-
Notifications
You must be signed in to change notification settings - Fork 23
Main Variables
AMAZON2-CIS Role Variables
As the end user you should only need to adjust the variables found within the defaults/main.yml. These address things ranging from very high level role controls to site specific host settings. Please review these before running the role to get a full understanding of what will need to be configured before running this role.
amazon2cis_section1: true
amazon2cis_section2: true
amazon2cis_section3: true
amazon2cis_section4: true
amazon2cis_section5: true
amazon2cis_section6: true
python2_bin: /bin/python2.7
benchmark: AMAZON2-CIS
amazon2cis_tmp_svc: true
setup_audit: false
This option is how the goss executable will be placed on the host system
Options are copy or download - detailed settings at the bottom of this file you will need to access to either github or the file already downloaded
get_goss_file: download
audit_content is how to get audit scanning profile files get onto the host, options options are git/copy/get_url
audit_content: git
audit_cmd_timeout: 30000
run_audit: false
amazon2cis_legacy_boot is for using EFI boot changes 1.1.1.4 to stop vfat, change to false to enable this
amazon2cis_legacy_boot: true
amazon2cis_selinux_disable: false
amazon2cis_selinux_state: enforcing
amazon2cis_skip_for_travis: false
amazon2cis_system_is_container: false
system_is_ec2: true
These variables correspond with the CIS rule IDs or paragraph numbers defined in the CIS benchmark documents.
PLEASE NOTE: These work in coordination with the section # group variables and tags. You must enable an entire section in order for the variables below to take effect.
Section 1 rules
Section 1 is Initial Setup (Filesystem Configuration, Configure Software Updates, Configure Sudo, Filesystem Integrity Checking, Secure Boot Settings, Additional Process Hardening, Mandatory Access Control, and Warning Banners)
amazon2cis_rule_1_1_1_1: true
amazon2cis_rule_1_1_1_2: true
amazon2cis_rule_1_1_1_3: true
amazon2cis_rule_1_1_2: true
amazon2cis_rule_1_1_3: true
amazon2cis_rule_1_1_4: true
amazon2cis_rule_1_1_5: true
amazon2cis_rule_1_1_6: true
amazon2cis_rule_1_1_7: true
amazon2cis_rule_1_1_8: true
amazon2cis_rule_1_1_9: true
amazon2cis_rule_1_1_10: true
amazon2cis_rule_1_1_11: true
amazon2cis_rule_1_1_12: true
amazon2cis_rule_1_1_13: true
amazon2cis_rule_1_1_14: true
amazon2cis_rule_1_1_15: true
amazon2cis_rule_1_1_16: true
amazon2cis_rule_1_1_17: true
amazon2cis_rule_1_1_18: true
amazon2cis_rule_1_1_19: true
amazon2cis_rule_1_1_20: true
amazon2cis_rule_1_1_21: true
amazon2cis_rule_1_1_22: true
amazon2cis_rule_1_1_23: true
amazon2cis_rule_1_1_24: true
amazon2cis_rule_1_2_1: true
amazon2cis_rule_1_2_2: true
amazon2cis_rule_1_2_3: true
amazon2cis_rule_1_3_1: true
amazon2cis_rule_1_3_2: true
