[
  {
    "path": ".ansible-lint",
    "content": "exclude_paths:\n  - molecule/\n  - .github/\nwarn_list:\n  - '204'\nskip_list:\n  - experimental  \n  - yaml\n"
  },
  {
    "path": ".github/ISSUE_TEMPLATE/bug_report.md",
    "content": "---\nname: Bug report\nabout: Create a report to help us improve\ntitle: ''\nlabels: ''\nassignees: ''\n\n---\n\n**Describe the bug**\nA clear and concise description of what the bug is.\n\n**To Reproduce**\nSteps to reproduce the behavior:\n1. Go to '...'\n2. Click on '....'\n3. Scroll down to '....'\n4. See error\n\n**Expected behavior**\nA clear and concise description of what you expected to happen.\n\n**Software (please complete the following information):**\n - Ansible Version: [e.g. 2.9.0]\n - Role/Repo Version [e.g. 1.0.0, master]\n\n**Additional context**\nAdd any other context about the problem here.\n"
  },
  {
    "path": ".github/ISSUE_TEMPLATE/feature_request.md",
    "content": "---\nname: Feature request\nabout: Suggest an idea for this project\ntitle: ''\nlabels: ''\nassignees: ''\n\n---\n\n**Is your feature request related to a problem? Please describe.**\nA clear and concise description of what the problem is. Ex. I'm always frustrated when [...]\n\n**Describe the solution you'd like**\nA clear and concise description of what you want to happen.\n\n**Describe alternatives you've considered**\nA clear and concise description of any alternative solutions or features you've considered.\n\n**Additional context**\nAdd any other context or screenshots about the feature request here.\n"
  },
  {
    "path": ".github/workflows/ansible-lint.yml",
    "content": "---\nname: Lint the Playbook with Ansible Lint\n\non:\n  push:\n    branches: [ master ]\n  pull_request:\n    branches: [ master ]\n\njobs:\n  build:\n    runs-on: ubuntu-latest\n    env:\n      PY_COLORS: '1'\n      ANSIBLE_FORCE_COLOR: '1'\n    steps:\n    - uses: actions/checkout@v2\n    - name: Lint Ansible Playbook\n      uses: ansible/ansible-lint-action@master\n      with:\n        targets: |\n          defaults/*.yml\n          handlers/*.yml\n          tasks/*.yml\n        override-deps: |\n          ansible==2.7\n          ansible-lint==4.2.0\n        args: \"-c .ansible-lint -x 204\"\n"
  },
  {
    "path": ".github/workflows/run-molecule.yml",
    "content": "---\nname: Run the Molecule Test Suite\n\non:\n  push:\n    branches: [ master ]\n  pull_request:\n    branches: [ master ]\n\njobs:\n  molecule:\n    runs-on: ubuntu-latest\n    env:\n      PY_COLORS: '1'\n      ANSIBLE_FORCE_COLOR: '1'    \n    steps:\n      - uses: actions/checkout@v2\n        with:\n          path: \"${{ github.repository }}\"\n      - uses: gofrolist/molecule-action@v2\n"
  },
  {
    "path": ".gitignore",
    "content": "*.swp\n*.retry\n.DS_Store\ntest.yml\ntests/local-test.yml\ntests/.vagrant\ntests/Vagrantfile\ntests/test-inv\ntests/*.html\ntests/*.txt\ntests/*.retry\n.Python\n.molecule/\n/bin/\n/etc/\n/include/\n/lib/\npip-selfcheck.json\n/share/\nmolecule/default/cache\n/venv/\n.venv\n*.bak*\n*.cache\n__pycache__\n"
  },
  {
    "path": ".travis.yml",
    "content": "---\nos: linux\ndist: focal\n\n#sudo: required\n\nservices:\n  - docker\n\nlanguage: python\npython:\n  - \"3.8\"\n\nbefore_install:\n  #- docker pull solita/ubuntu-systemd:bionic\n  # - make bin/python\n\nscript:\n  - make travis\n\nnotifications:\n  webhooks: https://galaxy.ansible.com/api/v1/notifications/\n"
  },
  {
    "path": ".yamllint",
    "content": "extends: default\n\nrules:\n  braces:\n    max-spaces-inside: 1\n    level: error\n  brackets:\n    max-spaces-inside: 1\n    level: error\n  line-length: disable\n  # NOTE(retr0h): Templates no longer fail this lint rule.\n  #               Uncomment if running old Molecule templates.\n  # truthy: disable\n"
  },
  {
    "path": "LICENSE",
    "content": "MIT License\n\nCopyright (c) 2020 Florian Utz\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "Makefile",
    "content": "# Makefile for Ubuntu1804-CIS\n.PHONY: help\nhelp:\n\t@echo\n\t@echo This Makefile is used to test this role. Typical use:\n\t@echo\n\t@echo '   make test'\n\t@echo '   make clean'\n\t@echo '   make travis'\n\t@echo\n\t@echo\n\t@echo To use the isolated environment from this directory:\n\t@echo\n\t@echo '   make venv'\n\t@echo '   . bin/activate'\n\t@echo\n\t@echo Molecule has built-in help\n\t@echo\n\t@echo\n\n# virtualenv allows isolation of python libraries\n.PHONY: venv\nvenv: bin/python\n\n.PHONY: bin/python\nbin/python:\n\tpip -V || sudo easy_install pip\n\t# virtualenv allows isolation of python libraries\n\tvirtualenv --version || sudo easy_install virtualenv\n\t# Now with those two we can isolate our test setup.\n\tvirtualenv venv\n\tvenv/bin/pip install -r requirements.txt\n\n# cleanup virtualenv and molecule leftovers\n.PHONY: clean\nclean:\n\trm -rf .molecule venv molecule/default/cache\n\n.PHONY: test\ntest: bin/python\n\t( . venv/bin/activate && venv/bin/molecule test )\n\n.PHONY: travis\ntravis:\n\tpip install -r requirements.txt\n\tmolecule test\n"
  },
  {
    "path": "README.md",
    "content": "Ubuntu 18.04 CIS STIG\n================\n\n[![Build Status](https://travis-ci.com/florianutz/Ubuntu1804-CIS.svg?branch=master)](https://travis-ci.com/florianutz/Ubuntu1804-CIS)\n[![Ansible Role](https://img.shields.io/badge/role-florianutz.Ubuntu1804--CIS-blue.svg)](https://galaxy.ansible.com/florianutz/Ubuntu1804-CIS/)\n\nConfigure Ubuntu 18.04 machine to be CIS compliant. Level 1 and 2 findings will be corrected by default.\n\nThis role **will make changes to the system** that could break things. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted.\n\n## IMPORTANT INSTALL STEP\n\nIf you want to install this via the `ansible-galaxy` command you'll need to run it like this:\n\n`ansible-galaxy install -p roles -r requirements.yml`\n\nWith this in the file requirements.yml:\n\n```\n- src: https://github.com/florianutz/Ubuntu1804-CIS.git\n```\n\nBased on [CIS Ubuntu Benchmark v2.0.1 - 01-03-2020 ](https://www.cisecurity.org/cis-benchmarks/).\n\nThis repo originated from work done by [MindPointGroup](https://github.com/MindPointGroup/RHEL7-CIS)\n\nRequirements\n------------\n\nYou should carefully read through the tasks to make sure these changes will not break your systems before running this playbook.\n\nRole Variables\n--------------\nThere are many role variables defined in defaults/main.yml. 
This list shows the most important.\n\n**ubuntu1804cis_notauto**: Run CIS checks that we typically do NOT want to automate due to the high probability of breaking the system (Default: false)\n\n**ubuntu1804cis_section1**: CIS - General Settings (Section 1) (Default: true)\n\n**ubuntu1804cis_section2**: CIS - Services settings (Section 2) (Default: true)\n\n**ubuntu1804cis_section3**: CIS - Network settings (Section 3) (Default: true)\n\n**ubuntu1804cis_section4**: CIS - Logging and Auditing settings (Section 4) (Default: true)\n\n**ubuntu1804cis_section5**: CIS - Access, Authentication and Authorization settings (Section 5) (Default: true)\n\n**ubuntu1804cis_section6**: CIS - System Maintenance settings (Section 6) (Default: true)  \n\n##### Disable all selinux functions\n`ubuntu1804cis_selinux_disable: false`\n\n##### Service variables:\n###### These control whether a server should or should not be allowed to continue to run these services\n\n```\nubuntu1804cis_avahi_server: false  \nubuntu1804cis_cups_server: false  \nubuntu1804cis_dhcp_server: false  \nubuntu1804cis_ldap_server: false  \nubuntu1804cis_telnet_server: false  \nubuntu1804cis_nfs_server: false  \nubuntu1804cis_rpc_server: false  \nubuntu1804cis_ntalk_server: false  \nubuntu1804cis_rsyncd_server: false  \nubuntu1804cis_tftp_server: false  \nubuntu1804cis_rsh_server: false  \nubuntu1804cis_nis_server: false  \nubuntu1804cis_snmp_server: false  \nubuntu1804cis_squid_server: false  \nubuntu1804cis_smb_server: false  \nubuntu1804cis_dovecot_server: false  \nubuntu1804cis_httpd_server: false  \nubuntu1804cis_vsftpd_server: false  \nubuntu1804cis_named_server: false  \nubuntu1804cis_bind: false  \nubuntu1804cis_vsftpd: false  \nubuntu1804cis_httpd: false  \nubuntu1804cis_dovecot: false  \nubuntu1804cis_samba: false  \nubuntu1804cis_squid: false  \nubuntu1804cis_net_snmp: false  \n```  \n\n##### Designate server as a Mail server\n`ubuntu1804cis_is_mail_server: false`\n\n\n##### System network parameters 
(host only OR host and router)\n`ubuntu1804cis_is_router: false`  \n\n\n##### IPv6 required\n`ubuntu1804cis_ipv6_required: true`  \n\n\n##### AIDE\n`ubuntu1804cis_config_aide: true`\n\n###### AIDE cron settings\n```\nubuntu1804cis_aide_cron:\n  cron_user: root\n  cron_file: /etc/crontab\n  aide_job: '/usr/sbin/aide --check'\n  aide_minute: 0\n  aide_hour: 5\n  aide_day: '*'\n  aide_month: '*'\n  aide_weekday: '*'  \n```\n\n\n##### Set to 'true' if X Windows is needed in your environment\n`ubuntu1804cis_xwindows_required: no`\n\n\n##### Client application requirements\n```\nubuntu1804cis_openldap_clients_required: false\nubuntu1804cis_telnet_required: false\nubuntu1804cis_talk_required: false  \nubuntu1804cis_rsh_required: false\nubuntu1804cis_ypbind_required: false\n```\n\n##### Time Synchronization\n```\nubuntu1804cis_time_synchronization: chrony\nubuntu1804cis_time_Synchronization: ntp\n\nubuntu1804cis_time_synchronization_servers:\n  - uri: \"0.pool.ntp.org\"\n    config: \"minpoll 8\"\n  - uri: \"1.pool.ntp.org\"\n    config: \"minpoll 8\"\n  - uri: \"2.pool.ntp.org\"\n    config: \"minpoll 8\"\n  - uri: \"3.pool.ntp.org\"\n    config: \"minpoll 8\"\n\n```\n##### - name: \"SCORED | 1.1.5 | PATCH | Ensure noexec option set on /tmp partition\"\nIt is not implemented, noexec for /tmp will disrupt apt. /tmp contains executable scripts during package installation\n```\n\n```  \n##### 1.5.3 | PATCH | Ensure authentication required for single user mode\nIt is disabled by default as it is setting random password for root. 
To enable it set:\n```yaml\nubuntu1804cis_rule_1_5_3: true\n```\nTo use other than random password:\n```yaml\nubuntu1804cis_root_password: 'new password'\n```\n\n##### 3.4.2 | PATCH | Ensure /etc/hosts.allow is configured\n```\nubuntu1804cis_host_allow:\n  - \"10.0.0.0/255.0.0.0\"  \n  - \"172.16.0.0/255.240.0.0\"  \n  - \"192.168.0.0/255.255.0.0\"    \n```  \n\n```\nubuntu1804cis_firewall: firewalld\nubuntu1804cis_firewall: iptables\n```\n\n##### 5.3.1 | PATCH | Ensure password creation requirements are configured\n```\nubuntu1804cis_pwquality:\n  - key: 'minlen'\n    value: '14'\n  - key: 'dcredit'\n    value: '-1'\n  - key: 'ucredit'\n    value: '-1'\n  - key: 'ocredit'\n    value: '-1'\n  - key: 'lcredit'\n    value: '-1'\n```\n\n\nDependencies\n------------\n\nAnsible >= 2.4 and <= 2.7 (2.8 is not yet supported)\n\nExample Playbook\n-------------------------\n\n```\n- name: Harden Server\n  hosts: servers\n  become: yes\n\n  roles:\n    - Ubuntu1804-CIS\n```\n\nTo run the tasks in this repository, first create this file one level above the repository\n(i.e. the playbook .yml and the directory `Ubuntu1804-CIS` should be next to each other),\nthen review the file `defaults/main.yml` and disable any rule/section you do not wish to execute.\n\nAssuming you named the file `site.yml`, run it with:\n```bash\nansible-playbook site.yml\n```\n\nTags\n----\nMany tags are available for precise control of what is and is not changed.\n\nSome examples of using tags:\n\n```\n    # Audit and patch the site\n    ansible-playbook site.yml --tags=\"patch\"\n```\n\nLicense\n-------\n\nMIT\n"
  },
  {
    "path": "defaults/main.yml",
    "content": "---\n# defaults file for Ubuntu1804-CIS\nubuntu1804cis_skip_for_travis: false\n\nubuntu1804cis_notauto: false\nubuntu1804cis_section1: true\nubuntu1804cis_section2: true\nubuntu1804cis_section3: true\nubuntu1804cis_section4: true\nubuntu1804cis_section5: true\nubuntu1804cis_section6: true\n\nubuntu1804cis_selinux_disable: false\nubuntu1804cis_auditd_disable: false\n\n# Ignore remount errors if you're building an image or are going to reboot anyway\nubuntu1804cis_ignore_remount_errors: true\n\n# These variables correspond with the CIS rule IDs or paragraph numbers defined in\n# the CIS benchmark documents.\n# PLEASE NOTE: These work in coordination with the section # group variables and tags.\n# You must enable an entire section in order for the variables below to take effect.\n# Section 1 rules\nubuntu1804cis_rule_1_1_1_1: true\nubuntu1804cis_rule_1_1_1_2: true\nubuntu1804cis_rule_1_1_1_3: true\nubuntu1804cis_rule_1_1_1_4: true\nubuntu1804cis_rule_1_1_1_5: true\nubuntu1804cis_rule_1_1_1_6: true\nubuntu1804cis_rule_1_1_1_7: true\nubuntu1804cis_rule_1_1_1_8: false\nubuntu1804cis_rule_1_1_2: true\nubuntu1804cis_rule_1_1_3: true\nubuntu1804cis_rule_1_1_4: true\nubuntu1804cis_rule_1_1_5: false\nubuntu1804cis_rule_1_1_6: true\nubuntu1804cis_rule_1_1_7: true\nubuntu1804cis_rule_1_1_8: true\nubuntu1804cis_rule_1_1_9: true\nubuntu1804cis_rule_1_1_10: true\nubuntu1804cis_rule_1_1_11: true\nubuntu1804cis_rule_1_1_12: true\nubuntu1804cis_rule_1_1_13: true\nubuntu1804cis_rule_1_1_14: true\nubuntu1804cis_rule_1_1_15: true\nubuntu1804cis_rule_1_1_16: true\nubuntu1804cis_rule_1_1_17: true\nubuntu1804cis_rule_1_1_18: true\nubuntu1804cis_rule_1_1_19: true\nubuntu1804cis_rule_1_1_20: true\nubuntu1804cis_rule_1_1_21: true\nubuntu1804cis_rule_1_1_22: true\nubuntu1804cis_rule_1_1_23: true\nubuntu1804cis_rule_1_2_1: true\nubuntu1804cis_rule_1_2_2: true\nubuntu1804cis_rule_1_3_1: true\nubuntu1804cis_rule_1_3_2: true\nubuntu1804cis_rule_1_3_3: 
true\nubuntu1804cis_rule_1_4_1: true\nubuntu1804cis_rule_1_4_2: true\nubuntu1804cis_rule_1_5_1: true\nubuntu1804cis_rule_1_5_2: true\nubuntu1804cis_rule_1_5_2_disable_password: true\nubuntu1804cis_rule_1_5_3: false\nubuntu1804cis_rule_1_5_4: true\nubuntu1804cis_rule_1_6_1: true\nubuntu1804cis_rule_1_6_2: true\nubuntu1804cis_rule_1_6_3: true\nubuntu1804cis_rule_1_6_4: true\nubuntu1804cis_rule_1_7_1_1: true\nubuntu1804cis_rule_1_7_1_2: true\nubuntu1804cis_rule_1_7_1_3: true\nubuntu1804cis_rule_1_7_1_4: true\nubuntu1804cis_rule_1_8_1_1: true\nubuntu1804cis_rule_1_8_1_2: true\nubuntu1804cis_rule_1_8_1_3: true\nubuntu1804cis_rule_1_8_1_4: true\nubuntu1804cis_rule_1_8_1_5: true\nubuntu1804cis_rule_1_8_1_6: true\nubuntu1804cis_rule_1_8_2: true\nubuntu1804cis_rule_1_9: true\n\n# Section 2 rules\nubuntu1804cis_rule_2_1_1: true\nubuntu1804cis_rule_2_1_2: true\nubuntu1804cis_rule_2_1_3: true\nubuntu1804cis_rule_2_1_4: true\nubuntu1804cis_rule_2_1_5: true\nubuntu1804cis_rule_2_1_6: true\nubuntu1804cis_rule_2_1_7: true\nubuntu1804cis_rule_2_1_8: true\nubuntu1804cis_rule_2_1_9: true\nubuntu1804cis_rule_2_1_10: true\nubuntu1804cis_rule_2_1_11: true\nubuntu1804cis_rule_2_2_1_1: true\nubuntu1804cis_rule_2_2_1_2: true\nubuntu1804cis_rule_2_2_1_3: true\nubuntu1804cis_rule_2_2_1_4: true\nubuntu1804cis_rule_2_2_2: true\nubuntu1804cis_rule_2_2_3: true\nubuntu1804cis_rule_2_2_4: true\nubuntu1804cis_rule_2_2_5: true\nubuntu1804cis_rule_2_2_6: true\nubuntu1804cis_rule_2_2_7: true\nubuntu1804cis_rule_2_2_8: true\nubuntu1804cis_rule_2_2_9: true\nubuntu1804cis_rule_2_2_10: true\nubuntu1804cis_rule_2_2_11: true\nubuntu1804cis_rule_2_2_12: true\nubuntu1804cis_rule_2_2_13: true\nubuntu1804cis_rule_2_2_14: true\nubuntu1804cis_rule_2_2_15: true\nubuntu1804cis_rule_2_2_16: true\nubuntu1804cis_rule_2_2_17: true\nubuntu1804cis_rule_2_3_1: true\nubuntu1804cis_rule_2_3_2: true\nubuntu1804cis_rule_2_3_3: true\nubuntu1804cis_rule_2_3_4: true\nubuntu1804cis_rule_2_3_5: true\n\n# Section 3 
rules\nubuntu1804cis_rule_3_1_1: true\nubuntu1804cis_rule_3_1_2: true\nubuntu1804cis_rule_3_2_1: true\nubuntu1804cis_rule_3_2_2: true\nubuntu1804cis_rule_3_2_3: true\nubuntu1804cis_rule_3_2_4: true\nubuntu1804cis_rule_3_2_5: true\nubuntu1804cis_rule_3_2_6: true\nubuntu1804cis_rule_3_2_7: true\nubuntu1804cis_rule_3_2_8: true\nubuntu1804cis_rule_3_2_9: true\nubuntu1804cis_rule_3_3_1: true\nubuntu1804cis_rule_3_3_2: true\nubuntu1804cis_rule_3_3_3: true\nubuntu1804cis_rule_3_3_4: true\nubuntu1804cis_rule_3_3_5: true\nubuntu1804cis_rule_3_4_1: true\nubuntu1804cis_rule_3_4_2: true\nubuntu1804cis_rule_3_4_3: true\nubuntu1804cis_rule_3_4_4: true\nubuntu1804cis_rule_3_5_1_1: true\nubuntu1804cis_rule_3_5_2_1: true\nubuntu1804cis_rule_3_5_2_2: true\nubuntu1804cis_rule_3_5_2_3: true\nubuntu1804cis_rule_3_5_2_4: true\nubuntu1804cis_rule_3_5_2_5: true\nubuntu1804cis_rule_3_5_3_1: true\nubuntu1804cis_rule_3_5_3_2: true\nubuntu1804cis_rule_3_5_3_3: true\nubuntu1804cis_rule_3_5_3_4: true\nubuntu1804cis_rule_3_5_3_5: true\nubuntu1804cis_rule_3_5_3_6: true\nubuntu1804cis_rule_3_5_3_7: true\nubuntu1804cis_rule_3_5_3_8: true\nubuntu1804cis_rule_3_5_4_1_1: true\nubuntu1804cis_rule_3_5_4_1_2: true\nubuntu1804cis_rule_3_5_4_1_3: true\nubuntu1804cis_rule_3_5_4_1_4: true\nubuntu1804cis_rule_3_5_4_2_1: true\nubuntu1804cis_rule_3_5_4_2_2: true\nubuntu1804cis_rule_3_5_4_2_3: true\nubuntu1804cis_rule_3_5_4_2_4: true\nubuntu1804cis_rule_3_5_4_3_1: true\nubuntu1804cis_rule_3_5_4_3_2: true\nubuntu1804cis_rule_3_5_4_3_3: true\nubuntu1804cis_rule_3_5_4_3_4: true\nubuntu1804cis_rule_3_5_4_3_5: true\nubuntu1804cis_rule_3_6: true\nubuntu1804cis_rule_3_7: true\n\n# Section 4 rules\nubuntu1804cis_rule_4_1_1_1: true\nubuntu1804cis_rule_4_1_1_2: true\nubuntu1804cis_rule_4_1_1_3: true\nubuntu1804cis_rule_4_1_1_4: true\nubuntu1804cis_rule_4_1_2_1: true\nubuntu1804cis_rule_4_1_2_2: true\nubuntu1804cis_rule_4_1_2_3: true\nubuntu1804cis_rule_4_1_3: true\nubuntu1804cis_rule_4_1_4: true\nubuntu1804cis_rule_4_1_5: 
true\nubuntu1804cis_rule_4_1_6: true\nubuntu1804cis_rule_4_1_7: true\nubuntu1804cis_rule_4_1_8: true\nubuntu1804cis_rule_4_1_9: true\nubuntu1804cis_rule_4_1_10: true\nubuntu1804cis_rule_4_1_11: true\nubuntu1804cis_rule_4_1_12: true\nubuntu1804cis_rule_4_1_13: true\nubuntu1804cis_rule_4_1_14: true\nubuntu1804cis_rule_4_1_15: true\nubuntu1804cis_rule_4_1_16: true\nubuntu1804cis_rule_4_1_17: true\nubuntu1804cis_rule_4_2_1_1: true\nubuntu1804cis_rule_4_2_1_2: true\nubuntu1804cis_rule_4_2_1_3: true\nubuntu1804cis_rule_4_2_1_4: true\nubuntu1804cis_rule_4_2_1_5: true\nubuntu1804cis_rule_4_2_1_6: true\nubuntu1804cis_rule_4_2_2_1: true\nubuntu1804cis_rule_4_2_2_2: true\nubuntu1804cis_rule_4_2_2_3: true\nubuntu1804cis_rule_4_2_3: true\nubuntu1804cis_rule_4_3: true\n\n# Section 5 rules\nubuntu1804cis_rule_5_1_1: true\nubuntu1804cis_rule_5_1_2: true\nubuntu1804cis_rule_5_1_3: true\nubuntu1804cis_rule_5_1_4: true\nubuntu1804cis_rule_5_1_5: true\nubuntu1804cis_rule_5_1_6: true\nubuntu1804cis_rule_5_1_7: true\nubuntu1804cis_rule_5_1_8: true\nubuntu1804cis_rule_5_2_1: true\nubuntu1804cis_rule_5_2_2: true\nubuntu1804cis_rule_5_2_3: true\nubuntu1804cis_rule_5_2_4: true\nubuntu1804cis_rule_5_2_5: true\nubuntu1804cis_rule_5_2_6: true\nubuntu1804cis_rule_5_2_7: true\nubuntu1804cis_rule_5_2_8: true\nubuntu1804cis_rule_5_2_9: true\nubuntu1804cis_rule_5_2_10: true\nubuntu1804cis_rule_5_2_11: true\nubuntu1804cis_rule_5_2_12: true\nubuntu1804cis_rule_5_2_13: true\nubuntu1804cis_rule_5_2_14: true\nubuntu1804cis_rule_5_2_15: true\nubuntu1804cis_rule_5_2_16: true\nubuntu1804cis_rule_5_2_17: true\nubuntu1804cis_rule_5_2_18: true\nubuntu1804cis_rule_5_2_19: true\nubuntu1804cis_rule_5_2_20: true\nubuntu1804cis_rule_5_2_21: true\nubuntu1804cis_rule_5_2_22: true\nubuntu1804cis_rule_5_2_23: true\nubuntu1804cis_rule_5_3_1: true\nubuntu1804cis_rule_5_3_2: true\nubuntu1804cis_rule_5_3_3: true\nubuntu1804cis_rule_5_3_4: true\nubuntu1804cis_rule_5_4_1_1: true\nubuntu1804cis_rule_5_4_1_2: 
true\nubuntu1804cis_rule_5_4_1_3: true\nubuntu1804cis_rule_5_4_1_4: true\nubuntu1804cis_rule_5_4_1_5: true\nubuntu1804cis_rule_5_4_2: true\nubuntu1804cis_rule_5_4_3: true\nubuntu1804cis_rule_5_4_4: true\nubuntu1804cis_rule_5_4_5: true\nubuntu1804cis_rule_5_5: true\nubuntu1804cis_rule_5_6: false\n\n# Section 6 rules\nubuntu1804cis_rule_6_1_1: true\nubuntu1804cis_rule_6_1_2: true\nubuntu1804cis_rule_6_1_3: true\nubuntu1804cis_rule_6_1_4: true\nubuntu1804cis_rule_6_1_5: true\nubuntu1804cis_rule_6_1_6: true\nubuntu1804cis_rule_6_1_7: true\nubuntu1804cis_rule_6_1_8: true\nubuntu1804cis_rule_6_1_9: true\nubuntu1804cis_rule_6_1_10: true\nubuntu1804cis_rule_6_1_11: true\nubuntu1804cis_rule_6_1_12: true\nubuntu1804cis_rule_6_1_13: true\nubuntu1804cis_rule_6_1_14: true\nubuntu1804cis_rule_6_2_1: true\nubuntu1804cis_rule_6_2_2: true\nubuntu1804cis_rule_6_2_3: true\nubuntu1804cis_rule_6_2_4: true\nubuntu1804cis_rule_6_2_5: true\nubuntu1804cis_rule_6_2_6: true\nubuntu1804cis_rule_6_2_7: true\nubuntu1804cis_rule_6_2_8: true\nubuntu1804cis_rule_6_2_9: true\nubuntu1804cis_rule_6_2_10: true\nubuntu1804cis_rule_6_2_11: true\nubuntu1804cis_rule_6_2_12: true\nubuntu1804cis_rule_6_2_14: true\nubuntu1804cis_rule_6_2_15: true\nubuntu1804cis_rule_6_2_16: true\nubuntu1804cis_rule_6_2_17: true\nubuntu1804cis_rule_6_2_18: true\nubuntu1804cis_rule_6_2_19: true\nubuntu1804cis_rule_6_2_20: true\n\n# Service configuration booleans set true to keep service\nubuntu1804cis_avahi_server: false\nubuntu1804cis_cups_server: false\nubuntu1804cis_dhcp_server: false\nubuntu1804cis_ldap_server: false\nubuntu1804cis_telnet_server: false\nubuntu1804cis_nfs_server: false\nubuntu1804cis_rpc_server: false\nubuntu1804cis_ntalk_server: false\nubuntu1804cis_rsyncd_server: false\nubuntu1804cis_tftp_server: false\nubuntu1804cis_rsh_server: false\nubuntu1804cis_nis_server: false\nubuntu1804cis_snmp_server: false\nubuntu1804cis_squid_server: false\nubuntu1804cis_smb_server: false\nubuntu1804cis_dovecot_server: 
false\nubuntu1804cis_httpd_server: false\nubuntu1804cis_vsftpd_server: false\nubuntu1804cis_named_server: false\nubuntu1804cis_nfs_rpc_server: false\nubuntu1804cis_is_mail_server: false\nubuntu1804cis_bind: false\nubuntu1804cis_vsftpd: false\nubuntu1804cis_httpd: false\nubuntu1804cis_dovecot: false\nubuntu1804cis_samba: false\nubuntu1804cis_squid: false\nubuntu1804cis_net_snmp: false\nubuntu1804cis_allow_autofs: false\n\n# xinetd required\nubuntu1804cis_xinetd_required: false\n\n# RedHat Satellite Subscription items\nubuntu1804cis_rhnsd_required: false\n\n# 1.4.2 Bootloader password\nubuntu1804cis_bootloader_password: random\nubuntu1804cis_set_boot_pass: false\n\n# System network parameters (host only OR host and router)\nubuntu1804cis_is_router: false\n\n# IPv6 required\nubuntu1804cis_ipv6_required: true\n\n# AIDE\nubuntu1804cis_config_aide: true\n# AIDE cron settings\nubuntu1804cis_aide_cron:\n  cron_user: root\n  cron_file: /etc/crontab\n  aide_job: '/usr/bin/aide.wrapper --config /etc/aide/aide.conf --check'\n  aide_minute: 0\n  aide_hour: 5\n  aide_day: '*'\n  aide_month: '*'\n  aide_weekday: '*'\n\n# Whether or not to run tasks related to auditing/patching the desktop environment\nubuntu1804cis_gui: false\n\n# Set to 'true' if X Windows is needed in your environment\nubuntu1804cis_xwindows_required: false\n\nubuntu1804cis_openldap_clients_required: false\nubuntu1804cis_telnet_required: false\nubuntu1804cis_talk_required: false\nubuntu1804cis_rsh_required: false\nubuntu1804cis_ypbind_required: false\n\n# Time Synchronization\nubuntu1804cis_time_synchronization: chrony\n# ubuntu1804cis_time_synchronization: ntp\n\nubuntu1804cis_time_synchronization_servers:\n  - uri: \"0.pool.ntp.org\"\n    config: \"minpoll 8\"\n  - uri: \"1.pool.ntp.org\"\n    config: \"minpoll 8\"\n  - uri: \"2.pool.ntp.org\"\n    config: \"minpoll 8\"\n  - uri: \"3.pool.ntp.org\"\n    config: \"minpoll 8\"\n\n# 3.3 TCP Wrappers\nubuntu1804cis_setup_tcp_wrappers: false\n\n# 3.3.4 | PATCH | 
Ensure /etc/hosts.allow is configured\nubuntu1804cis_host_allow:\n  - \"10.0.0.0/255.0.0.0\"\n  - \"172.16.0.0/255.240.0.0\"\n  - \"192.168.0.0/255.255.0.0\"\n  - \"0.0.0.0/0.0.0.0\"\n\nubuntu1804cis_firewall: firewalld\n# ubuntu1804cis_firewall: iptables\n# ubuntu1804cis_firewall: ufw\n# ubuntu1804cis_firewall: nftables\n\n# 3.5.3.2 | PATCH | Ensure a table exists\"\nubuntu1804cis_nftables_table: filter\n\nubuntu1804cis_firewall_services:\n  - ssh\n  - dhcpv6-client\n\n# Warning Banner Content (issue, issue.net, motd)\nubuntu1804cis_warning_banner: |\n   Authorized uses only. All activity may be monitored and reported.\n# End Banner\n\n## Section 4 Vars\nubuntu1804cis_auditd:\n  admin_space_left_action: halt\n  max_log_file_action: keep_logs\n  max_audit_log_file_size: 10\n  backlog_limit: \"8192\"\n\nubuntu1804cis_logrotate: \"daily\"\n\n## Section 5 Vars\nubuntu1804cis_at_allow_users: []\nubuntu1804cis_cron_allow_users: []\n\nubuntu1804cis_sshd:\n  clientalivecountmax: 3\n  clientaliveinterval: 300\n  ciphers: \"chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\"\n  macs: \"hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com\"\n  kexalgorithms: \"curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256\"\n  logingracetime: 60\n  ### Make sure you understand the precedence when working with these values!!\n  # allowusers:\n  # allowgroups: systems dba\n  # denyusers:\n  # denygroups:\n\nubuntu1804cis_pwquality:\n  - key: 'minlen'\n    value: '14'\n  - key: 'dcredit'\n    value: '-1'\n  - key: 'ucredit'\n    value: '-1'\n  - key: 'ocredit'\n    value: '-1'\n  - key: 'lcredit'\n    value: '-1'\n\nubuntu1804cis_pass:\n  max_days: 365\n  min_days: 1\n  
warn_age: 7\n  inactive: 30\n  history: 5\n\nubuntu1804cis_password_change_date_in_future_action: expire # lock\n\nubuntu1804cis_shell_timeout: 900\n# Syslog system\nubuntu1804cis_syslog: rsyslog\n# ubuntu1804cis_syslog: syslog-ng\n\nubuntu1804cis_vartmp:\n  source: /tmp\n  fstype: false\n  opts: \"defaults, nodev, nosuid, noexec, bind\"\n  enabled: false\n\n# Apply upgrades (set to false if another patching system is in place)\nubuntu1804cis_apply_upgrades: true\n\n###### Multi OS Vars ###########\nprelim_check_package_command:\n  RedHat: rpm -q\n  Debian: dpkg -V\nauditd_package:\n  RedHat: audit\n  Debian: auditd\ncron_package:\n  RedHat: cronie\n  Debian: cron\ncron_service:\n  RedHat: crond\n  Debian: cron\nntp_service:\n  RedHat: ntpd\n  Debian: ntp\nchrony_service:\n  RedHat: chronyd\n  Debian: chrony\ntcp_wrapper_package:\n  RedHat: tcp_wrappers\n  Debian: tcpd\nbashrc_file:\n  RedHat: /etc/bashrc\n  Debian: /etc/bash.bashrc\ntmp_mount_file:\n  RedHat: /usr/lib/systemd/system/tmp.mount\n  Debian: /usr/share/systemd/tmp.mount\ntmp_mount_options:\n  RedHat: mode=1777,strictatime,noexec,nodev,nosuid\n  Debian: mode=1777,strictatime,nodev,nosuid\nchrony_config_file:\n  RedHat: /etc/chrony.conf\n  Debian: /etc/chrony/chrony.conf\n\n### Firewall\nubuntu1804cis_setup_firewall: false\n"
  },
  {
    "path": "files/etc/systemd/system/tmp.mount",
    "content": "#  This file is part of systemd.\n#\n#  systemd is free software; you can redistribute it and/or modify it\n#  under the terms of the GNU Lesser General Public License as published by\n#  the Free Software Foundation; either version 2.1 of the License, or\n#  (at your option) any later version.\n\n[Unit]\nDescription=Temporary Directory\nDocumentation=man:hier(7)\nDocumentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems\nConditionPathIsSymbolicLink=!/tmp\nDefaultDependencies=no\nConflicts=umount.target\nBefore=local-fs.target umount.target\n\n[Mount]\nWhat=tmpfs\nWhere=/tmp\nType=tmpfs\nOptions=mode=1777,strictatime,noexec,nodev,nosuid\n\n# Make 'systemctl enable tmp.mount' work:\n[Install]\nWantedBy=local-fs.target\n"
  },
  {
    "path": "handlers/main.yml",
    "content": "---\n# handlers file for Ubuntu1804-CIS\n\n- name: sysctl flush ipv4 route table\n  become: true\n  sysctl:\n      name: net.ipv4.route.flush\n      value: \"1\"\n      sysctl_set: true\n  when: ansible_virtualization_type != \"docker\"\n\n- name: sysctl flush ipv6 route table\n  become: true\n  sysctl:\n      name: net.ipv6.route.flush\n      value: \"1\"\n      sysctl_set: true\n  when: ansible_virtualization_type != \"docker\"\n\n- name: systemd restart tmp.mount\n  become: true\n  systemd:\n      name: tmp.mount\n      daemon_reload: true\n      enabled: true\n      masked: false\n      state: reloaded\n  when: ansible_virtualization_type != \"docker\"\n  ignore_errors: \"{{ ubuntu1804cis_ignore_remount_errors }}\"\n\n- name: systemd restart var-tmp.mount\n  become: true\n  systemd:\n      name: var-tmp.mount\n      daemon_reload: true\n      enabled: true\n      masked: false\n      state: reloaded\n  ignore_errors: \"{{ ubuntu1804cis_ignore_remount_errors }}\"\n\n- name: generate new grub config\n  become: true\n  command: grub-mkconfig -o \"{{ grub_cfg.stat.path }}\"\n  notify: fix permissions after generate new grub config handler\n\n- name: fix permissions after generate new grub config handler\n  become: true\n  file:\n    path: \"/boot/grub/grub.cfg\"\n    owner: root\n    group: root\n    mode: 0400\n  when:\n    - ansible_os_family == \"Debian\"\n    - ubuntu1804cis_rule_1_4_1\n\n- name: restart firewalld\n  become: true\n  service:\n      name: firewalld\n      state: restarted\n\n- name: reload nftables\n  become: true\n  service:\n      name: nftables\n      state: reloaded\n\n- name: restart xinetd\n  become: true\n  service:\n      name: xinetd\n      state: restarted\n\n- name: restart sshd\n  become: true\n  service:\n      name: sshd\n      state: restarted\n\n- name: reload dconf\n  become: true\n  command: dconf update\n\n- name: restart auditd\n  become: true\n  service:\n      name: auditd\n      state: restarted\n  when:\n  
    - not ubuntu1804cis_skip_for_travis\n  tags:\n      - skip_ansible_lint\n\n- name: load audit rules\n  become: true\n  command: /sbin/augenrules --load\n  when:\n      - not ubuntu1804cis_skip_for_travis\n  tags:\n      - skip_ansible_lint\n\n- name: restart systemd-coredump\n  become: true\n  service:\n      name: systemd-coredump.socket\n      daemon_reload: true\n      enabled: true\n      state: restarted\n\n- name: restart journald\n  become: true\n  service:\n      name: systemd-journald\n      state: restarted\n"
  },
  {
    "path": "meta/main.yml",
    "content": "---\ngalaxy_info:\n  author: \"florianutz\"\n  role_name: ubuntu1804_cis\n  description: \"Ansible role to apply Ubuntu 18.04 CIS Baseline\"\n  company: \"none\"\n  license: MIT\n  min_ansible_version: 2.6\n  namespace: florianutz\n\n\n  platforms:\n    - name: Ubuntu\n      versions:\n        - bionic\n\n  galaxy_tags:\n    - system\n    - security\n    - cis\n    - hardening\n\ndependencies: []\n\ncollections:\n  - ansible.posix\n"
  },
  {
    "path": "molecule/default/INSTALL.rst",
    "content": "*******\nInstall\n*******\n\nRequirements\n============\n\n* Docker Engine\n* docker-py\n\nInstall\n=======\n\n.. code-block:: bash\n\n  $ sudo pip install docker-py\n"
  },
  {
    "path": "molecule/default/converge.yml",
    "content": "---\n- name: Converge\n  hosts: all\n  vars:\n    ubuntu1804cis_skip_for_travis: true\n    ubuntu1804cis_selinux_disable: true\n  roles:\n    - role: Ubuntu1804-CIS\n"
  },
  {
    "path": "molecule/default/molecule.yml",
    "content": "---\ndependency:\n  name: galaxy\ndriver:\n  name: docker\nlint: |\n  set -e\n  ansible-lint -c .ansible-lint\nplatforms:\n  - name: instance\n    image: florianutz/docker-systemd:18.04\n    tmpfs:\n      - /run\n      - /run/lock\n      - /tmp\n    volumes:\n      - /sys/fs/cgroup:/sys/fs/cgroup:ro\n    privileged: true\n    # a single init command for the systemd image (the duplicate 'command' key was removed;\n    # YAML loaders silently keep only the last value of a duplicated key)\n    command: /sbin/init\nprovisioner:\n  name: ansible\n  lint:\n    name: ansible-lint -c .ansible-lint\n    enabled: true\n  config_options:\n    defaults:\n      bin_ansible_callbacks: True\n      callback_whitelist: profile_tasks,timer\n      fact_caching: jsonfile\n      fact_caching_connection: ./cache\n      poll_interval: 3\n      forks: 100\n      conditional_bare_variables: false\n    connection:\n      pipelining: true\nscenario:\n  name: default\nverifier:\n  name: ansible\n"
  },
  {
    "path": "molecule/default/prepare.yml",
    "content": "---\n- name: Prepare\n  hosts: all\n  gather_facts: false\n  tasks:\n    - name: install openssh-server for testing under docker\n      apt:\n        name: openssh-server\n        state: present\n        update_cache: yes\n    - name: install grub files for testing under docker\n      block:\n        - name: create /boot/grub\n          file:\n            name: /boot/grub\n            state: directory\n          changed_when: false\n\n        - name: touch /boot/grub/grub.cfg\n          file:\n            name: /boot/grub/grub.cfg\n            state: touch\n          changed_when: false\n\n        - name: touch /etc/default/grub\n          file:\n            name: /etc/default/grub\n            state: touch\n          changed_when: false\n          "
  },
  {
    "path": "molecule/default/tests/test_default.py",
    "content": "import os\n\nimport testinfra.utils.ansible_runner\n\ntestinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(\n    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')\n\n\ndef test_hosts_file(host):\n    f = host.file('/etc/hosts')\n\n    assert f.exists\n    assert f.user == 'root'\n    assert f.group == 'root'\n"
  },
  {
    "path": "molecule/default/verify.yml",
    "content": "---\n# This is an example playbook to execute Ansible tests.\n\n- name: Verify\n  hosts: all\n  tasks:\n  - name: Example assertion\n    assert:\n      that: true\n"
  },
  {
    "path": "requirements.txt",
    "content": "molecule[docker]==3.0.8\nansible-lint==5.2.1\n"
  },
  {
    "path": "tasks/main.yml",
    "content": "---\n# tasks file for Ubuntu1804-CIS\n- name: Check OS version and family\n  fail:\n      msg: \"This role can only be run against Ubuntu 18.04. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported.\"\n  # fail unless both the distribution and the release match\n  # (two separate list items would require both facts to mismatch before failing)\n  when: not (ansible_distribution == \"Ubuntu\" and ansible_distribution_release == \"bionic\")\n  tags:\n      - always\n\n- name: Check ansible version\n  fail:\n      msg: You must use ansible 2.3 or greater!\n  when: not ansible_version.full is version_compare('2.3', '>=')\n  tags:\n      - always\n\n- include: prelim.yml\n  become: true\n  tags:\n      - prelim_tasks\n      - always\n\n- include: section1.yml\n  become: true\n  when: ubuntu1804cis_section1\n  tags: section1\n\n- include: section2.yml\n  become: true\n  when: ubuntu1804cis_section2\n  tags: section2\n\n- include: section3.yml\n  become: true\n  when: ubuntu1804cis_section3\n  tags: section3\n\n- include: section4.yml\n  become: true\n  when: ubuntu1804cis_section4\n  tags: section4\n\n- include: section5.yml\n  become: true\n  when: ubuntu1804cis_section5\n  tags: section5\n\n- include: section6.yml\n  become: true\n  when: ubuntu1804cis_section6\n  tags: section6\n\n- include: post.yml\n  become: true\n  tags:\n      - post_tasks\n      - always\n"
  },
  {
    "path": "tasks/post.yml",
    "content": "---\n# Post tasks\n\n- name: \"POST | Find removed but configured apt packages\"\n  shell: \"set -o pipefail;\n      dpkg --list | (grep ^rc || true) | tr -s ' ' | cut -d ' ' -f 2\"\n  args:\n      executable: /bin/bash\n  register: apt_rc_packages\n  changed_when: false\n\n- name: \"POST | Perform apt package cleanup\"\n  apt:\n    name: \"{{ apt_rc_packages.stdout_lines }}\"\n    state: absent\n    purge: true\n  changed_when: false\n  ignore_errors: true\n  when: not ansible_check_mode\n  tags:\n    - skip_ansible_lint\n"
  },
  {
    "path": "tasks/prelim.yml",
    "content": "---\n# Preliminary tasks that should always be run\n# List users in order to look files inside each home directory\n- name: \"PRELIM | List users accounts\"\n  command: \"awk -F: '{print $1}' /etc/passwd\"\n  register: users\n  changed_when: false\n  check_mode: false\n\n- name: \"PRELIM | Gather homes with wrong permissions on /home\"\n  shell: 'set -o pipefail;\n      for dir in $(getent passwd | cut -d '':'' -f 6 | awk ''$1 ~ /^\\/home\\//'');\n      do\n        perm=$(stat -L -c \"%A\" \"$dir\" );\n        if [ -d $dir ] && ([ \"${perm:7:3}\" != \"---\" ] || [ \"${perm:5:1}\" == \"w\" ] );\n        then\n          echo -n \"$dir \";\n        fi;\n      done'\n  args:\n    executable: /bin/bash\n  register: homes_with_perms\n  changed_when: false\n  check_mode: false\n\n- name: \"PRELIM | Gather accounts with empty password fields\"\n  shell: \"set -o pipefail;\n      cat /etc/shadow | awk -F: '($2 == \\\"\\\" ) {j++;print $1; } END {exit j}'\"\n  args:\n      executable: /bin/bash\n  register: empty_password_accounts\n  changed_when: false\n  check_mode: false\n\n- name: \"PRELIM | Check if root has password\"\n  shell: 'set -o pipefail;\n       getent shadow | grep root | awk -F: ''($2 == \"*\" || $2 == \"!\" ) { printf $2; }'''\n  args:\n    executable: /bin/bash\n  register: current_root_password\n  changed_when: false\n  check_mode: false\n\n- name: \"PRELIM | Gather UID 0 accounts other than root\"\n  shell: \"set -o pipefail;\n      cat /etc/passwd | awk -F: '($3 == 0 && $1 != \\\"root\\\") {i++;print $1 } END {exit i}'\"\n  args:\n      executable: /bin/bash\n  register: uid_zero_accounts_except_root\n  changed_when: false\n  check_mode: false\n\n- name: \"PRELIM | Run apt cache update\"\n  apt:\n    update_cache: true\n  changed_when: false\n\n- name: \"PRELIM | Section 4.1 | Configure System Accounting (auditd)\"\n  apt:\n    name: \"{{ auditd_package[ansible_os_family] }}\"\n    state: present\n    install_recommends: false\n  when:\n  
    - not ubuntu1804cis_auditd_disable\n\n- name: \"PRELIM | Section 5.1 | Configure cron\"\n  apt:\n    name: \"{{ cron_package[ansible_os_family] }}\"\n    state: present\n    install_recommends: false\n\n- name: \"PRELIM | Check if prelink package is installed\"\n  command: \"{{ prelim_check_package_command[ansible_os_family] }} prelink\"\n  register: prelink_installed\n  changed_when: false\n  failed_when: false\n  check_mode: false\n  tags:\n    - skip_ansible_lint\n\n- name: \"PRELIM | Check if postfix package is installed\"\n  command: \"{{ prelim_check_package_command[ansible_os_family] }} postfix\"\n  register: postfix_installed\n  changed_when: false\n  failed_when: false\n  check_mode: false\n  tags:\n    - skip_ansible_lint\n\n# Individual service checks\n- name: \"PRELIM | Check for xinetd service\"\n  shell: \"set -o pipefail;\n      systemctl show xinetd | grep LoadState | cut -d = -f 2\"\n  args:\n      executable: /bin/bash\n  register: xinetd_service_status\n  changed_when: false\n  check_mode: false\n\n- name: \"PRELIM | Check for openbsd-inetd service\"\n  shell: \"set -o pipefail;\n      dpkg -s openbsd-inetd | grep -o 'ok installed'; true\"\n  args:\n      executable: /bin/bash\n  register: openbsd_inetd_service_status\n  changed_when: false\n  check_mode: false\n\n- name: \"PRELIM | Check for ntpd service\"\n  shell: \"set -o pipefail;\n      systemctl show {{ ntp_service[ansible_os_family] }} | grep LoadState | cut -d = -f 2\"\n  args:\n      executable: /bin/bash\n  register: ntpd_service_status\n  changed_when: false\n  check_mode: false\n\n- name: \"PRELIM | Check for chronyd service\"\n  shell: \"set -o pipefail;\n      systemctl show {{ chrony_service[ansible_os_family] }} | grep LoadState | cut -d = -f 2\"\n  args:\n      executable: /bin/bash\n  register: chronyd_service_status\n  changed_when: false\n  check_mode: false\n\n- name: \"PRELIM | Check for systemd-timesyncd service\"\n  shell: \"set -o pipefail;\n      systemctl show 
systemd-timesyncd | grep LoadState | cut -d = -f 2\"\n  args:\n      executable: /bin/bash\n  register: systemd_timesyncd_service_status\n  changed_when: false\n  check_mode: false\n\n- name: \"PRELIM | Check for avahi-daemon service\"\n  shell: \"set -o pipefail;\n      systemctl show avahi-daemon | grep LoadState | cut -d = -f 2\"\n  args:\n      executable: /bin/bash\n  register: avahi_service_status\n  changed_when: false\n  check_mode: false\n\n- name: \"PRELIM | Check for cups service\"\n  shell: \"set -o pipefail;\n      systemctl show cups | grep LoadState | cut -d = -f 2\"\n  args:\n      executable: /bin/bash\n  register: cups_service_status\n  changed_when: false\n  check_mode: false\n\n- name: \"PRELIM | Check for dhcpd service\"\n  shell: \"set -o pipefail;\n      systemctl show dhcpd | grep LoadState | cut -d = -f 2\"\n  args:\n      executable: /bin/bash\n  register: dhcpd_service_status\n  changed_when: false\n  check_mode: false\n\n- name: \"PRELIM | Check for slapd service\"\n  shell: \"set -o pipefail;\n      systemctl show slapd | grep LoadState | cut -d = -f 2\"\n  args:\n      executable: /bin/bash\n  register: slapd_service_status\n  changed_when: false\n  check_mode: false\n\n- name: \"PRELIM | Check for nfs service\"\n  shell: \"set -o pipefail;\n      systemctl show nfs | grep LoadState | cut -d = -f 2\"\n  args:\n      executable: /bin/bash\n  register: nfs_service_status\n  changed_when: false\n  check_mode: false\n\n- name: \"PRELIM | Check for rpcbind service\"\n  shell: \"set -o pipefail;\n      systemctl show rpcbind | grep LoadState | cut -d = -f 2\"\n  args:\n      executable: /bin/bash\n  register: rpcbind_service_status\n  changed_when: false\n  check_mode: false\n\n- name: \"PRELIM | Check for named service\"\n  shell: \"set -o pipefail;\n      systemctl show named | grep LoadState | cut -d = -f 2\"\n  args:\n      executable: /bin/bash\n  register: named_service_status\n  changed_when: false\n  check_mode: false\n\n- name: 
\"PRELIM | Check for vsftpd service\"\n  shell: \"set -o pipefail;\n      systemctl show vsftpd | grep LoadState | cut -d = -f 2\"\n  args:\n      executable: /bin/bash\n  register: vsftpd_service_status\n  changed_when: false\n  check_mode: false\n\n- name: \"PRELIM | Check for httpd service\"\n  shell: \"set -o pipefail;\n      systemctl show apache2 | grep LoadState | cut -d = -f 2\"\n  args:\n      executable: /bin/bash\n  register: httpd_service_status\n  changed_when: false\n  check_mode: false\n\n- name: \"PRELIM | Check for dovecot service\"\n  shell: \"set -o pipefail;\n      systemctl show dovecot | grep LoadState | cut -d = -f 2\"\n  args:\n      executable: /bin/bash\n  register: dovecot_service_status\n  changed_when: false\n  check_mode: false\n\n- name: \"PRELIM | Check for smb service\"\n  shell: \"set -o pipefail;\n      systemctl show smbd | grep LoadState | cut -d = -f 2\"\n  args:\n      executable: /bin/bash\n  register: smb_service_status\n  changed_when: false\n  check_mode: false\n\n- name: \"PRELIM | Check for squid service\"\n  shell: \"set -o pipefail;\n      systemctl show squid | grep LoadState | cut -d = -f 2\"\n  args:\n      executable: /bin/bash\n  register: squid_service_status\n  changed_when: false\n  check_mode: false\n\n- name: \"PRELIM | Check for snmpd service\"\n  shell: \"set -o pipefail;\n      systemctl show snmpd | grep LoadState | cut -d = -f 2\"\n  args:\n      executable: /bin/bash\n  register: snmpd_service_status\n  changed_when: false\n  check_mode: false\n\n- name: \"PRELIM | Check for ypserv service\"\n  shell: \"set -o pipefail;\n      systemctl show nis | grep LoadState | cut -d = -f 2\"\n  args:\n      executable: /bin/bash\n  register: ypserv_service_status\n  changed_when: false\n  check_mode: false\n\n- name: \"PRELIM | Check for rsh.socket service\"\n  shell: \"set -o pipefail;\n      systemctl show rsh.socket | grep LoadState | cut -d = -f 2\"\n  args:\n      executable: /bin/bash\n  register: 
rsh_service_status\n  changed_when: false\n  check_mode: false\n\n- name: \"PRELIM | Check for rlogin.socket service\"\n  shell: \"set -o pipefail;\n      systemctl show rlogin.socket | grep LoadState | cut -d = -f 2\"\n  args:\n      executable: /bin/bash\n  register: rlogin_service_status\n  changed_when: false\n  check_mode: false\n\n- name: \"PRELIM | Check for rexec.socket service\"\n  shell: \"set -o pipefail;\n      systemctl show rexec.socket | grep LoadState | cut -d = -f 2\"\n  args:\n      executable: /bin/bash\n  register: rexec_service_status\n  changed_when: false\n  check_mode: false\n\n- name: \"PRELIM | Check for telnet service\"\n  shell: \"set -o pipefail;\n      systemctl show telnetd | grep LoadState | cut -d = -f 2\"\n  args:\n      executable: /bin/bash\n  register: telnet_service_status\n  changed_when: false\n  check_mode: false\n\n- name: \"PRELIM | Check for tftp service\"\n  shell: \"set -o pipefail;\n      systemctl show tftpd-hpa | grep LoadState | cut -d = -f 2\"\n  args:\n      executable: /bin/bash\n  register: tftp_service_status\n  changed_when: false\n  check_mode: false\n\n- name: \"PRELIM | Check for rsyncd service\"\n  shell: \"set -o pipefail;\n      systemctl show rsync | grep LoadState | cut -d = -f 2\"\n  args:\n      executable: /bin/bash\n  register: rsyncd_service_status\n  changed_when: false\n  check_mode: false\n\n- name: \"PRELIM | Check for ntalk service\"\n  shell: \"set -o pipefail;\n      systemctl show ntalk | grep LoadState | cut -d = -f 2\"\n  args:\n      executable: /bin/bash\n  register: ntalk_service_status\n  changed_when: false\n  check_mode: false\n\n- name: \"PRELIM | Check for autofs service\"\n  shell: \"set -o pipefail;\n      systemctl show autofs | grep LoadState | cut -d = -f 2\"\n  args:\n      executable: /bin/bash\n  register: autofs_service_status\n  changed_when: false\n  check_mode: false\n\n- name: \"PRELIM | Check the grub.cfg configuration\"\n  stat:\n    path: /boot/grub/grub.cfg\n  
register: grub_cfg\n\n- name: \"PRELIM | Check the grub.conf configuration\"\n  stat:\n    path: /boot/grub/grub.conf\n  register: grub_conf\n\n- name: \"PRELIM | Check the menu.lst configuration\"\n  stat:\n    path: \"/boot/grub/menu.lst\"\n  register: menu_lst\n\n- name: \"PRELIM | Check that system accounts are non-login #1\"\n  shell: >\n    set -o pipefail &&\n    egrep -v \"^\\+\" /etc/passwd | awk -F: '($1!=\"root\" && $1!=\"sync\" &&\n    $1!=\"shutdown\" && $1!=\"halt\" && $3<1000 && $7!=\"/usr/sbin/nologin\" &&\n    $7!=\"/bin/false\") {print}'\n  args:\n      executable: /bin/bash\n  register: system_accounts_non_login_1\n  changed_when: false\n  check_mode: false\n\n\n- name: \"PRELIM | Check that system accounts are non-login #2\"\n  shell: >\n    set -o pipefail &&\n    for user in `awk -F: '($1!=\"root\" && $3 < 1000) {print $1 }' /etc/passwd`; do\n    passwd -S $user | awk -F ' ' '($2!=\"L\") {print $1}'; done\n  args:\n      executable: /bin/bash\n  register: system_accounts_non_login_2\n  changed_when: false\n  check_mode: false\n\n- name: \"PRELIM | Check that users last password change date are in the future\"\n  shell: |\n      set -o pipefail;\n      awk -F: '{print $1}' /etc/shadow | while read -r usr\n      do\n        if [[ $(date --date=\"$(chage --list \"$usr\" | grep '^Last password change' | cut -d: -f2)\" +%s) > $(date +%s) ]];then\n          echo \"$usr\"\n        fi\n      done\n  args:\n      executable: /bin/bash\n  register: users_password_change_date_in_future\n  changed_when: False\n  check_mode: false\n"
  },
  {
    "path": "tasks/section1.yml",
    "content": "---\n- name: \"SCORED | 1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled\"\n  lineinfile:\n      dest: /etc/modprobe.d/CIS.conf\n      regexp: \"^(#)?install cramfs(\\\\s|$)\"\n      line: \"install cramfs /bin/true\"\n      state: present\n      owner: root\n      group: root\n      mode: 0644\n      create: true\n  when:\n      - ubuntu1804cis_rule_1_1_1_1\n  tags:\n      - level1\n      - scored\n      - patch\n      - cramfs\n      - filesystems\n      - rule_1.1.1.1\n\n- name: \"SCORED | 1.1.1.1 | PATCH | Remove cramfs module\"\n  modprobe:\n      name: cramfs\n      state: absent\n  when:\n      - ubuntu1804cis_rule_1_1_1_1\n      - not ubuntu1804cis_skip_for_travis\n  tags:\n      - level1\n      - scored\n      - patch\n      - cramfs\n      - filesystems\n      - rule_1.1.1.1\n\n- name: \"SCORED | 1.1.1.2 | PATCH | Ensure mounting of freevxfs filesystems is disabled\"\n  lineinfile:\n      dest: /etc/modprobe.d/CIS.conf\n      regexp: \"^(#)?install freevxfs\"\n      line: \"install freevxfs /bin/true\"\n      state: present\n      create: true\n  when:\n      - ubuntu1804cis_rule_1_1_1_2\n  tags:\n      - level1\n      - scored\n      - patch\n      - freevxfs\n      - filesystems\n      - rule_1.1.1.2\n\n- name: \"SCORED | 1.1.1.2 | PATCH | Remove freevxfs module\"\n  modprobe:\n      name: freevxfs\n      state: absent\n  when:\n      - ubuntu1804cis_rule_1_1_1_2\n      - not ubuntu1804cis_skip_for_travis\n  tags:\n      - level1\n      - scored\n      - patch\n      - freevxfs\n      - filesystems\n      - rule_1.1.1.2\n\n- name: \"SCORED | 1.1.1.3 | PATCH | Ensure mounting of jffs2 filesystems is disabled\"\n  lineinfile:\n      dest: /etc/modprobe.d/CIS.conf\n      regexp: \"^(#)?install jffs2(\\\\s|$)\"\n      line: \"install jffs2 /bin/true\"\n      state: present\n      create: true\n  when:\n      - ubuntu1804cis_rule_1_1_1_3\n  tags:\n      - level1\n      - scored\n      - patch\n      - jffs2\n      - 
filesystems\n      - rule_1.1.1.3\n\n- name: \"SCORED | 1.1.1.3 | PATCH | Remove jffs2 module\"\n  modprobe:\n      name: jffs2\n      state: absent\n  when:\n      - ubuntu1804cis_rule_1_1_1_3\n      - not ubuntu1804cis_skip_for_travis\n  tags:\n      - level1\n      - scored\n      - patch\n      - jffs2\n      - filesystems\n      - rule_1.1.1.3\n\n- name: \"SCORED | 1.1.1.4 | PATCH | Ensure mounting of hfs filesystems is disabled\"\n  lineinfile:\n      dest: /etc/modprobe.d/CIS.conf\n      regexp: \"^(#)?install hfs(\\\\s|$)\"\n      line: \"install hfs /bin/true\"\n      state: present\n      create: true\n  when:\n      - ubuntu1804cis_rule_1_1_1_4\n  tags:\n      - level1\n      - scored\n      - patch\n      - hfs\n      - filesystems\n      - rule_1.1.1.4\n\n- name: \"SCORED | 1.1.1.4 | PATCH | Remove hfs module\"\n  modprobe:\n      name: hfs\n      state: absent\n  when:\n      - ubuntu1804cis_rule_1_1_1_4\n      - not ubuntu1804cis_skip_for_travis\n  tags:\n      - level1\n      - scored\n      - patch\n      - hfs\n      - filesystems\n      - rule_1.1.1.4\n\n- name: \"SCORED | 1.1.1.5 | PATCH | Ensure mounting of hfsplus filesystems is disabled\"\n  lineinfile:\n      dest: /etc/modprobe.d/CIS.conf\n      regexp: \"^(#)?install hfsplus(\\\\s|$)\"\n      line: \"install hfsplus /bin/true\"\n      state: present\n      create: true\n  when:\n      - ubuntu1804cis_rule_1_1_1_5\n  tags:\n      - level1\n      - scored\n      - patch\n      - hfsplus\n      - filesystems\n      - rule_1.1.1.5\n\n- name: \"SCORED | 1.1.1.5 | PATCH | Remove hfsplus module\"\n  modprobe:\n      name: hfsplus\n      state: absent\n  when:\n      - ubuntu1804cis_rule_1_1_1_5\n      - not ubuntu1804cis_skip_for_travis\n  tags:\n      - level1\n      - scored\n      - patch\n      - hfsplus\n      - filesystems\n      - rule_1.1.1.5\n\n- name: \"SCORED | 1.1.1.6 | PATCH | Ensure mounting of squashfs filesystems is disabled\"\n  lineinfile:\n      dest: /etc/modprobe.d/CIS.conf\n 
     regexp: \"^(#)?install squashfs(\\\\s|$)\"\n      line: \"install squashfs /bin/true\"\n      state: present\n      create: true\n  when:\n      - ubuntu1804cis_rule_1_1_1_6\n  tags:\n      - level1\n      - scored\n      - patch\n      - squashfs\n      - filesystems\n      - rule_1.1.1.6\n\n- name: \"SCORED | 1.1.1.6 | PATCH | Remove squashfs module\"\n  modprobe:\n      name: squashfs\n      state: absent\n  when:\n      - ubuntu1804cis_rule_1_1_1_6\n      - not ubuntu1804cis_skip_for_travis\n  tags:\n      - level1\n      - scored\n      - patch\n      - squashfs\n      - filesystems\n      - rule_1.1.1.6\n\n- name: \"SCORED | 1.1.1.7 | PATCH | Ensure mounting of udf filesystems is disabled\"\n  lineinfile:\n      dest: /etc/modprobe.d/CIS.conf\n      regexp: \"^(#)?install udf(\\\\s|$)\"\n      line: \"install udf /bin/true\"\n      state: present\n      create: true\n  when:\n      - ubuntu1804cis_rule_1_1_1_7\n  tags:\n      - level1\n      - scored\n      - patch\n      - udf\n      - filesystems\n      - rule_1.1.1.7\n\n- name: \"SCORED | 1.1.1.7 | PATCH | Remove udf module\"\n  modprobe:\n      name: udf\n      state: absent\n  when:\n      - ubuntu1804cis_rule_1_1_1_7\n      - not ubuntu1804cis_skip_for_travis\n  tags:\n      - level1\n      - scored\n      - patch\n      - udf\n      - filesystems\n      - rule_1.1.1.7\n\n- name: \"NOTSCORED | 1.1.1.8 | PATCH | Ensure mounting of FAT filesystems is limited\"\n  lineinfile:\n      dest: /etc/modprobe.d/CIS.conf\n      regexp: \"^(#)?install vfat(\\\\s|$)\"\n      line: \"install vfat /bin/true\"\n      state: present\n      create: true\n  when:\n      - ubuntu1804cis_rule_1_1_1_8\n  tags:\n      - level2\n      - notscored\n      - patch\n      - vfat\n      - filesystems\n      - rule_1.1.1.8\n\n- name: \"NOTSCORED | 1.1.1.8 | PATCH | Remove FAT module\"\n  modprobe:\n      name: vfat\n      state: absent\n  when:\n      - ubuntu1804cis_rule_1_1_1_8\n      - not ubuntu1804cis_skip_for_travis\n  
tags:\n      - level2\n      - notscored\n      - patch\n      - vfat\n      - filesystems\n      - rule_1.1.1.8\n\n- name: \"SCORED | 1.1.2 | PATCH | Ensure separate partition exists for /tmp | enable and start/restart tmp.mount\"\n  copy:\n      src: \"{{ tmp_mount_file[ansible_os_family] }}\"\n      dest: /etc/systemd/system/tmp.mount\n      owner: root\n      group: root\n      mode: 0644\n      force: true\n      remote_src: true\n  notify:\n      - systemd restart tmp.mount\n  when:\n      - ubuntu1804cis_rule_1_1_2\n      - not ubuntu1804cis_skip_for_travis\n  tags:\n      - level2\n      - scored\n      - patch\n      - rule_1.1.2\n\n- name: \"SCORED | 1.1.2 | PATCH | Ensure separate partition exists for /tmp | enable and start/restart tmp.mount\"\n  systemd:\n      name: tmp.mount\n      daemon_reload: yes\n      enabled: yes\n      masked: no\n      state: started\n  when:\n      - ubuntu1804cis_rule_1_1_2\n      - not ubuntu1804cis_skip_for_travis\n  tags:\n      - level2\n      - scored\n      - patch\n      - rule_1.1.2\n\n- name: \"SCORED | 1.1.3 | PATCH | Ensure nodev option set on /tmp partition\\n\n        SCORED | 1.1.4 | PATCH | Ensure nosuid option set on /tmp partition\\n\n        | drop custom tmp.mount\"\n  ini_file:\n      path: \"{{ item }}\"\n      section: Mount\n      option: Options\n      value: \"{{ tmp_mount_options[ansible_os_family] }}\"\n      no_extra_spaces: true\n  with_items:\n      - \"{{ tmp_mount_file[ansible_os_family] }}\"\n      - /etc/systemd/system/tmp.mount\n  notify:\n      - systemd restart tmp.mount\n  when:\n      - ubuntu1804cis_rule_1_1_3\n      - ubuntu1804cis_rule_1_1_4\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_1.1.3\n      - rule_1.1.4\n\n- name: \"SCORED | 1.1.5 | PATCH | Ensure noexec option set on /tmp partition\\n\n        | drop custom tmp.mount\"\n  ini_file:\n      path: \"{{ item }}\"\n      section: Mount\n      option: Options\n      value: noexec\n      no_extra_spaces: 
true\n  with_items:\n      - \"{{ tmp_mount_file[ansible_os_family] }}\"\n      - /etc/systemd/system/tmp.mount\n  notify:\n      - systemd restart tmp.mount\n  when:\n      - ubuntu1804cis_rule_1_1_5\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_1.1.5\n\n- name: \"SCORED | 1.1.6 | PATCH | Ensure separate partition exists for /var\"\n  shell: mount | grep \"on /var \"\n  register: var_mounted\n  changed_when: false\n  failed_when: false\n  when:\n      - ubuntu1804cis_rule_1_1_6\n  tags:\n      - level2\n      - scored\n      - patch\n      - rule_1.1.6\n      - skip_ansible_lint\n\n- name: \"SCORED | 1.1.7 | PATCH | Ensure separate partition exists for /var/tmp\"\n  shell: mount | grep \"on /var/tmp \"\n  register: var_tmp_mounted\n  changed_when: false\n  failed_when: false\n  when:\n      - ubuntu1804cis_rule_1_1_7\n  tags:\n      - level2\n      - scored\n      - patch\n      - rule_1.1.7\n      - skip_ansible_lint\n\n- name:\n      \"SCORED | 1.1.8  | PATCH | Ensure nodev option set on /var/tmp partition\\n\n      SCORED | 1.1.9  | PATCH | Ensure nosuid option set on /var/tmp partition\\n\n      SCORED | 1.1.10 | PATCH | Ensure noexec option set on /var/tmp partition\"\n  mount:\n      name: /var/tmp\n      src: \"{{ ubuntu1804cis_vartmp['source'] }}\"\n      state: mounted\n      fstype: \"{{ ubuntu1804cis_vartmp['fstype'] }}\"\n      opts: \"{{ ubuntu1804cis_vartmp['opts'] }}\"\n  when:\n      - ubuntu1804cis_vartmp['enabled'] == 'yes'\n      - ubuntu1804cis_rule_1_1_8\n      - ubuntu1804cis_rule_1_1_9\n      - ubuntu1804cis_rule_1_1_10\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_1.1.8\n      - rule_1.1.9\n      - rule_1.1.10\n\n- name: \"SCORED | 1.1.11 | PATCH | Ensure separate partition exists for /var/log\"\n  shell: mount | grep \"on /var/log \"\n  register: var_log_mounted\n  changed_when: false\n  failed_when: false\n  when:\n      - ubuntu1804cis_rule_1_1_11\n  tags:\n      - level2\n      - scored\n  
    - patch\n      - rule_1.1.11\n      - skip_ansible_lint\n\n- name: \"SCORED | 1.1.12 | PATCH | Ensure separate partition exists for /var/log/audit\"\n  shell: mount | grep \"on /var/log/audit \"\n  register: var_log_audit_mounted\n  changed_when: false\n  failed_when: false\n  when:\n      - ubuntu1804cis_rule_1_1_12\n  tags:\n      - level2\n      - scored\n      - patch\n      - rule_1.1.12\n      - skip_ansible_lint\n\n- name: \"SCORED | 1.1.13 | PATCH | Ensure separate partition exists for /home\"\n  shell: mount | grep \"on /home \"\n  register: home_mounted\n  changed_when: false\n  failed_when: false\n  when:\n      - ubuntu1804cis_rule_1_1_13\n  tags:\n      - level2\n      - scored\n      - patch\n      - rule_1.1.13\n      - skip_ansible_lint\n\n- name: \"SCORED | 1.1.14 | PATCH | Ensure nodev option set on /home partition\"\n  mount:\n      name: \"/home\"\n      src: \"{{ item.device }}\"\n      state: mounted\n      fstype: \"{{ item.fstype }}\"\n      opts: \"nodev\"\n  when:\n      - ubuntu1804cis_rule_1_1_14\n      - item.mount == \"/home\"\n  with_items:\n      - \"{{ ansible_mounts }}\"\n  tags:\n      - scored\n      - level1\n      - patch\n      - rule_1.1.14\n\n- name:\n      \"SCORED | 1.1.15 | PATCH | Ensure nodev option set on /dev/shm partition\\n\n      SCORED | 1.1.16 | PATCH | Ensure nosuid option set on /dev/shm partition\\n\n      SCORED | 1.1.17 | PATCH | Ensure noexec option set on /dev/shm partition\"\n  mount:\n      name: /dev/shm\n      src: tmpfs\n      state: mounted\n      fstype: tmpfs\n      opts: \"defaults,nodev,nosuid,noexec\"\n  when:\n      - ubuntu1804cis_rule_1_1_15\n      - ubuntu1804cis_rule_1_1_16\n      - ubuntu1804cis_rule_1_1_17\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_1.1.15\n      - rule_1.1.16\n      - rule_1.1.17\n\n- name: \"NOTSCORED | 1.1.18 | PATCH | Ensure nodev option set on removable media partitions\"\n  command: /bin/true\n  changed_when: false\n  when:\n      - 
ubuntu1804cis_rule_1_1_18\n  tags:\n      - level1\n      - notscored\n      - patch\n      - rule_1.1.18\n      - notimplemented\n\n- name: \"NOTSCORED | 1.1.19 | PATCH | Ensure nosuid option set on removable media partitions\"\n  command: /bin/true\n  changed_when: false\n  when:\n      - ubuntu1804cis_rule_1_1_19\n  tags:\n      - level1\n      - notscored\n      - patch\n      - rule_1.1.19\n      - notimplemented\n\n- name: \"NOTSCORED | 1.1.20 | PATCH | Ensure noexec option set on removable media partitions\"\n  command: /bin/true\n  changed_when: false\n  when:\n      - ubuntu1804cis_rule_1_1_20\n  tags:\n      - level1\n      - notscored\n      - patch\n      - rule_1.1.20\n      - notimplemented\n\n- name: \"SCORED | 1.1.21 | PATCH | Ensure sticky bit is set on all world-writable directories\"\n  shell: |\n      set -o pipefail;\n      df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t\n  args:\n      executable: /bin/bash\n  changed_when: false\n  failed_when: false\n  when:\n      - ubuntu1804cis_rule_1_1_21\n      # - sticky_bit_on_worldwritable_dirs_audit.rc == '0'\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_1.1.21\n\n- name: \"SCORED | 1.1.22 | PATCH | Disable Automounting\"\n  service:\n      name: autofs\n      enabled: false\n  when:\n      - not ubuntu1804cis_allow_autofs\n      - autofs_service_status.stdout == \"loaded\"\n      - ubuntu1804cis_rule_1_1_22\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_1.1.22\n\n- name: \"SCORED | 1.1.23 | PATCH | Disable USB Storage\"\n  lineinfile:\n      dest: /etc/modprobe.d/CIS.conf\n      regexp: \"^(#)?install usb-storage(\\\\s|$)\"\n      line: \"install usb-storage /bin/true\"\n      state: present\n      create: true\n  when:\n      - ubuntu1804cis_rule_1_1_23\n  tags:\n      - level1\n      - scored\n      - patch\n      - udf\n      - filesystems\n      - rule_1.1.23\n\n- name: 
\"SCORED | 1.1.23 | PATCH | Remove usb-storage module\"\n  modprobe:\n      name: usb-storage\n      state: absent\n  when:\n      - ubuntu1804cis_rule_1_1_23\n      - not ubuntu1804cis_skip_for_travis\n  tags:\n      - level1\n      - scored\n      - patch\n      - usb\n      - filesystems\n      - rule_1.1.23\n\n- name: \"NOTSCORED | 1.2.1 | PATCH | Ensure package manager repositories are configured\"\n  command: /bin/true\n  changed_when: false\n  when:\n      - ubuntu1804cis_rule_1_2_1\n  tags:\n      - level1\n      - notscored\n      - patch\n      - rule_1.2.1\n\n- name: \"NOTSCORED | 1.2.2 | PATCH | Ensure GPG keys are configured\"\n  command: /bin/true\n  changed_when: false\n  when:\n      - ubuntu1804cis_rule_1_2_2\n  tags:\n      - level1\n      - notscored\n      - patch\n      - rule_1.2.2\n      - notimplemented\n\n- name: \"SCORED | 1.3.1 | PATCH | Ensure sudo is installed\"\n  apt:\n      name:\n        - sudo\n      state: present\n      install_recommends: false\n  when:\n      - ubuntu1804cis_rule_1_3_1\n  tags:\n      - level1\n      - scored\n      - sudo\n      - patch\n      - rule_1.3.1\n\n- name: \"SCORED | 1.3.2 | PATCH | Ensure sudo commands use pty\"\n  lineinfile:\n    dest: /etc/sudoers\n    state: present\n    regexp: '^Defaults use_pty'\n    line: 'Defaults use_pty'\n    validate: 'visudo -cf %s'\n  when:\n      - ubuntu1804cis_rule_1_3_2\n  tags:\n      - level1\n      - scored\n      - sudo\n      - patch\n      - rule_1.3.2\n\n- name: \"SCORED | 1.3.3 | PATCH | Ensure sudo log file exists\"\n  lineinfile:\n    dest: /etc/sudoers\n    state: present\n    regexp: '^Defaults logfile.*'\n    line: 'Defaults logfile=\"/var/log/sudo.log\"'\n    validate: 'visudo -cf %s'\n  when:\n      - ubuntu1804cis_rule_1_3_3\n  tags:\n      - level1\n      - scored\n      - sudo\n      - patch\n      - rule_1.3.3\n\n- name: \"SCORED | 1.4.1 | PATCH | Ensure AIDE is installed (install nullmailer instead of postfix)\"\n  apt:\n      name:\n          
- nullmailer\n      state: present\n      install_recommends: false\n  when:\n      - ubuntu1804cis_rule_1_4_1\n      - not postfix_installed.rc == 0\n  tags:\n      - level1\n      - scored\n      - aide\n      - patch\n      - rule_1.4.1\n\n- name: \"SCORED | 1.4.1 | PATCH | Ensure AIDE is installed\"\n  apt:\n      name:\n          - aide\n          - aide-common\n      state: present\n      install_recommends: false\n  when:\n      - ubuntu1804cis_rule_1_4_1\n  tags:\n      - level1\n      - scored\n      - aide\n      - patch\n      - rule_1.4.1\n\n- name: \"SCORED | 1.4.1 | PATCH | Stat AIDE DB\"\n  stat: path=/var/lib/aide/aide.db\n  register: aide_db\n  tags:\n      - level1\n      - scored\n      - aide\n      - patch\n      - rule_1.4.1\n\n- name: \"SCORED | 1.4.1 | PATCH | Init AIDE | This may take a LONG time\"\n  command: /usr/sbin/aideinit\n  args:\n      creates: /var/lib/aide/aide.db\n  when:\n      - ubuntu1804cis_config_aide\n      - ubuntu1804cis_rule_1_4_1\n      - not aide_db.stat.exists\n      - not ubuntu1804cis_skip_for_travis\n  tags:\n      - level1\n      - scored\n      - aide\n      - patch\n      - rule_1.4.1\n\n- name: \"SCORED | 1.4.2 | PATCH | Ensure filesystem integrity is regularly checked\"\n  cron:\n      name: Run AIDE integrity check weekly\n      cron_file: \"{{ ubuntu1804cis_aide_cron['cron_file'] }}\"\n      user: \"{{ ubuntu1804cis_aide_cron['cron_user'] }}\"\n      minute: \"{{ ubuntu1804cis_aide_cron['aide_minute'] | default('0') }}\"\n      hour: \"{{ ubuntu1804cis_aide_cron['aide_hour'] | default('5') }}\"\n      day: \"{{ ubuntu1804cis_aide_cron['aide_day'] | default('*') }}\"\n      month: \"{{ ubuntu1804cis_aide_cron['aide_month'] | default('*') }}\"\n      weekday: \"{{ ubuntu1804cis_aide_cron['aide_weekday'] | default('*') }}\"\n      job: \"{{ ubuntu1804cis_aide_cron['aide_job'] }}\"\n  when:\n      - ubuntu1804cis_rule_1_4_2\n  tags:\n      - level1\n      - scored\n      - aide\n      - file_integrity\n      - 
patch\n      - rule_1.4.2\n\n- name: \"SCORED | 1.5.1 | PATCH | Ensure permissions on bootloader config are configured for grub.cfg\"\n  file:\n      path: \"/boot/grub/grub.cfg\"\n      owner: root\n      group: root\n      mode: 0400\n  when:\n      - ansible_os_family == \"Debian\"\n      - ubuntu1804cis_rule_1_5_1\n  tags:\n      - level1\n      - scored\n      - grub\n      - patch\n      - rule_1.5.1\n\n- name: \"SCORED | 1.5.1 | PATCH | Ensure permissions on bootloader config are configured for grub.conf\"\n  file:\n      path: \"/boot/grub/grub.conf\"\n      owner: root\n      group: root\n      mode: 0400\n  when:\n      - ansible_os_family == \"Debian\"\n      - ubuntu1804cis_rule_1_5_1\n      - grub_conf.stat.exists\n  tags:\n      - level1\n      - scored\n      - grub\n      - patch\n      - rule_1.5.1\n\n- name: \"SCORED | 1.5.1 | PATCH | Ensure permissions on bootloader config are configured for menu.lst\"\n  file:\n      path: \"/boot/grub/menu.lst\"\n      owner: root\n      group: root\n      mode: 0400\n  when:\n      - ansible_os_family == \"Debian\"\n      - ubuntu1804cis_rule_1_5_1\n      - menu_lst.stat.exists\n  tags:\n      - level1\n      - scored\n      - grub\n      - patch\n      - rule_1.5.1\n\n- name: \"SCORED | 1.5.2 | PATCH | Ensure bootloader password is set - generate password\"\n  shell: \"set -o pipefail;\n        if [ '{{ ubuntu1804cis_bootloader_password }}' == 'random' ];\n        then PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c12); else PASSWORD='{{ ubuntu1804cis_bootloader_password }}';\n        fi;\n        echo -e \\\"$PASSWORD\\n$PASSWORD\\\" | grub-mkpasswd-pbkdf2 | awk '/grub.pbkdf/{print$NF}'\"\n  register: grub_pass\n  args:\n      executable: /bin/bash\n  when:\n      - ubuntu1804cis_set_boot_pass\n      - ubuntu1804cis_rule_1_5_2\n  tags:\n      - level1\n      - scored\n      - grub\n      - patch\n      - rule_1.5.2\n      - notimplemented\n\n- name: \"SCORED | 1.5.2 | PATCH | Ensure bootloader 
password is set - generate config\"\n  copy:\n      dest: /etc/grub.d/00_password\n      content: \"cat << EOF\\nset superusers=\\\"root\\\"\\npassword_pbkdf2 root {{ grub_pass.stdout }}\\nEOF\"\n      owner: root\n      group: root\n      mode: 0755\n  notify: generate new grub config\n  when:\n      - ubuntu1804cis_set_boot_pass and grub_pass is defined and grub_pass.stdout is defined and grub_pass.stdout | length >0\n      - ubuntu1804cis_rule_1_5_2\n  tags:\n      - level1\n      - scored\n      - grub\n      - patch\n      - rule_1.5.2\n\n- name: \"SCORED | 1.5.2 | PATCH | Ensure bootloader password is set - disable password for system boot\"\n  replace:\n      path: /etc/grub.d/10_linux\n      regexp: '--class os\"'\n      replace: '--class os --unrestricted\"'\n  notify: generate new grub config\n  when:\n      - ubuntu1804cis_set_boot_pass\n      - ubuntu1804cis_rule_1_5_2\n      - ubuntu1804cis_rule_1_5_2_disable_password\n  tags:\n      - level1\n      - scored\n      - grub\n      - patch\n      - rule_1.5.2\n\n- name: \"SCORED | 1.5.3 | PATCH | Ensure authentication required for single user mode\"\n  shell: \"set -o pipefail;\n          if [ '{{ ubuntu1804cis_root_password }}' == 'random' ];\n          then PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c24); else PASSWORD='{{ ubuntu1804cis_root_password }}';\n          fi;\n          echo \\\"root:$PASSWORD\\\" | chpasswd\"\n  args:\n      executable: /bin/bash\n  when:\n      - ubuntu1804cis_rule_1_5_3\n      - current_root_password.stdout | length > 0\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_1.5.3\n      - notimplemented\n\n- name: \"NOTSCORED | 1.5.4 | PATCH | Ensure interactive boot is not enabled\"\n  command: /bin/true\n  changed_when: false\n  when:\n      - ubuntu1804cis_rule_1_5_4\n  tags:\n      - level1\n      - notscored\n      - patch\n      - rule_1.5.4\n      - notimplemented\n\n- name: \"SCORED | 1.6.1 | PATCH | Ensure XD/NX support is enabled\"\n  
shell: |\n      set -o pipefail;\n      dmesg | grep -E \"NX|XD\" | grep \" active\"\n  args:\n      executable: /bin/bash\n  changed_when: false\n  when:\n      - ubuntu1804cis_rule_1_6_1\n      - not ubuntu1804cis_skip_for_travis\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_1.6.1\n\n- name: \"SCORED | 1.6.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled\"\n  sysctl:\n      name: kernel.randomize_va_space\n      value: \"2\"\n      state: present\n      reload: true\n      sysctl_set: true\n      ignoreerrors: true\n  when:\n      - ubuntu1804cis_rule_1_6_2\n  tags:\n      - level1\n      - scored\n      - patch\n      - sysctl\n      - rule_1.6.2\n\n- name: \"SCORED | 1.6.3 | PATCH | Ensure prelink is disabled\"\n  command: prelink -ua\n  when:\n      - prelink_installed.rc == 0\n      - ubuntu1804cis_rule_1_6_3\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_1.6.3\n\n- name: \"SCORED | 1.6.3 | PATCH | Ensure prelink is disabled\"\n  apt:\n      name: prelink\n      state: absent\n  when:\n      - ubuntu1804cis_rule_1_6_3\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_1.6.3\n\n- name: \"SCORED | 1.6.4 | PATCH | Ensure core dumps are restricted\"\n  sysctl:\n      name: fs.suid_dumpable\n      value: \"0\"\n      state: present\n      reload: true\n      sysctl_set: true\n      ignoreerrors: true\n  when:\n      - ubuntu1804cis_rule_1_6_4\n  tags:\n      - level1\n      - scored\n      - sysctl\n      - patch\n      - rule_1.6.4\n\n- name: \"SCORED | 1.6.4 | PATCH | Ensure systemd-coredump is installed\"\n  apt:\n    name: systemd-coredump\n    state: present\n  notify: restart systemd-coredump\n  when:\n      - ubuntu1804cis_rule_1_6_4\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_1.6.4\n\n- name: \"SCORED | 1.6.4 | PATCH | Ensure hard core 0 is set\"\n  lineinfile:\n    dest: /etc/security/limits.conf\n    line: '*                hard    core      
      0'\n    regexp: '(^#)?\\*\\s+hard\\s+core\\s+[0-9]+'\n    state: present\n    create: true\n    insertbefore: \"# End of file\"\n  notify: restart systemd-coredump\n  when:\n      - ubuntu1804cis_rule_1_6_4\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_1.6.4\n\n- name: \"SCORED | 1.7.1.1 | PATCH | Ensure AppArmor is installed\"\n  apt:\n      name:\n        - apparmor\n        - apparmor-utils\n      state: present\n  when:\n      - ubuntu1804cis_rule_1_7_1_1\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_1.7.1.1\n\n- name: \"SCORED | 1.7.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration\"\n  block:\n      - name: \"SCORED | 1.7.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration\"\n        replace:\n            dest: /etc/default/grub\n            regexp: '^(GRUB_CMDLINE_LINUX=(?!.*apparmor)\\\"[^\\\"]*)(\\\".*)'\n            replace: '\\1 apparmor=1 security=apparmor\\2'\n        notify:\n            - generate new grub config\n\n      - name: \"SCORED | 1.7.1.2 | PATCH | Ensure AppArmor Security is enabled in the bootloader configuration\"\n        replace:\n            dest: /etc/default/grub\n            regexp: '^(GRUB_CMDLINE_LINUX=(?!.*security)\\\"[^\\\"]*)(\\\".*)'\n            replace: '\\1 security=apparmor\\2'\n        notify:\n            - generate new grub config\n  when:\n      - ubuntu1804cis_rule_1_7_1_2\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_1.7.1.2\n\n- name: \"SCORED | 1.7.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode\"\n  command: /bin/true\n  changed_when: false\n  when:\n      - ubuntu1804cis_rule_1_7_1_3\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_1.7.1.3\n      - notimplemented\n\n- name: \"SCORED | 1.7.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing\"\n  command: /bin/true\n  changed_when: false\n  when:\n      - 
ubuntu1804cis_rule_1_7_1_4\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_1.7.1.4\n      - notimplemented\n\n- name: \"SCORED | 1.8.1.1 | PATCH | Ensure message of the day is configured properly\"\n  template:\n      src: etc/motd.j2\n      dest: /etc/motd\n  when:\n      - ubuntu1804cis_rule_1_8_1_1\n  tags:\n      - level1\n      - scored\n      - patch\n      - banner\n      - rule_1.8.1.1\n\n- name: \"SCORED | 1.8.1.2 | PATCH | Ensure local login warning banner is configured properly\"\n  template:\n      src: etc/issue.j2\n      dest: /etc/issue\n  when:\n      - ubuntu1804cis_rule_1_8_1_2\n  tags:\n      - level1\n      - scored\n      - patch\n      - banner\n      - rule_1.8.1.2\n\n- name: \"SCORED | 1.8.1.3 | PATCH | Ensure remote login warning banner is configured properly\"\n  template:\n      src: etc/issue.net.j2\n      dest: /etc/issue.net\n  when:\n      - ubuntu1804cis_rule_1_8_1_3\n  tags:\n      - level1\n      - scored\n      - patch\n      - banner\n      - rule_1.8.1.3\n\n- name: \"SCORED | 1.8.1.4 | PATCH | Ensure permissions on /etc/motd are configured\"\n  file:\n      dest: /etc/motd\n      state: file\n      owner: root\n      group: root\n      mode: 0644\n  when:\n      - ubuntu1804cis_rule_1_8_1_4\n  tags:\n      - level1\n      - scored\n      - patch\n      - perms\n      - rule_1.8.1.4\n\n- name: \"SCORED | 1.8.1.5 | PATCH | Ensure permissions on /etc/issue are configured\"\n  file:\n      dest: /etc/issue\n      state: file\n      owner: root\n      group: root\n      mode: 0644\n  when:\n      - ubuntu1804cis_rule_1_8_1_5\n  tags:\n      - level1\n      - scored\n      - patch\n      - perms\n      - rule_1.8.1.5\n\n- name: \"SCORED | 1.8.1.6 | PATCH | Ensure permissions on /etc/issue.net are configured\"\n  file:\n      dest: /etc/issue.net\n      state: file\n      owner: root\n      group: root\n      mode: 0644\n  when:\n      - ubuntu1804cis_rule_1_8_1_6\n  tags:\n      - level1\n      - scored\n      - 
patch\n      - perms\n      - rule_1.8.1.6\n\n- name: \"SCORED | 1.8.2 | PATCH | Ensure GDM login banner is configured\"\n  lineinfile:\n      dest: \"{{ item.file }}\"\n      regexp: \"{{ item.regexp }}\"\n      line: \"{{ item.line }}\"\n      state: present\n      create: true\n      owner: root\n      group: root\n      mode: 0644\n  with_items:\n      - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' }\n      - { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' }\n      - { file: '/etc/dconf/profile/gdm', regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults' }\n      - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: '\\[org\\/gnome\\/login-screen\\]', line: '[org/gnome/login-screen]' }\n      - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-enable', line: 'banner-message-enable=true' }\n      - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-text', line: \"banner-message-text='{{ ubuntu1804cis_warning_banner }}'\" }\n  when:\n      - ubuntu1804cis_gui\n      - ubuntu1804cis_rule_1_8_2\n  tags:\n      - level1\n      - scored\n      - patch\n      - banner\n      - rule_1.8.2\n\n- name: \"NOTSCORED | 1.9 | PATCH | Ensure updates, patches, and additional security software are installed\"\n  apt:\n      upgrade: dist\n  when:\n      - ubuntu1804cis_apply_upgrades\n  tags:\n      - level1\n      - notscored\n      - patch\n      - rule_1.9\n      - skip_ansible_lint\n"
  },
  {
    "path": "tasks/section2.yml",
    "content": "---\n- name: \"SCORED | 2.1.1 | PATCH | Ensure chargen services are not enabled | chargen-dgram,chargen-stream\"\n  block:\n      - name: \"SCORED | 2.1.1 | PATCH | Ensure chargen services are not enabled | chargen-dgram\"\n        stat:\n            path: /etc/xinetd.d/chargen-dgram\n        register: chargen_dgram_service\n\n      - name: \"SCORED | 2.1.1 | PATCH | Ensure chargen services are not enabled | chargen-dgram\"\n        service:\n            name: chargen-dgram\n            enabled: no\n        notify: restart xinetd\n        when:\n            - chargen_dgram_service.stat.exists\n\n      - name: \"SCORED | 2.1.1 | PATCH | Ensure chargen services are not enabled | chargen-stream\"\n        stat:\n            path: /etc/xinetd.d/chargen-stream\n        register: chargen_stream_service\n\n      - name: \"SCORED | 2.1.1 | PATCH | Ensure chargen services are not enabled | chargen-stream\"\n        service:\n            name: chargen-stream\n            enabled: no\n        notify: restart xinetd\n        when:\n            - chargen_stream_service.stat.exists\n  when:\n      - ubuntu1804cis_rule_2_1_1\n  tags:\n      - level1\n      - scored\n      - services\n      - patch\n      - rule_2.1.1\n      - skip_ansible_lint\n\n- name: \"SCORED | 2.1.2 | PATCH | Ensure daytime services are not enabled | daytime-dgram,daytime-stream\"\n  block:\n      - name: \"SCORED | 2.1.2 | PATCH | Ensure daytime services are not enabled | daytime-dgram\"\n        stat:\n            path: /etc/xinetd.d/daytime-dgram\n        register: daytime_dgram_service\n\n      - name: \"SCORED | 2.1.2 | PATCH | Ensure daytime services are not enabled | daytime-dgram\"\n        service:\n            name: daytime-dgram\n            enabled: no\n        notify: restart xinetd\n        when:\n            - daytime_dgram_service.stat.exists\n\n      - name: \"SCORED | 2.1.2 | PATCH | Ensure daytime services are not enabled | daytime-stream\"\n        stat:\n            path: 
/etc/xinetd.d/daytime-stream\n        register: daytime_stream_service\n\n      - name: \"SCORED | 2.1.2 | PATCH | Ensure daytime services are not enabled | daytime-stream\"\n        service:\n            name: daytime-stream\n            enabled: no\n        notify: restart xinetd\n        when:\n            - daytime_stream_service.stat.exists\n  when:\n      - ubuntu1804cis_rule_2_1_2\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_2.1.2\n      - skip_ansible_lint\n\n- name: \"SCORED | 2.1.3 | PATCH | Ensure discard services are not enabled | discard-dgram,discard-stream\"\n  block:\n      - name: \"SCORED | 2.1.3 | PATCH | Ensure discard services are not enabled | discard-dgram\"\n        stat:\n            path: /etc/xinetd.d/discard-dgram\n        register: discard_dgram_service\n\n      - name: \"SCORED | 2.1.3 | PATCH | Ensure discard services are not enabled | discard-dgram\"\n        service:\n            name: discard-dgram\n            enabled: no\n        notify: restart xinetd\n        when:\n            - discard_dgram_service.stat.exists\n\n      - name: \"SCORED | 2.1.3 | PATCH | Ensure discard services are not enabled | discard-stream\"\n        stat:\n            path: /etc/xinetd.d/discard-stream\n        register: discard_stream_service\n\n      - name: \"SCORED | 2.1.3 | PATCH | Ensure discard services are not enabled | discard-stream\"\n        service:\n            name: discard-stream\n            enabled: no\n        notify: restart xinetd\n        when:\n            - discard_stream_service.stat.exists\n  when:\n      - ubuntu1804cis_rule_2_1_3\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_2.1.3\n      - skip_ansible_lint\n\n- name: \"SCORED | 2.1.4 | PATCH | Ensure echo services are not enabled | echo-dgram,echo-stream\"\n  block:\n      - name: \"SCORED | 2.1.4 | PATCH | Ensure echo services are not enabled | echo-dgram\"\n        stat:\n            path: /etc/xinetd.d/echo-dgram\n        
register: echo_dgram_service\n\n      - name: \"SCORED | 2.1.4 | PATCH | Ensure echo services are not enabled | echo-dgram\"\n        service:\n            name: echo-dgram\n            enabled: no\n        notify: restart xinetd\n        when:\n            - echo_dgram_service.stat.exists\n\n      - name: \"SCORED | 2.1.4 | PATCH | Ensure echo services are not enabled | echo-stream\"\n        stat:\n            path: /etc/xinetd.d/echo-stream\n        register: echo_stream_service\n\n      - name: \"SCORED | 2.1.4 | PATCH | Ensure echo services are not enabled | echo-stream\"\n        service:\n            name: echo-stream\n            enabled: no\n        notify: restart xinetd\n        when:\n            - echo_stream_service.stat.exists\n  when:\n      - ubuntu1804cis_rule_2_1_4\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_2.1.4\n      - skip_ansible_lint\n\n- name: \"SCORED | 2.1.5 | PATCH | Ensure time services are not enabled | time-dgram,time-stream\"\n  block:\n      - name: \"SCORED | 2.1.5 | PATCH | Ensure time services are not enabled | time-dgram\"\n        stat:\n            path: /etc/xinetd.d/time-dgram\n        register: time_dgram_service\n\n      - name: \"SCORED | 2.1.5 | PATCH | Ensure time services are not enabled | time-dgram\"\n        service:\n            name: time-dgram\n            enabled: no\n        notify: restart xinetd\n        when:\n            - time_dgram_service.stat.exists\n\n      - name: \"SCORED | 2.1.5 | PATCH | Ensure time services are not enabled | time-stream\"\n        stat:\n            path: /etc/xinetd.d/time-stream\n        register: time_stream_service\n\n      - name: \"SCORED | 2.1.5 | PATCH | Ensure time services are not enabled | time-stream\"\n        service:\n            name: time-stream\n            enabled: no\n        notify: restart xinetd\n        when:\n            - time_stream_service.stat.exists\n  when:\n      - ubuntu1804cis_rule_2_1_5\n  tags:\n      - level1\n      
- scored\n      - patch\n      - rule_2.1.5\n      - skip_ansible_lint\n\n- name: \"SCORED | 2.1.6 | PATCH | Ensure rsh server is not enabled | rsh, rlogin, rexec\"\n  block:\n      - name: \"SCORED | 2.1.6 | PATCH | Ensure rsh server is not enabled | rsh\"\n        service:\n          name: rsh.socket\n          state: stopped\n          enabled: false\n        when:\n          - not ubuntu1804cis_rsh_server\n          - rsh_service_status.stdout == \"loaded\"\n          - ubuntu1804cis_rule_2_1_6\n\n      - name: \"SCORED | 2.1.6 | PATCH | Ensure rsh server is not enabled | rlogin\"\n        service:\n          name: rlogin.socket\n          state: stopped\n          enabled: false\n        when:\n          - not ubuntu1804cis_rsh_server\n          - rlogin_service_status.stdout == \"loaded\"\n          - ubuntu1804cis_rule_2_1_6\n\n      - name: \"SCORED | 2.1.6 | PATCH | Ensure rsh server is not enabled | rexec\"\n        service:\n          name: rexec.socket\n          state: stopped\n          enabled: false\n        when:\n          - not ubuntu1804cis_rsh_server\n          - rexec_service_status.stdout == \"loaded\"\n          - ubuntu1804cis_rule_2_1_6\n  tags:\n    - level1\n    - scored\n    - patch\n    - rule_2.1.6\n\n- name: \"SCORED | 2.1.7 | PATCH | Ensure talk server is not enabled\"\n  service:\n    name: ntalk\n    state: stopped\n    enabled: false\n  when:\n    - not ubuntu1804cis_ntalk_server\n    - ntalk_service_status.stdout == \"loaded\"\n    - ubuntu1804cis_rule_2_1_7\n  tags:\n    - level1\n    - scored\n    - patch\n    - rule_2.1.7\n\n- name: \"SCORED | 2.1.8 | PATCH | Ensure telnet server is not enabled\"\n  service:\n    name: telnetd\n    state: stopped\n    enabled: false\n  when:\n    - not ubuntu1804cis_telnet_server\n    - telnet_service_status.stdout == \"loaded\"\n    - ubuntu1804cis_rule_2_1_8\n  tags:\n    - level1\n    - scored\n    - patch\n    - rule_2.1.8\n\n- name: \"SCORED | 2.1.9 | PATCH | Ensure tftp server is not 
enabled\"\n  service:\n    name: tftpd-hpa\n    state: stopped\n    enabled: no\n  when:\n      - not ubuntu1804cis_tftp_server\n      - ubuntu1804cis_rule_2_1_9\n      - tftp_service_status.stdout == \"loaded\"\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_2.1.9\n\n- name: \"SCORED | 2.1.10 | PATCH | Ensure xinetd is not enabled\"\n  service:\n      name: xinetd\n      state: stopped\n      enabled: false\n  when:\n      - xinetd_service_status.stdout == \"loaded\"\n      - not ubuntu1804cis_xinetd_required\n      - ubuntu1804cis_rule_2_1_10\n  tags:\n      - level1\n      - patch\n      - scored\n      - rule_2.1.10\n\n- name: \"SCORED | 2.1.11 | PATCH | Ensure openbsd-inetd is not installed\"\n  apt:\n    name: openbsd-inetd\n    state: absent\n  when:\n    - openbsd_inetd_service_status.stdout == \"ok installed\"\n    - ubuntu1804cis_rule_2_1_11\n  tags:\n    - level1\n    - patch\n    - scored\n    - rule_2.1.11\n\n- name: \"SCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use\"\n  block:\n      - name: \"SCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - service install\"\n        apt:\n            name: \"{{ ubuntu1804cis_time_synchronization }}\"\n            state: present\n            install_recommends: false\n\n      - name: \"SCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - service start\"\n        service:\n            name: \"{{ ubuntu1804cis_time_synchronization }}\"\n            state: started\n            enabled: true\n\n      - name: \"SCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - service stop ntp\"\n        service:\n            name: \"{{ ntp_service[ansible_os_family] }}\"\n            state: stopped\n            enabled: false\n        when:\n            - ubuntu1804cis_time_synchronization == \"chrony\"\n            - ntpd_service_status.stdout == \"loaded\"\n\n      - name: \"SCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - service 
stop chrony\"\n        service:\n            name: chronyd\n            state: stopped\n            enabled: false\n        ignore_errors: true\n        when:\n            - ubuntu1804cis_time_synchronization == \"ntp\"\n            - chronyd_service_status.stdout == \"loaded\"\n\n      - name: \"SCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - mask systemd-timesyncd\"\n        systemd:\n          name: systemd-timesyncd\n          enabled: no\n          masked: yes\n        when:\n          - ubuntu1804cis_time_synchronization == \"ntp\"\n          - systemd_timesyncd_service_status.stdout == \"loaded\"\n\n  when:\n      - ubuntu1804cis_rule_2_2_1_1\n  tags:\n      - level1\n      - scored\n      - ntp\n      - chrony\n      - patch\n      - rule_2.2.1.1\n\n- name: \"NOTSCORED | 2.2.1.2 | PATCH | Ensure systemd-timesyncd is configured\"\n  command: /bin/true\n  changed_when: false\n  when:\n      - ubuntu1804cis_rule_2_2_1_2\n  tags:\n      - level1\n      - notscored\n      - patch\n      - rule_2.2.1.2\n      - notimplemented\n\n- name: \"SCORED | 2.2.1.3 | PATCH | Ensure chrony is configured\"\n  block:\n      - name: \"SCORED | 2.2.1.3 | PATCH | Ensure chrony is configured | create chrony.conf\"\n        template:\n            src: chrony.conf.j2\n            dest: \"{{ chrony_config_file[ansible_os_family] }}\"\n            owner: root\n            group: root\n            mode: 0644\n\n      - name: \"SCORED | 2.2.1.3 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd\"\n        lineinfile:\n            dest: /etc/sysconfig/chronyd\n            regexp: \"^(#)?OPTIONS\"\n            line: \"OPTIONS=\\\"-u chrony\\\"\"\n            state: present\n            create: true\n  when:\n      - ubuntu1804cis_time_synchronization == \"chrony\"\n      - ubuntu1804cis_rule_2_2_1_3\n  tags:\n      - level1\n      - scored\n      - chrony\n      - patch\n      - rule_2.2.1.3\n\n- name: \"SCORED | 2.2.1.4 | PATCH | Ensure ntp is 
configured\"\n  block:\n      - name: \"SCORED | 2.2.1.4 | PATCH | Ensure ntp is configured | modify /etc/ntp.conf\"\n        template:\n            src: ntp.conf.j2\n            dest: /etc/ntp.conf\n            owner: root\n            group: root\n            mode: 0644\n\n      - name: \"SCORED | 2.2.1.4 | PATCH | Ensure ntp is configured | modify /etc/init.d/ntp\"\n        lineinfile:\n            dest: /etc/init.d/ntp\n            regexp: \"^RUNASUSER\"\n            line: \"RUNASUSER=ntp\"\n  when:\n      - ubuntu1804cis_time_synchronization == \"ntp\"\n      - ubuntu1804cis_rule_2_2_1_4\n  tags:\n      - level1\n      - scored\n      - ntp\n      - patch\n      - rule_2.2.1.4\n\n- name: \"SCORED | 2.2.2 | PATCH | Ensure X Window System is not installed\"\n  apt:\n      name:\n        - \"xorg\"\n        - \"x11*\"\n      state: absent\n  when:\n      - not ubuntu1804cis_xwindows_required\n      - ubuntu1804cis_rule_2_2_2\n  tags:\n      - level1\n      - scored\n      - xwindows\n      - patch\n      - rule_2.2.2\n\n- name: \"SCORED | 2.2.3 | PATCH | Ensure Avahi Server is not enabled\"\n  service:\n      name: avahi-daemon\n      state: stopped\n      enabled: false\n  when:\n      - not ubuntu1804cis_avahi_server\n      - avahi_service_status.stdout == \"loaded\"\n      - ubuntu1804cis_rule_2_2_3\n  tags:\n      - level1\n      - scored\n      - avahi\n      - services\n      - patch\n      - rule_2.2.3\n\n- name: \"SCORED | 2.2.4 | PATCH | Ensure CUPS is not enabled\"\n  service:\n      name: cups\n      state: stopped\n      enabled: false\n  when:\n      - not ubuntu1804cis_cups_server\n      - cups_service_status.stdout == \"loaded\"\n      - ubuntu1804cis_rule_2_2_4\n  tags:\n      - level1\n      - scored\n      - cups\n      - services\n      - patch\n      - rule_2.2.4\n\n- name: \"SCORED | 2.2.5 | PATCH | Ensure DHCP Server is not enabled\"\n  service:\n      name: dhcpd\n      state: stopped\n      enabled: false\n  when:\n      - not 
ubuntu1804cis_dhcp_server\n      - dhcpd_service_status.stdout == \"loaded\"\n      - ubuntu1804cis_rule_2_2_5\n  tags:\n      - level1\n      - scored\n      - dhcp\n      - services\n      - patch\n      - rule_2.2.5\n\n- name: \"SCORED | 2.2.6 | PATCH | Ensure LDAP server is not enabled\"\n  service:\n      name: slapd\n      state: stopped\n      enabled: false\n  when:\n      - not ubuntu1804cis_ldap_server\n      - slapd_service_status.stdout == \"loaded\"\n      - ubuntu1804cis_rule_2_2_6\n  tags:\n      - level1\n      - scored\n      - ldap\n      - services\n      - patch\n      - rule_2.2.6\n\n- name: \"SCORED | 2.2.7 | PATCH | Ensure NFS and RPC are not enabled\"\n  service:\n      name: nfs\n      state: stopped\n      enabled: false\n  when:\n      - not ubuntu1804cis_nfs_rpc_server\n      - nfs_service_status.stdout == \"loaded\"\n      - ubuntu1804cis_rule_2_2_7\n  tags:\n      - level1\n      - scored\n      - nfs\n      - rpc\n      - services\n      - patch\n      - rule_2.2.7\n\n- name: \"SCORED | 2.2.7 | PATCH | Ensure RPC is not enabled\"\n  service:\n      name: rpcbind\n      state: stopped\n      enabled: false\n  when:\n      - not ubuntu1804cis_nfs_rpc_server\n      - rpcbind_service_status.stdout == \"loaded\"\n      - ubuntu1804cis_rule_2_2_7\n  tags:\n      - level1\n      - scored\n      - nfs\n      - rpc\n      - services\n      - patch\n      - rule_2.2.7\n\n- name: \"SCORED | 2.2.8 | PATCH | Ensure DNS Server is not enabled\"\n  service:\n      name: named\n      state: stopped\n      enabled: false\n  when:\n      - not ubuntu1804cis_named_server\n      - named_service_status.stdout == \"loaded\"\n      - ubuntu1804cis_rule_2_2_8\n  tags:\n      - level1\n      - scored\n      - dns\n      - services\n      - patch\n      - rule_2.2.8\n\n- name: \"SCORED | 2.2.9 | PATCH | Ensure FTP Server is not enabled\"\n  service:\n      name: vsftpd\n      state: stopped\n      enabled: false\n  when:\n      - not 
ubuntu1804cis_vsftpd_server\n      - vsftpd_service_status.stdout == \"loaded\"\n      - ubuntu1804cis_rule_2_2_9\n  tags:\n      - level1\n      - scored\n      - ftp\n      - services\n      - patch\n      - rule_2.2.9\n\n- name: \"SCORED | 2.2.10 | PATCH | Ensure HTTP server is not enabled\"\n  service:\n      name: apache2\n      state: stopped\n      enabled: false\n  when:\n      - not ubuntu1804cis_httpd_server\n      - httpd_service_status.stdout == \"loaded\"\n      - ubuntu1804cis_rule_2_2_10\n  tags:\n      - level1\n      - scored\n      - http\n      - services\n      - patch\n      - rule_2.2.10\n\n- name: \"SCORED | 2.2.11 | PATCH | Ensure IMAP and POP3 server is not enabled\"\n  service:\n      name: dovecot\n      state: stopped\n      enabled: false\n  when:\n      - not ubuntu1804cis_dovecot_server\n      - dovecot_service_status.stdout == \"loaded\"\n      - ubuntu1804cis_rule_2_2_11\n  tags:\n      - level1\n      - scored\n      - imap\n      - pop3\n      - services\n      - patch\n      - rule_2.2.11\n\n- name: \"SCORED | 2.2.12 | PATCH | Ensure Samba is not enabled\"\n  service:\n      name: smbd\n      state: stopped\n      enabled: false\n  when:\n      - not ubuntu1804cis_smb_server\n      - smb_service_status.stdout == \"loaded\"\n      - ubuntu1804cis_rule_2_2_12\n  tags:\n      - level1\n      - scored\n      - samba\n      - services\n      - patch\n      - rule_2.2.12\n\n- name: \"SCORED | 2.2.13 | PATCH | Ensure HTTP Proxy Server is not enabled\"\n  service:\n      name: squid\n      state: stopped\n      enabled: false\n  when:\n      - not ubuntu1804cis_squid_server\n      - squid_service_status.stdout == \"loaded\"\n      - ubuntu1804cis_rule_2_2_13\n  tags:\n      - level1\n      - scored\n      - http_proxy\n      - services\n      - patch\n      - rule_2.2.13\n\n- name: \"SCORED | 2.2.14 | PATCH | Ensure SNMP Server is not enabled\"\n  service:\n      name: snmpd\n      state: stopped\n      enabled: false\n  when:\n      - 
not ubuntu1804cis_snmp_server\n      - snmpd_service_status.stdout == \"loaded\"\n      - ubuntu1804cis_rule_2_2_14\n  tags:\n      - level1\n      - scored\n      - snmp\n      - services\n      - patch\n      - rule_2.2.14\n\n- name: \"SCORED | 2.2.15 | PATCH | Ensure mail transfer agent is configured for local-only mode\"\n  lineinfile:\n      dest: /etc/postfix/main.cf\n      regexp: \"^(#)?inet_interfaces\"\n      line: \"inet_interfaces = localhost\"\n  when:\n      - not ubuntu1804cis_is_mail_server\n      - postfix_installed.rc == 0\n      - ubuntu1804cis_rule_2_2_15\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_2.2.15\n\n- name: \"SCORED | 2.2.16 | PATCH | Ensure rsync service is not enabled \"\n  service:\n    name: rsync\n    state: stopped\n    enabled: false\n  when:\n    - not ubuntu1804cis_rsyncd_server\n    - rsyncd_service_status.stdout == \"loaded\"\n    - ubuntu1804cis_rule_2_2_16\n  tags:\n    - level1\n    - scored\n    - rsync\n    - services\n    - patch\n    - rule_2.2.16\n\n- name: \"SCORED | 2.2.17 | PATCH | Ensure NIS Server is not enabled\"\n  service:\n      name: nis\n      state: stopped\n      enabled: false\n  when:\n      - not ubuntu1804cis_nis_server\n      - ypserv_service_status.stdout == \"loaded\"\n      - ubuntu1804cis_rule_2_2_17\n  tags:\n      - level1\n      - scored\n      - nis\n      - services\n      - patch\n      - rule_2.2.17\n\n- name: \"SCORED | 2.3.1 | PATCH | Ensure NIS Client is not installed\"\n  apt:\n      name: yp-tools\n      state: absent\n  when:\n      - not ubuntu1804cis_ypbind_required\n      - ubuntu1804cis_rule_2_3_1\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_2.3.1\n\n- name: \"SCORED | 2.3.2 | PATCH | Ensure rsh client is not installed\"\n  apt:\n      name: rsh\n      state: absent\n  when:\n      - not ubuntu1804cis_rsh_required\n      - ubuntu1804cis_rule_2_3_2\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_2.3.2\n\n- 
name: \"SCORED | 2.3.3 | PATCH | Ensure talk client is not installed\"\n  apt:\n      name: talk\n      state: absent\n  when:\n      - not ubuntu1804cis_talk_required\n      - ubuntu1804cis_rule_2_3_3\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_2.3.3\n\n- name: \"SCORED | 2.3.4 | PATCH | Ensure telnet client is not installed\"\n  apt:\n      name: telnet\n      state: absent\n  when:\n      - not ubuntu1804cis_telnet_required\n      - ubuntu1804cis_rule_2_3_4\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_2.3.4\n\n- name: \"SCORED | 2.3.5 | PATCH | Ensure LDAP client is not installed\"\n  apt:\n      name: ldap-utils\n      state: absent\n  when:\n      - not ubuntu1804cis_openldap_clients_required\n      - ubuntu1804cis_rule_2_3_5\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_2.3.5\n"
  },
  {
    "path": "tasks/section3.yml",
    "content": "---\n- name: \"SCORED | 3.1.1 | PATCH | Ensure packet redirect sending is disabled\"\n  sysctl:\n      name: '{{ item.name }}'\n      value: '{{ item.value }}'\n      sysctl_set: true\n      state: present\n      reload: true\n      ignoreerrors: true\n  with_items:\n      - { name: net.ipv4.conf.all.send_redirects, value: 0 }\n      - { name: net.ipv4.conf.default.send_redirects, value: 0 }\n  when:\n    - not ubuntu1804cis_is_router\n    - ubuntu1804cis_rule_3_1_1\n  notify:\n      - sysctl flush ipv4 route table\n  tags:\n      - level1\n      - scored\n      - patch\n      - sysctl\n      - rule_3.1.1\n\n- name: \"SCORED | 3.1.2 | PATCH | Ensure IP forwarding is disabled\"\n  block:\n      - name: \"SCORED | 3.1.2 | PATCH | Ensure IP forwarding is disabled | ipv4\"\n        sysctl:\n            name: net.ipv4.ip_forward\n            value: \"0\"\n            state: present\n            reload: true\n            ignoreerrors: true\n        notify:\n            - sysctl flush ipv4 route table\n\n      - name: \"SCORED | 3.1.2 | PATCH | Ensure IP forwarding is disabled | ipv6\"\n        sysctl:\n            name: net.ipv6.conf.all.forwarding\n            value: \"0\"\n            state: present\n            reload: true\n            ignoreerrors: true\n        when: ubuntu1804cis_ipv6_required\n        notify:\n            - sysctl flush ipv6 route table\n  when:\n    - not ubuntu1804cis_is_router\n    - ubuntu1804cis_rule_3_1_2\n  tags:\n      - level1\n      - scored\n      - patch\n      - sysctl\n      - rule_3.1.2\n\n- name: \"SCORED | 3.2.1 | PATCH | Ensure source routed packets are not accepted\"\n  block:\n      - name: \"SCORED | 3.2.1 | PATCH | Ensure source routed packets are not accepted | ipv4\"\n        sysctl:\n            name: '{{ item.name }}'\n            value: '{{ item.value }}'\n            sysctl_set: true\n            state: present\n            reload: true\n            ignoreerrors: true\n        with_items:\n            - 
{ name: net.ipv4.conf.all.accept_source_route, value: 0 }\n            - { name: net.ipv4.conf.default.accept_source_route, value: 0 }\n        notify:\n            - sysctl flush ipv4 route table\n\n      - name: \"SCORED | 3.2.1 | PATCH | Ensure source routed packets are not accepted | ipv6\"\n        sysctl:\n            name: '{{ item.name }}'\n            value: '{{ item.value }}'\n            sysctl_set: true\n            state: present\n            reload: true\n            ignoreerrors: true\n        with_items:\n            - { name: net.ipv6.conf.all.accept_source_route, value: 0 }\n            - { name: net.ipv6.conf.default.accept_source_route, value: 0 }\n        when:\n            - ubuntu1804cis_ipv6_required\n        notify:\n            - sysctl flush ipv6 route table\n  when:\n    - ubuntu1804cis_rule_3_2_1\n  tags:\n      - level1\n      - scored\n      - patch\n      - sysctl\n      - rule_3.2.1\n\n- name: \"SCORED | 3.2.2 | PATCH | Ensure ICMP redirects are not accepted | ipv4,ipv6\"\n  block:\n      - name: \"SCORED | 3.2.2 | PATCH | Ensure ICMP redirects are not accepted | ipv4\"\n        sysctl:\n            name: '{{ item.name }}'\n            value: '{{ item.value }}'\n            sysctl_set: true\n            state: present\n            reload: true\n            ignoreerrors: true\n        with_items:\n            - { name: net.ipv4.conf.all.accept_redirects, value: 0 }\n            - { name: net.ipv4.conf.default.accept_redirects, value: 0 }\n        notify:\n            - sysctl flush ipv4 route table\n\n      - name: \"SCORED | 3.2.2 | PATCH | Ensure ICMP redirects are not accepted | ipv6\"\n        sysctl:\n            name: '{{ item.name }}'\n            value: '{{ item.value }}'\n            sysctl_set: true\n            state: present\n            reload: true\n            ignoreerrors: true\n        with_items:\n            - { name: net.ipv6.conf.all.accept_redirects, value: 0 }\n            - { name: 
net.ipv6.conf.default.accept_redirects, value: 0 }\n        when:\n            - ubuntu1804cis_ipv6_required\n        notify:\n            - sysctl flush ipv6 route table\n  when:\n    - ubuntu1804cis_rule_3_2_2\n  tags:\n      - level1\n      - scored\n      - patch\n      - sysctl\n      - rule_3.2.2\n\n- name: \"SCORED | 3.2.3 | PATCH | Ensure secure ICMP redirects are not accepted\"\n  sysctl:\n      name: '{{ item.name }}'\n      value: '{{ item.value }}'\n      sysctl_set: true\n      state: present\n      reload: true\n      ignoreerrors: true\n  with_items:\n      - { name: net.ipv4.conf.all.secure_redirects, value: 0 }\n      - { name: net.ipv4.conf.default.secure_redirects, value: 0 }\n  when:\n    - ubuntu1804cis_rule_3_2_3\n  notify:\n      - sysctl flush ipv4 route table\n  tags:\n      - level1\n      - scored\n      - patch\n      - sysctl\n      - rule_3.2.3\n\n- name: \"SCORED | 3.2.4 | PATCH | Ensure suspicious packets are logged\"\n  sysctl:\n      name: '{{ item.name }}'\n      value: '{{ item.value }}'\n      sysctl_set: true\n      state: present\n      reload: true\n      ignoreerrors: true\n  with_items:\n      - { name: net.ipv4.conf.all.log_martians, value: 1 }\n      - { name: net.ipv4.conf.default.log_martians, value: 1 }\n  when:\n    - ubuntu1804cis_rule_3_2_4\n  notify:\n      - sysctl flush ipv4 route table\n  tags:\n      - level1\n      - scored\n      - patch\n      - sysctl\n      - rule_3.2.4\n\n- name: \"SCORED | 3.2.5 | PATCH | Ensure broadcast ICMP requests are ignored\"\n  sysctl:\n      name: net.ipv4.icmp_echo_ignore_broadcasts\n      value: \"1\"\n      state: present\n      reload: true\n      ignoreerrors: true\n  when:\n    - ubuntu1804cis_rule_3_2_5\n  notify:\n      - sysctl flush ipv4 route table\n  tags:\n      - level1\n      - scored\n      - patch\n      - sysctl\n      - rule_3.2.5\n\n- name: \"SCORED | 3.2.6 | PATCH | Ensure bogus ICMP responses are ignored\"\n  sysctl:\n      name: 
net.ipv4.icmp_ignore_bogus_error_responses\n      value: \"1\"\n      state: present\n      reload: true\n      ignoreerrors: true\n  when:\n    - ubuntu1804cis_rule_3_2_6\n  notify:\n      - sysctl flush ipv4 route table\n  tags:\n      - level1\n      - scored\n      - patch\n      - sysctl\n      - rule_3.2.6\n\n- name: \"SCORED | 3.2.7 | PATCH | Ensure Reverse Path Filtering is enabled\"\n  sysctl:\n      name: '{{ item.name }}'\n      value: '{{ item.value }}'\n      sysctl_set: true\n      state: present\n      reload: true\n      ignoreerrors: true\n  with_items:\n      - { name: net.ipv4.conf.all.rp_filter, value: 1 }\n      - { name: net.ipv4.conf.default.rp_filter, value: 1 }\n  when:\n    - ubuntu1804cis_rule_3_2_7\n  notify:\n      - sysctl flush ipv4 route table\n  tags:\n      - level1\n      - scored\n      - patch\n      - sysctl\n      - rule_3.2.7\n\n- name: \"SCORED | 3.2.8 | PATCH | Ensure TCP SYN Cookies is enabled\"\n  sysctl:\n      name: net.ipv4.tcp_syncookies\n      value: '1'\n      state: present\n      reload: true\n      ignoreerrors: true\n  when:\n    - ubuntu1804cis_rule_3_2_8\n  notify:\n      - sysctl flush ipv4 route table\n  tags:\n      - level1\n      - scored\n      - patch\n      - sysctl\n      - rule_3.2.8\n\n- name: \"SCORED | 3.2.9 | PATCH | Ensure IPv6 router advertisements are not accepted\"\n  sysctl:\n      name: '{{ item.name }}'\n      value: '{{ item.value }}'\n      state: present\n      reload: true\n      ignoreerrors: true\n  with_items:\n    - { name: net.ipv6.conf.all.accept_ra, value: 0 }\n    - { name: net.ipv6.conf.default.accept_ra, value: 0 }\n  when:\n    - ubuntu1804cis_ipv6_required\n    - ubuntu1804cis_rule_3_2_9\n  notify:\n      - sysctl flush ipv6 route table\n  tags:\n      - level1\n      - scored\n      - patch\n      - sysctl\n      - rule_3.2.9\n\n- name: \"NOTSCORED | 3.3.1 | PATCH | Ensure TCP Wrappers is installed\"\n  apt:\n      name: \"{{ tcp_wrapper_package[ansible_os_family] }}\"\n   
   state: present\n      install_recommends: false\n  when:\n      - ubuntu1804cis_setup_tcp_wrappers\n      - ubuntu1804cis_rule_3_3_1\n  tags:\n      - level1\n      - notscored\n      - patch\n      - rule_3.3.1\n\n- name: \"NOTSCORED | 3.3.2 | PATCH | Ensure /etc/hosts.allow is configured\"\n  template:\n      src: hosts.allow.j2\n      dest: /etc/hosts.allow\n  when:\n      - ubuntu1804cis_setup_tcp_wrappers\n      - ubuntu1804cis_rule_3_3_2\n  tags:\n      - level1\n      - notscored\n      - patch\n      - rule_3.3.2\n\n- name: \"NOTSCORED | 3.3.3 | PATCH | Ensure /etc/hosts.deny is configured\"\n  lineinfile:\n      dest: /etc/hosts.deny\n      regexp: \"^(#)?ALL\"\n      line: \"ALL: ALL\"\n  when:\n      - ubuntu1804cis_setup_tcp_wrappers\n      - ubuntu1804cis_rule_3_3_3\n  tags:\n      - level1\n      - notscored\n      - patch\n      - rule_3.3.3\n\n- name: \"SCORED | 3.3.4 | PATCH | Ensure permissions on /etc/hosts.allow are configured\"\n  template:\n      src: hosts.allow.j2\n      dest: /etc/hosts.allow\n      owner: root\n      group: root\n      mode: 0644\n  when:\n      - ubuntu1804cis_setup_tcp_wrappers\n      - ubuntu1804cis_rule_3_3_4\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_3.3.4\n\n- name: \"SCORED | 3.3.5 | PATCH | Ensure permissions on /etc/hosts.deny are configured\"\n  file:\n      dest: /etc/hosts.deny\n      owner: root\n      group: root\n      mode: 0644\n  when:\n      - ubuntu1804cis_setup_tcp_wrappers\n      - ubuntu1804cis_rule_3_3_5\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_3.3.5\n\n- name: \"SCORED | 3.4.1 | PATCH | Ensure DCCP is disabled\"\n  lineinfile:\n      dest: /etc/modprobe.d/CIS.conf\n      regexp: \"^(#)?install dccp(\\\\s|$)\"\n      line: \"install dccp /bin/true\"\n      create: true\n  when:\n      - ubuntu1804cis_rule_3_4_1\n  tags:\n      - level2\n      - scored\n      - patch\n      - rule_3.4.1\n\n- name: \"SCORED | 3.4.2 | PATCH | Ensure SCTP is 
disabled\"\n  lineinfile:\n      dest: /etc/modprobe.d/CIS.conf\n      regexp: \"^(#)?install sctp(\\\\s|$)\"\n      line: \"install sctp /bin/true\"\n      create: true\n  when:\n      - ubuntu1804cis_rule_3_4_2\n  tags:\n      - level2\n      - scored\n      - patch\n      - rule_3.4.2\n\n- name: \"SCORED | 3.4.3 | PATCH | Ensure RDS is disabled\"\n  lineinfile:\n      dest: /etc/modprobe.d/CIS.conf\n      regexp: \"^(#)?install rds(\\\\s|$)\"\n      line: \"install rds /bin/true\"\n      create: true\n  when:\n      - ubuntu1804cis_rule_3_4_3\n  tags:\n      - level2\n      - scored\n      - patch\n      - rule_3.4.3\n\n- name: \"SCORED | 3.4.4 | PATCH | Ensure TIPC is disabled\"\n  lineinfile:\n      dest: /etc/modprobe.d/CIS.conf\n      regexp: \"^(#)?install tipc(\\\\s|$)\"\n      line: \"install tipc /bin/true\"\n      create: true\n  when:\n      - ubuntu1804cis_rule_3_4_4\n  tags:\n      - level2\n      - scored\n      - patch\n      - rule_3.4.4\n\n- name: \"SCORED | 3.5.1.1 | PATCH | Ensure a Firewall package is installed | firewalld(CUSTOM),ufw,nftables,iptables\"\n  block:\n      - name: \"SCORED | 3.5.1.1 | PATCH | Ensure a Firewall package is installed | firewalld | CUSTOM\"\n        apt:\n            name: firewalld\n            state: present\n            install_recommends: false\n        when:\n            - ubuntu1804cis_firewall == \"firewalld\"\n\n      - name: \"SCORED | 3.5.1.1 | PATCH | Ensure a Firewall package is installed | ufw\"\n        apt:\n            name: ufw\n            state: present\n            install_recommends: false\n        when:\n            - ubuntu1804cis_firewall == \"ufw\"\n\n      - name: \"SCORED | 3.5.1.1 | PATCH | Ensure a Firewall package is installed | nftables\"\n        apt:\n            name: nftables\n            state: present\n            install_recommends: false\n        when:\n            - ubuntu1804cis_firewall == \"nftables\"\n\n      - name: \"SCORED | 3.5.1.1 | PATCH | Ensure a Firewall package 
is installed | iptables\"\n        apt:\n            name: iptables\n            state: present\n            install_recommends: false\n        when:\n            - ubuntu1804cis_firewall == \"iptables\"\n  when:\n      - ubuntu1804cis_rule_3_5_1_1\n      - ubuntu1804cis_setup_firewall\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_3.5.1.1\n\n- name: \"SCORED | 3.5.2.1 | PATCH | Ensure ufw service is enabled\"\n  service:\n      name: ufw\n      state: started\n      enabled: true\n  when:\n      - ubuntu1804cis_rule_3_5_2_1\n      - ubuntu1804cis_firewall == \"ufw\"\n      - ubuntu1804cis_setup_firewall\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_3.5.2.1\n\n- name: \"SCORED | 3.5.2.2 | PATCH | Ensure default deny firewall policy\"\n  ufw:\n      rule: \"{{ item.rule }}\"\n      direction: \"{{ item.direction }}\"\n  with_items:\n      - { rule: deny, direction: incoming }\n      - { rule: deny, direction: outgoing }\n      - { rule: deny, direction: routed }\n  when:\n      - ubuntu1804cis_rule_3_5_2_2\n      - ubuntu1804cis_firewall == \"ufw\"\n      - ubuntu1804cis_setup_firewall\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_3.5.2.2\n\n- name: \"SCORED | 3.5.2.3 | PATCH | Ensure loopback traffic is configured\"\n  block:\n      - name: \"SCORED | 3.5.2.3 | PATCH | Ensure loopback traffic is configured| ingress lo allow any\"\n        ufw:\n            rule: allow\n            direction: in\n            interface: lo\n\n      - name: \"SCORED | 3.5.2.3 | PATCH | Ensure loopback traffic is configured | ingress deny from lo network ipv4\"\n        ufw:\n            rule: deny\n            direction: in\n            from: \"127.0.0.0/8\"\n\n      - name: \"SCORED | 3.5.2.3 | PATCH | Ensure loopback traffic is configured | ingress deny from lo network ipv6\"\n        ufw:\n            rule: deny\n            direction: in\n            from: \"::1\"\n        when: ubuntu1804cis_ipv6_required\n  
when:\n      - ubuntu1804cis_rule_3_5_2_3\n      - ubuntu1804cis_firewall == \"ufw\"\n      - ubuntu1804cis_setup_firewall\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_3.5.2.3\n\n- name: \"NOTSCORED | 3.5.2.4 | PATCH | Ensure outbound and established connections are configured\"\n  ufw:\n      rule: allow\n      direction: out\n      interface: all\n  when:\n      - ubuntu1804cis_rule_3_5_2_4\n      - ubuntu1804cis_firewall == \"ufw\"\n      - ubuntu1804cis_setup_firewall\n  tags:\n      - level1\n      - notscored\n      - patch\n      - rule_3.5.2.4\n\n- name: \"NOTSCORED | 3.5.2.5 | PATCH | Ensure firewall rules exist for all open ports\"\n  block:\n      - name: \"NOTSCORED | 3.5.2.5 | PATCH | Ensure firewall rules exist for all open ports| ssh\"\n        ufw:\n            rule: allow\n            proto: tcp\n            port: '22'\n\n      - name: \"NOTSCORED | 3.5.2.5 | PATCH | Ensure firewall rules exist for all open ports| dns\"\n        ufw:\n            rule: allow\n            proto: \"{{ item }}\"\n            port: '53'\n        loop:\n            - tcp\n            - udp\n  when:\n      - ubuntu1804cis_rule_3_5_2_5\n      - ubuntu1804cis_firewall == \"ufw\"\n      - ubuntu1804cis_setup_firewall\n  tags:\n      - level1\n      - notscored\n      - patch\n      - rule_3.5.2.5\n\n- name: \"NOTSCORED | 3.5.3.1 | PATCH | Ensure iptables are flushed | ipv4, ipv6\"\n  block:\n      - name: \"NOTSCORED | 3.5.3.1 | PATCH | Ensure iptables are flushed | ipv4\"\n        iptables:\n            flush: yes\n\n      - name: \"NOTSCORED | 3.5.3.1 | PATCH | Ensure iptables are flushed | ipv6\"\n        iptables:\n            flush: yes\n            ip_version: ipv6\n        when: ubuntu1804cis_ipv6_required\n  when:\n      - ubuntu1804cis_rule_3_5_3_1\n      - ubuntu1804cis_firewall == \"nftables\"\n      - ubuntu1804cis_setup_firewall\n  tags:\n      - level1\n      - notscored\n      - patch\n      - rule_3.5.3.1\n\n- name: \"SCORED | 
3.5.3.2 | PATCH | Ensure a table exists\"\n  shell: |\n      nft create table inet {{ ubuntu1804cis_nftables_table }}\n  args:\n      executable: /bin/bash\n  changed_when: false\n  check_mode: false\n  # a default table may already exist when nftables is installed by apt,\n  # in which case nft create table raises an error\n  ignore_errors: true\n  when:\n      - ubuntu1804cis_rule_3_5_3_2\n      - ubuntu1804cis_firewall == \"nftables\"\n      - ubuntu1804cis_setup_firewall\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_3.5.3.2\n\n- name: \"SCORED | 3.5.3.3 | PATCH | Ensure base chains exist\"\n  shell: |\n      nft chain inet {{ ubuntu1804cis_nftables_table }} {{ item }} { type filter hook {{ item }} priority 0\\; }\n  args:\n      executable: /bin/bash\n  loop:\n      - input\n      - forward\n      - output\n  changed_when: false\n  check_mode: false\n  when:\n      - ubuntu1804cis_rule_3_5_3_3\n      - ubuntu1804cis_firewall == \"nftables\"\n      - ubuntu1804cis_setup_firewall\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_3.5.3.3\n\n- name: \"SCORED | 3.5.3.4 | PATCH | Ensure loopback traffic is configured\"\n  block:\n      - name: \"SCORED | 3.5.3.4 | PATCH | Ensure loopback traffic is configured | ingress lo allow any\"\n        shell: |\n            nft add rule inet {{ ubuntu1804cis_nftables_table }} input iif lo accept\n        args:\n            executable: /bin/bash\n        changed_when: false\n        check_mode: false\n\n      - name: \"SCORED | 3.5.3.4 | PATCH | Ensure loopback traffic is configured | ingress deny from lo network ipv4\"\n        shell: |\n            nft add rule inet {{ ubuntu1804cis_nftables_table }} input ip saddr 127.0.0.0/8 counter drop\n        args:\n            executable: /bin/bash\n        changed_when: false\n        check_mode: false\n\n      - name: \"SCORED | 3.5.3.4 | PATCH | Ensure loopback traffic is configured | ingress deny from lo network ipv6\"\n        shell: |\n            nft add rule inet {{ ubuntu1804cis_nftables_table }} input ip6 saddr ::1 counter drop\n        args:\n            executable: /bin/bash\n        changed_when: false\n        check_mode: false\n        when: ubuntu1804cis_ipv6_required\n  when:\n      - ubuntu1804cis_rule_3_5_3_4\n      - ubuntu1804cis_firewall == \"nftables\"\n      - ubuntu1804cis_setup_firewall\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_3.5.3.4\n\n- name: \"NOTSCORED | 3.5.3.5 | PATCH | Ensure outbound and established connections are configured\"\n  shell: |\n      nft add rule inet {{ ubuntu1804cis_nftables_table }} input ip protocol {{ item }} ct state established accept\n      nft add rule inet {{ ubuntu1804cis_nftables_table }} output ip protocol {{ item }} ct state new,related,established accept\n  args:\n      executable: /bin/bash\n  loop:\n      - tcp\n      - udp\n      - icmp\n  changed_when: false\n  check_mode: false\n  when:\n      - ubuntu1804cis_rule_3_5_3_5\n      - ubuntu1804cis_firewall == \"nftables\"\n      - ubuntu1804cis_setup_firewall\n  tags:\n      - level1\n      - notscored\n      - patch\n      - rule_3.5.3.5\n\n- name: \"SCORED | 3.5.3.6 | PATCH | Ensure default deny firewall policy\"\n  shell: |\n      nft chain inet {{ ubuntu1804cis_nftables_table }} {{ item }} { policy drop \\; }\n  args:\n      executable: /bin/bash\n  loop:\n      - input\n      - forward\n      - output\n  changed_when: false\n  check_mode: false\n  when:\n      - ubuntu1804cis_rule_3_5_3_6\n      - ubuntu1804cis_firewall == \"nftables\"\n      - ubuntu1804cis_setup_firewall\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_3.5.3.6\n\n- name: \"SCORED | 3.5.3.7 | PATCH | Ensure nftables service is enabled\"\n  service:\n      name: nftables\n      state: started\n      enabled: true\n  when:\n      - ubuntu1804cis_rule_3_5_3_7\n      - ubuntu1804cis_firewall == \"nftables\"\n      - ubuntu1804cis_setup_firewall\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_3.5.3.7\n\n- name: \"SCORED | 3.5.3.8 | PATCH | Ensure nftables rules are permanent\"\n  shell:\n      nft list table inet {{ ubuntu1804cis_nftables_table }} > /etc/nftables.conf\n  when:\n      - ubuntu1804cis_rule_3_5_3_8\n      - ubuntu1804cis_firewall == \"nftables\"\n      - ubuntu1804cis_setup_firewall\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_3.5.3.8\n\n- name: \"SCORED | 3.5.4.1.1 | PATCH | Ensure default deny firewall policy\"\n  iptables:\n      chain: \"{{ item }}\"\n      policy: DROP\n  loop:\n      - INPUT\n      - OUTPUT\n      - FORWARD\n  when:\n      - ubuntu1804cis_rule_3_5_4_1_1\n      - ubuntu1804cis_firewall == \"iptables\"\n      - ubuntu1804cis_setup_firewall\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_3.5.4.1.1\n\n- name: \"SCORED | 3.5.4.1.2 | PATCH | Ensure loopback traffic is configured\"\n  block:\n      - name: \"SCORED | 3.5.4.1.2 | PATCH | Ensure loopback traffic is configured| ingress lo allow any\"\n        iptables:\n            chain: INPUT\n            jump: ACCEPT\n            in_interface: lo\n\n      - name: \"SCORED | 3.5.4.1.2 | PATCH | Ensure loopback traffic is configured| egress lo allow any\"\n        iptables:\n            chain: OUTPUT\n            jump: ACCEPT\n            out_interface: lo\n\n      - name: \"SCORED | 3.5.4.1.2 | PATCH | Ensure loopback traffic is configured| ingress deny from lo network\"\n        iptables:\n            chain: INPUT\n            jump: DROP\n            source: 127.0.0.0/8\n  when:\n      - ubuntu1804cis_rule_3_5_4_1_2\n      - ubuntu1804cis_firewall == \"iptables\"\n      - ubuntu1804cis_setup_firewall\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_3.5.4.1.2\n\n- name: \"NOTSCORED | 3.5.4.1.3 | PATCH | Ensure outbound and established connections are configured\"\n  block:\n      - name: \"NOTSCORED | 3.5.4.1.3 | PATCH | Ensure outbound and established connections are configured | input \"\n        iptables:\n            chain: INPUT\n            jump: ACCEPT\n            # inbound accepts only replies to established flows; NEW inbound is granted per port in 3.5.4.1.4\n            ctstate: ESTABLISHED\n            protocol: \"{{ item }}\"\n        loop:\n            - tcp\n            - udp\n            - icmp\n\n      - name: \"NOTSCORED | 3.5.4.1.3 | PATCH | Ensure outbound and established connections are configured | output\"\n        iptables:\n            chain: OUTPUT\n            jump: ACCEPT\n            ctstate: NEW,ESTABLISHED\n            protocol: \"{{ item }}\"\n        loop:\n            - tcp\n            - udp\n            - icmp\n  when:\n      - ubuntu1804cis_rule_3_5_4_1_3\n      - ubuntu1804cis_firewall == \"iptables\"\n      - ubuntu1804cis_setup_firewall\n  tags:\n      - level1\n      - notscored\n      - patch\n      - rule_3.5.4.1.3\n\n- name: \"SCORED | 3.5.4.1.4 | PATCH | Ensure firewall rules exist for all open ports\"\n  block:\n      - name: \"SCORED | 3.5.4.1.4 | PATCH | Ensure firewall rules exist for all open ports| ssh\"\n        iptables:\n            chain: INPUT\n            jump: ACCEPT\n            ctstate: NEW\n            protocol: tcp\n            destination_port: 22\n\n      - name: \"SCORED | 3.5.4.1.4 | PATCH | Ensure firewall rules exist for all open ports| dns\"\n        iptables:\n            chain: INPUT\n            jump: ACCEPT\n            ctstate: NEW\n            protocol: \"{{ item }}\"\n            destination_port: 53\n        loop:\n            - tcp\n            - udp\n  when:\n      - ubuntu1804cis_rule_3_5_4_1_4\n      - ubuntu1804cis_firewall == \"iptables\"\n      - ubuntu1804cis_setup_firewall\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_3.5.4.1.4\n\n- name: \"SCORED | 3.5.4.2.1 | PATCH | Ensure IPv6 default deny firewall policy\"\n  iptables:\n      chain: \"{{ item }}\"\n      policy: DROP\n      ip_version: ipv6\n  loop:\n      - INPUT\n      - OUTPUT\n      - FORWARD\n  when:\n      - ubuntu1804cis_rule_3_5_4_2_1\n      - ubuntu1804cis_firewall == \"iptables\"\n      - ubuntu1804cis_setup_firewall\n      - ubuntu1804cis_ipv6_required\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_3.5.4.2.1\n\n- name: \"SCORED | 3.5.4.2.2 | PATCH | Ensure IPv6 loopback traffic is configured\"\n  block:\n      - name: \"SCORED | 3.5.4.2.2 | PATCH | Ensure IPv6 loopback traffic is configured| ingress lo allow any\"\n        iptables:\n            chain: INPUT\n            jump: ACCEPT\n            in_interface: lo\n            ip_version: ipv6\n\n      - name: \"SCORED | 3.5.4.2.2 | PATCH | Ensure IPv6 loopback traffic is configured| egress lo allow any\"\n        iptables:\n            chain: OUTPUT\n            jump: ACCEPT\n            out_interface: lo\n            ip_version: ipv6\n\n      - name: \"SCORED | 3.5.4.2.2 | PATCH | Ensure IPv6 loopback traffic is configured| ingress deny from lo network\"\n        iptables:\n            chain: INPUT\n            jump: DROP\n            source: \"::1\"\n            ip_version: ipv6\n  when:\n      - ubuntu1804cis_rule_3_5_4_2_2\n      - ubuntu1804cis_firewall == \"iptables\"\n      - ubuntu1804cis_setup_firewall\n      - ubuntu1804cis_ipv6_required\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_3.5.4.2.2\n\n- name: \"NOTSCORED | 3.5.4.2.3 | PATCH | Ensure IPv6 outbound and established connections are configured\"\n  block:\n      - name: \"NOTSCORED | 3.5.4.2.3 | PATCH | Ensure IPv6 outbound and established connections are configured | input \"\n        iptables:\n            chain: INPUT\n            jump: ACCEPT\n            # inbound accepts only replies to established flows; NEW inbound is granted per port in 3.5.4.2.4\n            ctstate: ESTABLISHED\n            protocol: \"{{ item }}\"\n            ip_version: ipv6\n        loop:\n            - tcp\n            - udp\n            - icmp\n\n      - name: \"NOTSCORED | 3.5.4.2.3 | PATCH | Ensure IPv6 outbound and established connections are configured | output\"\n        iptables:\n            chain: OUTPUT\n            jump: ACCEPT\n            ctstate: NEW,ESTABLISHED\n            protocol: \"{{ item }}\"\n            ip_version: ipv6\n        loop:\n            - tcp\n            - udp\n            - icmp\n  when:\n      - ubuntu1804cis_rule_3_5_4_2_3\n      - ubuntu1804cis_firewall == \"iptables\"\n      - ubuntu1804cis_setup_firewall\n      - ubuntu1804cis_ipv6_required\n  tags:\n      - level1\n      - notscored\n      - patch\n      - rule_3.5.4.2.3\n\n- name: \"NOTSCORED | 3.5.4.2.4 | PATCH | Ensure IPv6 firewall rules exist for all open ports\"\n  block:\n      - name: \"NOTSCORED | 3.5.4.2.4 | PATCH | Ensure IPv6 firewall rules exist for all open ports| ssh\"\n        iptables:\n            chain: INPUT\n            jump: ACCEPT\n            ctstate: NEW\n            protocol: tcp\n            destination_port: 22\n            ip_version: ipv6\n\n      - name: \"NOTSCORED | 3.5.4.2.4 | PATCH | Ensure IPv6 firewall rules exist for all open ports| dns\"\n        iptables:\n            chain: INPUT\n            jump: ACCEPT\n            ctstate: NEW\n            protocol: \"{{ item }}\"\n            destination_port: 53\n            ip_version: ipv6\n        loop:\n            - tcp\n            - udp\n  when:\n      - ubuntu1804cis_rule_3_5_4_2_4\n      - ubuntu1804cis_firewall == \"iptables\"\n      - ubuntu1804cis_setup_firewall\n      - ubuntu1804cis_ipv6_required\n  tags:\n      - level1\n      - notscored\n      - patch\n      - rule_3.5.4.2.4\n\n- name: \"SCORED | 3.5.4.3.1 | PATCH | Ensure firewalld is installed and started | CUSTOM\"\n  apt:\n      name: firewalld\n      state: present\n      install_recommends: false\n  when:\n      - ubuntu1804cis_rule_3_5_4_3_1\n      - ubuntu1804cis_firewall == \"firewalld\"\n      - ubuntu1804cis_setup_firewall\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_3.5.4.3.1\n\n- name: \"SCORED | 3.5.4.3.2 | PATCH | Ensure firewalld is installed and started | CUSTOM\"\n  service:\n      name: firewalld\n      state: started\n      enabled: true\n  when:\n      - ubuntu1804cis_rule_3_5_4_3_2\n      - ubuntu1804cis_firewall == \"firewalld\"\n      - ubuntu1804cis_setup_firewall\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_3.5.4.3.2\n\n- name: \"SCORED | 3.5.4.3.3 | PATCH | Ensure default deny firewall policy | CUSTOM\"\n  lineinfile:\n      dest: /etc/firewalld/firewalld.conf\n      regexp: \"^DefaultZone\"\n      line: \"DefaultZone=drop\"\n  when:\n      - ubuntu1804cis_rule_3_5_4_3_3\n      - ubuntu1804cis_firewall == \"firewalld\"\n      - ubuntu1804cis_setup_firewall\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_3.5.4.3.3\n\n- name: \"SCORED | 3.5.4.3.4 | PATCH | Ensure default deny firewall policy | CUSTOM\"\n  firewalld:\n      state: enabled\n      zone: drop\n      permanent: true\n  when:\n      - ubuntu1804cis_rule_3_5_4_3_4\n      - ubuntu1804cis_firewall == \"firewalld\"\n      - ubuntu1804cis_setup_firewall\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_3.5.4.3.4\n\n- name: \"SCORED | 3.5.4.3.5 | PATCH | Ensure firewall rules exist for all open ports | CUSTOM\"\n  firewalld:\n      service: \"{{ item }}\"\n      state: enabled\n      zone: drop\n      permanent: true\n      immediate: true\n  when:\n      - ubuntu1804cis_rule_3_5_4_3_5\n      - ubuntu1804cis_firewall == \"firewalld\"\n      - ubuntu1804cis_setup_firewall\n  notify: restart firewalld\n  with_items: \"{{ ubuntu1804cis_firewall_services }}\"\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_3.5.4.3.5\n\n- name: \"NOTSCORED | 3.7 | Disable IPv6\"\n  replace:\n      dest: /etc/default/grub\n      regexp: '^(GRUB_CMDLINE_LINUX=(?!.*ipv6.disable)\\\"[^\\\"]*)(\\\".*)'\n      replace: '\\1 ipv6.disable=1\\2'\n  ignore_errors: true\n  when:\n      - ubuntu1804cis_rule_3_7\n  notify:\n      - generate new grub config\n  tags:\n      - level2\n      - notscored\n      - patch\n      - rule_3.7\n"
  },
  {
    "path": "tasks/section4.yml",
    "content": "---\n- name: \"SCORED | 4.1.1.1 | PATCH | Ensure auditd is installed\"\n  apt:\n      name: audispd-plugins\n      state: present\n      install_recommends: false\n  when:\n      - not ubuntu1804cis_skip_for_travis\n      - ubuntu1804cis_rule_4_1_1_1\n  tags:\n      - level2\n      - scored\n      - patch\n      - auditd\n      - rule_4.1.1.1\n\n- name: \"SCORED | 4.1.1.2 | PATCH | Ensure auditd service is enabled\"\n  service:\n      name: auditd\n      state: started\n      enabled: true\n  when:\n      - not ubuntu1804cis_skip_for_travis\n      - ubuntu1804cis_rule_4_1_1_2\n  tags:\n      - level2\n      - scored\n      - patch\n      - auditd\n      - rule_4.1.1.2\n\n- name: \"SCORED | 4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled\"\n  replace:\n      dest: /etc/default/grub\n      regexp: '^(GRUB_CMDLINE_LINUX=(?!.*audit)\\\"[^\\\"]*)(\\\".*)'\n      replace: '\\1 audit=1\\2'\n  notify:\n      - generate new grub config\n  when:\n      - ubuntu1804cis_rule_4_1_1_3\n  tags:\n      - level2\n      - scored\n      - patch\n      - auditd\n      - rule_4.1.1.3\n\n- name: \"SCORED | 4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient\"\n  replace:\n      dest: /etc/default/grub\n      regexp: '^(GRUB_CMDLINE_LINUX=(?!.*audit_backlog_limit)\\\"[^\\\"]*)(\\\".*)'\n      replace: '\\1 audit_backlog_limit={{ ubuntu1804cis_auditd.backlog_limit }}\\2'\n  ignore_errors: true\n  notify:\n      - generate new grub config\n  when:\n      - ubuntu1804cis_rule_4_1_1_4\n  tags:\n      - level2\n      - scored\n      - patch\n      - auditd\n      - rule_4.1.1.4\n\n- name: \"SCORED | 4.1.2.1 | PATCH | Ensure audit log storage size is configured\"\n  lineinfile:\n      dest: /etc/audit/auditd.conf\n      regexp: \"^max_log_file( |=)\"\n      line: \"max_log_file = {{ ubuntu1804cis_auditd.max_audit_log_file_size }}\"\n      state: present\n      create: yes\n  when:\n      - ubuntu1804cis_rule_4_1_2_1\n  notify:\n      
- restart auditd\n  tags:\n      - level2\n      - scored\n      - patch\n      - auditd\n      - rule_4.1.2.1\n\n- name: \"SCORED | 4.1.2.2 | PATCH | Ensure audit logs are not automatically deleted\"\n  lineinfile:\n      dest: /etc/audit/auditd.conf\n      regexp: \"^max_log_file_action\"\n      line: \"max_log_file_action = {{ ubuntu1804cis_auditd['max_log_file_action'] }}\"\n      state: present\n      create: yes\n  when:\n      - ubuntu1804cis_rule_4_1_2_2\n  notify:\n      - restart auditd\n  tags:\n      - level2\n      - scored\n      - patch\n      - auditd\n      - rule_4.1.2.2\n\n- name: \"SCORED | 4.1.2.3 | PATCH | Ensure system is disabled when audit logs are full - admin_space_left_action\"\n  lineinfile:\n      dest: /etc/audit/auditd.conf\n      regexp: \"^admin_space_left_action\"\n      line: \"admin_space_left_action = {{ ubuntu1804cis_auditd['admin_space_left_action'] }}\"\n      state: present\n      create: yes\n  when:\n      - ubuntu1804cis_rule_4_1_2_3\n  notify:\n      - restart auditd\n  tags:\n      - level2\n      - scored\n      - patch\n      - auditd\n      - rule_4.1.2.3\n\n- name: \"SCORED | 4.1.2.3 | PATCH | Ensure system is disabled when audit logs are full - space_left_action\"\n  # space_left_action is part of CIS 4.1.2.3, not 4.1.1.2 (the auditd service rule)\n  lineinfile:\n      dest: /etc/audit/auditd.conf\n      regexp: \"^space_left_action\"\n      line: \"space_left_action = email\"\n      state: present\n      create: yes\n  when:\n      - ubuntu1804cis_rule_4_1_2_3\n  notify:\n      - restart auditd\n  tags:\n      - level2\n      - scored\n      - patch\n      - auditd\n      - rule_4.1.2.3\n\n- name: \"SCORED | 4.1.3 | PATCH | Ensure events that modify date and time information are collected\"\n  template:\n      src: audit/ubuntu1804cis_rule_4_1_3.rules.j2\n      dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_3.rules\n      owner: root\n      group: root\n      mode: 0600\n  when:\n      - ubuntu1804cis_rule_4_1_3\n  notify:\n      - load audit rules\n      - restart auditd\n  tags:\n      - level2\n      - scored\n      - patch\n      - auditd\n    
  - rule_4.1.3\n\n- name: \"SCORED | 4.1.4 | PATCH | Ensure events that modify user/group information are collected\"\n  template:\n      src: audit/ubuntu1804cis_rule_4_1_4.rules.j2\n      dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_4.rules\n      owner: root\n      group: root\n      mode: 0600\n  when:\n      - ubuntu1804cis_rule_4_1_4\n  notify:\n      - load audit rules\n      - restart auditd\n  tags:\n      - level2\n      - scored\n      - patch\n      - auditd\n      - rule_4.1.4\n\n- name: \"SCORED | 4.1.5 | PATCH | Ensure events that modify the system's network environment are collected\"\n  template:\n      src: audit/ubuntu1804cis_rule_4_1_5.rules.j2\n      dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_5.rules\n      owner: root\n      group: root\n      mode: 0600\n  when:\n      - ubuntu1804cis_rule_4_1_5\n  notify:\n      - load audit rules\n      - restart auditd\n  tags:\n      - level2\n      - scored\n      - patch\n      - auditd\n      - rule_4.1.5\n\n- name: \"SCORED | 4.1.6 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected\"\n  template:\n      src: audit/ubuntu1804cis_rule_4_1_6.rules.j2\n      dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_6.rules\n      owner: root\n      group: root\n      mode: 0600\n  when:\n      - ubuntu1804cis_rule_4_1_6\n  notify:\n      - load audit rules\n      - restart auditd\n  tags:\n      - level2\n      - scored\n      - patch\n      - auditd\n      - rule_4.1.6\n\n- name: \"SCORED | 4.1.7 | PATCH | Ensure login and logout events are collected\"\n  template:\n      src: audit/ubuntu1804cis_rule_4_1_7.rules.j2\n      dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_7.rules\n      owner: root\n      group: root\n      mode: 0600\n  when:\n      - ubuntu1804cis_rule_4_1_7\n  notify:\n      - load audit rules\n      - restart auditd\n  tags:\n      - level2\n      - scored\n      - patch\n      - auditd\n      - rule_4.1.7\n\n- name: \"SCORED | 4.1.8 | PATCH | Ensure 
session initiation information is collected\"\n  template:\n      src: audit/ubuntu1804cis_rule_4_1_8.rules.j2\n      dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_8.rules\n      owner: root\n      group: root\n      mode: 0600\n  when:\n      - ubuntu1804cis_rule_4_1_8\n  notify:\n      - load audit rules\n      - restart auditd\n  tags:\n      - level2\n      - scored\n      - patch\n      - auditd\n      - rule_4.1.8\n\n- name: \"SCORED | 4.1.9 | PATCH | Ensure discretionary access control permission modification events are collected\"\n  template:\n      src: audit/ubuntu1804cis_rule_4_1_9.rules.j2\n      dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_9.rules\n      owner: root\n      group: root\n      mode: 0600\n  when:\n      - ubuntu1804cis_rule_4_1_9\n  notify:\n      - load audit rules\n      - restart auditd\n  tags:\n      - level2\n      - scored\n      - patch\n      - auditd\n      - rule_4.1.9\n\n- name: \"SCORED | 4.1.10 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected\"\n  template:\n      src: audit/ubuntu1804cis_rule_4_1_10.rules.j2\n      dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_10.rules\n      owner: root\n      group: root\n      mode: 0600\n  when:\n      - ubuntu1804cis_rule_4_1_10\n  notify:\n      - load audit rules\n      - restart auditd\n  tags:\n      - level2\n      - scored\n      - patch\n      - auditd\n      - rule_4.1.10\n\n- name: \"SCORED | 4.1.11 | PATCH | Ensure use of privileged commands is collected\"\n  block:\n\n      - name: \"SCORED | 4.1.11 | PATCH | Get list of setuid/setgid binaries\"\n        # one find per local filesystem, -xdev keeps it from crossing into network or pseudo mounts\n        shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done\n        register: priv_procs\n        changed_when: false\n        check_mode: false\n\n      - name: \"SCORED | 4.1.11 | PATCH | Ensure use of privileged commands is collected\"\n        template:\n            src: 
audit/ubuntu1804cis_rule_4_1_11.rules.j2\n            dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_11.rules\n            owner: root\n            group: root\n            mode: 0600\n        notify:\n            - load audit rules\n            - restart auditd\n  when:\n      - ubuntu1804cis_rule_4_1_11\n  tags:\n      - level2\n      - scored\n      - patch\n      - auditd\n      - rule_4.1.11\n\n- name: \"SCORED | 4.1.12 | PATCH | Ensure successful file system mounts are collected\"\n  template:\n      src: audit/ubuntu1804cis_rule_4_1_12.rules.j2\n      dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_12.rules\n      owner: root\n      group: root\n      mode: 0600\n  when:\n      - ubuntu1804cis_rule_4_1_12\n  notify:\n      - load audit rules\n      - restart auditd\n  tags:\n      - level2\n      - scored\n      - patch\n      - auditd\n      - rule_4.1.12\n\n- name: \"SCORED | 4.1.13 | PATCH | Ensure file deletion events by users are collected\"\n  template:\n      src: audit/ubuntu1804cis_rule_4_1_13.rules.j2\n      dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_13.rules\n      owner: root\n      group: root\n      mode: 0600\n  when:\n      - ubuntu1804cis_rule_4_1_13\n  notify:\n      - load audit rules\n      - restart auditd\n  tags:\n      - level2\n      - scored\n      - patch\n      - auditd\n      - rule_4.1.13\n\n- name: \"SCORED | 4.1.14 | PATCH | Ensure changes to system administration scope (sudoers) is collected\"\n  template:\n      src: audit/ubuntu1804cis_rule_4_1_14.rules.j2\n      dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_14.rules\n      owner: root\n      group: root\n      mode: 0600\n  when:\n      - ubuntu1804cis_rule_4_1_14\n  notify:\n      - load audit rules\n      - restart auditd\n  tags:\n      - level2\n      - scored\n      - patch\n      - auditd\n      - rule_4.1.14\n\n- name: \"SCORED | 4.1.15 | PATCH | Ensure system administrator actions (sudolog) are collected\"\n  template:\n      src: 
audit/ubuntu1804cis_rule_4_1_15.rules.j2\n      dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_15.rules\n      owner: root\n      group: root\n      mode: 0600\n  when:\n      - ubuntu1804cis_rule_4_1_15\n  notify:\n      - load audit rules\n      - restart auditd\n  tags:\n      - level2\n      - scored\n      - patch\n      - auditd\n      - rule_4.1.15\n\n- name: \"SCORED | 4.1.16 | PATCH | Ensure kernel module loading and unloading is collected\"\n  template:\n      src: audit/ubuntu1804cis_rule_4_1_16.rules.j2\n      dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_16.rules\n      owner: root\n      group: root\n      mode: 0600\n  when:\n      - ubuntu1804cis_rule_4_1_16\n  notify:\n      - load audit rules\n      - restart auditd\n  tags:\n      - level2\n      - scored\n      - patch\n      - auditd\n      - rule_4.1.16\n\n- name: \"SCORED | 4.1.17 | PATCH | Ensure the audit configuration is immutable\"\n  template:\n      src: audit/ubuntu1804cis_rule_4_1_17.rules.j2\n      dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_17.rules\n      owner: root\n      group: root\n      mode: 0600\n  when:\n      - ubuntu1804cis_rule_4_1_17\n  notify:\n      - load audit rules\n      - restart auditd\n  tags:\n      - level2\n      - scored\n      - patch\n      - auditd\n      - rule_4.1.17\n\n- name: \"SCORED | 4.2.1.1 | PATCH | Ensure rsyslog is installed\"\n  apt:\n      name: rsyslog\n      state: present\n      install_recommends: false\n  when:\n      - ubuntu1804cis_rule_4_2_1_1\n      - ubuntu1804cis_syslog == \"rsyslog\"\n  tags:\n      - level1\n      - scored\n      - patch\n      - syslog\n      - rule_4.2.1.1\n\n- name: \"SCORED | 4.2.1.2 | PATCH | Ensure rsyslog Service is enabled\"\n  service:\n      name: rsyslog\n      enabled: yes\n  when:\n      - ubuntu1804cis_rule_4_2_1_2\n      - ubuntu1804cis_syslog == \"rsyslog\"\n  tags:\n      - level1\n      - scored\n      - patch\n      - syslog\n      - rule_4.2.1.2\n\n- name: 
\"NOTSCORED | 4.2.1.3 | PATCH | Ensure logging is configured\"\n  command: /bin/true\n  changed_when: false\n  when:\n      - ubuntu1804cis_rule_4_2_1_3\n  tags:\n      - level1\n      - notscored\n      - patch\n      - syslog\n      - rule_4.2.1.3\n      - notimplemented\n\n- name: \"SCORED | 4.2.1.4 | PATCH | Ensure rsyslog default file permissions configured\"\n  lineinfile:\n      dest: /etc/rsyslog.conf\n      regexp: '^\\$FileCreateMode'\n      line: '$FileCreateMode 0640'\n  when:\n      - ubuntu1804cis_rule_4_2_1_4\n  tags:\n      - level1\n      - scored\n      - patch\n      - syslog\n      - rule_4.2.1.4\n\n- name: \"SCORED | 4.2.1.5 | PATCH | Ensure rsyslog is configured to send logs to a remote log host\"\n  command: /bin/true\n  changed_when: false\n  when:\n      - ubuntu1804cis_rule_4_2_1_5\n  tags:\n      - level1\n      - scored\n      - patch\n      - syslog\n      - rule_4.2.1.5\n      - notimplemented\n\n- name: \"NOTSCORED | 4.2.1.6 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts\"\n  command: /bin/true\n  changed_when: false\n  when:\n      - ubuntu1804cis_rule_4_2_1_6\n  tags:\n      - level1\n      - notscored\n      - patch\n      - syslog\n      - rule_4.2.1.6\n      - notimplemented\n\n- name: \"SCORED | 4.2.2.1 | PATCH | Ensure journald is configured to send logs to rsyslog\"\n  # anchored regexp so any existing (commented or not) value is replaced rather than duplicated;\n  # no changed_when: false here, the handler only fires when the task reports a change\n  lineinfile:\n    dest: /etc/systemd/journald.conf\n    regexp: \"^(#)?ForwardToSyslog=\"\n    line: ForwardToSyslog=yes\n  when:\n      - ubuntu1804cis_rule_4_2_2_1\n  notify:\n    - restart journald\n  tags:\n      - level1\n      - scored\n      - patch\n      - syslog\n      - rule_4.2.2.1\n\n- name: \"SCORED | 4.2.2.2 | PATCH | Ensure journald is configured to compress large log files\"\n  lineinfile:\n    dest: /etc/systemd/journald.conf\n    regexp: \"^(#)?Compress=\"\n    line: Compress=yes\n  when:\n      - ubuntu1804cis_rule_4_2_2_2\n  notify:\n    - restart journald\n  tags:\n    
  - level1\n      - scored\n      - patch\n      - syslog\n      - rule_4.2.2.2\n\n- name: \"SCORED | 4.2.2.3 | PATCH | Ensure journald is configured to write logfiles to persistent disk\"\n  # match any existing Storage= value (auto, volatile, none, persistent), not only auto|persistent\n  lineinfile:\n    dest: /etc/systemd/journald.conf\n    regexp: \"^(#)?Storage=\"\n    line: Storage=persistent\n  when:\n      - ubuntu1804cis_rule_4_2_2_3\n  notify:\n    - restart journald\n  tags:\n      - level1\n      - scored\n      - patch\n      - syslog\n      - rule_4.2.2.3\n\n- name: \"SCORED | 4.2.3 | PATCH | Ensure permissions on all logfiles are configured\"\n  command: find /var/log -type f -exec chmod g-wx,o-rwx {} +\n  changed_when: false\n  failed_when: false\n  when:\n      - ubuntu1804cis_rule_4_2_3\n  tags:\n      - level1\n      - scored\n      - patch\n      - syslog\n      - rule_4.2.3\n\n- name: \"NOTSCORED | 4.3 | PATCH | Ensure logrotate is configured\"\n  block:\n      - name: \"NOTSCORED | 4.3 | PATCH | Register logrotate.d files\"\n        find:\n            paths: /etc/logrotate.d/\n        register: log_rotates\n\n      - name: \"NOTSCORED | 4.3 | PATCH | Ensure logrotate.conf exists\"\n        file:\n            path: /etc/logrotate.conf\n            state: touch\n        changed_when: false\n\n      - name: \"NOTSCORED | 4.3 | PATCH | Ensure logrotate is configured\"\n        replace:\n            path: \"{{ item.path }}\"\n            regexp: '^(\\s*)(daily|weekly|monthly|yearly)$'\n            replace: \"\\\\1{{ ubuntu1804cis_logrotate }}\"\n        with_items:\n            - \"{{ log_rotates.files }}\"\n            - { path: \"/etc/logrotate.conf\" }\n  when:\n      - ubuntu1804cis_rule_4_3\n  tags:\n      - level1\n      - notscored\n      - patch\n      - syslog\n      - rule_4.3\n"
  },
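Added example, not code from this role or its repository: an offline Python check of the settings the 4.1.1.3 to 4.1.2.3 tasks in tasks/section4.yml write, meant to be run against the contents of /etc/default/grub and /etc/audit/auditd.conf. The target values (keep_logs, email, halt, a backlog of 8192) are taken from the CIS rule titles and are assumptions here, since the role reads them from ubuntu1804cis_auditd; both sample files are constructed. ensure_kernel_param has the same shape as the role's `replace` regex and shows why the negative lookahead has to be anchored on 'audit=' rather than the bare word 'audit'.

```python
"""Offline check of the GRUB and auditd.conf settings that tasks 4.1.1.3 to 4.1.2.3 manage."""
import re

# Constructed sample files (not captured from a real host).
SAMPLE_GRUB = """GRUB_DEFAULT=0
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX="audit_backlog_limit=8192"
"""

SAMPLE_AUDITD_CONF = """log_file = /var/log/audit/audit.log
max_log_file = 8
max_log_file_action = ROTATE
space_left_action = SYSLOG
admin_space_left_action = SUSPEND
"""

# Target values from the CIS rule titles (assumed here; the role takes them from ubuntu1804cis_auditd).
EXPECTED_AUDITD = {
    "max_log_file_action": "keep_logs",    # 4.1.2.2: never delete audit logs
    "space_left_action": "email",          # 4.1.2.3: warn before the partition fills
    "admin_space_left_action": "halt",     # 4.1.2.3: stop the system rather than lose events
}
MIN_BACKLOG_LIMIT = 8192                   # 4.1.1.4


def kernel_params(grub_text):
    """Parse GRUB_CMDLINE_LINUX="..." into {param: value-or-None}."""
    m = re.search(r'^GRUB_CMDLINE_LINUX="([^"]*)"', grub_text, re.M)
    params = {}
    for tok in (m.group(1).split() if m else []):
        key, has_value, value = tok.partition("=")
        params[key] = value if has_value else None
    return params


def ensure_kernel_param(grub_text, param, value):
    """Add param=value to GRUB_CMDLINE_LINUX unless it is already present (same shape as the
    role's `replace` tasks).  The lookahead is anchored on 'param=' rather than the bare name:
    with '(?!.*audit)' an existing audit_backlog_limit= would wrongly satisfy the check for audit=."""
    pattern = re.compile(r'^(GRUB_CMDLINE_LINUX=(?!.*%s=)"[^"]*)(".*)$' % re.escape(param), re.M)

    def add(m):
        sep = "" if m.group(1).endswith('"') else " "   # no leading space in an empty cmdline
        return "%s%s%s=%s%s" % (m.group(1), sep, param, value, m.group(2))

    return pattern.sub(add, grub_text, count=1)


def parse_auditd_conf(text):
    """auditd.conf is one 'key = value' per line; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def audit_findings(grub_text, auditd_text):
    """One string per setting that misses its 4.1.x target; [] means compliant."""
    findings = []
    params = kernel_params(grub_text)
    if params.get("audit") != "1":
        findings.append("4.1.1.3: audit=1 missing from GRUB_CMDLINE_LINUX")
    backlog = params.get("audit_backlog_limit") or "0"
    if not backlog.isdigit() or int(backlog) < MIN_BACKLOG_LIMIT:
        findings.append("4.1.1.4: audit_backlog_limit=%s below %d" % (backlog, MIN_BACKLOG_LIMIT))
    conf = parse_auditd_conf(auditd_text)
    for key, want in EXPECTED_AUDITD.items():
        got = conf.get(key, "<unset>")
        if got.lower() != want:
            findings.append("%s = %s (want %s)" % (key, got, want))
    return findings


if __name__ == "__main__":
    for line in audit_findings(SAMPLE_GRUB, SAMPLE_AUDITD_CONF) or ["compliant"]:
        print(line)
```

Editing /etc/default/grub only takes effect after `update-grub` and a reboot, which is what the `generate new grub config` handler covers; on a live host compare the booted values from /proc/cmdline rather than the file.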
  {
    "path": "tasks/section5.yml",
    "content": "---\n- name: \"SCORED | 5.1.1 | PATCH | Ensure cron daemon is enabled\"\n  service:\n      name: \"{{ cron_service[ansible_os_family] }}\"\n      enabled: true\n  when:\n      - ubuntu1804cis_rule_5_1_1\n  tags:\n      - level1\n      - scored\n      - patch\n      - cron\n      - rule_5.1.1\n\n- name: \"SCORED | 5.1.2 | PATCH | Ensure permissions on /etc/crontab are configured\"\n  file:\n      dest: /etc/crontab\n      owner: root\n      group: root\n      mode: 0600\n  when:\n      - ubuntu1804cis_rule_5_1_2\n  tags:\n      - level1\n      - scored\n      - patch\n      - cron\n      - rule_5.1.2\n\n- name: \"SCORED | 5.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured\"\n  file:\n      dest: /etc/cron.hourly\n      state: directory\n      owner: root\n      group: root\n      mode: 0700\n  when:\n      - ubuntu1804cis_rule_5_1_3\n  tags:\n      - level1\n      - scored\n      - patch\n      - cron\n      - rule_5.1.3\n\n- name: \"SCORED | 5.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured\"\n  file:\n      dest: /etc/cron.daily\n      state: directory\n      owner: root\n      group: root\n      mode: 0700\n  when:\n      - ubuntu1804cis_rule_5_1_4\n  tags:\n      - level1\n      - scored\n      - patch\n      - cron\n      - rule_5.1.4\n\n- name: \"SCORED | 5.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured\"\n  file:\n      dest: /etc/cron.weekly\n      state: directory\n      owner: root\n      group: root\n      mode: 0700\n  when:\n      - ubuntu1804cis_rule_5_1_5\n  tags:\n      - level1\n      - scored\n      - patch\n      - cron\n      - rule_5.1.5\n\n- name: \"SCORED | 5.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured\"\n  file:\n      dest: /etc/cron.monthly\n      state: directory\n      owner: root\n      group: root\n      mode: 0700\n  when:\n      - ubuntu1804cis_rule_5_1_6\n  tags:\n      - level1\n      - scored\n      - patch\n      - cron\n      - 
rule_5.1.6\n\n- name: \"SCORED | 5.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured\"\n  file:\n      dest: /etc/cron.d\n      state: directory\n      owner: root\n      group: root\n      mode: 0700\n  when:\n      - ubuntu1804cis_rule_5_1_7\n  tags:\n      - level1\n      - scored\n      - patch\n      - cron\n      - rule_5.1.7\n\n- name: \"SCORED | 5.1.8 | PATCH | Ensure at/cron is restricted to authorized users\"\n  block:\n      - name: \"SCORED | 5.1.8 | PATCH | Ensure at is restricted to authorized users | remove at.deny\"\n        file:\n            dest: /etc/at.deny\n            state: absent\n\n      - name: \"SCORED | 5.1.8 | PATCH | Ensure at is restricted to authorized users | deploy at.allow\"\n        template:\n            src: at.allow.j2\n            dest: /etc/at.allow\n            owner: root\n            group: root\n            mode: 0600\n\n      - name: \"SCORED | 5.1.8 | PATCH | Ensure cron is restricted to authorized users | remove cron.deny\"\n        file:\n            dest: /etc/cron.deny\n            state: absent\n\n      - name: \"SCORED | 5.1.8 | PATCH | Ensure cron is restricted to authorized users | deploy cron.allow\"\n        template:\n            src: cron.allow.j2\n            dest: /etc/cron.allow\n            owner: root\n            group: root\n            mode: 0600\n  when:\n      - ubuntu1804cis_rule_5_1_8\n  tags:\n      - level1\n      - scored\n      - patch\n      - cron\n      - rule_5.1.8\n\n- name: \"SCORED | 5.2.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured\"\n  file:\n      dest: /etc/ssh/sshd_config\n      state: file\n      owner: root\n      group: root\n      mode: 0600\n  when:\n      - ubuntu1804cis_rule_5_2_1\n  tags:\n      - level1\n      - scored\n      - patch\n      - sshd\n      - rule_5.2.1\n\n- name: \"SCORED | 5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured\"\n  block:\n      - name: \"SCORED | 5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured | find keys\"\n       
 find:\n            paths: /etc/ssh\n            patterns: \"ssh_host_*_key\"\n        register: ssh_private_host_keys\n\n      - name: \"SCORED | 5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured | change permissions\"\n        file:\n            dest: \"{{ item.path }}\"\n            state: file\n            owner: root\n            group: root\n            mode: 0600\n        with_items: \"{{ ssh_private_host_keys.files }}\"\n  when:\n      - ubuntu1804cis_rule_5_2_2\n  tags:\n      - level1\n      - scored\n      - patch\n      - sshd\n      - rule_5.2.2\n\n- name: \"SCORED | 5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured\"\n  block:\n      - name: \"SCORED | 5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured | find keys\"\n        find:\n            paths: /etc/ssh\n            patterns: \"ssh_host_*_key.pub\"\n        register: ssh_public_host_keys\n\n      - name: \"SCORED | 5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured | change permissions\"\n        file:\n            dest: \"{{ item.path }}\"\n            state: file\n            owner: root\n            group: root\n            mode: 0644\n        with_items: \"{{ ssh_public_host_keys.files }}\"\n  when:\n      - ubuntu1804cis_rule_5_2_3\n  tags:\n      - level1\n      - scored\n      - patch\n      - sshd\n      - rule_5.2.3\n\n- name: \"SCORED | 5.2.4 | PATCH | Ensure SSH Protocol is not set to 1\"\n  lineinfile:\n      state: present\n      dest: /etc/ssh/sshd_config\n      regexp: '^Protocol'\n      line: 'Protocol 2'\n  when:\n      - ubuntu1804cis_rule_5_2_4\n  tags:\n      - level1\n      - scored\n      - patch\n      - sshd\n      - rule_5.2.4\n\n- name: \"SCORED | 5.2.5 | PATCH | Ensure SSH LogLevel is set to INFO\"\n  lineinfile:\n      state: present\n      dest: /etc/ssh/sshd_config\n      regexp: '^LogLevel'\n      line: 'LogLevel INFO'\n  
when:\n      - ubuntu1804cis_rule_5_2_5\n  tags:\n      - level1\n      - scored\n      - patch\n      - sshd\n      - rule_5.2.5\n\n- name: \"SCORED | 5.2.6 | PATCH | Ensure SSH X11 forwarding is disabled\"\n  lineinfile:\n      state: present\n      dest: /etc/ssh/sshd_config\n      regexp: '^X11Forwarding'\n      line: 'X11Forwarding no'\n  when:\n      - ubuntu1804cis_rule_5_2_6\n  tags:\n      - level1\n      - scored\n      - patch\n      - sshd\n      - rule_5.2.6\n\n- name: \"SCORED | 5.2.7 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less\"\n  lineinfile:\n      state: present\n      dest: /etc/ssh/sshd_config\n      regexp: '^(#)?MaxAuthTries \\d'\n      line: 'MaxAuthTries 4'\n  when:\n      - ubuntu1804cis_rule_5_2_7\n  tags:\n      - level1\n      - scored\n      - patch\n      - sshd\n      - rule_5.2.7\n\n- name: \"SCORED | 5.2.8 | PATCH | Ensure SSH IgnoreRhosts is enabled\"\n  lineinfile:\n      state: present\n      dest: /etc/ssh/sshd_config\n      regexp: '^IgnoreRhosts'\n      line: 'IgnoreRhosts yes'\n  when:\n      - ubuntu1804cis_rule_5_2_8\n  tags:\n      - level1\n      - scored\n      - patch\n      - sshd\n      - rule_5.2.8\n\n- name: \"SCORED | 5.2.9 | PATCH | Ensure SSH HostbasedAuthentication is disabled\"\n  lineinfile:\n      state: present\n      dest: /etc/ssh/sshd_config\n      regexp: '^HostbasedAuthentication'\n      line: 'HostbasedAuthentication no'\n  when:\n      - ubuntu1804cis_rule_5_2_9\n  tags:\n      - level1\n      - scored\n      - patch\n      - sshd\n      - rule_5.2.9\n\n- name: \"SCORED | 5.2.10 | PATCH | Ensure SSH root login is disabled\"\n  lineinfile:\n      state: present\n      dest: /etc/ssh/sshd_config\n      regexp: '^PermitRootLogin'\n      line: 'PermitRootLogin no'\n  when:\n      - ubuntu1804cis_rule_5_2_10\n  tags:\n      - level1\n      - scored\n      - patch\n      - sshd\n      - rule_5.2.10\n\n- name: \"SCORED | 5.2.11 | PATCH | Ensure SSH PermitEmptyPasswords is disabled\"\n  
lineinfile:\n      state: present\n      dest: /etc/ssh/sshd_config\n      regexp: '^PermitEmptyPasswords'\n      line: 'PermitEmptyPasswords no'\n  when:\n      - ubuntu1804cis_rule_5_2_11\n  tags:\n      - level1\n      - scored\n      - patch\n      - sshd\n      - rule_5.2.11\n\n- name: \"SCORED | 5.2.12 | PATCH | Ensure SSH PermitUserEnvironment is disabled\"\n  lineinfile:\n      state: present\n      dest: /etc/ssh/sshd_config\n      regexp: '^PermitUserEnvironment'\n      line: 'PermitUserEnvironment no'\n  when:\n      - ubuntu1804cis_rule_5_2_12\n  tags:\n      - level1\n      - scored\n      - patch\n      - sshd\n      - rule_5.2.12\n\n- name: \"SCORED | 5.2.13 | PATCH | Ensure only strong Ciphers are used\"\n  lineinfile:\n      state: present\n      dest: /etc/ssh/sshd_config\n      regexp: '^Ciphers'\n      line: \"Ciphers {{ ubuntu1804cis_sshd['ciphers'] }}\"\n  when:\n      - ubuntu1804cis_rule_5_2_13\n  tags:\n      - level1\n      - scored\n      - patch\n      - sshd\n      - rule_5.2.13\n\n- name: \"SCORED | 5.2.14 | PATCH | Ensure only approved MAC algorithms are used\"\n  lineinfile:\n      state: present\n      dest: /etc/ssh/sshd_config\n      regexp: '^MACs'\n      line: \"MACs {{ ubuntu1804cis_sshd['macs'] }}\"\n  when:\n      - ubuntu1804cis_rule_5_2_14\n  tags:\n      - level1\n      - scored\n      - patch\n      - sshd\n      - rule_5.2.14\n\n- name: \"SCORED | 5.2.15 | PATCH | Ensure only strong Key Exchange algorithms are used\"\n  lineinfile:\n      state: present\n      dest: /etc/ssh/sshd_config\n      regexp: '^KexAlgorithms'\n      line: \"KexAlgorithms {{ ubuntu1804cis_sshd['kexalgorithms'] }}\"\n  when:\n      - ubuntu1804cis_rule_5_2_15\n  tags:\n      - level1\n      - scored\n      - patch\n      - sshd\n      - rule_5.2.15\n\n- name: \"SCORED | 5.2.16 | PATCH | Ensure SSH Idle Timeout Interval is configured\"\n  block:\n      - name: \"SCORED | 5.2.16 | PATCH | Ensure SSH Idle Timeout Interval is configured\"\n        
lineinfile:\n            state: present\n            dest: /etc/ssh/sshd_config\n            regexp: '^ClientAliveInterval'\n            line: \"ClientAliveInterval {{ ubuntu1804cis_sshd['clientaliveinterval'] }}\"\n\n      - name: \"SCORED | 5.2.16 | PATCH | Ensure SSH ClientAliveCountMax set to <= 3\"\n        lineinfile:\n            state: present\n            dest: /etc/ssh/sshd_config\n            regexp: '^ClientAliveCountMax'\n            line: \"ClientAliveCountMax {{ ubuntu1804cis_sshd['clientalivecountmax'] }}\"\n  when:\n      - ubuntu1804cis_rule_5_2_16\n  tags:\n      - level1\n      - scored\n      - patch\n      - sshd\n      - rule_5.2.16\n\n- name: \"SCORED | 5.2.17 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less\"\n  lineinfile:\n      state: present\n      dest: /etc/ssh/sshd_config\n      regexp: '^LoginGraceTime'\n      line: \"LoginGraceTime 60\"\n  when:\n      - ubuntu1804cis_rule_5_2_17\n  tags:\n      - level1\n      - scored\n      - patch\n      - sshd\n      - rule_5.2.17\n\n- name: \"SCORED | 5.2.18 | PATCH | Ensure SSH access is limited\"\n  block:\n      - name: \"SCORED | 5.2.18 | PATCH | Ensure SSH access is limited | allowusers\"\n        lineinfile:\n            state: present\n            dest: /etc/ssh/sshd_config\n            regexp: '^AllowUsers'\n            line: \"AllowUsers {{ ubuntu1804cis_sshd['allowusers'] }}\"\n        when:\n            - \"ubuntu1804cis_sshd['allowusers']|default('')\"\n\n      - name: \"SCORED | 5.2.18 | PATCH | Ensure SSH access is limited | allowgroups\"\n        lineinfile:\n            state: present\n            dest: /etc/ssh/sshd_config\n            regexp: '^AllowGroups'\n            line: \"AllowGroups {{ ubuntu1804cis_sshd['allowgroups'] }}\"\n        when:\n            - \"ubuntu1804cis_sshd['allowgroups']|default('')\"\n\n      - name: \"SCORED | 5.2.18 | PATCH | Ensure SSH access is limited | denyusers\"\n        lineinfile:\n            state: present\n            
dest: /etc/ssh/sshd_config\n            regexp: '^DenyUsers'\n            line: \"DenyUsers {{ ubuntu1804cis_sshd['denyusers'] }}\"\n        when:\n            - \"ubuntu1804cis_sshd['denyusers']|default('')\"\n\n      - name: \"SCORED | 5.2.18 | PATCH | Ensure SSH access is limited | denygroups\"\n        lineinfile:\n            state: present\n            dest: /etc/ssh/sshd_config\n            regexp: '^DenyGroups'\n            line: \"DenyGroups {{ ubuntu1804cis_sshd['denygroups'] }}\"\n        when:\n            - \"ubuntu1804cis_sshd['denygroups']|default('')\"\n  when:\n      - ubuntu1804cis_rule_5_2_18\n  tags:\n      - level1\n      - scored\n      - patch\n      - sshd\n      - rule_5.2.18\n\n- name: \"SCORED | 5.2.19 | PATCH | Ensure SSH warning banner is configured\"\n  lineinfile:\n      state: present\n      dest: /etc/ssh/sshd_config\n      regexp: '^Banner'\n      line: 'Banner /etc/issue.net'\n  when:\n      - ubuntu1804cis_rule_5_2_19\n  tags:\n      - level1\n      - scored\n      - patch\n      - sshd\n      - rule_5.2.19\n\n- name: \"SCORED | 5.2.20 | PATCH | Ensure SSH PAM is enabled\"\n  lineinfile:\n      state: present\n      dest: /etc/ssh/sshd_config\n      regexp: '^UsePAM'\n      line: 'UsePAM yes'\n  when:\n      - ubuntu1804cis_rule_5_2_20\n  tags:\n      - level1\n      - scored\n      - patch\n      - sshd\n      - rule_5.2.20\n\n- name: \"SCORED | 5.2.21 | PATCH | Ensure SSH AllowTcpForwarding is disabled\"\n  lineinfile:\n      state: present\n      dest: /etc/ssh/sshd_config\n      regexp: '^AllowTcpForwarding'\n      line: 'AllowTcpForwarding no'\n  when:\n      - ubuntu1804cis_rule_5_2_21\n  tags:\n      - level2\n      - scored\n      - patch\n      - sshd\n      - rule_5.2.21\n\n- name: \"SCORED | 5.2.22 | PATCH | Ensure SSH MaxStartups is configured\"\n  lineinfile:\n      state: present\n      dest: /etc/ssh/sshd_config\n      regexp: '^MaxStartups'\n      line: 'MaxStartups 10:30:60'\n  when:\n      - 
ubuntu1804cis_rule_5_2_22\n  tags:\n      - level1\n      - scored\n      - patch\n      - sshd\n      - rule_5.2.22\n\n- name: \"SCORED | 5.2.23 | PATCH | Ensure SSH MaxSessions is set to 4 or less\"\n  lineinfile:\n      state: present\n      dest: /etc/ssh/sshd_config\n      regexp: '^MaxSessions'\n      line: 'MaxSessions 4'\n  notify:\n      - restart sshd\n  when:\n      - ubuntu1804cis_rule_5_2_23\n  tags:\n      - level1\n      - scored\n      - patch\n      - sshd\n      - rule_5.2.23\n\n- name: \"SCORED | 5.3.1 | PATCH | Ensure password creation requirements are configured\"\n  block:\n      - name: \"SCORED | 5.3.1 | PATCH | Ensure libpam-pwquality is installed\"\n        apt:\n            name: libpam-pwquality\n            state: present\n            install_recommends: false\n\n      - name: \"SCORED | 5.3.1 | PATCH | Ensure password creation requirements are configured\"\n        lineinfile:\n            state: present\n            create: yes\n            dest: /etc/security/pwquality.conf\n            regexp: '^{{ item.key }}'\n            line: '{{ item.key }} = {{ item.value }}'\n        with_items:\n            - \"{{ ubuntu1804cis_pwquality }}\"\n  when:\n      - ubuntu1804cis_rule_5_3_1\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_5.3.1\n\n- name: \"SCORED | 5.3.2 | PATCH | Ensure lockout for failed password attempts is configured\"\n  block:\n      - name: \"SCORED | 5.3.2 | PATCH | Ensure lockout for failed password attempts is configured - /etc/pam.d/common-account\"\n        lineinfile:\n            dest: /etc/pam.d/common-account\n            line: 'account required pam_tally2.so'\n\n      - name: \"SCORED | 5.3.2 | PATCH | Ensure lockout for failed password attempts is configured - /etc/pam.d/common-auth\"\n        lineinfile:\n            dest: /etc/pam.d/common-auth\n            line: 'auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900'\n  when:\n      - ubuntu1804cis_rule_5_3_2\n  
tags:\n      - level1\n      - scored\n      - patch\n      - rule_5.3.2\n\n- name: \"SCORED | 5.3.3 | PATCH | Ensure password reuse is limited\"\n  # regexp keeps the task idempotent when the remember= value changes; without it a second line is appended\n  lineinfile:\n      dest: /etc/pam.d/common-password\n      regexp: '^password\\s+required\\s+pam_pwhistory\\.so'\n      line: \"password required pam_pwhistory.so remember={{ ubuntu1804cis_pass['history'] }}\"\n  when:\n      - ubuntu1804cis_rule_5_3_3\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_5.3.3\n\n- name: \"SCORED | 5.3.4 | PATCH | Ensure password hashing algorithm is SHA-512\"\n  # authconfig is a Red Hat tool and does not exist on Ubuntu (the old failed_when: false only hid that);\n  # on Debian-based systems the hash is chosen on the pam_unix.so line of /etc/pam.d/common-password\n  replace:\n      dest: /etc/pam.d/common-password\n      regexp: '^(password\\s+\\[success=\\d+ default=ignore\\]\\s+pam_unix\\.so(?!.*\\bsha512\\b).*)$'\n      replace: '\\1 sha512'\n  when:\n      - ubuntu1804cis_rule_5_3_4\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_5.3.4\n\n- name: \"SCORED | 5.4.1.1 | PATCH | Ensure password expiration is 365 days or less\"\n  lineinfile:\n      state: present\n      dest: /etc/login.defs\n      regexp: '^PASS_MAX_DAYS'\n      line: \"PASS_MAX_DAYS {{ ubuntu1804cis_pass['max_days'] }}\"\n  when:\n      - ubuntu1804cis_rule_5_4_1_1\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_5.4.1.1\n\n- name: \"SCORED | 5.4.1.2 | PATCH | Ensure minimum days between password changes is configured\"\n  lineinfile:\n      state: present\n      dest: /etc/login.defs\n      regexp: '^PASS_MIN_DAYS'\n      line: \"PASS_MIN_DAYS {{ ubuntu1804cis_pass['min_days'] }}\"\n  when:\n      - ubuntu1804cis_rule_5_4_1_2\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_5.4.1.2\n\n- name: \"SCORED | 5.4.1.3 | PATCH | Ensure password expiration warning days is 7 or more\"\n  lineinfile:\n      state: present\n      dest: /etc/login.defs\n      regexp: '^PASS_WARN_AGE'\n      line: \"PASS_WARN_AGE {{ ubuntu1804cis_pass['warn_age'] }}\"\n  when:\n      - ubuntu1804cis_rule_5_4_1_3\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_5.4.1.3\n\n- name: \"SCORED | 5.4.1.4 | PATCH | Ensure inactive password lock is 30 days or less\"\n  lineinfile:\n    state: present\n    
dest: /etc/default/useradd\n    regexp: '^INACTIVE'\n    line: \"INACTIVE={{ ubuntu1804cis_pass['inactive'] }}\"\n  when:\n      - ubuntu1804cis_rule_5_4_1_4\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_5.4.1.4\n\n- name: \"SCORED | 5.4.1.5 | PATCH | Ensure all users last password change date is in the past\"\n  block:\n      - name: \"SCORED | 5.4.1.5 | PATCH | Ensure all users last password change date is in the past | lock users\"\n        user:\n            name: \"{{ item }}\"\n            password_lock: yes\n        loop: \"{{ users_password_change_date_in_future.stdout_lines }}\"\n        when:\n            - ubuntu1804cis_password_change_date_in_future_action == 'lock'\n\n      - name: \"SCORED | 5.4.1.5 | PATCH | Ensure all users last password change date is in the past | expire users\"\n        user:\n            name: \"{{ item }}\"\n            # a fixed epoch timestamp in the past (early 2015), so the account is expired immediately\n            expires: 1422403387\n        loop: \"{{ users_password_change_date_in_future.stdout_lines }}\"\n        when:\n            - ubuntu1804cis_password_change_date_in_future_action == 'expire'\n  when:\n      - ubuntu1804cis_rule_5_4_1_5\n      - users_password_change_date_in_future.stdout_lines | length > 0\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_5.4.1.5\n\n- name: \"SCORED | 5.4.2 | PATCH | Ensure system accounts are secured\"\n  # must be `shell`, not `command`: the for loop and backticks need a shell to be interpreted\n  shell: >\n    for user in `awk -F: '($3 < 1000) {print $1 }' /etc/passwd`; do\n     if [ $user != \"root\" ]; then\n      usermod -L $user\n      if [ $user != \"sync\" ] && [ $user != \"shutdown\" ] && [ $user != \"halt\" ];\n      then\n        usermod -s /usr/sbin/nologin $user\n      fi\n     fi\n    done\n  changed_when: false\n  when:\n      - ubuntu1804cis_rule_5_4_2\n      - system_accounts_non_login_1.stdout\n      - system_accounts_non_login_2.stdout\n  tags:\n      - level1\n      - patch\n      - rule_5.4.2\n      - scored\n\n- name: \"SCORED | 5.4.3 | PATCH | Ensure default group for the root account is GID 0\"\n  
command: usermod -g 0 root\n  changed_when: false\n  failed_when: false\n  when:\n      - ubuntu1804cis_rule_5_4_3\n  tags:\n      - level1\n      - patch\n      - rule_5.4.3\n      - scored\n\n- name: \"SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive\"\n  block:\n    - name: \"SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive - /etc/bash.bashrc\"\n      lineinfile:\n        state: present\n        dest: /etc/bash.bashrc\n        create: true\n        regexp: '^umask '\n        line: 'umask 027'\n\n    - name: \"SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive - /etc/profile\"\n      lineinfile:\n        state: present\n        dest: /etc/profile\n        create: true\n        regexp: '^umask '\n        line: 'umask 027'\n\n    - name: \"SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive - /etc/profile.d/99-umask.sh\"\n      lineinfile:\n        state: present\n        dest: /etc/profile.d/99-umask.sh\n        create: true\n        regexp: '^umask '\n        line: 'umask 027'\n  when:\n      - ubuntu1804cis_rule_5_4_4\n  tags:\n      - level1\n      - patch\n      - rule_5.4.4\n      - scored\n\n- name: \"SCORED | 5.4.5 | PATCH | Ensure default user shell timeout is 900 seconds or less\"\n  block:\n    - name: \"SCORED | 5.4.5 | PATCH | Ensure default user shell timeout is 900 seconds or less - /etc/bash.bashrc\"\n      lineinfile:\n        state: present\n        dest: /etc/bash.bashrc\n        create: true\n        regexp: '^TMOUT='\n        line: \"TMOUT={{ ubuntu1804cis_shell_timeout }}\"\n\n    - name: \"SCORED | 5.4.5 | PATCH | Ensure default user shell timeout is 900 seconds or less - /etc/profile\"\n      lineinfile:\n        state: present\n        dest: /etc/profile\n        create: true\n        regexp: '^TMOUT='\n        line: \"TMOUT={{ ubuntu1804cis_shell_timeout }}\"\n\n    - name: \"SCORED | 5.4.5 | PATCH | Ensure default user shell 
timeout is 900 seconds or less - /etc/profile.d/99-tmout.sh\"\n      lineinfile:\n        state: present\n        dest: /etc/profile.d/99-tmout.sh\n        create: true\n        regexp: '^TMOUT='\n        line: \"TMOUT={{ ubuntu1804cis_shell_timeout }}\"\n  when:\n    - ubuntu1804cis_rule_5_4_5\n  tags:\n    - level1\n    - patch\n    - rule_5.4.5\n    - scored\n\n- name: \"NOTSCORED | 5.5 | PATCH | Ensure root login is restricted to system console\"\n  command: /bin/true\n  changed_when: false\n  when:\n      - ubuntu1804cis_rule_5_5\n  tags:\n      - level1\n      - patch\n      - rule_5.5\n      - notscored\n      - notimplemented\n\n- name: \"SCORED | 5.6 | PATCH | Ensure access to the su command is restricted\"\n  lineinfile:\n      state: present\n      dest: /etc/pam.d/su\n      regexp: '^(#)?auth\\s+required\\s+pam_wheel\\.so'\n      line: \"auth           required        pam_wheel.so use_uid\"\n  when:\n      - ubuntu1804cis_rule_5_6\n  tags:\n      - level1\n      - patch\n      - rule_5.6\n      - scored\n\n- name: \"SCORED | 5.6 | PATCH | Ensure access to the su command is restricted - sudo group contains root\"\n  user:\n      name: root\n      groups: sudo\n  when:\n      - ubuntu1804cis_rule_5_6\n  tags:\n      - level1\n      - patch\n      - rule_5.6\n      - scored\n"
  },
  {
    "path": "tasks/section6.yml",
    "content": "---\n- name: \"NOTSCORED | 6.1.1 | PATCH | Audit system file permissions\"\n  command: /bin/true\n  changed_when: false\n  when:\n      - ubuntu1804cis_rule_6_1_1\n  tags:\n      - level2\n      - notscored\n      - patch\n      - rule_6.1.1\n      - notimplemented\n\n- name: \"SCORED | 6.1.2 | PATCH | Ensure permissions on /etc/passwd are configured\"\n  file:\n      dest: /etc/passwd\n      owner: root\n      group: root\n      mode: 0644\n  when:\n      - ubuntu1804cis_rule_6_1_2\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_6.1.2\n\n- name: \"SCORED | 6.1.3 | PATCH | Ensure permissions on /etc/gshadow- are configured\"\n  file:\n      dest: /etc/gshadow-\n      owner: root\n      group: shadow\n      mode: 0640\n  when:\n      - ubuntu1804cis_rule_6_1_3\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_6.1.3\n\n\n- name: \"SCORED | 6.1.4 | PATCH | Ensure permissions on /etc/shadow are configured\"\n  file:\n      dest: /etc/shadow\n      owner: root\n      group: shadow\n      mode: 0640\n  when:\n      - ubuntu1804cis_rule_6_1_4\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_6.1.4\n\n- name: \"SCORED | 6.1.5 | PATCH | Ensure permissions on /etc/group are configured\"\n  file:\n      dest: /etc/group\n      owner: root\n      group: root\n      mode: 0644\n  when:\n      - ubuntu1804cis_rule_6_1_5\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_6.1.5\n\n- name: \"SCORED | 6.1.6 | PATCH | Ensure permissions on /etc/passwd- are configured\"\n  file:\n      dest: /etc/passwd-\n      owner: root\n      group: root\n      mode: 0600\n  when:\n      - ubuntu1804cis_rule_6_1_6\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_6.1.6\n\n- name: \"SCORED | 6.1.7 | PATCH | Ensure permissions on /etc/shadow- are configured\"\n  file:\n      dest: /etc/shadow-\n      owner: root\n      group: shadow\n      mode: 0600\n  when:\n      - 
ubuntu1804cis_rule_6_1_7\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_6.1.7\n\n- name: \"SCORED | 6.1.8 | PATCH | Ensure permissions on /etc/group- are configured\"\n  file:\n      dest: /etc/group-\n      owner: root\n      group: root\n      mode: 0644\n  when:\n      - ubuntu1804cis_rule_6_1_8\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_6.1.8\n\n- name: \"SCORED | 6.1.9 | PATCH | Ensure permissions on /etc/gshadow are configured\"\n  file:\n      dest: /etc/gshadow\n      owner: root\n      group: shadow\n      mode: 0640\n  when:\n      - ubuntu1804cis_rule_6_1_9\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_6.1.9\n\n- name: \"SCORED | 6.1.10 | PATCH | Ensure no world writable files exist\"\n  command: /bin/true\n  changed_when: false\n  when:\n      - ubuntu1804cis_rule_6_1_10\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_6.1.10\n      - notimplemented\n\n- name: \"SCORED | 6.1.11 | PATCH | Ensure no unowned files or directories exist\"\n  command: /bin/true\n  changed_when: false\n  when:\n      - ubuntu1804cis_rule_6_1_11\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_6.1.11\n      - notimplemented\n\n- name: \"SCORED | 6.1.12 | PATCH | Ensure no ungrouped files or directories exist\"\n  command: /bin/true\n  changed_when: false\n  when:\n      - ubuntu1804cis_rule_6_1_12\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_6.1.12\n      - notimplemented\n\n- name: \"NOTSCORED | 6.1.13 | PATCH | Audit SUID executables\"\n  command: /bin/true\n  changed_when: false\n  when:\n      - ubuntu1804cis_rule_6_1_13\n  tags:\n      - level1\n      - notscored\n      - patch\n      - rule_6.1.13\n      - notimplemented\n\n- name: \"NOTSCORED | 6.1.14 | PATCH | Audit SGID executables\"\n  command: /bin/true\n  changed_when: false\n  when:\n      - ubuntu1804cis_rule_6_1_14\n  tags:\n      - level1\n      - notscored\n      - patch\n 
     - rule_6.1.14\n      - notimplemented\n\n- name: \"SCORED | 6.2.1 | PATCH | Ensure password fields are not empty\"\n  command: passwd -l {{ item }}\n  changed_when: false\n  failed_when: false\n  with_items: \"{{ empty_password_accounts.stdout_lines }}\"\n  when:\n      - empty_password_accounts.rc\n      - ubuntu1804cis_rule_6_2_1\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_6.2.1\n\n- name: \"SCORED | 6.2.2 | PATCH | Ensure no legacy '+' entries exist in /etc/passwd\"\n  lineinfile:\n      regexp: '^\\+'\n      state: absent\n      path: /etc/passwd\n  when:\n      - ubuntu1804cis_rule_6_2_2\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_6.2.2\n\n- name: \"SCORED | 6.2.3 | PATCH | Ensure no legacy '+' entries exist in /etc/shadow\"\n  lineinfile:\n      regexp: '^\\+'\n      state: absent\n      path: /etc/shadow\n  when:\n      - ubuntu1804cis_rule_6_2_3\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_6.2.3\n\n- name: \"SCORED | 6.2.4 | PATCH | Ensure no legacy '+' entries exist in /etc/group\"\n  lineinfile:\n      regexp: '^\\+'\n      state: absent\n      path: /etc/group\n  when:\n      - ubuntu1804cis_rule_6_2_4\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_6.2.4\n\n- name: \"SCORED | 6.2.5 | PATCH | Ensure root is the only UID 0 account\"\n  command: passwd -l {{ item }}\n  changed_when: false\n  failed_when: false\n  with_items: \"{{ uid_zero_accounts_except_root.stdout_lines }}\"\n  when:\n      - uid_zero_accounts_except_root.rc\n      - ubuntu1804cis_rule_6_2_5\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_6.2.5\n\n- name: \"SCORED | 6.2.6 | PATCH | Ensure root PATH Integrity\"\n  block:\n      - name: \"SCORED | 6.2.6 | PATCH | Ensure root PATH Integrity (unimplemented)\"\n        command: /bin/true\n        changed_when: false\n        tags:\n            - level1\n            - scored\n            - patch\n            - 
rule_6.2.6\n            - notimplemented\n\n      - name: \"SCORED | 6.2.6 | PATCH | Ensure root PATH Integrity (collect paths)\"\n        shell: |\n          set -o pipefail;\n          sudopath=($(grep secure_path /etc/sudoers | cut -f2 -d= |cut -f2 -d\\\"))\n          IFS=:\n          for i in ${sudopath[*]}\n          do\n            if [ -d \"$i\" ]\n              then newsudopath+=($i)\n            fi\n           done\n          echo \"${newsudopath[*]}\"\n        args:\n            executable: /bin/bash\n        register: fixsudo\n        changed_when: false\n        check_mode: false\n        tags:\n            - level1\n            - scored\n            - patch\n            - rule_6.2.6\n\n      - name: \"SCORED | 6.2.6 | PATCH | Ensure root PATH Integrity (fix paths)\"\n        lineinfile:\n            dest: /etc/sudoers\n            regexp: \"(.*secure_path=).*\"\n            line: '\\1\"{{ fixsudo.stdout_lines[0] }}\"'\n            backrefs: true\n        when:\n            - fixsudo.stdout_lines[0]\n        tags:\n            - level1\n            - scored\n            - patch\n            - rule_6.2.6\n  when:\n      - ubuntu1804cis_rule_6_2_6\n\n- name: \"SCORED | 6.2.7 | PATCH | Ensure all users' home directories exist\"\n  command: /bin/true\n  changed_when: false\n  when:\n      - ubuntu1804cis_rule_6_2_7\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_6.2.7\n      - notimplemented\n\n- name: \"SCORED | 6.2.8 | PATCH | Ensure users' home directories permissions are 750 or more restrictive\"\n  shell: |\n      for dir in {{ homes_with_perms.stdout }};\n      do\n        chmod g-w,o-rwx $dir;\n      done\n  when:\n      - ubuntu1804cis_rule_6_2_8\n      - homes_with_perms.stdout | length > 0\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_6.2.8\n\n- name: \"SCORED | 6.2.9 | PATCH | Ensure users own their home directories\"\n  command: /bin/true\n  changed_when: false\n  when:\n      - 
ubuntu1804cis_rule_6_2_9\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_6.2.9\n      - notimplemented\n\n- name: \"SCORED | 6.2.10 | PATCH | Ensure users' dot files are not group or world writable\"\n  command: /bin/true\n  changed_when: false\n  when:\n      - ubuntu1804cis_rule_6_2_10\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_6.2.10\n      - notimplemented\n\n- name: \"SCORED | 6.2.11 | PATCH | Ensure no users have .forward files\"\n  file:\n      state: absent\n      dest: \"~{{ item }}/.forward\"\n  with_items: \"{{ users.stdout_lines }}\"\n  when:\n      - ubuntu1804cis_rule_6_2_11\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_6.2.11\n\n- name: \"SCORED | 6.2.12 | PATCH | Ensure no users have .netrc files\"\n  file:\n      state: absent\n      dest: \"~{{ item }}/.netrc\"\n  with_items: \"{{ users.stdout_lines }}\"\n  when:\n      - ubuntu1804cis_rule_6_2_12\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_6.2.12\n\n- name: \"SCORED | 6.2.14 | PATCH | Ensure no users have .rhosts files\"\n  file:\n      state: absent\n      dest: \"~{{ item }}/.rhosts\"\n  with_items: \"{{ users.stdout_lines }}\"\n  when:\n      - ubuntu1804cis_rule_6_2_14\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_6.2.14\n\n- name: \"SCORED | 6.2.15 | PATCH | Ensure all groups in /etc/passwd exist in /etc/group\"\n  command: /bin/true\n  changed_when: false\n  when:\n      - ubuntu1804cis_rule_6_2_15\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_6.2.15\n      - notimplemented\n\n- name: \"SCORED | 6.2.16 | PATCH | Ensure no duplicate UIDs exist\"\n  command: /bin/true\n  changed_when: false\n  when:\n      - ubuntu1804cis_rule_6_2_16\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_6.2.16\n      - notimplemented\n\n- name: \"SCORED | 6.2.17 | PATCH | Ensure no duplicate GIDs exist\"\n  command: /bin/true\n  changed_when: 
false\n  when:\n      - ubuntu1804cis_rule_6_2_17\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_6.2.17\n      - notimplemented\n\n- name: \"SCORED | 6.2.18 | PATCH | Ensure no duplicate user names exist\"\n  command: /bin/true\n  changed_when: false\n  when:\n      - ubuntu1804cis_rule_6_2_18\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_6.2.18\n      - notimplemented\n\n- name: \"SCORED | 6.2.19 | PATCH | Ensure no duplicate group names exist\"\n  command: /bin/true\n  changed_when: false\n  when:\n      - ubuntu1804cis_rule_6_2_19\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_6.2.19\n      - notimplemented\n\n- name: \"SCORED | 6.2.20 | PATCH | Ensure shadow group is empty\"\n  command: /bin/true\n  changed_when: false\n  when:\n      - ubuntu1804cis_rule_6_2_20\n  tags:\n      - level1\n      - scored\n      - patch\n      - rule_6.2.20\n      - notimplemented\n"
  },
  {
    "path": "templates/at.allow.j2",
    "content": "{% for user in ubuntu1804cis_at_allow_users %}\n{{ user }}\n{% endfor %}\n"
  },
  {
    "path": "templates/audit/ubuntu1804cis_rule_4_1_10.rules.j2",
    "content": "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n{% if ansible_architecture == 'x86_64' -%} \n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access\n-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access\n{% endif %}\n"
  },
  {
    "path": "templates/audit/ubuntu1804cis_rule_4_1_11.rules.j2",
    "content": "{% for proc in priv_procs.stdout_lines -%} \n-a always,exit -F path={{ proc }} -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n{% endfor %}\n"
  },
  {
    "path": "templates/audit/ubuntu1804cis_rule_4_1_12.rules.j2",
    "content": "-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n{% if ansible_architecture == 'x86_64' -%} \n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts\n{% endif %}\n"
  },
  {
    "path": "templates/audit/ubuntu1804cis_rule_4_1_13.rules.j2",
    "content": "-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n{% if ansible_architecture == 'x86_64' -%} \n-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete\n{% endif %}\n"
  },
  {
    "path": "templates/audit/ubuntu1804cis_rule_4_1_14.rules.j2",
    "content": "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d/ -p wa -k scope\n"
  },
  {
    "path": "templates/audit/ubuntu1804cis_rule_4_1_15.rules.j2",
    "content": "-w /var/log/sudo.log -p wa -k actions\n"
  },
  {
    "path": "templates/audit/ubuntu1804cis_rule_4_1_16.rules.j2",
    "content": "-w /sbin/insmod -p x -k modules\n-w /sbin/rmmod -p x -k modules\n-w /sbin/modprobe -p x -k modules\n{% if ansible_architecture == 'x86_64' -%} \n-a always,exit -F arch=b64 -S init_module -S delete_module -k modules\n{% endif %}\n-a always,exit -F arch=b32 -S init_module -S delete_module -k modules\n"
  },
  {
    "path": "templates/audit/ubuntu1804cis_rule_4_1_17.rules.j2",
    "content": "-e 2\n"
  },
  {
    "path": "templates/audit/ubuntu1804cis_rule_4_1_3.rules.j2",
    "content": "-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change\n-a always,exit -F arch=b32 -S clock_settime -k time-change\n{% if ansible_architecture == 'x86_64' -%} \n-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change\n-a always,exit -F arch=b64 -S clock_settime -k time-change\n{% endif %}\n-w /etc/localtime -p wa -k time-change\n"
  },
  {
    "path": "templates/audit/ubuntu1804cis_rule_4_1_4.rules.j2",
    "content": "-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n"
  },
  {
    "path": "templates/audit/ubuntu1804cis_rule_4_1_5.rules.j2",
    "content": "{% if ansible_architecture == 'x86_64' -%} \n-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale\n{% endif %}\n-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/network -p wa -k system-locale\n-w /etc/networks -p wa -k system-locale\n"
  },
  {
    "path": "templates/audit/ubuntu1804cis_rule_4_1_6.rules.j2",
    "content": "-w /etc/apparmor/ -p wa -k MAC-policy\n-w /etc/apparmor.d/ -p wa -k MAC-policy\n"
  },
  {
    "path": "templates/audit/ubuntu1804cis_rule_4_1_7.rules.j2",
    "content": "-w /var/log/faillog -p wa -k logins\n-w /var/log/lastlog -p wa -k logins\n-w /var/log/tallylog -p wa -k logins\n"
  },
  {
    "path": "templates/audit/ubuntu1804cis_rule_4_1_8.rules.j2",
    "content": "-w /var/run/utmp -p wa -k session\n-w /var/log/wtmp -p wa -k logins\n-w /var/log/btmp -p wa -k logins\n"
  },
  {
    "path": "templates/audit/ubuntu1804cis_rule_4_1_9.rules.j2",
    "content": "-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n{% if ansible_architecture == 'x86_64' -%} \n-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod\n{% endif %}\n"
  },
  {
    "path": "templates/chrony.conf.j2",
    "content": "# This the default chrony.conf file for the Debian chrony package.  After\n# editing this file use the command 'invoke-rc.d chrony restart' to make\n# your changes take effect.  John Hasler <jhasler@debian.org> 1998-2008\n\n# See www.pool.ntp.org for an explanation of these servers.  Please\n# consider joining the project if possible.  If you can't or don't want to\n# use these servers I suggest that you try your ISP's nameservers.  We mark\n# the servers 'offline' so that chronyd won't try to connect when the link\n# is down.  Scripts in /etc/ppp/ip-up.d and /etc/ppp/ip-down.d use chronyc\n# commands to switch it on when a dialup link comes up and off when it goes\n# down.  Code in /etc/init.d/chrony attempts to determine whether or not\n# the link is up at boot time and set the online status accordingly.  If\n# you have an always-on connection such as cable omit the 'offline'\n# directive and chronyd will default to online.\n#\n# Note that if Chrony tries to go \"online\" and dns lookup of the servers\n# fails they will be discarded.  Thus under some circumstances it is\n# better to use IP numbers than host names.\n\n{% for server in ubuntu1804cis_time_synchronization_servers -%}\nserver {{ server.uri }} {{ server.config }}\n{% endfor %}\n\n# Look here for the admin password needed for chronyc.  The initial\n# password is generated by a random process at install time.  You may\n# change it if you wish.\n\nkeyfile /etc/chrony/chrony.keys\n\n# Set runtime command key.  
Note that if you change the key (not the\n# password) to anything other than 1 you will need to edit\n# /etc/ppp/ip-up.d/chrony, /etc/ppp/ip-down.d/chrony, /etc/init.d/chrony\n# and /etc/cron.weekly/chrony as these scripts use it to get the password.\n\ncommandkey 1\n\n# I moved the driftfile to /var/lib/chrony to comply with the Debian\n# filesystem standard.\n\ndriftfile /var/lib/chrony/chrony.drift\n\n# Comment this line out to turn off logging.\n\nlog tracking measurements statistics\nlogdir /var/log/chrony\n\n# Stop bad estimates upsetting machine clock.\n\nmaxupdateskew 100.0\n\n# Dump measurements when daemon exits.\n\ndumponexit\n\n# Specify directory for dumping measurements.\n\ndumpdir /var/lib/chrony\n\n# Let computer be a server when it is unsynchronised.\n\nlocal stratum 10\n\n# Allow computers on the unrouted nets to use the server.\n\n#allow 10/8\n#allow 192.168/16\n#allow 172.16/12\n\n# This directive forces `chronyd' to send a message to syslog if it\n# makes a system clock adjustment larger than a threshold value in seconds.\n\nlogchange 0.5\n\n# This directive defines an email address to which mail should be sent\n# if chronyd applies a correction exceeding a particular threshold to the\n# system clock.\n\n# mailonchange root@localhost 0.5\n\n# This directive tells chrony to regulate the real-time clock and tells it\n# Where to store related data.  It may not work on some newer motherboards\n# that use the HPET real-time clock.  It requires enhanced real-time\n# support in the kernel.  I've commented it out because with certain\n# combinations of motherboard and kernel it is reported to cause lockups.\n\n# rtcfile /var/lib/chrony/chrony.rtc\n\n# If the last line of this file reads 'rtconutc' chrony will assume that\n# the CMOS clock is on UTC (GMT).  If it reads '# rtconutc' or is absent\n# chrony will assume local time.  The line (if any) was written by the\n# chrony postinst based on what it found in /etc/default/rcS.  
You may\n# change it if necessary.\nrtconutc\n"
  },
  {
    "path": "templates/cron.allow.j2",
    "content": "{% for user in ubuntu1804cis_cron_allow_users %}\n{{ user }}\n{% endfor %}\n"
  },
  {
    "path": "templates/etc/issue.j2",
    "content": "{{ ubuntu1804cis_warning_banner }}\n"
  },
  {
    "path": "templates/etc/issue.net.j2",
    "content": "{{ ubuntu1804cis_warning_banner }}\n"
  },
  {
    "path": "templates/etc/motd.j2",
    "content": "{{ ubuntu1804cis_warning_banner }}\n"
  },
  {
    "path": "templates/hosts.allow.j2",
    "content": "#\n# hosts.allow\tThis file contains access rules which are used to\n#\t\tallow or deny connections to network services that\n#\t\teither use the tcp_wrappers library or that have been\n#\t\tstarted through a tcp_wrappers-enabled xinetd.\n#\n#\t\tSee 'man 5 hosts_options' and 'man 5 hosts_access'\n#\t\tfor information on rule syntax.\n#\t\tSee 'man tcpd' for information on tcp_wrappers\n#\nALL: {% for iprange in ubuntu1804cis_host_allow -%}{{ iprange }}{% if not loop.last %}, {% endif %}{% endfor %}\n"
  },
  {
    "path": "templates/ntp.conf.j2",
    "content": "# For more information about this file, see the man pages\n# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).\n\ndriftfile /var/lib/ntp/drift\n\n# Permit time synchronization with our time source, but do not\n# permit the source to query or modify the service on this system.\n#restrict default nomodify notrap nopeer noquery\nrestrict -4 default kod nomodify notrap nopeer noquery\nrestrict -6 default kod nomodify notrap nopeer noquery\n\n# Permit all access over the loopback interface.  This could\n# be tightened as well, but to do so would effect some of\n# the administrative functions.\nrestrict 127.0.0.1\nrestrict ::1\n\n# Hosts on local network are less restricted.\n#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap\n\n# Use public servers from the pool.ntp.org project.\n# Please consider joining the pool (http://www.pool.ntp.org/join.html).\n{% for server in ubuntu1804cis_time_synchronization_servers -%}\nserver {{ server.uri }} {{ server.config }}\n{% endfor %}\n\n#broadcast 192.168.1.255 autokey        # broadcast server\n#broadcastclient                        # broadcast client\n#broadcast 224.0.1.1 autokey            # multicast server\n#multicastclient 224.0.1.1              # multicast client\n#manycastserver 239.255.254.254         # manycast server\n#manycastclient 239.255.254.254 autokey # manycast client\n\n# Enable public key cryptography.\n#crypto\n\n# includefile /etc/ntp/crypto/pw\n\n# Key file containing the keys and key identifiers used when operating\n# with symmetric key cryptography.\n# keys /etc/ntp/keys\n\n# Specify the key identifiers which are trusted.\n#trustedkey 4 8 42\n\n# Specify the key identifier to use with the ntpdc utility.\n#requestkey 8\n\n# Specify the key identifier to use with the ntpq utility.\n#controlkey 8\n\n# Enable writing of statistics records.\n#statistics clockstats cryptostats loopstats peerstats\n\n# Disable the monitoring facility to prevent amplification 
attacks using ntpdc\n# monlist command when default restrict does not include the noquery flag. See\n# CVE-2013-5211 for more details.\n# Note: Monitoring will not be disabled with the limited restriction flag.\ndisable monitor\n"
  },
  {
    "path": "vars/main.yml",
    "content": "---\n# vars file for Ubuntu1804-CIS\n"
  }
]