Major enhancements (#15)

* cleanup files and folders

* updated hardening tasks
audit tasks enhancements
some bugfix

* bugfix variables

* update defaults

* update licensefile

* update gitignore

* added missing tags to 6.2.6

* added handler load audit rules

* Dev2 (#12)

* Moving the needle on implementation

- Added scored or notscored to all rule plays.
- Added rule tags to all rules (I think)
- Added 5.5 and 5.6 to defaults/main.yml
- added section tags to tasks/main.yml for easy section testing
- cleaned up tasks/post.yml for easy reading + task header standardization; removed "when == Debian" since this is only for Ubuntu systems
- standardized order of tags (levels, scored, patch, subsystem, rule, notimplemented).
- added cron, sshd, ntp, syslog, and maybe several other tags to various plays to allow bypassing or enabling based on subsystem (mostly section 5)
- moved multiple plays for the same rule into a single block (block names are only supported >= Ansible 2.3). This allows for a single "when" to run the entire block, and for nicer code folding. Unfortunately, it does push the minimum requirement from 2.1 -> 2.3; I will look at block syntax without names if backwards compat that far is desired.
- switched "restart auditd" to be a service command instead of a command; this is more Ansible-y and works on both RedHat and Debian families, with both SysV init and systemd init services. This also tracks with redhat-cis
- fixed rule 4.1.6 template to conform to the Ubuntu CIS benchmark instead of the RedHat one.

* section 1

- actually commit section1 changes, since they didn't get merged in to the previous giant splat.

* Fixed whitespace issue 1.1.2

* Fixed section1 and section4 whitespace and block errors.

* Section5 whitespace fixes.

* yamlint now passes 100% of all yml files. Did not ansible lint.

* Fixed rule 4.3

* added rule 4_3 to defaults/main.yml

* added file touch to rule 4.3

* Forgot to write an actual commit message.

* Added stat check for 5.4.4

* update handlers for docker

* - updated regex for 1.1.1.4 and 1.1.1.5
- update for 4.3: state: touch always returns an "modified" and
 idempotence test will fail. bad workaround changed_when: false

- resolve #14

* - fixed typo in 1.1.1.4

* - update regexp

* add 1.1.2 mount task

.gitignore

@@ -11,10 +11,9 @@ tests/*.txt
 tests/*.retry
 .Python
 .molecule/
-bin/
-etc/
-include/
-lib/
+/bin/
+/etc/
+/include/
+/lib/
 pip-selfcheck.json
-share/
-
+/share/

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2017 Florian Utz
+Copyright (c) 2018 Florian Utz
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

defaults/main.yml

@@ -76,19 +76,178 @@ ubuntu1604cis_rule_1_7_1_6: true
 ubuntu1604cis_rule_1_7_2: true
 
 # Section 2 rules
-#ubuntu1604cis_rule_2_1_1: true
+ubuntu1604cis_rule_2_1_1: true
+ubuntu1604cis_rule_2_1_2: true
+ubuntu1604cis_rule_2_1_3: true
+ubuntu1604cis_rule_2_1_4: true
+ubuntu1604cis_rule_2_1_5: true
+ubuntu1604cis_rule_2_1_6: true
+ubuntu1604cis_rule_2_1_7: true
+ubuntu1604cis_rule_2_2_1_1: true
+ubuntu1604cis_rule_2_2_1_2: true
+ubuntu1604cis_rule_2_2_1_3: true
+ubuntu1604cis_rule_2_2_2: true
+ubuntu1604cis_rule_2_2_3: true
+ubuntu1604cis_rule_2_2_4: true
+ubuntu1604cis_rule_2_2_5: true
+ubuntu1604cis_rule_2_2_6: true
+ubuntu1604cis_rule_2_2_7: true
+ubuntu1604cis_rule_2_2_8: true
+ubuntu1604cis_rule_2_2_9: true
+ubuntu1604cis_rule_2_2_10: true
+ubuntu1604cis_rule_2_2_11: true
+ubuntu1604cis_rule_2_2_12: true
+ubuntu1604cis_rule_2_2_13: true
+ubuntu1604cis_rule_2_2_14: true
+ubuntu1604cis_rule_2_2_15: true
+ubuntu1604cis_rule_2_2_16: true
+ubuntu1604cis_rule_2_2_17: true
+ubuntu1604cis_rule_2_2_18: true
+ubuntu1604cis_rule_2_2_19: true
+ubuntu1604cis_rule_2_2_20: true
+ubuntu1604cis_rule_2_2_21: true
+ubuntu1604cis_rule_2_3_1: true
+ubuntu1604cis_rule_2_3_2: true
+ubuntu1604cis_rule_2_3_3: true
+ubuntu1604cis_rule_2_3_4: true
+ubuntu1604cis_rule_2_3_5: true
 