amazon2cis_rule_1_4_1: true
amazon2cis_rule_1_4_2: true
amazon2cis_rule_1_5_1: true
amazon2cis_rule_1_5_2: true
amazon2cis_rule_1_5_3: true
amazon2cis_rule_1_5_4: true
amazon2cis_rule_1_6_1_1: true
amazon2cis_rule_1_6_1_2: true
amazon2cis_rule_1_6_1_3: true
amazon2cis_rule_1_6_1_4: true
amazon2cis_rule_1_6_1_5: true
amazon2cis_rule_1_6_1_6: true
amazon2cis_rule_1_6_1_7: true
amazon2cis_rule_1_6_1_8: true
amazon2cis_rule_1_7_1: true
amazon2cis_rule_1_7_2: true
amazon2cis_rule_1_7_3: true
amazon2cis_rule_1_7_4: true
amazon2cis_rule_1_7_5: true
amazon2cis_rule_1_7_6: true
amazon2cis_rule_1_8: true
Section 2 rules
Section 2 is Services (inetd Services, Special Purpose Services, and Service Clients)
amazon2cis_rule_2_1_1: true
amazon2cis_rule_2_1_2: true
amazon2cis_rule_2_1_3: true
amazon2cis_rule_2_1_4: true
amazon2cis_rule_2_1_5: true
amazon2cis_rule_2_1_6: true
amazon2cis_rule_2_1_7: true
amazon2cis_rule_2_1_8: true
amazon2cis_rule_2_1_9: true
amazon2cis_rule_2_1_10: true
amazon2cis_rule_2_1_11: true
amazon2cis_rule_2_1_12: true
amazon2cis_rule_2_1_13: true
amazon2cis_rule_2_1_14: true
amazon2cis_rule_2_1_15: true
amazon2cis_rule_2_1_16: true
amazon2cis_rule_2_1_17: true
amazon2cis_rule_2_1_18: true
amazon2cis_rule_2_1_19: true
amazon2cis_rule_2_1_1_1: true
amazon2cis_rule_2_1_1_2: true
amazon2cis_rule_2_1_1_3: true
amazon2cis_rule_2_2_1: true
amazon2cis_rule_2_2_2: true
amazon2cis_rule_2_2_3: true
amazon2cis_rule_2_2_4: true
amazon2cis_rule_2_2_5: true
amazon2cis_rule_2_3: true
Section 3 rules
Section 3 is Network Configuration (Disable unused network protocols, Network parameters (host), Network parameters (Host and Router), Uncommon Network Protocols, Firewall Configuration, and Configure iptables)
amazon2cis_rule_3_1_1: true
amazon2cis_rule_3_1_2: true
amazon2cis_rule_3_2_1: true
amazon2cis_rule_3_2_2: true
amazon2cis_rule_3_3_1: true
amazon2cis_rule_3_3_2: true
amazon2cis_rule_3_3_3: true
amazon2cis_rule_3_3_4: true
amazon2cis_rule_3_3_5: true
amazon2cis_rule_3_3_6: true
amazon2cis_rule_3_3_7: true
amazon2cis_rule_3_3_8: true
amazon2cis_rule_3_3_9: true
amazon2cis_rule_3_4_1: true
amazon2cis_rule_3_4_2: true
amazon2cis_rule_3_5_1_1: true
amazon2cis_rule_3_5_1_2: true
amazon2cis_rule_3_5_1_3: true
amazon2cis_rule_3_5_1_4: true
amazon2cis_rule_3_5_1_5: true
amazon2cis_rule_3_5_1_6: true
amazon2cis_rule_3_5_1_7: true
amazon2cis_rule_3_5_2_1: true
amazon2cis_rule_3_5_2_2: true
amazon2cis_rule_3_5_2_3: true
amazon2cis_rule_3_5_2_4: true
amazon2cis_rule_3_5_2_5: true
amazon2cis_rule_3_5_2_6: true
amazon2cis_rule_3_5_2_7: true
amazon2cis_rule_3_5_2_8: true
amazon2cis_rule_3_5_2_9: true
amazon2cis_rule_3_5_2_10: true
amazon2cis_rule_3_5_2_11: true
amazon2cis_rule_3_5_3_1_1: true
amazon2cis_rule_3_5_3_1_2: true
amazon2cis_rule_3_5_3_1_3: true
Section 4 rules
