6tables + +- name: "3.5.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured" block: - - name: "3.5.3.3.2 | PATCH | Ensure IPv6 loopback traffic is configured | INPUT loopback ACCEPT" + - name: "3.5.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback ACCEPT" iptables: action: append chain: INPUT @@ -1061,7 +1120,7 @@ jump: ACCEPT ip_version: ipv6 - - name: "3.5.3.3.2 | PATCH | Ensure IPv6 loopback traffic is configured | OUTPUT loopback ACCEPT" + - name: "3.5.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT loopback ACCEPT" iptables: action: append chain: OUTPUT @@ -1069,7 +1128,7 @@ jump: ACCEPT ip_version: ipv6 - - name: "3.5.3.3.2 | PATCH | Ensure IPv6 loopback traffic is configured | INPUT loopback drop" + - name: "3.5.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback drop" iptables: action: append chain: INPUT @@ -1077,7 +1136,7 @@ jump: DROP ip_version: ipv6 when: - - ubtu20cis_rule_3_5_3_3_2 + - ubtu20cis_rule_3_5_3_3_1 - ubtu20cis_firewall_package == "iptables" - ubtu20cis_ipv6_required - not ubtu20cis_ipv4_required @@ -1085,10 +1144,10 @@ - level1-server - level1-workstation - patch - - rule_3.5.3.3.2 + - rule_3.5.3.3.1 - ip6tables -- name: "3.5.3.3.3 | PATCH | Ensure IPv6 outbound and established connections are configured" +- name: "3.5.3.3.2 | PATCH | Ensure ip6tables outbound and established connections are configured" iptables: action: append chain: '{{ item.chain }}' 
@@ -1105,7 +1164,7 @@ - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' } - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' } when: - - ubtu20cis_rule_3_5_3_3_3 + - ubtu20cis_rule_3_5_3_3_2 - ubtu20cis_firewall_package == "iptables" - ubtu20cis_ipv6_required - not ubtu20cis_ipv4_required 
@@ -1114,26 +1173,65 @@ - level1-workstation - manual - patch + - rule_3.5.3.3.2 + - ip6tables + +- name: "3.5.3.3.3 | PATCH | Ensure ip6tables default deny firewall policy" + block: + - name: "3.5.3.3.3 | PATCH | Ensure ip6tables default deny firewall policy | Configure SSH to be allowed out" + iptables: + chain: OUTPUT + protocol: tcp + source_port: 22 + jump: ACCEPT + ctstate: 'NEW,ESTABLISHED' + ip_version: ipv6 + + - name: "3.5.3.3.3 | PATCH | Ensure ip6tables default deny firewall policy | Enable apt traffic" + iptables: + chain: INPUT + ctstate: 'ESTABLISHED' + jump: ACCEPT + ip_version: ipv6 + + - name: "3.5.3.3.3 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items" + iptables: + policy: DROP + chain: "{{ item }}" + ip_version: ipv6 + with_items: + - INPUT + - FORWARD + - OUTPUT + when: + - ubtu20cis_rule_3_5_3_3_3 + - ubtu20cis_firewall_package == "iptables" + - ubtu20cis_ipv6_required + - not ubtu20cis_ipv4_required + tags: + - level1-server + - level1-workstation + - patch - rule_3.5.3.3.3 - ip6tables -- name: "3.5.3.3.4 | AUDIT | Ensure IPv6 firewall rules exist for all open ports" +- name: "3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports" block: - - name: "3.5.3.3.4 | AUDIT | Ensure IPv6 firewall rules exist for all open ports | Get list of open ports" + - name: "3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of open ports" command: ss -6tuln changed_when: false failed_when: false check_mode: false register: ubtu20cis_3_5_3_3_4_open_ports - - name: "3.5.3.3.4 | AUDIT | Ensure IPv6 firewall rules exist for all open ports | Get list of rules" + - name: "3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of rules" command: ip6tables -L INPUT -v -n changed_when: false failed_when: false check_mode: false register: ubtu20cis_3_5_3_3_4_current_rules - - name: "3.5.3.3.4 | AUDIT | Ensure IPv6 firewall rules exist for all open ports | 
Alert about settings" + - name: "3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Alert about settings" debug: msg: - "ALERT!!!!Below is the list the open ports and current rules" From 77d3f7d3361d8dde9cfe934fbfb0bc5c5f09bf08 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 3 May 2021 17:01:10 -0400 Subject: [PATCH 16/44] updated section 3 automated/manual labels Signed-off-by: George Nalen --- tasks/section3.yml | 228 ++++++++++++++++++++++++++------------------- 1 file changed, 133 insertions(+), 95 deletions(-) diff --git a/tasks/section3.yml b/tasks/section3.yml index 5da66dc4..e78465e0 100644 --- a/tasks/section3.yml +++ b/tasks/section3.yml @@ -1,14 +1,14 @@ --- -- name: "3.1.1 | PATCH | Disable IPv6" +- name: "MANUAL | 3.1.1 | PATCH | Disable IPv6" block: - - name: "3.1.1 | AUDIT | Disable IPv6 | Get currnet GRUB_CMDLINE_LINUX settings" + - name: "MANUAL | 3.1.1 | AUDIT | Disable IPv6 | Get currnet GRUB_CMDLINE_LINUX settings" shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' changed_when: false failed_when: false check_mode: false register: ubtu20cis_3_1_1_grub_cmdline_linux_settings - - name: "3.1.1 | PATCH | Disable IPv6 | Add ipv6.disable if does not exist" + - name: "MANUAL | 3.1.1 | PATCH | Disable IPv6 | Add ipv6.disable if does not exist" lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX' @@ -16,7 +16,7 @@ when: "'ipv6.disable' not in ubtu20cis_3_1_1_grub_cmdline_linux_settings.stdout" notify: grub update - - name: "3.1.1 | PATCH | Disable IPv6 | Set ipv6.disable to 1 if exists" + - name: "MANUAL | 3.1.1 | PATCH | Disable IPv6 | Set ipv6.disable to 1 if exists" replace: path: /etc/default/grub regexp: 'ipv6\.disable=.' 
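Review bot: The new ip6tables default-deny block (3.5.3.3.3) has no `Configure SSH to be allowed in` task, unlike its IPv4 counterpart at `@@ -945,26 +960,71 @@`; after `policy: DROP` is set on INPUT the only IPv6 INPUT accepts are the loopback and ESTABLISHED rules, so new inbound SSH sessions over IPv6 appear to be dropped, and because this block only runs when `ubtu20cis_ipv4_required` is false those hosts presumably have no IPv4 management path to fall back on. Adding the inbound rule before the policy task, mirroring the IPv4 block, is shown below. The IPv4 block also guards with `not system_is_ec2` while this one does not; if that guard is deliberate it likely applies here as well. The added `+` blank line before the 3.5.3.3.4 task leaves two consecutive empty lines.
```yaml
- name: "3.5.3.3.3 | PATCH | Ensure ip6tables default deny firewall policy"
  block:
    - name: "3.5.3.3.3 | PATCH | Ensure ip6tables default deny firewall policy | Configure SSH to be allowed in"
      iptables:
        chain: INPUT
        protocol: tcp
        destination_port: 22
        jump: ACCEPT
        ctstate: 'NEW,ESTABLISHED'
        ip_version: ipv6

    # … unchanged: SSH allowed out, apt traffic, set drop items, when, tags …
```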
@@ -24,7 +24,7 @@ when: "'ipv6.disable' in ubtu20cis_3_1_1_grub_cmdline_linux_settings.stdout" notify: grub update - - name: "3.1.1 | PATCH | Disable IPv6 | Remove net.ipv6.conf.all.disable_ipv6" + - name: "MANUAL | 3.1.1 | PATCH | Disable IPv6 | Remove net.ipv6.conf.all.disable_ipv6" lineinfile: path: /etc/sysctl.conf regexp: '^net.ipv6.conf.all.disable_ipv6.*' @@ -35,26 +35,27 @@ tags: - level2-server - level2-workstation + - manual - patch - rule_3.1.1 - ipv6 -- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled" +- name: "AUTOMATED | 3.1.2 | PATCH | Ensure wireless interfaces are disabled" block: - - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Check for network-manager tool" + - name: "AUTOMATED | 3.1.2 | PATCH | Ensure wireless interfaces are disabled | Check for network-manager tool" shell: dpkg -l | grep network-manager changed_when: false failed_when: false check_mode: false register: ubtu20cis_3_1_2_network_manager_status - - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wireless if network-manager installed" + - name: "AUTOMATED | 3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wireless if network-manager installed" command: nmcli radio all off changed_when: ubtu20cis_3_1_2_nmcli_radio_off.rc == 0 register: ubtu20cis_3_1_2_nmcli_radio_off when: ubtu20cis_3_1_2_network_manager_status.stdout != "" - - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Warn about wireless if network-manager not installed" + - name: "AUTOMATED | 3.1.2 | PATCH | Ensure wireless interfaces are disabled | Warn about wireless if network-manager not installed" debug: msg: "ALERT!!!! You need to disable wireless interfaces manually since network-manager is not installed" when: ubtu20cis_3_1_2_network_manager_status.stdout == "" 
@@ -63,11 +64,12 @@ tags: - level1-server - level2-workstation + - automated - patch - rule_3.1.2 - wireless -- name: "3.2.1 | PATCH | Ensure packet redirect sending is disabled" +- name: "AUTOMATED | 3.2.1 | PATCH | Ensure packet redirect sending is disabled" sysctl: name: "{{ item }}" value: '0' @@ -85,14 +87,15 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_3.2.1 - packet_redirect - sysctl -- name: "3.2.2 | PATCH | Ensure IP forwarding is disabled" +- name: "AUTOMATED | 3.2.2 | PATCH | Ensure IP forwarding is disabled" block: - - name: "3.2.2 | PATCH | Ensure IP forwarding is disabled | IPv4 settings" + - name: "AUTOMATED | 3.2.2 | PATCH | Ensure IP forwarding is disabled | IPv4 settings" sysctl: name: net.ipv4.ip_forward value: '0' @@ -103,7 +106,7 @@ notify: - sysctl flush ipv4 route table - - name: "3.2.2 | PATCH | Ensure IP forwarding is disabled | IPv6 settings" + - name: "AUTOMATED | 3.2.2 | PATCH | Ensure IP forwarding is disabled | IPv6 settings" sysctl: name: net.ipv6.conf.all.forwarding value: '0' @@ -120,14 +123,15 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_3.2.2 - ip_forwarding - sysctl -- name: "3.3.1 | PATCH | Ensure source routed packets are not accepted" +- name: "AUTOMATED | 3.3.1 | PATCH | Ensure source routed packets are not accepted" block: - - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv4 settings" + - name: "AUTOMATED | 3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv4 settings" sysctl: name: "{{ item }}" value: '0' @@ -140,7 +144,7 @@ - net.ipv4.conf.default.accept_source_route notify: sysctl flush ipv4 route table - - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6 settings" + - name: "AUTOMATED | 3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6 settings" sysctl: name: "{{ item }}" value: '0' 
@@ -159,14 +163,15 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_3.3.1 - routed_packets - sysctl -- name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted" +- name: "AUTOMATED | 3.3.2 | PATCH | Ensure ICMP redirects are not accepted" block: - - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4 settings" + - name: "AUTOMATED | 3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4 settings" sysctl: name: "{{ item }}" value: '0' @@ -179,7 +184,7 @@ - net.ipv4.conf.default.accept_redirects notify: sysctl flush ipv4 route table - - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6 settings" + - name: "AUTOMATED | 3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6 settings" sysctl: name: "{{ item }}" value: '0' @@ -197,12 +202,13 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_3.3.2 - icmp - sysctl -- name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted" +- name: "AUTOMATED | 3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted" sysctl: name: "{{ item }}" value: '0' @@ -219,12 +225,13 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_3.3.3 - icmp - sysctl -- name: "3.3.4 | PATCH | Ensure suspicious packets are logged" +- name: "AUTOMATED | 3.3.4 | PATCH | Ensure suspicious packets are logged" sysctl: name: "{{ item }}" value: '1' @@ -241,12 +248,13 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_3.3.4 - suspicious_packets - sysctl -- name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored" +- name: "AUTOMATED | 3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored" sysctl: name: net.ipv4.icmp_echo_ignore_broadcasts value: '1' 
@@ -260,12 +268,13 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_3.3.5 - icmp - sysctl -- name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored" +- name: "AUTOMATED | 3.3.6 | PATCH | Ensure bogus ICMP responses are ignored" sysctl: name: net.ipv4.icmp_ignore_bogus_error_responses value: '1' @@ -279,12 +288,13 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_3.3.6 - icmp - sysctl -- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" +- name: "AUTOMATED | 3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" sysctl: name: "{{ item }}" value: '1' @@ -301,12 +311,13 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_3.3.7 - reverse_path_filtering - sysctl -- name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled" +- name: "AUTOMATED | 3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled" sysctl: name: net.ipv4.tcp_syncookies value: '1' @@ -320,12 +331,13 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_3.3.8 - tcp_syn_cookies - sysctl -- name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" +- name: "AUTOMATED | 3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" sysctl: name: "{{ item }}" value: '0' @@ -343,13 +355,14 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_3.3.9 - ipv6 - router_advertisements - sysctl -- name: "3.4.1 | PATCH | Ensure DCCP is disabled" +- name: "AUTOMATED | 3.4.1 | PATCH | Ensure DCCP is disabled" lineinfile: path: /etc/modprobe.d/dccp.conf regexp: '^(#)?install dccp(\\s|$)' @@ -360,11 +373,12 @@ tags: - level2-server - level2-workstation + - automated - patch - rule_3.4.1 - DCCP -- name: "3.4.2 | PATCH | Ensure SCTP is disabled" +- name: "AUTOMATED | 3.4.2 | PATCH | Ensure SCTP is disabled" lineinfile: path: /etc/modprobe.d/sctp.conf regexp: "^(#)?install sctp(\\s|$)" 
@@ -375,11 +389,12 @@ tags: - level2-server - level2-workstation + - automated - patch - rule_3.4.2 - sctp -- name: "3.4.3 | PATCH | Ensure RDS is disabled" +- name: "AUTOMATED | 3.4.3 | PATCH | Ensure RDS is disabled" lineinfile: path: /etc/modprobe.d/rds.conf regexp: '^(#)?install rds(\\s|$)' @@ -390,11 +405,12 @@ tags: - level2-server - level2-workstation + - automated - patch - rule_3.4.3 - rds -- name: "3.4.4 | PATCH | Ensure TIPC is disabled" +- name: "AUTOMATED | 3.4.4 | PATCH | Ensure TIPC is disabled" lineinfile: path: /etc/modprobe.d/tipc.conf regexp: '^(#)?install tipc(\\s|$)' @@ -405,11 +421,12 @@ tags: - level2-server - level2-workstation + - automated - patch - rule_3.4.4 - tipc -- name: "3.5.1.1 | PATCH | Ensure ufw is installed" +- name: "AUTOMATED | 3.5.1.1 | PATCH | Ensure ufw is installed" apt: name: ufw state: present @@ -419,6 +436,7 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_3.5.1.1 - apt @@ -439,7 +457,7 @@ # - apt # - ufw -- name: "3.5.1.2 | PATCH | Ensure iptables-persistent is not installed with ufw" +- name: "AUTOMATED | 3.5.1.2 | PATCH | Ensure iptables-persistent is not installed with ufw" apt: name: iptables-persistent state: absent @@ -449,12 +467,13 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_3.5.1.2 - ufw # Adding the allow OpenSSH rule while enabling ufw to allow ansible to run after enabling -- name: "3.5.1.3 | PATCH | Ensure ufw service is enabled" +- name: "AUTOMATED | 3.5.1.3 | PATCH | Ensure ufw service is enabled" ufw: rule: allow name: OpenSSH 
@@ -465,34 +484,35 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_3.5.1.3 - ufw -- name: "3.5.1.4 | PATCH | Ensure loopback traffic is configured" +- name: "AUTOMATED | 3.5.1.4 | PATCH | Ensure loopback traffic is configured" block: - - name: "3.5.1.4 | PATCH | Ensure loopback traffic is configured | Set allow in ufw rules" + - name: "AUTOMATED | 3.5.1.4 | PATCH | Ensure loopback traffic is configured | Set allow in ufw rules" ufw: rule: allow direction: in interface: lo notify: reload ufw - - name: "3.5.1.4 | PATCH | Ensure loopback traffic is configured | Set allow out ufw rules" + - name: "AUTOMATED | 3.5.1.4 | PATCH | Ensure loopback traffic is configured | Set allow out ufw rules" ufw: rule: allow direction: out interface: lo notify: reload ufw - - name: "3.5.1.4 | PATCH | Ensure loopback traffic is configured | Set deny ufw rules IPv4" + - name: "AUTOMATED | 3.5.1.4 | PATCH | Ensure loopback traffic is configured | Set deny ufw rules IPv4" ufw: rule: deny direction: in from_ip: 127.0.0.0/8 notify: reload ufw - - name: "3.5.1.4 | PATCH | Ensure loopback traffic is configured | Set deny ufw rules IPv6" + - name: "AUTOMATED | 3.5.1.4 | PATCH | Ensure loopback traffic is configured | Set deny ufw rules IPv6" ufw: rule: deny direction: in @@ -505,13 +525,14 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_3.5.1.4 - ufw -- name: "3.5.1.5 | PATCH | Ensure ufw outbound connections are configured" +- name: "MANUAL | 3.5.1.5 | PATCH | Ensure ufw outbound connections are configured" block: - - name: "3.5.1.5 | PATCH | Ensure ufw outbound connections are configured | Custom ports" + - name: "MANUAL | 3.5.1.5 | PATCH | Ensure ufw outbound connections are configured | Custom ports" ufw: rule: allow direction: out 
@@ -521,7 +542,7 @@ notify: reload ufw when: ubtu20cis_ufw_allow_out_ports != "all" - - name: "3.5.1.5 | PATCH | Ensure ufw outbound connections are configured | Allow all" + - name: "MANUAL | 3.5.1.5 | PATCH | Ensure ufw outbound connections are configured | Allow all" ufw: rule: allow direction: out @@ -539,23 +560,23 @@ - rule_3.5.1.5 - ufw -- name: "3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports" +- name: "MANUAL | 3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports" block: - - name: "3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Get list of open ports" + - name: "MANUAL | 3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Get list of open ports" command: ss -4tuln changed_when: false failed_when: false check_mode: false register: ubtu20cis_3_5_1_6_open_listen_ports - - name: "3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Get list of firewall rules" + - name: "MANUAL | 3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Get list of firewall rules" command: ufw status changed_when: false failed_when: false check_mode: false register: ubtu20cis_3_5_1_6_firewall_rules - - name: "3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Message out settings" + - name: "MANUAL | 3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Message out settings" debug: msg: - "ALERT!!!!Below are the listening ports and firewall rules" @@ -575,7 +596,7 @@ - rule_3.5.1.6 - ufw -- name: "3.5.1.7 | PATCH | Ensure ufw default deny firewall policy" +- name: "AUTOMATED | 3.5.1.7 | PATCH | Ensure ufw default deny firewall policy" ufw: default: deny direction: "{{ item }}" @@ -590,6 +611,7 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_3.5.1.7 - ufw 
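Review bot: Tasks relabelled `AUTOMATED` in this commit also receive a `- automated` tag (for example 3.5.1.4 in `@@ -505,13 +525,14 @@` and 3.5.1.7 in `@@ -590,6 +611,7 @@`), but the tasks relabelled `MANUAL` here (3.5.1.5 and 3.5.1.6, whose tag lists appear as context in `@@ -539,23 +560,23 @@` and `@@ -575,7 +596,7 @@`) get no corresponding `- manual` tag in the diff; the same holds for 3.5.2.3 in `@@ -627,11 +650,12 @@`. If those tag lists do not already contain `- manual`, add ` - manual` next to `- patch`/`- audit` so the label in the name and the selectable tag stay in step, since `--tags manual` is presumably how these tasks are meant to be filtered.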
@@ -599,7 +621,7 @@ # NFTables is unsupported with this role. However I have the actions commented out as a guide # --------------- # --------------- -- name: "3.5.2.1 | AUDIT | Ensure nftables is installed" +- name: "AUTOMATED | 3.5.2.1 | AUDIT | Ensure nftables is installed" debug: msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" # apt: @@ -611,11 +633,12 @@ tags: - level1-server - level1-workstation + - automated - audit - rule_3.5.2.1 - nftables -- name: "3.5.2.2 | AUDIT | Ensure ufw is uninstalled or disabled with nftables" +- name: "AUTOMATED | 3.5.2.2 | AUDIT | Ensure ufw is uninstalled or disabled with nftables" debug: msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" # apt: @@ -627,11 +650,12 @@ tags: - level1-server - level1-workstation + - automated - audit - rule_3.5.2.2 - nftables -- name: "3.5.2.3 | AUDIT | Ensure iptables are flushed with nftables" +- name: "MANUAL | 3.5.2.3 | AUDIT | Ensure iptables are flushed with nftables" debug: msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" # iptables: @@ -647,7 +671,7 @@ - rule_3.5.2.3 - nftables -- name: "3.5.2.4 | AUDIT | Ensure a nftables table exists" +- name: "AUTOMATED | 3.5.2.4 | AUDIT | Ensure a nftables table exists" debug: msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" # command: "nft create table {{ ubtu20cis_nftables_table_name }}" 
@@ -661,27 +685,28 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_3.5.2.4 - nftables -- name: "3.5.2.5 | AUDIT | Ensure nftables base chains exist" +- name: "AUTOMATED | 3.5.2.5 | AUDIT | Ensure nftables base chains exist" debug: msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" # block: - # - name: "3.5.2.5 | PATCH | Ensure nftables base chains exist | Input entry" + # - name: "AUTOMATED | 3.5.2.5 | PATCH | Ensure nftables base chains exist | Input entry" # shell: 'nft create chain {{ ubtu20cis_nftables_table_name }} input { type filter hook input priority 0 \; }' # changed_when: ubtu20cis_3_5_2_5_base_chains_input.rc == 0 # failed_when: false # register: ubtu20cis_3_5_2_5_base_chains_input - # - name: "3.5.2.5 | PATCH | Ensure nftables base chains exist | Forward entry" + # - name: "AUTOMATED | 3.5.2.5 | PATCH | Ensure nftables base chains exist | Forward entry" # shell: 'nft create chain {{ ubtu20cis_nftables_table_name }} forward { type filter hook forward priority 0 \; }' # changed_when: ubtu20cis_3_5_2_5_base_chains_forward.rc == 0 # failed_when: false # register: ubtu20cis_3_5_2_5_base_chains_forward - # - name: "3.5.2.5 | PATCH | Ensure nftables base chains exist | Output entry" + # - name: "AUTOMATED | 3.5.2.5 | PATCH | Ensure nftables base chains exist | Output entry" # shell: 'nft create chain {{ ubtu20cis_nftables_table_name }} output { type filter hook output priority 0 \; }' # changed_when: ubtu20cis_3_5_2_5_base_chains_output.rc == 0 # failed_when: false 
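Review bot: Task 3.5.2.4 at the top of hunk @@ -661,27 +685,28 @@ carries the `- patch` tag while its new name reads `AUTOMATED | 3.5.2.4 | AUDIT | …` and the task body is only a `debug` warning; every other nftables placeholder in these hunks is tagged `- audit`. Since the task changes nothing on the host, `- audit` matches both the name and the behaviour. The rest of the hunk is commented-out code, where the relabel has no runtime effect.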
@@ -692,43 +717,44 @@ tags: - level1-server - level1-workstation + - automated - audit - rule_3.5.2.5 - nftables -- name: "3.5.2.6 | AUDIT | Ensure nftables loopback traffic is configured" +- name: "AUTOMATED | 3.5.2.6 | AUDIT | Ensure nftables loopback traffic is configured" debug: msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" # block: - # - name: "3.5.2.6 | AUDIT | Ensure nftables loopback traffic is configured | Get input iif lo accept status" + # - name: "AUTOMATED | 3.5.2.6 | AUDIT | Ensure nftables loopback traffic is configured | Get input iif lo accept status" # shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' # changed_when: false # failed_when: false # check_mode: false # register: ubtu20cis_3_5_2_6_loopback_iif_status - # - name: "3.5.2.6 | AUDIT | Ensure nftables loopback traffic is configured | Get input iif lo accept status" + # - name: "AUTOMATED | 3.5.2.6 | AUDIT | Ensure nftables loopback traffic is configured | Get input iif lo accept status" # shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' # changed_when: false # failed_when: false # check_mode: false # register: ubtu20cis_3_5_2_6_loopback_input_drop_status - # - name: "3.5.2.6 | AUDIT | Ensure nftables loopback traffic is configured | Get input iif lo accept status" + # - name: "AUTOMATED | 3.5.2.6 | AUDIT | Ensure nftables loopback traffic is configured | Get input iif lo accept status" # shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' # changed_when: false # failed_when: false # check_mode: false # register: ubtu20cis_3_5_2_6_loopback_ipv6_drop_status - # - name: "3.5.2.6 | PATCH | Ensure nftables loopback traffic is configured | Loopback iif lo accept" + # - name: "AUTOMATED | 3.5.2.6 | PATCH | Ensure nftables loopback traffic is configured | Loopback iif lo accept" # command: 'nft add rule inet {{ ubtu20cis_nftables_table_name }} input iif lo accept' # 
changed_when: ubtu20cis_3_5_2_6_loopback_iif.rc == 0 # failed_when: false # register: ubtu20cis_3_5_2_6_loopback_iif # when: "'iif \"lo\" accept' not in ubtu20cis_3_5_2_6_loopback_iif_status.stdout" - # - name: "3.5.2.6 | PATCH | Ensure nftables loopback traffic is configured | Loopback input drop" + # - name: "AUTOMATED | 3.5.2.6 | PATCH | Ensure nftables loopback traffic is configured | Loopback input drop" # command: 'nft add rule inet {{ ubtu20cis_nftables_table_name }} input ip saddr 127\.0\.0\.0\/8 counter drop' # changed_when: ubtu20cis_3_5_2_6_loopback_input_drop.rc == 0 # failed_when: false @@ -737,7 +763,7 @@ # - "'ip saddr 127.0.0.0/8' not in ubtu18cis_3_5_3_4_loopback_input_drop_status.stdout" # - "'drop' not in ubtu20cis_3_5_2_6_loopback_input_drop_status.stdout" - # - name: "3.5.2.6 | PATCH | Ensure nftables loopback traffic is configured | Loopback ipv6 drop" + # - name: "3AUTOMATED | .5.2.6 | PATCH | Ensure nftables loopback traffic is configured | Loopback ipv6 drop" # command: 'nft add rule inet {{ ubtu20cis_nftables_table_name }} input ip6 saddr ::1 counter drop' # changed_when: ubtu20cis_3_5_2_6_loopback_ipv6_drop.rc == 0 # failed_when: false @@ -751,11 +777,12 @@ tags: - level1-server - level1-workstation + - automated - audit - rule_3.5.2.6 - nftables -- name: "3.5.2.7 | AUDIT | Ensure nftables outbound and established connections are configured" +- name: "MANUAL | 3.5.2.7 | AUDIT | Ensure nftables outbound and established connections are configured" debug: msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" when: @@ -769,7 +796,7 @@ - rule_3.5.2.7 - nftables -- name: "3.5.2.8 | AUDIT | Ensure nftables default deny firewall policy" +- name: "AUTOMATED | 3.5.2.8 | AUDIT | Ensure nftables default deny firewall policy" debug: msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" when: 
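Review bot: In hunk @@ -737,7 +763,7 @@ the label was spliced into the wrong position: `# - name: "3AUTOMATED | .5.2.6 | PATCH | … | Loopback ipv6 drop"` should read `# - name: "AUTOMATED | 3.5.2.6 | PATCH | Ensure nftables loopback traffic is configured | Loopback ipv6 drop"`. It sits inside commented-out code, so nothing breaks today, but anyone uncommenting the block inherits the typo. In the same block (hunk @@ -692,43 +717,44 @@, which starts on the previous line) the three audit sub-tasks all keep the name `Get input iif lo accept status` although they grep for `iif "lo" accept`, `ip saddr` and `ip6 saddr` respectively, and the `when:` of the input-drop task still references `ubtu18cis_3_5_3_4_loopback_input_drop_status`, which looks like a leftover from the Ubuntu 18 role rather than a variable this role registers.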
@@ -778,11 +805,12 @@ tags: - level1-server - level1-workstation + - automated - audit - rule_3.5.2.8 - nftables -- name: "3.5.2.9 | AUDIT | Ensure nftables service is enabled" +- name: "AUTOMATED | 3.5.2.9 | AUDIT | Ensure nftables service is enabled" debug: msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" # service: @@ -795,11 +823,12 @@ tags: - level1-server - level1-workstation + - automated - audit - rule_3.5.2.9 - nftables -- name: "3.5.2.10 | AUDIT | Ensure nftables rules are permanent" +- name: "AUTOMATED | 3.5.2.10 | AUDIT | Ensure nftables rules are permanent" debug: msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" when: @@ -808,11 +837,12 @@ tags: - level1-server - level1-workstation + - automated - audit - rule_3.5.2.10 - nftables -- name: "3.5.3.1.1 | PATCH | Ensure iptables packages are installed" +- name: "AUTOMATED | 3.5.3.1.1 | PATCH | Ensure iptables packages are installed" apt: name: ['iptables', 'iptables-persistent'] state: present @@ -822,11 +852,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_3.5.3.1.1 - iptables -- name: "3.5.3.1.2 | PATCH | Ensure nftables is not installed with iptables" +- name: "AUTOMATED | 3.5.3.1.2 | PATCH | Ensure nftables is not installed with iptables" apt: name: nftables state: absent @@ -836,11 +867,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_3.5.3.1.2 - iptables -- name: "3.5.3.1.3 | PATCH | Ensure ufw is uninstalled or disabled with iptables" +- name: "AUTOMATED | 3.5.3.1.3 | PATCH | Ensure ufw is uninstalled or disabled with iptables" apt: name: ufw state: absent @@ -850,6 +882,7 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_3.5.3.1.3 - iptables 
@@ -903,23 +936,23 @@ # - rule_3.5.3.2.1 # - iptables -- name: "3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured" +- name: "AUTOMATED | 3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured" block: - - name: "3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | INPUT loopback ACCEPT" + - name: "AUTOMATED | 3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | INPUT loopback ACCEPT" iptables: action: append chain: INPUT in_interface: lo jump: ACCEPT - - name: "3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT" + - name: "AUTOMATED | 3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT" iptables: action: append chain: OUTPUT out_interface: lo jump: ACCEPT - - name: "3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT" + - name: "AUTOMATED | 3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT" iptables: action: append chain: INPUT @@ -932,11 +965,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_3.5.3.2.1 - iptables -- name: "3.5.3.2.2 | PATCH | Ensure iptables outbound and established connections are configured" +- name: "MANUAL | 3.5.3.2.2 | PATCH | Ensure iptables outbound and established connections are configured" iptables: action: append chain: '{{ item.chain }}' @@ -963,9 +997,9 @@ - rule_3.5.3.2.2 - iptables -- name: "3.5.3.2.3 | PATCH | Ensure iptables default deny firewall policy" +- name: "AUTOMATED | 3.5.3.2.3 | PATCH | Ensure iptables default deny firewall policy" block: - - name: "3.5.3.2.3 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed in" + - name: "AUTOMATED | 3.5.3.2.3 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed in" iptables: chain: INPUT protocol: tcp 
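Review bot: In hunk @@ -903,23 +936,23 @@ the second and third sub-tasks of 3.5.3.2.1 both receive the name `… | OUTPUT loopback ACCEPT`, but the third one appends to `chain: INPUT` (its remaining arguments are outside the hunk). Duplicate task names make play output ambiguous when one of them fails or changes; `- name: "AUTOMATED | 3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | INPUT loopback drop"`, mirroring the `INPUT loopback drop` wording used by the ip6tables block later in this file, would describe it correctly, assuming the hidden arguments are indeed the loopback-source drop.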
@@ -973,7 +1007,7 @@ jump: ACCEPT ctstate: 'NEW,ESTABLISHED' - - name: "3.5.3.2.3 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed out" + - name: "AUTOMATED | 3.5.3.2.3 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed out" iptables: chain: OUTPUT protocol: tcp @@ -981,13 +1015,13 @@ jump: ACCEPT ctstate: 'NEW,ESTABLISHED' - - name: "3.5.3.2.3 | PATCH | Ensure iptables default deny firewall policy | Enable apt traffic" + - name: "AUTOMATED | 3.5.3.2.3 | PATCH | Ensure iptables default deny firewall policy | Enable apt traffic" iptables: chain: INPUT ctstate: 'ESTABLISHED' jump: ACCEPT - - name: "3.5.3.2.3 | PATCH | Ensure iptables default deny firewall policy | Set drop items" + - name: "AUTOMATED | 3.5.3.2.3 | PATCH | Ensure iptables default deny firewall policy | Set drop items" iptables: policy: DROP chain: "{{ item }}" 
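Review bot: The sub-task renamed `AUTOMATED | 3.5.3.2.3 | PATCH | … | Enable apt traffic` in hunk @@ -981,13 +1015,13 @@ accepts every inbound `ESTABLISHED` packet on `INPUT`, not only apt's; the name under-describes what is in effect the general return-traffic allow that must precede the DROP policy. A name such as `… | Accept established inbound traffic`, or a comment noting that apt (and any other outbound client) depends on this rule, would make review of the resulting ruleset easier. The loop list of the `Set drop items` task is outside the hunk.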
@@ -1003,28 +1037,29 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_3.5.3.2.3 - iptables -- name: "3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports" +- name: "AUTOMATED | 3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports" block: - - name: "3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of open ports" + - name: "AUTOMATED | 3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of open ports" command: ss -4tuln changed_when: false failed_when: false check_mode: false register: ubtu20cis_3_5_3_2_4_open_ports - - name: "3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules" + - name: "AUTOMATED | 3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules" command: iptables -L INPUT -v -n changed_when: false failed_when: false check_mode: false register: ubtu20cis_3_5_3_2_4_current_rules - - name: "3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Alert about settings" + - name: "AUTOMATED | 3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Alert about settings" debug: msg: - "ALERT!!!!Below is the list the open ports and current rules" @@ -1040,6 +1075,7 @@ tags: - level1-server - level1-workstation + - automated - audit - rule_3.5.3.2.4 - iptables @@ -1110,9 +1146,9 @@ # - rule_3.5.3.3.1 # - ip6tables -- name: "3.5.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured" +- name: "AUTOMATED | 3.5.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured" block: - - name: "3.5.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback ACCEPT" + - name: "AUTOMATED | 3.5.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback ACCEPT" iptables: action: append chain: INPUT 
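Review bot: The debug message in hunk @@ -1003,28 +1037,29 @@, `"ALERT!!!!Below is the list the open ports and current rules"`, is missing a word; `"ALERT!!!!Below is the list of open ports and current rules"` reads correctly. The same string recurs in the ip6tables audit 3.5.3.3.4 (hunk @@ -1211,27 +1248,28 @@ two lines down). Note also that 3.5.3.2.4 is labelled AUTOMATED while the equivalent ufw audit 3.5.1.6 is labelled MANUAL; if that mirrors the benchmark's own assessment labels it is fine, otherwise the two should agree.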
@@ -1120,7 +1156,7 @@ jump: ACCEPT ip_version: ipv6 - - name: "3.5.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT loopback ACCEPT" + - name: "AUTOMATED | 3.5.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT loopback ACCEPT" iptables: action: append chain: OUTPUT @@ -1128,7 +1164,7 @@ jump: ACCEPT ip_version: ipv6 - - name: "3.5.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback drop" + - name: "AUTOMATED | 3.5.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback drop" iptables: action: append chain: INPUT @@ -1143,11 +1179,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_3.5.3.3.1 - ip6tables -- name: "3.5.3.3.2 | PATCH | Ensure ip6tables outbound and established connections are configured" +- name: "MANUAL | 3.5.3.3.2 | PATCH | Ensure ip6tables outbound and established connections are configured" iptables: action: append chain: '{{ item.chain }}' @@ -1176,7 +1213,7 @@ - rule_3.5.3.3.2 - ip6tables -- name: "3.5.3.3.3 | PATCH | Ensure ip6tables default deny firewall policy" +- name: "AUTOMATED | 3.5.3.3.3 | PATCH | Ensure ip6tables default deny firewall policy" block: - name: "3.5.3.3.3 | PATCH | Ensure ip6tables default deny firewall policy | Configure SSH to be allowed out" iptables: @@ -1187,14 +1224,14 @@ ctstate: 'NEW,ESTABLISHED' ip_version: ipv6 - - name: "3.5.3.3.3 | PATCH | Ensure ip6tables default deny firewall policy | Enable apt traffic" + - name: "AUTOMATED | 3.5.3.3.3 | PATCH | Ensure ip6tables default deny firewall policy | Enable apt traffic" iptables: chain: INPUT ctstate: 'ESTABLISHED' jump: ACCEPT ip_version: ipv6 - - name: "3.5.3.3.3 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items" + - name: "AUTOMATED | 3.5.3.3.3 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items" iptables: policy: DROP chain: "{{ item }}" 
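Review bot: In hunk @@ -1176,7 +1213,7 @@ the parent task 3.5.3.3.3 is relabelled but its first sub-task is left as `- name: "3.5.3.3.3 | PATCH | Ensure ip6tables default deny firewall policy | Configure SSH to be allowed out"`; every other sub-task in this file gets the prefix, so it should read `- name: "AUTOMATED | 3.5.3.3.3 | PATCH | Ensure ip6tables default deny firewall policy | Configure SSH to be allowed out"`. Separately, the visible context suggests the ip6tables block goes from that OUTPUT rule straight to `Enable apt traffic` and then `policy: DROP`, with no inbound SSH accept on INPUT as the iptables block 3.5.3.2.3 has; if that is the case, applying the DROP policy would cut off SSH over IPv6, which is worth confirming against the lines outside the hunk.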
@@ -1211,27 +1248,28 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_3.5.3.3.3 - ip6tables -- name: "3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports" +- name: "AUTOMATED | 3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports" block: - - name: "3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of open ports" + - name: "AUTOMATED | 3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of open ports" command: ss -6tuln changed_when: false failed_when: false check_mode: false register: ubtu20cis_3_5_3_3_4_open_ports - - name: "3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of rules" + - name: "AUTOMATED | 3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of rules" command: ip6tables -L INPUT -v -n changed_when: false failed_when: false check_mode: false register: ubtu20cis_3_5_3_3_4_current_rules - - name: "3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Alert about settings" + - name: "AUTOMATED | 3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Alert about settings" debug: msg: - "ALERT!!!!Below is the list the open ports and current rules" @@ -1248,7 +1286,7 @@ tags: - level1-server - level1-workstation - - notscored + - automated - audit - rule_3.5.4.2.3 - ip6tables From d56138bf03d767533fbe6ff81e0e3055bb25eab0 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 3 May 2021 17:02:36 -0400 Subject: [PATCH 17/44] updated section 3 to remove empty string compares Signed-off-by: George Nalen --- tasks/section3.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section3.yml b/tasks/section3.yml index e78465e0..11ff5be5 100644 --- a/tasks/section3.yml +++ b/tasks/section3.yml 
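Review bot: The tag list edited in hunk @@ -1248,7 +1286,7 @@ belongs to task 3.5.3.3.4 but still carries `- rule_3.5.4.2.3`, which does not match the task's own id; `- rule_3.5.3.3.4` is what the pattern used by its neighbours (`rule_3.5.3.3.3`, `rule_3.5.3.2.4`) calls for, and a tag-based run selecting rule 3.5.3.3.4 currently misses this task. The `notscored` → `automated` replacement itself is consistent with the other hunks.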
@@ -53,12 +53,12 @@ command: nmcli radio all off changed_when: ubtu20cis_3_1_2_nmcli_radio_off.rc == 0 register: ubtu20cis_3_1_2_nmcli_radio_off - when: ubtu20cis_3_1_2_network_manager_status.stdout != "" + when: ubtu20cis_3_1_2_network_manager_status.stdout | length > 0 - name: "AUTOMATED | 3.1.2 | PATCH | Ensure wireless interfaces are disabled | Warn about wireless if network-manager not installed" debug: msg: "ALERT!!!! You need to disable wireless interfaces manually since network-manager is not installed" - when: ubtu20cis_3_1_2_network_manager_status.stdout == "" + when: ubtu20cis_3_1_2_network_manager_status.stdout | length == 0 when: - ubtu20cis_rule_3_1_2 tags: From 385c9fad0e2101dcf176ea2806585945906e46cf Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 4 May 2021 08:10:44 -0400 Subject: [PATCH 18/44] removed unneeded section 3 vars from defaults/main Signed-off-by: George Nalen --- defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 5260037a..b6264903 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -444,9 +444,9 @@ ubtu20cis_ntp_server_options: "iburst" ubtu20_cis_mail_transfer_agent: "other" # Section 3 Control Variables -# Control 3.1.2 -# ubtu20cis_install_network_manager determines if this role can install network manager -ubtu20cis_install_network_manager: true +# # Control 3.1.2 +# # ubtu20cis_install_network_manager determines if this role can install network manager +# ubtu20cis_install_network_manager: true # ubtu20cis_firewall_package is the toggle for which firewall system is in use # The valid options to use are ufw, nftables, or iptables From a9603c59038ee0d275a125642a9e8c095c3b42a6 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 4 May 2021 08:25:06 -0400 Subject: [PATCH 19/44] added var back into defaults/main Signed-off-by: George Nalen --- defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/defaults/main.yml b/defaults/main.yml index b6264903..5260037a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -444,9 +444,9 @@ ubtu20cis_ntp_server_options: "iburst" ubtu20_cis_mail_transfer_agent: "other" # Section 3 Control Variables -# # Control 3.1.2 -# # ubtu20cis_install_network_manager determines if this role can install network manager -# ubtu20cis_install_network_manager: true +# Control 3.1.2 +# ubtu20cis_install_network_manager determines if this role can install network manager +ubtu20cis_install_network_manager: true # ubtu20cis_firewall_package is the toggle for which firewall system is in use # The valid options to use are ufw, nftables, or iptables From 683ad3606b57d31ec9d947271d5321b0d82d58cd Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 4 May 2021 08:50:53 -0400 Subject: [PATCH 20/44] updated section 4 to v1.1.0 Signed-off-by: George Nalen --- tasks/section4.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section4.yml b/tasks/section4.yml index 14f633bf..0708201c 100644 --- a/tasks/section4.yml +++ b/tasks/section4.yml @@ -357,7 +357,7 @@ - rule_4.1.14 - auditd -- name: "4.1.15 | PATCH | Ensure system administrator actions (sudolog) are collected" +- name: "4.1.15 | PATCH | Ensure system administrator command executions (sudo) are collected" template: src: audit/ubtu20cis_4_1_15_actions.rules.j2 dest: /etc/audit/rules.d/actions.rules From 8b389857e65c5201eff9026e0a6e53e122fa51dc Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 4 May 2021 09:00:58 -0400 Subject: [PATCH 21/44] updated section 3 automated/manual labels Signed-off-by: George Nalen --- tasks/section4.yml | 128 ++++++++++++++++++++++++++++----------------- 1 file changed, 79 insertions(+), 49 deletions(-) diff --git a/tasks/section4.yml b/tasks/section4.yml index 0708201c..a8c4eeef 100644 --- a/tasks/section4.yml +++ b/tasks/section4.yml 
@@ -1,5 +1,5 @@ --- -- name: "4.1.1.1 | PATCH | Ensure auditd is installed" +- name: "AUTOMATED | 4.1.1.1 | PATCH | Ensure auditd is installed" apt: name: ['auditd', 'audispd-plugins'] state: present @@ -8,11 +8,12 @@ tags: - level2-server - level2-workstation + - automated - patch - rule_4.1.1.1 - auditd -- name: "4.1.1.2 | PATCH | Ensure auditd service is enabled" +- name: "AUTOMATED | 4.1.1.2 | PATCH | Ensure auditd service is enabled" service: name: auditd state: started @@ -22,20 +23,21 @@ tags: - level2-server - level2-workstation + - automated - patch - rule_4.1.1.2 - auditd -- name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" +- name: "AUTOMATED | 4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" block: - - name: "4.1.1.3 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX" + - name: "AUTOMATED | 4.1.1.3 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX" shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' changed_when: false failed_when: false check_mode: false register: ubtu20cis_4_1_1_3_cmdline_settings - - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add setting if doesn't exist" + - name: "AUTOMATED | 4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add setting if doesn't exist" lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' @@ -43,7 +45,7 @@ when: "'audit=' not in ubtu20cis_4_1_1_3_cmdline_settings.stdout" notify: grub update - - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Update setting if exists" + - name: "AUTOMATED | 4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Update setting if exists" replace: dest: /etc/default/grub regexp: 'audit=([0-9]+)' 
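Review bot: The commit subject says the change updates "section 3" labels, but every hunk from @@ -1,5 +1,5 @@ onward is in tasks/section4.yml, as the diffstat also shows; the message should name section 4 so the history matches the change. The labels themselves are applied consistently to 4.1.1.1–4.1.1.3 in these hunks.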
@@ -57,20 +59,21 @@ tags: - level2-server - level2-workstation + - automated - patch - rule_4_1_1_3 - auditd -- name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient" +- name: "AUTOMATED | 4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient" block: - - name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Get current GRUB_CMDLINE_LINUX" + - name: "AUTOMATED | 4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Get current GRUB_CMDLINE_LINUX" shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' changed_when: false failed_when: false check_mode: false register: ubtu20cis_4_1_1_4_cmdline_settings - - name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Add setting if doesn't exist" + - name: "AUTOMATED | 4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Add setting if doesn't exist" lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' @@ -78,7 +81,7 @@ notify: grub update when: "'audit_backlog_limit=' not in ubtu20cis_4_1_1_4_cmdline_settings.stdout" - - name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Update setting if exists" + - name: "AUTOMATED | 4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Update setting if exists" replace: dest: /etc/default/grub regexp: 'audit_backlog_limit=([0-9]+)' @@ -91,11 +94,12 @@ tags: - level2-server - level2-workstation + - automated - patch - rule_4.1.1.4 - auditd -- name: "4.1.2.1 | PATCH | Ensure audit log storage size is configured" +- name: "AUTOMATED | 4.1.2.1 | PATCH | Ensure audit log storage size is configured" lineinfile: dest: /etc/audit/auditd.conf regexp: "^max_log_file( |=)" 
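Review bot: The tag list at the top of hunk @@ -57,20 +59,21 @@ keeps `- rule_4_1_1_3` with underscores, while every other rule tag in this file uses dots (`rule_4.1.1.4`, `rule_4.1.2.1`, …); since this commit touches the line right above it, `- rule_4.1.1.3` would bring it in line and make `--tags rule_4.1.1.3` behave like its siblings. The 4.1.1.3 block itself starts on the previous line.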
@@ -107,11 +111,12 @@ tags: - level2-server - level2-workstation + - automated - patch - rule_4.1.2.1 - auditd -- name: "4.1.2.2 | PATCH | Ensure audit logs are not automatically deleted" +- name: "AUTOMATED | 4.1.2.2 | PATCH | Ensure audit logs are not automatically deleted" lineinfile: path: /etc/audit/auditd.conf regexp: '^max_log_file_action' @@ -122,11 +127,12 @@ tags: - level2-server - level2-workstation + - automated - patch - rule_4.1.2.2 - auditd -- name: "4.1.2.3 | PATCH | Ensure system is disabled when audit logs are full" +- name: "AUTOMATED | 4.1.2.3 | PATCH | Ensure system is disabled when audit logs are full" lineinfile: path: /etc/audit/auditd.conf regexp: "{{ item.regexp }}" @@ -141,11 +147,12 @@ tags: - level2-server - level2-workstation + - automated - patch - rule_4.1.2.3 - auditd -- name: "4.1.3 | PATCH | Ensure events that modify date and time information are collected" +- name: "AUTOMATED | 4.1.3 | PATCH | Ensure events that modify date and time information are collected" template: src: audit/ubtu20cis_4_1_3_timechange.rules.j2 dest: /etc/audit/rules.d/time-change.rules @@ -158,11 +165,12 @@ tags: - level2-server - level2-workstation + - automated - patch - rule_4.1.3 - auditd -- name: "4.1.4 | PATCH | Ensure events that modify user/group information are collected" +- name: "AUTOMATED | 4.1.4 | PATCH | Ensure events that modify user/group information are collected" template: src: audit/ubtu20cis_4_1_4_identity.rules.j2 dest: /etc/audit/rules.d/identity.rules @@ -175,11 +183,12 @@ tags: - level2-server - level2-workstation + - automated - patch - rule_4.1.4 - auditd -- name: "4.1.5 | PATCH | Ensure events that modify the system's network environment are collected" +- name: "AUTOMATED | 4.1.5 | PATCH | Ensure events that modify the system's network environment are collected" template: src: audit/ubtu20cis_4_1_5_systemlocale.rules.j2 dest: /etc/audit/rules.d/system-locale.rules 
@@ -192,11 +201,12 @@ tags: - level2-server - level2-workstation + - automated - patch - rule_4.1.5 - auditd -- name: "4.1.6 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" +- name: "AUTOMATED | 4.1.6 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" template: src: audit/ubtu20cis_4_1_6_macpolicy.rules.j2 dest: /etc/audit/rules.d/MAC-policy.rules @@ -209,11 +219,12 @@ tags: - level2-server - level2-workstation + - automated - patch - rule_4.1.6 - auditd -- name: "4.1.7 | PATCH | Ensure login and logout events are collected" +- name: "AUTOMATED | 4.1.7 | PATCH | Ensure login and logout events are collected" template: src: audit/ubtu20cis_4_1_7_logins.rules.j2 dest: /etc/audit/rules.d/logins.rules @@ -226,11 +237,12 @@ tags: - level2-server - level2-workstation + - automated - patch - rule_4.1.7 - auditd -- name: "4.1.8 | PATCH | Ensure session initiation information is collected" +- name: "AUTOMATED | 4.1.8 | PATCH | Ensure session initiation information is collected" template: src: audit/ubtu20cis_4_1_8_session.rules.j2 dest: /etc/audit/rules.d/session.rules @@ -243,11 +255,12 @@ tags: - level2-server - level2-workstation + - automated - patch - rule_4.1.8 - auditd -- name: "4.1.9 | PATCH | Ensure discretionary access control permission modification events are collected" +- name: "AUTOMATED | 4.1.9 | PATCH | Ensure discretionary access control permission modification events are collected" template: src: audit/ubtu20cis_4_1_9_permmod.rules.j2 dest: /etc/audit/rules.d/perm_mod.rules @@ -260,11 +273,12 @@ tags: - level2-server - level2-workstation + - automated - patch - rule_4.1.9 - auditd -- name: "4.1.10 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected" +- name: "AUTOMATED | 4.1.10 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected" template: src: audit/ubtu20cis_4_1_10_access.rules.j2 dest: /etc/audit/rules.d/access.rules 
@@ -277,19 +291,20 @@ tags: - level2-server - level2-workstation + - automated - patch - rule_4.1.10 - auditd -- name: "4.1.11 | PATCH | Ensure use of privileged commands is collected" +- name: "AUTOMATED | 4.1.11 | PATCH | Ensure use of privileged commands is collected" block: - - name: "4.1.11 | AUDIT | Ensure use of privileged commands is collected | Get list of privileged programs" + - name: "AUTOMATED | 4.1.11 | AUDIT | Ensure use of privileged commands is collected | Get list of privileged programs" shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done register: priv_procs changed_when: no check_mode: false - - name: "4.1.11 | PATCH | Ensure use of privileged commands is collected | Set privileged rules" + - name: "AUTOMATED | 4.1.11 | PATCH | Ensure use of privileged commands is collected | Set privileged rules" template: src: audit/ubtu20cis_4_1_11_privileged.rules.j2 dest: /etc/audit/rules.d/privileged.rules @@ -302,11 +317,12 @@ tags: - level2-server - level2-workstation + - automated - patch - rule_4.1.11 - auditd -- name: "4.1.12 | PATCH | Ensure successful file system mounts are collected" +- name: "AUTOMATED | 4.1.12 | PATCH | Ensure successful file system mounts are collected" template: src: audit/ubtu20cis_4_1_12_audit.rules.j2 dest: /etc/audit/rules.d/audit.rules @@ -319,11 +335,12 @@ tags: - level2-server - level2-workstation + - automated - patch - rule_4.1.12 - auditd -- name: "4.1.13 | PATCH | Ensure file deletion events by users are collected" +- name: "AUTOMATED | 4.1.13 | PATCH | Ensure file deletion events by users are collected" template: src: audit/ubtu20cis_4_1_13_delete.rules.j2 dest: /etc/audit/rules.d/delete.rules 
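Review bot: The privileged-programs task in hunk @@ -277,19 +291,20 @@ uses `changed_when: no`, the only YAML 1.1 truthy spelling in this file; the other information-gathering tasks write `changed_when: false`, and yamllint's `truthy` rule flags `no`. The same task's shell loop expands `$i` unquoted, so a mount point containing whitespace would be split into several `find` arguments — `find "$i" …` is the safer form, if such mount points are possible on the targets.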
@@ -336,11 +353,12 @@ tags: - level2-server - level2-workstation + - automated - patch - rule_4.1.13 - auditd -- name: "4.1.14 | PATCH | Ensure changes to system administration scope (sudoers) is collected" +- name: "AUTOMATED | 4.1.14 | PATCH | Ensure changes to system administration scope (sudoers) is collected" template: src: audit/ubtu20cis_4_1_14_scope.rules.j2 dest: /etc/audit/rules.d/scope.rules @@ -353,11 +371,12 @@ tags: - level2-server - level2-workstation + - automated - patch - rule_4.1.14 - auditd -- name: "4.1.15 | PATCH | Ensure system administrator command executions (sudo) are collected" +- name: "AUTOMATED | 4.1.15 | PATCH | Ensure system administrator command executions (sudo) are collected" template: src: audit/ubtu20cis_4_1_15_actions.rules.j2 dest: /etc/audit/rules.d/actions.rules @@ -370,11 +389,12 @@ tags: - level2-server - level2-workstation + - automated - patch - rule_4.1.15 - auditd -- name: "4.1.16 | PATCH | Ensure kernel module loading and unloading is collected" +- name: "AUTOMATED | 4.1.16 | PATCH | Ensure kernel module loading and unloading is collected" template: src: audit/ubtu20cis_4_1_16_modules.rules.j2 dest: /etc/audit/rules.d/modules.rules @@ -387,11 +407,12 @@ tags: - level2-server - level2-workstation + - automated - patch - rule_4.1.16 - auditd -- name: "4.1.17 | PATCH | Ensure the audit configuration is immutable" +- name: "AUTOMATED | 4.1.17 | PATCH | Ensure the audit configuration is immutable" template: src: audit/ubtu20cis_4_1_17_99finalize.rules.j2 dest: /etc/audit/rules.d/99-finalize.rules @@ -404,12 +425,13 @@ tags: - level2-server - level2-workstation + - automated - scored - patch - rule_4.1.17 - auditd -- name: "4.2.1.1 | PATCH | Ensure rsyslog is installed" +- name: "AUTOMATED | 4.2.1.1 | PATCH | Ensure rsyslog is installed" apt: name: rsyslog state: present 
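Review bot: In hunk @@ -404,12 +425,13 @@ task 4.1.17 now carries both `- automated` and the older `- scored` tag; elsewhere in this series the `scored`/`notscored` tags are being replaced by the new labels (for example `notscored` → `automated` in tasks/section3.yml), so the leftover `- scored` should be removed rather than kept alongside. Otherwise the tag lists in these hunks are consistent.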
@@ -418,12 +440,13 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_4.2.1.1 - rsyslog - apt -- name: "4.2.1.2 | PATCH | Ensure rsyslog Service is enabled" +- name: "AUTOMATED | 4.2.1.2 | PATCH | Ensure rsyslog Service is enabled" service: name: rsyslog enabled: yes @@ -432,34 +455,35 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_4.2.1.2 - rsyslog -- name: "4.2.1.3 | PATCH | Ensure logging is configured" +- name: "MANUAL | 4.2.1.3 | PATCH | Ensure logging is configured" block: - - name: "4.2.1.3 | AUDIT | Ensure logging is configured | Find configuration file" + - name: "MANUAL | 4.2.1.3 | AUDIT | Ensure logging is configured | Find configuration file" shell: grep -r "*.emerg" /etc/* | cut -f1 -d":" changed_when: false failed_when: false check_mode: false register: ubtu20cis_4_2_1_3_rsyslog_config_path - - name: "4.2.1.3 | AUDIT | Ensure logging is configured | Gather rsyslog current config" + - name: "MANUAL | 4.2.1.3 | AUDIT | Ensure logging is configured | Gather rsyslog current config" command: "cat {{ ubtu20cis_4_2_1_3_rsyslog_config_path.stdout }}" changed_when: false failed_when: false check_mode: false register: ubtu20cis_4_2_1_3_rsyslog_config - - name: "4.2.1.3 | AUDIT | Ensure logging is configured | Message out config" + - name: "MANUAL | 4.2.1.3 | AUDIT | Ensure logging is configured | Message out config" debug: msg: - "Alert!!!Below is the current logging configurations for rsyslog, please review" - "{{ ubtu20cis_4_2_1_3_rsyslog_config.stdout_lines }}" when: not ubtu20cis_rsyslog_ansible_managed - - name: "4.2.1.3 | PATCH | Ensure logging is configured | Automated rsyslog configuration" + - name: "MANUAL | 4.2.1.3 | PATCH | Ensure logging is configured | Automated rsyslog configuration" lineinfile: path: "{{ ubtu20cis_4_2_1_3_rsyslog_config_path.stdout }}" regexp: "{{ item.regexp }}" 
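Review bot: The 4.2.1.3 block relabelled `MANUAL |` in this hunk (and 4.2.1.6 and 4.3 in the two hunks that follow) gains no tag, while every task relabelled `AUTOMATED |` gains `- automated`, so the two classes cannot be selected or skipped symmetrically with `--tags`/`--skip-tags`; as far as these hunks show, the tag lists of the MANUAL tasks are left untouched. Adding `- manual` in the same position in each of those three tag lists would keep the scheme consistent. The label also reads oddly on a block whose last subtask is still named `Automated rsyslog configuration` and edits the rsyslog config with lineinfile; if the control is marked manual because the resulting config must be reviewed by a person, a one-line comment above the task saying so would save the next reader from guessing. The block's lineinfile subtask continues outside the hunk.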
@@ -494,7 +518,7 @@ - rule_4.2.1.3 - rsyslog -- name: "4.2.1.4 | PATCH | Ensure rsyslog default file permissions configured" +- name: "AUTOMATED | 4.2.1.4 | PATCH | Ensure rsyslog default file permissions configured" lineinfile: path: /etc/rsyslog.conf regexp: '^\$FileCreateMode|^#\$FileCreateMode' @@ -505,11 +529,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_4.2.1.4 - rsyslog -- name: "4.2.1.5 | PATCH | Ensure rsyslog is configured to send logs to a remote log host" +- name: "AUTOMATED | 4.2.1.5 | PATCH | Ensure rsyslog is configured to send logs to a remote log host" blockinfile: path: /etc/rsyslog.conf block: | @@ -521,13 +546,14 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_4.2.1.5 - rsyslog -- name: "4.2.1.6 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts" +- name: "MANUAL | 4.2.1.6 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts" block: - - name: "4.2.1.6 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts | When not a log host" + - name: "MANUAL | 4.2.1.6 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts | When not a log host" replace: path: /etc/rsyslog.conf regexp: '({{ item }})' @@ -538,7 +564,7 @@ notify: restart rsyslog when: not ubtu20cis_system_is_log_server - - name: "4.2.1.6 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts | When a log server" + - name: "MANUAL | 4.2.1.6 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts | When a log server" lineinfile: path: /etc/rsyslog.conf regexp: "{{ item.regexp }}" 
@@ -558,7 +584,7 @@ - rule_4.2.1.6 - rsyslog -- name: "4.2.2.1 | PATCH | Ensure journald is configured to send logs to rsyslog" +- name: "AUTOMATED | 4.2.2.1 | PATCH | Ensure journald is configured to send logs to rsyslog" lineinfile: path: /etc/systemd/journald.conf regexp: '^ForwardToSyslog|^#ForwardToSyslog' @@ -569,6 +595,7 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_4.2.2.1 - rsyslog @@ -590,7 +617,7 @@ - rsyslog - journald -- name: "4.2.2.3 | PATCH | Ensure journald is configured to write logfiles to persistent disk" +- name: "AUTOMATED | 4.2.2.3 | PATCH | Ensure journald is configured to write logfiles to persistent disk" lineinfile: path: /etc/systemd/journald.conf regexp: '^Storage|^#Storage' @@ -601,12 +628,13 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_4.2.2.3 - rsyslog - journald -- name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured" +- name: "AUTOMATED | 4.2.3 | PATCH | Ensure permissions on all logfiles are configured" command: find /var/log -type f -exec chmod g-wx,o-rwx "{}" + -o -type d -exec chmod g-w,o-rwx "{}" + changed_when: ubtu20cis_4_2_3_logfile_perms_status.rc == 0 check_mode: false @@ -616,20 +644,21 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_4.2.3 - logfiles - permissions -- name: "4.3 | PATCH | Ensure logrotate is configured" +- name: "MANUAL | 4.3 | PATCH | Ensure logrotate is configured" block: - - name: "4.3 | PATCH | Ensure logrotate is configured | Get logrotate files" + - name: "MANUAL | 4.3 | PATCH | Ensure logrotate is configured | Get logrotate files" find: paths: /etc/logrotate.d/ check_mode: false register: ubtu20cis_4_3_logrotate_files - - name: "4.3 | PATCH | Ensure logrotate is configured | Set rotation configurations" + - name: "MANUAL | 4.3 | PATCH | Ensure logrotate is configured | Set rotation configurations" replace: path: "{{ item.path }}" regexp: '^(\s*)(daily|weekly|monthly|yearly)$' 
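Review bot: `check_mode: false` on the 4.2.3 `command: find /var/log ... -exec chmod ...` task (a context line in the `@@ -601,12` hunk, so pre-existing rather than introduced here) makes the chmod run for real during `--check`, which is the opposite of what a dry run is meant to guarantee; elsewhere in this file the flag sits only on read-only audit commands such as the `grep`/`cat` in 4.2.1.3 and the `find` module in 4.3. Dropping the `check_mode: false` line, or splitting the task into a read-only `find` audit that keeps the flag and a separate chmod that honours check mode, would restore a safe dry run. `changed_when: ubtu20cis_4_2_3_logfile_perms_status.rc == 0` also reports "changed" on every successful run, so idempotence cannot be judged from the play output. The task's `register:` and `when:` lines are outside the hunk.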
@@ -647,7 +676,7 @@ - rule_4.3 - logrotate -- name: "4.4 | PATCH | Ensure logrotate assigns appropriate permissions" +- name: "AUTOMATED | 4.4 | PATCH | Ensure logrotate assigns appropriate permissions" lineinfile: path: /etc/logrotate.conf regexp: '^create' @@ -657,6 +686,7 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_4.3 - logrotate From 0a95f755714242c718cd71e75b2e706221bb5071 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 4 May 2021 14:08:26 -0400 Subject: [PATCH 22/44] updated section 6 to v1.1.0 benchmarks Signed-off-by: George Nalen --- defaults/main.yml | 53 ++--- tasks/section5.yml | 506 ++++++++++++++++++++++++--------------------- 2 files changed, 303 insertions(+), 256 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 5260037a..3c9bf782 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -379,15 +379,6 @@ ubtu20cis_vartmp: opts: "defaults,nodev,nosuid,noexec,bind" enabled: false -# Control 1.3.1 -# ubtu20cis_sudo_package is the name of the sudo package to install -# The possible values are "sudo" or "sudo-ldap" -ubtu20cis_sudo_package: "sudo" - -# Control 1.3.3 -# ubtu20cis_sudo_logfile is the path and file name of the sudo log file -ubtu20cis_sudo_logfile: "/var/log/sudo.log" - # Control 1.3.2 # These are the crontab settings for file system integrity enforcement ubtu20cis_aide_cron: 
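Review bot: The 4.4 task's tag list still ends with `- rule_4.3` (a context line in the `@@ -657,6` hunk), so `--tags rule_4.4` will not select this task and `--tags rule_4.3` will run both 4.3 and 4.4; the commit edits this very list to add `- automated` but leaves the copy-paste tag in place. Change it to `- rule_4.4`. The task's `when:` condition is outside the hunk, so I cannot tell whether the matching rule variable carries the same mistake.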
@@ -516,31 +507,43 @@ ubtu20cis_logrotate: "daily" ubtu20cis_logrotate_create_settings: "0640 root utmp" # Section 5 Control Variables +# Control 5.2.1 +# ubtu20cis_sudo_package is the name of the sudo package to install +# The possible values are "sudo" or "sudo-ldap" +ubtu20cis_sudo_package: "sudo" + +# Control 5.2.3 +# ubtu20cis_sudo_logfile is the path and file name of the sudo log file +ubtu20cis_sudo_logfile: "/var/log/sudo.log" + # ubtu20cis_sshd will contain all sshd variables. The task association and variable descriptions for each section are listed below -# Control 5.2.4 +# Control 5.3.4 +# allow_users, allow_groups, deny_users, and deny_groups. These are lists of users and groups to allow or deny ssh access to +# These are lists that are just space delimited, for example allow_users: "vagrant ubuntu" for the vagrant and ubuntu users +# Control 5.3.5 # log_level is the log level variable. This needs to be set to VERBOSE or INFO to conform to CIS standards -# Control 5.2.6 +# Control 5.3.7 # max_auth_tries is the max number of authentication attampts per connection. # This value should be 4 or less to conform to CIS standards -# Control 5.2.12 +# Control 5.3.13 # ciphers is a comma seperated list of site approved ciphers # ONLY USE STRONG CIPHERS. Weak ciphers are listed below # DO NOT USE: 3des-cbc, aes128-cbc, aes192-cbc, and aes256-cbc -# Control 5.2.13 +# Control 5.3.14 # MACs is the comma seperated list of site approved MAC algorithms that SSH can use during communication # ONLY USE STRONG ALGORITHMS. 
Weak algorithms are listed below # DO NOT USE: hmac-md5, hmac-md5-96, hmac-ripemd160, hmac-sha1, hmac-sha1-96, umac-64@openssh.com, umac-128@openssh.com, hmac-md5-etm@openssh.com, # hmac-md5-96-etm@openssh.com, hmac-ripemd160-etm@openssh.com, hmac-sha1-etm@openssh.com, hmac-sha1-96-etm@openssh.com, umac-64-etm@openssh.com, umac-128-etm@openssh.com -# Control 5.2.14 +# Control 5.3.15 # kex_algorithms is comma seperated list of the algorithms for key exchange methods # ONLY USE STRONG ALGORITHMS. Weak algorithms are listed below # DO NOT USE: diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1 -# Control 5.2.15 +# Control 5.3.16 # client_alive_interval is the amount of time idle before ssh session terminated. Set to 300 or less to conform to CIS standards # client_alive_count_max will send client alive messages at the configured interval. Set to 3 or less to conform to CIS standards -# Control 5.2.16 +# Control 5.3.17 # login_grace_time is the time allowed for successful authentication to the SSH server. This needs to be set to 60 seconds or less to conform to CIS standards -# Control 5.2.22 +# Control 5.3.22 # max_sessions is the max number of open sessions permitted. Set the value to 4 or less to conform to CIS standards ubtu20cis_sshd: log_level: "INFO" 
@@ -558,19 +561,19 @@ ubtu20cis_sshd: # deny_users: # deny_groups: -# Control 5.3.3 +# Control 5.4.3 # ubtu20cis_pamd_pwhistory_remember is number of password chnage cycles a user can re-use a password # This needs to be 5 or more to conform to CIS standards ubtu20cis_pamd_pwhistory_remember: 5 # ubtu20cis_pass will be password based variables -# # Control 5.4.1.1 -# max_days forces passwords to expire in configured number of days. Set to 365 or less to conform to CIS standards -# Control 5.4.1.2 +# Control 5.5.1.1 # pass_min_days is the min number of days allowed between changing passwords. Set to 1 or more to conform to CIS standards -# Control 5.4.1.3 +# Control 5.5.1.2 +# max_days forces passwords to expire in configured number of days. Set to 365 or less to conform to CIS standards +# Control 5.5.1.3 # warn_age is how many days before pw expiry the user will be warned. Set to 7 or more to conform to CIS standards -# Control 5.4.1.4 +# Control 5.5.1.4 # inactive the number of days of inactivity before the account will lock. Set to 30 day sor less to conform to CIS standards ubtu20cis_pass: max_days: 365 @@ -578,14 +581,14 @@ ubtu20cis_pass: warn_age: 7 inactive: 30 -# Control 5.4.5 +# Control 5.5.5 # Session timeout setting file (TMOUT setting can be set in multiple files) # Timeout value is in seconds. Set value to 900 seconds or less ubtu20cis_shell_session_timeout: file: /etc/profile.d/tmout.sh timeout: 900 -# Control 5.6 +# Control 5.7 # ubtu20cis_su_group is the su group to use with pam_wheel ubtu20cis_su_group: "wheel" diff --git a/tasks/section5.yml b/tasks/section5.yml index 904d19f6..c889c58c 100644 --- a/tasks/section5.yml +++ b/tasks/section5.yml 
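Review bot: The comment block this hunk renumbers still documents the key as `pass_min_days`, while the tasks read `ubtu20cis_pass.min_days` (see the 5.5.1.1 task in the section5.yml hunks below) and the mapping's sibling keys are `max_days`, `warn_age` and `inactive`; since these comment lines are being rewritten anyway, `# min_days is the min number of days allowed between changing passwords. Set to 1 or more to conform to CIS standards` would name the real key. The same block has `30 day sor less` for `30 days or less`. The `min_days` entry of the `ubtu20cis_pass` mapping is outside the hunk, so the key name is inferred from the task side.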
@@ -149,72 +149,158 @@ - rule_5.1.9 - cron -- name: "5.2.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" +- name: "5.2.1 | PATCH | Ensure sudo is installed" + apt: + name: "{{ ubtu20cis_sudo_package }}" + state: present + when: + - ubtu20cis_rule_5_2_1 + tags: + - level1-server + - level1-workstation + - scored + - patch + - rule_5.2.1 + - sudo + +- name: "5.2.2 | PATCH | Ensure sudo commands use pty" + lineinfile: + path: /etc/sudoers + regexp: '^Defaults use_' + line: 'Defaults use_pty' + insertafter: '^Defaults' + when: + - ubtu20cis_rule_5_2_2 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.2.2 + - sudo + +- name: "5.2.3 | PATCH | Ensure sudo log file exists" + lineinfile: + path: /etc/sudoers + regexp: '^Defaults logfile' + line: 'Defaults logfile="{{ ubtu20cis_sudo_logfile }}"' + insertafter: '^Defaults' + when: + - ubtu20cis_rule_5_2_3 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.2.3 + - sudo + +- name: "5.3.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" file: path: /etc/ssh/sshd_config owner: root group: root mode: 0600 when: - - ubtu20cis_rule_5_2_1 + - ubtu20cis_rule_5_3_1 tags: - level1-server - level1-workstation - patch - - rule_5.2.1 + - rule_5.3.1 - ssh -- name: "5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured" +- name: "5.3.2 | PATCH | Ensure permissions on SSH private host key files are configured" block: - - name: "5.2.2 | AUDIT | Ensure permissions on SSH private host key files are configured | Find ssh_host private keys" + - name: "5.3.2 | AUDIT | Ensure permissions on SSH private host key files are configured | Find ssh_host private keys" find: paths: /etc/ssh patterns: 'ssh_host_*_key' - register: ubtu20cis_5_2_2_ssh_host_priv_keys + register: ubtu20cis_5_3_2_ssh_host_priv_keys - - name: "5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions" + - name: "5.3.2 | PATCH | Ensure 
permissions on SSH private host key files are configured | Set permissions" file: path: "{{ item.path }}" owner: root group: root mode: 0600 with_items: - - "{{ ubtu20cis_5_2_2_ssh_host_priv_keys.files }}" + - "{{ ubtu20cis_5_3_2_ssh_host_priv_keys.files }}" when: - - ubtu20cis_rule_5_2_2 + - ubtu20cis_rule_5_3_2 tags: - level1-server - level1-workstation - patch - - rule_5.2.2 + - rule_5.3.2 - ssh -- name: "5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured" +- name: "5.3.3 | PATCH | Ensure permissions on SSH public host key files are configured" block: - - name: "5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured | Find ssh_host public keys" + - name: "5.3.3 | AUDIT | Ensure permissions on SSH public host key files are configured | Find ssh_host public keys" find: paths: /etc/ssh patterns: 'ssh_host_*_key.pub' - register: ubtu20cis_5_2_3_ssh_host_pub_keys + register: ubtu20cis_5_3_3_ssh_host_pub_keys - - name: "5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions" + - name: "5.3.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions" file: path: "{{ item.path }}" owner: root group: root mode: 0644 with_items: - - "{{ ubtu20cis_5_2_3_ssh_host_pub_keys.files }}" + - "{{ ubtu20cis_5_3_3_ssh_host_pub_keys.files }}" when: - - ubtu20cis_rule_5_2_3 + - ubtu20cis_rule_5_3_3 tags: - level1-server - level1-workstation - patch - - rule_5.2.3 + - rule_5.3.3 + - ssh + +- name: "5.3.4 | PATCH | Ensure SSH access is limited" + block: + - name: "5.3.4 | PATCH | Ensure SSH access is limited | Add allowed users" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^AllowUsers|^#AllowUsers' + line: 'AllowUsers {{ ubtu20cis_sshd.allow_users }}' + notify: restart sshd + when: "ubtu20cis_sshd['allow_users']|default('') != ''" + + - name: "5.3.4 | PATCH | Ensure SSH access is limited | Add allowed groups" + lineinfile: + path: /etc/ssh/sshd_config + 
regexp: '^AllowGroups|^#AllowGroups' + line: 'AllowGroups {{ ubtu20cis_sshd.allow_groups }}' + notify: restart sshd + when: "ubtu20cis_sshd['allow_groups']|default('') != ''" + + - name: "5.3.4 | PATCH | Ensure SSH access is limited | Add deny users" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^DenyUsers|^#DenyUsers' + line: 'DenyUsers {{ ubtu20cis_sshd.deny_users }}' + notify: restart sshd + when: "ubtu20cis_sshd['deny_users']|default('') != ''" + + - name: "5.3.4 | PATCH | Ensure SSH access is limited | Add deny groups" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^DenyGroups|^#DenyGroups' + line: 'DenyGroups {{ ubtu20cis_sshd.deny_groups }}' + notify: restart sshd + when: "ubtu20cis_sshd['deny_groups']|default('') != ''" + when: + - ubtu20cis_rule_5_3_4 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.3.4 - ssh -- name: "5.2.4 | PATCH | Ensure SSH LogLevel is appropriate" +- name: "5.3.5 | PATCH | Ensure SSH LogLevel is appropriate" lineinfile: path: /etc/ssh/sshd_config regexp: '^LogLevel|^#LogLevel' @@ -222,30 +308,30 @@ insertafter: '^# Logging' notify: restart sshd when: - - ubtu20cis_rule_5_2_4 + - ubtu20cis_rule_5_3_5 tags: - level1-server - level1-workstation - patch - - rule_5.2.4 + - rule_5.3.5 - ssh -- name: "5.2.5 | PATCH | Ensure SSH X11 forwarding is disabled" +- name: "5.3.6 | PATCH | Ensure SSH X11 forwarding is disabled" lineinfile: path: /etc/ssh/sshd_config regexp: '^X11Forwarding|^#X11Forwarding' line: 'X11Forwarding no' notify: restart sshd when: - - ubtu20cis_rule_5_2_5 + - ubtu20cis_rule_5_3_6 tags: - level2-server - level1-workstation - patch - - rule_5.2.5 + - rule_5.3.6 - ssh -- name: "5.2.6 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less" +- name: "5.3.7| PATCH | Ensure SSH MaxAuthTries is set to 4 or less" lineinfile: path: /etc/ssh/sshd_config regexp: '^MaxAuthTries|^#MaxAuthTries' 
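Review bot: The new 5.2.2 and 5.2.3 tasks edit `/etc/sudoers` with `lineinfile` and no `validate`, so a malformed `Defaults` line (for example a `ubtu20cis_sudo_logfile` value containing a quote or whitespace) is written without a syntax check and sudo refuses every invocation until the file is repaired by hand; add `validate: '/usr/sbin/visudo -cf %s'` to both tasks. The 5.2.2 regexp `^Defaults use_` also matches any other `Defaults use_*` option and would replace it with `use_pty`; `regexp: '^Defaults\s+use_pty'` targets only the option being set. Of the three new sudo tasks only 5.2.1 carries `- scored`, which looks like an oversight rather than a decision. The task list continues beyond the hunk.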
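Review bot: The renamed MaxAuthTries header `"5.3.7| PATCH | Ensure SSH MaxAuthTries is set to 4 or less"` drops the space before the first `|`, unlike every other task name in the file; change it to `"5.3.7 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less"` so name-based filtering and grepping stay uniform. The task's `line:` and `insertafter:` continue in the next hunk.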
@@ -253,60 +339,60 @@ insertafter: '^# Authentication' notify: restart sshd when: - - ubtu20cis_rule_5_2_6 + - ubtu20cis_rule_5_3_7 tags: - level1-server - level1-workstation - patch - - rule_5.2.6 + - rule_5.3.7 - ssh -- name: "5.2.7 | PATCH | Ensure SSH IgnoreRhosts is enabled" +- name: "5.3.8 | PATCH | Ensure SSH IgnoreRhosts is enabled" lineinfile: path: /etc/ssh/sshd_config regexp: '^IgnoreRhosts|^#IgnoreRhosts' line: 'IgnoreRhosts yes' notify: restart sshd when: - - ubtu20cis_rule_5_2_7 + - ubtu20cis_rule_5_3_8 tags: - level1-server - level1-workstation - patch - - rule_5.2.7 + - rule_5.3.8 - ssh -- name: "5.2.8 | PATCH | Ensure SSH HostbasedAuthentication is disabled" +- name: "5.3.9 | PATCH | Ensure SSH HostbasedAuthentication is disabled" lineinfile: path: /etc/ssh/sshd_config regexp: '^HostbasedAuthentication|^#HostbasedAuthentication' line: 'HostbasedAuthentication no' notify: restart sshd when: - - ubtu20cis_rule_5_2_8 + - ubtu20cis_rule_5_3_9 tags: - level1-server - level1-workstation - patch - - rule_5.2.8 + - rule_5.3.9 - ssh -- name: "5.2.9 | PATCH | Ensure SSH root login is disabled" +- name: "5.3.10 | PATCH | Ensure SSH root login is disabled" lineinfile: path: /etc/ssh/sshd_config regexp: '^PermitRootLogin|^#PermitRootLogin' line: 'PermitRootLogin no' notify: restart sshd when: - - ubtu20cis_rule_5_2_9 + - ubtu20cis_rule_5_3_10 tags: - level1-server - level1-workstation - patch - - rule_5.2.9 + - rule_5.3.10 - ssh -- name: "5.2.10 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" +- name: "5.3.11 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" lineinfile: path: /etc/ssh/sshd_config regexp: '^PermitEmptyPasswords|^#PermitEmptyPasswords' 
@@ -314,30 +400,30 @@ insertafter: '# To disable tunneled clear text passwords' notify: restart sshd when: - - ubtu20cis_rule_5_2_10 + - ubtu20cis_rule_5_3_11 tags: - level1-server - level1-workstation - patch - - rule_5.2.10 + - rule_5.3.11 - ssh -- name: "5.2.11 | PATCH | Ensure SSH PermitUserEnvironment is disabled" +- name: "5.3.12 | PATCH | Ensure SSH PermitUserEnvironment is disabled" lineinfile: path: /etc/ssh/sshd_config regexp: '^PermitUserEnvironment|^#PermitUserEnvironment' line: 'PermitUserEnvironment no' notify: restart sshd when: - - ubtu20cis_rule_5_2_11 + - ubtu20cis_rule_5_3_12 tags: - level1-server - level1-workstation - patch - - rule_5.2.11 + - rule_5.3.12 - ssh -- name: "5.2.12 | PATCH | Ensure only strong Ciphers are used" +- name: "5.3.13 | PATCH | Ensure only strong Ciphers are used" lineinfile: path: /etc/ssh/sshd_config regexp: '^Ciphers|^#Ciphers' @@ -345,15 +431,15 @@ insertafter: '^# Ciphers and keying' notify: restart sshd when: - - ubtu20cis_rule_5_2_12 + - ubtu20cis_rule_5_3_13 tags: - level1-server - level1-workstation - patch - - rule_5.2.12 + - rule_5.3.13 - ssh -- name: "5.2.13 | PATCH | Ensure only strong MAC algorithms are used" +- name: "5.3.14 | PATCH | Ensure only strong MAC algorithms are used" lineinfile: path: /etc/ssh/sshd_config regexp: '^MACs|^#MACs' @@ -361,15 +447,15 @@ insertafter: '^# Ciphers and keying' notify: restart sshd when: - - ubtu20cis_rule_5_2_13 + - ubtu20cis_rule_5_3_14 tags: - level1-server - level1-workstation - patch - - rule_5.2.13 + - rule_5.3.14 - ssh -- name: "5.2.14 | PATCH | Ensure only strong Key Exchange algorithms are used" +- name: "5.3.15 | PATCH | Ensure only strong Key Exchange algorithms are used" lineinfile: path: /etc/ssh/sshd_config regexp: '^KexAlgorithms|^#KexAlgorithms' 
@@ -377,15 +463,15 @@ insertafter: '^# Ciphers and keying' notify: restart sshd when: - - ubtu20cis_rule_5_2_14 + - ubtu20cis_rule_5_3_15 tags: - level1-server - level1-workstation - patch - - rule_5.2.14 + - rule_5.3.15 - ssh -- name: "5.2.15 | PATCH | Ensure SSH Idle Timeout Interval is configured" +- name: "5.3.16 | PATCH | Ensure SSH Idle Timeout Interval is configured" lineinfile: path: /etc/ssh/sshd_config regexp: "{{ item.regexp }}" @@ -395,15 +481,15 @@ - { regexp: '^ClientAliveCountMax|^#ClientAliveCountMax', line: 'ClientAliveCountMax {{ ubtu20cis_sshd.client_alive_count_max }}' } notify: restart sshd when: - - ubtu20cis_rule_5_2_15 + - ubtu20cis_rule_5_3_16 tags: - level1-server - level1-workstation - patch - - rule_5.2.15 + - rule_5.3.16 - sshd -- name: "5.2.16 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less" +- name: "5.3.17 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less" lineinfile: path: /etc/ssh/sshd_config regexp: '^LoginGraceTime|^#LoginGraceTime' 
@@ -411,54 +497,12 @@ insertafter: '^# Authentication' notify: restart sshd when: - - ubtu20cis_rule_5_2_16 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.2.16 - - ssh - -- name: "5.2.17 | PATCH | Ensure SSH access is limited" - block: - - name: "5.2.17 | PATCH | Ensure SSH access is limited | Add allowed users" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^AllowUsers|^#AllowUsers' - line: 'AllowUsers {{ ubtu20cis_sshd.allow_users }}' - notify: restart sshd - when: "ubtu20cis_sshd['allow_users']|default('') != ''" - - - name: "5.2.17 | PATCH | Ensure SSH access is limited | Add allowed groups" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^AllowGroups|^#AllowGroups' - line: 'AllowGroups {{ ubtu20cis_sshd.allow_groups }}' - notify: restart sshd - when: "ubtu20cis_sshd['allow_groups']|default('') != ''" - - - name: "5.2.17 | PATCH | Ensure SSH access is limited | Add deny users" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^DenyUsers|^#DenyUsers' - line: 'DenyUsers {{ ubtu20cis_sshd.deny_users }}' - notify: restart sshd - when: "ubtu20cis_sshd['deny_users']|default('') != ''" - - - name: "5.2.17 | PATCH | Ensure SSH access is limited | Add deny groups" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^DenyGroups|^#DenyGroups' - line: 'DenyGroups {{ ubtu20cis_sshd.deny_groups }}' - notify: restart sshd - when: "ubtu20cis_sshd['deny_groups']|default('') != ''" - when: - - ubtu20cis_rule_5_2_17 + - ubtu20cis_rule_5_3_17 tags: - level1-server - level1-workstation - patch - - rule_5.2.18 + - rule_5.3.17 - ssh - name: "5.2.18 | PATCH | Ensure SSH warning banner is configured" 
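Review bot: The last context line of this hunk still names the banner task `"5.2.18 | PATCH | Ensure SSH warning banner is configured"`, while the next hunk renumbers its `when:` to `ubtu20cis_rule_5_3_18` and its tag to `rule_5.3.18`; the name should become `"5.3.18 | PATCH | Ensure SSH warning banner is configured"` to match. A rename of this size is easy to leave half-done, so a pass over the file for any other task name still at `5.2.x` is worth it. The banner task's body is outside this hunk.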
@@ -469,16 +513,16 @@ insertafter: '^# no default banner path' notify: restart sshd when: - - ubtu20cis_rule_5_2_18 + - ubtu20cis_rule_5_3_18 tags: - level1-server - level1-workstation - scored - patch - - rule_5.2.18 + - rule_5.3.18 - ssh -- name: "5.2.19 | PATCH | Ensure SSH PAM is enabled" +- name: "5.3.19 | PATCH | Ensure SSH PAM is enabled" lineinfile: path: /etc/ssh/sshd_config regexp: '^UsePAM|^#UsePAM' @@ -486,47 +530,47 @@ insertafter: '^# and ChallengeResponseAuthentication' notify: restart sshd when: - - ubtu20cis_rule_5_2_10 + - ubtu20cis_rule_5_3_19 tags: - level1-server - level1-workstation - patch - - rule_5.2.19 + - rule_5.3.19 - ssh - pam -- name: "5.2.20 | PATCH | Ensure SSH AllowTcpForwarding is disabled" +- name: "5.3.20 | PATCH | Ensure SSH AllowTcpForwarding is disabled" lineinfile: path: /etc/ssh/sshd_config regexp: '^AllowTcpForwarding|^#AllowTcpForwarding' line: 'AllowTcpForwarding no' notify: restart sshd when: - - ubtu20cis_rule_5_2_20 + - ubtu20cis_rule_5_3_20 tags: - level2-server - level2-workstation - patch - - rule_5.2.20 + - rule_5.3.20 - ssh -- name: "5.2.21 | PATCH | Ensure SSH MaxStartups is configured" +- name: "5.3.21 | PATCH | Ensure SSH MaxStartups is configured" lineinfile: path: /etc/ssh/sshd_config regexp: '^MaxStartups|^#MaxStartups' line: 'MaxStartups 10:30:60' notify: restart sshd when: - - ubtu20cis_rule_5_2_21 + - ubtu20cis_rule_5_3_21 tags: - level1-server - level1-workstation - scored - patch - - rule_5.2.21 + - rule_5.3.21 - ssh -- name: "5.2.22 | PATCH | Ensure SSH MaxSessions is set to 4 or less" +- name: "5.3.22 | PATCH | Ensure SSH MaxSessions is set to 4 or less" lineinfile: path: /etc/ssh/sshd_config regexp: '^MaxSessions|^#MaxSessions' 
@@ -534,41 +578,41 @@ insertafter: '^# Authentication' notify: restart sshd when: - - ubtu20cis_rule_5_2_22 + - ubtu20cis_rule_5_3_22 tags: - level1-server - level1-workstation - patch - - rule_5.2.22 + - rule_5.3.22 - ssh -- name: "5.3.1 | PATCH | Ensure password creation requirements are configured" +- name: "5.4.1 | PATCH | Ensure password creation requirements are configured" block: - - name: "SCORED | 5.3.1 | PATCH | Ensure password creation requirements are configured | Install pam_pwquality module" + - name: "SCORED | 5.4.1 | PATCH | Ensure password creation requirements are configured | Install pam_pwquality module" apt: name: libpam-pwquality state: present - - name: "5.3.1 | PATCH | Ensure password creation requirements are configured | Add minlen" + - name: "5.4.1 | PATCH | Ensure password creation requirements are configured | Add minlen" lineinfile: path: /etc/security/pwquality.conf regexp: '^minlen|^# minlen' line: minlen = 14 - - name: "5.3.1 | PATCH | Ensure password creation requirements are configured | Add minclass" + - name: "5.4.1 | PATCH | Ensure password creation requirements are configured | Add minclass" lineinfile: path: /etc/security/pwquality.conf regexp: '^minclass|^# minclass' line: 'minclass = 4' - - name: "5.3.1 | AUDIT | Ensure password creation requirements are configured | Confirm pwquality module in common-password" + - name: "5.4.1 | AUDIT | Ensure password creation requirements are configured | Confirm pwquality module in common-password" command: grep 'password.*requisite.*pam_pwquality.so' /etc/pam.d/common-password changed_when: false failed_when: false check_mode: false - register: ubtu20cis_5_3_1_pam_pwquality_state + register: ubtu20cis_5_4_1_pam_pwquality_state - - name: "5.3.1 | PATCH | Ensure password creation requirements are configured | Set retry to 3 if pwquality exists" + - name: "5.4.1 | PATCH | Ensure password creation requirements are configured | Set retry to 3 if pwquality exists" pamd: name: common-password 
type: password @@ -576,9 +620,9 @@ module_path: pam_pwquality.so module_arguments: 'retry=3' state: args_present - when: ubtu20cis_5_3_1_pam_pwquality_state.stdout != "" + when: ubtu20cis_5_4_1_pam_pwquality_state.stdout != "" - - name: "5.3.1 | PATCH | Ensure password creation requirements are configured | Set retry to 3 if pwquality does not exist" + - name: "5.4.1 | PATCH | Ensure password creation requirements are configured | Set retry to 3 if pwquality does not exist" pamd: name: common-password type: password @@ -589,14 +633,14 @@ new_module_path: pam_pwquality.so module_arguments: 'retry=3' state: after - when: ubtu20cis_5_3_1_pam_pwquality_state.stdout == "" + when: ubtu20cis_5_4_1_pam_pwquality_state.stdout == "" when: - - ubtu20cis_rule_5_3_1 + - ubtu20cis_rule_5_4_1 tags: - level1-server - level1-workstation - patch - - rule_5.3.1 + - rule_5.4.1 - pam # ------------- 
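Review bot: The rewritten subtask name `"SCORED | 5.4.1 | PATCH | ... | Install pam_pwquality module"` is the only one in the 5.4.1 block carrying a `SCORED |` prefix, and the rest of this file's tasks in these hunks express scoring through a `- scored` tag rather than the name; dropping the prefix, `"5.4.1 | PATCH | Ensure password creation requirements are configured | Install pam_pwquality module"`, keeps the subtask names parallel. Nearby, `line: minlen = 14` is unquoted while its sibling uses `line: 'minclass = 4'`; both parse as strings, but quoting the first as well avoids a reader wondering whether the difference is intentional. The block's remaining pamd subtasks continue outside the hunk.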
@@ -612,21 +656,21 @@ # figure out why pam_deny kills vagrant user. Below is everything working but the pam_deny.so in the last task with_items # ------------- # ------------- -- name: "5.3.2 | PATCH | Ensure lockout for failed password attempts is configured" +- name: "5.4.2 | PATCH | Ensure lockout for failed password attempts is configured" command: /bin/true changed_when: false failed_when: false check_mode: false # block: - # - name: "5.3.2 | AUDIT | Ensure lockout for failed password attempts is configured | Confirm pam_tally2.so module in common-auth" + # - name: "5.4.2 | AUDIT | Ensure lockout for failed password attempts is configured | Confirm pam_tally2.so module in common-auth" # # command: grep 'auth.*required.*pam_tally2.so' /etc/pam.d/common-auth # command: grep 'auth.*required.*pam_tally2.so' /etc/pam.d/common-account # changed_when: false # failed_when: false # check_mode: false - # register: ubtu20cis_5_3_2_pam_tally2_state + # register: ubtu20cis_5_4_2_pam_tally2_state - # - name: "SCORED | 5.3.2 | PATCH | Ensure lockout for failed password attempts is configured | Set pam_tally2.so settings if exists" + # - name: "SCORED | 5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Set pam_tally2.so settings if exists" # pamd: # # name: common-auth # name: common-account 
@@ -639,18 +683,18 @@ # silent # deny=5 # unlock_time=900' - # when: ubtu20cis_5_3_2_pam_tally2_state.stdout != "" + # when: ubtu20cis_5_4_2_pam_tally2_state.stdout != "" - # - name: "5.3.2 | PATCH | Ensure lockout for failed password attempts is configured | Set pam_tally2.so settings if does not exist" + # - name: "5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Set pam_tally2.so settings if does not exist" # lineinfile: # # path: /etc/pam.d/common-auth # path: /etc/pam.d/common-account # # line: 'auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900' # line: 'account required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900' # insertafter: '^# end of pam-auth-update config' - # when: ubtu20cis_5_3_2_pam_tally2_state == "" + # when: ubtu20cis_5_4_2_pam_tally2_state == "" - # - name: "5.3.2 | PATCH | Ensure lockout for failed password attempts is configured | Set pam_deny.so and pam_tally.so" + # - name: "5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Set pam_deny.so and pam_tally.so" # lineinfile: # path: /etc/pam.d/common-account # regexp: "{{ item.regexp }}" 
@@ -660,25 +704,25 @@ # # - { regexp: '^accout.*requisite.*pam_deny.so', line: 'account requisite pam_george.so' } # - { regexp: '^account.*required.*pam_tally.so', line: 'account required pam_tally.so' } when: - - ubtu20cis_rule_5_3_2 + - ubtu20cis_rule_5_4_2 tags: - level1-server - level1-workstation - patch - - rule_5.3.2 + - rule_5.4.2 - pamd - notimplemented -- name: "5.3.3 | PATCH | Ensure password reuse is limited" +- name: "5.4.3 | PATCH | Ensure password reuse is limited" block: - - name: "5.3.3 | PATCH | Ensure password reuse is limited | Confirm pam_pwhistory.so in common-password" + - name: "5.4.3 | AUDIT | Ensure password reuse is limited | Confirm pam_pwhistory.so in common-password" command: grep 'password.*required.*pam_pwhistory.so' /etc/pam.d/common-password changed_when: false failed_when: false check_mode: false - register: ubtu20cis_5_3_3_pam_pwhistory_state + register: ubtu20cis_5_4_3_pam_pwhistory_state - - name: "5.3.3 | PATCH | Ensure password reuse is limited | Set remember value if pam_pwhistory exists" + - name: "5.4.3 | PATCH | Ensure password reuse is limited | Set remember value if pam_pwhistory exists" pamd: name: common-password type: password 
@@ -686,33 +730,33 @@ module_path: pam_pwhistory.so module_arguments: 'remember={{ ubtu20cis_pamd_pwhistory_remember }}' state: args_present - when: ubtu20cis_5_3_3_pam_pwhistory_state.stdout != "" + when: ubtu20cis_5_4_3_pam_pwhistory_state.stdout != "" - - name: "5.3.3 | PATCH | Ensure password reuse is limited | Set remember value if pam_pwhistory does no exist" + - name: "5.4.3 | PATCH | Ensure password reuse is limited | Set remember value if pam_pwhistory does no exist" lineinfile: path: /etc/pam.d/common-password line: 'password required pam_pwhistory.so remember={{ ubtu20cis_pamd_pwhistory_remember }}' insertafter: '^# end of pam-auth-update config' - when: ubtu20cis_5_3_3_pam_pwhistory_state.stdout == "" + when: ubtu20cis_5_4_3_pam_pwhistory_state.stdout == "" when: - - ubtu20cis_rule_5_3_3 + - ubtu20cis_rule_5_4_3 tags: - level1-server - level1-workstation - patch - - rule_5.3.3 + - rule_5.4.3 - pamd -- name: "5.3.4 | PATCH | Ensure password hashing algorithm is SHA-512" +- name: "5.4.4 | PATCH | Ensure password hashing algorithm is SHA-512" block: - - name: "5.3.4 | PATCH | Ensure password hashing algorithm is SHA-512 | Confirm pam_unix.so" + - name: "5.4.4 | AUDIT | Ensure password hashing algorithm is SHA-512 | Confirm pam_unix.so" shell: grep -E '^\s*password\s+(\S+\s+)+pam_unix\.so\s+(\S+\s+)*sha512\s*(\S+\s*)*(\s+#.*)?$' /etc/pam.d/common-password changed_when: false failed_when: false check_mode: false - register: ubtu20cis_5_3_4_pam_unix_state + register: ubtu20cis_5_4_4_pam_unix_state - - name: "5.3.4 | PATCH | Ensure password hashing algorithm is SHA-512 | Set hashing if pam_unix.so exists" + - name: "5.4.4 | PATCH | Ensure password hashing algorithm is SHA-512 | Set hashing if pam_unix.so exists" pamd: name: common-password type: password 
@@ -720,162 +764,162 @@ module_path: pam_unix.so module_arguments: sha512 state: args_present - when: ubtu20cis_5_3_4_pam_unix_state.stdout != "" + when: ubtu20cis_5_4_4_pam_unix_state.stdout != "" - - name: "5.3.4 | PATCH | Ensure password hashing algorithm is SHA-512 | Set hashing if pam_unix.so does not exist" + - name: "5.4.4 | PATCH | Ensure password hashing algorithm is SHA-512 | Set hashing if pam_unix.so does not exist" lineinfile: path: /etc/pam.d/common-password line: 'password [success=1 default=ignore] pam_unix.so sha512' insertafter: '^# end of pam-auth-update config' - when: ubtu20cis_5_3_4_pam_unix_state.stdout == "" + when: ubtu20cis_5_4_4_pam_unix_state.stdout == "" when: - - ubtu20cis_rule_5_3_4 + - ubtu20cis_rule_5_4_4 tags: - level1-server - level1-workstation - patch - - rule_5.3.4 + - rule_5.4.4 - pamd -- name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less" +- name: "5.5.1.1 | PATCH | Ensure minimum days between password changes is configured" block: - - name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less | Set /etc/login.defs PASS_MAX_DAYS" + - name: "5.5.1.1 | PATCH | Ensure minimum days between password changes is configured | Set /etc/login.defs PASS_MIN_DAYS" lineinfile: path: /etc/login.defs - regexp: '^PASS_MAX_DAYS|^#PASS_MAX_DAYS' - line: 'PASS_MAX_DAYS {{ ubtu20cis_pass.max_days }}' - insertafter: '# Password aging controls' + regexp: '^PASS_MIN_DAYS|^#PASS_MIN_DAYS' + line: 'PASS_MIN_DAYS {{ ubtu20cis_pass.min_days }}' - - name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS" - command: chage --maxdays {{ ubtu20cis_pass.max_days }} {{ item }} + - name: "5.5.1.1 | PATCH | Ensure minimum days between password changes is configured | Set existing users PASS_MIN_DAYS" + command: chage --mindays {{ ubtu20cis_pass.min_days }} {{ item }} failed_when: false with_items: - "{{ ubtu20cis_passwd| selectattr('uid', '>=', 1000) | map(attribute='id') | 
list }}" when: ubtu20cis_disruption_high when: - - ubtu20cis_rule_5_4_1_1 + - ubtu20cis_rule_5_5_1_1 tags: - level1-server - level1-workstation - patch - - rule_5.4.1.1 + - rule_5.5.1.1 - user - login -- name: "5.4.1.2 | PATCH | Ensure minimum days between password changes is configured" +- name: "5.5.1.2 | PATCH | Ensure password expiration is 365 days or less" block: - - name: "5.4.1.2 | PATCH | Ensure minimum days between password changes is configured | Set /etc/login.defs PASS_MIN_DAYS" + - name: "5.5.1.2 | PATCH | Ensure password expiration is 365 days or less | Set /etc/login.defs PASS_MAX_DAYS" lineinfile: path: /etc/login.defs - regexp: '^PASS_MIN_DAYS|^#PASS_MIN_DAYS' - line: 'PASS_MIN_DAYS {{ ubtu20cis_pass.min_days }}' + regexp: '^PASS_MAX_DAYS|^#PASS_MAX_DAYS' + line: 'PASS_MAX_DAYS {{ ubtu20cis_pass.max_days }}' + insertafter: '# Password aging controls' - - name: "5.4.1.2 | PATCH | Ensure minimum days between password changes is configured | Set existing users PASS_MIN_DAYS" - command: chage --mindays {{ ubtu20cis_pass.min_days }} {{ item }} + - name: "5.5.1.2 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS" + command: chage --maxdays {{ ubtu20cis_pass.max_days }} {{ item }} failed_when: false with_items: - "{{ ubtu20cis_passwd| selectattr('uid', '>=', 1000) | map(attribute='id') | list }}" when: ubtu20cis_disruption_high when: - - ubtu20cis_rule_5_4_1_2 + - ubtu20cis_rule_5_5_1_2 tags: - level1-server - level1-workstation - patch - - rule_5.4.1.1 + - rule_5.5.1.2 - user - login -- name: "5.4.1.3 | PATCH | Ensure password expiration warning days is 7 or more" +- name: "5.5.1.3 | PATCH | Ensure password expiration warning days is 7 or more" block: - - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Set /etc/login.defs PASS_WARN_AGE" + - name: "5.5.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Set /etc/login.defs PASS_WARN_AGE" lineinfile: path: 
/etc/login.defs regexp: '^PASS_WARN_AGE|^#PASS_WARN_AGE' line: 'PASS_WARN_AGE {{ ubtu20cis_pass.warn_age }}' - - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Set existing users PASS_WARN_AGE" + - name: "5.5.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Set existing users PASS_WARN_AGE" command: chage --warndays {{ ubtu20cis_pass.warn_age }} {{ item }} failed_when: false with_items: - "{{ ubtu20cis_passwd| selectattr('uid', '>=', 1000) | map(attribute='id') | list }}" when: ubtu20cis_disruption_high when: - - ubtu20cis_rule_5_4_1_3 + - ubtu20cis_rule_5_5_1_3 tags: - level1-server - level1-workstation - patch - - rule_5.4.1.3 + - rule_5.5.1.3 - user - login -- name: "5.4.1.4 | PATCH | Ensure inactive password lock is 30 days or less" +- name: "5.5.1.4 | PATCH | Ensure inactive password lock is 30 days or less" block: - - name: "5.4.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set inactive period for new users" + - name: "5.5.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set inactive period for new users" command: useradd -D -f {{ ubtu20cis_pass.inactive }} failed_when: false - - name: "5.4.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set inactive period for existing users" + - name: "5.5.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set inactive period for existing users" command: chage --inactive {{ ubtu20cis_pass.inactive }} {{ item }} failed_when: false with_items: - "{{ ubtu20cis_passwd| selectattr('uid', '>=', 1000) | map(attribute='id') | list }}" when: ubtu20cis_disruption_high when: - - ubtu20cis_rule_5_4_1_4 + - ubtu20cis_rule_5_5_1_4 tags: - level1-server - level1-workstation - patch - - rule_5.4.1.4 + - rule_5.5.1.4 - user - login -- name: "5.4.1.5 | PATCH | Ensure all users last password change date is in the past" +- name: "5.5.1.5 | PATCH | Ensure all users last password change date is in the past" block: - - name: 
"5.4.1.5 | PATCH | Ensure all users last password change date is in the past | Get current date in Unix Time" + - name: "5.5.1.5 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time" shell: echo $(($(date --utc --date "$1" +%s)/86400)) changed_when: false failed_when: false check_mode: false - register: ubtu20cis_5_4_1_5_current_time + register: ubtu20cis_5_5_1_5_current_time - - name: "5.4.1.5 | PATCH | Ensure all users last password change date is in the past | Get list of users with last changed PW date in future" + - name: "5.5.1.5 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed PW date in future" shell: "cat /etc/shadow | awk -F: '{if($3>{{ ubtu20cis_5_4_1_5_current_time.stdout }})print$1}'" changed_when: false failed_when: false check_mode: false - register: ubtu20cis_5_4_1_5_user_list + register: ubtu20cis_5_5_1_5_user_list - - name: "5.4.1.5 | PATCH | Ensure all users last password change date is in the past | Warn about users" + - name: "5.5.1.5 | PATCH | Ensure all users last password change date is in the past | Warn about users" debug: msg: - "WARNING!!!!The following accounts have the last PW change date in the future" - - "{{ ubtu20cis_5_4_1_5_user_list.stdout_lines }}" - when: ubtu20cis_5_4_1_5_user_list.stdout != "" + - "{{ ubtu20cis_5_5_1_5_user_list.stdout_lines }}" + when: ubtu20cis_5_5_1_5_user_list.stdout != "" - - name: "5.4.1.5 | PATCH | Ensure all users last password change date is in the past | Lock accounts with furtre PW changed dates" + - name: "5.5.1.5 | PATCH | Ensure all users last password change date is in the past | Lock accounts with furtre PW changed dates" command: passwd --expire {{ item }} failed_when: false with_items: - - "{{ ubtu20cis_5_4_1_5_user_list.stdout_lines }}" + - "{{ ubtu20cis_5_5_1_5_user_list.stdout_lines }}" when: - ubtu20cis_disruption_high - - ubtu20cis_5_4_1_5_user_list.stdout != "" + - 
ubtu20cis_5_5_1_5_user_list.stdout != "" when: - - ubtu20cis_rule_5_4_1_5 + - ubtu20cis_rule_5_5_1_5 tags: - level1-server - level1-workstation - patch - - rule_5.4.1.5 + - rule_5.5.1.5 - user - login -- name: "5.4.2 | PATCH | Ensure system accounts are secured" +- name: "5.5.2 | PATCH | Ensure system accounts are secured" block: - - name: "5.4.2 | PATCH | Ensure system accounts are secured | Set system accounts to login" + - name: "5.5.2 | PATCH | Ensure system accounts are secured | Set system accounts to login" user: name: "{{ item }}" shell: /sbin/nologin @@ -887,7 +931,7 @@ - item != "shutdown" - item != "halt" - - name: "5.4.2 | PATCH | Ensure system accounts are secured | Lock non-root system accounts" + - name: "5.5.2 | PATCH | Ensure system accounts are secured | Lock non-root system accounts" user: name: "{{ item }}" password_lock: true 
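Review bot: The second 5.5.1.5 task still templates the old register name — `shell: "cat /etc/shadow | awk -F: '{if($3>{{ ubtu20cis_5_4_1_5_current_time.stdout }})print$1}'"` — while the task that produces it was renamed to `register: ubtu20cis_5_5_1_5_current_time` in the same hunk. Unless `ubtu20cis_5_4_1_5_current_time` is still defined somewhere else, this is an undefined-variable error at templating time, which `failed_when: false` does not suppress, so the whole play aborts before the lock-out task runs. The line should read `shell: "cat /etc/shadow | awk -F: '{if($3>{{ ubtu20cis_5_5_1_5_current_time.stdout }})print$1}'"`. The sibling task name `Lock accounts with furtre PW changed dates` also carries a typo (`future`) that this rename could have picked up.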
@@ -896,54 +940,54 @@ when: - item != "root" when: - - ubtu20cis_rule_5_4_2 + - ubtu20cis_rule_5_5_2 - ubtu20cis_disruption_high tags: - level1-server - level1-workstation - patch - - rule_5.4.2 + - rule_5.5.2 - user - system -- name: "5.4.3 | PATCH | Ensure default group for the root account is GID 0" +- name: "5.5.3 | PATCH | Ensure default group for the root account is GID 0" block: - - name: "5.4.3 | PATCH | Ensure default group for the root account is GID 0 | Set root group to GUID 0" + - name: "5.5.3 | PATCH | Ensure default group for the root account is GID 0 | Set root group to GUID 0" group: name: root gid: 0 - - name: "5.4.3 | PATCH | Ensure default group for the root account is GID 0 | Set root user to root group" + - name: "5.5.3 | PATCH | Ensure default group for the root account is GID 0 | Set root user to root group" user: name: root group: root when: - - ubtu20cis_rule_5_4_3 + - ubtu20cis_rule_5_5_3 tags: - level1-server - level1-workstation - patch - - rule_5.4.3 + - rule_5.5.3 - user - system -- name: "5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive" +- name: "5.5.4 | PATCH | Ensure default user umask is 027 or more restrictive" block: - - name: "5.4.4 | AUDIT | Ensure default user umask is 027 or more restrictive" + - name: "5.5.4 | AUDIT | Ensure default user umask is 027 or more restrictive" shell: grep -E '^session.*optional.*pam_umask.so' /etc/pam.d/common-session changed_when: false failed_when: false check_mode: false - register: ubtu20cis_5_4_4_umask_pam_status + register: ubtu20cis_5_5_4_umask_pam_status - - name: "5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive" + - name: "5.5.4 | PATCH | Ensure default user umask is 027 or more restrictive" lineinfile: path: /etc/pam.d/common-session line: 'session optional pam_umask.so' insertbefore: '^# end of pam-auth-update config' - when: ubtu20cis_5_4_4_umask_pam_status.stdout != "" + when: ubtu20cis_5_5_4_umask_pam_status.stdout != "" - - name: "5.4.4 | 
PATCH | Ensure default user umask is 027 or more restrictive" + - name: "5.5.4 | PATCH | Ensure default user umask is 027 or more restrictive" replace: path: "{{ item }}" regexp: '(^\s+umask) 002' @@ -953,15 +997,15 @@ - /etc/profile - /etc/login.defs when: - - ubtu20cis_rule_5_4_4 + - ubtu20cis_rule_5_5_4 tags: - level1-server - level1-workstation - patch - - rule_5.4.4 + - rule_5.5.4 - user -- name: "5.4.5 | PATCH | Ensure default user shell timeout is 900 seconds or less" +- name: "5.5.5 | PATCH | Ensure default user shell timeout is 900 seconds or less" blockinfile: create: yes mode: 0644 @@ -969,7 +1013,7 @@ state: "{{ item.state }}" marker: "# {mark} ANSIBLE MANAGED" block: | - # Set session timeout - CIS ID 5.4.5 + # Set session timeout - CIS ID 5.5.5 TMOUT={{ ubtu20cis_shell_session_timeout.timeout }} readonly TMOUT export TMOUT 
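Review bot: The lineinfile step of 5.5.4 is gated with `when: ubtu20cis_5_5_4_umask_pam_status.stdout != ""`, i.e. it only runs when the grep has already found a `session.*optional.*pam_umask.so` entry, so a host that lacks the entry is never fixed and one that has it with different spacing gets a duplicate line. Every other audit-then-patch pair in this file (5.4.3, 5.4.4, 5.7) uses `!= ""` for the pamd `args_present` branch and `== ""` for the lineinfile branch, so this looks like an inverted condition carried through the renumber rather than intent; presumably it should be `when: ubtu20cis_5_5_4_umask_pam_status.stdout == ""`. While touching the 5.5.3 names, `Set root group to GUID 0` should read `GID 0` to match the rule title.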
@@ -978,72 +1022,72 @@ - { dest: /etc/profile, state: "{{ (ubtu20cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" } - { dest: /etc/bash.bashrc, state: present } when: - - ubtu20cis_rule_5_4_4 + - ubtu20cis_rule_5_5_4 tags: - level1-server - level1-workstation - patch - - rule_5.4.5 + - rule_5.5.5 - user -- name: "5.5 | AUDIT | Ensure root login is restricted to system console" +- name: "5.6 | AUDIT | Ensure root login is restricted to system console" block: - - name: "5.5 | AUDIT | Ensure root login is restricted to system console | Get list of all terminals" + - name: "5.6 | AUDIT | Ensure root login is restricted to system console | Get list of all terminals" command: cat /etc/securetty changed_when: false failed_when: false check_mode: false - register: ubtu20cis_5_5_terminal_list + register: ubtu20cis_5_6_terminal_list - - name: "5.5 | AUDIT | Ensure root login is restricted to system console | Message out list" + - name: "5.6 | AUDIT | Ensure root login is restricted to system console | Message out list" debug: msg: - "WARNING!!!!Below is the list of conoles with root login access" - "Please review for any conoles that are not in a physically secure location" - - "{{ ubtu20cis_5_5_terminal_list.stdout_lines }}" + - "{{ ubtu20cis_5_6_terminal_list.stdout_lines }}" when: - - ubtu20cis_rule_5_5 + - ubtu20cis_rule_5_6 tags: - level1-server - level1-workstation - manual - audit - - rule_5.5 + - rule_5.6 - user -- name: "5.6 | PATCH | Ensure access to the su command is restricted" +- name: "5.7 | PATCH | Ensure access to the su command is restricted" block: - - name: "5.6 | PATCH | Ensure access to the su command is restricted | Check for pam_wheel.so module" + - name: "5.7 | PATCH | Ensure access to the su command is restricted | Check for pam_wheel.so module" command: grep 'auth.*required.*pam_wheel' /etc/pam.d/su changed_when: false failed_when: false check_mode: false - register: ubtu20cis_5_6_pam_wheel_status + register: 
ubtu20cis_5_7_pam_wheel_status - - name: "5.6 | PATCH | Ensure access to the su command is restricted | Create empty sugroup" + - name: "5.7 | PATCH | Ensure access to the su command is restricted | Create empty sugroup" group: name: "{{ ubtu20cis_su_group }}" - - name: "5.6 | PATCH | Ensure access to the su command is restricted | Set pam_wheel if exists" + - name: "5.7 | PATCH | Ensure access to the su command is restricted | Set pam_wheel if exists" pamd: name: su type: auth control: required module_path: pam_wheel.so module_arguments: 'use_uid group={{ ubtu20cis_su_group }}' - when: ubtu20cis_5_6_pam_wheel_status.stdout != "" + when: ubtu20cis_5_7_pam_wheel_status.stdout != "" - - name: "5.6 | PATCH | Ensure access to the su command is restricted | Set pam_wheel if does not exist" + - name: "5.7 | PATCH | Ensure access to the su command is restricted | Set pam_wheel if does not exist" lineinfile: path: /etc/pam.d/su line: 'auth required pam_wheel.so use_uid group={{ ubtu20cis_su_group }}' create: yes - when: ubtu20cis_5_6_pam_wheel_status.stdout == "" + when: ubtu20cis_5_7_pam_wheel_status.stdout == "" when: - - ubtu20cis_rule_5_6 + - ubtu20cis_rule_5_7 tags: - level1-server - level1-workstation - patch - - rule_5.6 + - rule_5.7 - user From 3e5d9f9cfbe8cc14367ac1e653d3bda0c644bfd6 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 4 May 2021 14:22:35 -0400 Subject: [PATCH 23/44] updated section 5 automated/manual labels Signed-off-by: George Nalen --- tasks/section5.yml | 255 ++++++++++++++++++++++++++------------------- 1 file changed, 150 insertions(+), 105 deletions(-) diff --git a/tasks/section5.yml b/tasks/section5.yml index c889c58c..7c90ee31 100644 --- a/tasks/section5.yml +++ b/tasks/section5.yml @@ -1,5 +1,5 @@ --- -- name: "5.1.1 | PATCH | Ensure cron daemon is enabled and running" +- name: "AUTOMATED | 5.1.1 | PATCH | Ensure cron daemon is enabled and running" service: name: cron state: started 
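Review bot: The 5.5.5 shell-timeout task is tagged `rule_5.5.5` but its `when:` was renamed to `- ubtu20cis_rule_5_5_4`, so it is enabled by the umask rule's variable and not by its own; the old code had the same mismatch (`ubtu20cis_rule_5_4_4` under 5.4.5) and the renumber preserved it. In practice disabling 5.5.4 silently drops the TMOUT enforcement too, and toggling a 5.5.5 variable has no effect. Assuming the defaults file defines a per-rule variable for 5.5.5, the guard should be `- ubtu20cis_rule_5_5_5`. The blockinfile task this `when:` belongs to starts in the previous hunk.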
@@ -9,11 +9,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.1.1 - cron -- name: "5.1.2 | PATCH | Ensure permissions on /etc/crontab are configured" +- name: "AUTOMATED | 5.1.2 | PATCH | Ensure permissions on /etc/crontab are configured" file: path: /etc/crontab owner: root @@ -24,11 +25,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.1.2 - cron -- name: "5.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured" +- name: "AUTOMATED | 5.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured" file: path: /etc/cron.hourly owner: root @@ -39,11 +41,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.1.3 - cron -- name: "5.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured" +- name: "AUTOMATED | 5.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured" file: path: /etc/cron.daily owner: root @@ -54,11 +57,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.1.4 - cron -- name: "5.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" +- name: "AUTOMATED | 5.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" file: path: /etc/cron.weekly owner: root @@ -69,11 +73,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.1.5 - cron -- name: "5.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured" +- name: "AUTOMATED | 5.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured" file: path: /etc/cron.monthly owner: root @@ -84,11 +89,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.1.6 - cron -- name: "5.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured" +- name: "AUTOMATED | 5.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured" file: path: /etc/cron.d owner: root 
@@ -99,18 +105,19 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.1.7 - cron -- name: "5.1.8 | PATCH | Ensure at/cron is restricted to authorized users" +- name: "AUTOMATED | 5.1.8 | PATCH | Ensure at/cron is restricted to authorized users" block: - - name: "5.1.8 | PATCH | Ensure at/cron is restricted to authorized users | Remove cron.deny" + - name: "AUTOMATED | 5.1.8 | PATCH | Ensure at/cron is restricted to authorized users | Remove cron.deny" file: path: /etc/cron.deny state: absent - - name: "5.1.8 | PATCH | Ensure at/cron is restricted to authorized users | Create cron.allow" + - name: "AUTOMATED | 5.1.8 | PATCH | Ensure at/cron is restricted to authorized users | Create cron.allow" file: path: /etc/cron.allow owner: root @@ -122,18 +129,19 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.1.8 - cron -- name: "5.1.9 | PATCH | Ensure at is restricted to authorized users" +- name: "AUTOMATED | 5.1.9 | PATCH | Ensure at is restricted to authorized users" block: - - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Remove at.deny" + - name: "AUTOMATED | 5.1.9 | PATCH | Ensure at is restricted to authorized users | Remove at.deny" file: path: /etc/at.deny state: absent - - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Create at.allow" + - name: "AUTOMATED | 5.1.9 | PATCH | Ensure at is restricted to authorized users | Create at.allow" file: path: /etc/at.allow owner: root @@ -145,11 +153,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.1.9 - cron -- name: "5.2.1 | PATCH | Ensure sudo is installed" +- name: "AUTOMATED | 5.2.1 | PATCH | Ensure sudo is installed" apt: name: "{{ ubtu20cis_sudo_package }}" state: present 
@@ -158,12 +167,12 @@ tags: - level1-server - level1-workstation - - scored + - automated - patch - rule_5.2.1 - sudo -- name: "5.2.2 | PATCH | Ensure sudo commands use pty" +- name: "AUTOMATED | 5.2.2 | PATCH | Ensure sudo commands use pty" lineinfile: path: /etc/sudoers regexp: '^Defaults use_' @@ -174,11 +183,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.2.2 - sudo -- name: "5.2.3 | PATCH | Ensure sudo log file exists" +- name: "AUTOMATED | 5.2.3 | PATCH | Ensure sudo log file exists" lineinfile: path: /etc/sudoers regexp: '^Defaults logfile' @@ -189,11 +199,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.2.3 - sudo -- name: "5.3.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" +- name: "AUTOMATED | 5.3.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" file: path: /etc/ssh/sshd_config owner: root @@ -204,19 +215,20 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.3.1 - ssh -- name: "5.3.2 | PATCH | Ensure permissions on SSH private host key files are configured" +- name: "AUTOMATED | 5.3.2 | PATCH | Ensure permissions on SSH private host key files are configured" block: - - name: "5.3.2 | AUDIT | Ensure permissions on SSH private host key files are configured | Find ssh_host private keys" + - name: "AUTOMATED | 5.3.2 | AUDIT | Ensure permissions on SSH private host key files are configured | Find ssh_host private keys" find: paths: /etc/ssh patterns: 'ssh_host_*_key' register: ubtu20cis_5_3_2_ssh_host_priv_keys - - name: "5.3.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions" + - name: "AUTOMATED | 5.3.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions" file: path: "{{ item.path }}" owner: root 
@@ -229,19 +241,20 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.3.2 - ssh -- name: "5.3.3 | PATCH | Ensure permissions on SSH public host key files are configured" +- name: "AUTOMATED | 5.3.3 | PATCH | Ensure permissions on SSH public host key files are configured" block: - - name: "5.3.3 | AUDIT | Ensure permissions on SSH public host key files are configured | Find ssh_host public keys" + - name: "AUTOMATED | 5.3.3 | AUDIT | Ensure permissions on SSH public host key files are configured | Find ssh_host public keys" find: paths: /etc/ssh patterns: 'ssh_host_*_key.pub' register: ubtu20cis_5_3_3_ssh_host_pub_keys - - name: "5.3.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions" + - name: "AUTOMATED | 5.3.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions" file: path: "{{ item.path }}" owner: root @@ -254,13 +267,14 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.3.3 - ssh -- name: "5.3.4 | PATCH | Ensure SSH access is limited" +- name: "AUTOMATED | 5.3.4 | PATCH | Ensure SSH access is limited" block: - - name: "5.3.4 | PATCH | Ensure SSH access is limited | Add allowed users" + - name: "AUTOMATED | 5.3.4 | PATCH | Ensure SSH access is limited | Add allowed users" lineinfile: path: /etc/ssh/sshd_config regexp: '^AllowUsers|^#AllowUsers' @@ -268,7 +282,7 @@ notify: restart sshd when: "ubtu20cis_sshd['allow_users']|default('') != ''" - - name: "5.3.4 | PATCH | Ensure SSH access is limited | Add allowed groups" + - name: "AUTOMATED | 5.3.4 | PATCH | Ensure SSH access is limited | Add allowed groups" lineinfile: path: /etc/ssh/sshd_config regexp: '^AllowGroups|^#AllowGroups' 
@@ -276,7 +290,7 @@ notify: restart sshd when: "ubtu20cis_sshd['allow_groups']|default('') != ''" - - name: "5.3.4 | PATCH | Ensure SSH access is limited | Add deny users" + - name: "AUTOMATED | 5.3.4 | PATCH | Ensure SSH access is limited | Add deny users" lineinfile: path: /etc/ssh/sshd_config regexp: '^DenyUsers|^#DenyUsers' @@ -284,7 +298,7 @@ notify: restart sshd when: "ubtu20cis_sshd['deny_users']|default('') != ''" - - name: "5.3.4 | PATCH | Ensure SSH access is limited | Add deny groups" + - name: "AUTOMATED | 5.3.4 | PATCH | Ensure SSH access is limited | Add deny groups" lineinfile: path: /etc/ssh/sshd_config regexp: '^DenyGroups|^#DenyGroups' @@ -296,11 +310,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.3.4 - ssh -- name: "5.3.5 | PATCH | Ensure SSH LogLevel is appropriate" +- name: "AUTOMATED | 5.3.5 | PATCH | Ensure SSH LogLevel is appropriate" lineinfile: path: /etc/ssh/sshd_config regexp: '^LogLevel|^#LogLevel' @@ -312,11 +327,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.3.5 - ssh -- name: "5.3.6 | PATCH | Ensure SSH X11 forwarding is disabled" +- name: "AUTOMATED | 5.3.6 | PATCH | Ensure SSH X11 forwarding is disabled" lineinfile: path: /etc/ssh/sshd_config regexp: '^X11Forwarding|^#X11Forwarding' @@ -327,11 +343,12 @@ tags: - level2-server - level1-workstation + - automated - patch - rule_5.3.6 - ssh -- name: "5.3.7| PATCH | Ensure SSH MaxAuthTries is set to 4 or less" +- name: "AUTOMATED | 5.3.7 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less" lineinfile: path: /etc/ssh/sshd_config regexp: '^MaxAuthTries|^#MaxAuthTries' @@ -343,11 +360,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.3.7 - ssh -- name: "5.3.8 | PATCH | Ensure SSH IgnoreRhosts is enabled" +- name: "AUTOMATED | 5.3.8 | PATCH | Ensure SSH IgnoreRhosts is enabled" lineinfile: path: /etc/ssh/sshd_config regexp: '^IgnoreRhosts|^#IgnoreRhosts' 
@@ -358,11 +376,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.3.8 - ssh -- name: "5.3.9 | PATCH | Ensure SSH HostbasedAuthentication is disabled" +- name: "AUTOMATED | 5.3.9 | PATCH | Ensure SSH HostbasedAuthentication is disabled" lineinfile: path: /etc/ssh/sshd_config regexp: '^HostbasedAuthentication|^#HostbasedAuthentication' @@ -373,11 +392,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.3.9 - ssh -- name: "5.3.10 | PATCH | Ensure SSH root login is disabled" +- name: "AUTOMATED | 5.3.10 | PATCH | Ensure SSH root login is disabled" lineinfile: path: /etc/ssh/sshd_config regexp: '^PermitRootLogin|^#PermitRootLogin' @@ -388,11 +408,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.3.10 - ssh -- name: "5.3.11 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" +- name: "AUTOMATED | 5.3.11 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" lineinfile: path: /etc/ssh/sshd_config regexp: '^PermitEmptyPasswords|^#PermitEmptyPasswords' @@ -404,11 +425,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.3.11 - ssh -- name: "5.3.12 | PATCH | Ensure SSH PermitUserEnvironment is disabled" +- name: "AUTOMATED | 5.3.12 | PATCH | Ensure SSH PermitUserEnvironment is disabled" lineinfile: path: /etc/ssh/sshd_config regexp: '^PermitUserEnvironment|^#PermitUserEnvironment' @@ -419,11 +441,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.3.12 - ssh -- name: "5.3.13 | PATCH | Ensure only strong Ciphers are used" +- name: "AUTOMATED | 5.3.13 | PATCH | Ensure only strong Ciphers are used" lineinfile: path: /etc/ssh/sshd_config regexp: '^Ciphers|^#Ciphers' 
@@ -435,11 +458,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.3.13 - ssh -- name: "5.3.14 | PATCH | Ensure only strong MAC algorithms are used" +- name: "AUTOMATED | 5.3.14 | PATCH | Ensure only strong MAC algorithms are used" lineinfile: path: /etc/ssh/sshd_config regexp: '^MACs|^#MACs' @@ -451,11 +475,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.3.14 - ssh -- name: "5.3.15 | PATCH | Ensure only strong Key Exchange algorithms are used" +- name: "AUTOMATED | 5.3.15 | PATCH | Ensure only strong Key Exchange algorithms are used" lineinfile: path: /etc/ssh/sshd_config regexp: '^KexAlgorithms|^#KexAlgorithms' @@ -467,11 +492,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.3.15 - ssh -- name: "5.3.16 | PATCH | Ensure SSH Idle Timeout Interval is configured" +- name: "AUTOMATED | 5.3.16 | PATCH | Ensure SSH Idle Timeout Interval is configured" lineinfile: path: /etc/ssh/sshd_config regexp: "{{ item.regexp }}" @@ -485,11 +511,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.3.16 - sshd -- name: "5.3.17 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less" +- name: "AUTOMATED | 5.3.17 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less" lineinfile: path: /etc/ssh/sshd_config regexp: '^LoginGraceTime|^#LoginGraceTime' @@ -501,11 +528,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.3.17 - ssh -- name: "5.2.18 | PATCH | Ensure SSH warning banner is configured" +- name: "AUTOMATED | 5.3.18 | PATCH | Ensure SSH warning banner is configured" lineinfile: path: /etc/ssh/sshd_config regexp: '^Banner|^#Banner' 
@@ -517,12 +545,12 @@ tags: - level1-server - level1-workstation - - scored + - automated - patch - rule_5.3.18 - ssh -- name: "5.3.19 | PATCH | Ensure SSH PAM is enabled" +- name: "AUTOMATED | 5.3.19 | PATCH | Ensure SSH PAM is enabled" lineinfile: path: /etc/ssh/sshd_config regexp: '^UsePAM|^#UsePAM' @@ -534,12 +562,13 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.3.19 - ssh - pam -- name: "5.3.20 | PATCH | Ensure SSH AllowTcpForwarding is disabled" +- name: "AUTOMATED | 5.3.20 | PATCH | Ensure SSH AllowTcpForwarding is disabled" lineinfile: path: /etc/ssh/sshd_config regexp: '^AllowTcpForwarding|^#AllowTcpForwarding' @@ -550,11 +579,12 @@ tags: - level2-server - level2-workstation + - automated - patch - rule_5.3.20 - ssh -- name: "5.3.21 | PATCH | Ensure SSH MaxStartups is configured" +- name: "AUTOMATED | 5.3.21 | PATCH | Ensure SSH MaxStartups is configured" lineinfile: path: /etc/ssh/sshd_config regexp: '^MaxStartups|^#MaxStartups' @@ -565,12 +595,12 @@ tags: - level1-server - level1-workstation - - scored + - automated - patch - rule_5.3.21 - ssh -- name: "5.3.22 | PATCH | Ensure SSH MaxSessions is set to 4 or less" +- name: "AUTOMATED | 5.3.22 | PATCH | Ensure SSH MaxSessions is set to 4 or less" lineinfile: path: /etc/ssh/sshd_config regexp: '^MaxSessions|^#MaxSessions' 
@@ -582,37 +612,38 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.3.22 - ssh -- name: "5.4.1 | PATCH | Ensure password creation requirements are configured" +- name: "AUTOMATED | 5.4.1 | PATCH | Ensure password creation requirements are configured" block: - - name: "SCORED | 5.4.1 | PATCH | Ensure password creation requirements are configured | Install pam_pwquality module" + - name: "AUTOMATED | 5.4.1 | PATCH | Ensure password creation requirements are configured | Install pam_pwquality module" apt: name: libpam-pwquality state: present - - name: "5.4.1 | PATCH | Ensure password creation requirements are configured | Add minlen" + - name: "AUTOMATED | 5.4.1 | PATCH | Ensure password creation requirements are configured | Add minlen" lineinfile: path: /etc/security/pwquality.conf regexp: '^minlen|^# minlen' line: minlen = 14 - - name: "5.4.1 | PATCH | Ensure password creation requirements are configured | Add minclass" + - name: "AUTOMATED | 5.4.1 | PATCH | Ensure password creation requirements are configured | Add minclass" lineinfile: path: /etc/security/pwquality.conf regexp: '^minclass|^# minclass' line: 'minclass = 4' - - name: "5.4.1 | AUDIT | Ensure password creation requirements are configured | Confirm pwquality module in common-password" + - name: "AUTOMATED | 5.4.1 | AUDIT | Ensure password creation requirements are configured | Confirm pwquality module in common-password" command: grep 'password.*requisite.*pam_pwquality.so' /etc/pam.d/common-password changed_when: false failed_when: false check_mode: false register: ubtu20cis_5_4_1_pam_pwquality_state - - name: "5.4.1 | PATCH | Ensure password creation requirements are configured | Set retry to 3 if pwquality exists" + - name: "AUTOMATED | 5.4.1 | PATCH | Ensure password creation requirements are configured | Set retry to 3 if pwquality exists" pamd: name: common-password type: password 
@@ -622,7 +653,7 @@ state: args_present when: ubtu20cis_5_4_1_pam_pwquality_state.stdout != "" - - name: "5.4.1 | PATCH | Ensure password creation requirements are configured | Set retry to 3 if pwquality does not exist" + - name: "AUTOMATED | 5.4.1 | PATCH | Ensure password creation requirements are configured | Set retry to 3 if pwquality does not exist" pamd: name: common-password type: password @@ -639,6 +670,7 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.4.1 - pam @@ -656,13 +688,13 @@ # figure out why pam_deny kills vagrant user. Below is everything working but the pam_deny.so in the last task with_items # ------------- # ------------- -- name: "5.4.2 | PATCH | Ensure lockout for failed password attempts is configured" +- name: "AUTOMATED | 5.4.2 | PATCH | Ensure lockout for failed password attempts is configured" command: /bin/true changed_when: false failed_when: false check_mode: false # block: - # - name: "5.4.2 | AUDIT | Ensure lockout for failed password attempts is configured | Confirm pam_tally2.so module in common-auth" + # - name: "AUTOMATED | 5.4.2 | AUDIT | Ensure lockout for failed password attempts is configured | Confirm pam_tally2.so module in common-auth" # # command: grep 'auth.*required.*pam_tally2.so' /etc/pam.d/common-auth # command: grep 'auth.*required.*pam_tally2.so' /etc/pam.d/common-account # changed_when: false @@ -670,7 +702,7 @@ # check_mode: false # register: ubtu20cis_5_4_2_pam_tally2_state - # - name: "SCORED | 5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Set pam_tally2.so settings if exists" + # - name: "AUTOMATED | 5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Set pam_tally2.so settings if exists" # pamd: # # name: common-auth # name: common-account 
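Review bot: Task 5.4.2 is relabelled `AUTOMATED | 5.4.2 | PATCH | Ensure lockout for failed password attempts is configured` while its body is still the `command: /bin/true` placeholder with the real implementation commented out and the `notimplemented` tag kept; the following hunk also adds the `- automated` tag to it. Anyone running with `--tags automated` will get a green result for lockout configuration that enforces nothing. Until the pam_tally2 block is restored, either leave the AUTOMATED prefix and tag off this task or add a comment above it such as `# NOTE: placeholder only — lockout is NOT enforced, see the commented block below`.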
@@ -685,7 +717,7 @@ # unlock_time=900' # when: ubtu20cis_5_4_2_pam_tally2_state.stdout != "" - # - name: "5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Set pam_tally2.so settings if does not exist" + # - name: "AUTOMATED | 5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Set pam_tally2.so settings if does not exist" # lineinfile: # # path: /etc/pam.d/common-auth # path: /etc/pam.d/common-account @@ -694,7 +726,7 @@ # insertafter: '^# end of pam-auth-update config' # when: ubtu20cis_5_4_2_pam_tally2_state == "" - # - name: "5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Set pam_deny.so and pam_tally.so" + # - name: "AUTOMATED | 5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Set pam_deny.so and pam_tally.so" # lineinfile: # path: /etc/pam.d/common-account # regexp: "{{ item.regexp }}" @@ -708,21 +740,22 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.4.2 - pamd - notimplemented -- name: "5.4.3 | PATCH | Ensure password reuse is limited" +- name: "AUTOMATED | 5.4.3 | PATCH | Ensure password reuse is limited" block: - - name: "5.4.3 | AUDIT | Ensure password reuse is limited | Confirm pam_pwhistory.so in common-password" + - name: "AUTOMATED | 5.4.3 | AUDIT | Ensure password reuse is limited | Confirm pam_pwhistory.so in common-password" command: grep 'password.*required.*pam_pwhistory.so' /etc/pam.d/common-password changed_when: false failed_when: false check_mode: false register: ubtu20cis_5_4_3_pam_pwhistory_state - - name: "5.4.3 | PATCH | Ensure password reuse is limited | Set remember value if pam_pwhistory exists" + - name: "AUTOMATED | 5.4.3 | PATCH | Ensure password reuse is limited | Set remember value if pam_pwhistory exists" pamd: name: common-password type: password 
@@ -732,7 +765,7 @@ state: args_present when: ubtu20cis_5_4_3_pam_pwhistory_state.stdout != "" - - name: "5.4.3 | PATCH | Ensure password reuse is limited | Set remember value if pam_pwhistory does no exist" + - name: "AUTOMATED | 5.4.3 | PATCH | Ensure password reuse is limited | Set remember value if pam_pwhistory does no exist" lineinfile: path: /etc/pam.d/common-password line: 'password required pam_pwhistory.so remember={{ ubtu20cis_pamd_pwhistory_remember }}' @@ -743,20 +776,21 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.4.3 - pamd -- name: "5.4.4 | PATCH | Ensure password hashing algorithm is SHA-512" +- name: "AUTOMATED | 5.4.4 | PATCH | Ensure password hashing algorithm is SHA-512" block: - - name: "5.4.4 | AUDIT | Ensure password hashing algorithm is SHA-512 | Confirm pam_unix.so" + - name: "AUTOMATED | 5.4.4 | AUDIT | Ensure password hashing algorithm is SHA-512 | Confirm pam_unix.so" shell: grep -E '^\s*password\s+(\S+\s+)+pam_unix\.so\s+(\S+\s+)*sha512\s*(\S+\s*)*(\s+#.*)?$' /etc/pam.d/common-password changed_when: false failed_when: false check_mode: false register: ubtu20cis_5_4_4_pam_unix_state - - name: "5.4.4 | PATCH | Ensure password hashing algorithm is SHA-512 | Set hashing if pam_unix.so exists" + - name: "AUTOMATED | 5.4.4 | PATCH | Ensure password hashing algorithm is SHA-512 | Set hashing if pam_unix.so exists" pamd: name: common-password type: password @@ -766,7 +800,7 @@ state: args_present when: ubtu20cis_5_4_4_pam_unix_state.stdout != "" - - name: "5.4.4 | PATCH | Ensure password hashing algorithm is SHA-512 | Set hashing if pam_unix.so does not exist" + - name: "AUTOMATED | 5.4.4 | PATCH | Ensure password hashing algorithm is SHA-512 | Set hashing if pam_unix.so does not exist" lineinfile: path: /etc/pam.d/common-password line: 'password [success=1 default=ignore] pam_unix.so sha512' 
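Review bot: The 5.4.4 audit regex only matches a pam_unix.so line that already carries `sha512`, so the `args_present` branch (run when the grep matched) never has anything to add, and a host whose pam_unix.so line exists with a different hash option falls into the "does not exist" branch, which appends a second `pam_unix.so` line after the pam-auth-update block instead of amending the existing one. Checking for the module rather than the argument makes both branches meaningful: `shell: grep -E '^\s*password\s.*\bpam_unix\.so' /etc/pam.d/common-password` for the audit, with `args_present` then adding `sha512` to the line that was found and the lineinfile fallback reserved for a file with no pam_unix.so entry at all. The 5.4.4 block opens in the previous hunk on this line and closes outside it.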
@@ -777,19 +811,20 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.4.4 - pamd -- name: "5.5.1.1 | PATCH | Ensure minimum days between password changes is configured" +- name: "AUTOMATED | 5.5.1.1 | PATCH | Ensure minimum days between password changes is configured" block: - - name: "5.5.1.1 | PATCH | Ensure minimum days between password changes is configured | Set /etc/login.defs PASS_MIN_DAYS" + - name: "AUTOMATED | 5.5.1.1 | PATCH | Ensure minimum days between password changes is configured | Set /etc/login.defs PASS_MIN_DAYS" lineinfile: path: /etc/login.defs regexp: '^PASS_MIN_DAYS|^#PASS_MIN_DAYS' line: 'PASS_MIN_DAYS {{ ubtu20cis_pass.min_days }}' - - name: "5.5.1.1 | PATCH | Ensure minimum days between password changes is configured | Set existing users PASS_MIN_DAYS" + - name: "AUTOMATED | 5.5.1.1 | PATCH | Ensure minimum days between password changes is configured | Set existing users PASS_MIN_DAYS" command: chage --mindays {{ ubtu20cis_pass.min_days }} {{ item }} failed_when: false with_items: 
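Review bot: `command: chage --mindays {{ ubtu20cis_pass.min_days }} {{ item }}` has `failed_when: false` but no `changed_when`, so every run reports a change for every listed user and a `chage` failure on one of them is hidden; the same shape is repeated in 5.5.1.2 (`chage --maxdays`), 5.5.1.3 (`chage --warndays`) and 5.5.1.4 (`useradd -D -f`, `chage --inactive`) on the following lines. Registering the result and deriving `changed_when`/`failed_when` from its `rc` instead of a blanket `failed_when: false`, or reading the current value back first, would make reports and check mode meaningful. The `with_items` list and the rest of the block are outside the hunk.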
@@ -800,21 +835,22 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.5.1.1 - user - login -- name: "5.5.1.2 | PATCH | Ensure password expiration is 365 days or less" +- name: "AUTOMATED | 5.5.1.2 | PATCH | Ensure password expiration is 365 days or less" block: - - name: "5.5.1.2 | PATCH | Ensure password expiration is 365 days or less | Set /etc/login.defs PASS_MAX_DAYS" + - name: "AUTOMATED | 5.5.1.2 | PATCH | Ensure password expiration is 365 days or less | Set /etc/login.defs PASS_MAX_DAYS" lineinfile: path: /etc/login.defs regexp: '^PASS_MAX_DAYS|^#PASS_MAX_DAYS' line: 'PASS_MAX_DAYS {{ ubtu20cis_pass.max_days }}' insertafter: '# Password aging controls' - - name: "5.5.1.2 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS" + - name: "AUTOMATED | 5.5.1.2 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS" command: chage --maxdays {{ ubtu20cis_pass.max_days }} {{ item }} failed_when: false with_items: 
@@ -825,20 +861,21 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.5.1.2 - user - login -- name: "5.5.1.3 | PATCH | Ensure password expiration warning days is 7 or more" +- name: "AUTOMATED | 5.5.1.3 | PATCH | Ensure password expiration warning days is 7 or more" block: - - name: "5.5.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Set /etc/login.defs PASS_WARN_AGE" + - name: "AUTOMATED | 5.5.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Set /etc/login.defs PASS_WARN_AGE" lineinfile: path: /etc/login.defs regexp: '^PASS_WARN_AGE|^#PASS_WARN_AGE' line: 'PASS_WARN_AGE {{ ubtu20cis_pass.warn_age }}' - - name: "5.5.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Set existing users PASS_WARN_AGE" + - name: "AUTOMATED | 5.5.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Set existing users PASS_WARN_AGE" command: chage --warndays {{ ubtu20cis_pass.warn_age }} {{ item }} failed_when: false with_items: @@ -849,18 +886,19 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.5.1.3 - user - login -- name: "5.5.1.4 | PATCH | Ensure inactive password lock is 30 days or less" +- name: "AUTOMATED | 5.5.1.4 | PATCH | Ensure inactive password lock is 30 days or less" block: - - name: "5.5.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set inactive period for new users" + - name: "AUTOMATED | 5.5.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set inactive period for new users" command: useradd -D -f {{ ubtu20cis_pass.inactive }} failed_when: false - - name: "5.5.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set inactive period for existing users" + - name: "AUTOMATED | 5.5.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set inactive period for existing users" command: chage --inactive {{ ubtu20cis_pass.inactive }} {{ item }} failed_when: false with_items: 
@@ -871,35 +909,36 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.5.1.4 - user - login -- name: "5.5.1.5 | PATCH | Ensure all users last password change date is in the past" +- name: "AUTOMATED | 5.5.1.5 | PATCH | Ensure all users last password change date is in the past" block: - - name: "5.5.1.5 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time" + - name: "AUTOMATED | 5.5.1.5 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time" shell: echo $(($(date --utc --date "$1" +%s)/86400)) changed_when: false failed_when: false check_mode: false register: ubtu20cis_5_5_1_5_current_time - - name: "5.5.1.5 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed PW date in future" + - name: "AUTOMATED | 5.5.1.5 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed PW date in future" shell: "cat /etc/shadow | awk -F: '{if($3>{{ ubtu20cis_5_4_1_5_current_time.stdout }})print$1}'" changed_when: false failed_when: false check_mode: false register: ubtu20cis_5_5_1_5_user_list - - name: "5.5.1.5 | PATCH | Ensure all users last password change date is in the past | Warn about users" + - name: "AUTOMATED | 5.5.1.5 | PATCH | Ensure all users last password change date is in the past | Warn about users" debug: msg: - "WARNING!!!!The following accounts have the last PW change date in the future" - "{{ ubtu20cis_5_5_1_5_user_list.stdout_lines }}" when: ubtu20cis_5_5_1_5_user_list.stdout != "" - - name: "5.5.1.5 | PATCH | Ensure all users last password change date is in the past | Lock accounts with furtre PW changed dates" + - name: "AUTOMATED | 5.5.1.5 | PATCH | Ensure all users last password change date is in the past | Lock accounts with furtre PW changed dates" command: passwd --expire {{ item }} failed_when: false with_items: 
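Review bot: `shell: echo $(($(date --utc --date "$1" +%s)/86400))` expands `$1`, which is unset in a `shell` task, to an empty string, so the current day number depends on how GNU date treats `--date ""` rather than stating "now"; `shell: echo $(( $(date --utc +%s) / 86400 ))` expresses the intent directly. The next task then interpolates `ubtu20cis_5_4_1_5_current_time.stdout`, which is not the name registered on the previous task (`ubtu20cis_5_5_1_5_current_time`); a later patch in this series (26/44) corrects the name. The `with_items` list for the `passwd --expire` task and the rest of the block are outside the hunk.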
@@ -912,14 +951,15 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.5.1.5 - user - login -- name: "5.5.2 | PATCH | Ensure system accounts are secured" +- name: "AUTOMATED | 5.5.2 | PATCH | Ensure system accounts are secured" block: - - name: "5.5.2 | PATCH | Ensure system accounts are secured | Set system accounts to login" + - name: "AUTOMATED | 5.5.2 | PATCH | Ensure system accounts are secured | Set system accounts to login" user: name: "{{ item }}" shell: /sbin/nologin @@ -931,7 +971,7 @@ - item != "shutdown" - item != "halt" - - name: "5.5.2 | PATCH | Ensure system accounts are secured | Lock non-root system accounts" + - name: "AUTOMATED | 5.5.2 | PATCH | Ensure system accounts are secured | Lock non-root system accounts" user: name: "{{ item }}" password_lock: true @@ -945,19 +985,20 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.5.2 - user - system -- name: "5.5.3 | PATCH | Ensure default group for the root account is GID 0" +- name: "AUTOMATED | 5.5.3 | PATCH | Ensure default group for the root account is GID 0" block: - - name: "5.5.3 | PATCH | Ensure default group for the root account is GID 0 | Set root group to GUID 0" + - name: "AUTOMATED | 5.5.3 | PATCH | Ensure default group for the root account is GID 0 | Set root group to GUID 0" group: name: root gid: 0 - - name: "5.5.3 | PATCH | Ensure default group for the root account is GID 0 | Set root user to root group" + - name: "AUTOMATED | 5.5.3 | PATCH | Ensure default group for the root account is GID 0 | Set root user to root group" user: name: root group: root 
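Review bot: The 5.5.2 `user:` task sets `shell: /sbin/nologin`; on Ubuntu the binary is installed as `/usr/sbin/nologin` and `/sbin/nologin` presumably resolves only on merged-/usr installs, so on an older upgraded host the accounts would get a non-existent shell (login is still blocked, but audits that look for the nologin path would flag it). `shell: /usr/sbin/nologin` works on both layouts. The item list and its `item != "shutdown"`/`item != "halt"` filters sit in the hunk that follows, so the set of accounts touched is not visible here.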
@@ -966,28 +1007,29 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.5.3 - user - system -- name: "5.5.4 | PATCH | Ensure default user umask is 027 or more restrictive" +- name: "AUTOMATED | 5.5.4 | PATCH | Ensure default user umask is 027 or more restrictive" block: - - name: "5.5.4 | AUDIT | Ensure default user umask is 027 or more restrictive" + - name: "AUTOMATED | 5.5.4 | AUDIT | Ensure default user umask is 027 or more restrictive" shell: grep -E '^session.*optional.*pam_umask.so' /etc/pam.d/common-session changed_when: false failed_when: false check_mode: false register: ubtu20cis_5_5_4_umask_pam_status - - name: "5.5.4 | PATCH | Ensure default user umask is 027 or more restrictive" + - name: "AUTOMATED | 5.5.4 | PATCH | Ensure default user umask is 027 or more restrictive" lineinfile: path: /etc/pam.d/common-session line: 'session optional pam_umask.so' insertbefore: '^# end of pam-auth-update config' when: ubtu20cis_5_5_4_umask_pam_status.stdout != "" - - name: "5.5.4 | PATCH | Ensure default user umask is 027 or more restrictive" + - name: "AUTOMATED | 5.5.4 | PATCH | Ensure default user umask is 027 or more restrictive" replace: path: "{{ item }}" regexp: '(^\s+umask) 002' @@ -1001,11 +1043,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.5.4 - user -- name: "5.5.5 | PATCH | Ensure default user shell timeout is 900 seconds or less" +- name: "AUTOMATED | 5.5.5 | PATCH | Ensure default user shell timeout is 900 seconds or less" blockinfile: create: yes mode: 0644 
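Review bot: The 5.5.4 lineinfile that adds `session optional pam_umask.so` runs `when: ubtu20cis_5_5_4_umask_pam_status.stdout != ""`, i.e. only when the grep already found the line, and is skipped when the line is missing — the opposite of what the task name says, so the pam_umask entry is never added on a host that lacks it (lineinfile makes the wrong branch a harmless no-op, which is presumably why it went unnoticed). The condition should be `when: ubtu20cis_5_5_4_umask_pam_status.stdout == ""`; the `| length > 0` rewrite of this line in PATCH 24/44 below keeps the inversion and would need `| length == 0`. The `replace:` task for `umask 002` continues outside the hunk.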
@@ -1026,20 +1069,21 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.5.5 - user -- name: "5.6 | AUDIT | Ensure root login is restricted to system console" +- name: "MANUAL | 5.6 | AUDIT | Ensure root login is restricted to system console" block: - - name: "5.6 | AUDIT | Ensure root login is restricted to system console | Get list of all terminals" + - name: "MANUAL | 5.6 | AUDIT | Ensure root login is restricted to system console | Get list of all terminals" command: cat /etc/securetty changed_when: false failed_when: false check_mode: false register: ubtu20cis_5_6_terminal_list - - name: "5.6 | AUDIT | Ensure root login is restricted to system console | Message out list" + - name: "MANUAL | 5.6 | AUDIT | Ensure root login is restricted to system console | Message out list" debug: msg: - "WARNING!!!!Below is the list of conoles with root login access" @@ -1055,20 +1099,20 @@ - rule_5.6 - user -- name: "5.7 | PATCH | Ensure access to the su command is restricted" +- name: "AUTOMATED | 5.7 | PATCH | Ensure access to the su command is restricted" block: - - name: "5.7 | PATCH | Ensure access to the su command is restricted | Check for pam_wheel.so module" + - name: "AUTOMATED | 5.7 | PATCH | Ensure access to the su command is restricted | Check for pam_wheel.so module" command: grep 'auth.*required.*pam_wheel' /etc/pam.d/su changed_when: false failed_when: false check_mode: false register: ubtu20cis_5_7_pam_wheel_status - - name: "5.7 | PATCH | Ensure access to the su command is restricted | Create empty sugroup" + - name: "AUTOMATED | 5.7 | PATCH | Ensure access to the su command is restricted | Create empty sugroup" group: name: "{{ ubtu20cis_su_group }}" - - name: "5.7 | PATCH | Ensure access to the su command is restricted | Set pam_wheel if exists" + - name: "AUTOMATED | 5.7 | PATCH | Ensure access to the su command is restricted | Set pam_wheel if exists" pamd: name: su type: auth 
@@ -1077,7 +1121,7 @@ module_arguments: 'use_uid group={{ ubtu20cis_su_group }}' when: ubtu20cis_5_7_pam_wheel_status.stdout != "" - - name: "5.7 | PATCH | Ensure access to the su command is restricted | Set pam_wheel if does not exist" + - name: "AUTOMATED | 5.7 | PATCH | Ensure access to the su command is restricted | Set pam_wheel if does not exist" lineinfile: path: /etc/pam.d/su line: 'auth required pam_wheel.so use_uid group={{ ubtu20cis_su_group }}' @@ -1088,6 +1132,7 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.7 - user From f6134f160b45eee3c35f805e136fd1e3badb4d13 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 4 May 2021 14:26:01 -0400 Subject: [PATCH 24/44] updated section 5 empty string compares Signed-off-by: George Nalen --- tasks/section5.yml | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/tasks/section5.yml b/tasks/section5.yml index 7c90ee31..b207bda1 100644 --- a/tasks/section5.yml +++ b/tasks/section5.yml @@ -651,7 +651,7 @@ module_path: pam_pwquality.so module_arguments: 'retry=3' state: args_present - when: ubtu20cis_5_4_1_pam_pwquality_state.stdout != "" + when: ubtu20cis_5_4_1_pam_pwquality_state.stdout | length > 0 - name: "AUTOMATED | 5.4.1 | PATCH | Ensure password creation requirements are configured | Set retry to 3 if pwquality does not exist" pamd: @@ -664,7 +664,7 @@ new_module_path: pam_pwquality.so module_arguments: 'retry=3' state: after - when: ubtu20cis_5_4_1_pam_pwquality_state.stdout == "" + when: ubtu20cis_5_4_1_pam_pwquality_state.stdout | length == 0 when: - ubtu20cis_rule_5_4_1 tags: 
@@ -763,14 +763,14 @@ module_path: pam_pwhistory.so module_arguments: 'remember={{ ubtu20cis_pamd_pwhistory_remember }}' state: args_present - when: ubtu20cis_5_4_3_pam_pwhistory_state.stdout != "" + when: ubtu20cis_5_4_3_pam_pwhistory_state.stdout | length > 0 - name: "AUTOMATED | 5.4.3 | PATCH | Ensure password reuse is limited | Set remember value if pam_pwhistory does no exist" lineinfile: path: /etc/pam.d/common-password line: 'password required pam_pwhistory.so remember={{ ubtu20cis_pamd_pwhistory_remember }}' insertafter: '^# end of pam-auth-update config' - when: ubtu20cis_5_4_3_pam_pwhistory_state.stdout == "" + when: ubtu20cis_5_4_3_pam_pwhistory_state.stdout | length == 0 when: - ubtu20cis_rule_5_4_3 tags: @@ -798,14 +798,14 @@ module_path: pam_unix.so module_arguments: sha512 state: args_present - when: ubtu20cis_5_4_4_pam_unix_state.stdout != "" + when: ubtu20cis_5_4_4_pam_unix_state.stdout | length > 0 - name: "AUTOMATED | 5.4.4 | PATCH | Ensure password hashing algorithm is SHA-512 | Set hashing if pam_unix.so does not exist" lineinfile: path: /etc/pam.d/common-password line: 'password [success=1 default=ignore] pam_unix.so sha512' insertafter: '^# end of pam-auth-update config' - when: ubtu20cis_5_4_4_pam_unix_state.stdout == "" + when: ubtu20cis_5_4_4_pam_unix_state.stdout | length == 0 when: - ubtu20cis_rule_5_4_4 tags: @@ -936,7 +936,7 @@ msg: - "WARNING!!!!The following accounts have the last PW change date in the future" - "{{ ubtu20cis_5_5_1_5_user_list.stdout_lines }}" - when: ubtu20cis_5_5_1_5_user_list.stdout != "" + when: ubtu20cis_5_5_1_5_user_list.stdout | length > 0 - name: "AUTOMATED | 5.5.1.5 | PATCH | Ensure all users last password change date is in the past | Lock accounts with furtre PW changed dates" command: passwd --expire {{ item }} 
@@ -945,7 +945,7 @@ - "{{ ubtu20cis_5_5_1_5_user_list.stdout_lines }}" when: - ubtu20cis_disruption_high - - ubtu20cis_5_5_1_5_user_list.stdout != "" + - ubtu20cis_5_5_1_5_user_list.stdout | length > 0 when: - ubtu20cis_rule_5_5_1_5 tags: @@ -1027,7 +1027,7 @@ path: /etc/pam.d/common-session line: 'session optional pam_umask.so' insertbefore: '^# end of pam-auth-update config' - when: ubtu20cis_5_5_4_umask_pam_status.stdout != "" + when: ubtu20cis_5_5_4_umask_pam_status.stdout | length > 0 - name: "AUTOMATED | 5.5.4 | PATCH | Ensure default user umask is 027 or more restrictive" replace: @@ -1119,14 +1119,14 @@ control: required module_path: pam_wheel.so module_arguments: 'use_uid group={{ ubtu20cis_su_group }}' - when: ubtu20cis_5_7_pam_wheel_status.stdout != "" + when: ubtu20cis_5_7_pam_wheel_status.stdout | length > 0 - name: "AUTOMATED | 5.7 | PATCH | Ensure access to the su command is restricted | Set pam_wheel if does not exist" lineinfile: path: /etc/pam.d/su line: 'auth required pam_wheel.so use_uid group={{ ubtu20cis_su_group }}' create: yes - when: ubtu20cis_5_7_pam_wheel_status.stdout == "" + when: ubtu20cis_5_7_pam_wheel_status.stdout | length == 0 when: - ubtu20cis_rule_5_7 tags: From 582396a608110d92c627903a42ec005bf4340d93 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 4 May 2021 14:30:00 -0400 Subject: [PATCH 25/44] updates to defaults/main individual control toggles Signed-off-by: George Nalen --- defaults/main.yml | 81 ++++++++++++++++++++++++++++++++--------------- 1 file changed, 55 insertions(+), 26 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 3c9bf782..4b7ba88b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
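Review bot: The 5.7 fallback `lineinfile` on `/etc/pam.d/su` has `create: yes`, so if the file is ever absent the role writes a service file containing only `auth required pam_wheel.so use_uid group=...` and no account/session stack, which is a worse state than letting the task fail and surface the missing file. Dropping `create: yes`, or guarding the task with a `stat` of /etc/pam.d/su, keeps the role from manufacturing an incomplete PAM configuration. Where a boolean is kept, `true`/`false` is the spelling the rest of this file uses (`password_lock: true` in the earlier 5.5.2 hunk).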
@@ -244,40 +244,69 @@ ubtu20cis_rule_5_1_9: true
 ubtu20cis_rule_5_2_1: true
 ubtu20cis_rule_5_2_2: true
 ubtu20cis_rule_5_2_3: true
-ubtu20cis_rule_5_2_4: true
-ubtu20cis_rule_5_2_5: true
-ubtu20cis_rule_5_2_6: true
-ubtu20cis_rule_5_2_7: true
-ubtu20cis_rule_5_2_8: true
-ubtu20cis_rule_5_2_9: true
-ubtu20cis_rule_5_2_10: true
-ubtu20cis_rule_5_2_11: true
-ubtu20cis_rule_5_2_12: true
-ubtu20cis_rule_5_2_13: true
-ubtu20cis_rule_5_2_14: true
-ubtu20cis_rule_5_2_15: true
-ubtu20cis_rule_5_2_16: true
-ubtu20cis_rule_5_2_17: true
-ubtu20cis_rule_5_2_18: true
-ubtu20cis_rule_5_2_19: true
-ubtu20cis_rule_5_2_20: true
-ubtu20cis_rule_5_2_21: true
-ubtu20cis_rule_5_2_22: true
+# ubtu20cis_rule_5_2_4: true
+# ubtu20cis_rule_5_2_5: true
+# ubtu20cis_rule_5_2_6: true
+# ubtu20cis_rule_5_2_7: true
+# ubtu20cis_rule_5_2_8: true
+# ubtu20cis_rule_5_2_9: true
+# ubtu20cis_rule_5_2_10: true
+# ubtu20cis_rule_5_2_11: true
+# ubtu20cis_rule_5_2_12: true
+# ubtu20cis_rule_5_2_13: true
+# ubtu20cis_rule_5_2_14: true
+# ubtu20cis_rule_5_2_15: true
+# ubtu20cis_rule_5_2_16: true
+# ubtu20cis_rule_5_2_17: true
+# ubtu20cis_rule_5_2_18: true
+# ubtu20cis_rule_5_2_19: true
+# ubtu20cis_rule_5_2_20: true
+# ubtu20cis_rule_5_2_21: true
+# ubtu20cis_rule_5_2_22: true
 ubtu20cis_rule_5_3_1: true
 ubtu20cis_rule_5_3_2: true
 ubtu20cis_rule_5_3_3: true
 ubtu20cis_rule_5_3_4: true
-ubtu20cis_rule_5_4_1_1: true
-ubtu20cis_rule_5_4_1_2: true
-ubtu20cis_rule_5_4_1_3: true
-ubtu20cis_rule_5_4_1_4: true
-ubtu20cis_rule_5_4_1_5: true
+ubtu20cis_rule_5_3_5: true
+ubtu20cis_rule_5_3_6: true
+ubtu20cis_rule_5_3_7: true
+ubtu20cis_rule_5_3_8: true
+ubtu20cis_rule_5_3_9: true
+ubtu20cis_rule_5_3_10: true
+ubtu20cis_rule_5_3_11: true
+ubtu20cis_rule_5_3_12: true
+ubtu20cis_rule_5_3_13: true
+ubtu20cis_rule_5_3_14: true
+ubtu20cis_rule_5_3_15: true
+ubtu20cis_rule_5_3_16: true
+ubtu20cis_rule_5_3_17: true
+ubtu20cis_rule_5_3_18: true
+ubtu20cis_rule_5_3_19: true
+ubtu20cis_rule_5_3_20: true
+ubtu20cis_rule_5_3_21: true
+ubtu20cis_rule_5_3_22: true
+# ubtu20cis_rule_5_4_1_1: true
+# ubtu20cis_rule_5_4_1_2: true
+# ubtu20cis_rule_5_4_1_3: true
+# ubtu20cis_rule_5_4_1_4: true
+# ubtu20cis_rule_5_4_1_5: true
+ubtu20cis_rule_5_4_1: true
 ubtu20cis_rule_5_4_2: true
 ubtu20cis_rule_5_4_3: true
 ubtu20cis_rule_5_4_4: true
-ubtu20cis_rule_5_4_5: true
-ubtu20cis_rule_5_5: true
+# ubtu20cis_rule_5_4_5: true
+ubtu20cis_rule_5_5_1_1: true
+ubtu20cis_rule_5_5_1_2: true
+ubtu20cis_rule_5_5_1_3: true
+ubtu20cis_rule_5_5_1_4: true
+ubtu20cis_rule_5_5_1_5: true
+ubtu20cis_rule_5_5_2: true
+ubtu20cis_rule_5_5_3: true
+ubtu20cis_rule_5_5_4: true
+ubtu20cis_rule_5_5_5: true
+# ubtu20cis_rule_5_5: true
 ubtu20cis_rule_5_6: true
+ubtu20cis_rule_5_7: true
 
 # Section 6 Fixes
 # Section is Systme Maintenance (System File Permissions and User and Group Settings)
From 47536a5e7cb67869515c84e07f6a61fbf8630a1d Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Tue, 4 May 2021 14:59:06 -0400
Subject: [PATCH 26/44] section 5 updates for running
Signed-off-by: George Nalen
---
tasks/section5.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/section5.yml b/tasks/section5.yml
index b207bda1..205b93eb 100644
--- a/tasks/section5.yml
+++ b/tasks/section5.yml
@@ -925,7 +925,7 @@
 register: ubtu20cis_5_5_1_5_current_time
 
 - name: "AUTOMATED | 5.5.1.5 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed PW date in future"
- shell: "cat /etc/shadow | awk -F: '{if($3>{{ ubtu20cis_5_4_1_5_current_time.stdout }})print$1}'"
+ shell: "cat /etc/shadow | awk -F: '{if($3>{{ ubtu20cis_5_5_1_5_current_time.stdout }})print$1}'"
 changed_when: false
 failed_when: false
 check_mode: false
From e62d5e13840f5ddbbdded9849f640e3fdbdedf73 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Tue, 4 May 2021 15:59:24 -0400
Subject: [PATCH 27/44] updated section 6 to v1.1.0
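Review bot: The 26 assignments that are commented out rather than removed (`# ubtu20cis_rule_5_2_4: true` through `# ubtu20cis_rule_5_2_22: true`, the five `# ubtu20cis_rule_5_4_1_*` lines, `# ubtu20cis_rule_5_4_5` and `# ubtu20cis_rule_5_5`) are dead config that will drift from the `ubtu20cis_rule_5_3_*`/`ubtu20cis_rule_5_5_1_*` names that replaced them. Because the old names are now undefined, any task still gated on one of them fails with an undefined-variable error instead of being skipped; that is acceptable only if the section5 renumbering is complete, so a grep for `ubtu20cis_rule_5_2_` and `ubtu20cis_rule_5_4_1_` across tasks/ is worth doing before merge. Deleting the lines and leaving one comment such as `# Section 5 rule ids follow the CIS Ubuntu 20.04 Benchmark v1.1.0 numbering` records the change without keeping commented-out toggles in defaults.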
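Review bot: With the corrected variable the awk expression still becomes `$3>)` whenever `ubtu20cis_5_5_1_5_current_time.stdout` is empty (the task that registers it has `failed_when: false`, so a failing date computation leaves stdout blank); awk then errors, `failed_when: false` on this task hides that, and `ubtu20cis_5_5_1_5_user_list` ends up empty, so the control quietly passes. Adding `when: ubtu20cis_5_5_1_5_current_time.stdout | length > 0` to this task, or dropping its `failed_when: false`, lets a broken day count surface instead. Stylistically, `cat /etc/shadow | awk ...` can be `awk -F: '...' /etc/shadow`. The registering task and the rest of the block are outside the hunk.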
Signed-off-by: George Nalen --- defaults/main.yml | 2 +- tasks/section6.yml | 417 ++++++++++++++++++++++++--------------------- 2 files changed, 222 insertions(+), 197 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 4b7ba88b..d55a1651 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -645,6 +645,6 @@ ubtu20cis_no_group_adjust: true # Set to true this role will remove that bit, set to false we will just warn about the files ubtu20cis_suid_adjust: false -# Control 6.2.6 Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable +# Control 6.2.5 Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable # ubtu20cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}" ubtu20cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}" \ No newline at end of file diff --git a/tasks/section6.yml b/tasks/section6.yml index 3c1c7452..8dd4632a 100644 --- a/tasks/section6.yml +++ b/tasks/section6.yml @@ -48,12 +48,12 @@ - rule_6.1.2 - permissions -- name: "6.1.3 | PATCH | Ensure permissions on /etc/gshadow- are configured" +- name: "6.1.3 | PATCH | Ensure permissions on /etc/passwd- are configured" file: - path: /etc/gshadow- + path: /etc/passwd- owner: root - group: shadow - mode: 0640 + group: root + mode: 0600 when: - ubtu20cis_rule_6_1_3 tags: @@ -63,12 +63,12 @@ - rule_6.1.3 - permissions -- name: "6.1.4 | PATCH | Ensure permissions on /etc/shadow are configured" +- name: "6.1.4 | PATCH | Ensure permissions on /etc/group are configured" file: - path: /etc/shadow + path: /etc/group owner: root - group: shadow - mode: 0640 + group: root + mode: 0644 when: - ubtu20cis_rule_6_1_4 tags: 
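Review bot: `mode: 0600` and `mode: 0640` on these `file` tasks (and on /etc/group-, /etc/shadow, /etc/gshadow and /etc/gshadow- in the hunks on the next line) set the mode absolutely, so a file an administrator has already tightened — /etc/shadow at 0600, say — is widened back to 0640 by every enforcement run. If the benchmark wording for these controls is "N or more restrictive", a subtractive symbolic mode only removes bits and never loosens: `mode: "u-x,g-wx,o-rwx"` for the 0640 shadow files, `mode: "u-x,go-wx"` for the 0644 ones and `mode: "u-x,go-rwx"` for /etc/passwd-. The unquoted leading-zero octal also depends on the YAML 1.1 reading that Ansible's loader applies; `mode: "0640"` is the form yamllint accepts and is read the same way.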
@@ -78,9 +78,9 @@ - rule_6.1.4 - permissions -- name: "6.1.5 | PATCH | Ensure permissions on /etc/group are configured" +- name: "6.1.5 | PATCH | Ensure permissions on /etc/group- are configured" file: - path: /etc/group + path: /etc/group- owner: root group: root mode: 0644 @@ -93,12 +93,12 @@ - rule_6.1.5 - permissions -- name: "6.1.6 | PATCH | Ensure permissions on /etc/passwd- are configured" +- name: "6.1.6 | PATCH | Ensure permissions on /etc/shadow are configured" file: - path: /etc/passwd- + path: /etc/shadow owner: root - group: root - mode: 0600 + group: shadow + mode: 0640 when: - ubtu20cis_rule_6_1_6 tags: @@ -123,12 +123,12 @@ - rule_6.1.7 - permissions -- name: "6.1.8 | PATCH | Ensure permissions on /etc/group- are configured" +- name: "6.1.8 | PATCH | Ensure permissions on /etc/gshadow are configured" file: - path: /etc/group- + path: /etc/gshadow owner: root - group: root - mode: 0644 + group: shadow + mode: 0640 when: - ubtu20cis_rule_6_1_8 tags: @@ -138,9 +138,9 @@ - rule_6.1.8 - permissions -- name: "6.1.9 | PATCH | Ensure permissions on /etc/gshadow are configured" +- name: "6.1.9 | PATCH | Ensure permissions on /etc/gshadow- are configured" file: - path: /etc/gshadow + path: /etc/gshadow- owner: root group: shadow mode: 0640 @@ -155,7 +155,7 @@ - name: "6.1.10 | PATCH | Ensure no world writable files exist" block: - - name: "6.1.10 | PATCH | Ensure no world writable files exist | Get list of world-writable files" + - name: "6.1.10 | AUDIT | Ensure no world writable files exist | Get list of world-writable files" shell: find {{ item.mount }} -xdev -type f -perm -0002 changed_when: false failed_when: false 
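Review bot: `shell: find {{ item.mount }} -xdev -type f -perm -0002` drops the mount point into a shell command line unquoted, so a mount point containing whitespace or shell metacharacters splits into extra `find` arguments or alters the command; `shell: find {{ item.mount | quote }} -xdev -type f -perm -0002` keeps it one argument. The same pattern is in the 6.1.12 hunk (`find {{ item.mount }} -xdev -nogroup`) and the 6.1.14 hunk (`find {{ item }} -xdev -type f -perm -2000`) on the next line. The 6.1.10 block continues outside the hunk.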
@@ -225,7 +225,7 @@ - name: "6.1.12 | PATCH | Ensure no ungrouped files or directories exist" block: - - name: "6.1.12 | PATCH | Ensure no ungrouped files or directories exist | Get ungrouped fiels or directories" + - name: "6.1.12 | AUDIT | Ensure no ungrouped files or directories exist | Get ungrouped fiels or directories" shell: find {{ item.mount }} -xdev -nogroup changed_when: false failed_when: false @@ -234,11 +234,11 @@ with_items: - "{{ ansible_mounts }}" - - name: "6.1.12 | PATCH | Ensure no ungrouped files or directories exist | Flatten ungrouped_items results for easier use" + - name: "6.1.12 | AUDIT | Ensure no ungrouped files or directories exist | Flatten ungrouped_items results for easier use" set_fact: ubtu20cis_6_1_12_ungrouped_items_flatten: "{{ ubtu20cis_6_1_12_ungrouped_items.results | map(attribute='stdout_lines') | flatten }}" - - name: "6.1.12 | PATCH | Ensure no ungrouped files or directories exist | Alert on ungrouped files and directories" + - name: "6.1.12 | AUDIT | Ensure no ungrouped files or directories exist | Alert on ungrouped files and directories" debug: msg: - "ALERT!!!!You have ungrouped files/directories and are configured to not auto-remediate for this task" @@ -313,7 +313,7 @@ - name: "6.1.14 | AUDIT | Audit SGID executables" block: - - name: "6.1.14 | PATCH | Audit SGID executables | Find SGID executables" + - name: "6.1.14 | AUDIT | Audit SGID executables | Find SGID executables" shell: find {{ item }} -xdev -type f -perm -2000 changed_when: false failed_when: false 
@@ -343,141 +343,82 @@ - rule_6.1.14 - permissions -- name: "6.2.1 | PATCH | Ensure password fields are not empty" +- name: "AUTOMATED | 6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords" block: - - name: "6.2.1 | PATCH | Ensure password fields are not empty | Find users with no password" - shell: awk -F":" '($2 == "" ) { print $1 }' /etc/shadow - register: ubtu20cis_6_2_1_empty_password_acct - changed_when: no - check_mode: false + - name: "AUTOMATED | 6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Get users not using shadowed passwords" + command: awk -F':' '($2 != "x" ) { print $1}' /etc/passwd + changed_when: false + failed_when: false + register: ubtu20cis_6_2_1_nonshadowed_users - - name: "6.2.1 | PATCH | Ensure password fields are not empty | Lock users with empty password" - user: - name: "{{ item }}" - password_lock: yes - with_items: - - "{{ ubtu20cis_6_2_1_empty_password_acct.stdout_lines }}" - when: ubtu20cis_6_2_1_empty_password_acct.stdout != "" + - name: "AUTOMATED | 6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Alert on findings" + debug: + msg: + - "ALERT! You have users that are not using a shadowed password. 
Please convert the below accounts to use a shadowed password" + - "{{ ubtu20cis_6_2_1_nonshadowed_users.stdout_lines }}" + when: + - ubtu18cis_6_2_1_nonshadowed_users.stdout | length > 0 when: - ubtu20cis_rule_6_2_1 tags: - level1-server - level1-workstation - - patch + - automated + - audit - rule_6.2.1 - - user - - permissions + - user_accounts -- name: "6.2.2 | PATCH | Ensure root is the only UID 0 account" +- name: "6.2.2 | PATCH | Ensure password fields are not empty" block: - - name: "6.2.2 | AUDIT | Ensure root is the only UID 0 account | Get non-root users with UID of 0" - shell: awk -F":" '($3 == 0 && $1 != \"root\") {i++;print $1 }' /etc/passwd - changed_when: false - failed_when: false + - name: "6.2.2 | AUDIT | Ensure password fields are not empty | Find users with no password" + shell: awk -F":" '($2 == "" ) { print $1 }' /etc/shadow + changed_when: no check_mode: false - register: ubtu20cis_6_2_2_uid_0_notroot + register: ubtu20cis_6_2_2_empty_password_acct - - name: "6.2.2 | PATCH | Ensure root is the only UID 0 account | Lock UID 0 users" + - name: "6.2.2 | PATCH | Ensure password fields are not empty | Lock users with empty password" user: name: "{{ item }}" password_lock: yes with_items: - - "{{ ubtu20cis_6_2_2_uid_0_notroot.stdout_lines }}" - when: - - ubtu20cis_disruption_high - - ubtu20cis_6_2_2_uid_0_notroot.stdout != "" - - - name: "6.2.2 | AUDIT | Ensure root is the only UID 0 account | Alert about accounts disruption high" - debug: - msg: - - "ALERT!!!! You have non-root users with a UID of 0 and ubtu18cis_disruption_high enabled" - - "This means the following accounts were password locked and will need to have the UID's manually adjusted" - - "{{ ubtu20cis_6_2_2_uid_0_notroot.stdout_lines }}" - when: - - ubtu20cis_disruption_high - - ubtu20cis_6_2_2_uid_0_notroot.stdout != "" - - - name: "6.2.2 | AUDIT | Ensure root is the only UID 0 account | Alert about accounts disruption low" - debug: - msg: - - "ALERT!!!! 
You have non-root users with a UID of 0 and ubtu18cis_disruption_high disabled" - - "This means no action was taken, you will need to have the UID's of the users below manually adjusted" - - "{{ ubtu20cis_6_2_2_uid_0_notroot.stdout_lines }}" - when: - - not ubtu20cis_disruption_high - - ubtu20cis_6_2_2_uid_0_notroot.stdout != "" + - "{{ ubtu20cis_6_2_2_empty_password_acct.stdout_lines }}" + when: ubtu20cis_6_2_2_empty_password_acct.stdout != "" when: - ubtu20cis_rule_6_2_2 tags: - level1-server - level1-workstation - - scored + - patch - rule_6.2.2 - user - - root - -- name: "6.2.3 | PATCH | Ensure root PATH Integrity" - command: /bin/true - changed_when: false - failed_when: false - check_mode: false - # block: - # - name: "6.2.3 | PATCH | Ensure root PATH Integrity | Determine empty value" - # shell: 'echo $PATH | grep ::' - # changed_when: False - # failed_when: ubtu20cis_6_2_3_path_colon.rc == 0 - # check_mode: false - # register: ubtu20cis_6_2_3_path_colon - - # - name: "6.2.3 | PATCH | Ensure root PATH Integrity | Determine colon end" - # shell: 'echo $PATH | grep :$' - # changed_when: False - # failed_when: ubtu20cis_6_2_3_path_colon_end.rc == 0 - # check_mode: false - # register: ubtu20cis_6_2_3_path_colon_end - - # - name: "6.2.3 | PATCH | Ensure root PATH Integrity | Determine working dir" - # shell: echo "$PATH" - # changed_when: False - # failed_when: '"." 
in ubtu20cis_6_2_3_working_dir.stdout_lines' - # check_mode: false - # register: ubtu20cis_6_2_3_working_dir - # - debug: var=ubtu20cis_6_2_3_working_dir - - # - name: "6.2.3 | PATCH | Ensure root PATH Integrity | Check paths" - # stat: - # path: "{{ item }}" - # check_mode: false - # register: ubtu20cis_6_2_3_path_stat - # with_items: - # - "{{ ubtu20cis_6_2_3_working_dir.stdout.split(':') }}" + - permissions - # - debug: var=ubtu20cis_6_2_3_path_stat +- name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group" + block: + - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries" + shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}' + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_6_2_3_passwd_gid_check - # - name: "6.2.3 | PATCH | Ensure root PATH Integrity | Alert on empty value, colon end, and no working dir" - # debug: - # msg: - # - "The following paths have no working directory: {{ ubtu20cis_6_2_3_path_stat.results | selectattr('stat.exists','equalto','false') | map(attribute='item') | list }}" + - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files" + debug: + msg: "Good News! There are no users that have non-existent GUIDs (Groups)" + when: ubtu20cis_6_2_3_passwd_gid_check.stdout == "" - # # - name: "6.2.3 | PATCH | Ensure root PATH Integrity | Set permissions" - # # file: - # # path: "{{ item }}" - # # owner: root - # # mode: 'o-w,g-w' - # # follow: yes - # # state: directory - # # with_items: - # # - "{{ ubtu18cis_6_2_7_path_stat | selectattr('exists','==','true') | map(attribute='path') }}" + - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" + debug: + msg: "WARNING!!!! 
The following users have non-existent GIDs (Groups): {{ ubtu20cis_6_2_3_passwd_gid_check.stdout_lines | join (', ') }}" + when: ubtu20cis_6_2_3_passwd_gid_check.stdout != "" when: - ubtu20cis_rule_6_2_3 tags: - level1-server - level1-workstation - - patch + - audit - rule_6.2.3 - - user - - root - - notimplemented + - groups - name: "6.2.4 | PATCH | Ensure all users' home directories exist" block: 
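Review bot: The alert task under 6.2.1 tests `ubtu18cis_6_2_1_nonshadowed_users.stdout | length > 0` while the command task just above registers `ubtu20cis_6_2_1_nonshadowed_users`, so the `when:` raises an undefined-variable error whenever rule 6.2.1 is enabled; the condition should read `- ubtu20cis_6_2_1_nonshadowed_users.stdout | length > 0`. That same command task also lacks the `check_mode: false` carried by the sibling audit tasks in 6.2.2 and 6.2.3, so in a `--check` run it is skipped and the registered result has no `stdout` for the alert to read; adding `check_mode: false` next to `changed_when: false` keeps the audit usable in check mode, which is the stated purpose of this series.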
@@ -527,45 +468,64 @@ - rule_6.2.4 - user -- name: "6.2.5 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" +- name: "6.2.5 | PATCH | Ensure users own their home directories" + file: + path: "{{ item.dir }}" + owner: "{{ item.id }}" + state: directory + with_items: + - "{{ ubtu20cis_passwd }}" + loop_control: + label: "{{ ubtu20cis_passwd_label }}" + when: + - ubtu20cis_rule_6_2_5 + - item.uid >= 1000 + tags: + - level1-server + - level1-workstation + - patch + - rule_6.2.5 + - user + +- name: "6.2.6 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" block: - - name: "6.2.5 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive | Stat home directories" + - name: "6.2.6 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive | Get home directories" stat: path: "{{ item }}" with_items: "{{ ubtu20cis_passwd | selectattr('uid', '>=', 1000) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" check_mode: false - register: ubtu20cis_6_2_5_audit + register: ubtu20cis_6_2_6_audit - - name: "6.2.5 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive | Find home directories more 750" + - name: "6.2.6 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive | Find home directories more 750" command: find -H {{ item.0 | quote }} -not -type l -perm /027 - register: ubtu20cis_6_2_4_patch_audit - changed_when: ubtu20cis_6_2_4_patch_audit.stdout != "" + register: ubtu20cis_6_2_6_patch_audit + changed_when: ubtu20cis_6_2_6_patch_audit.stdout != "" check_mode: false when: - item.1.exists with_together: - - "{{ ubtu20cis_6_2_5_audit.results | map(attribute='item') | list }}" - - "{{ ubtu20cis_6_2_5_audit.results | map(attribute='stat') | list }}" + - "{{ ubtu20cis_6_2_6_audit.results | map(attribute='item') | list }}" + - "{{ ubtu20cis_6_2_6_audit.results | map(attribute='stat') | list }}" loop_control: 
label: "{{ item.0 }}" - - name: "6.2.5 | PATCH | Ensure users' home directories permissions are 750 or more restrictive | Set home perms" + - name: "6.2.6 | PATCH | Ensure users' home directories permissions are 750 or more restrictive | Set home perms" file: path: "{{ item.0 }}" recurse: yes mode: a-st,g-w,o-rwx - register: ubtu20cis_6_2_5_patch + register: ubtu20cis_6_2_6_patch when: - ubtu20cis_disruption_high - item.1.exists with_together: - - "{{ ubtu20cis_6_2_5_audit.results | map(attribute='item') | list }}" - - "{{ ubtu20cis_6_2_5_audit.results | map(attribute='stat') | list }}" + - "{{ ubtu20cis_6_2_6_audit.results | map(attribute='item') | list }}" + - "{{ ubtu20cis_6_2_6_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" # set default ACLs so the homedir has an effective umask of 0027 - - name: "6.2.5 | PATCH | Ensure users' home directories permissions are 750 or more restrictive | Set ACL's" + - name: "6.2.6 | PATCH | Ensure users' home directories permissions are 750 or more restrictive | Set ACL's" acl: path: "{{ item.0 }}" default: yes 
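Review bot: The new 6.2.5 task applies to every passwd entry with `item.uid >= 1000`, whereas 6.2.6 directly below additionally filters `selectattr('uid', '!=', 65534)`; without that exclusion the uid 65534 account is included, and because the task uses `state: directory` its configured home path would be created and chowned if it does not already exist. Adding `- item.uid != 65534` to the task's `when:` list aligns it with 6.2.6. Whether that account's home path exists on the target is not visible here, so this is worth confirming against the `ubtu20cis_passwd` fact.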
@@ -575,35 +535,16 @@ permissions: "{{ item.1.mode }}" when: not ubtu20cis_system_is_container with_nested: - - "{{ (ansible_check_mode | ternary(ubtu20cis_6_2_5_patch_audit, ubtu20cis_6_2_5_patch)).results | + - "{{ (ansible_check_mode | ternary(ubtu20cis_6_2_6_patch_audit, ubtu20cis_6_2_6_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" - - etype: group mode: rx - etype: other mode: '0' - when: - - ubtu20cis_rule_6_2_5 - - ubtu20cis_disruption_high - tags: - - level1-server - - level1-workstation - - patch - - rule_6.2.5 - - user - -- name: "6.2.6 | PATCH | Ensure users own their home directories" - file: - path: "{{ item.dir }}" - owner: "{{ item.id }}" - state: directory - with_items: - - "{{ ubtu20cis_passwd }}" - loop_control: - label: "{{ ubtu20cis_passwd_label }}" when: - ubtu20cis_rule_6_2_6 - - item.uid >= 1000 + - ubtu20cis_disruption_high tags: - level1-server - level1-workstation @@ -646,9 +587,9 @@ - rule_6.2.7 - user -- name: "6.2.8 | PATCH | Ensure no users have .forward files" +- name: "6.2.8 | PATCH | Ensure no users have .netrc files" file: - dest: "~{{ item }}/.forward" + dest: "~{{ item }}/.netrc" state: absent with_items: - "{{ ubtu20cis_users.stdout_lines }}" @@ -662,9 +603,9 @@ - rule_6.2.8 - user -- name: "6.2.9 | PATCH | Ensure no users have .netrc files" +- name: "6.2.9 | PATCH | Ensure no users have .forward files" file: - dest: "~{{ item }}/.netrc" + dest: "~{{ item }}/.forward" state: absent with_items: - "{{ ubtu20cis_users.stdout_lines }}" @@ -678,11 +619,10 @@ - rule_6.2.9 - user -- name: "6.2.10 | PATCH | Ensure users' .netrc Files are not group or world accessible" +- name: "6.2.10 | PATCH | Ensure no users have .rhosts files" file: - dest: "~{{ item }}/.netrc" - mode: go-w - failed_when: false + dest: "~{{ item }}/.rhosts" + state: absent with_items: - "{{ ubtu20cis_users.stdout_lines }}" when: 
@@ -695,48 +635,116 @@ - rule_6.2.10 - user -- name: "6.2.11 | PATCH | Ensure no users have .rhosts files" - file: - dest: "~{{ item }}/.rhosts" - state: absent - with_items: - - "{{ ubtu20cis_users.stdout_lines }}" +- name: "6.2.11 | PATCH | Ensure root is the only UID 0 account" + block: + - name: "6.2.11 | AUDIT | Ensure root is the only UID 0 account | Get non-root users with UID of 0" + shell: awk -F":" '($3 == 0 && $1 != \"root\") {i++;print $1 }' /etc/passwd + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_6_2_11_uid_0_notroot + + - name: "6.2.11 | PATCH | Ensure root is the only UID 0 account | Lock UID 0 users" + user: + name: "{{ item }}" + password_lock: yes + with_items: + - "{{ ubtu20cis_6_2_11_uid_0_notroot.stdout_lines }}" + when: + - ubtu20cis_disruption_high + - ubtu20cis_6_2_11_uid_0_notroot.stdout != "" + + - name: "6.2.11 | AUDIT | Ensure root is the only UID 0 account | Alert about accounts disruption high" + debug: + msg: + - "ALERT!!!! You have non-root users with a UID of 0 and ubtu18cis_disruption_high enabled" + - "This means the following accounts were password locked and will need to have the UID's manually adjusted" + - "{{ ubtu20cis_6_2_11_uid_0_notroot.stdout_lines }}" + when: + - ubtu20cis_disruption_high + - ubtu20cis_6_2_11_uid_0_notroot.stdout != "" + + - name: "6.2.11 | AUDIT | Ensure root is the only UID 0 account | Alert about accounts disruption low" + debug: + msg: + - "ALERT!!!! 
You have non-root users with a UID of 0 and ubtu18cis_disruption_high disabled" + - "This means no action was taken, you will need to have the UID's of the users below manually adjusted" + - "{{ ubtu20cis_6_2_11_uid_0_notroot.stdout_lines }}" + when: + - not ubtu20cis_disruption_high + - ubtu20cis_6_2_11_uid_0_notroot.stdout != "" when: - ubtu20cis_rule_6_2_11 - - ubtu20cis_disruption_high tags: - level1-server - level1-workstation - - patch + - scored - rule_6.2.11 - user + - root -- name: "6.2.12 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group" - block: - - name: "6.2.12 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries" - shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}' - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_6_2_12_passwd_gid_check +- name: "6.2.12 | PATCH | Ensure root PATH Integrity" + command: /bin/true + changed_when: false + failed_when: false + check_mode: false + # block: + # - name: "6.2.12 | PATCH | Ensure root PATH Integrity | Determine empty value" + # shell: 'echo $PATH | grep ::' + # changed_when: False + # failed_when: ubtu20cis_6_2_12_path_colon.rc == 0 + # check_mode: false + # register: ubtu20cis_6_2_12_path_colon - - name: "6.2.12 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files" - debug: - msg: "Good News! 
There are no users that have non-existent GUIDs (Groups)" - when: ubtu20cis_6_2_12_passwd_gid_check.stdout == "" + # - name: "6.2.12 | PATCH | Ensure root PATH Integrity | Determine colon end" + # shell: 'echo $PATH | grep :$' + # changed_when: False + # failed_when: ubtu20cis_6_2_12_path_colon_end.rc == 0 + # check_mode: false + # register: ubtu20cis_6_2_12_path_colon_end - - name: "6.2.12 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" - debug: - msg: "WARNING!!!! The following users have non-existent GIDs (Groups): {{ ubtu20cis_6_2_12_passwd_gid_check.stdout_lines | join (', ') }}" - when: ubtu20cis_6_2_12_passwd_gid_check.stdout != "" + # - name: "6.2.12 | PATCH | Ensure root PATH Integrity | Determine working dir" + # shell: echo "$PATH" + # changed_when: False + # failed_when: '"." in ubtu20cis_6_2_12_working_dir.stdout_lines' + # check_mode: false + # register: ubtu20cis_6_2_12_working_dir + # - debug: var=ubtu20cis_6_2_12_working_dir + + # - name: "6.2.12 | PATCH | Ensure root PATH Integrity | Check paths" + # stat: + # path: "{{ item }}" + # check_mode: false + # register: ubtu20cis_6_2_12_path_stat + # with_items: + # - "{{ ubtu20cis_6_2_12_working_dir.stdout.split(':') }}" + + # - debug: var=ubtu20cis_6_2_12_path_stat + + # - name: "6.2.12 | PATCH | Ensure root PATH Integrity | Alert on empty value, colon end, and no working dir" + # debug: + # msg: + # - "The following paths have no working directory: {{ ubtu20cis_6_2_12_path_stat.results | selectattr('stat.exists','equalto','false') | map(attribute='item') | list }}" + + # # - name: "6.2.12 | PATCH | Ensure root PATH Integrity | Set permissions" + # # file: + # # path: "{{ item }}" + # # owner: root + # # mode: 'o-w,g-w' + # # follow: yes + # # state: directory + # # with_items: + # # - "{{ ubtu18cis_6_2_12_path_stat | selectattr('exists','==','true') | map(attribute='path') }}" when: - ubtu20cis_rule_6_2_12 
tags: - level1-server - level1-workstation - - audit + - patch - rule_6.2.12 - - groups + - user + - root + - notimplemented - name: "6.2.13 | AUDIT | Ensure no duplicate UIDs exist" block: @@ -884,3 +892,20 @@ - rule_6.2.17 - groups - user + +# - name: "6.2.10 | PATCH | Ensure users' .netrc Files are not group or world accessible" +# file: +# dest: "~{{ item }}/.netrc" +# mode: go-w +# failed_when: false +# with_items: +# - "{{ ubtu20cis_users.stdout_lines }}" +# when: +# - ubtu20cis_rule_6_2_10 +# - ubtu20cis_disruption_high +# tags: +# - level1-server +# - level1-workstation +# - patch +# - rule_6.2.10 +# - user From b5598e85fceead0eb90a1c7f2598ec0e5115185a Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 4 May 2021 16:09:46 -0400 Subject: [PATCH 28/44] updated section 6 automated/manual labels Signed-off-by: George Nalen --- tasks/section6.yml | 207 +++++++++++++++++++++++++-------------------- 1 file changed, 117 insertions(+), 90 deletions(-) diff --git a/tasks/section6.yml b/tasks/section6.yml index 8dd4632a..9ed9c05e 100644 --- a/tasks/section6.yml +++ b/tasks/section6.yml @@ -1,7 +1,7 @@ --- -- name: "6.1.1 | AUDIT | Audit system file permissions" +- name: "MANUAL | 6.1.1 | AUDIT | Audit system file permissions" block: - - name: "6.1.1 | AUDIT | Audit system file permissions | Register package list" + - name: "MANUAL | 6.1.1 | AUDIT | Audit system file permissions | Register package list" command: ls -a /bin/ changed_when: false failed_when: false @@ -17,7 +17,7 @@ # - "{{ ubtu18cis_6_1_1_packages.stdout_lines }}" # register: ubtu18cis_6_1_1_packages_audited - - name: "6.1.1 | AUDIT | Audit system file permissions | Message out packages results for review" + - name: "MANUAL | 6.1.1 | AUDIT | Audit system file permissions | Message out packages results for review" debug: msg: - "ALERT!!!! Below are the packages that need to be reviewed." 
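Review bot: The two debug messages in the moved 6.2.11 block name `ubtu18cis_disruption_high` while the conditions test `ubtu20cis_disruption_high`, so an operator reading the alert is pointed at a variable this role does not define; both strings should say `ubtu20cis_disruption_high`. The task also swaps the `patch` tag for `scored`, unlike the other remediating tasks in this file (6.2.8 through 6.2.10 just above keep `patch`), so a `--tags patch` run will skip the UID 0 lockout; keeping `- patch` alongside `- scored` avoids that gap. The block still uses `password_lock: yes` where the rest of the file writes booleans as `true`/`false`.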
@@ -33,7 +33,7 @@ - rule_6.1.1 - permissions -- name: "6.1.2 | PATCH | Ensure permissions on /etc/passwd are configured" +- name: "AUTOMATED | 6.1.2 | PATCH | Ensure permissions on /etc/passwd are configured" file: path: /etc/passwd owner: root @@ -44,11 +44,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_6.1.2 - permissions -- name: "6.1.3 | PATCH | Ensure permissions on /etc/passwd- are configured" +- name: "AUTOMATED | 6.1.3 | PATCH | Ensure permissions on /etc/passwd- are configured" file: path: /etc/passwd- owner: root @@ -59,11 +60,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_6.1.3 - permissions -- name: "6.1.4 | PATCH | Ensure permissions on /etc/group are configured" +- name: "AUTOMATED | 6.1.4 | PATCH | Ensure permissions on /etc/group are configured" file: path: /etc/group owner: root @@ -74,11 +76,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_6.1.4 - permissions -- name: "6.1.5 | PATCH | Ensure permissions on /etc/group- are configured" +- name: "AUTOMATED | 6.1.5 | PATCH | Ensure permissions on /etc/group- are configured" file: path: /etc/group- owner: root @@ -89,11 +92,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_6.1.5 - permissions -- name: "6.1.6 | PATCH | Ensure permissions on /etc/shadow are configured" +- name: "AUTOMATED | 6.1.6 | PATCH | Ensure permissions on /etc/shadow are configured" file: path: /etc/shadow owner: root @@ -104,11 +108,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_6.1.6 - permissions -- name: "6.1.7 | PATCH | Ensure permissions on /etc/shadow- are configured" +- name: "AUTOMATED | 6.1.7 | PATCH | Ensure permissions on /etc/shadow- are configured" file: path: /etc/shadow- owner: root 
@@ -119,11 +124,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_6.1.7 - permissions -- name: "6.1.8 | PATCH | Ensure permissions on /etc/gshadow are configured" +- name: "AUTOMATED | 6.1.8 | PATCH | Ensure permissions on /etc/gshadow are configured" file: path: /etc/gshadow owner: root @@ -134,11 +140,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_6.1.8 - permissions -- name: "6.1.9 | PATCH | Ensure permissions on /etc/gshadow- are configured" +- name: "AUTOMATED | 6.1.9 | PATCH | Ensure permissions on /etc/gshadow- are configured" file: path: /etc/gshadow- owner: root @@ -149,13 +156,14 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_6.1.9 - permissions -- name: "6.1.10 | PATCH | Ensure no world writable files exist" +- name: "AUTOMATED | 6.1.10 | PATCH | Ensure no world writable files exist" block: - - name: "6.1.10 | AUDIT | Ensure no world writable files exist | Get list of world-writable files" + - name: "AUTOMATED | 6.1.10 | AUDIT | Ensure no world writable files exist | Get list of world-writable files" shell: find {{ item.mount }} -xdev -type f -perm -0002 changed_when: false failed_when: false @@ -164,7 +172,7 @@ with_items: - "{{ ansible_mounts }}" - - name: "6.1.10 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist" + - name: "AUTOMATED | 6.1.10 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist" file: path: "{{ item }}" mode: o-w 
@@ -176,13 +184,14 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_6.1.10 - permissions -- name: "6.1.11 | PATCH | Ensure no unowned files or directories exist" +- name: "AUTOMATED | 6.1.11 | PATCH | Ensure no unowned files or directories exist" block: - - name: "6.1.11 | AUDIT | Ensure no unowned files or directories exist | Get unowned files or directories" + - name: "AUTOMATED | 6.1.11 | AUDIT | Ensure no unowned files or directories exist | Get unowned files or directories" shell: find {{ item.mount }} -xdev -nouser changed_when: false failed_when: false @@ -191,11 +200,11 @@ with_items: - "{{ ansible_mounts }}" - - name: "6.1.11 | PATCH | Ensure no unowned files or directories exist | Flatten no_user_items results for easier use" + - name: "AUTOMATED | 6.1.11 | AUDIT | Ensure no unowned files or directories exist | Flatten no_user_items results for easier use" set_fact: ubtu20cis_6_1_11_no_user_items_flatten: "{{ ubtu20cis_6_1_11_no_user_items.results | map(attribute='stdout_lines') | flatten }}" - - name: "6.1.11 | AUDIT | Ensure no unowned files or directories exist | Alert on unowned files and directories" + - name: "AUTOMATED | 6.1.11 | AUDIT | Ensure no unowned files or directories exist | Alert on unowned files and directories" debug: msg: - "ALERT!!!You have unowned files and are configured to not auto-remediate for this task" @@ -205,7 +214,7 @@ - not ubtu20cis_no_owner_adjust - ubtu20cis_6_1_11_no_user_items_flatten != "" - - name: "6.1.11 | PATCH | Ensure no unowned files or directories exist | Set unowned files/directories to configured owner" + - name: "AUTOMATED | 6.1.11 | PATCH | Ensure no unowned files or directories exist | Set unowned files/directories to configured owner" file: path: "{{ item }}" owner: "{{ ubtu20cis_unowned_owner }}" 
@@ -219,13 +228,14 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_6.1.11 - permissions -- name: "6.1.12 | PATCH | Ensure no ungrouped files or directories exist" +- name: "AUTOMATED | 6.1.12 | PATCH | Ensure no ungrouped files or directories exist" block: - - name: "6.1.12 | AUDIT | Ensure no ungrouped files or directories exist | Get ungrouped fiels or directories" + - name: "AUTOMATED | 6.1.12 | AUDIT | Ensure no ungrouped files or directories exist | Get ungrouped fiels or directories" shell: find {{ item.mount }} -xdev -nogroup changed_when: false failed_when: false @@ -234,11 +244,11 @@ with_items: - "{{ ansible_mounts }}" - - name: "6.1.12 | AUDIT | Ensure no ungrouped files or directories exist | Flatten ungrouped_items results for easier use" + - name: "AUTOMATED | 6.1.12 | AUDIT | Ensure no ungrouped files or directories exist | Flatten ungrouped_items results for easier use" set_fact: ubtu20cis_6_1_12_ungrouped_items_flatten: "{{ ubtu20cis_6_1_12_ungrouped_items.results | map(attribute='stdout_lines') | flatten }}" - - name: "6.1.12 | AUDIT | Ensure no ungrouped files or directories exist | Alert on ungrouped files and directories" + - name: "AUTOMATED | 6.1.12 | AUDIT | Ensure no ungrouped files or directories exist | Alert on ungrouped files and directories" debug: msg: - "ALERT!!!!You have ungrouped files/directories and are configured to not auto-remediate for this task" @@ -248,7 +258,7 @@ - not ubtu20cis_no_group_adjust - ubtu20cis_6_1_12_ungrouped_items_flatten != "" - - name: "6.1.12 | PATCH | Ensure no ungrouped files or directories exist | Set ungrouped files/directories to configured group" + - name: "AUTOMATED | 6.1.12 | PATCH | Ensure no ungrouped files or directories exist | Set ungrouped files/directories to configured group" file: path: "{{ item }}" group: "{{ ubtu20cis_ungrouped_group }}" 
@@ -262,13 +272,14 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_6.1.12 - permissions -- name: "6.1.13 | AUDIT | Audit SUID executables" +- name: "MANUAL | 6.1.13 | AUDIT | Audit SUID executables" block: - - name: "6.1.13 | AUDIT | Audit SUID executables | Find SUID executables" + - name: "MANUAL | 6.1.13 | AUDIT | Audit SUID executables | Find SUID executables" # shell: df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -4000 shell: find {{ item.mount }} -xdev -type f -perm -4000 changed_when: false @@ -278,11 +289,11 @@ with_items: - "{{ ansible_mounts }}" - - name: "6.1.13 | AUDIT | Audit SUID executables | Flatten suid_executables results for easier use" + - name: "MANUAL | 6.1.13 | AUDIT | Audit SUID executables | Flatten suid_executables results for easier use" set_fact: ubtu20cis_6_1_13_suid_executables_flatten: "{{ ubtu20cis_6_1_13_suid_executables.results | map(attribute='stdout_lines') | flatten }}" - - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist" + - name: "MANUAL | 6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist" debug: msg: - "ALERT!!!!You have SUID executables" @@ -292,7 +303,7 @@ - ubtu20cis_6_1_13_suid_executables_flatten != "" - not ubtu20cis_suid_adjust - - name: "6.1.13 | PATCH | Audit SUID executables | Remove SUID bit" + - name: "MANUAL | 6.1.13 | PATCH | Audit SUID executables | Remove SUID bit" file: path: "{{ item }}" mode: 'u-s' @@ -311,9 +322,9 @@ - rule_6.1.13 - permissions -- name: "6.1.14 | AUDIT | Audit SGID executables" +- name: "MANUAL | 6.1.14 | AUDIT | Audit SGID executables" block: - - name: "6.1.14 | AUDIT | Audit SGID executables | Find SGID executables" + - name: "MANUAL |6.1.14 | AUDIT | Audit SGID executables | Find SGID executables" shell: find {{ item }} -xdev -type f -perm -2000 changed_when: false failed_when: false 
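Review bot: The 6.1.14 sub-task name in the last hunk reads `"MANUAL |6.1.14 | AUDIT | ..."`, missing the space after the first `|` that every other renamed task uses; it should be `"MANUAL | 6.1.14 | AUDIT | Audit SGID executables | Find SGID executables"`. The AUTOMATED tasks in this file each gain an `- automated` entry in their tags, but the MANUAL ones (6.1.13 here, 6.1.1 earlier) get no corresponding `- manual` tag, so tag-based selection can pick out automated controls but cannot select or skip the manual ones; if that filtering is the intent, a `- manual` entry on those tasks would make the two labels symmetric.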
@@ -322,11 +333,11 @@ with_items: - "{{ ansible_mounts }}" - - name: "6.1.14 | AUDIT | Audit SGID executables | Flatten sgid_executables results for easier use" + - name: "MANUAL | 6.1.14 | AUDIT | Audit SGID executables | Flatten sgid_executables results for easier use" set_fact: ubtu20cis_6_1_14_sgid_executables_flatten: "{{ ubtu20cis_6_1_14_sgid_executables.results | map(attribute='stdout_lines') | flatten }}" - - name: "6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist" + - name: "MANUAL | 6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist" debug: msg: - "ALERT!!!!You have SGID executables" @@ -368,15 +379,15 @@ - rule_6.2.1 - user_accounts -- name: "6.2.2 | PATCH | Ensure password fields are not empty" +- name: "AUTOMATED | 6.2.2 | PATCH | Ensure password fields are not empty" block: - - name: "6.2.2 | AUDIT | Ensure password fields are not empty | Find users with no password" + - name: "AUTOMATED | 6.2.2 | AUDIT | Ensure password fields are not empty | Find users with no password" shell: awk -F":" '($2 == "" ) { print $1 }' /etc/shadow changed_when: no check_mode: false register: ubtu20cis_6_2_2_empty_password_acct - - name: "6.2.2 | PATCH | Ensure password fields are not empty | Lock users with empty password" + - name: "AUTOMATED | 6.2.2 | PATCH | Ensure password fields are not empty | Lock users with empty password" user: name: "{{ item }}" password_lock: yes 
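Review bot: The 6.2.2 block in the last hunk keeps `changed_when: no` and `password_lock: yes`, while the surrounding tasks and the 6.2.1/6.2.3 audits write booleans as `false`/`true`; yamllint's `truthy` rule flags these YAML 1.1 forms, and a strict YAML 1.2 loader would read them as strings. Switching to `changed_when: false` and `password_lock: true` keeps the file consistent without changing behaviour under Ansible's loader.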
@@ -388,26 +399,27 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_6.2.2 - user - permissions -- name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group" +- name: "AUTOMATED | 6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group" block: - - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries" + - name: "AUTOMATED | 6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries" shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}' changed_when: false failed_when: false check_mode: false register: ubtu20cis_6_2_3_passwd_gid_check - - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files" + - name: "AUTOMATED | 6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files" debug: msg: "Good News! There are no users that have non-existent GUIDs (Groups)" when: ubtu20cis_6_2_3_passwd_gid_check.stdout == "" - - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" + - name: "AUTOMATED | 6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" debug: msg: "WARNING!!!! The following users have non-existent GIDs (Groups): {{ ubtu20cis_6_2_3_passwd_gid_check.stdout_lines | join (', ') }}" when: ubtu20cis_6_2_3_passwd_gid_check.stdout != "" 
@@ -416,15 +428,16 @@ tags: - level1-server - level1-workstation + - automated - audit - rule_6.2.3 - groups -- name: "6.2.4 | PATCH | Ensure all users' home directories exist" +- name: "AUTOMATED | 6.2.4 | PATCH | Ensure all users' home directories exist" block: - name: capture audit task for missing homedirs block: &u20s_homedir_audit - - name: "6.2.4 | PATCH | Ensure all users' home directories exist | Find users missing home directories" + - name: "AUTOMATED | 6.2.4 | PATCH | Ensure all users' home directories exist | Find users missing home directories" shell: pwck -r | grep -P {{ ld_regex | quote }} check_mode: false register: ubtu20cis_users_missing_home @@ -433,7 +446,7 @@ failed_when: ubtu20cis_users_missing_home.rc not in [0,1,2] ### NOTE: due to https://github.com/ansible/ansible/issues/24862 This is a shell command, and is quite frankly less than ideal. - - name: "6.2.4 | PATCH | Ensure all users' home directories exist| Creates home directories" + - name: "AUTOMATED | 6.2.4 | PATCH | Ensure all users' home directories exist| Creates home directories" command: "mkhomedir_helper {{ item }}" # check_mode: "{{ ubtu20cis_disruptive_check_mode }}" with_items: "{{ ubtu20cis_6_2_4_audit | map(attribute='id') | list }}" @@ -448,7 +461,7 @@ # CAUTION: debug loops don't show changed since 2.4: # Fix: https://github.com/ansible/ansible/pull/59958 - - name: "6.2.4 | PATCH | Ensure all users' home directories exist | Alert about correcting owner and group" + - name: "AUTOMATED | 6.2.4 | PATCH | Ensure all users' home directories exist | Alert about correcting owner and group" debug: msg="You will need to mkdir -p {{ item }} and chown properly to the correct owner and group." with_items: "{{ ubtu20cis_6_2_4_audit | map(attribute='dir') | list }}" changed_when: ubtu20cis_audit_complex 
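Review bot: In the 6.2.4 block, `command: "mkhomedir_helper {{ item }}"` interpolates the user name derived from `pwck -r` output without the `| quote` filter that 6.2.6 applies to `item.0`; `command` does not invoke a shell, but a name containing whitespace would be split into extra arguments by the module's argument parsing. Writing `command: "mkhomedir_helper {{ item | quote }}"` matches the convention already used in 6.2.6. The remaining tasks of this block continue outside the hunk.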
@@ -464,11 +477,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_6.2.4 - user -- name: "6.2.5 | PATCH | Ensure users own their home directories" +- name: "AUTOMATED | 6.2.5 | PATCH | Ensure users own their home directories" file: path: "{{ item.dir }}" owner: "{{ item.id }}" @@ -483,20 +497,21 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_6.2.5 - user -- name: "6.2.6 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" +- name: "AUTOMATED | 6.2.6 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" block: - - name: "6.2.6 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive | Get home directories" + - name: "AUTOMATED | 6.2.6 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive | Get home directories" stat: path: "{{ item }}" with_items: "{{ ubtu20cis_passwd | selectattr('uid', '>=', 1000) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" check_mode: false register: ubtu20cis_6_2_6_audit - - name: "6.2.6 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive | Find home directories more 750" + - name: "AUTOMATED | 6.2.6 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive | Find home directories more 750" command: find -H {{ item.0 | quote }} -not -type l -perm /027 register: ubtu20cis_6_2_6_patch_audit changed_when: ubtu20cis_6_2_6_patch_audit.stdout != "" @@ -509,7 +524,7 @@ loop_control: label: "{{ item.0 }}" - - name: "6.2.6 | PATCH | Ensure users' home directories permissions are 750 or more restrictive | Set home perms" + - name: "AUTOMATED | 6.2.6 | PATCH | Ensure users' home directories permissions are 750 or more restrictive | Set home perms" file: path: "{{ item.0 }}" recurse: yes 
@@ -525,7 +540,7 @@ label: "{{ item.0 }}" # set default ACLs so the homedir has an effective umask of 0027 - - name: "6.2.6 | PATCH | Ensure users' home directories permissions are 750 or more restrictive | Set ACL's" + - name: "AUTOMATED | 6.2.6 | PATCH | Ensure users' home directories permissions are 750 or more restrictive | Set ACL's" acl: path: "{{ item.0 }}" default: yes @@ -548,20 +563,21 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_6.2.6 - user -- name: "6.2.7 | PATCH | Ensure users' dot files are not group or world writable" +- name: "AUTOMATED | 6.2.7 | PATCH | Ensure users' dot files are not group or world writable" block: - - name: "6.2.7 | AUDIT | Ensure users' dot files are not group or world-writable | Check for files" + - name: "AUTOMATED | 6.2.7 | AUDIT | Ensure users' dot files are not group or world-writable | Check for files" shell: find /home/ -name "\.*" -perm /g+w,o+w changed_when: no failed_when: no check_mode: false register: ubtu20cis_6_2_7_audit - - name: "6.2.7 | AUDIT | Ensure users' dot files are not group or world-writable | Alert on files found" + - name: "AUTOMATED | 6.2.7 | AUDIT | Ensure users' dot files are not group or world-writable | Alert on files found" debug: msg: "Good news! We have not found any group or world-writable dot files on your sytem" failed_when: false @@ -569,7 +585,7 @@ when: - ubtu20cis_6_2_7_audit.stdout == "" - - name: "6.2.7 | PATCH | Ensure users' dot files are not group or world-writable | Changes files if configured" + - name: "AUTOMATED | 6.2.7 | PATCH | Ensure users' dot files are not group or world-writable | Changes files if configured" file: path: '{{ item }}' mode: go-w @@ -583,11 +599,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_6.2.7 - user -- name: "6.2.8 | PATCH | Ensure no users have .netrc files" +- name: "AUTOMATED | 6.2.8 | PATCH | Ensure no users have .netrc files" file: dest: "~{{ item }}/.netrc" state: absent 
@@ -599,11 +616,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_6.2.8 - user -- name: "6.2.9 | PATCH | Ensure no users have .forward files" +- name: "AUTOMATED | 6.2.9 | PATCH | Ensure no users have .forward files" file: dest: "~{{ item }}/.forward" state: absent @@ -615,11 +633,12 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_6.2.9 - user -- name: "6.2.10 | PATCH | Ensure no users have .rhosts files" +- name: "AUTOMATED | 6.2.10 | PATCH | Ensure no users have .rhosts files" file: dest: "~{{ item }}/.rhosts" state: absent @@ -631,20 +650,21 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_6.2.10 - user -- name: "6.2.11 | PATCH | Ensure root is the only UID 0 account" +- name: "AUTOMATED | 6.2.11 | PATCH | Ensure root is the only UID 0 account" block: - - name: "6.2.11 | AUDIT | Ensure root is the only UID 0 account | Get non-root users with UID of 0" + - name: "AUTOMATED | 6.2.11 | AUDIT | Ensure root is the only UID 0 account | Get non-root users with UID of 0" shell: awk -F":" '($3 == 0 && $1 != \"root\") {i++;print $1 }' /etc/passwd changed_when: false failed_when: false check_mode: false register: ubtu20cis_6_2_11_uid_0_notroot - - name: "6.2.11 | PATCH | Ensure root is the only UID 0 account | Lock UID 0 users" + - name: "AUTOMATED | 6.2.11 | PATCH | Ensure root is the only UID 0 account | Lock UID 0 users" user: name: "{{ item }}" password_lock: yes @@ -654,7 +674,7 @@ - ubtu20cis_disruption_high - ubtu20cis_6_2_11_uid_0_notroot.stdout != "" - - name: "6.2.11 | AUDIT | Ensure root is the only UID 0 account | Alert about accounts disruption high" + - name: "AUTOMATED | 6.2.11 | AUDIT | Ensure root is the only UID 0 account | Alert about accounts disruption high" debug: msg: - "ALERT!!!! You have non-root users with a UID of 0 and ubtu18cis_disruption_high enabled" 
@@ -664,7 +684,7 @@ - ubtu20cis_disruption_high - ubtu20cis_6_2_11_uid_0_notroot.stdout != "" - - name: "6.2.11 | AUDIT | Ensure root is the only UID 0 account | Alert about accounts disruption low" + - name: "AUTOMATED | 6.2.11 | AUDIT | Ensure root is the only UID 0 account | Alert about accounts disruption low" debug: msg: - "ALERT!!!! You have non-root users with a UID of 0 and ubtu18cis_disruption_high disabled" @@ -678,32 +698,33 @@ tags: - level1-server - level1-workstation + - automated - scored - rule_6.2.11 - user - root -- name: "6.2.12 | PATCH | Ensure root PATH Integrity" +- name: "AUTOMATED | 6.2.12 | PATCH | Ensure root PATH Integrity" command: /bin/true changed_when: false failed_when: false check_mode: false # block: - # - name: "6.2.12 | PATCH | Ensure root PATH Integrity | Determine empty value" + # - name: "AUTOMATED | 6.2.12 | PATCH | Ensure root PATH Integrity | Determine empty value" # shell: 'echo $PATH | grep ::' # changed_when: False # failed_when: ubtu20cis_6_2_12_path_colon.rc == 0 # check_mode: false # register: ubtu20cis_6_2_12_path_colon - # - name: "6.2.12 | PATCH | Ensure root PATH Integrity | Determine colon end" + # - name: "AUTOMATED | 6.2.12 | PATCH | Ensure root PATH Integrity | Determine colon end" # shell: 'echo $PATH | grep :$' # changed_when: False # failed_when: ubtu20cis_6_2_12_path_colon_end.rc == 0 # check_mode: false # register: ubtu20cis_6_2_12_path_colon_end - # - name: "6.2.12 | PATCH | Ensure root PATH Integrity | Determine working dir" + # - name: "AUTOMATED | 6.2.12 | PATCH | Ensure root PATH Integrity | Determine working dir" # shell: echo "$PATH" # changed_when: False # failed_when: '"." in ubtu20cis_6_2_12_working_dir.stdout_lines' 
@@ -711,7 +732,7 @@ # register: ubtu20cis_6_2_12_working_dir # - debug: var=ubtu20cis_6_2_12_working_dir - # - name: "6.2.12 | PATCH | Ensure root PATH Integrity | Check paths" + # - name: "AUTOMATED | 6.2.12 | PATCH | Ensure root PATH Integrity | Check paths" # stat: # path: "{{ item }}" # check_mode: false @@ -721,12 +742,12 @@ # - debug: var=ubtu20cis_6_2_12_path_stat - # - name: "6.2.12 | PATCH | Ensure root PATH Integrity | Alert on empty value, colon end, and no working dir" + # - name: "AUTOMATED | 6.2.12 | PATCH | Ensure root PATH Integrity | Alert on empty value, colon end, and no working dir" # debug: # msg: # - "The following paths have no working directory: {{ ubtu20cis_6_2_12_path_stat.results | selectattr('stat.exists','equalto','false') | map(attribute='item') | list }}" - # # - name: "6.2.12 | PATCH | Ensure root PATH Integrity | Set permissions" + # # - name: "AUTOMATED | 6.2.12 | PATCH | Ensure root PATH Integrity | Set permissions" # # file: # # path: "{{ item }}" # # owner: root 
@@ -740,27 +761,28 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_6.2.12 - user - root - notimplemented -- name: "6.2.13 | AUDIT | Ensure no duplicate UIDs exist" +- name: "AUTOMATED | 6.2.13 | AUDIT | Ensure no duplicate UIDs exist" block: - - name: "6.2.13 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs" + - name: "AUTOMATED | 6.2.13 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs" shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd" changed_when: false failed_when: false check_mode: false register: ubtu20cis_6_2_13_user_uid_check - - name: "6.2.13 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist" + - name: "AUTOMATED | 6.2.13 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist" debug: msg: "Good News! There are no duplicate UID's in the system" when: ubtu20cis_6_2_13_user_uid_check.stdout == "" - - name: "6.2.13 | AUDIT | Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" + - name: "AUTOMATED | 6.2.13 | AUDIT | Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" debug: msg: "Warning!!!! The following users have UIDs that are duplicates: {{ ubtu20cis_6_2_13_user_uid_check.stdout_lines }}" when: ubtu20cis_6_2_13_user_uid_check.stdout != "" 
@@ -769,25 +791,26 @@ tags: - level1-server - level1-workstation + - automated - audit - rule_6.2.13 - user -- name: "6.2.14 | AUDIT | Ensure no duplicate GIDs exist" +- name: "AUTOMATED | 6.2.14 | AUDIT | Ensure no duplicate GIDs exist" block: - - name: "6.2.14 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs" + - name: "AUTOMATED | 6.2.14 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs" shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group" changed_when: no failed_when: no check_mode: false register: ubtu20cis_6_2_14_user_user_check - - name: "6.2.14 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist" + - name: "AUTOMATED | 6.2.14 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist" debug: msg: "Good News! There are no duplicate GIDs in the system" when: ubtu20cis_6_2_14_user_user_check.stdout == "" - - name: "6.2.14 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" + - name: "AUTOMATED | 6.2.14 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" debug: msg: "Warning: The following groups have duplicate GIDs: {{ ubtu20cis_6_2_14_user_user_check.stdout_lines }}" when: ubtu20cis_6_2_14_user_user_check.stdout != "" 
@@ -796,25 +819,26 @@ tags: - level1-server - level1-workstation + - automated - audit - rule_6.2.14 - groups -- name: "6.2.15 | AUDIT | Ensure no duplicate user names exist" +- name: "AUTOMATED | 6.2.15 | AUDIT | Ensure no duplicate user names exist" block: - - name: "6.2.15 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names" + - name: "AUTOMATED | 6.2.15 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names" shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd" changed_when: no failed_when: no check_mode: false register: ubtu20cis_6_2_15_user_username_check - - name: "6.2.15 | AUDIT | Ensure no duplicate user names exist | Print message that no duplicate user names exist" + - name: "AUTOMATED | 6.2.15 | AUDIT | Ensure no duplicate user names exist | Print message that no duplicate user names exist" debug: msg: "Good News! There are no duplicate user names in the system" when: ubtu20cis_6_2_15_user_username_check.stdout == "" - - name: "6.2.15 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" + - name: "AUTOMATED | 6.2.15 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" debug: msg: "Warning: The following user names are duplicates: {{ ubtu20cis_6_2_15_user_username_check.stdout_lines }}" when: ubtu20cis_6_2_15_user_username_check.stdout != "" 
@@ -823,25 +847,26 @@ tags: - level1-server - level1-workstation + - automated - audit - rule_6.2.15 - user -- name: "6.2.16 | AUDIT | Ensure no duplicate group names exist" +- name: "AUTOMATED | 6.2.16 | AUDIT | Ensure no duplicate group names exist" block: - - name: "6.2.16 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names" + - name: "AUTOMATED | 6.2.16 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names" shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d' changed_when: false failed_when: false check_mode: false register: ubtu20cis_6_2_16_group_group_check - - name: "6.2.16 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist" + - name: "AUTOMATED | 6.2.16 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist" debug: msg: "Good News! There are no duplicate group names in the system" when: ubtu20cis_6_2_16_group_group_check.stdout == "" - - name: "6.2.16 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" + - name: "AUTOMATED | 6.2.16 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" debug: msg: "Warning: The following group names are duplicates: {{ ubtu20cis_6_2_16_group_group_check.stdout_lines }}" when: ubtu20cis_6_2_16_group_group_check.stdout != "" 
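Review bot: The 6.2.16 check in this hunk, `shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d'`, reads the passwd database, so the "duplicate group names" audit actually reports duplicate user names and can never see a duplicate group entry. The rename leaves that untouched; the source should be the group database, and `sort -n` is a numeric sort applied to names, so `shell: 'getent group | cut -d: -f1 | sort | uniq -d'` gives the intended check. The 6.2.16 block's outer `when` and tags continue past the end of the hunk.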
@@ -850,32 +875,33 @@ tags: - level1-server - level1-workstation + - automated - audit - rule_6.2.16 - groups -- name: "6.2.17 | AUDIT | Ensure shadow group is empty" +- name: "AUTOMATED | 6.2.17 | AUDIT | Ensure shadow group is empty" block: - - name: "6.2.17 | AUDIT | Ensure shadow group is empty | Get Shadow GID" + - name: "AUTOMATED | 6.2.17 | AUDIT | Ensure shadow group is empty | Get Shadow GID" shell: grep ^shadow /etc/group | cut -f3 -d":" changed_when: false failed_when: false check_mode: false register: ubtu20cis_6_2_17_shadow_gid - - name: "6.2.17 | AUDIT | Ensure shadow group is empty | List of users with Shadow GID" + - name: "AUTOMATED | 6.2.17 | AUDIT | Ensure shadow group is empty | List of users with Shadow GID" shell: awk -F":" '($4 == "{{ ubtu20cis_6_2_17_shadow_gid.stdout }}") { print }' /etc/passwd | cut -f1 -d":" changed_when: false failed_when: false check_mode: false register: ubtu20cis_6_2_17_users_shadow_gid - - name: "6.2.17 | AUDIT | Ensure shadow group is empty | Message on no users" + - name: "AUTOMATED | 6.2.17 | AUDIT | Ensure shadow group is empty | Message on no users" debug: msg: "Good News! There are no users with the Shado GID on your system" when: ubtu20cis_6_2_17_users_shadow_gid.stdout == "" - - name: "6.2.17 | AUDIT | Ensure shadow group is empty | Message on users with Shadow GID" + - name: "AUTOMATED | 6.2.17 | AUDIT | Ensure shadow group is empty | Message on users with Shadow GID" debug: msg: - "WARNING!!!! There are users that are in the Shadow group" @@ -888,6 +914,7 @@ tags: - level1-server - level1-workstation + - automated - audit - rule_6.2.17 - groups From d81c3a83a48aad982e5ed0ea412d93bc513013c9 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 4 May 2021 16:16:53 -0400 Subject: [PATCH 29/44] updated section 6 empty string compares Signed-off-by: George Nalen --- tasks/section6.yml | 52 +++++++++++++++++++++++----------------------- 1 file changed, 26 insertions(+), 26 deletions(-) 
diff --git a/tasks/section6.yml b/tasks/section6.yml index 9ed9c05e..44c0c0ff 100644 --- a/tasks/section6.yml +++ b/tasks/section6.yml @@ -212,7 +212,7 @@ - "{{ ubtu20cis_6_1_11_no_user_items_flatten }}" when: - not ubtu20cis_no_owner_adjust - - ubtu20cis_6_1_11_no_user_items_flatten != "" + - ubtu20cis_6_1_11_no_user_items_flatten | length > 0 - name: "AUTOMATED | 6.1.11 | PATCH | Ensure no unowned files or directories exist | Set unowned files/directories to configured owner" file: @@ -222,7 +222,7 @@ - "{{ ubtu20cis_6_1_11_no_user_items_flatten }}" when: - ubtu20cis_no_owner_adjust - - ubtu20cis_6_1_11_no_user_items_flatten != "" + - ubtu20cis_6_1_11_no_user_items_flatten | length > 0 when: - ubtu20cis_rule_6_1_11 tags: @@ -256,7 +256,7 @@ - "{{ ubtu20cis_6_1_12_ungrouped_items_flatten }}" when: - not ubtu20cis_no_group_adjust - - ubtu20cis_6_1_12_ungrouped_items_flatten != "" + - ubtu20cis_6_1_12_ungrouped_items_flatten | length > 0 - name: "AUTOMATED | 6.1.12 | PATCH | Ensure no ungrouped files or directories exist | Set ungrouped files/directories to configured group" file: @@ -266,7 +266,7 @@ - "{{ ubtu20cis_6_1_12_ungrouped_items_flatten }}" when: - ubtu20cis_no_group_adjust - - ubtu20cis_6_1_12_ungrouped_items_flatten != "" + - ubtu20cis_6_1_12_ungrouped_items_flatten | length > 0 when: - ubtu20cis_rule_6_1_12 tags: @@ -300,7 +300,7 @@ - "The files are listed below, please confirm the integrity of these binaries" - "{{ ubtu20cis_6_1_13_suid_executables_flatten }}" when: - - ubtu20cis_6_1_13_suid_executables_flatten != "" + - ubtu20cis_6_1_13_suid_executables_flatten | length > 0 - not ubtu20cis_suid_adjust - name: "MANUAL | 6.1.13 | PATCH | Audit SUID executables | Remove SUID bit" @@ -311,7 +311,7 @@ - "{{ ubtu20cis_6_1_13_suid_executables_flatten }}" when: - ubtu20cis_suid_adjust - - ubtu20cis_6_1_13_suid_executables_flatten != "" + - ubtu20cis_6_1_13_suid_executables_flatten | length > 0 when: - ubtu20cis_rule_6_1_13 tags: 
@@ -343,7 +343,7 @@ - "ALERT!!!!You have SGID executables" - "The files are listed below, please review the integrity of these binaries" - "{{ ubtu20cis_6_1_14_sgid_executables_flatten }}" - when: ubtu20cis_6_1_14_sgid_executables_flatten != [] + when: ubtu20cis_6_1_14_sgid_executables_flatten | length > 0 when: - ubtu20cis_rule_6_1_14 tags: @@ -393,7 +393,7 @@ password_lock: yes with_items: - "{{ ubtu20cis_6_2_2_empty_password_acct.stdout_lines }}" - when: ubtu20cis_6_2_2_empty_password_acct.stdout != "" + when: ubtu20cis_6_2_2_empty_password_acct.stdout | length > 0 when: - ubtu20cis_rule_6_2_2 tags: @@ -417,12 +417,12 @@ - name: "AUTOMATED | 6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files" debug: msg: "Good News! There are no users that have non-existent GUIDs (Groups)" - when: ubtu20cis_6_2_3_passwd_gid_check.stdout == "" + when: ubtu20cis_6_2_3_passwd_gid_check.stdout | length == 0 - name: "AUTOMATED | 6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" debug: msg: "WARNING!!!! The following users have non-existent GIDs (Groups): {{ ubtu20cis_6_2_3_passwd_gid_check.stdout_lines | join (', ') }}" - when: ubtu20cis_6_2_3_passwd_gid_check.stdout != "" + when: ubtu20cis_6_2_3_passwd_gid_check.stdout | length > 0 when: - ubtu20cis_rule_6_2_3 tags: @@ -514,7 +514,7 @@ - name: "AUTOMATED | 6.2.6 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive | Find home directories more 750" command: find -H {{ item.0 | quote }} -not -type l -perm /027 register: ubtu20cis_6_2_6_patch_audit - changed_when: ubtu20cis_6_2_6_patch_audit.stdout != "" + changed_when: ubtu20cis_6_2_6_patch_audit.stdout | length > 0 check_mode: false when: - item.1.exists 
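Review bot: In the 6.2.3 hunk the "Good News" task now fires on `stdout | length == 0`, but the shell that produces that value runs with `failed_when: false` (context in the earlier 6.2.3 hunk), so a failing or missing `pwck` also yields empty stdout and is reported as compliant. Because the command is a pipeline, its `rc` is awk's rather than pwck's, so a guard needs `set -o pipefail` in the shell line (with `args: executable: /bin/bash` on Ubuntu) plus `failed_when: ubtu20cis_6_2_3_passwd_gid_check.rc not in [0,1]`, since grep returns 1 when nothing matches. The same empty-stdout-means-clean pattern applies to the 6.2.7, 6.2.13, 6.2.14, 6.2.15, 6.2.16 and 6.2.17 hunks that follow. Each of these blocks continues outside its hunk.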
@@ -583,7 +583,7 @@ failed_when: false changed_when: false when: - - ubtu20cis_6_2_7_audit.stdout == "" + - ubtu20cis_6_2_7_audit.stdout | length == 0 - name: "AUTOMATED | 6.2.7 | PATCH | Ensure users' dot files are not group or world-writable | Changes files if configured" file: @@ -591,7 +591,7 @@ mode: go-w with_items: "{{ ubtu20cis_6_2_7_audit.stdout_lines }}" when: - - ubtu20cis_6_2_7_audit.stdout != "" + - ubtu20cis_6_2_7_audit.stdout | length > 0 - ubtu20cis_dotperm_ansibleManaged when: - ubtu20cis_rule_6_2_7 @@ -672,7 +672,7 @@ - "{{ ubtu20cis_6_2_11_uid_0_notroot.stdout_lines }}" when: - ubtu20cis_disruption_high - - ubtu20cis_6_2_11_uid_0_notroot.stdout != "" + - ubtu20cis_6_2_11_uid_0_notroot.stdout | length > 0 - name: "AUTOMATED | 6.2.11 | AUDIT | Ensure root is the only UID 0 account | Alert about accounts disruption high" debug: @@ -682,7 +682,7 @@ - "{{ ubtu20cis_6_2_11_uid_0_notroot.stdout_lines }}" when: - ubtu20cis_disruption_high - - ubtu20cis_6_2_11_uid_0_notroot.stdout != "" + - ubtu20cis_6_2_11_uid_0_notroot.stdout | length > 0 - name: "AUTOMATED | 6.2.11 | AUDIT | Ensure root is the only UID 0 account | Alert about accounts disruption low" debug: @@ -692,7 +692,7 @@ - "{{ ubtu20cis_6_2_11_uid_0_notroot.stdout_lines }}" when: - not ubtu20cis_disruption_high - - ubtu20cis_6_2_11_uid_0_notroot.stdout != "" + - ubtu20cis_6_2_11_uid_0_notroot.stdout | length > 0 when: - ubtu20cis_rule_6_2_11 tags: 
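Review bot: The two 6.2.7 conditions in this hunk key off `ubtu20cis_6_2_7_audit.stdout`, and the search that fills it (`find /home/ -name "\.*" -perm /g+w,o+w`, above the hunk) only walks `/home/`, whereas 6.2.6 derives home directories from `ubtu20cis_passwd`; dot files of accounts whose home lives elsewhere are neither reported nor fixed. Feeding the same passwd-derived directory list to this find would close the gap. The 6.2.7 block's outer `when` and tags follow the hunk.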
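Review bot: The three 6.2.11 conditions in this hunk treat an empty `ubtu20cis_6_2_11_uid_0_notroot.stdout` as "no extra UID 0 accounts", yet the awk program that produces it (`awk -F":" '($3 == 0 && $1 != \"root\") ...'`, in the earlier 6.2.11 hunk) is a plain YAML scalar inside single shell quotes, so the backslashes reach awk literally; if the installed awk rejects that program, `failed_when: false` hides the error and the lock task and both alerts are skipped. I have not verified how mawk handles the stray backslashes, so the task is worth running once by hand; the escapes are unnecessary inside single quotes and `shell: awk -F":" '($3 == 0 && $1 != "root") {print $1}' /etc/passwd` avoids the question. Either way the `rc` should be checked alongside the output length, since this is the check that decides whether UID 0 accounts get locked.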
@@ -780,12 +780,12 @@ - name: "AUTOMATED | 6.2.13 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist" debug: msg: "Good News! There are no duplicate UID's in the system" - when: ubtu20cis_6_2_13_user_uid_check.stdout == "" + when: ubtu20cis_6_2_13_user_uid_check.stdout | length == 0 - name: "AUTOMATED | 6.2.13 | AUDIT | Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" debug: msg: "Warning!!!! The following users have UIDs that are duplicates: {{ ubtu20cis_6_2_13_user_uid_check.stdout_lines }}" - when: ubtu20cis_6_2_13_user_uid_check.stdout != "" + when: ubtu20cis_6_2_13_user_uid_check.stdout | length > 0 when: - ubtu20cis_rule_6_2_13 tags: @@ -808,12 +808,12 @@ - name: "AUTOMATED | 6.2.14 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist" debug: msg: "Good News! There are no duplicate GIDs in the system" - when: ubtu20cis_6_2_14_user_user_check.stdout == "" + when: ubtu20cis_6_2_14_user_user_check.stdout | length == 0 - name: "AUTOMATED | 6.2.14 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" debug: msg: "Warning: The following groups have duplicate GIDs: {{ ubtu20cis_6_2_14_user_user_check.stdout_lines }}" - when: ubtu20cis_6_2_14_user_user_check.stdout != "" + when: ubtu20cis_6_2_14_user_user_check.stdout | length > 0 when: - ubtu20cis_rule_6_2_14 tags: 
@@ -836,12 +836,12 @@ - name: "AUTOMATED | 6.2.15 | AUDIT | Ensure no duplicate user names exist | Print message that no duplicate user names exist" debug: msg: "Good News! There are no duplicate user names in the system" - when: ubtu20cis_6_2_15_user_username_check.stdout == "" + when: ubtu20cis_6_2_15_user_username_check.stdout | length == 0 - name: "AUTOMATED | 6.2.15 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" debug: msg: "Warning: The following user names are duplicates: {{ ubtu20cis_6_2_15_user_username_check.stdout_lines }}" - when: ubtu20cis_6_2_15_user_username_check.stdout != "" + when: ubtu20cis_6_2_15_user_username_check.stdout | length > 0 when: - ubtu20cis_rule_6_2_15 tags: @@ -864,12 +864,12 @@ - name: "AUTOMATED | 6.2.16 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist" debug: msg: "Good News! There are no duplicate group names in the system" - when: ubtu20cis_6_2_16_group_group_check.stdout == "" + when: ubtu20cis_6_2_16_group_group_check.stdout | length == 0 - name: "AUTOMATED | 6.2.16 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" debug: msg: "Warning: The following group names are duplicates: {{ ubtu20cis_6_2_16_group_group_check.stdout_lines }}" - when: ubtu20cis_6_2_16_group_group_check.stdout != "" + when: ubtu20cis_6_2_16_group_group_check.stdout | length > 0 when: - ubtu20cis_rule_6_2_16 tags: @@ -899,7 +899,7 @@ - name: "AUTOMATED | 6.2.17 | AUDIT | Ensure shadow group is empty | Message on no users" debug: msg: "Good News! There are no users with the Shado GID on your system" - when: ubtu20cis_6_2_17_users_shadow_gid.stdout == "" + when: ubtu20cis_6_2_17_users_shadow_gid.stdout | length == 0 - name: "AUTOMATED | 6.2.17 | AUDIT | Ensure shadow group is empty | Message on users with Shadow GID" debug: 
@@ -908,7 +908,7 @@ - "To conform to CIS standards no users should be in this group" - "Please move the users below into another group" - "{{ ubtu20cis_6_2_17_users_shadow_gid.stdout_lines }}" - when: ubtu20cis_6_2_17_users_shadow_gid.stdout != "" + when: ubtu20cis_6_2_17_users_shadow_gid.stdout | length > 0 when: - ubtu20cis_rule_6_2_17 tags: From 066206039296a0d9351f522b2b651aea4934ff23 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 4 May 2021 16:52:06 -0400 Subject: [PATCH 30/44] section 6 updates for running Signed-off-by: George Nalen --- tasks/section6.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section6.yml b/tasks/section6.yml index 44c0c0ff..bf519606 100644 --- a/tasks/section6.yml +++ b/tasks/section6.yml @@ -368,7 +368,7 @@ - "ALERT! You have users that are not using a shadowed password. Please convert the below accounts to use a shadowed password" - "{{ ubtu20cis_6_2_1_nonshadowed_users.stdout_lines }}" when: - - ubtu18cis_6_2_1_nonshadowed_users.stdout | length > 0 + - ubtu20cis_6_2_1_nonshadowed_users.stdout | length > 0 when: - ubtu20cis_rule_6_2_1 tags: From 84e74df8dba6567de8eb7eaf85bbcaa6a0957fe0 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 4 May 2021 17:02:04 -0400 Subject: [PATCH 31/44] removed comments and updated prelim tasks Signed-off-by: George Nalen --- defaults/main.yml | 32 -------------- tasks/prelim.yml | 5 +-- tasks/section1.yml | 100 ------------------------------------------- tasks/section2.yml | 26 ------------ tasks/section3.yml | 103 --------------------------------------------- tasks/section6.yml | 17 -------- 6 files changed, 2 insertions(+), 281 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index d55a1651..674be93e 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
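Review bot: The fix in this hunk corrects one `ubtu18cis_` leftover, but the same stale prefix survives in the 6.2.11 alert text (`"... and ubtu18cis_disruption_high enabled"` / `disabled`), which tells operators to toggle a variable this role never reads. Those are message strings, so they do not break the play, but they should name `ubtu20cis_disruption_high`; a `grep -rn ubtu18cis` over the role would confirm nothing else was missed, since undefined-variable typos like this one surface only at runtime. The 6.2.1 block continues outside the hunk.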
@@ -83,7 +83,6 @@ ubtu20cis_rule_1_2_1: true ubtu20cis_rule_1_2_2: true ubtu20cis_rule_1_3_1: true ubtu20cis_rule_1_3_2: true -# ubtu20cis_rule_1_3_3: true ubtu20cis_rule_1_4_1: true ubtu20cis_rule_1_4_2: true ubtu20cis_rule_1_4_3: true @@ -106,15 +105,10 @@ ubtu20cis_rule_1_8_1: true ubtu20cis_rule_1_8_2: true ubtu20cis_rule_1_8_3: true ubtu20cis_rule_1_8_4: true -# ubtu20cis_rule_1_8_1_5: true -# ubtu20cis_rule_1_8_1_6: true ubtu20cis_rule_1_9: true -# ubtu20cis_rule_1_10: true # Section 2 Fixes # Section 2 is Services (Special Purpose Services, and service clients) -# ubtu20cis_rule_2_1_1: true -# ubtu20cis_rule_2_1_2: true ubtu20cis_rule_2_1_1_1: true ubtu20cis_rule_2_1_1_2: true ubtu20cis_rule_2_1_1_3: true @@ -244,25 +238,6 @@ ubtu20cis_rule_5_1_9: true ubtu20cis_rule_5_2_1: true ubtu20cis_rule_5_2_2: true ubtu20cis_rule_5_2_3: true -# ubtu20cis_rule_5_2_4: true -# ubtu20cis_rule_5_2_5: true -# ubtu20cis_rule_5_2_6: true -# ubtu20cis_rule_5_2_7: true -# ubtu20cis_rule_5_2_8: true -# ubtu20cis_rule_5_2_9: true -# ubtu20cis_rule_5_2_10: true -# ubtu20cis_rule_5_2_11: true -# ubtu20cis_rule_5_2_12: true -# ubtu20cis_rule_5_2_13: true -# ubtu20cis_rule_5_2_14: true -# ubtu20cis_rule_5_2_15: true -# ubtu20cis_rule_5_2_16: true -# ubtu20cis_rule_5_2_17: true -# ubtu20cis_rule_5_2_18: true -# ubtu20cis_rule_5_2_19: true -# ubtu20cis_rule_5_2_20: true -# ubtu20cis_rule_5_2_21: true -# ubtu20cis_rule_5_2_22: true ubtu20cis_rule_5_3_1: true ubtu20cis_rule_5_3_2: true ubtu20cis_rule_5_3_3: true 
@@ -285,16 +260,10 @@ ubtu20cis_rule_5_3_19: true ubtu20cis_rule_5_3_20: true ubtu20cis_rule_5_3_21: true ubtu20cis_rule_5_3_22: true -# ubtu20cis_rule_5_4_1_1: true -# ubtu20cis_rule_5_4_1_2: true -# ubtu20cis_rule_5_4_1_3: true -# ubtu20cis_rule_5_4_1_4: true -# ubtu20cis_rule_5_4_1_5: true ubtu20cis_rule_5_4_1: true ubtu20cis_rule_5_4_2: true ubtu20cis_rule_5_4_3: true ubtu20cis_rule_5_4_4: true -# ubtu20cis_rule_5_4_5: true ubtu20cis_rule_5_5_1_1: true ubtu20cis_rule_5_5_1_2: true ubtu20cis_rule_5_5_1_3: true @@ -304,7 +273,6 @@ ubtu20cis_rule_5_5_2: true ubtu20cis_rule_5_5_3: true ubtu20cis_rule_5_5_4: true ubtu20cis_rule_5_5_5: true -# ubtu20cis_rule_5_5: true ubtu20cis_rule_5_6: true ubtu20cis_rule_5_7: true diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 0c26bdbf..fc625242 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -38,7 +38,7 @@ name: acl state: present when: - - ubtu20cis_rule_6_2_5 + - ubtu20cis_rule_6_2_6 - ubtu20cis_install_network_manager - name: "PRELIM | List users accounts" @@ -49,5 +49,4 @@ when: - ubtu20cis_rule_6_2_8 or ubtu20cis_rule_6_2_9 or - ubtu20cis_rule_6_2_10 or - ubtu20cis_rule_6_2_11 + ubtu20cis_rule_6_2_10 diff --git a/tasks/section1.yml b/tasks/section1.yml index 16a06b78..3a48d5a8 100644 --- a/tasks/section1.yml +++ b/tasks/section1.yml 
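Review bot: The first prelim hunk retargets the `acl` package install to `ubtu20cis_rule_6_2_6`, which matches the `acl` module task it supports, but the second condition `- ubtu20cis_install_network_manager` still gates it; with that flag off, 6.2.6 runs its "Set ACL's" task on a host that may lack `setfacl`. Unless that flag is meant to control ACL installation (its name suggests it is not), the `when` should be just `- ubtu20cis_rule_6_2_6`. The task header (`apt:` / `name: acl`) starts above the hunk.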
@@ -167,36 +167,6 @@ - rule_1.1.1.7 - udf -# # ----------- -# # ----------- -# # Flagged as disruptive due to UEFI systems for EFI boot partitions being FAT. Also flash drives are also generally formatted in FAT -# # ----------- -# # ----------- -# - name: "1.1.1.7 | PATCH | Ensure mounting of FAT filesystems is limited" -# block: -# - name: "1.1.1.7 | PATCH | Ensure mounting of FAT filesystems is limited | Edit modprobe config" -# lineinfile: -# dest: /etc/modprobe.d/vfat.conf -# regexp: "^(#)?install vfat(\\s|$)" -# line: install vfat /bin/true -# create: yes - -# - name: "1.1.1.7 | PATCH | Ensure mounting of FAT filesystems is limited | Disable FAT" -# modprobe: -# name: vfat -# state: absent -# when: ansible_connection != 'docker' -# when: -# - ubtu20cis_rule_1_1_1_7 -# - ubtu20cis_disruption_high -# tags: -# - level2-server -# - level2-workstation -# - manual -# - patch -# - rule_1.1.1.7 -# - vfat - - name: "AUTOMATED | 1.1.2 | PATCH | Ensure /tmp is configured" mount: path: /tmp 
@@ -605,50 +575,6 @@ - gpg - keys -# - name: "1.3.1 | PATCH | Ensure sudo is installed" -# apt: -# name: "{{ ubtu20cis_sudo_package }}" -# state: present -# when: -# - ubtu20cis_rule_1_3_1 -# tags: -# - level1-server -# - level1-workstation -# - scored -# - patch -# - rule_1.3.1 -# - sudo - -# - name: "1.3.2 | PATCH | Ensure sudo commands use pty" -# lineinfile: -# path: /etc/sudoers -# regexp: '^Defaults use_' -# line: 'Defaults use_pty' -# insertafter: '^Defaults' -# when: -# - ubtu20cis_rule_1_3_2 -# tags: -# - level1-server -# - level1-workstation -# - patch -# - rule_1.3.2 -# - sudo - -# - name: "1.3.3 | PATCH | Ensure sudo log file exists" -# lineinfile: -# path: /etc/sudoers -# regexp: '^Defaults logfile' -# line: 'Defaults logfile="{{ ubtu20cis_sudo_logfile }}"' -# insertafter: '^Defaults' -# when: -# - ubtu20cis_rule_1_3_3 -# tags: -# - level1-server -# - level1-workstation -# - patch -# - rule_1.3.3 -# - sudo - - name: "AUTOMATED | 1.3.1 | PATCH | Ensure AIDE is installed" apt: name: ['aide', 'aide-common'] @@ -1123,29 +1049,3 @@ - patch - rule_1.9 - patching - -# - name: "1.10 | PATCH | Ensure GDM is removed or login is configured" -# block: -# - name: "1.10 | PATCH | Ensure GDM is removed or login is configured" -# lineinfile: -# path: /etc/gdm3/greeter.dconf-defaults -# regexp: "{{ item.regexp }}" -# line: "{{ item.line }}" -# insertafter: "{{ item.insertafter }}" -# create: yes -# owner: root -# group: root -# mode: 0644 -# with_items: -# - { regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]', insertafter: EOF } -# - { regexp: 'banner-message-enable', line: 'banner-message-enable=true', insertafter: '\[org\/gnome\/login-screen\]'} -# - { regexp: 'banner-message-text', line: 'banner-message-text={{ ubtu20cis_warning_banner }}', insertafter: 'banner-message-enable' } - -# when: -# - ubtu20cis_rule_1_10 -# tags: -# - level1-server -# - level1-workstation -# - patch -# - rule_1.10 -# - gdm 
diff --git a/tasks/section2.yml b/tasks/section2.yml index 61d37dd0..fa85bb8e 100644 --- a/tasks/section2.yml +++ b/tasks/section2.yml @@ -1,30 +1,4 @@ --- -# - name: "2.1.1 | PATCH | Ensure xinetd is not installed" -# apt: -# name: xinetd -# state: absent -# when: -# - ubtu20cis_rule_2_1_1 -# tags: -# - level1-server -# - level1-workstation -# - patch -# - rule_2.1.1 -# - xinetd - -# - name: "2.1.2 | PATCH | Ensure openbsd-inetd is not installed" -# apt: -# name: openbsd-inetd -# state: absent -# when: -# - ubtu20cis_rule_2_1_2 -# tags: -# - level1-server -# - level1-workstation -# - patch -# - rule_2.1.2 -# - openbsd-inetd - - name: "AUTOMATED | 2.1.1.1 | PATCH | Ensure time synchronization is in use" apt: name: "{{ ubtu20cis_time_sync_tool }}" diff --git a/tasks/section3.yml b/tasks/section3.yml index 11ff5be5..2112fe7f 100644 --- a/tasks/section3.yml +++ b/tasks/section3.yml @@ -442,21 +442,6 @@ - apt - ufw -# - name: "3.5.1.1 | PATCH | Ensure Uncomplicated Firewall is installed" -# apt: -# name: ufw -# state: present -# when: -# - ubtu20cis_rule_3_5_1_1 -# - ubtu20cis_firewall_package == "ufw" -# tags: -# - level1-server -# - level1-workstation -# - patch -# - rule_3.5.1.1 -# - apt -# - ufw - - name: "AUTOMATED | 3.5.1.2 | PATCH | Ensure iptables-persistent is not installed with ufw" apt: name: iptables-persistent 
@@ -887,55 +872,6 @@ - rule_3.5.3.1.3 - iptables -# # --------- -# # --------- -# # Unsure about the _v6 when being there, revisit and confirm if it's needed for all ipv4 iptables tasks -# # --------- -# # --------- -# - name: "3.5.3.2.1 | PATCH | Ensure default deny firewall policy" -# block: -# - name: "3.5.3.2.1 | PATCH | Ensure default deny firewall policy | Configure SSH to be allowed in" -# iptables: -# chain: INPUT -# protocol: tcp -# destination_port: 22 -# jump: ACCEPT -# ctstate: 'NEW,ESTABLISHED' - -# - name: "3.5.3.2.1 | PATCH | Ensure default deny firewall policy | Configure SSH to be allowed out" -# iptables: -# chain: OUTPUT -# protocol: tcp -# source_port: 22 -# jump: ACCEPT -# ctstate: 'NEW,ESTABLISHED' - -# - name: "3.5.3.2.1 | PATCH | Ensure default deny firewall policy | Enable apt traffic" -# iptables: -# chain: INPUT -# ctstate: 'ESTABLISHED' -# jump: ACCEPT - -# - name: "3.5.3.2.1 | PATCH | Ensure default deny firewall policy | Set drop items" -# iptables: -# policy: DROP -# chain: "{{ item }}" -# with_items: -# - INPUT -# - FORWARD -# - OUTPUT -# when: -# - ubtu20cis_rule_3_5_3_2_1 -# - ubtu20cis_firewall_package == "iptables" -# - ubtu20cis_ipv4_required -# - not system_is_ec2 -# tags: -# - level1-server -# - level1-workstation -# - patch -# - rule_3.5.3.2.1 -# - iptables - - name: "AUTOMATED | 3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured" block: - name: "AUTOMATED | 3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | INPUT loopback ACCEPT" 
@@ -1107,45 +1043,6 @@ ubtu20cis_rule_3_5_3_2_3 or ubtu20cis_rule_3_5_3_2_4 -# - name: "3.5.3.3.1 | PATCH | Ensure IPv6 default deny firewall policy" -# block: -# - name: "3.5.3.3.1 | PATCH | Ensure IPv6 default deny firewall policy | Configure SSH to be allowed out" -# iptables: -# chain: OUTPUT -# protocol: tcp -# source_port: 22 -# jump: ACCEPT -# ctstate: 'NEW,ESTABLISHED' -# ip_version: ipv6 - -# - name: "3.5.3.3.1 | PATCH | Ensure IPv6 default deny firewall policy | Enable apt traffic" -# iptables: -# chain: INPUT -# ctstate: 'ESTABLISHED' -# jump: ACCEPT -# ip_version: ipv6 - -# - name: "3.5.3.3.1 | PATCH | Ensure IPv6 default deny firewall policy | Set drop items" -# iptables: -# policy: DROP -# chain: "{{ item }}" -# ip_version: ipv6 -# with_items: -# - INPUT -# - FORWARD -# - OUTPUT -# when: -# - ubtu20cis_rule_3_5_3_3_1 -# - ubtu20cis_firewall_package == "iptables" -# - ubtu20cis_ipv6_required -# - not ubtu20cis_ipv4_required -# tags: -# - level1-server -# - level1-workstation -# - patch -# - rule_3.5.3.3.1 -# - ip6tables - - name: "AUTOMATED | 3.5.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured" block: - name: "AUTOMATED | 3.5.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback ACCEPT" diff --git a/tasks/section6.yml b/tasks/section6.yml index bf519606..125ab16d 100644 --- a/tasks/section6.yml +++ b/tasks/section6.yml @@ -919,20 +919,3 @@ - rule_6.2.17 - groups - user - -# - name: "6.2.10 | PATCH | Ensure users' .netrc Files are not group or world accessible" -# file: -# dest: "~{{ item }}/.netrc" -# mode: go-w -# failed_when: false -# with_items: -# - "{{ ubtu20cis_users.stdout_lines }}" -# when: -# - ubtu20cis_rule_6_2_10 -# - ubtu20cis_disruption_high -# tags: -# - level1-server -# - level1-workstation -# - patch -# - rule_6.2.10 -# - user From 435164edb5e84bf1857189740a6bdec078d08ba8 Mon Sep 17 00:00:00 2001 
From: George Nalen Date: Thu, 6 May 2021 08:28:06 -0400 Subject: [PATCH 32/44] fixes for updates and minor issues caught Signed-off-by: George Nalen --- defaults/main.yml | 7 +++---- tasks/section1.yml | 3 ++- tasks/section2.yml | 3 ++- tasks/section3.yml | 8 ++++---- tasks/section4.yml | 4 ++-- tasks/section5.yml | 4 ++-- 6 files changed, 15 insertions(+), 14 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 674be93e..2925d6d9 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -47,7 +47,7 @@ ubtu20cis_system_is_container: false system_is_ec2: false # Section 1 Fixes -# Section 1 is Iniitial setup (FileSystem Configuration, Configure Software Updates, Filesystem Integrity Checking, Secure Boot Settings, +# Section 1 is Initial setup (FileSystem Configuration, Configure Software Updates, Filesystem Integrity Checking, Secure Boot Settings, # Additional Process Hardening, Mandatory Access Control, Command Line Warning Banners, and GNOME Display Manager) ubtu20cis_rule_1_1_1_1: true ubtu20cis_rule_1_1_1_2: true @@ -136,7 +136,6 @@ ubtu20cis_rule_2_2_4: true ubtu20cis_rule_2_2_5: true ubtu20cis_rule_2_2_6: true ubtu20cis_rule_2_3: true -ubtu20cis_rule_2_4: true # Section 3 Fixes # Section 3 is Network Configuration (Disable Unused Networks, Network Parameters (Host Only), Network Parameters (Host and Router), Uncommon Network Protocols, and Firewall Configuration) @@ -224,7 +223,7 @@ ubtu20cis_rule_4_3: true ubtu20cis_rule_4_4: true # Section 5 Fixes -# Section 5 is Access, Authentication, and Authorization (Configure time-based job schedulers, Configure sudo, Configure SSH Server, configure PAM +# Section 5 is Access, Authentication, and Authorization (Configure time-based job schedulers, Configure sudo, Configure SSH Server, Configure PAM # and User Accounts and Environment) ubtu20cis_rule_5_1_1: true ubtu20cis_rule_5_1_2: true 
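Review bot: Removing `ubtu20cis_rule_2_4: true` from defaults/main.yml while `tasks/section2.yml` still gates the 2.3 block on `ubtu20cis_rule_2_4` (renamed only in patch 33 of this series) leaves the role failing with an undefined variable at this commit. Fold the defaults removal into the commit that renames the task condition, or keep the old key defined until no task references it, so that each commit in the series is runnable on its own.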
@@ -389,7 +388,7 @@ ubtu20cis_aide_cron: aide_weekday: '*' # Control 1.4.4 -# THIS VARAIBLE SHOULD BE CHANGED AND INCORPROATED INTO VAULT +# THIS VARAIBLE SHOULD BE CHANGED AND INCORPORATED INTO VAULT # THIS VALUE IS WHAT THE ROOT PW WILL BECOME!!!!!!!! # HAVING THAT PW EXPOSED IN RAW TEXT IS NOT SECURE!!!! ubtu20cis_root_pw: "Password1" diff --git a/tasks/section1.yml b/tasks/section1.yml index 3a48d5a8..13388fee 100644 --- a/tasks/section1.yml +++ b/tasks/section1.yml @@ -965,6 +965,7 @@ state: absent when: - ubtu20cis_rule_1_8_1 + - not ubtu20cis_desktop_required - ubtu20cis_disruption_high tags: - level2-server @@ -1024,7 +1025,7 @@ - name: "AUTOMATED | 1.8.4 | PATCH | Ensure XDCMP is not enabled" lineinfile: path: /etc/gdm3/custom.conf - regexp: '^Enable=true' + regexp: '^Enable.*=.*true' state: absent when: - ubtu20cis_rule_1_8_4 diff --git a/tasks/section2.yml b/tasks/section2.yml index fa85bb8e..f517ce0d 100644 --- a/tasks/section2.yml +++ b/tasks/section2.yml @@ -190,6 +190,7 @@ when: - ubtu20cis_rule_2_1_3 - not ubtu20cis_avahi_server + - ubtu20cis_disruption_high tags: - level1-server - level1-workstation @@ -249,7 +250,7 @@ - name: "AUTOMATED | 2.1.7 | PATCH | Ensure NFS is not installed" apt: - name: rpcbind + name: purge nfs-kernel-server state: absent when: - ubtu20cis_rule_2_1_7 diff --git a/tasks/section3.yml b/tasks/section3.yml index 2112fe7f..8f514320 100644 --- a/tasks/section3.yml +++ b/tasks/section3.yml @@ -1,7 +1,7 @@ --- - name: "MANUAL | 3.1.1 | PATCH | Disable IPv6" block: - - name: "MANUAL | 3.1.1 | AUDIT | Disable IPv6 | Get currnet GRUB_CMDLINE_LINUX settings" + - name: "MANUAL | 3.1.1 | AUDIT | Disable IPv6 | Get current GRUB_CMDLINE_LINUX settings" shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' changed_when: false failed_when: false 
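Review bot: The rewritten comment line still carries the typo `VARAIBLE`; `# THIS VARIABLE SHOULD BE CHANGED AND INCORPORATED INTO VAULT` fixes both spellings at once. Since the context line below ships `ubtu20cis_root_pw: "Password1"` as the default for control 1.4.4, the comment would be more useful if it also told the operator that this value must be overridden before the rule is enabled, rather than only warning that plaintext passwords are insecure.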
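Review bot: The new pattern `'^Enable.*=.*true'` in the 1.8.4 task is broader than the `Enable` key it targets: `lineinfile` is not section-aware, so any line in `/etc/gdm3/custom.conf` that begins with `Enable` and has `=` and `true` somewhere after it — including a different key whose name starts with `Enable` — is deleted, not only the XDMCP toggle. If the intent is just to tolerate whitespace around `=`, `regexp: '^\s*Enable\s*=\s*true\s*$'` is the tighter form; if the intent is to act on the `[xdmcp]` section specifically, `ini_file` with `section: xdmcp`, `option: Enable` and `state: absent` is the section-aware equivalent.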
@@ -244,7 +244,7 @@ - net.ipv4.conf.default.log_martians notify: sysctl flush ipv4 route table when: - - ubtu20cis_rule_3_3_3 + - ubtu20cis_rule_3_3_4 tags: - level1-server - level1-workstation @@ -376,7 +376,7 @@ - automated - patch - rule_3.4.1 - - DCCP + - dccp - name: "AUTOMATED | 3.4.2 | PATCH | Ensure SCTP is disabled" lineinfile: @@ -1185,7 +1185,7 @@ - level1-workstation - automated - audit - - rule_3.5.4.2.3 + - rule_3.5.3.3.4 - ip6tables # --------------- diff --git a/tasks/section4.yml b/tasks/section4.yml index a8c4eeef..7b0ee3e8 100644 --- a/tasks/section4.yml +++ b/tasks/section4.yml @@ -367,7 +367,7 @@ mode: 0600 notify: restart auditd when: - - ubtu20cis_rule_4_1_13 + - ubtu20cis_rule_4_1_14 tags: - level2-server - level2-workstation @@ -688,5 +688,5 @@ - level1-workstation - automated - patch - - rule_4.3 + - rule_4.4 - logrotate diff --git a/tasks/section5.yml b/tasks/section5.yml index 205b93eb..ce3f7294 100644 --- a/tasks/section5.yml +++ b/tasks/section5.yml @@ -1065,7 +1065,7 @@ - { dest: /etc/profile, state: "{{ (ubtu20cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" } - { dest: /etc/bash.bashrc, state: present } when: - - ubtu20cis_rule_5_5_4 + - ubtu20cis_rule_5_5_5 tags: - level1-server - level1-workstation @@ -1086,7 +1086,7 @@ - name: "MANUAL | 5.6 | AUDIT | Ensure root login is restricted to system console | Message out list" debug: msg: - - "WARNING!!!!Below is the list of conoles with root login access" + - "WARNING!!!! Below is the list of consoles with root login access" - "Please review for any conoles that are not in a physically secure location" - "{{ ubtu20cis_5_6_terminal_list.stdout_lines }}" when: From 81aa925a88f78bdbb7454d8e2df93c810d119af8 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Thu, 6 May 2021 08:56:15 -0400 Subject: [PATCH 33/44] fixed 2.3 Signed-off-by: George Nalen --- tasks/section2.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
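Review bot: The typo corrected in the first message line of the 5.6 debug task is still present in the adjacent context line, `"Please review for any conoles that are not in a physically secure location"`; change `conoles` to `consoles` there as well. Both are operator-facing strings in the same `msg:` list, so fixing only one leaves the output inconsistent.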
diff --git a/tasks/section2.yml b/tasks/section2.yml index f517ce0d..07ff8514 100644 --- a/tasks/section2.yml +++ b/tasks/section2.yml @@ -544,24 +544,24 @@ - name: "MANUAL | 2.3 | AUDIT | Ensure nonessential services are removed or masked" block: - - name: "MANUAL | 2.4 | AUDIT | Ensure nonessential services are removed or masked | Check for services" + - name: "MANUAL | 2.3 | AUDIT | Ensure nonessential services are removed or masked | Check for services" shell: lsof -i -P -n | grep -v "(ESTABLISHED)" changed_when: false failed_when: false check_mode: false - register: ubtu20cis_2_4_services + register: ubtu20cis_2_3_services - - name: "MANUAL | 2.4 | AUDIT | Ensure nonessential services are removed or masked | Message out running services" + - name: "MANUAL | 2.3 | AUDIT | Ensure nonessential services are removed or masked | Message out running services" debug: msg: - "Warning!! Below are the running services. Please review and remove as well as mask un-needed services" - "{{ ubtu20cis_2_4_services.stdout_lines }}" when: - - ubtu20cis_rule_2_4 + - ubtu20cis_rule_2_3 tags: - level1-server - level1-workstation - manual - audit - - rule_2.4 + - rule_2.3 - services" From 1eeb216ede3b88b97c1a8d9b56d0fa9bdc189b95 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Thu, 6 May 2021 09:15:39 -0400 Subject: [PATCH 34/44] updates round 2 for 2.3 Signed-off-by: George Nalen --- tasks/section2.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section2.yml b/tasks/section2.yml index 07ff8514..9bfcf55b 100644 --- a/tasks/section2.yml +++ b/tasks/section2.yml @@ -555,7 +555,7 @@ debug: msg: - "Warning!! Below are the running services. Please review and remove as well as mask un-needed services" - - "{{ ubtu20cis_2_4_services.stdout_lines }}" + - "{{ ubtu20cis_2_3_services.stdout_lines }}" when: - ubtu20cis_rule_2_3 tags: @@ -564,4 +564,4 @@ - manual - audit - rule_2.3 - - services" + - services 
From 0be7e949359f4480e4fe2d945e462faba04eba71 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Thu, 6 May 2021 11:13:02 -0400 Subject: [PATCH 35/44] fixed 2.1.7 Signed-off-by: George Nalen --- tasks/section2.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section2.yml b/tasks/section2.yml index 9bfcf55b..6fdc92fe 100644 --- a/tasks/section2.yml +++ b/tasks/section2.yml @@ -1,4 +1,4 @@ ---- +2.1.7--- - name: "AUTOMATED | 2.1.1.1 | PATCH | Ensure time synchronization is in use" apt: name: "{{ ubtu20cis_time_sync_tool }}" @@ -250,7 +250,7 @@ - name: "AUTOMATED | 2.1.7 | PATCH | Ensure NFS is not installed" apt: - name: purge nfs-kernel-server + name: nfs-kernel-server state: absent when: - ubtu20cis_rule_2_1_7 From 585817d7c081cc08bbfd2a0cc2fe7934b87e479c Mon Sep 17 00:00:00 2001 From: George Nalen Date: Thu, 6 May 2021 11:39:00 -0400 Subject: [PATCH 36/44] additional fix Signed-off-by: George Nalen --- tasks/section2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section2.yml b/tasks/section2.yml index 6fdc92fe..46764ab0 100644 --- a/tasks/section2.yml +++ b/tasks/section2.yml @@ -1,4 +1,4 @@ -2.1.7--- +--- - name: "AUTOMATED | 2.1.1.1 | PATCH | Ensure time synchronization is in use" apt: name: "{{ ubtu20cis_time_sync_tool }}" From 00da7dfa77bd2e05a69cd0933b12151f82fd7b8a Mon Sep 17 00:00:00 2001 From: George Nalen Date: Fri, 7 May 2021 08:28:58 -0400 Subject: [PATCH 37/44] updated section 1 layout 
Signed-off-by: George Nalen --- tasks/main.yml | 2 +- tasks/{section1.yml => old_section1.yml} | 0 tasks/section_1/cis_1.1.x.yml | 524 +++++++++++++++++++++++ tasks/section_1/cis_1.2.x.yml | 52 +++ tasks/section_1/cis_1.3.x.yml | 35 ++ tasks/section_1/cis_1.4.x.yml | 86 ++++ tasks/section_1/cis_1.5.x.yml | 86 ++++ tasks/section_1/cis_1.6.x.yml | 83 ++++ tasks/section_1/cis_1.7.x.yml | 93 ++++ tasks/section_1/cis_1.8.x.yml | 78 ++++ tasks/section_1/cis_1.9.yml | 14 + tasks/section_1/main.yml | 27 ++ 12 files changed, 1079 insertions(+), 1 deletion(-) rename tasks/{section1.yml => old_section1.yml} (100%) create mode 100644 tasks/section_1/cis_1.1.x.yml create mode 100644 tasks/section_1/cis_1.2.x.yml create mode 100644 tasks/section_1/cis_1.3.x.yml create mode 100644 tasks/section_1/cis_1.4.x.yml create mode 100644 tasks/section_1/cis_1.5.x.yml create mode 100644 tasks/section_1/cis_1.6.x.yml create mode 100644 tasks/section_1/cis_1.7.x.yml create mode 100644 tasks/section_1/cis_1.8.x.yml create mode 100644 tasks/section_1/cis_1.9.yml create mode 100644 tasks/section_1/main.yml diff --git a/tasks/main.yml b/tasks/main.yml index 2b8e374e..b1843f04 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -38,7 +38,7 @@ ubtu20cis_section6_patch - name: Include section 1 patches - import_tasks: section1.yml + import_tasks: section_1/main.yml when: ubtu20cis_section1_patch tags: - section1 diff --git a/tasks/section1.yml b/tasks/old_section1.yml similarity index 100% rename from tasks/section1.yml rename to tasks/old_section1.yml diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml new file mode 100644 index 00000000..8d73c0df --- /dev/null +++ b/tasks/section_1/cis_1.1.x.yml 
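Review bot: Pointing the import at `section_1/main.yml` while renaming the old file to `tasks/old_section1.yml` leaves a second, unreferenced copy of every section 1 task in the role; nothing imports it after this commit, but it will still be linted, still match when someone greps for a rule, and the two copies will drift. Delete `old_section1.yml` once the split files are reviewed, or add a comment at its top stating that it is superseded by `section_1/` and scheduled for removal.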
@@ -0,0 +1,524 @@ +--- +- name: "AUTOMATED | 1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled" + block: + - name: "AUTOMATED | 1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Edit modprobe config" + lineinfile: + dest: /etc/modprobe.d/cramfs.conf + regexp: "^(#)?install cramfs(\\s|$)" + line: install cramfs /bin/true + create: yes + + - name: "AUTOMATED | 1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs" + modprobe: + name: cramfs + state: absent + when: ansible_connection != 'docker' + when: + - ubtu20cis_rule_1_1_1_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.1.1.1 + - cramfs + +- name: "AUTOMATED | 1.1.1.2 | PATCH | Ensure mounting of freevxfs filesystems is disabled" + block: + - name: "AUTOMATED | 1.1.1.2 | PATCH | Ensure mounting of freevxfs filesystems is disabled | Edit modprobe config" + lineinfile: + dest: /etc/modprobe.d/freevxfs.conf + regexp: "^(#)?install freevxfs(\\s|$)" + line: install freevxfs /bin/true + create: yes + + - name: "AUTOMATED | 1.1.1.2 | PATCH | Ensure mounting of freevxfs filesystems is disabled | Disable freevxfs" + modprobe: + name: freevxfs + state: absent + when: ansible_connection != 'docker' + when: + - ubtu20cis_rule_1_1_1_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.1.1.2 + - freevxfs + +- name: "AUTOMATED | 1.1.1.3 | PATCH | Ensure mounting of jffs2 filesystems is disabled" + block: + - name: "AUTOMATED | 1.1.1.3 | PATCH | Ensure mounting of jffs2 filesystems is disabled | Edit modprobe config" + lineinfile: + dest: /etc/modprobe.d/jffs2.conf + regexp: "^(#)?install jffs2(\\s|$)" + line: install jffs2 /bin/true + create: yes + + - name: "AUTOMATED | 1.1.1.3 | PATCH | Ensure mounting of jffs2 filesystems is disabled | Disable jffs2" + modprobe: + name: jffs2 + state: absent + when: ansible_connection != 'docker' + when: + - ubtu20cis_rule_1_1_1_3 + tags: + - 
level1-server + - level1-workstation + - automated + - patch + - rule_1.1.1.3 + - jffs2 + +- name: "AUTOMATED | 1.1.1.4 | PATCH | Ensure mounting of hfs filesystems is disabled" + block: + - name: "AUTOMATED | 1.1.1.4 | PATCH | Ensure mounting of hfs filesystems is disabled | Edit modprobe config" + lineinfile: + dest: /etc/modprobe.d/hfs.conf + regexp: "^(#)?install hfs(\\s|$)" + line: install hfs /bin/true + create: yes + + - name: "AUTOMATED | 1.1.1.4 | PATCH | Ensure mounting of hfs filesystems is disabled | Disable hfs" + modprobe: + name: hfs + state: absent + when: ansible_connection != 'docker' + when: + - ubtu20cis_rule_1_1_1_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.1.1.4 + - hfs + +- name: "AUTOMATED | 1.1.1.5 | PATCH | Ensure mounting of hfsplus filesystems is disabled" + block: + - name: "AUTOMATED | 1.1.1.5 | PATCH | Ensure mounting of hfsplus filesystems is disabled | Edit modprobe config" + lineinfile: + dest: /etc/modprobe.d/hfsplus.conf + regexp: "^(#)?install hfsplus(\\s|$)" + line: install hfsplus /bin/true + create: yes + + - name: "AUTOMATED | 1.1.1.5 | PATCH | Ensure mounting of hfsplus filesystems is disabled | Disable hfsplus" + modprobe: + name: hfsplus + state: absent + when: ansible_connection != 'docker' + when: + - ubtu20cis_rule_1_1_1_5 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.1.1.5 + - hfsplus + +- name: "MANUAL | 1.1.1.6 | PATCH | Ensure mounting of squashfs filesystems is disabled" + block: + - name: "MANUAL | 1.1.1.6 | PATCH | Ensure mounting of squashfs filesystems is disabled | Edit modprobe config" + lineinfile: + dest: /etc/modprobe.d/squashfs.conf + regexp: "^(#)?install squashfs(\\s|$)" + line: install squashfs /bin/true + create: yes + + - name: "MANUAL | 1.1.1.6 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs" + modprobe: + name: squashfs + state: absent + when: ansible_connection != 'docker' + when: + - 
ubtu20cis_rule_1_1_1_6 + tags: + - level2-server + - level2-workstation + - manual + - patch + - rule_1.1.1.6 + - squashfs + +- name: "AUTOMATED | 1.1.1.7 | PATCH | Ensure mounting of udf filesystems is disabled" + block: + - name: "AUTOMATED | 1.1.1.7 | PATCH | Ensure mounting of udf filesystems is disabled | Edit modprobe config" + lineinfile: + dest: /etc/modprobe.d/udf.conf + regexp: "^(#)?install udf(\\s|$)" + line: install udf /bin/true + create: yes + + - name: "AUTOMATED | 1.1.1.7 | PATCH | Ensure mounting of udf filesystems is disabled | Disable udf" + modprobe: + name: udf + state: absent + when: ansible_connection != 'docker' + when: + - ubtu20cis_rule_1_1_1_7 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.1.1.7 + - udf + +- name: "AUTOMATED | 1.1.2 | PATCH | Ensure /tmp is configured" + mount: + path: /tmp + src: /tmp + state: mounted + fstype: tmpfs + opts: "{{ ubtu20cis_tmp_fstab_options }}" + when: + - ubtu20cis_rule_1_1_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.1.2 + - tmp + +- name: | + "AUTOMATED | 1.1.3 | PATCH | Ensure nodev option set on /tmp partition" + "AUTOMATED | 1.1.4 | PATCH | Ensure nosuid option set on /tmp partition" + "AUTOMATED | 1.1.5 | PATCH | Ensure noexec option set on /tmp partition" + mount: + name: /tmp + src: /tmp + state: remounted + fstype: tmpfs + opts: "{{ ubtu20cis_tmp_fstab_options }}" + when: + - ubtu20cis_rule_1_1_3 or + ubtu20cis_rule_1_1_4 or + ubtu20cis_rule_1_1_5 + # - ubtu20cis_vartmp['enabled'] + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.1.3 + - rule_1.1.4 + - rule_1.1.5 + - tmp + +- name: "AUTOMATED | 1.1.6 | PATCH | Ensure /dev/shm is configured" + mount: + name: /dev/shm + src: /dev/shm + state: mounted + fstype: tmpfs + opts: "{{ ubtu20cis_dev_shm_fstab_options }}" + when: + - ubtu20cis_rule_1_1_6 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.1.6 + - 
dev_shm + +- name: | + "AUTOMATED | 1.1.7 | PATCH | Ensure nodev option set on /dev/shm partition" + "AUTOMATED | 1.1.8 | PATCH | Ensure nosuid option set on /dev/shm partition" + "AUTOMATED | 1.1.9 | PATCH | Ensure noexec option set on /dev/shm partition" + mount: + name: /dev/shm + src: /dev/shm + state: remounted + fstype: tmpfs + opts: "{{ ubtu20cis_dev_shm_fstab_options }}" + when: + - ubtu20cis_rule_1_1_7 or + ubtu20cis_rule_1_1_8 or + ubtu20cis_rule_1_1_9 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.1.7 + - rule_1.1.8 + - rule_1.1.9 + - dev_shm + +- name: "AUTOMATED | 1.1.10 | AUDIT | Ensure separate partition exists for /var" + block: + - name: "AUTOMATED | 1.1.10 | AUDIT | Ensure separate partition exists for /var | Gather /var partition" + shell: mount | grep "on /var " + changed_when: false + failed_when: false + check_mode: false + args: + warn: false + register: ubtu20cis_1_1_10_var_mounted + + - name: "AUTOMATED | 1.1.10 | AUDIT | Ensure separate partition exists for /var | Alert if /var partition does not exist" + debug: + msg: + - "ALERT!!!! There is no separate partition for /var" + - "Please create a separate partition for /var" + when: ubtu20cis_1_1_10_var_mounted.stdout | length == 0 + when: + - ubtu20cis_rule_1_1_10 + tags: + - level2-server + - level2-workstation + - automated + - audit + - rule_1.1.10 + - var + +- name: "AUTOMATED | 1.1.11 | AUDIT | Ensure separate partition exists for /var/tmp" + block: + - name: "AUTOMATED | 1.1.11 | AUDIT | Ensure separate partition exists for /var/tmp | Gather /var/tmp partition" + shell: mount | grep "on /var/tmp " + changed_when: false + failed_when: false + check_mode: false + args: + warn: false + register: ubtu20cis_1_1_11_var_tmp_mounted + + - name: "AUTOMATED | 1.1.11 | AUDIT | Ensure separate partition exists for /var/tmp | Alert if /var/tmp partition does not exist" + debug: + msg: + - "ALERT!!!! 
There is no separate partition for /var/tmp" + - "Please create a separate partition for /var/tmp" + when: ubtu20cis_1_1_11_var_tmp_mounted.stdout | length == 0 + when: + - ubtu20cis_rule_1_1_11 + tags: + - level2-server + - level2-workstation + - automated + - audit + - rule_1.1.11 + - var/tmp + +- name: | + "AUTOMATED | 1.1.12 | PATCH | Ensure /var/tmp partition includes the nodev option" + "AUTOMATED | 1.1.13 | PATCH | Ensure /var/tmp partition includes the nosuid option" + "AUTOMATED | 1.1.14 | PATCH | Ensure /var/tmp partition includes the noexec option" + mount: + name: /var/tmp + src: "{{ ubtu20cis_vartmp['source'] }}" + state: present + fstype: "{{ ubtu20cis_vartmp['fstype'] }}" + opts: "{{ ubtu20cis_vartmp['opts'] }}" + when: + - ubtu20cis_rule_1_1_12 or + ubtu20cis_rule_1_1_13 or + ubtu20cis_rule_1_1_14 + - ubtu20cis_vartmp['enabled'] + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.1.12 + - rule_1.1.13 + - rule_1.1.14 + - var/tmp + +- name: "AUTOMATED | 1.1.15 | AUDIT | Ensure separate partition exists for /var/log" + block: + - name: "AUTOMATED | 1.1.15 | AUDIT | Ensure separate partition exists for /var/log | Gather /var/log partition" + shell: mount | grep "on /var/log " + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_1_1_15_var_log_mounted + args: + warn: false + + - name: "AUTOMATED | 1.1.15 | AUDIT | Ensure separate partition exists for /var/log | Alert if /var/log partition does not exist" + debug: + msg: + - "ALERT!!!! 
There is no separate partition for /var/log" + - "Please create a separate partition for /var/log" + when: ubtu20cis_1_1_15_var_log_mounted.stdout | length == 0 + when: + - ubtu20cis_rule_1_1_15 + tags: + - level2-server + - level2-workstation + - automated + - audit + - rule_1.1.15 + - var/log + +- name: "AUTOMATED | 1.1.16 | AUDIT | Ensure separate partition exists for /var/log/audit" + block: + - name: "AUTOMATED | 1.1.16 | AUDIT | Ensure separate partition exists for /var/log/audit | Gather /var/log/audit" + shell: mount | grep "on /var/log/audit " + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_1_1_16_var_log_audit_mounted + args: + warn: false + + - name: "AUTOMATED | 1.1.16 | AUDIT | Ensure separate partition exists for /var/log/audit | Alert if /var/log/audit partition does not exist" + debug: + msg: + - "ALERT!!!! There is no separate partition for /var/log/audit" + - "Please create a separate partition for /var/log/audit" + when: ubtu20cis_1_1_16_var_log_audit_mounted.stdout | length == 0 + when: + - ubtu20cis_rule_1_1_16 + tags: + - level2-server + - level2-workstation + - automated + - audit + - var/log/audit + +- name: "AUTOMATED | 1.1.17 | AUDIT | Ensure separate partition exists for /home" + block: + - name: "AUTOMATED | 1.1.17 | AUDIT | Ensure separate partition exists for /home | Gather /home" + shell: mount | grep "on /home" + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_1_1_17_home_mounted + args: + warn: false + + - name: "AUTOMATED | 1.1.17 | AUDIT | Ensure separate partition exists for /home | Alert if /home partition does not exist" + debug: + msg: + - "ALERT!!!! 
There is no separate partition for /home" + - "Please create a separate partition for /home" + when: ubtu20cis_1_1_17_home_mounted.stdout | length == 0 + when: + - ubtu20cis_rule_1_1_17 + tags: + - level2-server + - level2-workstation + - automated + - audit + - /home + +- name: "AUTOMATED | 1.1.18 | PATCH | Ensure /home partition includes the nodev option" + mount: + name: "/home" + src: "{{ item.device }}" + state: mounted + fstype: "{{ item.fstype }}" + opts: "nodev" + with_items: "{{ ansible_mounts }}" + when: + - ubtu20cis_rule_1_1_18 + - item.mount == "/home" + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.1.18 + - /home + +- name: "MANUAL | 1.1.19 | AUDIT | Ensure nodev option set on removable media partitions" + debug: + msg: "Warning!!!! Not relevant control" + when: + - ubtu20cis_rule_1_1_19 + tags: + - level1-server + - level1-workstation + - manual + - audit + - rule_1.1.19 + - removable_media + +- name: "MANUAL | 1.1.20 | AUDIT | Ensure nosuid option set on removable media partitions" + debug: + msg: "Warning!!!! Not relevant control" + when: + - ubtu20cis_rule_1_1_20 + tags: + - level1-server + - level1-workstation + - manual + - audit + - rule_1.1.20 + - removable_media + +- name: "MANUAL | 1.1.21 | AUDIT | Ensure noexec option set on removable media partitions" + debug: + msg: "Warning!!!! Not relevant control" + when: + - ubtu20cis_rule_1_1_21 + tags: + - level1-server + - level1-workstation + - manual + - audit + - rule_1.1.21 + - removable_media + +- name: "AUTOMATED | 1.1.22 | PATCH | Ensure sticky bit is set on all world-writable directories" + shell: df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! 
-perm -1000 \) 2>/dev/null | xargs -I '{}' chmod a+t '{}' + failed_when: ubtu20cis_1_1_22_status.rc>0 + check_mode: false + register: ubtu20cis_1_1_22_status + when: + - ubtu20cis_rule_1_1_22 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.1.22 + - sticky_bit + +- name: "AUTOMATED | 1.1.23 | PATCH | Disable Automounting" + service: + name: autofs + state: stopped + enabled: no + when: + - ubtu20cis_rule_1_1_23 + - ubtu20cis_autofs_service_status.stdout == "loaded" + - not ubtu20cis_allow_autofs + tags: + - level1-server + - level2-workstation + - automated + - patch + - rule_1.1.23 + - automounting + +- name: "AUTOMATED | 1.1.24 | PATCH | Disable USB Storage" + block: + - name: "AUTOMATED | 1.1.24 | PATCH | Disable USB Storage | Set modprobe config" + lineinfile: + path: /etc/modprobe.d/usb_storage.conf + regexp: '^install usb-storage' + line: 'install usb-storage /bin/true' + create: yes + + - name: "AUTOMATED | 1.1.24 | PATCH | Disable USB Storage | Remove usb-storage module" + modprobe: + name: usb-storage + state: absent + when: ansible_connection != 'docker' + when: + - ubtu20cis_rule_1_1_24 + - not ubtu20cis_allow_usb_storage + tags: + - level1-server + - level2-workstation + - automated + - patch + - rule_1.1.24 + - usb_storage diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml new file mode 100644 index 00000000..6849ca9a --- /dev/null +++ b/tasks/section_1/cis_1.2.x.yml 
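Review bot: The 1.1.22 task runs `chmod a+t` through `xargs` with `check_mode: false`, so a `--check` run of this PATCH task changes directory permissions on the target even though every other patch task in the file honours check mode; it also has no `changed_when`, so it always reports changed, and `failed_when: ubtu20cis_1_1_22_status.rc>0` merely restates the default. Splitting it into a read-only find step, which may legitimately run under check mode, and a `file` step that applies the sticky bit keeps check mode honest and reports the change per directory. Separately, the tag lists for 1.1.16 and 1.1.17 lack the `rule_1.1.16` and `rule_1.1.17` tags that every other task in the file carries, so `--tags rule_1.1.16` runs nothing; and `create: yes` / `enabled: no` should be `true` / `false` to match the rest of the role and yamllint's truthy rule.
```yaml
- name: "AUTOMATED | 1.1.22 | PATCH | Ensure sticky bit is set on all world-writable directories"
  block:
    - name: "AUTOMATED | 1.1.22 | AUDIT | Ensure sticky bit is set on all world-writable directories | Find world-writable directories without sticky bit"
      shell: df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null
      changed_when: false
      check_mode: false
      register: ubtu20cis_1_1_22_dirs

    - name: "AUTOMATED | 1.1.22 | PATCH | Ensure sticky bit is set on all world-writable directories | Set sticky bit"
      file:
        path: "{{ item }}"
        mode: a+t
      with_items: "{{ ubtu20cis_1_1_22_dirs.stdout_lines }}"
  # … unchanged: when / tags for 1.1.22 …
```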
@@ -0,0 +1,52 @@ +--- +- name: "MANUAL | 1.2.1 | AUDIT | Ensure package manager repositories are configured" + block: + - name: "MANUAL 1.2.1 | AUDIT | Ensure package manager repositories are configured | Get repositories" + command: apt-cache policy + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_1_2_1_apt_policy + + - name: "MANUAL 1.2.1 | AUDIT | Ensure package manager repositories are configured | Message out repository configs" + debug: + msg: + - "Alert!!!! Below are the apt package repositories" + - "Please review to make sure they conform to your sites policies" + - "{{ ubtu20cis_1_2_1_apt_policy.stdout_lines }}" + when: + - ubtu20cis_rule_1_2_1 + tags: + - level1-server + - level1-workstation + - manual + - audit + - rule_1.2.1 + - apt + +- name: "MANUAL | 1.2.2 | AUDIT | Ensure GPG keys are configured" + block: + - name: "MANUAL | 1.2.2 | AUDIT | Ensure GPG keys are configured | Get apt gpg keys" + command: apt-key list + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_1_2_2_apt_gpgkeys + + - name: "MANUAL | 1.2.2 | AUDIT | Ensure GPG keys are configured | Message out apt gpg keys" + debug: + msg: + - "Alert!!!! Below are the apt gpg kyes configured" + - "Please review to make sure they are configured" + - "in accordance with site policy" + - "{{ ubtu20cis_1_2_2_apt_gpgkeys.stdout_lines }}" + when: + - ubtu20cis_rule_1_2_2 + tags: + - level1-server + - level1-workstation + - manual + - audit + - rule_1.2.2 + - gpg + - keys diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml new file mode 100644 index 00000000..dafbaed3 --- /dev/null +++ b/tasks/section_1/cis_1.3.x.yml 
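Review bot: The two nested task names under 1.2.1 read `MANUAL 1.2.1 | AUDIT | ...`, dropping the `|` after `MANUAL` that every other name in these files uses (`MANUAL | 1.2.1 | AUDIT | ...`); the names are what operators grep in play output, so they should follow the same pattern. The operator-facing message `"Alert!!!! Below are the apt gpg kyes configured"` has a typo, `keys`. Note also that `apt-key list` reports only the legacy trusted keyring locations and not keys referenced per-repository via `signed-by` in sources lists, so on systems using that layout the audit output may be incomplete; a one-line comment above the `command:` stating this would set expectations.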
@@ -0,0 +1,35 @@ +--- +- name: "AUTOMATED | 1.3.1 | PATCH | Ensure AIDE is installed" + apt: + name: ['aide', 'aide-common'] + state: present + when: + - ubtu20cis_rule_1_3_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.3.1 + - aide + +- name: "AUTOMATED | 1.3.2 | PATCH | Ensure filesystem integrity is regularly checked" + cron: + name: Run AIDE integrity check + cron_file: "{{ ubtu20cis_aide_cron['cron_file'] }}" + user: "{{ ubtu20cis_aide_cron['cron_user'] }}" + minute: "{{ ubtu20cis_aide_cron['aide_minute'] | default('0') }}" + hour: "{{ ubtu20cis_aide_cron['aide_hour'] | default('5') }}" + day: "{{ ubtu20cis_aide_cron['aide_day'] | default('*') }}" + month: "{{ ubtu20cis_aide_cron['aide_month'] | default('*') }}" + weekday: "{{ ubtu20cis_aide_cron['aide_weekday'] | default('*') }}" + job: "{{ ubtu20cis_aide_cron['aide_job'] }}" + when: + - ubtu20cis_rule_1_3_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.3.2 + - cron diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml new file mode 100644 index 00000000..4c261f8f --- /dev/null +++ b/tasks/section_1/cis_1.4.x.yml 
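Review bot: 1.3.2 schedules the AIDE check via `cron`, but nothing in this file initialises the AIDE database (no `aideinit` / `aide --init` step and no move of the new database into place), so unless that happens elsewhere in the role the scheduled job has no baseline to compare against. Consider a one-shot initialisation task after 1.3.1, guarded by a `stat` on the database so it only runs once, or at least a comment above 1.3.2 such as `# AIDE database must be initialised (aideinit) before this scheduled check is meaningful`.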
@@ -0,0 +1,86 @@ +--- +- name: "AUTOMATED | 1.4.1 | PATCH | Ensure permissions on bootloader config are not overridden" + block: + - name: "AUTOMATED | 1.4.1 | PATCH | Ensure permissions on bootloader config are not overridden | Change chmod setting" + replace: + path: /usr/sbin/grub-mkconfig + regexp: 'chmod\s\d\d\d\s\${grub_cfg}.new' + replace: 'chmod 400 ${grub_cfg}.new' + + - name: "AUTOMATED | 1.4.1 | PATCH | Ensure permissions on bootloader config are not overridden | Remove check on password" + lineinfile: + path: /usr/sbin/grub-mkconfig + regexp: 'if \[ \"x\$\{grub_cfg\}\" != "x" \] && ! grep "\^password" \${grub_cfg}.new' + line: if [ "x${grub_cfg}" != "x" ]; then + when: + - ubtu20cis_rule_1_4_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.4.1 + - grub + +# --------------- +# --------------- +# The RHEL7 based control uses a custom module, grub_crypt +# I need to research best way to set grub pw for Ubuntu using the +# grub-mkpasswd-pbkdf2 command and passing the data at the same time. 
+# --------------- +# --------------- +- name: "AUTOMATED | 1.4.2 | PATCH | Ensure bootloader password is set" + command: /bin/true + changed_when: false + failed_when: false + check_mode: false + when: + - ubtu20cis_rule_1_4_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.4.2 + - grub + - notimplemented + +- name: "AUTOMATED | 1.4.3 | PATCH | Ensure permissions on bootloader config are configured" + block: + - name: "AUTOMATED | 1.4.3 | AUDIT | Ensure permissions on bootloader config are configured | Check for Grub file" + stat: + path: /boot/grub/grub.cfg + check_mode: false + register: ubtu20cis_1_4_3_grub_cfg_status + + - name: "AUTOMATED | 1.4.3 | PATCH | Ensure permissions on bootloader config are configured | Set permissions" + file: + path: /boot/grub/grub.cfg + owner: root + group: root + mode: 0400 + when: + - ubtu20cis_1_4_3_grub_cfg_status.stat.exists + when: + - ubtu20cis_rule_1_4_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.4.3 + - grub + +- name: "AUTOMATED | 1.4.4 | PATCH | Ensure authentication required for single user mode" + user: + name: root + password: "{{ ubtu20cis_root_pw }}" + when: + - ubtu20cis_rule_1_4_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.4.4 + - passwd diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml new file mode 100644 index 00000000..2731f3ea --- /dev/null +++ b/tasks/section_1/cis_1.5.x.yml 
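Review bot: 1.4.4 passes `ubtu20cis_root_pw` straight to `user: password:`, which the user module stores verbatim as the /etc/shadow hash; if the variable holds a plaintext value root is locked out rather than given a password, and the value is echoed in task output on change. Add `no_log: true` to the task and a comment stating the contract, e.g. `# ubtu20cis_root_pw must already be a crypt(3) hash, not plaintext`. Separately, 1.4.1 edits the packaged `/usr/sbin/grub-mkconfig` with `replace`/`lineinfile`; that change is undone by the next grub package upgrade, which deserves a comment above the block so operators know to re-run the role.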
@@ -0,0 +1,86 @@ +--- +- name: "MANUAL | 1.5.1 | AUDIT | Ensure XD/NX support is enabled" + block: + - name: "MANUAL | 1.5.1 | AUDIT | Ensure XD/NX support is enabled | Find status of XD/NX" + shell: "journalctl | grep 'protection: active'" + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_1_5_1_xdnx_status + + - name: "MANUAL | 1.5.1 | AUDIT | Ensure XD/NX support is enabled | Alert if XD/NX is not enabled" + debug: + msg: + - "ALERT!!!!You do not have XD/NX (Execute Disable/No Execute) enabled" + - "To conform to CIS standards this needs to be enabled" + when: "'active'not in ubtu20cis_1_5_1_xdnx_status.stdout" + when: + - ubtu20cis_rule_1_5_1 + tags: + - level1-server + - level1-workstation + - manual + - audit + - rule_1.5.1 + - xd/nx + +- name: "AUTOMATED | 1.5.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled" + block: + - name: "AUTOMATED | 1.5.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set ASLR settings" + lineinfile: + path: /etc/sysctl.conf + regexp: '^kernel.randomize_va_space' + line: 'kernel.randomize_va_space = 2' + + - name: "AUTOMATED | 1.5.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set active kernel parameter" + sysctl: + name: kernel.randomize_va_space + value: '2' + when: + - ubtu20cis_rule_1_5_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.5.2 + - aslr + +- name: "AUTOMATED | 1.5.3 | PATCH | Ensure prelink is not installed" + block: + - name: "AUTOMATED | 1.5.3 | PATCH | Ensure prelink is not installed | Restore binaries to normal" + command: prelink -ua + changed_when: false + failed_when: false + + - name: "AUTOMATED | 1.5.3 | PATCH | Ensure prelink is not installed| Remove prelink package" + apt: + name: prelink + state: absent + when: + - ubtu20cis_rule_1_5_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.5.3 + - prelink + +- name: "AUTOMATED | 1.5.4 
| PATCH | Ensure core dumps are restricted" + sysctl: + name: fs.suid_dumpable + value: '0' + state: present + reload: yes + sysctl_set: yes + ignoreerrors: yes + when: + - ubtu20cis_rule_1_5_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.5.4 + - coredump diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml new file mode 100644 index 00000000..376047fa --- /dev/null +++ b/tasks/section_1/cis_1.6.x.yml 
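Review bot: 1.5.4 only sets `fs.suid_dumpable`; the benchmark's remediation for this control also restricts user core dumps (`* hard core 0` in /etc/security/limits.conf or a limits.d drop-in) and, where systemd-coredump is installed, `Storage=none` / `ProcessSizeMax=0` in coredump.conf, so a host can pass this task and still write core files. A `lineinfile` task for the limits entry alongside the sysctl one would close that gap. Also, the 1.5.1 condition `"'active'not in ubtu20cis_1_5_1_xdnx_status.stdout"` is missing the space before `not`; Jinja tolerates it but it reads as a typo — `"'active' not in ubtu20cis_1_5_1_xdnx_status.stdout"`.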
@@ -0,0 +1,83 @@ +--- +- name: "AUTOMATED | 1.6.1.1 | PATCH | Ensure AppArmor is installed" + apt: + name: ['apparmor', 'apparmor-utils'] + state: present + when: + - ubtu20cis_rule_1_6_1_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.6.1.1 + - apparmor + +- name: "AUTOMATED | 1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration" + block: + - name: "AUTOMATED | 1.6.1.2 | AUDIT | Ensure AppArmor is enabled in the bootloader configuration | Get current settings" + shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_1_6_1_2_cmdline_settings + + - name: "AUTOMATED | 1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist" + lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX' + line: 'GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor {{ ubtu20cis_1_6_1_2_cmdline_settings.stdout }}"' + insertafter: '^GRUB_' + when: + - "'apparmor' not in ubtu20cis_1_6_1_2_cmdline_settings.stdout" + - "'security' not in ubtu20cis_1_6_1_2_cmdline_settings.stdout" + notify: grub update + + - name: "AUTOMATED | 1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist | Replace apparmor settings when exists" + replace: + path: /etc/default/grub + regexp: "{{ item.regexp }}" + replace: "{{ item.replace }}" + with_items: + - { regexp: 'apparmor=\S+', replace: 'apparmor=1' } + - { regexp: 'security=\S+', replace: 'security=apparmor' } + when: + - "'apparmor' in ubtu20cis_1_6_1_2_cmdline_settings.stdout" + - "'security' in ubtu20cis_1_6_1_2_cmdline_settings.stdout" + notify: grub update + when: + - ubtu20cis_rule_1_6_1_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.6.1.2 + - apparmor + +- name: "AUTOMATED | 1.6.1.3 | PATCH | Ensure all AppArmor Profiles are in 
enforce or complain mode" + command: aa-enforce /etc/apparmor.d/* + failed_when: false + when: + - ubtu20cis_rule_1_6_1_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.6.1.3 + - apparmor + +- name: "AUTOMATED | 1.6.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing" + command: aa-enforce /etc/apparmor.d/* + failed_when: false + when: + - ubtu20cis_rule_1_6_1_4 + tags: + - level2-server + - level2-workstation + - automated + - scored + - patch + - rule_1.6.1.4 + - apparmor diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml new file mode 100644 index 00000000..ddde1a40 --- /dev/null +++ b/tasks/section_1/cis_1.7.x.yml 
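Review bot: 1.6.1.3 and 1.6.1.4 both run `command: aa-enforce /etc/apparmor.d/*` with `failed_when: false` and no `changed_when`, so as far as I can tell the `command` module (which does not go through a shell) will not expand the `*` glob, aa-enforce is handed a literal path, and the resulting error is hidden while the task still reports changed every run. Use `shell:` or loop over the profile files, and assert on `rc` so a failure to enforce is visible. Because 1.6.1.3 (enforce *or* complain) runs exactly the same command as 1.6.1.4 (enforce), the level-1 task already applies the level-2 outcome; if that is intended, say so in a comment above 1.6.1.3, otherwise `aa-complain` is the level-1 remediation.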
@@ -0,0 +1,93 @@ +--- +- name: "AUTOMATED | 1.7.1 | PATCH | Ensure message of the day is configured properly" + template: + src: etc/motd.j2 + dest: /etc/motd + when: + - ubtu20cis_rule_1_7_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.7.1 + - motd + +- name: "AUTOMATED | 1.7.2 | PATCH | Ensure local login warning banner is configured properly" + template: + src: etc/issue.j2 + dest: /etc/issue + when: + - ubtu20cis_rule_1_7_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.7.2 + - banner + +- name: "AUTOMATED | 1.7.3 | PATCH | Ensure remote login warning banner is configured properly" + template: + src: etc/issue.net.j2 + dest: /etc/issue.net + when: + - ubtu20cis_rule_1_7_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.7.3 + - banner + +- name: "AUTOMATED | 1.7.4 | PATCH | Ensure permissions on /etc/motd are configured" + file: + path: /etc/motd + owner: root + group: root + mode: 0644 + when: + - ubtu20cis_rule_1_7_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.7.4 + - permissions + - motd + +- name: "AUTOMATED | 1.7.5 | PATCH | Ensure permissions on /etc/issue are configured" + file: + path: /etc/issue + owner: root + group: root + mode: 0644 + when: + - ubtu20cis_rule_1_7_5 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.7.5 + - permissions + - banner + +- name: "AUTOMATED | 1.7.6 | PATCH | Ensure permissions on /etc/issue.net are configured" + file: + path: /etc/issue.net + owner: root + group: root + mode: 0644 + when: + - ubtu20cis_rule_1_7_6 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.7.6 + - permissions + - banner diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml new file mode 100644 index 00000000..b03ebc99 --- /dev/null +++ b/tasks/section_1/cis_1.8.x.yml 
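Review bot: 1.7.1–1.7.3 render `/etc/motd`, `/etc/issue` and `/etc/issue.net` with `template` but set no `owner`/`group`/`mode`, so the files are created with whatever the umask gives until 1.7.4–1.7.6 run, and only if those rules are enabled. Adding `owner: root`, `group: root` and `mode: 0644` to each `template` task makes every banner correct on its own and leaves 1.7.4–1.7.6 as an idempotent permissions check.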
@@ -0,0 +1,78 @@ +--- +- name: "MANUAL | 1.8.1 | PATCH | Ensure GNOME Display Manager is removed" + apt: + name: gdm3 + state: absent + when: + - ubtu20cis_rule_1_8_1 + - not ubtu20cis_desktop_required + - ubtu20cis_disruption_high + tags: + - level2-server + - manual + - patch + - rule_1.8.1 + - gnome + +- name: "AUTOMATED | 1.8.2 | PATCH | Ensure GDM login banner is configured" + lineinfile: + path: /etc/gdm3/greeter.dconf-defaults + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" + create: yes + owner: root + group: root + mode: 0644 + notify: reload gdm + with_items: + - { regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]', insertafter: EOF } + - { regexp: 'banner-message-enable', line: 'banner-message-enable=true', insertafter: '\[org\/gnome\/login-screen\]'} + - { regexp: 'banner-message-text', line: 'banner-message-text={{ ubtu20cis_warning_banner }}', insertafter: 'banner-message-enable' } + when: + - ubtu20cis_rule_1_8_2 + - ubtu20cis_desktop_required + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.8.2 + - gnome + +- name: "AUTOMATED | 1.8.3 | PATCH | Ensure disable-user-list is enabled" + lineinfile: + path: /etc/gdm3/greeter.dconf-defaul + regexp: '^disable-user-list=' + line: 'disable-user-list=true' + insertafter: 'banner-message-text=' + create: yes + owner: root + group: root + mode: 0644 + notify: reload gdm + when: + - ubtu20cis_rule_1_8_3 + - ubtu20cis_desktop_required + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.8.3 + - gdm3 + +- name: "AUTOMATED | 1.8.4 | PATCH | Ensure XDCMP is not enabled" + lineinfile: + path: /etc/gdm3/custom.conf + regexp: '^Enable.*=.*true' + state: absent + when: + - ubtu20cis_rule_1_8_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.8.4 + - xdcmp 
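Review bot: 1.8.3 writes to `/etc/gdm3/greeter.dconf-defaul` (missing the trailing `t`), so with `create: yes` it silently creates a file GDM never reads and `disable-user-list=true` has no effect; the path should be `/etc/gdm3/greeter.dconf-defaults` as in 1.8.2. Also, the 1.8.4 name says `XDCMP` where the protocol is XDMCP, and `regexp: '^Enable.*=.*true'` is not scoped to the `[xdmcp]` section of custom.conf, so it would remove any other `Enable...=...true` key as well; `'^Enable\s*=\s*true'` at least limits it to the bare key.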
diff --git a/tasks/section_1/cis_1.9.yml b/tasks/section_1/cis_1.9.yml new file mode 100644 index 00000000..5460d849 --- /dev/null +++ b/tasks/section_1/cis_1.9.yml @@ -0,0 +1,14 @@ +--- +- name: "MANUAL | 1.9 | PATCH | Ensure updates, patches, and additional security software are installed" + apt: + name: "*" + state: latest + when: + - ubtu20cis_rule_1_9 + tags: + - level1-server + - level1-workstation + - manual + - patch + - rule_1.9 + - patch diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml new file mode 100644 index 00000000..36ecb9d1 --- /dev/null +++ b/tasks/section_1/main.yml @@ -0,0 +1,27 @@ +--- +- name: "SECTION | 1.1 | Disable Unused Filesystems" + include: cis_1.1.x.yml + +- name: "SECTION | 1.2 | Cofnigure Software Updates" + include: cis_1.2.x.yml + +- name: "SECTION | 1.3. | Filesystem Integrity Checking" + include: cis_1.3.x.yml + +- name: "SECTION | 1.4 | Secure Boot Settings" + include: cis_1.4.x.yml + +- name: "SECTION | 1.5 | Additional Process Hardening" + include: cis_1.5.x.yml + +- name: "SECTION | 1.6 | Mandatory Access Control" + include: cis_1.6.x.yml + +- name: "SECTION | 1.7 | Command Line Warning Banners" + include: cis_1.7.x.yml + +- name: "SECTION | 1.8 | GNOME Display Manager" + include: cis_1.8.x.yml + +- name: "SECTION | 1.9 | Ensure updates, patches, and additional security software are installed" + include: cis_1.9.yml \ No newline at end of file From 1a2406d24bf19601a8ca07ffff08cdaf72271a56 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Fri, 7 May 2021 08:39:45 -0400 Subject: [PATCH 38/44] updated section 2 layout 
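Review bot: 1.9 runs `apt: name: "*" state: latest` on every play — a full upgrade of every installed package, with no `update_cache` — while being tagged `manual`; that is a disruptive change for a hardening role to make without an explicit opt-in. Gate it behind the disruption flag already used elsewhere on this page by adding `- ubtu20cis_disruption_high` to `when:`, and consider `update_cache: yes` so `state: latest` compares against a current index.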
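Review bot: `include:` is the deprecated generic include (superseded by `import_tasks`/`include_tasks` since Ansible 2.4 and scheduled for removal) and is used for all nine entries here, and again in `tasks/section_2/main.yml` later in this series, whereas `tasks/main.yml` in the same series already uses `import_tasks`; switch these to `import_tasks: cis_1.1.x.yml` etc. so tag and `when` inheritance is consistent across the role. Also `Cofnigure` in the 1.2 name should be `Configure`, `1.3.` has a stray dot, and the file lacks a trailing newline.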
Signed-off-by: George Nalen --- tasks/main.yml | 2 +- tasks/{section2.yml => odl_section2.yml} | 0 tasks/section_2/cis_2.1.x.yml | 455 +++++++++++++++++++++++ tasks/section_2/cis_2.2.x.yml | 88 +++++ tasks/section_2/cis_2.3.yml | 24 ++ tasks/section_2/main.yml | 9 + 6 files changed, 577 insertions(+), 1 deletion(-) rename tasks/{section2.yml => odl_section2.yml} (100%) create mode 100644 tasks/section_2/cis_2.1.x.yml create mode 100644 tasks/section_2/cis_2.2.x.yml create mode 100644 tasks/section_2/cis_2.3.yml create mode 100644 tasks/section_2/main.yml diff --git a/tasks/main.yml b/tasks/main.yml index b1843f04..b9082d0c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -44,7 +44,7 @@ - section1 - name: Include section 2 patches - import_tasks: section2.yml + import_tasks: section_2/main.yml when: ubtu20cis_section2_patch tags: - section2 diff --git a/tasks/section2.yml b/tasks/odl_section2.yml similarity index 100% rename from tasks/section2.yml rename to tasks/odl_section2.yml diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml new file mode 100644 index 00000000..5c752625 --- /dev/null +++ b/tasks/section_2/cis_2.1.x.yml 
@@ -0,0 +1,455 @@ +--- +- name: "AUTOMATED | 2.1.1.1 | PATCH | Ensure time synchronization is in use" + apt: + name: "{{ ubtu20cis_time_sync_tool }}" + state: present + when: + - ubtu20cis_rule_2_1_1_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_2.1.1.1 + - chrony + +- name: "AUTOMATED | 2.1.1.2 | PATCH | Ensure systemd-timesyncd is configured" + block: + - name: "AUTOMATED | 2.1.1.2 | PATCH | Ensure systemd-timesyncd is configured | Remove ntp and chrony" + apt: + name: ['ntp', 'chrony'] + state: absent + + - name: "AUTOMATED | 2.1.1.2 | PATCH | Ensure systemd-timesyncd is configured | Set configuration for systemd-timesyncd" + lineinfile: + path: /etc/systemd/timesyncd.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" + with_items: + - { regexp: '^\[Time\]', line: '[Time]', insertafter: EOF } + - { regexp: '^#NTP|^NTP', line: 'NTP={{ ubtu20cis_ntp_server_list }}', insertafter: '\[Time\]' } + - { regexp: '^#FallbackNTP|^FallbackNTP', line: 'FallbackNTP={{ ubtu20cis_ntp_fallback_server_list }}', insertafter: '\[Time\]' } + - { regexp: '^#RootDistanceMaxSec|^RootDistanceMaxSec', line: 'RootDistanceMaxSec=1', insertafter: '\[Time\]'} + + - name: "AUTOMATED | 2.1.1.2 | PATCH | Ensure systemd-timesyncd is configured | Start and enable the systemd-timesyncd service" + systemd: + name: systemd-timesyncd.service + state: started + enabled: yes + masked: no + + - name: "AUTOMATED | 2.1.1.2 | PATCH | Ensure systemd-timesyncd is configured | Set timedatectl to ntp" + command: timedatectl set-ntp true + when: + - ubtu20cis_rule_2_1_1_2 + - ubtu20cis_time_sync_tool == "systemd-timesyncd" + tags: + - level1-server + - level1-workstation + - automated + - manual + - patch + - rule_2.1.1.2 + - systemd-timesyncd + +- name: "AUTOMATED | 2.1.1.3 | PATCH | Ensure chrony is configured" + block: + - name: "AUTOMATED | 2.1.1.3 | PATCH | Ensure chrony is configured | Remove ntp" + apt: + name: ntp + 
state: absent + + - name: "AUTOMATED | 2.1.1.3 | PATCH | Ensure chrony is configured | Disable/Mask systemd-timesyncd" + systemd: + name: systemd-timesyncd + state: stopped + enabled: no + masked: yes + + - name: "AUTOMATED | 2.1.1.3 | AUDIT | Ensure chrony is configured | Check for chrony user" + shell: grep {{ ubtu20cis_chrony_user }} /etc/passwd + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_2_1_1_3_chrony_user_status + + - name: "AUTOMATED | 2.1.1.3 | PATCH | Ensure chrony is configured | Set chrony.conf file" + template: + src: chrony.conf.j2 + dest: /etc/chrony/chrony.conf + owner: root + group: root + mode: 0644 + + - name: "AUTOMATED | 2.1.1.3 | PATCH | Ensure chrony is configured | Create chrony user" + user: + name: "{{ ubtu20cis_chrony_user }}" + shell: /usr/sbin/nologin + system: true + when: ubtu20cis_2_1_1_3_chrony_user_status.stdout | length > 0 + + - name: "AUTOMATED | 2.2.1.3 | PATCH | Ensure chrony is configured | Set option to use chrony user" + lineinfile: + path: /etc/default/chrony + regexp: '^DAEMON_OPTS' + line: 'DAEMON_OPTS="-u _chrony"' + when: + - ubtu20cis_rule_2_1_1_3 + - ubtu20cis_time_sync_tool == "chrony" + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_2.1.1.3 + - chrony + +- name: "AUTOMATED | 2.1.1.4 | PATCH | Ensure ntp is configured" + block: + - name: "AUTOMATED | 2.1.1.4 | PATCH | Ensure ntp is configured | Remove chrony" + apt: + name: chrony + state: absent + + - name: "AUTOMATED | 2.1.1.4 | PATCH | Ensure ntp is configured | Disable/Mask systemd-timesyncd" + systemd: + name: systemd-timesyncd + state: stopped + enabled: no + masked: yes + + - name: "AUTOMATED | 2.1.1.4 | PATCH | Ensure ntp is configured | Set ntp.conf settings" + template: + src: ntp.conf.j2 + dest: /etc/ntp.conf + owner: root + group: root + mode: 0644 + + - name: "AUTOMATED | 2.1.1.4 | PATCH | Ensure ntp is configured | Modify sysconfig/ntpd" + lineinfile: + path: /etc/sysconfig/ntpd + 
regexp: "{{ item.regexp }}" + line: "{{ item. line }}" + create: yes + with_items: + - { regexp: '^OPTIONS', line: 'OPTIONS="-u ntp:ntp"'} + - { regexp: '^NTPD_OPTIONS', line: 'NTPD_OPTIONS="-u ntp:ntp"' } + + - name: "AUTOMATED | 2.1.1.4 | PATCH | Ensure ntp is configured | Modify /etc/init.d/npt" + lineinfile: + path: /etc/init.d/ntp + regexp: '^RUNAUSER' + line: 'RUNAUSER=npt' + when: + - ubtu20cis_rule_2_1_1_4 + - ubtu20cis_time_sync_tool == "ntp" + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_2.1.1.4 + - ntp + +- name: "AUTOMATED | 2.1.2 | PATCH | Ensure X Window System is not installed" + apt: + name: xserver-xorg* + state: absent + when: + - ubtu20cis_rule_2_1_2 + - not ubtu20cis_desktop_required + tags: + - level1-server + - automated + - patch + - rule_2.1.2 + - xwindows + +- name: "AUTOMATED | 2.1.3 | PATCH | Ensure Avahi Server is not installed" + block: + - name: "AUTOMATED | 2.1.3 | PATCH | Ensure Avahi Server is not installed | Stop/Disable avahi-daemon.service" + service: + name: avahi-daemon.service + state: stopped + enabled: no + when: avahi_service_status.stdout == "loaded" + + - name: "AUTOMATED | 2.1.3 | PATCH | Ensure Avahi Server is not installed | Stop/Disable avahi-daemon.socket" + service: + name: avahi-daemon.socket + state: stopped + enabled: no + when: avahi_service_status.stdout == "loaded" + + - name: "AUTOMATED | 2.1.3 | PATCH | Ensure Avahi Server is not installed | Remove avahi-daemon" + apt: + name: avahi-daemon + state: absent + when: + - ubtu20cis_rule_2_1_3 + - not ubtu20cis_avahi_server + - ubtu20cis_disruption_high + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_2.1.3 + - avahi + - services + +- name: "AUTOMATED | 2.1.4 | PATCH | Ensure CUPS is not installed" + apt: + name: cups + state: absent + when: + - ubtu20cis_rule_2_1_4 + - not ubtu20cis_cups_server + tags: + - level1-server + - level2-workstation + - automated + - patch + - rule_2.1.4 + - cups + - 
services + +- name: "AUTOMATED | 2.1.5 | PATCH | Ensure DHCP Server is not installed" + apt: + name: isc-dhcp-server + state: absent + when: + - ubtu20cis_rule_2_1_5 + - not ubtu20cis_dhcp_server + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_2.1.5 + - dhcp + - services + +- name: "AUTOMATED | 2.1.6 | PATCH | Ensure LDAP server is not installed" + apt: + name: slapd + state: absent + when: + - ubtu20cis_rule_2_1_6 + - not ubtu20cis_ldap_server + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_2.1.6 + - ldap + - services + +- name: "AUTOMATED | 2.1.7 | PATCH | Ensure NFS is not installed" + apt: + name: nfs-kernel-server + state: absent + when: + - ubtu20cis_rule_2_1_7 + - not ubtu20cis_nfs_server + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_2.1.7 + - nfs + - rpc + - services + +- name: "AUTOMATED | 2.1.8 | PATCH | Ensure DNS Server is not installed" + apt: + name: bind9 + state: absent + when: + - ubtu20cis_rule_2_1_8 + - not ubtu20cis_dns_server + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_2.1.8 + - dns + - service + +- name: "AUTOMATED | 2.1.9 | PATCH | Ensure FTP Server is not installed" + apt: + name: vsftpd + state: absent + when: + - ubtu20cis_rule_2_1_9 + - not ubtu20cis_vsftpd_server + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_2.1.9 + - ftp + - service + +- name: "AUTOMATED | 2.1.10 | PATCH | Ensure HTTP server is not installed" + apt: + name: apache2 + state: absent + when: + - ubtu20cis_rule_2_1_10 + - not ubtu20cis_httpd_server + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_2.1.10 + - httpd + - service + +- name: "AUTOMATED | 2.1.11 | PATCH | Ensure IMAP and POP3 server are not installed" + apt: + name: ['dovecot-imapd', 'dovecot-pop3d'] + state: absent + when: + - ubtu20cis_rule_2_1_11 + - not ubtu20cis_dovecot_server + tags: + - level1-server 
+ - level1-workstation + - automated + - patch + - rule_2.1.11 + - dovecot + - service + +- name: "AUTOMATED | 2.1.12 | PATCH | Ensure Samba is not installed" + apt: + name: samba + state: absent + when: + - ubtu20cis_rule_2_1_12 + - not ubtu20cis_smb_server + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_2.1.12 + - samba + - service + +- name: "AUTOMATED | 2.1.13 | PATCH | Ensure HTTP Proxy Server is not installed" + apt: + name: squid + state: absent + when: + - ubtu20cis_rule_2_1_13 + - not ubtu20cis_squid_server + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_2.1.13 + - http_proxy + - service + +- name: "AUTOMATED | 2.1.14 | PATCH | Ensure SNMP Server is not installed" + apt: + name: snmpd + state: absent + when: + - ubtu20cis_rule_2_1_14 + - not ubtu20cis_snmp_server + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_2.1.14 + - snmp + - service + +- name: "AUTOMATED | 2.1.15 | PATCH | Ensure mail transfer agent is configured for local-only mode" + block: + - name: "AUTOMATED | 2.1.15 | PATCH | Ensure mail transfer agent is configured for local-only mode | Make changes if exim4 installed" + lineinfile: + path: /etc/exim4/update-exim4.conf.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + with_items: + - { regexp: '^dc_eximconfig_configtype', line: "dc_eximconfig_configtype='local'" } + - { regexp: '^dc_local_interfaces', line: "dc_local_interfaces='127.0.0.1 ; ::1'" } + - { regexp: '^dc_readhost', line: "dc_readhost=''" } + - { regexp: '^dc_relay_domains', line: "dc_relay_domains=''" } + - { regexp: '^dc_minimaldns', line: "dc_minimaldns='false'" } + - { regexp: '^dc_relay_nets', line: "dc_relay_nets=''" } + - { regexp: '^dc_smarthost', line: "dc_smarthost=''" } + - { regexp: '^dc_use_split_config', line: "dc_use_split_config='false'" } + - { regexp: '^dc_hide_mailname', line: "dc_hide_mailname=''" } + - { regexp: '^dc_mailname_in_oh', line: 
"dc_mailname_in_oh='true'" } + - { regexp: '^dc_localdelivery', line: "dc_localdelivery='mail_spool'" } + notify: restart exim4 + when: ubtu20_cis_mail_transfer_agent == "exim4" + + - name: "AUTOMATED | 2.1.15 | PATCH | Ensure mail transfer agent is configured for local-only mode | Make changes if postfix is installed" + lineinfile: + path: /etc/postfix/main.cf + regexp: '^(#)?inet_interfaces' + line: 'inet_interfaces = loopback-only' + notify: restart postfix + when: ubtu20_cis_mail_transfer_agent == "postfix" + + - name: "AUTOMATED | 2.1.15 | PATCH | Ensure mail transfer agent is configured for local-only mode | Message out other main agents" + debug: + msg: + - "Warning!! You are not using either exim4 or postfix" + - "Please review your vendors documentation to configure local-only mode" + when: ubtu20_cis_mail_transfer_agent == "other" + when: + - ubtu20cis_rule_2_1_15 + tags: + - level1-server + - level1-workstation + - automated + - scored + - patch + - rule_2.1.15 + - postfix + +- name: "AUTOMATED | 2.1.16 | PATCH | Ensure rsync service is not installed" + apt: + name: rsync + state: absent + when: + - ubtu20cis_rule_2_1_16 + - not ubtu20cis_rsync_server + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_2.1.16 + - rsync + +- name: "AUTOMATED | 2.1.17 | PATCH | Ensure NIS Server is not installed" + apt: + name: nis + state: absent + when: + - ubtu20cis_rule_2_1_17 + - not ubtu20cis_nis_server + tags: + - level1-server + - level1-workstation + - automated + - rule_2.1.17 + - nis + - service diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml new file mode 100644 index 00000000..72851419 --- /dev/null +++ b/tasks/section_2/cis_2.2.x.yml 
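Review bot: In 2.1.1.3 the `Create chrony user` condition is inverted: `ubtu20cis_2_1_1_3_chrony_user_status.stdout | length > 0` is true only when `grep` already found the user, so the account is "created" when it exists and skipped when it is missing, after which `DAEMON_OPTS="-u _chrony"` points chronyd at a user that may not exist. Change it to `when: ubtu20cis_2_1_1_3_chrony_user_status.stdout | length == 0` (or test `rc` from `getent passwd`, which also avoids the unanchored substring match of `grep {{ ubtu20cis_chrony_user }} /etc/passwd`), and write `-u {{ ubtu20cis_chrony_user }}` instead of the hard-coded `_chrony`. In 2.1.1.4, `/etc/sysconfig/ntpd` is a RHEL path that does not exist on Ubuntu (the task just creates an unused file), and `RUNAUSER=npt` in the `/etc/init.d/ntp` edit looks like a double typo for `RUNASUSER=ntp` — worth confirming against the Ubuntu init script. The sub-task name `AUTOMATED | 2.2.1.3 | PATCH | ...` should read `2.1.1.3`.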
@@ -0,0 +1,88 @@ +--- +- name: "2.2.1 | PATCH | Ensure NIS Client is not installed" + apt: + name: nis + state: absent + when: + - ubtu20cis_rule_2_2_1 + - not ubtu20cis_nis_required + tags: + - level1-server + - level1-workstation + - rule_2.2.1 + - nis + +- name: "AUTOMATED | 2.2.2 | PATCH | Ensure rsh client is not installed" + apt: + name: rsh-client + state: absent + when: + - ubtu20cis_rule_2_2_2 + - not ubtu20cis_rsh_required + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_2.2.2 + - rsh + +- name: "AUTOMATED | 2.2.3 | PATCH | Ensure talk client is not installed" + apt: + name: talk + state: absent + when: + - ubtu20cis_rule_2_2_3 + - not ubtu20cis_talk_required + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_2.2.3 + - talk + +- name: "AUTOMATED | 2.2.4 | PATCH | Ensure telnet client is not installed" + apt: + name: telnet + state: absent + when: + - ubtu20cis_rule_2_2_4 + - not ubtu20cis_telnet_required + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_2.2.4 + - telnet + +- name: "AUTOMATED | 2.2.5 | PATCH | Ensure LDAP client is not installed" + apt: + name: ldap-utils + state: absent + when: + - ubtu20cis_rule_2_2_5 + - not ubtu20cis_ldap_clients_required + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_2.2.5 + - ldap + +- name: "AUTOMATED | 2.2.6 | PATCH | Ensure RPC is not installed" + apt: + name: rpcbind + state: absent + when: + - ubtu20cis_rule_2_2_6 + - not ubtu20cis_rpc_required + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_2.2.6 + - rpbc diff --git a/tasks/section_2/cis_2.3.yml b/tasks/section_2/cis_2.3.yml new file mode 100644 index 00000000..7a8d21d3 --- /dev/null +++ b/tasks/section_2/cis_2.3.yml 
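Review bot: 2.2.1 is the only task in this file without the `AUTOMATED |` name prefix and the `automated`/`patch` tags that 2.2.2–2.2.6 carry, so a run limited with `--tags patch` or `--tags automated` skips the NIS client removal; align it with its siblings. The 2.2.6 tag `rpbc` appears to be a typo for `rpc`, which 2.1.7 already uses.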
@@ -0,0 +1,24 @@ +--- +- name: "MANUAL | 2.3 | AUDIT | Ensure nonessential services are removed or masked" + block: + - name: "MANUAL | 2.3 | AUDIT | Ensure nonessential services are removed or masked | Check for services" + shell: lsof -i -P -n | grep -v "(ESTABLISHED)" + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_2_3_services + + - name: "MANUAL | 2.3 | AUDIT | Ensure nonessential services are removed or masked | Message out running services" + debug: + msg: + - "Warning!! Below are the running services. Please review and remove as well as mask un-needed services" + - "{{ ubtu20cis_2_3_services.stdout_lines }}" + when: + - ubtu20cis_rule_2_3 + tags: + - level1-server + - level1-workstation + - manual + - audit + - rule_2.3 + - services diff --git a/tasks/section_2/main.yml b/tasks/section_2/main.yml new file mode 100644 index 00000000..7dedfbe6 --- /dev/null +++ b/tasks/section_2/main.yml @@ -0,0 +1,9 @@ +--- +- name: "SECTION | 2.1 | Special Purpose Services" + include: cis_2.1.x.yml + +- name: "SECTION | 2.2 | Service Clients" + include: cis_2.2.x.yml + +- name: "SECTION | 2.3 | Ensure nonessential services are removed or masked" + include: cis_2.3.yml \ No newline at end of file From 1300628d41d14d69fd68010e1971e72a98a25f46 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Fri, 7 May 2021 08:48:51 -0400 Subject: [PATCH 39/44] updated section 3 layout 
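Review bot: The 2.3 audit depends on `lsof`, which is not part of a minimal Ubuntu install; with `failed_when: false` a missing binary (rc 127) yields empty `stdout_lines`, and the debug task then reports no running services — a silent false negative on exactly the hosts most likely to be unmanaged. Either test `ubtu20cis_2_3_services.rc` before trusting the output, install `lsof` first, or use `ss -plntu` from iproute2, which is present on every Ubuntu host.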
Signed-off-by: George Nalen --- tasks/main.yml | 2 +- tasks/section_3/cis_3.1.x.yml | 70 +++ tasks/section_3/cis_3.2.x.yml | 60 +++ tasks/section_3/cis_3.3.x.yml | 233 ++++++++++ tasks/section_3/cis_3.4.x.yml | 64 +++ tasks/section_3/cis_3.5.x.yml | 791 ++++++++++++++++++++++++++++++++++ tasks/section_3/main.yml | 15 + 7 files changed, 1234 insertions(+), 1 deletion(-) create mode 100644 tasks/section_3/cis_3.1.x.yml create mode 100644 tasks/section_3/cis_3.2.x.yml create mode 100644 tasks/section_3/cis_3.3.x.yml create mode 100644 tasks/section_3/cis_3.4.x.yml create mode 100644 tasks/section_3/cis_3.5.x.yml create mode 100644 tasks/section_3/main.yml diff --git a/tasks/main.yml b/tasks/main.yml index b9082d0c..ccb315d3 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -50,7 +50,7 @@ - section2 - name: Include section 3 patches - import_tasks: section3.yml + import_tasks: section_3/main.yml when: ubtu20cis_section3_patch tags: - section3 diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml new file mode 100644 index 00000000..50697bd8 --- /dev/null +++ b/tasks/section_3/cis_3.1.x.yml 
@@ -0,0 +1,70 @@
+---
+- name: "MANUAL | 3.1.1 | PATCH | Disable IPv6"
+ block:
+ - name: "MANUAL | 3.1.1 | AUDIT | Disable IPv6 | Get current GRUB_CMDLINE_LINUX settings"
+ shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"'
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: ubtu20cis_3_1_1_grub_cmdline_linux_settings
+
+ - name: "MANUAL | 3.1.1 | PATCH | Disable IPv6 | Add ipv6.disable if does not exist"
+ lineinfile:
+ path: /etc/default/grub
+ regexp: '^GRUB_CMDLINE_LINUX'
+ line: 'GRUB_CMDLINE_LINUX="{{ ubtu20cis_3_1_1_grub_cmdline_linux_settings.stdout }} ipv6.disable=1"'
+ when: "'ipv6.disable' not in ubtu20cis_3_1_1_grub_cmdline_linux_settings.stdout"
+ notify: grub update
+
+ - name: "MANUAL | 3.1.1 | PATCH | Disable IPv6 | Set ipv6.disable to 1 if exists"
+ replace:
+ path: /etc/default/grub
+ regexp: 'ipv6\.disable=.'
+ replace: 'ipv6.disable=1'
+ when: "'ipv6.disable' in ubtu20cis_3_1_1_grub_cmdline_linux_settings.stdout"
+ notify: grub update
+
+ - name: "MANUAL | 3.1.1 | PATCH | Disable IPv6 | Remove net.ipv6.conf.all.disable_ipv6"
+ lineinfile:
+ path: /etc/sysctl.conf
+ regexp: '^net.ipv6.conf.all.disable_ipv6.*'
+ state: absent
+ when:
+ - ubtu20cis_rule_3_1_1
+ - not ubtu20cis_ipv6_required
+ tags:
+ - level2-server
+ - level2-workstation
+ - manual
+ - patch
+ - rule_3.1.1
+ - ipv6
+
+- name: "AUTOMATED | 3.1.2 | PATCH | Ensure wireless interfaces are disabled"
+ block:
+ - name: "AUTOMATED | 3.1.2 | PATCH | Ensure wireless interfaces are disabled | Check for network-manager tool"
+ shell: dpkg -l | grep network-manager
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: ubtu20cis_3_1_2_network_manager_status
+
+ - name: "AUTOMATED | 3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wireless if network-manager installed"
+ command: nmcli radio all off
+ changed_when: ubtu20cis_3_1_2_nmcli_radio_off.rc == 0
+ register: ubtu20cis_3_1_2_nmcli_radio_off
+ when: ubtu20cis_3_1_2_network_manager_status.stdout | length > 0
+
+ - name: "AUTOMATED | 3.1.2 | PATCH | Ensure wireless interfaces are disabled | Warn about wireless if network-manager not installed"
+ debug:
+ msg: "ALERT!!!! You need to disable wireless interfaces manually since network-manager is not installed"
+ when: ubtu20cis_3_1_2_network_manager_status.stdout | length == 0
+ when:
+ - ubtu20cis_rule_3_1_2
+ tags:
+ - level1-server
+ - level2-workstation
+ - automated
+ - patch
+ - rule_3.1.2
+ - wireless
diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml
new file mode 100644
index 00000000..90c2a20c
--- /dev/null
+++ b/tasks/section_3/cis_3.2.x.yml
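Review bot: `changed_when: ubtu20cis_3_1_2_nmcli_radio_off.rc == 0` on `command: nmcli radio all off` reports a change on every run, because the command exits 0 whether or not any radio was on, so 3.1.2 is never idempotent and a repeated run cannot distinguish an already-hardened host from one that still has wifi enabled. Query the state first (`command: nmcli radio all` with `changed_when: false` and `check_mode: false`, registered) and run the `off` command only when that output still contains `enabled`. The detection step `shell: dpkg -l | grep network-manager` also matches any package whose name or description contains the string, including removed-but-not-purged (`rc`) entries; anchoring it, `grep -E '^ii\s+network-manager\s'`, or using `dpkg-query -W network-manager` with `failed_when: false` and testing `rc`, is tighter. The 3.1.1 grub edits look correct but note they rewrite `GRUB_CMDLINE_LINUX` from the captured stdout; if the grep matched nothing the new line becomes `GRUB_CMDLINE_LINUX=" ipv6.disable=1"`, which is harmless but worth a comment.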
@@ -0,0 +1,60 @@
+---
+- name: "AUTOMATED | 3.2.1 | PATCH | Ensure packet redirect sending is disabled"
+ sysctl:
+ name: "{{ item }}"
+ value: '0'
+ sysctl_set: yes
+ state: present
+ reload: yes
+ ignoreerrors: yes
+ with_items:
+ - net.ipv4.conf.all.send_redirects
+ - net.ipv4.conf.default.send_redirects
+ notify: sysctl flush ipv4 route table
+ when:
+ - ubtu20cis_rule_3_2_1
+ - not ubtu20cis_is_router
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - rule_3.2.1
+ - packet_redirect
+ - sysctl
+
+- name: "AUTOMATED | 3.2.2 | PATCH | Ensure IP forwarding is disabled"
+ block:
+ - name: "AUTOMATED | 3.2.2 | PATCH | Ensure IP forwarding is disabled | IPv4 settings"
+ sysctl:
+ name: net.ipv4.ip_forward
+ value: '0'
+ sysctl_set: yes
+ state: present
+ reload: yes
+ ignoreerrors: yes
+ notify:
+ - sysctl flush ipv4 route table
+
+ - name: "AUTOMATED | 3.2.2 | PATCH | Ensure IP forwarding is disabled | IPv6 settings"
+ sysctl:
+ name: net.ipv6.conf.all.forwarding
+ value: '0'
+ sysctl_set: yes
+ state: present
+ reload: yes
+ ignoreerrors: yes
+ notify:
+ - sysctl flush ipv6 route table
+ when: ubtu20cis_ipv6_required
+ when:
+ - ubtu20cis_rule_3_2_2
+ - not ubtu20cis_is_router
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - rule_3.2.2
+ - ip_forwarding
+ - sysctl
diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml
new file mode 100644
index 00000000..b4060c48
--- /dev/null
+++ b/tasks/section_3/cis_3.3.x.yml
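Review bot: Every `sysctl:` task in this file sets `ignoreerrors: yes`, which makes the module report success even when the kernel rejects the key or value, so a control can show as applied while the running setting is unchanged; the same applies to every `sysctl:` task in tasks/section_3/cis_3.3.x.yml. Unless a key is known to be legitimately absent, drop `ignoreerrors` so a failed write is visible, and where a key may be missing (the `net.ipv6.*` keys on a host that booted with IPv6 disabled) guard the task with a condition instead — the `when: ubtu20cis_ipv6_required` already on the IPv6 tasks is the right pattern. As a point of style, `sysctl_set: yes` and `reload: yes` use the YAML 1.1 `yes` form while the neighbouring tasks write booleans as `false`; `sysctl_set: true` and `reload: true` keep the files consistent and avoid parser-version ambiguity.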
@@ -0,0 +1,233 @@
+---
+- name: "AUTOMATED | 3.3.1 | PATCH | Ensure source routed packets are not accepted"
+ block:
+ - name: "AUTOMATED | 3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv4 settings"
+ sysctl:
+ name: "{{ item }}"
+ value: '0'
+ sysctl_set: yes
+ state: present
+ reload: yes
+ ignoreerrors: yes
+ with_items:
+ - net.ipv4.conf.all.accept_source_route
+ - net.ipv4.conf.default.accept_source_route
+ notify: sysctl flush ipv4 route table
+
+ - name: "AUTOMATED | 3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6 settings"
+ sysctl:
+ name: "{{ item }}"
+ value: '0'
+ sysctl_set: yes
+ state: present
+ reload: yes
+ ignoreerrors: yes
+ with_items:
+ - net.ipv6.conf.all.accept_source_route
+ - net.ipv6.conf.default.accept_source_route
+ notify: sysctl flush ipv6 route table
+ when: ubtu20cis_ipv6_required
+ when:
+ - ubtu20cis_rule_3_3_1
+ - not ubtu20cis_is_router
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - rule_3.3.1
+ - routed_packets
+ - sysctl
+
+- name: "AUTOMATED | 3.3.2 | PATCH | Ensure ICMP redirects are not accepted"
+ block:
+ - name: "AUTOMATED | 3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4 settings"
+ sysctl:
+ name: "{{ item }}"
+ value: '0'
+ sysctl_set: yes
+ state: present
+ reload: yes
+ ignoreerrors: yes
+ with_items:
+ - net.ipv4.conf.all.accept_redirects
+ - net.ipv4.conf.default.accept_redirects
+ notify: sysctl flush ipv4 route table
+
+ - name: "AUTOMATED | 3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6 settings"
+ sysctl:
+ name: "{{ item }}"
+ value: '0'
+ sysctl_set: yes
+ state: present
+ reload: yes
+ ignoreerrors: yes
+ with_items:
+ - net.ipv6.conf.all.accept_redirects
+ - net.ipv6.conf.default.accept_redirects
+ notify: sysctl flush ipv6 route table
+ when: ubtu20cis_ipv6_required
+ when:
+ - ubtu20cis_rule_3_3_2
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - rule_3.3.2
+ - icmp
+ - sysctl
+
+- name: "AUTOMATED | 3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted"
+ sysctl:
+ name: "{{ item }}"
+ value: '0'
+ sysctl_set: yes
+ state: present
+ reload: yes
+ ignoreerrors: yes
+ with_items:
+ - net.ipv4.conf.all.secure_redirects
+ - net.ipv4.conf.default.secure_redirects
+ notify: sysctl flush ipv4 route table
+ when:
+ - ubtu20cis_rule_3_3_3
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - rule_3.3.3
+ - icmp
+ - sysctl
+
+- name: "AUTOMATED | 3.3.4 | PATCH | Ensure suspicious packets are logged"
+ sysctl:
+ name: "{{ item }}"
+ value: '1'
+ sysctl_set: yes
+ state: present
+ reload: yes
+ ignoreerrors: yes
+ with_items:
+ - net.ipv4.conf.all.log_martians
+ - net.ipv4.conf.default.log_martians
+ notify: sysctl flush ipv4 route table
+ when:
+ - ubtu20cis_rule_3_3_4
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - rule_3.3.4
+ - suspicious_packets
+ - sysctl
+
+- name: "AUTOMATED | 3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored"
+ sysctl:
+ name: net.ipv4.icmp_echo_ignore_broadcasts
+ value: '1'
+ sysctl_set: yes
+ state: present
+ reload: yes
+ ignoreerrors: yes
+ notify: sysctl flush ipv4 route table
+ when:
+ - ubtu20cis_rule_3_3_5
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - rule_3.3.5
+ - icmp
+ - sysctl
+
+- name: "AUTOMATED | 3.3.6 | PATCH | Ensure bogus ICMP responses are ignored"
+ sysctl:
+ name: net.ipv4.icmp_ignore_bogus_error_responses
+ value: '1'
+ sysctl_set: yes
+ state: present
+ reload: yes
+ ignoreerrors: yes
+ notify: sysctl flush ipv4 route table
+ when:
+ - ubtu20cis_rule_3_3_6
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - rule_3.3.6
+ - icmp
+ - sysctl
+
+- name: "AUTOMATED | 3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled"
+ sysctl:
+ name: "{{ item }}"
+ value: '1'
+ sysctl_set: yes
+ state: present
+ reload: yes
+ ignoreerrors: yes
+ with_items:
+ - net.ipv4.conf.all.rp_filter
+ - net.ipv4.conf.default.rp_filter
+ notify: sysctl flush ipv4 route table
+ when:
+ - ubtu20cis_rule_3_3_7
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - rule_3.3.7
+ - reverse_path_filtering
+ - sysctl
+
+- name: "AUTOMATED | 3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled"
+ sysctl:
+ name: net.ipv4.tcp_syncookies
+ value: '1'
+ sysctl_set: yes
+ state: present
+ reload: yes
+ ignoreerrors: yes
+ notify: sysctl flush ipv4 route table
+ when:
+ - ubtu20cis_rule_3_3_8
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - rule_3.3.8
+ - tcp_syn_cookies
+ - sysctl
+
+- name: "AUTOMATED | 3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted"
+ sysctl:
+ name: "{{ item }}"
+ value: '0'
+ sysctl_set: yes
+ state: present
+ reload: yes
+ ignoreerrors: yes
+ with_items:
+ - net.ipv6.conf.all.accept_ra
+ - net.ipv6.conf.default.accept_ra
+ notify: sysctl flush ipv6 route table
+ when:
+ - ubtu20cis_rule_3_3_9
+ - ubtu20cis_ipv6_required
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - rule_3.3.9
+ - ipv6
+ - router_advertisements
+ - sysctl
diff --git a/tasks/section_3/cis_3.4.x.yml b/tasks/section_3/cis_3.4.x.yml
new file mode 100644
index 00000000..042ee6e9
--- /dev/null
+++ b/tasks/section_3/cis_3.4.x.yml
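Review bot: 3.3.1 is guarded with `- not ubtu20cis_is_router` while 3.3.2 and 3.3.3 in the same file, which also turn off redirect acceptance, have only the rule toggle in their `when:`, and 3.2.1/3.2.2 in the neighbouring file carry the router guard as well. If the asymmetry is deliberate, a one-line comment above 3.3.2 such as `# router exemption intentionally not applied: accepting redirects is unsafe on routers too` would stop the next reader from "fixing" it; if it is not, the guard should be added to 3.3.2 and 3.3.3 for consistency.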
@@ -0,0 +1,64 @@
+---
+- name: "AUTOMATED | 3.4.1 | PATCH | Ensure DCCP is disabled"
+ lineinfile:
+ path: /etc/modprobe.d/dccp.conf
+ regexp: '^(#)?install dccp(\\s|$)'
+ line: 'install dccp /bin/true'
+ create: yes
+ when:
+ - ubtu20cis_rule_3_4_1
+ tags:
+ - level2-server
+ - level2-workstation
+ - automated
+ - patch
+ - rule_3.4.1
+ - dccp
+
+- name: "AUTOMATED | 3.4.2 | PATCH | Ensure SCTP is disabled"
+ lineinfile:
+ path: /etc/modprobe.d/sctp.conf
+ regexp: "^(#)?install sctp(\\s|$)"
+ line: 'install sctp /bin/true'
+ create: yes
+ when:
+ - ubtu20cis_rule_3_4_2
+ tags:
+ - level2-server
+ - level2-workstation
+ - automated
+ - patch
+ - rule_3.4.2
+ - sctp
+
+- name: "AUTOMATED | 3.4.3 | PATCH | Ensure RDS is disabled"
+ lineinfile:
+ path: /etc/modprobe.d/rds.conf
+ regexp: '^(#)?install rds(\\s|$)'
+ line: 'install rds /bin/true'
+ create: yes
+ when:
+ - ubtu20cis_rule_3_4_3
+ tags:
+ - level2-server
+ - level2-workstation
+ - automated
+ - patch
+ - rule_3.4.3
+ - rds
+
+- name: "AUTOMATED | 3.4.4 | PATCH | Ensure TIPC is disabled"
+ lineinfile:
+ path: /etc/modprobe.d/tipc.conf
+ regexp: '^(#)?install tipc(\\s|$)'
+ line: install tipc /bin/true
+ create: yes
+ when:
+ - ubtu20cis_rule_3_4_4
+ tags:
+ - level2-server
+ - level2-workstation
+ - automated
+ - patch
+ - rule_3.4.4
+ - tipc
diff --git a/tasks/section_3/cis_3.5.x.yml b/tasks/section_3/cis_3.5.x.yml
new file mode 100644
index 00000000..29938427
--- /dev/null
+++ b/tasks/section_3/cis_3.5.x.yml
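Review bot: In 3.4.1, 3.4.3 and 3.4.4 the `regexp` is single-quoted, `'^(#)?install dccp(\\s|$)'`, and YAML single quotes do not process backslashes, so the module receives a pattern containing `\\s` — a regex for a literal backslash followed by `s` — and will never match an existing `install dccp /bin/true` or `#install dccp ...` line; only 3.4.2, which double-quotes `"^(#)?install sctp(\\s|$)"`, yields the intended `\s`. When the regexp matches nothing, lineinfile appends `line` instead of replacing the existing entry, so a commented or differently written directive is left in place alongside the new one. Use a single backslash in the single-quoted form for all four tasks, e.g. `regexp: '^(#)?install dccp(\s|$)'`, and quote the 3.4.4 `line: install tipc /bin/true` like its siblings for consistency.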
@@ -0,0 +1,791 @@
+---
+- name: "AUTOMATED | 3.5.1.1 | PATCH | Ensure ufw is installed"
+ apt:
+ name: ufw
+ state: present
+ when:
+ - ubtu20cis_rule_3_5_1_1
+ - ubtu20cis_firewall_package == "ufw"
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - rule_3.5.1.1
+ - apt
+ - ufw
+
+- name: "AUTOMATED | 3.5.1.2 | PATCH | Ensure iptables-persistent is not installed with ufw"
+ apt:
+ name: iptables-persistent
+ state: absent
+ when:
+ - ubtu20cis_rule_3_5_1_2
+ - ubtu20cis_firewall_package == "ufw"
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - rule_3.5.1.2
+ - ufw
+
+# Adding the allow OpenSSH rule while enabling ufw to allow ansible to run after enabling
+- name: "AUTOMATED | 3.5.1.3 | PATCH | Ensure ufw service is enabled"
+ ufw:
+ rule: allow
+ name: OpenSSH
+ state: enabled
+ when:
+ - ubtu20cis_rule_3_5_2_1
+ - ubtu20cis_firewall_package == "ufw"
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - rule_3.5.1.3
+ - ufw
+
+- name: "AUTOMATED | 3.5.1.4 | PATCH | Ensure loopback traffic is configured"
+ block:
+ - name: "AUTOMATED | 3.5.1.4 | PATCH | Ensure loopback traffic is configured | Set allow in ufw rules"
+ ufw:
+ rule: allow
+ direction: in
+ interface: lo
+ notify: reload ufw
+
+ - name: "AUTOMATED | 3.5.1.4 | PATCH | Ensure loopback traffic is configured | Set allow out ufw rules"
+ ufw:
+ rule: allow
+ direction: out
+ interface: lo
+ notify: reload ufw
+
+ - name: "AUTOMATED | 3.5.1.4 | PATCH | Ensure loopback traffic is configured | Set deny ufw rules IPv4"
+ ufw:
+ rule: deny
+ direction: in
+ from_ip: 127.0.0.0/8
+ notify: reload ufw
+
+ - name: "AUTOMATED | 3.5.1.4 | PATCH | Ensure loopback traffic is configured | Set deny ufw rules IPv6"
+ ufw:
+ rule: deny
+ direction: in
+ from_ip: "::1"
+ notify: reload ufw
+ when: ubtu20cis_ipv6_required
+ when:
+ - ubtu20cis_rule_3_5_1_4
+ - ubtu20cis_firewall_package == "ufw"
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - rule_3.5.1.4
+ - ufw
+
+- name: "MANUAL | 3.5.1.5 | PATCH | Ensure ufw outbound connections are configured"
+ block:
+ - name: "MANUAL | 3.5.1.5 | PATCH | Ensure ufw outbound connections are configured | Custom ports"
+ ufw:
+ rule: allow
+ direction: out
+ to_port: '{{ item }}'
+ with_items:
+ - "{{ ubtu20cis_ufw_allow_out_ports }}"
+ notify: reload ufw
+ when: ubtu20cis_ufw_allow_out_ports != "all"
+
+ - name: "MANUAL | 3.5.1.5 | PATCH | Ensure ufw outbound connections are configured | Allow all"
+ ufw:
+ rule: allow
+ direction: out
+ to_port: all
+ notify: reload ufw
+ when: "'all' in ubtu20cis_ufw_allow_out_ports"
+ when:
+ - ubtu20cis_rule_3_5_1_5
+ - ubtu20cis_firewall_package == "ufw"
+ tags:
+ - level1-server
+ - level1-workstation
+ - manual
+ - patch
+ - rule_3.5.1.5
+ - ufw
+
+- name: "MANUAL | 3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports"
+ block:
+ - name: "MANUAL | 3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Get list of open ports"
+ command: ss -4tuln
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: ubtu20cis_3_5_1_6_open_listen_ports
+
+ - name: "MANUAL | 3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Get list of firewall rules"
+ command: ufw status
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: ubtu20cis_3_5_1_6_firewall_rules
+
+ - name: "MANUAL | 3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Message out settings"
+ debug:
+ msg:
+ - "ALERT!!!!Below are the listening ports and firewall rules"
+ - "Please create firewall rule for any open ports if not already done"
+ - "*****---Open Listen Ports---*****"
+ - "{{ ubtu20cis_3_5_1_6_open_listen_ports.stdout_lines }}"
+ - "*****---Firewall Rules---*****"
+ - "{{ ubtu20cis_3_5_1_6_firewall_rules.stdout_lines }}"
+ when:
+ - ubtu20cis_rule_3_5_1_6
+ - ubtu20cis_firewall_package == "ufw"
+ tags:
+ - level1-server
+ - level1-workstation
+ - manual
+ - audit
+ - rule_3.5.1.6
+ - ufw
+
+- name: "AUTOMATED | 3.5.1.7 | PATCH | Ensure ufw default deny firewall policy"
+ ufw:
+ default: deny
+ direction: "{{ item }}"
+ notify: reload ufw
+ with_items:
+ - incoming
+ - outgoing
+ - routed
+ when:
+ - ubtu20cis_rule_3_5_1_7
+ - ubtu20cis_firewall_package == "ufw"
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - rule_3.5.1.7
+ - ufw
+
+# ---------------
+# ---------------
+# NFTables is unsupported with this role. However I have the actions commented out as a guide
+# ---------------
+# ---------------
+- name: "AUTOMATED | 3.5.2.1 | AUDIT | Ensure nftables is installed"
+ debug:
+ msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables"
+ # apt:
+ # name: nftables
+ # state: present
+ when:
+ - ubtu20cis_rule_3_5_2_1
+ - ubtu20cis_firewall_package == "nftables"
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - audit
+ - rule_3.5.2.1
+ - nftables
+
+- name: "AUTOMATED | 3.5.2.2 | AUDIT | Ensure ufw is uninstalled or disabled with nftables"
+ debug:
+ msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables"
+ # apt:
+ # name: ufw
+ # state: absent
+ when:
+ - ubtu20cis_rule_3_5_2_2
+ - ubtu20cis_firewall_package == "nftables"
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - audit
+ - rule_3.5.2.2
+ - nftables
+
+- name: "MANUAL | 3.5.2.3 | AUDIT | Ensure iptables are flushed with nftables"
+ debug:
+ msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables"
+ # iptables:
+ # flush: yes
+ when:
+ - ubtu20cis_rule_3_5_2_3
+ - ubtu20cis_firewall_package == "nftables"
+ tags:
+ - level1-server
+ - level1-workstation
+ - manual
+ - audit
+ - rule_3.5.2.3
+ - nftables
+
+- name: "AUTOMATED | 3.5.2.4 | AUDIT | Ensure a nftables table exists"
+ debug:
+ msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables"
+ # command: "nft create table {{ ubtu20cis_nftables_table_name }}"
+ # changed_when: ubtu20cis_3_5_2_4_new_table.rc == 0
+ # failed_when: false
+ # check_mode: false
+ # register: ubtu20cis_3_5_2_4_new_table
+ when:
+ - ubtu20cis_rule_3_5_2_4
+ - ubtu20cis_firewall_package == "nftables"
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - rule_3.5.2.4
+ - nftables
+
+- name: "AUTOMATED | 3.5.2.5 | AUDIT | Ensure nftables base chains exist"
+ debug:
+ msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables"
+ # block:
+ # - name: "AUTOMATED | 3.5.2.5 | PATCH | Ensure nftables base chains exist | Input entry"
+ # shell: 'nft create chain {{ ubtu20cis_nftables_table_name }} input { type filter hook input priority 0 \; }'
+ # changed_when: ubtu20cis_3_5_2_5_base_chains_input.rc == 0
+ # failed_when: false
+ # register: ubtu20cis_3_5_2_5_base_chains_input
+
+ # - name: "AUTOMATED | 3.5.2.5 | PATCH | Ensure nftables base chains exist | Forward entry"
+ # shell: 'nft create chain {{ ubtu20cis_nftables_table_name }} forward { type filter hook forward priority 0 \; }'
+ # changed_when: ubtu20cis_3_5_2_5_base_chains_forward.rc == 0
+ # failed_when: false
+ # register: ubtu20cis_3_5_2_5_base_chains_forward
+
+ # - name: "AUTOMATED | 3.5.2.5 | PATCH | Ensure nftables base chains exist | Output entry"
+ # shell: 'nft create chain {{ ubtu20cis_nftables_table_name }} output { type filter hook output priority 0 \; }'
+ # changed_when: ubtu20cis_3_5_2_5_base_chains_output.rc == 0
+ # failed_when: false
+ # register: ubtu20cis_3_5_2_5_base_chains_output
+ when:
+ - ubtu20cis_rule_3_5_2_5
+ - ubtu20cis_firewall_package == "nftables"
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - audit
+ - rule_3.5.2.5
+ - nftables
+
+- name: "AUTOMATED | 3.5.2.6 | AUDIT | Ensure nftables loopback traffic is configured"
+ debug:
+ msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables"
+ # block:
+ # - name: "AUTOMATED | 3.5.2.6 | AUDIT | Ensure nftables loopback traffic is configured | Get input iif lo accept status"
+ # shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept'
+ # changed_when: false
+ # failed_when: false
+ # check_mode: false
+ # register: ubtu20cis_3_5_2_6_loopback_iif_status
+
+ # - name: "AUTOMATED | 3.5.2.6 | AUDIT | Ensure nftables loopback traffic is configured | Get input iif lo accept status"
+ # shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr'
+ # changed_when: false
+ # failed_when: false
+ # check_mode: false
+ # register: ubtu20cis_3_5_2_6_loopback_input_drop_status
+
+ # - name: "AUTOMATED | 3.5.2.6 | AUDIT | Ensure nftables loopback traffic is configured | Get input iif lo accept status"
+ # shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr'
+ # changed_when: false
+ # failed_when: false
+ # check_mode: false
+ # register: ubtu20cis_3_5_2_6_loopback_ipv6_drop_status
+
+ # - name: "AUTOMATED | 3.5.2.6 | PATCH | Ensure nftables loopback traffic is configured | Loopback iif lo accept"
+ # command: 'nft add rule inet {{ ubtu20cis_nftables_table_name }} input iif lo accept'
+ # changed_when: ubtu20cis_3_5_2_6_loopback_iif.rc == 0
+ # failed_when: false
+ # register: ubtu20cis_3_5_2_6_loopback_iif
+ # when: "'iif \"lo\" accept' not in ubtu20cis_3_5_2_6_loopback_iif_status.stdout"
+
+ # - name: "AUTOMATED | 3.5.2.6 | PATCH | Ensure nftables loopback traffic is configured | Loopback input drop"
+ # command: 'nft add rule inet {{ ubtu20cis_nftables_table_name }} input ip saddr 127\.0\.0\.0\/8 counter drop'
+ # changed_when: ubtu20cis_3_5_2_6_loopback_input_drop.rc == 0
+ # failed_when: false
+ # register: ubtu20cis_3_5_2_6_loopback_input_drop
+ # when:
+ # - "'ip saddr 127.0.0.0/8' not in ubtu18cis_3_5_3_4_loopback_input_drop_status.stdout"
+ # - "'drop' not in ubtu20cis_3_5_2_6_loopback_input_drop_status.stdout"
+
+ # - name: "3AUTOMATED | .5.2.6 | PATCH | Ensure nftables loopback traffic is configured | Loopback ipv6 drop"
+ # command: 'nft add rule inet {{ ubtu20cis_nftables_table_name }} input ip6 saddr ::1 counter drop'
+ # changed_when: ubtu20cis_3_5_2_6_loopback_ipv6_drop.rc == 0
+ # failed_when: false
+ # register: ubtu20cis_3_5_2_6_loopback_ipv6_drop
+ # when:
+ # - "'ip6 saddr' not in ubtu20cis_3_5_2_6_loopback_ipv6_drop_status.stdout"
+ # - "'drop' not in ubtu20cis_3_5_2_6_loopback_ipv6_drop_status.stdout"
+ when:
+ - ubtu20cis_rule_3_5_2_6
+ - ubtu20cis_firewall_package == "nftables"
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - audit
+ - rule_3.5.2.6
+ - nftables
+
+- name: "MANUAL | 3.5.2.7 | AUDIT | Ensure nftables outbound and established connections are configured"
+ debug:
+ msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables"
+ when:
+ - ubtu20cis_rule_3_5_2_7
+ - ubtu20cis_firewall_package == "nftables"
+ tags:
+ - level1-server
+ - level1-workstation
+ - manual
+ - audit
+ - rule_3.5.2.7
+ - nftables
+
+- name: "AUTOMATED | 3.5.2.8 | AUDIT | Ensure nftables default deny firewall policy"
+ debug:
+ msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables"
+ when:
+ - ubtu20cis_rule_3_5_2_8
+ - ubtu20cis_firewall_package == "nftables"
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - audit
+ - rule_3.5.2.8
+ - nftables
+
+- name: "AUTOMATED | 3.5.2.9 | AUDIT | Ensure nftables service is enabled"
+ debug:
+ msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables"
+ # service:
+ # name: nftables
+ # state: started
+ # enabled: yes
+ when:
+ - ubtu20cis_rule_3_5_2_8
+ - ubtu20cis_firewall_package == "nftables"
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - audit
+ - rule_3.5.2.9
+ - nftables
+
+- name: "AUTOMATED | 3.5.2.10 | AUDIT | Ensure nftables rules are permanent"
+ debug:
+ msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables"
+ when:
+ - ubtu20cis_rule_3_5_2_10
+ - ubtu20cis_firewall_package == "nftables"
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - audit
+ - rule_3.5.2.10
+ - nftables
+
+- name: "AUTOMATED | 3.5.3.1.1 | PATCH | Ensure iptables packages are installed"
+ apt:
+ name: ['iptables', 'iptables-persistent']
+ state: present
+ when:
+ - ubtu20cis_rule_3_5_3_1_1
+ - ubtu20cis_firewall_package == "iptables"
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - rule_3.5.3.1.1
+ - iptables
+
+- name: "AUTOMATED | 3.5.3.1.2 | PATCH | Ensure nftables is not installed with iptables"
+ apt:
+ name: nftables
+ state: absent
+ when:
+ - ubtu20cis_rule_3_5_3_1_2
+ - ubtu20cis_firewall_package == "iptables"
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - rule_3.5.3.1.2
+ - iptables
+
+- name: "AUTOMATED | 3.5.3.1.3 | PATCH | Ensure ufw is uninstalled or disabled with iptables"
+ apt:
+ name: ufw
+ state: absent
+ when:
+ - ubtu20cis_rule_3_5_3_1_3
+ - ubtu20cis_firewall_package == "iptables"
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - rule_3.5.3.1.3
+ - iptables
+
+- name: "AUTOMATED | 3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured"
+ block:
+ - name: "AUTOMATED | 3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | INPUT loopback ACCEPT"
+ iptables:
+ action: append
+ chain: INPUT
+ in_interface: lo
+ jump: ACCEPT
+
+ - name: "AUTOMATED | 3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT"
+ iptables:
+ action: append
+ chain: OUTPUT
+ out_interface: lo
+ jump: ACCEPT
+
+ - name: "AUTOMATED | 3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT"
+ iptables:
+ action: append
+ chain: INPUT
+ source: 127.0.0.0/8
+ jump: DROP
+ when:
+ - ubtu20cis_rule_3_5_3_2_1
+ - ubtu20cis_firewall_package == "iptables"
+ - ubtu20cis_ipv4_required
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - rule_3.5.3.2.1
+ - iptables
+
+- name: "MANUAL | 3.5.3.2.2 | PATCH | Ensure iptables outbound and established connections are configured"
+ iptables:
+ action: append
+ chain: '{{ item.chain }}'
+ protocol: '{{ item.protocol }}'
+ match: state
+ ctstate: '{{ item.ctstate }}'
+ jump: ACCEPT
+ with_items:
+ - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' }
+ - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' }
+ - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' }
+ - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' }
+ - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' }
+ - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' }
+ when:
+ - ubtu20cis_rule_3_5_3_2_2
+ - ubtu20cis_firewall_package == "iptables"
+ - ubtu20cis_ipv4_required
+ tags:
+ - level1-server
+ - level1-workstation
+ - manual
+ - patch
+ - rule_3.5.3.2.2
+ - iptables
+
+- name: "AUTOMATED | 3.5.3.2.3 | PATCH | Ensure iptables default deny firewall policy"
+ block:
+ - name: "AUTOMATED | 3.5.3.2.3 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed in"
+ iptables:
+ chain: INPUT
+ protocol: tcp
+ destination_port: 22
+ jump: ACCEPT
+ ctstate: 'NEW,ESTABLISHED'
+
+ - name: "AUTOMATED | 3.5.3.2.3 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed out"
+ iptables:
+ chain: OUTPUT
+ protocol: tcp
+ source_port: 22
+ jump: ACCEPT
+ ctstate: 'NEW,ESTABLISHED'
+
+ - name: "AUTOMATED | 3.5.3.2.3 | PATCH | Ensure iptables default deny firewall policy | Enable apt traffic"
+ iptables:
+ chain: INPUT
+ ctstate: 'ESTABLISHED'
+ jump: ACCEPT
+
+ - name: "AUTOMATED | 3.5.3.2.3 | PATCH | Ensure iptables default deny firewall policy | Set drop items"
+ iptables:
+ policy: DROP
+ chain: "{{ item }}"
+ with_items:
+ - INPUT
+ - FORWARD
+ - OUTPUT
+ when:
+ - ubtu20cis_rule_3_5_3_2_3
+ - ubtu20cis_firewall_package == "iptables"
+ - ubtu20cis_ipv4_required
+ - not system_is_ec2
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - rule_3.5.3.2.3
+ - iptables
+
+
+- name: "AUTOMATED | 3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports"
+ block:
+ - name: "AUTOMATED | 3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of open ports"
+ command: ss -4tuln
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: ubtu20cis_3_5_3_2_4_open_ports
+
+ - name: "AUTOMATED | 3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules"
+ command: iptables -L INPUT -v -n
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: ubtu20cis_3_5_3_2_4_current_rules
+
+ - name: "AUTOMATED | 3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Alert about settings"
+ debug:
+ msg:
+ - "ALERT!!!!Below is the list the open ports and current rules"
+ - "Please create a rule for any open port that does not have a current rule"
+ - "Open Ports:"
+ - "{{ ubtu20cis_3_5_3_2_4_open_ports.stdout_lines }}"
+ - "Current Rules:"
+ - "{{ ubtu20cis_3_5_3_2_4_current_rules.stdout_lines }}"
+ when:
+ - ubtu20cis_rule_3_5_3_2_4
+ - ubtu20cis_firewall_package == "iptables"
+ - ubtu20cis_ipv4_required
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - audit
+ - rule_3.5.3.2.4
+ - iptables
+
+# ---------------
+# ---------------
+# This is not a control however using the iptables module only writes to memery
+# if a reboot occurs that means changes can revert. This task will make the
+# above iptables settings permanent
+# ---------------
+# ---------------
+- name: "Make IPTables persistent | Not a control"
+ block:
+ - name: "Make IPTables persistent | Install iptables-persistent"
+ apt:
+ name: iptables-persistent
+ state: present
+
+ - name: "Make IPTables persistent | Save to persistent files"
+ shell: bash -c "iptables-save > /etc/iptables/rules.v4"
+ changed_when: ubtu20cis_iptables_save.rc == 0
+ failed_when: ubtu20cis_iptables_save.rc > 0
+ register: ubtu20cis_iptables_save
+ when:
+ - ubtu20cis_firewall_package == "iptables"
+ - ubtu20cis_save_iptables_cis_rules
+ - ubtu20cis_rule_3_5_3_2_1 or
+ ubtu20cis_rule_3_5_3_2_2 or
+ ubtu20cis_rule_3_5_3_2_3 or
+ ubtu20cis_rule_3_5_3_2_4
+
+- name: "AUTOMATED | 3.5.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured"
+ block:
+ - name: "AUTOMATED | 3.5.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback ACCEPT"
+ iptables:
+ action: append
+ chain: INPUT
+ in_interface: lo
+ jump: ACCEPT
+ ip_version: ipv6
+
+ - name: "AUTOMATED | 3.5.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT loopback ACCEPT"
+ iptables:
+ action: append
+ chain: OUTPUT
+ out_interface: lo
+ jump: ACCEPT
+ ip_version: ipv6
+
+ - name: "AUTOMATED | 3.5.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback drop"
+ iptables:
+ action: append
+ chain: INPUT
+ source: ::1
+ jump: DROP
+ ip_version: ipv6
+ when:
+ - ubtu20cis_rule_3_5_3_3_1
+ - ubtu20cis_firewall_package == "iptables"
+ - ubtu20cis_ipv6_required
+ - not ubtu20cis_ipv4_required
+ tags:
+ - level1-server
+ - level1-workstation
+ - automated
+ - patch
+ - rule_3.5.3.3.1
+ - ip6tables
+
+- name: "MANUAL | 3.5.3.3.2 | PATCH | Ensure ip6tables outbound and established connections are configured"
+ iptables:
+ action: append
+ chain: '{{ item.chain }}'
+ protocol: '{{ item.protocol }}' + match: state + ctstate: '{{ item.ctstate }}' + jump: ACCEPT + ip_version: ipv6 + with_items: + - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } + - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } + - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' } + - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' } + - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' } + - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' } + when: + - ubtu20cis_rule_3_5_3_3_2 + - ubtu20cis_firewall_package == "iptables" + - ubtu20cis_ipv6_required + - not ubtu20cis_ipv4_required + tags: + - level1-server + - level1-workstation + - manual + - patch + - rule_3.5.3.3.2 + - ip6tables + +- name: "AUTOMATED | 3.5.3.3.3 | PATCH | Ensure ip6tables default deny firewall policy" + block: + - name: "3.5.3.3.3 | PATCH | Ensure ip6tables default deny firewall policy | Configure SSH to be allowed out" + iptables: + chain: OUTPUT + protocol: tcp + source_port: 22 + jump: ACCEPT + ctstate: 'NEW,ESTABLISHED' + ip_version: ipv6 + + - name: "AUTOMATED | 3.5.3.3.3 | PATCH | Ensure ip6tables default deny firewall policy | Enable apt traffic" + iptables: + chain: INPUT + ctstate: 'ESTABLISHED' + jump: ACCEPT + ip_version: ipv6 + + - name: "AUTOMATED | 3.5.3.3.3 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items" + iptables: + policy: DROP + chain: "{{ item }}" + ip_version: ipv6 + with_items: + - INPUT + - FORWARD + - OUTPUT + when: + - ubtu20cis_rule_3_5_3_3_3 + - ubtu20cis_firewall_package == "iptables" + - ubtu20cis_ipv6_required + - not ubtu20cis_ipv4_required + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_3.5.3.3.3 + - ip6tables + +- name: "AUTOMATED | 3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports" + block: + - name: "AUTOMATED | 3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of open ports" + 
command: ss -6tuln + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_3_5_3_3_4_open_ports + + - name: "AUTOMATED | 3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of rules" + command: ip6tables -L INPUT -v -n + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_3_5_3_3_4_current_rules + + - name: "AUTOMATED | 3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Alert about settings" + debug: + msg: + - "ALERT!!!!Below is the list the open ports and current rules" + - "Please create a rule for any open port that does not have a current rule" + - "Open Ports:" + - "{{ ubtu20cis_3_5_3_3_4_open_ports.stdout_lines }}" + - "Current Rules:" + - "{{ ubtu20cis_3_5_3_3_4_current_rules.stdout_lines }}" + when: + - ubtu20cis_rule_3_5_3_3_4 + - ubtu20cis_firewall_package == "iptables" + - ubtu20cis_ipv6_required + - not ubtu20cis_ipv4_required + tags: + - level1-server + - level1-workstation + - automated + - audit + - rule_3.5.3.3.4 + - ip6tables + +# --------------- +# --------------- +# This is not a control however using the ip6tables module only writes to memery +# if a reboot occurs that means changes can revert. 
This task will make the +# above ip6tables settings permanent +# --------------- +# --------------- +- name: "Make IP6Tables persistent | Not a control" + block: + - name: "Make IP6Tables persistent | Install iptables-persistent" + apt: + name: iptables-persistent + state: present + + - name: "Make IP6Tables persistent | Save to persistent files" + shell: bash -c "ip6tables-save > /etc/iptables/rules.v6" + changed_when: ubtu20cis_ip6tables_save.rc == 0 + failed_when: ubtu20cis_ip6tables_save.rc > 0 + register: ubtu20cis_ip6tables_save + when: + - ubtu20cis_firewall_package == "iptables" + - ubtu20cis_ipv6_required + - not ubtu20cis_ipv4_required + - ubtu20cis_save_iptables_cis_rules + - ubtu20cis_rule_3_5_3_3_1 or + ubtu20cis_rule_3_5_3_3_2 or + ubtu20cis_rule_3_5_3_3_3 or + ubtu20cis_rule_3_5_3_3_4 diff --git a/tasks/section_3/main.yml b/tasks/section_3/main.yml new file mode 100644 index 00000000..1f80b148 --- /dev/null +++ b/tasks/section_3/main.yml @@ -0,0 +1,15 @@ +--- +- name: "SECTION | 3.1 | Disable unused network protocols and devices" + include: cis_3.1.x.yml + +- name: "SECTION | 3.2 | Network Parameters Host Only" + include: cis_3.2.x.yml + +- name: "SECTION | 3.3 | Network Parameters Host and Router" + include: cis_3.3.x.yml + +- name: "SECTION | 3.4 | Uncommong Network Protocols" + include: cis_3.4.x.yml + +- name: "SECTION | 3.5 | Firewall Configuration" + include: cis_3.5.x.yml \ No newline at end of file From fbc9de71a10b4e51647171061fa781877e8ed01c Mon Sep 17 00:00:00 2001 From: George Nalen Date: Fri, 7 May 2021 09:12:05 -0400 Subject: [PATCH 40/44] updated section 4 layout 
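Review bot: The five `include:` statements in the new tasks/section_3/main.yml use the legacy `include` action, which Ansible deprecated in 2.4 in favour of `include_tasks`/`import_tasks`; the parent tasks/main.yml touched later in this series already uses `import_tasks`, so for consistency and forward compatibility each line should read `import_tasks: cis_3.1.x.yml` (and likewise for the other four sections). The same applies to every `include:` in tasks/section_4/main.yml at the end of the next commit. The 3.4 task name has a typo, `Uncommong` → `Uncommon`, and the file lacks a trailing newline, which yamllint's `new-line-at-end-of-file` rule flags.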
Signed-off-by: George Nalen --- tasks/main.yml | 2 +- tasks/{odl_section2.yml => old_section2.yml} | 0 tasks/{section3.yml => old_section3.yml} | 0 tasks/{section4.yml => old_section4.yml} | 0 tasks/section_4/cis_4.1.1.x.yml | 100 +++++++ tasks/section_4/cis_4.1.2.x.yml | 53 ++++ tasks/section_4/cis_4.1.x.yml | 279 +++++++++++++++++++ tasks/section_4/cis_4.2.1.x.yml | 153 ++++++++++ tasks/section_4/cis_4.2.2.x.yml | 50 ++++ tasks/section_4/cis_4.2.3.yml | 16 ++ tasks/section_4/cis_4.3.yml | 26 ++ tasks/section_4/cis_4.4.yml | 15 + tasks/section_4/main.yml | 24 ++ 13 files changed, 717 insertions(+), 1 deletion(-) rename tasks/{odl_section2.yml => old_section2.yml} (100%) rename tasks/{section3.yml => old_section3.yml} (100%) rename tasks/{section4.yml => old_section4.yml} (100%) create mode 100644 tasks/section_4/cis_4.1.1.x.yml create mode 100644 tasks/section_4/cis_4.1.2.x.yml create mode 100644 tasks/section_4/cis_4.1.x.yml create mode 100644 tasks/section_4/cis_4.2.1.x.yml create mode 100644 tasks/section_4/cis_4.2.2.x.yml create mode 100644 tasks/section_4/cis_4.2.3.yml create mode 100644 tasks/section_4/cis_4.3.yml create mode 100644 tasks/section_4/cis_4.4.yml create mode 100644 tasks/section_4/main.yml diff --git a/tasks/main.yml b/tasks/main.yml index ccb315d3..4450ea00 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -56,7 +56,7 @@ - section3 - name: Include section 4 patches - import_tasks: section4.yml + import_tasks: section_4/main.yml when: ubtu20cis_section4_patch tags: - section4 diff --git a/tasks/odl_section2.yml b/tasks/old_section2.yml similarity index 100% rename from tasks/odl_section2.yml rename to tasks/old_section2.yml diff --git a/tasks/section3.yml b/tasks/old_section3.yml similarity index 100% rename from tasks/section3.yml rename to tasks/old_section3.yml diff --git a/tasks/section4.yml b/tasks/old_section4.yml similarity index 100% rename from tasks/section4.yml rename to tasks/old_section4.yml 
diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml
new file mode 100644
index 00000000..3e743ebc
--- /dev/null
+++ b/tasks/section_4/cis_4.1.1.x.yml
@@ -0,0 +1,100 @@ +--- +- name: "AUTOMATED | 4.1.1.1 | PATCH | Ensure auditd is installed" + apt: + name: ['auditd', 'audispd-plugins'] + state: present + when: + - ubtu20cis_rule_4_1_1_1 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4.1.1.1 + - auditd + +- name: "AUTOMATED | 4.1.1.2 | PATCH | Ensure auditd service is enabled" + service: + name: auditd + state: started + enabled: yes + when: + - ubtu20cis_rule_4_1_1_2 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4.1.1.2 + - auditd + +- name: "AUTOMATED | 4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" + block: + - name: "AUTOMATED | 4.1.1.3 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX" + shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_4_1_1_3_cmdline_settings + + - name: "AUTOMATED | 4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add setting if doesn't exist" + lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX=' + line: 'GRUB_CMDLINE_LINUX="{{ ubtu20cis_4_1_1_3_cmdline_settings.stdout }} audit=1"' + when: "'audit=' not in ubtu20cis_4_1_1_3_cmdline_settings.stdout" + notify: grub update + + - name: "AUTOMATED | 4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Update setting if exists" + replace: + dest: /etc/default/grub + regexp: 'audit=([0-9]+)' + replace: 'audot=1' + after: '^GRUB_CMDLINE_LINUX="' + before: '"' + notify: grub update + when: "'audit=' in ubtu20cis_4_1_1_3_cmdline_settings.stdout" + when: + - ubtu20cis_rule_4_1_1_3 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4_1_1_3 + - auditd + +- name: "AUTOMATED | 4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient" + block: + - name: "AUTOMATED | 
4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Get current GRUB_CMDLINE_LINUX" + shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_4_1_1_4_cmdline_settings + + - name: "AUTOMATED | 4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Add setting if doesn't exist" + lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX=' + line: 'GRUB_CMDLINE_LINUX="{{ ubtu20cis_4_1_1_4_cmdline_settings.stdout }} audit_backlog_limit={{ ubtu20cis_audit_back_log_limit }}"' + notify: grub update + when: "'audit_backlog_limit=' not in ubtu20cis_4_1_1_4_cmdline_settings.stdout" + + - name: "AUTOMATED | 4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Update setting if exists" + replace: + dest: /etc/default/grub + regexp: 'audit_backlog_limit=([0-9]+)' + replace: 'audit_backlog_limit={{ ubtu20cis_audit_back_log_limit }}' + after: '^GRUB_CMDLINE_LINUX="' + before: '"' + notify: grub update + when: + - ubtu20cis_rule_4_1_1_4 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4.1.1.4 + - auditd diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml new file mode 100644 index 00000000..0a833db9 --- /dev/null +++ b/tasks/section_4/cis_4.1.2.x.yml 
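Review bot: In 4.1.1.3's `Update setting if exists` task the replacement string is misspelled, `replace: 'audot=1'`, so a host that already carries `audit=0` on `GRUB_CMDLINE_LINUX` ends up with `audot=1` — the kernel ignores the unknown parameter, early-boot auditing stays off, and the control still reports success; it should be `replace: 'audit=1'`. The same task is tagged `rule_4_1_1_3`, breaking the dotted `rule_4.1.1.3` convention used by every other task in this file, so a `--tags rule_4.1.1.3` run silently skips it. Minor: `enabled: yes` in 4.1.1.2 should be the canonical boolean `enabled: true`.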
@@ -0,0 +1,53 @@
+---
+- name: "AUTOMATED | 4.1.2.1 | PATCH | Ensure audit log storage size is configured"
+ lineinfile:
+ dest: /etc/audit/auditd.conf
+ regexp: "^max_log_file( |=)"
+ line: "max_log_file = {{ ubtu20cis_max_log_file_size }}"
+ state: present
+ notify: restart auditd
+ when:
+ - ubtu20cis_rule_4_1_2_1
+ tags:
+ - level2-server
+ - level2-workstation
+ - automated
+ - patch
+ - rule_4.1.2.1
+ - auditd
+
+- name: "AUTOMATED | 4.1.2.2 | PATCH | Ensure audit logs are not automatically deleted"
+ lineinfile:
+ path: /etc/audit/auditd.conf
+ regexp: '^max_log_file_action'
+ line: "max_log_file_action = {{ ubtu20cis_auditd['max_log_file_action'] }}"
+ notify: restart auditd
+ when:
+ - ubtu20cis_rule_4_1_2_2
+ tags:
+ - level2-server
+ - level2-workstation
+ - automated
+ - patch
+ - rule_4.1.2.2
+ - auditd
+
+- name: "AUTOMATED | 4.1.2.3 | PATCH | Ensure system is disabled when audit logs are full"
+ lineinfile:
+ path: /etc/audit/auditd.conf
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ with_items:
+ - { regexp: '^space_left_action', line: 'space_left_action = email' }
+ - { regexp: '^action_mail_acct', line: 'action_mail_acct = root' }
+ - { regexp: '^admin_space_left_action = halt', line: 'admin_space_left_action = halt' }
+ notify: restart auditd
+ when:
+ - ubtu20cis_rule_4_1_2_3
+ tags:
+ - level2-server
+ - level2-workstation
+ - automated
+ - patch
+ - rule_4.1.2.3
+ - auditd
diff --git a/tasks/section_4/cis_4.1.x.yml b/tasks/section_4/cis_4.1.x.yml
new file mode 100644
index 00000000..f6eb574a
--- /dev/null
+++ b/tasks/section_4/cis_4.1.x.yml
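Review bot: In 4.1.2.3 the third item's `regexp: '^admin_space_left_action = halt'` only matches when the value is already `halt`, so on a host with any other existing value lineinfile appends a second `admin_space_left_action` line instead of replacing the first, and the control's outcome then depends on which occurrence auditd honours. Anchor on the key alone, as the other two items do: `regexp: '^admin_space_left_action'`. Minor: 4.1.2.1 uses `dest:` while 4.1.2.2 and 4.1.2.3 use `path:` for the same module; pick one for the file.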
@@ -0,0 +1,279 @@ +--- +- name: "AUTOMATED | 4.1.3 | PATCH | Ensure events that modify date and time information are collected" + template: + src: audit/ubtu20cis_4_1_3_timechange.rules.j2 + dest: /etc/audit/rules.d/time-change.rules + owner: root + group: root + mode: 0600 + notify: restart auditd + when: + - ubtu20cis_rule_4_1_3 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4.1.3 + - auditd + +- name: "AUTOMATED | 4.1.4 | PATCH | Ensure events that modify user/group information are collected" + template: + src: audit/ubtu20cis_4_1_4_identity.rules.j2 + dest: /etc/audit/rules.d/identity.rules + owner: root + group: root + mode: 0600 + notify: restart auditd + when: + - ubtu20cis_rule_4_1_4 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4.1.4 + - auditd + +- name: "AUTOMATED | 4.1.5 | PATCH | Ensure events that modify the system's network environment are collected" + template: + src: audit/ubtu20cis_4_1_5_systemlocale.rules.j2 + dest: /etc/audit/rules.d/system-locale.rules + owner: root + group: root + mode: 0600 + notify: restart auditd + when: + - ubtu20cis_rule_4_1_5 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4.1.5 + - auditd + +- name: "AUTOMATED | 4.1.6 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" + template: + src: audit/ubtu20cis_4_1_6_macpolicy.rules.j2 + dest: /etc/audit/rules.d/MAC-policy.rules + owner: root + group: root + mode: 0600 + notify: restart auditd + when: + - ubtu20cis_rule_4_1_6 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4.1.6 + - auditd + +- name: "AUTOMATED | 4.1.7 | PATCH | Ensure login and logout events are collected" + template: + src: audit/ubtu20cis_4_1_7_logins.rules.j2 + dest: /etc/audit/rules.d/logins.rules + owner: root + group: root + mode: 0600 + notify: restart auditd + when: + - ubtu20cis_rule_4_1_7 + tags: + - level2-server + - 
level2-workstation + - automated + - patch + - rule_4.1.7 + - auditd + +- name: "AUTOMATED | 4.1.8 | PATCH | Ensure session initiation information is collected" + template: + src: audit/ubtu20cis_4_1_8_session.rules.j2 + dest: /etc/audit/rules.d/session.rules + owner: root + group: root + mode: 0600 + notify: restart auditd + when: + - ubtu20cis_rule_4_1_8 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4.1.8 + - auditd + +- name: "AUTOMATED | 4.1.9 | PATCH | Ensure discretionary access control permission modification events are collected" + template: + src: audit/ubtu20cis_4_1_9_permmod.rules.j2 + dest: /etc/audit/rules.d/perm_mod.rules + owner: root + group: root + mode: 0600 + notify: restart auditd + when: + - ubtu20cis_rule_4_1_9 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4.1.9 + - auditd + +- name: "AUTOMATED | 4.1.10 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected" + template: + src: audit/ubtu20cis_4_1_10_access.rules.j2 + dest: /etc/audit/rules.d/access.rules + owner: root + group: root + mode: 0600 + notify: restart auditd + when: + - ubtu20cis_rule_4_1_10 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4.1.10 + - auditd + +- name: "AUTOMATED | 4.1.11 | PATCH | Ensure use of privileged commands is collected" + block: + - name: "AUTOMATED | 4.1.11 | AUDIT | Ensure use of privileged commands is collected | Get list of privileged programs" + shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done + register: priv_procs + changed_when: no + check_mode: false + + - name: "AUTOMATED | 4.1.11 | PATCH | Ensure use of privileged commands is collected | Set privileged rules" + template: + src: audit/ubtu20cis_4_1_11_privileged.rules.j2 + dest: /etc/audit/rules.d/privileged.rules + owner: root + group: root + mode: 0600 + notify: restart auditd + 
when: + - ubtu20cis_rule_4_1_11 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4.1.11 + - auditd + +- name: "AUTOMATED | 4.1.12 | PATCH | Ensure successful file system mounts are collected" + template: + src: audit/ubtu20cis_4_1_12_audit.rules.j2 + dest: /etc/audit/rules.d/audit.rules + owner: root + group: root + mode: 0600 + notify: restart auditd + when: + ubtu20cis_rule_4_1_12 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4.1.12 + - auditd + +- name: "AUTOMATED | 4.1.13 | PATCH | Ensure file deletion events by users are collected" + template: + src: audit/ubtu20cis_4_1_13_delete.rules.j2 + dest: /etc/audit/rules.d/delete.rules + owner: root + group: root + mode: 0600 + notify: restart auditd + when: + - ubtu20cis_rule_4_1_13 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4.1.13 + - auditd + +- name: "AUTOMATED | 4.1.14 | PATCH | Ensure changes to system administration scope (sudoers) is collected" + template: + src: audit/ubtu20cis_4_1_14_scope.rules.j2 + dest: /etc/audit/rules.d/scope.rules + owner: root + group: root + mode: 0600 + notify: restart auditd + when: + - ubtu20cis_rule_4_1_14 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4.1.14 + - auditd + +- name: "AUTOMATED | 4.1.15 | PATCH | Ensure system administrator command executions (sudo) are collected" + template: + src: audit/ubtu20cis_4_1_15_actions.rules.j2 + dest: /etc/audit/rules.d/actions.rules + owner: root + group: root + mode: 0600 + notify: restart auditd + when: + - ubtu20cis_rule_4_1_15 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4.1.15 + - auditd + +- name: "AUTOMATED | 4.1.16 | PATCH | Ensure kernel module loading and unloading is collected" + template: + src: audit/ubtu20cis_4_1_16_modules.rules.j2 + dest: /etc/audit/rules.d/modules.rules + owner: root + group: root + mode: 0600 + notify: restart auditd + when: 
+ - ubtu20cis_rule_4_1_16 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_4.1.16 + - auditd + +- name: "AUTOMATED | 4.1.17 | PATCH | Ensure the audit configuration is immutable" + template: + src: audit/ubtu20cis_4_1_17_99finalize.rules.j2 + dest: /etc/audit/rules.d/99-finalize.rules + owner: root + group: root + mode: 0600 + notify: restart auditd + when: + - ubtu20cis_rule_4_1_17 + tags: + - level2-server + - level2-workstation + - automated + - scored + - patch + - rule_4.1.17 + - auditd diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml new file mode 100644 index 00000000..4fff92c1 --- /dev/null +++ b/tasks/section_4/cis_4.2.1.x.yml 
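Review bot: The `when:` on 4.1.12 is a bare scalar (`when:` with `ubtu20cis_rule_4_1_12` on the following line) while every other task in this file expresses it as a one-item list, `- ubtu20cis_rule_4_1_12`; it evaluates the same way but breaks the file's uniform shape. In 4.1.11, `changed_when: no` uses a YAML 1.1 truthy where the rest of the series writes `false`, and `register: priv_procs` is the only registered result here without the `ubtu20cis_` prefix — presumably the privileged.rules.j2 template reads it, so a rename would need a matching template change. 4.1.17 carries an extra `scored` tag that no sibling uses; if intentional it deserves a comment, otherwise drop it. The unquoted octal `mode: 0600` values rely on the YAML 1.1 leading-zero rule; quoting them as `mode: "0600"` removes the ambiguity.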
@@ -0,0 +1,153 @@ +--- +- name: "AUTOMATED | 4.2.1.1 | PATCH | Ensure rsyslog is installed" + apt: + name: rsyslog + state: present + when: + - ubtu20cis_rule_4_2_1_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.2.1.1 + - rsyslog + - apt + +- name: "AUTOMATED | 4.2.1.2 | PATCH | Ensure rsyslog Service is enabled" + service: + name: rsyslog + enabled: yes + when: + - ubtu20cis_rule_4_2_1_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.2.1.2 + - rsyslog + +- name: "MANUAL | 4.2.1.3 | PATCH | Ensure logging is configured" + block: + - name: "MANUAL | 4.2.1.3 | AUDIT | Ensure logging is configured | Find configuration file" + shell: grep -r "*.emerg" /etc/* | cut -f1 -d":" + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_4_2_1_3_rsyslog_config_path + + - name: "MANUAL | 4.2.1.3 | AUDIT | Ensure logging is configured | Gather rsyslog current config" + command: "cat {{ ubtu20cis_4_2_1_3_rsyslog_config_path.stdout }}" + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_4_2_1_3_rsyslog_config + + - name: "MANUAL | 4.2.1.3 | AUDIT | Ensure logging is configured | Message out config" + debug: + msg: + - "Alert!!!Below is the current logging configurations for rsyslog, please review" + - "{{ ubtu20cis_4_2_1_3_rsyslog_config.stdout_lines }}" + when: not ubtu20cis_rsyslog_ansible_managed + + - name: "MANUAL | 4.2.1.3 | PATCH | Ensure logging is configured | Automated rsyslog configuration" + lineinfile: + path: "{{ ubtu20cis_4_2_1_3_rsyslog_config_path.stdout }}" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" + with_items: + - { regexp: '^\*.emerg', line: '*.emerg :omusrmsg:*', insertafter: '^# Emergencies are sent to everybody logged in' } + - { regexp: '^auth,authpriv.\*', line: 'auth,authpriv.* /var/log/auth.log', insertafter: '^# First some standard log files. 
Log by facility' } + - { regexp: '^mail.\*|^#mail.\*', line: 'mail.* -/var/log/mail', insertafter: '^# First some standard log files' } + - { regexp: '^mail.info|^#mail.info', line: 'mail.info -/var/log/mail.info', insertafter: '^# Logging for the mail system' } + - { regexp: '^mail.warn|^#mail.warn', line: 'mail.warn -/var/log/mail.warn', insertafter: '^# Logging for the mail system.' } + - { regexp: '^mail.err|^#mail.err', line: 'mail.err /var/log/mail.err', insertafter: '^# Logging for the mail system.' } + - { regexp: '^news.crit|^#news.crit', line: 'news.crit -/var/log/news/news.crit', insertafter: '^# First some standard log files'} + - { regexp: '^news.err|^#news.err', line: 'news.err -/var/log/news/news.err', insertafter: '^# First some standard log files' } + - { regexp: '^news.notice|^#news.notice', line: 'news.notice -/var/log/news/news.notice', insertafter: '^# First some standard log files' } + - { regexp: '^\*.=warning;\*.=err|^#\*.=warning;\*.=err', line: '*.=warning;*.=err -/var/log/warn', insertafter: '^# First some standard log files' } + - { regexp: '^\*.crit|^#\*.crit', line: '*.crit /var/log/warn', insertafter: '^# First some standard log files' } + - { regexp: '^\*.\*;mail.none;news.none|^#\*.\*;mail.none;news.none', line: '*.*;mail.none;news.none -/var/log/messages', insertafter: '^# First some standard log files' } + - { regexp: '^local0,local1.\*|^#local0,local1.\*', line: 'local0,local1.* -/var/log/localmessages', insertafter: '^# First some standard log files' } + - { regexp: '^local2,local3.\*|^#local2,local3.\*', line: 'local2,local3.* -/var/log/localmessages', insertafter: '^# First some standard log files' } + - { regexp: '^local4,local5.\*|^#local4,local5.\*', line: 'local4,local5.* -/var/log/localmessages', insertafter: '^# First some standard log files' } + - { regexp: '^local6,local7.\*|^#local6,local7.\*', line: 'local6,local7.* -/var/log/localmessages', insertafter: '^# First some standard log files' } + notify: restart rsyslog 
+ when: ubtu20cis_rsyslog_ansible_managed + when: + - ubtu20cis_rule_4_2_1_3 + tags: + - level1-server + - level1-workstation + - manual + - patch + - rule_4.2.1.3 + - rsyslog + +- name: "AUTOMATED | 4.2.1.4 | PATCH | Ensure rsyslog default file permissions configured" + lineinfile: + path: /etc/rsyslog.conf + regexp: '^\$FileCreateMode|^#\$FileCreateMode' + line: '$FileCreateMode 0640' + notify: restart rsyslog + when: + - ubtu20cis_rule_4_2_1_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.2.1.4 + - rsyslog + +- name: "AUTOMATED | 4.2.1.5 | PATCH | Ensure rsyslog is configured to send logs to a remote log host" + blockinfile: + path: /etc/rsyslog.conf + block: | + ##Enable sending of logs over TCP add the following line: + *.* @@{{ ubtu20cis_remote_log_server }} + insertafter: EOF + when: + - ubtu20cis_rule_4_2_1_5 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.2.1.5 + - rsyslog + +- name: "MANUAL | 4.2.1.6 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts" + block: + - name: "MANUAL | 4.2.1.6 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts | When not a log host" + replace: + path: /etc/rsyslog.conf + regexp: '({{ item }})' + replace: '#\1' + with_items: + - '^(\$ModLoad)' + - '^(\$InputTCPServerRun)' + notify: restart rsyslog + when: not ubtu20cis_system_is_log_server + + - name: "MANUAL | 4.2.1.6 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts | When a log server" + lineinfile: + path: /etc/rsyslog.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + with_items: + - { regexp: '^\$ModLoad|^#\$ModLoad', line: '$ModLoad imtcp' } + - { regexp: '^\$InputTCPServerRun|^#\$InputTCPServerRun', line: '$InputTCPServerRun 514' } + notify: restart rsyslog + when: ubtu20cis_system_is_log_server + when: + - ubtu20cis_rule_4_2_1_6 + tags: + - level1-server + - level1-workstation + - manual + 
- patch + - rule_4.2.1.6 + - rsyslog diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml new file mode 100644 index 00000000..891ffb23 --- /dev/null +++ b/tasks/section_4/cis_4.2.2.x.yml @@ -0,0 +1,50 @@ +--- +- name: "AUTOMATED | 4.2.2.1 | PATCH | Ensure journald is configured to send logs to rsyslog" + lineinfile: + path: /etc/systemd/journald.conf + regexp: '^ForwardToSyslog|^#ForwardToSyslog' + line: 'ForwardToSyslog=yes' + insertafter: '\[Journal\]' + when: + - ubtu20cis_rule_4_2_2_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.2.2.1 + - rsyslog + - journald + +- name: "4.2.2.2 | PATCH | Ensure journald is configured to compress large log files" + lineinfile: + path: /etc/systemd/journald.conf + regexp: '^Compress|^#Compress' + line: 'Compress=yes' + insertafter: '\[Journal\]' + when: + - ubtu20cis_rule_4_2_2_2 + tags: + - level1-server + - level1-workstation + - patch + - rule_4.2.2.2 + - rsyslog + - journald + +- name: "AUTOMATED | 4.2.2.3 | PATCH | Ensure journald is configured to write logfiles to persistent disk" + lineinfile: + path: /etc/systemd/journald.conf + regexp: '^Storage|^#Storage' + line: 'Storage=persistent' + insertafter: '\[Journal\]' + when: + - ubtu20cis_rule_4_2_2_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.2.2.3 + - rsyslog + - journald diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml new file mode 100644 index 00000000..033fb27d --- /dev/null +++ b/tasks/section_4/cis_4.2.3.yml 
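Review bot: In 4.2.1.3 the `Find configuration file` task captures `grep -r "*.emerg" /etc/* | cut -f1 -d":"` and then uses `.stdout` verbatim as a single path in `command: "cat {{ ... }}"` and in the lineinfile `path:`. If the pattern matches more than one line — two files under /etc, or one file with a commented and an active `*.emerg` rule — the multi-line stdout becomes an invalid path and the lineinfile task fails, or, if an unrelated file happens to match, the rsyslog edits land there. Consider `grep -rl` so each file appears once, then take `path: "{{ ubtu20cis_4_2_1_3_rsyslog_config_path.stdout_lines[0] }}"` guarded by `when: ubtu20cis_4_2_1_3_rsyslog_config_path.stdout_lines | length == 1`, or make the config path a role variable with a documented default. The block's `when:` list is visible, but the rest of the file's handlers are not, so I cannot confirm `restart rsyslog` exists.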
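Review bot: None of the three journald.conf edits in cis_4.2.2.x.yml notifies a handler, whereas the auditd and rsyslog tasks added in this same commit all `notify: restart auditd` / `notify: restart rsyslog`; `Storage=persistent`, `Compress=yes` and `ForwardToSyslog=yes` therefore sit in the file without taking effect until systemd-journald is restarted or the host reboots, and a scan of the running service would still show the old settings. Add `notify: restart journald` to each task, with a corresponding handler (`systemd: name: systemd-journald state: restarted`) if the role's handlers file does not already define one — that file is not in view here. 4.2.2.2 is also missing the `AUTOMATED |` name prefix and the `automated` tag that its two siblings carry.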
@@ -0,0 +1,16 @@ +--- +- name: "AUTOMATED | 4.2.3 | PATCH | Ensure permissions on all logfiles are configured" + command: find /var/log -type f -exec chmod g-wx,o-rwx "{}" + -o -type d -exec chmod g-w,o-rwx "{}" + + changed_when: ubtu20cis_4_2_3_logfile_perms_status.rc == 0 + check_mode: false + register: ubtu20cis_4_2_3_logfile_perms_status + when: + - ubtu20cis_rule_4_2_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.2.3 + - logfiles + - permissions diff --git a/tasks/section_4/cis_4.3.yml b/tasks/section_4/cis_4.3.yml new file mode 100644 index 00000000..362f6329 --- /dev/null +++ b/tasks/section_4/cis_4.3.yml @@ -0,0 +1,26 @@ +--- +- name: "MANUAL | 4.3 | PATCH | Ensure logrotate is configured" + block: + - name: "MANUAL | 4.3 | PATCH | Ensure logrotate is configured | Get logrotate files" + find: + paths: /etc/logrotate.d/ + check_mode: false + register: ubtu20cis_4_3_logrotate_files + + - name: "MANUAL | 4.3 | PATCH | Ensure logrotate is configured | Set rotation configurations" + replace: + path: "{{ item.path }}" + regexp: '^(\s*)(daily|weekly|monthly|yearly)$' + replace: "\\1{{ ubtu20cis_logrotate }}" + with_items: + - "{{ ubtu20cis_4_3_logrotate_files.files }}" + - { path: "/etc/logrotate.conf" } + when: + - ubtu20cis_rule_4_3 + tags: + - level1-server + - level1-workstation + - manual + - patch + - rule_4.3 + - logrotate diff --git a/tasks/section_4/cis_4.4.yml b/tasks/section_4/cis_4.4.yml new file mode 100644 index 00000000..448e6408 --- /dev/null +++ b/tasks/section_4/cis_4.4.yml @@ -0,0 +1,15 @@ +--- +- name: "AUTOMATED | 4.4 | PATCH | Ensure logrotate assigns appropriate permissions" + lineinfile: + path: /etc/logrotate.conf + regexp: '^create' + line: ' create {{ ubtu20cis_logrotate_create_settings }}' + when: + - ubtu20cis_rule_4_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_4.4 + - logrotate 
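Review bot: The 4.2.3 task sets `check_mode: false` on a `command: find /var/log ... -exec chmod ...` that mutates file permissions, so an `ansible-playbook --check` run against this role actually changes the target's log-file modes — the opposite of what the flag is for, and inconsistent with the rest of this series, where `check_mode: false` is reserved for read-only gathering commands. Drop `check_mode: false` here. Separately, `changed_when: ... rc == 0` reports changed on every run even when no mode was altered; `chmod -c` (print only actual changes) together with `changed_when: ubtu20cis_4_2_3_logfile_perms_status.stdout | length > 0` would make the report accurate.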
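Review bot: In cis_4.4.yml the `regexp: '^create'` never matches the line the task itself writes, `' create {{ ubtu20cis_logrotate_create_settings }}'`, because of the leading space: the first run rewrites the stock `create` line, and every later run appends another ` create ...` at the end of /etc/logrotate.conf, so the task is not idempotent and logrotate ends up with duplicate `create` directives. Either drop the leading space, `line: 'create {{ ubtu20cis_logrotate_create_settings }}'`, or match it, `regexp: '^\s*create'`.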
diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml
new file mode 100644
index 00000000..ef82c3a1
--- /dev/null
+++ b/tasks/section_4/main.yml
@@ -0,0 +1,24 @@
+---
+- name: "SECTION | 4.1.1 | Ensure auditing is enabled"
+ include: cis_4.1.1.x.yml
+
+- name: "SECTION | 4.1.2 | Configure Data Retention"
+ include: cis_4.1.2.x.yml
+
+- name: "SECTION | 4.1.x | Login Settings"
+ include: cis_4.1.x.yml
+
+- name: "SECTION | 4.2.1 | Configure rsyslog"
+ include: cis_4.2.1.x.yml
+
+- name: "SECTION | 4.2.2 | Configure journald"
+ include: cis_4.2.2.x.yml
+
+- name: "SECTION | 4.2.3 | Ensure permissions on all logfiles are configured"
+ include: cis_4.2.3.yml
+
+- name: "SECTION | 4.3 | Ensure logrotate is configured"
+ include: cis_4.3.yml
+
+- name: "SECTION | 4.4 | Ensure logrotate assigns appropriate permissions"
+ include: cis_4.4.yml
\ No newline at end of file
From e3d883176c2f969b82e5480c9b739bca0f8c8b42 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Fri, 7 May 2021 09:22:57 -0400
Subject: [PATCH 41/44] updated section 5 layout
Signed-off-by: George Nalen
---
 tasks/main.yml | 2 +-
 tasks/{section5.yml => old_section5.yml} | 0
 tasks/section_5/cis_5.1.x.yml | 159 +++++++++
 tasks/section_5/cis_5.2.x.yml | 46 +++
 tasks/section_5/cis_5.3.x.yml | 413 +++++++++++++++++++++++
 tasks/section_5/cis_5.4.x.yml | 199 +++++++++++
 tasks/section_5/cis_5.5.x.yml | 258 ++++++++++++++
 tasks/section_5/cis_5.6.yml | 25 ++
 tasks/section_5/cis_5.7.yml | 38 +++
 tasks/section_5/main.yml | 21 ++
 10 files changed, 1160 insertions(+), 1 deletion(-)
 rename tasks/{section5.yml => old_section5.yml} (100%)
 create mode 100644 tasks/section_5/cis_5.1.x.yml
 create mode 100644 tasks/section_5/cis_5.2.x.yml
 create mode 100644 tasks/section_5/cis_5.3.x.yml
 create mode 100644 tasks/section_5/cis_5.4.x.yml
 create mode 100644 tasks/section_5/cis_5.5.x.yml
 create mode 100644 tasks/section_5/cis_5.6.yml
 create mode 100644 tasks/section_5/cis_5.7.yml
 create mode 100644 tasks/section_5/main.yml
diff --git a/tasks/main.yml b/tasks/main.yml index 4450ea00..a7d7cdf7 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -62,7 +62,7 @@ - section4 - name: Include section 5 patches - import_tasks: section5.yml + import_tasks: section_5/main.yml when: ubtu20cis_section5_patch tags: - section5 diff --git a/tasks/section5.yml b/tasks/old_section5.yml similarity index 100% rename from tasks/section5.yml rename to tasks/old_section5.yml diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml new file mode 100644 index 00000000..70657990 --- /dev/null +++ b/tasks/section_5/cis_5.1.x.yml 
@@ -0,0 +1,159 @@ +--- +- name: "AUTOMATED | 5.1.1 | PATCH | Ensure cron daemon is enabled and running" + service: + name: cron + state: started + enabled: yes + when: + - ubtu20cis_rule_5_1_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.1.1 + - cron + +- name: "AUTOMATED | 5.1.2 | PATCH | Ensure permissions on /etc/crontab are configured" + file: + path: /etc/crontab + owner: root + group: root + mode: 0600 + when: + - ubtu20cis_rule_5_1_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.1.2 + - cron + +- name: "AUTOMATED | 5.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured" + file: + path: /etc/cron.hourly + owner: root + group: root + mode: 0700 + when: + - ubtu20cis_rule_5_1_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.1.3 + - cron + +- name: "AUTOMATED | 5.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured" + file: + path: /etc/cron.daily + owner: root + group: root + mode: 0700 + when: + - ubtu20cis_rule_5_1_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.1.4 + - cron + +- name: "AUTOMATED | 5.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" + file: + path: /etc/cron.weekly + owner: root + group: root + mode: 0700 + when: + - ubtu20cis_rule_5_1_5 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.1.5 + - cron + +- name: "AUTOMATED | 5.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured" + file: + path: /etc/cron.monthly + owner: root + group: root + mode: 0700 + when: + - ubtu20cis_rule_5_1_6 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.1.6 + - cron + +- name: "AUTOMATED | 5.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured" + file: + path: /etc/cron.d + owner: root + group: root + mode: 0700 + when: + - ubtu20cis_rule_5_1_7 + tags: + - level1-server + - 
level1-workstation + - automated + - patch + - rule_5.1.7 + - cron + +- name: "AUTOMATED | 5.1.8 | PATCH | Ensure at/cron is restricted to authorized users" + block: + - name: "AUTOMATED | 5.1.8 | PATCH | Ensure at/cron is restricted to authorized users | Remove cron.deny" + file: + path: /etc/cron.deny + state: absent + + - name: "AUTOMATED | 5.1.8 | PATCH | Ensure at/cron is restricted to authorized users | Create cron.allow" + file: + path: /etc/cron.allow + owner: root + group: root + mode: 0640 + state: touch + when: + - ubtu20cis_rule_5_1_8 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.1.8 + - cron + +- name: "AUTOMATED | 5.1.9 | PATCH | Ensure at is restricted to authorized users" + block: + - name: "AUTOMATED | 5.1.9 | PATCH | Ensure at is restricted to authorized users | Remove at.deny" + file: + path: /etc/at.deny + state: absent + + - name: "AUTOMATED | 5.1.9 | PATCH | Ensure at is restricted to authorized users | Create at.allow" + file: + path: /etc/at.allow + owner: root + group: root + mode: 0640 + state: touch + when: + - ubtu20cis_rule_5_1_9 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.1.9 + - cron diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml new file mode 100644 index 00000000..a001e3b4 --- /dev/null +++ b/tasks/section_5/cis_5.2.x.yml 
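Review bot: In 5.1.8 and 5.1.9 the `file: state: touch` tasks for /etc/cron.allow and /etc/at.allow rewrite the files' timestamps on every run, so the role reports `changed` for these rules even when nothing was modified, which masks real drift in a compliance report. Adding `modification_time: preserve` and `access_time: preserve` to those two tasks keeps the create-if-missing behaviour and the root:root 0640 enforcement while making them idempotent. The removal of cron.deny/at.deny followed by an allow-file that starts out empty is the intended restrictive default, so the only thing to change is the timestamp handling.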
@@ -0,0 +1,46 @@ +--- +- name: "AUTOMATED | 5.2.1 | PATCH | Ensure sudo is installed" + apt: + name: "{{ ubtu20cis_sudo_package }}" + state: present + when: + - ubtu20cis_rule_5_2_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.2.1 + - sudo + +- name: "AUTOMATED | 5.2.2 | PATCH | Ensure sudo commands use pty" + lineinfile: + path: /etc/sudoers + regexp: '^Defaults use_' + line: 'Defaults use_pty' + insertafter: '^Defaults' + when: + - ubtu20cis_rule_5_2_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.2.2 + - sudo + +- name: "AUTOMATED | 5.2.3 | PATCH | Ensure sudo log file exists" + lineinfile: + path: /etc/sudoers + regexp: '^Defaults logfile' + line: 'Defaults logfile="{{ ubtu20cis_sudo_logfile }}"' + insertafter: '^Defaults' + when: + - ubtu20cis_rule_5_2_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.2.3 + - sudo diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml new file mode 100644 index 00000000..3eb9647e --- /dev/null +++ b/tasks/section_5/cis_5.3.x.yml 
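Review bot: Both `lineinfile` tasks edit /etc/sudoers directly with no `validate`, so a bad value in `ubtu20cis_sudo_logfile` or a regexp that hits the wrong `Defaults` line yields a sudoers file that sudo refuses to parse, locking every administrator out of sudo until it is repaired from a console. Add `validate: '/usr/sbin/visudo -cf %s'` to 5.2.2 and 5.2.3 so a broken candidate is rejected before it replaces the real file. The 5.2.2 regexp `^Defaults use_` is also broader than the rule needs: it would overwrite an existing `Defaults use_loginclass` or `Defaults use_netgroups` line with `use_pty`, so anchor it as `regexp: '^Defaults\s+use_pty'`.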
@@ -0,0 +1,413 @@ +--- +- name: "AUTOMATED | 5.3.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" + file: + path: /etc/ssh/sshd_config + owner: root + group: root + mode: 0600 + when: + - ubtu20cis_rule_5_3_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.1 + - ssh + +- name: "AUTOMATED | 5.3.2 | PATCH | Ensure permissions on SSH private host key files are configured" + block: + - name: "AUTOMATED | 5.3.2 | AUDIT | Ensure permissions on SSH private host key files are configured | Find ssh_host private keys" + find: + paths: /etc/ssh + patterns: 'ssh_host_*_key' + register: ubtu20cis_5_3_2_ssh_host_priv_keys + + - name: "AUTOMATED | 5.3.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions" + file: + path: "{{ item.path }}" + owner: root + group: root + mode: 0600 + with_items: + - "{{ ubtu20cis_5_3_2_ssh_host_priv_keys.files }}" + when: + - ubtu20cis_rule_5_3_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.2 + - ssh + +- name: "AUTOMATED | 5.3.3 | PATCH | Ensure permissions on SSH public host key files are configured" + block: + - name: "AUTOMATED | 5.3.3 | AUDIT | Ensure permissions on SSH public host key files are configured | Find ssh_host public keys" + find: + paths: /etc/ssh + patterns: 'ssh_host_*_key.pub' + register: ubtu20cis_5_3_3_ssh_host_pub_keys + + - name: "AUTOMATED | 5.3.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions" + file: + path: "{{ item.path }}" + owner: root + group: root + mode: 0644 + with_items: + - "{{ ubtu20cis_5_3_3_ssh_host_pub_keys.files }}" + when: + - ubtu20cis_rule_5_3_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.3 + - ssh + +- name: "AUTOMATED | 5.3.4 | PATCH | Ensure SSH access is limited" + block: + - name: "AUTOMATED | 5.3.4 | PATCH | Ensure SSH access is limited | Add allowed users" + lineinfile: + 
path: /etc/ssh/sshd_config + regexp: '^AllowUsers|^#AllowUsers' + line: 'AllowUsers {{ ubtu20cis_sshd.allow_users }}' + notify: restart sshd + when: "ubtu20cis_sshd['allow_users']|default('') != ''" + + - name: "AUTOMATED | 5.3.4 | PATCH | Ensure SSH access is limited | Add allowed groups" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^AllowGroups|^#AllowGroups' + line: 'AllowGroups {{ ubtu20cis_sshd.allow_groups }}' + notify: restart sshd + when: "ubtu20cis_sshd['allow_groups']|default('') != ''" + + - name: "AUTOMATED | 5.3.4 | PATCH | Ensure SSH access is limited | Add deny users" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^DenyUsers|^#DenyUsers' + line: 'DenyUsers {{ ubtu20cis_sshd.deny_users }}' + notify: restart sshd + when: "ubtu20cis_sshd['deny_users']|default('') != ''" + + - name: "AUTOMATED | 5.3.4 | PATCH | Ensure SSH access is limited | Add deny groups" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^DenyGroups|^#DenyGroups' + line: 'DenyGroups {{ ubtu20cis_sshd.deny_groups }}' + notify: restart sshd + when: "ubtu20cis_sshd['deny_groups']|default('') != ''" + when: + - ubtu20cis_rule_5_3_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.4 + - ssh + +- name: "AUTOMATED | 5.3.5 | PATCH | Ensure SSH LogLevel is appropriate" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^LogLevel|^#LogLevel' + line: 'LogLevel {{ ubtu20cis_sshd.log_level }}' + insertafter: '^# Logging' + notify: restart sshd + when: + - ubtu20cis_rule_5_3_5 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.5 + - ssh + +- name: "AUTOMATED | 5.3.6 | PATCH | Ensure SSH X11 forwarding is disabled" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^X11Forwarding|^#X11Forwarding' + line: 'X11Forwarding no' + notify: restart sshd + when: + - ubtu20cis_rule_5_3_6 + tags: + - level2-server + - level1-workstation + - automated + - patch + - rule_5.3.6 + - ssh + +- name: "AUTOMATED | 5.3.7 | 
PATCH | Ensure SSH MaxAuthTries is set to 4 or less" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^MaxAuthTries|^#MaxAuthTries' + line: 'MaxAuthTries {{ ubtu20cis_sshd.max_auth_tries }}' + insertafter: '^# Authentication' + notify: restart sshd + when: + - ubtu20cis_rule_5_3_7 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.7 + - ssh + +- name: "AUTOMATED | 5.3.8 | PATCH | Ensure SSH IgnoreRhosts is enabled" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^IgnoreRhosts|^#IgnoreRhosts' + line: 'IgnoreRhosts yes' + notify: restart sshd + when: + - ubtu20cis_rule_5_3_8 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.8 + - ssh + +- name: "AUTOMATED | 5.3.9 | PATCH | Ensure SSH HostbasedAuthentication is disabled" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^HostbasedAuthentication|^#HostbasedAuthentication' + line: 'HostbasedAuthentication no' + notify: restart sshd + when: + - ubtu20cis_rule_5_3_9 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.9 + - ssh + +- name: "AUTOMATED | 5.3.10 | PATCH | Ensure SSH root login is disabled" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^PermitRootLogin|^#PermitRootLogin' + line: 'PermitRootLogin no' + notify: restart sshd + when: + - ubtu20cis_rule_5_3_10 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.10 + - ssh + +- name: "AUTOMATED | 5.3.11 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^PermitEmptyPasswords|^#PermitEmptyPasswords' + line: 'PermitEmptyPasswords no' + insertafter: '# To disable tunneled clear text passwords' + notify: restart sshd + when: + - ubtu20cis_rule_5_3_11 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.11 + - ssh + +- name: "AUTOMATED | 5.3.12 | PATCH | Ensure SSH PermitUserEnvironment is disabled" + lineinfile: + path: 
/etc/ssh/sshd_config + regexp: '^PermitUserEnvironment|^#PermitUserEnvironment' + line: 'PermitUserEnvironment no' + notify: restart sshd + when: + - ubtu20cis_rule_5_3_12 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.12 + - ssh + +- name: "AUTOMATED | 5.3.13 | PATCH | Ensure only strong Ciphers are used" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^Ciphers|^#Ciphers' + line: 'Ciphers {{ ubtu20cis_sshd.ciphers }}' + insertafter: '^# Ciphers and keying' + notify: restart sshd + when: + - ubtu20cis_rule_5_3_13 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.13 + - ssh + +- name: "AUTOMATED | 5.3.14 | PATCH | Ensure only strong MAC algorithms are used" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^MACs|^#MACs' + line: 'MACs {{ ubtu20cis_sshd.macs }}' + insertafter: '^# Ciphers and keying' + notify: restart sshd + when: + - ubtu20cis_rule_5_3_14 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.14 + - ssh + +- name: "AUTOMATED | 5.3.15 | PATCH | Ensure only strong Key Exchange algorithms are used" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^KexAlgorithms|^#KexAlgorithms' + line: 'KexAlgorithms {{ ubtu20cis_sshd.kex_algorithms }}' + insertafter: '^# Ciphers and keying' + notify: restart sshd + when: + - ubtu20cis_rule_5_3_15 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.15 + - ssh + +- name: "AUTOMATED | 5.3.16 | PATCH | Ensure SSH Idle Timeout Interval is configured" + lineinfile: + path: /etc/ssh/sshd_config + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + with_items: + - { regexp: '^ClientAliveInterval|^#ClientAliveInterval', line: 'ClientAliveInterval {{ ubtu20cis_sshd.client_alive_interval }}' } + - { regexp: '^ClientAliveCountMax|^#ClientAliveCountMax', line: 'ClientAliveCountMax {{ ubtu20cis_sshd.client_alive_count_max }}' } + notify: restart sshd + when: + - 
ubtu20cis_rule_5_3_16 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.16 + - sshd + +- name: "AUTOMATED | 5.3.17 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^LoginGraceTime|^#LoginGraceTime' + line: 'LoginGraceTime {{ ubtu20cis_sshd.login_grace_time }}' + insertafter: '^# Authentication' + notify: restart sshd + when: + - ubtu20cis_rule_5_3_17 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.17 + - ssh + +- name: "AUTOMATED | 5.3.18 | PATCH | Ensure SSH warning banner is configured" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^Banner|^#Banner' + line: Banner /etc/issue.net + insertafter: '^# no default banner path' + notify: restart sshd + when: + - ubtu20cis_rule_5_3_18 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.18 + - ssh + +- name: "AUTOMATED | 5.3.19 | PATCH | Ensure SSH PAM is enabled" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^UsePAM|^#UsePAM' + line: 'UsePAM yes' + insertafter: '^# and ChallengeResponseAuthentication' + notify: restart sshd + when: + - ubtu20cis_rule_5_3_19 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.19 + - ssh + - pam + +- name: "AUTOMATED | 5.3.20 | PATCH | Ensure SSH AllowTcpForwarding is disabled" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^AllowTcpForwarding|^#AllowTcpForwarding' + line: 'AllowTcpForwarding no' + notify: restart sshd + when: + - ubtu20cis_rule_5_3_20 + tags: + - level2-server + - level2-workstation + - automated + - patch + - rule_5.3.20 + - ssh + +- name: "AUTOMATED | 5.3.21 | PATCH | Ensure SSH MaxStartups is configured" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^MaxStartups|^#MaxStartups' + line: 'MaxStartups 10:30:60' + notify: restart sshd + when: + - ubtu20cis_rule_5_3_21 + tags: + - level1-server + - level1-workstation + - automated + - 
patch + - rule_5.3.21 + - ssh + +- name: "AUTOMATED | 5.3.22 | PATCH | Ensure SSH MaxSessions is set to 4 or less" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^MaxSessions|^#MaxSessions' + line: 'MaxSessions {{ ubtu20cis_sshd.max_sessions }}' + insertafter: '^# Authentication' + notify: restart sshd + when: + - ubtu20cis_rule_5_3_22 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.3.22 + - ssh diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml new file mode 100644 index 00000000..8780279c --- /dev/null +++ b/tasks/section_5/cis_5.4.x.yml 
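Review bot: Every sshd_config edit from 5.3.4 through 5.3.22 is a bare `lineinfile` with no `validate`, and several take their values from `ubtu20cis_sshd.*` (ciphers, MACs, KexAlgorithms, MaxAuthTries, LoginGraceTime, MaxSessions); an unknown algorithm name or non-numeric value is written verbatim, the `restart sshd` handler then fails, and remote access to the host is lost. Add `validate: '/usr/sbin/sshd -t -f %s'` to each of these tasks so the daemon checks the candidate file before it replaces /etc/ssh/sshd_config. Separately, the tasks without `insertafter` (the AllowUsers/DenyUsers group in 5.3.4, 5.3.6, 5.3.8–5.3.10, 5.3.12, 5.3.20, 5.3.21) append to the end of the file when the directive is absent, which is after any `Match` block an administrator has added, so the setting would then apply only inside that block; `insertbefore: '^Match'` with `firstmatch: true` keeps them in the global section. Minor: 5.3.16 is tagged `sshd` while every other rule in the file uses `ssh`.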
@@ -0,0 +1,199 @@ +--- +- name: "AUTOMATED | 5.4.1 | PATCH | Ensure password creation requirements are configured" + block: + - name: "AUTOMATED | 5.4.1 | PATCH | Ensure password creation requirements are configured | Install pam_pwquality module" + apt: + name: libpam-pwquality + state: present + + - name: "AUTOMATED | 5.4.1 | PATCH | Ensure password creation requirements are configured | Add minlen" + lineinfile: + path: /etc/security/pwquality.conf + regexp: '^minlen|^# minlen' + line: minlen = 14 + + - name: "AUTOMATED | 5.4.1 | PATCH | Ensure password creation requirements are configured | Add minclass" + lineinfile: + path: /etc/security/pwquality.conf + regexp: '^minclass|^# minclass' + line: 'minclass = 4' + + - name: "AUTOMATED | 5.4.1 | AUDIT | Ensure password creation requirements are configured | Confirm pwquality module in common-password" + command: grep 'password.*requisite.*pam_pwquality.so' /etc/pam.d/common-password + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_5_4_1_pam_pwquality_state + + - name: "AUTOMATED | 5.4.1 | PATCH | Ensure password creation requirements are configured | Set retry to 3 if pwquality exists" + pamd: + name: common-password + type: password + control: requisite + module_path: pam_pwquality.so + module_arguments: 'retry=3' + state: args_present + when: ubtu20cis_5_4_1_pam_pwquality_state.stdout | length > 0 + + - name: "AUTOMATED | 5.4.1 | PATCH | Ensure password creation requirements are configured | Set retry to 3 if pwquality does not exist" + pamd: + name: common-password + type: password + control: required + module_path: pam_permit.so + new_type: password + new_control: requisite + new_module_path: pam_pwquality.so + module_arguments: 'retry=3' + state: after + when: ubtu20cis_5_4_1_pam_pwquality_state.stdout | length == 0 + when: + - ubtu20cis_rule_5_4_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.4.1 + - pam + +# ------------- +# 
------------- +# There is a bug in pam_tally2.so where the use of the audit keyword may log credentials in the case of user error during authentication. +# To work around this bug the CIS documentation has you setting pam_tally2 to the account section. +# Once bug is fixed please set pam_tally2 to the auth sections. We have those commented out in the task +# ------------- +# ------------- + +# ------------- +# ------------- +# figure out why pam_deny kills vagrant user. Below is everything working but the pam_deny.so in the last task with_items +# ------------- +# ------------- +- name: "AUTOMATED | 5.4.2 | PATCH | Ensure lockout for failed password attempts is configured" + command: /bin/true + changed_when: false + failed_when: false + check_mode: false + # block: + # - name: "AUTOMATED | 5.4.2 | AUDIT | Ensure lockout for failed password attempts is configured | Confirm pam_tally2.so module in common-auth" + # # command: grep 'auth.*required.*pam_tally2.so' /etc/pam.d/common-auth + # command: grep 'auth.*required.*pam_tally2.so' /etc/pam.d/common-account + # changed_when: false + # failed_when: false + # check_mode: false + # register: ubtu20cis_5_4_2_pam_tally2_state + + # - name: "AUTOMATED | 5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Set pam_tally2.so settings if exists" + # pamd: + # # name: common-auth + # name: common-account + # # type: auth + # type: account + # control: required + # module_path: pam_tally2.so + # module_arguments: 'onerr=fail + # audit + # silent + # deny=5 + # unlock_time=900' + # when: ubtu20cis_5_4_2_pam_tally2_state.stdout != "" + + # - name: "AUTOMATED | 5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Set pam_tally2.so settings if does not exist" + # lineinfile: + # # path: /etc/pam.d/common-auth + # path: /etc/pam.d/common-account + # # line: 'auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900' + # line: 'account required pam_tally2.so onerr=fail 
audit silent deny=5 unlock_time=900' + # insertafter: '^# end of pam-auth-update config' + # when: ubtu20cis_5_4_2_pam_tally2_state == "" + + # - name: "AUTOMATED | 5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Set pam_deny.so and pam_tally.so" + # lineinfile: + # path: /etc/pam.d/common-account + # regexp: "{{ item.regexp }}" + # line: "{{ item.line }}" + # insertafter: '^# end of pam-auth-update config' + # with_items: + # # - { regexp: '^accout.*requisite.*pam_deny.so', line: 'account requisite pam_george.so' } + # - { regexp: '^account.*required.*pam_tally.so', line: 'account required pam_tally.so' } + when: + - ubtu20cis_rule_5_4_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.4.2 + - pamd + - notimplemented + +- name: "AUTOMATED | 5.4.3 | PATCH | Ensure password reuse is limited" + block: + - name: "AUTOMATED | 5.4.3 | AUDIT | Ensure password reuse is limited | Confirm pam_pwhistory.so in common-password" + command: grep 'password.*required.*pam_pwhistory.so' /etc/pam.d/common-password + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_5_4_3_pam_pwhistory_state + + - name: "AUTOMATED | 5.4.3 | PATCH | Ensure password reuse is limited | Set remember value if pam_pwhistory exists" + pamd: + name: common-password + type: password + control: required + module_path: pam_pwhistory.so + module_arguments: 'remember={{ ubtu20cis_pamd_pwhistory_remember }}' + state: args_present + when: ubtu20cis_5_4_3_pam_pwhistory_state.stdout | length > 0 + + - name: "AUTOMATED | 5.4.3 | PATCH | Ensure password reuse is limited | Set remember value if pam_pwhistory does no exist" + lineinfile: + path: /etc/pam.d/common-password + line: 'password required pam_pwhistory.so remember={{ ubtu20cis_pamd_pwhistory_remember }}' + insertafter: '^# end of pam-auth-update config' + when: ubtu20cis_5_4_3_pam_pwhistory_state.stdout | length == 0 + when: + - ubtu20cis_rule_5_4_3 + tags: + - 
level1-server + - level1-workstation + - automated + - patch + - rule_5.4.3 + - pamd + +- name: "AUTOMATED | 5.4.4 | PATCH | Ensure password hashing algorithm is SHA-512" + block: + - name: "AUTOMATED | 5.4.4 | AUDIT | Ensure password hashing algorithm is SHA-512 | Confirm pam_unix.so" + shell: grep -E '^\s*password\s+(\S+\s+)+pam_unix\.so\s+(\S+\s+)*sha512\s*(\S+\s*)*(\s+#.*)?$' /etc/pam.d/common-password + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_5_4_4_pam_unix_state + + - name: "AUTOMATED | 5.4.4 | PATCH | Ensure password hashing algorithm is SHA-512 | Set hashing if pam_unix.so exists" + pamd: + name: common-password + type: password + control: '[success=1 default=ignore]' + module_path: pam_unix.so + module_arguments: sha512 + state: args_present + when: ubtu20cis_5_4_4_pam_unix_state.stdout | length > 0 + + - name: "AUTOMATED | 5.4.4 | PATCH | Ensure password hashing algorithm is SHA-512 | Set hashing if pam_unix.so does not exist" + lineinfile: + path: /etc/pam.d/common-password + line: 'password [success=1 default=ignore] pam_unix.so sha512' + insertafter: '^# end of pam-auth-update config' + when: ubtu20cis_5_4_4_pam_unix_state.stdout | length == 0 + when: + - ubtu20cis_rule_5_4_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.4.4 + - pamd diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml new file mode 100644 index 00000000..aa775b7f --- /dev/null +++ b/tasks/section_5/cis_5.5.x.yml 
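Review bot: In 5.4.4 the audit grep only matches a `pam_unix.so` line that already carries `sha512`, so on a host whose common-password has pam_unix without that argument the `length == 0` branch runs and `lineinfile` appends a second `password [success=1 default=ignore] pam_unix.so sha512` rule instead of amending the existing one, leaving the original weaker-hash line in force and two pam_unix entries in the stack. Grep for the module rather than the argument (`grep -E '^\s*password\s+\S+\s+pam_unix\.so' /etc/pam.d/common-password`) and let the `pamd ... state: args_present` task add `sha512` whenever the rule exists, keeping the `lineinfile` fallback only for a genuinely missing pam_unix line. 5.4.2 is reduced to `command: /bin/true` yet remains tagged `automated` and `patch`, so a run reports the lockout control as handled while nothing is enforced; a `debug` warning naming the rule, or dropping the `patch` tag until it is implemented, would keep the report honest. The 5.4.3 fallback appends pam_pwhistory after the `# end of pam-auth-update config` marker, i.e. after pam_unix; I believe pwhistory has to precede pam_unix in the password stack to veto a reused password before it is set, so please confirm the placement.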
@@ -0,0 +1,258 @@ +--- +- name: "AUTOMATED | 5.5.1.1 | PATCH | Ensure minimum days between password changes is configured" + block: + - name: "AUTOMATED | 5.5.1.1 | PATCH | Ensure minimum days between password changes is configured | Set /etc/login.defs PASS_MIN_DAYS" + lineinfile: + path: /etc/login.defs + regexp: '^PASS_MIN_DAYS|^#PASS_MIN_DAYS' + line: 'PASS_MIN_DAYS {{ ubtu20cis_pass.min_days }}' + + - name: "AUTOMATED | 5.5.1.1 | PATCH | Ensure minimum days between password changes is configured | Set existing users PASS_MIN_DAYS" + command: chage --mindays {{ ubtu20cis_pass.min_days }} {{ item }} + failed_when: false + with_items: + - "{{ ubtu20cis_passwd| selectattr('uid', '>=', 1000) | map(attribute='id') | list }}" + when: ubtu20cis_disruption_high + when: + - ubtu20cis_rule_5_5_1_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.5.1.1 + - user + - login + +- name: "AUTOMATED | 5.5.1.2 | PATCH | Ensure password expiration is 365 days or less" + block: + - name: "AUTOMATED | 5.5.1.2 | PATCH | Ensure password expiration is 365 days or less | Set /etc/login.defs PASS_MAX_DAYS" + lineinfile: + path: /etc/login.defs + regexp: '^PASS_MAX_DAYS|^#PASS_MAX_DAYS' + line: 'PASS_MAX_DAYS {{ ubtu20cis_pass.max_days }}' + insertafter: '# Password aging controls' + + - name: "AUTOMATED | 5.5.1.2 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS" + command: chage --maxdays {{ ubtu20cis_pass.max_days }} {{ item }} + failed_when: false + with_items: + - "{{ ubtu20cis_passwd| selectattr('uid', '>=', 1000) | map(attribute='id') | list }}" + when: ubtu20cis_disruption_high + when: + - ubtu20cis_rule_5_5_1_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.5.1.2 + - user + - login + +- name: "AUTOMATED | 5.5.1.3 | PATCH | Ensure password expiration warning days is 7 or more" + block: + - name: "AUTOMATED | 5.5.1.3 | PATCH | Ensure password expiration warning days is 
7 or more | Set /etc/login.defs PASS_WARN_AGE" + lineinfile: + path: /etc/login.defs + regexp: '^PASS_WARN_AGE|^#PASS_WARN_AGE' + line: 'PASS_WARN_AGE {{ ubtu20cis_pass.warn_age }}' + + - name: "AUTOMATED | 5.5.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Set existing users PASS_WARN_AGE" + command: chage --warndays {{ ubtu20cis_pass.warn_age }} {{ item }} + failed_when: false + with_items: + - "{{ ubtu20cis_passwd| selectattr('uid', '>=', 1000) | map(attribute='id') | list }}" + when: ubtu20cis_disruption_high + when: + - ubtu20cis_rule_5_5_1_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.5.1.3 + - user + - login + +- name: "AUTOMATED | 5.5.1.4 | PATCH | Ensure inactive password lock is 30 days or less" + block: + - name: "AUTOMATED | 5.5.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set inactive period for new users" + command: useradd -D -f {{ ubtu20cis_pass.inactive }} + failed_when: false + + - name: "AUTOMATED | 5.5.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set inactive period for existing users" + command: chage --inactive {{ ubtu20cis_pass.inactive }} {{ item }} + failed_when: false + with_items: + - "{{ ubtu20cis_passwd| selectattr('uid', '>=', 1000) | map(attribute='id') | list }}" + when: ubtu20cis_disruption_high + when: + - ubtu20cis_rule_5_5_1_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.5.1.4 + - user + - login + +- name: "AUTOMATED | 5.5.1.5 | PATCH | Ensure all users last password change date is in the past" + block: + - name: "AUTOMATED | 5.5.1.5 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time" + shell: echo $(($(date --utc --date "$1" +%s)/86400)) + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_5_5_1_5_current_time + + - name: "AUTOMATED | 5.5.1.5 | AUDIT | Ensure all users last password change date is in the past | 
Get list of users with last changed PW date in future" + shell: "cat /etc/shadow | awk -F: '{if($3>{{ ubtu20cis_5_5_1_5_current_time.stdout }})print$1}'" + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_5_5_1_5_user_list + + - name: "AUTOMATED | 5.5.1.5 | PATCH | Ensure all users last password change date is in the past | Warn about users" + debug: + msg: + - "WARNING!!!!The following accounts have the last PW change date in the future" + - "{{ ubtu20cis_5_5_1_5_user_list.stdout_lines }}" + when: ubtu20cis_5_5_1_5_user_list.stdout | length > 0 + + - name: "AUTOMATED | 5.5.1.5 | PATCH | Ensure all users last password change date is in the past | Lock accounts with furtre PW changed dates" + command: passwd --expire {{ item }} + failed_when: false + with_items: + - "{{ ubtu20cis_5_5_1_5_user_list.stdout_lines }}" + when: + - ubtu20cis_disruption_high + - ubtu20cis_5_5_1_5_user_list.stdout | length > 0 + when: + - ubtu20cis_rule_5_5_1_5 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.5.1.5 + - user + - login + +- name: "AUTOMATED | 5.5.2 | PATCH | Ensure system accounts are secured" + block: + - name: "AUTOMATED | 5.5.2 | PATCH | Ensure system accounts are secured | Set system accounts to login" + user: + name: "{{ item }}" + shell: /sbin/nologin + with_items: + - "{{ ubtu20cis_passwd | selectattr('uid', '<', 1000) | map(attribute='id') | list }}" + when: + - item != "root" + - item != "sync" + - item != "shutdown" + - item != "halt" + + - name: "AUTOMATED | 5.5.2 | PATCH | Ensure system accounts are secured | Lock non-root system accounts" + user: + name: "{{ item }}" + password_lock: true + with_items: + - "{{ ubtu20cis_passwd| selectattr('uid', '<', 1000) | map(attribute='id') | list }}" + when: + - item != "root" + when: + - ubtu20cis_rule_5_5_2 + - ubtu20cis_disruption_high + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.5.2 + - user + - system + +- name: 
"AUTOMATED | 5.5.3 | PATCH | Ensure default group for the root account is GID 0" + block: + - name: "AUTOMATED | 5.5.3 | PATCH | Ensure default group for the root account is GID 0 | Set root group to GUID 0" + group: + name: root + gid: 0 + + - name: "AUTOMATED | 5.5.3 | PATCH | Ensure default group for the root account is GID 0 | Set root user to root group" + user: + name: root + group: root + when: + - ubtu20cis_rule_5_5_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.5.3 + - user + - system + +- name: "AUTOMATED | 5.5.4 | PATCH | Ensure default user umask is 027 or more restrictive" + block: + - name: "AUTOMATED | 5.5.4 | AUDIT | Ensure default user umask is 027 or more restrictive" + shell: grep -E '^session.*optional.*pam_umask.so' /etc/pam.d/common-session + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_5_5_4_umask_pam_status + + - name: "AUTOMATED | 5.5.4 | PATCH | Ensure default user umask is 027 or more restrictive" + lineinfile: + path: /etc/pam.d/common-session + line: 'session optional pam_umask.so' + insertbefore: '^# end of pam-auth-update config' + when: ubtu20cis_5_5_4_umask_pam_status.stdout | length > 0 + + - name: "AUTOMATED | 5.5.4 | PATCH | Ensure default user umask is 027 or more restrictive" + replace: + path: "{{ item }}" + regexp: '(^\s+umask) 002' + replace: '\1 027' + with_items: + - /etc/bash.bashrc + - /etc/profile + - /etc/login.defs + when: + - ubtu20cis_rule_5_5_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.5.4 + - user + +- name: "AUTOMATED | 5.5.5 | PATCH | Ensure default user shell timeout is 900 seconds or less" + blockinfile: + create: yes + mode: 0644 + dest: "{{ item.dest }}" + state: "{{ item.state }}" + marker: "# {mark} ANSIBLE MANAGED" + block: | + # Set session timeout - CIS ID 5.5.5 + TMOUT={{ ubtu20cis_shell_session_timeout.timeout }} + readonly TMOUT + export TMOUT + with_items: + - { dest: "{{ 
ubtu20cis_shell_session_timeout.file }}", state: present } + - { dest: /etc/profile, state: "{{ (ubtu20cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" } + - { dest: /etc/bash.bashrc, state: present } + when: + - ubtu20cis_rule_5_5_5 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.5.5 + - user diff --git a/tasks/section_5/cis_5.6.yml b/tasks/section_5/cis_5.6.yml new file mode 100644 index 00000000..6af98a46 --- /dev/null +++ b/tasks/section_5/cis_5.6.yml @@ -0,0 +1,25 @@ +--- +- name: "MANUAL | 5.6 | AUDIT | Ensure root login is restricted to system console" + block: + - name: "MANUAL | 5.6 | AUDIT | Ensure root login is restricted to system console | Get list of all terminals" + command: cat /etc/securetty + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_5_6_terminal_list + + - name: "MANUAL | 5.6 | AUDIT | Ensure root login is restricted to system console | Message out list" + debug: + msg: + - "WARNING!!!! Below is the list of consoles with root login access" + - "Please review for any conoles that are not in a physically secure location" + - "{{ ubtu20cis_5_6_terminal_list.stdout_lines }}" + when: + - ubtu20cis_rule_5_6 + tags: + - level1-server + - level1-workstation + - manual + - audit + - rule_5.6 + - user diff --git a/tasks/section_5/cis_5.7.yml b/tasks/section_5/cis_5.7.yml new file mode 100644 index 00000000..c60264a3 --- /dev/null +++ b/tasks/section_5/cis_5.7.yml 
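Review bot: The pam_umask step in 5.5.4 has its condition inverted: the `lineinfile` that adds `session optional pam_umask.so` runs only `when: ubtu20cis_5_5_4_umask_pam_status.stdout | length > 0`, i.e. only when the grep already found the line, and does nothing on a host where it is missing, so the rule never remediates the case it exists for; the test should be `| length == 0` (or drop the grep and rely on lineinfile's own idempotency). The following `replace` only rewrites an indented `umask 002`, so a `umask 022` in /etc/profile or /etc/bash.bashrc is left alone and `/etc/login.defs`, which spells the key `UMASK`, can never match; widen it to something like `(^\s*umask)\s+0[0-2][0-6]` and handle login.defs with its own `lineinfile`. In 5.5.1.5 the day count from the first shell task is interpolated straight into the awk program; if that command fails (`failed_when: false` masks it) `stdout` is empty, the program becomes `$3>` and silently matches nothing, so guard the later steps with `when: ubtu20cis_5_5_1_5_current_time.rc == 0`. 5.5.2 sets `/sbin/nologin`, whereas the Ubuntu benchmark text uses `/usr/sbin/nologin`; on an install without merged /usr the former path may not exist, please verify.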
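Review bot: The 5.6 audit assumes /etc/securetty exists, but as far as I know Ubuntu 20.04 no longer ships that file (pam_securetty was dropped from the login stack), so `cat` fails, `failed_when: false` hides it, and the debug prints the WARNING header followed by an empty list, which reads as "no consoles" rather than "file absent". Condition the message on `ubtu20cis_5_6_terminal_list.rc == 0` and add a sibling `debug` for the `rc != 0` case stating that the file is missing and root console restriction must be reviewed by other means. Typo in the message text: `conoles`.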
@@ -0,0 +1,38 @@ +--- +- name: "AUTOMATED | 5.7 | PATCH | Ensure access to the su command is restricted" + block: + - name: "AUTOMATED | 5.7 | PATCH | Ensure access to the su command is restricted | Check for pam_wheel.so module" + command: grep 'auth.*required.*pam_wheel' /etc/pam.d/su + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_5_7_pam_wheel_status + + - name: "AUTOMATED | 5.7 | PATCH | Ensure access to the su command is restricted | Create empty sugroup" + group: + name: "{{ ubtu20cis_su_group }}" + + - name: "AUTOMATED | 5.7 | PATCH | Ensure access to the su command is restricted | Set pam_wheel if exists" + pamd: + name: su + type: auth + control: required + module_path: pam_wheel.so + module_arguments: 'use_uid group={{ ubtu20cis_su_group }}' + when: ubtu20cis_5_7_pam_wheel_status.stdout | length > 0 + + - name: "AUTOMATED | 5.7 | PATCH | Ensure access to the su command is restricted | Set pam_wheel if does not exist" + lineinfile: + path: /etc/pam.d/su + line: 'auth required pam_wheel.so use_uid group={{ ubtu20cis_su_group }}' + create: yes + when: ubtu20cis_5_7_pam_wheel_status.stdout | length == 0 + when: + - ubtu20cis_rule_5_7 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_5.7 + - user diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml new file mode 100644 index 00000000..040d4fbc --- /dev/null +++ b/tasks/section_5/main.yml 
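Review bot: The detection grep `auth.*required.*pam_wheel` in 5.7 is unanchored, so it also matches the commented-out `# auth required pam_wheel.so` line that the stock Debian/Ubuntu /etc/pam.d/su ships with; stdout is then non-empty, the `pamd` branch appears to run against a rule that has no active entry, and the `lineinfile` branch never fires, leaving su unrestricted while the task reports success. Anchor the check to an active rule, `command: grep -E '^\s*auth\s+required\s+pam_wheel' /etc/pam.d/su`, so a commented line is treated as "not configured". In the `lineinfile` branch the default append places the rule after `@include common-auth`, so a non-member is still prompted for the root password before pam_wheel denies; `insertafter: '^auth\s+sufficient\s+pam_rootok.so'` matches the stock file's commented placement — confirm against the target file. Also, `create: yes` would leave a PAM stack consisting of only this rule if /etc/pam.d/su were ever missing; failing loudly in that case is safer than creating the file.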
@@ -0,0 +1,21 @@ +--- +- name: "SECTION | 5.1 | Configure time-based job schedulers" + include: cis_5.1.x.yml + +- name: "SECTION | 5.2 | Configure sudo" + include: cis_5.2.x.yml + +- name: "SECTION | 5.3 | Configure SSH Server" + include: cis_5.3.x.yml + +- name: "SECTION | 5.4.x | User PAM" + include: cis_5.4.x.yml + +- name: "SECTION | 5.5.x | User Accounts and Enironment" + include: cis_5.5.x.yml + +- name: "SECTION | 5.6 | Ensure root login is restricted to system console" + include: cis_5.6.yml + +- name: "SECTION | 5.7 | Ensure access to the su command is restricted" + include: cis_5.7.yml \ No newline at end of file From 7ea382ac3a41065ca968fe7cd7deb842fabd2f0b Mon Sep 17 00:00:00 2001 From: George Nalen Date: Fri, 7 May 2021 09:25:43 -0400 Subject: [PATCH 42/44] updated section 6 layout Signed-off-by: George Nalen --- tasks/main.yml | 2 +- tasks/{section6.yml => old_section6.yml} | 0 tasks/section_6/cis_6.1.x.yml | 355 ++++++++++++++ tasks/section_6/cis_6.2.x.yml | 566 +++++++++++++++++++++++ tasks/section_6/main.yml | 6 + 5 files changed, 928 insertions(+), 1 deletion(-) rename tasks/{section6.yml => old_section6.yml} (100%) create mode 100644 tasks/section_6/cis_6.1.x.yml create mode 100644 tasks/section_6/cis_6.2.x.yml create mode 100644 tasks/section_6/main.yml diff --git a/tasks/main.yml b/tasks/main.yml index a7d7cdf7..2fd5cebf 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -68,7 +68,7 @@ - section5 - name: Include section 6 patches - import_tasks: section6.yml + import_tasks: section_6/main.yml when: ubtu20cis_section6_patch tags: - section6 diff --git a/tasks/section6.yml b/tasks/old_section6.yml similarity index 100% rename from tasks/section6.yml rename to tasks/old_section6.yml diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml new file mode 100644 index 00000000..07e1fdb4 --- /dev/null +++ b/tasks/section_6/cis_6.1.x.yml 
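Review bot: The new section_5/main.yml uses the bare `include:` action for every sub-file; `include` has been deprecated since Ansible 2.4 and the file names here are static, so `import_tasks: cis_5.1.x.yml` (the form tasks/main.yml already uses) avoids the deprecation warning and applies the per-rule `tags` and `when` statically, which matters for a role driven almost entirely by tags. Also fix the typo in the 5.5.x task name, "Enironment" → "Environment", and add the trailing newline the diff flags as missing.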
@@ -0,0 +1,355 @@ +--- +- name: "MANUAL | 6.1.1 | AUDIT | Audit system file permissions" + block: + - name: "MANUAL | 6.1.1 | AUDIT | Audit system file permissions | Register package list" + command: ls -a /bin/ + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_6_1_1_packages + + # - name: "NOTSCORED | 6.1.1 | AUDIT | Audit system file permissions | Audit the packages" + # command: dpkg --verify {{ item }} + # changed_when: false + # failed_when: false + # check_mode: false + # with_items: + # - "{{ ubtu18cis_6_1_1_packages.stdout_lines }}" + # register: ubtu18cis_6_1_1_packages_audited + + - name: "MANUAL | 6.1.1 | AUDIT | Audit system file permissions | Message out packages results for review" + debug: + msg: + - "ALERT!!!! Below are the packages that need to be reviewed." + - "You can run dpkg --verify and if nothing is returned the package is installed correctly" + - "{{ ubtu20cis_6_1_1_packages.stdout_lines }}" + when: + - ubtu20cis_rule_6_1_1 + tags: + - level2-server + - level2-workstation + - manual + - audit + - rule_6.1.1 + - permissions + +- name: "AUTOMATED | 6.1.2 | PATCH | Ensure permissions on /etc/passwd are configured" + file: + path: /etc/passwd + owner: root + group: root + mode: 0644 + when: + - ubtu20cis_rule_6_1_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.1.2 + - permissions + +- name: "AUTOMATED | 6.1.3 | PATCH | Ensure permissions on /etc/passwd- are configured" + file: + path: /etc/passwd- + owner: root + group: root + mode: 0600 + when: + - ubtu20cis_rule_6_1_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.1.3 + - permissions + +- name: "AUTOMATED | 6.1.4 | PATCH | Ensure permissions on /etc/group are configured" + file: + path: /etc/group + owner: root + group: root + mode: 0644 + when: + - ubtu20cis_rule_6_1_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.1.4 + - permissions + +- name: 
"AUTOMATED | 6.1.5 | PATCH | Ensure permissions on /etc/group- are configured" + file: + path: /etc/group- + owner: root + group: root + mode: 0644 + when: + - ubtu20cis_rule_6_1_5 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.1.5 + - permissions + +- name: "AUTOMATED | 6.1.6 | PATCH | Ensure permissions on /etc/shadow are configured" + file: + path: /etc/shadow + owner: root + group: shadow + mode: 0640 + when: + - ubtu20cis_rule_6_1_6 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.1.6 + - permissions + +- name: "AUTOMATED | 6.1.7 | PATCH | Ensure permissions on /etc/shadow- are configured" + file: + path: /etc/shadow- + owner: root + group: shadow + mode: 0640 + when: + - ubtu20cis_rule_6_1_7 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.1.7 + - permissions + +- name: "AUTOMATED | 6.1.8 | PATCH | Ensure permissions on /etc/gshadow are configured" + file: + path: /etc/gshadow + owner: root + group: shadow + mode: 0640 + when: + - ubtu20cis_rule_6_1_8 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.1.8 + - permissions + +- name: "AUTOMATED | 6.1.9 | PATCH | Ensure permissions on /etc/gshadow- are configured" + file: + path: /etc/gshadow- + owner: root + group: shadow + mode: 0640 + when: + - ubtu20cis_rule_6_1_9 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.1.9 + - permissions + +- name: "AUTOMATED | 6.1.10 | PATCH | Ensure no world writable files exist" + block: + - name: "AUTOMATED | 6.1.10 | AUDIT | Ensure no world writable files exist | Get list of world-writable files" + shell: find {{ item.mount }} -xdev -type f -perm -0002 + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_6_1_10_wwf + with_items: + - "{{ ansible_mounts }}" + + - name: "AUTOMATED | 6.1.10 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they 
exist" + file: + path: "{{ item }}" + mode: o-w + with_items: + - "{{ ubtu20cis_6_1_10_wwf.results | map(attribute='stdout_lines') | flatten }}" + when: ubtu20cis_no_world_write_adjust + when: + - ubtu20cis_rule_6_1_10 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.1.10 + - permissions + +- name: "AUTOMATED | 6.1.11 | PATCH | Ensure no unowned files or directories exist" + block: + - name: "AUTOMATED | 6.1.11 | AUDIT | Ensure no unowned files or directories exist | Get unowned files or directories" + shell: find {{ item.mount }} -xdev -nouser + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_6_1_11_no_user_items + with_items: + - "{{ ansible_mounts }}" + + - name: "AUTOMATED | 6.1.11 | AUDIT | Ensure no unowned files or directories exist | Flatten no_user_items results for easier use" + set_fact: + ubtu20cis_6_1_11_no_user_items_flatten: "{{ ubtu20cis_6_1_11_no_user_items.results | map(attribute='stdout_lines') | flatten }}" + + - name: "AUTOMATED | 6.1.11 | AUDIT | Ensure no unowned files or directories exist | Alert on unowned files and directories" + debug: + msg: + - "ALERT!!!You have unowned files and are configured to not auto-remediate for this task" + - "Please review the files/directories below and assign an owner" + - "{{ ubtu20cis_6_1_11_no_user_items_flatten }}" + when: + - not ubtu20cis_no_owner_adjust + - ubtu20cis_6_1_11_no_user_items_flatten | length > 0 + + - name: "AUTOMATED | 6.1.11 | PATCH | Ensure no unowned files or directories exist | Set unowned files/directories to configured owner" + file: + path: "{{ item }}" + owner: "{{ ubtu20cis_unowned_owner }}" + with_items: + - "{{ ubtu20cis_6_1_11_no_user_items_flatten }}" + when: + - ubtu20cis_no_owner_adjust + - ubtu20cis_6_1_11_no_user_items_flatten | length > 0 + when: + - ubtu20cis_rule_6_1_11 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.1.11 + - permissions + +- name: "AUTOMATED | 
6.1.12 | PATCH | Ensure no ungrouped files or directories exist" + block: + - name: "AUTOMATED | 6.1.12 | AUDIT | Ensure no ungrouped files or directories exist | Get ungrouped fiels or directories" + shell: find {{ item.mount }} -xdev -nogroup + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_6_1_12_ungrouped_items + with_items: + - "{{ ansible_mounts }}" + + - name: "AUTOMATED | 6.1.12 | AUDIT | Ensure no ungrouped files or directories exist | Flatten ungrouped_items results for easier use" + set_fact: + ubtu20cis_6_1_12_ungrouped_items_flatten: "{{ ubtu20cis_6_1_12_ungrouped_items.results | map(attribute='stdout_lines') | flatten }}" + + - name: "AUTOMATED | 6.1.12 | AUDIT | Ensure no ungrouped files or directories exist | Alert on ungrouped files and directories" + debug: + msg: + - "ALERT!!!!You have ungrouped files/directories and are configured to not auto-remediate for this task" + - "Please review the files/directories below and assign a group" + - "{{ ubtu20cis_6_1_12_ungrouped_items_flatten }}" + when: + - not ubtu20cis_no_group_adjust + - ubtu20cis_6_1_12_ungrouped_items_flatten | length > 0 + + - name: "AUTOMATED | 6.1.12 | PATCH | Ensure no ungrouped files or directories exist | Set ungrouped files/directories to configured group" + file: + path: "{{ item }}" + group: "{{ ubtu20cis_ungrouped_group }}" + with_items: + - "{{ ubtu20cis_6_1_12_ungrouped_items_flatten }}" + when: + - ubtu20cis_no_group_adjust + - ubtu20cis_6_1_12_ungrouped_items_flatten | length > 0 + when: + - ubtu20cis_rule_6_1_12 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.1.12 + - permissions + +- name: "MANUAL | 6.1.13 | AUDIT | Audit SUID executables" + block: + - name: "MANUAL | 6.1.13 | AUDIT | Audit SUID executables | Find SUID executables" + # shell: df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -4000 + shell: find {{ item.mount }} -xdev -type f -perm -4000 + 
changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_6_1_13_suid_executables + with_items: + - "{{ ansible_mounts }}" + + - name: "MANUAL | 6.1.13 | AUDIT | Audit SUID executables | Flatten suid_executables results for easier use" + set_fact: + ubtu20cis_6_1_13_suid_executables_flatten: "{{ ubtu20cis_6_1_13_suid_executables.results | map(attribute='stdout_lines') | flatten }}" + + - name: "MANUAL | 6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist" + debug: + msg: + - "ALERT!!!!You have SUID executables" + - "The files are listed below, please confirm the integrity of these binaries" + - "{{ ubtu20cis_6_1_13_suid_executables_flatten }}" + when: + - ubtu20cis_6_1_13_suid_executables_flatten | length > 0 + - not ubtu20cis_suid_adjust + + - name: "MANUAL | 6.1.13 | PATCH | Audit SUID executables | Remove SUID bit" + file: + path: "{{ item }}" + mode: 'u-s' + with_items: + - "{{ ubtu20cis_6_1_13_suid_executables_flatten }}" + when: + - ubtu20cis_suid_adjust + - ubtu20cis_6_1_13_suid_executables_flatten | length > 0 + when: + - ubtu20cis_rule_6_1_13 + tags: + - level1-server + - level1-workstation + - manual + - audit + - rule_6.1.13 + - permissions + +- name: "MANUAL | 6.1.14 | AUDIT | Audit SGID executables" + block: + - name: "MANUAL |6.1.14 | AUDIT | Audit SGID executables | Find SGID executables" + shell: find {{ item }} -xdev -type f -perm -2000 + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_6_1_14_sgid_executables + with_items: + - "{{ ansible_mounts }}" + + - name: "MANUAL | 6.1.14 | AUDIT | Audit SGID executables | Flatten sgid_executables results for easier use" + set_fact: + ubtu20cis_6_1_14_sgid_executables_flatten: "{{ ubtu20cis_6_1_14_sgid_executables.results | map(attribute='stdout_lines') | flatten }}" + + - name: "MANUAL | 6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist" + debug: + msg: + - "ALERT!!!!You have SGID executables" + - "The files 
are listed below, please review the integrity of these binaries" + - "{{ ubtu20cis_6_1_14_sgid_executables_flatten }}" + when: ubtu20cis_6_1_14_sgid_executables_flatten | length > 0 + when: + - ubtu20cis_rule_6_1_14 + tags: + - level1-server + - level1-workstation + - manual + - audit + - rule_6.1.14 + - permissions diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml new file mode 100644 index 00000000..51bafb6e --- /dev/null +++ b/tasks/section_6/cis_6.2.x.yml 
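Review bot: The SGID audit in 6.1.14 loops over `ansible_mounts` but renders `find {{ item }} -xdev -type f -perm -2000`, passing the whole mount dict where 6.1.13 correctly uses `item.mount`; with `failed_when: false` the resulting find error is swallowed, stdout_lines stays empty and the SGID alert can never fire. Change it to `shell: find {{ item.mount }} -xdev -type f -perm -2000`. Separately, 6.1.13 is tagged `manual`/`audit` yet its last step applies `mode: 'u-s'` to every setuid file found when `ubtu20cis_suid_adjust` is set, which would strip setuid from sudo, passwd, su, mount and similar binaries and break privilege management on the host; the CIS control only asks for the list to be reviewed, so this remediation should be removed or restricted to an explicit, reviewed list of paths. Also, 6.1.1 registers `ls -a /bin/` as a "package list" and tells the operator to run `dpkg --verify` on it, but that output is file names, not packages; `dpkg-query -W -f='${binary:Package}\n'` yields the list the commented-out verify step expects.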
@@ -0,0 +1,566 @@ +--- +- name: "AUTOMATED | 6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords" + block: + - name: "AUTOMATED | 6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Get users not using shadowed passwords" + command: awk -F':' '($2 != "x" ) { print $1}' /etc/passwd + changed_when: false + failed_when: false + register: ubtu20cis_6_2_1_nonshadowed_users + + - name: "AUTOMATED | 6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Alert on findings" + debug: + msg: + - "ALERT! You have users that are not using a shadowed password. Please convert the below accounts to use a shadowed password" + - "{{ ubtu20cis_6_2_1_nonshadowed_users.stdout_lines }}" + when: + - ubtu20cis_6_2_1_nonshadowed_users.stdout | length > 0 + when: + - ubtu20cis_rule_6_2_1 + tags: + - level1-server + - level1-workstation + - automated + - audit + - rule_6.2.1 + - user_accounts + +- name: "AUTOMATED | 6.2.2 | PATCH | Ensure password fields are not empty" + block: + - name: "AUTOMATED | 6.2.2 | AUDIT | Ensure password fields are not empty | Find users with no password" + shell: awk -F":" '($2 == "" ) { print $1 }' /etc/shadow + changed_when: no + check_mode: false + register: ubtu20cis_6_2_2_empty_password_acct + + - name: "AUTOMATED | 6.2.2 | PATCH | Ensure password fields are not empty | Lock users with empty password" + user: + name: "{{ item }}" + password_lock: yes + with_items: + - "{{ ubtu20cis_6_2_2_empty_password_acct.stdout_lines }}" + when: ubtu20cis_6_2_2_empty_password_acct.stdout | length > 0 + when: + - ubtu20cis_rule_6_2_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.2.2 + - user + - permissions + +- name: "AUTOMATED | 6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group" + block: + - name: "AUTOMATED | 6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries" + shell: pwck -r | grep 'no group' | awk '{ 
gsub("[:\47]",""); print $2}' + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_6_2_3_passwd_gid_check + + - name: "AUTOMATED | 6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files" + debug: + msg: "Good News! There are no users that have non-existent GUIDs (Groups)" + when: ubtu20cis_6_2_3_passwd_gid_check.stdout | length == 0 + + - name: "AUTOMATED | 6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" + debug: + msg: "WARNING!!!! The following users have non-existent GIDs (Groups): {{ ubtu20cis_6_2_3_passwd_gid_check.stdout_lines | join (', ') }}" + when: ubtu20cis_6_2_3_passwd_gid_check.stdout | length > 0 + when: + - ubtu20cis_rule_6_2_3 + tags: + - level1-server + - level1-workstation + - automated + - audit + - rule_6.2.3 + - groups + +- name: "AUTOMATED | 6.2.4 | PATCH | Ensure all users' home directories exist" + block: + - name: capture audit task for missing homedirs + block: &u20s_homedir_audit + - name: "AUTOMATED | 6.2.4 | PATCH | Ensure all users' home directories exist | Find users missing home directories" + shell: pwck -r | grep -P {{ ld_regex | quote }} + check_mode: false + register: ubtu20cis_users_missing_home + changed_when: ubtu20cis_6_2_4_audit | length > 0 + # failed_when: 0: success, 1: no grep match, 2: pwck found something + failed_when: ubtu20cis_users_missing_home.rc not in [0,1,2] + + ### NOTE: due to https://github.com/ansible/ansible/issues/24862 This is a shell command, and is quite frankly less than ideal. 
+ - name: "AUTOMATED | 6.2.4 | PATCH | Ensure all users' home directories exist| Creates home directories" + command: "mkhomedir_helper {{ item }}" + # check_mode: "{{ ubtu20cis_disruptive_check_mode }}" + with_items: "{{ ubtu20cis_6_2_4_audit | map(attribute='id') | list }}" + when: + - ubtu20cis_users_missing_home is changed + - ubtu20cis_disruption_high + + ### NOTE: Now we need to address that SELINUX will not let mkhomedir_helper create home directories for UUID < 500, so the ftp user will still show up in a pwck. Not sure this is needed, I need to confirm if that user is removed in an earlier task. + ### ^ Likely doesn't matter as 6.2.7 defines "local interactive users" as those w/ uid 1000-4999 + - name: replay audit task + block: *u20s_homedir_audit + + # CAUTION: debug loops don't show changed since 2.4: + # Fix: https://github.com/ansible/ansible/pull/59958 + - name: "AUTOMATED | 6.2.4 | PATCH | Ensure all users' home directories exist | Alert about correcting owner and group" + debug: msg="You will need to mkdir -p {{ item }} and chown properly to the correct owner and group." 
+ with_items: "{{ ubtu20cis_6_2_4_audit | map(attribute='dir') | list }}" + changed_when: ubtu20cis_audit_complex + when: + - ubtu20cis_users_missing_home is changed + vars: + ld_regex: >- + ^user '(?P.*)': directory '(?P.*)' does not exist$ + ld_users: "{{ ubtu20cis_users_missing_home.stdout_lines | map('regex_replace', ld_regex, '\\g') | list }}" + ubtu20cis_6_2_4_audit: "{{ ubtu20cis_passwd | selectattr('uid', '>=', 1000) | selectattr('id', 'in', ld_users) | list }}" + when: + - ubtu20cis_rule_6_2_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.2.4 + - user + +- name: "AUTOMATED | 6.2.5 | PATCH | Ensure users own their home directories" + file: + path: "{{ item.dir }}" + owner: "{{ item.id }}" + state: directory + with_items: + - "{{ ubtu20cis_passwd }}" + loop_control: + label: "{{ ubtu20cis_passwd_label }}" + when: + - ubtu20cis_rule_6_2_5 + - item.uid >= 1000 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.2.5 + - user + +- name: "AUTOMATED | 6.2.6 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" + block: + - name: "AUTOMATED | 6.2.6 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive | Get home directories" + stat: + path: "{{ item }}" + with_items: "{{ ubtu20cis_passwd | selectattr('uid', '>=', 1000) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" + check_mode: false + register: ubtu20cis_6_2_6_audit + + - name: "AUTOMATED | 6.2.6 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive | Find home directories more 750" + command: find -H {{ item.0 | quote }} -not -type l -perm /027 + register: ubtu20cis_6_2_6_patch_audit + changed_when: ubtu20cis_6_2_6_patch_audit.stdout | length > 0 + check_mode: false + when: + - item.1.exists + with_together: + - "{{ ubtu20cis_6_2_6_audit.results | map(attribute='item') | list }}" + - "{{ ubtu20cis_6_2_6_audit.results | map(attribute='stat') | 
list }}" + loop_control: + label: "{{ item.0 }}" + + - name: "AUTOMATED | 6.2.6 | PATCH | Ensure users' home directories permissions are 750 or more restrictive | Set home perms" + file: + path: "{{ item.0 }}" + recurse: yes + mode: a-st,g-w,o-rwx + register: ubtu20cis_6_2_6_patch + when: + - ubtu20cis_disruption_high + - item.1.exists + with_together: + - "{{ ubtu20cis_6_2_6_audit.results | map(attribute='item') | list }}" + - "{{ ubtu20cis_6_2_6_audit.results | map(attribute='stat') | list }}" + loop_control: + label: "{{ item.0 }}" + + # set default ACLs so the homedir has an effective umask of 0027 + - name: "AUTOMATED | 6.2.6 | PATCH | Ensure users' home directories permissions are 750 or more restrictive | Set ACL's" + acl: + path: "{{ item.0 }}" + default: yes + state: present + recursive: yes + etype: "{{ item.1.etype }}" + permissions: "{{ item.1.mode }}" + when: not ubtu20cis_system_is_container + with_nested: + - "{{ (ansible_check_mode | ternary(ubtu20cis_6_2_6_patch_audit, ubtu20cis_6_2_6_patch)).results | + rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" + - + - etype: group + mode: rx + - etype: other + mode: '0' + when: + - ubtu20cis_rule_6_2_6 + - ubtu20cis_disruption_high + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.2.6 + - user + +- name: "AUTOMATED | 6.2.7 | PATCH | Ensure users' dot files are not group or world writable" + block: + - name: "AUTOMATED | 6.2.7 | AUDIT | Ensure users' dot files are not group or world-writable | Check for files" + shell: find /home/ -name "\.*" -perm /g+w,o+w + changed_when: no + failed_when: no + check_mode: false + register: ubtu20cis_6_2_7_audit + + - name: "AUTOMATED | 6.2.7 | AUDIT | Ensure users' dot files are not group or world-writable | Alert on files found" + debug: + msg: "Good news! 
We have not found any group or world-writable dot files on your sytem" + failed_when: false + changed_when: false + when: + - ubtu20cis_6_2_7_audit.stdout | length == 0 + + - name: "AUTOMATED | 6.2.7 | PATCH | Ensure users' dot files are not group or world-writable | Changes files if configured" + file: + path: '{{ item }}' + mode: go-w + with_items: "{{ ubtu20cis_6_2_7_audit.stdout_lines }}" + when: + - ubtu20cis_6_2_7_audit.stdout | length > 0 + - ubtu20cis_dotperm_ansibleManaged + when: + - ubtu20cis_rule_6_2_7 + - ubtu20cis_disruption_high + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.2.7 + - user + +- name: "AUTOMATED | 6.2.8 | PATCH | Ensure no users have .netrc files" + file: + dest: "~{{ item }}/.netrc" + state: absent + with_items: + - "{{ ubtu20cis_users.stdout_lines }}" + when: + - ubtu20cis_rule_6_2_8 + - ubtu20cis_disruption_high + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.2.8 + - user + +- name: "AUTOMATED | 6.2.9 | PATCH | Ensure no users have .forward files" + file: + dest: "~{{ item }}/.forward" + state: absent + with_items: + - "{{ ubtu20cis_users.stdout_lines }}" + when: + - ubtu20cis_rule_6_2_9 + - ubtu20cis_disruption_high + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.2.9 + - user + +- name: "AUTOMATED | 6.2.10 | PATCH | Ensure no users have .rhosts files" + file: + dest: "~{{ item }}/.rhosts" + state: absent + with_items: + - "{{ ubtu20cis_users.stdout_lines }}" + when: + - ubtu20cis_rule_6_2_10 + - ubtu20cis_disruption_high + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.2.10 + - user + +- name: "AUTOMATED | 6.2.11 | PATCH | Ensure root is the only UID 0 account" + block: + - name: "AUTOMATED | 6.2.11 | AUDIT | Ensure root is the only UID 0 account | Get non-root users with UID of 0" + shell: awk -F":" '($3 == 0 && $1 != \"root\") {i++;print $1 }' /etc/passwd + changed_when: false + 
failed_when: false + check_mode: false + register: ubtu20cis_6_2_11_uid_0_notroot + + - name: "AUTOMATED | 6.2.11 | PATCH | Ensure root is the only UID 0 account | Lock UID 0 users" + user: + name: "{{ item }}" + password_lock: yes + with_items: + - "{{ ubtu20cis_6_2_11_uid_0_notroot.stdout_lines }}" + when: + - ubtu20cis_disruption_high + - ubtu20cis_6_2_11_uid_0_notroot.stdout | length > 0 + + - name: "AUTOMATED | 6.2.11 | AUDIT | Ensure root is the only UID 0 account | Alert about accounts disruption high" + debug: + msg: + - "ALERT!!!! You have non-root users with a UID of 0 and ubtu18cis_disruption_high enabled" + - "This means the following accounts were password locked and will need to have the UID's manually adjusted" + - "{{ ubtu20cis_6_2_11_uid_0_notroot.stdout_lines }}" + when: + - ubtu20cis_disruption_high + - ubtu20cis_6_2_11_uid_0_notroot.stdout | length > 0 + + - name: "AUTOMATED | 6.2.11 | AUDIT | Ensure root is the only UID 0 account | Alert about accounts disruption low" + debug: + msg: + - "ALERT!!!! 
You have non-root users with a UID of 0 and ubtu18cis_disruption_high disabled" + - "This means no action was taken, you will need to have the UID's of the users below manually adjusted" + - "{{ ubtu20cis_6_2_11_uid_0_notroot.stdout_lines }}" + when: + - not ubtu20cis_disruption_high + - ubtu20cis_6_2_11_uid_0_notroot.stdout | length > 0 + when: + - ubtu20cis_rule_6_2_11 + tags: + - level1-server + - level1-workstation + - automated + - scored + - rule_6.2.11 + - user + - root + +- name: "AUTOMATED | 6.2.12 | PATCH | Ensure root PATH Integrity" + command: /bin/true + changed_when: false + failed_when: false + check_mode: false + # block: + # - name: "AUTOMATED | 6.2.12 | PATCH | Ensure root PATH Integrity | Determine empty value" + # shell: 'echo $PATH | grep ::' + # changed_when: False + # failed_when: ubtu20cis_6_2_12_path_colon.rc == 0 + # check_mode: false + # register: ubtu20cis_6_2_12_path_colon + + # - name: "AUTOMATED | 6.2.12 | PATCH | Ensure root PATH Integrity | Determine colon end" + # shell: 'echo $PATH | grep :$' + # changed_when: False + # failed_when: ubtu20cis_6_2_12_path_colon_end.rc == 0 + # check_mode: false + # register: ubtu20cis_6_2_12_path_colon_end + + # - name: "AUTOMATED | 6.2.12 | PATCH | Ensure root PATH Integrity | Determine working dir" + # shell: echo "$PATH" + # changed_when: False + # failed_when: '"." 
in ubtu20cis_6_2_12_working_dir.stdout_lines' + # check_mode: false + # register: ubtu20cis_6_2_12_working_dir + # - debug: var=ubtu20cis_6_2_12_working_dir + + # - name: "AUTOMATED | 6.2.12 | PATCH | Ensure root PATH Integrity | Check paths" + # stat: + # path: "{{ item }}" + # check_mode: false + # register: ubtu20cis_6_2_12_path_stat + # with_items: + # - "{{ ubtu20cis_6_2_12_working_dir.stdout.split(':') }}" + + # - debug: var=ubtu20cis_6_2_12_path_stat + + # - name: "AUTOMATED | 6.2.12 | PATCH | Ensure root PATH Integrity | Alert on empty value, colon end, and no working dir" + # debug: + # msg: + # - "The following paths have no working directory: {{ ubtu20cis_6_2_12_path_stat.results | selectattr('stat.exists','equalto','false') | map(attribute='item') | list }}" + + # # - name: "AUTOMATED | 6.2.12 | PATCH | Ensure root PATH Integrity | Set permissions" + # # file: + # # path: "{{ item }}" + # # owner: root + # # mode: 'o-w,g-w' + # # follow: yes + # # state: directory + # # with_items: + # # - "{{ ubtu18cis_6_2_12_path_stat | selectattr('exists','==','true') | map(attribute='path') }}" + when: + - ubtu20cis_rule_6_2_12 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_6.2.12 + - user + - root + - notimplemented + +- name: "AUTOMATED | 6.2.13 | AUDIT | Ensure no duplicate UIDs exist" + block: + - name: "AUTOMATED | 6.2.13 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs" + shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd" + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_6_2_13_user_uid_check + + - name: "AUTOMATED | 6.2.13 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist" + debug: + msg: "Good News! 
There are no duplicate UID's in the system" + when: ubtu20cis_6_2_13_user_uid_check.stdout | length == 0 + + - name: "AUTOMATED | 6.2.13 | AUDIT | Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" + debug: + msg: "Warning!!!! The following users have UIDs that are duplicates: {{ ubtu20cis_6_2_13_user_uid_check.stdout_lines }}" + when: ubtu20cis_6_2_13_user_uid_check.stdout | length > 0 + when: + - ubtu20cis_rule_6_2_13 + tags: + - level1-server + - level1-workstation + - automated + - audit + - rule_6.2.13 + - user + +- name: "AUTOMATED | 6.2.14 | AUDIT | Ensure no duplicate GIDs exist" + block: + - name: "AUTOMATED | 6.2.14 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs" + shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group" + changed_when: no + failed_when: no + check_mode: false + register: ubtu20cis_6_2_14_user_user_check + + - name: "AUTOMATED | 6.2.14 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist" + debug: + msg: "Good News! 
There are no duplicate GIDs in the system" + when: ubtu20cis_6_2_14_user_user_check.stdout | length == 0 + + - name: "AUTOMATED | 6.2.14 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" + debug: + msg: "Warning: The following groups have duplicate GIDs: {{ ubtu20cis_6_2_14_user_user_check.stdout_lines }}" + when: ubtu20cis_6_2_14_user_user_check.stdout | length > 0 + when: + - ubtu20cis_rule_6_2_14 + tags: + - level1-server + - level1-workstation + - automated + - audit + - rule_6.2.14 + - groups + +- name: "AUTOMATED | 6.2.15 | AUDIT | Ensure no duplicate user names exist" + block: + - name: "AUTOMATED | 6.2.15 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names" + shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd" + changed_when: no + failed_when: no + check_mode: false + register: ubtu20cis_6_2_15_user_username_check + + - name: "AUTOMATED | 6.2.15 | AUDIT | Ensure no duplicate user names exist | Print message that no duplicate user names exist" + debug: + msg: "Good News! 
There are no duplicate user names in the system" + when: ubtu20cis_6_2_15_user_username_check.stdout | length == 0 + + - name: "AUTOMATED | 6.2.15 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" + debug: + msg: "Warning: The following user names are duplicates: {{ ubtu20cis_6_2_15_user_username_check.stdout_lines }}" + when: ubtu20cis_6_2_15_user_username_check.stdout | length > 0 + when: + - ubtu20cis_rule_6_2_15 + tags: + - level1-server + - level1-workstation + - automated + - audit + - rule_6.2.15 + - user + +- name: "AUTOMATED | 6.2.16 | AUDIT | Ensure no duplicate group names exist" + block: + - name: "AUTOMATED | 6.2.16 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names" + shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d' + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_6_2_16_group_group_check + + - name: "AUTOMATED | 6.2.16 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist" + debug: + msg: "Good News! 
There are no duplicate group names in the system" + when: ubtu20cis_6_2_16_group_group_check.stdout | length == 0 + + - name: "AUTOMATED | 6.2.16 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" + debug: + msg: "Warning: The following group names are duplicates: {{ ubtu20cis_6_2_16_group_group_check.stdout_lines }}" + when: ubtu20cis_6_2_16_group_group_check.stdout | length > 0 + when: + - ubtu20cis_rule_6_2_16 + tags: + - level1-server + - level1-workstation + - automated + - audit + - rule_6.2.16 + - groups + +- name: "AUTOMATED | 6.2.17 | AUDIT | Ensure shadow group is empty" + block: + - name: "AUTOMATED | 6.2.17 | AUDIT | Ensure shadow group is empty | Get Shadow GID" + shell: grep ^shadow /etc/group | cut -f3 -d":" + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_6_2_17_shadow_gid + + - name: "AUTOMATED | 6.2.17 | AUDIT | Ensure shadow group is empty | List of users with Shadow GID" + shell: awk -F":" '($4 == "{{ ubtu20cis_6_2_17_shadow_gid.stdout }}") { print }' /etc/passwd | cut -f1 -d":" + changed_when: false + failed_when: false + check_mode: false + register: ubtu20cis_6_2_17_users_shadow_gid + + - name: "AUTOMATED | 6.2.17 | AUDIT | Ensure shadow group is empty | Message on no users" + debug: + msg: "Good News! There are no users with the Shado GID on your system" + when: ubtu20cis_6_2_17_users_shadow_gid.stdout | length == 0 + + - name: "AUTOMATED | 6.2.17 | AUDIT | Ensure shadow group is empty | Message on users with Shadow GID" + debug: + msg: + - "WARNING!!!! 
There are users that are in the Shadow group" + - "To conform to CIS standards no users should be in this group" + - "Please move the users below into another group" + - "{{ ubtu20cis_6_2_17_users_shadow_gid.stdout_lines }}" + when: ubtu20cis_6_2_17_users_shadow_gid.stdout | length > 0 + when: + - ubtu20cis_rule_6_2_17 + tags: + - level1-server + - level1-workstation + - automated + - audit + - rule_6.2.17 + - groups + - user diff --git a/tasks/section_6/main.yml b/tasks/section_6/main.yml new file mode 100644 index 00000000..6849f497 --- /dev/null +++ b/tasks/section_6/main.yml @@ -0,0 +1,6 @@ +--- +- name: "SECTION | 6.1 | System File Permissions" + include: cis_6.1.x.yml + +- name: "SECTION | 6.2 | User and Group Settings" + include: cis_6.2.x.yml \ No newline at end of file From c952126e5bfac9fb162e2660af1860cb13efb7cb Mon Sep 17 00:00:00 2001 From: George Nalen Date: Fri, 7 May 2021 09:43:11 -0400 Subject: [PATCH 43/44] removed old layout files Signed-off-by: George Nalen --- tasks/old_section1.yml | 1052 ---------------------------------- tasks/old_section2.yml | 567 ------------------- tasks/old_section3.yml | 1218 ---------------------------------------- tasks/old_section4.yml | 692 ----------------------- tasks/old_section5.yml | 1138 ------------------------------------- tasks/old_section6.yml | 921 ------------------------------ 6 files changed, 5588 deletions(-) delete mode 100644 tasks/old_section1.yml delete mode 100644 tasks/old_section2.yml delete mode 100644 tasks/old_section3.yml delete mode 100644 tasks/old_section4.yml delete mode 100644 tasks/old_section5.yml delete mode 100644 tasks/old_section6.yml diff --git a/tasks/old_section1.yml b/tasks/old_section1.yml deleted file mode 100644 index 13388fee..00000000 --- a/tasks/old_section1.yml +++ /dev/null 
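Review bot: In 6.2.11 the awk program `'($3 == 0 && $1 != \"root\") ...'` is inside single quotes, so awk receives the literal backslashes; a backslash outside a string is a syntax error in POSIX awk, and with `failed_when: false` that error is hidden, stdout is empty, and neither the lock step nor either alert runs — the UID 0 check silently passes on every host. Drop the escapes: `shell: awk -F":" '($3 == 0 && $1 != "root") { print $1 }' /etc/passwd` (a plain YAML scalar may contain double quotes mid-value, as `-F":"` on the same line already does). Two more defects in this file: 6.2.16 runs `getent passwd` while claiming to check duplicate group names and should use `getent group | cut -d: -f1 | sort | uniq -d`, and 6.2.1 is the only information-gathering command here without `check_mode: false`, so in check mode its `stdout` is undefined and the following debug task errors — exactly the failure mode this series set out to remove. Minor: the 6.2.11 alert text still references `ubtu18cis_disruption_high`; the variable in this role is `ubtu20cis_disruption_high`.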
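Review bot: section_6/main.yml uses the deprecated `include:` action for both sub-files; since the file names are static, `import_tasks: cis_6.1.x.yml` and `import_tasks: cis_6.2.x.yml` match the `import_tasks` this same commit uses in tasks/main.yml, avoid the deprecation warning, and apply the per-rule `tags`/`when` statically. The file also lacks a trailing newline.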
@@ -1,1052 +0,0 @@ ---- -- name: "AUTOMATED | 1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled" - block: - - name: "AUTOMATED | 1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Edit modprobe config" - lineinfile: - dest: /etc/modprobe.d/cramfs.conf - regexp: "^(#)?install cramfs(\\s|$)" - line: install cramfs /bin/true - create: yes - - - name: "AUTOMATED | 1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs" - modprobe: - name: cramfs - state: absent - when: ansible_connection != 'docker' - when: - - ubtu20cis_rule_1_1_1_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.1.1.1 - - cramfs - -- name: "AUTOMATED | 1.1.1.2 | PATCH | Ensure mounting of freevxfs filesystems is disabled" - block: - - name: "AUTOMATED | 1.1.1.2 | PATCH | Ensure mounting of freevxfs filesystems is disabled | Edit modprobe config" - lineinfile: - dest: /etc/modprobe.d/freevxfs.conf - regexp: "^(#)?install freevxfs(\\s|$)" - line: install freevxfs /bin/true - create: yes - - - name: "AUTOMATED | 1.1.1.2 | PATCH | Ensure mounting of freevxfs filesystems is disabled | Disable freevxfs" - modprobe: - name: freevxfs - state: absent - when: ansible_connection != 'docker' - when: - - ubtu20cis_rule_1_1_1_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.1.1.2 - - freevxfs - -- name: "AUTOMATED | 1.1.1.3 | PATCH | Ensure mounting of jffs2 filesystems is disabled" - block: - - name: "AUTOMATED | 1.1.1.3 | PATCH | Ensure mounting of jffs2 filesystems is disabled | Edit modprobe config" - lineinfile: - dest: /etc/modprobe.d/jffs2.conf - regexp: "^(#)?install jffs2(\\s|$)" - line: install jffs2 /bin/true - create: yes - - - name: "AUTOMATED | 1.1.1.3 | PATCH | Ensure mounting of jffs2 filesystems is disabled | Disable jffs2" - modprobe: - name: jffs2 - state: absent - when: ansible_connection != 'docker' - when: - - ubtu20cis_rule_1_1_1_3 - tags: - - 
level1-server - - level1-workstation - - automated - - patch - - rule_1.1.1.3 - - jffs2 - -- name: "AUTOMATED | 1.1.1.4 | PATCH | Ensure mounting of hfs filesystems is disabled" - block: - - name: "AUTOMATED | 1.1.1.4 | PATCH | Ensure mounting of hfs filesystems is disabled | Edit modprobe config" - lineinfile: - dest: /etc/modprobe.d/hfs.conf - regexp: "^(#)?install hfs(\\s|$)" - line: install hfs /bin/true - create: yes - - - name: "AUTOMATED | 1.1.1.4 | PATCH | Ensure mounting of hfs filesystems is disabled | Disable hfs" - modprobe: - name: hfs - state: absent - when: ansible_connection != 'docker' - when: - - ubtu20cis_rule_1_1_1_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.1.1.4 - - hfs - -- name: "AUTOMATED | 1.1.1.5 | PATCH | Ensure mounting of hfsplus filesystems is disabled" - block: - - name: "AUTOMATED | 1.1.1.5 | PATCH | Ensure mounting of hfsplus filesystems is disabled | Edit modprobe config" - lineinfile: - dest: /etc/modprobe.d/hfsplus.conf - regexp: "^(#)?install hfsplus(\\s|$)" - line: install hfsplus /bin/true - create: yes - - - name: "AUTOMATED | 1.1.1.5 | PATCH | Ensure mounting of hfsplus filesystems is disabled | Disable hfsplus" - modprobe: - name: hfsplus - state: absent - when: ansible_connection != 'docker' - when: - - ubtu20cis_rule_1_1_1_5 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.1.1.5 - - hfsplus - -- name: "MANUAL | 1.1.1.6 | PATCH | Ensure mounting of squashfs filesystems is disabled" - block: - - name: "MANUAL | 1.1.1.6 | PATCH | Ensure mounting of squashfs filesystems is disabled | Edit modprobe config" - lineinfile: - dest: /etc/modprobe.d/squashfs.conf - regexp: "^(#)?install squashfs(\\s|$)" - line: install squashfs /bin/true - create: yes - - - name: "MANUAL | 1.1.1.6 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs" - modprobe: - name: squashfs - state: absent - when: ansible_connection != 'docker' - when: - - 
ubtu20cis_rule_1_1_1_6 - tags: - - level2-server - - level2-workstation - - manual - - patch - - rule_1.1.1.6 - - squashfs - -- name: "AUTOMATED | 1.1.1.7 | PATCH | Ensure mounting of udf filesystems is disabled" - block: - - name: "AUTOMATED | 1.1.1.7 | PATCH | Ensure mounting of udf filesystems is disabled | Edit modprobe config" - lineinfile: - dest: /etc/modprobe.d/udf.conf - regexp: "^(#)?install udf(\\s|$)" - line: install udf /bin/true - create: yes - - - name: "AUTOMATED | 1.1.1.7 | PATCH | Ensure mounting of udf filesystems is disabled | Disable udf" - modprobe: - name: udf - state: absent - when: ansible_connection != 'docker' - when: - - ubtu20cis_rule_1_1_1_7 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.1.1.7 - - udf - -- name: "AUTOMATED | 1.1.2 | PATCH | Ensure /tmp is configured" - mount: - path: /tmp - src: /tmp - state: mounted - fstype: tmpfs - opts: "{{ ubtu20cis_tmp_fstab_options }}" - when: - - ubtu20cis_rule_1_1_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.1.2 - - tmp - -- name: | - "AUTOMATED | 1.1.3 | PATCH | Ensure nodev option set on /tmp partition" - "AUTOMATED | 1.1.4 | PATCH | Ensure nosuid option set on /tmp partition" - "AUTOMATED | 1.1.5 | PATCH | Ensure noexec option set on /tmp partition" - mount: - name: /tmp - src: /tmp - state: remounted - fstype: tmpfs - opts: "{{ ubtu20cis_tmp_fstab_options }}" - when: - - ubtu20cis_rule_1_1_3 or - ubtu20cis_rule_1_1_4 or - ubtu20cis_rule_1_1_5 - # - ubtu20cis_vartmp['enabled'] - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.1.3 - - rule_1.1.4 - - rule_1.1.5 - - tmp - -- name: "AUTOMATED | 1.1.6 | PATCH | Ensure /dev/shm is configured" - mount: - name: /dev/shm - src: /dev/shm - state: mounted - fstype: tmpfs - opts: "{{ ubtu20cis_dev_shm_fstab_options }}" - when: - - ubtu20cis_rule_1_1_6 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.1.6 - - 
dev_shm - -- name: | - "AUTOMATED | 1.1.7 | PATCH | Ensure nodev option set on /dev/shm partition" - "AUTOMATED | 1.1.8 | PATCH | Ensure nosuid option set on /dev/shm partition" - "AUTOMATED | 1.1.9 | PATCH | Ensure noexec option set on /dev/shm partition" - mount: - name: /dev/shm - src: /dev/shm - state: remounted - fstype: tmpfs - opts: "{{ ubtu20cis_dev_shm_fstab_options }}" - when: - - ubtu20cis_rule_1_1_7 or - ubtu20cis_rule_1_1_8 or - ubtu20cis_rule_1_1_9 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.1.7 - - rule_1.1.8 - - rule_1.1.9 - - dev_shm - -- name: "AUTOMATED | 1.1.10 | AUDIT | Ensure separate partition exists for /var" - block: - - name: "AUTOMATED | 1.1.10 | AUDIT | Ensure separate partition exists for /var | Gather /var partition" - shell: mount | grep "on /var " - changed_when: false - failed_when: false - check_mode: false - args: - warn: false - register: ubtu20cis_1_1_10_var_mounted - - - name: "AUTOMATED | 1.1.10 | AUDIT | Ensure separate partition exists for /var | Alert if /var partition does not exist" - debug: - msg: - - "ALERT!!!! There is no separate partition for /var" - - "Please create a separate partition for /var" - when: ubtu20cis_1_1_10_var_mounted.stdout | length == 0 - when: - - ubtu20cis_rule_1_1_10 - tags: - - level2-server - - level2-workstation - - automated - - audit - - rule_1.1.10 - - var - -- name: "AUTOMATED | 1.1.11 | AUDIT | Ensure separate partition exists for /var/tmp" - block: - - name: "AUTOMATED | 1.1.11 | AUDIT | Ensure separate partition exists for /var/tmp | Gather /var/tmp partition" - shell: mount | grep "on /var/tmp " - changed_when: false - failed_when: false - check_mode: false - args: - warn: false - register: ubtu20cis_1_1_11_var_tmp_mounted - - - name: "AUTOMATED | 1.1.11 | AUDIT | Ensure separate partition exists for /var/tmp | Alert if /var/tmp partition does not exist" - debug: - msg: - - "ALERT!!!! 
There is no separate partition for /var/tmp" - - "Please create a separate partition for /var/tmp" - when: ubtu20cis_1_1_11_var_tmp_mounted.stdout | length == 0 - when: - - ubtu20cis_rule_1_1_11 - tags: - - level2-server - - level2-workstation - - automated - - audit - - rule_1.1.11 - - var/tmp - -- name: | - "AUTOMATED | 1.1.12 | PATCH | Ensure /var/tmp partition includes the nodev option" - "AUTOMATED | 1.1.13 | PATCH | Ensure /var/tmp partition includes the nosuid option" - "AUTOMATED | 1.1.14 | PATCH | Ensure /var/tmp partition includes the noexec option" - mount: - name: /var/tmp - src: "{{ ubtu20cis_vartmp['source'] }}" - state: present - fstype: "{{ ubtu20cis_vartmp['fstype'] }}" - opts: "{{ ubtu20cis_vartmp['opts'] }}" - when: - - ubtu20cis_rule_1_1_12 or - ubtu20cis_rule_1_1_13 or - ubtu20cis_rule_1_1_14 - - ubtu20cis_vartmp['enabled'] - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.1.12 - - rule_1.1.13 - - rule_1.1.14 - - var/tmp - -- name: "AUTOMATED | 1.1.15 | AUDIT | Ensure separate partition exists for /var/log" - block: - - name: "AUTOMATED | 1.1.15 | AUDIT | Ensure separate partition exists for /var/log | Gather /var/log partition" - shell: mount | grep "on /var/log " - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_1_1_15_var_log_mounted - args: - warn: false - - - name: "AUTOMATED | 1.1.15 | AUDIT | Ensure separate partition exists for /var/log | Alert if /var/log partition does not exist" - debug: - msg: - - "ALERT!!!! 
There is no separate partition for /var/log" - - "Please create a separate partition for /var/log" - when: ubtu20cis_1_1_15_var_log_mounted.stdout | length == 0 - when: - - ubtu20cis_rule_1_1_15 - tags: - - level2-server - - level2-workstation - - automated - - audit - - rule_1.1.15 - - var/log - -- name: "AUTOMATED | 1.1.16 | AUDIT | Ensure separate partition exists for /var/log/audit" - block: - - name: "AUTOMATED | 1.1.16 | AUDIT | Ensure separate partition exists for /var/log/audit | Gather /var/log/audit" - shell: mount | grep "on /var/log/audit " - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_1_1_16_var_log_audit_mounted - args: - warn: false - - - name: "AUTOMATED | 1.1.16 | AUDIT | Ensure separate partition exists for /var/log/audit | Alert if /var/log/audit partition does not exist" - debug: - msg: - - "ALERT!!!! There is no separate partition for /var/log/audit" - - "Please create a separate partition for /var/log/audit" - when: ubtu20cis_1_1_16_var_log_audit_mounted.stdout | length == 0 - when: - - ubtu20cis_rule_1_1_16 - tags: - - level2-server - - level2-workstation - - automated - - audit - - var/log/audit - -- name: "AUTOMATED | 1.1.17 | AUDIT | Ensure separate partition exists for /home" - block: - - name: "AUTOMATED | 1.1.17 | AUDIT | Ensure separate partition exists for /home | Gather /home" - shell: mount | grep "on /home" - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_1_1_17_home_mounted - args: - warn: false - - - name: "AUTOMATED | 1.1.17 | AUDIT | Ensure separate partition exists for /home | Alert if /home partition does not exist" - debug: - msg: - - "ALERT!!!! 
There is no separate partition for /home" - - "Please create a separate partition for /home" - when: ubtu20cis_1_1_17_home_mounted.stdout | length == 0 - when: - - ubtu20cis_rule_1_1_17 - tags: - - level2-server - - level2-workstation - - automated - - audit - - /home - -- name: "AUTOMATED | 1.1.18 | PATCH | Ensure /home partition includes the nodev option" - mount: - name: "/home" - src: "{{ item.device }}" - state: mounted - fstype: "{{ item.fstype }}" - opts: "nodev" - with_items: "{{ ansible_mounts }}" - when: - - ubtu20cis_rule_1_1_18 - - item.mount == "/home" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.1.18 - - /home - -- name: "MANUAL | 1.1.19 | AUDIT | Ensure nodev option set on removable media partitions" - debug: - msg: "Warning!!!! Not relevant control" - when: - - ubtu20cis_rule_1_1_19 - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_1.1.19 - - removable_media - -- name: "MANUAL | 1.1.20 | AUDIT | Ensure nosuid option set on removable media partitions" - debug: - msg: "Warning!!!! Not relevant control" - when: - - ubtu20cis_rule_1_1_20 - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_1.1.20 - - removable_media - -- name: "MANUAL | 1.1.21 | AUDIT | Ensure noexec option set on removable media partitions" - debug: - msg: "Warning!!!! Not relevant control" - when: - - ubtu20cis_rule_1_1_21 - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_1.1.21 - - removable_media - -- name: "AUTOMATED | 1.1.22 | PATCH | Ensure sticky bit is set on all world-writable directories" - shell: df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! 
-perm -1000 \) 2>/dev/null | xargs -I '{}' chmod a+t '{}' - failed_when: ubtu20cis_1_1_22_status.rc>0 - check_mode: false - register: ubtu20cis_1_1_22_status - when: - - ubtu20cis_rule_1_1_22 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.1.22 - - sticky_bit - -- name: "AUTOMATED | 1.1.23 | PATCH | Disable Automounting" - service: - name: autofs - state: stopped - enabled: no - when: - - ubtu20cis_rule_1_1_23 - - ubtu20cis_autofs_service_status.stdout == "loaded" - - not ubtu20cis_allow_autofs - tags: - - level1-server - - level2-workstation - - automated - - patch - - rule_1.1.23 - - automounting - -- name: "AUTOMATED | 1.1.24 | PATCH | Disable USB Storage" - block: - - name: "AUTOMATED | 1.1.24 | PATCH | Disable USB Storage | Set modprobe config" - lineinfile: - path: /etc/modprobe.d/usb_storage.conf - regexp: '^install usb-storage' - line: 'install usb-storage /bin/true' - create: yes - - - name: "AUTOMATED | 1.1.24 | PATCH | Disable USB Storage | Remove usb-storage module" - modprobe: - name: usb-storage - state: absent - when: ansible_connection != 'docker' - when: - - ubtu20cis_rule_1_1_24 - - not ubtu20cis_allow_usb_storage - tags: - - level1-server - - level2-workstation - - automated - - patch - - rule_1.1.24 - - usb_storage - -- name: "MANUAL | 1.2.1 | AUDIT | Ensure package manager repositories are configured" - block: - - name: "MANUAL 1.2.1 | AUDIT | Ensure package manager repositories are configured | Get repositories" - command: apt-cache policy - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_1_2_1_apt_policy - - - name: "MANUAL 1.2.1 | AUDIT | Ensure package manager repositories are configured | Message out repository configs" - debug: - msg: - - "Alert!!!! 
Below are the apt package repositories" - - "Please review to make sure they conform to your sites policies" - - "{{ ubtu20cis_1_2_1_apt_policy.stdout_lines }}" - when: - - ubtu20cis_rule_1_2_1 - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_1.2.1 - - apt - -- name: "MANUAL | 1.2.2 | AUDIT | Ensure GPG keys are configured" - block: - - name: "MANUAL | 1.2.2 | AUDIT | Ensure GPG keys are configured | Get apt gpg keys" - command: apt-key list - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_1_2_2_apt_gpgkeys - - - name: "MANUAL | 1.2.2 | AUDIT | Ensure GPG keys are configured | Message out apt gpg keys" - debug: - msg: - - "Alert!!!! Below are the apt gpg kyes configured" - - "Please review to make sure they are configured" - - "in accordance with site policy" - - "{{ ubtu20cis_1_2_2_apt_gpgkeys.stdout_lines }}" - when: - - ubtu20cis_rule_1_2_2 - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_1.2.2 - - gpg - - keys - -- name: "AUTOMATED | 1.3.1 | PATCH | Ensure AIDE is installed" - apt: - name: ['aide', 'aide-common'] - state: present - when: - - ubtu20cis_rule_1_3_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.3.1 - - aide - -- name: "AUTOMATED | 1.3.2 | PATCH | Ensure filesystem integrity is regularly checked" - cron: - name: Run AIDE integrity check - cron_file: "{{ ubtu20cis_aide_cron['cron_file'] }}" - user: "{{ ubtu20cis_aide_cron['cron_user'] }}" - minute: "{{ ubtu20cis_aide_cron['aide_minute'] | default('0') }}" - hour: "{{ ubtu20cis_aide_cron['aide_hour'] | default('5') }}" - day: "{{ ubtu20cis_aide_cron['aide_day'] | default('*') }}" - month: "{{ ubtu20cis_aide_cron['aide_month'] | default('*') }}" - weekday: "{{ ubtu20cis_aide_cron['aide_weekday'] | default('*') }}" - job: "{{ ubtu20cis_aide_cron['aide_job'] }}" - when: - - ubtu20cis_rule_1_3_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - 
rule_1.3.2 - - cron - -- name: "AUTOMATED | 1.4.1 | PATCH | Ensure permissions on bootloader config are not overridden" - block: - - name: "AUTOMATED | 1.4.1 | PATCH | Ensure permissions on bootloader config are not overridden | Change chmod setting" - replace: - path: /usr/sbin/grub-mkconfig - regexp: 'chmod\s\d\d\d\s\${grub_cfg}.new' - replace: 'chmod 400 ${grub_cfg}.new' - - - name: "AUTOMATED | 1.4.1 | PATCH | Ensure permissions on bootloader config are not overridden | Remove check on password" - lineinfile: - path: /usr/sbin/grub-mkconfig - regexp: 'if \[ \"x\$\{grub_cfg\}\" != "x" \] && ! grep "\^password" \${grub_cfg}.new' - line: if [ "x${grub_cfg}" != "x" ]; then - when: - - ubtu20cis_rule_1_4_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.4.1 - - grub - -# --------------- -# --------------- -# The RHEL7 based control uses a custom module, grub_crypt -# I need to research best way to set grub pw for Ubuntu using the -# grub-mkpasswd-pbkdf2 command and passing the data at the same time. 
-# --------------- -# --------------- -- name: "AUTOMATED | 1.4.2 | PATCH | Ensure bootloader password is set" - command: /bin/true - changed_when: false - failed_when: false - check_mode: false - when: - - ubtu20cis_rule_1_4_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.4.2 - - grub - - notimplemented - -- name: "AUTOMATED | 1.4.3 | PATCH | Ensure permissions on bootloader config are configured" - block: - - name: "AUTOMATED | 1.4.3 | AUDIT | Ensure permissions on bootloader config are configured | Check for Grub file" - stat: - path: /boot/grub/grub.cfg - check_mode: false - register: ubtu20cis_1_4_3_grub_cfg_status - - - name: "AUTOMATED | 1.4.3 | PATCH | Ensure permissions on bootloader config are configured | Set permissions" - file: - path: /boot/grub/grub.cfg - owner: root - group: root - mode: 0400 - when: - - ubtu20cis_1_4_3_grub_cfg_status.stat.exists - when: - - ubtu20cis_rule_1_4_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.4.3 - - grub - -- name: "AUTOMATED | 1.4.4 | PATCH | Ensure authentication required for single user mode" - user: - name: root - password: "{{ ubtu20cis_root_pw }}" - when: - - ubtu20cis_rule_1_4_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.4.4 - - passwd - -- name: "MANUAL | 1.5.1 | AUDIT | Ensure XD/NX support is enabled" - block: - - name: "MANUAL | 1.5.1 | AUDIT | Ensure XD/NX support is enabled | Find status of XD/NX" - shell: "journalctl | grep 'protection: active'" - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_1_5_1_xdnx_status - - - name: "MANUAL | 1.5.1 | AUDIT | Ensure XD/NX support is enabled | Alert if XD/NX is not enabled" - debug: - msg: - - "ALERT!!!!You do not have XD/NX (Execute Disable/No Execute) enabled" - - "To conform to CIS standards this needs to be enabled" - when: "'active'not in ubtu20cis_1_5_1_xdnx_status.stdout" - when: - - ubtu20cis_rule_1_5_1 - 
tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_1.5.1 - - xd/nx - -- name: "AUTOMATED | 1.5.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled" - block: - - name: "AUTOMATED | 1.5.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set ASLR settings" - lineinfile: - path: /etc/sysctl.conf - regexp: '^kernel.randomize_va_space' - line: 'kernel.randomize_va_space = 2' - - - name: "AUTOMATED | 1.5.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set active kernel parameter" - sysctl: - name: kernel.randomize_va_space - value: '2' - when: - - ubtu20cis_rule_1_5_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.5.2 - - aslr - -- name: "AUTOMATED | 1.5.3 | PATCH | Ensure prelink is not installed" - block: - - name: "AUTOMATED | 1.5.3 | PATCH | Ensure prelink is not installed | Restore binaries to normal" - command: prelink -ua - changed_when: false - failed_when: false - - - name: "AUTOMATED | 1.5.3 | PATCH | Ensure prelink is not installed| Remove prelink package" - apt: - name: prelink - state: absent - when: - - ubtu20cis_rule_1_5_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.5.3 - - prelink - -- name: "AUTOMATED | 1.5.4 | PATCH | Ensure core dumps are restricted" - sysctl: - name: fs.suid_dumpable - value: '0' - state: present - reload: yes - sysctl_set: yes - ignoreerrors: yes - when: - - ubtu20cis_rule_1_5_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.5.4 - - coredump - -- name: "AUTOMATED | 1.6.1.1 | PATCH | Ensure AppArmor is installed" - apt: - name: ['apparmor', 'apparmor-utils'] - state: present - when: - - ubtu20cis_rule_1_6_1_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.6.1.1 - - apparmor - -- name: "AUTOMATED | 1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration" - block: - - name: 
"AUTOMATED | 1.6.1.2 | AUDIT | Ensure AppArmor is enabled in the bootloader configuration | Get current settings" - shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_1_6_1_2_cmdline_settings - - - name: "AUTOMATED | 1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist" - lineinfile: - path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX' - line: 'GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor {{ ubtu20cis_1_6_1_2_cmdline_settings.stdout }}"' - insertafter: '^GRUB_' - when: - - "'apparmor' not in ubtu20cis_1_6_1_2_cmdline_settings.stdout" - - "'security' not in ubtu20cis_1_6_1_2_cmdline_settings.stdout" - notify: grub update - - - name: "AUTOMATED | 1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist | Replace apparmor settings when exists" - replace: - path: /etc/default/grub - regexp: "{{ item.regexp }}" - replace: "{{ item.replace }}" - with_items: - - { regexp: 'apparmor=\S+', replace: 'apparmor=1' } - - { regexp: 'security=\S+', replace: 'security=apparmor' } - when: - - "'apparmor' in ubtu20cis_1_6_1_2_cmdline_settings.stdout" - - "'security' in ubtu20cis_1_6_1_2_cmdline_settings.stdout" - notify: grub update - when: - - ubtu20cis_rule_1_6_1_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.6.1.2 - - apparmor - -- name: "AUTOMATED | 1.6.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode" - command: aa-enforce /etc/apparmor.d/* - failed_when: false - when: - - ubtu20cis_rule_1_6_1_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.6.1.3 - - apparmor - -- name: "AUTOMATED | 1.6.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing" - command: aa-enforce /etc/apparmor.d/* - failed_when: false - when: - - ubtu20cis_rule_1_6_1_4 - tags: - - 
level2-server - - level2-workstation - - automated - - scored - - patch - - rule_1.6.1.4 - - apparmor - - -- name: "AUTOMATED | 1.7.1 | PATCH | Ensure message of the day is configured properly" - template: - src: etc/motd.j2 - dest: /etc/motd - when: - - ubtu20cis_rule_1_7_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.7.1 - - motd - -- name: "AUTOMATED | 1.7.2 | PATCH | Ensure local login warning banner is configured properly" - template: - src: etc/issue.j2 - dest: /etc/issue - when: - - ubtu20cis_rule_1_7_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.7.2 - - banner - -- name: "AUTOMATED | 1.7.3 | PATCH | Ensure remote login warning banner is configured properly" - template: - src: etc/issue.net.j2 - dest: /etc/issue.net - when: - - ubtu20cis_rule_1_7_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.7.3 - - banner - -- name: "AUTOMATED | 1.7.4 | PATCH | Ensure permissions on /etc/motd are configured" - file: - path: /etc/motd - owner: root - group: root - mode: 0644 - when: - - ubtu20cis_rule_1_7_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.7.4 - - permissions - - motd - -- name: "AUTOMATED | 1.7.5 | PATCH | Ensure permissions on /etc/issue are configured" - file: - path: /etc/issue - owner: root - group: root - mode: 0644 - when: - - ubtu20cis_rule_1_7_5 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.7.5 - - permissions - - banner - -- name: "AUTOMATED | 1.7.6 | PATCH | Ensure permissions on /etc/issue.net are configured" - file: - path: /etc/issue.net - owner: root - group: root - mode: 0644 - when: - - ubtu20cis_rule_1_7_6 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.7.6 - - permissions - - banner - -- name: "MANUAL | 1.8.1 | PATCH | Ensure GNOME Display Manager is removed" - apt: - name: gdm3 - state: absent - when: - - 
ubtu20cis_rule_1_8_1 - - not ubtu20cis_desktop_required - - ubtu20cis_disruption_high - tags: - - level2-server - - manual - - patch - - rule_1.8.1 - - gnome - -- name: "AUTOMATED | 1.8.2 | PATCH | Ensure GDM login banner is configured" - lineinfile: - path: /etc/gdm3/greeter.dconf-defaults - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: "{{ item.insertafter }}" - create: yes - owner: root - group: root - mode: 0644 - notify: reload gdm - with_items: - - { regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]', insertafter: EOF } - - { regexp: 'banner-message-enable', line: 'banner-message-enable=true', insertafter: '\[org\/gnome\/login-screen\]'} - - { regexp: 'banner-message-text', line: 'banner-message-text={{ ubtu20cis_warning_banner }}', insertafter: 'banner-message-enable' } - when: - - ubtu20cis_rule_1_8_2 - - ubtu20cis_desktop_required - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.8.2 - - gnome - -- name: "AUTOMATED | 1.8.3 | PATCH | Ensure disable-user-list is enabled" - lineinfile: - path: /etc/gdm3/greeter.dconf-defaul - regexp: '^disable-user-list=' - line: 'disable-user-list=true' - insertafter: 'banner-message-text=' - create: yes - owner: root - group: root - mode: 0644 - notify: reload gdm - when: - - ubtu20cis_rule_1_8_3 - - ubtu20cis_desktop_required - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.8.3 - - gdm3 - -- name: "AUTOMATED | 1.8.4 | PATCH | Ensure XDCMP is not enabled" - lineinfile: - path: /etc/gdm3/custom.conf - regexp: '^Enable.*=.*true' - state: absent - when: - - ubtu20cis_rule_1_8_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.8.4 - - xdcmp - -- name: "MANUAL | 1.9 | PATCH | Ensure updates, patches, and additional security software are installed" - apt: - name: "*" - state: latest - when: - - ubtu20cis_rule_1_9 - tags: - - level1-server - - level1-workstation - - manual - - patch - 
- rule_1.9 - - patching diff --git a/tasks/old_section2.yml b/tasks/old_section2.yml deleted file mode 100644 index 46764ab0..00000000 --- a/tasks/old_section2.yml +++ /dev/null 
@@ -1,567 +0,0 @@ ---- -- name: "AUTOMATED | 2.1.1.1 | PATCH | Ensure time synchronization is in use" - apt: - name: "{{ ubtu20cis_time_sync_tool }}" - state: present - when: - - ubtu20cis_rule_2_1_1_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.1.1.1 - - chrony - -- name: "AUTOMATED | 2.1.1.2 | PATCH | Ensure systemd-timesyncd is configured" - block: - - name: "AUTOMATED | 2.1.1.2 | PATCH | Ensure systemd-timesyncd is configured | Remove ntp and chrony" - apt: - name: ['ntp', 'chrony'] - state: absent - - - name: "AUTOMATED | 2.1.1.2 | PATCH | Ensure systemd-timesyncd is configured | Set configuration for systemd-timesyncd" - lineinfile: - path: /etc/systemd/timesyncd.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: "{{ item.insertafter }}" - with_items: - - { regexp: '^\[Time\]', line: '[Time]', insertafter: EOF } - - { regexp: '^#NTP|^NTP', line: 'NTP={{ ubtu20cis_ntp_server_list }}', insertafter: '\[Time\]' } - - { regexp: '^#FallbackNTP|^FallbackNTP', line: 'FallbackNTP={{ ubtu20cis_ntp_fallback_server_list }}', insertafter: '\[Time\]' } - - { regexp: '^#RootDistanceMaxSec|^RootDistanceMaxSec', line: 'RootDistanceMaxSec=1', insertafter: '\[Time\]'} - - - name: "AUTOMATED | 2.1.1.2 | PATCH | Ensure systemd-timesyncd is configured | Start and enable the systemd-timesyncd service" - systemd: - name: systemd-timesyncd.service - state: started - enabled: yes - masked: no - - - name: "AUTOMATED | 2.1.1.2 | PATCH | Ensure systemd-timesyncd is configured | Set timedatectl to ntp" - command: timedatectl set-ntp true - when: - - ubtu20cis_rule_2_1_1_2 - - ubtu20cis_time_sync_tool == "systemd-timesyncd" - tags: - - level1-server - - level1-workstation - - automated - - manual - - patch - - rule_2.1.1.2 - - systemd-timesyncd - -- name: "AUTOMATED | 2.1.1.3 | PATCH | Ensure chrony is configured" - block: - - name: "AUTOMATED | 2.1.1.3 | PATCH | Ensure chrony is configured | Remove ntp" - apt: - name: ntp - 
state: absent - - - name: "AUTOMATED | 2.1.1.3 | PATCH | Ensure chrony is configured | Disable/Mask systemd-timesyncd" - systemd: - name: systemd-timesyncd - state: stopped - enabled: no - masked: yes - - - name: "AUTOMATED | 2.1.1.3 | AUDIT | Ensure chrony is configured | Check for chrony user" - shell: grep {{ ubtu20cis_chrony_user }} /etc/passwd - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_2_1_1_3_chrony_user_status - - - name: "AUTOMATED | 2.1.1.3 | PATCH | Ensure chrony is configured | Set chrony.conf file" - template: - src: chrony.conf.j2 - dest: /etc/chrony/chrony.conf - owner: root - group: root - mode: 0644 - - - name: "AUTOMATED | 2.1.1.3 | PATCH | Ensure chrony is configured | Create chrony user" - user: - name: "{{ ubtu20cis_chrony_user }}" - shell: /usr/sbin/nologin - system: true - when: ubtu20cis_2_1_1_3_chrony_user_status.stdout | length > 0 - - - name: "AUTOMATED | 2.2.1.3 | PATCH | Ensure chrony is configured | Set option to use chrony user" - lineinfile: - path: /etc/default/chrony - regexp: '^DAEMON_OPTS' - line: 'DAEMON_OPTS="-u _chrony"' - when: - - ubtu20cis_rule_2_1_1_3 - - ubtu20cis_time_sync_tool == "chrony" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.1.1.3 - - chrony - -- name: "AUTOMATED | 2.1.1.4 | PATCH | Ensure ntp is configured" - block: - - name: "AUTOMATED | 2.1.1.4 | PATCH | Ensure ntp is configured | Remove chrony" - apt: - name: chrony - state: absent - - - name: "AUTOMATED | 2.1.1.4 | PATCH | Ensure ntp is configured | Disable/Mask systemd-timesyncd" - systemd: - name: systemd-timesyncd - state: stopped - enabled: no - masked: yes - - - name: "AUTOMATED | 2.1.1.4 | PATCH | Ensure ntp is configured | Set ntp.conf settings" - template: - src: ntp.conf.j2 - dest: /etc/ntp.conf - owner: root - group: root - mode: 0644 - - - name: "AUTOMATED | 2.1.1.4 | PATCH | Ensure ntp is configured | Modify sysconfig/ntpd" - lineinfile: - path: /etc/sysconfig/ntpd - 
regexp: "{{ item.regexp }}" - line: "{{ item. line }}" - create: yes - with_items: - - { regexp: '^OPTIONS', line: 'OPTIONS="-u ntp:ntp"'} - - { regexp: '^NTPD_OPTIONS', line: 'NTPD_OPTIONS="-u ntp:ntp"' } - - - name: "AUTOMATED | 2.1.1.4 | PATCH | Ensure ntp is configured | Modify /etc/init.d/npt" - lineinfile: - path: /etc/init.d/ntp - regexp: '^RUNAUSER' - line: 'RUNAUSER=npt' - when: - - ubtu20cis_rule_2_1_1_4 - - ubtu20cis_time_sync_tool == "ntp" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.1.1.4 - - ntp - -- name: "AUTOMATED | 2.1.2 | PATCH | Ensure X Window System is not installed" - apt: - name: xserver-xorg* - state: absent - when: - - ubtu20cis_rule_2_1_2 - - not ubtu20cis_desktop_required - tags: - - level1-server - - automated - - patch - - rule_2.1.2 - - xwindows - -- name: "AUTOMATED | 2.1.3 | PATCH | Ensure Avahi Server is not installed" - block: - - name: "AUTOMATED | 2.1.3 | PATCH | Ensure Avahi Server is not installed | Stop/Disable avahi-daemon.service" - service: - name: avahi-daemon.service - state: stopped - enabled: no - when: avahi_service_status.stdout == "loaded" - - - name: "AUTOMATED | 2.1.3 | PATCH | Ensure Avahi Server is not installed | Stop/Disable avahi-daemon.socket" - service: - name: avahi-daemon.socket - state: stopped - enabled: no - when: avahi_service_status.stdout == "loaded" - - - name: "AUTOMATED | 2.1.3 | PATCH | Ensure Avahi Server is not installed | Remove avahi-daemon" - apt: - name: avahi-daemon - state: absent - when: - - ubtu20cis_rule_2_1_3 - - not ubtu20cis_avahi_server - - ubtu20cis_disruption_high - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.1.3 - - avahi - - services - -- name: "AUTOMATED | 2.1.4 | PATCH | Ensure CUPS is not installed" - apt: - name: cups - state: absent - when: - - ubtu20cis_rule_2_1_4 - - not ubtu20cis_cups_server - tags: - - level1-server - - level2-workstation - - automated - - patch - - rule_2.1.4 - - cups - - 
services - -- name: "AUTOMATED | 2.1.5 | PATCH | Ensure DHCP Server is not installed" - apt: - name: isc-dhcp-server - state: absent - when: - - ubtu20cis_rule_2_1_5 - - not ubtu20cis_dhcp_server - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.1.5 - - dhcp - - services - -- name: "AUTOMATED | 2.1.6 | PATCH | Ensure LDAP server is not installed" - apt: - name: slapd - state: absent - when: - - ubtu20cis_rule_2_1_6 - - not ubtu20cis_ldap_server - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.1.6 - - ldap - - services - -- name: "AUTOMATED | 2.1.7 | PATCH | Ensure NFS is not installed" - apt: - name: nfs-kernel-server - state: absent - when: - - ubtu20cis_rule_2_1_7 - - not ubtu20cis_nfs_server - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.1.7 - - nfs - - rpc - - services - -- name: "AUTOMATED | 2.1.8 | PATCH | Ensure DNS Server is not installed" - apt: - name: bind9 - state: absent - when: - - ubtu20cis_rule_2_1_8 - - not ubtu20cis_dns_server - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.1.8 - - dns - - service - -- name: "AUTOMATED | 2.1.9 | PATCH | Ensure FTP Server is not installed" - apt: - name: vsftpd - state: absent - when: - - ubtu20cis_rule_2_1_9 - - not ubtu20cis_vsftpd_server - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.1.9 - - ftp - - service - -- name: "AUTOMATED | 2.1.10 | PATCH | Ensure HTTP server is not installed" - apt: - name: apache2 - state: absent - when: - - ubtu20cis_rule_2_1_10 - - not ubtu20cis_httpd_server - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.1.10 - - httpd - - service - -- name: "AUTOMATED | 2.1.11 | PATCH | Ensure IMAP and POP3 server are not installed" - apt: - name: ['dovecot-imapd', 'dovecot-pop3d'] - state: absent - when: - - ubtu20cis_rule_2_1_11 - - not ubtu20cis_dovecot_server - tags: - - level1-server 
- - level1-workstation - - automated - - patch - - rule_2.1.11 - - dovecot - - service - -- name: "AUTOMATED | 2.1.12 | PATCH | Ensure Samba is not installed" - apt: - name: samba - state: absent - when: - - ubtu20cis_rule_2_1_12 - - not ubtu20cis_smb_server - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.1.12 - - samba - - service - -- name: "AUTOMATED | 2.1.13 | PATCH | Ensure HTTP Proxy Server is not installed" - apt: - name: squid - state: absent - when: - - ubtu20cis_rule_2_1_13 - - not ubtu20cis_squid_server - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.1.13 - - http_proxy - - service - -- name: "AUTOMATED | 2.1.14 | PATCH | Ensure SNMP Server is not installed" - apt: - name: snmpd - state: absent - when: - - ubtu20cis_rule_2_1_14 - - not ubtu20cis_snmp_server - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.1.14 - - snmp - - service - -- name: "AUTOMATED | 2.1.15 | PATCH | Ensure mail transfer agent is configured for local-only mode" - block: - - name: "AUTOMATED | 2.1.15 | PATCH | Ensure mail transfer agent is configured for local-only mode | Make changes if exim4 installed" - lineinfile: - path: /etc/exim4/update-exim4.conf.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^dc_eximconfig_configtype', line: "dc_eximconfig_configtype='local'" } - - { regexp: '^dc_local_interfaces', line: "dc_local_interfaces='127.0.0.1 ; ::1'" } - - { regexp: '^dc_readhost', line: "dc_readhost=''" } - - { regexp: '^dc_relay_domains', line: "dc_relay_domains=''" } - - { regexp: '^dc_minimaldns', line: "dc_minimaldns='false'" } - - { regexp: '^dc_relay_nets', line: "dc_relay_nets=''" } - - { regexp: '^dc_smarthost', line: "dc_smarthost=''" } - - { regexp: '^dc_use_split_config', line: "dc_use_split_config='false'" } - - { regexp: '^dc_hide_mailname', line: "dc_hide_mailname=''" } - - { regexp: '^dc_mailname_in_oh', line: 
"dc_mailname_in_oh='true'" } - - { regexp: '^dc_localdelivery', line: "dc_localdelivery='mail_spool'" } - notify: restart exim4 - when: ubtu20_cis_mail_transfer_agent == "exim4" - - - name: "AUTOMATED | 2.1.15 | PATCH | Ensure mail transfer agent is configured for local-only mode | Make changes if postfix is installed" - lineinfile: - path: /etc/postfix/main.cf - regexp: '^(#)?inet_interfaces' - line: 'inet_interfaces = loopback-only' - notify: restart postfix - when: ubtu20_cis_mail_transfer_agent == "postfix" - - - name: "AUTOMATED | 2.1.15 | PATCH | Ensure mail transfer agent is configured for local-only mode | Message out other main agents" - debug: - msg: - - "Warning!! You are not using either exim4 or postfix" - - "Please review your vendors documentation to configure local-only mode" - when: ubtu20_cis_mail_transfer_agent == "other" - when: - - ubtu20cis_rule_2_1_15 - tags: - - level1-server - - level1-workstation - - automated - - scored - - patch - - rule_2.1.15 - - postfix - -- name: "AUTOMATED | 2.1.16 | PATCH | Ensure rsync service is not installed" - apt: - name: rsync - state: absent - when: - - ubtu20cis_rule_2_1_16 - - not ubtu20cis_rsync_server - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.1.16 - - rsync - -- name: "AUTOMATED | 2.1.17 | PATCH | Ensure NIS Server is not installed" - apt: - name: nis - state: absent - when: - - ubtu20cis_rule_2_1_17 - - not ubtu20cis_nis_server - tags: - - level1-server - - level1-workstation - - automated - - rule_2.1.17 - - nis - - service - -- name: "2.2.1 | PATCH | Ensure NIS Client is not installed" - apt: - name: nis - state: absent - when: - - ubtu20cis_rule_2_2_1 - - not ubtu20cis_nis_required - tags: - - level1-server - - level1-workstation - - rule_2.2.1 - - nis - -- name: "AUTOMATED | 2.2.2 | PATCH | Ensure rsh client is not installed" - apt: - name: rsh-client - state: absent - when: - - ubtu20cis_rule_2_2_2 - - not ubtu20cis_rsh_required - tags: - - level1-server - 
- level1-workstation - - automated - - patch - - rule_2.2.2 - - rsh - -- name: "AUTOMATED | 2.2.3 | PATCH | Ensure talk client is not installed" - apt: - name: talk - state: absent - when: - - ubtu20cis_rule_2_2_3 - - not ubtu20cis_talk_required - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.2.3 - - talk - -- name: "AUTOMATED | 2.2.4 | PATCH | Ensure telnet client is not installed" - apt: - name: telnet - state: absent - when: - - ubtu20cis_rule_2_2_4 - - not ubtu20cis_telnet_required - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.2.4 - - telnet - -- name: "AUTOMATED | 2.2.5 | PATCH | Ensure LDAP client is not installed" - apt: - name: ldap-utils - state: absent - when: - - ubtu20cis_rule_2_2_5 - - not ubtu20cis_ldap_clients_required - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.2.5 - - ldap - -- name: "AUTOMATED | 2.2.6 | PATCH | Ensure RPC is not installed" - apt: - name: rpcbind - state: absent - when: - - ubtu20cis_rule_2_2_6 - - not ubtu20cis_rpc_required - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.2.6 - - rpbc - -- name: "MANUAL | 2.3 | AUDIT | Ensure nonessential services are removed or masked" - block: - - name: "MANUAL | 2.3 | AUDIT | Ensure nonessential services are removed or masked | Check for services" - shell: lsof -i -P -n | grep -v "(ESTABLISHED)" - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_2_3_services - - - name: "MANUAL | 2.3 | AUDIT | Ensure nonessential services are removed or masked | Message out running services" - debug: - msg: - - "Warning!! Below are the running services. Please review and remove as well as mask un-needed services" - - "{{ ubtu20cis_2_3_services.stdout_lines }}" - when: - - ubtu20cis_rule_2_3 - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_2.3 - - services 
diff --git a/tasks/old_section3.yml b/tasks/old_section3.yml
deleted file mode 100644
index 8f514320..00000000
--- a/tasks/old_section3.yml
+++ /dev/null
@@ -1,1218 +0,0 @@ ---- -- name: "MANUAL | 3.1.1 | PATCH | Disable IPv6" - block: - - name: "MANUAL | 3.1.1 | AUDIT | Disable IPv6 | Get current GRUB_CMDLINE_LINUX settings" - shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_3_1_1_grub_cmdline_linux_settings - - - name: "MANUAL | 3.1.1 | PATCH | Disable IPv6 | Add ipv6.disable if does not exist" - lineinfile: - path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX' - line: 'GRUB_CMDLINE_LINUX="{{ ubtu20cis_3_1_1_grub_cmdline_linux_settings.stdout }} ipv6.disable=1"' - when: "'ipv6.disable' not in ubtu20cis_3_1_1_grub_cmdline_linux_settings.stdout" - notify: grub update - - - name: "MANUAL | 3.1.1 | PATCH | Disable IPv6 | Set ipv6.disable to 1 if exists" - replace: - path: /etc/default/grub - regexp: 'ipv6\.disable=.' - replace: 'ipv6.disable=1' - when: "'ipv6.disable' in ubtu20cis_3_1_1_grub_cmdline_linux_settings.stdout" - notify: grub update - - - name: "MANUAL | 3.1.1 | PATCH | Disable IPv6 | Remove net.ipv6.conf.all.disable_ipv6" - lineinfile: - path: /etc/sysctl.conf - regexp: '^net.ipv6.conf.all.disable_ipv6.*' - state: absent - when: - - ubtu20cis_rule_3_1_1 - - not ubtu20cis_ipv6_required - tags: - - level2-server - - level2-workstation - - manual - - patch - - rule_3.1.1 - - ipv6 - -- name: "AUTOMATED | 3.1.2 | PATCH | Ensure wireless interfaces are disabled" - block: - - name: "AUTOMATED | 3.1.2 | PATCH | Ensure wireless interfaces are disabled | Check for network-manager tool" - shell: dpkg -l | grep network-manager - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_3_1_2_network_manager_status - - - name: "AUTOMATED | 3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wireless if network-manager installed" - command: nmcli radio all off - changed_when: ubtu20cis_3_1_2_nmcli_radio_off.rc == 0 - register: ubtu20cis_3_1_2_nmcli_radio_off - when: 
ubtu20cis_3_1_2_network_manager_status.stdout | length > 0 - - - name: "AUTOMATED | 3.1.2 | PATCH | Ensure wireless interfaces are disabled | Warn about wireless if network-manager not installed" - debug: - msg: "ALERT!!!! You need to disable wireless interfaces manually since network-manager is not installed" - when: ubtu20cis_3_1_2_network_manager_status.stdout | length == 0 - when: - - ubtu20cis_rule_3_1_2 - tags: - - level1-server - - level2-workstation - - automated - - patch - - rule_3.1.2 - - wireless - -- name: "AUTOMATED | 3.2.1 | PATCH | Ensure packet redirect sending is disabled" - sysctl: - name: "{{ item }}" - value: '0' - sysctl_set: yes - state: present - reload: yes - ignoreerrors: yes - with_items: - - net.ipv4.conf.all.send_redirects - - net.ipv4.conf.default.send_redirects - notify: sysctl flush ipv4 route table - when: - - ubtu20cis_rule_3_2_1 - - not ubtu20cis_is_router - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.2.1 - - packet_redirect - - sysctl - -- name: "AUTOMATED | 3.2.2 | PATCH | Ensure IP forwarding is disabled" - block: - - name: "AUTOMATED | 3.2.2 | PATCH | Ensure IP forwarding is disabled | IPv4 settings" - sysctl: - name: net.ipv4.ip_forward - value: '0' - sysctl_set: yes - state: present - reload: yes - ignoreerrors: yes - notify: - - sysctl flush ipv4 route table - - - name: "AUTOMATED | 3.2.2 | PATCH | Ensure IP forwarding is disabled | IPv6 settings" - sysctl: - name: net.ipv6.conf.all.forwarding - value: '0' - sysctl_set: yes - state: present - reload: yes - ignoreerrors: yes - notify: - - sysctl flush ipv6 route table - when: ubtu20cis_ipv6_required - when: - - ubtu20cis_rule_3_2_2 - - not ubtu20cis_is_router - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.2.2 - - ip_forwarding - - sysctl - -- name: "AUTOMATED | 3.3.1 | PATCH | Ensure source routed packets are not accepted" - block: - - name: "AUTOMATED | 3.3.1 | PATCH | Ensure source routed packets 
are not accepted | IPv4 settings" - sysctl: - name: "{{ item }}" - value: '0' - sysctl_set: yes - state: present - reload: yes - ignoreerrors: yes - with_items: - - net.ipv4.conf.all.accept_source_route - - net.ipv4.conf.default.accept_source_route - notify: sysctl flush ipv4 route table - - - name: "AUTOMATED | 3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6 settings" - sysctl: - name: "{{ item }}" - value: '0' - sysctl_set: yes - state: present - reload: yes - ignoreerrors: yes - with_items: - - net.ipv6.conf.all.accept_source_route - - net.ipv6.conf.default.accept_source_route - notify: sysctl flush ipv6 route table - when: ubtu20cis_ipv6_required - when: - - ubtu20cis_rule_3_3_1 - - not ubtu20cis_is_router - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.3.1 - - routed_packets - - sysctl - -- name: "AUTOMATED | 3.3.2 | PATCH | Ensure ICMP redirects are not accepted" - block: - - name: "AUTOMATED | 3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4 settings" - sysctl: - name: "{{ item }}" - value: '0' - sysctl_set: yes - state: present - reload: yes - ignoreerrors: yes - with_items: - - net.ipv4.conf.all.accept_redirects - - net.ipv4.conf.default.accept_redirects - notify: sysctl flush ipv4 route table - - - name: "AUTOMATED | 3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6 settings" - sysctl: - name: "{{ item }}" - value: '0' - sysctl_set: yes - state: present - reload: yes - ignoreerrors: yes - with_items: - - net.ipv6.conf.all.accept_redirects - - net.ipv6.conf.default.accept_redirects - notify: sysctl flush ipv6 route table - when: ubtu20cis_ipv6_required - when: - - ubtu20cis_rule_3_3_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.3.2 - - icmp - - sysctl - -- name: "AUTOMATED | 3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted" - sysctl: - name: "{{ item }}" - value: '0' - sysctl_set: yes - state: present - reload: yes - 
ignoreerrors: yes - with_items: - - net.ipv4.conf.all.secure_redirects - - net.ipv4.conf.default.secure_redirects - notify: sysctl flush ipv4 route table - when: - - ubtu20cis_rule_3_3_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.3.3 - - icmp - - sysctl - -- name: "AUTOMATED | 3.3.4 | PATCH | Ensure suspicious packets are logged" - sysctl: - name: "{{ item }}" - value: '1' - sysctl_set: yes - state: present - reload: yes - ignoreerrors: yes - with_items: - - net.ipv4.conf.all.log_martians - - net.ipv4.conf.default.log_martians - notify: sysctl flush ipv4 route table - when: - - ubtu20cis_rule_3_3_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.3.4 - - suspicious_packets - - sysctl - -- name: "AUTOMATED | 3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored" - sysctl: - name: net.ipv4.icmp_echo_ignore_broadcasts - value: '1' - sysctl_set: yes - state: present - reload: yes - ignoreerrors: yes - notify: sysctl flush ipv4 route table - when: - - ubtu20cis_rule_3_3_5 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.3.5 - - icmp - - sysctl - -- name: "AUTOMATED | 3.3.6 | PATCH | Ensure bogus ICMP responses are ignored" - sysctl: - name: net.ipv4.icmp_ignore_bogus_error_responses - value: '1' - sysctl_set: yes - state: present - reload: yes - ignoreerrors: yes - notify: sysctl flush ipv4 route table - when: - - ubtu20cis_rule_3_3_6 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.3.6 - - icmp - - sysctl - -- name: "AUTOMATED | 3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" - sysctl: - name: "{{ item }}" - value: '1' - sysctl_set: yes - state: present - reload: yes - ignoreerrors: yes - with_items: - - net.ipv4.conf.all.rp_filter - - net.ipv4.conf.default.rp_filter - notify: sysctl flush ipv4 route table - when: - - ubtu20cis_rule_3_3_7 - tags: - - level1-server - - level1-workstation - - automated - - patch 
- - rule_3.3.7 - - reverse_path_filtering - - sysctl - -- name: "AUTOMATED | 3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled" - sysctl: - name: net.ipv4.tcp_syncookies - value: '1' - sysctl_set: yes - state: present - reload: yes - ignoreerrors: yes - notify: sysctl flush ipv4 route table - when: - - ubtu20cis_rule_3_3_8 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.3.8 - - tcp_syn_cookies - - sysctl - -- name: "AUTOMATED | 3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" - sysctl: - name: "{{ item }}" - value: '0' - sysctl_set: yes - state: present - reload: yes - ignoreerrors: yes - with_items: - - net.ipv6.conf.all.accept_ra - - net.ipv6.conf.default.accept_ra - notify: sysctl flush ipv6 route table - when: - - ubtu20cis_rule_3_3_9 - - ubtu20cis_ipv6_required - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.3.9 - - ipv6 - - router_advertisements - - sysctl - -- name: "AUTOMATED | 3.4.1 | PATCH | Ensure DCCP is disabled" - lineinfile: - path: /etc/modprobe.d/dccp.conf - regexp: '^(#)?install dccp(\\s|$)' - line: 'install dccp /bin/true' - create: yes - when: - - ubtu20cis_rule_3_4_1 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_3.4.1 - - dccp - -- name: "AUTOMATED | 3.4.2 | PATCH | Ensure SCTP is disabled" - lineinfile: - path: /etc/modprobe.d/sctp.conf - regexp: "^(#)?install sctp(\\s|$)" - line: 'install sctp /bin/true' - create: yes - when: - - ubtu20cis_rule_3_4_2 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_3.4.2 - - sctp - -- name: "AUTOMATED | 3.4.3 | PATCH | Ensure RDS is disabled" - lineinfile: - path: /etc/modprobe.d/rds.conf - regexp: '^(#)?install rds(\\s|$)' - line: 'install rds /bin/true' - create: yes - when: - - ubtu20cis_rule_3_4_3 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_3.4.3 - - rds - -- name: "AUTOMATED | 3.4.4 | PATCH | Ensure TIPC is 
disabled" - lineinfile: - path: /etc/modprobe.d/tipc.conf - regexp: '^(#)?install tipc(\\s|$)' - line: install tipc /bin/true - create: yes - when: - - ubtu20cis_rule_3_4_4 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_3.4.4 - - tipc - -- name: "AUTOMATED | 3.5.1.1 | PATCH | Ensure ufw is installed" - apt: - name: ufw - state: present - when: - - ubtu20cis_rule_3_5_1_1 - - ubtu20cis_firewall_package == "ufw" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.1.1 - - apt - - ufw - -- name: "AUTOMATED | 3.5.1.2 | PATCH | Ensure iptables-persistent is not installed with ufw" - apt: - name: iptables-persistent - state: absent - when: - - ubtu20cis_rule_3_5_1_2 - - ubtu20cis_firewall_package == "ufw" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.1.2 - - ufw - -# Adding the allow OpenSSH rule while enabling ufw to allow ansible to run after enabling -- name: "AUTOMATED | 3.5.1.3 | PATCH | Ensure ufw service is enabled" - ufw: - rule: allow - name: OpenSSH - state: enabled - when: - - ubtu20cis_rule_3_5_2_1 - - ubtu20cis_firewall_package == "ufw" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.1.3 - - ufw - -- name: "AUTOMATED | 3.5.1.4 | PATCH | Ensure loopback traffic is configured" - block: - - name: "AUTOMATED | 3.5.1.4 | PATCH | Ensure loopback traffic is configured | Set allow in ufw rules" - ufw: - rule: allow - direction: in - interface: lo - notify: reload ufw - - - name: "AUTOMATED | 3.5.1.4 | PATCH | Ensure loopback traffic is configured | Set allow out ufw rules" - ufw: - rule: allow - direction: out - interface: lo - notify: reload ufw - - - name: "AUTOMATED | 3.5.1.4 | PATCH | Ensure loopback traffic is configured | Set deny ufw rules IPv4" - ufw: - rule: deny - direction: in - from_ip: 127.0.0.0/8 - notify: reload ufw - - - name: "AUTOMATED | 3.5.1.4 | PATCH | Ensure loopback traffic is configured | Set deny 
ufw rules IPv6" - ufw: - rule: deny - direction: in - from_ip: "::1" - notify: reload ufw - when: ubtu20cis_ipv6_required - when: - - ubtu20cis_rule_3_5_1_4 - - ubtu20cis_firewall_package == "ufw" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.1.4 - - ufw - -- name: "MANUAL | 3.5.1.5 | PATCH | Ensure ufw outbound connections are configured" - block: - - name: "MANUAL | 3.5.1.5 | PATCH | Ensure ufw outbound connections are configured | Custom ports" - ufw: - rule: allow - direction: out - to_port: '{{ item }}' - with_items: - - "{{ ubtu20cis_ufw_allow_out_ports }}" - notify: reload ufw - when: ubtu20cis_ufw_allow_out_ports != "all" - - - name: "MANUAL | 3.5.1.5 | PATCH | Ensure ufw outbound connections are configured | Allow all" - ufw: - rule: allow - direction: out - to_port: all - notify: reload ufw - when: "'all' in ubtu20cis_ufw_allow_out_ports" - when: - - ubtu20cis_rule_3_5_1_5 - - ubtu20cis_firewall_package == "ufw" - tags: - - level1-server - - level1-workstation - - manual - - patch - - rule_3.5.1.5 - - ufw - -- name: "MANUAL | 3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports" - block: - - name: "MANUAL | 3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Get list of open ports" - command: ss -4tuln - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_3_5_1_6_open_listen_ports - - - name: "MANUAL | 3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Get list of firewall rules" - command: ufw status - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_3_5_1_6_firewall_rules - - - name: "MANUAL | 3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Message out settings" - debug: - msg: - - "ALERT!!!!Below are the listening ports and firewall rules" - - "Please create firewall rule for any open ports if not already done" - - "*****---Open Listen Ports---*****" - - "{{ 
ubtu20cis_3_5_1_6_open_listen_ports.stdout_lines }}" - - "*****---Firewall Rules---*****" - - "{{ ubtu20cis_3_5_1_6_firewall_rules.stdout_lines }}" - when: - - ubtu20cis_rule_3_5_1_6 - - ubtu20cis_firewall_package == "ufw" - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_3.5.1.6 - - ufw - -- name: "AUTOMATED | 3.5.1.7 | PATCH | Ensure ufw default deny firewall policy" - ufw: - default: deny - direction: "{{ item }}" - notify: reload ufw - with_items: - - incoming - - outgoing - - routed - when: - - ubtu20cis_rule_3_5_1_7 - - ubtu20cis_firewall_package == "ufw" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.1.7 - - ufw - -# --------------- -# --------------- -# NFTables is unsupported with this role. However I have the actions commented out as a guide -# --------------- -# --------------- -- name: "AUTOMATED | 3.5.2.1 | AUDIT | Ensure nftables is installed" - debug: - msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" - # apt: - # name: nftables - # state: present - when: - - ubtu20cis_rule_3_5_2_1 - - ubtu20cis_firewall_package == "nftables" - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_3.5.2.1 - - nftables - -- name: "AUTOMATED | 3.5.2.2 | AUDIT | Ensure ufw is uninstalled or disabled with nftables" - debug: - msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" - # apt: - # name: ufw - # state: absent - when: - - ubtu20cis_rule_3_5_2_2 - - ubtu20cis_firewall_package == "nftables" - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_3.5.2.2 - - nftables - -- name: "MANUAL | 3.5.2.3 | AUDIT | Ensure iptables are flushed with nftables" - debug: - msg: "Warning!! NFTables is not supported in this role. 
Please use UFW, iptables, or manually manage nftables" - # iptables: - # flush: yes - when: - - ubtu20cis_rule_3_5_2_3 - - ubtu20cis_firewall_package == "nftables" - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_3.5.2.3 - - nftables - -- name: "AUTOMATED | 3.5.2.4 | AUDIT | Ensure a nftables table exists" - debug: - msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" - # command: "nft create table {{ ubtu20cis_nftables_table_name }}" - # changed_when: ubtu20cis_3_5_2_4_new_table.rc == 0 - # failed_when: false - # check_mode: false - # register: ubtu20cis_3_5_2_4_new_table - when: - - ubtu20cis_rule_3_5_2_4 - - ubtu20cis_firewall_package == "nftables" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.2.4 - - nftables - -- name: "AUTOMATED | 3.5.2.5 | AUDIT | Ensure nftables base chains exist" - debug: - msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" - # block: - # - name: "AUTOMATED | 3.5.2.5 | PATCH | Ensure nftables base chains exist | Input entry" - # shell: 'nft create chain {{ ubtu20cis_nftables_table_name }} input { type filter hook input priority 0 \; }' - # changed_when: ubtu20cis_3_5_2_5_base_chains_input.rc == 0 - # failed_when: false - # register: ubtu20cis_3_5_2_5_base_chains_input - - # - name: "AUTOMATED | 3.5.2.5 | PATCH | Ensure nftables base chains exist | Forward entry" - # shell: 'nft create chain {{ ubtu20cis_nftables_table_name }} forward { type filter hook forward priority 0 \; }' - # changed_when: ubtu20cis_3_5_2_5_base_chains_forward.rc == 0 - # failed_when: false - # register: ubtu20cis_3_5_2_5_base_chains_forward - - # - name: "AUTOMATED | 3.5.2.5 | PATCH | Ensure nftables base chains exist | Output entry" - # shell: 'nft create chain {{ ubtu20cis_nftables_table_name }} output { type filter hook output priority 0 \; }' - # changed_when: 
ubtu20cis_3_5_2_5_base_chains_output.rc == 0 - # failed_when: false - # register: ubtu20cis_3_5_2_5_base_chains_output - when: - - ubtu20cis_rule_3_5_2_5 - - ubtu20cis_firewall_package == "nftables" - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_3.5.2.5 - - nftables - -- name: "AUTOMATED | 3.5.2.6 | AUDIT | Ensure nftables loopback traffic is configured" - debug: - msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" - # block: - # - name: "AUTOMATED | 3.5.2.6 | AUDIT | Ensure nftables loopback traffic is configured | Get input iif lo accept status" - # shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' - # changed_when: false - # failed_when: false - # check_mode: false - # register: ubtu20cis_3_5_2_6_loopback_iif_status - - # - name: "AUTOMATED | 3.5.2.6 | AUDIT | Ensure nftables loopback traffic is configured | Get input iif lo accept status" - # shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' - # changed_when: false - # failed_when: false - # check_mode: false - # register: ubtu20cis_3_5_2_6_loopback_input_drop_status - - # - name: "AUTOMATED | 3.5.2.6 | AUDIT | Ensure nftables loopback traffic is configured | Get input iif lo accept status" - # shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' - # changed_when: false - # failed_when: false - # check_mode: false - # register: ubtu20cis_3_5_2_6_loopback_ipv6_drop_status - - # - name: "AUTOMATED | 3.5.2.6 | PATCH | Ensure nftables loopback traffic is configured | Loopback iif lo accept" - # command: 'nft add rule inet {{ ubtu20cis_nftables_table_name }} input iif lo accept' - # changed_when: ubtu20cis_3_5_2_6_loopback_iif.rc == 0 - # failed_when: false - # register: ubtu20cis_3_5_2_6_loopback_iif - # when: "'iif \"lo\" accept' not in ubtu20cis_3_5_2_6_loopback_iif_status.stdout" - - # - name: "AUTOMATED | 3.5.2.6 | PATCH | Ensure nftables loopback traffic is 
configured | Loopback input drop" - # command: 'nft add rule inet {{ ubtu20cis_nftables_table_name }} input ip saddr 127\.0\.0\.0\/8 counter drop' - # changed_when: ubtu20cis_3_5_2_6_loopback_input_drop.rc == 0 - # failed_when: false - # register: ubtu20cis_3_5_2_6_loopback_input_drop - # when: - # - "'ip saddr 127.0.0.0/8' not in ubtu18cis_3_5_3_4_loopback_input_drop_status.stdout" - # - "'drop' not in ubtu20cis_3_5_2_6_loopback_input_drop_status.stdout" - - # - name: "3AUTOMATED | .5.2.6 | PATCH | Ensure nftables loopback traffic is configured | Loopback ipv6 drop" - # command: 'nft add rule inet {{ ubtu20cis_nftables_table_name }} input ip6 saddr ::1 counter drop' - # changed_when: ubtu20cis_3_5_2_6_loopback_ipv6_drop.rc == 0 - # failed_when: false - # register: ubtu20cis_3_5_2_6_loopback_ipv6_drop - # when: - # - "'ip6 saddr' not in ubtu20cis_3_5_2_6_loopback_ipv6_drop_status.stdout" - # - "'drop' not in ubtu20cis_3_5_2_6_loopback_ipv6_drop_status.stdout" - when: - - ubtu20cis_rule_3_5_2_6 - - ubtu20cis_firewall_package == "nftables" - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_3.5.2.6 - - nftables - -- name: "MANUAL | 3.5.2.7 | AUDIT | Ensure nftables outbound and established connections are configured" - debug: - msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" - when: - - ubtu20cis_rule_3_5_2_7 - - ubtu20cis_firewall_package == "nftables" - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_3.5.2.7 - - nftables - -- name: "AUTOMATED | 3.5.2.8 | AUDIT | Ensure nftables default deny firewall policy" - debug: - msg: "Warning!! NFTables is not supported in this role. 
Please use UFW, iptables, or manually manage nftables" - when: - - ubtu20cis_rule_3_5_2_8 - - ubtu20cis_firewall_package == "nftables" - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_3.5.2.8 - - nftables - -- name: "AUTOMATED | 3.5.2.9 | AUDIT | Ensure nftables service is enabled" - debug: - msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" - # service: - # name: nftables - # state: started - # enabled: yes - when: - - ubtu20cis_rule_3_5_2_8 - - ubtu20cis_firewall_package == "nftables" - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_3.5.2.9 - - nftables - -- name: "AUTOMATED | 3.5.2.10 | AUDIT | Ensure nftables rules are permanent" - debug: - msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" - when: - - ubtu20cis_rule_3_5_2_10 - - ubtu20cis_firewall_package == "nftables" - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_3.5.2.10 - - nftables - -- name: "AUTOMATED | 3.5.3.1.1 | PATCH | Ensure iptables packages are installed" - apt: - name: ['iptables', 'iptables-persistent'] - state: present - when: - - ubtu20cis_rule_3_5_3_1_1 - - ubtu20cis_firewall_package == "iptables" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.3.1.1 - - iptables - -- name: "AUTOMATED | 3.5.3.1.2 | PATCH | Ensure nftables is not installed with iptables" - apt: - name: nftables - state: absent - when: - - ubtu20cis_rule_3_5_3_1_2 - - ubtu20cis_firewall_package == "iptables" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.3.1.2 - - iptables - -- name: "AUTOMATED | 3.5.3.1.3 | PATCH | Ensure ufw is uninstalled or disabled with iptables" - apt: - name: ufw - state: absent - when: - - ubtu20cis_rule_3_5_3_1_3 - - ubtu20cis_firewall_package == "iptables" - tags: - - level1-server - - level1-workstation - 
- automated - - patch - - rule_3.5.3.1.3 - - iptables - -- name: "AUTOMATED | 3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured" - block: - - name: "AUTOMATED | 3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | INPUT loopback ACCEPT" - iptables: - action: append - chain: INPUT - in_interface: lo - jump: ACCEPT - - - name: "AUTOMATED | 3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT" - iptables: - action: append - chain: OUTPUT - out_interface: lo - jump: ACCEPT - - - name: "AUTOMATED | 3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT" - iptables: - action: append - chain: INPUT - source: 127.0.0.0/8 - jump: DROP - when: - - ubtu20cis_rule_3_5_3_2_1 - - ubtu20cis_firewall_package == "iptables" - - ubtu20cis_ipv4_required - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.3.2.1 - - iptables - -- name: "MANUAL | 3.5.3.2.2 | PATCH | Ensure iptables outbound and established connections are configured" - iptables: - action: append - chain: '{{ item.chain }}' - protocol: '{{ item.protocol }}' - match: state - ctstate: '{{ item.ctstate }}' - jump: ACCEPT - with_items: - - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' } - - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' } - - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' } - - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' } - when: - - ubtu20cis_rule_3_5_3_2_2 - - ubtu20cis_firewall_package == "iptables" - - ubtu20cis_ipv4_required - tags: - - level1-server - - level1-workstation - - manual - - patch - - rule_3.5.3.2.2 - - iptables - -- name: "AUTOMATED | 3.5.3.2.3 | PATCH | Ensure iptables default deny firewall policy" - block: - - name: "AUTOMATED | 3.5.3.2.3 | PATCH | Ensure iptables default deny 
firewall policy | Configure SSH to be allowed in" - iptables: - chain: INPUT - protocol: tcp - destination_port: 22 - jump: ACCEPT - ctstate: 'NEW,ESTABLISHED' - - - name: "AUTOMATED | 3.5.3.2.3 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed out" - iptables: - chain: OUTPUT - protocol: tcp - source_port: 22 - jump: ACCEPT - ctstate: 'NEW,ESTABLISHED' - - - name: "AUTOMATED | 3.5.3.2.3 | PATCH | Ensure iptables default deny firewall policy | Enable apt traffic" - iptables: - chain: INPUT - ctstate: 'ESTABLISHED' - jump: ACCEPT - - - name: "AUTOMATED | 3.5.3.2.3 | PATCH | Ensure iptables default deny firewall policy | Set drop items" - iptables: - policy: DROP - chain: "{{ item }}" - with_items: - - INPUT - - FORWARD - - OUTPUT - when: - - ubtu20cis_rule_3_5_3_2_3 - - ubtu20cis_firewall_package == "iptables" - - ubtu20cis_ipv4_required - - not system_is_ec2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.3.2.3 - - iptables - - -- name: "AUTOMATED | 3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports" - block: - - name: "AUTOMATED | 3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of open ports" - command: ss -4tuln - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_3_5_3_2_4_open_ports - - - name: "AUTOMATED | 3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules" - command: iptables -L INPUT -v -n - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_3_5_3_2_4_current_rules - - - name: "AUTOMATED | 3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Alert about settings" - debug: - msg: - - "ALERT!!!!Below is the list the open ports and current rules" - - "Please create a rule for any open port that does not have a current rule" - - "Open Ports:" - - "{{ ubtu20cis_3_5_3_2_4_open_ports.stdout_lines 
}}" - - "Current Rules:" - - "{{ ubtu20cis_3_5_3_2_4_current_rules.stdout_lines }}" - when: - - ubtu20cis_rule_3_5_3_2_4 - - ubtu20cis_firewall_package == "iptables" - - ubtu20cis_ipv4_required - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_3.5.3.2.4 - - iptables - -# --------------- -# --------------- -# This is not a control however using the iptables module only writes to memery -# if a reboot occurs that means changes can revert. This task will make the -# above iptables settings permanent -# --------------- -# --------------- -- name: "Make IPTables persistent | Not a control" - block: - - name: "Make IPTables persistent | Install iptables-persistent" - apt: - name: iptables-persistent - state: present - - - name: "Make IPTables persistent | Save to persistent files" - shell: bash -c "iptables-save > /etc/iptables/rules.v4" - changed_when: ubtu20cis_iptables_save.rc == 0 - failed_when: ubtu20cis_iptables_save.rc > 0 - register: ubtu20cis_iptables_save - when: - - ubtu20cis_firewall_package == "iptables" - - ubtu20cis_save_iptables_cis_rules - - ubtu20cis_rule_3_5_3_2_1 or - ubtu20cis_rule_3_5_3_2_2 or - ubtu20cis_rule_3_5_3_2_3 or - ubtu20cis_rule_3_5_3_2_4 - -- name: "AUTOMATED | 3.5.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured" - block: - - name: "AUTOMATED | 3.5.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback ACCEPT" - iptables: - action: append - chain: INPUT - in_interface: lo - jump: ACCEPT - ip_version: ipv6 - - - name: "AUTOMATED | 3.5.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT loopback ACCEPT" - iptables: - action: append - chain: OUTPUT - out_interface: lo - jump: ACCEPT - ip_version: ipv6 - - - name: "AUTOMATED | 3.5.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback drop" - iptables: - action: append - chain: INPUT - source: ::1 - jump: DROP - ip_version: ipv6 - when: - - ubtu20cis_rule_3_5_3_3_1 - - 
ubtu20cis_firewall_package == "iptables" - - ubtu20cis_ipv6_required - - not ubtu20cis_ipv4_required - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.3.3.1 - - ip6tables - -- name: "MANUAL | 3.5.3.3.2 | PATCH | Ensure ip6tables outbound and established connections are configured" - iptables: - action: append - chain: '{{ item.chain }}' - protocol: '{{ item.protocol }}' - match: state - ctstate: '{{ item.ctstate }}' - jump: ACCEPT - ip_version: ipv6 - with_items: - - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' } - - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' } - - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' } - - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' } - when: - - ubtu20cis_rule_3_5_3_3_2 - - ubtu20cis_firewall_package == "iptables" - - ubtu20cis_ipv6_required - - not ubtu20cis_ipv4_required - tags: - - level1-server - - level1-workstation - - manual - - patch - - rule_3.5.3.3.2 - - ip6tables - -- name: "AUTOMATED | 3.5.3.3.3 | PATCH | Ensure ip6tables default deny firewall policy" - block: - - name: "3.5.3.3.3 | PATCH | Ensure ip6tables default deny firewall policy | Configure SSH to be allowed out" - iptables: - chain: OUTPUT - protocol: tcp - source_port: 22 - jump: ACCEPT - ctstate: 'NEW,ESTABLISHED' - ip_version: ipv6 - - - name: "AUTOMATED | 3.5.3.3.3 | PATCH | Ensure ip6tables default deny firewall policy | Enable apt traffic" - iptables: - chain: INPUT - ctstate: 'ESTABLISHED' - jump: ACCEPT - ip_version: ipv6 - - - name: "AUTOMATED | 3.5.3.3.3 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items" - iptables: - policy: DROP - chain: "{{ item }}" - ip_version: ipv6 - with_items: - - INPUT - - FORWARD - - OUTPUT - when: - - ubtu20cis_rule_3_5_3_3_3 - - ubtu20cis_firewall_package == "iptables" - - ubtu20cis_ipv6_required - - 
not ubtu20cis_ipv4_required - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.3.3.3 - - ip6tables - -- name: "AUTOMATED | 3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports" - block: - - name: "AUTOMATED | 3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of open ports" - command: ss -6tuln - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_3_5_3_3_4_open_ports - - - name: "AUTOMATED | 3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of rules" - command: ip6tables -L INPUT -v -n - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_3_5_3_3_4_current_rules - - - name: "AUTOMATED | 3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Alert about settings" - debug: - msg: - - "ALERT!!!!Below is the list the open ports and current rules" - - "Please create a rule for any open port that does not have a current rule" - - "Open Ports:" - - "{{ ubtu20cis_3_5_3_3_4_open_ports.stdout_lines }}" - - "Current Rules:" - - "{{ ubtu20cis_3_5_3_3_4_current_rules.stdout_lines }}" - when: - - ubtu20cis_rule_3_5_3_3_4 - - ubtu20cis_firewall_package == "iptables" - - ubtu20cis_ipv6_required - - not ubtu20cis_ipv4_required - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_3.5.3.3.4 - - ip6tables - -# --------------- -# --------------- -# This is not a control however using the ip6tables module only writes to memery -# if a reboot occurs that means changes can revert. 
This task will make the
-# above ip6tables settings permanent
-# ---------------
-# ---------------
-- name: "Make IP6Tables persistent | Not a control"
- block:
- - name: "Make IP6Tables persistent | Install iptables-persistent"
- apt:
- name: iptables-persistent
- state: present
-
- - name: "Make IP6Tables persistent | Save to persistent files"
- shell: bash -c "ip6tables-save > /etc/iptables/rules.v6"
- changed_when: ubtu20cis_ip6tables_save.rc == 0
- failed_when: ubtu20cis_ip6tables_save.rc > 0
- register: ubtu20cis_ip6tables_save
- when:
- - ubtu20cis_firewall_package == "iptables"
- - ubtu20cis_ipv6_required
- - not ubtu20cis_ipv4_required
- - ubtu20cis_save_iptables_cis_rules
- - ubtu20cis_rule_3_5_3_3_1 or
- ubtu20cis_rule_3_5_3_3_2 or
- ubtu20cis_rule_3_5_3_3_3 or
- ubtu20cis_rule_3_5_3_3_4
diff --git a/tasks/old_section4.yml b/tasks/old_section4.yml
deleted file mode 100644
index 7b0ee3e8..00000000
--- a/tasks/old_section4.yml
+++ /dev/null
@@ -1,692 +0,0 @@ ---- -- name: "AUTOMATED | 4.1.1.1 | PATCH | Ensure auditd is installed" - apt: - name: ['auditd', 'audispd-plugins'] - state: present - when: - - ubtu20cis_rule_4_1_1_1 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.1.1 - - auditd - -- name: "AUTOMATED | 4.1.1.2 | PATCH | Ensure auditd service is enabled" - service: - name: auditd - state: started - enabled: yes - when: - - ubtu20cis_rule_4_1_1_2 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.1.2 - - auditd - -- name: "AUTOMATED | 4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" - block: - - name: "AUTOMATED | 4.1.1.3 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX" - shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_4_1_1_3_cmdline_settings - - - name: "AUTOMATED | 4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add setting if doesn't exist" - lineinfile: - path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="{{ ubtu20cis_4_1_1_3_cmdline_settings.stdout }} audit=1"' - when: "'audit=' not in ubtu20cis_4_1_1_3_cmdline_settings.stdout" - notify: grub update - - - name: "AUTOMATED | 4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Update setting if exists" - replace: - dest: /etc/default/grub - regexp: 'audit=([0-9]+)' - replace: 'audot=1' - after: '^GRUB_CMDLINE_LINUX="' - before: '"' - notify: grub update - when: "'audit=' in ubtu20cis_4_1_1_3_cmdline_settings.stdout" - when: - - ubtu20cis_rule_4_1_1_3 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4_1_1_3 - - auditd - -- name: "AUTOMATED | 4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient" - block: - - name: "AUTOMATED | 
4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Get current GRUB_CMDLINE_LINUX" - shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_4_1_1_4_cmdline_settings - - - name: "AUTOMATED | 4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Add setting if doesn't exist" - lineinfile: - path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="{{ ubtu20cis_4_1_1_4_cmdline_settings.stdout }} audit_backlog_limit={{ ubtu20cis_audit_back_log_limit }}"' - notify: grub update - when: "'audit_backlog_limit=' not in ubtu20cis_4_1_1_4_cmdline_settings.stdout" - - - name: "AUTOMATED | 4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Update setting if exists" - replace: - dest: /etc/default/grub - regexp: 'audit_backlog_limit=([0-9]+)' - replace: 'audit_backlog_limit={{ ubtu20cis_audit_back_log_limit }}' - after: '^GRUB_CMDLINE_LINUX="' - before: '"' - notify: grub update - when: - - ubtu20cis_rule_4_1_1_4 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.1.4 - - auditd - -- name: "AUTOMATED | 4.1.2.1 | PATCH | Ensure audit log storage size is configured" - lineinfile: - dest: /etc/audit/auditd.conf - regexp: "^max_log_file( |=)" - line: "max_log_file = {{ ubtu20cis_max_log_file_size }}" - state: present - notify: restart auditd - when: - - ubtu20cis_rule_4_1_2_1 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.2.1 - - auditd - -- name: "AUTOMATED | 4.1.2.2 | PATCH | Ensure audit logs are not automatically deleted" - lineinfile: - path: /etc/audit/auditd.conf - regexp: '^max_log_file_action' - line: "max_log_file_action = {{ ubtu20cis_auditd['max_log_file_action'] }}" - notify: restart auditd - when: - - ubtu20cis_rule_4_1_2_2 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.2.2 - - auditd - -- name: "AUTOMATED | 
4.1.2.3 | PATCH | Ensure system is disabled when audit logs are full" - lineinfile: - path: /etc/audit/auditd.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^space_left_action', line: 'space_left_action = email' } - - { regexp: '^action_mail_acct', line: 'action_mail_acct = root' } - - { regexp: '^admin_space_left_action = halt', line: 'admin_space_left_action = halt' } - notify: restart auditd - when: - - ubtu20cis_rule_4_1_2_3 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.2.3 - - auditd - -- name: "AUTOMATED | 4.1.3 | PATCH | Ensure events that modify date and time information are collected" - template: - src: audit/ubtu20cis_4_1_3_timechange.rules.j2 - dest: /etc/audit/rules.d/time-change.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - ubtu20cis_rule_4_1_3 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3 - - auditd - -- name: "AUTOMATED | 4.1.4 | PATCH | Ensure events that modify user/group information are collected" - template: - src: audit/ubtu20cis_4_1_4_identity.rules.j2 - dest: /etc/audit/rules.d/identity.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - ubtu20cis_rule_4_1_4 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.4 - - auditd - -- name: "AUTOMATED | 4.1.5 | PATCH | Ensure events that modify the system's network environment are collected" - template: - src: audit/ubtu20cis_4_1_5_systemlocale.rules.j2 - dest: /etc/audit/rules.d/system-locale.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - ubtu20cis_rule_4_1_5 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.5 - - auditd - -- name: "AUTOMATED | 4.1.6 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" - template: - src: audit/ubtu20cis_4_1_6_macpolicy.rules.j2 - 
dest: /etc/audit/rules.d/MAC-policy.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - ubtu20cis_rule_4_1_6 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.6 - - auditd - -- name: "AUTOMATED | 4.1.7 | PATCH | Ensure login and logout events are collected" - template: - src: audit/ubtu20cis_4_1_7_logins.rules.j2 - dest: /etc/audit/rules.d/logins.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - ubtu20cis_rule_4_1_7 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.7 - - auditd - -- name: "AUTOMATED | 4.1.8 | PATCH | Ensure session initiation information is collected" - template: - src: audit/ubtu20cis_4_1_8_session.rules.j2 - dest: /etc/audit/rules.d/session.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - ubtu20cis_rule_4_1_8 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.8 - - auditd - -- name: "AUTOMATED | 4.1.9 | PATCH | Ensure discretionary access control permission modification events are collected" - template: - src: audit/ubtu20cis_4_1_9_permmod.rules.j2 - dest: /etc/audit/rules.d/perm_mod.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - ubtu20cis_rule_4_1_9 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.9 - - auditd - -- name: "AUTOMATED | 4.1.10 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected" - template: - src: audit/ubtu20cis_4_1_10_access.rules.j2 - dest: /etc/audit/rules.d/access.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - ubtu20cis_rule_4_1_10 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.10 - - auditd - -- name: "AUTOMATED | 4.1.11 | PATCH | Ensure use of privileged commands is collected" - block: - - name: "AUTOMATED | 4.1.11 | AUDIT | Ensure use of 
privileged commands is collected | Get list of privileged programs" - shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done - register: priv_procs - changed_when: no - check_mode: false - - - name: "AUTOMATED | 4.1.11 | PATCH | Ensure use of privileged commands is collected | Set privileged rules" - template: - src: audit/ubtu20cis_4_1_11_privileged.rules.j2 - dest: /etc/audit/rules.d/privileged.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - ubtu20cis_rule_4_1_11 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.11 - - auditd - -- name: "AUTOMATED | 4.1.12 | PATCH | Ensure successful file system mounts are collected" - template: - src: audit/ubtu20cis_4_1_12_audit.rules.j2 - dest: /etc/audit/rules.d/audit.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - ubtu20cis_rule_4_1_12 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.12 - - auditd - -- name: "AUTOMATED | 4.1.13 | PATCH | Ensure file deletion events by users are collected" - template: - src: audit/ubtu20cis_4_1_13_delete.rules.j2 - dest: /etc/audit/rules.d/delete.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - ubtu20cis_rule_4_1_13 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.13 - - auditd - -- name: "AUTOMATED | 4.1.14 | PATCH | Ensure changes to system administration scope (sudoers) is collected" - template: - src: audit/ubtu20cis_4_1_14_scope.rules.j2 - dest: /etc/audit/rules.d/scope.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - ubtu20cis_rule_4_1_14 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.14 - - auditd - -- name: "AUTOMATED | 4.1.15 | PATCH | Ensure system administrator command executions (sudo) are collected" - template: - 
src: audit/ubtu20cis_4_1_15_actions.rules.j2 - dest: /etc/audit/rules.d/actions.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - ubtu20cis_rule_4_1_15 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.15 - - auditd - -- name: "AUTOMATED | 4.1.16 | PATCH | Ensure kernel module loading and unloading is collected" - template: - src: audit/ubtu20cis_4_1_16_modules.rules.j2 - dest: /etc/audit/rules.d/modules.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - ubtu20cis_rule_4_1_16 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.16 - - auditd - -- name: "AUTOMATED | 4.1.17 | PATCH | Ensure the audit configuration is immutable" - template: - src: audit/ubtu20cis_4_1_17_99finalize.rules.j2 - dest: /etc/audit/rules.d/99-finalize.rules - owner: root - group: root - mode: 0600 - notify: restart auditd - when: - - ubtu20cis_rule_4_1_17 - tags: - - level2-server - - level2-workstation - - automated - - scored - - patch - - rule_4.1.17 - - auditd - -- name: "AUTOMATED | 4.2.1.1 | PATCH | Ensure rsyslog is installed" - apt: - name: rsyslog - state: present - when: - - ubtu20cis_rule_4_2_1_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_4.2.1.1 - - rsyslog - - apt - -- name: "AUTOMATED | 4.2.1.2 | PATCH | Ensure rsyslog Service is enabled" - service: - name: rsyslog - enabled: yes - when: - - ubtu20cis_rule_4_2_1_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_4.2.1.2 - - rsyslog - -- name: "MANUAL | 4.2.1.3 | PATCH | Ensure logging is configured" - block: - - name: "MANUAL | 4.2.1.3 | AUDIT | Ensure logging is configured | Find configuration file" - shell: grep -r "*.emerg" /etc/* | cut -f1 -d":" - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_4_2_1_3_rsyslog_config_path - - - name: "MANUAL | 4.2.1.3 | AUDIT | Ensure logging is 
configured | Gather rsyslog current config" - command: "cat {{ ubtu20cis_4_2_1_3_rsyslog_config_path.stdout }}" - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_4_2_1_3_rsyslog_config - - - name: "MANUAL | 4.2.1.3 | AUDIT | Ensure logging is configured | Message out config" - debug: - msg: - - "Alert!!!Below is the current logging configurations for rsyslog, please review" - - "{{ ubtu20cis_4_2_1_3_rsyslog_config.stdout_lines }}" - when: not ubtu20cis_rsyslog_ansible_managed - - - name: "MANUAL | 4.2.1.3 | PATCH | Ensure logging is configured | Automated rsyslog configuration" - lineinfile: - path: "{{ ubtu20cis_4_2_1_3_rsyslog_config_path.stdout }}" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: "{{ item.insertafter }}" - with_items: - - { regexp: '^\*.emerg', line: '*.emerg :omusrmsg:*', insertafter: '^# Emergencies are sent to everybody logged in' } - - { regexp: '^auth,authpriv.\*', line: 'auth,authpriv.* /var/log/auth.log', insertafter: '^# First some standard log files. Log by facility' } - - { regexp: '^mail.\*|^#mail.\*', line: 'mail.* -/var/log/mail', insertafter: '^# First some standard log files' } - - { regexp: '^mail.info|^#mail.info', line: 'mail.info -/var/log/mail.info', insertafter: '^# Logging for the mail system' } - - { regexp: '^mail.warn|^#mail.warn', line: 'mail.warn -/var/log/mail.warn', insertafter: '^# Logging for the mail system.' } - - { regexp: '^mail.err|^#mail.err', line: 'mail.err /var/log/mail.err', insertafter: '^# Logging for the mail system.' 
} - - { regexp: '^news.crit|^#news.crit', line: 'news.crit -/var/log/news/news.crit', insertafter: '^# First some standard log files'} - - { regexp: '^news.err|^#news.err', line: 'news.err -/var/log/news/news.err', insertafter: '^# First some standard log files' } - - { regexp: '^news.notice|^#news.notice', line: 'news.notice -/var/log/news/news.notice', insertafter: '^# First some standard log files' } - - { regexp: '^\*.=warning;\*.=err|^#\*.=warning;\*.=err', line: '*.=warning;*.=err -/var/log/warn', insertafter: '^# First some standard log files' } - - { regexp: '^\*.crit|^#\*.crit', line: '*.crit /var/log/warn', insertafter: '^# First some standard log files' } - - { regexp: '^\*.\*;mail.none;news.none|^#\*.\*;mail.none;news.none', line: '*.*;mail.none;news.none -/var/log/messages', insertafter: '^# First some standard log files' } - - { regexp: '^local0,local1.\*|^#local0,local1.\*', line: 'local0,local1.* -/var/log/localmessages', insertafter: '^# First some standard log files' } - - { regexp: '^local2,local3.\*|^#local2,local3.\*', line: 'local2,local3.* -/var/log/localmessages', insertafter: '^# First some standard log files' } - - { regexp: '^local4,local5.\*|^#local4,local5.\*', line: 'local4,local5.* -/var/log/localmessages', insertafter: '^# First some standard log files' } - - { regexp: '^local6,local7.\*|^#local6,local7.\*', line: 'local6,local7.* -/var/log/localmessages', insertafter: '^# First some standard log files' } - notify: restart rsyslog - when: ubtu20cis_rsyslog_ansible_managed - when: - - ubtu20cis_rule_4_2_1_3 - tags: - - level1-server - - level1-workstation - - manual - - patch - - rule_4.2.1.3 - - rsyslog - -- name: "AUTOMATED | 4.2.1.4 | PATCH | Ensure rsyslog default file permissions configured" - lineinfile: - path: /etc/rsyslog.conf - regexp: '^\$FileCreateMode|^#\$FileCreateMode' - line: '$FileCreateMode 0640' - notify: restart rsyslog - when: - - ubtu20cis_rule_4_2_1_4 - tags: - - level1-server - - level1-workstation - - 
automated - - patch - - rule_4.2.1.4 - - rsyslog - -- name: "AUTOMATED | 4.2.1.5 | PATCH | Ensure rsyslog is configured to send logs to a remote log host" - blockinfile: - path: /etc/rsyslog.conf - block: | - ##Enable sending of logs over TCP add the following line: - *.* @@{{ ubtu20cis_remote_log_server }} - insertafter: EOF - when: - - ubtu20cis_rule_4_2_1_5 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_4.2.1.5 - - rsyslog - -- name: "MANUAL | 4.2.1.6 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts" - block: - - name: "MANUAL | 4.2.1.6 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts | When not a log host" - replace: - path: /etc/rsyslog.conf - regexp: '({{ item }})' - replace: '#\1' - with_items: - - '^(\$ModLoad)' - - '^(\$InputTCPServerRun)' - notify: restart rsyslog - when: not ubtu20cis_system_is_log_server - - - name: "MANUAL | 4.2.1.6 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts | When a log server" - lineinfile: - path: /etc/rsyslog.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^\$ModLoad|^#\$ModLoad', line: '$ModLoad imtcp' } - - { regexp: '^\$InputTCPServerRun|^#\$InputTCPServerRun', line: '$InputTCPServerRun 514' } - notify: restart rsyslog - when: ubtu20cis_system_is_log_server - when: - - ubtu20cis_rule_4_2_1_6 - tags: - - level1-server - - level1-workstation - - manual - - patch - - rule_4.2.1.6 - - rsyslog - -- name: "AUTOMATED | 4.2.2.1 | PATCH | Ensure journald is configured to send logs to rsyslog" - lineinfile: - path: /etc/systemd/journald.conf - regexp: '^ForwardToSyslog|^#ForwardToSyslog' - line: 'ForwardToSyslog=yes' - insertafter: '\[Journal\]' - when: - - ubtu20cis_rule_4_2_2_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_4.2.2.1 - - rsyslog - - journald - -- name: "4.2.2.2 | PATCH | Ensure journald is configured to 
compress large log files" - lineinfile: - path: /etc/systemd/journald.conf - regexp: '^Compress|^#Compress' - line: 'Compress=yes' - insertafter: '\[Journal\]' - when: - - ubtu20cis_rule_4_2_2_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_4.2.2.2 - - rsyslog - - journald - -- name: "AUTOMATED | 4.2.2.3 | PATCH | Ensure journald is configured to write logfiles to persistent disk" - lineinfile: - path: /etc/systemd/journald.conf - regexp: '^Storage|^#Storage' - line: 'Storage=persistent' - insertafter: '\[Journal\]' - when: - - ubtu20cis_rule_4_2_2_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_4.2.2.3 - - rsyslog - - journald - -- name: "AUTOMATED | 4.2.3 | PATCH | Ensure permissions on all logfiles are configured" - command: find /var/log -type f -exec chmod g-wx,o-rwx "{}" + -o -type d -exec chmod g-w,o-rwx "{}" + - changed_when: ubtu20cis_4_2_3_logfile_perms_status.rc == 0 - check_mode: false - register: ubtu20cis_4_2_3_logfile_perms_status - when: - - ubtu20cis_rule_4_2_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_4.2.3 - - logfiles - - permissions - -- name: "MANUAL | 4.3 | PATCH | Ensure logrotate is configured" - block: - - name: "MANUAL | 4.3 | PATCH | Ensure logrotate is configured | Get logrotate files" - find: - paths: /etc/logrotate.d/ - check_mode: false - register: ubtu20cis_4_3_logrotate_files - - - name: "MANUAL | 4.3 | PATCH | Ensure logrotate is configured | Set rotation configurations" - replace: - path: "{{ item.path }}" - regexp: '^(\s*)(daily|weekly|monthly|yearly)$' - replace: "\\1{{ ubtu20cis_logrotate }}" - with_items: - - "{{ ubtu20cis_4_3_logrotate_files.files }}" - - { path: "/etc/logrotate.conf" } - when: - - ubtu20cis_rule_4_3 - tags: - - level1-server - - level1-workstation - - manual - - patch - - rule_4.3 - - logrotate - -- name: "AUTOMATED | 4.4 | PATCH | Ensure logrotate assigns appropriate permissions" - lineinfile: - path: 
/etc/logrotate.conf
- regexp: '^create'
- line: ' create {{ ubtu20cis_logrotate_create_settings }}'
- when:
- - ubtu20cis_rule_4_4
- tags:
- - level1-server
- - level1-workstation
- - automated
- - patch
- - rule_4.4
- - logrotate
diff --git a/tasks/old_section5.yml b/tasks/old_section5.yml
deleted file mode 100644
index ce3f7294..00000000
--- a/tasks/old_section5.yml
+++ /dev/null
@@ -1,1138 +0,0 @@ ---- -- name: "AUTOMATED | 5.1.1 | PATCH | Ensure cron daemon is enabled and running" - service: - name: cron - state: started - enabled: yes - when: - - ubtu20cis_rule_5_1_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.1.1 - - cron - -- name: "AUTOMATED | 5.1.2 | PATCH | Ensure permissions on /etc/crontab are configured" - file: - path: /etc/crontab - owner: root - group: root - mode: 0600 - when: - - ubtu20cis_rule_5_1_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.1.2 - - cron - -- name: "AUTOMATED | 5.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured" - file: - path: /etc/cron.hourly - owner: root - group: root - mode: 0700 - when: - - ubtu20cis_rule_5_1_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.1.3 - - cron - -- name: "AUTOMATED | 5.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured" - file: - path: /etc/cron.daily - owner: root - group: root - mode: 0700 - when: - - ubtu20cis_rule_5_1_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.1.4 - - cron - -- name: "AUTOMATED | 5.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" - file: - path: /etc/cron.weekly - owner: root - group: root - mode: 0700 - when: - - ubtu20cis_rule_5_1_5 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.1.5 - - cron - -- name: "AUTOMATED | 5.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured" - file: - path: /etc/cron.monthly - owner: root - group: root - mode: 0700 - when: - - ubtu20cis_rule_5_1_6 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.1.6 - - cron - -- name: "AUTOMATED | 5.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured" - file: - path: /etc/cron.d - owner: root - group: root - mode: 0700 - when: - - ubtu20cis_rule_5_1_7 - tags: - - level1-server - - 
level1-workstation - - automated - - patch - - rule_5.1.7 - - cron - -- name: "AUTOMATED | 5.1.8 | PATCH | Ensure at/cron is restricted to authorized users" - block: - - name: "AUTOMATED | 5.1.8 | PATCH | Ensure at/cron is restricted to authorized users | Remove cron.deny" - file: - path: /etc/cron.deny - state: absent - - - name: "AUTOMATED | 5.1.8 | PATCH | Ensure at/cron is restricted to authorized users | Create cron.allow" - file: - path: /etc/cron.allow - owner: root - group: root - mode: 0640 - state: touch - when: - - ubtu20cis_rule_5_1_8 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.1.8 - - cron - -- name: "AUTOMATED | 5.1.9 | PATCH | Ensure at is restricted to authorized users" - block: - - name: "AUTOMATED | 5.1.9 | PATCH | Ensure at is restricted to authorized users | Remove at.deny" - file: - path: /etc/at.deny - state: absent - - - name: "AUTOMATED | 5.1.9 | PATCH | Ensure at is restricted to authorized users | Create at.allow" - file: - path: /etc/at.allow - owner: root - group: root - mode: 0640 - state: touch - when: - - ubtu20cis_rule_5_1_9 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.1.9 - - cron - -- name: "AUTOMATED | 5.2.1 | PATCH | Ensure sudo is installed" - apt: - name: "{{ ubtu20cis_sudo_package }}" - state: present - when: - - ubtu20cis_rule_5_2_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.2.1 - - sudo - -- name: "AUTOMATED | 5.2.2 | PATCH | Ensure sudo commands use pty" - lineinfile: - path: /etc/sudoers - regexp: '^Defaults use_' - line: 'Defaults use_pty' - insertafter: '^Defaults' - when: - - ubtu20cis_rule_5_2_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.2.2 - - sudo - -- name: "AUTOMATED | 5.2.3 | PATCH | Ensure sudo log file exists" - lineinfile: - path: /etc/sudoers - regexp: '^Defaults logfile' - line: 'Defaults logfile="{{ ubtu20cis_sudo_logfile }}"' - insertafter: 
'^Defaults' - when: - - ubtu20cis_rule_5_2_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.2.3 - - sudo - -- name: "AUTOMATED | 5.3.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" - file: - path: /etc/ssh/sshd_config - owner: root - group: root - mode: 0600 - when: - - ubtu20cis_rule_5_3_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.3.1 - - ssh - -- name: "AUTOMATED | 5.3.2 | PATCH | Ensure permissions on SSH private host key files are configured" - block: - - name: "AUTOMATED | 5.3.2 | AUDIT | Ensure permissions on SSH private host key files are configured | Find ssh_host private keys" - find: - paths: /etc/ssh - patterns: 'ssh_host_*_key' - register: ubtu20cis_5_3_2_ssh_host_priv_keys - - - name: "AUTOMATED | 5.3.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions" - file: - path: "{{ item.path }}" - owner: root - group: root - mode: 0600 - with_items: - - "{{ ubtu20cis_5_3_2_ssh_host_priv_keys.files }}" - when: - - ubtu20cis_rule_5_3_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.3.2 - - ssh - -- name: "AUTOMATED | 5.3.3 | PATCH | Ensure permissions on SSH public host key files are configured" - block: - - name: "AUTOMATED | 5.3.3 | AUDIT | Ensure permissions on SSH public host key files are configured | Find ssh_host public keys" - find: - paths: /etc/ssh - patterns: 'ssh_host_*_key.pub' - register: ubtu20cis_5_3_3_ssh_host_pub_keys - - - name: "AUTOMATED | 5.3.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions" - file: - path: "{{ item.path }}" - owner: root - group: root - mode: 0644 - with_items: - - "{{ ubtu20cis_5_3_3_ssh_host_pub_keys.files }}" - when: - - ubtu20cis_rule_5_3_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.3.3 - - ssh - -- name: "AUTOMATED | 5.3.4 | PATCH | Ensure SSH access is 
limited" - block: - - name: "AUTOMATED | 5.3.4 | PATCH | Ensure SSH access is limited | Add allowed users" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^AllowUsers|^#AllowUsers' - line: 'AllowUsers {{ ubtu20cis_sshd.allow_users }}' - notify: restart sshd - when: "ubtu20cis_sshd['allow_users']|default('') != ''" - - - name: "AUTOMATED | 5.3.4 | PATCH | Ensure SSH access is limited | Add allowed groups" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^AllowGroups|^#AllowGroups' - line: 'AllowGroups {{ ubtu20cis_sshd.allow_groups }}' - notify: restart sshd - when: "ubtu20cis_sshd['allow_groups']|default('') != ''" - - - name: "AUTOMATED | 5.3.4 | PATCH | Ensure SSH access is limited | Add deny users" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^DenyUsers|^#DenyUsers' - line: 'DenyUsers {{ ubtu20cis_sshd.deny_users }}' - notify: restart sshd - when: "ubtu20cis_sshd['deny_users']|default('') != ''" - - - name: "AUTOMATED | 5.3.4 | PATCH | Ensure SSH access is limited | Add deny groups" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^DenyGroups|^#DenyGroups' - line: 'DenyGroups {{ ubtu20cis_sshd.deny_groups }}' - notify: restart sshd - when: "ubtu20cis_sshd['deny_groups']|default('') != ''" - when: - - ubtu20cis_rule_5_3_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.3.4 - - ssh - -- name: "AUTOMATED | 5.3.5 | PATCH | Ensure SSH LogLevel is appropriate" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^LogLevel|^#LogLevel' - line: 'LogLevel {{ ubtu20cis_sshd.log_level }}' - insertafter: '^# Logging' - notify: restart sshd - when: - - ubtu20cis_rule_5_3_5 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.3.5 - - ssh - -- name: "AUTOMATED | 5.3.6 | PATCH | Ensure SSH X11 forwarding is disabled" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^X11Forwarding|^#X11Forwarding' - line: 'X11Forwarding no' - notify: restart sshd - when: - - ubtu20cis_rule_5_3_6 - 
tags: - - level2-server - - level1-workstation - - automated - - patch - - rule_5.3.6 - - ssh - -- name: "AUTOMATED | 5.3.7 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^MaxAuthTries|^#MaxAuthTries' - line: 'MaxAuthTries {{ ubtu20cis_sshd.max_auth_tries }}' - insertafter: '^# Authentication' - notify: restart sshd - when: - - ubtu20cis_rule_5_3_7 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.3.7 - - ssh - -- name: "AUTOMATED | 5.3.8 | PATCH | Ensure SSH IgnoreRhosts is enabled" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^IgnoreRhosts|^#IgnoreRhosts' - line: 'IgnoreRhosts yes' - notify: restart sshd - when: - - ubtu20cis_rule_5_3_8 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.3.8 - - ssh - -- name: "AUTOMATED | 5.3.9 | PATCH | Ensure SSH HostbasedAuthentication is disabled" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^HostbasedAuthentication|^#HostbasedAuthentication' - line: 'HostbasedAuthentication no' - notify: restart sshd - when: - - ubtu20cis_rule_5_3_9 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.3.9 - - ssh - -- name: "AUTOMATED | 5.3.10 | PATCH | Ensure SSH root login is disabled" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^PermitRootLogin|^#PermitRootLogin' - line: 'PermitRootLogin no' - notify: restart sshd - when: - - ubtu20cis_rule_5_3_10 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.3.10 - - ssh - -- name: "AUTOMATED | 5.3.11 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^PermitEmptyPasswords|^#PermitEmptyPasswords' - line: 'PermitEmptyPasswords no' - insertafter: '# To disable tunneled clear text passwords' - notify: restart sshd - when: - - ubtu20cis_rule_5_3_11 - tags: - - level1-server - - level1-workstation - - automated - - patch - - 
rule_5.3.11 - - ssh - -- name: "AUTOMATED | 5.3.12 | PATCH | Ensure SSH PermitUserEnvironment is disabled" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^PermitUserEnvironment|^#PermitUserEnvironment' - line: 'PermitUserEnvironment no' - notify: restart sshd - when: - - ubtu20cis_rule_5_3_12 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.3.12 - - ssh - -- name: "AUTOMATED | 5.3.13 | PATCH | Ensure only strong Ciphers are used" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^Ciphers|^#Ciphers' - line: 'Ciphers {{ ubtu20cis_sshd.ciphers }}' - insertafter: '^# Ciphers and keying' - notify: restart sshd - when: - - ubtu20cis_rule_5_3_13 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.3.13 - - ssh - -- name: "AUTOMATED | 5.3.14 | PATCH | Ensure only strong MAC algorithms are used" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^MACs|^#MACs' - line: 'MACs {{ ubtu20cis_sshd.macs }}' - insertafter: '^# Ciphers and keying' - notify: restart sshd - when: - - ubtu20cis_rule_5_3_14 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.3.14 - - ssh - -- name: "AUTOMATED | 5.3.15 | PATCH | Ensure only strong Key Exchange algorithms are used" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^KexAlgorithms|^#KexAlgorithms' - line: 'KexAlgorithms {{ ubtu20cis_sshd.kex_algorithms }}' - insertafter: '^# Ciphers and keying' - notify: restart sshd - when: - - ubtu20cis_rule_5_3_15 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.3.15 - - ssh - -- name: "AUTOMATED | 5.3.16 | PATCH | Ensure SSH Idle Timeout Interval is configured" - lineinfile: - path: /etc/ssh/sshd_config - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^ClientAliveInterval|^#ClientAliveInterval', line: 'ClientAliveInterval {{ ubtu20cis_sshd.client_alive_interval }}' } - - { regexp: 
'^ClientAliveCountMax|^#ClientAliveCountMax', line: 'ClientAliveCountMax {{ ubtu20cis_sshd.client_alive_count_max }}' } - notify: restart sshd - when: - - ubtu20cis_rule_5_3_16 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.3.16 - - sshd - -- name: "AUTOMATED | 5.3.17 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^LoginGraceTime|^#LoginGraceTime' - line: 'LoginGraceTime {{ ubtu20cis_sshd.login_grace_time }}' - insertafter: '^# Authentication' - notify: restart sshd - when: - - ubtu20cis_rule_5_3_17 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.3.17 - - ssh - -- name: "AUTOMATED | 5.3.18 | PATCH | Ensure SSH warning banner is configured" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^Banner|^#Banner' - line: Banner /etc/issue.net - insertafter: '^# no default banner path' - notify: restart sshd - when: - - ubtu20cis_rule_5_3_18 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.3.18 - - ssh - -- name: "AUTOMATED | 5.3.19 | PATCH | Ensure SSH PAM is enabled" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^UsePAM|^#UsePAM' - line: 'UsePAM yes' - insertafter: '^# and ChallengeResponseAuthentication' - notify: restart sshd - when: - - ubtu20cis_rule_5_3_19 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.3.19 - - ssh - - pam - -- name: "AUTOMATED | 5.3.20 | PATCH | Ensure SSH AllowTcpForwarding is disabled" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^AllowTcpForwarding|^#AllowTcpForwarding' - line: 'AllowTcpForwarding no' - notify: restart sshd - when: - - ubtu20cis_rule_5_3_20 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_5.3.20 - - ssh - -- name: "AUTOMATED | 5.3.21 | PATCH | Ensure SSH MaxStartups is configured" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^MaxStartups|^#MaxStartups' 
- line: 'MaxStartups 10:30:60' - notify: restart sshd - when: - - ubtu20cis_rule_5_3_21 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.3.21 - - ssh - -- name: "AUTOMATED | 5.3.22 | PATCH | Ensure SSH MaxSessions is set to 4 or less" - lineinfile: - path: /etc/ssh/sshd_config - regexp: '^MaxSessions|^#MaxSessions' - line: 'MaxSessions {{ ubtu20cis_sshd.max_sessions }}' - insertafter: '^# Authentication' - notify: restart sshd - when: - - ubtu20cis_rule_5_3_22 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.3.22 - - ssh - -- name: "AUTOMATED | 5.4.1 | PATCH | Ensure password creation requirements are configured" - block: - - name: "AUTOMATED | 5.4.1 | PATCH | Ensure password creation requirements are configured | Install pam_pwquality module" - apt: - name: libpam-pwquality - state: present - - - name: "AUTOMATED | 5.4.1 | PATCH | Ensure password creation requirements are configured | Add minlen" - lineinfile: - path: /etc/security/pwquality.conf - regexp: '^minlen|^# minlen' - line: minlen = 14 - - - name: "AUTOMATED | 5.4.1 | PATCH | Ensure password creation requirements are configured | Add minclass" - lineinfile: - path: /etc/security/pwquality.conf - regexp: '^minclass|^# minclass' - line: 'minclass = 4' - - - name: "AUTOMATED | 5.4.1 | AUDIT | Ensure password creation requirements are configured | Confirm pwquality module in common-password" - command: grep 'password.*requisite.*pam_pwquality.so' /etc/pam.d/common-password - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_5_4_1_pam_pwquality_state - - - name: "AUTOMATED | 5.4.1 | PATCH | Ensure password creation requirements are configured | Set retry to 3 if pwquality exists" - pamd: - name: common-password - type: password - control: requisite - module_path: pam_pwquality.so - module_arguments: 'retry=3' - state: args_present - when: ubtu20cis_5_4_1_pam_pwquality_state.stdout | length > 0 - - - name: 
"AUTOMATED | 5.4.1 | PATCH | Ensure password creation requirements are configured | Set retry to 3 if pwquality does not exist" - pamd: - name: common-password - type: password - control: required - module_path: pam_permit.so - new_type: password - new_control: requisite - new_module_path: pam_pwquality.so - module_arguments: 'retry=3' - state: after - when: ubtu20cis_5_4_1_pam_pwquality_state.stdout | length == 0 - when: - - ubtu20cis_rule_5_4_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.4.1 - - pam - -# ------------- -# ------------- -# There is a bug in pam_tally2.so where the use of the audit keyword may log credentials in the case of user error during authentication. -# To work around this bug the CIS documentation has you setting pam_tally2 to the account section. -# Once bug is fixed please set pam_tally2 to the auth sections. We have those commented out in the task -# ------------- -# ------------- - -# ------------- -# ------------- -# figure out why pam_deny kills vagrant user. 
Below is everything working but the pam_deny.so in the last task with_items -# ------------- -# ------------- -- name: "AUTOMATED | 5.4.2 | PATCH | Ensure lockout for failed password attempts is configured" - command: /bin/true - changed_when: false - failed_when: false - check_mode: false - # block: - # - name: "AUTOMATED | 5.4.2 | AUDIT | Ensure lockout for failed password attempts is configured | Confirm pam_tally2.so module in common-auth" - # # command: grep 'auth.*required.*pam_tally2.so' /etc/pam.d/common-auth - # command: grep 'auth.*required.*pam_tally2.so' /etc/pam.d/common-account - # changed_when: false - # failed_when: false - # check_mode: false - # register: ubtu20cis_5_4_2_pam_tally2_state - - # - name: "AUTOMATED | 5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Set pam_tally2.so settings if exists" - # pamd: - # # name: common-auth - # name: common-account - # # type: auth - # type: account - # control: required - # module_path: pam_tally2.so - # module_arguments: 'onerr=fail - # audit - # silent - # deny=5 - # unlock_time=900' - # when: ubtu20cis_5_4_2_pam_tally2_state.stdout != "" - - # - name: "AUTOMATED | 5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Set pam_tally2.so settings if does not exist" - # lineinfile: - # # path: /etc/pam.d/common-auth - # path: /etc/pam.d/common-account - # # line: 'auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900' - # line: 'account required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900' - # insertafter: '^# end of pam-auth-update config' - # when: ubtu20cis_5_4_2_pam_tally2_state == "" - - # - name: "AUTOMATED | 5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Set pam_deny.so and pam_tally.so" - # lineinfile: - # path: /etc/pam.d/common-account - # regexp: "{{ item.regexp }}" - # line: "{{ item.line }}" - # insertafter: '^# end of pam-auth-update config' - # with_items: - # # - { regexp: 
'^accout.*requisite.*pam_deny.so', line: 'account requisite pam_george.so' } - # - { regexp: '^account.*required.*pam_tally.so', line: 'account required pam_tally.so' } - when: - - ubtu20cis_rule_5_4_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.4.2 - - pamd - - notimplemented - -- name: "AUTOMATED | 5.4.3 | PATCH | Ensure password reuse is limited" - block: - - name: "AUTOMATED | 5.4.3 | AUDIT | Ensure password reuse is limited | Confirm pam_pwhistory.so in common-password" - command: grep 'password.*required.*pam_pwhistory.so' /etc/pam.d/common-password - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_5_4_3_pam_pwhistory_state - - - name: "AUTOMATED | 5.4.3 | PATCH | Ensure password reuse is limited | Set remember value if pam_pwhistory exists" - pamd: - name: common-password - type: password - control: required - module_path: pam_pwhistory.so - module_arguments: 'remember={{ ubtu20cis_pamd_pwhistory_remember }}' - state: args_present - when: ubtu20cis_5_4_3_pam_pwhistory_state.stdout | length > 0 - - - name: "AUTOMATED | 5.4.3 | PATCH | Ensure password reuse is limited | Set remember value if pam_pwhistory does no exist" - lineinfile: - path: /etc/pam.d/common-password - line: 'password required pam_pwhistory.so remember={{ ubtu20cis_pamd_pwhistory_remember }}' - insertafter: '^# end of pam-auth-update config' - when: ubtu20cis_5_4_3_pam_pwhistory_state.stdout | length == 0 - when: - - ubtu20cis_rule_5_4_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.4.3 - - pamd - -- name: "AUTOMATED | 5.4.4 | PATCH | Ensure password hashing algorithm is SHA-512" - block: - - name: "AUTOMATED | 5.4.4 | AUDIT | Ensure password hashing algorithm is SHA-512 | Confirm pam_unix.so" - shell: grep -E '^\s*password\s+(\S+\s+)+pam_unix\.so\s+(\S+\s+)*sha512\s*(\S+\s*)*(\s+#.*)?$' /etc/pam.d/common-password - changed_when: false - failed_when: false - check_mode: false - 
register: ubtu20cis_5_4_4_pam_unix_state - - - name: "AUTOMATED | 5.4.4 | PATCH | Ensure password hashing algorithm is SHA-512 | Set hashing if pam_unix.so exists" - pamd: - name: common-password - type: password - control: '[success=1 default=ignore]' - module_path: pam_unix.so - module_arguments: sha512 - state: args_present - when: ubtu20cis_5_4_4_pam_unix_state.stdout | length > 0 - - - name: "AUTOMATED | 5.4.4 | PATCH | Ensure password hashing algorithm is SHA-512 | Set hashing if pam_unix.so does not exist" - lineinfile: - path: /etc/pam.d/common-password - line: 'password [success=1 default=ignore] pam_unix.so sha512' - insertafter: '^# end of pam-auth-update config' - when: ubtu20cis_5_4_4_pam_unix_state.stdout | length == 0 - when: - - ubtu20cis_rule_5_4_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.4.4 - - pamd - -- name: "AUTOMATED | 5.5.1.1 | PATCH | Ensure minimum days between password changes is configured" - block: - - name: "AUTOMATED | 5.5.1.1 | PATCH | Ensure minimum days between password changes is configured | Set /etc/login.defs PASS_MIN_DAYS" - lineinfile: - path: /etc/login.defs - regexp: '^PASS_MIN_DAYS|^#PASS_MIN_DAYS' - line: 'PASS_MIN_DAYS {{ ubtu20cis_pass.min_days }}' - - - name: "AUTOMATED | 5.5.1.1 | PATCH | Ensure minimum days between password changes is configured | Set existing users PASS_MIN_DAYS" - command: chage --mindays {{ ubtu20cis_pass.min_days }} {{ item }} - failed_when: false - with_items: - - "{{ ubtu20cis_passwd| selectattr('uid', '>=', 1000) | map(attribute='id') | list }}" - when: ubtu20cis_disruption_high - when: - - ubtu20cis_rule_5_5_1_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.5.1.1 - - user - - login - -- name: "AUTOMATED | 5.5.1.2 | PATCH | Ensure password expiration is 365 days or less" - block: - - name: "AUTOMATED | 5.5.1.2 | PATCH | Ensure password expiration is 365 days or less | Set /etc/login.defs PASS_MAX_DAYS" - 
lineinfile: - path: /etc/login.defs - regexp: '^PASS_MAX_DAYS|^#PASS_MAX_DAYS' - line: 'PASS_MAX_DAYS {{ ubtu20cis_pass.max_days }}' - insertafter: '# Password aging controls' - - - name: "AUTOMATED | 5.5.1.2 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS" - command: chage --maxdays {{ ubtu20cis_pass.max_days }} {{ item }} - failed_when: false - with_items: - - "{{ ubtu20cis_passwd| selectattr('uid', '>=', 1000) | map(attribute='id') | list }}" - when: ubtu20cis_disruption_high - when: - - ubtu20cis_rule_5_5_1_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.5.1.2 - - user - - login - -- name: "AUTOMATED | 5.5.1.3 | PATCH | Ensure password expiration warning days is 7 or more" - block: - - name: "AUTOMATED | 5.5.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Set /etc/login.defs PASS_WARN_AGE" - lineinfile: - path: /etc/login.defs - regexp: '^PASS_WARN_AGE|^#PASS_WARN_AGE' - line: 'PASS_WARN_AGE {{ ubtu20cis_pass.warn_age }}' - - - name: "AUTOMATED | 5.5.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Set existing users PASS_WARN_AGE" - command: chage --warndays {{ ubtu20cis_pass.warn_age }} {{ item }} - failed_when: false - with_items: - - "{{ ubtu20cis_passwd| selectattr('uid', '>=', 1000) | map(attribute='id') | list }}" - when: ubtu20cis_disruption_high - when: - - ubtu20cis_rule_5_5_1_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.5.1.3 - - user - - login - -- name: "AUTOMATED | 5.5.1.4 | PATCH | Ensure inactive password lock is 30 days or less" - block: - - name: "AUTOMATED | 5.5.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set inactive period for new users" - command: useradd -D -f {{ ubtu20cis_pass.inactive }} - failed_when: false - - - name: "AUTOMATED | 5.5.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set inactive period for existing users" - command: 
chage --inactive {{ ubtu20cis_pass.inactive }} {{ item }} - failed_when: false - with_items: - - "{{ ubtu20cis_passwd| selectattr('uid', '>=', 1000) | map(attribute='id') | list }}" - when: ubtu20cis_disruption_high - when: - - ubtu20cis_rule_5_5_1_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.5.1.4 - - user - - login - -- name: "AUTOMATED | 5.5.1.5 | PATCH | Ensure all users last password change date is in the past" - block: - - name: "AUTOMATED | 5.5.1.5 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time" - shell: echo $(($(date --utc --date "$1" +%s)/86400)) - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_5_5_1_5_current_time - - - name: "AUTOMATED | 5.5.1.5 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed PW date in future" - shell: "cat /etc/shadow | awk -F: '{if($3>{{ ubtu20cis_5_5_1_5_current_time.stdout }})print$1}'" - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_5_5_1_5_user_list - - - name: "AUTOMATED | 5.5.1.5 | PATCH | Ensure all users last password change date is in the past | Warn about users" - debug: - msg: - - "WARNING!!!!The following accounts have the last PW change date in the future" - - "{{ ubtu20cis_5_5_1_5_user_list.stdout_lines }}" - when: ubtu20cis_5_5_1_5_user_list.stdout | length > 0 - - - name: "AUTOMATED | 5.5.1.5 | PATCH | Ensure all users last password change date is in the past | Lock accounts with furtre PW changed dates" - command: passwd --expire {{ item }} - failed_when: false - with_items: - - "{{ ubtu20cis_5_5_1_5_user_list.stdout_lines }}" - when: - - ubtu20cis_disruption_high - - ubtu20cis_5_5_1_5_user_list.stdout | length > 0 - when: - - ubtu20cis_rule_5_5_1_5 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.5.1.5 - - user - - login - -- name: "AUTOMATED | 5.5.2 | PATCH | 
Ensure system accounts are secured" - block: - - name: "AUTOMATED | 5.5.2 | PATCH | Ensure system accounts are secured | Set system accounts to login" - user: - name: "{{ item }}" - shell: /sbin/nologin - with_items: - - "{{ ubtu20cis_passwd | selectattr('uid', '<', 1000) | map(attribute='id') | list }}" - when: - - item != "root" - - item != "sync" - - item != "shutdown" - - item != "halt" - - - name: "AUTOMATED | 5.5.2 | PATCH | Ensure system accounts are secured | Lock non-root system accounts" - user: - name: "{{ item }}" - password_lock: true - with_items: - - "{{ ubtu20cis_passwd| selectattr('uid', '<', 1000) | map(attribute='id') | list }}" - when: - - item != "root" - when: - - ubtu20cis_rule_5_5_2 - - ubtu20cis_disruption_high - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.5.2 - - user - - system - -- name: "AUTOMATED | 5.5.3 | PATCH | Ensure default group for the root account is GID 0" - block: - - name: "AUTOMATED | 5.5.3 | PATCH | Ensure default group for the root account is GID 0 | Set root group to GUID 0" - group: - name: root - gid: 0 - - - name: "AUTOMATED | 5.5.3 | PATCH | Ensure default group for the root account is GID 0 | Set root user to root group" - user: - name: root - group: root - when: - - ubtu20cis_rule_5_5_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.5.3 - - user - - system - -- name: "AUTOMATED | 5.5.4 | PATCH | Ensure default user umask is 027 or more restrictive" - block: - - name: "AUTOMATED | 5.5.4 | AUDIT | Ensure default user umask is 027 or more restrictive" - shell: grep -E '^session.*optional.*pam_umask.so' /etc/pam.d/common-session - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_5_5_4_umask_pam_status - - - name: "AUTOMATED | 5.5.4 | PATCH | Ensure default user umask is 027 or more restrictive" - lineinfile: - path: /etc/pam.d/common-session - line: 'session optional pam_umask.so' - insertbefore: '^# end of 
pam-auth-update config' - when: ubtu20cis_5_5_4_umask_pam_status.stdout | length > 0 - - - name: "AUTOMATED | 5.5.4 | PATCH | Ensure default user umask is 027 or more restrictive" - replace: - path: "{{ item }}" - regexp: '(^\s+umask) 002' - replace: '\1 027' - with_items: - - /etc/bash.bashrc - - /etc/profile - - /etc/login.defs - when: - - ubtu20cis_rule_5_5_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.5.4 - - user - -- name: "AUTOMATED | 5.5.5 | PATCH | Ensure default user shell timeout is 900 seconds or less" - blockinfile: - create: yes - mode: 0644 - dest: "{{ item.dest }}" - state: "{{ item.state }}" - marker: "# {mark} ANSIBLE MANAGED" - block: | - # Set session timeout - CIS ID 5.5.5 - TMOUT={{ ubtu20cis_shell_session_timeout.timeout }} - readonly TMOUT - export TMOUT - with_items: - - { dest: "{{ ubtu20cis_shell_session_timeout.file }}", state: present } - - { dest: /etc/profile, state: "{{ (ubtu20cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" } - - { dest: /etc/bash.bashrc, state: present } - when: - - ubtu20cis_rule_5_5_5 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.5.5 - - user - -- name: "MANUAL | 5.6 | AUDIT | Ensure root login is restricted to system console" - block: - - name: "MANUAL | 5.6 | AUDIT | Ensure root login is restricted to system console | Get list of all terminals" - command: cat /etc/securetty - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_5_6_terminal_list - - - name: "MANUAL | 5.6 | AUDIT | Ensure root login is restricted to system console | Message out list" - debug: - msg: - - "WARNING!!!! 
Below is the list of consoles with root login access" - - "Please review for any conoles that are not in a physically secure location" - - "{{ ubtu20cis_5_6_terminal_list.stdout_lines }}" - when: - - ubtu20cis_rule_5_6 - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_5.6 - - user - -- name: "AUTOMATED | 5.7 | PATCH | Ensure access to the su command is restricted" - block: - - name: "AUTOMATED | 5.7 | PATCH | Ensure access to the su command is restricted | Check for pam_wheel.so module" - command: grep 'auth.*required.*pam_wheel' /etc/pam.d/su - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_5_7_pam_wheel_status - - - name: "AUTOMATED | 5.7 | PATCH | Ensure access to the su command is restricted | Create empty sugroup" - group: - name: "{{ ubtu20cis_su_group }}" - - - name: "AUTOMATED | 5.7 | PATCH | Ensure access to the su command is restricted | Set pam_wheel if exists" - pamd: - name: su - type: auth - control: required - module_path: pam_wheel.so - module_arguments: 'use_uid group={{ ubtu20cis_su_group }}' - when: ubtu20cis_5_7_pam_wheel_status.stdout | length > 0 - - - name: "AUTOMATED | 5.7 | PATCH | Ensure access to the su command is restricted | Set pam_wheel if does not exist" - lineinfile: - path: /etc/pam.d/su - line: 'auth required pam_wheel.so use_uid group={{ ubtu20cis_su_group }}' - create: yes - when: ubtu20cis_5_7_pam_wheel_status.stdout | length == 0 - when: - - ubtu20cis_rule_5_7 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.7 - - user diff --git a/tasks/old_section6.yml b/tasks/old_section6.yml deleted file mode 100644 index 125ab16d..00000000 --- a/tasks/old_section6.yml +++ /dev/null 
@@ -1,921 +0,0 @@ ---- -- name: "MANUAL | 6.1.1 | AUDIT | Audit system file permissions" - block: - - name: "MANUAL | 6.1.1 | AUDIT | Audit system file permissions | Register package list" - command: ls -a /bin/ - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_6_1_1_packages - - # - name: "NOTSCORED | 6.1.1 | AUDIT | Audit system file permissions | Audit the packages" - # command: dpkg --verify {{ item }} - # changed_when: false - # failed_when: false - # check_mode: false - # with_items: - # - "{{ ubtu18cis_6_1_1_packages.stdout_lines }}" - # register: ubtu18cis_6_1_1_packages_audited - - - name: "MANUAL | 6.1.1 | AUDIT | Audit system file permissions | Message out packages results for review" - debug: - msg: - - "ALERT!!!! Below are the packages that need to be reviewed." - - "You can run dpkg --verify and if nothing is returned the package is installed correctly" - - "{{ ubtu20cis_6_1_1_packages.stdout_lines }}" - when: - - ubtu20cis_rule_6_1_1 - tags: - - level2-server - - level2-workstation - - manual - - audit - - rule_6.1.1 - - permissions - -- name: "AUTOMATED | 6.1.2 | PATCH | Ensure permissions on /etc/passwd are configured" - file: - path: /etc/passwd - owner: root - group: root - mode: 0644 - when: - - ubtu20cis_rule_6_1_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.1.2 - - permissions - -- name: "AUTOMATED | 6.1.3 | PATCH | Ensure permissions on /etc/passwd- are configured" - file: - path: /etc/passwd- - owner: root - group: root - mode: 0600 - when: - - ubtu20cis_rule_6_1_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.1.3 - - permissions - -- name: "AUTOMATED | 6.1.4 | PATCH | Ensure permissions on /etc/group are configured" - file: - path: /etc/group - owner: root - group: root - mode: 0644 - when: - - ubtu20cis_rule_6_1_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.1.4 - - permissions - -- name: 
"AUTOMATED | 6.1.5 | PATCH | Ensure permissions on /etc/group- are configured" - file: - path: /etc/group- - owner: root - group: root - mode: 0644 - when: - - ubtu20cis_rule_6_1_5 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.1.5 - - permissions - -- name: "AUTOMATED | 6.1.6 | PATCH | Ensure permissions on /etc/shadow are configured" - file: - path: /etc/shadow - owner: root - group: shadow - mode: 0640 - when: - - ubtu20cis_rule_6_1_6 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.1.6 - - permissions - -- name: "AUTOMATED | 6.1.7 | PATCH | Ensure permissions on /etc/shadow- are configured" - file: - path: /etc/shadow- - owner: root - group: shadow - mode: 0640 - when: - - ubtu20cis_rule_6_1_7 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.1.7 - - permissions - -- name: "AUTOMATED | 6.1.8 | PATCH | Ensure permissions on /etc/gshadow are configured" - file: - path: /etc/gshadow - owner: root - group: shadow - mode: 0640 - when: - - ubtu20cis_rule_6_1_8 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.1.8 - - permissions - -- name: "AUTOMATED | 6.1.9 | PATCH | Ensure permissions on /etc/gshadow- are configured" - file: - path: /etc/gshadow- - owner: root - group: shadow - mode: 0640 - when: - - ubtu20cis_rule_6_1_9 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.1.9 - - permissions - -- name: "AUTOMATED | 6.1.10 | PATCH | Ensure no world writable files exist" - block: - - name: "AUTOMATED | 6.1.10 | AUDIT | Ensure no world writable files exist | Get list of world-writable files" - shell: find {{ item.mount }} -xdev -type f -perm -0002 - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_6_1_10_wwf - with_items: - - "{{ ansible_mounts }}" - - - name: "AUTOMATED | 6.1.10 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they 
exist" - file: - path: "{{ item }}" - mode: o-w - with_items: - - "{{ ubtu20cis_6_1_10_wwf.results | map(attribute='stdout_lines') | flatten }}" - when: ubtu20cis_no_world_write_adjust - when: - - ubtu20cis_rule_6_1_10 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.1.10 - - permissions - -- name: "AUTOMATED | 6.1.11 | PATCH | Ensure no unowned files or directories exist" - block: - - name: "AUTOMATED | 6.1.11 | AUDIT | Ensure no unowned files or directories exist | Get unowned files or directories" - shell: find {{ item.mount }} -xdev -nouser - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_6_1_11_no_user_items - with_items: - - "{{ ansible_mounts }}" - - - name: "AUTOMATED | 6.1.11 | AUDIT | Ensure no unowned files or directories exist | Flatten no_user_items results for easier use" - set_fact: - ubtu20cis_6_1_11_no_user_items_flatten: "{{ ubtu20cis_6_1_11_no_user_items.results | map(attribute='stdout_lines') | flatten }}" - - - name: "AUTOMATED | 6.1.11 | AUDIT | Ensure no unowned files or directories exist | Alert on unowned files and directories" - debug: - msg: - - "ALERT!!!You have unowned files and are configured to not auto-remediate for this task" - - "Please review the files/directories below and assign an owner" - - "{{ ubtu20cis_6_1_11_no_user_items_flatten }}" - when: - - not ubtu20cis_no_owner_adjust - - ubtu20cis_6_1_11_no_user_items_flatten | length > 0 - - - name: "AUTOMATED | 6.1.11 | PATCH | Ensure no unowned files or directories exist | Set unowned files/directories to configured owner" - file: - path: "{{ item }}" - owner: "{{ ubtu20cis_unowned_owner }}" - with_items: - - "{{ ubtu20cis_6_1_11_no_user_items_flatten }}" - when: - - ubtu20cis_no_owner_adjust - - ubtu20cis_6_1_11_no_user_items_flatten | length > 0 - when: - - ubtu20cis_rule_6_1_11 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.1.11 - - permissions - -- name: "AUTOMATED | 
6.1.12 | PATCH | Ensure no ungrouped files or directories exist" - block: - - name: "AUTOMATED | 6.1.12 | AUDIT | Ensure no ungrouped files or directories exist | Get ungrouped fiels or directories" - shell: find {{ item.mount }} -xdev -nogroup - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_6_1_12_ungrouped_items - with_items: - - "{{ ansible_mounts }}" - - - name: "AUTOMATED | 6.1.12 | AUDIT | Ensure no ungrouped files or directories exist | Flatten ungrouped_items results for easier use" - set_fact: - ubtu20cis_6_1_12_ungrouped_items_flatten: "{{ ubtu20cis_6_1_12_ungrouped_items.results | map(attribute='stdout_lines') | flatten }}" - - - name: "AUTOMATED | 6.1.12 | AUDIT | Ensure no ungrouped files or directories exist | Alert on ungrouped files and directories" - debug: - msg: - - "ALERT!!!!You have ungrouped files/directories and are configured to not auto-remediate for this task" - - "Please review the files/directories below and assign a group" - - "{{ ubtu20cis_6_1_12_ungrouped_items_flatten }}" - when: - - not ubtu20cis_no_group_adjust - - ubtu20cis_6_1_12_ungrouped_items_flatten | length > 0 - - - name: "AUTOMATED | 6.1.12 | PATCH | Ensure no ungrouped files or directories exist | Set ungrouped files/directories to configured group" - file: - path: "{{ item }}" - group: "{{ ubtu20cis_ungrouped_group }}" - with_items: - - "{{ ubtu20cis_6_1_12_ungrouped_items_flatten }}" - when: - - ubtu20cis_no_group_adjust - - ubtu20cis_6_1_12_ungrouped_items_flatten | length > 0 - when: - - ubtu20cis_rule_6_1_12 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.1.12 - - permissions - -- name: "MANUAL | 6.1.13 | AUDIT | Audit SUID executables" - block: - - name: "MANUAL | 6.1.13 | AUDIT | Audit SUID executables | Find SUID executables" - # shell: df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -4000 - shell: find {{ item.mount }} -xdev -type f -perm -4000 - 
changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_6_1_13_suid_executables - with_items: - - "{{ ansible_mounts }}" - - - name: "MANUAL | 6.1.13 | AUDIT | Audit SUID executables | Flatten suid_executables results for easier use" - set_fact: - ubtu20cis_6_1_13_suid_executables_flatten: "{{ ubtu20cis_6_1_13_suid_executables.results | map(attribute='stdout_lines') | flatten }}" - - - name: "MANUAL | 6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist" - debug: - msg: - - "ALERT!!!!You have SUID executables" - - "The files are listed below, please confirm the integrity of these binaries" - - "{{ ubtu20cis_6_1_13_suid_executables_flatten }}" - when: - - ubtu20cis_6_1_13_suid_executables_flatten | length > 0 - - not ubtu20cis_suid_adjust - - - name: "MANUAL | 6.1.13 | PATCH | Audit SUID executables | Remove SUID bit" - file: - path: "{{ item }}" - mode: 'u-s' - with_items: - - "{{ ubtu20cis_6_1_13_suid_executables_flatten }}" - when: - - ubtu20cis_suid_adjust - - ubtu20cis_6_1_13_suid_executables_flatten | length > 0 - when: - - ubtu20cis_rule_6_1_13 - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_6.1.13 - - permissions - -- name: "MANUAL | 6.1.14 | AUDIT | Audit SGID executables" - block: - - name: "MANUAL |6.1.14 | AUDIT | Audit SGID executables | Find SGID executables" - shell: find {{ item }} -xdev -type f -perm -2000 - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_6_1_14_sgid_executables - with_items: - - "{{ ansible_mounts }}" - - - name: "MANUAL | 6.1.14 | AUDIT | Audit SGID executables | Flatten sgid_executables results for easier use" - set_fact: - ubtu20cis_6_1_14_sgid_executables_flatten: "{{ ubtu20cis_6_1_14_sgid_executables.results | map(attribute='stdout_lines') | flatten }}" - - - name: "MANUAL | 6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist" - debug: - msg: - - "ALERT!!!!You have SGID executables" - - "The files 
are listed below, please review the integrity of these binaries" - - "{{ ubtu20cis_6_1_14_sgid_executables_flatten }}" - when: ubtu20cis_6_1_14_sgid_executables_flatten | length > 0 - when: - - ubtu20cis_rule_6_1_14 - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_6.1.14 - - permissions - -- name: "AUTOMATED | 6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords" - block: - - name: "AUTOMATED | 6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Get users not using shadowed passwords" - command: awk -F':' '($2 != "x" ) { print $1}' /etc/passwd - changed_when: false - failed_when: false - register: ubtu20cis_6_2_1_nonshadowed_users - - - name: "AUTOMATED | 6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Alert on findings" - debug: - msg: - - "ALERT! You have users that are not using a shadowed password. Please convert the below accounts to use a shadowed password" - - "{{ ubtu20cis_6_2_1_nonshadowed_users.stdout_lines }}" - when: - - ubtu20cis_6_2_1_nonshadowed_users.stdout | length > 0 - when: - - ubtu20cis_rule_6_2_1 - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_6.2.1 - - user_accounts - -- name: "AUTOMATED | 6.2.2 | PATCH | Ensure password fields are not empty" - block: - - name: "AUTOMATED | 6.2.2 | AUDIT | Ensure password fields are not empty | Find users with no password" - shell: awk -F":" '($2 == "" ) { print $1 }' /etc/shadow - changed_when: no - check_mode: false - register: ubtu20cis_6_2_2_empty_password_acct - - - name: "AUTOMATED | 6.2.2 | PATCH | Ensure password fields are not empty | Lock users with empty password" - user: - name: "{{ item }}" - password_lock: yes - with_items: - - "{{ ubtu20cis_6_2_2_empty_password_acct.stdout_lines }}" - when: ubtu20cis_6_2_2_empty_password_acct.stdout | length > 0 - when: - - ubtu20cis_rule_6_2_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.2.2 - - 
user - - permissions - -- name: "AUTOMATED | 6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group" - block: - - name: "AUTOMATED | 6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries" - shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}' - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_6_2_3_passwd_gid_check - - - name: "AUTOMATED | 6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files" - debug: - msg: "Good News! There are no users that have non-existent GUIDs (Groups)" - when: ubtu20cis_6_2_3_passwd_gid_check.stdout | length == 0 - - - name: "AUTOMATED | 6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" - debug: - msg: "WARNING!!!! The following users have non-existent GIDs (Groups): {{ ubtu20cis_6_2_3_passwd_gid_check.stdout_lines | join (', ') }}" - when: ubtu20cis_6_2_3_passwd_gid_check.stdout | length > 0 - when: - - ubtu20cis_rule_6_2_3 - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_6.2.3 - - groups - -- name: "AUTOMATED | 6.2.4 | PATCH | Ensure all users' home directories exist" - block: - - name: capture audit task for missing homedirs - block: &u20s_homedir_audit - - name: "AUTOMATED | 6.2.4 | PATCH | Ensure all users' home directories exist | Find users missing home directories" - shell: pwck -r | grep -P {{ ld_regex | quote }} - check_mode: false - register: ubtu20cis_users_missing_home - changed_when: ubtu20cis_6_2_4_audit | length > 0 - # failed_when: 0: success, 1: no grep match, 2: pwck found something - failed_when: ubtu20cis_users_missing_home.rc not in [0,1,2] - - ### NOTE: due to https://github.com/ansible/ansible/issues/24862 This is a shell command, and is quite frankly less than ideal. 
- - name: "AUTOMATED | 6.2.4 | PATCH | Ensure all users' home directories exist| Creates home directories" - command: "mkhomedir_helper {{ item }}" - # check_mode: "{{ ubtu20cis_disruptive_check_mode }}" - with_items: "{{ ubtu20cis_6_2_4_audit | map(attribute='id') | list }}" - when: - - ubtu20cis_users_missing_home is changed - - ubtu20cis_disruption_high - - ### NOTE: Now we need to address that SELINUX will not let mkhomedir_helper create home directories for UUID < 500, so the ftp user will still show up in a pwck. Not sure this is needed, I need to confirm if that user is removed in an earlier task. - ### ^ Likely doesn't matter as 6.2.7 defines "local interactive users" as those w/ uid 1000-4999 - - name: replay audit task - block: *u20s_homedir_audit - - # CAUTION: debug loops don't show changed since 2.4: - # Fix: https://github.com/ansible/ansible/pull/59958 - - name: "AUTOMATED | 6.2.4 | PATCH | Ensure all users' home directories exist | Alert about correcting owner and group" - debug: msg="You will need to mkdir -p {{ item }} and chown properly to the correct owner and group." 
- with_items: "{{ ubtu20cis_6_2_4_audit | map(attribute='dir') | list }}" - changed_when: ubtu20cis_audit_complex - when: - - ubtu20cis_users_missing_home is changed - vars: - ld_regex: >- - ^user '(?P.*)': directory '(?P.*)' does not exist$ - ld_users: "{{ ubtu20cis_users_missing_home.stdout_lines | map('regex_replace', ld_regex, '\\g') | list }}" - ubtu20cis_6_2_4_audit: "{{ ubtu20cis_passwd | selectattr('uid', '>=', 1000) | selectattr('id', 'in', ld_users) | list }}" - when: - - ubtu20cis_rule_6_2_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.2.4 - - user - -- name: "AUTOMATED | 6.2.5 | PATCH | Ensure users own their home directories" - file: - path: "{{ item.dir }}" - owner: "{{ item.id }}" - state: directory - with_items: - - "{{ ubtu20cis_passwd }}" - loop_control: - label: "{{ ubtu20cis_passwd_label }}" - when: - - ubtu20cis_rule_6_2_5 - - item.uid >= 1000 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.2.5 - - user - -- name: "AUTOMATED | 6.2.6 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" - block: - - name: "AUTOMATED | 6.2.6 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive | Get home directories" - stat: - path: "{{ item }}" - with_items: "{{ ubtu20cis_passwd | selectattr('uid', '>=', 1000) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" - check_mode: false - register: ubtu20cis_6_2_6_audit - - - name: "AUTOMATED | 6.2.6 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive | Find home directories more 750" - command: find -H {{ item.0 | quote }} -not -type l -perm /027 - register: ubtu20cis_6_2_6_patch_audit - changed_when: ubtu20cis_6_2_6_patch_audit.stdout | length > 0 - check_mode: false - when: - - item.1.exists - with_together: - - "{{ ubtu20cis_6_2_6_audit.results | map(attribute='item') | list }}" - - "{{ ubtu20cis_6_2_6_audit.results | map(attribute='stat') | 
list }}" - loop_control: - label: "{{ item.0 }}" - - - name: "AUTOMATED | 6.2.6 | PATCH | Ensure users' home directories permissions are 750 or more restrictive | Set home perms" - file: - path: "{{ item.0 }}" - recurse: yes - mode: a-st,g-w,o-rwx - register: ubtu20cis_6_2_6_patch - when: - - ubtu20cis_disruption_high - - item.1.exists - with_together: - - "{{ ubtu20cis_6_2_6_audit.results | map(attribute='item') | list }}" - - "{{ ubtu20cis_6_2_6_audit.results | map(attribute='stat') | list }}" - loop_control: - label: "{{ item.0 }}" - - # set default ACLs so the homedir has an effective umask of 0027 - - name: "AUTOMATED | 6.2.6 | PATCH | Ensure users' home directories permissions are 750 or more restrictive | Set ACL's" - acl: - path: "{{ item.0 }}" - default: yes - state: present - recursive: yes - etype: "{{ item.1.etype }}" - permissions: "{{ item.1.mode }}" - when: not ubtu20cis_system_is_container - with_nested: - - "{{ (ansible_check_mode | ternary(ubtu20cis_6_2_6_patch_audit, ubtu20cis_6_2_6_patch)).results | - rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" - - - - etype: group - mode: rx - - etype: other - mode: '0' - when: - - ubtu20cis_rule_6_2_6 - - ubtu20cis_disruption_high - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.2.6 - - user - -- name: "AUTOMATED | 6.2.7 | PATCH | Ensure users' dot files are not group or world writable" - block: - - name: "AUTOMATED | 6.2.7 | AUDIT | Ensure users' dot files are not group or world-writable | Check for files" - shell: find /home/ -name "\.*" -perm /g+w,o+w - changed_when: no - failed_when: no - check_mode: false - register: ubtu20cis_6_2_7_audit - - - name: "AUTOMATED | 6.2.7 | AUDIT | Ensure users' dot files are not group or world-writable | Alert on files found" - debug: - msg: "Good news! 
We have not found any group or world-writable dot files on your sytem" - failed_when: false - changed_when: false - when: - - ubtu20cis_6_2_7_audit.stdout | length == 0 - - - name: "AUTOMATED | 6.2.7 | PATCH | Ensure users' dot files are not group or world-writable | Changes files if configured" - file: - path: '{{ item }}' - mode: go-w - with_items: "{{ ubtu20cis_6_2_7_audit.stdout_lines }}" - when: - - ubtu20cis_6_2_7_audit.stdout | length > 0 - - ubtu20cis_dotperm_ansibleManaged - when: - - ubtu20cis_rule_6_2_7 - - ubtu20cis_disruption_high - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.2.7 - - user - -- name: "AUTOMATED | 6.2.8 | PATCH | Ensure no users have .netrc files" - file: - dest: "~{{ item }}/.netrc" - state: absent - with_items: - - "{{ ubtu20cis_users.stdout_lines }}" - when: - - ubtu20cis_rule_6_2_8 - - ubtu20cis_disruption_high - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.2.8 - - user - -- name: "AUTOMATED | 6.2.9 | PATCH | Ensure no users have .forward files" - file: - dest: "~{{ item }}/.forward" - state: absent - with_items: - - "{{ ubtu20cis_users.stdout_lines }}" - when: - - ubtu20cis_rule_6_2_9 - - ubtu20cis_disruption_high - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.2.9 - - user - -- name: "AUTOMATED | 6.2.10 | PATCH | Ensure no users have .rhosts files" - file: - dest: "~{{ item }}/.rhosts" - state: absent - with_items: - - "{{ ubtu20cis_users.stdout_lines }}" - when: - - ubtu20cis_rule_6_2_10 - - ubtu20cis_disruption_high - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.2.10 - - user - -- name: "AUTOMATED | 6.2.11 | PATCH | Ensure root is the only UID 0 account" - block: - - name: "AUTOMATED | 6.2.11 | AUDIT | Ensure root is the only UID 0 account | Get non-root users with UID of 0" - shell: awk -F":" '($3 == 0 && $1 != \"root\") {i++;print $1 }' /etc/passwd - changed_when: false - 
failed_when: false - check_mode: false - register: ubtu20cis_6_2_11_uid_0_notroot - - - name: "AUTOMATED | 6.2.11 | PATCH | Ensure root is the only UID 0 account | Lock UID 0 users" - user: - name: "{{ item }}" - password_lock: yes - with_items: - - "{{ ubtu20cis_6_2_11_uid_0_notroot.stdout_lines }}" - when: - - ubtu20cis_disruption_high - - ubtu20cis_6_2_11_uid_0_notroot.stdout | length > 0 - - - name: "AUTOMATED | 6.2.11 | AUDIT | Ensure root is the only UID 0 account | Alert about accounts disruption high" - debug: - msg: - - "ALERT!!!! You have non-root users with a UID of 0 and ubtu18cis_disruption_high enabled" - - "This means the following accounts were password locked and will need to have the UID's manually adjusted" - - "{{ ubtu20cis_6_2_11_uid_0_notroot.stdout_lines }}" - when: - - ubtu20cis_disruption_high - - ubtu20cis_6_2_11_uid_0_notroot.stdout | length > 0 - - - name: "AUTOMATED | 6.2.11 | AUDIT | Ensure root is the only UID 0 account | Alert about accounts disruption low" - debug: - msg: - - "ALERT!!!! 
You have non-root users with a UID of 0 and ubtu18cis_disruption_high disabled" - - "This means no action was taken, you will need to have the UID's of the users below manually adjusted" - - "{{ ubtu20cis_6_2_11_uid_0_notroot.stdout_lines }}" - when: - - not ubtu20cis_disruption_high - - ubtu20cis_6_2_11_uid_0_notroot.stdout | length > 0 - when: - - ubtu20cis_rule_6_2_11 - tags: - - level1-server - - level1-workstation - - automated - - scored - - rule_6.2.11 - - user - - root - -- name: "AUTOMATED | 6.2.12 | PATCH | Ensure root PATH Integrity" - command: /bin/true - changed_when: false - failed_when: false - check_mode: false - # block: - # - name: "AUTOMATED | 6.2.12 | PATCH | Ensure root PATH Integrity | Determine empty value" - # shell: 'echo $PATH | grep ::' - # changed_when: False - # failed_when: ubtu20cis_6_2_12_path_colon.rc == 0 - # check_mode: false - # register: ubtu20cis_6_2_12_path_colon - - # - name: "AUTOMATED | 6.2.12 | PATCH | Ensure root PATH Integrity | Determine colon end" - # shell: 'echo $PATH | grep :$' - # changed_when: False - # failed_when: ubtu20cis_6_2_12_path_colon_end.rc == 0 - # check_mode: false - # register: ubtu20cis_6_2_12_path_colon_end - - # - name: "AUTOMATED | 6.2.12 | PATCH | Ensure root PATH Integrity | Determine working dir" - # shell: echo "$PATH" - # changed_when: False - # failed_when: '"." 
in ubtu20cis_6_2_12_working_dir.stdout_lines' - # check_mode: false - # register: ubtu20cis_6_2_12_working_dir - # - debug: var=ubtu20cis_6_2_12_working_dir - - # - name: "AUTOMATED | 6.2.12 | PATCH | Ensure root PATH Integrity | Check paths" - # stat: - # path: "{{ item }}" - # check_mode: false - # register: ubtu20cis_6_2_12_path_stat - # with_items: - # - "{{ ubtu20cis_6_2_12_working_dir.stdout.split(':') }}" - - # - debug: var=ubtu20cis_6_2_12_path_stat - - # - name: "AUTOMATED | 6.2.12 | PATCH | Ensure root PATH Integrity | Alert on empty value, colon end, and no working dir" - # debug: - # msg: - # - "The following paths have no working directory: {{ ubtu20cis_6_2_12_path_stat.results | selectattr('stat.exists','equalto','false') | map(attribute='item') | list }}" - - # # - name: "AUTOMATED | 6.2.12 | PATCH | Ensure root PATH Integrity | Set permissions" - # # file: - # # path: "{{ item }}" - # # owner: root - # # mode: 'o-w,g-w' - # # follow: yes - # # state: directory - # # with_items: - # # - "{{ ubtu18cis_6_2_12_path_stat | selectattr('exists','==','true') | map(attribute='path') }}" - when: - - ubtu20cis_rule_6_2_12 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.2.12 - - user - - root - - notimplemented - -- name: "AUTOMATED | 6.2.13 | AUDIT | Ensure no duplicate UIDs exist" - block: - - name: "AUTOMATED | 6.2.13 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs" - shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd" - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_6_2_13_user_uid_check - - - name: "AUTOMATED | 6.2.13 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist" - debug: - msg: "Good News! 
There are no duplicate UID's in the system" - when: ubtu20cis_6_2_13_user_uid_check.stdout | length == 0 - - - name: "AUTOMATED | 6.2.13 | AUDIT | Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" - debug: - msg: "Warning!!!! The following users have UIDs that are duplicates: {{ ubtu20cis_6_2_13_user_uid_check.stdout_lines }}" - when: ubtu20cis_6_2_13_user_uid_check.stdout | length > 0 - when: - - ubtu20cis_rule_6_2_13 - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_6.2.13 - - user - -- name: "AUTOMATED | 6.2.14 | AUDIT | Ensure no duplicate GIDs exist" - block: - - name: "AUTOMATED | 6.2.14 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs" - shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group" - changed_when: no - failed_when: no - check_mode: false - register: ubtu20cis_6_2_14_user_user_check - - - name: "AUTOMATED | 6.2.14 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist" - debug: - msg: "Good News! 
There are no duplicate GIDs in the system" - when: ubtu20cis_6_2_14_user_user_check.stdout | length == 0 - - - name: "AUTOMATED | 6.2.14 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" - debug: - msg: "Warning: The following groups have duplicate GIDs: {{ ubtu20cis_6_2_14_user_user_check.stdout_lines }}" - when: ubtu20cis_6_2_14_user_user_check.stdout | length > 0 - when: - - ubtu20cis_rule_6_2_14 - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_6.2.14 - - groups - -- name: "AUTOMATED | 6.2.15 | AUDIT | Ensure no duplicate user names exist" - block: - - name: "AUTOMATED | 6.2.15 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names" - shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd" - changed_when: no - failed_when: no - check_mode: false - register: ubtu20cis_6_2_15_user_username_check - - - name: "AUTOMATED | 6.2.15 | AUDIT | Ensure no duplicate user names exist | Print message that no duplicate user names exist" - debug: - msg: "Good News! 
There are no duplicate user names in the system" - when: ubtu20cis_6_2_15_user_username_check.stdout | length == 0 - - - name: "AUTOMATED | 6.2.15 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" - debug: - msg: "Warning: The following user names are duplicates: {{ ubtu20cis_6_2_15_user_username_check.stdout_lines }}" - when: ubtu20cis_6_2_15_user_username_check.stdout | length > 0 - when: - - ubtu20cis_rule_6_2_15 - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_6.2.15 - - user - -- name: "AUTOMATED | 6.2.16 | AUDIT | Ensure no duplicate group names exist" - block: - - name: "AUTOMATED | 6.2.16 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names" - shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d' - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_6_2_16_group_group_check - - - name: "AUTOMATED | 6.2.16 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist" - debug: - msg: "Good News! 
There are no duplicate group names in the system" - when: ubtu20cis_6_2_16_group_group_check.stdout | length == 0 - - - name: "AUTOMATED | 6.2.16 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" - debug: - msg: "Warning: The following group names are duplicates: {{ ubtu20cis_6_2_16_group_group_check.stdout_lines }}" - when: ubtu20cis_6_2_16_group_group_check.stdout | length > 0 - when: - - ubtu20cis_rule_6_2_16 - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_6.2.16 - - groups - -- name: "AUTOMATED | 6.2.17 | AUDIT | Ensure shadow group is empty" - block: - - name: "AUTOMATED | 6.2.17 | AUDIT | Ensure shadow group is empty | Get Shadow GID" - shell: grep ^shadow /etc/group | cut -f3 -d":" - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_6_2_17_shadow_gid - - - name: "AUTOMATED | 6.2.17 | AUDIT | Ensure shadow group is empty | List of users with Shadow GID" - shell: awk -F":" '($4 == "{{ ubtu20cis_6_2_17_shadow_gid.stdout }}") { print }' /etc/passwd | cut -f1 -d":" - changed_when: false - failed_when: false - check_mode: false - register: ubtu20cis_6_2_17_users_shadow_gid - - - name: "AUTOMATED | 6.2.17 | AUDIT | Ensure shadow group is empty | Message on no users" - debug: - msg: "Good News! There are no users with the Shado GID on your system" - when: ubtu20cis_6_2_17_users_shadow_gid.stdout | length == 0 - - - name: "AUTOMATED | 6.2.17 | AUDIT | Ensure shadow group is empty | Message on users with Shadow GID" - debug: - msg: - - "WARNING!!!! 
There are users that are in the Shadow group"
- - "To conform to CIS standards no users should be in this group"
- - "Please move the users below into another group"
- - "{{ ubtu20cis_6_2_17_users_shadow_gid.stdout_lines }}"
- when: ubtu20cis_6_2_17_users_shadow_gid.stdout | length > 0
- when:
- - ubtu20cis_rule_6_2_17
- tags:
- - level1-server
- - level1-workstation
- - automated
- - audit
- - rule_6.2.17
- - groups
- - user
From 185fbca8bf997b0688c270a889f9fea523ff2ede Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Fri, 7 May 2021 12:29:02 -0400
Subject: [PATCH 44/44] updated section3/5 main.ymls
Signed-off-by: George Nalen
---
tasks/section_3/main.yml | 2 +-
tasks/section_5/main.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/tasks/section_3/main.yml b/tasks/section_3/main.yml
index 1f80b148..20a166d6 100644
--- a/tasks/section_3/main.yml
+++ b/tasks/section_3/main.yml
@@ -8,7 +8,7 @@
- name: "SECTION | 3.3 | Network Parameters Host and Router"
include: cis_3.3.x.yml
-- name: "SECTION | 3.4 | Uncommong Network Protocols"
+- name: "SECTION | 3.4 | Uncommon Network Protocols"
include: cis_3.4.x.yml
- name: "SECTION | 3.5 | Firewall Configuration"
diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml
index 040d4fbc..7259f3e6 100644
--- a/tasks/section_5/main.yml
+++ b/tasks/section_5/main.yml
@@ -11,7 +11,7 @@
- name: "SECTION | 5.4.x | User PAM"
include: cis_5.4.x.yml
-- name: "SECTION | 5.5.x | User Accounts and Enironment"
+- name: "SECTION | 5.5.x | User Accounts and Environment"
include: cis_5.5.x.yml
- name: "SECTION | 5.6 | Ensure root login is restricted to system console"