 # Section 3 rules
-#ubuntu1604cis_rule_3_1_1: true
+ubuntu1604cis_rule_3_1_1: true
+ubuntu1604cis_rule_3_1_2: true
+ubuntu1604cis_rule_3_2_1: true
+ubuntu1604cis_rule_3_2_2: true
+ubuntu1604cis_rule_3_2_3: true
+ubuntu1604cis_rule_3_2_4: true
+ubuntu1604cis_rule_3_2_5: true
+ubuntu1604cis_rule_3_2_6: true
+ubuntu1604cis_rule_3_2_7: true
+ubuntu1604cis_rule_3_2_8: true
+ubuntu1604cis_rule_3_3_1: true
+ubuntu1604cis_rule_3_3_2: true
+ubuntu1604cis_rule_3_3_3: true
+ubuntu1604cis_rule_3_4_1: true
+ubuntu1604cis_rule_3_4_2: true
+ubuntu1604cis_rule_3_4_3: true
+ubuntu1604cis_rule_3_4_4: true
+ubuntu1604cis_rule_3_4_5: true
+ubuntu1604cis_rule_3_5_1: true
+ubuntu1604cis_rule_3_5_2: true
+ubuntu1604cis_rule_3_5_3: true
+ubuntu1604cis_rule_3_5_4: true
+ubuntu1604cis_rule_3_6_1: true
+ubuntu1604cis_rule_3_6_2: true
+ubuntu1604cis_rule_3_6_3: true
+ubuntu1604cis_rule_3_6_4: true
+ubuntu1604cis_rule_3_6_5: true
 
 # Section 4 rules
-#ubuntu1604cis_rule_4_1_1_1: true
+ubuntu1604cis_rule_4_1_1_1: true
+ubuntu1604cis_rule_4_1_1_2: true
+ubuntu1604cis_rule_4_1_1_3: true
+ubuntu1604cis_rule_4_1_2: true
+ubuntu1604cis_rule_4_1_3: true
+ubuntu1604cis_rule_4_1_4: true
+ubuntu1604cis_rule_4_1_5: true
+ubuntu1604cis_rule_4_1_6: true
+ubuntu1604cis_rule_4_1_7: true
+ubuntu1604cis_rule_4_1_8: true
+ubuntu1604cis_rule_4_1_9: true
+ubuntu1604cis_rule_4_1_10: true
+ubuntu1604cis_rule_4_1_11: true
+ubuntu1604cis_rule_4_1_12: true
+ubuntu1604cis_rule_4_1_13: true
+ubuntu1604cis_rule_4_1_14: true
+ubuntu1604cis_rule_4_1_15: true
+ubuntu1604cis_rule_4_1_16: true
+ubuntu1604cis_rule_4_1_17: true
+ubuntu1604cis_rule_4_1_18: true
+ubuntu1604cis_rule_4_2_3: true
+ubuntu1604cis_rule_4_2_1_1: true
+ubuntu1604cis_rule_4_2_1_2: true
+ubuntu1604cis_rule_4_2_1_3: true
+ubuntu1604cis_rule_4_2_1_4: true
+ubuntu1604cis_rule_4_2_1_5: true
+ubuntu1604cis_rule_4_2_2_1: true
+ubuntu1604cis_rule_4_2_2_2: true
+ubuntu1604cis_rule_4_2_2_3: true
+ubuntu1604cis_rule_4_2_2_4: true
+ubuntu1604cis_rule_4_2_2_5: true
+ubuntu1604cis_rule_4_2_4: true
+ubuntu1604cis_rule_4_3: true
 