Section 4 is Logging and Auditing (Configure System Accounting (auditd) and Configure Logging)
amazon2cis_rule_4_1_1_1: true
amazon2cis_rule_4_1_1_2: true
amazon2cis_rule_4_1_1_3: true
amazon2cis_rule_4_1_2_1: true
amazon2cis_rule_4_1_2_2: true
amazon2cis_rule_4_1_2_3: true
amazon2cis_rule_4_1_2_4: true
amazon2cis_rule_4_1_3: true
amazon2cis_rule_4_1_4: true
amazon2cis_rule_4_1_5: true
amazon2cis_rule_4_1_6: true
amazon2cis_rule_4_1_7: true
amazon2cis_rule_4_1_8: true
amazon2cis_rule_4_1_9: true
amazon2cis_rule_4_1_10: true
amazon2cis_rule_4_1_11: true
amazon2cis_rule_4_1_12: true
amazon2cis_rule_4_1_13: true
amazon2cis_rule_4_1_14: true
amazon2cis_rule_4_1_15: true
amazon2cis_rule_4_1_16: true
amazon2cis_rule_4_1_17: true
amazon2cis_rule_4_2_1_1: true
amazon2cis_rule_4_2_1_2: true
amazon2cis_rule_4_2_1_3: true
amazon2cis_rule_4_2_1_4: true
amazon2cis_rule_4_2_1_5: true
amazon2cis_rule_4_2_1_6: true
amazon2cis_rule_4_2_2_1: true
amazon2cis_rule_4_2_2_2: true
amazon2cis_rule_4_2_2_3: true
amazon2cis_rule_4_2_3: true
amazon2cis_rule_4_2_4: true
Section 5 rules
Section 5 is Access, Authentication, and Authorization (Configure time-based job schedulers, Configure SSH Server, Configure PAM, and User Accounts and Environment)
amazon2cis_rule_5_1_1: true
amazon2cis_rule_5_1_2: true
amazon2cis_rule_5_1_3: true
amazon2cis_rule_5_1_4: true
amazon2cis_rule_5_1_5: true
amazon2cis_rule_5_1_6: true
amazon2cis_rule_5_1_7: true
amazon2cis_rule_5_1_8: true
amazon2cis_rule_5_1_9: true
amazon2cis_rule_5_2_1: true
amazon2cis_rule_5_2_2: true
amazon2cis_rule_5_2_3: true
amazon2cis_rule_5_3_1: true
amazon2cis_rule_5_3_2: true
amazon2cis_rule_5_3_3: true
amazon2cis_rule_5_3_4: true
amazon2cis_rule_5_3_5: true
amazon2cis_rule_5_3_6: true
amazon2cis_rule_5_3_7: true
amazon2cis_rule_5_3_8: true
amazon2cis_rule_5_3_9: true
amazon2cis_rule_5_3_10: true
amazon2cis_rule_5_3_12: true
amazon2cis_rule_5_3_11: true
amazon2cis_rule_5_3_13: true
amazon2cis_rule_5_3_14: true
amazon2cis_rule_5_3_15: true
amazon2cis_rule_5_3_16: true
amazon2cis_rule_5_3_17: true
amazon2cis_rule_5_3_18: true
amazon2cis_rule_5_3_19: true
amazon2cis_rule_5_3_20: true
amazon2cis_rule_5_3_21: true
amazon2cis_rule_5_3_22: true
amazon2cis_rule_5_4_1: true
amazon2cis_rule_5_4_2: true
amazon2cis_rule_5_4_3: true
amazon2cis_rule_5_4_4: true
amazon2cis_rule_5_5_1_1: true
amazon2cis_rule_5_5_1_2: true
amazon2cis_rule_5_5_1_3: true
amazon2cis_rule_5_5_1_4: true
amazon2cis_rule_5_5_1_5: true
amazon2cis_rule_5_5_2: true
amazon2cis_rule_5_5_3: true
amazon2cis_rule_5_5_4: true
amazon2cis_rule_5_5_5: true
amazon2cis_rule_5_6: true
amazon2cis_rule_5_7: true
Section 6 rules
Section 6 is System Maintenance (System File Permissions and User and Group Settings)
amazon2cis_rule_6_1_1: true
amazon2cis_rule_6_1_2: true
amazon2cis_rule_6_1_3: true
amazon2cis_rule_6_1_4: true
amazon2cis_rule_6_1_5: true
