From 79435287a243944d61f741941a3be5aa6443d3e0 Mon Sep 17 00:00:00 2001 From: Florian Utz Date: Sat, 30 Dec 2017 22:55:02 +0100 Subject: [PATCH] initial commit --- LICENSE | 21 + README.md | 187 ++++++ defaults/main.yml | 248 ++++++++ files/etc/systemd/system/tmp.mount | 25 + handlers/main.yml | 53 ++ library/grub_crypt.py | 42 ++ meta/main.yml | 19 + tasks/main.yml | 53 ++ tasks/post.yml | 18 + tasks/prelim.yml | 205 +++++++ tasks/section1.yml | 881 +++++++++++++++++++++++++++++ tasks/section2.yml | 662 ++++++++++++++++++++++ tasks/section3.yml | 452 +++++++++++++++ tasks/section4.yml | 397 +++++++++++++ tasks/section5.yml | 584 +++++++++++++++++++ tasks/section6.yml | 351 ++++++++++++ templates/chrony.conf.j2 | 93 +++ templates/etc/issue.j2 | 1 + templates/etc/issue.net.j2 | 1 + templates/etc/motd.j2 | 1 + templates/hosts.allow.j2 | 11 + templates/ntp.conf.j2 | 59 ++ tests/test.yml | 4 + vars/main.yml | 2 + 24 files changed, 4370 insertions(+) create mode 100644 LICENSE create mode 100644 README.md create mode 100644 defaults/main.yml create mode 100644 files/etc/systemd/system/tmp.mount create mode 100644 handlers/main.yml create mode 100644 library/grub_crypt.py create mode 100644 meta/main.yml create mode 100644 tasks/main.yml create mode 100644 tasks/post.yml create mode 100644 tasks/prelim.yml create mode 100644 tasks/section1.yml create mode 100644 tasks/section2.yml create mode 100644 tasks/section3.yml create mode 100644 tasks/section4.yml create mode 100644 tasks/section5.yml create mode 100644 tasks/section6.yml create mode 100644 templates/chrony.conf.j2 create mode 100644 templates/etc/issue.j2 create mode 100644 templates/etc/issue.net.j2 create mode 100644 templates/etc/motd.j2 create mode 100644 templates/hosts.allow.j2 create mode 100644 templates/ntp.conf.j2 create mode 100644 tests/test.yml create mode 100644 vars/main.yml diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..909d42e --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2017 Florian Utz + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/README.md b/README.md new file mode 100644 index 0000000..c8b2a07 --- /dev/null +++ b/README.md 
@@ -0,0 +1,187 @@ +Ubuntu 16.04 CIS STIG +================ + +[![Build Status](https://travis-ci.org/MindPointGroup/Ubuntu1604-CIS.svg?branch=devel)](https://travis-ci.org/MindPointGroup/Ubuntu1604-CIS) +[![Ansible Role](https://img.shields.io/ansible/role/16089.svg)](https://galaxy.ansible.com/MindPointGroup/Ubuntu1604-CIS/) + +Configure RHEL/Centos 7 machine to be CIS compliant. Level 1 and 2 findings will be corrected by default. + +This role **will make changes to the system** that could break things. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted. + +## IMPORTANT INSTALL STEP + +If you want to install this via the `ansible-galaxy` command you'll need to run it like this: + +`ansible-galaxy install -p roles -r requirements.yml` + +With this in the file requirements.yml: + +``` +- src: https://github.com/MindPointGroup/Ubuntu1604-CIS.git +``` + +Based on [CIS RedHat Enterprise Linux 7 Benchmark v2.1.1 - 01-31-2017 ](https://community.cisecurity.org/collab/public/index.php). + +This repo originated from work done by [Sam Doran](https://github.com/samdoran/ansible-role-stig) + +Requirements +------------ + +You should carefully read through the tasks to make sure these changes will not break your systems before running this playbook. + +Role Variables +-------------- +There are many role variables defined in defaults/main.yml. This list shows the most important. 
+ +**ubuntu1604cis_notauto**: Run CIS checks that we typically do NOT want to automate due to the high probability of breaking the system (Default: false) + +**ubuntu1604cis_section1**: CIS - General Settings (Section 1) (Default: true) + +**ubuntu1604cis_section2**: CIS - Services settings (Section 2) (Default: true) + +**ubuntu1604cis_section3**: CIS - Network settings (Section 3) (Default: true) + +**ubuntu1604cis_section4**: CIS - Logging and Auditing settings (Section 4) (Default: true) + +**ubuntu1604cis_section5**: CIS - Access, Authentication and Authorization settings (Section 5) (Default: true) + +**ubuntu1604cis_section6**: CIS - System Maintenance settings (Section 6) (Default: true) + +##### Disable all selinux functions +`ubuntu1604cis_selinux_disable: false` + +##### Service variables: +###### These control whether a server should or should not be allowed to continue to run these services + +``` +ubuntu1604cis_avahi_server: false +ubuntu1604cis_cups_server: false +ubuntu1604cis_dhcp_server: false +ubuntu1604cis_ldap_server: false +ubuntu1604cis_telnet_server: false +ubuntu1604cis_nfs_server: false +ubuntu1604cis_rpc_server: false +ubuntu1604cis_ntalk_server: false +ubuntu1604cis_rsyncd_server: false +ubuntu1604cis_tftp_server: false +ubuntu1604cis_rsh_server: false +ubuntu1604cis_nis_server: false +ubuntu1604cis_snmp_server: false +ubuntu1604cis_squid_server: false +ubuntu1604cis_smb_server: false +ubuntu1604cis_dovecot_server: false +ubuntu1604cis_httpd_server: false +ubuntu1604cis_vsftpd_server: false +ubuntu1604cis_named_server: false +ubuntu1604cis_bind: false +ubuntu1604cis_vsftpd: false +ubuntu1604cis_httpd: false +ubuntu1604cis_dovecot: false +ubuntu1604cis_samba: false +ubuntu1604cis_squid: false +ubuntu1604cis_net_snmp: false +``` + +##### Designate server as a Mail server +`ubuntu1604cis_is_mail_server: false` + + +##### System network parameters (host only OR host and router) +`ubuntu1604cis_is_router: false` + + +##### IPv6 required 
+`ubuntu1604cis_ipv6_required: true` + + +##### AIDE +`ubuntu1604cis_config_aide: true` + +###### AIDE cron settings +``` +ubuntu1604cis_aide_cron: + cron_user: root + cron_file: /etc/crontab + aide_job: '/usr/sbin/aide --check' + aide_minute: 0 + aide_hour: 5 + aide_day: '*' + aide_month: '*' + aide_weekday: '*' +``` + +##### SELinux policy +`ubuntu1604cis_selinux_pol: targeted` + + +##### Set to 'true' if X Windows is needed in your environment +`ubuntu1604cis_xwindows_required: no` + + +##### Client application requirements +``` +ubuntu1604cis_openldap_clients_required: false +ubuntu1604cis_telnet_required: false +ubuntu1604cis_talk_required: false +ubuntu1604cis_rsh_required: false +ubuntu1604cis_ypbind_required: false +``` + +##### Time Synchronization +``` +ubuntu1604cis_time_synchronization: chrony +ubuntu1604cis_time_Synchronization: ntp + +ubuntu1604cis_time_synchronization_servers: + - 0.pool.ntp.org + - 1.pool.ntp.org + - 2.pool.ntp.org + - 3.pool.ntp.org +``` + +##### 3.4.2 | PATCH | Ensure /etc/hosts.allow is configured +``` +ubuntu1604cis_host_allow: + - "10.0.0.0/255.0.0.0" + - "172.16.0.0/255.240.0.0" + - "192.168.0.0/255.255.0.0" +``` + +``` +ubuntu1604cis_firewall: firewalld +ubuntu1604cis_firewall: iptables +``` + + +Dependencies +------------ + +Ansible > 2.2 + +Example Playbook +------------------------- + +``` +- name: Harden Server + hosts: servers + become: yes + + roles: + - Ubuntu1604-CIS +``` + +Tags +---- +Many tags are available for precise control of what is and is not changed. + +Some examples of using tags: + +``` + # Audit and patch the site + ansible-playbook site.yml --tags="patch" +``` + +License +------- + +MIT diff --git a/defaults/main.yml b/defaults/main.yml new file mode 100644 index 0000000..fc71d70 --- /dev/null +++ b/defaults/main.yml 
@@ -0,0 +1,248 @@ +--- +# defaults file for Ubuntu1604-CIS +ubuntu1604cis_skip_for_travis: false + +ubuntu1604cis_notauto: false +ubuntu1604cis_section1: true +ubuntu1604cis_section2: true +ubuntu1604cis_section3: true +ubuntu1604cis_section4: true +ubuntu1604cis_section5: true +ubuntu1604cis_section6: true + +ubuntu1604cis_selinux_disable: false + +# These variables correspond with the CIS rule IDs or paragraph numbers defined in +# the CIS benchmark documents. +# PLEASE NOTE: These work in coordination with the section # group variables and tags. +# You must enable an entire section in order for the variables below to take effect. +# Section 1 rules +ubuntu1604cis_rule_1_1_1_1: true +ubuntu1604cis_rule_1_1_1_2: true +ubuntu1604cis_rule_1_1_1_3: true +ubuntu1604cis_rule_1_1_1_4: true +ubuntu1604cis_rule_1_1_1_5: true +ubuntu1604cis_rule_1_1_1_6: true +ubuntu1604cis_rule_1_1_1_7: true +ubuntu1604cis_rule_1_1_1_8: true +ubuntu1604cis_rule_1_1_2: true +ubuntu1604cis_rule_1_1_3: true +ubuntu1604cis_rule_1_1_4: true +ubuntu1604cis_rule_1_1_5: true +ubuntu1604cis_rule_1_1_6: true +ubuntu1604cis_rule_1_1_7: true +ubuntu1604cis_rule_1_1_8: true +ubuntu1604cis_rule_1_1_9: true +ubuntu1604cis_rule_1_1_10: true +ubuntu1604cis_rule_1_1_11: true +ubuntu1604cis_rule_1_1_12: true +ubuntu1604cis_rule_1_1_13: true +ubuntu1604cis_rule_1_1_14: true +ubuntu1604cis_rule_1_1_15: true +ubuntu1604cis_rule_1_1_16: true +ubuntu1604cis_rule_1_1_17: true +ubuntu1604cis_rule_1_1_18: true +ubuntu1604cis_rule_1_1_19: true +ubuntu1604cis_rule_1_1_20: true +ubuntu1604cis_rule_1_1_21: true +ubuntu1604cis_rule_1_1_22: true +ubuntu1604cis_rule_1_2_1: true +ubuntu1604cis_rule_1_2_2: true +ubuntu1604cis_rule_1_2_3: true +ubuntu1604cis_rule_1_2_4: true +ubuntu1604cis_rule_1_2_5: true +ubuntu1604cis_rule_1_3_1: true +ubuntu1604cis_rule_1_3_2: true +ubuntu1604cis_rule_1_4_1: true +ubuntu1604cis_rule_1_4_2: true +ubuntu1604cis_rule_1_4_3: true +ubuntu1604cis_rule_1_5_1: true +ubuntu1604cis_rule_1_5_2: 
true +ubuntu1604cis_rule_1_5_3: true +ubuntu1604cis_rule_1_5_4: true +ubuntu1604cis_rule_1_6_1_1: true +ubuntu1604cis_rule_1_6_1_2: true +ubuntu1604cis_rule_1_6_1_3: true +ubuntu1604cis_rule_1_6_1_4: true +ubuntu1604cis_rule_1_6_1_5: true +ubuntu1604cis_rule_1_6_2: true +ubuntu1604cis_rule_1_7_1_1: true +ubuntu1604cis_rule_1_7_1_2: true +ubuntu1604cis_rule_1_7_1_3: true +ubuntu1604cis_rule_1_7_1_4: true +ubuntu1604cis_rule_1_7_1_5: true +ubuntu1604cis_rule_1_7_1_6: true +ubuntu1604cis_rule_1_7_2: true + +# Section 2 rules +#ubuntu1604cis_rule_2_1_1: true + +# Section 3 rules +#ubuntu1604cis_rule_3_1_1: true + +# Section 4 rules +#ubuntu1604cis_rule_4_1_1_1: true + +# Section 5 rules +#ubuntu1604cis_rule_5_1_1: true + +# Section 6 rules +#ubuntu1604cis_rule_6_1_1: true + +# Service configuration booleans set true to keep service +ubuntu1604cis_avahi_server: false +ubuntu1604cis_cups_server: false +ubuntu1604cis_dhcp_server: false +ubuntu1604cis_ldap_server: false +ubuntu1604cis_telnet_server: false +ubuntu1604cis_nfs_server: false +ubuntu1604cis_rpc_server: false +ubuntu1604cis_ntalk_server: false +ubuntu1604cis_rsyncd_server: false +ubuntu1604cis_tftp_server: false +ubuntu1604cis_rsh_server: false +ubuntu1604cis_nis_server: false +ubuntu1604cis_snmp_server: false +ubuntu1604cis_squid_server: false +ubuntu1604cis_smb_server: false +ubuntu1604cis_dovecot_server: false +ubuntu1604cis_httpd_server: false +ubuntu1604cis_vsftpd_server: false +ubuntu1604cis_named_server: false +ubuntu1604cis_nfs_rpc_server: false +ubuntu1604cis_is_mail_server: false +ubuntu1604cis_bind: false +ubuntu1604cis_vsftpd: false +ubuntu1604cis_httpd: false +ubuntu1604cis_dovecot: false +ubuntu1604cis_samba: false +ubuntu1604cis_squid: false +ubuntu1604cis_net_snmp: false +ubuntu1604cis_allow_autofs: false + +# xinetd required +ubuntu1604cis_xinetd_required: false + +# RedHat Satellite Subscription items +ubuntu1604cis_rhnsd_required: false + +# 1.4.2 Bootloader password 
+ubuntu1604cis_bootloader_password: random +ubuntu1604cis_set_boot_pass: false + +# System network parameters (host only OR host and router) +ubuntu1604cis_is_router: false + +# IPv6 required +ubuntu1604cis_ipv6_required: true + +# AIDE +ubuntu1604cis_config_aide: true +# AIDE cron settings +ubuntu1604cis_aide_cron: + cron_user: root + cron_file: /etc/crontab + aide_job: '/usr/sbin/aide --check' + aide_minute: 0 + aide_hour: 5 + aide_day: '*' + aide_month: '*' + aide_weekday: '*' + +# SELinux policy +ubuntu1604cis_selinux_pol: targeted + +# Whether or not to run tasks related to auditing/patching the desktop environment +ubuntu1604cis_gui: no + +# Set to 'true' if X Windows is needed in your environment +ubuntu1604cis_xwindows_required: no + +ubuntu1604cis_openldap_clients_required: false +ubuntu1604cis_telnet_required: false +ubuntu1604cis_talk_required: false +ubuntu1604cis_rsh_required: false +ubuntu1604cis_ypbind_required: false + +# Time Synchronization +ubuntu1604cis_time_synchronization: chrony +#ubuntu1604cis_time_synchronization: ntp + +ubuntu1604cis_time_synchronization_servers: + - 0.pool.ntp.org + - 1.pool.ntp.org + - 2.pool.ntp.org + - 3.pool.ntp.org + +# 3.4.2 | PATCH | Ensure /etc/hosts.allow is configured +ubuntu1604cis_host_allow: + - "10.0.0.0/255.0.0.0" + - "172.16.0.0/255.240.0.0" + - "192.168.0.0/255.255.0.0" + - "0.0.0.0/0.0.0.0" + +ubuntu1604cis_firewall: firewalld +#ubuntu1604cis_firewall: iptables + +ubuntu1604cis_firewall_services: + - ssh + - dhcpv6-client + +# Warning Banner Content (issue, issue.net, motd) +ubuntu1604cis_warning_banner: | + Authorized uses only. All activity may be monitored and reported. +# End Banner + +ubuntu1604cis_sshd: + clientalivecountmax: 3 + clientaliveinterval: 300 + # - make sure you understand the precedence when working with these values!! 
+ #allowusers: + #allowgroups: systems dba + #denyusers: + #denygroups: + +# Syslog system +ubuntu1604cis_syslog: rsyslog +#ubuntu1604cis_syslog: syslog-ng + +ubuntu1604cis_vartmp: + source: /tmp + fstype: none + opts: "defaults, nodev, nosuid, noexec, bind" + enabled: no + +######Multi OS########### +prelim_check_package_command: + RedHat: rpm -q + Debian: dpkg -V +auditd_package: + RedHat: audit + Debian: auditd +cron_package: + RedHat: cronie + Debian: cron +cron_service: + RedHat: crond + Debian: cron +ntp_service: + RedHat: ntpd + Debian: ntp +chrony_service: + RedHat: chronyd + Debian: chrony +tcp_wrapper_package: + RedHat: tcp_wrappers + Debian: tcpd +bashrc_file: + RedHat: /etc/bashrc + Debian: /etc/bash.bashrc +tmp_mount_file: + RedHat: /usr/lib/systemd/system/tmp.mount + Debian: /usr/share/systemd/tmp.mount +tmp_mount_options: + RedHat: mode=1777,strictatime,noexec,nodev,nosuid + Debian: mode=1777,strictatime,nodev,nosuid +chrony_config_file: + RedHat: /etc/chrony.conf + Debian: /etc/chrony/chrony.conf diff --git a/files/etc/systemd/system/tmp.mount b/files/etc/systemd/system/tmp.mount new file mode 100644 index 0000000..47ca662 --- /dev/null +++ b/files/etc/systemd/system/tmp.mount @@ -0,0 +1,25 @@ +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +[Unit] +Description=Temporary Directory +Documentation=man:hier(7) +Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems +ConditionPathIsSymbolicLink=!/tmp +DefaultDependencies=no +Conflicts=umount.target +Before=local-fs.target umount.target + +[Mount] +What=tmpfs +Where=/tmp +Type=tmpfs +Options=mode=1777,strictatime,noexec,nodev,nosuid + +# Make 'systemctl enable tmp.mount' work: +[Install] +WantedBy=local-fs.target 
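Review bot: `ubuntu1604cis_host_allow` ends with `- "0.0.0.0/0.0.0.0"`, which matches every IPv4 source, so whatever `templates/hosts.allow.j2` renders from this list admits all hosts and the allow-list that 3.4.2 is meant to establish becomes a no-op; drop that entry so the default stays the three RFC1918 ranges the README documents. The Debian value of `tmp_mount_options` omits `noexec` while the shipped `files/etc/systemd/system/tmp.mount` in the next hunk sets `mode=1777,strictatime,noexec,nodev,nosuid`, so the two paths for the same /tmp control disagree — either make them consistent or add a comment explaining why Debian differs. `ubuntu1604cis_firewall: firewalld` and the `ubuntu1604cis_selinux_*` knobs look carried over from the RedHat role; for a role that only claims Ubuntu 16.04 support these defaults presumably want Debian-appropriate equivalents, though the section tasks that consume them are not in view here.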
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..9b2f7c3
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,53 @@
+---
+# handlers file for Ubuntu1604-CIS
+
+- name: sysctl flush ipv4 route table
+ become: yes
+ sysctl:
+ name: net.ipv4.route.flush
+ value: 1
+ sysctl_set: yes
+ when: ansible_virtualization_type != "docker"
+
+- name: sysctl flush ipv6 route table
+ become: yes
+ sysctl:
+ name: net.ipv6.route.flush
+ value: 1
+ sysctl_set: yes
+ when: ansible_virtualization_type != "docker"
+
+- name: systemd restart tmp.mount
+ become: yes
+ systemd:
+ name: tmp.mount
+ daemon_reload: yes
+ enabled: yes
+ masked: no
+ state: reloaded
+
+- name: generate new grub config
+ become: yes
+ shell: grub2-mkconfig -o "{{ grub_cfg.stat.lnk_source }}"
+
+- name: restart firewalld
+ become: yes
+ service:
+ name: firewalld
+ state: restarted
+
+- name: restart xinetd
+ become: yes
+ service:
+ name: xinetd
+ state: restarted
+
+- name: restart sshd
+ become: yes
+ service:
+ name: sshd
+ state: restarted
+
+- name: reload dconf
+ become: yes
+ command: dconf update
diff --git a/library/grub_crypt.py b/library/grub_crypt.py
new file mode 100644
index 0000000..c6737f8
--- /dev/null
+++ b/library/grub_crypt.py
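Review bot: The `generate new grub config` handler runs `grub2-mkconfig`, which is the RedHat binary name; on Ubuntu 16.04 the command is `grub-mkconfig` (or `update-grub`), so the handler that is supposed to apply the 1.4.2 bootloader password would fail with command-not-found. `grub_cfg` is registered somewhere outside this file, so I cannot confirm `stat.lnk_source` is populated on Ubuntu, where /boot/grub/grub.cfg is usually a regular file rather than a symlink — a fallback to the plain path is worth adding. No shell features are used, so the safer form is `command: grub-mkconfig -o "{{ grub_cfg.stat.lnk_source }}"`. The `restart sshd` and `restart firewalld` handlers likewise use RedHat service names; Ubuntu ships `ssh.service` (the `sshd` alias exists only while the unit is enabled, as far as I recall) and normally ufw rather than firewalld, so check these against the tasks that notify them.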
@@ -0,0 +1,42 @@
+#!/usr/bin/python
+
+import random, string, crypt
+
+def gen_pass(size=16, chars=string.ascii_letters + string.digits):
+ return ''.join(random.choice(chars) for _ in range(size))
+
+def gen_salt(salt):
+ '''Generate a random salt.'''
+ ret = ''
+ if not salt:
+ with open('/dev/urandom', 'rb') as urandom:
+ while True:
+ byte = urandom.read(1)
+ if byte in ('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz' + './0123456789'):
+ ret += byte
+ if len(ret) == 16:
+ break
+ return '$6$%s' % ret
+ else:
+ return '$6$%s' % salt
+
+def main():
+ module = AnsibleModule(
+ argument_spec = dict(
+ salt = dict(required=False, default=None),
+ password = dict(no_log=True, required=False, default='random', type='str'),
+ )
+
+ )
+ salt = module.params['salt']
+ password = module.params['password']
+ if password == 'random':
+ password = gen_pass()
+ sha512_salt = gen_salt(salt)
+ salted_pass = crypt.crypt(password, sha512_salt)
+ module.exit_json(changed=False, passhash=salted_pass)
+
+from ansible.module_utils.basic import *
+if __name__ == '__main__':
+ main()
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..d613396
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,19 @@
+galaxy_info:
+ author: "Daniel Shepherd, Matt Shepherd, Bas Meijeri, amunter, daswars"
+ description: "Ansible role to apply Ubuntu 16.04 CIS Baseline"
+ company:
+ license: MIT
+ min_ansible_version: 2.4
+
+ platforms:
+ - name: Ubuntu
+ versions:
+ - 16.04
+
+ galaxy_tags:
+ - system
+ - security
+ - cis
+ - hardening
+
+dependencies: []
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..ee00100
--- /dev/null
+++ b/tasks/main.yml
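Review bot: `gen_pass` draws the bootloader password from `random.choice`, i.e. the Mersenne Twister, which is not suitable for secrets; the password guards GRUB editing, so it should come from the OS CSPRNG via `random.SystemRandom().choice(chars)` (available on both Python 2 and 3, which matters given the `#!/usr/bin/python` shebang) — `return ''.join(random.SystemRandom().choice(chars) for _ in range(size))`. In `gen_salt`, `urandom.read(1)` yields `bytes`, and `bytes in str` raises `TypeError` on Python 3, so salt generation only works under Python 2, and a caller-supplied `salt` is never checked against the crypt alphabet or a sensible length; the rewrite below keeps the same contract but uses `SystemRandom` over the same alphabet and drops the byte-at-a-time rejection loop. `main` hashes the freshly generated password and then discards it: `exit_json` returns only `passhash`, so with the `random` default nobody ever learns the GRUB password and the boot menu becomes permanently uneditable. If that is intended, say so in a module docstring; otherwise return the plaintext alongside the hash (the parameter already carries `no_log=True`) so the operator can record it.
```python
def gen_salt(salt):
    '''Return a "$6$<salt>" string; generate 16 crypt-alphabet chars when none is given.'''
    if salt:
        return '$6$%s' % salt
    alphabet = string.ascii_letters + string.digits + './'
    rng = random.SystemRandom()
    return '$6$%s' % ''.join(rng.choice(alphabet) for _ in range(16))

# … unchanged: main(), module_utils import, entry-point guard …
```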
@@ -0,0 +1,53 @@
+---
+# tasks file for Ubuntu1604-CIS
+- name: Check OS version and family
+ fail:
+ msg: "This role can only be run agaist Ubuntu 16.04. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
+ when:
+ - ansible_os_family == 'RedHat'
+ - ansible_distribution_major_version | version_compare('7', '!=')
+ tags:
+ - always
+
+- name: Check ansible version
+ fail:
+ msg: You must use ansible 2.1 or greater
+ when: not ansible_version.full | version_compare('2.1', '>=')
+ tags:
+ - always
+
+- include: prelim.yml
+ become: yes
+ tags:
+ - prelim_tasks
+ - always
+
+- include: section1.yml
+ become: yes
+ when: ubuntu1604cis_section1
+
+- include: section2.yml
+ become: yes
+ when: ubuntu1604cis_section2
+
+- include: section3.yml
+ become: yes
+ when: ubuntu1604cis_section3
+
+- include: section4.yml
+ become: yes
+ when: ubuntu1604cis_section4
+
+- include: section5.yml
+ become: yes
+ when: ubuntu1604cis_section5
+
+- include: section6.yml
+ become: yes
+ when: ubuntu1604cis_section6
+
+- include: post.yml
+ become: yes
+ tags:
+ - post_tasks
+ - always
diff --git a/tasks/post.yml b/tasks/post.yml
new file mode 100644
index 0000000..48fc40c
--- /dev/null
+++ b/tasks/post.yml
@@ -0,0 +1,18 @@
+---
+# Post tasks
+
+- name: "Find removed configured apt packages"
+ shell: "dpkg --list|grep ^rc|tr -s ' '|cut -d ' ' -f 2"
+ register: apt_rc_packages
+ changed_when: no
+ when: ansible_os_family == "Debian"
+
+- name: "Perform apt package cleanup"
+ apt:
+ name: "{{ item }}"
+ state: absent
+ purge: yes
+ changed_when: no
+ ignore_errors: yes
+ when: ansible_os_family == "Debian"
+ with_items: "{{ apt_rc_packages.stdout_lines }}"
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
new file mode 100644
index 0000000..236c1a3
--- /dev/null
+++ b/tasks/prelim.yml
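Review bot: The `Check OS version and family` guard only fails when `ansible_os_family == 'RedHat'` and the major version is not 7, so a Debian 9 or Ubuntu 14.04 host passes straight through even though the message says the role is Ubuntu-16.04-only and the prelim and section tasks assume it; the condition should test the distribution the role actually supports, e.g. `- ansible_distribution != 'Ubuntu'` and `- ansible_distribution_version | version_compare('16.04', '!=')`, combined so either one triggers the failure. The message also misspells `agaist`. The `Check ansible version` task still enforces 2.1 while the `meta/main.yml` hunk declares `min_ansible_version: 2.4`; align the two so the check means something.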
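Review bot: `Perform apt package cleanup` purges packages with `changed_when: no` and `ignore_errors: yes`, so the play summary neither reports the purges it performed nor surfaces a purge that failed, which is the opposite of what a remediation role should do on a config-wiping action. Let the apt module report changes normally and, if some errors are expected, narrow them with a `failed_when` on the result rather than blanket `ignore_errors`. The `dpkg --list|grep ^rc` pipeline in the preceding task also fails with rc=1 when grep matches nothing, so that task needs `failed_when: no` (or `grep ... || true`) to avoid aborting the post tasks on a clean host.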
@@ -0,0 +1,205 @@ +--- +# Preliminary tasks that should always be run +# List users in order to look files inside each home directory +- name: "PRELIM | List users accounts" + command: "awk -F: '{print $1}' /etc/passwd" + register: users + changed_when: no + check_mode: no + +- name: "PRELIM | Gather accounts with empty password fields" + shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'" + register: empty_password_accounts + changed_when: no + check_mode: no + +- name: "PRELIM | Gather UID 0 accounts other than root" + shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" + register: uid_zero_accounts_except_root + changed_when: no + check_mode: no + +- name: "PRELIM | Run apt cache update" + apt: + update_cache: yes + +- name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)" + apt: + name: audit + state: present + +- name: "PRELIM | Section 5.1 | Configure cron" + apt: + name: "{{ cron_package[ansible_os_family] }}" + state: present + +- name: "PRELIM | Check if prelink package is installed" + command: "{{ prelim_check_package_command[ansible_os_family] }} prelink" + register: prelink_installed + changed_when: no + failed_when: no + check_mode: no + +- name: "PRELIM | Check if postfix package is installed" + command: "{{ prelim_check_package_command[ansible_os_family] }} postfix" + register: postfix_installed + changed_when: no + failed_when: no + check_mode: no + +# Individual service checks +- name: "PRELIM | Check for xinetd service" + shell: "systemctl show xinetd | grep LoadState | cut -d = -f 2" + register: xinetd_service_status + changed_when: no + check_mode: no + +- name: "PRELIM | Check for ntpd service" + shell: "systemctl show {{ ntp_service[ansible_os_family] }} | grep LoadState | cut -d = -f 2" + register: ntpd_service_status + changed_when: no + check_mode: no + +- name: "PRELIM | Check for chronyd service" + shell: "systemctl show {{ 
chrony_service[ansible_os_family] }} | grep LoadState | cut -d = -f 2" + register: chronyd_service_status + changed_when: no + check_mode: no + +- name: "PRELIM | Check for avahi-daemon service" + shell: "systemctl show avahi-daemon | grep LoadState | cut -d = -f 2" + register: avahi_service_status + changed_when: no + check_mode: no + +- name: "PRELIM | Check for cups service" + shell: "systemctl show cups | grep LoadState | cut -d = -f 2" + register: cups_service_status + changed_when: no + check_mode: no + +- name: "PRELIM | Check for dhcpd service" + shell: "systemctl show dhcpd | grep LoadState | cut -d = -f 2" + register: dhcpd_service_status + changed_when: no + check_mode: no + +- name: "PRELIM | Check for slapd service" + shell: "systemctl show slapd | grep LoadState | cut -d = -f 2" + register: slapd_service_status + changed_when: no + check_mode: no + +- name: "PRELIM | Check for nfs service" + shell: "systemctl show nfs | grep LoadState | cut -d = -f 2" + register: nfs_service_status + changed_when: no + check_mode: no + +- name: "PRELIM | Check for rpcbind service" + shell: "systemctl show rpcbind | grep LoadState | cut -d = -f 2" + register: rpcbind_service_status + changed_when: no + check_mode: no + +- name: "PRELIM | Check for named service" + shell: "systemctl show named | grep LoadState | cut -d = -f 2" + register: named_service_status + changed_when: no + check_mode: no + +- name: "PRELIM | Check for vsftpd service" + shell: "systemctl show vsftpd | grep LoadState | cut -d = -f 2" + register: vsftpd_service_status + changed_when: no + check_mode: no + +- name: "PRELIM | Check for httpd service" + shell: "systemctl show httpd | grep LoadState | cut -d = -f 2" + register: httpd_service_status + changed_when: no + check_mode: no + +- name: "PRELIM | Check for dovecot service" + shell: "systemctl show dovecot | grep LoadState | cut -d = -f 2" + register: dovecot_service_status + changed_when: no + check_mode: no + +- name: "PRELIM | Check for smb 
service" + shell: "systemctl show smb | grep LoadState | cut -d = -f 2" + register: smb_service_status + changed_when: no + check_mode: no + +- name: "PRELIM | Check for squid service" + shell: "systemctl show squid | grep LoadState | cut -d = -f 2" + register: squid_service_status + changed_when: no + check_mode: no + +- name: "PRELIM | Check for snmpd service" + shell: "systemctl show snmpd | grep LoadState | cut -d = -f 2" + register: snmpd_service_status + changed_when: no + check_mode: no + +- name: "PRELIM | Check for ypserv service" + shell: "systemctl show ypserv | grep LoadState | cut -d = -f 2" + register: ypserv_service_status + changed_when: no + check_mode: no + +- name: "PRELIM | Check for rsh.socket service" + shell: "systemctl show rsh.socket | grep LoadState | cut -d = -f 2" + register: rsh_service_status + changed_when: no + check_mode: no + +- name: "PRELIM | Check for rlogin.socket service" + shell: "systemctl show rlogin.socket | grep LoadState | cut -d = -f 2" + register: rlogin_service_status + changed_when: no + check_mode: no + +- name: "PRELIM | Check for rexec.socket service" + shell: "systemctl show rexec.socket | grep LoadState | cut -d = -f 2" + register: rexec_service_status + changed_when: no + check_mode: no + +- name: "PRELIM | Check for telnet service" + shell: "systemctl show telnet | grep LoadState | cut -d = -f 2" + register: telnet_service_status + changed_when: no + check_mode: no + +- name: "PRELIM | Check for tftp service" + shell: "systemctl show tftp | grep LoadState | cut -d = -f 2" + register: tftp_service_status + changed_when: no + check_mode: no + +- name: "PRELIM | Check for rsyncd service" + shell: "systemctl show rsyncd | grep LoadState | cut -d = -f 2" + register: rsyncd_service_status + changed_when: no + check_mode: no + +- name: "PRELIM | Check for ntalk service" + shell: "systemctl show ntalk | grep LoadState | cut -d = -f 2" + register: ntalk_service_status + changed_when: no + check_mode: no + +- name: 
"PRELIM | Check for autofs service" + shell: "systemctl show autofs | grep LoadState | cut -d = -f 2" + register: autofs_service_status + changed_when: no + check_mode: no + +- name: "PRELIM | Check for rhnsd service" + shell: "systemctl show rhnsd | grep LoadState | cut -d = -f 2" + register: rhnsd_service_status + changed_when: no + check_mode: no diff --git a/tasks/section1.yml b/tasks/section1.yml new file mode 100644 index 0000000..d601910 --- /dev/null +++ b/tasks/section1.yml 
@@ -0,0 +1,881 @@ +- name: "SCORED | 1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled" + lineinfile: + dest: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install cramfs(\\s|$)" + line: "install cramfs /bin/true" + create: yes + when: + - ubuntu1604cis_rule_1_1_1_1 + tags: + - level1 + - scored + - patch + - rule_1.1.1.1 + - cramfs + +- name: "SCORED | 1.1.1.2 | PATCH | Ensure mounting of freevxfs filesystems is disabled" + lineinfile: + dest: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install freevxfs(\\s|$)" + line: "install freevxfs /bin/true" + create: yes + when: + - ubuntu1604cis_rule_1_1_1_2 + tags: + - level1 + - scored + - patch + - rule_1.1.1.2 + - freevxfs + +- name: "SCORED | 1.1.1.3 | PATCH | Ensure mounting of jffs2 filesystems is disabled" + lineinfile: + dest: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install jffs2(\\s|$)" + line: "install jffs2 /bin/true" + create: yes + when: + - ubuntu1604cis_rule_1_1_1_3 + tags: + - level1 + - scored + - patch + - rule_1.1.1.3 + - jffs2 + +- name: "SCORED | 1.1.1.4 | PATCH | Ensure mounting of hfs filesystems is disabled" + lineinfile: + dest: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install hfs(\\s|$)" + line: "install hfs /bin/true" + create: yes + when: + - ubuntu1604cis_rule_1_1_1_4 + tags: + - level1 + - scored + - patch + - rule_1.1.1.4 + - hfs + +- name: "SCORED | 1.1.1.5 | PATCH | Ensure mounting of hfsplus filesystems is disabled" + lineinfile: + dest: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install hfsplus(\\s|$)" + line: "install hfsplus /bin/true" + create: yes + when: + - ubuntu1604cis_rule_1_1_1_5 + tags: + - level1 + - scored + - patch + - rule_1.1.1.5 + - hfsplus + +- name: "SCORED | 1.1.1.6 | PATCH | Ensure mounting of squashfs filesystems is disabled" + lineinfile: + dest: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install squashfs(\\s|$)" + line: "install squashfs /bin/true" + create: yes + when: + - ubuntu1604cis_rule_1_1_1_6 + tags: + - level1 + - scored + - patch + - rule_1.1.1.6 
+ - squashfs + +- name: "SCORED | 1.1.1.7 | PATCH | Ensure mounting of udf filesystems is disabled" + lineinfile: + dest: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install udf(\\s|$)" + line: "install udf /bin/true" + create: yes + when: + - ubuntu1604cis_rule_1_1_1_7 + tags: + - level1 + - scored + - patch + - rule_1.1.1.7 + - udf + +- name: "SCORED | 1.1.1.8 | PATCH | Ensure mounting of FAT filesystems is disabled" + lineinfile: + dest: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install vfat(\\s|$)" + line: "install vfat /bin/true" + create: yes + when: + - ubuntu1604cis_rule_1_1_1_8 + tags: + - level1 + - scored + - patch + - rule_1.1.1.8 + - vfat + +- name: "SCORED | 1.1.2 | PATCH | Ensure separate partition exists for /tmp | enable and start/restart tmp.mount" + copy: + src: "{{ tmp_mount_file[ansible_os_family] }}" + dest: /etc/systemd/system/tmp.mount + owner: root + group: root + mode: 0644 + force: yes + remote_src: True + notify: systemd restart tmp.mount + #when: ansible_os_family == "Debian" + tags: + - level2 + - scored + - patch + - rule_1.1.2 + +- name: "SCORED | 1.1.2 | PATCH | Ensure separate partition exists for /tmp | enable and start/restart tmp.mount" + systemd: + name: tmp.mount + daemon_reload: yes + enabled: yes + masked: no + state: started + when: + - ubuntu1604cis_rule_1_1_2 + tags: + - level2 + - scored + - patch + - rule_1.1.2 + +- name: "SCORED | 1.1.3 | PATCH | Ensure nodev option set on /tmp partition\n + SCORED | 1.1.4 | PATCH | Ensure nosuid option set on /tmp partition\n + SCORED | 1.1.5 | PATCH | Ensure noexec option set on /tmp partition\n + | drop custom tmp.mount" + ini_file: + path: "{{ item }}" + section: Mount + option: Options + value: "{{ tmp_mount_options[ansible_os_family] }}" + no_extra_spaces: yes + with_items: + - "{{ tmp_mount_file[ansible_os_family] }}" + - /etc/systemd/system/tmp.mount + notify: systemd restart tmp.mount + when: + - ubuntu1604cis_rule_1_1_3 + - ubuntu1604cis_rule_1_1_4 + - ubuntu1604cis_rule_1_1_5 + 
tags: + - level1 + - scored + - patch + - rule_1.1.3 + - rule_1.1.4 + - rule_1.1.5 + +- name: "SCORED | 1.1.6 | PATCH | Ensure separate partition exists for /var" + shell: mount | grep "on /var " + register: var_mounted + changed_when: no + failed_when: no + when: + - ubuntu1604cis_rule_1_1_6 + tags: + - level2 + - scored + - patch + - rule_1.1.6 + +- name: "SCORED | 1.1.7 | PATCH | Ensure separate partition exists for /var/tmp" + shell: mount | grep "on /var/tmp " + register: var_tmp_mounted + changed_when: no + failed_when: no + when: + - ubuntu1604cis_rule_1_1_7 + tags: + - level2 + - scored + - patch + - rule_1.1.7 + +- name: "SCORED | 1.1.8 | PATCH | Ensure nodev option set on /var/tmp partition\n + SCORED | 1.1.9 | PATCH | Ensure nosuid option set on /var/tmp partition\n + SCORED | 1.1.10 | PATCH | Ensure noexec option set on /var/tmp partition" + mount: + name: /var/tmp + src: "{{ ubuntu1604cis_vartmp['source'] }}" + state: mounted + fstype: "{{ ubuntu1604cis_vartmp['fstype'] }}" + opts: "{{ ubuntu1604cis_vartmp['opts'] }}" + when: + - ubuntu1604cis_vartmp['enabled'] == 'yes' + - ubuntu1604cis_rule_1_1_8 + - ubuntu1604cis_rule_1_1_9 + - ubuntu1604cis_rule_1_1_10 + tags: + - level1 + - scored + - patch + - rule_1.1.8 + - rule_1.1.9 + - rule_1.1.10 + +- name: "SCORED | 1.1.11 | PATCH | Ensure separate partition exists for /var/log" + shell: mount | grep "on /var/log " + register: var_log_mounted + changed_when: no + failed_when: no + when: + - ubuntu1604cis_rule_1_1_11 + tags: + - level2 + - scored + - patch + - rule_1.1.11 + +- name: "SCORED | 1.1.12 | PATCH | Ensure separate partition exists for /var/log/audit" + shell: mount | grep "on /var/log/audit " + register: var_log_audit_mounted + changed_when: no + failed_when: no + when: + - ubuntu1604cis_rule_1_1_12 + tags: + - level2 + - scored + - patch + - rule_1.1.12 + +- name: "SCORED | 1.1.13 | PATCH | Ensure separate partition exists for /home" + shell: mount | grep "on /home " + register: home_mounted + 
changed_when: no + failed_when: no + when: + - ubuntu1604cis_rule_1_1_13 + tags: + - level2 + - scored + - patch + - rule_1.1.13 + +- name: "SCORED | 1.1.14 | PATCH | Ensure nodev option set on /home partition" + command: /bin/true + changed_when: no + when: + - ubuntu1604cis_rule_1_1_14 + tags: + - level1 + - level2 + - patch + - rule_1.1.14 + - notimplemented + +- name: "SCORED | 1.1.15 | PATCH | Ensure nodev option set on /dev/shm partition\n + SCORED | 1.1.16 | PATCH | Ensure nosuid option set on /dev/shm partition\n + SCORED | 1.1.17 | PATCH | Ensure noexec option set on /dev/shm partition" + mount: + name: /dev/shm + src: tmpfs + state: mounted + fstype: tmpfs + opts: "defaults,nodev,nosuid,noexec" + when: + - ubuntu1604cis_rule_1_1_15 + - ubuntu1604cis_rule_1_1_16 + - ubuntu1604cis_rule_1_1_17 + tags: + - level1 + - scored + - patch + - rule_1.1.15 + - rule_1.1.16 + - rule_1.1.17 + +- name: "NOTSCORED | 1.1.18 | PATCH | Ensure nodev option set on removable media partitions" + command: /bin/true + changed_when: no + when: + - ubuntu1604cis_rule_1_1_18 + tags: + - level1 + - notscored + - patch + - rule_1.1.18 + - notimplemented + +- name: "NOTSCORED | 1.1.19 | PATCH | Ensure nosuid option set on removable media partitions" + command: /bin/true + changed_when: no + when: + - ubuntu1604cis_rule_1_1_19 + tags: + - level1 + - notscored + - patch + - rule_1.1.19 + - notimplemented + +- name: "NOTSCORED | 1.1.20 | PATCH | Ensure noexec option set on removable media partitions" + command: /bin/true + changed_when: no + when: + - ubuntu1604cis_rule_1_1_20 + tags: + - level1 + - notscored + - patch + - rule_1.1.20 + - notimplemented + +- name: "SCORED | 1.1.21 | PATCH | Ensure sticky bit is set on all world-writable directories" + shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t + changed_when: no + failed_when: no + #when: sticky_bit_on_worldwritable_dirs_audit.rc == '0' + when: + - 
ubuntu1604cis_rule_1_1_21 + tags: + - level1 + - level2 + - patch + - rule_1.1.21 + +- name: "SCORED | 1.1.22 | PATCH | Disable Automounting" + service: + name: autofs + enabled: no + when: + - ubuntu1604cis_allow_autofs == false and autofs_service_status.stdout == "loaded" + - ubuntu1604cis_rule_1_1_22 + tags: + - level1 + - patch + - rule_1.1.22 + +- name: "NOTSCORED | 1.2.1 | PATCH | Ensure package manager repositories are configured" + command: /bin/true + changed_when: no + when: + - ubuntu1604cis_rule_1_2_1 + tags: + - level1 + - notscored + - patch + - rule_1.2.1 + - notimplemented + +- name: "SCORED | 1.2.2 | PATCH | Ensure gpgcheck is globally activated" + replace: + name: /etc/yum.conf + regexp: "^gpgcheck=0" + replace: "gpgcheck=1" + when: + - ubuntu1604cis_rule_1_2_2 + tags: + - level1 + - scored + - patch + - rule_1.2.2 + +- name: "SCORED | 1.2.2 | PATCH | Ensure gpgcheck is globally activated" + find: + paths: /etc/yum.repos.d + patterns: "*.repo" + register: yum_repos + changed_when: no + when: + - ubuntu1604cis_rule_1_2_2 + tags: + - level1 + - scored + - patch + - rule_1.2.2 + +- name: "SCORED | 1.2.2 | PATCH | Ensure gpgcheck is globally activated" + replace: + name: "{{ item.path }}" + regexp: "^gpgcheck=0" + replace: "gpgcheck=1" + with_items: + - "{{ yum_repos.files }}" + when: + - ubuntu1604cis_rule_1_2_2 + tags: + - level1 + - scored + - patch + - rule_1.2.2 + +- name: "NOTSCORED | 1.2.3 | PATCH | Ensure GPG keys are configured" + command: /bin/true + changed_when: no + when: + - ubuntu1604cis_rule_1_2_3 + tags: + - level1 + - notscored + - patch + - rule_1.2.3 + - notimplemented + +- name: "NOTSCORED | 1.2.4 | PATCH | Ensure Red Hat Network or Subscription Manager connection is configured" + command: /bin/true + changed_when: no + when: + - ansible_distribution == "RedHat" + - ubuntu1604cis_rule_1_2_4 + tags: + - level1 + - notscored + - patch + - rule_1.2.4 + - notimplemented + +- name: "NOTSCORED | 1.2.5 | PATCH | Disable the rhnsd Daemon" 
+ service: + name: rhnsd + state: stopped + enabled: no + when: + - ansible_distribution == "RedHat" and rhnsd_service_status.stdout == "loaded" and not ubuntu1604cis_rhnsd_required + - ubuntu1604cis_rule_1_2_5 + tags: + - level2 + - notscored + - patch + - rule_1.2.5 + +- name: "SCORED | 1.3.1 | PATCH | Ensure AIDE is installed" + apt: + name: aide + state: present + when: + - ubuntu1604cis_rule_1_3_1 + tags: + - level1 + - scored + - aide + - patch + - rule_1.3.1 + +- name: "SCORED | 1.3.1 | PATCH | Ensure AIDE is installed" + command: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz' + args: + creates: /var/lib/aide/aide.db.gz + changed_when: no + failed_when: no + async: 45 + poll: 0 + when: + - ubuntu1604cis_config_aide + - ubuntu1604cis_rule_1_3_1 + tags: + - level1 + - scored + - aide + - patch + - rule_1.3.1 + +- name: "SCORED | 1.3.2 | PATCH | Ensure filesystem integrity is regularly checked" + cron: + name: Run AIDE integrity check weekly + cron_file: "{{ ubuntu1604cis_aide_cron['cron_file'] }}" + user: "{{ ubuntu1604cis_aide_cron['cron_user'] }}" + minute: "{{ ubuntu1604cis_aide_cron['aide_minute'] | default('0') }}" + hour: "{{ ubuntu1604cis_aide_cron['aide_hour'] | default('5') }}" + day: "{{ ubuntu1604cis_aide_cron['aide_day'] | default('*') }}" + month: "{{ ubuntu1604cis_aide_cron['aide_month'] | default('*') }}" + weekday: "{{ ubuntu1604cis_aide_cron['aide_weekday'] | default('*') }}" + job: "{{ ubuntu1604cis_aide_cron['aide_job'] }}" + when: + - ubuntu1604cis_rule_1_3_2 + tags: + - level1 + - scored + - aide + - file_integrity + - patch + - rule_1.3.2 + +- name: "SCORED | 1.4.1 | PATCH | Ensure permissions on bootloader config are configured" + stat: + path: /etc/grub2.cfg + register: grub_cfg + when: + - ubuntu1604cis_rule_1_4_1 + tags: + - level1 + - scored + - grub + - patch + - rule_1.4.1 + +- name: "SCORED | 1.4.1 | PATCH | Ensure permissions on bootloader config are configured" + file: + path: "{{ grub_cfg.stat.lnk_source 
}}" + owner: root + group: root + mode: 0600 + when: + - grub_cfg.stat.exists and grub_cfg.stat.islnk + tags: + - level1 + - scored + - grub + - patch + - rule_1.4.1 + - ubuntu1604cis_rule_1_4_1 +- name: "SCORED | 1.4.1 | PATCH | Ensure permissions on bootloader config are configured" + file: + path: "/boot/grub/grub.cfg" + owner: root + group: root + mode: 0600 + when: ansible_os_family == "Debian" + tags: + - level1 + - scored + - grub + - patch + - rule_1.4.1 + +- name: "SCORED | 1.4.2 | PATCH | Ensure bootloader password is set" + grub_crypt: + password: "{{ ubuntu1604cis_bootloader_password }}" + register: grub_pass + when: + - ubuntu1604cis_set_boot_pass + - ubuntu1604cis_rule_1_4_2 + tags: + - level1 + - scored + - grub + - patch + - rule_1.4.2 + +- name: "SCORED | 1.4.2 | PATCH | Ensure bootloader password is set" + copy: + dest: /boot/grub2/user.cfg + content: "GRUB2_PASSWORD={{ grub_pass.passhash }}" + notify: generate new grub config + when: + - ubuntu1604cis_set_boot_pass and grub_pass is defined and grub_pass.passhash is defined and grub_pass.passhash != '' + - ubuntu1604cis_rule_1_4_2 + tags: + - level1 + - scored + - grub + - patch + - rule_1.4.2 + +- name: "NOTSCORED | 1.4.3 | PATCH | Ensure authentication required for single user mode" + command: /bin/true + changed_when: no + when: + - ubuntu1604cis_rule_1_4_3 + tags: + - level1 + - level2 + - patch + - rule_1.4.3 + - notimplemented + +- name: "NOTSCORED | 1.4.3 | PATCH | Ensure authentication required for single user mode" + command: /bin/true + changed_when: no + when: + - ubuntu1604cis_rule_1_4_3 + tags: + - level1 + - level2 + - patch + - rule_1.4.3 + - notimplemented + +- name: "SCORED | 1.5.1 | PATCH | Ensure core dumps are restricted" + lineinfile: + state: present + dest: /etc/security/limits.conf + regexp: '^#?\\*.*core' + line: '* hard core 0' + insertbefore: '^# End of file' + when: + - ubuntu1604cis_rule_1_5_1 + tags: + - level1 + - scored + - limits + - patch + - rule_1.5.1 + +- name: 
"SCORED | 1.5.1 | PATCH | Ensure core dumps are restricted" + sysctl: + name: fs.suid_dumpable + value: 0 + state: present + reload: yes + sysctl_set: yes + ignoreerrors: yes + when: + - ubuntu1604cis_rule_1_5_1 + tags: + - level1 + - scored + - sysctl + - patch + - rule_1.5.1 + +- name: "NOTSCORED | 1.5.2 | PATCH | Ensure XD/NX support is enabled" + command: /bin/true + changed_when: no + when: + - ubuntu1604cis_rule_1_5_2 + tags: + - level1 + - level2 + - patch + - rule_1.5.2 + - notimplemented + +- name: "SCORED | 1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled" + sysctl: + name: kernel.randomize_va_space + value: 2 + state: present + reload: yes + sysctl_set: yes + ignoreerrors: yes + when: + - ubuntu1604cis_rule_1_5_3 + tags: + - level1 + - scored + - patch + - rule_1.5.3 + +- name: "SCORED | 1.5.4 | PATCH | Ensure prelink is disabled" + command: prelink -ua + when: + - prelink_installed.rc == 0 + - ubuntu1604cis_rule_1_5_4 + tags: + - level1 + - scored + - patch + - rule_1.5.4 + +- name: "SCORED | 1.5.4 | PATCH | Ensure prelink is disabled" + apt: + name: prelink + state: absent + when: + - ubuntu1604cis_rule_1_5_4 + tags: + - level1 + - scored + - patch + - rule_1.5.4 + +- name: "SCORED | 1.6.1.1 | PATCH | Ensure SELinux is not disabled in bootloader configuration" + replace: + dest: /etc/default/grub + regexp: '(selinux|enforcing)\s*=\s*0\s*' + follow: yes + register: selinux_grub_patch + ignore_errors: yes + notify: generate new grub config + when: + - ubuntu1604cis_rule_1_6_1_1 + tags: + - level2 + - scored + - patch + - rule_1.6.1.1 + +- name: "SCORED | 1.6.1.2 | PATCH | Ensure the SELinux state is enforcing" + selinux: + conf: /etc/selinux/config + policy: "{{ ubuntu1604cis_selinux_pol }}" + state: enforcing + when: + - not ubuntu1604cis_selinux_disable + - ubuntu1604cis_rule_1_6_1_2 + tags: + - level2 + - scored + - selinux + - patch + - rule_1.6.1.2 + +- name: "SCORED | 1.6.1.3 | PATCH | Ensure SELinux policy is configured" 
+ selinux: + conf: /etc/selinux/config + policy: "{{ ubuntu1604cis_selinux_pol }}" + state: enforcing + when: + - not ubuntu1604cis_selinux_disable + - ubuntu1604cis_rule_1_6_1_3 + tags: + - level2 + - scored + - selinux + - patch + - rule_1.6.1.3 + +- name: "SCORED | 1.6.1.4 | PATCH | Ensure SETroubleshoot is not installed" + apt: + name: setroubleshoot + state: absent + when: + - ubuntu1604cis_rule_1_6_1_4 + tags: + - level2 + - scored + - selinux + - patch + - rule_1.6.1.4 + +- name: "SCORED | 1.6.1.5 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed" + apt: + name: mcstrans + state: absent + when: + - ubuntu1604cis_rule_1_6_1_5 + tags: + - level2 + - scored + - patch + - rule_1.6.1.5 + +- name: "SCORED | 1.6.2 | PATCH | Ensure SELinux is installed" + apt: + name: libselinux + state: present + when: + - ubuntu1604cis_rule_1_6_2 + tags: + - level2 + - scored + - patch + - rule_1.6.2 + +- name: "SCORED | 1.7.1.1 | PATCH | Ensure message of the day is configured properly" + template: + src: etc/motd.j2 + dest: /etc/motd + when: + - ubuntu1604cis_rule_1_7_1_1 + tags: + - level1 + - banner + - patch + - rule_1.7.1.1 + +- name: "NOTSCORED | 1.7.1.2 | PATCH | Ensure local login warning banner is configured properly" + template: + src: etc/issue.j2 + dest: /etc/issue + when: + - ubuntu1604cis_rule_1_7_1_2 + tags: + - level1 + - patch + - rule_1.7.1.2 + +- name: "NOTSCORED | 1.7.1.3 | PATCH | Ensure remote login warning banner is configured properly" + template: + src: etc/issue.net.j2 + dest: /etc/issue.net + when: + - ubuntu1604cis_rule_1_7_1_3 + tags: + - level1 + - banner + - patch + - rule_1.7.1.3 + +- name: "NOTSCORED | 1.7.1.4 | PATCH | Ensure permissions on /etc/motd are configured" + file: + dest: /etc/motd + state: file + owner: root + group: root + mode: 0644 + when: + - ubuntu1604cis_rule_1_7_1_4 + tags: + - level1 + - perms + - patch + - rule_1.7.1.4 + +- name: "SCORED | 1.7.1.5 | PATCH | Ensure permissions on /etc/issue are 
configured" + file: + dest: /etc/issue + state: file + owner: root + group: root + mode: 0644 + when: + - ubuntu1604cis_rule_1_7_1_5 + tags: + - level1 + - perms + - patch + - rule_1.7.1.5 + +- name: "NOTSCORED | 1.7.1.6 | PATCH | Ensure permissions on /etc/issue.net are configured" + file: + dest: /etc/issue.net + state: file + owner: root + group: root + mode: 0644 + when: + - ubuntu1604cis_rule_1_7_1_6 + tags: + - level1 + - perms + - patch + - rule_1.7.1.6 + +- name: "SCORED | 1.7.2 | PATCH | Ensure GDM login banner is configured" + lineinfile: + dest: "{{ item.file }}" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + state: present + create: yes + owner: root + group: root + mode: 0644 + with_items: + - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' } + - { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' } + - { file: '/etc/dconf/profile/gdm', regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults' } + - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' } + - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-enable', line: 'banner-message-enable=true' } + - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-text', line: "banner-message-text='{{ ubuntu1604cis_warning_banner }}' " } + when: + - ubuntu1604cis_gui + - ubuntu1604cis_rule_1_7_2 + tags: + - level1 + - level2 + - patch + - rule_1.7.2 + +- name: "NOTSCORED | 1.8 | PATCH | Ensure updates, patches, and additional security software are installed" + apt: + upgrade: dist + when: ansible_os_family == "Debian" + tags: + - level1 + - level2 + - patch + - rule_1.8 diff --git a/tasks/section2.yml b/tasks/section2.yml new file mode 100644 index 0000000..86f9040 --- /dev/null +++ b/tasks/section2.yml 
@@ -0,0 +1,662 @@ +- name: "SCORED | 2.1.1 | PATCH | Ensure chargen services are not enabled | chargen-dgram" + stat: + path: /etc/xinetd.d/chargen-dgram + register: chargen_dgram_service + tags: + - level1 + - scored + - services + - patch + - rule_2.1.1 + +- name: "SCORED | 2.1.1 | PATCH | Ensure chargen services are not enabled | chargen-dgram" + command: chkconfig chargen-dgram off + notify: restart xinetd + when: chargen_dgram_service.stat.exists + tags: + - level1 + - scored + - services + - patch + - rule_2.1.1 + +- name: "SCORED | 2.1.1 | PATCH | Ensure chargen services are not enabled | chargen-stream" + stat: + path: /etc/xinetd.d/chargen-stream + register: chargen_stream_service + tags: + - level1 + - scored + - services + - patch + - rule_2.1.1 + +- name: "SCORED | 2.1.1 | PATCH | Ensure chargen services are not enabled | chargen-stream" + command: chkconfig chargen-stream off + notify: restart xinetd + when: chargen_stream_service.stat.exists + tags: + - level1 + - scored + - services + - patch + - rule_2.1.1 + +- name: "SCORED | 2.1.2 | PATCH | Ensure daytime services are not enabled | daytime-dgram" + stat: + path: /etc/xinetd.d/daytime-dgram + register: daytime_dgram_service + tags: + - level1 + - scored + - patch + - rule_2.1.2 + +- name: "SCORED | 2.1.2 | PATCH | Ensure daytime services are not enabled | daytime-dgram" + command: chkconfig daytime-dgram off + notify: restart xinetd + when: daytime_dgram_service.stat.exists + tags: + - level1 + - scored + - patch + - rule_2.1.2 + +- name: "SCORED | 2.1.2 | PATCH | Ensure daytime services are not enabled | daytime-stream" + stat: + path: /etc/xinetd.d/daytime-stream + register: daytime_stream_service + tags: + - level1 + - scored + - patch + - rule_2.1.2 + +- name: "SCORED | 2.1.2 | PATCH | Ensure daytime services are not enabled | daytime-stream" + command: chkconfig daytime-stream off + notify: restart xinetd + when: daytime_stream_service.stat.exists + tags: + - level1 + - scored + - patch + - 
rule_2.1.2 + +- name: "SCORED | 2.1.3 | PATCH | Ensure discard services are not enabled | discard-dgram" + stat: + path: /etc/xinetd.d/discard-dgram + register: discard_dgram_service + tags: + - level1 + - scored + - patch + - rule_2.1.3 + +- name: "SCORED | 2.1.3 | PATCH | Ensure discard services are not enabled | discard-dgram" + command: chkconfig discard-dgram off + notify: restart xinetd + when: discard_dgram_service.stat.exists + tags: + - level1 + - scored + - patch + - rule_2.1.3 + +- name: "SCORED | 2.1.3 | PATCH | Ensure discard services are not enabled | discard-stream" + stat: + path: /etc/xinetd.d/discard-stream + register: discard_stream_service + tags: + - level1 + - scored + - patch + - rule_2.1.3 + +- name: "SCORED | 2.1.3 | PATCH | Ensure discard services are not enabled | discard-stream" + command: chkconfig discard-stream off + notify: restart xinetd + when: discard_stream_service.stat.exists + tags: + - level1 + - scored + - patch + - rule_2.1.3 + +- name: "SCORED | 2.1.4 | PATCH | Ensure echo services are not enabled | echo-dgram" + stat: + path: /etc/xinetd.d/echo-dgram + register: echo_dgram_service + tags: + - level1 + - scored + - patch + - rule_2.1.4 + +- name: "SCORED | 2.1.4 | PATCH | Ensure echo services are not enabled | echo-dgram" + command: chkconfig echo-dgram off + notify: restart xinetd + when: echo_dgram_service.stat.exists + tags: + - level1 + - scored + - patch + - rule_2.1.4 + +- name: "SCORED | 2.1.4 | PATCH | Ensure echo services are not enabled | echo-stream" + stat: + path: /etc/xinetd.d/echo-stream + register: echo_stream_service + tags: + - level1 + - scored + - patch + - rule_2.1.4 + +- name: "SCORED | 2.1.4 | PATCH | Ensure echo services are not enabled | echo-stream" + command: chkconfig echo-stream off + notify: restart xinetd + when: echo_stream_service.stat.exists + tags: + - level1 + - scored + - patch + - rule_2.1.4 + +- name: "SCORED | 2.1.5 | PATCH | Ensure time services are not enabled | time-dgram" + stat: 
+ path: /etc/xinetd.d/time-dgram + register: time_dgram_service + tags: + - level1 + - scored + - patch + - rule_2.1.5 + +- name: "SCORED | 2.1.5 | PATCH | Ensure time services are not enabled | time-dgram" + command: chkconfig time-dgram off + notify: restart xinetd + when: time_dgram_service.stat.exists + tags: + - level1 + - scored + - patch + - rule_2.1.5 + +- name: "SCORED | 2.1.5 | PATCH | Ensure time services are not enabled | time-stream" + stat: + path: /etc/xinetd.d/time-stream + register: time_stream_service + tags: + - level1 + - scored + - patch + - rule_2.1.5 + +- name: "SCORED | 2.1.5 | PATCH | Ensure time services are not enabled | time-stream" + command: chkconfig time-stream off + notify: restart xinetd + when: time_stream_service.stat.exists + tags: + - level1 + - scored + - patch + - rule_2.1.5 + +- name: "SCORED | 2.1.6 | PATCH | Ensure tftp server is not enabled" + stat: + path: /etc/xinetd.d/tftp + register: tftp_service + tags: + - level1 + - scored + - patch + - rule_2.1.6 + +- name: "SCORED | 2.1.6 | PATCH | Ensure tftp server is not enabled" + command: chkconfig tftp off + notify: restart xinetd + when: tftp_service.stat.exists and ubuntu1604cis_tftp_server == false + tags: + - level1 + - scored + - patch + - rule_2.1.6 + +- name: "SCORED | 2.1.7 | PATCH | Ensure xinetd is not enabled" + service: + name: xinetd + state: stopped + enabled: no + when: + - xinetd_service_status.stdout == "loaded" and not ubuntu1604cis_xinetd_required + tags: + - level1 + - patch + - scored + - rule_2.1.7 + +- name: "NOTSCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - service install" + apt: + name: "{{ ubuntu1604cis_time_synchronization }}" + state: present + tags: + - level1 + - patch + - rule_2.2.1.1 + + + +- name: "NOTSCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - service start" + service: + name: "{{ rhel7cis_time_synchronization }}" + state: started + enabled: yes + when: ansible_os_family == "Debian" + tags: + - 
level1 + - patch + - rule_2.2.1.1 + +- name: "NOTSCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - service stop ntp" + service: + name: "{{ ntp_service[ansible_os_family] }}" + state: stopped + enabled: no + when: ubuntu1604cis_time_synchronization == "chrony" and ntpd_service_status.stdout == "loaded" + tags: + - level1 + - patch + - rule_2.2.1.1 + +- name: "NOTSCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - service stop chrony" + service: + name: "{{ chrony_service[ansible_os_family] }}" + state: stopped + enabled: no + ignore_errors: yes + when: ubuntu1604cis_time_synchronization == "ntp" and chronyd_service_status.stdout == "loaded" + tags: + - level1 + - patch + - rule_2.2.1.1 + +- name: "SCORED | 2.2.1.2 | PATCH | Ensure ntp is configured | modify /etc/ntp.conf" + template: + src: ntp.conf.j2 + dest: /etc/ntp.conf + owner: root + group: root + mode: 0644 + when: ubuntu1604cis_time_synchronization == "ntp" + tags: + - level1 + - patch + - rule_2.2.1.2 + + +- name: "SCORED | 2.2.1.2 | PATCH | Ensure ntp is configured | modify /etc/init.d/ntp" + lineinfile: + dest: /etc/init.d/ntp + regexp: "^RUNASUSER" + line: "RUNASUSER=ntp" + when: rhel7cis_time_synchronization == "ntp" and ansible_os_family == "Debian" + tags: + - level1 + - patch + - rule_2.2.1.2 + +- name: "SCORED | 2.2.1.3 | PATCH | Ensure chrony is configured" + template: + src: chrony.conf.j2 + dest: "{{ chrony_config_file[ansible_os_family] }}" + owner: root + group: root + mode: 0644 + when: ubuntu1604cis_time_synchronization == "chrony" + tags: + - level1 + - patch + - rule_2.2.1.3 + +- name: "SCORED | 2.2.1.3 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd | 1" + lineinfile: + dest: /etc/sysconfig/chronyd + regexp: "^(#)?OPTIONS" + line: "OPTIONS=\"-u chrony\"" + state: present + create: yes + when: ubuntu1604cis_time_synchronization == "chrony" + tags: + - level1 + - patch + - rule_2.2.1.3 + +- name: "SCORED | 2.2.2 | PATCH | Ensure X Window 
System is not installed" + apt: + name: "{{item}}" + state: absent + when: not ubuntu1604cis_xwindows_required + with_items: + - "@X Window System" + - "xorg-x11*" + tags: + - level1 + - scored + - xwindows + - patch + - rule_2.2.2 + +- name: "SCORED | 2.2.3 | PATCH | Ensure Avahi Server is not enabled" + service: + name: avahi-daemon + state: stopped + enabled: no + when: ubuntu1604cis_avahi_server == false and avahi_service_status.stdout == "loaded" + tags: + - level1 + - scored + - avahi + - services + - patch + - rule_2.2.3 + +- name: "SCORED | 2.2.4 | PATCH | Ensure CUPS is not enabled" + service: + name: cups + state: stopped + enabled: no + when: ubuntu1604cis_cups_server == false and cups_service_status.stdout == "loaded" + tags: + - level1 + - scored + - cups + - services + - patch + - rule_2.2.4 + +- name: "SCORED | 2.2.5 | PATCH | Ensure DHCP Server is not enabled" + service: + name: dhcpd + state: stopped + enabled: no + when: ubuntu1604cis_dhcp_server == false and dhcpd_service_status.stdout == "loaded" + tags: + - level1 + - scored + - dhcp + - services + - patch + - rule_2.2.5 + +- name: "SCORED | 2.2.6 | PATCH | Ensure LDAP server is not enabled" + service: + name: slapd + state: stopped + enabled: no + when: ubuntu1604cis_ldap_server == false and slapd_service_status.stdout == "loaded" + tags: + - level1 + - scored + - ldap + - services + - patch + - rule_2.2.6 + +- name: "SCORED | 2.2.7 | PATCH | Ensure NFS and RPC are not enabled" + service: + name: nfs + state: stopped + enabled: no + when: ubuntu1604cis_nfs_rpc_server == false and nfs_service_status.stdout == "loaded" + tags: + - level1 + - scored + - nfs + - rpc + - services + - patch + - rule_2.2.7 + +- name: "SCORED | 2.2.7 | PATCH | Ensure NFS and RPC are not enabled" + service: + name: rpcbind + state: stopped + enabled: no + when: ubuntu1604cis_nfs_rpc_server == false and rpcbind_service_status.stdout == "loaded" + tags: + - level1 + - scored + - nfs + - rpc + - services + - patch + - 
rule_2.2.7 + +- name: "SCORED | 2.2.8 | PATCH | Ensure DNS Server is not enabled" + service: + name: named + state: stopped + enabled: no + when: ubuntu1604cis_named_server == false and named_service_status.stdout == "loaded" + tags: + - level1 + - patch + - rule_2.2.8 + +- name: "SCORED | 2.2.9 | PATCH | Ensure FTP Server is not enabled" + service: + name: vsftpd + state: stopped + enabled: no + when: ubuntu1604cis_vsftpd_server == false and vsftpd_service_status.stdout == "loaded" + tags: + - level1 + - patch + - rule_2.2.9 + +- name: "SCORED | 2.2.10 | PATCH | Ensure HTTP server is not enabled" + service: + name: httpd + state: stopped + enabled: no + when: ubuntu1604cis_httpd_server == false and httpd_service_status.stdout == "loaded" + tags: + - level1 + - patch + - rule_2.2.10 + +- name: "SCORED | 2.2.11 | PATCH | Ensure IMAP and POP3 server is not enabled" + service: + name: dovecot + state: stopped + enabled: no + when: ubuntu1604cis_dovecot_server == false and dovecot_service_status.stdout == "loaded" + tags: + - level1 + - patch + - rule_2.2.11 + +- name: "SCORED | 2.2.12 | PATCH | Ensure Samba is not enabled" + service: + name: smb + state: stopped + enabled: no + when: ubuntu1604cis_smb_server == false and smb_service_status.stdout == "loaded" + tags: + - level1 + - patch + - rule_2.2.12 + +- name: "SCORED | 2.2.13 | PATCH | Ensure HTTP Proxy Server is not enabled" + service: + name: squid + state: stopped + enabled: no + when: ubuntu1604cis_squid_server == false and squid_service_status.stdout == "loaded" + tags: + - level1 + - patch + - rule_2.2.13 + +- name: "SCORED | 2.2.14 | PATCH | Ensure SNMP Server is not enabled" + service: + name: snmpd + state: stopped + enabled: no + when: ubuntu1604cis_snmp_server == false and snmpd_service_status.stdout == "loaded" + tags: + - level1 + - patch + - rule_2.2.14 + +- name: "SCORED | 2.2.15 | PATCH | Ensure mail transfer agent is configured for local-only mode" + lineinfile: + dest: /etc/postfix/main.cf + 
regexp: "^(#)?inet_interfaces" + line: "inet_interfaces = localhost" + when: ubuntu1604cis_is_mail_server == false and postfix_installed.rc == 0 + tags: + - level1 + - patch + - rule_2.2.15 + +- name: "SCORED | 2.2.16 | PATCH | Ensure NIS Server is not enabled" + service: + name: ypserv + state: stopped + enabled: no + when: ubuntu1604cis_nis_server == false and ypserv_service_status.stdout == "loaded" + tags: + - level1 + - patch + - rule_2.2.16 + +- name: "SCORED | 2.2.17 | PATCH | Ensure rsh server is not enabled | rsh" + service: + name: rsh.socket + state: stopped + enabled: no + when: ubuntu1604cis_rsh_server == false and rsh_service_status.stdout == "loaded" + tags: + - level1 + - patch + - rule_2.2.17 + +- name: "SCORED | 2.2.17 | PATCH | Ensure rsh server is not enabled | rlogin" + service: + name: rlogin.socket + state: stopped + enabled: no + when: ubuntu1604cis_rsh_server == false and rlogin_service_status.stdout == "loaded" + tags: + - level1 + - patch + - rule_2.2.17 + +- name: "SCORED | 2.2.17 | PATCH | Ensure rsh server is not enabled | rexec" + service: + name: rexec.socket + state: stopped + enabled: no + when: ubuntu1604cis_rsh_server == false and rexec_service_status.stdout == "loaded" + tags: + - level1 + - patch + - rule_2.2.17 + +- name: "SCORED | 2.2.18 | PATCH | Ensure telnet server is not enabled" + service: + name: telnet + state: stopped + enabled: no + when: ubuntu1604cis_telnet_server == false and telnet_service_status.stdout == "loaded" + tags: + - level1 + - patch + - rule_2.2.18 + +- name: "SCORED | 2.2.19 | PATCH | Ensure tftp server is not enabled" + service: + name: tftp + state: stopped + enabled: no + when: ubuntu1604cis_tftp_server == false and tftp_service_status.stdout == "loaded" + tags: + - level1 + - scored + - insecure_services + - tftp + - patch + - rule_2.2.19 + +- name: "SCORED | 2.2.20 | PATCH | Ensure rsync service is not enabled " + service: + name: rsyncd + state: stopped + enabled: no + when: 
ubuntu1604cis_rsyncd_server == false and rsyncd_service_status.stdout == "loaded" + tags: + - level1 + - patch + - rule_2.2.20 + +- name: "SCORED | 2.2.21 | PATCH | Ensure talk server is not enabled" + service: + name: ntalk + state: stopped + enabled: no + when: ubuntu1604cis_ntalk_server == false and ntalk_service_status.stdout == "loaded" + tags: + - level1 + - patch + - rule_2.2.21 + +- name: "SCORED | 2.3.1 | PATCH | Ensure NIS Client is not installed" + apt: + name: ypbind + state: absent + when: ubuntu1604cis_ypbind_required == false + tags: + - level1 + - patch + - rule_2.3.1 + +- name: "SCORED | 2.3.2 | PATCH | Ensure rsh client is not installed" + apt: + name: rsh + state: absent + when: ubuntu1604cis_rsh_required == false + tags: + - level1 + - patch + - rule_2.3.2 + +- name: "SCORED | 2.3.3 | PATCH | Ensure talk client is not installed" + apt: + name: talk + state: absent + when: ubuntu1604cis_talk_required == false + tags: + - level1 + - patch + - rule_2.3.3 + +- name: "SCORED | 2.3.4 | PATCH | Ensure telnet client is not installed" + apt: + name: telnet + state: absent + when: ubuntu1604cis_telnet_required == false + tags: + - level1 + - patch + - rule_2.3.4 + +- name: "SCORED | 2.3.5 | PATCH | Ensure LDAP client is not installed" + apt: + name: openldap-clients + state: absent + when: ubuntu1604cis_openldap_clients_required == false + tags: + - level1 + - patch + - rule_2.3.5 diff --git a/tasks/section3.yml b/tasks/section3.yml new file mode 100644 index 0000000..bbd95ff --- /dev/null +++ b/tasks/section3.yml 
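Review bot: Two tasks reference `rhel7cis_time_synchronization` — the 2.2.1.1 "service start" task (`name: "{{ rhel7cis_time_synchronization }}"`) and the `when` of the 2.2.1.2 "modify /etc/init.d/ntp" task — while every other task in the file uses `ubuntu1604cis_time_synchronization`; unless that variable is defined elsewhere, the play aborts with an undefined-variable error at the first of them. Replace both with `ubuntu1604cis_time_synchronization`. More broadly, the file still carries RHEL-family names that do not exist on Ubuntu 16.04 — `chkconfig` in the 2.1.x tasks, the yum group `@X Window System` and `xorg-x11*` handed to `apt` in 2.2.2, and unit or package names such as `httpd`, `named`, `dhcpd`, `smb` and `openldap-clients` — and because each service task is guarded by `<unit>_service_status.stdout == "loaded"`, a misnamed unit makes the task skip silently rather than fail, so the control is reported as handled while the real service (for example `apache2`, `bind9`, `isc-dhcp-server`, `smbd`) keeps running. Consider mapping each to the Ubuntu unit name and adding a check that fails when a rule is enabled but its unit cannot be found.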
@@ -0,0 +1,452 @@ +- name: "SCORED | 3.1.1 | PATCH | Ensure IP forwarding is disabled" + sysctl: + name: net.ipv4.ip_forward + value: 0 + state: present + reload: yes + ignoreerrors: yes + when: ubuntu1604cis_is_router == false + notify: + - sysctl flush ipv4 route table + tags: + - level1 + - sysctl + - patch + - rule_3.1.1 + +- name: "SCORED | 3.1.2 | PATCH | Ensure packet redirect sending is disabled" + sysctl: + name: '{{ item.name }}' + value: '{{ item.value }}' + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + with_items: + - { name: net.ipv4.conf.all.send_redirects, value: 0 } + - { name: net.ipv4.conf.default.send_redirects, value: 0 } + when: ubuntu1604cis_is_router == false + notify: + - sysctl flush ipv4 route table + tags: + - level1 + - sysctl + - patch + - rule_3.1.2 + +- name: "SCORED | 3.2.1 | PATCH | Ensure source routed packets are not accepted" + sysctl: + name: '{{ item.name }}' + value: '{{ item.value }}' + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + with_items: + - { name: net.ipv4.conf.all.accept_source_route, value: 0 } + - { name: net.ipv4.conf.default.accept_source_route, value: 0 } + notify: + - sysctl flush ipv4 route table + tags: + - level1 + - sysctl + - patch + - rule_3.2.1 + +- name: "SCORED | 3.2.2 | PATCH | Ensure ICMP redirects are not accepted" + sysctl: + name: '{{ item.name }}' + value: '{{ item.value }}' + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + with_items: + - { name: net.ipv4.conf.all.accept_redirects, value: 0 } + - { name: net.ipv4.conf.default.accept_redirects, value: 0 } + notify: + - sysctl flush ipv4 route table + tags: + - level1 + - sysctl + - patch + - rule_3.2.2 + +- name: "SCORED | 3.2.3 | PATCH | Ensure secure ICMP redirects are not accepted" + sysctl: + name: '{{ item.name }}' + value: '{{ item.value }}' + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + with_items: + - { name: net.ipv4.conf.all.secure_redirects, 
value: 0 } + - { name: net.ipv4.conf.default.secure_redirects, value: 0 } + notify: + - sysctl flush ipv4 route table + tags: + - level1 + - sysctl + - patch + - rule_3.2.3 + +- name: "SCORED | 3.2.4 | PATCH | Ensure suspicious packets are logged" + sysctl: + name: '{{ item.name }}' + value: '{{ item.value }}' + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + with_items: + - { name: net.ipv4.conf.all.log_martians, value: 1 } + - { name: net.ipv4.conf.default.log_martians, value: 1 } + notify: + - sysctl flush ipv4 route table + tags: + - level1 + - sysctl + - patch + - rule_3.2.4 + +- name: "SCORED | 3.2.5 | PATCH | Ensure broadcast ICMP requests are ignored" + sysctl: + name: net.ipv4.icmp_echo_ignore_broadcasts + value: 1 + state: present + reload: yes + ignoreerrors: yes + notify: + - sysctl flush ipv4 route table + tags: + - level1 + - sysctl + - patch + - rule_3.2.5 + +- name: "SCORED | 3.2.6 | PATCH | Ensure bogus ICMP responses are ignored" + sysctl: + name: net.ipv4.icmp_ignore_bogus_error_responses + value: 1 + state: present + reload: yes + ignoreerrors: yes + notify: + - sysctl flush ipv4 route table + tags: + - level1 + - sysctl + - patch + - rule_3.2.6 + +- name: "SCORED | 3.2.7 | PATCH | Ensure Reverse Path Filtering is enabled" + sysctl: + name: '{{ item.name }}' + value: '{{ item.value }}' + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + with_items: + - { name: net.ipv4.conf.all.rp_filter, value: 1 } + - { name: net.ipv4.conf.default.rp_filter, value: 1 } + notify: + - sysctl flush ipv4 route table + tags: + - level1 + - sysctl + - patch + - rule_3.2.7 + +- name: "SCORED | 3.2.8 | PATCH | Ensure TCP SYN Cookies is enabled" + sysctl: + name: net.ipv4.tcp_syncookies + value: 1 + state: present + reload: yes + ignoreerrors: yes + notify: + - sysctl flush ipv4 route table + tags: + - level1 + - sysctl + - patch + - rule_3.2.8 + +- name: "SCORED | 3.3.1 | PATCH | Ensure IPv6 router advertisements are not 
accepted" + sysctl: + name: '{{ item.name }}' + value: '{{ item.value }}' + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + with_items: + - { name: net.ipv6.conf.all.accept_ra, value: 0 } + - { name: net.ipv6.conf.default.accept_ra, value: 0 } + when: ubuntu1604cis_ipv6_required == true + notify: + - sysctl flush ipv6 route table + tags: + - level1 + - sysctl + - patch + - rule_3.3.1 + +- name: "SCORED | 3.3.2 | PATCH | Ensure IPv6 redirects are not accepted" + sysctl: + name: '{{ item.name }}' + value: '{{ item.value }}' + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + with_items: + - { name: net.ipv6.conf.all.accept_redirects, value: 0 } + - { name: net.ipv6.conf.default.accept_redirects, value: 0 } + when: ubuntu1604cis_ipv6_required == true + notify: + - sysctl flush ipv6 route table + tags: + - level1 + - sysctl + - patch + - rule_3.3.2 + +- name: "NOTSCORED | 3.3.3 | PATCH | Ensure IPv6 is disabled" + lineinfile: + dest: /etc/modprobe.d/CIS.conf + regexp: "^(#)?options ipv6 disable=" + line: "options ipv6 disable=1" + create: yes + when: ubuntu1604cis_ipv6_required == false + tags: + - level1 + - patch + - rule_3.3.3 + +- name: "SCORED | 3.4.1 | PATCH | Ensure TCP Wrappers is installed" + apt: + name: "{{ tcp_wrapper_package[ansible_os_family] }}" + state: present + tags: + - level1 + - patch + - rule_3.4.1 + +- name: "SCORED | 3.4.2 | PATCH | Ensure /etc/hosts.allow is configured" + template: + src: hosts.allow.j2 + dest: /etc/hosts.allow + owner: root + group: root + mode: 0644 + tags: + - level1 + - patch + - rule_3.4.2 + +- name: "SCORED | 3.4.3 | PATCH | Ensure /etc/hosts.deny is configured" + lineinfile: + dest: /etc/hosts.deny + regexp: "^(#)?ALL" + line: "ALL: ALL" + tags: + - level1 + - patch + - rule_3.4.3 + +- name: "SCORED | 3.4.4 | PATCH | Ensure permissions on /etc/hosts.allow are configured" + file: + dest: /etc/hosts.allow + owner: root + group: root + mode: 0644 + tags: + - level1 + - patch + - 
rule_3.4.4 + +- name: "SCORED | 3.4.5 | PATCH | Ensure permissions on /etc/hosts.deny are 644" + file: + dest: /etc/hosts.deny + owner: root + group: root + mode: 0644 + tags: + - level1 + - patch + - rule_3.4.5 + +- name: "NOTSCORED | 3.5.1 | PATCH | Ensure DCCP is disabled" + lineinfile: + dest: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install dccp(\\s|$)" + line: "install dccp /bin/true" + create: yes + tags: + - level1 + - patch + - rule_3.5.1 + +- name: "NOTSCORED | 3.5.2 | PATCH | Ensure SCTP is disabled" + lineinfile: + dest: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install sctp(\\s|$)" + line: "install sctp /bin/true" + create: yes + tags: + - level1 + - patch + - rule_3.5.2 + +- name: "NOTSCORED | 3.5.3 | PATCH | Ensure RDS is disabled" + lineinfile: + dest: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install rds(\\s|$)" + line: "install rds /bin/true" + create: yes + tags: + - level1 + - patch + - rule_3.5.3 + +- name: "NOTSCORED | 3.5.4 | PATCH | Ensure TIPC is disabled" + lineinfile: + dest: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install tipc(\\s|$)" + line: "install tipc /bin/true" + create: yes + tags: + - level1 + - patch + - rule_3.5.4 + +- name: "SCORED | 3.6 | PATCH | Ensure firewalld is installed and started | CUSTOM" + apt: + name: firewalld + state: present + when: ubuntu1604cis_firewall == "firewalld" + tags: + - level1 + - patch + - rule_3.6 + +- name: "SCORED | 3.6 | PATCH | Ensure firewalld is installed and started | CUSTOM" + service: + name: firewalld + state: started + enabled: yes + when: ubuntu1604cis_firewall == "firewalld" + tags: + - level1 + - patch + - rule_3.6 + +- name: "SCORED | 3.6.1 | PATCH | Ensure iptables is installed" + apt: + name: iptables + state: present + when: ubuntu1604cis_firewall == "iptables" + tags: + - level1 + - patch + - rule_3.6.1 + +- name: "SCORED | 3.6.1 | PATCH | Ensure iptables is installed and started" + service: + name: iptables + state: started + enabled: yes + when: ubuntu1604cis_firewall == 
"iptables" + tags: + - level1 + - patch + - rule_3.6.1 + +- name: "SCORED | 3.6.2 | PATCH | Ensure default deny firewall policy" + lineinfile: + dest: /etc/firewalld/firewalld.conf + regexp: "^DefaultZone" + line: "DefaultZone=drop" + when: ubuntu1604cis_firewall == "firewalld" + tags: + - level1 + - patch + - rule_3.6.2 + +- name: "SCORED | 3.6.2 | PATCH | Ensure default deny firewall policy" + firewalld: + state: enabled + zone: drop + permanent: true + when: ubuntu1604cis_firewall == "firewalld" + tags: + - level1 + - patch + - rule_3.6.2 + +- name: "SCORED | 3.6.2 | PATCH | Ensure default deny firewall policy" + command: /bin/true + changed_when: no + when: ubuntu1604cis_firewall == "iptables" + tags: + - level1 + - patch + - rule_3.6.2 + - notimplemented + +- name: "SCORED | 3.6.3 | PATCH | Ensure loopback traffic is configured" + command: /bin/true + changed_when: no + when: ubuntu1604cis_firewall == "iptables" + tags: + - level1 + - patch + - rule_3.6.3 + - notimplemented + +- name: "NOTSCORED | 3.6.4 | PATCH | Ensure outbound and established connections are configured" + command: /bin/true + changed_when: no + when: ubuntu1604cis_firewall == "iptables" + tags: + - level1 + - patch + - rule_3.6.4 + - notimplemented + +- name: "SCORED | 3.6.5 | PATCH | Ensure firewall rules exist for all open ports" + firewalld: + service: "{{ item }}" + state: enabled + zone: drop + permanent: true + immediate: true + when: ubuntu1604cis_firewall == "firewalld" + notify: restart firewalld + with_items: "{{ ubuntu1604cis_firewall_services }}" + tags: + - level1 + - patch + - rule_3.6.5 + +- name: "SCORED | 3.6.5 | PATCH | Ensure firewall rules exist for all open ports" + command: /bin/true + changed_when: no + when: ubuntu1604cis_firewall == "iptables" + tags: + - level1 + - patch + - rule_3.6.5 + - notimplemented + +- name: "NOTSCORED | 3.7 | PATCH | Ensure wireless interfaces are disabled" + command: /bin/true + changed_when: no + tags: + - level1 + - level2 + - patch + - 
rule_3.7 diff --git a/tasks/section4.yml b/tasks/section4.yml new file mode 100644 index 0000000..ad47498 --- /dev/null +++ b/tasks/section4.yml 
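Review bot: The iptables branch of 3.6 leaves the host without a default-deny policy while still reporting success: `service: name: iptables` targets a unit that, as far as I know, Ubuntu 16.04 does not ship (the Debian-side persistence service is `netfilter-persistent`), and 3.6.2, 3.6.3 and 3.6.5 are `command: /bin/true` stubs when `ubuntu1604cis_firewall == "iptables"`, so the `patch` tag implies a remediation that never happens. Until those tasks are implemented, a `fail`/`debug` guard on the iptables branch, or at least a task name stating that the control is not applied, would stop a run from looking compliant. Separately, 3.3.3 writes `options ipv6 disable=1` to modprobe, which only has effect when ipv6 is a loadable module; on Ubuntu kernels it is built in, so the benchmark's GRUB `ipv6.disable=1` route is the one that actually disables it — worth confirming on a target host. The `ignoreerrors: yes` on every sysctl task also means a setting that cannot be applied (for example inside a container) reports ok instead of failing.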
@@ -0,0 +1,397 @@ +- name: "NOTSCORED | 4.1.1.1 | PATCH | Ensure audit log storage size is configured" + lineinfile: + dest: /etc/audit/auditd.conf + regexp: "^max_log_file( |=)" + line: "max_log_file = 10" + state: present + tags: + - level2 + - auditd + - patch + - rule_4.1.1.1 + +- name: "SCORED | 4.1.1.2 | PATCH | Ensure system is disabled when audit logs are full" + lineinfile: + dest: /etc/audit/auditd.conf + regexp: "^admin_space_left_action" + line: "admin_space_left_action = halt" + state: present + tags: + - level2 + - auditd + - patch + - rule_4.1.1.2 + +- name: "SCORED | 4.1.1.3 | PATCH | Ensure audit logs are not automatically deleted" + lineinfile: + dest: /etc/audit/auditd.conf + regexp: "^max_log_file_action" + line: "max_log_file_action = keep_logs" + state: present + tags: + - level2 + - auditd + - patch + - rule_4.1.1.3 + +- name: "SCORED | 4.1.2 | PATCH | Ensure auditd service is enabled" + service: + name: auditd + state: started + enabled: yes + when: ubuntu1604cis_skip_for_travis == false + tags: + - level2 + - auditd + - patch + - rule_4.1.2 + +- name: "SCORED | 4.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" + replace: + dest: /etc/default/grub + regexp: '(^GRUB_CMDLINE_LINUX\s*\=\s*)(?:")(.+)(?=1000 -F auid!=4294967295 -k mounts" + state: present + tags: + - level2 + - auditd + - patch + - rule_4.1.13 + +- name: "SCORED | 4.1.13 | PATCH | Ensure successful file system mounts are collected" + lineinfile: + dest: /etc/audit/audit.rules + line: "-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts" + state: present + tags: + - level2 + - auditd + - patch + - rule_4.1.13 + +- name: "SCORED | 4.1.13 | PATCH | Ensure successful file system mounts are collected" + lineinfile: + dest: /etc/audit/rules.d/audit.rules + line: "-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts" + state: present + tags: + - level2 + - auditd + - patch + - rule_4.1.13 + +- 
name: "SCORED | 4.1.14 | PATCH | Ensure file deletion events by users are collected" + command: /bin/true + changed_when: no + tags: + - level2 + - auditd + - patch + - rule_4.1.14 + - notimplemented + +- name: "SCORED | 4.1.15 | PATCH | Ensure changes to system administration scope (sudoers) is collected" + lineinfile: + dest: /etc/audit/rules.d/audit.rules + line: "-w /etc/sudoers -p wa -k scope" + state: present + tags: + - level2 + - auditd + - patch + - rule_4.1.15 + +- name: "SCORED | 4.1.15 | PATCH | Ensure changes to system administration scope (sudoers) is collected" + lineinfile: + dest: /etc/audit/audit.rules + line: "-w /etc/sudoers -p wa -k scope" + state: present + tags: + - level2 + - auditd + - patch + - rule_4.1.15 + +- name: "SCORED | 4.1.15 | PATCH | Ensure changes to system administration scope (sudoers) is collected" + lineinfile: + dest: /etc/audit/rules.d/audit.rules + line: "-w /etc/sudoers.d -p wa -k scope" + state: present + tags: + - level2 + - auditd + - patch + - rule_4.1.15 + +- name: "SCORED | 4.1.16 | PATCH | Ensure system administrator actions (sudolog) are collected" + command: /bin/true + changed_when: no + tags: + - level2 + - auditd + - patch + - rule_4.1.16 + - notimplemented + +- name: "SCORED | 4.1.17 | PATCH | Ensure kernel module loading and unloading is collected" + command: /bin/true + changed_when: no + tags: + - level2 + - auditd + - patch + - rule_4.1.17 + - notimplemented + +- name: "SCORED | 4.1.18 | PATCH | Ensure the audit configuration is immutable" + command: /bin/true + changed_when: no + tags: + - level2 + - auditd + - patch + - rule_4.1.18 + - notimplemented + +- name: "SCORED | 4.2.3 | PATCH | Ensure rsyslog or syslog-ng is installed" + apt: + name: "{{ ubuntu1604cis_syslog }}" + state: present + tags: + - level1 + - level2 + - patch + - rule_4.2.3 + +- name: "SCORED | 4.2.1.1 | PATCH | Ensure rsyslog Service is enabled" + command: /bin/true + changed_when: no + tags: + - level1 + - level2 + - patch + - 
rule_4.2.1.1 + - notimplemented + +- name: "NOTSCORED | 4.2.1.2 | PATCH | Ensure logging is configured" + command: /bin/true + changed_when: no + tags: + - level1 + - level2 + - patch + - rule_4.2.1.2 + - notimplemented + +- name: "SCORED | 4.2.1.3 | PATCH | Ensure rsyslog default file permissions configured" + lineinfile: + dest: /etc/rsyslog.conf + regexp: '^\$FileCreateMode' + line: '$FileCreateMode 0640' + tags: + - level1 + - level2 + - patch + - rule_4.2.1.3 + +- name: "SCORED | 4.2.1.4 | PATCH | Ensure rsyslog is configured to send logs to a remote log host" + command: /bin/true + changed_when: no + tags: + - level1 + - level2 + - patch + - rule_4.2.1.4 + - notimplemented + +- name: "NOTSCORED | 4.2.1.5 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts." + command: /bin/true + changed_when: no + tags: + - level1 + - level2 + - patch + - rule_4.2.1.5 + - notimplemented + +- name: "NOTSCORED | 4.2.1.5 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts." 
+ command: /bin/true + changed_when: no + tags: + - level1 + - level2 + - patch + - rule_4.2.1.5 + - notimplemented + +- name: "SCORED | 4.2.2.1 | PATCH | Ensure syslog-ng service is enabled" + command: /bin/true + changed_when: no + tags: + - level1 + - level2 + - patch + - rule_4.2.2.1 + - notimplemented + +- name: "NOTSCORED | 4.2.2.2 | PATCH | Ensure logging is configured" + command: /bin/true + changed_when: no + tags: + - level1 + - level2 + - patch + - rule_4.2.2.2 + - notimplemented + +- name: "SCORED | 4.2.2.3 | PATCH | Ensure syslog-ng default file permissions configured" + command: /bin/true + changed_when: no + tags: + - level1 + - level2 + - patch + - rule_4.2.2.3 + - notimplemented + +- name: "NOTSCORED | 4.2.2.4 | PATCH | Ensure syslog-ng is configured to send logs to a remote log host" + command: /bin/true + changed_when: no + tags: + - level1 + - level2 + - patch + - rule_4.2.2.4 + - notimplemented + +- name: "NOTSCORED | 4.2.2.5 | PATCH | Ensure remote syslog-ng messages are only accepted on designated log hosts" + command: /bin/true + changed_when: no + tags: + - level1 + - level2 + - patch + - rule_4.2.2.5 + - notimplemented + +- name: "SCORED | 4.2.4 | PATCH | Ensure permissions on all logfiles are configured" + command: find /var/log -type f -exec chmod g-wx,o-rwx {} + + changed_when: no + failed_when: no + tags: + - level1 + - level2 + - patch + - rule_4.2.4 + +- name: "NOTSCORED | 4.3 | PATCH | Ensure logrotate is configured" + command: /bin/true + changed_when: no + tags: + - level1 + - level2 + - patch + - rule_4.3 diff --git a/tasks/section5.yml b/tasks/section5.yml new file mode 100644 index 0000000..c409a92 --- /dev/null +++ b/tasks/section5.yml 
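Review bot: The audit rule tasks write to `/etc/audit/audit.rules` and `/etc/audit/rules.d/audit.rules` with `lineinfile` but none of them carries a `notify`, so the rules added in 4.1.13 and 4.1.15 are not loaded into the running auditd until the next restart or reboot. The two files are also populated inconsistently: in 4.1.13 the `arch=b64` mount rule goes only to `/etc/audit/audit.rules` and the `arch=b32` rule only to `rules.d`, and in 4.1.15 the `/etc/sudoers.d` watch goes only to `rules.d`; on an auditd that regenerates `audit.rules` from `rules.d` (augenrules), anything written only to `audit.rules` is lost, so each rule should land in one agreed file and be followed by a handler (a `restart auditd`-style handler if one exists in handlers/main.yml, or `augenrules --load`). The same missing notify applies to the `$FileCreateMode 0640` edit in 4.2.1.3, which needs an rsyslog restart before new log files get the tighter mode. This hunk is rendered garbled between 4.1.3 and 4.1.13 (the grub `regexp` runs straight into an audit rule line), so the tasks in that stretch could not be reviewed here.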
@@ -0,0 +1,584 @@ +- name: "SCORED | 5.1.1 | PATCH | Ensure cron daemon is enabled" + service: + name: "{{ cron_service[ansible_os_family] }}" + enabled: yes + tags: + - level1 + - level2 + - patch + - rule_5.1.1 + +- name: "SCORED | 5.1.2 | PATCH | Ensure permissions on /etc/crontab are configured" + file: + dest: /etc/crontab + owner: root + group: root + mode: 0600 + tags: + - level1 + - level2 + - patch + - rule_5.1.2 + +- name: "SCORED | 5.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured" + file: + dest: /etc/cron.hourly + state: directory + owner: root + group: root + mode: 0700 + tags: + - level1 + - level2 + - patch + - rule_5.1.3 + +- name: "SCORED | 5.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured" + file: + dest: /etc/cron.daily + state: directory + owner: root + group: root + mode: 0700 + tags: + - level1 + - level2 + - patch + - rule_5.1.4 + +- name: "SCORED | 5.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" + file: + dest: /etc/cron.weekly + state: directory + owner: root + group: root + mode: 0700 + tags: + - level1 + - level2 + - patch + - rule_5.1.5 + +- name: "SCORED | 5.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured" + file: + dest: /etc/cron.monthly + state: directory + owner: root + group: root + mode: 0700 + tags: + - level1 + - level2 + - patch + - rule_5.1.6 + +- name: "SCORED | 5.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured" + file: + dest: /etc/cron.d + state: directory + owner: root + group: root + mode: 0700 + tags: + - level1 + - level2 + - patch + - rule_5.1.7 + +- name: "SCORED | 5.1.8 | PATCH | Ensure at/cron is restricted to authorized users" + file: + dest: /etc/at.deny + state: absent + tags: + - level1 + - level2 + - patch + - rule_5.1.8 + +- stat: + path: "/etc/at.allow" + register: p + tags: + - level1 + - level2 + - patch + - rule_5.1.8 + +- name: "SCORED | 5.1.8 | PATCH | Ensure at/cron is restricted to authorized users" + 
file: + dest: /etc/at.allow + state: '{{ "file" if p.stat.exists else "touch"}}' + owner: root + group: root + mode: 0600 + tags: + - level1 + - level2 + - patch + - rule_5.1.8 + +- name: "SCORED | 5.1.8 | PATCH | Ensure at/cron is restricted to authorized users" + file: + dest: /etc/cron.deny + state: absent + tags: + - level1 + - level2 + - patch + - rule_5.1.8 + +- stat: + path: "/etc/cron.allow" + register: p + tags: + - level1 + - level2 + - patch + - rule_5.1.8 + +- name: "SCORED | 5.1.8 | PATCH | Ensure at/cron is restricted to authorized users" + file: + dest: /etc/cron.allow + state: '{{ "file" if p.stat.exists else "touch"}}' + owner: root + group: root + mode: 0600 + tags: + - level1 + - level2 + - patch + - rule_5.1.8 + +- name: "SCORED | 5.2.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" + file: + dest: /etc/ssh/sshd_config + state: file + owner: root + group: root + mode: 0600 + tags: + - level1 + - level2 + - patch + - rule_5.2.1 + +- name: "SCORED | 5.2.2 | PATCH | Ensure SSH Protocol is set to 2" + lineinfile: + state: present + dest: /etc/ssh/sshd_config + regexp: '^Protocol' + line: 'Protocol 2' + tags: + - level1 + - level2 + - patch + - rule_5.2.2 + +- name: "SCORED | 5.2.3 | PATCH | Ensure SSH LogLevel is set to INFO" + lineinfile: + state: present + dest: /etc/ssh/sshd_config + regexp: '^LogLevel' + line: 'LogLevel INFO' + tags: + - level1 + - level2 + - patch + - rule_5.2.3 + +- name: "SCORED | 5.2.4 | PATCH | Ensure SSH X11 forwarding is disabled" + lineinfile: + state: present + dest: /etc/ssh/sshd_config + regexp: '^X11Forwarding' + line: 'X11Forwarding no' + tags: + - level1 + - level2 + - patch + - rule_5.2.4 + +- name: "SCORED | 5.2.5 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less" + lineinfile: + state: present + dest: /etc/ssh/sshd_config + regexp: '^(#)?MaxAuthTries \d' + line: 'MaxAuthTries 4' + tags: + - level1 + - level2 + - patch + - rule_5.2.5 + +- name: "SCORED | 5.2.6 | PATCH | Ensure SSH 
IgnoreRhosts is enabled" + lineinfile: + state: present + dest: /etc/ssh/sshd_config + regexp: '^IgnoreRhosts' + line: 'IgnoreRhosts yes' + tags: + - level1 + - level2 + - patch + - rule_5.2.6 + +- name: "SCORED | 5.2.7 | PATCH | Ensure SSH HostbasedAuthentication is disabled" + lineinfile: + state: present + dest: /etc/ssh/sshd_config + regexp: '^HostbasedAuthentication' + line: 'HostbasedAuthentication no' + tags: + - level1 + - level2 + - patch + - rule_5.2.7 + +- name: "SCORED | 5.2.8 | PATCH | Ensure SSH root login is disabled" + lineinfile: + state: present + dest: /etc/ssh/sshd_config + regexp: '^PermitRootLogin' + line: 'PermitRootLogin no' + tags: + - level1 + - level2 + - patch + - rule_5.2.8 + +- name: "SCORED | 5.2.9 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" + lineinfile: + state: present + dest: /etc/ssh/sshd_config + regexp: '^PermitEmptyPasswords' + line: 'PermitEmptyPasswords no' + tags: + - level1 + - level2 + - patch + - rule_5.2.9 + +- name: "SCORED | 5.2.10 | PATCH | Ensure SSH PermitUserEnvironment is disabled" + lineinfile: + state: present + dest: /etc/ssh/sshd_config + regexp: '^PermitUserEnvironment' + line: 'PermitUserEnvironment no' + tags: + - level1 + - level2 + - patch + - rule_5.2.10 + +- name: "SCORED | 5.2.11 | PATCH | Ensure only approved ciphers are used" + lineinfile: + state: present + dest: /etc/ssh/sshd_config + regexp: '^Ciphers' + line: 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr' + tags: + - level1 + - level2 + - patch + - rule_5.2.11 + +- name: "SCORED | 5.2.12 | PATCH | Ensure only approved MAC algorithms are used" + lineinfile: + state: present + dest: /etc/ssh/sshd_config + regexp: '^MACs' + line: 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com' + tags: + - level1 + - level2 + - patch + - rule_5.2.12 + +- name: "SCORED | 5.2.13 | PATCH | Ensure SSH Idle Timeout Interval is configured" + lineinfile: + state: present + 
dest: /etc/ssh/sshd_config + regexp: '^ClientAliveInterval' + line: "ClientAliveInterval {{ ubuntu1604cis_sshd['clientaliveinterval'] }}" + tags: + - level1 + - level2 + - patch + - rule_5.2.13 + +- name: "SCORED | 5.2.13 | PATCH | Ensure SSH ClientAliveCountMax set to <= 3" + lineinfile: + state: present + dest: /etc/ssh/sshd_config + regexp: '^ClientAliveCountMax' + line: "ClientAliveCountMax {{ ubuntu1604cis_sshd['clientalivecountmax'] }}" + tags: + - level1 + - level2 + - patch + - rule_5.2.13 + +- name: "SCORED | 5.2.14 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less" + lineinfile: + state: present + dest: /etc/ssh/sshd_config + regexp: '^LoginGraceTime' + line: 'LoginGraceTime 60' + tags: + - level1 + - level2 + - patch + - rule_5.2.14 + +- name: "SCORED | 5.2.15 | PATCH | Ensure SSH access is limited - allowusers" + lineinfile: + state: present + dest: /etc/ssh/sshd_config + regexp: "^AllowUsers" + line: AllowUsers {{ ubuntu1604cis_sshd['allowusers'] }} + notify: + - restart sshd + when: "ubuntu1604cis_sshd['allowusers']|default('') != ''" + tags: + - level1 + - level2 + - patch + - rule_5.2.15 + +- name: "SCORED | 5.2.15 | PATCH | Ensure SSH access is limited - allowgroups" + lineinfile: + state: present + dest: /etc/ssh/sshd_config + regexp: "^AllowGroups" + line: AllowGroups {{ ubuntu1604cis_sshd['allowgroups'] }} + notify: + - restart sshd + when: "ubuntu1604cis_sshd['allowgroups']|default('') != ''" + tags: + - level1 + - level2 + - patch + - rule_5.2.15 + +- name: "SCORED | 5.2.15 | PATCH | Ensure SSH access is limited - denyusers" + lineinfile: + state: present + dest: /etc/ssh/sshd_config + regexp: "^DenyUsers" + line: DenyUsers {{ ubuntu1604cis_sshd['denyusers'] }} + notify: + - restart sshd + when: "ubuntu1604cis_sshd['denyusers']|default('') != ''" + tags: + - level1 + - level2 + - patch + - rule_5.2.15 + +- name: "SCORED | 5.2.15 | PATCH | Ensure SSH access is limited - denygroups" + lineinfile: + state: present + dest: 
/etc/ssh/sshd_config + regexp: "^DenyGroups" + line: DenyGroups {{ ubuntu1604cis_sshd['denygroups'] }} + notify: + - restart sshd + when: "ubuntu1604cis_sshd['denygroups']|default('') != ''" + tags: + - level1 + - level2 + - patch + - rule_5.2.15 + +- name: "SCORED | 5.2.16 | PATCH | Ensure SSH warning banner is configured" + lineinfile: + state: present + dest: /etc/ssh/sshd_config + regexp: '^Banner' + line: 'Banner /etc/issue.net' + tags: + - level1 + - level2 + - patch + - rule_5.2.16 + +- name: "SCORED | 5.3.1 | PATCH | Ensure password creation requirements are configured" + package: + name: libpam-pwquality + state: present + when: ansible_os_family == "Debian" + tags: + - level1 + - level2 + - patch + - rule_5.3.1 + +- name: "SCORED | 5.3.1 | PATCH | Ensure password creation requirements are configured" + lineinfile: + state: present + dest: /etc/security/pwquality.conf + regexp: '^{{ item.key }}' + line: '{{ item.key }} = {{ item.value }}' + with_items: + - { key: 'minlen', value: '14' } + - { key: 'dcredit', value: '-1' } + - { key: 'ucredit', value: '-1' } + - { key: 'ocredit', value: '-1' } + - { key: 'lcredit', value: '-1' } + tags: + - level1 + - level2 + - patch + - rule_5.3.1 + +- name: "SCORED | 5.3.2 | PATCH | Ensure lockout for failed password attempts is configured" + command: /bin/true + changed_when: no + tags: + - level1 + - level2 + - patch + - rule_5.3.2 + - notimplemented + +- name: "SCORED | 5.3.3 | PATCH | Ensure password reuse is limited" + command: /bin/true + changed_when: no + tags: + - level1 + - level2 + - patch + - rule_5.3.3 + - notimplemented + +- name: "SCORED | 5.3.4 | PATCH | Ensure password hashing algorithm is SHA-512" + command: authconfig --passalgo=sha512 --update + changed_when: no + failed_when: no + tags: + - level1 + - level2 + - patch + - rule_5.3.4 + +- name: "SCORED | 5.4.1.1 | PATCH | Ensure password expiration is 90 days or less" + lineinfile: + state: present + dest: /etc/login.defs + regexp: '^PASS_MAX_DAYS' + 
line: 'PASS_MAX_DAYS 90' + tags: + - level1 + - level2 + - patch + - rule_5.4.1.1 + +- name: "SCORED | 5.4.1.2 | PATCH | Ensure minimum days between password changes is 7 or more" + lineinfile: + state: present + dest: /etc/login.defs + regexp: '^PASS_MIN_DAYS' + line: 'PASS_MIN_DAYS 7' + tags: + - level1 + - level2 + - patch + - rule_5.4.1.2 + +- name: "SCORED | 5.4.1.3 | PATCH | Ensure password expiration warning days is 7 or more" + lineinfile: + state: present + dest: /etc/login.defs + regexp: '^PASS_WARN_AGE' + line: 'PASS_WARN_AGE 7' + tags: + - level1 + - level2 + - patch + - rule_5.4.1.3 + +- name: "SCORED | 5.4.1.4 | PATCH | Ensure inactive password lock is 30 days or less" + command: /bin/true + changed_when: no + tags: + - level1 + - level2 + - patch + - rule_5.4.1.4 + - notimplemented + +- name: "SCORED | 5.4.2 | PATCH | Ensure system accounts are non-login" + command: /bin/true + changed_when: no + tags: + - level1 + - level2 + - patch + - rule_5.4.2 + - notimplemented + +- name: "SCORED | 5.4.3 | PATCH | Ensure default group for the root account is GID 0" + command: usermod -g 0 root + changed_when: no + failed_when: no + tags: + - level1 + - level2 + - patch + - rule_5.4.3 + +- name: "SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive - /etc/bashrc" + replace: + path: "{{ bashrc_file[ansible_os_family] }}" + regexp: '(^\s+umask) 002' + replace: '\1 027' + tags: + - level1 + - level2 + - patch + - rule_5.4.4 + +- name: "SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive - /etc/profile" + replace: + path: /etc/profile + regexp: '(^\s+umask) 002' + replace: '\1 027' + tags: + - level1 + - level2 + - patch + - rule_5.4.4 + +- name: "NOTSCORED | 5.5 | PATCH | Ensure root login is restricted to system console" + command: /bin/true + changed_when: no + tags: + - level1 + - level2 + - patch + - rule_5.5 + - notimplemented + +- name: "SCORED | 5.6 | PATCH | Ensure access to the su command is restricted" + 
lineinfile: + state: present + dest: /etc/pam.d/su + regexp: '^(#)?auth\s+required\s+pam_wheel\.so' + line: 'auth required pam_wheel.so use_uid' + when: ansible_os_family == "RedHat" + tags: + - level1 + - level2 + - patch + - rule_5.6 + +- name: "SCORED | 5.6 | PATCH | Ensure access to the su command is restricted - wheel group contains root" + user: + name: root + groups: wheel + when: ansible_os_family == "RedHat" + tags: + - level1 + - level2 + - patch + - rule_5.6 diff --git a/tasks/section6.yml b/tasks/section6.yml new file mode 100644 index 0000000..0acd3fc --- /dev/null +++ b/tasks/section6.yml 
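Review bot: The sshd_config edits in 5.2.1–5.2.16 run without `validate` and, apart from the four 5.2.15 tasks, without `notify: - restart sshd`, so the hardened settings stay inactive until something else restarts sshd, and a directive the installed OpenSSH rejects (the long `MACs` list in 5.2.12 is the likely candidate on older builds) is only discovered when sshd fails to come back, locking out remote management. Adding `validate: '/usr/sbin/sshd -t -f %s'` and `notify: - restart sshd` to every lineinfile that touches `/etc/ssh/sshd_config` closes both gaps. 5.3.4 runs `authconfig --passalgo=sha512 --update`, a RedHat tool not present on Ubuntu 16.04, and `failed_when: no` hides the missing binary, so the SHA-512 hashing control is silently skipped on the role's target platform (on Ubuntu the setting lives in `/etc/pam.d/common-password`, which would be the place to assert it). Likewise 5.6 is gated on `ansible_os_family == "RedHat"`, so the su restriction is never applied on Ubuntu even though `pam_wheel.so` in `/etc/pam.d/su` works there too.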
@@ -0,0 +1,351 @@
+- name: "NOTSCORED | 6.1.1 | PATCH | Audit system file permissions"
+ command: /bin/true
+ changed_when: no
+ tags:
+ - level2
+ - patch
+ - rule_6.1.1
+ - notimplemented
+
+- name: "SCORED | 6.1.2 | PATCH | Ensure permissions on /etc/passwd are configured"
+ file:
+ dest: /etc/passwd
+ owner: root
+ group: root
+ mode: 0644
+ tags:
+ - level1
+ - level2
+ - patch
+ - rule_6.1.2
+
+- name: "SCORED | 6.1.3 | PATCH | Ensure permissions on /etc/shadow are configured"
+ file:
+ dest: /etc/shadow
+ owner: root
+ group: root
+ mode: 0000
+ tags:
+ - level1
+ - level2
+ - patch
+ - rule_6.1.3
+
+- name: "SCORED | 6.1.4 | PATCH | Ensure permissions on /etc/group are configured"
+ file:
+ dest: /etc/group
+ owner: root
+ group: root
+ mode: 0644
+ tags:
+ - level1
+ - level2
+ - patch
+ - rule_6.1.4
+
+- name: "SCORED | 6.1.5 | PATCH | Ensure permissions on /etc/gshadow are configured"
+ file:
+ dest: /etc/gshadow
+ owner: root
+ group: root
+ mode: 0000
+ tags:
+ - level1
+ - level2
+ - patch
+ - rule_6.1.5
+
+- name: "SCORED | 6.1.6 | PATCH | Ensure permissions on /etc/passwd- are configured"
+ file:
+ dest: /etc/passwd-
+ owner: root
+ group: root
+ mode: 0600
+ tags:
+ - level1
+ - level2
+ - patch
+ - rule_6.1.6
+
+- name: "SCORED | 6.1.7 | PATCH | Ensure permissions on /etc/shadow- are configured"
+ file:
+ dest: /etc/shadow-
+ owner: root
+ group: root
+ mode: 0000
+ tags:
+ - level1
+ - level2
+ - patch
+ - rule_6.1.7
+
+- name: "SCORED | 6.1.8 | PATCH | Ensure permissions on /etc/group- are configured"
+ file:
+ dest: /etc/group-
+ owner: root
+ group: root
+ mode: 0600
+ tags:
+ - level1
+ - level2
+ - patch
+ - rule_6.1.8
+
+- name: "SCORED | 6.1.9 | PATCH | Ensure permissions on /etc/gshadow- are configured"
+ file:
+ dest: /etc/gshadow-
+ owner: root
+ group: root
+ mode: 0600
+ tags:
+ - level1
+ - level2
+ - patch
+ - rule_6.1.9
+
+- name: "SCORED | 6.1.10 | PATCH | Ensure no world writable files exist"
+ command: /bin/true
+ changed_when: no
+ tags:
+ - level1
+ - level2
+ - patch
+ - rule_6.1.10
+ - notimplemented
+
+- name: "SCORED | 6.1.11 | PATCH | Ensure no unowned files or directories exist"
+ command: /bin/true
+ changed_when: no
+ tags:
+ - level1
+ - level2
+ - patch
+ - rule_6.1.11
+ - notimplemented
+
+- name: "SCORED | 6.1.12 | PATCH | Ensure no ungrouped files or directories exist"
+ command: /bin/true
+ changed_when: no
+ tags:
+ - level1
+ - level2
+ - patch
+ - rule_6.1.12
+ - notimplemented
+
+- name: "NOTSCORED | 6.1.13 | PATCH | Audit SUID executables"
+ command: /bin/true
+ changed_when: no
+ tags:
+ - level1
+ - level2
+ - patch
+ - rule_6.1.13
+ - notimplemented
+
+- name: "NOTSCORED | 6.1.14 | PATCH | Audit SGID executables"
+ command: /bin/true
+ changed_when: no
+ tags:
+ - level1
+ - level2
+ - patch
+ - rule_6.1.14
+ - notimplemented
+
+- name: "SCORED | 6.2.1 | PATCH | Ensure password fields are not empty"
+ command: passwd -l {{ item }}
+ changed_when: no
+ failed_when: no
+ with_items: "{{ empty_password_accounts.stdout_lines }}"
+ when: empty_password_accounts.rc
+ tags:
+ - level1
+ - level2
+ - patch
+ - rule_6.2.1
+
+- name: "SCORED | 6.2.2 | PATCH | Ensure no legacy '+' entries exist in /etc/passwd"
+ command: sed -i '/^+/ d' /etc/passwd
+ changed_when: no
+ failed_when: no
+ tags:
+ - level1
+ - level2
+ - patch
+ - rule_6.2.2
+
+- name: "SCORED | 6.2.3 | PATCH | Ensure no legacy '+' entries exist in /etc/shadow"
+ command: sed -i '/^+/ d' /etc/shadow
+ changed_when: no
+ failed_when: no
+ tags:
+ - level1
+ - level2
+ - patch
+ - rule_6.2.3
+
+- name: "SCORED | 6.2.4 | PATCH | Ensure no legacy '+' entries exist in /etc/group"
+ command: sed -i '/^+/ d' /etc/group
+ changed_when: no
+ failed_when: no
+ tags:
+ - level1
+ - level2
+ - patch
+ - rule_6.2.4
+
+- name: "SCORED | 6.2.5 | PATCH | Ensure root is the only UID 0 account"
+ command: passwd -l {{ item }}
+ changed_when: no
+ failed_when: no
+ with_items: "{{ uid_zero_accounts_except_root.stdout_lines }}"
+ when: uid_zero_accounts_except_root.rc
+ tags:
+ - level1
+ - level2
+ - patch
+ - rule_6.2.5
+
+- name: "SCORED | 6.2.6 | PATCH | Ensure root PATH Integrity"
+ command: /bin/true
+ changed_when: no
+ tags:
+ - level1
+ - level2
+ - patch
+ - rule_6.2.6
+ - notimplemented
+
+- name: "SCORED | 6.2.7 | PATCH | Ensure all users' home directories exist"
+ command: /bin/true
+ changed_when: no
+ tags:
+ - level1
+ - level2
+ - patch
+ - rule_6.2.7
+ - notimplemented
+
+- name: "SCORED | 6.2.8 | PATCH | Ensure users' home directories permissions are 750 or more restrictive"
+ command: /bin/true
+ changed_when: no
+ tags:
+ - level1
+ - level2
+ - patch
+ - rule_6.2.8
+ - notimplemented
+
+- name: "SCORED | 6.2.9 | PATCH | Ensure users own their home directories"
+ command: /bin/true
+ changed_when: no
+ tags:
+ - level1
+ - level2
+ - patch
+ - rule_6.2.9
+ - notimplemented
+
+- name: "SCORED | 6.2.10 | PATCH | Ensure users' dot files are not group or world writable"
+ command: /bin/true
+ changed_when: no
+ tags:
+ - level1
+ - level2
+ - patch
+ - rule_6.2.10
+ - notimplemented
+
+- name: "SCORED | 6.2.11 | PATCH | Ensure no users have .forward files"
+ file:
+ state: absent
+ dest: "~{{ item }}/.forward"
+ with_items: "{{ users.stdout_lines }}"
+ tags:
+ - level1
+ - level2
+ - patch
+ - rule_6.2.11
+
+- name: "SCORED | 6.2.12 | PATCH | Ensure no users have .netrc files"
+ file:
+ state: absent
+ dest: "~{{ item }}/.netrc"
+ with_items: "{{ users.stdout_lines }}"
+ tags:
+ - level1
+ - level2
+ - patch
+ - rule_6.2.12
+
+# - name: "SCORED | 6.2.13 | PATCH | Ensure users' .netrc Files are not group or world accessible"
+# file:
+# mode: 0600
+# dest: "~{{ item }}/.netrc"
+# with_items: "{{ users.stdout_lines }}"
+# tags:
+# - level1
+# - level2
+# - patch
+# - rule_6.2.13
+
+- name: "SCORED | 6.2.14 | PATCH | Ensure no users have .rhosts files"
+ file:
+ state: absent
+ dest: "~{{ item }}/.rhosts"
+ with_items: "{{ users.stdout_lines }}"
+ tags:
+ - level1
+ - level2
+ - patch
+ - rule_6.2.14
+
+- name: "SCORED | 6.2.15 | PATCH | Ensure all groups in /etc/passwd exist in /etc/group"
+ command: /bin/true
+ changed_when: no
+ tags:
+ - level1
+ - level2
+ - patch
+ - rule_6.2.15
+ - notimplemented
+
+- name: "SCORED | 6.2.16 | PATCH | Ensure no duplicate UIDs exist"
+ command: /bin/true
+ changed_when: no
+ tags:
+ - level1
+ - level2
+ - patch
+ - rule_6.2.16
+ - notimplemented
+
+- name: "SCORED | 6.2.17 | PATCH | Ensure no duplicate GIDs exist"
+ command: /bin/true
+ changed_when: no
+ tags:
+ - level1
+ - level2
+ - patch
+ - rule_6.2.17
+ - notimplemented
+
+- name: "SCORED | 6.2.18 | PATCH | Ensure no duplicate user names exist"
+ command: /bin/true
+ changed_when: no
+ tags:
+ - level1
+ - level2
+ - patch
+ - rule_6.2.18
+ - notimplemented
+
+- name: "SCORED | 6.2.19 | PATCH | Ensure no duplicate group names exist"
+ command: /bin/true
+ changed_when: no
+ tags:
+ - level1
+ - level2
+ - patch
+ - rule_6.2.19
diff --git a/templates/chrony.conf.j2 b/templates/chrony.conf.j2
new file mode 100644
index 0000000..7a0e7ac
--- /dev/null
+++ b/templates/chrony.conf.j2
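Review bot: Tasks 6.1.3, 6.1.5 and 6.1.7 force /etc/shadow, /etc/gshadow and /etc/shadow- to `group: root` with `mode: 0000`, which is the Red Hat layout; Ubuntu ships these files as root:shadow 0640 and the Ubuntu 16.04 benchmark asks for `owner: root`, `group: shadow`, `mode: 0640` (6.1.9 leaving gshadow- at 0600 while shadow- gets 0000 shows the values were not reconciled). On Debian-derived systems the password-verification helpers (unix_chkpwd and friends) appear to run setgid shadow rather than setuid root, so stripping group read can break screen unlock and non-root PAM authentication — confirm on a target before keeping 0000. The `file:` tasks in 6.1.6–6.1.9 give no `state:`, so on a host where a backup file such as /etc/gshadow- does not exist yet the module aborts the play instead of skipping; gate each on a `stat` result. 6.2.1 and 6.2.5 run only `when: ...rc` is truthy, i.e. when the prelim command exited non-zero — if that command is an awk/grep pipeline that exits 0 on success (not visible here) the `passwd -l` never fires and `failed_when: no` hides it, so gate on `when: empty_password_accounts.stdout_lines | length > 0` instead. 6.2.2–6.2.4 rewrite /etc/passwd, /etc/shadow and /etc/group with `sed -i` on every run while reporting no change; `lineinfile: { path: /etc/passwd, regexp: '^\+', state: absent }` is idempotent and reports correctly, and the 6.2.19 stub is the only `/bin/true` task missing the `notimplemented` tag.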
@@ -0,0 +1,93 @@
+# This the default chrony.conf file for the Debian chrony package. After
+# editing this file use the command 'invoke-rc.d chrony restart' to make
+# your changes take effect. John Hasler 1998-2008
+
+# See www.pool.ntp.org for an explanation of these servers. Please
+# consider joining the project if possible. If you can't or don't want to
+# use these servers I suggest that you try your ISP's nameservers. We mark
+# the servers 'offline' so that chronyd won't try to connect when the link
+# is down. Scripts in /etc/ppp/ip-up.d and /etc/ppp/ip-down.d use chronyc
+# commands to switch it on when a dialup link comes up and off when it goes
+# down. Code in /etc/init.d/chrony attempts to determine whether or not
+# the link is up at boot time and set the online status accordingly. If
+# you have an always-on connection such as cable omit the 'offline'
+# directive and chronyd will default to online.
+#
+# Note that if Chrony tries to go "online" and dns lookup of the servers
+# fails they will be discarded. Thus under some circumstances it is
+# better to use IP numbers than host names.
+
+{% for server in ubuntu1604cis_time_synchronization_servers -%}
+server {{ server }} minpoll 8
+{% endfor %}
+
+# Look here for the admin password needed for chronyc. The initial
+# password is generated by a random process at install time. You may
+# change it if you wish.
+
+keyfile /etc/chrony/chrony.keys
+
+# Set runtime command key. Note that if you change the key (not the
+# password) to anything other than 1 you will need to edit
+# /etc/ppp/ip-up.d/chrony, /etc/ppp/ip-down.d/chrony, /etc/init.d/chrony
+# and /etc/cron.weekly/chrony as these scripts use it to get the password.
+
+commandkey 1
+
+# I moved the driftfile to /var/lib/chrony to comply with the Debian
+# filesystem standard.
+
+driftfile /var/lib/chrony/chrony.drift
+
+# Comment this line out to turn off logging.
+
+log tracking measurements statistics
+logdir /var/log/chrony
+
+# Stop bad estimates upsetting machine clock.
+
+maxupdateskew 100.0
+
+# Dump measurements when daemon exits.
+
+dumponexit
+
+# Specify directory for dumping measurements.
+
+dumpdir /var/lib/chrony
+
+# Let computer be a server when it is unsynchronised.
+
+local stratum 10
+
+# Allow computers on the unrouted nets to use the server.
+
+#allow 10/8
+#allow 192.168/16
+#allow 172.16/12
+
+# This directive forces `chronyd' to send a message to syslog if it
+# makes a system clock adjustment larger than a threshold value in seconds.
+
+logchange 0.5
+
+# This directive defines an email address to which mail should be sent
+# if chronyd applies a correction exceeding a particular threshold to the
+# system clock.
+
+# mailonchange root@localhost 0.5
+
+# This directive tells chrony to regulate the real-time clock and tells it
+# Where to store related data. It may not work on some newer motherboards
+# that use the HPET real-time clock. It requires enhanced real-time
+# support in the kernel. I've commented it out because with certain
+# combinations of motherboard and kernel it is reported to cause lockups.
+
+# rtcfile /var/lib/chrony/chrony.rtc
+
+# If the last line of this file reads 'rtconutc' chrony will assume that
+# the CMOS clock is on UTC (GMT). If it reads '# rtconutc' or is absent
+# chrony will assume local time. The line (if any) was written by the
+# chrony postinst based on what it found in /etc/default/rcS. You may
+# change it if necessary.
+rtconutc
diff --git a/templates/etc/issue.j2 b/templates/etc/issue.j2
new file mode 100644
index 0000000..9facfcc
--- /dev/null
+++ b/templates/etc/issue.j2
@@ -0,0 +1 @@
+{{ ubuntu1604cis_warning_banner }}
diff --git a/templates/etc/issue.net.j2 b/templates/etc/issue.net.j2
new file mode 100644
index 0000000..9facfcc
--- /dev/null
+++ b/templates/etc/issue.net.j2
@@ -0,0 +1 @@
+{{ ubuntu1604cis_warning_banner }}
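Review bot: `local stratum 10` declares this host willing to hand out its own free-running clock, but with every `allow` line commented out chronyd serves no clients at all, so the directive only obscures the intent — drop it, or pair it with an explicit `allow`/`deny` block if the host is really meant to be a time server. The `server {{ server }} minpoll 8` lines omit `iburst`, unlike the sibling ntp.conf.j2 template, which slows the first sync after every restart; `server {{ server }} iburst minpoll 8` keeps both templates consistent. The long Debian-packaging comments about `invoke-rc.d`, the ppp hook scripts and the 'offline' marker describe a file this role now overwrites, so they should be trimmed to a one-line "managed by Ansible" header rather than promising behaviour the template does not implement.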
diff --git a/templates/etc/motd.j2 b/templates/etc/motd.j2
new file mode 100644
index 0000000..9facfcc
--- /dev/null
+++ b/templates/etc/motd.j2
@@ -0,0 +1 @@
+{{ ubuntu1604cis_warning_banner }}
diff --git a/templates/hosts.allow.j2 b/templates/hosts.allow.j2
new file mode 100644
index 0000000..aa3ca6d
--- /dev/null
+++ b/templates/hosts.allow.j2
@@ -0,0 +1,11 @@
+#
+# hosts.allow This file contains access rules which are used to
+# allow or deny connections to network services that
+# either use the tcp_wrappers library or that have been
+# started through a tcp_wrappers-enabled xinetd.
+#
+# See 'man 5 hosts_options' and 'man 5 hosts_access'
+# for information on rule syntax.
+# See 'man tcpd' for information on tcp_wrappers
+#
+ALL: {% for iprange in ubuntu1604cis_host_allow -%}{{ iprange }}{% if not loop.last %}, {% endif %}{% endfor %}
diff --git a/templates/ntp.conf.j2 b/templates/ntp.conf.j2
new file mode 100644
index 0000000..d469d61
--- /dev/null
+++ b/templates/ntp.conf.j2
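Review bot: The final `ALL:` rule renders as `ALL:` with an empty client list whenever `ubuntu1604cis_host_allow` is an empty list, and a rule with no clients appears to match nothing; if the role also writes `ALL: ALL` to /etc/hosts.deny for benchmark item 3.4.3 (not visible here) that combination locks every wrapped service, including sshd on Ubuntu, out of the host on the next connection. Guard the template with an `assert: that: ubuntu1604cis_host_allow | length > 0` task before it is rendered, or wrap the rule in `{% if ubuntu1604cis_host_allow %}…{% endif %}` and document in defaults/main.yml that an empty list means "deny everything". An undefined variable already fails the template task, which is the safer failure mode, so only the empty-list case needs the check.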
@@ -0,0 +1,59 @@
+# For more information about this file, see the man pages
+# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
+
+driftfile /var/lib/ntp/drift
+
+# Permit time synchronization with our time source, but do not
+# permit the source to query or modify the service on this system.
+#restrict default nomodify notrap nopeer noquery
+restrict -4 default kod nomodify notrap nopeer noquery
+restrict -6 default kod nomodify notrap nopeer noquery
+
+# Permit all access over the loopback interface. This could
+# be tightened as well, but to do so would effect some of
+# the administrative functions.
+restrict 127.0.0.1
+restrict ::1
+
+# Hosts on local network are less restricted.
+#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
+
+# Use public servers from the pool.ntp.org project.
+# Please consider joining the pool (http://www.pool.ntp.org/join.html).
+{% for server in ubuntu1604cis_time_synchronization_servers -%}
+server {{ server }} iburst
+{% endfor %}
+
+#broadcast 192.168.1.255 autokey # broadcast server
+#broadcastclient # broadcast client
+#broadcast 224.0.1.1 autokey # multicast server
+#multicastclient 224.0.1.1 # multicast client
+#manycastserver 239.255.254.254 # manycast server
+#manycastclient 239.255.254.254 autokey # manycast client
+
+# Enable public key cryptography.
+#crypto
+
+includefile /etc/ntp/crypto/pw
+
+# Key file containing the keys and key identifiers used when operating
+# with symmetric key cryptography.
+keys /etc/ntp/keys
+
+# Specify the key identifiers which are trusted.
+#trustedkey 4 8 42
+
+# Specify the key identifier to use with the ntpdc utility.
+#requestkey 8
+
+# Specify the key identifier to use with the ntpq utility.
+#controlkey 8
+
+# Enable writing of statistics records.
+#statistics clockstats cryptostats loopstats peerstats
+
+# Disable the monitoring facility to prevent amplification attacks using ntpdc
+# monlist command when default restrict does not include the noquery flag. See
+# CVE-2013-5211 for more details.
+# Note: Monitoring will not be disabled with the limited restriction flag.
+disable monitor
diff --git a/tests/test.yml b/tests/test.yml
new file mode 100644
index 0000000..aab8da6
--- /dev/null
+++ b/tests/test.yml
@@ -0,0 +1,4 @@
+- hosts: all
+
+ roles:
+ - role_under_test
diff --git a/vars/main.yml b/vars/main.yml
new file mode 100644
index 0000000..412829c
--- /dev/null
+++ b/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for Ubuntu1604-CIS
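Review bot: `includefile /etc/ntp/crypto/pw` and `keys /etc/ntp/keys` are the Red Hat package's paths; the Ubuntu 16.04 ntp package ships neither file, so ntpd will most likely log a configuration error for the missing includefile at every start (verify on a target), and because `crypto`, `trustedkey`, `requestkey` and `controlkey` are all commented out the two lines add nothing — drop them, or point `keys` at a key file the role actually deploys. The `restrict -4`/`-6 default kod nomodify notrap nopeer noquery` pair plus `disable monitor` does satisfy the benchmark's restrict requirement for this file; the companion check that ntpd runs as the ntp user lives in /etc/init.d/ntp on Ubuntu, outside this template, so make sure a task elsewhere covers it. A short header comment stating that the file is generated by Ansible and which variable feeds the `server` lines would save the next operator from editing it by hand.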