 # Section 5 rules
-#ubuntu1604cis_rule_5_1_1: true
+ubuntu1604cis_rule_5_1_1: true
+ubuntu1604cis_rule_5_1_2: true
+ubuntu1604cis_rule_5_1_3: true
+ubuntu1604cis_rule_5_1_4: true
+ubuntu1604cis_rule_5_1_5: true
+ubuntu1604cis_rule_5_1_6: true
+ubuntu1604cis_rule_5_1_7: true
+ubuntu1604cis_rule_5_1_8: true
+ubuntu1604cis_rule_5_2_1: true
+ubuntu1604cis_rule_5_2_2: true
+ubuntu1604cis_rule_5_2_3: true
+ubuntu1604cis_rule_5_2_4: true
+ubuntu1604cis_rule_5_2_5: true
+ubuntu1604cis_rule_5_2_6: true
+ubuntu1604cis_rule_5_2_7: true
+ubuntu1604cis_rule_5_2_8: true
+ubuntu1604cis_rule_5_2_9: true
+ubuntu1604cis_rule_5_2_10: true
+ubuntu1604cis_rule_5_2_11: true
+ubuntu1604cis_rule_5_2_12: true
+ubuntu1604cis_rule_5_2_13: true
+ubuntu1604cis_rule_5_2_14: true
+ubuntu1604cis_rule_5_2_15: true
+ubuntu1604cis_rule_5_2_16: true
+ubuntu1604cis_rule_5_3_1: true
+ubuntu1604cis_rule_5_3_2: true
+ubuntu1604cis_rule_5_3_3: true
+ubuntu1604cis_rule_5_3_4: true
+ubuntu1604cis_rule_5_4_1_1: true
+ubuntu1604cis_rule_5_4_1_2: true
+ubuntu1604cis_rule_5_4_1_3: true
+ubuntu1604cis_rule_5_4_1_4: true
+ubuntu1604cis_rule_5_4_2: true
+ubuntu1604cis_rule_5_4_3: true
+ubuntu1604cis_rule_5_4_4: true
+ubuntu1604cis_rule_5_5: true
+ubuntu1604cis_rule_5_6: false
 
 # Section 6 rules
-#ubuntu1604cis_rule_6_1_1: true
+ubuntu1604cis_rule_6_1_1: true
+ubuntu1604cis_rule_6_1_2: true
+ubuntu1604cis_rule_6_1_3: true
+ubuntu1604cis_rule_6_1_4: true
+ubuntu1604cis_rule_6_1_5: true
+ubuntu1604cis_rule_6_1_6: true
+ubuntu1604cis_rule_6_1_7: true
+ubuntu1604cis_rule_6_1_8: true
+ubuntu1604cis_rule_6_1_9: true
+ubuntu1604cis_rule_6_1_10: true
+ubuntu1604cis_rule_6_1_11: true
+ubuntu1604cis_rule_6_1_12: true
+ubuntu1604cis_rule_6_1_13: true
+ubuntu1604cis_rule_6_1_14: true
+ubuntu1604cis_rule_6_2_1: true
+ubuntu1604cis_rule_6_2_2: true
+ubuntu1604cis_rule_6_2_3: true
+ubuntu1604cis_rule_6_2_4: true
+ubuntu1604cis_rule_6_2_5: true
+ubuntu1604cis_rule_6_2_6: true
+ubuntu1604cis_rule_6_2_7: true
+ubuntu1604cis_rule_6_2_8: true
+ubuntu1604cis_rule_6_2_9: true
+ubuntu1604cis_rule_6_2_10: true
+ubuntu1604cis_rule_6_2_11: true
+ubuntu1604cis_rule_6_2_12: true
+ubuntu1604cis_rule_6_2_14: true
+ubuntu1604cis_rule_6_2_15: true
+ubuntu1604cis_rule_6_2_16: true
+ubuntu1604cis_rule_6_2_17: true
+ubuntu1604cis_rule_6_2_18: true
+ubuntu1604cis_rule_6_2_19: true
 