amazon2cis_rule_6_1_6: true
amazon2cis_rule_6_1_7: true
amazon2cis_rule_6_1_8: true
amazon2cis_rule_6_1_9: true
amazon2cis_rule_6_1_10: true
amazon2cis_rule_6_1_11: true
amazon2cis_rule_6_1_12: true
amazon2cis_rule_6_1_13: true
amazon2cis_rule_6_1_14: true
amazon2cis_rule_6_2_1: true
amazon2cis_rule_6_2_2: true
amazon2cis_rule_6_2_3: true
amazon2cis_rule_6_2_4: true
amazon2cis_rule_6_2_5: true
amazon2cis_rule_6_2_6: true
amazon2cis_rule_6_2_7: true
amazon2cis_rule_6_2_8: true
amazon2cis_rule_6_2_9: true
amazon2cis_rule_6_2_10: true
amazon2cis_rule_6_2_11: true
amazon2cis_rule_6_2_12: true
amazon2cis_rule_6_2_13: true
amazon2cis_rule_6_2_14: true
amazon2cis_rule_6_2_15: true
amazon2cis_rule_6_2_16: true
amazon2cis_rule_6_2_17: true
Service configuration booleans set true to keep service or disable controls that would brake service
amazon2cis_allow_autofs: false
amazon2cis_avahi_server: false
amazon2cis_cups_server: false
amazon2cis_dhcp_server: false
amazon2cis_ldap_server: false
amazon2cis_named_server: false
amazon2cis_vsftpd_server: false
amazon2cis_httpd_server: false
amazon2cis_dovecot_server: false
amazon2cis_smb_server: false
amazon2cis_squid_server: false
amazon2cis_snmp_server: false
amazon2cis_nis_server: false
amazon2cis_telnet_server: false
amazon2cis_is_mail_server: false
amazon2cis_nfs_rpc_server: false
amazon2cis_nfs_server: false
amazon2cis_rpc_server: false
amazon2cis_rsyncd_server: false
amazon2cis_ypbind_required: false
amazon2cis_rsh_required: false
amazon2cis_talk_required: false
amazon2cis_telnet_required: false
amazon2cis_openldap_clients_required: false
amazon2cis_is_router: false
amazon2cis_ipv6_required: false
amazon2cis_gui: false
amazon2cis_xwindows_required: false
amazon2cis_time_synchronization: chrony
amazon2cis_time_synchronization_servers:
- 0.pool.ntp.org
- 1.pool.ntp.org
- 2.pool.ntp.org
- 3.pool.ntp.org
amazon2cis_chrony_server_options: "minpoll 8"
amazon2cis_ntp_server_options: "iburst"
amazon2cis_firewall: firewalld
amazon2cis_default_zone: public
amazon2cis_config_aide: true
amazon2cis_aide_cron:
cron_user: root
cron_file: /etc/crontab
aide_job: '/usr/sbin/aide --check'
aide_minute: '0'
aide_hour: '5'
aide_day: '*'
aide_month: '*'
aide_weekday: '*'
amazon2cis_auditd:
space_left_action: email
action_mail_acct: root
admin_space_left_action: halt
max_log_file_action: keep_logs
4.2.3
amazon2cis_logrotate sets the daily, weekly, monthly, yearly value for the log rotation.
To conform to CIS standards this just needs to comply with your site policy
amazon2cis_logrotate: "daily"
amazon2cis_audit_backlog_limit: 8192
amazon2cis_remote_log_server: logagg.example.com
amazon2cis_system_is_log_server: false
amazon2cis_maxauditlog_size: 10
amazon2cis_rsyslog_ansibleManaged: true
amazon2cis_ssh_loglevel: INFO
amazon2cis_ssh_maxsessions is the max number of sessions.
