Repository: florianutz/Ubuntu1804-CIS Branch: master Commit: 187ff8d54543 Files: 55 Total size: 174.1 KB Directory structure: gitextract_1yek9sw7/ ├── .ansible-lint ├── .github/ │ ├── ISSUE_TEMPLATE/ │ │ ├── bug_report.md │ │ └── feature_request.md │ └── workflows/ │ ├── ansible-lint.yml │ └── run-molecule.yml ├── .gitignore ├── .travis.yml ├── .yamllint ├── LICENSE ├── Makefile ├── README.md ├── defaults/ │ └── main.yml ├── files/ │ └── etc/ │ └── systemd/ │ └── system/ │ └── tmp.mount ├── handlers/ │ └── main.yml ├── meta/ │ └── main.yml ├── molecule/ │ └── default/ │ ├── INSTALL.rst │ ├── converge.yml │ ├── molecule.yml │ ├── prepare.yml │ ├── tests/ │ │ └── test_default.py │ └── verify.yml ├── requirements.txt ├── tasks/ │ ├── main.yml │ ├── post.yml │ ├── prelim.yml │ ├── section1.yml │ ├── section2.yml │ ├── section3.yml │ ├── section4.yml │ ├── section5.yml │ └── section6.yml ├── templates/ │ ├── at.allow.j2 │ ├── audit/ │ │ ├── ubuntu1804cis_rule_4_1_10.rules.j2 │ │ ├── ubuntu1804cis_rule_4_1_11.rules.j2 │ │ ├── ubuntu1804cis_rule_4_1_12.rules.j2 │ │ ├── ubuntu1804cis_rule_4_1_13.rules.j2 │ │ ├── ubuntu1804cis_rule_4_1_14.rules.j2 │ │ ├── ubuntu1804cis_rule_4_1_15.rules.j2 │ │ ├── ubuntu1804cis_rule_4_1_16.rules.j2 │ │ ├── ubuntu1804cis_rule_4_1_17.rules.j2 │ │ ├── ubuntu1804cis_rule_4_1_3.rules.j2 │ │ ├── ubuntu1804cis_rule_4_1_4.rules.j2 │ │ ├── ubuntu1804cis_rule_4_1_5.rules.j2 │ │ ├── ubuntu1804cis_rule_4_1_6.rules.j2 │ │ ├── ubuntu1804cis_rule_4_1_7.rules.j2 │ │ ├── ubuntu1804cis_rule_4_1_8.rules.j2 │ │ └── ubuntu1804cis_rule_4_1_9.rules.j2 │ ├── chrony.conf.j2 │ ├── cron.allow.j2 │ ├── etc/ │ │ ├── issue.j2 │ │ ├── issue.net.j2 │ │ └── motd.j2 │ ├── hosts.allow.j2 │ └── ntp.conf.j2 └── vars/ └── main.yml ================================================ FILE CONTENTS ================================================ ================================================ FILE: .ansible-lint ================================================ exclude_paths: - 
molecule/ - .github/ warn_list: - '204' skip_list: - experimental - yaml ================================================ FILE: .github/ISSUE_TEMPLATE/bug_report.md ================================================ --- name: Bug report about: Create a report to help us improve title: '' labels: '' assignees: '' --- **Describe the bug** A clear and concise description of what the bug is. **To Reproduce** Steps to reproduce the behavior: 1. Go to '...' 2. Click on '....' 3. Scroll down to '....' 4. See error **Expected behavior** A clear and concise description of what you expected to happen. **Software (please complete the following information):** - Ansible Version: [e.g. 2.9.0] - Role/Repo Version [e.g. 1.0.0, master] **Additional context** Add any other context about the problem here. ================================================ FILE: .github/ISSUE_TEMPLATE/feature_request.md ================================================ --- name: Feature request about: Suggest an idea for this project title: '' labels: '' assignees: '' --- **Is your feature request related to a problem? Please describe.** A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] **Describe the solution you'd like** A clear and concise description of what you want to happen. **Describe alternatives you've considered** A clear and concise description of any alternative solutions or features you've considered. **Additional context** Add any other context or screenshots about the feature request here. 
================================================ FILE: .github/workflows/ansible-lint.yml ================================================
---
name: Lint the Playbook with Ansible Lint
# `on` reads as a YAML 1.1 boolean to generic parsers; GitHub's own loader treats it as the trigger key.
on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]
jobs:
  build:
    runs-on: ubuntu-latest
    env:
      PY_COLORS: '1'
      ANSIBLE_FORCE_COLOR: '1'
    steps:
      - uses: actions/checkout@v2
      - name: Lint Ansible Playbook
        # NOTE(review): `@master` is a mutable branch, so the code this step runs can
        # change without any change to this repository. Pinning to a release tag or,
        # better, a full commit SHA keeps the lint job reproducible and limits
        # supply-chain exposure; the `@v2` tags used in these workflows are movable too.
        uses: ansible/ansible-lint-action@master
        with:
          targets: |
            defaults/*.yml
            handlers/*.yml
            tasks/*.yml
          # NOTE(review): these pins differ from requirements.txt (ansible-lint==5.2.1),
          # so CI and `make test` lint with different versions — confirm which is intended.
          override-deps: |
            ansible==2.7
            ansible-lint==4.2.0
          # -x 204 excludes rule 204; .ansible-lint also lists '204' under warn_list.
          args: "-c .ansible-lint -x 204"
================================================ FILE: .github/workflows/run-molecule.yml ================================================
---
name: Run the Molecule Test Suite
on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]
jobs:
  molecule:
    runs-on: ubuntu-latest
    env:
      PY_COLORS: '1'
      ANSIBLE_FORCE_COLOR: '1'
    steps:
      - uses: actions/checkout@v2
        with:
          # Checked out under the repository path, presumably so the directory name
          # matches `role: Ubuntu1804-CIS` in molecule/default/converge.yml — confirm.
          path: "${{ github.repository }}"
      # NOTE(review): third-party action referenced by a movable tag; a full commit SHA
      # is the conservative pin for a step that runs with the repository checked out.
      - uses: gofrolist/molecule-action@v2
================================================ FILE: .gitignore ================================================
*.swp
*.retry
.DS_Store
test.yml
tests/local-test.yml
tests/.vagrant
tests/Vagrantfile
tests/test-inv
tests/*.html
tests/*.txt
tests/*.retry
.Python
.molecule/
/bin/
/etc/
/include/
/lib/
pip-selfcheck.json
/share/
molecule/default/cache
/venv/
.venv
*.bak*
*.cache
__pycache__
================================================ FILE: .travis.yml ================================================
---
os: linux
dist: focal
#sudo: required
services:
  - docker
language: python
python:
  - "3.8"
# All before_install entries are commented out, so this key evaluates to null.
before_install:
#- docker pull solita/ubuntu-systemd:bionic
# - make bin/python
script:
  - make travis
notifications:
  webhooks: https://galaxy.ansible.com/api/v1/notifications/
================================================ FILE: .yamllint ================================================
extends: default
rules:
  braces:
    max-spaces-inside: 1
    level: error
  brackets:
max-spaces-inside: 1 level: error line-length: disable # NOTE(retr0h): Templates no longer fail this lint rule. # Uncomment if running old Molecule templates. # truthy: disable ================================================ FILE: LICENSE ================================================ MIT License Copyright (c) 2020 Florian Utz Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ================================================ FILE: Makefile ================================================ # Makefile for Ubuntu1804-CIS .PHONY: help help: @echo @echo This Makefile is used to test this role. Typical use: @echo @echo ' make test' @echo ' make clean' @echo ' make travis' @echo @echo @echo To use the isolated environment from this directory: @echo @echo ' make venv' @echo ' . 
bin/activate' @echo @echo Molecule has built-in help @echo @echo # virtualenv allows isolation of python libraries .PHONY: venv venv: bin/python .PHONY: bin/python bin/python: pip -V || sudo easy_install pip # virtualenv allows isolation of python libraries virtualenv --version || sudo easy_install virtualenv # Now with those two we can isolate our test setup. virtualenv venv venv/bin/pip install -r requirements.txt # cleanup virtualenv and molecule leftovers .PHONY: clean clean: rm -rf .molecule venv molecule/default/cache .PHONY: test test: bin/python ( . venv/bin/activate && venv/bin/molecule test ) .PHONY: travis travis: pip install -r requirements.txt molecule test ================================================ FILE: README.md ================================================ Ubuntu 18.04 CIS STIG ================ [![Build Status](https://travis-ci.com/florianutz/Ubuntu1804-CIS.svg?branch=master)](https://travis-ci.com/florianutz/Ubuntu1804-CIS) [![Ansible Role](https://img.shields.io/badge/role-florianutz.Ubuntu1804--CIS-blue.svg)](https://galaxy.ansible.com/florianutz/Ubuntu1804-CIS/) Configure Ubuntu 18.04 machine to be CIS compliant. Level 1 and 2 findings will be corrected by default. This role **will make changes to the system** that could break things. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted. ## IMPORTANT INSTALL STEP If you want to install this via the `ansible-galaxy` command you'll need to run it like this: `ansible-galaxy install -p roles -r requirements.yml` With this in the file requirements.yml: ``` - src: https://github.com/florianutz/Ubuntu1804-CIS.git ``` Based on [CIS Ubuntu Benchmark v2.0.1 - 01-03-2020 ](https://www.cisecurity.org/cis-benchmarks/). 
This repo originated from work done by [MindPointGroup](https://github.com/MindPointGroup/RHEL7-CIS) Requirements ------------ You should carefully read through the tasks to make sure these changes will not break your systems before running this playbook. Role Variables -------------- There are many role variables defined in defaults/main.yml. This list shows the most important. **ubuntu1804cis_notauto**: Run CIS checks that we typically do NOT want to automate due to the high probability of breaking the system (Default: false) **ubuntu1804cis_section1**: CIS - General Settings (Section 1) (Default: true) **ubuntu1804cis_section2**: CIS - Services settings (Section 2) (Default: true) **ubuntu1804cis_section3**: CIS - Network settings (Section 3) (Default: true) **ubuntu1804cis_section4**: CIS - Logging and Auditing settings (Section 4) (Default: true) **ubuntu1804cis_section5**: CIS - Access, Authentication and Authorization settings (Section 5) (Default: true) **ubuntu1804cis_section6**: CIS - System Maintenance settings (Section 6) (Default: true) ##### Disable all selinux functions `ubuntu1804cis_selinux_disable: false` ##### Service variables: ###### These control whether a server should or should not be allowed to continue to run these services ``` ubuntu1804cis_avahi_server: false ubuntu1804cis_cups_server: false ubuntu1804cis_dhcp_server: false ubuntu1804cis_ldap_server: false ubuntu1804cis_telnet_server: false ubuntu1804cis_nfs_server: false ubuntu1804cis_rpc_server: false ubuntu1804cis_ntalk_server: false ubuntu1804cis_rsyncd_server: false ubuntu1804cis_tftp_server: false ubuntu1804cis_rsh_server: false ubuntu1804cis_nis_server: false ubuntu1804cis_snmp_server: false ubuntu1804cis_squid_server: false ubuntu1804cis_smb_server: false ubuntu1804cis_dovecot_server: false ubuntu1804cis_httpd_server: false ubuntu1804cis_vsftpd_server: false ubuntu1804cis_named_server: false ubuntu1804cis_bind: false ubuntu1804cis_vsftpd: false ubuntu1804cis_httpd: false 
ubuntu1804cis_dovecot: false
ubuntu1804cis_samba: false
ubuntu1804cis_squid: false
ubuntu1804cis_net_snmp: false
```

##### Designate server as a Mail server
`ubuntu1804cis_is_mail_server: false`

##### System network parameters (host only OR host and router)
`ubuntu1804cis_is_router: false`

##### IPv6 required
`ubuntu1804cis_ipv6_required: true`

##### AIDE
`ubuntu1804cis_config_aide: true`

###### AIDE cron settings
```
ubuntu1804cis_aide_cron:
  cron_user: root
  cron_file: /etc/crontab
  aide_job: '/usr/sbin/aide --check'
  aide_minute: 0
  aide_hour: 5
  aide_day: '*'
  aide_month: '*'
  aide_weekday: '*'
```

##### Set to 'true' if X Windows is needed in your environment
`ubuntu1804cis_xwindows_required: no`

##### Client application requirements
```
ubuntu1804cis_openldap_clients_required: false
ubuntu1804cis_telnet_required: false
ubuntu1804cis_talk_required: false
ubuntu1804cis_rsh_required: false
ubuntu1804cis_ypbind_required: false
```

##### Time Synchronization
```
ubuntu1804cis_time_synchronization: chrony
ubuntu1804cis_time_synchronization: ntp
ubuntu1804cis_time_synchronization_servers:
  - uri: "0.pool.ntp.org"
    config: "minpoll 8"
  - uri: "1.pool.ntp.org"
    config: "minpoll 8"
  - uri: "2.pool.ntp.org"
    config: "minpoll 8"
  - uri: "3.pool.ntp.org"
    config: "minpoll 8"
```

##### - name: "SCORED | 1.1.5 | PATCH | Ensure noexec option set on /tmp partition"
It is not implemented: noexec on /tmp would disrupt apt, because /tmp contains executable scripts during package installation.
```
```

##### 1.5.3 | PATCH | Ensure authentication required for single user mode
It is disabled by default because it sets a random password for root.
To enable it set: ```yaml ubuntu1804cis_rule_1_5_3: true ``` To use other than random password: ```yaml ubuntu1804cis_root_password: 'new password' ``` ##### 3.4.2 | PATCH | Ensure /etc/hosts.allow is configured ``` ubuntu1804cis_host_allow: - "10.0.0.0/255.0.0.0" - "172.16.0.0/255.240.0.0" - "192.168.0.0/255.255.0.0" ``` ``` ubuntu1804cis_firewall: firewalld ubuntu1804cis_firewall: iptables ``` ##### 5.3.1 | PATCH | Ensure password creation requirements are configured ``` ubuntu1804cis_pwquality: - key: 'minlen' value: '14' - key: 'dcredit' value: '-1' - key: 'ucredit' value: '-1' - key: 'ocredit' value: '-1' - key: 'lcredit' value: '-1' ``` Dependencies ------------ Ansible >= 2.4 and <= 2.7 (2.8 is not yet supported) Example Playbook ------------------------- ``` - name: Harden Server hosts: servers become: yes roles: - Ubuntu1804-CIS ``` To run the tasks in this repository, first create this file one level above the repository (i.e. the playbook .yml and the directory `Ubuntu1804-CIS` should be next to each other), then review the file `defaults/main.yml` and disable any rule/section you do not wish to execute. Assuming you named the file `site.yml`, run it with: ```bash ansible-playbook site.yml ``` Tags ---- Many tags are available for precise control of what is and is not changed. 
Some examples of using tags: ``` # Audit and patch the site ansible-playbook site.yml --tags="patch" ``` License ------- MIT ================================================ FILE: defaults/main.yml ================================================ --- # defaults file for Ubuntu1804-CIS ubuntu1804cis_skip_for_travis: false ubuntu1804cis_notauto: false ubuntu1804cis_section1: true ubuntu1804cis_section2: true ubuntu1804cis_section3: true ubuntu1804cis_section4: true ubuntu1804cis_section5: true ubuntu1804cis_section6: true ubuntu1804cis_selinux_disable: false ubuntu1804cis_auditd_disable: false # Ignore remount errors if you're building an image or are going to reboot anyway ubuntu1804cis_ignore_remount_errors: true # These variables correspond with the CIS rule IDs or paragraph numbers defined in # the CIS benchmark documents. # PLEASE NOTE: These work in coordination with the section # group variables and tags. # You must enable an entire section in order for the variables below to take effect. 
# Section 1 rules ubuntu1804cis_rule_1_1_1_1: true ubuntu1804cis_rule_1_1_1_2: true ubuntu1804cis_rule_1_1_1_3: true ubuntu1804cis_rule_1_1_1_4: true ubuntu1804cis_rule_1_1_1_5: true ubuntu1804cis_rule_1_1_1_6: true ubuntu1804cis_rule_1_1_1_7: true ubuntu1804cis_rule_1_1_1_8: false ubuntu1804cis_rule_1_1_2: true ubuntu1804cis_rule_1_1_3: true ubuntu1804cis_rule_1_1_4: true ubuntu1804cis_rule_1_1_5: false ubuntu1804cis_rule_1_1_6: true ubuntu1804cis_rule_1_1_7: true ubuntu1804cis_rule_1_1_8: true ubuntu1804cis_rule_1_1_9: true ubuntu1804cis_rule_1_1_10: true ubuntu1804cis_rule_1_1_11: true ubuntu1804cis_rule_1_1_12: true ubuntu1804cis_rule_1_1_13: true ubuntu1804cis_rule_1_1_14: true ubuntu1804cis_rule_1_1_15: true ubuntu1804cis_rule_1_1_16: true ubuntu1804cis_rule_1_1_17: true ubuntu1804cis_rule_1_1_18: true ubuntu1804cis_rule_1_1_19: true ubuntu1804cis_rule_1_1_20: true ubuntu1804cis_rule_1_1_21: true ubuntu1804cis_rule_1_1_22: true ubuntu1804cis_rule_1_1_23: true ubuntu1804cis_rule_1_2_1: true ubuntu1804cis_rule_1_2_2: true ubuntu1804cis_rule_1_3_1: true ubuntu1804cis_rule_1_3_2: true ubuntu1804cis_rule_1_3_3: true ubuntu1804cis_rule_1_4_1: true ubuntu1804cis_rule_1_4_2: true ubuntu1804cis_rule_1_5_1: true ubuntu1804cis_rule_1_5_2: true ubuntu1804cis_rule_1_5_2_disable_password: true ubuntu1804cis_rule_1_5_3: false ubuntu1804cis_rule_1_5_4: true ubuntu1804cis_rule_1_6_1: true ubuntu1804cis_rule_1_6_2: true ubuntu1804cis_rule_1_6_3: true ubuntu1804cis_rule_1_6_4: true ubuntu1804cis_rule_1_7_1_1: true ubuntu1804cis_rule_1_7_1_2: true ubuntu1804cis_rule_1_7_1_3: true ubuntu1804cis_rule_1_7_1_4: true ubuntu1804cis_rule_1_8_1_1: true ubuntu1804cis_rule_1_8_1_2: true ubuntu1804cis_rule_1_8_1_3: true ubuntu1804cis_rule_1_8_1_4: true ubuntu1804cis_rule_1_8_1_5: true ubuntu1804cis_rule_1_8_1_6: true ubuntu1804cis_rule_1_8_2: true ubuntu1804cis_rule_1_9: true # Section 2 rules ubuntu1804cis_rule_2_1_1: true ubuntu1804cis_rule_2_1_2: true ubuntu1804cis_rule_2_1_3: true 
ubuntu1804cis_rule_2_1_4: true ubuntu1804cis_rule_2_1_5: true ubuntu1804cis_rule_2_1_6: true ubuntu1804cis_rule_2_1_7: true ubuntu1804cis_rule_2_1_8: true ubuntu1804cis_rule_2_1_9: true ubuntu1804cis_rule_2_1_10: true ubuntu1804cis_rule_2_1_11: true ubuntu1804cis_rule_2_2_1_1: true ubuntu1804cis_rule_2_2_1_2: true ubuntu1804cis_rule_2_2_1_3: true ubuntu1804cis_rule_2_2_1_4: true ubuntu1804cis_rule_2_2_2: true ubuntu1804cis_rule_2_2_3: true ubuntu1804cis_rule_2_2_4: true ubuntu1804cis_rule_2_2_5: true ubuntu1804cis_rule_2_2_6: true ubuntu1804cis_rule_2_2_7: true ubuntu1804cis_rule_2_2_8: true ubuntu1804cis_rule_2_2_9: true ubuntu1804cis_rule_2_2_10: true ubuntu1804cis_rule_2_2_11: true ubuntu1804cis_rule_2_2_12: true ubuntu1804cis_rule_2_2_13: true ubuntu1804cis_rule_2_2_14: true ubuntu1804cis_rule_2_2_15: true ubuntu1804cis_rule_2_2_16: true ubuntu1804cis_rule_2_2_17: true ubuntu1804cis_rule_2_3_1: true ubuntu1804cis_rule_2_3_2: true ubuntu1804cis_rule_2_3_3: true ubuntu1804cis_rule_2_3_4: true ubuntu1804cis_rule_2_3_5: true # Section 3 rules ubuntu1804cis_rule_3_1_1: true ubuntu1804cis_rule_3_1_2: true ubuntu1804cis_rule_3_2_1: true ubuntu1804cis_rule_3_2_2: true ubuntu1804cis_rule_3_2_3: true ubuntu1804cis_rule_3_2_4: true ubuntu1804cis_rule_3_2_5: true ubuntu1804cis_rule_3_2_6: true ubuntu1804cis_rule_3_2_7: true ubuntu1804cis_rule_3_2_8: true ubuntu1804cis_rule_3_2_9: true ubuntu1804cis_rule_3_3_1: true ubuntu1804cis_rule_3_3_2: true ubuntu1804cis_rule_3_3_3: true ubuntu1804cis_rule_3_3_4: true ubuntu1804cis_rule_3_3_5: true ubuntu1804cis_rule_3_4_1: true ubuntu1804cis_rule_3_4_2: true ubuntu1804cis_rule_3_4_3: true ubuntu1804cis_rule_3_4_4: true ubuntu1804cis_rule_3_5_1_1: true ubuntu1804cis_rule_3_5_2_1: true ubuntu1804cis_rule_3_5_2_2: true ubuntu1804cis_rule_3_5_2_3: true ubuntu1804cis_rule_3_5_2_4: true ubuntu1804cis_rule_3_5_2_5: true ubuntu1804cis_rule_3_5_3_1: true ubuntu1804cis_rule_3_5_3_2: true ubuntu1804cis_rule_3_5_3_3: true 
ubuntu1804cis_rule_3_5_3_4: true ubuntu1804cis_rule_3_5_3_5: true ubuntu1804cis_rule_3_5_3_6: true ubuntu1804cis_rule_3_5_3_7: true ubuntu1804cis_rule_3_5_3_8: true ubuntu1804cis_rule_3_5_4_1_1: true ubuntu1804cis_rule_3_5_4_1_2: true ubuntu1804cis_rule_3_5_4_1_3: true ubuntu1804cis_rule_3_5_4_1_4: true ubuntu1804cis_rule_3_5_4_2_1: true ubuntu1804cis_rule_3_5_4_2_2: true ubuntu1804cis_rule_3_5_4_2_3: true ubuntu1804cis_rule_3_5_4_2_4: true ubuntu1804cis_rule_3_5_4_3_1: true ubuntu1804cis_rule_3_5_4_3_2: true ubuntu1804cis_rule_3_5_4_3_3: true ubuntu1804cis_rule_3_5_4_3_4: true ubuntu1804cis_rule_3_5_4_3_5: true ubuntu1804cis_rule_3_6: true ubuntu1804cis_rule_3_7: true # Section 4 rules ubuntu1804cis_rule_4_1_1_1: true ubuntu1804cis_rule_4_1_1_2: true ubuntu1804cis_rule_4_1_1_3: true ubuntu1804cis_rule_4_1_1_4: true ubuntu1804cis_rule_4_1_2_1: true ubuntu1804cis_rule_4_1_2_2: true ubuntu1804cis_rule_4_1_2_3: true ubuntu1804cis_rule_4_1_3: true ubuntu1804cis_rule_4_1_4: true ubuntu1804cis_rule_4_1_5: true ubuntu1804cis_rule_4_1_6: true ubuntu1804cis_rule_4_1_7: true ubuntu1804cis_rule_4_1_8: true ubuntu1804cis_rule_4_1_9: true ubuntu1804cis_rule_4_1_10: true ubuntu1804cis_rule_4_1_11: true ubuntu1804cis_rule_4_1_12: true ubuntu1804cis_rule_4_1_13: true ubuntu1804cis_rule_4_1_14: true ubuntu1804cis_rule_4_1_15: true ubuntu1804cis_rule_4_1_16: true ubuntu1804cis_rule_4_1_17: true ubuntu1804cis_rule_4_2_1_1: true ubuntu1804cis_rule_4_2_1_2: true ubuntu1804cis_rule_4_2_1_3: true ubuntu1804cis_rule_4_2_1_4: true ubuntu1804cis_rule_4_2_1_5: true ubuntu1804cis_rule_4_2_1_6: true ubuntu1804cis_rule_4_2_2_1: true ubuntu1804cis_rule_4_2_2_2: true ubuntu1804cis_rule_4_2_2_3: true ubuntu1804cis_rule_4_2_3: true ubuntu1804cis_rule_4_3: true # Section 5 rules ubuntu1804cis_rule_5_1_1: true ubuntu1804cis_rule_5_1_2: true ubuntu1804cis_rule_5_1_3: true ubuntu1804cis_rule_5_1_4: true ubuntu1804cis_rule_5_1_5: true ubuntu1804cis_rule_5_1_6: true ubuntu1804cis_rule_5_1_7: true 
ubuntu1804cis_rule_5_1_8: true ubuntu1804cis_rule_5_2_1: true ubuntu1804cis_rule_5_2_2: true ubuntu1804cis_rule_5_2_3: true ubuntu1804cis_rule_5_2_4: true ubuntu1804cis_rule_5_2_5: true ubuntu1804cis_rule_5_2_6: true ubuntu1804cis_rule_5_2_7: true ubuntu1804cis_rule_5_2_8: true ubuntu1804cis_rule_5_2_9: true ubuntu1804cis_rule_5_2_10: true ubuntu1804cis_rule_5_2_11: true ubuntu1804cis_rule_5_2_12: true ubuntu1804cis_rule_5_2_13: true ubuntu1804cis_rule_5_2_14: true ubuntu1804cis_rule_5_2_15: true ubuntu1804cis_rule_5_2_16: true ubuntu1804cis_rule_5_2_17: true ubuntu1804cis_rule_5_2_18: true ubuntu1804cis_rule_5_2_19: true ubuntu1804cis_rule_5_2_20: true ubuntu1804cis_rule_5_2_21: true ubuntu1804cis_rule_5_2_22: true ubuntu1804cis_rule_5_2_23: true ubuntu1804cis_rule_5_3_1: true ubuntu1804cis_rule_5_3_2: true ubuntu1804cis_rule_5_3_3: true ubuntu1804cis_rule_5_3_4: true ubuntu1804cis_rule_5_4_1_1: true ubuntu1804cis_rule_5_4_1_2: true ubuntu1804cis_rule_5_4_1_3: true ubuntu1804cis_rule_5_4_1_4: true ubuntu1804cis_rule_5_4_1_5: true ubuntu1804cis_rule_5_4_2: true ubuntu1804cis_rule_5_4_3: true ubuntu1804cis_rule_5_4_4: true ubuntu1804cis_rule_5_4_5: true ubuntu1804cis_rule_5_5: true ubuntu1804cis_rule_5_6: false # Section 6 rules ubuntu1804cis_rule_6_1_1: true ubuntu1804cis_rule_6_1_2: true ubuntu1804cis_rule_6_1_3: true ubuntu1804cis_rule_6_1_4: true ubuntu1804cis_rule_6_1_5: true ubuntu1804cis_rule_6_1_6: true ubuntu1804cis_rule_6_1_7: true ubuntu1804cis_rule_6_1_8: true ubuntu1804cis_rule_6_1_9: true ubuntu1804cis_rule_6_1_10: true ubuntu1804cis_rule_6_1_11: true ubuntu1804cis_rule_6_1_12: true ubuntu1804cis_rule_6_1_13: true ubuntu1804cis_rule_6_1_14: true ubuntu1804cis_rule_6_2_1: true ubuntu1804cis_rule_6_2_2: true ubuntu1804cis_rule_6_2_3: true ubuntu1804cis_rule_6_2_4: true ubuntu1804cis_rule_6_2_5: true ubuntu1804cis_rule_6_2_6: true ubuntu1804cis_rule_6_2_7: true ubuntu1804cis_rule_6_2_8: true ubuntu1804cis_rule_6_2_9: true ubuntu1804cis_rule_6_2_10: true 
ubuntu1804cis_rule_6_2_11: true ubuntu1804cis_rule_6_2_12: true ubuntu1804cis_rule_6_2_14: true ubuntu1804cis_rule_6_2_15: true ubuntu1804cis_rule_6_2_16: true ubuntu1804cis_rule_6_2_17: true ubuntu1804cis_rule_6_2_18: true ubuntu1804cis_rule_6_2_19: true ubuntu1804cis_rule_6_2_20: true # Service configuration booleans set true to keep service ubuntu1804cis_avahi_server: false ubuntu1804cis_cups_server: false ubuntu1804cis_dhcp_server: false ubuntu1804cis_ldap_server: false ubuntu1804cis_telnet_server: false ubuntu1804cis_nfs_server: false ubuntu1804cis_rpc_server: false ubuntu1804cis_ntalk_server: false ubuntu1804cis_rsyncd_server: false ubuntu1804cis_tftp_server: false ubuntu1804cis_rsh_server: false ubuntu1804cis_nis_server: false ubuntu1804cis_snmp_server: false ubuntu1804cis_squid_server: false ubuntu1804cis_smb_server: false ubuntu1804cis_dovecot_server: false ubuntu1804cis_httpd_server: false ubuntu1804cis_vsftpd_server: false ubuntu1804cis_named_server: false ubuntu1804cis_nfs_rpc_server: false ubuntu1804cis_is_mail_server: false ubuntu1804cis_bind: false ubuntu1804cis_vsftpd: false ubuntu1804cis_httpd: false ubuntu1804cis_dovecot: false ubuntu1804cis_samba: false ubuntu1804cis_squid: false ubuntu1804cis_net_snmp: false ubuntu1804cis_allow_autofs: false # xinetd required ubuntu1804cis_xinetd_required: false # RedHat Satellite Subscription items ubuntu1804cis_rhnsd_required: false # 1.4.2 Bootloader password ubuntu1804cis_bootloader_password: random ubuntu1804cis_set_boot_pass: false # System network parameters (host only OR host and router) ubuntu1804cis_is_router: false # IPv6 required ubuntu1804cis_ipv6_required: true # AIDE ubuntu1804cis_config_aide: true # AIDE cron settings ubuntu1804cis_aide_cron: cron_user: root cron_file: /etc/crontab aide_job: '/usr/bin/aide.wrapper --config /etc/aide/aide.conf --check' aide_minute: 0 aide_hour: 5 aide_day: '*' aide_month: '*' aide_weekday: '*' # Whether or not to run tasks related to auditing/patching the desktop 
# environment
ubuntu1804cis_gui: false

# Set to 'true' if X Windows is needed in your environment
ubuntu1804cis_xwindows_required: false

# Client packages that are removed unless the corresponding flag is true.
ubuntu1804cis_openldap_clients_required: false
ubuntu1804cis_telnet_required: false
ubuntu1804cis_talk_required: false
ubuntu1804cis_rsh_required: false
ubuntu1804cis_ypbind_required: false

# Time Synchronization
# Exactly one daemon is selected; the list below is rendered into its config
# (templates/chrony.conf.j2 or templates/ntp.conf.j2 — templates are not shown in this extract).
ubuntu1804cis_time_synchronization: chrony
# ubuntu1804cis_time_synchronization: ntp
ubuntu1804cis_time_synchronization_servers:
  - uri: "0.pool.ntp.org"
    config: "minpoll 8"
  - uri: "1.pool.ntp.org"
    config: "minpoll 8"
  - uri: "2.pool.ntp.org"
    config: "minpoll 8"
  - uri: "3.pool.ntp.org"
    config: "minpoll 8"

# 3.3 TCP Wrappers
# Off by default; presumably gates the 3.3.x tasks that consume ubuntu1804cis_host_allow
# (tasks/section3.yml is not shown in this extract).
ubuntu1804cis_setup_tcp_wrappers: false

# 3.3.4 | PATCH | Ensure /etc/hosts.allow is configured
# NOTE(review): the last entry, "0.0.0.0/0.0.0.0", matches every source address.
# If templates/hosts.allow.j2 renders these entries as allow rules, this default
# permits all hosts and the private-range entries above it add no restriction;
# override the list with the networks that should actually be allowed.
ubuntu1804cis_host_allow:
  - "10.0.0.0/255.0.0.0"
  - "172.16.0.0/255.240.0.0"
  - "192.168.0.0/255.255.0.0"
  - "0.0.0.0/0.0.0.0"

# Firewall backend; only one is active. Whether firewall tasks run at all is
# presumably governed by ubuntu1804cis_setup_firewall (false by default) further down.
ubuntu1804cis_firewall: firewalld
# ubuntu1804cis_firewall: iptables
# ubuntu1804cis_firewall: ufw
# ubuntu1804cis_firewall: nftables

# 3.5.3.2 | PATCH | Ensure a table exists
ubuntu1804cis_nftables_table: filter

# Services left reachable when the firewall is configured.
ubuntu1804cis_firewall_services:
  - ssh
  - dhcpv6-client

# Warning Banner Content (issue, issue.net, motd)
ubuntu1804cis_warning_banner: |
  Authorized uses only. All activity may be monitored and reported.
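# End Banner

## Section 4 Vars
ubuntu1804cis_auditd:
  admin_space_left_action: halt
  max_log_file_action: keep_logs
  max_audit_log_file_size: 10
  backlog_limit: "8192"

ubuntu1804cis_logrotate: "daily"

## Section 5 Vars
# Empty lists mean no users are written to at.allow / cron.allow.
ubuntu1804cis_at_allow_users: []
ubuntu1804cis_cron_allow_users: []

ubuntu1804cis_sshd:
  clientalivecountmax: 3
  clientaliveinterval: 300
  ciphers: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
  macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"
  kexalgorithms: "curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
  logingracetime: 60
  ### Make sure you understand the precedence when working with these values!!
  # allowusers:
  # allowgroups: systems dba
  # denyusers:
  # denygroups:

ubuntu1804cis_pwquality:
  - key: 'minlen'
    value: '14'
  - key: 'dcredit'
    value: '-1'
  - key: 'ucredit'
    value: '-1'
  - key: 'ocredit'
    value: '-1'
  - key: 'lcredit'
    value: '-1'

ubuntu1804cis_pass:
  max_days: 365
  min_days: 1
  warn_age: 7
  inactive: 30
  history: 5

ubuntu1804cis_password_change_date_in_future_action: expire  # lock

ubuntu1804cis_shell_timeout: 900

# Syslog system
ubuntu1804cis_syslog: rsyslog
# ubuntu1804cis_syslog: syslog-ng

ubuntu1804cis_vartmp:
  source: /tmp
  # NOTE(review): `false` here is a boolean, not a filesystem type; how the
  # section1 tasks consume it is not visible in this extract — confirm.
  fstype: false
  # FIX: mount(8)/fstab option lists are comma-separated with no whitespace.
  # The previous value "defaults, nodev, nosuid, noexec, bind" carried spaces,
  # which corrupt the option string once this mount is enabled.
  opts: "defaults,nodev,nosuid,noexec,bind"
  enabled: false

# Apply upgrades (set to false if another patching system is in place)
ubuntu1804cis_apply_upgrades: true

###### Multi OS Vars ###########
prelim_check_package_command:
  RedHat: rpm -q
  Debian: dpkg -V

auditd_package:
  RedHat: audit
  Debian: auditd

cron_package:
  RedHat: cronie
  Debian: cron

cron_service:
  RedHat: crond
  Debian: cron

ntp_service:
  RedHat: ntpd
  Debian: ntp

chrony_service:
  RedHat: chronyd
  Debian: chrony

tcp_wrapper_package:
  RedHat: tcp_wrappers
  Debian: tcpd

bashrc_file:
  RedHat: /etc/bashrc
  Debian: /etc/bash.bashrc

tmp_mount_file:
  RedHat: /usr/lib/systemd/system/tmp.mount
  Debian: /usr/share/systemd/tmp.mount

tmp_mount_options:
  RedHat: mode=1777,strictatime,noexec,nodev,nosuid
  # Debian deliberately omits noexec (README: noexec on /tmp disrupts apt).
  # files/etc/systemd/system/tmp.mount below does carry noexec; which of the two
  # the section1 tasks install is not visible in this extract — confirm.
  Debian: mode=1777,strictatime,nodev,nosuid

chrony_config_file:
  RedHat: /etc/chrony.conf
  Debian: /etc/chrony/chrony.conf

### Firewall
# Off by default: the ubuntu1804cis_firewall backend selected above is not
# configured unless this is set to true.
ubuntu1804cis_setup_firewall: false
================================================ FILE: files/etc/systemd/system/tmp.mount ================================================
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.

[Unit]
Description=Temporary Directory
Documentation=man:hier(7)
Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
ConditionPathIsSymbolicLink=!/tmp
DefaultDependencies=no
Conflicts=umount.target
Before=local-fs.target umount.target

[Mount]
What=tmpfs
Where=/tmp
Type=tmpfs
Options=mode=1777,strictatime,noexec,nodev,nosuid

# Make 'systemctl enable tmp.mount' work:
[Install]
WantedBy=local-fs.target
================================================ FILE: handlers/main.yml ================================================
---
# handlers file for Ubuntu1804-CIS

# Route-table flushes are skipped under docker, where sysctl is not writable.
- name: sysctl flush ipv4 route table
  become: true
  sysctl:
    name: net.ipv4.route.flush
    value: "1"
    sysctl_set: true
  when: ansible_virtualization_type != "docker"

- name: sysctl flush ipv6 route table
  become: true
  sysctl:
    name: net.ipv6.route.flush
    value: "1"
    sysctl_set: true
  when: ansible_virtualization_type != "docker"

# Remount failures are tolerated when ubuntu1804cis_ignore_remount_errors is true
# (the default), e.g. while building an image that will be rebooted anyway.
- name: systemd restart tmp.mount
  become: true
  systemd:
    name: tmp.mount
    daemon_reload: true
    enabled: true
    masked: false
    state: reloaded
  when: ansible_virtualization_type != "docker"
  ignore_errors: "{{ ubuntu1804cis_ignore_remount_errors }}"

- name: systemd restart var-tmp.mount
  become: true
  systemd:
    name: var-tmp.mount
    daemon_reload: true
    enabled: true
    masked: false
    state: reloaded
  ignore_errors: "{{ ubuntu1804cis_ignore_remount_errors }}"

# `grub_cfg` is presumably registered by a stat task in tasks/ (not shown here);
# the generated file is then locked down by the chained handler below.
- name: generate new grub config
  become: true
  command: grub-mkconfig -o "{{ grub_cfg.stat.path }}"
  notify: fix permissions after generate new grub config handler

- name: fix permissions after generate new grub config handler
  become: true
  file:
    path: "/boot/grub/grub.cfg"
    owner: root
    group: root
    # Quoted so the mode is never read as a decimal integer by the YAML parser.
    mode: "0400"
  when:
    - ansible_os_family == "Debian"
    - ubuntu1804cis_rule_1_4_1

- name: restart firewalld
  become: true
  service:
    name: firewalld
    state: restarted

- name: reload nftables
  become: true
  service:
    name: nftables
    state: reloaded

- name: restart xinetd
  become: true
  service:
    name: xinetd
    state: restarted

- name: restart sshd
  become: true
  service:
    name: sshd
    state: restarted

- name: reload dconf
  become: true
  command: dconf update

# auditd cannot be restarted inside the molecule container, hence the travis skip.
- name: restart auditd
  become: true
  service:
    name: auditd
    state: restarted
  when:
    - not ubuntu1804cis_skip_for_travis
  tags:
    - skip_ansible_lint

- name: load audit rules
  become: true
  command: /sbin/augenrules --load
  when:
    - not ubuntu1804cis_skip_for_travis
  tags:
    - skip_ansible_lint

# NOTE(review): `daemon_reload` is a `systemd` module option; it only takes effect
# here if the `service` action delegates to `systemd` on this host — confirm, or
# use `systemd:` directly as the tmp.mount handlers above do.
- name: restart systemd-coredump
  become: true
  service:
    name: systemd-coredump.socket
    daemon_reload: true
    enabled: true
    state: restarted

- name: restart journald
  become: true
  service:
    name: systemd-journald
    state: restarted
================================================ FILE: meta/main.yml ================================================
---
galaxy_info:
  author: "florianutz"
  role_name: ubuntu1804_cis
  description: "Ansible role to apply Ubuntu 18.04 CIS Baseline"
  company: "none"
  license: MIT
  # Quoted so the version is a string rather than a float.
  # NOTE(review): README states Ansible >= 2.4 and tasks/main.yml checks for 2.3
  # or greater — the three minimums disagree; confirm which one is authoritative.
  min_ansible_version: "2.6"
  namespace: florianutz

  platforms:
    - name: Ubuntu
      versions:
        - bionic

  galaxy_tags:
    - system
    - security
    - cis
    - hardening

dependencies: []

collections:
  - ansible.posix
================================================ FILE: molecule/default/INSTALL.rst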
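================================================
*******
Install
*******

Requirements
============

* Docker Engine
* docker-py

Install
=======

.. code-block:: bash

   $ sudo pip install docker-py

================================================
FILE: molecule/default/converge.yml
================================================
---
- name: Converge
  hosts: all
  vars:
    # the CI container cannot remount /tmp or load kernel modules; tasks
    # that need either are gated on this flag
    ubuntu1804cis_skip_for_travis: true
    ubuntu1804cis_selinux_disable: true
  roles:
    - role: Ubuntu1804-CIS

================================================
FILE: molecule/default/molecule.yml
================================================
---
dependency:
  name: galaxy
driver:
  name: docker
lint: |
  set -e
  ansible-lint -c .ansible-lint
platforms:
  - name: instance
    image: florianutz/docker-systemd:18.04
    tmpfs:
      - /run
      - /run/lock
      - /tmp
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    privileged: true
    # `command` was given twice in this mapping; only the last value survives
    # a YAML load, so that is the one kept
    command: /sbin/init
provisioner:
  name: ansible
  lint:
    name: ansible-lint -c .ansible-lint
    enabled: true
  config_options:
    defaults:
      bin_ansible_callbacks: true
      callback_whitelist: profile_tasks,timer
      fact_caching: jsonfile
      fact_caching_connection: ./cache
      poll_interval: 3
      forks: 100
      conditional_bare_variables: false
    connection:
      pipelining: true
scenario:
  name: default
verifier:
  name: ansible

================================================
FILE: molecule/default/prepare.yml
================================================
---
- name: Prepare
  hosts: all
  gather_facts: false
  tasks:
    - name: install openssh-server for testing under docker
      apt:
        name: openssh-server
        state: present
        update_cache: true

    # The container has no bootloader; empty grub files let the grub rules run.
    - name: install grub files for testing under docker
      block:
        - name: create /boot/grub
          file:
            name: /boot/grub
            state: directory
          changed_when: false

        - name: touch /boot/grub/grub.cfg
          file:
            name: /boot/grub/grub.cfg
            state: touch
          changed_when: false

        - name: touch /etc/default/grub
          file:
            name: /etc/default/grub
            state: touch
          changed_when: false

================================================
FILE: molecule/default/tests/test_default.py
================================================
import os

import testinfra.utils.ansible_runner

testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')


def test_hosts_file(host):
    """/etc/hosts must exist and be owned by root:root on every host."""
    f = host.file('/etc/hosts')

    assert f.exists
    assert f.user == 'root'
    assert f.group == 'root'

================================================
FILE: molecule/default/verify.yml
================================================
---
# This is an example playbook to execute Ansible tests.

- name: Verify
  hosts: all
  tasks:
    - name: Example assertion
      assert:
        that: true

================================================
FILE: requirements.txt
================================================
molecule[docker]==3.0.8
ansible-lint==5.2.1

================================================
FILE: tasks/main.yml
================================================
---
# tasks file for Ubuntu1804-CIS

# Abort unless the target is Ubuntu bionic. The two tests must be OR-ed:
# a list under `when` is AND-ed, which only failed when the host was
# neither Ubuntu nor bionic and let every other Ubuntu release through.
- name: Check OS version and family
  fail:
    msg: "This role can only be run against Ubuntu 18.04. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
  when: ansible_distribution != "Ubuntu" or ansible_distribution_release != "bionic"
  tags:
    - always

- name: Check ansible version
  fail:
    msg: You must use ansible 2.3 or greater!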
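# tasks/main.yml continues: remainder of the "Check ansible version" task
  when: not ansible_version.full is version_compare('2.3', '>=')
  tags:
    - always

# Static includes: the tag on each include is applied to every task it pulls in.
- include: prelim.yml
  become: true
  tags:
    - prelim_tasks
    - always

- include: section1.yml
  become: true
  when: ubuntu1804cis_section1
  tags: section1

- include: section2.yml
  become: true
  when: ubuntu1804cis_section2
  tags: section2

- include: section3.yml
  become: true
  when: ubuntu1804cis_section3
  tags: section3

- include: section4.yml
  become: true
  when: ubuntu1804cis_section4
  tags: section4

- include: section5.yml
  become: true
  when: ubuntu1804cis_section5
  tags: section5

- include: section6.yml
  become: true
  when: ubuntu1804cis_section6
  tags: section6

- include: post.yml
  become: true
  tags:
    - post_tasks
    - always

================================================
FILE: tasks/post.yml
================================================
---
# Post tasks

# dpkg state "rc" = removed, config files remaining.
- name: "POST | Find removed but configured apt packages"
  shell: "set -o pipefail; dpkg --list | (grep ^rc || true) | tr -s ' ' | cut -d ' ' -f 2"
  args:
    executable: /bin/bash
  register: apt_rc_packages
  changed_when: false

- name: "POST | Perform apt package cleanup"
  apt:
    name: "{{ apt_rc_packages.stdout_lines }}"
    state: absent
    purge: true
  changed_when: false
  ignore_errors: true
  when:
    - not ansible_check_mode
    # nothing to purge: skip instead of calling apt with an empty list
    - apt_rc_packages.stdout_lines | length > 0
  tags:
    - skip_ansible_lint

================================================
FILE: tasks/prelim.yml
================================================
---
# Preliminary tasks that should always be run

# List users in order to look files inside each home directory
- name: "PRELIM | List users accounts"
  command: "awk -F: '{print $1}' /etc/passwd"
  register: users
  changed_when: false
  check_mode: false

# Prints each /home/* directory that is world-accessible or group-writable.
- name: "PRELIM | Gather homes with wrong permissions on /home"
  shell: 'set -o pipefail; for dir in $(getent passwd | cut -d '':'' -f 6 | awk ''$1 ~ /^\/home\//''); do perm=$(stat -L -c "%A" "$dir" ); if [ -d $dir ] && ([ "${perm:7:3}" != "---" ] || [ "${perm:5:1}" == "w" ] ); then echo -n "$dir "; fi; done'
  args:
    executable: /bin/bash
  register: homes_with_perms
  changed_when: false
  check_mode: false

# NOTE(review): the awk exit status is the number of matches, so under
# pipefail this task fails (no failed_when) whenever such an account exists —
# confirm aborting the run here is intended.
- name: "PRELIM | Gather accounts with empty password fields"
  shell: "set -o pipefail; cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'"
  args:
    executable: /bin/bash
  register: empty_password_accounts
  changed_when: false
  check_mode: false

# Non-empty stdout means root is locked ("*" or "!"); section1 rule 1.5.3
# uses this to decide whether to set a root password. The grep is anchored
# to the root entry: a bare `grep root` also matched any other account whose
# name contains "root" and could report a locked root that is not.
- name: "PRELIM | Check if root has password"
  shell: 'set -o pipefail; getent shadow | grep ''^root:'' | awk -F: ''($2 == "*" || $2 == "!" ) { printf $2; }'''
  args:
    executable: /bin/bash
  register: current_root_password
  changed_when: false
  check_mode: false

# NOTE(review): same exit-status-as-count pattern as the empty-password
# check above; the task fails when an extra UID 0 account exists.
- name: "PRELIM | Gather UID 0 accounts other than root"
  shell: "set -o pipefail; cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'"
  args:
    executable: /bin/bash
  register: uid_zero_accounts_except_root
  changed_when: false
  check_mode: false

- name: "PRELIM | Run apt cache update"
  apt:
    update_cache: true
  changed_when: false

- name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)"
  apt:
    name: "{{ auditd_package[ansible_os_family] }}"
    state: present
    install_recommends: false
  when:
    - not ubuntu1804cis_auditd_disable

- name: "PRELIM | Section 5.1 | Configure cron"
  apt:
    name: "{{ cron_package[ansible_os_family] }}"
    state: present
    install_recommends: false

# rc == 0 means installed; the result is consumed by rule 1.6.3.
- name: "PRELIM | Check if prelink package is installed"
  command: "{{ prelim_check_package_command[ansible_os_family] }} prelink"
  register: prelink_installed
  changed_when: false
  failed_when: false
  check_mode: false
  tags:
    - skip_ansible_lint

# rc == 0 means installed; the result is consumed by rule 1.4.1.
- name: "PRELIM | Check if postfix package is installed"
  command: "{{ prelim_check_package_command[ansible_os_family] }} postfix"
  register: postfix_installed
  changed_when: false
  failed_when: false
  check_mode: false
  tags:
    - skip_ansible_lint

# Individual service checks
# Each registers the unit's LoadState ("loaded" / "not-found") for the
# section that decides whether the service has to be disabled.
- name: "PRELIM | Check for xinetd service"
  shell: "set -o pipefail; systemctl show xinetd | grep LoadState | cut -d = -f 2"
  args:
    executable: /bin/bash
  register: xinetd_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for openbsd-inetd service"
  shell: "set -o pipefail; dpkg -s openbsd-inetd | grep -o 'ok installed'; true"
  args:
    executable: /bin/bash
  register: openbsd_inetd_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for ntpd service"
  shell: "set -o pipefail; systemctl show {{ ntp_service[ansible_os_family] }} | grep LoadState | cut -d = -f 2"
  args:
    executable: /bin/bash
  register: ntpd_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for chronyd service"
  shell: "set -o pipefail; systemctl show {{ chrony_service[ansible_os_family] }} | grep LoadState | cut -d = -f 2"
  args:
    executable: /bin/bash
  register: chronyd_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for systemd-timesyncd service"
  shell: "set -o pipefail; systemctl show systemd-timesyncd | grep LoadState | cut -d = -f 2"
  args:
    executable: /bin/bash
  register: systemd_timesyncd_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for avahi-daemon service"
  shell: "set -o pipefail; systemctl show avahi-daemon | grep LoadState | cut -d = -f 2"
  args:
    executable: /bin/bash
  register: avahi_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for cups service"
  shell: "set -o pipefail; systemctl show cups | grep LoadState | cut -d = -f 2"
  args:
    executable: /bin/bash
  register: cups_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for dhcpd service"
  shell: "set -o pipefail; systemctl show dhcpd | grep LoadState | cut -d = -f 2"
  args:
    executable: /bin/bash
  register: dhcpd_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for slapd service"
  shell: "set -o pipefail; systemctl show slapd | grep LoadState | cut -d = -f 2"
  args:
    executable: /bin/bash
  register: slapd_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for nfs service"
  shell: "set -o pipefail; systemctl show nfs | grep LoadState | cut -d = -f 2"
  args:
    executable: /bin/bash
  register: nfs_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for rpcbind service"
  shell: "set -o pipefail; systemctl show rpcbind | grep LoadState | cut -d = -f 2"
  args:
    executable: /bin/bash
  register: rpcbind_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for named service"
  shell: "set -o pipefail; systemctl show named | grep LoadState | cut -d = -f 2"
  args:
    executable: /bin/bash
  register: named_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for vsftpd service"
  shell: "set -o pipefail; systemctl show vsftpd | grep LoadState | cut -d = -f 2"
  args:
    executable: /bin/bash
  register: vsftpd_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for httpd service"
  shell: "set -o pipefail; systemctl show apache2 | grep LoadState | cut -d = -f 2"
  args:
    executable: /bin/bash
  register: httpd_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for dovecot service"
  shell: "set -o pipefail; systemctl show dovecot | grep LoadState | cut -d = -f 2"
  args:
    executable: /bin/bash
  register: dovecot_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for smb service"
  shell: "set -o pipefail; systemctl show smbd | grep LoadState | cut -d = -f 2"
  args:
    executable: /bin/bash
  register: smb_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for squid service"
  shell: "set -o pipefail; systemctl show squid | grep LoadState | cut -d = -f 2"
  args:
    executable: /bin/bash
  register: squid_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for snmpd service"
  shell: "set -o pipefail; systemctl show snmpd | grep LoadState | cut -d = -f 2"
  args:
    executable: /bin/bash
  register: snmpd_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for ypserv service"
  shell: "set -o pipefail; systemctl show nis | grep LoadState | cut -d = -f 2"
  args:
    executable: /bin/bash
  register: ypserv_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for rsh.socket service"
  shell: "set -o pipefail; systemctl show rsh.socket | grep LoadState | cut -d = -f 2"
  args:
    executable: /bin/bash
  register: rsh_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for rlogin.socket service"
  shell: "set -o pipefail; systemctl show rlogin.socket | grep LoadState | cut -d = -f 2"
  args:
    executable: /bin/bash
  register: rlogin_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for rexec.socket service"
  shell: "set -o pipefail; systemctl show rexec.socket | grep LoadState | cut -d = -f 2"
  args:
    executable: /bin/bash
  register: rexec_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for telnet service"
  shell: "set -o pipefail; systemctl show telnetd | grep LoadState | cut -d = -f 2"
  args:
    executable: /bin/bash
  register: telnet_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for tftp service"
  shell: "set -o pipefail; systemctl show tftpd-hpa | grep LoadState | cut -d = -f 2"
  args:
    executable: /bin/bash
  register: tftp_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for rsyncd service"
  shell: "set -o pipefail; systemctl show rsync | grep LoadState | cut -d = -f 2"
  args:
    executable: /bin/bash
  register: rsyncd_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for ntalk service"
  shell: "set -o pipefail; systemctl show ntalk | grep LoadState | cut -d = -f 2"
  args:
    executable: /bin/bash
  register: ntalk_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for autofs service"
  shell: "set -o pipefail; systemctl show autofs | grep LoadState | cut -d = -f 2"
  args:
    executable: /bin/bash
  register: autofs_service_status
  changed_when: false
  check_mode: false

# Bootloader config candidates; the stat results gate the rule 1.5.x tasks
# and the grub handlers.
- name: "PRELIM | Check the grub.cfg configuration"
  stat:
    path: /boot/grub/grub.cfg
  register: grub_cfg

- name: "PRELIM | Check the grub.conf configuration"
  stat:
    path: /boot/grub/grub.conf
  register: grub_conf

- name: "PRELIM | Check the menu.lst configuration"
  stat:
    path: "/boot/grub/menu.lst"
  register: menu_lst

# System accounts (UID < 1000) that still have a login shell.
- name: "PRELIM | Check that system accounts are non-login #1"
  shell: >
    set -o pipefail &&
    egrep -v "^\+" /etc/passwd | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}'
  args:
    executable: /bin/bash
  register: system_accounts_non_login_1
  changed_when: false
  check_mode: false

# System accounts whose password is not locked ("L" in passwd -S output).
- name: "PRELIM | Check that system accounts are non-login #2"
  shell: >
    set -o pipefail &&
    for user in `awk -F: '($1!="root" && $3 < 1000) {print $1 }' /etc/passwd`;
    do passwd -S $user | awk -F ' ' '($2!="L") {print $1}'; done
  args:
    executable: /bin/bash
  register: system_accounts_non_login_2
  changed_when: false
  check_mode: false

- name: "PRELIM | Check that users last password change date are in the future"
  shell: |
    set -o pipefail;
    awk -F: '{print $1}' /etc/shadow | while read -r usr
    do
      if [[ $(date --date="$(chage --list "$usr" | grep '^Last password change' | cut -d: -f2)" +%s) > $(date +%s) ]];then
        echo "$usr"
      fi
    done
  args:
    executable: /bin/bash
  register: users_password_change_date_in_future
  changed_when: false
  check_mode: false

================================================
FILE: tasks/section1.yml
================================================
---
- name: "SCORED | 1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled"
  lineinfile:
    dest: /etc/modprobe.d/CIS.conf
    regexp: "^(#)?install cramfs(\\s|$)"
    line: "install cramfs /bin/true"
    state: present
    owner: root
    group: root
    mode: "0644"
    create: true
  when:
    - ubuntu1804cis_rule_1_1_1_1
  tags:
    - level1
    - scored
    - patch
    - cramfs
    - filesystems
    - rule_1.1.1.1

# Module unloads are skipped in CI, where the container shares the host kernel.
- name: "SCORED | 1.1.1.1 | PATCH | Remove cramfs module"
  modprobe:
    name: cramfs
    state: absent
  when:
    - ubuntu1804cis_rule_1_1_1_1
    - not ubuntu1804cis_skip_for_travis
  tags:
    - level1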
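# tasks/section1.yml continues: remaining tags of "1.1.1.1 | Remove cramfs module"
    - scored
    - patch
    - cramfs
    - filesystems
    - rule_1.1.1.1

# Each 1.1.1.x pair: blacklist the filesystem module via modprobe.d, then
# unload it if currently loaded.
- name: "SCORED | 1.1.1.2 | PATCH | Ensure mounting of freevxfs filesystems is disabled"
  lineinfile:
    dest: /etc/modprobe.d/CIS.conf
    # anchored like the sibling rules so "install freevxfs<other>" is not matched
    regexp: "^(#)?install freevxfs(\\s|$)"
    line: "install freevxfs /bin/true"
    state: present
    create: true
  when:
    - ubuntu1804cis_rule_1_1_1_2
  tags:
    - level1
    - scored
    - patch
    - freevxfs
    - filesystems
    - rule_1.1.1.2

- name: "SCORED | 1.1.1.2 | PATCH | Remove freevxfs module"
  modprobe:
    name: freevxfs
    state: absent
  when:
    - ubuntu1804cis_rule_1_1_1_2
    - not ubuntu1804cis_skip_for_travis
  tags:
    - level1
    - scored
    - patch
    - freevxfs
    - filesystems
    - rule_1.1.1.2

- name: "SCORED | 1.1.1.3 | PATCH | Ensure mounting of jffs2 filesystems is disabled"
  lineinfile:
    dest: /etc/modprobe.d/CIS.conf
    regexp: "^(#)?install jffs2(\\s|$)"
    line: "install jffs2 /bin/true"
    state: present
    create: true
  when:
    - ubuntu1804cis_rule_1_1_1_3
  tags:
    - level1
    - scored
    - patch
    - jffs2
    - filesystems
    - rule_1.1.1.3

- name: "SCORED | 1.1.1.3 | PATCH | Remove jffs2 module"
  modprobe:
    name: jffs2
    state: absent
  when:
    - ubuntu1804cis_rule_1_1_1_3
    - not ubuntu1804cis_skip_for_travis
  tags:
    - level1
    - scored
    - patch
    - jffs2
    - filesystems
    - rule_1.1.1.3

- name: "SCORED | 1.1.1.4 | PATCH | Ensure mounting of hfs filesystems is disabled"
  lineinfile:
    dest: /etc/modprobe.d/CIS.conf
    regexp: "^(#)?install hfs(\\s|$)"
    line: "install hfs /bin/true"
    state: present
    create: true
  when:
    - ubuntu1804cis_rule_1_1_1_4
  tags:
    - level1
    - scored
    - patch
    - hfs
    - filesystems
    - rule_1.1.1.4

- name: "SCORED | 1.1.1.4 | PATCH | Remove hfs module"
  modprobe:
    name: hfs
    state: absent
  when:
    - ubuntu1804cis_rule_1_1_1_4
    - not ubuntu1804cis_skip_for_travis
  tags:
    - level1
    - scored
    - patch
    - hfs
    - filesystems
    - rule_1.1.1.4

- name: "SCORED | 1.1.1.5 | PATCH | Ensure mounting of hfsplus filesystems is disabled"
  lineinfile:
    dest: /etc/modprobe.d/CIS.conf
    regexp: "^(#)?install hfsplus(\\s|$)"
    line: "install hfsplus /bin/true"
    state: present
    create: true
  when:
    - ubuntu1804cis_rule_1_1_1_5
  tags:
    - level1
    - scored
    - patch
    - hfsplus
    - filesystems
    - rule_1.1.1.5

- name: "SCORED | 1.1.1.5 | PATCH | Remove hfsplus module"
  modprobe:
    name: hfsplus
    state: absent
  when:
    - ubuntu1804cis_rule_1_1_1_5
    - not ubuntu1804cis_skip_for_travis
  tags:
    - level1
    - scored
    - patch
    - hfsplus
    - filesystems
    - rule_1.1.1.5

- name: "SCORED | 1.1.1.6 | PATCH | Ensure mounting of squashfs filesystems is disabled"
  lineinfile:
    dest: /etc/modprobe.d/CIS.conf
    regexp: "^(#)?install squashfs(\\s|$)"
    line: "install squashfs /bin/true"
    state: present
    create: true
  when:
    - ubuntu1804cis_rule_1_1_1_6
  tags:
    - level1
    - scored
    - patch
    - squashfs
    - filesystems
    - rule_1.1.1.6

- name: "SCORED | 1.1.1.6 | PATCH | Remove squashfs module"
  modprobe:
    name: squashfs
    state: absent
  when:
    - ubuntu1804cis_rule_1_1_1_6
    - not ubuntu1804cis_skip_for_travis
  tags:
    - level1
    - scored
    - patch
    - squashfs
    - filesystems
    - rule_1.1.1.6

- name: "SCORED | 1.1.1.7 | PATCH | Ensure mounting of udf filesystems is disabled"
  lineinfile:
    dest: /etc/modprobe.d/CIS.conf
    regexp: "^(#)?install udf(\\s|$)"
    line: "install udf /bin/true"
    state: present
    create: true
  when:
    - ubuntu1804cis_rule_1_1_1_7
  tags:
    - level1
    - scored
    - patch
    - udf
    - filesystems
    - rule_1.1.1.7

- name: "SCORED | 1.1.1.7 | PATCH | Remove udf module"
  modprobe:
    name: udf
    state: absent
  when:
    - ubuntu1804cis_rule_1_1_1_7
    - not ubuntu1804cis_skip_for_travis
  tags:
    - level1
    - scored
    - patch
    - udf
    - filesystems
    - rule_1.1.1.7

- name: "NOTSCORED | 1.1.1.8 | PATCH | Ensure mounting of FAT filesystems is limited"
  lineinfile:
    dest: /etc/modprobe.d/CIS.conf
    regexp: "^(#)?install vfat(\\s|$)"
    line: "install vfat /bin/true"
    state: present
    create: true
  when:
    - ubuntu1804cis_rule_1_1_1_8
  tags:
    - level2
    - notscored
    - patch
    - vfat
    - filesystems
    - rule_1.1.1.8

- name: "NOTSCORED | 1.1.1.8 | PATCH | Remove FAT module"
  modprobe:
    name: vfat
    state: absent
  when:
    - ubuntu1804cis_rule_1_1_1_8
    - not ubuntu1804cis_skip_for_travis
  tags:
    - level2
    - notscored
    - patch
    - vfat
    - filesystems
    - rule_1.1.1.8

# Seeds /etc/systemd/system/tmp.mount from the distribution's unit on the
# target (remote_src); the copy is overwritten on every run (force).
- name: "SCORED | 1.1.2 | PATCH | Ensure separate partition exists for /tmp | enable and start/restart tmp.mount"
  copy:
    src: "{{ tmp_mount_file[ansible_os_family] }}"
    dest: /etc/systemd/system/tmp.mount
    owner: root
    group: root
    mode: "0644"
    force: true
    remote_src: true
  notify:
    - systemd restart tmp.mount
  when:
    - ubuntu1804cis_rule_1_1_2
    - not ubuntu1804cis_skip_for_travis
  tags:
    - level2
    - scored
    - patch
    - rule_1.1.2

- name: "SCORED | 1.1.2 | PATCH | Ensure separate partition exists for /tmp | enable and start/restart tmp.mount"
  systemd:
    name: tmp.mount
    daemon_reload: true
    enabled: true
    masked: false
    state: started
  when:
    - ubuntu1804cis_rule_1_1_2
    - not ubuntu1804cis_skip_for_travis
  tags:
    - level2
    - scored
    - patch
    - rule_1.1.2

# Writes the full Options= list from tmp_mount_options into both the source
# unit and the local override.
# NOTE(review): the first item appears to be the distribution-shipped unit;
# in-place edits there may not survive a package upgrade — confirm intended.
- name: "SCORED | 1.1.3 | PATCH | Ensure nodev option set on /tmp partition\n SCORED | 1.1.4 | PATCH | Ensure nosuid option set on /tmp partition\n | drop custom tmp.mount"
  ini_file:
    path: "{{ item }}"
    section: Mount
    option: Options
    value: "{{ tmp_mount_options[ansible_os_family] }}"
    no_extra_spaces: true
  with_items:
    - "{{ tmp_mount_file[ansible_os_family] }}"
    - /etc/systemd/system/tmp.mount
  notify:
    - systemd restart tmp.mount
  when:
    - ubuntu1804cis_rule_1_1_3
    - ubuntu1804cis_rule_1_1_4
  tags:
    - level1
    - scored
    - patch
    - rule_1.1.3
    - rule_1.1.4

- name: "SCORED | 1.1.5 | PATCH | Ensure noexec option set on /tmp partition\n | drop custom tmp.mount"
  ini_file:
    path: "{{ item }}"
    section: Mount
    option: Options
    # ini_file replaces the whole Options= value, so a bare "noexec" here
    # discarded the mode=1777,nodev,nosuid list written by rules 1.1.3/1.1.4.
    # Append noexec to the full list instead; unique() stops RedHat, whose
    # list already carries noexec, from doubling it.
    value: "{{ (tmp_mount_options[ansible_os_family].split(',') + ['noexec']) | unique | join(',') }}"
    no_extra_spaces: true
  with_items:
    - "{{ tmp_mount_file[ansible_os_family] }}"
    - /etc/systemd/system/tmp.mount
  notify:
    - systemd restart tmp.mount
  when:
    - ubuntu1804cis_rule_1_1_5
  tags:
    - level1
    - scored
    - patch
    - rule_1.1.5

# The 1.1.6 / 1.1.7 / 1.1.11-13 partition checks only record whether the
# path is a mount point; they never fail the run.
- name: "SCORED | 1.1.6 | PATCH | Ensure separate partition exists for /var"
  shell: mount | grep "on /var "
  register: var_mounted
  changed_when: false
  failed_when: false
  when:
    - ubuntu1804cis_rule_1_1_6
  tags:
    - level2
    - scored
    - patch
    - rule_1.1.6
    - skip_ansible_lint

- name: "SCORED | 1.1.7 | PATCH | Ensure separate partition exists for /var/tmp"
  shell: mount | grep "on /var/tmp "
  register: var_tmp_mounted
  changed_when: false
  failed_when: false
  when:
    - ubuntu1804cis_rule_1_1_7
  tags:
    - level2
    - scored
    - patch
    - rule_1.1.7
    - skip_ansible_lint

# Mounts /var/tmp from the operator-supplied ubuntu1804cis_vartmp mapping
# (source/fstype/opts); opted in with enabled == 'yes'.
- name: "SCORED | 1.1.8 | PATCH | Ensure nodev option set on /var/tmp partition\n SCORED | 1.1.9 | PATCH | Ensure nosuid option set on /var/tmp partition\n SCORED | 1.1.10 | PATCH | Ensure noexec option set on /var/tmp partition"
  mount:
    name: /var/tmp
    src: "{{ ubuntu1804cis_vartmp['source'] }}"
    state: mounted
    fstype: "{{ ubuntu1804cis_vartmp['fstype'] }}"
    opts: "{{ ubuntu1804cis_vartmp['opts'] }}"
  when:
    - ubuntu1804cis_vartmp['enabled'] == 'yes'
    - ubuntu1804cis_rule_1_1_8
    - ubuntu1804cis_rule_1_1_9
    - ubuntu1804cis_rule_1_1_10
  tags:
    - level1
    - scored
    - patch
    - rule_1.1.8
    - rule_1.1.9
    - rule_1.1.10

- name: "SCORED | 1.1.11 | PATCH | Ensure separate partition exists for /var/log"
  shell: mount | grep "on /var/log "
  register: var_log_mounted
  changed_when: false
  failed_when: false
  when:
    - ubuntu1804cis_rule_1_1_11
  tags:
    - level2
    - scored
    - patch
    - rule_1.1.11
    - skip_ansible_lint

- name: "SCORED | 1.1.12 | PATCH | Ensure separate partition exists for /var/log/audit"
  shell: mount | grep "on /var/log/audit "
  register: var_log_audit_mounted
  changed_when: false
  failed_when: false
  when:
    - ubuntu1804cis_rule_1_1_12
  tags:
    - level2
    - scored
    - patch
    - rule_1.1.12
    - skip_ansible_lint

- name: "SCORED | 1.1.13 | PATCH | Ensure separate partition exists for /home"
  shell: mount | grep "on /home "
  register: home_mounted
  changed_when: false
  failed_when: false
  when:
    - ubuntu1804cis_rule_1_1_13
  tags:
    - level2
    - scored
    - patch
    - rule_1.1.13
    - skip_ansible_lint

# Re-mounts /home with nodev using the device/fstype gathered in ansible_mounts;
# a no-op when /home is not its own mount.
- name: "SCORED | 1.1.14 | PATCH | Ensure nodev option set on /home partition"
  mount:
    name: "/home"
    src: "{{ item.device }}"
    state: mounted
    fstype: "{{ item.fstype }}"
    opts: "nodev"
  when:
    - ubuntu1804cis_rule_1_1_14
    - item.mount == "/home"
  with_items:
    - "{{ ansible_mounts }}"
  tags:
    - scored
    - level1
    - patch
    - rule_1.1.14

- name: "SCORED | 1.1.15 | PATCH | Ensure nodev option set on /dev/shm partition\n SCORED | 1.1.16 | PATCH | Ensure nosuid option set on /dev/shm partition\n SCORED | 1.1.17 | PATCH | Ensure noexec option set on /dev/shm partition"
  mount:
    name: /dev/shm
    src: tmpfs
    state: mounted
    fstype: tmpfs
    opts: "defaults,nodev,nosuid,noexec"
  when:
    - ubuntu1804cis_rule_1_1_15
    - ubuntu1804cis_rule_1_1_16
    - ubuntu1804cis_rule_1_1_17
  tags:
    - level1
    - scored
    - patch
    - rule_1.1.15
    - rule_1.1.16
    - rule_1.1.17

# 1.1.18-1.1.20 are placeholders (tag notimplemented): removable-media
# options are not configured by this role.
- name: "NOTSCORED | 1.1.18 | PATCH | Ensure nodev option set on removable media partitions"
  command: /bin/true
  changed_when: false
  when:
    - ubuntu1804cis_rule_1_1_18
  tags:
    - level1
    - notscored
    - patch
    - rule_1.1.18
    - notimplemented

- name: "NOTSCORED | 1.1.19 | PATCH | Ensure nosuid option set on removable media partitions"
  command: /bin/true
  changed_when: false
  when:
    - ubuntu1804cis_rule_1_1_19
  tags:
    - level1
    - notscored
    - patch
    - rule_1.1.19
    - notimplemented

- name: "NOTSCORED | 1.1.20 | PATCH | Ensure noexec option set on removable media partitions"
  command: /bin/true
  changed_when: false
  when:
    - ubuntu1804cis_rule_1_1_20
  tags:
    - level1
    - notscored
    - patch
    - rule_1.1.20
    - notimplemented

# Walks every local filesystem (-xdev) and adds the sticky bit to
# world-writable directories; always reported as unchanged.
- name: "SCORED | 1.1.21 | PATCH | Ensure sticky bit is set on all world-writable directories"
  shell: |
    set -o pipefail;
    df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
  args:
    executable: /bin/bash
  changed_when: false
  failed_when: false
  when:
    - ubuntu1804cis_rule_1_1_21
    # - sticky_bit_on_worldwritable_dirs_audit.rc == '0'
  tags:
    - level1
    - scored
    - patch
    - rule_1.1.21

# Only touches autofs when the unit exists (autofs_service_status from prelim)
# and the operator has not opted to keep it.
- name: "SCORED | 1.1.22 | PATCH | Disable Automounting"
  service:
    name: autofs
    enabled: false
  when:
    - not ubuntu1804cis_allow_autofs
    - autofs_service_status.stdout == "loaded"
    - ubuntu1804cis_rule_1_1_22
  tags:
    - level1
    - scored
    - patch
    - rule_1.1.22

- name: "SCORED | 1.1.23 | PATCH | Disable USB Storage"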
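# tasks/section1.yml continues: body of "1.1.23 | Disable USB Storage"
  lineinfile:
    dest: /etc/modprobe.d/CIS.conf
    regexp: "^(#)?install usb-storage(\\s|$)"
    line: "install usb-storage /bin/true"
    state: present
    create: true
  when:
    - ubuntu1804cis_rule_1_1_23
  tags:
    - level1
    - scored
    - patch
    # was tagged "udf" (copied from rule 1.1.1.7); "usb" matches the sibling task
    - usb
    - filesystems
    - rule_1.1.23

- name: "SCORED | 1.1.23 | PATCH | Remove usb-storage module"
  modprobe:
    name: usb-storage
    state: absent
  when:
    - ubuntu1804cis_rule_1_1_23
    - not ubuntu1804cis_skip_for_travis
  tags:
    - level1
    - scored
    - patch
    - usb
    - filesystems
    - rule_1.1.23

# 1.2.x are manual checks; the tasks are placeholders.
- name: "NOTSCORED | 1.2.1 | PATCH | Ensure package manager repositories are configured"
  command: /bin/true
  changed_when: false
  when:
    - ubuntu1804cis_rule_1_2_1
  tags:
    - level1
    - notscored
    - patch
    - rule_1.2.1

- name: "NOTSCORED | 1.2.2 | PATCH | Ensure GPG keys are configured"
  command: /bin/true
  changed_when: false
  when:
    - ubuntu1804cis_rule_1_2_2
  tags:
    - level1
    - notscored
    - patch
    - rule_1.2.2
    - notimplemented

- name: "SCORED | 1.3.1 | PATCH | Ensure sudo is installed"
  apt:
    name:
      - sudo
    state: present
    install_recommends: false
  when:
    - ubuntu1804cis_rule_1_3_1
  tags:
    - level1
    - scored
    - sudo
    - patch
    - rule_1.3.1

# Both sudoers edits are validated with visudo before being written.
- name: "SCORED | 1.3.2 | PATCH | Ensure sudo commands use pty"
  lineinfile:
    dest: /etc/sudoers
    state: present
    regexp: '^Defaults use_pty'
    line: 'Defaults use_pty'
    validate: 'visudo -cf %s'
  when:
    - ubuntu1804cis_rule_1_3_2
  tags:
    - level1
    - scored
    - sudo
    - patch
    - rule_1.3.2

- name: "SCORED | 1.3.3 | PATCH | Ensure sudo log file exists"
  lineinfile:
    dest: /etc/sudoers
    state: present
    regexp: '^Defaults logfile.*'
    line: 'Defaults logfile="/var/log/sudo.log"'
    validate: 'visudo -cf %s'
  when:
    - ubuntu1804cis_rule_1_3_3
  tags:
    - level1
    - scored
    - sudo
    - patch
    - rule_1.3.3

# aide pulls in an MTA; nullmailer is installed only when postfix is absent
# (postfix_installed.rc from prelim) so an existing postfix is not replaced.
- name: "SCORED | 1.4.1 | PATCH | Ensure AIDE is installed (install nullmailer instead of postfix)"
  apt:
    name:
      - nullmailer
    state: present
    install_recommends: false
  when:
    - ubuntu1804cis_rule_1_4_1
    - not postfix_installed.rc == 0
  tags:
    - level1
    - scored
    - aide
    - patch
    - rule_1.4.1

- name: "SCORED | 1.4.1 | PATCH | Ensure AIDE is installed"
  apt:
    name:
      - aide
      - aide-common
    state: present
    install_recommends: false
  when:
    - ubuntu1804cis_rule_1_4_1
  tags:
    - level1
    - scored
    - aide
    - patch
    - rule_1.4.1

- name: "SCORED | 1.4.1 | PATCH | Stat AIDE DB"
  stat:
    path: /var/lib/aide/aide.db
  register: aide_db
  tags:
    - level1
    - scored
    - aide
    - patch
    - rule_1.4.1

# Initialises the AIDE database once; guarded twice (stat result and
# `creates`) so re-runs never rebuild it.
- name: "SCORED | 1.4.1 | PATCH | Init AIDE | This may take a LONG time"
  command: /usr/sbin/aideinit
  args:
    creates: /var/lib/aide/aide.db
  when:
    - ubuntu1804cis_config_aide
    - ubuntu1804cis_rule_1_4_1
    - not aide_db.stat.exists
    - not ubuntu1804cis_skip_for_travis
  tags:
    - level1
    - scored
    - aide
    - patch
    - rule_1.4.1

# Schedule comes from the ubuntu1804cis_aide_cron mapping; unset fields
# default to 05:00 every day.
- name: "SCORED | 1.4.2 | PATCH | Ensure filesystem integrity is regularly checked"
  cron:
    name: Run AIDE integrity check weekly
    cron_file: "{{ ubuntu1804cis_aide_cron['cron_file'] }}"
    user: "{{ ubuntu1804cis_aide_cron['cron_user'] }}"
    minute: "{{ ubuntu1804cis_aide_cron['aide_minute'] | default('0') }}"
    hour: "{{ ubuntu1804cis_aide_cron['aide_hour'] | default('5') }}"
    day: "{{ ubuntu1804cis_aide_cron['aide_day'] | default('*') }}"
    month: "{{ ubuntu1804cis_aide_cron['aide_month'] | default('*') }}"
    weekday: "{{ ubuntu1804cis_aide_cron['aide_weekday'] | default('*') }}"
    job: "{{ ubuntu1804cis_aide_cron['aide_job'] }}"
  when:
    - ubuntu1804cis_rule_1_4_2
  tags:
    - level1
    - scored
    - aide
    - file_integrity
    - patch
    - rule_1.4.2

- name: "SCORED | 1.5.1 | PATCH | Ensure permissions on bootloader config are configured for grub.cfg"
  file:
    path: "/boot/grub/grub.cfg"
    owner: root
    group: root
    mode: "0400"
  when:
    - ansible_os_family == "Debian"
    - ubuntu1804cis_rule_1_5_1
  tags:
    - level1
    - scored
    - grub
    - patch
    - rule_1.5.1

# grub.conf / menu.lst are legacy locations; only touched when prelim found them.
- name: "SCORED | 1.5.1 | PATCH | Ensure permissions on bootloader config are configured for grub.conf"
  file:
    path: "/boot/grub/grub.conf"
    owner: root
    group: root
    mode: "0400"
  when:
    - ansible_os_family == "Debian"
    - ubuntu1804cis_rule_1_5_1
    - grub_conf.stat.exists
  tags:
    - level1
    - scored
    - grub
    - patch
    - rule_1.5.1

- name: "SCORED | 1.5.1 | PATCH | Ensure permissions on bootloader config are configured for menu.lst"
  file:
    path: "/boot/grub/menu.lst"
    owner: root
    group: root
    mode: "0400"
  when:
    - ansible_os_family == "Debian"
    - ubuntu1804cis_rule_1_5_1
    - menu_lst.stat.exists
  tags:
    - level1
    - scored
    - grub
    - patch
    - rule_1.5.1

# Produces the PBKDF2 hash for the grub superuser. The plaintext password
# (operator-supplied, or generated when set to 'random') is part of the shell
# command and of the registered result; no_log keeps it out of task output,
# callbacks and logs. Only the hash in grub_pass.stdout is used downstream.
- name: "SCORED | 1.5.2 | PATCH | Ensure bootloader password is set - generate password"
  shell: "set -o pipefail; if [ '{{ ubuntu1804cis_bootloader_password }}' == 'random' ]; then PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c12); else PASSWORD='{{ ubuntu1804cis_bootloader_password }}'; fi; echo -e \"$PASSWORD\n$PASSWORD\" | grub-mkpasswd-pbkdf2 | awk '/grub.pbkdf/{print$NF}'"
  register: grub_pass
  no_log: true
  args:
    executable: /bin/bash
  when:
    - ubuntu1804cis_set_boot_pass
    - ubuntu1804cis_rule_1_5_2
  tags:
    - level1
    - scored
    - grub
    - patch
    - rule_1.5.2
    - notimplemented

- name: "SCORED | 1.5.2 | PATCH | Ensure bootloader password is set - generate config"
  copy:
    dest: /etc/grub.d/00_password
    content: "cat << EOF\nset superusers=\"root\"\npassword_pbkdf2 root {{ grub_pass.stdout }}\nEOF"
    owner: root
    group: root
    mode: "0755"
  notify: generate new grub config
  when:
    - ubuntu1804cis_set_boot_pass and grub_pass is defined and grub_pass.stdout is defined and grub_pass.stdout | length >0
    - ubuntu1804cis_rule_1_5_2
  tags:
    - level1
    - scored
    - grub
    - patch
    - rule_1.5.2

# Marks the normal boot entries --unrestricted so the grub password is only
# required for editing entries, not for booting (opt-in via
# ubuntu1804cis_rule_1_5_2_disable_password).
- name: "SCORED | 1.5.2 | PATCH | Ensure bootloader password is set - disable password for system boot"
  replace:
    path: /etc/grub.d/10_linux
    regexp: '--class os"'
    replace: '--class os --unrestricted"'
  notify: generate new grub config
  when:
    - ubuntu1804cis_set_boot_pass
    - ubuntu1804cis_rule_1_5_2
    - ubuntu1804cis_rule_1_5_2_disable_password
  tags:
    - level1
    - scored
    - grub
    - patch
    - rule_1.5.2

# Runs only when prelim found root locked (current_root_password non-empty).
# The password is part of the shell command, so no_log keeps it out of task
# output and logs. With ubuntu1804cis_root_password set to 'random' the
# generated value is not registered or printed anywhere by this task, so it
# cannot be recovered afterwards from the play.
- name: "SCORED | 1.5.3 | PATCH | Ensure authentication required for single user mode"
  shell: "set -o pipefail; if [ '{{ ubuntu1804cis_root_password }}' == 'random' ]; then PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c24); else PASSWORD='{{ ubuntu1804cis_root_password }}'; fi; echo \"root:$PASSWORD\" | chpasswd"
  no_log: true
  args:
    executable: /bin/bash
  when:
    - ubuntu1804cis_rule_1_5_3
    - current_root_password.stdout | length > 0
  tags:
    - level1
    - scored
    - patch
    - rule_1.5.3
    - notimplemented

- name: "NOTSCORED | 1.5.4 | PATCH | Ensure interactive boot is not enabled"
  command: /bin/true
  changed_when: false
  when:
    - ubuntu1804cis_rule_1_5_4
  tags:
    - level1
    - notscored
    - patch
    - rule_1.5.4
    - notimplemented

# Check only: fails the run when the kernel does not report NX/XD active.
- name: "SCORED | 1.6.1 | PATCH | Ensure XD/NX support is enabled"
  shell: |
    set -o pipefail;
    dmesg | grep -E "NX|XD" | grep " active"
  args:
    executable: /bin/bash
  changed_when: false
  when:
    - ubuntu1804cis_rule_1_6_1
    - not ubuntu1804cis_skip_for_travis
  tags:
    - level1
    - scored
    - patch
    - rule_1.6.1

- name: "SCORED | 1.6.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
  sysctl:
    name: kernel.randomize_va_space
    value: "2"
    state: present
    reload: true
    sysctl_set: true
    ignoreerrors: true
  when:
    - ubuntu1804cis_rule_1_6_2
  tags:
    - level1
    - scored
    - patch
    - sysctl
    - rule_1.6.2

# Undo existing prelinking before the package is removed.
- name: "SCORED | 1.6.3 | PATCH | Ensure prelink is disabled"
  command: prelink -ua
  when:
    - prelink_installed.rc == 0
    - ubuntu1804cis_rule_1_6_3
  tags:
    - level1
    - scored
    - patch
    - rule_1.6.3

- name: "SCORED | 1.6.3 | PATCH | Ensure prelink is disabled"
  apt:
    name: prelink
    state: absent
  when:
    - ubuntu1804cis_rule_1_6_3
  tags:
    - level1
    - scored
    - patch
    - rule_1.6.3

- name: "SCORED | 1.6.4 | PATCH | Ensure core dumps are restricted"
  sysctl:
    name: fs.suid_dumpable
    value: "0"
    state: present
    reload: true
    sysctl_set: true
    ignoreerrors: true
  when:
    - ubuntu1804cis_rule_1_6_4
  tags:
    - level1
    - scored
    - sysctl
    - patch
    - rule_1.6.4

- name: "SCORED | 1.6.4 | PATCH | Ensure systemd-coredump is installed"
  apt:
    name: systemd-coredump
    state: present
  notify: restart systemd-coredump
  when:
    - ubuntu1804cis_rule_1_6_4
  tags:
    - level1
    - scored
    - patch
    - rule_1.6.4

- name: "SCORED | 1.6.4 | PATCH | Ensure hard core 0 is set"
  lineinfile:
    dest: /etc/security/limits.conf
    line: '* hard core 0'
    regexp: '(^#)?\*\s+hard\s+core\s+[0-9]+'
    state: present
    create: true
    insertbefore: "# End of file"
  notify: restart systemd-coredump
  when:
    - ubuntu1804cis_rule_1_6_4
  tags:
    - level1
    - scored
    - patch
    - rule_1.6.4

- name: "SCORED | 1.7.1.1 | PATCH | Ensure AppArmor is installed"
  apt:
    name: '{{ item }}'
    state: present
  with_items:
    - apparmor
    - apparmor-utils
  when:
    - ubuntu1804cis_rule_1_7_1_1
  tags:
    - level1
    - scored
    - patch
    - rule_1.7.1.1

# Appends the apparmor kernel parameters to GRUB_CMDLINE_LINUX unless already
# present (negative lookahead), then regenerates grub.cfg via the handler.
- name: "SCORED | 1.7.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration"
  block:
    - name: "SCORED | 1.7.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration"
      replace:
        dest: /etc/default/grub
        regexp: '^(GRUB_CMDLINE_LINUX=(?!.*apparmor)\"[^\"]*)(\".*)'
        replace: '\1 apparmor=1 security=apparmor\2'
      notify:
        - generate new grub config

    - name: "SCORED | 1.7.1.2 | PATCH | Ensure AppArmor Security is enabled in the bootloader configuration"
      replace:
        dest: /etc/default/grub
        regexp: '^(GRUB_CMDLINE_LINUX=(?!.*security)\"[^\"]*)(\".*)'
        replace: '\1 security=apparmor\2'
      notify:
        - generate new grub config
  when:
    - ubuntu1804cis_rule_1_7_1_2
  tags:
    - level1
    - scored
    - patch
    - rule_1.7.1.2

- name: "SCORED | 1.7.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode"
  command: /bin/true
  changed_when: false
  when:
    - ubuntu1804cis_rule_1_7_1_3
  tags:
    - level1
    - scored
    # was "patc3", a typo that hid this task from `--tags patch`
    - patch
    - rule_1.7.1.3
    - notimplemented

- name: "SCORED | 1.7.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing"
  command: /bin/true
  changed_when: false
  when:
    - ubuntu1804cis_rule_1_7_1_4
  tags:
    - level1
    - scored
    - patch
    - rule_1.7.1.4
    - notimplemented

- name: "SCORED | 1.8.1.1 | PATCH | Ensure message of the day is configured properly"
  template:
    src: etc/motd.j2
    dest: /etc/motd
  when:
    - ubuntu1804cis_rule_1_8_1_1
  tags:
    - level1
    - scored
    - patch
    - banner
    - rule_1.8.1.1

- name: "SCORED | 1.8.1.2 | PATCH | Ensure local login warning banner is configured properly"
  template:
    src: etc/issue.j2
    dest: /etc/issue
  when:
    - ubuntu1804cis_rule_1_8_1_2
  tags:
    - level1
    - scored
    - patch
    - banner
    - rule_1.8.1.2

- name: "SCORED | 1.8.1.3 | PATCH | Ensure remote login warning banner is configured properly"
  template:
    src: etc/issue.net.j2
    dest: /etc/issue.net
  when:
    - ubuntu1804cis_rule_1_8_1_3
  tags:
    - level1
    - scored
    - patch
    - banner
    - rule_1.8.1.3

- name: "SCORED | 1.8.1.4 | PATCH | Ensure permissions on /etc/motd are configured"
  file:
    dest: /etc/motd
    state: file
    owner: root
    group: root
    mode: "0644"
  when:
    - ubuntu1804cis_rule_1_8_1_4
  tags:
    - level1
    - scored
    - patch
    - perms
    - rule_1.8.1.4

- name: "SCORED | 1.8.1.5 | PATCH | Ensure permissions on /etc/issue are configured"
  file:
    dest: /etc/issue
    state: file
    owner: root
    group: root
    mode: "0644"
  when:
    - ubuntu1804cis_rule_1_8_1_5
  tags:
    - level1
    - scored
    - patch
    - perms
    - rule_1.8.1.5

- name: "SCORED | 1.8.1.6 | PATCH | Ensure permissions on /etc/issue.net are configured"
  file:
    dest: /etc/issue.net
    state: file
    owner: root
    group: root
    mode: "0644"
  when:
    - ubuntu1804cis_rule_1_8_1_6
  tags:
    - level1
    - scored
    - patch
    - perms
    - rule_1.8.1.6

# Writes the GDM dconf profile and the banner keys line by line; the files
# are created if missing. (The task continues past the end of this chunk.)
- name: "SCORED | 1.8.2 | PATCH | Ensure GDM login banner is configured"
  lineinfile:
    dest: "{{ item.file }}"
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
    create: true
    owner: root
    group: root
    mode: "0644"
  with_items:
    - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' }
    - { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' }
    - { file: '/etc/dconf/profile/gdm', regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults' }
    - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' }
    - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-enable', line: 'banner-message-enable=true' }
    - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-text', line: "banner-message-text='{{ ubuntu1804cis_warning_banner }}'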
" } when: - ubuntu1804cis_gui - ubuntu1804cis_rule_1_8_2 tags: - level1 - scored - patch - banner - rule_1.8.2 - name: "NOTSCORED | 1.9 | PATCH | Ensure updates, patches, and additional security software are installed" apt: upgrade: dist when: - ubuntu1804cis_apply_upgrades tags: - level1 - notscored - patch - rule_1.8 - skip_ansible_lint ================================================ FILE: tasks/section2.yml ================================================ --- - name: "SCORED | 2.1.1 | PATCH | Ensure chargen services are not enabled | chargen-dgram,chargen-stream" block: - name: "SCORED | 2.1.1 | PATCH | Ensure chargen services are not enabled | chargen-dgram" stat: path: /etc/xinetd.d/chargen-dgram register: chargen_dgram_service - name: "SCORED | 2.1.1 | PATCH | Ensure chargen services are not enabled | chargen-dgram" service: name: chargen-dgram enabled: no notify: restart xinetd when: - chargen_dgram_service.stat.exists - name: "SCORED | 2.1.1 | PATCH | Ensure chargen services are not enabled | chargen-stream" stat: path: /etc/xinetd.d/chargen-stream register: chargen_stream_service - name: "SCORED | 2.1.1 | PATCH | Ensure chargen services are not enabled | chargen-stream" service: name: chargen-stream enabled: no notify: restart xinetd when: - chargen_stream_service.stat.exists when: - ubuntu1804cis_rule_2_1_1 tags: - level1 - scored - services - patch - rule_2.1.1 - skip_ansible_lint - name: "SCORED | 2.1.2 | PATCH | Ensure daytime services are not enabled | daytime-dgram,daytime-stream" block: - name: "SCORED | 2.1.2 | PATCH | Ensure daytime services are not enabled | daytime-dgram" stat: path: /etc/xinetd.d/daytime-dgram register: daytime_dgram_service - name: "SCORED | 2.1.2 | PATCH | Ensure daytime services are not enabled | daytime-dgram" service: name: daytime-dgram enabled: no notify: restart xinetd when: - daytime_dgram_service.stat.exists - name: "SCORED | 2.1.2 | PATCH | Ensure daytime services are not enabled | daytime-stream" stat: path: 
/etc/xinetd.d/daytime-stream register: daytime_stream_service - name: "SCORED | 2.1.2 | PATCH | Ensure daytime services are not enabled | daytime-stream" service: name: daytime-stream enabled: no notify: restart xinetd when: - daytime_stream_service.stat.exists when: - ubuntu1804cis_rule_2_1_2 tags: - level1 - scored - patch - rule_2.1.2 - skip_ansible_lint - name: "SCORED | 2.1.3 | PATCH | Ensure discard services are not enabled | discard-dgram,discard-stream" block: - name: "SCORED | 2.1.3 | PATCH | Ensure discard services are not enabled | discard-dgram" stat: path: /etc/xinetd.d/discard-dgram register: discard_dgram_service - name: "SCORED | 2.1.3 | PATCH | Ensure discard services are not enabled | discard-dgram" service: name: discard-dgram enabled: no notify: restart xinetd when: - discard_dgram_service.stat.exists - name: "SCORED | 2.1.3 | PATCH | Ensure discard services are not enabled | discard-stream" stat: path: /etc/xinetd.d/discard-stream register: discard_stream_service - name: "SCORED | 2.1.3 | PATCH | Ensure discard services are not enabled | discard-stream" service: name: discard-stream enabled: no notify: restart xinetd when: - discard_stream_service.stat.exists when: - ubuntu1804cis_rule_2_1_3 tags: - level1 - scored - patch - rule_2.1.3 - skip_ansible_lint - name: "SCORED | 2.1.4 | PATCH | Ensure echo services are not enabled | echo-dgram,echo-stream" block: - name: "SCORED | 2.1.4 | PATCH | Ensure echo services are not enabled | echo-dgram" stat: path: /etc/xinetd.d/echo-dgram register: echo_dgram_service - name: "SCORED | 2.1.4 | PATCH | Ensure echo services are not enabled | echo-dgram" service: name: echo-dgram enabled: no notify: restart xinetd when: - echo_dgram_service.stat.exists - name: "SCORED | 2.1.4 | PATCH | Ensure echo services are not enabled | echo-stream" stat: path: /etc/xinetd.d/echo-stream register: echo_stream_service - name: "SCORED | 2.1.4 | PATCH | Ensure echo services are not enabled | echo-stream" service: name: 
echo-stream enabled: no notify: restart xinetd when: - echo_stream_service.stat.exists when: - ubuntu1804cis_rule_2_1_4 tags: - level1 - scored - patch - rule_2.1.4 - skip_ansible_lint - name: "SCORED | 2.1.5 | PATCH | Ensure time services are not enabled | time-dgram,time-stream" block: - name: "SCORED | 2.1.5 | PATCH | Ensure time services are not enabled | time-dgram" stat: path: /etc/xinetd.d/time-dgram register: time_dgram_service - name: "SCORED | 2.1.5 | PATCH | Ensure time services are not enabled | time-dgram" service: name: time-dgram enabled: no notify: restart xinetd when: - time_dgram_service.stat.exists - name: "SCORED | 2.1.5 | PATCH | Ensure time services are not enabled | time-stream" stat: path: /etc/xinetd.d/time-stream register: time_stream_service - name: "SCORED | 2.1.5 | PATCH | Ensure time services are not enabled | time-stream" service: name: time-stream enabled: no notify: restart xinetd when: - time_stream_service.stat.exists when: - ubuntu1804cis_rule_2_1_5 tags: - level1 - scored - patch - rule_2.1.5 - skip_ansible_lint - name: "SCORED | 2.1.6 | PATCH | Ensure rsh server is not enabled | rsh, rlogin, rexec" block: - name: "SCORED | 2.1.6 | PATCH | Ensure rsh server is not enabled | rsh" service: name: rsh.socket state: stopped enabled: false when: - not ubuntu1804cis_rsh_server - rsh_service_status.stdout == "loaded" - ubuntu1804cis_rule_2_1_6 - name: "SCORED | 2.1.6 | PATCH | Ensure rsh server is not enabled | rlogin" service: name: rlogin.socket state: stopped enabled: false when: - not ubuntu1804cis_rsh_server - rlogin_service_status.stdout == "loaded" - ubuntu1804cis_rule_2_1_6 - name: "SCORED | 2.1.6 | PATCH | Ensure rsh server is not enabled | rexec" service: name: rexec.socket state: stopped enabled: false when: - not ubuntu1804cis_rsh_server - rexec_service_status.stdout == "loaded" - ubuntu1804cis_rule_2_1_6 tags: - level1 - scored - patch - rule_2.1.6 - name: "SCORED | 2.1.7 | PATCH | Ensure talk server is not enabled" 
service: name: ntalk state: stopped enabled: false when: - not ubuntu1804cis_ntalk_server - ntalk_service_status.stdout == "loaded" - ubuntu1804cis_rule_2_1_7 tags: - level1 - scored - patch - rule_2.1.7 - name: "SCORED | 2.1.8 | PATCH | Ensure telnet server is not enabled" service: name: telnetd state: stopped enabled: false when: - not ubuntu1804cis_telnet_server - telnet_service_status.stdout == "loaded" - ubuntu1804cis_rule_2_1_8 tags: - level1 - scored - patch - rule_2.1.8 - name: "SCORED | 2.1.9 | PATCH | Ensure tftp server is not enabled" service: name: tftpd-hpa state: stopped enabled: no when: - not ubuntu1804cis_tftp_server - ubuntu1804cis_rule_2_1_9 - tftp_service_status.stdout == "loaded" tags: - level1 - scored - patch - rule_2.1.9 - name: "SCORED | 2.1.10 | PATCH | Ensure xinetd is not enabled" service: name: xinetd state: stopped enabled: false when: - xinetd_service_status.stdout == "loaded" - not ubuntu1804cis_xinetd_required - ubuntu1804cis_rule_2_1_10 tags: - level1 - patch - scored - rule_2.1.10 - name: "SCORED | 2.1.11 | PATCH | Ensure openbsd-inetd is not installed" apt: name: openbsd-inetd state: absent when: - openbsd_inetd_service_status.stdout == "ok installed" - ubuntu1804cis_rule_2_1_11 tags: - level1 - patch - scored - rule_2.1.11 - name: "SCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use" block: - name: "SCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - service install" apt: name: "{{ ubuntu1804cis_time_synchronization }}" state: present install_recommends: false - name: "SCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - service start" service: name: "{{ ubuntu1804cis_time_synchronization }}" state: started enabled: true - name: "SCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - service stop ntp" service: name: "{{ ntp_service[ansible_os_family] }}" state: stopped enabled: false when: - ubuntu1804cis_time_synchronization == "chrony" - ntpd_service_status.stdout == 
"loaded" - name: "SCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - service stop chrony" service: name: chronyd state: stopped enabled: false ignore_errors: true when: - ubuntu1804cis_time_synchronization == "ntp" - chronyd_service_status.stdout == "loaded" - name: "SCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - mask systemd-timesyncd" systemd: name: systemd-timesyncd enabled: no masked: yes when: - ubuntu1804cis_time_synchronization == "ntp" - systemd_timesyncd_service_status.stdout == "loaded" when: - ubuntu1804cis_rule_2_2_1_1 tags: - level1 - scored - ntp - chrony - patch - rule_2.2.1.1 - name: "NOTSCORED | 2.2.1.2 | PATCH | Ensure systemd-timesyncd is configured" command: /bin/true changed_when: false when: - ubuntu1804cis_rule_2_2_1_2 tags: - level1 - notscored - patch - rule_2.2.1.2 - notimplemented - name: "SCORED | 2.2.1.3 | PATCH | Ensure chrony is configured" block: - name: "SCORED | 2.2.1.3 | PATCH | Ensure chrony is configured | create chrony.conf" template: src: chrony.conf.j2 dest: "{{ chrony_config_file[ansible_os_family] }}" owner: root group: root mode: 0644 - name: "SCORED | 2.2.1.3 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd" lineinfile: dest: /etc/sysconfig/chronyd regexp: "^(#)?OPTIONS" line: "OPTIONS=\"-u chrony\"" state: present create: true when: - ubuntu1804cis_time_synchronization == "chrony" - ubuntu1804cis_rule_2_2_1_3 tags: - level1 - scored - chrony - patch - rule_2.2.1.3 - name: "SCORED | 2.2.1.4 | PATCH | Ensure ntp is configured" block: - name: "SCORED | 2.2.1.4 | PATCH | Ensure ntp is configured | modify /etc/ntp.conf" template: src: ntp.conf.j2 dest: /etc/ntp.conf owner: root group: root mode: 0644 - name: "SCORED | 2.2.1.4 | PATCH | Ensure ntp is configured | modify /etc/init.d/ntp" lineinfile: dest: /etc/init.d/ntp regexp: "^RUNASUSER" line: "RUNASUSER=ntp" when: - ubuntu1804cis_time_synchronization == "ntp" - ubuntu1804cis_rule_2_2_1_4 tags: - level1 - scored - ntp 
- patch - rule_2.2.1.4 - name: "SCORED | 2.2.2 | PATCH | Ensure X Window System is not installed" apt: name: - "xorg" - "x11*" state: absent when: - not ubuntu1804cis_xwindows_required - ubuntu1804cis_rule_2_2_2 tags: - level1 - scored - xwindows - patch - rule_2.2.2 - name: "SCORED | 2.2.3 | PATCH | Ensure Avahi Server is not enabled" service: name: avahi-daemon state: stopped enabled: false when: - not ubuntu1804cis_avahi_server - avahi_service_status.stdout == "loaded" - ubuntu1804cis_rule_2_2_3 tags: - level1 - scored - avahi - services - patch - rule_2.2.3 - name: "SCORED | 2.2.4 | PATCH | Ensure CUPS is not enabled" service: name: cups state: stopped enabled: false when: - not ubuntu1804cis_cups_server - cups_service_status.stdout == "loaded" - ubuntu1804cis_rule_2_2_4 tags: - level1 - scored - cups - services - patch - rule_2.2.4 - name: "SCORED | 2.2.5 | PATCH | Ensure DHCP Server is not enabled" service: name: dhcpd state: stopped enabled: false when: - not ubuntu1804cis_dhcp_server - dhcpd_service_status.stdout == "loaded" - ubuntu1804cis_rule_2_2_5 tags: - level1 - scored - dhcp - services - patch - rule_2.2.5 - name: "SCORED | 2.2.6 | PATCH | Ensure LDAP server is not enabled" service: name: slapd state: stopped enabled: false when: - not ubuntu1804cis_ldap_server - slapd_service_status.stdout == "loaded" - ubuntu1804cis_rule_2_2_6 tags: - level1 - scored - ldap - services - patch - rule_2.2.6 - name: "SCORED | 2.2.7 | PATCH | Ensure NFS and RPC are not enabled" service: name: nfs state: stopped enabled: false when: - not ubuntu1804cis_nfs_rpc_server - nfs_service_status.stdout == "loaded" - ubuntu1804cis_rule_2_2_7 tags: - level1 - scored - nfs - rpc - services - patch - rule_2.2.7 - name: "SCORED | 2.2.7 | PATCH | Ensure RPC is not enabled" service: name: rpcbind state: stopped enabled: false when: - not ubuntu1804cis_nfs_rpc_server - rpcbind_service_status.stdout == "loaded" - ubuntu1804cis_rule_2_2_7 tags: - level1 - scored - nfs - rpc - services - 
patch - rule_2.2.7 - name: "SCORED | 2.2.8 | PATCH | Ensure DNS Server is not enabled" service: name: named state: stopped enabled: false when: - not ubuntu1804cis_named_server - named_service_status.stdout == "loaded" - ubuntu1804cis_rule_2_2_8 tags: - level1 - scored - dns - services - patch - rule_2.2.8 - name: "SCORED | 2.2.9 | PATCH | Ensure FTP Server is not enabled" service: name: vsftpd state: stopped enabled: false when: - not ubuntu1804cis_vsftpd_server - vsftpd_service_status.stdout == "loaded" - ubuntu1804cis_rule_2_2_9 tags: - level1 - scored - ftp - services - patch - rule_2.2.9 - name: "SCORED | 2.2.10 | PATCH | Ensure HTTP server is not enabled" service: name: apache2 state: stopped enabled: false when: - not ubuntu1804cis_httpd_server - httpd_service_status.stdout == "loaded" - ubuntu1804cis_rule_2_2_10 tags: - level1 - scored - http - services - patch - rule_2.2.10 - name: "SCORED | 2.2.11 | PATCH | Ensure IMAP and POP3 server is not enabled" service: name: dovecot state: stopped enabled: false when: - not ubuntu1804cis_dovecot_server - dovecot_service_status.stdout == "loaded" - ubuntu1804cis_rule_2_2_11 tags: - level1 - scored - imap - pop3 - services - patch - rule_2.2.11 - name: "SCORED | 2.2.12 | PATCH | Ensure Samba is not enabled" service: name: smbd state: stopped enabled: false when: - not ubuntu1804cis_smb_server - smb_service_status.stdout == "loaded" - ubuntu1804cis_rule_2_2_12 tags: - level1 - scored - samba - services - patch - rule_2.2.12 - name: "SCORED | 2.2.13 | PATCH | Ensure HTTP Proxy Server is not enabled" service: name: squid state: stopped enabled: false when: - not ubuntu1804cis_squid_server - squid_service_status.stdout == "loaded" - ubuntu1804cis_rule_2_2_13 tags: - level1 - scored - http_proxy - services - patch - rule_2.2.13 - name: "SCORED | 2.2.14 | PATCH | Ensure SNMP Server is not enabled" service: name: snmpd state: stopped enabled: false when: - not ubuntu1804cis_snmp_server - snmpd_service_status.stdout == 
"loaded" - ubuntu1804cis_rule_2_2_14 tags: - level1 - scored - snmp - services - patch - rule_2.2.14 - name: "SCORED | 2.2.15 | PATCH | Ensure mail transfer agent is configured for local-only mode" lineinfile: dest: /etc/postfix/main.cf regexp: "^(#)?inet_interfaces" line: "inet_interfaces = localhost" when: - not ubuntu1804cis_is_mail_server - postfix_installed.rc == 0 - ubuntu1804cis_rule_2_2_15 tags: - level1 - scored - patch - rule_2.2.15 - name: "SCORED | 2.2.16 | PATCH | Ensure rsync service is not enabled " service: name: rsync state: stopped enabled: false when: - not ubuntu1804cis_rsyncd_server - rsyncd_service_status.stdout == "loaded" - ubuntu1804cis_rule_2_2_16 tags: - level1 - scored - rsync - services - patch - rule_2.2.16 - name: "SCORED | 2.2.17 | PATCH | Ensure NIS Server is not enabled" service: name: nis state: stopped enabled: false when: - not ubuntu1804cis_nis_server - ypserv_service_status.stdout == "loaded" - ubuntu1804cis_rule_2_2_17 tags: - level1 - scored - nis - services - patch - rule_2.2.17 - name: "SCORED | 2.3.1 | PATCH | Ensure NIS Client is not installed" apt: name: yp-tools state: absent when: - not ubuntu1804cis_ypbind_required - ubuntu1804cis_rule_2_3_1 tags: - level1 - scored - patch - rule_2.3.1 - name: "SCORED | 2.3.2 | PATCH | Ensure rsh client is not installed" apt: name: rsh state: absent when: - not ubuntu1804cis_rsh_required - ubuntu1804cis_rule_2_3_2 tags: - level1 - scored - patch - rule_2.3.2 - name: "SCORED | 2.3.3 | PATCH | Ensure talk client is not installed" apt: name: talk state: absent when: - not ubuntu1804cis_talk_required - ubuntu1804cis_rule_2_3_3 tags: - level1 - scored - patch - rule_2.3.3 - name: "SCORED | 2.3.4 | PATCH | Ensure telnet client is not installed" apt: name: telnet state: absent when: - not ubuntu1804cis_telnet_required - ubuntu1804cis_rule_2_3_4 tags: - level1 - scored - patch - rule_2.3.4 - name: "SCORED | 2.3.5 | PATCH | Ensure LDAP client is not installed" apt: name: ldap-utils state: 
absent when: - not ubuntu1804cis_openldap_clients_required - ubuntu1804cis_rule_2_3_5 tags: - level1 - scored - patch - rule_2.3.5 ================================================ FILE: tasks/section3.yml ================================================ --- - name: "SCORED | 3.1.1 | PATCH | Ensure packet redirect sending is disabled" sysctl: name: '{{ item.name }}' value: '{{ item.value }}' sysctl_set: true state: present reload: true ignoreerrors: true with_items: - { name: net.ipv4.conf.all.send_redirects, value: 0 } - { name: net.ipv4.conf.default.send_redirects, value: 0 } when: - not ubuntu1804cis_is_router - ubuntu1804cis_rule_3_1_1 notify: - sysctl flush ipv4 route table tags: - level1 - scored - patch - sysctl - rule_3.1.1 - name: "SCORED | 3.1.2 | PATCH | Ensure IP forwarding is disabled" block: - name: "SCORED | 3.1.2 | PATCH | Ensure IP forwarding is disabled | ipv4" sysctl: name: net.ipv4.ip_forward value: "0" state: present reload: true ignoreerrors: true notify: - sysctl flush ipv4 route table - name: "SCORED | 3.1.2 | PATCH | Ensure IP forwarding is disabled | ipv6" sysctl: name: net.ipv6.conf.all.forwarding value: "0" state: present reload: true ignoreerrors: true when: ubuntu1804cis_ipv6_required notify: - sysctl flush ipv6 route table when: - not ubuntu1804cis_is_router - ubuntu1804cis_rule_3_1_2 tags: - level1 - scored - patch - sysctl - rule_3.1.2 - name: "SCORED | 3.2.1 | PATCH | Ensure source routed packets are not accepted" block: - name: "SCORED | 3.2.1 | PATCH | Ensure source routed packets are not accepted | ipv4" sysctl: name: '{{ item.name }}' value: '{{ item.value }}' sysctl_set: true state: present reload: true ignoreerrors: true with_items: - { name: net.ipv4.conf.all.accept_source_route, value: 0 } - { name: net.ipv4.conf.default.accept_source_route, value: 0 } notify: - sysctl flush ipv4 route table - name: "SCORED | 3.2.1 | PATCH | Ensure source routed packets are not accepted | ipv6" sysctl: name: '{{ item.name }}' value: '{{ 
item.value }}' sysctl_set: true state: present reload: true ignoreerrors: true with_items: - { name: net.ipv6.conf.all.accept_source_route, value: 0 } - { name: net.ipv6.conf.default.accept_source_route, value: 0 } when: - ubuntu1804cis_ipv6_required notify: - sysctl flush ipv6 route table when: - ubuntu1804cis_rule_3_2_1 tags: - level1 - scored - patch - sysctl - rule_3.2.1 - name: "SCORED | 3.2.2 | PATCH | Ensure ICMP redirects are not accepted | ipv4,ipv6" block: - name: "SCORED | 3.2.2 | PATCH | Ensure ICMP redirects are not accepted | ipv4" sysctl: name: '{{ item.name }}' value: '{{ item.value }}' sysctl_set: true state: present reload: true ignoreerrors: true with_items: - { name: net.ipv4.conf.all.accept_redirects, value: 0 } - { name: net.ipv4.conf.default.accept_redirects, value: 0 } notify: - sysctl flush ipv4 route table - name: "SCORED | 3.2.2 | PATCH | Ensure ICMP redirects are not accepted | ipv6" sysctl: name: '{{ item.name }}' value: '{{ item.value }}' sysctl_set: true state: present reload: true ignoreerrors: true with_items: - { name: net.ipv6.conf.all.accept_redirects, value: 0 } - { name: net.ipv6.conf.default.accept_redirects, value: 0 } when: - ubuntu1804cis_ipv6_required notify: - sysctl flush ipv6 route table when: - ubuntu1804cis_rule_3_2_2 tags: - level1 - scored - patch - sysctl - rule_3.2.2 - name: "SCORED | 3.2.3 | PATCH | Ensure secure ICMP redirects are not accepted" sysctl: name: '{{ item.name }}' value: '{{ item.value }}' sysctl_set: true state: present reload: true ignoreerrors: true with_items: - { name: net.ipv4.conf.all.secure_redirects, value: 0 } - { name: net.ipv4.conf.default.secure_redirects, value: 0 } when: - ubuntu1804cis_rule_3_2_3 notify: - sysctl flush ipv4 route table tags: - level1 - scored - patch - sysctl - rule_3.2.3 - name: "SCORED | 3.2.4 | PATCH | Ensure suspicious packets are logged" sysctl: name: '{{ item.name }}' value: '{{ item.value }}' sysctl_set: true state: present reload: true ignoreerrors: true 
with_items: - { name: net.ipv4.conf.all.log_martians, value: 1 } - { name: net.ipv4.conf.default.log_martians, value: 1 } when: - ubuntu1804cis_rule_3_2_4 notify: - sysctl flush ipv4 route table tags: - level1 - scored - patch - sysctl - rule_3.2.4 - name: "SCORED | 3.2.5 | PATCH | Ensure broadcast ICMP requests are ignored" sysctl: name: net.ipv4.icmp_echo_ignore_broadcasts value: "1" state: present reload: true ignoreerrors: true when: - ubuntu1804cis_rule_3_2_5 notify: - sysctl flush ipv4 route table tags: - level1 - scored - patch - sysctl - rule_3.2.5 - name: "SCORED | 3.2.6 | PATCH | Ensure bogus ICMP responses are ignored" sysctl: name: net.ipv4.icmp_ignore_bogus_error_responses value: "1" state: present reload: true ignoreerrors: true when: - ubuntu1804cis_rule_3_2_6 notify: - sysctl flush ipv4 route table tags: - level1 - scored - patch - sysctl - rule_3.2.6 - name: "SCORED | 3.2.7 | PATCH | Ensure Reverse Path Filtering is enabled" sysctl: name: '{{ item.name }}' value: '{{ item.value }}' sysctl_set: true state: present reload: true ignoreerrors: true with_items: - { name: net.ipv4.conf.all.rp_filter, value: 1 } - { name: net.ipv4.conf.default.rp_filter, value: 1 } when: - ubuntu1804cis_rule_3_2_7 notify: - sysctl flush ipv4 route table tags: - level1 - scored - patch - sysctl - rule_3.2.7 - name: "SCORED | 3.2.8 | PATCH | Ensure TCP SYN Cookies is enabled" sysctl: name: net.ipv4.tcp_syncookies value: '1' state: present reload: true ignoreerrors: true when: - ubuntu1804cis_rule_3_2_8 notify: - sysctl flush ipv4 route table tags: - level1 - scored - patch - sysctl - rule_3.2.8 - name: "SCORED | 3.2.9 | PATCH | Ensure IPv6 router advertisements are not accepted" sysctl: name: '{{ item.name }}' value: '{{ item.value }}' state: present reload: true ignoreerrors: true with_items: - { name: net.ipv6.conf.all.accept_ra, value: 0 } - { name: net.ipv6.conf.default.accept_ra, value: 0 } when: - ubuntu1804cis_ipv6_required - ubuntu1804cis_rule_3_2_9 notify: - sysctl 
flush ipv6 route table tags: - level1 - scored - patch - sysctl - rule_3.2.9 - name: "NOTSCORED | 3.3.1 | PATCH | Ensure TCP Wrappers is installed" apt: name: "{{ tcp_wrapper_package[ansible_os_family] }}" state: present install_recommends: false when: - ubuntu1804cis_setup_tcp_wrappers - ubuntu1804cis_rule_3_3_1 tags: - level1 - notscored - patch - rule_3.3.1 - name: "NOTSCORED | 3.3.2 | PATCH | Ensure /etc/hosts.allow is configured" template: src: hosts.allow.j2 dest: /etc/hosts.allow when: - ubuntu1804cis_setup_tcp_wrappers - ubuntu1804cis_rule_3_3_2 tags: - level1 - notscored - patch - rule_3.3.2 - name: "NOTSCORED | 3.3.3 | PATCH | Ensure /etc/hosts.deny is configured" lineinfile: dest: /etc/hosts.deny regexp: "^(#)?ALL" line: "ALL: ALL" when: - ubuntu1804cis_setup_tcp_wrappers - ubuntu1804cis_rule_3_3_3 tags: - level1 - notscored - patch - rule_3.3.3 - name: "SCORED | 3.3.4 | PATCH | Ensure permissions on /etc/hosts.allow are configured" template: src: hosts.allow.j2 dest: /etc/hosts.allow owner: root group: root mode: 0644 when: - ubuntu1804cis_setup_tcp_wrappers - ubuntu1804cis_rule_3_3_4 tags: - level1 - scored - patch - rule_3.3.4 - name: "SCORED | 3.3.5 | PATCH | Ensure permissions on /etc/hosts.deny are configured" file: dest: /etc/hosts.deny owner: root group: root mode: 0644 when: - ubuntu1804cis_setup_tcp_wrappers - ubuntu1804cis_rule_3_3_5 tags: - level1 - scored - patch - rule_3.3.5 - name: "SCORED | 3.4.1 | PATCH | Ensure DCCP is disabled" lineinfile: dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install dccp(\\s|$)" line: "install dccp /bin/true" create: true when: - ubuntu1804cis_rule_3_4_1 tags: - level2 - scored - patch - rule_3.4.1 - name: "SCORED | 3.4.2 | PATCH | Ensure SCTP is disabled" lineinfile: dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install sctp(\\s|$)" line: "install sctp /bin/true" create: true when: - ubuntu1804cis_rule_3_4_2 tags: - level2 - scored - patch - rule_3.4.2 - name: "SCORED | 3.4.3 | PATCH | Ensure RDS is disabled" 
lineinfile: dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install rds(\\s|$)" line: "install rds /bin/true" create: true when: - ubuntu1804cis_rule_3_4_3 tags: - level2 - scored - patch - rule_3.4.3 - name: "SCORED | 3.4.4 | PATCH | Ensure TIPC is disabled" lineinfile: dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install tipc(\\s|$)" line: "install tipc /bin/true" create: true when: - ubuntu1804cis_rule_3_4_4 tags: - level2 - scored - patch - rule_3.4.4 - name: "SCORED | 3.5.1.1 | PATCH | Ensure a Firewall package is installed | firewalld(CUSTOM),ufw,nftables,iptables" block: - name: "SCORED | 3.5.1.1 | PATCH | Ensure a Firewall package is installed | firewalld | CUSTOM" apt: name: firewalld state: present install_recommends: false when: - ubuntu1804cis_firewall == "firewalld" - name: "SCORED | 3.5.1.1 | PATCH | Ensure a Firewall package is installed | ufw" apt: name: ufw state: present install_recommends: false when: - ubuntu1804cis_firewall == "ufw" - name: "SCORED | 3.5.1.1 | PATCH | Ensure a Firewall package is installed | nftables" apt: name: nftables state: present install_recommends: false when: - ubuntu1804cis_firewall == "nftables" - name: "SCORED | 3.5.1.1 | PATCH | Ensure a Firewall package is installed | iptables" apt: name: iptables state: present install_recommends: false when: - ubuntu1804cis_firewall == "iptables" when: - ubuntu1804cis_rule_3_5_1_1 - ubuntu1804cis_setup_firewall tags: - level1 - scored - patch - rule_3.5.1.1 - name: "SCORED | 3.5.2.1 | PATCH | Ensure ufw service is enabled" service: name: ufw state: started enabled: true when: - ubuntu1804cis_rule_3_5_2_1 - ubuntu1804cis_firewall == "ufw" - ubuntu1804cis_setup_firewall tags: - level1 - scored - patch - rule_3.5.2.1 - name: "SCORED | 3.5.2.2 | PATCH | Ensure default deny firewall policy" ufw: rule: "{{ item.rule }}" direction: "{{ item.direction }}" with_items: - { rule: deny, direction: incoming } - { rule: deny, direction: outgoing } - { rule: deny, direction: routed } when: - 
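# (tail of task 3.5.2.2: remaining `when` conditions and tags; the task header is above this chunk)
    - ubuntu1804cis_rule_3_5_2_2
    - ubuntu1804cis_firewall == "ufw"
    - ubuntu1804cis_setup_firewall
  tags:
    - level1
    - scored
    - patch
    - rule_3.5.2.2

# --- ufw backend -----------------------------------------------------------

- name: "SCORED | 3.5.2.3 | PATCH | Ensure loopback traffic is configured"
  block:
    - name: "SCORED | 3.5.2.3 | PATCH | Ensure loopback traffic is configured| ingress lo allow any"
      ufw:
        rule: allow
        direction: in
        interface: lo
    # Packets claiming a loopback source on any other interface are spoofed.
    - name: "SCORED | 3.5.2.3 | PATCH | Ensure loopback traffic is configured | ingress deny from lo network ipv4"
      ufw:
        rule: deny
        direction: in
        from: "127.0.0.0/8"
    - name: "SCORED | 3.5.2.3 | PATCH | Ensure loopback traffic is configured | ingress deny from lo network ipv6"
      ufw:
        rule: deny
        direction: in
        from: "::1"
      when: ubuntu1804cis_ipv6_required
  when:
    - ubuntu1804cis_rule_3_5_2_3
    - ubuntu1804cis_firewall == "ufw"
    - ubuntu1804cis_setup_firewall
  tags:
    - level1
    - scored
    - patch
    - rule_3.5.2.3

- name: "NOTSCORED | 3.5.2.4 | PATCH | Ensure outbound and established connections are configured"
  ufw:
    rule: allow
    direction: out
    interface: all
  when:
    - ubuntu1804cis_rule_3_5_2_4
    - ubuntu1804cis_firewall == "ufw"
    - ubuntu1804cis_setup_firewall
  tags:
    - level1
    - notscored
    - patch
    - rule_3.5.2.4

# NOTE(review): this opens tcp/22 and tcp+udp/53 inbound on every host the
# role runs on, whether or not the host serves DNS; the allowed ports are not
# configurable here (the firewalld backend uses ubuntu1804cis_firewall_services).
- name: "NOTSCORED | 3.5.2.5 | PATCH | Ensure firewall rules exist for all open ports"
  block:
    - name: "NOTSCORED | 3.5.2.5 | PATCH | Ensure firewall rules exist for all open ports| ssh"
      ufw:
        rule: allow
        proto: tcp
        port: '22'
    - name: "NOTSCORED | 3.5.2.5 | PATCH | Ensure firewall rules exist for all open ports| dns"
      ufw:
        rule: allow
        proto: "{{ item }}"
        port: '53'
      loop:
        - tcp
        - udp
  when:
    - ubuntu1804cis_rule_3_5_2_5
    - ubuntu1804cis_firewall == "ufw"
    - ubuntu1804cis_setup_firewall
  tags:
    - level1
    - notscored
    - patch
    - rule_3.5.2.5

# --- nftables backend ------------------------------------------------------

- name: "NOTSCORED | 3.5.3.1 | PATCH | Ensure iptables are flushed | ipv4, ipv6"
  block:
    - name: "NOTSCORED | 3.5.3.1 | PATCH | Ensure iptables are flushed | ipv4"
      iptables:
        flush: true
    - name: "NOTSCORED | 3.5.3.1 | PATCH | Ensure iptables are flushed | ipv6"
      iptables:
        flush: true
        ip_version: ipv6
      when: ubuntu1804cis_ipv6_required
  when:
    - ubuntu1804cis_rule_3_5_3_1
    - ubuntu1804cis_firewall == "nftables"
    - ubuntu1804cis_setup_firewall
  tags:
    - level1
    - notscored
    - patch
    - rule_3.5.3.1

- name: "SCORED | 3.5.3.2 | PATCH | Ensure a table exists"
  shell: |
    nft create table inet {{ ubuntu1804cis_nftables_table }}
  args:
    executable: /bin/bash
  changed_when: false
  check_mode: false
  # default table name exist when install nftables by apt
  # nft create table will raise an error
  ignore_errors: true
  when:
    - ubuntu1804cis_rule_3_5_3_2
    - ubuntu1804cis_firewall == "nftables"
    - ubuntu1804cis_setup_firewall
  tags:
    - level1
    - scored
    - patch
    - rule_3.5.3.2

- name: "SCORED | 3.5.3.3 | PATCH | Ensure base chains exist"
  shell: |
    nft chain inet {{ ubuntu1804cis_nftables_table }} {{ item }} { type filter hook {{ item }} priority 0\; }
  args:
    executable: /bin/bash
  loop:
    - input
    - forward
    - output
  changed_when: false
  check_mode: false
  when:
    - ubuntu1804cis_rule_3_5_3_3
    - ubuntu1804cis_firewall == "nftables"
    - ubuntu1804cis_setup_firewall
  tags:
    - level1
    - scored
    - patch
    - rule_3.5.3.3

# NOTE(review): the `nft add rule` tasks below append on every run and report
# changed_when: false, so repeated runs accumulate duplicate rules and the
# play never shows the ruleset changing.
- name: "SCORED | 3.5.3.4 | PATCH | Ensure loopback traffic is configured"
  block:
    - name: "SCORED | 3.5.3.4 | PATCH | Ensure loopback traffic is configured | ingress lo allow nay"
      shell: |
        nft add rule inet {{ ubuntu1804cis_nftables_table }} input iif lo accept
      args:
        executable: /bin/bash
      changed_when: false
      check_mode: false
    - name: "SCORED | 3.5.3.4 | PATCH | Ensure loopback traffic is configured | ingress deny from lo network ipv4"
      shell: |
        nft add rule inet {{ ubuntu1804cis_nftables_table }} input ip saddr 127.0.0.0/8 counter drop
      args:
        executable: /bin/bash
      changed_when: false
      check_mode: false
    - name: "SCORED | 3.5.3.4 | PATCH | Ensure loopback traffic is configured | ingress deny from lo network ipv6"
      shell: |
        nft add rule inet {{ ubuntu1804cis_nftables_table }} input ip6 saddr ::1 counter drop
      args:
        executable: /bin/bash
      changed_when: false
      check_mode: false
      when: ubuntu1804cis_ipv6_required
  when:
    - ubuntu1804cis_rule_3_5_3_4
    - ubuntu1804cis_firewall == "nftables"
    - ubuntu1804cis_setup_firewall
  tags:
    - level1
    - scored
    - patch
    - rule_3.5.3.4

- name: "NOTSCORED | 3.5.3.5 | PATCH | Ensure outbound and established connections are configured"
  shell: |
    nft add rule inet {{ ubuntu1804cis_nftables_table }} input ip protocol {{ item }} ct state established accept
    nft add rule inet {{ ubuntu1804cis_nftables_table }} output ip protocol {{ item }} ct state new,related,established accept
  args:
    executable: /bin/bash
  loop:
    - tcp
    - udp
    - icmp
  changed_when: false
  check_mode: false
  when:
    - ubuntu1804cis_rule_3_5_3_5
    - ubuntu1804cis_firewall == "nftables"
    - ubuntu1804cis_setup_firewall
  tags:
    - level1
    - notscored
    - patch
    - rule_3.5.3.5

# Default-deny is applied last for nftables, after the accept rules above are
# in place, so an existing management session is not cut off mid-play.
- name: "SCORED | 3.5.3.6 | PATCH | Ensure base chains exist"
  shell: |
    nft chain inet {{ ubuntu1804cis_nftables_table }} {{ item }} { policy drop \; }
  args:
    executable: /bin/bash
  loop:
    - input
    - forward
    - output
  changed_when: false
  check_mode: false
  when:
    - ubuntu1804cis_rule_3_5_3_6
    - ubuntu1804cis_firewall == "nftables"
    - ubuntu1804cis_setup_firewall
  tags:
    - level1
    - scored
    - patch
    - rule_3.5.3.6

- name: "SCORED | 3.5.3.7 | PATCH | Ensure nftables service is enabled"
  service:
    name: nftables
    state: started
    enabled: true
  when:
    - ubuntu1804cis_rule_3_5_3_7
    - ubuntu1804cis_firewall == "nftables"
    - ubuntu1804cis_setup_firewall
  tags:
    - level1
    - scored
    - patch
    - rule_3.5.3.7

# Overwrites /etc/nftables.conf with the live table.
# NOTE(review): the dump contains no `flush ruleset`; confirm that the
# nftables service reload on the target does not duplicate rules.
- name: "SCORED | 3.5.3.8 | PATCH | Ensure nftables rules are permanent"
  shell: nft list table inet {{ ubuntu1804cis_nftables_table }} > /etc/nftables.conf
  when:
    - ubuntu1804cis_rule_3_5_3_8
    - ubuntu1804cis_firewall == "nftables"
    - ubuntu1804cis_setup_firewall
  tags:
    - level1
    - scored
    - patch
    - rule_3.5.3.8

# --- iptables backend ------------------------------------------------------

# NOTE(review): the DROP policies are set before any ACCEPT rule exists; if the
# play runs over SSH, packets of the controller's own session may be dropped
# until 3.5.4.1.3 runs. Consider applying this task after the accept rules.
- name: "SCORED | 3.5.4.1.1 | PATCH | Ensure default deny firewall policy"
  iptables:
    chain: "{{ item }}"
    policy: DROP
  loop:
    - INPUT
    - OUTPUT
    - FORWARD
  when:
    - ubuntu1804cis_rule_3_5_4_1_1
    - ubuntu1804cis_firewall == "iptables"
    - ubuntu1804cis_setup_firewall
  tags:
    - level1
    - scored
    - patch
    - rule_3.5.4.1.1

- name: "SCORED | 3.5.4.1.2 | PATCH | Ensure loopback traffic is configured"
  block:
    - name: "SCORED | 3.5.4.1.2 | PATCH | Ensure loopback traffic is configured| ingress lo allow any"
      iptables:
        chain: INPUT
        jump: ACCEPT
        in_interface: lo
    # Fixed: this was a copy of the ingress rule (INPUT / in_interface), so no
    # egress loopback rule was ever created and local services could not reply
    # over lo under the OUTPUT DROP policy. CIS wants `-A OUTPUT -o lo -j ACCEPT`.
    - name: "SCORED | 3.5.4.1.2 | PATCH | Ensure loopback traffic is configured| egress lo allow any"
      iptables:
        chain: OUTPUT
        jump: ACCEPT
        out_interface: lo
    - name: "SCORED | 3.5.4.1.2 | PATCH | Ensure loopback traffic is configured| ingress deny from lo network"
      iptables:
        chain: INPUT
        jump: DROP
        source: 127.0.0.0/8
  when:
    - ubuntu1804cis_rule_3_5_4_1_2
    - ubuntu1804cis_firewall == "iptables"
    - ubuntu1804cis_setup_firewall
  tags:
    - level1
    - scored
    - patch
    - rule_3.5.4.1.2

- name: "NOTSCORED | 3.5.4.1.3 | PATCH | Ensure outbound and established connections are configured"
  block:
    # Fixed: INPUT previously accepted NEW,ESTABLISHED for tcp/udp/icmp, which
    # admits every inbound connection and makes the default-deny policy and
    # the per-port rules in 3.5.4.1.4 meaningless. Inbound must only accept
    # replies to established connections; NEW is for OUTPUT.
    - name: "NOTSCORED | 3.5.4.1.3 | PATCH | Ensure outbound and established connections are configured | input "
      iptables:
        chain: INPUT
        jump: ACCEPT
        ctstate: ESTABLISHED
        protocol: "{{ item }}"
      loop:
        - tcp
        - udp
        - icmp
    - name: "NOTSCORED | 3.5.4.1.3 | PATCH | Ensure outbound and established connections are configured | output"
      iptables:
        chain: OUTPUT
        jump: ACCEPT
        ctstate: NEW,ESTABLISHED
        protocol: "{{ item }}"
      loop:
        - tcp
        - udp
        - icmp
  when:
    - ubuntu1804cis_rule_3_5_4_1_3
    - ubuntu1804cis_firewall == "iptables"
    - ubuntu1804cis_setup_firewall
  tags:
    - level1
    - notscored
    - patch
    - rule_3.5.4.1.3

- name: "SCORED | 3.5.4.1.4 | PATCH | Ensure firewall rules exist for all open ports"
  block:
    - name: "SCORED | 3.5.4.1.4 | PATCH | Ensure firewall rules exist for all open ports| ssh"
      iptables:
        chain: INPUT
        jump: ACCEPT
        ctstate: NEW
        protocol: tcp
        destination_port: 22
    - name: "SCORED | 3.5.4.1.4 | PATCH | Ensure firewall rules exist for all open ports| dns"
      iptables:
        chain: INPUT
        jump: ACCEPT
        ctstate: NEW
        protocol: "{{ item }}"
        destination_port: 53
      loop:
        - tcp
        - udp
  when:
    - ubuntu1804cis_rule_3_5_4_1_4
    - ubuntu1804cis_firewall == "iptables"
    - ubuntu1804cis_setup_firewall
  tags:
    - level1
    - scored
    - patch
    - rule_3.5.4.1.4

- name: "SCORED | 3.5.4.2.1 | PATCH | Ensure IPv6 default deny firewall policy"
  iptables:
    chain: "{{ item }}"
    policy: DROP
    ip_version: ipv6
  loop:
    - INPUT
    - OUTPUT
    - FORWARD
  when:
    - ubuntu1804cis_rule_3_5_4_2_1
    - ubuntu1804cis_firewall == "iptables"
    - ubuntu1804cis_setup_firewall
    - ubuntu1804cis_ipv6_required
  tags:
    - level1
    - scored
    - patch
    - rule_3.5.4.2.1

- name: "SCORED | 3.5.4.2.2 | PATCH | Ensure IPv6 loopback traffic is configured"
  block:
    - name: "SCORED | 3.5.4.2.2 | PATCH | Ensure IPv6 loopback traffic is configured| ingress lo allow any"
      iptables:
        chain: INPUT
        jump: ACCEPT
        in_interface: lo
        ip_version: ipv6
    # Fixed: same duplicated-ingress bug as 3.5.4.1.2; egress goes in OUTPUT.
    - name: "SCORED | 3.5.4.2.2 | PATCH | Ensure IPv6 loopback traffic is configured| egress lo allow any"
      iptables:
        chain: OUTPUT
        jump: ACCEPT
        out_interface: lo
        ip_version: ipv6
    - name: "SCORED | 3.5.4.2.2 | PATCH | Ensure IPv6 loopback traffic is configured| ingress deny from lo network"
      iptables:
        chain: INPUT
        jump: DROP
        source: "::1"
        ip_version: ipv6
  when:
    - ubuntu1804cis_rule_3_5_4_2_2
    - ubuntu1804cis_firewall == "iptables"
    - ubuntu1804cis_setup_firewall
    - ubuntu1804cis_ipv6_required
  tags:
    - level1
    - scored
    - patch
    - rule_3.5.4.2.2

- name: "NOTSCORED | 3.5.4.2.3 | PATCH | Ensure IPv6 outbound and established connections are configured"
  block:
    # Fixed: INPUT must not accept NEW (see 3.5.4.1.3).
    - name: "NOTSCORED | 3.5.4.2.3 | PATCH | Ensure IPv6 outbound and established connections are configured | input "
      iptables:
        chain: INPUT
        jump: ACCEPT
        ctstate: ESTABLISHED
        protocol: "{{ item }}"
        ip_version: ipv6
      loop:
        - tcp
        - udp
        - icmp
    - name: "NOTSCORED | 3.5.4.2.3 | PATCH | Ensure IPv6 outbound and established connections are configured | output"
      iptables:
        chain: OUTPUT
        jump: ACCEPT
        ctstate: NEW,ESTABLISHED
        protocol: "{{ item }}"
        ip_version: ipv6
      loop:
        - tcp
        - udp
        - icmp
  when:
    - ubuntu1804cis_rule_3_5_4_2_3
    - ubuntu1804cis_firewall == "iptables"
    - ubuntu1804cis_setup_firewall
    - ubuntu1804cis_ipv6_required
  tags:
    - level1
    - notscored
    - patch
    - rule_3.5.4.2.3

- name: "NOTSCORED | 3.5.4.2.4 | PATCH | Ensure IPv6 firewall rules exist for all open ports"
  block:
    - name: "NOTSCORED | 3.5.4.2.4 | PATCH | Ensure IPv6 firewall rules exist for all open ports| ssh"
      iptables:
        chain: INPUT
        jump: ACCEPT
        ctstate: NEW
        protocol: tcp
        destination_port: 22
        ip_version: ipv6
    - name: "NOTSCORED | 3.5.4.2.4 | PATCH | Ensure IPv6 firewall rules exist for all open ports| dns"
      iptables:
        chain: INPUT
        jump: ACCEPT
        ctstate: NEW
        protocol: "{{ item }}"
        destination_port: 53
        ip_version: ipv6
      loop:
        - tcp
        - udp
  when:
    - ubuntu1804cis_rule_3_5_4_2_4
    - ubuntu1804cis_firewall == "iptables"
    - ubuntu1804cis_setup_firewall
    - ubuntu1804cis_ipv6_required
  tags:
    - level1
    - notscored
    - patch
    - rule_3.5.4.2.4

# --- firewalld backend (not part of the CIS benchmark, hence CUSTOM) -------

- name: "SCORED | 3.5.4.3.1 | PATCH | Ensure firewalld is installed and started | CUSTOM"
  apt:
    name: firewalld
    state: present
    install_recommends: false
  when:
    - ubuntu1804cis_rule_3_5_4_3_1
    - ubuntu1804cis_firewall == "firewalld"
    - ubuntu1804cis_setup_firewall
  tags:
    - level1
    - scored
    - patch
    - rule_3.5.4.3.1

- name: "SCORED | 3.5.4.3.2 | PATCH | Ensure firewalld is installed and started | CUSTOM"
  service:
    name: firewalld
    state: started
    enabled: true
  when:
    - ubuntu1804cis_rule_3_5_4_3_2
    - ubuntu1804cis_firewall == "firewalld"
    - ubuntu1804cis_setup_firewall
  tags:
    - level1
    - scored
    - patch
    - rule_3.5.4.3.2

# A changed DefaultZone only takes effect after firewalld restarts; notify the
# same handler 3.5.4.3.5 uses so the default-deny zone is actually active.
- name: "SCORED | 3.5.4.3.3 | PATCH | Ensure default deny firewall policy | CUSTOM"
  lineinfile:
    dest: /etc/firewalld/firewalld.conf
    regexp: "^DefaultZone"
    line: "DefaultZone=drop"
  notify: restart firewalld
  when:
    - ubuntu1804cis_rule_3_5_4_3_3
    - ubuntu1804cis_firewall == "firewalld"
    - ubuntu1804cis_setup_firewall
  tags:
    - level1
    - scored
    - patch
    - rule_3.5.4.3.3

# NOTE(review): only zone/state/permanent are given (no service, port or
# source); confirm what the firewalld module changes with this argument set.
- name: "SCORED | 3.5.4.3.4 | PATCH | Ensure default deny firewall policy | CUSTOM"
  firewalld:
    state: enabled
    zone: drop
    permanent: true
  when:
    - ubuntu1804cis_rule_3_5_4_3_4
    - ubuntu1804cis_firewall == "firewalld"
    - ubuntu1804cis_setup_firewall
  tags:
    - level1
    - scored
    - patch
    - rule_3.5.4.3.4

- name: "SCORED | 3.5.4.3.5 | PATCH | Ensure firewall rules exist for all open ports | CUSTOM"
  firewalld:
    service: "{{ item }}"
    state: enabled
    zone: drop
    permanent: true
    immediate: true
  when:
    - ubuntu1804cis_rule_3_5_4_3_5
    - ubuntu1804cis_firewall == "firewalld"
    - ubuntu1804cis_setup_firewall
  notify: restart firewalld
  with_items: "{{ ubuntu1804cis_firewall_services }}"
  tags:
    - level1
    - scored
    - patch
    - rule_3.5.4.3.5

# Appends ipv6.disable=1 to GRUB_CMDLINE_LINUX unless already present
# (negative lookahead); the handler regenerates grub.cfg.
# NOTE(review): ignore_errors hides a genuinely failed edit of
# /etc/default/grub; failed_when would be the narrower tool.
- name: "NOTSCORED | 3.7 | Disable IPv6"
  replace:
    dest: /etc/default/grub
    regexp: '^(GRUB_CMDLINE_LINUX=(?!.*ipv6.disable)\"[^\"]*)(\".*)'
    replace: '\1 ipv6.disable=1\2'
  ignore_errors: true
  when:
    - ubuntu1804cis_rule_3_7
  notify:
    - generate new grub config
  tags:
    - level2
    - notscored
    - patch
    - rule_3.7
================================================ FILE: tasks/section4.yml ================================================
---
# audispd-plugins depends on auditd, so installing it pulls the daemon in too.
- name: "SCORED | 4.1.1.1 | PATCH | Ensure auditd is installed"
  apt:
    name: audispd-plugins
    state: present
    install_recommends: false
  when:
    - not ubuntu1804cis_skip_for_travis
    - ubuntu1804cis_rule_4_1_1_1
  tags:
    - level2
    - scored
    - patch
    - auditd
    - rule_4.1.1.1

- name: "SCORED | 4.1.1.2 | PATCH | Ensure auditd service is enabled"
  service:
    name: auditd
    state: started
    enabled: true
  when:
    - not ubuntu1804cis_skip_for_travis
    - ubuntu1804cis_rule_4_1_1_2
  tags:
    - level2
    - scored
    - patch
    - auditd
    - rule_4.1.1.2

# Adds audit=1 to the kernel command line unless already present, so processes
# started before auditd are still audited.
- name: "SCORED | 4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled"
  replace:
    dest: /etc/default/grub
    regexp: '^(GRUB_CMDLINE_LINUX=(?!.*audit)\"[^\"]*)(\".*)'
    replace: '\1 audit=1\2'
  notify:
    - generate new grub config
  when:
    - ubuntu1804cis_rule_4_1_1_3
  tags:
    - level2
    - scored
    - patch
    - auditd
    - rule_4.1.1.3

- name: "SCORED | 4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient"
  replace:
    dest: /etc/default/grub
    regexp: '^(GRUB_CMDLINE_LINUX=(?!.*audit_backlog_limit)\"[^\"]*)(\".*)'
    replace: '\1 audit_backlog_limit={{ ubuntu1804cis_auditd.backlog_limit }}\2'
  ignore_errors: true
  notify:
    - generate new grub config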
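# (tail of task 4.1.1.4: conditions and tags; the task header is above this chunk)
  when:
    - ubuntu1804cis_rule_4_1_1_4
  tags:
    - level2
    - scored
    - patch
    - auditd
    - rule_4.1.1.4

- name: "SCORED | 4.1.2.1 | PATCH | Ensure audit log storage size is configured"
  lineinfile:
    dest: /etc/audit/auditd.conf
    regexp: "^max_log_file( |=)"
    line: "max_log_file = {{ ubuntu1804cis_auditd.max_audit_log_file_size }}"
    state: present
    create: true
  when:
    - ubuntu1804cis_rule_4_1_2_1
  notify:
    - restart auditd
  tags:
    - level2
    - scored
    - patch
    - auditd
    - rule_4.1.2.1

- name: "SCORED | 4.1.2.2 | PATCH | Ensure audit logs are not automatically deleted"
  lineinfile:
    dest: /etc/audit/auditd.conf
    regexp: "^max_log_file_action"
    line: "max_log_file_action = {{ ubuntu1804cis_auditd['max_log_file_action'] }}"
    state: present
    create: true
  when:
    - ubuntu1804cis_rule_4_1_2_2
  notify:
    - restart auditd
  tags:
    - level2
    - scored
    - patch
    - auditd
    - rule_4.1.2.2

- name: "SCORED | 4.1.2.3 | PATCH | Ensure system is disabled when audit logs are full"
  lineinfile:
    dest: /etc/audit/auditd.conf
    regexp: "^admin_space_left_action"
    line: "admin_space_left_action = {{ ubuntu1804cis_auditd['admin_space_left_action'] }}"
    state: present
    create: true
  when:
    - ubuntu1804cis_rule_4_1_2_3
  notify:
    - restart auditd
  tags:
    - level2
    - scored
    - patch
    - auditd
    - rule_4.1.2.3

# NOTE(review): this task reuses the 4.1.1.2 flag and tag of the auditd
# service task above, so it cannot be enabled or selected independently.
- name: "SCORED | 4.1.1.2 | PATCH | Ensure email on non-admin audit space alert"
  lineinfile:
    dest: /etc/audit/auditd.conf
    regexp: "^space_left_action"
    line: "space_left_action = email"
    state: present
    create: true
  when:
    - ubuntu1804cis_rule_4_1_1_2
  notify:
    - restart auditd
  tags:
    - level2
    - scored
    - patch
    - auditd
    - rule_4.1.1.2

# Each 4.1.x audit rule is rendered from its own template into
# /etc/audit/rules.d/ and loaded via the handlers; file modes are quoted so
# the YAML parser cannot reinterpret the octal value.
- name: "SCORED | 4.1.3 | PATCH | Ensure events that modify date and time information are collected"
  template:
    src: audit/ubuntu1804cis_rule_4_1_3.rules.j2
    dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_3.rules
    owner: root
    group: root
    mode: "0600"
  when:
    - ubuntu1804cis_rule_4_1_3
  notify:
    - load audit rules
    - restart auditd
  tags:
    - level2
    - scored
    - patch
    - auditd
    - rule_4.1.3

- name: "SCORED | 4.1.4 | PATCH | Ensure events that modify user/group information are collected"
  template:
    src: audit/ubuntu1804cis_rule_4_1_4.rules.j2
    dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_4.rules
    owner: root
    group: root
    mode: "0600"
  when:
    - ubuntu1804cis_rule_4_1_4
  notify:
    - load audit rules
    - restart auditd
  tags:
    - level2
    - scored
    - patch
    - auditd
    - rule_4.1.4

- name: "SCORED | 4.1.5 | PATCH | Ensure events that modify the system's network environment are collected"
  template:
    src: audit/ubuntu1804cis_rule_4_1_5.rules.j2
    dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_5.rules
    owner: root
    group: root
    mode: "0600"
  when:
    - ubuntu1804cis_rule_4_1_5
  notify:
    - load audit rules
    - restart auditd
  tags:
    - level2
    - scored
    - patch
    - auditd
    - rule_4.1.5

- name: "SCORED | 4.1.6 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected"
  template:
    src: audit/ubuntu1804cis_rule_4_1_6.rules.j2
    dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_6.rules
    owner: root
    group: root
    mode: "0600"
  when:
    - ubuntu1804cis_rule_4_1_6
  notify:
    - load audit rules
    - restart auditd
  tags:
    - level2
    - scored
    - patch
    - auditd
    - rule_4.1.6

- name: "SCORED | 4.1.7 | PATCH | Ensure login and logout events are collected"
  template:
    src: audit/ubuntu1804cis_rule_4_1_7.rules.j2
    dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_7.rules
    owner: root
    group: root
    mode: "0600"
  when:
    - ubuntu1804cis_rule_4_1_7
  notify:
    - load audit rules
    - restart auditd
  tags:
    - level2
    - scored
    - patch
    - auditd
    - rule_4.1.7

- name: "SCORED | 4.1.8 | PATCH | Ensure session initiation information is collected"
  template:
    src: audit/ubuntu1804cis_rule_4_1_8.rules.j2
    dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_8.rules
    owner: root
    group: root
    mode: "0600"
  when:
    - ubuntu1804cis_rule_4_1_8
  notify:
    - load audit rules
    - restart auditd
  tags:
    - level2
    - scored
    - patch
    - auditd
    - rule_4.1.8

- name: "SCORED | 4.1.9 | PATCH | Ensure discretionary access control permission modification events are collected"
  template:
    src: audit/ubuntu1804cis_rule_4_1_9.rules.j2
    dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_9.rules
    owner: root
    group: root
    mode: "0600"
  when:
    - ubuntu1804cis_rule_4_1_9
  notify:
    - load audit rules
    - restart auditd
  tags:
    - level2
    - scored
    - patch
    - auditd
    - rule_4.1.9

- name: "SCORED | 4.1.10 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected"
  template:
    src: audit/ubuntu1804cis_rule_4_1_10.rules.j2
    dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_10.rules
    owner: root
    group: root
    mode: "0600"
  when:
    - ubuntu1804cis_rule_4_1_10
  notify:
    - load audit rules
    - restart auditd
  tags:
    - level2
    - scored
    - patch
    - auditd
    - rule_4.1.10

- name: "SCORED | 4.1.11 | PATCH | Ensure use of privileged commands is collected"
  block:
    # Enumerates setuid/setgid files on every mounted /dev-backed filesystem;
    # the result (priv_procs) is consumed by the rule template below.
    - name: "SCORED | 4.1.11 | PATCH | Get list of setuid/setguid binaries"
      shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
      register: priv_procs
      changed_when: false
      check_mode: false
    - name: "SCORED | 4.1.11 | PATCH | Ensure use of privileged commands is collected"
      template:
        src: audit/ubuntu1804cis_rule_4_1_11.rules.j2
        dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_11.rules
        owner: root
        group: root
        mode: "0600"
      notify:
        - load audit rules
        - restart auditd
  when:
    - ubuntu1804cis_rule_4_1_11
  tags:
    - level2
    - scored
    - patch
    - auditd
    - rule_4.1.11

- name: "SCORED | 4.1.12 | PATCH | Ensure successful file system mounts are collected"
  template:
    src: audit/ubuntu1804cis_rule_4_1_12.rules.j2
    dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_12.rules
    owner: root
    group: root
    mode: "0600"
  when:
    - ubuntu1804cis_rule_4_1_12
  notify:
    - load audit rules
    - restart auditd
  tags:
    - level2
    - scored
    - patch
    - auditd
    - rule_4.1.12

- name: "SCORED | 4.1.13 | PATCH | Ensure file deletion events by users are collected"
  template:
    src: audit/ubuntu1804cis_rule_4_1_13.rules.j2
    dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_13.rules
    owner: root
    group: root
    mode: "0600"
  when:
    - ubuntu1804cis_rule_4_1_13
  notify:
    - load audit rules
    - restart auditd
  tags:
    - level2
    - scored
    - patch
    - auditd
    - rule_4.1.13

- name: "SCORED | 4.1.14 | PATCH | Ensure changes to system administration scope (sudoers) is collected"
  template:
    src: audit/ubuntu1804cis_rule_4_1_14.rules.j2
    dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_14.rules
    owner: root
    group: root
    mode: "0600"
  when:
    - ubuntu1804cis_rule_4_1_14
  notify:
    - load audit rules
    - restart auditd
  tags:
    - level2
    - scored
    - patch
    - auditd
    - rule_4.1.14

- name: "SCORED | 4.1.15 | PATCH | Ensure system administrator actions (sudolog) are collected"
  template:
    src: audit/ubuntu1804cis_rule_4_1_15.rules.j2
    dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_15.rules
    owner: root
    group: root
    mode: "0600"
  when:
    - ubuntu1804cis_rule_4_1_15
  notify:
    - load audit rules
    - restart auditd
  tags:
    - level2
    - scored
    - patch
    - auditd
    - rule_4.1.15

- name: "SCORED | 4.1.16 | PATCH | Ensure kernel module loading and unloading is collected"
  template:
    src: audit/ubuntu1804cis_rule_4_1_16.rules.j2
    dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_16.rules
    owner: root
    group: root
    mode: "0600"
  when:
    - ubuntu1804cis_rule_4_1_16
  notify:
    - load audit rules
    - restart auditd
  tags:
    - level2
    - scored
    - patch
    - auditd
    - rule_4.1.16

# Must stay the last rule file loaded: once the immutable flag is set, no
# further audit rule changes are accepted until reboot.
- name: "SCORED | 4.1.17 | PATCH | Ensure the audit configuration is immutable"
  template:
    src: audit/ubuntu1804cis_rule_4_1_17.rules.j2
    dest: /etc/audit/rules.d/ubuntu1804cis_rule_4_1_17.rules
    owner: root
    group: root
    mode: "0600"
  when:
    - ubuntu1804cis_rule_4_1_17
  notify:
    - load audit rules
    - restart auditd
  tags:
    - level2
    - scored
    - patch
    - auditd
    - rule_4.1.17

- name: "SCORED | 4.2.1.1 | PATCH | Ensure rsyslog or is installed"
  apt:
    name: rsyslog
    state: present
    install_recommends: false
  when:
    - ubuntu1804cis_rule_4_2_1_1
    - ubuntu1804cis_syslog == "rsyslog"
  tags:
    - level1
    - scored
    - patch
    - syslog
    - rule_4.2.1.1

# NOTE(review): changed_when: false hides the case where the service really
# was enabled by this run; no handler depends on it, so this is reporting only.
- name: "SCORED | 4.2.1.2 | PATCH | Ensure rsyslog Service is enabled"
  service:
    name: rsyslog
    enabled: true
  changed_when: false
  when:
    - ubuntu1804cis_rule_4_2_1_2
    - ubuntu1804cis_syslog == "rsyslog"
  tags:
    - level1
    - scored
    - patch
    - syslog
    - rule_4.2.1.2

# 4.2.1.3, 4.2.1.5 and 4.2.1.6 are placeholders (tag `notimplemented`): they
# run /bin/true and enforce nothing. 4.2.1.5 (remote log host) is scored, so
# hosts are not yet shipping logs off-box through this role.
- name: "NOTSCORED | 4.2.1.3 | PATCH | Ensure logging is configured"
  command: /bin/true
  changed_when: false
  when:
    - ubuntu1804cis_rule_4_2_1_3
  tags:
    - level1
    - notscored
    - patch
    - syslog
    - rule_4.2.1.3
    - notimplemented

- name: "SCORED | 4.2.1.4 | PATCH | Ensure rsyslog default file permissions configured"
  lineinfile:
    dest: /etc/rsyslog.conf
    regexp: '^\$FileCreateMode'
    line: '$FileCreateMode 0640'
  when:
    - ubuntu1804cis_rule_4_2_1_4
  tags:
    - level1
    - scored
    - patch
    - syslog
    - rule_4.2.1.4

- name: "SCORED | 4.2.1.5 | PATCH | Ensure rsyslog is configured to send logs to a remote log host"
  command: /bin/true
  changed_when: false
  when:
    - ubuntu1804cis_rule_4_2_1_5
  tags:
    - level1
    - scored
    - patch
    - syslog
    - rule_4.2.1.5
    - notimplemented

- name: "NOTSCORED | 4.2.1.6 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts."
  command: /bin/true
  changed_when: false
  when:
    - ubuntu1804cis_rule_4_2_1_6
  tags:
    - level1
    - notscored
    - patch
    - syslog
    - rule_4.2.1.6
    - notimplemented

# Fixed: the task carried changed_when: false, so the edit never counted as a
# change and the `restart journald` handler was never notified; the new
# ForwardToSyslog value did not take effect until an unrelated restart.
- name: "SCORED | 4.2.2.1 | PATCH | Ensure journald is configured to send logs to rsyslog"
  lineinfile:
    dest: /etc/systemd/journald.conf
    regexp: "(#)?ForwardToSyslog=(yes|no)"
    line: ForwardToSyslog=yes
  when:
    - ubuntu1804cis_rule_4_2_2_1
  notify:
    - restart journald
  tags:
    - level1
    - scored
    - patch
    - syslog
    - rule_4.2.2.1

- name: "SCORED | 4.2.2.2 | PATCH | Ensure journald is configured to compress large log files"
  lineinfile:
    dest: /etc/systemd/journald.conf
    regexp: "(#)?Compress=(yes|no)"
    line: Compress=yes
  when:
    - ubuntu1804cis_rule_4_2_2_2
  notify:
    - restart journald
  tags:
    - level1
    - scored
    - patch
    - syslog
    - rule_4.2.2.2

- name: "SCORED | 4.2.2.3 | PATCH | Ensure journald is configured to write logfiles to persistent disk"
  lineinfile:
    dest: /etc/systemd/journald.conf
    regexp: "(#)?Storage=(auto|persistent)"
    line: Storage=persistent
  when:
    - ubuntu1804cis_rule_4_2_2_3
  notify:
    - restart journald
  tags:
    - level1
    - scored
    - patch
    - syslog
    - rule_4.2.2.3

# Strips group write/execute and all "other" bits from existing log files;
# failed_when: false keeps a single unreadable path from failing the play.
- name: "SCORED | 4.2.3 | PATCH | Ensure permissions on all logfiles are configured"
  command: find /var/log -type f -exec chmod g-wx,o-rwx {} +
  changed_when: false
  failed_when: false
  when:
    - ubuntu1804cis_rule_4_2_3
  tags:
    - level1
    - scored
    - patch
    - syslog
    - rule_4.2.3

- name: "NOTSCORED | 4.3 | PATCH | Ensure logrotate is configured"
  block:
    - name: "NOTSCORED | 4.3 | PATCH | Register logrotate.d files"
      find:
        paths: /etc/logrotate.d/
      register: log_rotates
    - name: "NOTSCORED | 4.3 | PATCH | Ensure logrotate.conf exists"
      file:
        path: /etc/logrotate.conf
        state: touch
      changed_when: false
    # Rewrites any daily/weekly/monthly/yearly interval line to the configured
    # value, keeping the line's leading whitespace (\1).
    - name: "NOTSCORED | 4.3 | PATCH | Ensure logrotate is configured"
      replace:
        path: "{{ item.path }}"
        regexp: '^(\s*)(daily|weekly|monthly|yearly)$'
        replace: "\\1{{ ubuntu1804cis_logrotate }}"
      with_items:
        - "{{ log_rotates.files }}"
        - { path: "/etc/logrotate.conf" }
  when:
    - ubuntu1804cis_rule_4_3
  tags:
    - level1
    - notscored
    - patch
    - syslog
    - rule_4.3
================================================ FILE: tasks/section5.yml ================================================
---
# cron_service maps ansible_os_family to the service name; assumed to be
# defined in vars/ (not visible here).
- name: "SCORED | 5.1.1 | PATCH | Ensure cron daemon is enabled"
  service:
    name: "{{ cron_service[ansible_os_family] }}"
    enabled: true
  when:
    - ubuntu1804cis_rule_5_1_1
  tags:
    - level1
    - scored
    - patch
    - cron
    - rule_5.1.1

- name: "SCORED | 5.1.2 | PATCH | Ensure permissions on /etc/crontab are configured"
  file:
    dest: /etc/crontab
    owner: root
    group: root
    mode: "0600"
  when:
    - ubuntu1804cis_rule_5_1_2
  tags:
    - level1
    - scored
    - patch
    - cron
    - rule_5.1.2

- name: "SCORED | 5.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured"
  file:
    dest: /etc/cron.hourly
    state: directory
    owner: root
    group: root
    mode: "0700"
  when:
    - ubuntu1804cis_rule_5_1_3
  tags:
    - level1
    - scored
    - patch
    - cron
    - rule_5.1.3

- name: "SCORED | 5.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured"
  file:
    dest: /etc/cron.daily
    state: directory
    owner: root
    group: root
    mode: "0700"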
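# (tail of task 5.1.4: conditions and tags; the task header is above this chunk)
  when:
    - ubuntu1804cis_rule_5_1_4
  tags:
    - level1
    - scored
    - patch
    - cron
    - rule_5.1.4

- name: "SCORED | 5.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured"
  file:
    dest: /etc/cron.weekly
    state: directory
    owner: root
    group: root
    mode: "0700"
  when:
    - ubuntu1804cis_rule_5_1_5
  tags:
    - level1
    - scored
    - patch
    - cron
    - rule_5.1.5

- name: "SCORED | 5.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured"
  file:
    dest: /etc/cron.monthly
    state: directory
    owner: root
    group: root
    mode: "0700"
  when:
    - ubuntu1804cis_rule_5_1_6
  tags:
    - level1
    - scored
    - patch
    - cron
    - rule_5.1.6

- name: "SCORED | 5.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured"
  file:
    dest: /etc/cron.d
    state: directory
    owner: root
    group: root
    mode: "0700"
  when:
    - ubuntu1804cis_rule_5_1_7
  tags:
    - level1
    - scored
    - patch
    - cron
    - rule_5.1.7

# Switches at/cron from deny-list to allow-list: the *.deny files are removed
# and the *.allow files are rendered from templates (root-only, 0600).
- name: "SCORED | 5.1.8 | PATCH | Ensure at/cron is restricted to authorized users"
  block:
    - name: "SCORED | 5.1.8 | PATCH | Ensure at is restricted to authorized users"
      file:
        dest: /etc/at.deny
        state: absent
    - name: "SCORED | 5.1.8 | PATCH | Ensure at is restricted to authorized users"
      template:
        src: at.allow.j2
        dest: /etc/at.allow
        owner: root
        group: root
        mode: "0600"
    - name: "SCORED | 5.1.8 | PATCH | Ensure cron is restricted to authorized users"
      file:
        dest: /etc/cron.deny
        state: absent
    - name: "SCORED | 5.1.8 | PATCH | Ensure cron is restricted to authorized users"
      template:
        src: cron.allow.j2
        dest: /etc/cron.allow
        owner: root
        group: root
        mode: "0600"
  when:
    - ubuntu1804cis_rule_5_1_8
  tags:
    - level1
    - scored
    - patch
    - cron
    - rule_5.1.8

- name: "SCORED | 5.2.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured"
  file:
    dest: /etc/ssh/sshd_config
    state: file
    owner: root
    group: root
    mode: "0600"
  when:
    - ubuntu1804cis_rule_5_2_1
  tags:
    - level1
    - scored
    - patch
    - sshd
    - rule_5.2.1

- name: "SCORED | 5.2.2 | PATCH | 5.2.2 Ensure permissions on SSH private host key files are configured"
  block:
    - name: "SCORED | 5.2.2 | PATCH | 5.2.2 Ensure permissions on SSH private host key files are configured | find keys"
      find:
        paths: /etc/ssh
        patterns: "ssh_host_*_key"
      register: ssh_private_host_keys
    - name: "SCORED | 5.2.2 | PATCH | 5.2.2 Ensure permissions on SSH private host key files are configured | change permissions"
      file:
        dest: "{{ item.path }}"
        state: file
        owner: root
        group: root
        mode: "0600"
      with_items: "{{ ssh_private_host_keys.files }}"
  when:
    - ubuntu1804cis_rule_5_2_2
  tags:
    - level1
    - scored
    - patch
    - sshd
    - rule_5.2.2

- name: "SCORED | 5.2.3 | PATCH | 5.2.3 Ensure permissions on SSH public host key files are configured"
  block:
    - name: "SCORED | 5.2.3 | PATCH | 5.2.3 Ensure permissions on SSH public host key files are configured | find keys"
      find:
        paths: /etc/ssh
        patterns: "ssh_host_*_key.pub"
      register: ssh_public_host_keys
    - name: "SCORED | 5.2.3 | PATCH | 5.2.3 Ensure permissions on SSH public host key files are configured | change permissions"
      file:
        dest: "{{ item.path }}"
        state: file
        owner: root
        group: root
        mode: "0644"
      with_items: "{{ ssh_public_host_keys.files }}"
  when:
    - ubuntu1804cis_rule_5_2_3
  tags:
    - level1
    - scored
    - patch
    - sshd
    - rule_5.2.3

# sshd_config edits (5.2.4 - 5.2.23). Two fixes applied to every edit:
#  * `validate: /usr/sbin/sshd -t -f %s` syntax-checks the candidate file
#    before it is written, so a bad cipher/MAC/kex list or typo cannot leave
#    the host with an sshd that refuses to start after the next restart.
#  * `notify: restart sshd` was previously only on 5.2.23, so a changed
#    PermitRootLogin, Ciphers, etc. was not applied until something else
#    restarted sshd. The handler name is the one 5.2.23 already used.
- name: "SCORED | 5.2.4 | PATCH | Ensure SSH Protocol is not set to 1"
  lineinfile:
    state: present
    dest: /etc/ssh/sshd_config
    regexp: '^Protocol'
    line: 'Protocol 2'
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - restart sshd
  when:
    - ubuntu1804cis_rule_5_2_4
  tags:
    - level1
    - scored
    - patch
    - sshd
    - rule_5.2.4

- name: "SCORED | 5.2.5 | PATCH | Ensure SSH LogLevel is set to INFO"
  lineinfile:
    state: present
    dest: /etc/ssh/sshd_config
    regexp: '^LogLevel'
    line: 'LogLevel INFO'
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - restart sshd
  when:
    - ubuntu1804cis_rule_5_2_5
  tags:
    - level1
    - scored
    - patch
    - sshd
    - rule_5.2.5

- name: "SCORED | 5.2.6 | PATCH | Ensure SSH X11 forwarding is disabled"
  lineinfile:
    state: present
    dest: /etc/ssh/sshd_config
    regexp: '^X11Forwarding'
    line: 'X11Forwarding no'
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - restart sshd
  when:
    - ubuntu1804cis_rule_5_2_6
  tags:
    - level1
    - scored
    - patch
    - sshd
    - rule_5.2.6

- name: "SCORED | 5.2.7 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less"
  lineinfile:
    state: present
    dest: /etc/ssh/sshd_config
    regexp: '^(#)?MaxAuthTries \d'
    line: 'MaxAuthTries 4'
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - restart sshd
  when:
    - ubuntu1804cis_rule_5_2_7
  tags:
    - level1
    - scored
    - patch
    - sshd
    - rule_5.2.7

- name: "SCORED | 5.2.8 | PATCH | Ensure SSH IgnoreRhosts is enabled"
  lineinfile:
    state: present
    dest: /etc/ssh/sshd_config
    regexp: '^IgnoreRhosts'
    line: 'IgnoreRhosts yes'
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - restart sshd
  when:
    - ubuntu1804cis_rule_5_2_8
  tags:
    - level1
    - scored
    - patch
    - sshd
    - rule_5.2.8

- name: "SCORED | 5.2.9 | PATCH | Ensure SSH HostbasedAuthentication is disabled"
  lineinfile:
    state: present
    dest: /etc/ssh/sshd_config
    regexp: '^HostbasedAuthentication'
    line: 'HostbasedAuthentication no'
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - restart sshd
  when:
    - ubuntu1804cis_rule_5_2_9
  tags:
    - level1
    - scored
    - patch
    - sshd
    - rule_5.2.9

- name: "SCORED | 5.2.10 | PATCH | Ensure SSH root login is disabled"
  lineinfile:
    state: present
    dest: /etc/ssh/sshd_config
    regexp: '^PermitRootLogin'
    line: 'PermitRootLogin no'
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - restart sshd
  when:
    - ubuntu1804cis_rule_5_2_10
  tags:
    - level1
    - scored
    - patch
    - sshd
    - rule_5.2.10

- name: "SCORED | 5.2.11 | PATCH | Ensure SSH PermitEmptyPasswords is disabled"
  lineinfile:
    state: present
    dest: /etc/ssh/sshd_config
    regexp: '^PermitEmptyPasswords'
    line: 'PermitEmptyPasswords no'
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - restart sshd
  when:
    - ubuntu1804cis_rule_5_2_11
  tags:
    - level1
    - scored
    - patch
    - sshd
    - rule_5.2.11

- name: "SCORED | 5.2.12 | PATCH | Ensure SSH PermitUserEnvironment is disabled"
  lineinfile:
    state: present
    dest: /etc/ssh/sshd_config
    regexp: '^PermitUserEnvironment'
    line: 'PermitUserEnvironment no'
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - restart sshd
  when:
    - ubuntu1804cis_rule_5_2_12
  tags:
    - level1
    - scored
    - patch
    - sshd
    - rule_5.2.12

# The algorithm lists come from ubuntu1804cis_sshd in defaults/; validation
# rejects names the installed OpenSSH does not know before the file is written.
- name: "SCORED | 5.2.13 | PATCH | Ensure only strong Ciphers are used"
  lineinfile:
    state: present
    dest: /etc/ssh/sshd_config
    regexp: '^Ciphers'
    line: "Ciphers {{ ubuntu1804cis_sshd['ciphers'] }}"
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - restart sshd
  when:
    - ubuntu1804cis_rule_5_2_13
  tags:
    - level1
    - scored
    - patch
    - sshd
    - rule_5.2.13

- name: "SCORED | 5.2.14 | PATCH | Ensure only approved MAC algorithms are used"
  lineinfile:
    state: present
    dest: /etc/ssh/sshd_config
    regexp: '^MACs'
    line: "MACs {{ ubuntu1804cis_sshd['macs'] }}"
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - restart sshd
  when:
    - ubuntu1804cis_rule_5_2_14
  tags:
    - level1
    - scored
    - patch
    - sshd
    - rule_5.2.14

- name: "SCORED | 5.2.15 | PATCH | Ensure only strong Key Exchange algorithms are used"
  lineinfile:
    state: present
    dest: /etc/ssh/sshd_config
    regexp: '^KexAlgorithms'
    line: "KexAlgorithms {{ ubuntu1804cis_sshd['kexalgorithms'] }}"
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - restart sshd
  when:
    - ubuntu1804cis_rule_5_2_15
  tags:
    - level1
    - scored
    - patch
    - sshd
    - rule_5.2.15

- name: "SCORED | 5.2.16 | PATCH | Ensure SSH Idle Timeout Interval is configured"
  block:
    - name: "SCORED | 5.2.16 | PATCH | Ensure SSH Idle Timeout Interval is configured"
      lineinfile:
        state: present
        dest: /etc/ssh/sshd_config
        regexp: '^ClientAliveInterval'
        line: "ClientAliveInterval {{ ubuntu1804cis_sshd['clientaliveinterval'] }}"
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - restart sshd
    - name: "SCORED | 5.2.16 | PATCH | Ensure SSH ClientAliveCountMax set to <= 3"
      lineinfile:
        state: present
        dest: /etc/ssh/sshd_config
        regexp: '^ClientAliveCountMax'
        line: "ClientAliveCountMax {{ ubuntu1804cis_sshd['clientalivecountmax'] }}"
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - restart sshd
  when:
    - ubuntu1804cis_rule_5_2_16
  tags:
    - level1
    - scored
    - patch
    - sshd
    - rule_5.2.16

- name: "SCORED | 5.2.17 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less"
  lineinfile:
    state: present
    dest: /etc/ssh/sshd_config
    regexp: '^LoginGraceTime'
    line: "LoginGraceTime 60"
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - restart sshd
  when:
    - ubuntu1804cis_rule_5_2_17
  tags:
    - level1
    - scored
    - patch
    - sshd
    - rule_5.2.17

# Each directive is only written when its list in ubuntu1804cis_sshd is
# non-empty, so an unset AllowUsers never locks everyone out.
- name: "SCORED | 5.2.18 | PATCH | Ensure SSH access is limited"
  block:
    - name: "SCORED | 5.2.18 | PATCH | Ensure SSH access is limited | allowusers"
      lineinfile:
        state: present
        dest: /etc/ssh/sshd_config
        regexp: '^AllowUsers'
        line: "AllowUsers {{ ubuntu1804cis_sshd['allowusers'] }}"
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - restart sshd
      when:
        - "ubuntu1804cis_sshd['allowusers']|default('')"
    - name: "SCORED | 5.2.18 | PATCH | Ensure SSH access is limited | allowgroups"
      lineinfile:
        state: present
        dest: /etc/ssh/sshd_config
        regexp: '^AllowGroups'
        line: "AllowGroups {{ ubuntu1804cis_sshd['allowgroups'] }}"
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - restart sshd
      when:
        - "ubuntu1804cis_sshd['allowgroups']|default('')"
    - name: "SCORED | 5.2.18 | PATCH | Ensure SSH access is limited | denyusers"
      lineinfile:
        state: present
        dest: /etc/ssh/sshd_config
        regexp: '^DenyUsers'
        line: "DenyUsers {{ ubuntu1804cis_sshd['denyusers'] }}"
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - restart sshd
      when:
        - "ubuntu1804cis_sshd['denyusers']|default('')"
    - name: "SCORED | 5.2.18 | PATCH | Ensure SSH access is limited | denygroups"
      lineinfile:
        state: present
        dest: /etc/ssh/sshd_config
        regexp: '^DenyGroups'
        line: "DenyGroups {{ ubuntu1804cis_sshd['denygroups'] }}"
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - restart sshd
      when:
        - "ubuntu1804cis_sshd['denygroups']|default('')"
  when:
    - ubuntu1804cis_rule_5_2_18
  tags:
    - level1
    - scored
    - patch
    - sshd
    - rule_5.2.18

- name: "SCORED | 5.2.19 | PATCH | Ensure SSH warning banner is configured"
  lineinfile:
    state: present
    dest: /etc/ssh/sshd_config
    regexp: '^Banner'
    line: 'Banner /etc/issue.net'
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - restart sshd
  when:
    - ubuntu1804cis_rule_5_2_19
  tags:
    - level1
    - scored
    - patch
    - sshd
    - rule_5.2.19

- name: "SCORED | 5.2.20 | PATCH | Ensure SSH PAM is enabled"
  lineinfile:
    state: present
    dest: /etc/ssh/sshd_config
    regexp: '^UsePAM'
    line: 'UsePAM yes'
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - restart sshd
  when:
    - ubuntu1804cis_rule_5_2_20
  tags:
    - level1
    - scored
    - patch
    - sshd
    - rule_5.2.20

- name: "SCORED | 5.2.21 | PATCH | Ensure SSH AllowTcpForwarding is disabled"
  lineinfile:
    state: present
    dest: /etc/ssh/sshd_config
    regexp: '^AllowTcpForwarding'
    line: 'AllowTcpForwarding no'
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - restart sshd
  when:
    - ubuntu1804cis_rule_5_2_21
  tags:
    - level2
    - scored
    - patch
    - sshd
    - rule_5.2.21

- name: "SCORED | 5.2.22 | PATCH | Ensure SSH MaxStartups is configured"
  lineinfile:
    state: present
    dest: /etc/ssh/sshd_config
    regexp: '^MaxStartups'
    line: 'MaxStartups 10:30:60'
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - restart sshd
  when:
    - ubuntu1804cis_rule_5_2_22
  tags:
    - level1
    - scored
    - patch
    - sshd
    - rule_5.2.22

- name: "SCORED | 5.2.23 | PATCH | Ensure SSH MaxSessions is set to 4 or less "
  lineinfile:
    state: present
    dest: /etc/ssh/sshd_config
    regexp: '^MaxSessions'
    line: 'MaxSessions 4'
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - restart sshd
  when:
    - ubuntu1804cis_rule_5_2_23
  tags:
    - level1
    - scored
    - patch
    - sshd
    - rule_5.2.23

- name: "SCORED | 5.3.1 | PATCH | Ensure password creation requirements are configured"
  block:
    - name: "SCORED | 5.3.1 | PATCH | Ensure lipam-pwquality is installed"
      apt:
        name: libpam-pwquality
        state: present
        install_recommends: false
    # One `key = value` line per entry of ubuntu1804cis_pwquality.
    - name: "SCORED | 5.3.1 | PATCH | Ensure password creation requirements are configured"
      lineinfile:
        state: present
        create: true
        dest: /etc/security/pwquality.conf
        regexp: '^{{ item.key }}'
        line: '{{ item.key }} = {{ item.value }}'
      with_items:
        - "{{ ubuntu1804cis_pwquality }}"
  when:
    - ubuntu1804cis_rule_5_3_1
  tags:
    - level1
    - scored
    - patch
    - rule_5.3.1

# NOTE(review): lineinfile without regexp/insertbefore appends at the end of
# the PAM stack; pam_tally2 in the auth stack only counts failures if it runs
# before the module that terminates the stack. Confirm the resulting module
# order on a target, and that pam-auth-update does not rewrite these files.
- name: "SCORED | 5.3.2 | PATCH | Ensure lockout for failed password attempts is configured"
  block:
    - name: "SCORED | 5.3.2 | PATCH | Ensure lockout for failed password attempts is configured - /etc/pam.d/common-account"
      lineinfile:
        dest: /etc/pam.d/common-account
        line: 'account required pam_tally2.so'
    - name: "SCORED | 5.3.2 | PATCH | Ensure lockout for failed password attempts is configured - /etc/pam.d/common-auth"
      lineinfile:
        dest: /etc/pam.d/common-auth
        line: 'auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900'
  when:
    - ubuntu1804cis_rule_5_3_2
  tags:
    - level1
    - scored
    - patch
    - rule_5.3.2

# NOTE(review): same ordering caveat as 5.3.2 — pam_pwhistory is appended
# after pam_unix here; verify it is actually consulted on password change.
- name: "SCORED | 5.3.3 | PATCH | Ensure password reuse is limited"
  lineinfile:
    dest: /etc/pam.d/common-password
    line: "password required pam_pwhistory.so remember={{ ubuntu1804cis_pass['history'] }}"
  when:
    - ubuntu1804cis_rule_5_3_3
  tags:
    - level1
    - scored
    - patch
    - rule_5.3.3

# Fixed: the task ran `authconfig --passalgo=sha512 --update` with
# failed_when: false. authconfig is a Red Hat tool that does not exist on
# Ubuntu, so the scored control was silently a no-op. On Ubuntu the hash
# algorithm is the `sha512` option on the pam_unix line of
# /etc/pam.d/common-password; add it where missing (negative lookahead keeps
# the task idempotent and leaves lines that already have it untouched).
# NOTE(review): pam-auth-update may regenerate common-password; confirm the
# option persists on the target.
- name: "SCORED | 5.3.4 | PATCH | Ensure password hashing algorithm is SHA-512"
  replace:
    path: /etc/pam.d/common-password
    regexp: '^(password\s+\[success=1 default=ignore\]\s+pam_unix\.so(?!.*\bsha512\b).*)$'
    replace: '\1 sha512'
  when:
    - ubuntu1804cis_rule_5_3_4
  tags:
    - level1
    - scored
    - patch
    - rule_5.3.4

- name: "SCORED | 5.4.1.1 | PATCH | Ensure password expiration is 365 days or less"
  lineinfile:
    state: present
    dest: /etc/login.defs
    regexp: '^PASS_MAX_DAYS'
    line: "PASS_MAX_DAYS {{ ubuntu1804cis_pass['max_days'] }}"
  when:
    - ubuntu1804cis_rule_5_4_1_1
  tags:
    - level1
    - scored
    - patch
    - rule_5.4.1.1

- name: "SCORED | 5.4.1.2 | PATCH | Ensure minimum days between password changes is configured"
  lineinfile:
    state: present
    dest: /etc/login.defs
    regexp: '^PASS_MIN_DAYS'
    line: "PASS_MIN_DAYS {{ ubuntu1804cis_pass['min_days'] }}"
  when:
    - ubuntu1804cis_rule_5_4_1_2
  tags:
    - level1
    - scored
    - patch
    - rule_5.4.1.2

- name: "SCORED | 5.4.1.3 | PATCH | Ensure password expiration warning days is 7 or more"
  lineinfile:
    state: present
    dest: /etc/login.defs
    regexp: '^PASS_WARN_AGE'
    line: "PASS_WARN_AGE {{ ubuntu1804cis_pass['warn_age'] }}"
  when:
    - ubuntu1804cis_rule_5_4_1_3
  tags:
    - level1
    - scored
    - patch
    - rule_5.4.1.3

- name: "SCORED | 5.4.1.4 | PATCH | Ensure inactive password lock is 30 days or less"
  lineinfile:
    state: present
    dest: /etc/default/useradd
    regexp: '^INACTIVE'
    line: "INACTIVE={{ ubuntu1804cis_pass['inactive'] }}"
  when:
    - ubuntu1804cis_rule_5_4_1_4
  tags:
    - level1
    - scored
    - patch
    - rule_5.4.1.4

# users_password_change_date_in_future is registered earlier in the role
# (not visible here); the action taken per user is selected by
# ubuntu1804cis_password_change_date_in_future_action ('lock' or 'expire').
- name: "SCORED | 5.4.1.5 | PATCH | Ensure all users last password change date is in the past"
  block:
    # Fixed: `password_lock: yes"` (stray quote) was the string `yes"`, which
    # is not a valid boolean for the user module.
    - name: "SCORED | 5.4.1.5 | PATCH | Ensure all users last password change date is in the past| lock users"
      user:
        name: "{{ item }}"
        password_lock: true
      loop: "{{ users_password_change_date_in_future.stdout_lines }}"
      when:
        - ubuntu1804cis_password_change_date_in_future_action == 'lock'
    # A fixed epoch in the past: the account is expired immediately.
    - name: "SCORED | 5.4.1.5 | PATCH | Ensure all users last password change date is in the past| expire users"
      user:
        name: "{{ item }}"
        expires: 1422403387
      loop: "{{ users_password_change_date_in_future.stdout_lines }}"
      when:
        - ubuntu1804cis_password_change_date_in_future_action == 'expire'
  when:
    - ubuntu1804cis_rule_5_4_1_5
    - users_password_change_date_in_future.stdout_lines | length > 0
  tags:
    - level1
    - scored
    - patch
    - rule_5.4.1.5

# Fixed: this was `command: >` — the command module runs no shell, so the
# `for ... do ... done` loop could never execute, and the folded scalar joined
# `usermod -L $user` and the following `if` onto one line. Use shell with a
# literal block so each statement keeps its own line. Locks every account with
# UID < 1000 except root and gives it a nologin shell (sync/shutdown/halt keep
# theirs), per the CIS remediation.
# NOTE(review): the two system_accounts_non_login_* conditions are registered
# outside this chunk; changed_when: false still hides real modifications.
- name: "SCORED | 5.4.2 | PATCH | Ensure system accounts are secured"
  shell: |
    for user in $(awk -F: '($3 < 1000) {print $1 }' /etc/passwd); do
      if [ "$user" != "root" ]; then
        usermod -L "$user"
        if [ "$user" != "sync" ] && [ "$user" != "shutdown" ] && [ "$user" != "halt" ]; then
          usermod -s /usr/sbin/nologin "$user"
        fi
      fi
    done
  changed_when: false
  when:
    - ubuntu1804cis_rule_5_4_2
    - system_accounts_non_login_1.stdout
    - system_accounts_non_login_2.stdout
  tags:
    - level1
    - patch
    - rule_5.4.2
    - scored

- name: "SCORED | 5.4.3 | PATCH | Ensure default group for the root account is GID 0"
  command: usermod -g 0 root
  changed_when: false
  failed_when: false
  when:
    - ubuntu1804cis_rule_5_4_3
  tags:
    - level1
    - patch
    - rule_5.4.3
    - scored

- name: "SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive"
  block:
    - name: "SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive - /etc/bash.bashrc"
      lineinfile:
        state: present
        dest: /etc/bash.bashrc
        create: true
        regexp: '^umask '
        line: 'umask 027'
    - name: "SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive - /etc/profile"
      lineinfile:
        state: present
        dest: /etc/profile
        create: true
        regexp: '^umask '
        line: 'umask 027'
    - name: "SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive - /etc/profile.d/99-umask.sh"
      lineinfile:
        state: present
        dest: /etc/profile.d/99-umask.sh
        create: true
        regexp: '^umask '
        line: 'umask 027'
  when:
    - ubuntu1804cis_rule_5_4_4
  tags:
    - level1
    - patch
    - rule_5.4.4
    - scored

- name: "SCORED | 5.4.5 | PATCH | Ensure default user shell timeout is 900 seconds or less"
  block:
    - name: "SCORED | 5.4.5 | PATCH | Ensure default user shell timeout is 900 seconds or less - /etc/bash.bashrc"
      lineinfile:
        state: present
        dest: /etc/bash.bashrc
        create: true
        regexp: '^TMOUT='
        line: "TMOUT={{ ubuntu1804cis_shell_timeout }}"
    - name: "SCORED | 5.4.5 | PATCH | Ensure default user shell timeout is 900 seconds or less - /etc/profile"
      lineinfile:
        state: present
        dest: /etc/profile
        create: true
        regexp: '^TMOUT='
        line: "TMOUT={{ ubuntu1804cis_shell_timeout }}"
    - name: "SCORED | 5.4.5 | PATCH | Ensure default user shell timeout is 900 seconds or less - /etc/profile.d/99-tmout.sh"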
lineinfile: state: present dest: /etc/profile.d/99-tmout.sh create: true regexp: '^TMOUT=' line: "TMOUT={{ ubuntu1804cis_shell_timeout }}" when: - ubuntu1804cis_rule_5_4_5 tags: - level1 - patch - rule_5.4.5 - scored - name: "NOTSCORED | 5.5 | PATCH | Ensure root login is restricted to system console" command: /bin/true changed_when: false when: - ubuntu1804cis_rule_5_5 tags: - level1 - patch - rule_5.5 - notscored - notimplemented - name: "SCORED | 5.6 | PATCH | Ensure access to the su command is restricted" lineinfile: state: present dest: /etc/pam.d/su regexp: '^(#)?auth\s+required\s+pam_wheel\.so' line: "auth required pam_wheel.so use_uid" when: - ubuntu1804cis_rule_5_6 tags: - level1 - patch - rule_5.6 - scored - name: "SCORED | 5.6 | PATCH | Ensure access to the su command is restricted - sudo group contains root" user: name: root groups: sudo when: - ubuntu1804cis_rule_5_6 tags: - level1 - patch - rule_5.6 - scored ================================================ FILE: tasks/section6.yml ================================================ --- - name: "NOTSCORED | 6.1.1 | PATCH | Audit system file permissions" command: /bin/true changed_when: false when: - ubuntu1804cis_rule_6_1_1 tags: - level2 - notscored - patch - rule_6.1.1 - notimplemented - name: "SCORED | 6.1.2 | PATCH | Ensure permissions on /etc/passwd are configured" file: dest: /etc/passwd owner: root group: root mode: 0644 when: - ubuntu1804cis_rule_6_1_2 tags: - level1 - scored - patch - rule_6.1.2 - name: "SCORED | 6.1.3 | PATCH | Ensure permissions on /etc/gshadow- are configured" file: dest: /etc/gshadow- owner: root group: shadow mode: 0640 when: - ubuntu1804cis_rule_6_1_3 tags: - level1 - scored - patch - rule_6.1.3 - name: "SCORED | 6.1.4 | PATCH | Ensure permissions on /etc/shadow are configured" file: dest: /etc/shadow owner: root group: shadow mode: 0640 when: - ubuntu1804cis_rule_6_1_4 tags: - level1 - scored - patch - rule_6.1.4 - name: "SCORED | 6.1.5 | PATCH | Ensure permissions on 
/etc/group are configured" file: dest: /etc/group owner: root group: root mode: 0644 when: - ubuntu1804cis_rule_6_1_5 tags: - level1 - scored - patch - rule_6.1.5 - name: "SCORED | 6.1.6 | PATCH | Ensure permissions on /etc/passwd- are configured" file: dest: /etc/passwd- owner: root group: root mode: 0600 when: - ubuntu1804cis_rule_6_1_6 tags: - level1 - scored - patch - rule_6.1.6 - name: "SCORED | 6.1.7 | PATCH | Ensure permissions on /etc/shadow- are configured" file: dest: /etc/shadow- owner: root group: shadow mode: 0600 when: - ubuntu1804cis_rule_6_1_7 tags: - level1 - scored - patch - rule_6.1.7 - name: "SCORED | 6.1.8 | PATCH | Ensure permissions on /etc/group- are configured" file: dest: /etc/group- owner: root group: root mode: 0644 when: - ubuntu1804cis_rule_6_1_8 tags: - level1 - scored - patch - rule_6.1.8 - name: "SCORED | 6.1.9 | PATCH | Ensure permissions on /etc/gshadow are configured" file: dest: /etc/gshadow owner: root group: shadow mode: 0640 when: - ubuntu1804cis_rule_6_1_9 tags: - level1 - scored - patch - rule_6.1.9 - name: "SCORED | 6.1.10 | PATCH | Ensure no world writable files exist" command: /bin/true changed_when: false when: - ubuntu1804cis_rule_6_1_10 tags: - level1 - scored - patch - rule_6.1.10 - notimplemented - name: "SCORED | 6.1.11 | PATCH | Ensure no unowned files or directories exist" command: /bin/true changed_when: false when: - ubuntu1804cis_rule_6_1_11 tags: - level1 - scored - patch - rule_6.1.11 - notimplemented - name: "SCORED | 6.1.12 | PATCH | Ensure no ungrouped files or directories exist" command: /bin/true changed_when: false when: - ubuntu1804cis_rule_6_1_12 tags: - level1 - scored - patch - rule_6.1.12 - notimplemented - name: "NOTSCORED | 6.1.13 | PATCH | Audit SUID executables" command: /bin/true changed_when: false when: - ubuntu1804cis_rule_6_1_13 tags: - level1 - notscored - patch - rule_6.1.13 - notimplemented - name: "NOTSCORED | 6.1.14 | PATCH | Audit SGID executables" command: /bin/true changed_when: 
false when: - ubuntu1804cis_rule_6_1_14 tags: - level1 - notscored - patch - rule_6.1.14 - notimplemented - name: "SCORED | 6.2.1 | PATCH | Ensure password fields are not empty" command: passwd -l {{ item }} changed_when: false failed_when: false with_items: "{{ empty_password_accounts.stdout_lines }}" when: - empty_password_accounts.rc - ubuntu1804cis_rule_6_2_1 tags: - level1 - scored - patch - rule_6.2.1 - name: "SCORED | 6.2.2 | PATCH | Ensure no legacy '+' entries exist in /etc/passwd" lineinfile: regexp: '^\+' state: absent path: /etc/passwd when: - ubuntu1804cis_rule_6_2_2 tags: - level1 - scored - patch - rule_6.2.2 - name: "SCORED | 6.2.3 | PATCH | Ensure no legacy '+' entries exist in /etc/shadow" lineinfile: regexp: '^\+' state: absent path: /etc/shadow when: - ubuntu1804cis_rule_6_2_3 tags: - level1 - scored - patch - rule_6.2.3 - name: "SCORED | 6.2.4 | PATCH | Ensure no legacy '+' entries exist in /etc/group" lineinfile: regexp: '^\+' state: absent path: /etc/group when: - ubuntu1804cis_rule_6_2_4 tags: - level1 - scored - patch - rule_6.2.4 - name: "SCORED | 6.2.5 | PATCH | Ensure root is the only UID 0 account" command: passwd -l {{ item }} changed_when: false failed_when: false with_items: "{{ uid_zero_accounts_except_root.stdout_lines }}" when: - uid_zero_accounts_except_root.rc - ubuntu1804cis_rule_6_2_5 tags: - level1 - scored - patch - rule_6.2.5 - name: "SCORED | 6.2.6 | PATCH | Ensure root PATH Integrity" block: - name: "SCORED | 6.2.6 | PATCH | Ensure root PATH Integrity (unimplemented)" command: /bin/true changed_when: false tags: - level1 - scored - patch - rule_6.2.6 - notimplemented - name: "SCORED | 6.2.6 | PATCH | Ensure root PATH Integrity (collect paths)" shell: | set -o pipefail; sudopath=($(grep secure_path /etc/sudoers | cut -f2 -d= |cut -f2 -d\")) IFS=: for i in ${sudopath[*]} do if [ -d "$i" ] then newsudopath+=($i) fi done echo "${newsudopath[*]}" args: executable: /bin/bash register: fixsudo changed_when: false check_mode: 
false tags: - level1 - scored - patch - rule_6.2.6 - name: "SCORED | 6.2.6 | PATCH | Ensure root PATH Integrity (fix paths)" lineinfile: dest: /etc/sudoers regexp: "(.*secure_path=).*" line: '\1"{{ fixsudo.stdout_lines[0] }}"' backrefs: true when: - fixsudo.stdout_lines[0] tags: - level1 - scored - patch - rule_6.2.6 when: - ubuntu1804cis_rule_6_2_6 - name: "SCORED | 6.2.7 | PATCH | Ensure all users' home directories exist" command: /bin/true changed_when: false when: - ubuntu1804cis_rule_6_2_7 tags: - level1 - scored - patch - rule_6.2.7 - notimplemented - name: "SCORED | 6.2.8 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" shell: | for dir in {{ homes_with_perms.stdout }}; do chmod g-w,o-rwx $dir; done when: - ubuntu1804cis_rule_6_2_8 - homes_with_perms.stdout | length > 0 tags: - level1 - scored - patch - rule_6.2.8 - name: "SCORED | 6.2.9 | PATCH | Ensure users own their home directories" command: /bin/true changed_when: false when: - ubuntu1804cis_rule_6_2_9 tags: - level1 - scored - patch - rule_6.2.9 - notimplemented - name: "SCORED | 6.2.10 | PATCH | Ensure users' dot files are not group or world writable" command: /bin/true changed_when: false when: - ubuntu1804cis_rule_6_2_10 tags: - level1 - scored - patch - rule_6.2.10 - notimplemented - name: "SCORED | 6.2.11 | PATCH | Ensure no users have .forward files" file: state: absent dest: "~{{ item }}/.forward" with_items: "{{ users.stdout_lines }}" when: - ubuntu1804cis_rule_6_2_11 tags: - level1 - scored - patch - rule_6.2.11 - name: "SCORED | 6.2.12 | PATCH | Ensure no users have .netrc files" file: state: absent dest: "~{{ item }}/.netrc" with_items: "{{ users.stdout_lines }}" when: - ubuntu1804cis_rule_6_2_12 tags: - level1 - scored - patch - rule_6.2.12 - name: "SCORED | 6.2.14 | PATCH | Ensure no users have .rhosts files" file: state: absent dest: "~{{ item }}/.rhosts" with_items: "{{ users.stdout_lines }}" when: - ubuntu1804cis_rule_6_2_14 tags: - level1 - scored - 
patch - rule_6.2.14 - name: "SCORED | 6.2.15 | PATCH | Ensure all groups in /etc/passwd exist in /etc/group" command: /bin/true changed_when: false when: - ubuntu1804cis_rule_6_2_15 tags: - level1 - scored - patch - rule_6.2.15 - notimplemented - name: "SCORED | 6.2.16 | PATCH | Ensure no duplicate UIDs exist" command: /bin/true changed_when: false when: - ubuntu1804cis_rule_6_2_16 tags: - level1 - scored - patch - rule_6.2.16 - notimplemented - name: "SCORED | 6.2.17 | PATCH | Ensure no duplicate GIDs exist" command: /bin/true changed_when: false when: - ubuntu1804cis_rule_6_2_17 tags: - level1 - scored - patch - rule_6.2.17 - notimplemented - name: "SCORED | 6.2.18 | PATCH | Ensure no duplicate user names exist" command: /bin/true changed_when: false when: - ubuntu1804cis_rule_6_2_18 tags: - level1 - scored - patch - rule_6.2.18 - notimplemented - name: "SCORED | 6.2.19 | PATCH | Ensure no duplicate group names exist" command: /bin/true changed_when: false when: - ubuntu1804cis_rule_6_2_19 tags: - level1 - scored - patch - rule_6.2.19 - notimplemented - name: "SCORED | 6.2.20 | PATCH | Ensure shadow group is empty" command: /bin/true changed_when: false when: - ubuntu1804cis_rule_6_2_20 tags: - level1 - scored - patch - rule_6.2.20 - notimplemented ================================================ FILE: templates/at.allow.j2 ================================================ {% for user in ubuntu1804cis_at_allow_users %} {{ user }} {% endfor %} ================================================ FILE: templates/audit/ubuntu1804cis_rule_4_1_10.rules.j2 ================================================ -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access {% if ansible_architecture == 'x86_64' -%} -a always,exit -F arch=b64 -S creat -S open -S openat -S 
truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access {% endif %} ================================================ FILE: templates/audit/ubuntu1804cis_rule_4_1_11.rules.j2 ================================================ {% for proc in priv_procs.stdout_lines -%} -a always,exit -F path={{ proc }} -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged {% endfor %} ================================================ FILE: templates/audit/ubuntu1804cis_rule_4_1_12.rules.j2 ================================================ -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts {% if ansible_architecture == 'x86_64' -%} -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts {% endif %} ================================================ FILE: templates/audit/ubuntu1804cis_rule_4_1_13.rules.j2 ================================================ -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete {% if ansible_architecture == 'x86_64' -%} -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete {% endif %} ================================================ FILE: templates/audit/ubuntu1804cis_rule_4_1_14.rules.j2 ================================================ -w /etc/sudoers -p wa -k scope -w /etc/sudoers.d/ -p wa -k scope ================================================ FILE: templates/audit/ubuntu1804cis_rule_4_1_15.rules.j2 ================================================ -w /var/log/sudo.log -p wa -k actions ================================================ FILE: templates/audit/ubuntu1804cis_rule_4_1_16.rules.j2 ================================================ -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x 
-k modules {% if ansible_architecture == 'x86_64' -%} -a always,exit -F arch=b64 -S init_module -S delete_module -k modules {% endif %} -a always,exit -F arch=b32 -S init_module -S delete_module -k modules ================================================ FILE: templates/audit/ubuntu1804cis_rule_4_1_17.rules.j2 ================================================ -e 2 ================================================ FILE: templates/audit/ubuntu1804cis_rule_4_1_3.rules.j2 ================================================ -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change {% if ansible_architecture == 'x86_64' -%} -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change -a always,exit -F arch=b64 -S clock_settime -k time-change {% endif %} -w /etc/localtime -p wa -k time-change ================================================ FILE: templates/audit/ubuntu1804cis_rule_4_1_4.rules.j2 ================================================ -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity ================================================ FILE: templates/audit/ubuntu1804cis_rule_4_1_5.rules.j2 ================================================ {% if ansible_architecture == 'x86_64' -%} -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale {% endif %} -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/network -p wa -k system-locale -w /etc/networks -p wa -k system-locale ================================================ FILE: templates/audit/ubuntu1804cis_rule_4_1_6.rules.j2 ================================================ -w /etc/apparmor/ -p wa -k MAC-policy -w /etc/apparmor.d/ -p wa -k MAC-policy 
================================================ FILE: templates/audit/ubuntu1804cis_rule_4_1_7.rules.j2 ================================================ -w /var/log/faillog -p wa -k logins -w /var/log/lastlog -p wa -k logins -w /var/log/tallylog -p wa -k logins ================================================ FILE: templates/audit/ubuntu1804cis_rule_4_1_8.rules.j2 ================================================ -w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k logins -w /var/log/btmp -p wa -k logins ================================================ FILE: templates/audit/ubuntu1804cis_rule_4_1_9.rules.j2 ================================================ -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod {% if ansible_architecture == 'x86_64' -%} -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod {% endif %} ================================================ FILE: templates/chrony.conf.j2 ================================================ # This the default chrony.conf file for the Debian chrony package. After # editing this file use the command 'invoke-rc.d chrony restart' to make # your changes take effect. John Hasler 1998-2008 # See www.pool.ntp.org for an explanation of these servers. Please # consider joining the project if possible. 
If you can't or don't want to # use these servers I suggest that you try your ISP's nameservers. We mark # the servers 'offline' so that chronyd won't try to connect when the link # is down. Scripts in /etc/ppp/ip-up.d and /etc/ppp/ip-down.d use chronyc # commands to switch it on when a dialup link comes up and off when it goes # down. Code in /etc/init.d/chrony attempts to determine whether or not # the link is up at boot time and set the online status accordingly. If # you have an always-on connection such as cable omit the 'offline' # directive and chronyd will default to online. # # Note that if Chrony tries to go "online" and dns lookup of the servers # fails they will be discarded. Thus under some circumstances it is # better to use IP numbers than host names. {% for server in ubuntu1804cis_time_synchronization_servers -%} server {{ server.uri }} {{ server.config }} {% endfor %} # Look here for the admin password needed for chronyc. The initial # password is generated by a random process at install time. You may # change it if you wish. keyfile /etc/chrony/chrony.keys # Set runtime command key. Note that if you change the key (not the # password) to anything other than 1 you will need to edit # /etc/ppp/ip-up.d/chrony, /etc/ppp/ip-down.d/chrony, /etc/init.d/chrony # and /etc/cron.weekly/chrony as these scripts use it to get the password. commandkey 1 # I moved the driftfile to /var/lib/chrony to comply with the Debian # filesystem standard. driftfile /var/lib/chrony/chrony.drift # Comment this line out to turn off logging. log tracking measurements statistics logdir /var/log/chrony # Stop bad estimates upsetting machine clock. maxupdateskew 100.0 # Dump measurements when daemon exits. dumponexit # Specify directory for dumping measurements. dumpdir /var/lib/chrony # Let computer be a server when it is unsynchronised. local stratum 10 # Allow computers on the unrouted nets to use the server. 
#allow 10/8 #allow 192.168/16 #allow 172.16/12 # This directive forces `chronyd' to send a message to syslog if it # makes a system clock adjustment larger than a threshold value in seconds. logchange 0.5 # This directive defines an email address to which mail should be sent # if chronyd applies a correction exceeding a particular threshold to the # system clock. # mailonchange root@localhost 0.5 # This directive tells chrony to regulate the real-time clock and tells it # Where to store related data. It may not work on some newer motherboards # that use the HPET real-time clock. It requires enhanced real-time # support in the kernel. I've commented it out because with certain # combinations of motherboard and kernel it is reported to cause lockups. # rtcfile /var/lib/chrony/chrony.rtc # If the last line of this file reads 'rtconutc' chrony will assume that # the CMOS clock is on UTC (GMT). If it reads '# rtconutc' or is absent # chrony will assume local time. The line (if any) was written by the # chrony postinst based on what it found in /etc/default/rcS. You may # change it if necessary. 
rtconutc ================================================ FILE: templates/cron.allow.j2 ================================================ {% for user in ubuntu1804cis_cron_allow_users %} {{ user }} {% endfor %} ================================================ FILE: templates/etc/issue.j2 ================================================ {{ ubuntu1804cis_warning_banner }} ================================================ FILE: templates/etc/issue.net.j2 ================================================ {{ ubuntu1804cis_warning_banner }} ================================================ FILE: templates/etc/motd.j2 ================================================ {{ ubuntu1804cis_warning_banner }} ================================================ FILE: templates/hosts.allow.j2 ================================================ # # hosts.allow This file contains access rules which are used to # allow or deny connections to network services that # either use the tcp_wrappers library or that have been # started through a tcp_wrappers-enabled xinetd. # # See 'man 5 hosts_options' and 'man 5 hosts_access' # for information on rule syntax. # See 'man tcpd' for information on tcp_wrappers # ALL: {% for iprange in ubuntu1804cis_host_allow -%}{{ iprange }}{% if not loop.last %}, {% endif %}{% endfor %} ================================================ FILE: templates/ntp.conf.j2 ================================================ # For more information about this file, see the man pages # ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5). driftfile /var/lib/ntp/drift # Permit time synchronization with our time source, but do not # permit the source to query or modify the service on this system. #restrict default nomodify notrap nopeer noquery restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery # Permit all access over the loopback interface. 
This could # be tightened as well, but to do so would effect some of # the administrative functions. restrict 127.0.0.1 restrict ::1 # Hosts on local network are less restricted. #restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap # Use public servers from the pool.ntp.org project. # Please consider joining the pool (http://www.pool.ntp.org/join.html). {% for server in ubuntu1804cis_time_synchronization_servers -%} server {{ server.uri }} {{ server.config }} {% endfor %} #broadcast 192.168.1.255 autokey # broadcast server #broadcastclient # broadcast client #broadcast 224.0.1.1 autokey # multicast server #multicastclient 224.0.1.1 # multicast client #manycastserver 239.255.254.254 # manycast server #manycastclient 239.255.254.254 autokey # manycast client # Enable public key cryptography. #crypto # includefile /etc/ntp/crypto/pw # Key file containing the keys and key identifiers used when operating # with symmetric key cryptography. # keys /etc/ntp/keys # Specify the key identifiers which are trusted. #trustedkey 4 8 42 # Specify the key identifier to use with the ntpdc utility. #requestkey 8 # Specify the key identifier to use with the ntpq utility. #controlkey 8 # Enable writing of statistics records. #statistics clockstats cryptostats loopstats peerstats # Disable the monitoring facility to prevent amplification attacks using ntpdc # monlist command when default restrict does not include the noquery flag. See # CVE-2013-5211 for more details. # Note: Monitoring will not be disabled with the limited restriction flag. disable monitor ================================================ FILE: vars/main.yml ================================================ --- # vars file for Ubuntu1804-CIS