 # Service configuration booleans set true to keep service
 ubuntu1604cis_avahi_server: false
@@ -154,10 +313,10 @@ ubuntu1604cis_aide_cron:
 ubuntu1604cis_selinux_pol: targeted
 
 # Whether or not to run tasks related to auditing/patching the desktop environment
-ubuntu1604cis_gui: no
+ubuntu1604cis_gui: false
 
 # Set to 'true' if X Windows is needed in your environment
-ubuntu1604cis_xwindows_required: no
+ubuntu1604cis_xwindows_required: false
 
 ubuntu1604cis_openldap_clients_required: false
 ubuntu1604cis_telnet_required: false
@@ -167,53 +326,69 @@ ubuntu1604cis_ypbind_required: false
 
 # Time Synchronization
 ubuntu1604cis_time_synchronization: chrony
-#ubuntu1604cis_time_synchronization: ntp
+# ubuntu1604cis_time_synchronization: ntp
 
 ubuntu1604cis_time_synchronization_servers:
-    - 0.pool.ntp.org
-    - 1.pool.ntp.org
-    - 2.pool.ntp.org
-    - 3.pool.ntp.org
+  -0.pool.ntp.org
+  -1.pool.ntp.org
+  -2.pool.ntp.org
+  -3.pool.ntp.org
 
 # 3.4.2 | PATCH | Ensure /etc/hosts.allow is configured
 ubuntu1604cis_host_allow:
-    - "10.0.0.0/255.0.0.0"
-    - "172.16.0.0/255.240.0.0"
-    - "192.168.0.0/255.255.0.0"
-    - "0.0.0.0/0.0.0.0"
+  -"10.0.0.0/255.0.0.0"
+  -"172.16.0.0/255.240.0.0"
+  -"192.168.0.0/255.255.0.0"
+  -"0.0.0.0/0.0.0.0"
 
 ubuntu1604cis_firewall: firewalld
-#ubuntu1604cis_firewall: iptables
+# ubuntu1604cis_firewall: iptables
 
 ubuntu1604cis_firewall_services:
-    - ssh
-    - dhcpv6-client
+  -ssh
+  -dhcpv6-client
 
 # Warning Banner Content (issue, issue.net, motd)
 ubuntu1604cis_warning_banner: |
     Authorized uses only. All activity may be monitored and reported.
 # End Banner
 
+## Section 4 Vars
+ubuntu1604cis_auditd:
+  admin_space_left_action: halt
+  max_log_file_action: keep_logs
+
+ubuntu1604cis_logrotate: "daily"
+
+## Section 5 Vars
 ubuntu1604cis_sshd:
-    clientalivecountmax: 3
-    clientaliveinterval: 300
-    # - make sure you understand the precedence when working with these values!!
-    #allowusers:
-    #allowgroups: systems dba
-    #denyusers:
-    #denygroups:
+  clientalivecountmax: 3
+  clientaliveinterval: 300
+  ciphers: "aes256-ctr,aes192-ctr,aes128-ctr"
+  macs: "[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]"
+  logingracetime: 60
+  ### Make sure you understand the precedence when working with these values!!
+  # allowusers:
+  # allowgroups: systems dba
+  # denyusers:
+  # denygroups:
+
+ubuntu1604cis_pass:
+  max_days: 90
+  min_days: 7
+  warn_age: 7
 
 # Syslog system
 ubuntu1604cis_syslog: rsyslog
-#ubuntu1604cis_syslog: syslog-ng
+# ubuntu1604cis_syslog: syslog-ng
 
 ubuntu1604cis_vartmp:
-    source: /tmp
-    fstype: none
-    opts: "defaults, nodev, nosuid, noexec, bind"
-    enabled: no
+  source: /tmp
+  fstype: falsene
+  opts: "defaults, nodev, nosuid, noexec, bind"
+  enabled: false
 
-######Multi OS###########
+###### Multi OS Vars ###########
 prelim_check_package_command:
   RedHat: rpm -q
   Debian: dpkg -V
@@ -248,6 +423,5 @@ chrony_config_file:
   RedHat: /etc/chrony.conf
   Debian: /etc/chrony/chrony.conf
 
-###firewall
-
+### Firewall
 ubuntu1604cis_setup_firewall: false