To conform to CIS standards this value nees to be 10 or less
amazon2cis_ssh_maxsessions: 10
amazon2cis_sshd:
# clientalivecountmax: 0
# clientaliveinterval shoudl be between 1 and 900
clientaliveinterval: 300
ciphers: "[email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr"
macs: "[email protected],[email protected],hmac-sha2-512,hmac-sha2-256"
kex: "curve25519-sha256,[email protected],ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
# logingracetime value is in seconds and needs to be set to 1 minute or less
logingracetime: 60
# WARNING: make sure you understand the precedence when working with these values!!
# allowusers:
# allowgroups: systems dba
# denyusers:
# denygroups:
amazon2cis_pam_faillock:
attempts: 5
interval: 900
unlock_time: 900
fail_for_root: "no"
remember: 5
pwhash: sha512
amazon2cis_inactivelock:
lock_days: 30
amazon2cis_inactive_whitelist:
- root
- vagrant
amazon2cis_pass:
max_days: 90
min_days: 1
warn_age: 7
5.3.7
amazon2_max_auth_tries is the number of max authorization attemps permitted per connection.
To conform to CIS standards this needs to be 4 or less
amazon2_max_auth_tries: 4
5.4.5
Session timeout setting file (TMOUT setting can be set in multiple files). Timeout value is in seconds. (60 seconds * 10 = 600)
amazon2cis_shell_session_timeout:
file: /etc/profile.d/tmout.sh
timeout: 600
5.4.1.5 Allow ansible to expire password for account with a last changed date in the future. False will just display users in violation, true will expire those users passwords
amazon2cis_futurepwchgdate_autofix: true
amazon2cis_int_gid: 1000
5.6 Group to be used for su, this group needs to exists groups will not be created for remediation this is considered sys admins
amazon2cis_sugroup: sugroup
amazon2cis_rpm_audit_file: /var/tmp/rpm_file_check
amazon2cis_no_world_write_adjust: true
amazon2cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}"
amazon2cis_dotperm_ansibleManaged: true
amazon2cis_selinux_pol: targeted
amazon2cis_warning_banner: |
Authorized uses only. All activity may be monitored and reported.
# End Banner
goss_version:
release: v0.3.16
checksum: 'sha256:827e354b48f93bce933f5efcd1f00dc82569c42a179cf2d384b040d8a80bfbfb'
audit_bin_path: /usr/local/bin/
audit_bin: "{{ audit_bin_path }}goss"
The audit_format is the output format on the pre/post audit reports. Common options are json or documentation (read goss manual for other options)
audit_format: json
goss_url: "https://github.com/aelsabbahy/goss/releases/download/{{ goss_version.release }}/goss-linux-amd64"
copy_goss_from_path is the localized path for the goss file to copy from
If get_goss_file - copy the following needs to be updated for your environment. It is expected that it will be copied from somewhere accessible to the control node, e.g copy from ansible control node to remote host
copy_goss_from_path: /some/accessible/path
audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
audit_git_version: devel
audit_local_copy: "some path to copy from"
audit_files_url is if you pull the audit scannign profile via a link, using something like S3 storage for example.
audit_files_url: "some url maybe s3?"
audit_files: "/var/tmp/{{ benchmark }}-Audit/"
audit_out_dir: '/var/tmp'
audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit"
pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}
_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}``_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
The following is related to displaying the pre and post audit scan reports and should not need changing
goss_file: "{{ audit_conf_dir }}goss.yml"
audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_hostname }}.yml"
audit_results: |
The pre remediation results are: {{ pre_audit_summary }}.
The post remediation results are: {{ post_audit_summary }}.
Full breakdown can be found in {{ audit_out_dir }}