Repository: florianutz/Ubuntu1804-CIS
Branch: master
Commit: 187ff8d54543
Files: 55
Total size: 174.1 KB

Directory structure:
Ubuntu1804-CIS/

├── .ansible-lint
├── .github/
│   ├── ISSUE_TEMPLATE/
│   │   ├── bug_report.md
│   │   └── feature_request.md
│   └── workflows/
│       ├── ansible-lint.yml
│       └── run-molecule.yml
├── .gitignore
├── .travis.yml
├── .yamllint
├── LICENSE
├── Makefile
├── README.md
├── defaults/
│   └── main.yml
├── files/
│   └── etc/
│       └── systemd/
│           └── system/
│               └── tmp.mount
├── handlers/
│   └── main.yml
├── meta/
│   └── main.yml
├── molecule/
│   └── default/
│       ├── INSTALL.rst
│       ├── converge.yml
│       ├── molecule.yml
│       ├── prepare.yml
│       ├── tests/
│       │   └── test_default.py
│       └── verify.yml
├── requirements.txt
├── tasks/
│   ├── main.yml
│   ├── post.yml
│   ├── prelim.yml
│   ├── section1.yml
│   ├── section2.yml
│   ├── section3.yml
│   ├── section4.yml
│   ├── section5.yml
│   └── section6.yml
├── templates/
│   ├── at.allow.j2
│   ├── audit/
│   │   ├── ubuntu1804cis_rule_4_1_10.rules.j2
│   │   ├── ubuntu1804cis_rule_4_1_11.rules.j2
│   │   ├── ubuntu1804cis_rule_4_1_12.rules.j2
│   │   ├── ubuntu1804cis_rule_4_1_13.rules.j2
│   │   ├── ubuntu1804cis_rule_4_1_14.rules.j2
│   │   ├── ubuntu1804cis_rule_4_1_15.rules.j2
│   │   ├── ubuntu1804cis_rule_4_1_16.rules.j2
│   │   ├── ubuntu1804cis_rule_4_1_17.rules.j2
│   │   ├── ubuntu1804cis_rule_4_1_3.rules.j2
│   │   ├── ubuntu1804cis_rule_4_1_4.rules.j2
│   │   ├── ubuntu1804cis_rule_4_1_5.rules.j2
│   │   ├── ubuntu1804cis_rule_4_1_6.rules.j2
│   │   ├── ubuntu1804cis_rule_4_1_7.rules.j2
│   │   ├── ubuntu1804cis_rule_4_1_8.rules.j2
│   │   └── ubuntu1804cis_rule_4_1_9.rules.j2
│   ├── chrony.conf.j2
│   ├── cron.allow.j2
│   ├── etc/
│   │   ├── issue.j2
│   │   ├── issue.net.j2
│   │   └── motd.j2
│   ├── hosts.allow.j2
│   └── ntp.conf.j2
└── vars/
    └── main.yml

================================================
FILE CONTENTS
================================================

================================================
FILE: .ansible-lint
================================================
exclude_paths:
  - molecule/
  - .github/
warn_list:
  - '204'
skip_list:
  - experimental
  - yaml


================================================
FILE: .github/ISSUE_TEMPLATE/bug_report.md
================================================
---
name: Bug report
about: Create a report to help us improve
title: ''
labels: ''
assignees: ''

---

**Describe the bug**
A clear and concise description of what the bug is.

**To Reproduce**
Steps to reproduce the behavior:
1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error

**Expected behavior**
A clear and concise description of what you expected to happen.

**Software (please complete the following information):**
 - Ansible Version: [e.g. 2.9.0]
 - Role/Repo Version [e.g. 1.0.0, master]

**Additional context**
Add any other context about the problem here.


================================================
FILE: .github/ISSUE_TEMPLATE/feature_request.md
================================================
---
name: Feature request
about: Suggest an idea for this project
title: ''
labels: ''
assignees: ''

---

**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

**Describe the solution you'd like**
A clear and concise description of what you want to happen.

**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.

**Additional context**
Add any other context or screenshots about the feature request here.


================================================
FILE: .github/workflows/ansible-lint.yml
================================================
---
name: Lint the Playbook with Ansible Lint

on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

jobs:
  build:
    runs-on: ubuntu-latest
    env:
      PY_COLORS: '1'
      ANSIBLE_FORCE_COLOR: '1'
    steps:
    - uses: actions/checkout@v2
    - name: Lint Ansible Playbook
      uses: ansible/ansible-lint-action@master
      with:
        targets: |
          defaults/*.yml
          handlers/*.yml
          tasks/*.yml
        override-deps: |
          ansible==2.7
          ansible-lint==4.2.0
        args: "-c .ansible-lint -x 204"


================================================
FILE: .github/workflows/run-molecule.yml
================================================
---
name: Run the Molecule Test Suite

on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

jobs:
  molecule:
    runs-on: ubuntu-latest
    env:
      PY_COLORS: '1'
      ANSIBLE_FORCE_COLOR: '1'
    steps:
      - uses: actions/checkout@v2
        with:
          path: "${{ github.repository }}"
      - uses: gofrolist/molecule-action@v2


================================================
FILE: .gitignore
================================================
*.swp
*.retry
.DS_Store
test.yml
tests/local-test.yml
tests/.vagrant
tests/Vagrantfile
tests/test-inv
tests/*.html
tests/*.txt
tests/*.retry
.Python
.molecule/
/bin/
/etc/
/include/
/lib/
pip-selfcheck.json
/share/
molecule/default/cache
/venv/
.venv
*.bak*
*.cache
__pycache__


================================================
FILE: .travis.yml
================================================
---
os: linux
dist: focal

#sudo: required

services:
  - docker

language: python
python:
  - "3.8"

before_install:
  #- docker pull solita/ubuntu-systemd:bionic
  # - make bin/python

script:
  - make travis

notifications:
  webhooks: https://galaxy.ansible.com/api/v1/notifications/


================================================
FILE: .yamllint
================================================
extends: default

rules:
  braces:
    max-spaces-inside: 1
    level: error
  brackets:
    max-spaces-inside: 1
    level: error
  line-length: disable
  # NOTE(retr0h): Templates no longer fail this lint rule.
  #               Uncomment if running old Molecule templates.
  # truthy: disable


================================================
FILE: LICENSE
================================================
MIT License

Copyright (c) 2020 Florian Utz

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.


================================================
FILE: Makefile
================================================
# Makefile for Ubuntu1804-CIS
.PHONY: help
help:
	@echo
	@echo This Makefile is used to test this role. Typical use:
	@echo
	@echo '   make test'
	@echo '   make clean'
	@echo '   make travis'
	@echo
	@echo
	@echo To use the isolated environment from this directory:
	@echo
	@echo '   make venv'
	@echo '   . bin/activate'
	@echo
	@echo Molecule has built-in help
	@echo
	@echo

# virtualenv allows isolation of python libraries
.PHONY: venv
venv: bin/python

.PHONY: bin/python
bin/python:
	pip -V || sudo easy_install pip
	# virtualenv allows isolation of python libraries
	virtualenv --version || sudo easy_install virtualenv
	# Now with those two we can isolate our test setup.
	virtualenv venv
	venv/bin/pip install -r requirements.txt

# cleanup virtualenv and molecule leftovers
.PHONY: clean
clean:
	rm -rf .molecule venv molecule/default/cache

.PHONY: test
test: bin/python
	( . venv/bin/activate && venv/bin/molecule test )

.PHONY: travis
travis:
	pip install -r requirements.txt
	molecule test


================================================
FILE: README.md
================================================
Ubuntu 18.04 CIS STIG
================

[![Build Status](https://travis-ci.com/florianutz/Ubuntu1804-CIS.svg?branch=master)](https://travis-ci.com/florianutz/Ubuntu1804-CIS)
[![Ansible Role](https://img.shields.io/badge/role-florianutz.Ubuntu1804--CIS-blue.svg)](https://galaxy.ansible.com/florianutz/Ubuntu1804-CIS/)

Configures an Ubuntu 18.04 machine to be CIS compliant. Level 1 and Level 2 findings are remediated by default.

This role **will make changes to the system** that could break things. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted.

## IMPORTANT INSTALL STEP

If you want to install this via the `ansible-galaxy` command you'll need to run it like this:

`ansible-galaxy install -p roles -r requirements.yml`

With this in the file requirements.yml:

```
- src: https://github.com/florianutz/Ubuntu1804-CIS.git
```

Based on the [CIS Ubuntu Linux 18.04 LTS Benchmark v2.0.1 (01-03-2020)](https://www.cisecurity.org/cis-benchmarks/).

This repo originated from work done by [MindPointGroup](https://github.com/MindPointGroup/RHEL7-CIS)

Requirements
------------

You should carefully read through the tasks to make sure these changes will not break your systems before running this playbook.

Role Variables
--------------
There are many role variables defined in defaults/main.yml. This list shows the most important.

**ubuntu1804cis_notauto**: Run CIS checks that we typically do NOT want to automate due to the high probability of breaking the system (Default: false)

**ubuntu1804cis_section1**: CIS - General Settings (Section 1) (Default: true)

**ubuntu1804cis_section2**: CIS - Services settings (Section 2) (Default: true)

**ubuntu1804cis_section3**: CIS - Network settings (Section 3) (Default: true)

**ubuntu1804cis_section4**: CIS - Logging and Auditing settings (Section 4) (Default: true)

**ubuntu1804cis_section5**: CIS - Access, Authentication and Authorization settings (Section 5) (Default: true)

**ubuntu1804cis_section6**: CIS - System Maintenance settings (Section 6) (Default: true)  

##### Disable all selinux functions
`ubuntu1804cis_selinux_disable: false`

##### Service variables:
###### These control whether a server should or should not be allowed to continue to run these services

```
ubuntu1804cis_avahi_server: false  
ubuntu1804cis_cups_server: false  
ubuntu1804cis_dhcp_server: false  
ubuntu1804cis_ldap_server: false  
ubuntu1804cis_telnet_server: false  
ubuntu1804cis_nfs_server: false  
ubuntu1804cis_rpc_server: false  
ubuntu1804cis_ntalk_server: false  
ubuntu1804cis_rsyncd_server: false  
ubuntu1804cis_tftp_server: false  
ubuntu1804cis_rsh_server: false  
ubuntu1804cis_nis_server: false  
ubuntu1804cis_snmp_server: false  
ubuntu1804cis_squid_server: false  
ubuntu1804cis_smb_server: false  
ubuntu1804cis_dovecot_server: false  
ubuntu1804cis_httpd_server: false  
ubuntu1804cis_vsftpd_server: false  
ubuntu1804cis_named_server: false  
ubuntu1804cis_bind: false  
ubuntu1804cis_vsftpd: false  
ubuntu1804cis_httpd: false  
ubuntu1804cis_dovecot: false  
ubuntu1804cis_samba: false  
ubuntu1804cis_squid: false  
ubuntu1804cis_net_snmp: false  
```  

##### Designate server as a Mail server
`ubuntu1804cis_is_mail_server: false`


##### System network parameters (host only OR host and router)
`ubuntu1804cis_is_router: false`  


##### IPv6 required
`ubuntu1804cis_ipv6_required: true`  


##### AIDE
`ubuntu1804cis_config_aide: true`

###### AIDE cron settings
```
ubuntu1804cis_aide_cron:
  cron_user: root
  cron_file: /etc/crontab
  aide_job: '/usr/bin/aide.wrapper --config /etc/aide/aide.conf --check'
  aide_minute: 0
  aide_hour: 5
  aide_day: '*'
  aide_month: '*'
  aide_weekday: '*'
```


##### Set to 'true' if X Windows is needed in your environment
`ubuntu1804cis_xwindows_required: false`


##### Client application requirements
```
ubuntu1804cis_openldap_clients_required: false
ubuntu1804cis_telnet_required: false
ubuntu1804cis_talk_required: false  
ubuntu1804cis_rsh_required: false
ubuntu1804cis_ypbind_required: false
```

##### Time Synchronization
Select exactly one daemon (`chrony` is the default; `ntp` is the alternative):
```
ubuntu1804cis_time_synchronization: chrony
# ubuntu1804cis_time_synchronization: ntp

ubuntu1804cis_time_synchronization_servers:
  - uri: "0.pool.ntp.org"
    config: "minpoll 8"
  - uri: "1.pool.ntp.org"
    config: "minpoll 8"
  - uri: "2.pool.ntp.org"
    config: "minpoll 8"
  - uri: "3.pool.ntp.org"
    config: "minpoll 8"
```
##### 1.1.5 | PATCH | Ensure noexec option set on /tmp partition
Not implemented: `noexec` on /tmp disrupts `apt`, because /tmp holds executable scripts during package installation. Accordingly `ubuntu1804cis_rule_1_1_5` defaults to `false` and the Debian entry of `tmp_mount_options` in defaults/main.yml omits `noexec`. Note that the unit shipped in `files/etc/systemd/system/tmp.mount` does carry `noexec`; check which of the two sources the section 1 tasks install on your hosts before relying on this exemption.

##### 1.5.3 | PATCH | Ensure authentication required for single user mode
Disabled by default because it sets a random password for root. To enable it set:
```yaml
ubuntu1804cis_rule_1_5_3: true
```
To set a specific password instead of a random one:
```yaml
ubuntu1804cis_root_password: 'new password'
```

##### 3.3.2 | PATCH | Ensure /etc/hosts.allow is configured
The networks written to `/etc/hosts.allow` come from `ubuntu1804cis_host_allow` (see also `ubuntu1804cis_setup_tcp_wrappers`, default `false`, in defaults/main.yml):
```
ubuntu1804cis_host_allow:
  - "10.0.0.0/255.0.0.0"
  - "172.16.0.0/255.240.0.0"
  - "192.168.0.0/255.255.0.0"
```
The list in defaults/main.yml additionally ends with `"0.0.0.0/0.0.0.0"`, which matches every IPv4 address and therefore allows all hosts; override the variable with the networks that should actually reach this host.

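To see what a given list actually admits, here is an added checker written for this page (not part of the role) that parses the `ALL: <net>/<mask>, <net>/<mask>, ...` line form the CIS remediation uses, flags catch-all entries such as `ALL` or a zero netmask, and reports which entry a client address matches. It assumes IPv4 network or address entries only; hostname patterns and the `EXCEPT` operator are left unparsed, and the sample lines are constructed.

```python
"""Audit a TCP Wrappers /etc/hosts.allow client list for catch-all entries
and test which clients it admits. Added example; not the role's own code."""
import ipaddress
from typing import List, Optional, Tuple

# The list from defaults/main.yml. The final entry matches every IPv4 address.
UBUNTU1804CIS_HOST_ALLOW = [
    "10.0.0.0/255.0.0.0",
    "172.16.0.0/255.240.0.0",
    "192.168.0.0/255.255.0.0",
    "0.0.0.0/0.0.0.0",
]


def parse_client(entry: str) -> Optional[ipaddress.IPv4Network]:
    """Accept net/mask (dotted mask), CIDR, or a bare IPv4 address (treated as /32).
    Returns None for anything else (ALL, hostnames, EXCEPT clauses, IPv6)."""
    try:
        return ipaddress.IPv4Network(entry.strip(), strict=False)
    except ValueError:
        return None


def is_catch_all(entry: str) -> bool:
    """ALL, or any network with a zero-length prefix (0.0.0.0/0.0.0.0, 0.0.0.0/0)."""
    if entry.strip().upper() == "ALL":
        return True
    net = parse_client(entry)
    return net is not None and net.prefixlen == 0


def catch_all_entries(entries: List[str]) -> List[str]:
    return [e for e in entries if is_catch_all(e)]


def admits(client_ip: str, entries: List[str]) -> Optional[str]:
    """First entry that matches client_ip, or None if no entry does
    (TCP Wrappers stops at the first matching rule)."""
    ip = ipaddress.IPv4Address(client_ip)
    for entry in entries:
        if entry.strip().upper() == "ALL":
            return entry
        net = parse_client(entry)
        if net is not None and ip in net:
            return entry
    return None


def render_hosts_allow(entries: List[str], daemon: str = "ALL") -> str:
    """The single line the CIS remediation describes: 'ALL: <net>/<mask>, ...'."""
    return f"{daemon}: {', '.join(entries)}\n"


def parse_hosts_allow(text: str) -> List[Tuple[str, List[str]]]:
    """Split 'daemon_list : client_list [: shell_command]' lines; '#' comments and
    blank lines are skipped. IPv4 only: an IPv6 literal would break the ':' split."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        clients = [c.strip() for c in fields[1].split(",") if c.strip()]
        rules.append((fields[0].strip(), clients))
    return rules


if __name__ == "__main__":
    # Constructed demonstration: the role's default list versus the same list
    # without its trailing catch-all entry.
    for label, entries in (("default", UBUNTU1804CIS_HOST_ALLOW),
                           ("restricted", UBUNTU1804CIS_HOST_ALLOW[:3])):
        print(label, "catch-all:", catch_all_entries(entries),
              "203.0.113.5 ->", admits("203.0.113.5", entries))
```

Run as a script it shows that 203.0.113.5 (a public address) is admitted by the default list only because of the `0.0.0.0/0.0.0.0` entry, and rejected once that entry is removed.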
##### Firewall backend
Select one backend with `ubuntu1804cis_firewall` (default `firewalld`); see also `ubuntu1804cis_setup_firewall` (default `false`) in defaults/main.yml:
```
ubuntu1804cis_firewall: firewalld
# ubuntu1804cis_firewall: iptables
# ubuntu1804cis_firewall: ufw
# ubuntu1804cis_firewall: nftables
```

##### 5.3.1 | PATCH | Ensure password creation requirements are configured
```
ubuntu1804cis_pwquality:
  - key: 'minlen'
    value: '14'
  - key: 'dcredit'
    value: '-1'
  - key: 'ucredit'
    value: '-1'
  - key: 'ocredit'
    value: '-1'
  - key: 'lcredit'
    value: '-1'
```
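Reading `dcredit: '-1'` as a credit is the usual misunderstanding: in pam_pwquality a negative value is a minimum count of that character class, while a non-negative value is a bonus that counts toward `minlen`. The following example was added for this page (it is not the role's code) and models only `minlen` and the four class credits, so the effect of the list above, which defaults/main.yml repeats as `ubuntu1804cis_pwquality`, can be seen on sample passwords; dictionary, repeat and similarity checks are out of scope.

```python
"""Apply pam_pwquality's minlen/credit rules to candidate passwords using the
role's ubuntu1804cis_pwquality list. Added example; not the role's own code."""
from typing import Dict, List

# The role's default list, in the key/value shape the role uses.
UBUNTU1804CIS_PWQUALITY = [
    {"key": "minlen", "value": "14"},
    {"key": "dcredit", "value": "-1"},
    {"key": "ucredit", "value": "-1"},
    {"key": "ocredit", "value": "-1"},
    {"key": "lcredit", "value": "-1"},
]

# Character classes as pam_pwquality counts them: digits, upper, lower, other.
CLASSES = {
    "dcredit": str.isdigit,
    "ucredit": str.isupper,
    "lcredit": str.islower,
    "ocredit": lambda ch: not ch.isalnum(),
}


def to_settings(pairs: List[Dict[str, str]]) -> Dict[str, int]:
    """Flatten the role's key/value list into {keyword: int}."""
    return {p["key"]: int(p["value"]) for p in pairs}


def render_pwquality_conf(settings: Dict[str, int]) -> str:
    """The 'keyword = value' lines as they appear in /etc/security/pwquality.conf."""
    return "".join(f"{k} = {v}\n" for k, v in settings.items())


def parse_pwquality_conf(text: str) -> Dict[str, int]:
    """Inverse of render_pwquality_conf; '#' comments and blank lines are skipped."""
    out: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        out[key.strip()] = int(value.strip())
    return out


def check_password(password: str, settings: Dict[str, int]) -> List[str]:
    """Return the violated rules; an empty list means the minlen/credit rules pass.

    Negative credit N: at least |N| characters of that class are mandatory.
    Credit N >= 0: up to N characters of that class each add one to the
    effective length that is compared against minlen."""
    counts = {k: sum(1 for ch in password if pred(ch)) for k, pred in CLASSES.items()}
    failures: List[str] = []
    credit = 0
    for key, n in settings.items():
        if key not in CLASSES:
            continue
        if n < 0:
            if counts[key] < -n:
                failures.append(f"{key}: need at least {-n}, have {counts[key]}")
        else:
            credit += min(counts[key], n)
    minlen = settings.get("minlen", 8)
    if len(password) + credit < minlen:
        failures.append(f"minlen: effective length {len(password) + credit} is below {minlen}")
    return failures


# Constructed comparison: the role's settings versus a lax profile in which every
# class gives a bonus instead of being required (minlen 8, all credits 1).
ROLE_SETTINGS = to_settings(UBUNTU1804CIS_PWQUALITY)
LAX_SETTINGS = {"minlen": 8, "dcredit": 1, "ucredit": 1, "lcredit": 1, "ocredit": 1}

if __name__ == "__main__":
    for pw in ("Abc123!", "correcthorsebattery", "Tr0ub4dor&3xample"):
        print(f"{pw!r}: role={check_password(pw, ROLE_SETTINGS)} lax={check_password(pw, LAX_SETTINGS)}")
```

Note how `Abc123!` satisfies the lax profile (seven characters plus four credits reaches `minlen` 8) but fails the role's `minlen` 14, and how a long all-lowercase passphrase fails the role's three mandatory classes despite its length.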


Dependencies
------------

Ansible >= 2.4 and <= 2.7 (2.8 is not yet supported)

Example Playbook
-------------------------

```
- name: Harden Server
  hosts: servers
  become: yes

  roles:
    - Ubuntu1804-CIS
```

To run the tasks in this repository, first create this file one level above the repository
(i.e. the playbook .yml and the directory `Ubuntu1804-CIS` should be next to each other),
then review the file `defaults/main.yml` and disable any rule/section you do not wish to execute.

Assuming you named the file `site.yml`, run it with:
```bash
ansible-playbook site.yml
```

Tags
----
Many tags are available for precise control of what is and is not changed.

Some examples of using tags:

```
    # Audit and patch the site
    ansible-playbook site.yml --tags="patch"
```

License
-------

MIT


================================================
FILE: defaults/main.yml
================================================
---
# defaults file for Ubuntu1804-CIS
ubuntu1804cis_skip_for_travis: false

ubuntu1804cis_notauto: false
ubuntu1804cis_section1: true
ubuntu1804cis_section2: true
ubuntu1804cis_section3: true
ubuntu1804cis_section4: true
ubuntu1804cis_section5: true
ubuntu1804cis_section6: true

ubuntu1804cis_selinux_disable: false
ubuntu1804cis_auditd_disable: false

# Ignore remount errors if you're building an image or are going to reboot anyway
ubuntu1804cis_ignore_remount_errors: true

# These variables correspond with the CIS rule IDs or paragraph numbers defined in
# the CIS benchmark documents.
# PLEASE NOTE: These work in coordination with the section # group variables and tags.
# You must enable an entire section in order for the variables below to take effect.
# Section 1 rules
ubuntu1804cis_rule_1_1_1_1: true
ubuntu1804cis_rule_1_1_1_2: true
ubuntu1804cis_rule_1_1_1_3: true
ubuntu1804cis_rule_1_1_1_4: true
ubuntu1804cis_rule_1_1_1_5: true
ubuntu1804cis_rule_1_1_1_6: true
ubuntu1804cis_rule_1_1_1_7: true
ubuntu1804cis_rule_1_1_1_8: false
ubuntu1804cis_rule_1_1_2: true
ubuntu1804cis_rule_1_1_3: true
ubuntu1804cis_rule_1_1_4: true
ubuntu1804cis_rule_1_1_5: false
ubuntu1804cis_rule_1_1_6: true
ubuntu1804cis_rule_1_1_7: true
ubuntu1804cis_rule_1_1_8: true
ubuntu1804cis_rule_1_1_9: true
ubuntu1804cis_rule_1_1_10: true
ubuntu1804cis_rule_1_1_11: true
ubuntu1804cis_rule_1_1_12: true
ubuntu1804cis_rule_1_1_13: true
ubuntu1804cis_rule_1_1_14: true
ubuntu1804cis_rule_1_1_15: true
ubuntu1804cis_rule_1_1_16: true
ubuntu1804cis_rule_1_1_17: true
ubuntu1804cis_rule_1_1_18: true
ubuntu1804cis_rule_1_1_19: true
ubuntu1804cis_rule_1_1_20: true
ubuntu1804cis_rule_1_1_21: true
ubuntu1804cis_rule_1_1_22: true
ubuntu1804cis_rule_1_1_23: true
ubuntu1804cis_rule_1_2_1: true
ubuntu1804cis_rule_1_2_2: true
ubuntu1804cis_rule_1_3_1: true
ubuntu1804cis_rule_1_3_2: true
ubuntu1804cis_rule_1_3_3: true
ubuntu1804cis_rule_1_4_1: true
ubuntu1804cis_rule_1_4_2: true
ubuntu1804cis_rule_1_5_1: true
ubuntu1804cis_rule_1_5_2: true
ubuntu1804cis_rule_1_5_2_disable_password: true
ubuntu1804cis_rule_1_5_3: false
ubuntu1804cis_rule_1_5_4: true
ubuntu1804cis_rule_1_6_1: true
ubuntu1804cis_rule_1_6_2: true
ubuntu1804cis_rule_1_6_3: true
ubuntu1804cis_rule_1_6_4: true
ubuntu1804cis_rule_1_7_1_1: true
ubuntu1804cis_rule_1_7_1_2: true
ubuntu1804cis_rule_1_7_1_3: true
ubuntu1804cis_rule_1_7_1_4: true
ubuntu1804cis_rule_1_8_1_1: true
ubuntu1804cis_rule_1_8_1_2: true
ubuntu1804cis_rule_1_8_1_3: true
ubuntu1804cis_rule_1_8_1_4: true
ubuntu1804cis_rule_1_8_1_5: true
ubuntu1804cis_rule_1_8_1_6: true
ubuntu1804cis_rule_1_8_2: true
ubuntu1804cis_rule_1_9: true

# Section 2 rules
ubuntu1804cis_rule_2_1_1: true
ubuntu1804cis_rule_2_1_2: true
ubuntu1804cis_rule_2_1_3: true
ubuntu1804cis_rule_2_1_4: true
ubuntu1804cis_rule_2_1_5: true
ubuntu1804cis_rule_2_1_6: true
ubuntu1804cis_rule_2_1_7: true
ubuntu1804cis_rule_2_1_8: true
ubuntu1804cis_rule_2_1_9: true
ubuntu1804cis_rule_2_1_10: true
ubuntu1804cis_rule_2_1_11: true
ubuntu1804cis_rule_2_2_1_1: true
ubuntu1804cis_rule_2_2_1_2: true
ubuntu1804cis_rule_2_2_1_3: true
ubuntu1804cis_rule_2_2_1_4: true
ubuntu1804cis_rule_2_2_2: true
ubuntu1804cis_rule_2_2_3: true
ubuntu1804cis_rule_2_2_4: true
ubuntu1804cis_rule_2_2_5: true
ubuntu1804cis_rule_2_2_6: true
ubuntu1804cis_rule_2_2_7: true
ubuntu1804cis_rule_2_2_8: true
ubuntu1804cis_rule_2_2_9: true
ubuntu1804cis_rule_2_2_10: true
ubuntu1804cis_rule_2_2_11: true
ubuntu1804cis_rule_2_2_12: true
ubuntu1804cis_rule_2_2_13: true
ubuntu1804cis_rule_2_2_14: true
ubuntu1804cis_rule_2_2_15: true
ubuntu1804cis_rule_2_2_16: true
ubuntu1804cis_rule_2_2_17: true
ubuntu1804cis_rule_2_3_1: true
ubuntu1804cis_rule_2_3_2: true
ubuntu1804cis_rule_2_3_3: true
ubuntu1804cis_rule_2_3_4: true
ubuntu1804cis_rule_2_3_5: true

# Section 3 rules
ubuntu1804cis_rule_3_1_1: true
ubuntu1804cis_rule_3_1_2: true
ubuntu1804cis_rule_3_2_1: true
ubuntu1804cis_rule_3_2_2: true
ubuntu1804cis_rule_3_2_3: true
ubuntu1804cis_rule_3_2_4: true
ubuntu1804cis_rule_3_2_5: true
ubuntu1804cis_rule_3_2_6: true
ubuntu1804cis_rule_3_2_7: true
ubuntu1804cis_rule_3_2_8: true
ubuntu1804cis_rule_3_2_9: true
ubuntu1804cis_rule_3_3_1: true
ubuntu1804cis_rule_3_3_2: true
ubuntu1804cis_rule_3_3_3: true
ubuntu1804cis_rule_3_3_4: true
ubuntu1804cis_rule_3_3_5: true
ubuntu1804cis_rule_3_4_1: true
ubuntu1804cis_rule_3_4_2: true
ubuntu1804cis_rule_3_4_3: true
ubuntu1804cis_rule_3_4_4: true
ubuntu1804cis_rule_3_5_1_1: true
ubuntu1804cis_rule_3_5_2_1: true
ubuntu1804cis_rule_3_5_2_2: true
ubuntu1804cis_rule_3_5_2_3: true
ubuntu1804cis_rule_3_5_2_4: true
ubuntu1804cis_rule_3_5_2_5: true
ubuntu1804cis_rule_3_5_3_1: true
ubuntu1804cis_rule_3_5_3_2: true
ubuntu1804cis_rule_3_5_3_3: true
ubuntu1804cis_rule_3_5_3_4: true
ubuntu1804cis_rule_3_5_3_5: true
ubuntu1804cis_rule_3_5_3_6: true
ubuntu1804cis_rule_3_5_3_7: true
ubuntu1804cis_rule_3_5_3_8: true
ubuntu1804cis_rule_3_5_4_1_1: true
ubuntu1804cis_rule_3_5_4_1_2: true
ubuntu1804cis_rule_3_5_4_1_3: true
ubuntu1804cis_rule_3_5_4_1_4: true
ubuntu1804cis_rule_3_5_4_2_1: true
ubuntu1804cis_rule_3_5_4_2_2: true
ubuntu1804cis_rule_3_5_4_2_3: true
ubuntu1804cis_rule_3_5_4_2_4: true
ubuntu1804cis_rule_3_5_4_3_1: true
ubuntu1804cis_rule_3_5_4_3_2: true
ubuntu1804cis_rule_3_5_4_3_3: true
ubuntu1804cis_rule_3_5_4_3_4: true
ubuntu1804cis_rule_3_5_4_3_5: true
ubuntu1804cis_rule_3_6: true
ubuntu1804cis_rule_3_7: true

# Section 4 rules
ubuntu1804cis_rule_4_1_1_1: true
ubuntu1804cis_rule_4_1_1_2: true
ubuntu1804cis_rule_4_1_1_3: true
ubuntu1804cis_rule_4_1_1_4: true
ubuntu1804cis_rule_4_1_2_1: true
ubuntu1804cis_rule_4_1_2_2: true
ubuntu1804cis_rule_4_1_2_3: true
ubuntu1804cis_rule_4_1_3: true
ubuntu1804cis_rule_4_1_4: true
ubuntu1804cis_rule_4_1_5: true
ubuntu1804cis_rule_4_1_6: true
ubuntu1804cis_rule_4_1_7: true
ubuntu1804cis_rule_4_1_8: true
ubuntu1804cis_rule_4_1_9: true
ubuntu1804cis_rule_4_1_10: true
ubuntu1804cis_rule_4_1_11: true
ubuntu1804cis_rule_4_1_12: true
ubuntu1804cis_rule_4_1_13: true
ubuntu1804cis_rule_4_1_14: true
ubuntu1804cis_rule_4_1_15: true
ubuntu1804cis_rule_4_1_16: true
ubuntu1804cis_rule_4_1_17: true
ubuntu1804cis_rule_4_2_1_1: true
ubuntu1804cis_rule_4_2_1_2: true
ubuntu1804cis_rule_4_2_1_3: true
ubuntu1804cis_rule_4_2_1_4: true
ubuntu1804cis_rule_4_2_1_5: true
ubuntu1804cis_rule_4_2_1_6: true
ubuntu1804cis_rule_4_2_2_1: true
ubuntu1804cis_rule_4_2_2_2: true
ubuntu1804cis_rule_4_2_2_3: true
ubuntu1804cis_rule_4_2_3: true
ubuntu1804cis_rule_4_3: true

# Section 5 rules
ubuntu1804cis_rule_5_1_1: true
ubuntu1804cis_rule_5_1_2: true
ubuntu1804cis_rule_5_1_3: true
ubuntu1804cis_rule_5_1_4: true
ubuntu1804cis_rule_5_1_5: true
ubuntu1804cis_rule_5_1_6: true
ubuntu1804cis_rule_5_1_7: true
ubuntu1804cis_rule_5_1_8: true
ubuntu1804cis_rule_5_2_1: true
ubuntu1804cis_rule_5_2_2: true
ubuntu1804cis_rule_5_2_3: true
ubuntu1804cis_rule_5_2_4: true
ubuntu1804cis_rule_5_2_5: true
ubuntu1804cis_rule_5_2_6: true
ubuntu1804cis_rule_5_2_7: true
ubuntu1804cis_rule_5_2_8: true
ubuntu1804cis_rule_5_2_9: true
ubuntu1804cis_rule_5_2_10: true
ubuntu1804cis_rule_5_2_11: true
ubuntu1804cis_rule_5_2_12: true
ubuntu1804cis_rule_5_2_13: true
ubuntu1804cis_rule_5_2_14: true
ubuntu1804cis_rule_5_2_15: true
ubuntu1804cis_rule_5_2_16: true
ubuntu1804cis_rule_5_2_17: true
ubuntu1804cis_rule_5_2_18: true
ubuntu1804cis_rule_5_2_19: true
ubuntu1804cis_rule_5_2_20: true
ubuntu1804cis_rule_5_2_21: true
ubuntu1804cis_rule_5_2_22: true
ubuntu1804cis_rule_5_2_23: true
ubuntu1804cis_rule_5_3_1: true
ubuntu1804cis_rule_5_3_2: true
ubuntu1804cis_rule_5_3_3: true
ubuntu1804cis_rule_5_3_4: true
ubuntu1804cis_rule_5_4_1_1: true
ubuntu1804cis_rule_5_4_1_2: true
ubuntu1804cis_rule_5_4_1_3: true
ubuntu1804cis_rule_5_4_1_4: true
ubuntu1804cis_rule_5_4_1_5: true
ubuntu1804cis_rule_5_4_2: true
ubuntu1804cis_rule_5_4_3: true
ubuntu1804cis_rule_5_4_4: true
ubuntu1804cis_rule_5_4_5: true
ubuntu1804cis_rule_5_5: true
ubuntu1804cis_rule_5_6: false

# Section 6 rules
ubuntu1804cis_rule_6_1_1: true
ubuntu1804cis_rule_6_1_2: true
ubuntu1804cis_rule_6_1_3: true
ubuntu1804cis_rule_6_1_4: true
ubuntu1804cis_rule_6_1_5: true
ubuntu1804cis_rule_6_1_6: true
ubuntu1804cis_rule_6_1_7: true
ubuntu1804cis_rule_6_1_8: true
ubuntu1804cis_rule_6_1_9: true
ubuntu1804cis_rule_6_1_10: true
ubuntu1804cis_rule_6_1_11: true
ubuntu1804cis_rule_6_1_12: true
ubuntu1804cis_rule_6_1_13: true
ubuntu1804cis_rule_6_1_14: true
ubuntu1804cis_rule_6_2_1: true
ubuntu1804cis_rule_6_2_2: true
ubuntu1804cis_rule_6_2_3: true
ubuntu1804cis_rule_6_2_4: true
ubuntu1804cis_rule_6_2_5: true
ubuntu1804cis_rule_6_2_6: true
ubuntu1804cis_rule_6_2_7: true
ubuntu1804cis_rule_6_2_8: true
ubuntu1804cis_rule_6_2_9: true
ubuntu1804cis_rule_6_2_10: true
ubuntu1804cis_rule_6_2_11: true
ubuntu1804cis_rule_6_2_12: true
ubuntu1804cis_rule_6_2_14: true
ubuntu1804cis_rule_6_2_15: true
ubuntu1804cis_rule_6_2_16: true
ubuntu1804cis_rule_6_2_17: true
ubuntu1804cis_rule_6_2_18: true
ubuntu1804cis_rule_6_2_19: true
ubuntu1804cis_rule_6_2_20: true

# Service configuration booleans set true to keep service
ubuntu1804cis_avahi_server: false
ubuntu1804cis_cups_server: false
ubuntu1804cis_dhcp_server: false
ubuntu1804cis_ldap_server: false
ubuntu1804cis_telnet_server: false
ubuntu1804cis_nfs_server: false
ubuntu1804cis_rpc_server: false
ubuntu1804cis_ntalk_server: false
ubuntu1804cis_rsyncd_server: false
ubuntu1804cis_tftp_server: false
ubuntu1804cis_rsh_server: false
ubuntu1804cis_nis_server: false
ubuntu1804cis_snmp_server: false
ubuntu1804cis_squid_server: false
ubuntu1804cis_smb_server: false
ubuntu1804cis_dovecot_server: false
ubuntu1804cis_httpd_server: false
ubuntu1804cis_vsftpd_server: false
ubuntu1804cis_named_server: false
ubuntu1804cis_nfs_rpc_server: false
ubuntu1804cis_is_mail_server: false
ubuntu1804cis_bind: false
ubuntu1804cis_vsftpd: false
ubuntu1804cis_httpd: false
ubuntu1804cis_dovecot: false
ubuntu1804cis_samba: false
ubuntu1804cis_squid: false
ubuntu1804cis_net_snmp: false
ubuntu1804cis_allow_autofs: false

# xinetd required
ubuntu1804cis_xinetd_required: false

# RedHat Satellite Subscription items
ubuntu1804cis_rhnsd_required: false

# 1.4.2 Bootloader password
ubuntu1804cis_bootloader_password: random
ubuntu1804cis_set_boot_pass: false

# System network parameters (host only OR host and router)
ubuntu1804cis_is_router: false

# IPv6 required
ubuntu1804cis_ipv6_required: true

# AIDE
ubuntu1804cis_config_aide: true
# AIDE cron settings
ubuntu1804cis_aide_cron:
  cron_user: root
  cron_file: /etc/crontab
  aide_job: '/usr/bin/aide.wrapper --config /etc/aide/aide.conf --check'
  aide_minute: 0
  aide_hour: 5
  aide_day: '*'
  aide_month: '*'
  aide_weekday: '*'

# Whether or not to run tasks related to auditing/patching the desktop environment
ubuntu1804cis_gui: false

# Set to 'true' if X Windows is needed in your environment
ubuntu1804cis_xwindows_required: false

ubuntu1804cis_openldap_clients_required: false
ubuntu1804cis_telnet_required: false
ubuntu1804cis_talk_required: false
ubuntu1804cis_rsh_required: false
ubuntu1804cis_ypbind_required: false

# Time Synchronization
ubuntu1804cis_time_synchronization: chrony
# ubuntu1804cis_time_synchronization: ntp

ubuntu1804cis_time_synchronization_servers:
  - uri: "0.pool.ntp.org"
    config: "minpoll 8"
  - uri: "1.pool.ntp.org"
    config: "minpoll 8"
  - uri: "2.pool.ntp.org"
    config: "minpoll 8"
  - uri: "3.pool.ntp.org"
    config: "minpoll 8"

# 3.3 TCP Wrappers
ubuntu1804cis_setup_tcp_wrappers: false

# 3.3.2 | PATCH | Ensure /etc/hosts.allow is configured
# The trailing 0.0.0.0/0.0.0.0 entry matches every IPv4 address, so this default
# list allows all hosts. Override it with the networks that should reach the host.
ubuntu1804cis_host_allow:
  - "10.0.0.0/255.0.0.0"
  - "172.16.0.0/255.240.0.0"
  - "192.168.0.0/255.255.0.0"
  - "0.0.0.0/0.0.0.0"

ubuntu1804cis_firewall: firewalld
# ubuntu1804cis_firewall: iptables
# ubuntu1804cis_firewall: ufw
# ubuntu1804cis_firewall: nftables

# 3.5.3.2 | PATCH | Ensure a table exists
ubuntu1804cis_nftables_table: filter

ubuntu1804cis_firewall_services:
  - ssh
  - dhcpv6-client

# Warning Banner Content (issue, issue.net, motd)
ubuntu1804cis_warning_banner: |
   Authorized uses only. All activity may be monitored and reported.
# End Banner

## Section 4 Vars
ubuntu1804cis_auditd:
  admin_space_left_action: halt
  max_log_file_action: keep_logs
  max_audit_log_file_size: 10
  backlog_limit: "8192"

ubuntu1804cis_logrotate: "daily"

## Section 5 Vars
ubuntu1804cis_at_allow_users: []
ubuntu1804cis_cron_allow_users: []

ubuntu1804cis_sshd:
  clientalivecountmax: 3
  clientaliveinterval: 300
  ciphers: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
  macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"
  kexalgorithms: "curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
  logingracetime: 60
  ### Make sure you understand the precedence when working with these values!!
  # allowusers:
  # allowgroups: systems dba
  # denyusers:
  # denygroups:

ubuntu1804cis_pwquality:
  - key: 'minlen'
    value: '14'
  - key: 'dcredit'
    value: '-1'
  - key: 'ucredit'
    value: '-1'
  - key: 'ocredit'
    value: '-1'
  - key: 'lcredit'
    value: '-1'

ubuntu1804cis_pass:
  max_days: 365
  min_days: 1
  warn_age: 7
  inactive: 30
  history: 5

ubuntu1804cis_password_change_date_in_future_action: expire # lock

ubuntu1804cis_shell_timeout: 900
# Syslog system
ubuntu1804cis_syslog: rsyslog
# ubuntu1804cis_syslog: syslog-ng

ubuntu1804cis_vartmp:
  source: /tmp
  fstype: false
  # mount options are comma-separated with no spaces; embedded whitespace would
  # split the fstab line into extra fields
  opts: "defaults,nodev,nosuid,noexec,bind"
  enabled: false

# Apply upgrades (set to false if another patching system is in place)
ubuntu1804cis_apply_upgrades: true

###### Multi OS Vars ###########
prelim_check_package_command:
  RedHat: rpm -q
  Debian: dpkg -V
auditd_package:
  RedHat: audit
  Debian: auditd
cron_package:
  RedHat: cronie
  Debian: cron
cron_service:
  RedHat: crond
  Debian: cron
ntp_service:
  RedHat: ntpd
  Debian: ntp
chrony_service:
  RedHat: chronyd
  Debian: chrony
tcp_wrapper_package:
  RedHat: tcp_wrappers
  Debian: tcpd
bashrc_file:
  RedHat: /etc/bashrc
  Debian: /etc/bash.bashrc
tmp_mount_file:
  RedHat: /usr/lib/systemd/system/tmp.mount
  Debian: /usr/share/systemd/tmp.mount
tmp_mount_options:
  RedHat: mode=1777,strictatime,noexec,nodev,nosuid
  Debian: mode=1777,strictatime,nodev,nosuid
chrony_config_file:
  RedHat: /etc/chrony.conf
  Debian: /etc/chrony/chrony.conf

### Firewall
ubuntu1804cis_setup_firewall: false

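As an added check, not part of the role, the script below parses an sshd_config the way sshd applies it (keywords case-insensitive, first occurrence wins, global section only) and reports which configured ciphers, MACs and key-exchange algorithms fall outside the `ubuntu1804cis_sshd` lists above, plus timeout values weaker than the role's. The sample sshd_config is constructed for the example; `+`/`-`/`^` list-modifier prefixes on the algorithm keywords are not handled.

```python
"""Compare an sshd_config against the crypto and timeout values of the role's
ubuntu1804cis_sshd dictionary. Added example; not the role's own code."""
import re
from typing import Dict, List

# Values copied from ubuntu1804cis_sshd in defaults/main.yml.
ROLE_SSHD = {
    "ciphers": "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr",
    "macs": "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com",
    "kexalgorithms": "curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256",
    "clientalivecountmax": "3",
    "clientaliveinterval": "300",
    "logingracetime": "60",
}
CRYPTO_KEYS = ("ciphers", "macs", "kexalgorithms")
KEYWORD_NAMES = {"ciphers": "Ciphers", "macs": "MACs", "kexalgorithms": "KexAlgorithms",
                 "clientalivecountmax": "ClientAliveCountMax",
                 "clientaliveinterval": "ClientAliveInterval",
                 "logingracetime": "LoginGraceTime"}

# Constructed sample sshd_config, not taken from any real host.
SAMPLE_SSHD_CONFIG = """\
# constructed sample
Port 22
Ciphers aes128-cbc,3des-cbc,aes256-ctr
MACs=hmac-md5,hmac-sha2-256-etm@openssh.com
LoginGraceTime 2m
ClientAliveInterval 0
Match User backup
    PasswordAuthentication no
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Global keywords only: parsing stops at the first Match block. Keywords are
    lower-cased and the first occurrence wins, as sshd(8) applies them. Both
    'Keyword value' and 'Keyword=value' forms are accepted."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split(None, 1)
        if "=" in tokens[0]:
            key, _, value = line.partition("=")
        else:
            key, value = tokens[0], (tokens[1] if len(tokens) > 1 else "")
        key = key.strip().lower()
        if key == "match":
            break
        conf.setdefault(key, value.strip())
    return conf


def parse_sshd_time(value: str) -> int:
    """sshd time format: bare seconds or a number with an s/m/h/d/w suffix ('2m' -> 120)."""
    units = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.strip().lower())
    if not m:
        raise ValueError(f"bad sshd time value: {value!r}")
    return int(m.group(1)) * units[m.group(2)]


def weak_algorithms(conf: Dict[str, str], role: Dict[str, str] = ROLE_SSHD) -> Dict[str, List[str]]:
    """Per crypto keyword, the configured algorithms the role's list does not contain.
    A keyword absent from the config leaves OpenSSH's compiled-in default in force,
    which is reported as unset rather than silently accepted."""
    report: Dict[str, List[str]] = {}
    for key in CRYPTO_KEYS:
        allowed = set(role[key].split(","))
        if key not in conf:
            report[key] = ["<unset: OpenSSH defaults apply>"]
            continue
        report[key] = [a for a in conf[key].split(",") if a and a not in allowed]
    return report


def timeout_findings(conf: Dict[str, str], role: Dict[str, str] = ROLE_SSHD) -> List[str]:
    """ClientAliveInterval 0 (the OpenSSH default) disables idle disconnection;
    LoginGraceTime defaults to 120 s and must not exceed the role's value."""
    findings: List[str] = []
    interval = parse_sshd_time(conf.get("clientaliveinterval", "0"))
    if interval == 0 or interval > int(role["clientaliveinterval"]):
        findings.append(f"ClientAliveInterval {interval} (role: {role['clientaliveinterval']})")
    grace = parse_sshd_time(conf.get("logingracetime", "120"))
    if grace > int(role["logingracetime"]):
        findings.append(f"LoginGraceTime {grace} (role: {role['logingracetime']})")
    return findings


def render_role_lines(role: Dict[str, str] = ROLE_SSHD) -> str:
    """The sshd_config lines that enforce the role's values."""
    return "".join(f"{KEYWORD_NAMES[k]} {v}\n" for k, v in role.items())


if __name__ == "__main__":
    conf = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    print("weak algorithms:", weak_algorithms(conf))
    print("timeouts:", timeout_findings(conf))
    print("hardened lines:\n" + render_role_lines())
```

On the constructed sample this flags the CBC ciphers and hmac-md5, reports KexAlgorithms as unset, and calls out both timeouts; the lines from `render_role_lines()` pass both checks when parsed back.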

================================================
FILE: files/etc/systemd/system/tmp.mount
================================================
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

[Unit]
Description=Temporary Directory
Documentation=man:hier(7)
Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
ConditionPathIsSymbolicLink=!/tmp
DefaultDependencies=no
Conflicts=umount.target
Before=local-fs.target umount.target

[Mount]
What=tmpfs
Where=/tmp
Type=tmpfs
Options=mode=1777,strictatime,noexec,nodev,nosuid

# Make 'systemctl enable tmp.mount' work:
[Install]
WantedBy=local-fs.target


================================================
FILE: handlers/main.yml
================================================
---
# handlers file for Ubuntu1804-CIS

- name: sysctl flush ipv4 route table
  become: true
  sysctl:
      name: net.ipv4.route.flush
      value: "1"
      sysctl_set: true
  when: ansible_virtualization_type != "docker"

- name: sysctl flush ipv6 route table
  become: true
  sysctl:
      name: net.ipv6.route.flush
      value: "1"
      sysctl_set: true
  when: ansible_virtualization_type != "docker"

- name: systemd restart tmp.mount
  become: true
  systemd:
      name: tmp.mount
      daemon_reload: true
      enabled: true
      masked: false
      state: reloaded
  when: ansible_virtualization_type != "docker"
  ignore_errors: "{{ ubuntu1804cis_ignore_remount_errors }}"

- name: systemd restart var-tmp.mount
  become: true
  systemd:
      name: var-tmp.mount
      daemon_reload: true
      enabled: true
      masked: false
      state: reloaded
  ignore_errors: "{{ ubuntu1804cis_ignore_remount_errors }}"

- name: generate new grub config
  become: true
  command: grub-mkconfig -o "{{ grub_cfg.stat.path }}"
  notify: fix permissions after generate new grub config handler

- name: fix permissions after generate new grub config handler
  become: true
  file:
    path: "/boot/grub/grub.cfg"
    owner: root
    group: root
    mode: 0400
  when:
    - ansible_os_family == "Debian"
    - ubuntu1804cis_rule_1_4_1

- name: restart firewalld
  become: true
  service:
      name: firewalld
      state: restarted

- name: reload nftables
  become: true
  service:
      name: nftables
      state: reloaded

- name: restart xinetd
  become: true
  service:
      name: xinetd
      state: restarted

- name: restart sshd
  become: true
  service:
      name: sshd
      state: restarted

- name: reload dconf
  become: true
  command: dconf update

- name: restart auditd
  become: true
  service:
      name: auditd
      state: restarted
  when:
      - not ubuntu1804cis_skip_for_travis
  tags:
      - skip_ansible_lint

- name: load audit rules
  become: true
  command: /sbin/augenrules --load
  when:
      - not ubuntu1804cis_skip_for_travis
  tags:
      - skip_ansible_lint

- name: restart systemd-coredump
  become: true
  # daemon_reload is a parameter of the systemd module, so call it directly
  # instead of relying on the service module to dispatch to it
  systemd:
      name: systemd-coredump.socket
      daemon_reload: true
      enabled: true
      state: restarted

- name: restart journald
  become: true
  service:
      name: systemd-journald
      state: restarted


================================================
FILE: meta/main.yml
================================================
---
galaxy_info:
  author: "florianutz"
  role_name: ubuntu1804_cis
  description: "Ansible role to apply Ubuntu 18.04 CIS Baseline"
  company: "none"
  license: MIT
  min_ansible_version: 2.6
  namespace: florianutz


  platforms:
    - name: Ubuntu
      versions:
        - bionic

  galaxy_tags:
    - system
    - security
    - cis
    - hardening

dependencies: []

collections:
  - ansible.posix


================================================
FILE: molecule/default/INSTALL.rst
================================================
*******
Install
*******

Requirements
============

* Docker Engine
* docker-py

Install
=======

.. code-block:: bash

  $ sudo pip install docker-py


================================================
FILE: molecule/default/converge.yml
================================================
---
- name: Converge
  hosts: all
  vars:
    ubuntu1804cis_skip_for_travis: true
    ubuntu1804cis_selinux_disable: true
  roles:
    - role: Ubuntu1804-CIS


================================================
FILE: molecule/default/molecule.yml
================================================
---
dependency:
  name: galaxy
driver:
  name: docker
lint: |
  set -e
  ansible-lint -c .ansible-lint
platforms:
  - name: instance
    image: florianutz/docker-systemd:18.04
    tmpfs:
      - /run
      - /run/lock
      - /tmp
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    privileged: true
    command: /sbin/init
provisioner:
  name: ansible
  lint:
    name: ansible-lint -c .ansible-lint
    enabled: true
  config_options:
    defaults:
      bin_ansible_callbacks: True
      callback_whitelist: profile_tasks,timer
      fact_caching: jsonfile
      fact_caching_connection: ./cache
      poll_interval: 3
      forks: 100
      conditional_bare_variables: false
    connection:
      pipelining: true
scenario:
  name: default
verifier:
  name: ansible


================================================
FILE: molecule/default/prepare.yml
================================================
---
- name: Prepare
  hosts: all
  gather_facts: false
  tasks:
    - name: install openssh-server for testing under docker
      apt:
        name: openssh-server
        state: present
        update_cache: yes
    - name: install grub files for testing under docker
      block:
        - name: create /boot/grub
          file:
            name: /boot/grub
            state: directory
          changed_when: false

        - name: touch /boot/grub/grub.cfg
          file:
            name: /boot/grub/grub.cfg
            state: touch
          changed_when: false

        - name: touch /etc/default/grub
          file:
            name: /etc/default/grub
            state: touch
          changed_when: false

================================================
FILE: molecule/default/tests/test_default.py
================================================
import os

import testinfra.utils.ansible_runner

testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')


def test_hosts_file(host):
    f = host.file('/etc/hosts')

    assert f.exists
    assert f.user == 'root'
    assert f.group == 'root'


================================================
FILE: molecule/default/verify.yml
================================================
---
# This is an example playbook to execute Ansible tests.

- name: Verify
  hosts: all
  tasks:
  - name: Example assertion
    assert:
      that: true


================================================
FILE: requirements.txt
================================================
molecule[docker]==3.0.8
ansible-lint==5.2.1


================================================
FILE: tasks/main.yml
================================================
---
# tasks file for Ubuntu1804-CIS
- name: Check OS version and family
  fail:
      msg: "This role can only be run against Ubuntu 18.04. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
  # fail unless BOTH distribution and release match; two separate "not" items in a
  # when-list are AND-ed and would let other Ubuntu releases through
  when: not (ansible_distribution == "Ubuntu" and ansible_distribution_release == "bionic")
  tags:
      - always

- name: Check ansible version
  fail:
      msg: You must use ansible 2.3 or greater!
  when: not ansible_version.full is version_compare('2.3', '>=')
  tags:
      - always

- include: prelim.yml
  become: true
  tags:
      - prelim_tasks
      - always

- include: section1.yml
  become: true
  when: ubuntu1804cis_section1
  tags: section1

- include: section2.yml
  become: true
  when: ubuntu1804cis_section2
  tags: section2

- include: section3.yml
  become: true
  when: ubuntu1804cis_section3
  tags: section3

- include: section4.yml
  become: true
  when: ubuntu1804cis_section4
  tags: section4

- include: section5.yml
  become: true
  when: ubuntu1804cis_section5
  tags: section5

- include: section6.yml
  become: true
  when: ubuntu1804cis_section6
  tags: section6

- include: post.yml
  become: true
  tags:
      - post_tasks
      - always


================================================
FILE: tasks/post.yml
================================================
---
# Post tasks

- name: "POST | Find removed but configured apt packages"
  shell: "set -o pipefail;
      dpkg --list | (grep ^rc || true) | tr -s ' ' | cut -d ' ' -f 2"
  args:
      executable: /bin/bash
  register: apt_rc_packages
  changed_when: false

- name: "POST | Perform apt package cleanup"
  apt:
    name: "{{ apt_rc_packages.stdout_lines }}"
    state: absent
    purge: true
  changed_when: false
  ignore_errors: true
  when: not ansible_check_mode
  tags:
    - skip_ansible_lint


================================================
FILE: tasks/prelim.yml
================================================
---
# Preliminary tasks that should always be run
# List users in order to look files inside each home directory
- name: "PRELIM | List users accounts"
  command: "awk -F: '{print $1}' /etc/passwd"
  register: users
  changed_when: false
  check_mode: false

- name: "PRELIM | Gather homes with wrong permissions on /home"
  shell: 'set -o pipefail;
      for dir in $(getent passwd | cut -d '':'' -f 6 | awk ''$1 ~ /^\/home\//'');
      do
        perm=$(stat -L -c "%A" "$dir" );
        if [ -d $dir ] && ([ "${perm:7:3}" != "---" ] || [ "${perm:5:1}" == "w" ] );
        then
          echo -n "$dir ";
        fi;
      done'
  args:
    executable: /bin/bash
  register: homes_with_perms
  changed_when: false
  check_mode: false

- name: "PRELIM | Gather accounts with empty password fields"
  shell: "set -o pipefail;
      cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'"
  args:
      executable: /bin/bash
  register: empty_password_accounts
  changed_when: false
  # the awk exit status carries the match count; a non-zero count must not fail the play
  failed_when: false
  check_mode: false

- name: "PRELIM | Check if root has password"
  # match only the root entry, not every account whose name contains "root"
  shell: 'set -o pipefail;
       getent shadow | grep ''^root:'' | awk -F: ''($2 == "*" || $2 == "!" ) { printf $2; }'''
  args:
    executable: /bin/bash
  register: current_root_password
  changed_when: false
  check_mode: false

- name: "PRELIM | Gather UID 0 accounts other than root"
  shell: "set -o pipefail;
      cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'"
  args:
      executable: /bin/bash
  register: uid_zero_accounts_except_root
  changed_when: false
  # the awk exit status carries the match count; a non-zero count must not fail the play
  failed_when: false
  check_mode: false

- name: "PRELIM | Run apt cache update"
  apt:
    update_cache: true
  changed_when: false

- name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)"
  apt:
    name: "{{ auditd_package[ansible_os_family] }}"
    state: present
    install_recommends: false
  when:
      - not ubuntu1804cis_auditd_disable

- name: "PRELIM | Section 5.1 | Configure cron"
  apt:
    name: "{{ cron_package[ansible_os_family] }}"
    state: present
    install_recommends: false

- name: "PRELIM | Check if prelink package is installed"
  command: "{{ prelim_check_package_command[ansible_os_family] }} prelink"
  register: prelink_installed
  changed_when: false
  failed_when: false
  check_mode: false
  tags:
    - skip_ansible_lint

- name: "PRELIM | Check if postfix package is installed"
  command: "{{ prelim_check_package_command[ansible_os_family] }} postfix"
  register: postfix_installed
  changed_when: false
  failed_when: false
  check_mode: false
  tags:
    - skip_ansible_lint

# Individual service checks
- name: "PRELIM | Check for xinetd service"
  shell: "set -o pipefail;
      systemctl show xinetd | grep LoadState | cut -d = -f 2"
  args:
      executable: /bin/bash
  register: xinetd_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for openbsd-inetd service"
  shell: "set -o pipefail;
      dpkg -s openbsd-inetd | grep -o 'ok installed'; true"
  args:
      executable: /bin/bash
  register: openbsd_inetd_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for ntpd service"
  shell: "set -o pipefail;
      systemctl show {{ ntp_service[ansible_os_family] }} | grep LoadState | cut -d = -f 2"
  args:
      executable: /bin/bash
  register: ntpd_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for chronyd service"
  shell: "set -o pipefail;
      systemctl show {{ chrony_service[ansible_os_family] }} | grep LoadState | cut -d = -f 2"
  args:
      executable: /bin/bash
  register: chronyd_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for systemd-timesyncd service"
  shell: "set -o pipefail;
      systemctl show systemd-timesyncd | grep LoadState | cut -d = -f 2"
  args:
      executable: /bin/bash
  register: systemd_timesyncd_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for avahi-daemon service"
  shell: "set -o pipefail;
      systemctl show avahi-daemon | grep LoadState | cut -d = -f 2"
  args:
      executable: /bin/bash
  register: avahi_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for cups service"
  shell: "set -o pipefail;
      systemctl show cups | grep LoadState | cut -d = -f 2"
  args:
      executable: /bin/bash
  register: cups_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for dhcpd service"
  shell: "set -o pipefail;
      systemctl show dhcpd | grep LoadState | cut -d = -f 2"
  args:
      executable: /bin/bash
  register: dhcpd_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for slapd service"
  shell: "set -o pipefail;
      systemctl show slapd | grep LoadState | cut -d = -f 2"
  args:
      executable: /bin/bash
  register: slapd_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for nfs service"
  shell: "set -o pipefail;
      systemctl show nfs | grep LoadState | cut -d = -f 2"
  args:
      executable: /bin/bash
  register: nfs_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for rpcbind service"
  shell: "set -o pipefail;
      systemctl show rpcbind | grep LoadState | cut -d = -f 2"
  args:
      executable: /bin/bash
  register: rpcbind_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for named service"
  shell: "set -o pipefail;
      systemctl show named | grep LoadState | cut -d = -f 2"
  args:
      executable: /bin/bash
  register: named_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for vsftpd service"
  shell: "set -o pipefail;
      systemctl show vsftpd | grep LoadState | cut -d = -f 2"
  args:
      executable: /bin/bash
  register: vsftpd_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for httpd service"
  shell: "set -o pipefail;
      systemctl show apache2 | grep LoadState | cut -d = -f 2"
  args:
      executable: /bin/bash
  register: httpd_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for dovecot service"
  shell: "set -o pipefail;
      systemctl show dovecot | grep LoadState | cut -d = -f 2"
  args:
      executable: /bin/bash
  register: dovecot_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for smb service"
  shell: "set -o pipefail;
      systemctl show smbd | grep LoadState | cut -d = -f 2"
  args:
      executable: /bin/bash
  register: smb_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for squid service"
  shell: "set -o pipefail;
      systemctl show squid | grep LoadState | cut -d = -f 2"
  args:
      executable: /bin/bash
  register: squid_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for snmpd service"
  shell: "set -o pipefail;
      systemctl show snmpd | grep LoadState | cut -d = -f 2"
  args:
      executable: /bin/bash
  register: snmpd_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for ypserv service"
  shell: "set -o pipefail;
      systemctl show nis | grep LoadState | cut -d = -f 2"
  args:
      executable: /bin/bash
  register: ypserv_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for rsh.socket service"
  shell: "set -o pipefail;
      systemctl show rsh.socket | grep LoadState | cut -d = -f 2"
  args:
      executable: /bin/bash
  register: rsh_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for rlogin.socket service"
  shell: "set -o pipefail;
      systemctl show rlogin.socket | grep LoadState | cut -d = -f 2"
  args:
      executable: /bin/bash
  register: rlogin_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for rexec.socket service"
  shell: "set -o pipefail;
      systemctl show rexec.socket | grep LoadState | cut -d = -f 2"
  args:
      executable: /bin/bash
  register: rexec_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for telnet service"
  shell: "set -o pipefail;
      systemctl show telnetd | grep LoadState | cut -d = -f 2"
  args:
      executable: /bin/bash
  register: telnet_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for tftp service"
  shell: "set -o pipefail;
      systemctl show tftpd-hpa | grep LoadState | cut -d = -f 2"
  args:
      executable: /bin/bash
  register: tftp_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for rsyncd service"
  shell: "set -o pipefail;
      systemctl show rsync | grep LoadState | cut -d = -f 2"
  args:
      executable: /bin/bash
  register: rsyncd_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for ntalk service"
  shell: "set -o pipefail;
      systemctl show ntalk | grep LoadState | cut -d = -f 2"
  args:
      executable: /bin/bash
  register: ntalk_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for autofs service"
  shell: "set -o pipefail;
      systemctl show autofs | grep LoadState | cut -d = -f 2"
  args:
      executable: /bin/bash
  register: autofs_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check the grub.cfg configuration"
  stat:
    path: /boot/grub/grub.cfg
  register: grub_cfg

- name: "PRELIM | Check the grub.conf configuration"
  stat:
    path: /boot/grub/grub.conf
  register: grub_conf

- name: "PRELIM | Check the menu.lst configuration"
  stat:
    path: "/boot/grub/menu.lst"
  register: menu_lst

- name: "PRELIM | Check that system accounts are non-login #1"
  shell: >
    set -o pipefail &&
    egrep -v "^\+" /etc/passwd | awk -F: '($1!="root" && $1!="sync" &&
    $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" &&
    $7!="/bin/false") {print}'
  args:
      executable: /bin/bash
  register: system_accounts_non_login_1
  changed_when: false
  check_mode: false


- name: "PRELIM | Check that system accounts are non-login #2"
  shell: >
    set -o pipefail &&
    for user in `awk -F: '($1!="root" && $3 < 1000) {print $1 }' /etc/passwd`; do
    passwd -S $user | awk -F ' ' '($2!="L") {print $1}'; done
  args:
      executable: /bin/bash
  register: system_accounts_non_login_2
  changed_when: false
  check_mode: false

- name: "PRELIM | Check that users last password change date are in the future"
  shell: |
      set -o pipefail;
      awk -F: '{print $1}' /etc/shadow | while read -r usr
      do
        last_change=$(chage --list "$usr" | grep '^Last password change' | cut -d: -f2)
        # skip accounts without a usable change date; compare epoch seconds numerically (-gt), not as strings
        case "$last_change" in *never*|*must*) continue ;; esac
        if [ "$(date --date="$last_change" +%s)" -gt "$(date +%s)" ]; then
          echo "$usr"
        fi
      done
  args:
      executable: /bin/bash
  register: users_password_change_date_in_future
  changed_when: false
  check_mode: false


================================================
FILE: tasks/section1.yml
================================================
---
- name: "SCORED | 1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled"
  lineinfile:
      dest: /etc/modprobe.d/CIS.conf
      regexp: "^(#)?install cramfs(\\s|$)"
      line: "install cramfs /bin/true"
      state: present
      owner: root
      group: root
      mode: 0644
      create: true
  when:
      - ubuntu1804cis_rule_1_1_1_1
  tags:
      - level1
      - scored
      - patch
      - cramfs
      - filesystems
      - rule_1.1.1.1

- name: "SCORED | 1.1.1.1 | PATCH | Remove cramfs module"
  modprobe:
      name: cramfs
      state: absent
  when:
      - ubuntu1804cis_rule_1_1_1_1
      - not ubuntu1804cis_skip_for_travis
  tags:
      - level1
      - scored
      - patch
      - cramfs
      - filesystems
      - rule_1.1.1.1

- name: "SCORED | 1.1.1.2 | PATCH | Ensure mounting of freevxfs filesystems is disabled"
  lineinfile:
      dest: /etc/modprobe.d/CIS.conf
      regexp: "^(#)?install freevxfs(\\s|$)"
      line: "install freevxfs /bin/true"
      state: present
      create: true
  when:
      - ubuntu1804cis_rule_1_1_1_2
  tags:
      - level1
      - scored
      - patch
      - freevxfs
      - filesystems
      - rule_1.1.1.2

- name: "SCORED | 1.1.1.2 | PATCH | Remove freevxfs module"
  modprobe:
      name: freevxfs
      state: absent
  when:
      - ubuntu1804cis_rule_1_1_1_2
      - not ubuntu1804cis_skip_for_travis
  tags:
      - level1
      - scored
      - patch
      - freevxfs
      - filesystems
      - rule_1.1.1.2

- name: "SCORED | 1.1.1.3 | PATCH | Ensure mounting of jffs2 filesystems is disabled"
  lineinfile:
      dest: /etc/modprobe.d/CIS.conf
      regexp: "^(#)?install jffs2(\\s|$)"
      line: "install jffs2 /bin/true"
      state: present
      create: true
  when:
      - ubuntu1804cis_rule_1_1_1_3
  tags:
      - level1
      - scored
      - patch
      - jffs2
      - filesystems
      - rule_1.1.1.3

- name: "SCORED | 1.1.1.3 | PATCH | Remove jffs2 module"
  modprobe:
      name: jffs2
      state: absent
  when:
      - ubuntu1804cis_rule_1_1_1_3
      - not ubuntu1804cis_skip_for_travis
  tags:
      - level1
      - scored
      - patch
      - jffs2
      - filesystems
      - rule_1.1.1.3

- name: "SCORED | 1.1.1.4 | PATCH | Ensure mounting of hfs filesystems is disabled"
  lineinfile:
      dest: /etc/modprobe.d/CIS.conf
      regexp: "^(#)?install hfs(\\s|$)"
      line: "install hfs /bin/true"
      state: present
      create: true
  when:
      - ubuntu1804cis_rule_1_1_1_4
  tags:
      - level1
      - scored
      - patch
      - hfs
      - filesystems
      - rule_1.1.1.4

- name: "SCORED | 1.1.1.4 | PATCH | Remove hfs module"
  modprobe:
      name: hfs
      state: absent
  when:
      - ubuntu1804cis_rule_1_1_1_4
      - not ubuntu1804cis_skip_for_travis
  tags:
      - level1
      - scored
      - patch
      - hfs
      - filesystems
      - rule_1.1.1.4

- name: "SCORED | 1.1.1.5 | PATCH | Ensure mounting of hfsplus filesystems is disabled"
  lineinfile:
      dest: /etc/modprobe.d/CIS.conf
      regexp: "^(#)?install hfsplus(\\s|$)"
      line: "install hfsplus /bin/true"
      state: present
      create: true
  when:
      - ubuntu1804cis_rule_1_1_1_5
  tags:
      - level1
      - scored
      - patch
      - hfsplus
      - filesystems
      - rule_1.1.1.5

- name: "SCORED | 1.1.1.5 | PATCH | Remove hfsplus module"
  modprobe:
      name: hfsplus
      state: absent
  when:
      - ubuntu1804cis_rule_1_1_1_5
      - not ubuntu1804cis_skip_for_travis
  tags:
      - level1
      - scored
      - patch
      - hfsplus
      - filesystems
      - rule_1.1.1.5

- name: "SCORED | 1.1.1.6 | PATCH | Ensure mounting of squashfs filesystems is disabled"
  lineinfile:
      dest: /etc/modprobe.d/CIS.conf
      regexp: "^(#)?install squashfs(\\s|$)"
      line: "install squashfs /bin/true"
      state: present
      create: true
  when:
      - ubuntu1804cis_rule_1_1_1_6
  tags:
      - level1
      - scored
      - patch
      - squashfs
      - filesystems
      - rule_1.1.1.6

- name: "SCORED | 1.1.1.6 | PATCH | Remove squashfs module"
  modprobe:
      name: squashfs
      state: absent
  when:
      - ubuntu1804cis_rule_1_1_1_6
      - not ubuntu1804cis_skip_for_travis
  tags:
      - level1
      - scored
      - patch
      - squashfs
      - filesystems
      - rule_1.1.1.6

- name: "SCORED | 1.1.1.7 | PATCH | Ensure mounting of udf filesystems is disabled"
  lineinfile:
      dest: /etc/modprobe.d/CIS.conf
      regexp: "^(#)?install udf(\\s|$)"
      line: "install udf /bin/true"
      state: present
      create: true
  when:
      - ubuntu1804cis_rule_1_1_1_7
  tags:
      - level1
      - scored
      - patch
      - udf
      - filesystems
      - rule_1.1.1.7

- name: "SCORED | 1.1.1.7 | PATCH | Remove udf module"
  modprobe:
      name: udf
      state: absent
  when:
      - ubuntu1804cis_rule_1_1_1_7
      - not ubuntu1804cis_skip_for_travis
  tags:
      - level1
      - scored
      - patch
      - udf
      - filesystems
      - rule_1.1.1.7

- name: "NOTSCORED | 1.1.1.8 | PATCH | Ensure mounting of FAT filesystems is limited"
  lineinfile:
      dest: /etc/modprobe.d/CIS.conf
      regexp: "^(#)?install vfat(\\s|$)"
      line: "install vfat /bin/true"
      state: present
      create: true
  when:
      - ubuntu1804cis_rule_1_1_1_8
  tags:
      - level2
      - notscored
      - patch
      - vfat
      - filesystems
      - rule_1.1.1.8

- name: "NOTSCORED | 1.1.1.8 | PATCH | Remove FAT module"
  modprobe:
      name: vfat
      state: absent
  when:
      - ubuntu1804cis_rule_1_1_1_8
      - not ubuntu1804cis_skip_for_travis
  tags:
      - level2
      - notscored
      - patch
      - vfat
      - filesystems
      - rule_1.1.1.8

- name: "SCORED | 1.1.2 | PATCH | Ensure separate partition exists for /tmp | enable and start/restart tmp.mount"
  copy:
      src: "{{ tmp_mount_file[ansible_os_family] }}"
      dest: /etc/systemd/system/tmp.mount
      owner: root
      group: root
      mode: 0644
      force: true
      remote_src: true
  notify:
      - systemd restart tmp.mount
  when:
      - ubuntu1804cis_rule_1_1_2
      - not ubuntu1804cis_skip_for_travis
  tags:
      - level2
      - scored
      - patch
      - rule_1.1.2

- name: "SCORED | 1.1.2 | PATCH | Ensure separate partition exists for /tmp | enable and start/restart tmp.mount"
  systemd:
      name: tmp.mount
      daemon_reload: yes
      enabled: yes
      masked: no
      state: started
  when:
      - ubuntu1804cis_rule_1_1_2
      - not ubuntu1804cis_skip_for_travis
  tags:
      - level2
      - scored
      - patch
      - rule_1.1.2

- name: "SCORED | 1.1.3 | PATCH | Ensure nodev option set on /tmp partition\n
        SCORED | 1.1.4 | PATCH | Ensure nosuid option set on /tmp partition\n
        | drop custom tmp.mount"
  ini_file:
      path: "{{ item }}"
      section: Mount
      option: Options
      value: "{{ tmp_mount_options[ansible_os_family] }}"
      no_extra_spaces: true
  with_items:
      - "{{ tmp_mount_file[ansible_os_family] }}"
      - /etc/systemd/system/tmp.mount
  notify:
      - systemd restart tmp.mount
  when:
      - ubuntu1804cis_rule_1_1_3
      - ubuntu1804cis_rule_1_1_4
  tags:
      - level1
      - scored
      - patch
      - rule_1.1.3
      - rule_1.1.4

- name: "SCORED | 1.1.5 | PATCH | Ensure noexec option set on /tmp partition\n
        | drop custom tmp.mount"
  ini_file:
      path: "{{ item }}"
      section: Mount
      option: Options
      # ini_file replaces the whole value, so append noexec to the full option set
      # rather than overwriting nodev/nosuid with a bare "noexec"
      value: "{{ (tmp_mount_options[ansible_os_family].split(',') + ['noexec']) | unique | join(',') }}"
      no_extra_spaces: true
  with_items:
      - "{{ tmp_mount_file[ansible_os_family] }}"
      - /etc/systemd/system/tmp.mount
  notify:
      - systemd restart tmp.mount
  when:
      - ubuntu1804cis_rule_1_1_5
  tags:
      - level1
      - scored
      - patch
      - rule_1.1.5

- name: "SCORED | 1.1.6 | PATCH | Ensure separate partition exists for /var"
  shell: mount | grep "on /var "
  register: var_mounted
  changed_when: false
  failed_when: false
  when:
      - ubuntu1804cis_rule_1_1_6
  tags:
      - level2
      - scored
      - patch
      - rule_1.1.6
      - skip_ansible_lint

- name: "SCORED | 1.1.7 | PATCH | Ensure separate partition exists for /var/tmp"
  shell: mount | grep "on /var/tmp "
  register: var_tmp_mounted
  changed_when: false
  failed_when: false
  when:
      - ubuntu1804cis_rule_1_1_7
  tags:
      - level2
      - scored
      - patch
      - rule_1.1.7
      - skip_ansible_lint

- name:
      "SCORED | 1.1.8  | PATCH | Ensure nodev option set on /var/tmp partition\n
      SCORED | 1.1.9  | PATCH | Ensure nosuid option set on /var/tmp partition\n
      SCORED | 1.1.10 | PATCH | Ensure noexec option set on /var/tmp partition"
  mount:
      name: /var/tmp
      src: "{{ ubuntu1804cis_vartmp['source'] }}"
      state: mounted
      fstype: "{{ ubuntu1804cis_vartmp['fstype'] }}"
      opts: "{{ ubuntu1804cis_vartmp['opts'] }}"
  when:
      - ubuntu1804cis_vartmp['enabled'] == 'yes'
      - ubuntu1804cis_rule_1_1_8
      - ubuntu1804cis_rule_1_1_9
      - ubuntu1804cis_rule_1_1_10
  tags:
      - level1
      - scored
      - patch
      - rule_1.1.8
      - rule_1.1.9
      - rule_1.1.10

- name: "SCORED | 1.1.11 | PATCH | Ensure separate partition exists for /var/log"
  shell: mount | grep "on /var/log "
  register: var_log_mounted
  changed_when: false
  failed_when: false
  when:
      - ubuntu1804cis_rule_1_1_11
  tags:
      - level2
      - scored
      - patch
      - rule_1.1.11
      - skip_ansible_lint

- name: "SCORED | 1.1.12 | PATCH | Ensure separate partition exists for /var/log/audit"
  shell: mount | grep "on /var/log/audit "
  register: var_log_audit_mounted
  changed_when: false
  failed_when: false
  when:
      - ubuntu1804cis_rule_1_1_12
  tags:
      - level2
      - scored
      - patch
      - rule_1.1.12
      - skip_ansible_lint

- name: "SCORED | 1.1.13 | PATCH | Ensure separate partition exists for /home"
  shell: mount | grep "on /home "
  register: home_mounted
  changed_when: false
  failed_when: false
  when:
      - ubuntu1804cis_rule_1_1_13
  tags:
      - level2
      - scored
      - patch
      - rule_1.1.13
      - skip_ansible_lint

- name: "SCORED | 1.1.14 | PATCH | Ensure nodev option set on /home partition"
  mount:
      name: "/home"
      src: "{{ item.device }}"
      state: mounted
      fstype: "{{ item.fstype }}"
      opts: "nodev"
  when:
      - ubuntu1804cis_rule_1_1_14
      - item.mount == "/home"
  with_items:
      - "{{ ansible_mounts }}"
  tags:
      - scored
      - level1
      - patch
      - rule_1.1.14

- name:
      "SCORED | 1.1.15 | PATCH | Ensure nodev option set on /dev/shm partition\n
      SCORED | 1.1.16 | PATCH | Ensure nosuid option set on /dev/shm partition\n
      SCORED | 1.1.17 | PATCH | Ensure noexec option set on /dev/shm partition"
  mount:
      name: /dev/shm
      src: tmpfs
      state: mounted
      fstype: tmpfs
      opts: "defaults,nodev,nosuid,noexec"
  when:
      - ubuntu1804cis_rule_1_1_15
      - ubuntu1804cis_rule_1_1_16
      - ubuntu1804cis_rule_1_1_17
  tags:
      - level1
      - scored
      - patch
      - rule_1.1.15
      - rule_1.1.16
      - rule_1.1.17

- name: "NOTSCORED | 1.1.18 | PATCH | Ensure nodev option set on removable media partitions"
  command: /bin/true
  changed_when: false
  when:
      - ubuntu1804cis_rule_1_1_18
  tags:
      - level1
      - notscored
      - patch
      - rule_1.1.18
      - notimplemented

- name: "NOTSCORED | 1.1.19 | PATCH | Ensure nosuid option set on removable media partitions"
  command: /bin/true
  changed_when: false
  when:
      - ubuntu1804cis_rule_1_1_19
  tags:
      - level1
      - notscored
      - patch
      - rule_1.1.19
      - notimplemented

- name: "NOTSCORED | 1.1.20 | PATCH | Ensure noexec option set on removable media partitions"
  command: /bin/true
  changed_when: false
  when:
      - ubuntu1804cis_rule_1_1_20
  tags:
      - level1
      - notscored
      - patch
      - rule_1.1.20
      - notimplemented

- name: "SCORED | 1.1.21 | PATCH | Ensure sticky bit is set on all world-writable directories"
  shell: |
      set -o pipefail;
      df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
  args:
      executable: /bin/bash
  changed_when: false
  failed_when: false
  when:
      - ubuntu1804cis_rule_1_1_21
      # - sticky_bit_on_worldwritable_dirs_audit.rc == '0'
  tags:
      - level1
      - scored
      - patch
      - rule_1.1.21

- name: "SCORED | 1.1.22 | PATCH | Disable Automounting"
  service:
      name: autofs
      enabled: false
  when:
      - not ubuntu1804cis_allow_autofs
      - autofs_service_status.stdout == "loaded"
      - ubuntu1804cis_rule_1_1_22
  tags:
      - level1
      - scored
      - patch
      - rule_1.1.22

- name: "SCORED | 1.1.23 | PATCH | Disable USB Storage"
  lineinfile:
      dest: /etc/modprobe.d/CIS.conf
      regexp: "^(#)?install usb-storage(\\s|$)"
      line: "install usb-storage /bin/true"
      state: present
      create: true
  when:
      - ubuntu1804cis_rule_1_1_23
  tags:
      - level1
      - scored
      - patch
      - usb
      - filesystems
      - rule_1.1.23

- name: "SCORED | 1.1.23 | PATCH | Remove usb-storage module"
  modprobe:
      name: usb-storage
      state: absent
  when:
      - ubuntu1804cis_rule_1_1_23
      - not ubuntu1804cis_skip_for_travis
  tags:
      - level1
      - scored
      - patch
      - usb
      - filesystems
      - rule_1.1.23

- name: "NOTSCORED | 1.2.1 | PATCH | Ensure package manager repositories are configured"
  command: /bin/true
  changed_when: false
  when:
      - ubuntu1804cis_rule_1_2_1
  tags:
      - level1
      - notscored
      - patch
      - rule_1.2.1
      - notimplemented

- name: "NOTSCORED | 1.2.2 | PATCH | Ensure GPG keys are configured"
  command: /bin/true
  changed_when: false
  when:
      - ubuntu1804cis_rule_1_2_2
  tags:
      - level1
      - notscored
      - patch
      - rule_1.2.2
      - notimplemented

- name: "SCORED | 1.3.1 | PATCH | Ensure sudo is installed"
  apt:
      name:
        - sudo
      state: present
      install_recommends: false
  when:
      - ubuntu1804cis_rule_1_3_1
  tags:
      - level1
      - scored
      - sudo
      - patch
      - rule_1.3.1

- name: "SCORED | 1.3.2 | PATCH | Ensure sudo commands use pty"
  lineinfile:
    dest: /etc/sudoers
    state: present
    regexp: '^Defaults use_pty'
    line: 'Defaults use_pty'
    validate: 'visudo -cf %s'
  when:
      - ubuntu1804cis_rule_1_3_2
  tags:
      - level1
      - scored
      - sudo
      - patch
      - rule_1.3.2

- name: "SCORED | 1.3.3 | PATCH | Ensure sudo log file exists"
  lineinfile:
    dest: /etc/sudoers
    state: present
    regexp: '^Defaults logfile.*'
    line: 'Defaults logfile="/var/log/sudo.log"'
    validate: 'visudo -cf %s'
  when:
      - ubuntu1804cis_rule_1_3_3
  tags:
      - level1
      - scored
      - sudo
      - patch
      - rule_1.3.3

- name: "SCORED | 1.4.1 | PATCH | Ensure AIDE is installed (install nullmailer instead of postfix)"
  apt:
      name:
          - nullmailer
      state: present
      install_recommends: false
  when:
      - ubuntu1804cis_rule_1_4_1
      - not postfix_installed.rc == 0
  tags:
      - level1
      - scored
      - aide
      - patch
      - rule_1.4.1

- name: "SCORED | 1.4.1 | PATCH | Ensure AIDE is installed"
  apt:
      name:
          - aide
          - aide-common
      state: present
      install_recommends: false
  when:
      - ubuntu1804cis_rule_1_4_1
  tags:
      - level1
      - scored
      - aide
      - patch
      - rule_1.4.1

- name: "SCORED | 1.4.1 | PATCH | Stat AIDE DB"
  stat:
      path: /var/lib/aide/aide.db
  register: aide_db
  tags:
      - level1
      - scored
      - aide
      - patch
      - rule_1.4.1

- name: "SCORED | 1.4.1 | PATCH | Init AIDE | This may take a LONG time"
  command: /usr/sbin/aideinit
  args:
      creates: /var/lib/aide/aide.db
  when:
      - ubuntu1804cis_config_aide
      - ubuntu1804cis_rule_1_4_1
      - not aide_db.stat.exists
      - not ubuntu1804cis_skip_for_travis
  tags:
      - level1
      - scored
      - aide
      - patch
      - rule_1.4.1

- name: "SCORED | 1.4.2 | PATCH | Ensure filesystem integrity is regularly checked"
  cron:
      name: Run AIDE integrity check weekly
      cron_file: "{{ ubuntu1804cis_aide_cron['cron_file'] }}"
      user: "{{ ubuntu1804cis_aide_cron['cron_user'] }}"
      minute: "{{ ubuntu1804cis_aide_cron['aide_minute'] | default('0') }}"
      hour: "{{ ubuntu1804cis_aide_cron['aide_hour'] | default('5') }}"
      day: "{{ ubuntu1804cis_aide_cron['aide_day'] | default('*') }}"
      month: "{{ ubuntu1804cis_aide_cron['aide_month'] | default('*') }}"
      weekday: "{{ ubuntu1804cis_aide_cron['aide_weekday'] | default('*') }}"
      job: "{{ ubuntu1804cis_aide_cron['aide_job'] }}"
  when:
      - ubuntu1804cis_rule_1_4_2
  tags:
      - level1
      - scored
      - aide
      - file_integrity
      - patch
      - rule_1.4.2

- name: "SCORED | 1.5.1 | PATCH | Ensure permissions on bootloader config are configured for grub.cfg"
  file:
      path: "/boot/grub/grub.cfg"
      owner: root
      group: root
      mode: 0400
  when:
      - ansible_os_family == "Debian"
      - ubuntu1804cis_rule_1_5_1
  tags:
      - level1
      - scored
      - grub
      - patch
      - rule_1.5.1

- name: "SCORED | 1.5.1 | PATCH | Ensure permissions on bootloader config are configured for grub.conf"
  file:
      path: "/boot/grub/grub.conf"
      owner: root
      group: root
      mode: 0400
  when:
      - ansible_os_family == "Debian"
      - ubuntu1804cis_rule_1_5_1
      - grub_conf.stat.exists
  tags:
      - level1
      - scored
      - grub
      - patch
      - rule_1.5.1

- name: "SCORED | 1.5.1 | PATCH | Ensure permissions on bootloader config are configured for menu.lst"
  file:
      path: "/boot/grub/menu.lst"
      owner: root
      group: root
      mode: 0400
  when:
      - ansible_os_family == "Debian"
      - ubuntu1804cis_rule_1_5_1
      - menu_lst.stat.exists
  tags:
      - level1
      - scored
      - grub
      - patch
      - rule_1.5.1

- name: "SCORED | 1.5.2 | PATCH | Ensure bootloader password is set - generate password"
  shell: "set -o pipefail;
        if [ '{{ ubuntu1804cis_bootloader_password }}' == 'random' ];
        then PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c12); else PASSWORD='{{ ubuntu1804cis_bootloader_password }}';
        fi;
        echo -e \"$PASSWORD\n$PASSWORD\" | grub-mkpasswd-pbkdf2 | awk '/grub.pbkdf/{print$NF}'"
  register: grub_pass
  args:
      executable: /bin/bash
  when:
      - ubuntu1804cis_set_boot_pass
      - ubuntu1804cis_rule_1_5_2
  tags:
      - level1
      - scored
      - grub
      - patch
      - rule_1.5.2
      - notimplemented

- name: "SCORED | 1.5.2 | PATCH | Ensure bootloader password is set - generate config"
  copy:
      dest: /etc/grub.d/00_password
      content: "cat << EOF\nset superusers=\"root\"\npassword_pbkdf2 root {{ grub_pass.stdout }}\nEOF"
      owner: root
      group: root
      mode: 0755
  notify: generate new grub config
  when:
      - ubuntu1804cis_set_boot_pass
      - grub_pass is defined
      - grub_pass.stdout is defined
      - grub_pass.stdout | length > 0
      - ubuntu1804cis_rule_1_5_2
  tags:
      - level1
      - scored
      - grub
      - patch
      - rule_1.5.2

- name: "SCORED | 1.5.2 | PATCH | Ensure bootloader password is set - disable password for system boot"
  replace:
      path: /etc/grub.d/10_linux
      regexp: '--class os"'
      replace: '--class os --unrestricted"'
  notify: generate new grub config
  when:
      - ubuntu1804cis_set_boot_pass
      - ubuntu1804cis_rule_1_5_2
      - ubuntu1804cis_rule_1_5_2_disable_password
  tags:
      - level1
      - scored
      - grub
      - patch
      - rule_1.5.2

- name: "SCORED | 1.5.3 | PATCH | Ensure authentication required for single user mode"
  shell: "set -o pipefail;
          if [ '{{ ubuntu1804cis_root_password }}' == 'random' ];
          then PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c24); else PASSWORD='{{ ubuntu1804cis_root_password }}';
          fi;
          echo \"root:$PASSWORD\" | chpasswd"
  args:
      executable: /bin/bash
  when:
      - ubuntu1804cis_rule_1_5_3
      - current_root_password.stdout | length > 0
  tags:
      - level1
      - scored
      - patch
      - rule_1.5.3
      - notimplemented

- name: "NOTSCORED | 1.5.4 | PATCH | Ensure interactive boot is not enabled"
  command: /bin/true
  changed_when: false
  when:
      - ubuntu1804cis_rule_1_5_4
  tags:
      - level1
      - notscored
      - patch
      - rule_1.5.4
      - notimplemented

- name: "SCORED | 1.6.1 | PATCH | Ensure XD/NX support is enabled"
  shell: |
      set -o pipefail;
      dmesg | grep -E "NX|XD" | grep " active"
  args:
      executable: /bin/bash
  changed_when: false
  when:
      - ubuntu1804cis_rule_1_6_1
      - not ubuntu1804cis_skip_for_travis
  tags:
      - level1
      - scored
      - patch
      - rule_1.6.1

- name: "SCORED | 1.6.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
  sysctl:
      name: kernel.randomize_va_space
      value: "2"
      state: present
      reload: true
      sysctl_set: true
      ignoreerrors: true
  when:
      - ubuntu1804cis_rule_1_6_2
  tags:
      - level1
      - scored
      - patch
      - sysctl
      - rule_1.6.2

- name: "SCORED | 1.6.3 | PATCH | Ensure prelink is disabled"
  command: prelink -ua
  when:
      - prelink_installed.rc == 0
      - ubuntu1804cis_rule_1_6_3
  tags:
      - level1
      - scored
      - patch
      - rule_1.6.3

- name: "SCORED | 1.6.3 | PATCH | Ensure prelink is disabled"
  apt:
      name: prelink
      state: absent
  when:
      - ubuntu1804cis_rule_1_6_3
  tags:
      - level1
      - scored
      - patch
      - rule_1.6.3

- name: "SCORED | 1.6.4 | PATCH | Ensure core dumps are restricted"
  sysctl:
      name: fs.suid_dumpable
      value: "0"
      state: present
      reload: true
      sysctl_set: true
      ignoreerrors: true
  when:
      - ubuntu1804cis_rule_1_6_4
  tags:
      - level1
      - scored
      - sysctl
      - patch
      - rule_1.6.4

- name: "SCORED | 1.6.4 | PATCH | Ensure systemd-coredump is installed"
  apt:
    name: systemd-coredump
    state: present
  notify: restart systemd-coredump
  when:
      - ubuntu1804cis_rule_1_6_4
  tags:
      - level1
      - scored
      - patch
      - rule_1.6.4

- name: "SCORED | 1.6.4 | PATCH | Ensure hard core 0 is set"
  lineinfile:
    dest: /etc/security/limits.conf
    line: '*                hard    core            0'
    regexp: '(^#)?\*\s+hard\s+core\s+[0-9]+'
    state: present
    create: true
    insertbefore: "# End of file"
  notify: restart systemd-coredump
  when:
      - ubuntu1804cis_rule_1_6_4
  tags:
      - level1
      - scored
      - patch
      - rule_1.6.4

- name: "SCORED | 1.7.1.1 | PATCH | Ensure AppArmor is installed"
  apt:
      name: '{{ item }}'
      state: present
  with_items:
      - apparmor
      - apparmor-utils
  when:
      - ubuntu1804cis_rule_1_7_1_1
  tags:
      - level1
      - scored
      - patch
      - rule_1.7.1.1

- name: "SCORED | 1.7.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration"
  block:
      - name: "SCORED | 1.7.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration"
        replace:
            dest: /etc/default/grub
            regexp: '^(GRUB_CMDLINE_LINUX=(?!.*apparmor)\"[^\"]*)(\".*)'
            replace: '\1 apparmor=1 security=apparmor\2'
        notify:
            - generate new grub config

      - name: "SCORED | 1.7.1.2 | PATCH | Ensure AppArmor Security is enabled in the bootloader configuration"
        replace:
            dest: /etc/default/grub
            regexp: '^(GRUB_CMDLINE_LINUX=(?!.*security)\"[^\"]*)(\".*)'
            replace: '\1 security=apparmor\2'
        notify:
            - generate new grub config
  when:
      - ubuntu1804cis_rule_1_7_1_2
  tags:
      - level1
      - scored
      - patch
      - rule_1.7.1.2

- name: "SCORED | 1.7.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode"
  command: /bin/true
  changed_when: false
  when:
      - ubuntu1804cis_rule_1_7_1_3
  tags:
      - level1
      - scored
      - patch
      - rule_1.7.1.3
      - notimplemented

- name: "SCORED | 1.7.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing"
  command: /bin/true
  changed_when: false
  when:
      - ubuntu1804cis_rule_1_7_1_4
  tags:
      - level1
      - scored
      - patch
      - rule_1.7.1.4
      - notimplemented

- name: "SCORED | 1.8.1.1 | PATCH | Ensure message of the day is configured properly"
  template:
      src: etc/motd.j2
      dest: /etc/motd
  when:
      - ubuntu1804cis_rule_1_8_1_1
  tags:
      - level1
      - scored
      - patch
      - banner
      - rule_1.8.1.1

- name: "SCORED | 1.8.1.2 | PATCH | Ensure local login warning banner is configured properly"
  template:
      src: etc/issue.j2
      dest: /etc/issue
  when:
      - ubuntu1804cis_rule_1_8_1_2
  tags:
      - level1
      - scored
      - patch
      - banner
      - rule_1.8.1.2

- name: "SCORED | 1.8.1.3 | PATCH | Ensure remote login warning banner is configured properly"
  template:
      src: etc/issue.net.j2
      dest: /etc/issue.net
  when:
      - ubuntu1804cis_rule_1_8_1_3
  tags:
      - level1
      - scored
      - patch
      - banner
      - rule_1.8.1.3

- name: "SCORED | 1.8.1.4 | PATCH | Ensure permissions on /etc/motd are configured"
  file:
      dest: /etc/motd
      state: file
      owner: root
      group: root
      mode: 0644
  when:
      - ubuntu1804cis_rule_1_8_1_4
  tags:
      - level1
      - scored
      - patch
      - perms
      - rule_1.8.1.4

- name: "SCORED | 1.8.1.5 | PATCH | Ensure permissions on /etc/issue are configured"
  file:
      dest: /etc/issue
      state: file
      owner: root
      group: root
      mode: 0644
  when:
      - ubuntu1804cis_rule_1_8_1_5
  tags:
      - level1
      - scored
      - patch
      - perms
      - rule_1.8.1.5

- name: "SCORED | 1.8.1.6 | PATCH | Ensure permissions on /etc/issue.net are configured"
  file:
      dest: /etc/issue.net
      state: file
      owner: root
      group: root
      mode: 0644
  when:
      - ubuntu1804cis_rule_1_8_1_6
  tags:
      - level1
      - scored
      - patch
      - perms
      - rule_1.8.1.6

- name: "SCORED | 1.8.2 | PATCH | Ensure GDM login banner is configured"
  lineinfile:
      dest: "{{ item.file }}"
      regexp: "{{ item.regexp }}"
      line: "{{ item.line }}"
      state: present
      create: true
      owner: root
      group: root
      mode: 0644
  with_items:
      - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' }
      - { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' }
      - { file: '/etc/dconf/profile/gdm', regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults' }
      - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' }
      - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-enable', line: 'banner-message-enable=true' }
      - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-text', line: "banner-message-text='{{ ubuntu1804cis_warning_banner }}' " }
  when:
      - ubuntu1804cis_gui
      - ubuntu1804cis_rule_1_8_2
  tags:
      - level1
      - scored
      - patch
      - banner
      - rule_1.8.2

- name: "NOTSCORED | 1.9 | PATCH | Ensure updates, patches, and additional security software are installed"
  apt:
      upgrade: dist
  when:
      - ubuntu1804cis_apply_upgrades
  tags:
      - level1
      - notscored
      - patch
      - rule_1.9
      - skip_ansible_lint

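The 1.1.21 task above remediates blindly (every world-writable directory gets `chmod a+t`). The read-only audit counterpart below is an added example and not part of the Ubuntu1804-CIS role: it lists directories under a given root that are world-writable but lack the sticky bit, which is what a check or report task would gate on before the PATCH task runs. It builds a small constructed directory tree in a temp dir so it can be run without touching a real system; the function names `find_unsticky_worldwritable`, `make_demo_tree` and `count_findings` are this example's own.

```shell
#!/bin/sh
# Added audit helper (example code, not from the Ubuntu1804-CIS role).
# Lists directories under a root that are world-writable (o+w) and do NOT
# have the sticky bit, i.e. exactly the directories CIS 1.1.21 would fix.

# Print every directory under "$1" that is world-writable without the
# sticky bit. Same filesystem-scoped find as the benchmark (-xdev),
# plus "! -perm -1000" so already-compliant directories are not reported.
find_unsticky_worldwritable() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Build a constructed sample tree in a temp dir and print its path.
# Only bad_open should be reported by the audit.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/ok_sticky" "$root/bad_open" "$root/private"
    chmod 1777 "$root/ok_sticky"   # world-writable with sticky bit: compliant
    chmod 0777 "$root/bad_open"    # world-writable, no sticky bit: finding
    chmod 0755 "$root/private"     # not world-writable: out of scope
    printf '%s\n' "$root"
}

# Number of findings under a root; a check task would fail when this is non-zero.
count_findings() {
    find_unsticky_worldwritable "$1" | wc -l | tr -d ' '
}

# Stand-alone run: audit the constructed tree, then clean it up.
demo=$(make_demo_tree)
find_unsticky_worldwritable "$demo"
rm -rf "$demo"
```

Pointing `find_unsticky_worldwritable` at `/` (or at each mount point from `df --local -P`, as the role does) gives the audit view of the same set the PATCH task modifies; the role's `xargs chmod a+t` could then be limited to that list instead of re-running over every world-writable directory on each play.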

================================================
FILE: tasks/section2.yml
================================================
---
- name: "SCORED | 2.1.1 | PATCH | Ensure chargen services are not enabled | chargen-dgram,chargen-stream"
  block:
      - name: "SCORED | 2.1.1 | PATCH | Ensure chargen services are not enabled | chargen-dgram"
        stat:
            path: /etc/xinetd.d/chargen-dgram
        register: chargen_dgram_service

      - name: "SCORED | 2.1.1 | PATCH | Ensure chargen services are not enabled | chargen-dgram"
        service:
            name: chargen-dgram
            enabled: no
        notify: restart xinetd
        when:
            - chargen_dgram_service.stat.exists

      - name: "SCORED | 2.1.1 | PATCH | Ensure chargen services are not enabled | chargen-stream"
        stat:
            path: /etc/xinetd.d/chargen-stream
        register: chargen_stream_service

      - name: "SCORED | 2.1.1 | PATCH | Ensure chargen services are not enabled | chargen-stream"
        service:
            name: chargen-stream
            enabled: no
        notify: restart xinetd
        when:
            - chargen_stream_service.stat.exists
  when:
      - ubuntu1804cis_rule_2_1_1
  tags:
      - level1
      - scored
      - services
      - patch
      - rule_2.1.1
      - skip_ansible_lint

- name: "SCORED | 2.1.2 | PATCH | Ensure daytime services are not enabled | daytime-dgram,daytime-stream"
  block:
      - name: "SCORED | 2.1.2 | PATCH | Ensure daytime services are not enabled | daytime-dgram"
        stat:
            path: /etc/xinetd.d/daytime-dgram
        register: daytime_dgram_service

      - name: "SCORED | 2.1.2 | PATCH | Ensure daytime services are not enabled | daytime-dgram"
        service:
            name: daytime-dgram
            enabled: no
        notify: restart xinetd
        when:
            - daytime_dgram_service.stat.exists

      - name: "SCORED | 2.1.2 | PATCH | Ensure daytime services are not enabled | daytime-stream"
        stat:
            path: /etc/xinetd.d/daytime-stream
        register: daytime_stream_service

      - name: "SCORED | 2.1.2 | PATCH | Ensure daytime services are not enabled | daytime-stream"
        service:
            name: daytime-stream
            enabled: no
        notify: restart xinetd
        when:
            - daytime_stream_service.stat.exists
  when:
      - ubuntu1804cis_rule_2_1_2
  tags:
      - level1
      - scored
      - patch
      - rule_2.1.2
      - skip_ansible_lint

- name: "SCORED | 2.1.3 | PATCH | Ensure discard services are not enabled | discard-dgram,discard-stream"
  block:
      - name: "SCORED | 2.1.3 | PATCH | Ensure discard services are not enabled | discard-dgram"
        stat:
            path: /etc/xinetd.d/discard-dgram
        register: discard_dgram_service

      - name: "SCORED | 2.1.3 | PATCH | Ensure discard services are not enabled | discard-dgram"
        service:
            name: discard-dgram
            enabled: no
        notify: restart xinetd
        when:
            - discard_dgram_service.stat.exists

      - name: "SCORED | 2.1.3 | PATCH | Ensure discard services are not enabled | discard-stream"
        stat:
            path: /etc/xinetd.d/discard-stream
        register: discard_stream_service

      - name: "SCORED | 2.1.3 | PATCH | Ensure discard services are not enabled | discard-stream"
        service:
            name: discard-stream
            enabled: no
        notify: restart xinetd
        when:
            - discard_stream_service.stat.exists
  when:
      - ubuntu1804cis_rule_2_1_3
  tags:
      - level1
      - scored
      - patch
      - rule_2.1.3
      - skip_ansible_lint

- name: "SCORED | 2.1.4 | PATCH | Ensure echo services are not enabled | echo-dgram,echo-stream"
  block:
      - name: "SCORED | 2.1.4 | PATCH | Ensure echo services are not enabled | echo-dgram"
        stat:
            path: /etc/xinetd.d/echo-dgram
        register: echo_dgram_service

      - name: "SCORED | 2.1.4 | PATCH | Ensure echo services are not enabled | echo-dgram"
        service:
            name: echo-dgram
            enabled: no
        notify: restart xinetd
        when:
            - echo_dgram_service.stat.exists

      - name: "SCORED | 2.1.4 | PATCH | Ensure echo services are not enabled | echo-stream"
        stat:
            path: /etc/xinetd.d/echo-stream
        register: echo_stream_service

      - name: "SCORED | 2.1.4 | PATCH | Ensure echo services are not enabled | echo-stream"
        service:
            name: echo-stream
            enabled: no
        notify: restart xinetd
        when:
            - echo_stream_service.stat.exists
  when:
      - ubuntu1804cis_rule_2_1_4
  tags:
      - level1
      - scored
      - patch
      - rule_2.1.4
      - skip_ansible_lint

- name: "SCORED | 2.1.5 | PATCH | Ensure time services are not enabled | time-dgram,time-stream"
  block:
      - name: "SCORED | 2.1.5 | PATCH | Ensure time services are not enabled | time-dgram"
        stat:
            path: /etc/xinetd.d/time-dgram
        register: time_dgram_service

      - name: "SCORED | 2.1.5 | PATCH | Ensure time services are not enabled | time-dgram"
        service:
            name: time-dgram
            enabled: no
        notify: restart xinetd
        when:
            - time_dgram_service.stat.exists

      - name: "SCORED | 2.1.5 | PATCH | Ensure time services are not enabled | time-stream"
        stat:
            path: /etc/xinetd.d/time-stream
        register: time_stream_service

      - name: "SCORED | 2.1.5 | PATCH | Ensure time services are not enabled | time-stream"
        service:
            name: time-stream
            enabled: no
        notify: restart xinetd
        when:
            - time_stream_service.stat.exists
  when:
      - ubuntu1804cis_rule_2_1_5
  tags:
      - level1
      - scored
      - patch
      - rule_2.1.5
      - skip_ansible_lint

- name: "SCORED | 2.1.6 | PATCH | Ensure rsh server is not enabled | rsh, rlogin, rexec"
  block:
      - name: "SCORED | 2.1.6 | PATCH | Ensure rsh server is not enabled | rsh"
        service:
          name: rsh.socket
          state: stopped
          enabled: false
        when:
          - not ubuntu1804cis_rsh_server
          - rsh_service_status.stdout == "loaded"
          - ubuntu1804cis_rule_2_1_6

      - name: "SCORED | 2.1.6 | PATCH | Ensure rsh server is not enabled | rlogin"
        service:
          name: rlogin.socket
          state: stopped
          enabled: false
        when:
          - not ubuntu1804cis_rsh_server
          - rlogin_service_status.stdout == "loaded"
          - ubuntu1804cis_rule_2_1_6

      - name: "SCORED | 2.1.6 | PATCH | Ensure rsh server is not enabled | rexec"
        service:
          name: rexec.socket
          state: stopped
          enabled: false
        when:
          - not ubuntu1804cis_rsh_server
          - rexec_service_status.stdout == "loaded"
          - ubuntu1804cis_rule_2_1_6
  tags:
    - level1
    - scored
    - patch
    - rule_2.1.6

- name: "SCORED | 2.1.7 | PATCH | Ensure talk server is not enabled"
  service:
    name: ntalk
    state: stopped
    enabled: false
  when:
    - not ubuntu1804cis_ntalk_server
    - ntalk_service_status.stdout == "loaded"
    - ubuntu1804cis_rule_2_1_7
  tags:
    - level1
    - scored
    - patch
    - rule_2.1.7

- name: "SCORED | 2.1.8 | PATCH | Ensure telnet server is not enabled"
  service:
    name: telnetd
    state: stopped
    enabled: false
  when:
    - not ubuntu1804cis_telnet_server
    - telnet_service_status.stdout == "loaded"
    - ubuntu1804cis_rule_2_1_8
  tags:
    - level1
    - scored
    - patch
    - rule_2.1.8

- name: "SCORED | 2.1.9 | PATCH | Ensure tftp server is not enabled"
  service:
    name: tftpd-hpa
    state: stopped
    enabled: no
  when:
      - not ubuntu1804cis_tftp_server
      - ubuntu1804cis_rule_2_1_9
      - tftp_service_status.stdout == "loaded"
  tags:
      - level1
      - scored
      - patch
      - rule_2.1.9

- name: "SCORED | 2.1.10 | PATCH | Ensure xinetd is not enabled"
  service:
      name: xinetd
      state: stopped
      enabled: false
  when:
      - xinetd_service_status.stdout == "loaded"
      - not ubuntu1804cis_xinetd_required
      - ubuntu1804cis_rule_2_1_10
  tags:
      - level1
      - patch
      - scored
      - rule_2.1.10

- name: "SCORED | 2.1.11 | PATCH | Ensure openbsd-inetd is not installed"
  apt:
    name: openbsd-inetd
    state: absent
  when:
    - openbsd_inetd_service_status.stdout == "ok installed"
    - ubuntu1804cis_rule_2_1_11
  tags:
    - level1
    - patch
    - scored
    - rule_2.1.11

- name: "SCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use"
  block:
      - name: "SCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - service install"
        apt:
            name: "{{ ubuntu1804cis_time_synchronization }}"
            state: present
            install_recommends: false

      - name: "SCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - service start"
        service:
            name: "{{ ubuntu1804cis_time_synchronization }}"
            state: started
            enabled: true

      - name: "SCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - service stop ntp"
        service:
            name: "{{ ntp_service[ansible_os_family] }}"
            state: stopped
            enabled: false
        when:
            - ubuntu1804cis_time_synchronization == "chrony"
            - ntpd_service_status.stdout == "loaded"

      - name: "SCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - service stop chrony"
        service:
            name: chronyd
            state: stopped
            enabled: false
        ignore_errors: true
        when:
            - ubuntu1804cis_time_synchronization == "ntp"
            - chronyd_service_status.stdout == "loaded"

      - name: "SCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - mask systemd-timesyncd"
        systemd:
          name: systemd-timesyncd
          enabled: no
          masked: yes
        when:
          - ubuntu1804cis_time_synchronization == "ntp"
          - systemd_timesyncd_service_status.stdout == "loaded"

  when:
      - ubuntu1804cis_rule_2_2_1_1
  tags:
      - level1
      - scored
      - ntp
      - chrony
      - patch
      - rule_2.2.1.1

- name: "NOTSCORED | 2.2.1.2 | PATCH | Ensure systemd-timesyncd is configured"
  command: /bin/true
  changed_when: false
  when:
      - ubuntu1804cis_rule_2_2_1_2
  tags:
      - level1
      - notscored
      - patch
      - rule_2.2.1.2
      - notimplemented

- name: "SCORED | 2.2.1.3 | PATCH | Ensure chrony is configured"
  block:
      - name: "SCORED | 2.2.1.3 | PATCH | Ensure chrony is configured | create chrony.conf"
        template:
            src: chrony.conf.j2
            dest: "{{ chrony_config_file[ansible_os_family] }}"
            owner: root
            group: root
            mode: 0644

      - name: "SCORED | 2.2.1.3 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd"
        lineinfile:
            dest: /etc/sysconfig/chronyd
            regexp: "^(#)?OPTIONS"
            line: "OPTIONS=\"-u chrony\""
            state: present
            create: true
  when:
      - ubuntu1804cis_time_synchronization == "chrony"
      - ubuntu1804cis_rule_2_2_1_3
  tags:
      - level1
      - scored
      - chrony
      - patch
      - rule_2.2.1.3

- name: "SCORED | 2.2.1.4 | PATCH | Ensure ntp is configured"
  block:
      - name: "SCORED | 2.2.1.4 | PATCH | Ensure ntp is configured | modify /etc/ntp.conf"
        template:
            src: ntp.conf.j2
            dest: /etc/ntp.conf
            owner: root
            group: root
            mode: 0644

      - name: "SCORED | 2.2.1.4 | PATCH | Ensure ntp is configured | modify /etc/init.d/ntp"
        lineinfile:
            dest: /etc/init.d/ntp
            regexp: "^RUNASUSER"
            line: "RUNASUSER=ntp"
  when:
      - ubuntu1804cis_time_synchronization == "ntp"
      - ubuntu1804cis_rule_2_2_1_4
  tags:
      - level1
      - scored
      - ntp
      - patch
      - rule_2.2.1.4

- name: "SCORED | 2.2.2 | PATCH | Ensure X Window System is not installed"
  apt:
      name:
        - "xorg"
        - "x11*"
      state: absent
  when:
      - not ubuntu1804cis_xwindows_required
      - ubuntu1804cis_rule_2_2_2
  tags:
      - level1
      - scored
      - xwindows
      - patch
      - rule_2.2.2

- name: "SCORED | 2.2.3 | PATCH | Ensure Avahi Server is not enabled"
  service:
      name: avahi-daemon
      state: stopped
      enabled: false
  when:
      - not ubuntu1804cis_avahi_server
      - avahi_service_status.stdout == "loaded"
      - ubuntu1804cis_rule_2_2_3
  tags:
      - level1
      - scored
      - avahi
      - services
      - patch
      - rule_2.2.3

- name: "SCORED | 2.2.4 | PATCH | Ensure CUPS is not enabled"
  service:
      name: cups
      state: stopped
      enabled: false
  when:
      - not ubuntu1804cis_cups_server
      - cups_service_status.stdout == "loaded"
      - ubuntu1804cis_rule_2_2_4
  tags:
      - level1
      - scored
      - cups
      - services
      - patch
      - rule_2.2.4

- name: "SCORED | 2.2.5 | PATCH | Ensure DHCP Server is not enabled"
  service:
      name: dhcpd
      state: stopped
      enabled: false
  when:
      - not ubuntu1804cis_dhcp_server
      - dhcpd_service_status.stdout == "loaded"
      - ubuntu1804cis_rule_2_2_5
  tags:
      - level1
      - scored
      - dhcp
      - services
      - patch
      - rule_2.2.5

- name: "SCORED | 2.2.6 | PATCH | Ensure LDAP server is not enabled"
  service:
      name: slapd
      state: stopped
      enabled: false
  when:
      - not ubuntu1804cis_ldap_server
      - slapd_service_status.stdout == "loaded"
      - ubuntu1804cis_rule_2_2_6
  tags:
      - level1
      - scored
      - ldap
      - services
      - patch
      - rule_2.2.6

- name: "SCORED | 2.2.7 | PATCH | Ensure NFS and RPC are not enabled"
  service:
      name: nfs
      state: stopped
      enabled: false
  when:
      - not ubuntu1804cis_nfs_rpc_server
      - nfs_service_status.stdout == "loaded"
      - ubuntu1804cis_rule_2_2_7
  tags:
      - level1
      - scored
      - nfs
      - rpc
      - services
      - patch
      - rule_2.2.7

- name: "SCORED | 2.2.7 | PATCH | Ensure RPC is not enabled"
  service:
      name: rpcbind
      state: stopped
      enabled: false
  when:
      - not ubuntu1804cis_nfs_rpc_server
      - rpcbind_service_status.stdout == "loaded"
      - ubuntu1804cis_rule_2_2_7
  tags:
      - level1
      - scored
      - nfs
      - rpc
      - services
      - patch
      - rule_2.2.7

- name: "SCORED | 2.2.8 | PATCH | Ensure DNS Server is not enabled"
  service:
      name: named
      state: stopped
      enabled: false
  when:
      - not ubuntu1804cis_named_server
      - named_service_status.stdout == "loaded"
      - ubuntu1804cis_rule_2_2_8
  tags:
      - level1
      - scored
      - dns
      - services
      - patch
      - rule_2.2.8

- name: "SCORED | 2.2.9 | PATCH | Ensure FTP Server is not enabled"
  service:
      name: vsftpd
      state: stopped
      enabled: false
  when:
      - not ubuntu1804cis_vsftpd_server
      - vsftpd_service_status.stdout == "loaded"
      - ubuntu1804cis_rule_2_2_9
  tags:
      - level1
      - scored
      - ftp
      - services
      - patch
      - rule_2.2.9

- name: "SCORED | 2.2.10 | PATCH | Ensure HTTP server is not enabled"
  service:
      name: apache2
      state: stopped
      enabled: false
  when:
      - not ubuntu1804cis_httpd_server
      - httpd_service_status.stdout == "loaded"
      - ubuntu1804cis_rule_2_2_10
  tags:
      - level1
      - scored
      - http
      - services
      - patch
      - rule_2.2.10

- name: "SCORED | 2.2.11 | PATCH | Ensure IMAP and POP3 server is not enabled"
  service:
      name: dovecot
      state: stopped
      enabled: false
  when:
      - not ubuntu1804cis_dovecot_server
      - dovecot_service_status.stdout == "loaded"
      - ubuntu1804cis_rule_2_2_11
  tags:
      - level1
      - scored
      - imap
      - pop3
      - services
      - patch
      - rule_2.2.11

- name: "SCORED | 2.2.12 | PATCH | Ensure Samba is not enabled"
  service:
      name: smbd
      state: stopped
      enabled: false
  when:
      - not ubuntu1804cis_smb_server
      - smb_service_status.stdout == "loaded"
      - ubuntu1804cis_rule_2_2_12
  tags:
      - level1
      - scored
      - samba
      - services
      - patch
      - rule_2.2.12

- name: "SCORED | 2.2.13 | PATCH | Ensure HTTP Proxy Server is not enabled"
  service:
      name: squid
      state: stopped
      enabled: false
  when:
      - not ubuntu1804cis_squid_server
      - squid_service_status.stdout == "loaded"
      - ubuntu1804cis_rule_2_2_13
  tags:
      - level1
      - scored
      - http_proxy
      - services
      - patch
      - rule_2.2.13

- name: "SCORED | 2.2.14 | PATCH | Ensure SNMP Server is not enabled"
  service:
      name: snmpd
      state: stopped
      enabled: false
  when:
      - not ubuntu1804cis_snmp_server
      - snmpd_service_status.stdout == "loaded"
      - ubuntu1804cis_rule_2_2_14
  tags:
      - level1
      - scored
      - snmp
      - services
      - patch
      - rule_2.2.14

- name: "SCORED | 2.2.15 | PATCH | Ensure mail transfer agent is configured for local-only mode"
  lineinfile:
      dest: /etc/postfix/main.cf
      regexp: "^(#)?inet_interfaces"
      line: "inet_interfaces = localhost"
  when:
      - not ubuntu1804cis_is_mail_server
      - postfix_installed.rc == 0
      - ubuntu1804cis_rule_2_2_15
  tags:
      - level1
      - scored
      - patch
      - rule_2.2.15

- name: "SCORED | 2.2.16 | PATCH | Ensure rsync service is not enabled"
  service:
    name: rsync
    state: stopped
    enabled: false
  when:
    - not ubuntu1804cis_rsyncd_server
    - rsyncd_service_status.stdout == "loaded"
    - ubuntu1804cis_rule_2_2_16
  tags:
    - level1
    - scored
    - rsync
    - services
    - patch
    - rule_2.2.16

- name: "SCORED | 2.2.17 | PATCH | Ensure NIS Server is not enabled"
  service:
      name: nis
      state: stopped
      enabled: false
  when:
      - not ubuntu1804cis_nis_server
      - ypserv_service_status.stdout == "loaded"
      - ubuntu1804cis_rule_2_2_17
  tags:
      - level1
      - scored
      - nis
      - services
      - patch
      - rule_2.2.17

- name: "SCORED | 2.3.1 | PATCH | Ensure NIS Client is not installed"
  apt:
      name: yp-tools
      state: absent
  when:
      - not ubuntu1804cis_ypbind_required
      - ubuntu1804cis_rule_2_3_1
  tags:
      - level1
      - scored
      - patch
      - rule_2.3.1

- name: "SCORED | 2.3.2 | PATCH | Ensure rsh client is not installed"
  apt:
      name: rsh
      state: absent
  when:
      - not ubuntu1804cis_rsh_required
      - ubuntu1804cis_rule_2_3_2
  tags:
      - level1
      - scored
      - patch
      - rule_2.3.2

- name: "SCORED | 2.3.3 | PATCH | Ensure talk client is not installed"
  apt:
      name: talk
      state: absent
  when:
      - not ubuntu1804cis_talk_required
      - ubuntu1804cis_rule_2_3_3
  tags:
      - level1
      - scored
      - patch
      - rule_2.3.3

- name: "SCORED | 2.3.4 | PATCH | Ensure telnet client is not installed"
  apt:
      name: telnet
      state: absent
  when:
      - not ubuntu1804cis_telnet_required
      - ubuntu1804cis_rule_2_3_4
  tags:
      - level1
      - scored
      - patch
      - rule_2.3.4

- name: "SCORED | 2.3.5 | PATCH | Ensure LDAP client is not installed"
  apt:
      name: ldap-utils
      state: absent
  when:
      - not ubuntu1804cis_openldap_clients_required
      - ubuntu1804cis_rule_2_3_5
  tags:
      - level1
      - scored
      - patch
      - rule_2.3.5


================================================
FILE: tasks/section3.yml
================================================
---
- name: "SCORED | 3.1.1 | PATCH | Ensure packet redirect sending is disabled"
  sysctl:
      name: '{{ item.name }}'
      value: '{{ item.value }}'
      sysctl_set: true
      state: present
      reload: true
      ignoreerrors: true
  with_items:
      - { name: net.ipv4.conf.all.send_redirects, value: 0 }
      - { name: net.ipv4.conf.default.send_redirects, value: 0 }
  when:
    - not ubuntu1804cis_is_router
    - ubuntu1804cis_rule_3_1_1
  notify:
      - sysctl flush ipv4 route table
  tags:
      - level1
      - scored
      - patch
      - sysctl
      - rule_3.1.1

- name: "SCORED | 3.1.2 | PATCH | Ensure IP forwarding is disabled"
  block:
      - name: "SCORED | 3.1.2 | PATCH | Ensure IP forwarding is disabled | ipv4"
        sysctl:
            name: net.ipv4.ip_forward
            value: "0"
            state: present
            reload: true
            ignoreerrors: true
        notify:
            - sysctl flush ipv4 route table

      - name: "SCORED | 3.1.2 | PATCH | Ensure IP forwarding is disabled | ipv6"
        sysctl:
            name: net.ipv6.conf.all.forwarding
            value: "0"
            state: present
            reload: true
            ignoreerrors: true
        when: ubuntu1804cis_ipv6_required
        notify:
            - sysctl flush ipv6 route table
  when:
    - not ubuntu1804cis_is_router
    - ubuntu1804cis_rule_3_1_2
  tags:
      - level1
      - scored
      - patch
      - sysctl
      - rule_3.1.2

- name: "SCORED | 3.2.1 | PATCH | Ensure source routed packets are not accepted"
  block:
      - name: "SCORED | 3.2.1 | PATCH | Ensure source routed packets are not accepted | ipv4"
        sysctl:
            name: '{{ item.name }}'
            value: '{{ item.value }}'
            sysctl_set: true
            state: present
            reload: true
            ignoreerrors: true
        with_items:
            - { name: net.ipv4.conf.all.accept_source_route, value: 0 }
            - { name: net.ipv4.conf.default.accept_source_route, value: 0 }
        notify:
            - sysctl flush ipv4 route table

      - name: "SCORED | 3.2.1 | PATCH | Ensure source routed packets are not accepted | ipv6"
        sysctl:
            name: '{{ item.name }}'
            value: '{{ item.value }}'
            sysctl_set: true
            state: present
            reload: true
            ignoreerrors: true
        with_items:
            - { name: net.ipv6.conf.all.accept_source_route, value: 0 }
            - { name: net.ipv6.conf.default.accept_source_route, value: 0 }
        when:
            - ubuntu1804cis_ipv6_required
        notify:
            - sysctl flush ipv6 route table
  when:
    - ubuntu1804cis_rule_3_2_1
  tags:
      - level1
      - scored
      - patch
      - sysctl
      - rule_3.2.1

- name: "SCORED | 3.2.2 | PATCH | Ensure ICMP redirects are not accepted | ipv4,ipv6"
  block:
      - name: "SCORED | 3.2.2 | PATCH | Ensure ICMP redirects are not accepted | ipv4"
        sysctl:
            name: '{{ item.name }}'
            value: '{{ item.value }}'
            sysctl_set: true
            state: present
            reload: true
            ignoreerrors: true
        with_items:
            - { name: net.ipv4.conf.all.accept_redirects, value: 0 }
            - { name: net.ipv4.conf.default.accept_redirects, value: 0 }
        notify:
            - sysctl flush ipv4 route table

      - name: "SCORED | 3.2.2 | PATCH | Ensure ICMP redirects are not accepted | ipv6"
        sysctl:
            name: '{{ item.name }}'
            value: '{{ item.value }}'
            sysctl_set: true
            state: present
            reload: true
            ignoreerrors: true
        with_items:
            - { name: net.ipv6.conf.all.accept_redirects, value: 0 }
            - { name: net.ipv6.conf.default.accept_redirects, value: 0 }
        when:
            - ubuntu1804cis_ipv6_required
        notify:
            - sysctl flush ipv6 route table
  when:
    - ubuntu1804cis_rule_3_2_2
  tags:
      - level1
      - scored
      - patch
      - sysctl
      - rule_3.2.2

- name: "SCORED | 3.2.3 | PATCH | Ensure secure ICMP redirects are not accepted"
  sysctl:
      name: '{{ item.name }}'
      value: '{{ item.value }}'
      sysctl_set: true
      state: present
      reload: true
      ignoreerrors: true
  with_items:
      - { name: net.ipv4.conf.all.secure_redirects, value: 0 }
      - { name: net.ipv4.conf.default.secure_redirects, value: 0 }
  when:
    - ubuntu1804cis_rule_3_2_3
  notify:
      - sysctl flush ipv4 route table
  tags:
      - level1
      - scored
      - patch
      - sysctl
      - rule_3.2.3

- name: "SCORED | 3.2.4 | PATCH | Ensure suspicious packets are logged"
  sysctl:
      name: '{{ item.name }}'
      value: '{{ item.value }}'
      sysctl_set: true
      state: present
      reload: true
      ignoreerrors: true
  with_items:
      - { name: net.ipv4.conf.all.log_martians, value: 1 }
      - { name: net.ipv4.conf.default.log_martians, value: 1 }
  when:
    - ubuntu1804cis_rule_3_2_4
  notify:
      - sysctl flush ipv4 route table
  tags:
      - level1
      - scored
      - patch
      - sysctl
      - rule_3.2.4

- name: "SCORED | 3.2.5 | PATCH | Ensure broadcast ICMP requests are ignored"
  sysctl:
      name: net.ipv4.icmp_echo_ignore_broadcasts
      value: "1"
      state: present
      reload: true
      ignoreerrors: true
  when:
    - ubuntu1804cis_rule_3_2_5
  notify:
      - sysctl flush ipv4 route table
  tags:
      - level1
      - scored
      - patch
      - sysctl
      - rule_3.2.5

- name: "SCORED | 3.2.6 | PATCH | Ensure bogus ICMP responses are ignored"
  sysctl:
      name: net.ipv4.icmp_ignore_bogus_error_responses
      value: "1"
      state: present
      reload: true
      ignoreerrors: true
  when:
    - ubuntu1804cis_rule_3_2_6
  notify:
      - sysctl flush ipv4 route table
  tags:
      - level1
      - scored
      - patch
      - sysctl
      - rule_3.2.6

- name: "SCORED | 3.2.7 | PATCH | Ensure Reverse Path Filtering is enabled"
  sysctl:
      name: '{{ item.name }}'
      value: '{{ item.value }}'
      sysctl_set: true
      state: present
      reload: true
      ignoreerrors: true
  with_items:
      - { name: net.ipv4.conf.all.rp_filter, value: 1 }
      - { name: net.ipv4.conf.default.rp_filter, value: 1 }
  when:
    - ubuntu1804cis_rule_3_2_7
  notify:
      - sysctl flush ipv4 route table
  tags:
      - level1
      - scored
      - patch
      - sysctl
      - rule_3.2.7

- name: "SCORED | 3.2.8 | PATCH | Ensure TCP SYN Cookies is enabled"
  sysctl:
      name: net.ipv4.tcp_syncookies
      value: '1'
      state: present
      reload: true
      ignoreerrors: true
  when:
    - ubuntu1804cis_rule_3_2_8
  notify:
      - sysctl flush ipv4 route table
  tags:
      - level1
      - scored
      - patch
      - sysctl
      - rule_3.2.8

- name: "SCORED | 3.2.9 | PATCH | Ensure IPv6 router advertisements are not accepted"
  sysctl:
      name: '{{ item.name }}'
      value: '{{ item.value }}'
      state: present
      reload: true
      ignoreerrors: true
  with_items:
    - { name: net.ipv6.conf.all.accept_ra, value: 0 }
    - { name: net.ipv6.conf.default.accept_ra, value: 0 }
  when:
    - ubuntu1804cis_ipv6_required
    - ubuntu1804cis_rule_3_2_9
  notify:
      - sysctl flush ipv6 route table
  tags:
      - level1
      - scored
      - patch
      - sysctl
      - rule_3.2.9

- name: "NOTSCORED | 3.3.1 | PATCH | Ensure TCP Wrappers is installed"
  apt:
      name: "{{ tcp_wrapper_package[ansible_os_family] }}"
      state: present
      install_recommends: false
  when:
      - ubuntu1804cis_setup_tcp_wrappers
      - ubuntu1804cis_rule_3_3_1
  tags:
      - level1
      - notscored
      - patch
      - rule_3.3.1

- name: "NOTSCORED | 3.3.2 | PATCH | Ensure /etc/hosts.allow is configured"
  template:
      src: hosts.allow.j2
      dest: /etc/hosts.allow
  when:
      - ubuntu1804cis_setup_tcp_wrappers
      - ubuntu1804cis_rule_3_3_2
  tags:
      - level1
      - notscored
      - patch
      - rule_3.3.2

- name: "NOTSCORED | 3.3.3 | PATCH | Ensure /etc/hosts.deny is configured"
  lineinfile:
      dest: /etc/hosts.deny
      regexp: "^(#)?ALL"
      line: "ALL: ALL"
  when:
      - ubuntu1804cis_setup_tcp_wrappers
      - ubuntu1804cis_rule_3_3_3
  tags:
      - level1
      - notscored
      - patch
      - rule_3.3.3

- name: "SCORED | 3.3.4 | PATCH | Ensure permissions on /etc/hosts.allow are configured"
  template:
      src: hosts.allow.j2
      dest: /etc/hosts.allow
      owner: root
      group: root
      mode: 0644
  when:
      - ubuntu1804cis_setup_tcp_wrappers
      - ubuntu1804cis_rule_3_3_4
  tags:
      - level1
      - scored
      - patch
      - rule_3.3.4

- name: "SCORED | 3.3.5 | PATCH | Ensure permissions on /etc/hosts.deny are configured"
  file:
      dest: /etc/hosts.deny
      owner: root
      group: root
      mode: 0644
  when:
      - ubuntu1804cis_setup_tcp_wrappers
      - ubuntu1804cis_rule_3_3_5
  tags:
      - level1
      - scored
      - patch
      - rule_3.3.5

- name: "SCORED | 3.4.1 | PATCH | Ensure DCCP is disabled"
  lineinfile:
      dest: /etc/modprobe.d/CIS.conf
      regexp: "^(#)?install dccp(\\s|$)"
      line: "install dccp /bin/true"
      create: true
  when:
      - ubuntu1804cis_rule_3_4_1
  tags:
      - level2
      - scored
      - patch
      - rule_3.4.1

- name: "SCORED | 3.4.2 | PATCH | Ensure SCTP is disabled"
  lineinfile:
      dest: /etc/modprobe.d/CIS.conf
      regexp: "^(#)?install sctp(\\s|$)"
      line: "install sctp /bin/true"
      create: true
  when:
      - ubuntu1804cis_rule_3_4_2
  tags:
      - level2
      - scored
      - patch
      - rule_3.4.2

- name: "SCORED | 3.4.3 | PATCH | Ensure RDS is disabled"
  lineinfile:
      dest: /etc/modprobe.d/CIS.conf
      regexp: "^(#)?install rds(\\s|$)"
      line: "install rds /bin/true"
      create: true
  when:
      - ubuntu1804cis_rule_3_4_3
  tags:
      - level2
      - scored
      - patch
      - rule_3.4.3

- name: "SCORED | 3.4.4 | PATCH | Ensure TIPC is disabled"
  lineinfile:
      dest: /etc/modprobe.d/CIS.conf
      regexp: "^(#)?install tipc(\\s|$)"
      line: "install tipc /bin/true"
      create: true
  when:
      - ubuntu1804cis_rule_3_4_4
  tags:
      - level2
      - scored
      - patch
      - rule_3.4.4

- name: "SCORED | 3.5.1.1 | PATCH | Ensure a Firewall package is installed | firewalld(CUSTOM),ufw,nftables,iptables"
  block:
      - name: "SCORED | 3.5.1.1 | PATCH | Ensure a Firewall package is installed | firewalld | CUSTOM"
        apt:
            name: firewalld
            state: present
            install_recommends: false
        when:
            - ubuntu1804cis_firewall == "firewalld"

      - name: "SCORED | 3.5.1.1 | PATCH | Ensure a Firewall package is installed | ufw"
        apt:
            name: ufw
            state: present
            install_recommends: false
        when:
            - ubuntu1804cis_firewall == "ufw"

      - name: "SCORED | 3.5.1.1 | PATCH | Ensure a Firewall package is installed | nftables"
        apt:
            name: nftables
            state: present
            install_recommends: false
        when:
            - ubuntu1804cis_firewall == "nftables"

      - name: "SCORED | 3.5.1.1 | PATCH | Ensure a Firewall package is installed | iptables"
        apt:
            name: iptables
            state: present
            install_recommends: false
        when:
            - ubuntu1804cis_firewall == "iptables"
  when:
      - ubuntu1804cis_rule_3_5_1_1
      - ubuntu1804cis_setup_firewall
  tags:
      - level1
      - scored
      - patch
      - rule_3.5.1.1

- name: "SCORED | 3.5.2.1 | PATCH | Ensure ufw service is enabled"
  service:
      name: ufw
      state: started
      enabled: true
  when:
      - ubuntu1804cis_rule_3_5_2_1
      - ubuntu1804cis_firewall == "ufw"
      - ubuntu1804cis_setup_firewall
  tags:
      - level1
      - scored
      - patch
      - rule_3.5.2.1

- name: "SCORED | 3.5.2.2 | PATCH | Ensure default deny firewall policy"
  ufw:
      # "default" sets the policy (ufw default deny incoming/outgoing/routed);
      # "rule" adds a firewall rule and does not accept these policy directions
      default: deny
      direction: "{{ item }}"
  with_items:
      - incoming
      - outgoing
      - routed
  when:
      - ubuntu1804cis_rule_3_5_2_2
      - ubuntu1804cis_firewall == "ufw"
      - ubuntu1804cis_setup_firewall
  tags:
      - level1
      - scored
      - patch
      - rule_3.5.2.2

- name: "SCORED | 3.5.2.3 | PATCH | Ensure loopback traffic is configured"
  block:
      - name: "SCORED | 3.5.2.3 | PATCH | Ensure loopback traffic is configured | ingress lo allow any"
        ufw:
            rule: allow
            direction: in
            interface: lo

      - name: "SCORED | 3.5.2.3 | PATCH | Ensure loopback traffic is configured | ingress deny from lo network ipv4"
        ufw:
            rule: deny
            direction: in
            from: "127.0.0.0/8"

      - name: "SCORED | 3.5.2.3 | PATCH | Ensure loopback traffic is configured | ingress deny from lo network ipv6"
        ufw:
            rule: deny
            direction: in
            from: "::1"
        when: ubuntu1804cis_ipv6_required
  when:
      - ubuntu1804cis_rule_3_5_2_3
      - ubuntu1804cis_firewall == "ufw"
      - ubuntu1804cis_setup_firewall
  tags:
      - level1
      - scored
      - patch
      - rule_3.5.2.3

- name: "NOTSCORED | 3.5.2.4 | PATCH | Ensure outbound and established connections are configured"
  ufw:
      rule: allow
      direction: out
      interface: all
  when:
      - ubuntu1804cis_rule_3_5_2_4
      - ubuntu1804cis_firewall == "ufw"
      - ubuntu1804cis_setup_firewall
  tags:
      - level1
      - notscored
      - patch
      - rule_3.5.2.4

- name: "NOTSCORED | 3.5.2.5 | PATCH | Ensure firewall rules exist for all open ports"
  block:
      - name: "NOTSCORED | 3.5.2.5 | PATCH | Ensure firewall rules exist for all open ports | ssh"
        ufw:
            rule: allow
            proto: tcp
            port: '22'

      - name: "NOTSCORED | 3.5.2.5 | PATCH | Ensure firewall rules exist for all open ports | dns"
        ufw:
            rule: allow
            proto: "{{ item }}"
            port: '53'
        loop:
            - tcp
            - udp
  when:
      - ubuntu1804cis_rule_3_5_2_5
      - ubuntu1804cis_firewall == "ufw"
      - ubuntu1804cis_setup_firewall
  tags:
      - level1
      - notscored
      - patch
      - rule_3.5.2.5

- name: "NOTSCORED | 3.5.3.1 | PATCH | Ensure iptables are flushed | ipv4, ipv6"
  block:
      - name: "NOTSCORED | 3.5.3.1 | PATCH | Ensure iptables are flushed | ipv4"
        iptables:
            flush: yes

      - name: "NOTSCORED | 3.5.3.1 | PATCH | Ensure iptables are flushed | ipv6"
        iptables:
            flush: yes
            ip_version: ipv6
        when: ubuntu1804cis_ipv6_required
  when:
      - ubuntu1804cis_rule_3_5_3_1
      - ubuntu1804cis_firewall == "nftables"
      - ubuntu1804cis_setup_firewall
  tags:
      - level1
      - notscored
      - patch
      - rule_3.5.3.1

- name: "SCORED | 3.5.3.2 | PATCH | Ensure a table exists"
  shell: |
      nft create table inet {{ ubuntu1804cis_nftables_table }}
  args:
      executable: /bin/bash
  changed_when: false
  check_mode: false
  # A default table already exists when nftables was installed via apt,
  # so "nft create table" returns an error for it; that error is expected.
  ignore_errors: true
  when:
      - ubuntu1804cis_rule_3_5_3_2
      - ubuntu1804cis_firewall == "nftables"
      - ubuntu1804cis_setup_firewall
  tags:
      - level1
      - scored
      - patch
      - rule_3.5.3.2

- name: "SCORED | 3.5.3.3 | PATCH | Ensure base chains exist"
  shell: |
      nft chain inet {{ ubuntu1804cis_nftables_table }} {{ item }} { type filter hook {{ item }} priority 0\; }
  args:
      executable: /bin/bash
  loop:
      - input
      - forward
      - output
  changed_when: false
  check_mode: false
  when:
      - ubuntu1804cis_rule_3_5_3_3
      - ubuntu1804cis_firewall == "nftables"
      - ubuntu1804cis_setup_firewall
  tags:
      - level1
      - scored
      - patch
      - rule_3.5.3.3

- name: "SCORED | 3.5.3.4 | PATCH | Ensure loopback traffic is configured"
  block:
      - name: "SCORED | 3.5.3.4 | PATCH | Ensure loopback traffic is configured | ingress lo allow any"
        shell: |
            nft add rule inet {{ ubuntu1804cis_nftables_table }} input iif lo accept
        args:
            executable: /bin/bash
        changed_when: false
        check_mode: false

      - name: "SCORED | 3.5.3.4 | PATCH | Ensure loopback traffic is configured | ingress deny from lo network ipv4"
        shell: |
            nft add rule inet {{ ubuntu1804cis_nftables_table }} input ip saddr 127.0.0.0/8 counter drop
        args:
            executable: /bin/bash
        changed_when: false
        check_mode: false

      - name: "SCORED | 3.5.3.4 | PATCH | Ensure loopback traffic is configured | ingress deny from lo network ipv6"
        shell: |
            nft add rule inet {{ ubuntu1804cis_nftables_table }} input ip6 saddr ::1 counter drop
        args:
            executable: /bin/bash
        changed_when: false
        check_mode: false
        when: ubuntu1804cis_ipv6_required
  when:
      - ubuntu1804cis_rule_3_5_3_4
      - ubuntu1804cis_firewall == "nftables"
      - ubuntu1804cis_setup_firewall
  tags:
      - level1
      - scored
      - patch
      - rule_3.5.3.4

- name: "NOTSCORED | 3.5.3.5 | PATCH | Ensure outbound and established connections are configured"
  shell: |
      nft add rule inet {{ ubuntu1804cis_nftables_table }} input ip protocol {{ item }} ct state established accept
      nft add rule inet {{ ubuntu1804cis_nftables_table }} output ip protocol {{ item }} ct state new,related,established accept
  args:
      executable: /bin/bash
  loop:
      - tcp
      - udp
      - icmp
  changed_when: false
  check_mode: false
  when:
      - ubuntu1804cis_rule_3_5_3_5
      - ubuntu1804cis_firewall == "nftables"
      - ubuntu1804cis_setup_firewall
  tags:
      - level1
      - notscored
      - patch
      - rule_3.5.3.5

- name: "SCORED | 3.5.3.6 | PATCH | Ensure base chains exist"
  shell: |
      nft chain inet {{ ubuntu1804cis_nftables_table }} {{ item }} { policy drop \; }
  args:
      executable: /bin/bash
  loop:
      - input
      - forward
      - output
  changed_when: false
  check_mode: false
  when:
      - ubuntu1804cis_rule_3_5_3_6
      - ubuntu1804cis_firewall == "nftables"
      - ubuntu1804cis_setup_firewall
  tags:
      - level1
      - scored
      - patch
      - rule_3.5.3.6

- name: "SCORED | 3.5.3.7 | PATCH | Ensure nftables service is enabled"
  service:
      name: nftables
      state: started
      enabled: true
  when:
      - ubuntu1804cis_rule_3_5_3_7
      - ubuntu1804cis_firewall == "nftables"
      - ubuntu1804cis_setup_firewall
  tags:
      - level1
      - scored
      - patch
      - rule_3.5.3.7

- name: "SCORED | 3.5.3.8 | PATCH | Ensure nftables rules are permanent"
  shell:
      nft list table inet {{ ubuntu1804cis_nftables_table }} > /etc/nftables.conf
  when:
      - ubuntu1804cis_rule_3_5_3_8
      - ubuntu1804cis_firewall == "nftables"
      - ubuntu1804cis_setup_firewall
  tags:
      - level1
      - scored
      - patch
      - rule_3.5.3.8

- name: "SCORED | 3.5.4.1.1 | PATCH | Ensure default deny firewall policy"
  iptables:
      chain: "{{ item }}"
      policy: DROP
  loop:
      - INPUT
      - OUTPUT
      - FORWARD
  when:
      - ubuntu1804cis_rule_3_5_4_1_1
      - ubuntu1804cis_firewall == "iptables"
      - ubuntu1804cis_setup_firewall
  tags:
      - level1
      - scored
      - patch
      - rule_3.5.4.1.1

- name: "SCORED | 3.5.4.1.2 | PATCH | Ensure loopback traffic is configured"
  block:
      - name: "SCORED | 3.5.4.1.2 | PATCH | Ensure loopback traffic is configured | ingress lo allow any"
        iptables:
            chain: INPUT
            jump: ACCEPT
            in_interface: lo

      - name: "SCORED | 3.5.4.1.2 | PATCH | Ensure loopback traffic is configured | egress lo allow any"
        iptables:
            # egress rule: OUTPUT chain matched on the outgoing interface
            chain: OUTPUT
            jump: ACCEPT
            out_interface: lo

      - name: "SCORED | 3.5.4.1.2 | PATCH | Ensure loopback traffic is configured | ingress deny from lo network"
        iptables:
            chain: INPUT
            jump: DROP
            source: 127.0.0.0/8
  when:
      - ubuntu1804cis_rule_3_5_4_1_2
      - ubuntu1804cis_firewall == "iptables"
      - ubuntu1804cis_setup_firewall
  tags:
      - level1
      - scored
      - patch
      - rule_3.5.4.1.2

- name: "NOTSCORED | 3.5.4.1.3 | PATCH | Ensure outbound and established connections are configured"
  block:
      - name: "NOTSCORED | 3.5.4.1.3 | PATCH | Ensure outbound and established connections are configured | input"
        iptables:
            chain: INPUT
            jump: ACCEPT
            # inbound: accept only packets belonging to an existing connection;
            # accepting NEW here would bypass the default deny policy and the
            # per-port rules in 3.5.4.1.4
            ctstate: ESTABLISHED
            protocol: "{{ item }}"
        loop:
            - tcp
            - udp
            - icmp

      - name: "NOTSCORED | 3.5.4.1.3 | PATCH | Ensure outbound and established connections are configured | output"
        iptables:
            chain: OUTPUT
            jump: ACCEPT
            ctstate: NEW,ESTABLISHED
            protocol: "{{ item }}"
        loop:
            - tcp
            - udp
            - icmp
  when:
      - ubuntu1804cis_rule_3_5_4_1_3
      - ubuntu1804cis_firewall == "iptables"
      - ubuntu1804cis_setup_firewall
  tags:
      - level1
      - notscored
      - patch
      - rule_3.5.4.1.3

- name: "SCORED | 3.5.4.1.4 | PATCH | Ensure firewall rules exist for all open ports"
  block:
      - name: "SCORED | 3.5.4.1.4 | PATCH | Ensure firewall rules exist for all open ports | ssh"
        iptables:
            chain: INPUT
            jump: ACCEPT
            ctstate: NEW
            protocol: tcp
            destination_port: 22

      - name: "SCORED | 3.5.4.1.4 | PATCH | Ensure firewall rules exist for all open ports | dns"
        iptables:
            chain: INPUT
            jump: ACCEPT
            ctstate: NEW
            protocol: "{{ item }}"
            destination_port: 53
        loop:
            - tcp
            - udp
  when:
      - ubuntu1804cis_rule_3_5_4_1_4
      - ubuntu1804cis_firewall == "iptables"
      - ubuntu1804cis_setup_firewall
  tags:
      - level1
      - scored
      - patch
      - rule_3.5.4.1.4

- name: "SCORED | 3.5.4.2.1 | PATCH | Ensure IPv6 default deny firewall policy"
  iptables:
      chain: "{{ item }}"
      policy: DROP
      ip_version: ipv6
  loop:
      - INPUT
      - OUTPUT
      - FORWARD
  when:
      - ubuntu1804cis_rule_3_5_4_2_1
      - ubuntu1804cis_firewall == "iptables"
      - ubuntu1804cis_setup_firewall
      - ubuntu1804cis_ipv6_required
  tags:
      - level1
      - scored
      - patch
      - rule_3.5.4.2.1

- name: "SCORED | 3.5.4.2.2 | PATCH | Ensure IPv6 loopback traffic is configured"
  block:
      - name: "SCORED | 3.5.4.2.2 | PATCH | Ensure IPv6 loopback traffic is configured | ingress lo allow any"
        iptables:
            chain: INPUT
            jump: ACCEPT
            in_interface: lo
            ip_version: ipv6

      - name: "SCORED | 3.5.4.2.2 | PATCH | Ensure IPv6 loopback traffic is configured | egress lo allow any"
        iptables:
            # egress rule: OUTPUT chain matched on the outgoing interface
            chain: OUTPUT
            jump: ACCEPT
            out_interface: lo
            ip_version: ipv6

      - name: "SCORED | 3.5.4.2.2 | PATCH | Ensure IPv6 loopback traffic is configured | ingress deny from lo network"
        iptables:
            chain: INPUT
            jump: DROP
            source: "::1"
            ip_version: ipv6
            ip_version: ipv6
  when:
      - ubuntu1804cis_rule_3_5_4_2_2
      - ubuntu1804cis_firewall == "iptables"
      - ubuntu1804cis_setup_firewall
      - ubuntu1804cis_ipv6_required
  tags:
      - level1
      - scored
      - patch
      - rule_3.5.4.2.2

- name: "NOTSCORED | 3.5.4.2.3 | PATCH | Ensure IPv6 outbound and established connections are configured"
  block:
      - name: "NOTSCORED | 3.5.4.2.3 | PATCH | Ensure IPv6 outbound and established connections are configured | input"
        iptables:
            chain: INPUT
            jump: ACCEPT
            # inbound: accept only packets belonging to an existing connection;
            # accepting NEW here would bypass the default deny policy and the
            # per-port rules in 3.5.4.2.4
            ctstate: ESTABLISHED
            protocol: "{{ item }}"
            ip_version: ipv6
        loop:
            - tcp
            - udp
            - icmp

      - name: "NOTSCORED | 3.5.4.2.3 | PATCH | Ensure IPv6 outbound and established connections are configured | output"
        iptables:
            chain: OUTPUT
            jump: ACCEPT
            ctstate: NEW,ESTABLISHED
            protocol: "{{ item }}"
            ip_version: ipv6
        loop:
            - tcp
            - udp
            - icmp
  when:
      - ubuntu1804cis_rule_3_5_4_2_3
      - ubuntu1804cis_firewall == "iptables"
      - ubuntu1804cis_setup_firewall
      - ubuntu1804cis_ipv6_required
  tags:
      - level1
      - notscored
      - patch
      - rule_3.5.4.2.3

- name: "NOTSCORED | 3.5.4.2.4 | PATCH | Ensure IPv6 firewall rules exist for all open ports"
  block:
      - name: "NOTSCORED | 3.5.4.2.4 | PATCH | Ensure IPv6 firewall rules exist for all open ports | ssh"
        iptables:
            chain: INPUT
            jump: ACCEPT
            ctstate: NEW
            protocol: tcp
            destination_port: 22
            ip_version: ipv6

      - name: "NOTSCORED | 3.5.4.2.4 | PATCH | Ensure IPv6 firewall rules exist for all open ports | dns"
        iptables:
            chain: INPUT
            jump: ACCEPT
            ctstate: NEW
            protocol: "{{ item }}"
            destination_port: 53
            ip_version: ipv6
        loop:
            - tcp
            - udp
  when:
      - ubuntu1804cis_rule_3_5_4_2_4
      - ubuntu1804cis_firewall == "iptables"
      - ubuntu1804cis_setup_firewall
      - ubuntu1804cis_ipv6_required
  tags:
      - level1
      - notscored
      - patch
      - rule_3.5.4.2.4

- name: "SCORED | 3.5.4.3.1 | PATCH | Ensure firewalld is installed and started | CUSTOM"
  apt:
      name: firewalld
      state: present
      install_recommends: false
  when:
      - ubuntu1804cis_rule_3_5_4_3_1
      - ubuntu1804cis_firewall == "firewalld"
      - ubuntu1804cis_setup_firewall
  tags:
      - level1
      - scored
      - patch
      - rule_3.5.4.3.1

- name: "SCORED | 3.5.4.3.2 | PATCH | Ensure firewalld is installed and started | CUSTOM"
  service:
      name: firewalld
      state: started
      enabled: true
  when:
      - ubuntu1804cis_rule_3_5_4_3_2
      - ubuntu1804cis_firewall == "firewalld"
      - ubuntu1804cis_setup_firewall
  tags:
      - level1
      - scored
      - patch
      - rule_3.5.4.3.2

- name: "SCORED | 3.5.4.3.3 | PATCH | Ensure default deny firewall policy | CUSTOM"
  lineinfile:
      dest: /etc/firewalld/firewalld.conf
      regexp: "^DefaultZone"
      line: "DefaultZone=drop"
  when:
      - ubuntu1804cis_rule_3_5_4_3_3
      - ubuntu1804cis_firewall == "firewalld"
      - ubuntu1804cis_setup_firewall
  tags:
      - level1
      - scored
      - patch
      - rule_3.5.4.3.3

- name: "SCORED | 3.5.4.3.4 | PATCH | Ensure default deny firewall policy | CUSTOM"
  firewalld:
      state: enabled
      zone: drop
      permanent: true
  when:
      - ubuntu1804cis_rule_3_5_4_3_4
      - ubuntu1804cis_firewall == "firewalld"
      - ubuntu1804cis_setup_firewall
  tags:
      - level1
      - scored
      - patch
      - rule_3.5.4.3.4

- name: "SCORED | 3.5.4.3.5 | PATCH | Ensure firewall rules exist for all open ports | CUSTOM"
  firewalld:
      service: "{{ item }}"
      state: enabled
      zone: drop
      permanent: true
      immediate: true
  when:
      - ubuntu1804cis_rule_3_5_4_3_5
      - ubuntu1804cis_firewall == "firewalld"
      - ubuntu1804cis_setup_firewall
  notify: restart firewalld
  with_items: "{{ ubuntu1804cis_firewall_services }}"
  tags:
      - level1
      - scored
      - patch
      - rule_3.5.4.3.5

- name: "NOTSCORED | 3.7 | PATCH | Disable IPv6"
  replace:
      dest: /etc/default/grub
      regexp: '^(GRUB_CMDLINE_LINUX=(?!.*ipv6.disable)\"[^\"]*)(\".*)'
      replace: '\1 ipv6.disable=1\2'
  ignore_errors: true
  when:
      - ubuntu1804cis_rule_3_7
  notify:
      - generate new grub config
  tags:
      - level2
      - notscored
      - patch
      - rule_3.7


================================================
FILE: tasks/section4.yml
================================================
---
- name: "SCORED | 4.1.1.1 | PATCH | Ensure auditd is installed"
  apt:
      name: audispd-plugins
      state: present
      install_recommends: false
  when:
      - not ubuntu1804cis_skip_for_travis
      - ubuntu1804cis_rule_4_1_1_1
  tags:
      - level2
      - scored
      - patch
      - auditd
      - rule_4.1.1.1

- name: "SCORED | 4.1.1.2 | PATCH | Ensure auditd service is enabled"
  service:
      name: auditd
      state: started
      enabled: true
  when:
      - not ubuntu1804cis_skip_for_travis
      - ubuntu1804cis_rule_4_1_1_2
  tags:
      - level2
      - scored
      - patch
      - auditd
      - rule_4.1.1.2

- name: "SCORED | 4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled"
  replace:
      dest: /etc/default/grub
      regexp: '^(GRUB_CMDLINE_LINUX=(?!.*audit)\"[^\"]*)(\".*)'
      replace: '\1 audit=1\2'
  notify:
      - generate new grub config
  when:
      - ubuntu1804cis_rule_4_1_1_3
  tags:
      - level2
      - scored
      - patch
      - auditd
      - rule_4.1.1.3

- name: "SCORED | 4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient"
  replace:
      dest: /etc/default/grub
      regexp: '^(GRUB_CMDLINE_LINUX=(?!.*audit_backlog_limit)\"[^\"]*)(\".*)'
      replace: '\1 audit_backlog_limit={{ ubuntu1804cis_auditd.backlog_limit }}\2'
  ignore_errors: true
  notify:
      - generate new grub config
  when:
      - ubuntu1804cis_rule_4_1_1_4
  tags:
      - level2
      - scored
      - patch
      - auditd
      - rule_4.1.1.4
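The two `replace` tasks above rely on a negative lookahead so that a kernel parameter is only appended when it is not already present. The Python below, added here as an example and not part of the role, reproduces that regexp over a constructed `/etc/default/grub`, shows it is idempotent, and goes one step beyond the page with a `strict` variant: the role's `(?!.*audit)` guard matches the bare string anywhere, so a pre-existing `audit_backlog_limit=` silently blocks `audit=1` from ever being added.

```python
import re

# Constructed sample of /etc/default/grub (not taken from any real host).
SAMPLE_GRUB = (
    'GRUB_DEFAULT=0\n'
    'GRUB_TIMEOUT=2\n'
    'GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"\n'
    'GRUB_CMDLINE_LINUX=""\n'
)


def _pattern(param, strict):
    """Build the role's GRUB_CMDLINE_LINUX regexp for one parameter.

    strict=False reproduces the role: (?!.*audit) refuses to add the
    parameter whenever the bare name occurs anywhere in the value.
    strict=True anchors the guard to a whole `param=` token, so a value
    such as audit_backlog_limit=8192 no longer shadows audit=1.
    """
    guard = r'\b' + re.escape(param) + '=' if strict else re.escape(param)
    return re.compile(
        r'^(GRUB_CMDLINE_LINUX=(?!.*' + guard + r')"[^"]*)(".*)', re.M)


def add_kernel_param(text, param, value, strict=False):
    """Append `param=value` inside the GRUB_CMDLINE_LINUX quotes, exactly like
    the role's replace: '\\1 param=value\\2'. Unchanged text means the guard
    fired (parameter already present, or shadowed when strict=False)."""
    return _pattern(param, strict).sub(
        lambda m: '{} {}={}{}'.format(m.group(1), param, value, m.group(2)),
        text)


def cmdline_params(text):
    """Parse GRUB_CMDLINE_LINUX into {key: value}; bare flags map to None."""
    m = re.search(r'^GRUB_CMDLINE_LINUX="([^"]*)"', text, re.M)
    params = {}
    for tok in (m.group(1).split() if m else []):
        key, sep, val = tok.partition('=')
        params[key] = val if sep else None
    return params


if __name__ == '__main__':
    step1 = add_kernel_param(SAMPLE_GRUB, 'audit', '1')
    step2 = add_kernel_param(step1, 'audit_backlog_limit', '8192')
    print(cmdline_params(step2))
    # Host that already carried audit_backlog_limit but not audit=1:
    pre = SAMPLE_GRUB.replace('GRUB_CMDLINE_LINUX=""',
                              'GRUB_CMDLINE_LINUX="audit_backlog_limit=8192"')
    print('role guard added audit=1:',
          add_kernel_param(pre, 'audit', '1') != pre)
    print('strict guard added audit=1:',
          add_kernel_param(pre, 'audit', '1', strict=True) != pre)
```

Note that the first insertion yields `GRUB_CMDLINE_LINUX=" audit=1"` with a leading space inside the quotes; the kernel ignores it, but it is worth knowing when diffing the file.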

- name: "SCORED | 4.1.2.1 | PATCH | Ensure audit log storage size is configured"
  lineinfile:
      dest: /etc/audit/auditd.conf
      regexp: "^max_log_file( |=)"
      line: "max_log_file = {{ ubuntu1804cis_auditd.max_audit_log_file_size }}"
      state: present
      create: yes
  when:
      - ubuntu1804cis_rule_4_1_2_1
  notify:
      - restart auditd
  tags:
      - level2
      - scored
      - patch
      - auditd
      - rule_4.1.2.1

- name: "SCORED | 4.1.2.2 | PATCH | Ensure audit logs are not automatically deleted"
  lineinfile:
      dest: /etc/audit/auditd.conf
      regexp: "^max_log_file_action"
      line: "max_log_file_action = {{ ubuntu1804cis_auditd['max_log_file_action'] }}"
      state: present
      create: yes
  when:
      - ubuntu1804cis_rule_4_1_2_2
  notify:
      - restart auditd
  tags:
      - level2
      - scored
      - patch
      - auditd
      - rule_4.1.2.2

- name: "SCORED | 4.1.2.3 | PATCH | Ensure system is disabled when audit logs are full"
  lineinfile:
      dest: /etc/audit/auditd.conf
      regexp: "^admin_space_left_action"
      line: "admin_space_left_action = {{ ubuntu1804cis_auditd['admin_space_left_action'] }}"
      state: present
      create: yes
  when:
      - ubuntu1804cis_rule_4_1_2_3
  notify:
      - restart auditd
  tags:
      - level2
      - scored
      - patch
      - auditd
      - rule_4.1.2.3

- name: "SCORED | 4.1.2.3 | PATCH | Ensure email on non-admin audit space alert"
  # space_left_action belongs to rule 4.1.2.3 (audit log space handling), not 4.1.1.2 (auditd service).
  lineinfile:
      dest: /etc/audit/auditd.conf
      regexp: "^space_left_action"
      line: "space_left_action = email"
      state: present
      create: yes
  when:
      - ubuntu1804cis_rule_4_1_2_3
  notify:
      - restart auditd
  tags:
      - level2
      - scored
      - patch
      - auditd
      - rule_4.1.2.3

- name: "SCORED | 4.1.3 | PATCH | Ensure events that modify date and time information are collected"
  template:
      src: audit/ubuntu1804cis_rule_4_1_3.rules.j2
      dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_3.rules
      owner: root
      group: root
      mode: 0600
  when:
      - ubuntu1804cis_rule_4_1_3
  notify:
      - load audit rules
      - restart auditd
  tags:
      - level2
      - scored
      - patch
      - auditd
      - rule_4.1.3

- name: "SCORED | 4.1.4 | PATCH | Ensure events that modify user/group information are collected"
  template:
      src: audit/ubuntu1804cis_rule_4_1_4.rules.j2
      dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_4.rules
      owner: root
      group: root
      mode: 0600
  when:
      - ubuntu1804cis_rule_4_1_4
  notify:
      - load audit rules
      - restart auditd
  tags:
      - level2
      - scored
      - patch
      - auditd
      - rule_4.1.4

- name: "SCORED | 4.1.5 | PATCH | Ensure events that modify the system's network environment are collected"
  template:
      src: audit/ubuntu1804cis_rule_4_1_5.rules.j2
      dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_5.rules
      owner: root
      group: root
      mode: 0600
  when:
      - ubuntu1804cis_rule_4_1_5
  notify:
      - load audit rules
      - restart auditd
  tags:
      - level2
      - scored
      - patch
      - auditd
      - rule_4.1.5

- name: "SCORED | 4.1.6 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected"
  template:
      src: audit/ubuntu1804cis_rule_4_1_6.rules.j2
      dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_6.rules
      owner: root
      group: root
      mode: 0600
  when:
      - ubuntu1804cis_rule_4_1_6
  notify:
      - load audit rules
      - restart auditd
  tags:
      - level2
      - scored
      - patch
      - auditd
      - rule_4.1.6

- name: "SCORED | 4.1.7 | PATCH | Ensure login and logout events are collected"
  template:
      src: audit/ubuntu1804cis_rule_4_1_7.rules.j2
      dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_7.rules
      owner: root
      group: root
      mode: 0600
  when:
      - ubuntu1804cis_rule_4_1_7
  notify:
      - load audit rules
      - restart auditd
  tags:
      - level2
      - scored
      - patch
      - auditd
      - rule_4.1.7

- name: "SCORED | 4.1.8 | PATCH | Ensure session initiation information is collected"
  template:
      src: audit/ubuntu1804cis_rule_4_1_8.rules.j2
      dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_8.rules
      owner: root
      group: root
      mode: 0600
  when:
      - ubuntu1804cis_rule_4_1_8
  notify:
      - load audit rules
      - restart auditd
  tags:
      - level2
      - scored
      - patch
      - auditd
      - rule_4.1.8

- name: "SCORED | 4.1.9 | PATCH | Ensure discretionary access control permission modification events are collected"
  template:
      src: audit/ubuntu1804cis_rule_4_1_9.rules.j2
      dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_9.rules
      owner: root
      group: root
      mode: 0600
  when:
      - ubuntu1804cis_rule_4_1_9
  notify:
      - load audit rules
      - restart auditd
  tags:
      - level2
      - scored
      - patch
      - auditd
      - rule_4.1.9

- name: "SCORED | 4.1.10 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected"
  template:
      src: audit/ubuntu1804cis_rule_4_1_10.rules.j2
      dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_10.rules
      owner: root
      group: root
      mode: 0600
  when:
      - ubuntu1804cis_rule_4_1_10
  notify:
      - load audit rules
      - restart auditd
  tags:
      - level2
      - scored
      - patch
      - auditd
      - rule_4.1.10

- name: "SCORED | 4.1.11 | PATCH | Ensure use of privileged commands is collected"
  block:

      - name: "SCORED | 4.1.11 | PATCH | Get list of setuid/setguid binaries"
        shell: for i in  $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
        register: priv_procs
        changed_when: false
        check_mode: false

      - name: "SCORED | 4.1.11 | PATCH | Ensure use of privileged commands is collected"
        template:
            src: audit/ubuntu1804cis_rule_4_1_11.rules.j2
            dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_11.rules
            owner: root
            group: root
            mode: 0600
        notify:
            - load audit rules
            - restart auditd
  when:
      - ubuntu1804cis_rule_4_1_11
  tags:
      - level2
      - scored
      - patch
      - auditd
      - rule_4.1.11

- name: "SCORED | 4.1.12 | PATCH | Ensure successful file system mounts are collected"
  template:
      src: audit/ubuntu1804cis_rule_4_1_12.rules.j2
      dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_12.rules
      owner: root
      group: root
      mode: 0600
  when:
      - ubuntu1804cis_rule_4_1_12
  notify:
      - load audit rules
      - restart auditd
  tags:
      - level2
      - scored
      - patch
      - auditd
      - rule_4.1.12

- name: "SCORED | 4.1.13 | PATCH | Ensure file deletion events by users are collected"
  template:
      src: audit/ubuntu1804cis_rule_4_1_13.rules.j2
      dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_13.rules
      owner: root
      group: root
      mode: 0600
  when:
      - ubuntu1804cis_rule_4_1_13
  notify:
      - load audit rules
      - restart auditd
  tags:
      - level2
      - scored
      - patch
      - auditd
      - rule_4.1.13

- name: "SCORED | 4.1.14 | PATCH | Ensure changes to system administration scope (sudoers) is collected"
  template:
      src: audit/ubuntu1804cis_rule_4_1_14.rules.j2
      dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_14.rules
      owner: root
      group: root
      mode: 0600
  when:
      - ubuntu1804cis_rule_4_1_14
  notify:
      - load audit rules
      - restart auditd
  tags:
      - level2
      - scored
      - patch
      - auditd
      - rule_4.1.14

- name: "SCORED | 4.1.15 | PATCH | Ensure system administrator actions (sudolog) are collected"
  template:
      src: audit/ubuntu1804cis_rule_4_1_15.rules.j2
      dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_15.rules
      owner: root
      group: root
      mode: 0600
  when:
      - ubuntu1804cis_rule_4_1_15
  notify:
      - load audit rules
      - restart auditd
  tags:
      - level2
      - scored
      - patch
      - auditd
      - rule_4.1.15

- name: "SCORED | 4.1.16 | PATCH | Ensure kernel module loading and unloading is collected"
  template:
      src: audit/ubuntu1804cis_rule_4_1_16.rules.j2
      dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_16.rules
      owner: root
      group: root
      mode: 0600
  when:
      - ubuntu1804cis_rule_4_1_16
  notify:
      - load audit rules
      - restart auditd
  tags:
      - level2
      - scored
      - patch
      - auditd
      - rule_4.1.16

- name: "SCORED | 4.1.17 | PATCH | Ensure the audit configuration is immutable"
  template:
      src: audit/ubuntu1804cis_rule_4_1_17.rules.j2
      dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_17.rules
      owner: root
      group: root
      mode: 0600
  when:
      - ubuntu1804cis_rule_4_1_17
  notify:
      - load audit rules
      - restart auditd
  tags:
      - level2
      - scored
      - patch
      - auditd
      - rule_4.1.17

- name: "SCORED | 4.2.1.1 | PATCH | Ensure rsyslog is installed"
  apt:
      name: rsyslog
      state: present
      install_recommends: false
  when:
      - ubuntu1804cis_rule_4_2_1_1
      - ubuntu1804cis_syslog == "rsyslog"
  tags:
      - level1
      - scored
      - patch
      - syslog
      - rule_4.2.1.1

- name: "SCORED | 4.2.1.2 | PATCH | Ensure rsyslog Service is enabled"
  service:
      name: rsyslog
      enabled: yes
  changed_when: false
  when:
      - ubuntu1804cis_rule_4_2_1_2
      - ubuntu1804cis_syslog == "rsyslog"
  tags:
      - level1
      - scored
      - patch
      - syslog
      - rule_4.2.1.2

- name: "NOTSCORED | 4.2.1.3 | PATCH | Ensure logging is configured"
  command: /bin/true
  changed_when: false
  when:
      - ubuntu1804cis_rule_4_2_1_3
  tags:
      - level1
      - notscored
      - patch
      - syslog
      - rule_4.2.1.3
      - notimplemented

- name: "SCORED | 4.2.1.4 | PATCH | Ensure rsyslog default file permissions configured"
  lineinfile:
      dest: /etc/rsyslog.conf
      regexp: '^\$FileCreateMode'
      line: '$FileCreateMode 0640'
  when:
      - ubuntu1804cis_rule_4_2_1_4
  tags:
      - level1
      - scored
      - patch
      - syslog
      - rule_4.2.1.4

- name: "SCORED | 4.2.1.5 | PATCH | Ensure rsyslog is configured to send logs to a remote log host"
  command: /bin/true
  changed_when: false
  when:
      - ubuntu1804cis_rule_4_2_1_5
  tags:
      - level1
      - scored
      - patch
      - syslog
      - rule_4.2.1.5
      - notimplemented

- name: "NOTSCORED | 4.2.1.6 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts"
  command: /bin/true
  changed_when: false
  when:
      - ubuntu1804cis_rule_4_2_1_6
  tags:
      - level1
      - notscored
      - patch
      - syslog
      - rule_4.2.1.6
      - notimplemented

- name: "SCORED | 4.2.2.1 | PATCH | Ensure journald is configured to send logs to rsyslog"
  # No changed_when: false here; with it the "restart journald" handler would never fire.
  lineinfile:
      dest: /etc/systemd/journald.conf
      regexp: "(#)?ForwardToSyslog=(yes|no)"
      line: ForwardToSyslog=yes
  when:
      - ubuntu1804cis_rule_4_2_2_1
  notify:
      - restart journald
  tags:
      - level1
      - scored
      - patch
      - syslog
      - rule_4.2.2.1

- name: "SCORED | 4.2.2.2 | PATCH | Ensure journald is configured to compress large log files"
  lineinfile:
      dest: /etc/systemd/journald.conf
      regexp: "(#)?Compress=(yes|no)"
      line: Compress=yes
  when:
      - ubuntu1804cis_rule_4_2_2_2
  notify:
      - restart journald
  tags:
      - level1
      - scored
      - patch
      - syslog
      - rule_4.2.2.2

- name: "SCORED | 4.2.2.3 | PATCH | Ensure journald is configured to write logfiles to persistent disk"
  lineinfile:
      dest: /etc/systemd/journald.conf
      regexp: "(#)?Storage=(auto|persistent)"
      line: Storage=persistent
  when:
      - ubuntu1804cis_rule_4_2_2_3
  notify:
      - restart journald
  tags:
      - level1
      - scored
      - patch
      - syslog
      - rule_4.2.2.3

- name: "SCORED | 4.2.3 | PATCH | Ensure permissions on all logfiles are configured"
  command: find /var/log -type f -exec chmod g-wx,o-rwx {} +
  changed_when: false
  failed_when: false
  when:
      - ubuntu1804cis_rule_4_2_3
  tags:
      - level1
      - scored
      - patch
      - syslog
      - rule_4.2.3

- name: "NOTSCORED | 4.3 | PATCH | Ensure logrotate is configured"
  block:
      - name: "NOTSCORED | 4.3 | PATCH | Register logrotate.d files"
        find:
            paths: /etc/logrotate.d/
        register: log_rotates

      - name: "NOTSCORED | 4.3 | PATCH | Ensure logrotate.conf exists"
        file:
            path: /etc/logrotate.conf
            state: touch
        changed_when: false

      - name: "NOTSCORED | 4.3 | PATCH | Ensure logrotate is configured"
        replace:
            path: "{{ item.path }}"
            regexp: '^(\s*)(daily|weekly|monthly|yearly)$'
            replace: "\\1{{ ubuntu1804cis_logrotate }}"
        with_items:
            - "{{ log_rotates.files }}"
            - { path: "/etc/logrotate.conf" }
  when:
      - ubuntu1804cis_rule_4_3
  tags:
      - level1
      - notscored
      - patch
      - syslog
      - rule_4.3


================================================
FILE: tasks/section5.yml
================================================
---
- name: "SCORED | 5.1.1 | PATCH | Ensure cron daemon is enabled"
  service:
      name: "{{ cron_service[ansible_os_family] }}"
      enabled: true
  when:
      - ubuntu1804cis_rule_5_1_1
  tags:
      - level1
      - scored
      - patch
      - cron
      - rule_5.1.1

- name: "SCORED | 5.1.2 | PATCH | Ensure permissions on /etc/crontab are configured"
  file:
      dest: /etc/crontab
      owner: root
      group: root
      mode: 0600
  when:
      - ubuntu1804cis_rule_5_1_2
  tags:
      - level1
      - scored
      - patch
      - cron
      - rule_5.1.2

- name: "SCORED | 5.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured"
  file:
      dest: /etc/cron.hourly
      state: directory
      owner: root
      group: root
      mode: 0700
  when:
      - ubuntu1804cis_rule_5_1_3
  tags:
      - level1
      - scored
      - patch
      - cron
      - rule_5.1.3

- name: "SCORED | 5.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured"
  file:
      dest: /etc/cron.daily
      state: directory
      owner: root
      group: root
      mode: 0700
  when:
      - ubuntu1804cis_rule_5_1_4
  tags:
      - level1
      - scored
      - patch
      - cron
      - rule_5.1.4

- name: "SCORED | 5.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured"
  file:
      dest: /etc/cron.weekly
      state: directory
      owner: root
      group: root
      mode: 0700
  when:
      - ubuntu1804cis_rule_5_1_5
  tags:
      - level1
      - scored
      - patch
      - cron
      - rule_5.1.5

- name: "SCORED | 5.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured"
  file:
      dest: /etc/cron.monthly
      state: directory
      owner: root
      group: root
      mode: 0700
  when:
      - ubuntu1804cis_rule_5_1_6
  tags:
      - level1
      - scored
      - patch
      - cron
      - rule_5.1.6

- name: "SCORED | 5.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured"
  file:
      dest: /etc/cron.d
      state: directory
      owner: root
      group: root
      mode: 0700
  when:
      - ubuntu1804cis_rule_5_1_7
  tags:
      - level1
      - scored
      - patch
      - cron
      - rule_5.1.7

- name: "SCORED | 5.1.8 | PATCH | Ensure at/cron is restricted to authorized users"
  block:
      - name: "SCORED | 5.1.8 | PATCH | Ensure at is restricted to authorized users | remove at.deny"
        file:
            dest: /etc/at.deny
            state: absent

      - name: "SCORED | 5.1.8 | PATCH | Ensure at is restricted to authorized users | create at.allow"
        template:
            src: at.allow.j2
            dest: /etc/at.allow
            owner: root
            group: root
            mode: 0600

      - name: "SCORED | 5.1.8 | PATCH | Ensure cron is restricted to authorized users | remove cron.deny"
        file:
            dest: /etc/cron.deny
            state: absent

      - name: "SCORED | 5.1.8 | PATCH | Ensure cron is restricted to authorized users | create cron.allow"
        template:
            src: cron.allow.j2
            dest: /etc/cron.allow
            owner: root
            group: root
            mode: 0600
  when:
      - ubuntu1804cis_rule_5_1_8
  tags:
      - level1
      - scored
      - patch
      - cron
      - rule_5.1.8

- name: "SCORED | 5.2.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured"
  file:
      dest: /etc/ssh/sshd_config
      state: file
      owner: root
      group: root
      mode: 0600
  when:
      - ubuntu1804cis_rule_5_2_1
  tags:
      - level1
      - scored
      - patch
      - sshd
      - rule_5.2.1

- name: "SCORED | 5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured"
  block:
      - name: "SCORED | 5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured | find keys"
        find:
            paths: /etc/ssh
            patterns: "ssh_host_*_key"
        register: ssh_private_host_keys

      - name: "SCORED | 5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured | change permissions"
        file:
            dest: "{{ item.path }}"
            state: file
            owner: root
            group: root
            mode: 0600
        with_items: "{{ ssh_private_host_keys.files }}"
  when:
      - ubuntu1804cis_rule_5_2_2
  tags:
      - level1
      - scored
      - patch
      - sshd
      - rule_5.2.2

- name: "SCORED | 5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured"
  block:
      - name: "SCORED | 5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured | find keys"
        find:
            paths: /etc/ssh
            patterns: "ssh_host_*_key.pub"
        register: ssh_public_host_keys

      - name: "SCORED | 5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured | change permissions"
        file:
            dest: "{{ item.path }}"
            state: file
            owner: root
            group: root
            mode: 0644
        with_items: "{{ ssh_public_host_keys.files }}"
  when:
      - ubuntu1804cis_rule_5_2_3
  tags:
      - level1
      - scored
      - patch
      - sshd
      - rule_5.2.3

- name: "SCORED | 5.2.4 | PATCH | Ensure SSH Protocol is not set to 1"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: '^Protocol'
      line: 'Protocol 2'
  when:
      - ubuntu1804cis_rule_5_2_4
  tags:
      - level1
      - scored
      - patch
      - sshd
      - rule_5.2.4

- name: "SCORED | 5.2.5 | PATCH | Ensure SSH LogLevel is set to INFO"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: '^LogLevel'
      line: 'LogLevel INFO'
  when:
      - ubuntu1804cis_rule_5_2_5
  tags:
      - level1
      - scored
      - patch
      - sshd
      - rule_5.2.5

- name: "SCORED | 5.2.6 | PATCH | Ensure SSH X11 forwarding is disabled"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: '^X11Forwarding'
      line: 'X11Forwarding no'
  when:
      - ubuntu1804cis_rule_5_2_6
  tags:
      - level1
      - scored
      - patch
      - sshd
      - rule_5.2.6

- name: "SCORED | 5.2.7 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: '^(#)?MaxAuthTries \d'
      line: 'MaxAuthTries 4'
  when:
      - ubuntu1804cis_rule_5_2_7
  tags:
      - level1
      - scored
      - patch
      - sshd
      - rule_5.2.7

- name: "SCORED | 5.2.8 | PATCH | Ensure SSH IgnoreRhosts is enabled"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: '^IgnoreRhosts'
      line: 'IgnoreRhosts yes'
  when:
      - ubuntu1804cis_rule_5_2_8
  tags:
      - level1
      - scored
      - patch
      - sshd
      - rule_5.2.8

- name: "SCORED | 5.2.9 | PATCH | Ensure SSH HostbasedAuthentication is disabled"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: '^HostbasedAuthentication'
      line: 'HostbasedAuthentication no'
  when:
      - ubuntu1804cis_rule_5_2_9
  tags:
      - level1
      - scored
      - patch
      - sshd
      - rule_5.2.9

- name: "SCORED | 5.2.10 | PATCH | Ensure SSH root login is disabled"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: '^PermitRootLogin'
      line: 'PermitRootLogin no'
  when:
      - ubuntu1804cis_rule_5_2_10
  tags:
      - level1
      - scored
      - patch
      - sshd
      - rule_5.2.10

- name: "SCORED | 5.2.11 | PATCH | Ensure SSH PermitEmptyPasswords is disabled"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: '^PermitEmptyPasswords'
      line: 'PermitEmptyPasswords no'
  when:
      - ubuntu1804cis_rule_5_2_11
  tags:
      - level1
      - scored
      - patch
      - sshd
      - rule_5.2.11

- name: "SCORED | 5.2.12 | PATCH | Ensure SSH PermitUserEnvironment is disabled"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: '^PermitUserEnvironment'
      line: 'PermitUserEnvironment no'
  when:
      - ubuntu1804cis_rule_5_2_12
  tags:
      - level1
      - scored
      - patch
      - sshd
      - rule_5.2.12

- name: "SCORED | 5.2.13 | PATCH | Ensure only strong Ciphers are used"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: '^Ciphers'
      line: "Ciphers {{ ubuntu1804cis_sshd['ciphers'] }}"
  when:
      - ubuntu1804cis_rule_5_2_13
  tags:
      - level1
      - scored
      - patch
      - sshd
      - rule_5.2.13

- name: "SCORED | 5.2.14 | PATCH | Ensure only approved MAC algorithms are used"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: '^MACs'
      line: "MACs {{ ubuntu1804cis_sshd['macs'] }}"
  when:
      - ubuntu1804cis_rule_5_2_14
  tags:
      - level1
      - scored
      - patch
      - sshd
      - rule_5.2.14

- name: "SCORED | 5.2.15 | PATCH | Ensure only strong Key Exchange algorithms are used"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: '^KexAlgorithms'
      line: "KexAlgorithms {{ ubuntu1804cis_sshd['kexalgorithms'] }}"
  when:
      - ubuntu1804cis_rule_5_2_15
  tags:
      - level1
      - scored
      - patch
      - sshd
      - rule_5.2.15

- name: "SCORED | 5.2.16 | PATCH | Ensure SSH Idle Timeout Interval is configured"
  block:
      - name: "SCORED | 5.2.16 | PATCH | Ensure SSH Idle Timeout Interval is configured"
        lineinfile:
            state: present
            dest: /etc/ssh/sshd_config
            regexp: '^ClientAliveInterval'
            line: "ClientAliveInterval {{ ubuntu1804cis_sshd['clientaliveinterval'] }}"

      - name: "SCORED | 5.2.16 | PATCH | Ensure SSH ClientAliveCountMax set to <= 3"
        lineinfile:
            state: present
            dest: /etc/ssh/sshd_config
            regexp: '^ClientAliveCountMax'
            line: "ClientAliveCountMax {{ ubuntu1804cis_sshd['clientalivecountmax'] }}"
  when:
      - ubuntu1804cis_rule_5_2_16
  tags:
      - level1
      - scored
      - patch
      - sshd
      - rule_5.2.16

- name: "SCORED | 5.2.17 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: '^LoginGraceTime'
      line: "LoginGraceTime 60"
  when:
      - ubuntu1804cis_rule_5_2_17
  tags:
      - level1
      - scored
      - patch
      - sshd
      - rule_5.2.17

- name: "SCORED | 5.2.18 | PATCH | Ensure SSH access is limited"
  block:
      - name: "SCORED | 5.2.18 | PATCH | Ensure SSH access is limited | allowusers"
        lineinfile:
            state: present
            dest: /etc/ssh/sshd_config
            regexp: '^AllowUsers'
            line: "AllowUsers {{ ubuntu1804cis_sshd['allowusers'] }}"
        when:
            - "ubuntu1804cis_sshd['allowusers']|default('')"

      - name: "SCORED | 5.2.18 | PATCH | Ensure SSH access is limited | allowgroups"
        lineinfile:
            state: present
            dest: /etc/ssh/sshd_config
            regexp: '^AllowGroups'
            line: "AllowGroups {{ ubuntu1804cis_sshd['allowgroups'] }}"
        when:
            - "ubuntu1804cis_sshd['allowgroups']|default('')"

      - name: "SCORED | 5.2.18 | PATCH | Ensure SSH access is limited | denyusers"
        lineinfile:
            state: present
            dest: /etc/ssh/sshd_config
            regexp: '^DenyUsers'
            line: "DenyUsers {{ ubuntu1804cis_sshd['denyusers'] }}"
        when:
            - "ubuntu1804cis_sshd['denyusers']|default('')"

      - name: "SCORED | 5.2.18 | PATCH | Ensure SSH access is limited | denygroups"
        lineinfile:
            state: present
            dest: /etc/ssh/sshd_config
            regexp: '^DenyGroups'
            line: "DenyGroups {{ ubuntu1804cis_sshd['denygroups'] }}"
        when:
            - "ubuntu1804cis_sshd['denygroups']|default('')"
  when:
      - ubuntu1804cis_rule_5_2_18
  tags:
      - level1
      - scored
      - patch
      - sshd
      - rule_5.2.18

- name: "SCORED | 5.2.19 | PATCH | Ensure SSH warning banner is configured"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: '^Banner'
      line: 'Banner /etc/issue.net'
  when:
      - ubuntu1804cis_rule_5_2_19
  tags:
      - level1
      - scored
      - patch
      - sshd
      - rule_5.2.19

- name: "SCORED | 5.2.20 | PATCH | Ensure SSH PAM is enabled"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: '^UsePAM'
      line: 'UsePAM yes'
  when:
      - ubuntu1804cis_rule_5_2_20
  tags:
      - level1
      - scored
      - patch
      - sshd
      - rule_5.2.20

- name: "SCORED | 5.2.21 | PATCH | Ensure SSH AllowTcpForwarding is disabled"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: '^AllowTcpForwarding'
      line: 'AllowTcpForwarding no'
  when:
      - ubuntu1804cis_rule_5_2_21
  tags:
      - level2
      - scored
      - patch
      - sshd
      - rule_5.2.21

- name: "SCORED | 5.2.22 | PATCH | Ensure SSH MaxStartups is configured"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: '^MaxStartups'
      line: 'MaxStartups 10:30:60'
  when:
      - ubuntu1804cis_rule_5_2_22
  tags:
      - level1
      - scored
      - patch
      - sshd
      - rule_5.2.22

- name: "SCORED | 5.2.23 | PATCH | Ensure SSH MaxSessions is set to 4 or less"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: '^MaxSessions'
      line: 'MaxSessions 4'
  notify:
      - restart sshd
  when:
      - ubuntu1804cis_rule_5_2_23
  tags:
      - level1
      - scored
      - patch
      - sshd
      - rule_5.2.23
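The 5.2.x tasks above each manage one sshd directive with `lineinfile`, which edits the first matching line or appends at the end of the file. The checker below, added here as an example and not part of the role, verifies the resulting `sshd_config` the way sshd itself resolves it (keywords are case-insensitive, the first occurrence of a directive wins, and anything after the first `Match` line is conditional rather than global); the expected values are taken from the tasks above, and the sample configuration is constructed.

```python
import re

# Values the role's 5.2.x tasks write into /etc/ssh/sshd_config. Integer
# entries are upper bounds ("N or less" in the benchmark); strings must match.
EXPECTED = {
    'loglevel': 'INFO',
    'x11forwarding': 'no',
    'maxauthtries': 4,
    'ignorerhosts': 'yes',
    'hostbasedauthentication': 'no',
    'permitrootlogin': 'no',
    'permitemptypasswords': 'no',
    'permituserenvironment': 'no',
    'clientalivecountmax': 3,
    'logingracetime': 60,
    'banner': '/etc/issue.net',
    'usepam': 'yes',
    'allowtcpforwarding': 'no',
    'maxstartups': '10:30:60',
    'maxsessions': 4,
}

# Constructed sample (not from any real host). It carries three problems a
# lineinfile-driven edit can leave behind: a duplicate MaxAuthTries where the
# weaker first line wins, PermitRootLogin still yes, and MaxSessions appended
# below a Match block, where it no longer applies globally.
SAMPLE_SSHD_CONFIG = """\
Port 22
LogLevel INFO
PermitRootLogin yes
MaxAuthTries 6
MaxAuthTries 4
X11Forwarding no
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
PermitUserEnvironment no
ClientAliveInterval 300
ClientAliveCountMax 3
LoginGraceTime 60
Banner /etc/issue.net
UsePAM yes
AllowTcpForwarding no
MaxStartups 10:30:60
Match User backup
    MaxSessions 4
"""


def parse_sshd_config(text):
    """Resolve directives like sshd: case-insensitive keywords, first
    occurrence wins, and directives after the first Match line are only
    conditional. Returns (effective_globals, keys_seen_only_after_match)."""
    effective, trailing, in_match = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = re.match(r'(\S+?)[\s=]+(.*)$', line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == 'match':
            in_match = True
            continue
        if in_match:
            trailing.append(key)
            continue
        effective.setdefault(key, value)  # keep the first occurrence
    return effective, trailing


def check_sshd_config(text):
    """Return human-readable findings; an empty list means every expected
    directive is set globally with a compliant value."""
    effective, trailing = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        got = effective.get(key)
        if got is None:
            where = 'only inside a Match block' if key in trailing else 'not set'
            findings.append('{}: {}, sshd default applies'.format(key, where))
        elif isinstance(want, int):
            if not got.isdigit() or int(got) > want:
                findings.append('{}: {} exceeds {}'.format(key, got, want))
        elif got.lower() != want.lower():
            findings.append('{}: {!r}, expected {!r}'.format(key, got, want))
    return findings


if __name__ == '__main__':
    for finding in check_sshd_config(SAMPLE_SSHD_CONFIG):
        print(finding)
```

On a real host, run it against `/etc/ssh/sshd_config` after the play; a directive appended below a `Match` block is exactly what `lineinfile` produces when the file already ends with one.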

- name: "SCORED | 5.3.1 | PATCH | Ensure password creation requirements are configured"
  block:
      - name: "SCORED | 5.3.1 | PATCH | Ensure libpam-pwquality is installed"
        apt:
            name: libpam-pwquality
            state: present
            install_recommends: false

      - name: "SCORED | 5.3.1 | PATCH | Ensure password creation requirements are configured"
        lineinfile:
            state: present
            create: yes
            dest: /etc/security/pwquality.conf
            regexp: '^{{ item.key }}'
            line: '{{ item.key }} = {{ item.value }}'
        with_items:
            - "{{ ubuntu1804cis_pwquality }}"
  when:
      - ubuntu1804cis_rule_5_3_1
  tags:
      - level1
      - scored
      - patch
      - rule_5.3.1

- name: "SCORED | 5.3.2 | PATCH | Ensure lockout for failed password attempts is configured"
  block:
      - name: "SCORED | 5.3.2 | PATCH | Ensure lockout for failed password attempts is configured - /etc/pam.d/common-account"
        lineinfile:
            dest: /etc/pam.d/common-account
            regexp: '^account\s+required\s+pam_tally2\.so'
            line: 'account required pam_tally2.so'

      - name: "SCORED | 5.3.2 | PATCH | Ensure lockout for failed password attempts is configured - /etc/pam.d/common-auth"
        # pam_tally2 has to run before pam_unix/pam_deny: appended at the end of
        # the stack it is never reached on a failed login, so nothing is counted
        # and no lockout happens. Assumes the stock Ubuntu 18.04 common-auth layout.
        lineinfile:
            dest: /etc/pam.d/common-auth
            regexp: '^auth\s+required\s+pam_tally2\.so'
            line: 'auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900'
            insertbefore: '^auth\s+\[success=1 default=ignore\]\s+pam_unix\.so'
  when:
      - ubuntu1804cis_rule_5_3_2
  tags:
      - level1
      - scored
      - patch
      - rule_5.3.2

- name: "SCORED | 5.3.3 | PATCH | Ensure password reuse is limited"
  # pam_pwhistory must precede pam_unix so the new password is checked against
  # the history before pam_unix commits it; appended at the end of the stack the
  # check runs after the change. Assumes the stock Ubuntu 18.04 common-password layout.
  lineinfile:
      dest: /etc/pam.d/common-password
      regexp: '^password\s+required\s+pam_pwhistory\.so'
      line: "password required pam_pwhistory.so remember={{ ubuntu1804cis_pass['history'] }}"
      insertbefore: '^password\s+\[success=1 default=ignore\]\s+pam_unix\.so'
  when:
      - ubuntu1804cis_rule_5_3_3
  tags:
      - level1
      - scored
      - patch
      - rule_5.3.3

- name: "SCORED | 5.3.4 | PATCH | Ensure password hashing algorithm is SHA-512"
  # authconfig is a Red Hat tool and does not exist on Ubuntu (the old command
  # only "worked" because failed_when: false hid the error). On Ubuntu the
  # setting is the sha512 option on the pam_unix line; stock 18.04 layout assumed.
  replace:
      path: /etc/pam.d/common-password
      regexp: '^(password\s+\[success=1 default=ignore\]\s+pam_unix\.so(?!.*\bsha512\b).*)$'
      replace: '\1 sha512'
  when:
      - ubuntu1804cis_rule_5_3_4
  tags:
      - level1
      - scored
      - patch
      - rule_5.3.4

- name: "SCORED | 5.4.1.1 | PATCH | Ensure password expiration is 365 days or less"
  lineinfile:
      state: present
      dest: /etc/login.defs
      regexp: '^PASS_MAX_DAYS'
      line: "PASS_MAX_DAYS {{ ubuntu1804cis_pass['max_days'] }}"
  when:
      - ubuntu1804cis_rule_5_4_1_1
  tags:
      - level1
      - scored
      - patch
      - rule_5.4.1.1

- name: "SCORED | 5.4.1.2 | PATCH | Ensure minimum days between password changes is configured"
  lineinfile:
      state: present
      dest: /etc/login.defs
      regexp: '^PASS_MIN_DAYS'
      line: "PASS_MIN_DAYS {{ ubuntu1804cis_pass['min_days'] }}"
  when:
      - ubuntu1804cis_rule_5_4_1_2
  tags:
      - level1
      - scored
      - patch
      - rule_5.4.1.2

- name: "SCORED | 5.4.1.3 | PATCH | Ensure password expiration warning days is 7 or more"
  lineinfile:
      state: present
      dest: /etc/login.defs
      regexp: '^PASS_WARN_AGE'
      line: "PASS_WARN_AGE {{ ubuntu1804cis_pass['warn_age'] }}"
  when:
      - ubuntu1804cis_rule_5_4_1_3
  tags:
      - level1
      - scored
      - patch
      - rule_5.4.1.3

- name: "SCORED | 5.4.1.4 | PATCH | Ensure inactive password lock is 30 days or less"
  lineinfile:
    state: present
    dest: /etc/default/useradd
    regexp: '^INACTIVE'
    line: "INACTIVE={{ ubuntu1804cis_pass['inactive'] }}"
  when:
      - ubuntu1804cis_rule_5_4_1_4
  tags:
      - level1
      - scored
      - patch
      - rule_5.4.1.4

- name: "SCORED | 5.4.1.5 | PATCH | Ensure all users last password change date is in the past"
  block:
      - name: "SCORED | 5.4.1.5 | PATCH | Ensure all users last password change date is in the past | lock users"
        user:
            name: "{{ item }}"
            password_lock: yes
        loop: "{{ users_password_change_date_in_future.stdout_lines }}"
        when:
            - ubuntu1804cis_password_change_date_in_future_action == 'lock'

      - name: "SCORED | 5.4.1.5 | PATCH | Ensure all users last password change date is in the past | expire users"
        user:
            name: "{{ item }}"
            expires: 1422403387  # an epoch timestamp in the past, i.e. the account expires immediately
        loop: "{{ users_password_change_date_in_future.stdout_lines }}"
        when:
            - ubuntu1804cis_password_change_date_in_future_action == 'expire'
  when:
      - ubuntu1804cis_rule_5_4_1_5
      - users_password_change_date_in_future.stdout_lines | length > 0
  tags:
      - level1
      - scored
      - patch
      - rule_5.4.1.5

- name: "SCORED | 5.4.2 | PATCH | Ensure system accounts are secured"
  # the for-loop and command substitution need a shell; the command module does not run them
  shell: |
    for user in $(awk -F: '($3 < 1000) {print $1 }' /etc/passwd); do
      if [ "$user" != "root" ]; then
        usermod -L "$user"
        if [ "$user" != "sync" ] && [ "$user" != "shutdown" ] && [ "$user" != "halt" ]; then
          usermod -s /usr/sbin/nologin "$user"
        fi
      fi
    done
  changed_when: false
  when:
      - ubuntu1804cis_rule_5_4_2
      - system_accounts_non_login_1.stdout
      - system_accounts_non_login_2.stdout
  tags:
      - level1
      - patch
      - rule_5.4.2
      - scored

- name: "SCORED | 5.4.3 | PATCH | Ensure default group for the root account is GID 0"
  command: usermod -g 0 root
  changed_when: false
  failed_when: false
  when:
      - ubuntu1804cis_rule_5_4_3
  tags:
      - level1
      - patch
      - rule_5.4.3
      - scored

- name: "SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive"
  block:
    - name: "SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive - /etc/bash.bashrc"
      lineinfile:
        state: present
        dest: /etc/bash.bashrc
        create: true
        regexp: '^umask '
        line: 'umask 027'

    - name: "SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive - /etc/profile"
      lineinfile:
        state: present
        dest: /etc/profile
        create: true
        regexp: '^umask '
        line: 'umask 027'

    - name: "SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive - /etc/profile.d/99-umask.sh"
      lineinfile:
        state: present
        dest: /etc/profile.d/99-umask.sh
        create: true
        regexp: '^umask '
        line: 'umask 027'
  when:
      - ubuntu1804cis_rule_5_4_4
  tags:
      - level1
      - patch
      - rule_5.4.4
      - scored

- name: "SCORED | 5.4.5 | PATCH | Ensure default user shell timeout is 900 seconds or less"
  block:
    - name: "SCORED | 5.4.5 | PATCH | Ensure default user shell timeout is 900 seconds or less - /etc/bash.bashrc"
      lineinfile:
        state: present
        dest: /etc/bash.bashrc
        create: true
        regexp: '^TMOUT='
        line: "TMOUT={{ ubuntu1804cis_shell_timeout }}"

    - name: "SCORED | 5.4.5 | PATCH | Ensure default user shell timeout is 900 seconds or less - /etc/profile"
      lineinfile:
        state: present
        dest: /etc/profile
        create: true
        regexp: '^TMOUT='
        line: "TMOUT={{ ubuntu1804cis_shell_timeout }}"

    - name: "SCORED | 5.4.5 | PATCH | Ensure default user shell timeout is 900 seconds or less - /etc/profile.d/99-tmout.sh"
      lineinfile:
        state: present
        dest: /etc/profile.d/99-tmout.sh
        create: true
        regexp: '^TMOUT='
        line: "TMOUT={{ ubuntu1804cis_shell_timeout }}"
  when:
    - ubuntu1804cis_rule_5_4_5
  tags:
    - level1
    - patch
    - rule_5.4.5
    - scored

- name: "NOTSCORED | 5.5 | PATCH | Ensure root login is restricted to system console"
  command: /bin/true
  changed_when: false
  when:
      - ubuntu1804cis_rule_5_5
  tags:
      - level1
      - patch
      - rule_5.5
      - notscored
      - notimplemented

- name: "SCORED | 5.6 | PATCH | Ensure access to the su command is restricted"
  lineinfile:
      state: present
      dest: /etc/pam.d/su
      regexp: '^(#)?auth\s+required\s+pam_wheel\.so'
      line: "auth           required        pam_wheel.so use_uid"
  when:
      - ubuntu1804cis_rule_5_6
  tags:
      - level1
      - patch
      - rule_5.6
      - scored

- name: "SCORED | 5.6 | PATCH | Ensure access to the su command is restricted - sudo group contains root"
  user:
      name: root
      groups: sudo
  when:
      - ubuntu1804cis_rule_5_6
  tags:
      - level1
      - patch
      - rule_5.6
      - scored


================================================
FILE: tasks/section6.yml
================================================
---
- name: "NOTSCORED | 6.1.1 | PATCH | Audit system file permissions"
  command: /bin/true
  changed_when: false
  when:
      - ubuntu1804cis_rule_6_1_1
  tags:
      - level2
      - notscored
      - patch
      - rule_6.1.1
      - notimplemented

- name: "SCORED | 6.1.2 | PATCH | Ensure permissions on /etc/passwd are configured"
  file:
      dest: /etc/passwd
      owner: root
      group: root
      mode: 0644
  when:
      - ubuntu1804cis_rule_6_1_2
  tags:
      - level1
      - scored
      - patch
      - rule_6.1.2

- name: "SCORED | 6.1.3 | PATCH | Ensure permissions on /etc/gshadow- are configured"
  file:
      dest: /etc/gshadow-
      owner: root
      group: shadow
      mode: 0640
  when:
      - ubuntu1804cis_rule_6_1_3
  tags:
      - level1
      - scored
      - patch
      - rule_6.1.3


- name: "SCORED | 6.1.4 | PATCH | Ensure permissions on /etc/shadow are configured"
  file:
      dest: /etc/shadow
      owner: root
      group: shadow
      mode: 0640
  when:
      - ubuntu1804cis_rule_6_1_4
  tags:
      - level1
      - scored
      - patch
      - rule_6.1.4

- name: "SCORED | 6.1.5 | PATCH | Ensure permissions on /etc/group are configured"
  file:
      dest: /etc/group
      owner: root
      group: root
      mode: 0644
  when:
      - ubuntu1804cis_rule_6_1_5
  tags:
      - level1
      - scored
      - patch
      - rule_6.1.5

- name: "SCORED | 6.1.6 | PATCH | Ensure permissions on /etc/passwd- are configured"
  file:
      dest: /etc/passwd-
      owner: root
      group: root
      mode: 0600
  when:
      - ubuntu1804cis_rule_6_1_6
  tags:
      - level1
      - scored
      - patch
      - rule_6.1.6

- name: "SCORED | 6.1.7 | PATCH | Ensure permissions on /etc/shadow- are configured"
  file:
      dest: /etc/shadow-
      owner: root
      group: shadow
      mode: 0600
  when:
      - ubuntu1804cis_rule_6_1_7
  tags:
      - level1
      - scored
      - patch
      - rule_6.1.7

- name: "SCORED | 6.1.8 | PATCH | Ensure permissions on /etc/group- are configured"
  file:
      dest: /etc/group-
      owner: root
      group: root
      mode: 0644
  when:
      - ubuntu1804cis_rule_6_1_8
  tags:
      - level1
      - scored
      - patch
      - rule_6.1.8

- name: "SCORED | 6.1.9 | PATCH | Ensure permissions on /etc/gshadow are configured"
  file:
      dest: /etc/gshadow
      owner: root
      group: shadow
      mode: 0640
  when:
      - ubuntu1804cis_rule_6_1_9
  tags:
      - level1
      - scored
      - patch
      - rule_6.1.9

- name: "SCORED | 6.1.10 | PATCH | Ensure no world writable files exist"
  command: /bin/true
  changed_when: false
  when:
      - ubuntu1804cis_rule_6_1_10
  tags:
      - level1
      - scored
      - patch
      - rule_6.1.10
      - notimplemented

- name: "SCORED | 6.1.11 | PATCH | Ensure no unowned files or directories exist"
  command: /bin/true
  changed_when: false
  when:
      - ubuntu1804cis_rule_6_1_11
  tags:
      - level1
      - scored
      - patch
      - rule_6.1.11
      - notimplemented

- name: "SCORED | 6.1.12 | PATCH | Ensure no ungrouped files or directories exist"
  command: /bin/true
  changed_when: false
  when:
      - ubuntu1804cis_rule_6_1_12
  tags:
      - level1
      - scored
      - patch
      - rule_6.1.12
      - notimplemented

- name: "NOTSCORED | 6.1.13 | PATCH | Audit SUID executables"
  command: /bin/true
  changed_when: false
  when:
      - ubuntu1804cis_rule_6_1_13
  tags:
      - level1
      - notscored
      - patch
      - rule_6.1.13
      - notimplemented

- name: "NOTSCORED | 6.1.14 | PATCH | Audit SGID executables"
  command: /bin/true
  changed_when: false
  when:
      - ubuntu1804cis_rule_6_1_14
  tags:
      - level1
      - notscored
      - patch
      - rule_6.1.14
      - notimplemented

- name: "SCORED | 6.2.1 | PATCH | Ensure password fields are not empty"
  command: passwd -l {{ item }}
  changed_when: false
  failed_when: false
  with_items: "{{ empty_password_accounts.stdout_lines }}"
  when:
      - empty_password_accounts.rc
      - ubuntu1804cis_rule_6_2_1
  tags:
      - level1
      - scored
      - patch
      - rule_6.2.1

- name: "SCORED | 6.2.2 | PATCH | Ensure no legacy '+' entries exist in /etc/passwd"
  lineinfile:
      regexp: '^\+'
      state: absent
      path: /etc/passwd
  when:
      - ubuntu1804cis_rule_6_2_2
  tags:
      - level1
      - scored
      - patch
      - rule_6.2.2

- name: "SCORED | 6.2.3 | PATCH | Ensure no legacy '+' entries exist in /etc/shadow"
  lineinfile:
      regexp: '^\+'
      state: absent
      path: /etc/shadow
  when:
      - ubuntu1804cis_rule_6_2_3
  tags:
      - level1
      - scored
      - patch
      - rule_6.2.3

- name: "SCORED | 6.2.4 | PATCH | Ensure no legacy '+' entries exist in /etc/group"
  lineinfile:
      regexp: '^\+'
      state: absent
      path: /etc/group
  when:
      - ubuntu1804cis_rule_6_2_4
  tags:
      - level1
      - scored
      - patch
      - rule_6.2.4

- name: "SCORED | 6.2.5 | PATCH | Ensure root is the only UID 0 account"
  command: passwd -l {{ item }}
  changed_when: false
  failed_when: false
  with_items: "{{ uid_zero_accounts_except_root.stdout_lines }}"
  when:
      - uid_zero_accounts_except_root.rc
      - ubuntu1804cis_rule_6_2_5
  tags:
      - level1
      - scored
      - patch
      - rule_6.2.5

- name: "SCORED | 6.2.6 | PATCH | Ensure root PATH Integrity"
  block:
      - name: "SCORED | 6.2.6 | PATCH | Ensure root PATH Integrity (unimplemented)"
        command: /bin/true
        changed_when: false
        tags:
            - level1
            - scored
            - patch
            - rule_6.2.6
            - notimplemented

      - name: "SCORED | 6.2.6 | PATCH | Ensure root PATH Integrity (collect paths)"
        shell: |
          set -o pipefail
          # read secure_path="..." from /etc/sudoers, split it on ':' and keep only directories that exist
          sudopath=($(grep secure_path /etc/sudoers | cut -f2 -d= | cut -f2 -d\"))
          IFS=:
          for i in ${sudopath[*]}
          do
            if [ -d "$i" ]
              then newsudopath+=("$i")
            fi
          done
          echo "${newsudopath[*]}"
        args:
            executable: /bin/bash
        register: fixsudo
        changed_when: false
        check_mode: false
        tags:
            - level1
            - scored
            - patch
            - rule_6.2.6

      - name: "SCORED | 6.2.6 | PATCH | Ensure root PATH Integrity (fix paths)"
        lineinfile:
            dest: /etc/sudoers
            regexp: "(.*secure_path=).*"
            line: '\1"{{ fixsudo.stdout_lines[0] }}"'
            backrefs: true
        when:
            - fixsudo.stdout_lines[0]
        tags:
            - level1
            - scored
            - patch
            - rule_6.2.6
  when:
      - ubuntu1804cis_rule_6_2_6

- name: "SCORED | 6.2.7 | PATCH | Ensure all users' home directories exist"
  command: /bin/true
  changed_when: false
  when:
      - ubuntu1804cis_rule_6_2_7
  tags:
      - level1
      - scored
      - patch
      - rule_6.2.7
      - notimplemented

- name: "SCORED | 6.2.8 | PATCH | Ensure users' home directories permissions are 750 or more restrictive"
  shell: |
      for dir in {{ homes_with_perms.stdout }};
      do
        chmod g-w,o-rwx "$dir";
      done
  when:
      - ubuntu1804cis_rule_6_2_8
      - homes_with_perms.stdout | length > 0
  tags:
      - level1
      - scored
      - patch
      - rule_6.2.8

- name: "SCORED | 6.2.9 | PATCH | Ensure users own their home directories"
  command: /bin/true
  changed_when: false
  when:
      - ubuntu1804cis_rule_6_2_9
  tags:
      - level1
      - scored
      - patch
      - rule_6.2.9
      - notimplemented

- name: "SCORED | 6.2.10 | PATCH | Ensure users' dot files are not group or world writable"
  command: /bin/true
  changed_when: false
  when:
      - ubuntu1804cis_rule_6_2_10
  tags:
      - level1
      - scored
      - patch
      - rule_6.2.10
      - notimplemented

- name: "SCORED | 6.2.11 | PATCH | Ensure no users have .forward files"
  file:
      state: absent
      dest: "~{{ item }}/.forward"
  with_items: "{{ users.stdout_lines }}"
  when:
      - ubuntu1804cis_rule_6_2_11
  tags:
      - level1
      - scored
      - patch
      - rule_6.2.11

- name: "SCORED | 6.2.12 | PATCH | Ensure no users have .netrc files"
  file:
      state: absent
      dest: "~{{ item }}/.netrc"
  with_items: "{{ users.stdout_lines }}"
  when:
      - ubuntu1804cis_rule_6_2_12
  tags:
      - level1
      - scored
      - patch
      - rule_6.2.12

- name: "SCORED | 6.2.14 | PATCH | Ensure no users have .rhosts files"
  file:
      state: absent
      dest: "~{{ item }}/.rhosts"
  with_items: "{{ users.stdout_lines }}"
  when:
      - ubuntu1804cis_rule_6_2_14
  tags:
      - level1
      - scored
      - patch
      - rule_6.2.14

- name: "SCORED | 6.2.15 | PATCH | Ensure all groups in /etc/passwd exist in /etc/group"
  command: /bin/true
  changed_when: false
  when:
      - ubuntu1804cis_rule_6_2_15
  tags:
      - level1
      - scored
      - patch
      - rule_6.2.15
      - notimplemented

- name: "SCORED | 6.2.16 | PATCH | Ensure no duplicate UIDs exist"
  command: /bin/true
  changed_when: false
  when:
      - ubuntu1804cis_rule_6_2_16
  tags:
      - level1
      - scored
      - patch
      - rule_6.2.16
      - notimplemented

- name: "SCORED | 6.2.17 | PATCH | Ensure no duplicate GIDs exist"
  command: /bin/true
  changed_when: false
  when:
      - ubuntu1804cis_rule_6_2_17
  tags:
      - level1
      - scored
      - patch
      - rule_6.2.17
      - notimplemented

- name: "SCORED | 6.2.18 | PATCH | Ensure no duplicate user names exist"
  command: /bin/true
  changed_when: false
  when:
      - ubuntu1804cis_rule_6_2_18
  tags:
      - level1
      - scored
      - patch
      - rule_6.2.18
      - notimplemented

- name: "SCORED | 6.2.19 | PATCH | Ensure no duplicate group names exist"
  command: /bin/true
  changed_when: false
  when:
      - ubuntu1804cis_rule_6_2_19
  tags:
      - level1
      - scored
      - patch
      - rule_6.2.19
      - notimplemented

- name: "SCORED | 6.2.20 | PATCH | Ensure shadow group is empty"
  command: /bin/true
  changed_when: false
  when:
      - ubuntu1804cis_rule_6_2_20
  tags:
      - level1
      - scored
      - patch
      - rule_6.2.20
      - notimplemented

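Several of the section 6.2 account checks above (6.2.16 duplicate UIDs, 6.2.18 duplicate user names) are left as `notimplemented`. The following Python is an added example, not code from the Ubuntu1804-CIS role: it audits a passwd-format text for those two rules plus the related 6.2.2, 6.2.5 and the shell half of 5.4.2, reusing the UID threshold and the sync/shutdown/halt exemptions from task 5.4.2. The sample passwd content and the NOLOGIN_SHELLS set are assumptions.

```python
"""Audit passwd-format text for the CIS account rules that section6.yml leaves
as ``notimplemented`` (6.2.16 duplicate UIDs, 6.2.18 duplicate user names) and
the related checks it remediates (6.2.2 legacy '+' entries, 6.2.5 UID 0
accounts, 5.4.2 system account shells).  Added example, not role code."""
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Threshold and exemptions taken from the role's task 5.4.2.
UID_MIN = 1000
NOLOGIN_EXEMPT = {"sync", "shutdown", "halt"}
# Shells accepted as "no login" (assumption; the role sets /usr/sbin/nologin).
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


class PasswdEntry(NamedTuple):
    name: str
    uid: Optional[int]  # None for legacy NIS '+' entries, which carry no UID
    gid: Optional[int]
    shell: str
    legacy: bool


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse /etc/passwd content; malformed lines raise instead of being skipped."""
    entries: List[PasswdEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {raw!r}")
        name, _pw, uid, gid, _gecos, _home, shell = fields
        legacy = name.startswith("+")  # same test as the role's regexp '^\+'
        entries.append(PasswdEntry(
            name=name,
            uid=int(uid) if uid else None,
            gid=int(gid) if gid else None,
            shell=shell,
            legacy=legacy,
        ))
    return entries


def audit_passwd(text: str) -> Dict[str, list]:
    """Return findings keyed by CIS rule id; an empty list means the rule passes."""
    entries = parse_passwd(text)
    real = [e for e in entries if not e.legacy and e.uid is not None]
    uid_counts = Counter(e.uid for e in real)
    name_counts = Counter(e.name for e in real)
    return {
        # 6.2.2: no legacy '+' entries
        "6.2.2": [e.name for e in entries if e.legacy],
        # 6.2.5: root is the only UID 0 account
        "6.2.5": [e.name for e in real if e.uid == 0 and e.name != "root"],
        # 6.2.16 / 6.2.18: no duplicate UIDs or user names
        "6.2.16": sorted(uid for uid, n in uid_counts.items() if n > 1),
        "6.2.18": sorted(name for name, n in name_counts.items() if n > 1),
        # 5.4.2: system accounts (UID < 1000, not root) other than
        # sync/shutdown/halt must use a non-login shell.  Lock status lives in
        # /etc/shadow, so only the shell half of the rule is checked here.
        "5.4.2": [
            e.name for e in real
            if e.uid < UID_MIN
            and e.name != "root"
            and e.name not in NOLOGIN_EXEMPT
            and e.shell not in NOLOGIN_SHELLS
        ],
    }


# Constructed sample, not taken from any real host.  Expected findings:
# backup -> 5.4.2; toor -> 6.2.5 (and 5.4.2, plus 6.2.16 via shared UID 0);
# bob -> 6.2.16 (UID 1000 shared with alice); alice -> 6.2.18; '+' -> 6.2.2
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
backup:x:34:34:backup:/var/backups:/bin/bash
toor:x:0:0:toor:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1000:1001:Bob:/home/bob:/bin/bash
alice:x:1002:1002:Alice again:/home/alice2:/bin/bash
+::::::
"""


if __name__ == "__main__":
    for rule, hits in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{rule:<7} {'FAIL' if hits else 'PASS'} {hits}")
```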

================================================
FILE: templates/at.allow.j2
================================================
{% for user in ubuntu1804cis_at_allow_users %}
{{ user }}
{% endfor %}


================================================
FILE: templates/audit/ubuntu1804cis_rule_4_1_10.rules.j2
================================================
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
{% if ansible_architecture == 'x86_64' -%} 
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
{% endif %}


================================================
FILE: templates/audit/ubuntu1804cis_rule_4_1_11.rules.j2
================================================
{% for proc in priv_procs.stdout_lines -%} 
-a always,exit -F path={{ proc }} -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
{% endfor %}


================================================
FILE: templates/audit/ubuntu1804cis_rule_4_1_12.rules.j2
================================================
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
{% if ansible_architecture == 'x86_64' -%} 
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
{% endif %}


================================================
FILE: templates/audit/ubuntu1804cis_rule_4_1_13.rules.j2
================================================
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
{% if ansible_architecture == 'x86_64' -%} 
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
{% endif %}


================================================
FILE: templates/audit/ubuntu1804cis_rule_4_1_14.rules.j2
================================================
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope


================================================
FILE: templates/audit/ubuntu1804cis_rule_4_1_15.rules.j2
================================================
-w /var/log/sudo.log -p wa -k actions


================================================
FILE: templates/audit/ubuntu1804cis_rule_4_1_16.rules.j2
================================================
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
{% if ansible_architecture == 'x86_64' -%} 
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
{% endif %}
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules


================================================
FILE: templates/audit/ubuntu1804cis_rule_4_1_17.rules.j2
================================================
-e 2


================================================
FILE: templates/audit/ubuntu1804cis_rule_4_1_3.rules.j2
================================================
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
{% if ansible_architecture == 'x86_64' -%} 
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
{% endif %}
-w /etc/localtime -p wa -k time-change


================================================
FILE: templates/audit/ubuntu1804cis_rule_4_1_4.rules.j2
================================================
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity


================================================
FILE: templates/audit/ubuntu1804cis_rule_4_1_5.rules.j2
================================================
{% if ansible_architecture == 'x86_64' -%} 
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
{% endif %}
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale
-w /etc/networks -p wa -k system-locale


================================================
FILE: templates/audit/ubuntu1804cis_rule_4_1_6.rules.j2
================================================
-w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/apparmor.d/ -p wa -k MAC-policy


================================================
FILE: templates/audit/ubuntu1804cis_rule_4_1_7.rules.j2
================================================
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins


================================================
FILE: templates/audit/ubuntu1804cis_rule_4_1_8.rules.j2
================================================
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k logins
-w /var/log/btmp -p wa -k logins


================================================
FILE: templates/audit/ubuntu1804cis_rule_4_1_9.rules.j2
================================================
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
{% if ansible_architecture == 'x86_64' -%} 
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
{% endif %}


================================================
FILE: templates/chrony.conf.j2
================================================
# This the default chrony.conf file for the Debian chrony package.  After
# editing this file use the command 'invoke-rc.d chrony restart' to make
# your changes take effect.  John Hasler <jhasler@debian.org> 1998-2008

# See www.pool.ntp.org for an explanation of these servers.  Please
# consider joining the project if possible.  If you can't or don't want to
# use these servers I suggest that you try your ISP's nameservers.  We mark
# the servers 'offline' so that chronyd won't try to connect when the link
# is down.  Scripts in /etc/ppp/ip-up.d and /etc/ppp/ip-down.d use chronyc
# commands to switch it on when a dialup link comes up and off when it goes
# down.  Code in /etc/init.d/chrony attempts to determine whether or not
# the link is up at boot time and set the online status accordingly.  If
# you have an always-on connection such as cable omit the 'offline'
# directive and chronyd will default to online.
#
# Note that if Chrony tries to go "online" and dns lookup of the servers
# fails they will be discarded.  Thus under some circumstances it is
# better to use IP numbers than host names.

{% for server in ubuntu1804cis_time_synchronization_servers -%}
server {{ server.uri }} {{ server.config }}
{% endfor %}

# Look here for the admin password needed for chronyc.  The initial
# password is generated by a random process at install time.  You may
# change it if you wish.

keyfile /etc/chrony/chrony.keys

# Set runtime command key.  Note that if you change the key (not the
# password) to anything other than 1 you will need to edit
# /etc/ppp/ip-up.d/chrony, /etc/ppp/ip-down.d/chrony, /etc/init.d/chrony
# and /etc/cron.weekly/chrony as these scripts use it to get the password.

commandkey 1

# I moved the driftfile to /var/lib/chrony to comply with the Debian
# filesystem standard.

driftfile /var/lib/chrony/chrony.drift

# Comment this line out to turn off logging.

log tracking measurements statistics
logdir /var/log/chrony

# Stop bad estimates upsetting machine clock.

maxupdateskew 100.0

# Dump measurements when daemon exits.

dumponexit

# Specify directory for dumping measurements.

dumpdir /var/lib/chrony

# Let computer be a server when it is unsynchronised.

local stratum 10

# Allow computers on the unrouted nets to use the server.

#allow 10/8
#allow 192.168/16
#allow 172.16/12

# This directive forces `chronyd' to send a message to syslog if it
# makes a system clock adjustment larger than a threshold value in seconds.

logchange 0.5

# This directive defines an email address to which mail should be sent
# if chronyd applies a correction exceeding a particular threshold to the
# system clock.

# mailonchange root@localhost 0.5

# This directive tells chrony to regulate the real-time clock and tells it
# Where to store related data.  It may not work on some newer motherboards
# that use the HPET real-time clock.  It requires enhanced real-time
# support in the kernel.  I've commented it out because with certain
# combinations of motherboard and kernel it is reported to cause lockups.

# rtcfile /var/lib/chrony/chrony.rtc

# If the last line of this file reads 'rtconutc' chrony will assume that
# the CMOS clock is on UTC (GMT).  If it reads '# rtconutc' or is absent
# chrony will assume local time.  The line (if any) was written by the
# chrony postinst based on what it found in /etc/default/rcS.  You may
# change it if necessary.
rtconutc


================================================
FILE: templates/cron.allow.j2
================================================
{% for user in ubuntu1804cis_cron_allow_users %}
{{ user }}
{% endfor %}


================================================
FILE: templates/etc/issue.j2
================================================
{{ ubuntu1804cis_warning_banner }}


================================================
FILE: templates/etc/issue.net.j2
================================================
{{ ubuntu1804cis_warning_banner }}


================================================
FILE: templates/etc/motd.j2
================================================
{{ ubuntu1804cis_warning_banner }}


================================================
FILE: templates/hosts.allow.j2
================================================
#
# hosts.allow	This file contains access rules which are used to
#		allow or deny connections to network services that
#		either use the tcp_wrappers library or that have been
#		started through a tcp_wrappers-enabled xinetd.
#
#		See 'man 5 hosts_options' and 'man 5 hosts_access'
#		for information on rule syntax.
#		See 'man tcpd' for information on tcp_wrappers
#
ALL: {% for iprange in ubuntu1804cis_host_allow -%}{{ iprange }}{% if not loop.last %}, {% endif %}{% endfor %}


================================================
FILE: templates/ntp.conf.j2
================================================
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
#restrict default nomodify notrap nopeer noquery
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
{% for server in ubuntu1804cis_time_synchronization_servers -%}
server {{ server.uri }} {{ server.config }}
{% endfor %}

#broadcast 192.168.1.255 autokey        # broadcast server
#broadcastclient                        # broadcast client
#broadcast 224.0.1.1 autokey            # multicast server
#multicastclient 224.0.1.1              # multicast client
#manycastserver 239.255.254.254         # manycast server
#manycastclient 239.255.254.254 autokey # manycast client

# Enable public key cryptography.
#crypto

# includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
# keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats

# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor


================================================
FILE: vars/main.yml
================================================
---
# vars file for Ubuntu1804-CIS
  },
  {
    "path": "molecule/default/verify.yml",
    "chars": 155,
    "preview": "---\n# This is an example playbook to execute Ansible tests.\n\n- name: Verify\n  hosts: all\n  tasks:\n  - name: Example asse"
  },
  {
    "path": "requirements.txt",
    "chars": 44,
    "preview": "molecule[docker]==3.0.8\nansible-lint==5.2.1\n"
  },
  {
    "path": "tasks/main.yml",
    "chars": 1218,
    "preview": "---\n# tasks file for Ubuntu1804-CIS\n- name: Check OS version and family\n  fail:\n      msg: \"This role can only be run ag"
  },
  {
    "path": "tasks/post.yml",
    "chars": 500,
    "preview": "---\n# Post tasks\n\n- name: \"POST | Find removed but configured apt packages\"\n  shell: \"set -o pipefail;\n      dpkg --list"
  },
  {
    "path": "tasks/prelim.yml",
    "chars": 10931,
    "preview": "---\n# Preliminary tasks that should always be run\n# List users in order to look files inside each home directory\n- name:"
  },
  {
    "path": "tasks/section1.yml",
    "chars": 27966,
    "preview": "---\n- name: \"SCORED | 1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled\"\n  lineinfile:\n      dest: /et"
  },
  {
    "path": "tasks/section2.yml",
    "chars": 19804,
    "preview": "---\n- name: \"SCORED | 2.1.1 | PATCH | Ensure chargen services are not enabled | chargen-dgram,chargen-stream\"\n  block:\n "
  },
  {
    "path": "tasks/section3.yml",
    "chars": 28440,
    "preview": "---\n- name: \"SCORED | 3.1.1 | PATCH | Ensure packet redirect sending is disabled\"\n  sysctl:\n      name: '{{ item.name }}"
  },
  {
    "path": "tasks/section4.yml",
    "chars": 14937,
    "preview": "---\n- name: \"SCORED | 4.1.1.1 | PATCH | Ensure auditd is installed\"\n  apt:\n      name: audispd-plugins\n      state: pres"
  },
  {
    "path": "tasks/section5.yml",
    "chars": 22151,
    "preview": "---\n- name: \"SCORED | 5.1.1 | PATCH | Ensure cron daemon is enabled\"\n  service:\n      name: \"{{ cron_service[ansible_os_"
  },
  {
    "path": "tasks/section6.yml",
    "chars": 10310,
    "preview": "---\n- name: \"NOTSCORED | 6.1.1 | PATCH | Audit system file permissions\"\n  command: /bin/true\n  changed_when: false\n  whe"
  },
  {
    "path": "templates/at.allow.j2",
    "chars": 71,
    "preview": "{% for user in ubuntu1804cis_at_allow_users %}\n{{ user }}\n{% endfor %}\n"
  },
  {
    "path": "templates/audit/ubuntu1804cis_rule_4_1_10.rules.j2",
    "chars": 610,
    "preview": "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=42"
  },
  {
    "path": "templates/audit/ubuntu1804cis_rule_4_1_11.rules.j2",
    "chars": 149,
    "preview": "{% for proc in priv_procs.stdout_lines -%} \n-a always,exit -F path={{ proc }} -F perm=x -F auid>=1000 -F auid!=429496729"
  },
  {
    "path": "templates/audit/ubuntu1804cis_rule_4_1_12.rules.j2",
    "chars": 216,
    "preview": "-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n{% if ansible_architecture == 'x86_64' -"
  },
  {
    "path": "templates/audit/ubuntu1804cis_rule_4_1_13.rules.j2",
    "chars": 286,
    "preview": "-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n{% if"
  },
  {
    "path": "templates/audit/ubuntu1804cis_rule_4_1_14.rules.j2",
    "chars": 65,
    "preview": "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope\n"
  },
  {
    "path": "templates/audit/ubuntu1804cis_rule_4_1_15.rules.j2",
    "chars": 38,
    "preview": "-w /var/log/sudo.log -p wa -k actions\n"
  },
  {
    "path": "templates/audit/ubuntu1804cis_rule_4_1_16.rules.j2",
    "chars": 293,
    "preview": "-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n{% if ansible_architect"
  },
  {
    "path": "templates/audit/ubuntu1804cis_rule_4_1_17.rules.j2",
    "chars": 5,
    "preview": "-e 2\n"
  },
  {
    "path": "templates/audit/ubuntu1804cis_rule_4_1_3.rules.j2",
    "chars": 362,
    "preview": "-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_setti"
  },
  {
    "path": "templates/audit/ubuntu1804cis_rule_4_1_4.rules.j2",
    "chars": 175,
    "preview": "-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa "
  },
  {
    "path": "templates/audit/ubuntu1804cis_rule_4_1_5.rules.j2",
    "chars": 402,
    "preview": "{% if ansible_architecture == 'x86_64' -%} \n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n"
  },
  {
    "path": "templates/audit/ubuntu1804cis_rule_4_1_6.rules.j2",
    "chars": 78,
    "preview": "-w /etc/apparmor/ -p wa -k MAC-policy\n-w /etc/apparmor.d/ -p wa -k MAC-policy\n"
  },
  {
    "path": "templates/audit/ubuntu1804cis_rule_4_1_7.rules.j2",
    "chars": 109,
    "preview": "-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n"
  },
  {
    "path": "templates/audit/ubuntu1804cis_rule_4_1_8.rules.j2",
    "chars": 100,
    "preview": "-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n"
  },
  {
    "path": "templates/audit/ubuntu1804cis_rule_4_1_9.rules.j2",
    "chars": 808,
    "preview": "-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -"
  },
  {
    "path": "templates/chrony.conf.j2",
    "chars": 3419,
    "preview": "# This the default chrony.conf file for the Debian chrony package.  After\n# editing this file use the command 'invoke-rc"
  },
  {
    "path": "templates/cron.allow.j2",
    "chars": 73,
    "preview": "{% for user in ubuntu1804cis_cron_allow_users %}\n{{ user }}\n{% endfor %}\n"
  },
  {
    "path": "templates/etc/issue.j2",
    "chars": 35,
    "preview": "{{ ubuntu1804cis_warning_banner }}\n"
  },
  {
    "path": "templates/etc/issue.net.j2",
    "chars": 35,
    "preview": "{{ ubuntu1804cis_warning_banner }}\n"
  },
  {
    "path": "templates/etc/motd.j2",
    "chars": 35,
    "preview": "{{ ubuntu1804cis_warning_banner }}\n"
  },
  {
    "path": "templates/hosts.allow.j2",
    "chars": 482,
    "preview": "#\n# hosts.allow\tThis file contains access rules which are used to\n#\t\tallow or deny connections to network services that\n"
  },
  {
    "path": "templates/ntp.conf.j2",
    "chars": 2147,
    "preview": "# For more information about this file, see the man pages\n# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc"
  },
  {
    "path": "vars/main.yml",
    "chars": 35,
    "preview": "---\n# vars file for Ubuntu1804-CIS\n"
  }
]

About this extraction

This page contains the full source code of the florianutz/Ubuntu1804-CIS GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The extraction includes 55 files (174.1 KB), approximately 58.6k tokens, and a symbol index with 1 extracted functions, classes, methods, constants, and types. Use this with OpenClaw, Claude, ChatGPT, Cursor, Windsurf, or any other AI tool that accepts text input. You can copy the full output to your clipboard or download it as a .txt file.

Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.