
Jan24 - changes and updates #206

Merged
merged 16 commits into from
Feb 12, 2024
10 changes: 10 additions & 0 deletions Changelog.md
Expand Up @@ -2,6 +2,16 @@

## Based on CIS V1.0.0

### 1.0.9

- updated audit command to allow multiple groups from inventory
- #144 usb-blacklisting - thanks to @paulquevedojdrf
- #152 and #170 Added ssh validate to tasks - thanks to @dderemiah and @twadelij
- #180 and #181 password reuse 5.3.4 - thanks to @DianaMariaDDM
- #182 pwquality enhancement New variable to allow extended or minclass (default)options - thanks to @ma3s7ro
- #184 Initial container config feedback required - thanks to @ipruteanu-sie
- #204 reboot not idempotent - changed auditd and reboot logic update to 4.1.3.6 discovery - thanks to @bhuddah

### 1.0.8

- updated goss binary to 0.4.4
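Review bot: the #182 entry, "New variable to allow extended or minclass (default)options", is missing a space and leaves it unclear which mode is the default; defaults/main.yml in this PR sets `ubtu22cis_pwquality_minclass: true`, so suggest "New variable `ubtu22cis_pwquality_minclass` selects minclass (default) or the extended credit keys in `ubtu22cis_pwquality`". Two other behaviour changes in this PR have no changelog line: the new `container_vars_file` default and the 4.1.3.6 discovery now excluding `/snap` mounts from the privileged-command list; both affect existing users and belong under 1.0.9.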
Expand Down
22 changes: 21 additions & 1 deletion defaults/main.yml
Expand Up @@ -40,7 +40,7 @@ ubtu22cis_ask_passwd_to_boot: false
# is executed on a container image and sets the variable
# system_is_container the true. Otherwise, the default value
# 'false' is left unchanged.
system_is_container: false
container_vars_file: is_container.yml

## Root user used
# Root by default is not used unless setup by user
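Review bot: `container_vars_file: is_container.yml` is added with no comment, while the block above it only documents `system_is_container`; state what the file is expected to contain, where it is looked up (relative to `vars/`?) and whether users are expected to override the path. In the context lines, "sets the variable system_is_container the true" should read "to true".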
Expand Down Expand Up @@ -940,6 +940,26 @@ ubtu22cis_sudo_timestamp_timeout: 15
# CIS requires that such a group be created (named according to site policy) and be kept empty.
ubtu22cis_sugroup: nosugroup

## Control 5.4.1
# This variable allows us to use either
#

ubtu22cis_pwquality_minclass: true
ubtu22cis_pwquality_minclass_value: '4'
ubtu22cis_pwquality:
- key: '#minclass'
value: "{{ ubtu22cis_pwquality_minclass_value }}"
- key: 'minlen'
value: '14'
- key: 'dcredit'
value: '-1'
- key: 'ucredit'
value: '-1'
- key: 'ocredit'
value: '-1'
- key: 'lcredit'
value: '-1'

## Control 5.4.3
# This variable represents the number of password change cycles, after which
# a user can re-use a password.
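Review bot: the `## Control 5.4.1` comment is cut off ("This variable allows us to use either" followed by an empty `#`); finish it so both modes are documented, e.g. "either minclass (`ubtu22cis_pwquality_minclass: true`, enforcing `ubtu22cis_pwquality_minclass_value` character classes) or the extended key list in `ubtu22cis_pwquality`". The entry `key: '#minclass'` also needs a comment: the task in cis_5.4.x.yml applies this list with `regexp: ^{{ item.key }}`, so that entry only rewrites a line that is already commented out and never disables an active `minclass = 4` left by an earlier run in minclass mode, leaving both policies enforced; a dedicated task that removes `^minclass` when not using minclass is clearer. Note too that `minlen: '14'` lives only in this list, which is applied only when `ubtu22cis_pwquality_minclass` is false; confirm minlen is still set in the default (minclass) mode.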
Expand Down
21 changes: 8 additions & 13 deletions handlers/main.yml
@@ -1,5 +1,9 @@
---

- name: Update_Initramfs
ansible.builtin.shell: update-initramfs -u
notify: change_requires_reboot

- name: Remount tmp
ansible.posix.mount:
path: /tmp
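Review bot: `Update_Initramfs` runs `update-initramfs -u` through `ansible.builtin.shell` although it uses no shell features; `ansible.builtin.command` avoids the ansible-lint `command-instead-of-shell` warning. `-u` rebuilds only the running kernel's initramfs; if the module blacklists written in section 1.1.1.x should apply to every installed kernel, use `update-initramfs -u -k all`. The handler is also the only `Capitalised_With_Underscores` name in this file next to `Remount tmp`; pick one convention.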
Expand Down Expand Up @@ -39,6 +43,7 @@
- name: Grub update
ansible.builtin.shell: update-grub
failed_when: false
notify: change_requires_reboot

- name: Restart timeservice
ansible.builtin.systemd:
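Review bot: `failed_when: false` on `Grub update` now combines with `notify: change_requires_reboot`, so a failing `update-grub` is silently ignored and a reboot is still requested, after which the GRUB changes that triggered the handler are not in effect. Drop `failed_when: false`, or register the result and fail when `rc != 0`, so the run reports the broken bootloader configuration instead of hiding it.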
Expand Down Expand Up @@ -110,31 +115,21 @@
when:
- '"No change" not in ubtu22cis_rule_4_1_3_21_augen_check.stdout'

- name: Auditd_immutable_check
ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
changed_when: false
register: auditd_immutable_check

- name: Audit_immutable_fact
ansible.builtin.debug:
msg: "Reboot required for auditd to apply new rules as immutable set"
notify: change_requires_reboot
when:
- auditd_immutable_check.stdout == '1'
- audit_rules_updated.changed
- auditd_immutable_check is defined

- name: Restart auditd
ansible.builtin.shell: service auditd restart
when:
- audit_rules_updated.changed or
rule_4_1_2_1.changed or
rule_4_1_2_2.changed or
rule_4_1_2_3.changed
- audit_rules_updated is defined
tags:
- skip_ansible_lint

- name: remount tmp
ansible.builtin.shell: mount -o remount /tmp

- name: restart sshd
ansible.builtin.systemd:
name: sshd
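Review bot: in the retained `Restart auditd` handler, `audit_rules_updated is defined` is listed after the condition that dereferences `audit_rules_updated.changed`; Ansible evaluates a `when` list in order, so a run in which the template task never ran (for example `update_audit_template` false) fails with an undefined-variable error before reaching the guard. Put the `is defined` check first and guard `rule_4_1_2_1`, `rule_4_1_2_2` and `rule_4_1_2_3` the same way. Removing `Auditd_immutable_check`/`Audit_immutable_fact` and the duplicate lower-case `remount tmp` shell handler is fine, since `Remount tmp` above uses `ansible.posix.mount`.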
Expand Down
20 changes: 2 additions & 18 deletions tasks/auditd.yml
Expand Up @@ -6,13 +6,13 @@
dest: /etc/audit/rules.d/99_auditd.rules
owner: root
group: root
mode: '0600'
mode: '0640'
register: audit_rules_updated
notify:
- Auditd rules reload
- Auditd_immutable_check
- Audit_immutable_fact
- Restart auditd
- change_requires_reboot
when: update_audit_template

- name: POST | Set up auditd user logging exceptions
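Review bot: replacing the immutable-gated notification with an unconditional `notify: change_requires_reboot` on the rules template means every change to `99_auditd.rules` now requests a reboot, including on hosts where auditd is not immutable and the `Auditd rules reload`/`Restart auditd` handlers already apply the new rules. The prelim task in this PR registers `auditd_immutable_check` from `auditctl -l`; a follow-up task after this one with `changed_when: true`, `notify: change_requires_reboot` and `when: audit_rules_updated.changed and (auditd_immutable_check.stdout | default('0')) == '1'` keeps the previous behaviour. The `0600` to `0640` mode change is reasonable (owner and group are root) but deserves a sentence in the commit message.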
Expand All @@ -25,19 +25,3 @@
notify: Restart auditd
when:
- ubtu22cis_allow_auditd_uid_user_exclusions

# - name: "POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable"
# block:
# - name: "POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable | Get status"
# ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
# changed_when: false
# failed_when: false
# register: ubtu22cis_auditd_immutable_check

# - name: "POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable | Set reboot required"
# ansible.builtin.debug:
# msg: "Reboot required for auditd to apply new rules as immutable set"
# notify: change_requires_reboot
# when: ubtu22cis_auditd_immutable_check.stdout == '1'
# when:
# - ubtu22cis_audit_rules_update.changed
2 changes: 2 additions & 0 deletions tasks/main.yml
Expand Up @@ -208,13 +208,15 @@
ansible.builtin.reboot:
when:
- not skip_reboot
- change_requires_reboot

- name: Warning a reboot required but skip option set
ansible.builtin.debug:
msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results"
changed_when: true
when:
- skip_reboot
- change_requires_reboot

- name: Run post remediation audit
ansible.builtin.import_tasks:
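Review bot: `change_requires_reboot` is used here as a boolean while elsewhere in this PR it is a handler name (`notify: change_requires_reboot`); unless that handler sets a fact of the same name and a default is declared, a run in which no handler fired fails on this `when` with an undefined variable instead of skipping the reboot. Guard with `change_requires_reboot | default(false)` or declare the default in defaults/main.yml (not part of this diff).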
Expand Down
2 changes: 1 addition & 1 deletion tasks/post_remediation_audit.yml
@@ -1,7 +1,7 @@
---

- name: Post Audit | Run post_remediation {{ benchmark }} audit
ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}"
ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\""
changed_when: true
environment:
AUDIT_BIN: "{{ audit_bin }}"
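Review bot: `group_names` is a list, so `-g \"{{ group_names }}\"` passes the Jinja rendering of a Python list (`['group_a', 'group_b']`, brackets and quotes included) as one argument; the added quotes stop word splitting, but `run_audit.sh` must then parse that form. `-g \"{{ group_names | join(',') }}\"` (or whatever separator `run_audit.sh -g` expects) gives the script a plain value and differs from a single group only by the missing brackets. The same applies to the pre_remediation task.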
Expand Down
2 changes: 1 addition & 1 deletion tasks/pre_remediation_audit.yml
Expand Up @@ -77,7 +77,7 @@
mode: '0600'

- name: Pre Audit | Run pre_remediation {{ benchmark }} audit
ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}"
ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\""
changed_when: true
environment:
AUDIT_BIN: "{{ audit_bin }}"
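Review bot: same point as for post_remediation_audit.yml: `{{ group_names }}` renders as a Python list literal, so `{{ group_names | join(',') }}` (or the separator `run_audit.sh -g` actually expects) is easier for the script to consume and keeps the pre- and post-audit invocations identical.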
Expand Down
15 changes: 9 additions & 6 deletions tasks/prelim.yml
Expand Up @@ -133,6 +133,15 @@
- auditd
- always

- name: "PRELIM | Check if auditd is immutable before changes"
ansible.builtin.shell: auditctl -l | grep -c '-e 2'
changed_when: false
failed_when: auditd_immutable_check.rc not in [ 0, 1 ]
register: auditd_immutable_check
when: "'auditd' in ansible_facts.packages"
tags:
- always

- name: "PRELIM | 5.3.4 | 5.3.5 | Find all sudoers files."
ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'"
changed_when: false
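Review bot: in `PRELIM | Check if auditd is immutable before changes`, the pipeline `auditctl -l | grep -c '-e 2'` returns grep's exit status only, so if `auditctl` itself fails (auditd not running, missing privileges) grep sees empty input, rc is 1, `stdout` is `0` and the host is recorded as not immutable without any error. Run it with `args: executable: /bin/bash` and `set -o pipefail`, and handle auditctl's failure explicitly; also verify on an immutable host that `auditctl -l` echoes `-e 2` at all (`auditctl -s` reports the state as `enabled 2` regardless). When the `when` is false the variable is still registered as a skipped result without `stdout`, so any consumer needs `| default`. As shown in this diff the result is registered but never read; if it is meant to gate the reboot that tasks/auditd.yml now requests unconditionally, that wiring is missing.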
Expand Down Expand Up @@ -216,12 +225,6 @@
tags:
- always

- name: "PRELIM | Recapture packages"
ansible.builtin.package_facts:
manager: auto
tags:
- always

- name: "Optional | Patch | UFW firewall force to use /etc/sysctl.conf settings"
ansible.builtin.lineinfile:
path: /etc/default/ufw
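Review bot: deleting `PRELIM | Recapture packages` assumes nothing earlier in prelim installs a package that later `ansible_facts.packages` checks depend on; the new immutable check above is gated on `'auditd' in ansible_facts.packages`, and section_1/main.yml gates 1.8 on `'gdm3' in ansible_facts.packages`. If the recapture existed because auditd is installed during prelim (the `- auditd` tag in the context lines suggests auditd handling there), those conditions now evaluate against stale facts; please confirm where `package_facts` is collected relative to any prelim installs.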
Expand Down
3 changes: 3 additions & 0 deletions tasks/section_1/cis_1.1.1.x.yml
Expand Up @@ -22,6 +22,7 @@
name: cramfs
state: absent
when: ansible_connection != 'docker'
notify: Update_Initramfs
when:
- ubtu22cis_rule_1_1_1_1
tags:
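Review bot: `notify: Update_Initramfs` is placed directly after `when: ansible_connection != 'docker'` and before a second `when:`; indentation is lost in this view, so confirm the notify sits at the inner task level (next to the first `when`) and not inside the module arguments, where the module would reject it as an unknown parameter. Unloading cramfs from the running kernel (`state: absent`) does not change the initramfs; the rebuild only helps if a modprobe.d blacklist/install entry is written by this control, so if that is a separate task the notify belongs there. Same comment for the squashfs and udf hunks below and for cis_1.1.10.yml.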
Expand Down Expand Up @@ -54,6 +55,7 @@
name: squashfs
state: absent
when: ansible_connection != 'docker'
notify: Update_Initramfs
when:
- ubtu22cis_rule_1_1_1_2
- snap_pkg_mgr.stdout == "0"
Expand Down Expand Up @@ -88,6 +90,7 @@
name: udf
state: absent
when: ansible_connection != 'docker'
notify: Update_Initramfs
when:
- ubtu22cis_rule_1_1_1_3
tags:
Expand Down
1 change: 1 addition & 0 deletions tasks/section_1/cis_1.1.10.yml
Expand Up @@ -20,6 +20,7 @@
name: usb-storage
state: absent
when: ansible_connection != 'docker'
notify: Update_Initramfs
when:
- ubtu22cis_rule_1_1_10
- not ubtu22cis_allow_usb_storage
Expand Down
2 changes: 1 addition & 1 deletion tasks/section_1/cis_1.1.2.x.yml
Expand Up @@ -65,7 +65,7 @@
state: present
fstype: "{{ item.fstype }}"
opts: defaults,{% if ubtu22cis_rule_1_1_2_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_2_3 %}noexec,{% endif %}{% if ubtu22cis_rule_1_1_2_4 %}nosuid{% endif %}
notify: remount tmp
notify: Remount tmp
with_items:
- "{{ ansible_facts.mounts }}"
loop_control:
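Review bot: the rename to `Remount tmp` is needed because handler names are case-sensitive; the old `remount tmp` pointed at the shell handler that handlers/main.yml removes in this PR, so without this change the notify would fail. Add a comment on the `ansible.posix.mount` handler that it must remount using the fstab entry written here and not carry its own `opts`, otherwise a later edit to the handler could silently undo the nodev/noexec/nosuid options computed by this Jinja expression.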
Expand Down
15 changes: 14 additions & 1 deletion tasks/section_1/main.yml
Expand Up @@ -7,10 +7,12 @@
- name: "SECTION | 1.1.2 | configure /tmp"
ansible.builtin.import_tasks:
file: cis_1.1.2.x.yml
when: not system_is_container

- name: "SECTION | 1.1.3 | configure /var"
ansible.builtin.import_tasks:
file: cis_1.1.3.x.yml
when: not system_is_container

- name: "SECTION | 1.1.4 | configure /var/tmp"
ansible.builtin.import_tasks:
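Review bot: `when: not system_is_container` on `ansible.builtin.import_tasks` is copied onto every imported task at parse time, which is the intended effect, but any `register:` inside cis_1.1.2.x.yml or cis_1.1.3.x.yml is then still defined on containers as a skipped result with no `stdout`, so anything later reading those variables needs a `| default` or an `is not skipped` guard. `system_is_container` must also be defined before this point; it defaults to `false` in defaults/main.yml, so this holds as long as the file named by `container_vars_file` is loaded before section 1.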
Expand All @@ -19,30 +21,37 @@
- name: "SECTION | 1.1.5 | configure /var/log"
ansible.builtin.import_tasks:
file: cis_1.1.5.x.yml
when: not system_is_container

- name: "SECTION | 1.1.6 | configure /var/log/audit"
ansible.builtin.import_tasks:
file: cis_1.1.6.x.yml
when: not system_is_container

- name: "SECTION | 1.1.7 | configure /home"
ansible.builtin.import_tasks:
file: cis_1.1.7.x.yml
when: not system_is_container

- name: "SECTION | 1.1.8 | configure /dev/shm"
ansible.builtin.import_tasks:
file: cis_1.1.8.x.yml
when: not system_is_container

- name: "SECTION | 1.1.9 | configure software updates"
ansible.builtin.import_tasks:
file: cis_1.1.9.yml
when: not system_is_container

- name: "SECTION | 1.1.10 | Disable USB storage"
ansible.builtin.import_tasks:
file: cis_1.1.10.yml
when: not system_is_container

- name: "SECTION | 1.2 | Configure Software Updates"
ansible.builtin.import_tasks:
file: cis_1.2.x.yml
when: not system_is_container

- name: "SECTION | 1.3. | Filesystem Integrity Checking"
ansible.builtin.import_tasks:
Expand All @@ -55,6 +64,7 @@
- name: "SECTION | 1.5 | Additional Process Hardening"
ansible.builtin.import_tasks:
file: cis_1.5.x.yml
when: not system_is_container

- name: "SECTION | 1.6 | Mandatory Access Control"
ansible.builtin.import_tasks:
Expand All @@ -67,8 +77,11 @@
- name: "SECTION | 1.8 | GNOME Display Manager"
ansible.builtin.import_tasks:
file: cis_1.8.x.yml
when: "'gdm3' in ansible_facts.packages"
when:
- "'gdm3' in ansible_facts.packages"
- not system_is_container

- name: "SECTION | 1.9 | Ensure updates, patches, and additional security software are installed"
ansible.builtin.import_tasks:
file: cis_1.9.yml
when: not system_is_container
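Review bot: for `SECTION | 1.8`, converting the single `when` string into a two-item list is the right way to add `not system_is_container`. The sections whose `when` lines fall outside the changed lines (1.3, 1.4, 1.6, 1.7 appear in the context) may or may not be gated; a short comment at the top of this file listing which sections are container-exempt and why would save the next reader from diffing the `when` lines.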
2 changes: 1 addition & 1 deletion tasks/section_4/cis_4.1.3.x.yml
Expand Up @@ -70,7 +70,7 @@
- name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected"
block:
- name: "4.1.3.6 | AUDIT | Ensure use of privileged commands is collected | Get list of privileged programs"
ansible.builtin.shell: for i in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
ansible.builtin.shell: for i in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done | grep -vw '/snap'
register: priv_procs
changed_when: false
check_mode: false
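Review bot: appending `| grep -vw '/snap'` drops every path containing the word `/snap` from the 4.1.3.6 discovery, so setuid/setgid programs inside snap mounts get no audit rule and their use is not collected, which is exactly what the control exists to record; if the reason is that snap mount paths change on every refresh and would leave stale rules behind, say so in a comment or in the changelog. Anchor the exclusion (`grep -v '^/snap/'`) so a directory elsewhere whose path happens to contain `/snap` is not silently skipped as well.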
Expand Down
2 changes: 1 addition & 1 deletion tasks/section_5/cis_5.2.x.yml
Expand Up @@ -123,7 +123,7 @@
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: '^LogLevel|^#LogLevel'
line: 'LogLevel {{ ubtu22cis_sshd.log_level }}'
line: "LogLevel {{ ubtu22cis_sshd.log_level }}"
insertafter: '^# Logging'
validate: 'sshd -t -f %s'
notify: restart sshd
Expand Down
1 change: 0 additions & 1 deletion tasks/section_5/cis_5.3.x.yml
Expand Up @@ -114,7 +114,6 @@

- name: "5.3.7 | PATCH | Ensure access to the su command is restricted"
block:

- name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Ensure sugroup exists"
ansible.builtin.group:
name: "{{ ubtu22cis_sugroup }}"
Expand Down
13 changes: 11 additions & 2 deletions tasks/section_5/cis_5.4.x.yml
Expand Up @@ -16,8 +16,17 @@
- name: "5.4.1 | PATCH | Ensure password creation requirements are configured | Add minclass"
ansible.builtin.lineinfile:
path: /etc/security/pwquality.conf
regexp: '^minclass|^# minclass'
line: 'minclass = 4'
regexp: ^minclass
line: "minclass = {{ ubtu22cis_pwquality_minclass_value }}"
when: ubtu22cis_pwquality_minclass

- name: "5.4.1 | PATCH | Ensure password creation requirements are configured | Add extended keys"
ansible.builtin.lineinfile:
path: /etc/security/pwquality.conf
regexp: ^{{ item.key }}
line: "{{ item.key }} = {{ item.value }}"
loop: "{{ ubtu22cis_pwquality }}"
when: not ubtu22cis_pwquality_minclass

- name: "5.4.1 | AUDIT | Ensure password creation requirements are configured | Confirm pwquality module in common-password"
ansible.builtin.shell: grep 'password.*requisite.*pam_pwquality.so' /etc/pam.d/common-password
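Review bot: narrowing `regexp` from `'^minclass|^# minclass'` to `^minclass` means a shipped `# minclass = 3` line is no longer replaced in place; `lineinfile` then appends `minclass = 4` at end of file, which works but leaves the commented default above it, so consider keeping the commented form in the regexp or adding `insertafter: '^# minclass'`. In `Add extended keys`, `regexp: ^{{ item.key }}` combined with the `'#minclass'` entry from defaults only matches a line that is already commented out; after a run in minclass mode an active `minclass = 4` survives when the user switches to `ubtu22cis_pwquality_minclass: false`, so minclass and the four credit keys are both enforced. An explicit `state: absent` on `^minclass` when not using minclass, with the `'#minclass'` entry dropped from the list, is unambiguous. Both `regexp` values are unquoted Jinja/regex scalars; quote them like `line:` for ansible-lint consistency. Finally, `minlen` is only set by the loop, which is skipped in the default (minclass) mode; confirm another task sets `minlen = 14` in that mode, since none is visible in the changed lines.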
Expand Down
3 changes: 3 additions & 0 deletions tasks/section_5/main.yml
Expand Up @@ -7,14 +7,17 @@
- name: "SECTION | 5.2 | Configure sudo"
ansible.builtin.import_tasks:
file: cis_5.2.x.yml
when: not system_is_container

- name: "SECTION | 5.3 | Configure SSH Server"
ansible.builtin.import_tasks:
file: cis_5.3.x.yml
when: not system_is_container

- name: "SECTION | 5.4.x | User PAM"
ansible.builtin.import_tasks:
file: cis_5.4.x.yml
when: not system_is_container

- name: "SECTION | 5.5.x | User Accounts and Environment"
ansible.builtin.import_tasks:
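Review bot: the section names and file contents disagree: this PR edits `/etc/ssh/sshd_config` in `cis_5.2.x.yml` (labelled `5.2 | Configure sudo`) and handles `5.3.7 | ... su command` in `cis_5.3.x.yml` (labelled `5.3 | Configure SSH Server`); swap the two `name:` strings so the `when:` lines added here are reviewed against the right content. Gating 5.2 to 5.4 on `not system_is_container` also skips the sshd hardening in images that do run sshd; acceptable as a default, but worth a note in the README or changelog.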
Expand Down