├── CHANGELOG.md ├── LICENSE ├── Makefile ├── README.md ├── ansible.cfg ├── defaults └── main.yml ├── files ├── audit_6.2.10.sh ├── audit_6.2.11.sh ├── audit_6.2.12.sh ├── audit_6.2.13.sh ├── audit_6.2.14.sh ├── audit_6.2.15.sh ├── audit_6.2.16.sh ├── audit_6.2.17.sh ├── audit_6.2.18.sh ├── audit_6.2.19.sh ├── audit_6.2.6.sh ├── audit_6.2.7.sh ├── audit_6.2.8.sh └── audit_6.2.9.sh ├── handlers └── main.yml ├── meta └── main.yml ├── tasks ├── level-1.yml ├── level-1 │ ├── 1.1.1.1.yml │ ├── 1.1.1.2.yml │ ├── 1.1.1.3.yml │ ├── 1.1.1.4.yml │ ├── 1.1.1.5.yml │ ├── 1.1.1.6.yml │ ├── 1.1.1.7.yml │ ├── 1.1.1.8.yml │ ├── 1.1.10.yml │ ├── 1.1.14.yml │ ├── 1.1.15.yml │ ├── 1.1.16.yml │ ├── 1.1.17.yml │ ├── 1.1.18.yml │ ├── 1.1.19.yml │ ├── 1.1.3.yml │ ├── 1.1.4.yml │ ├── 1.1.5.yml │ ├── 1.1.8.yml │ ├── 1.1.9.yml │ ├── 1.2.1.yml │ ├── 1.2.2.yml │ ├── 1.2.3.yml │ ├── 1.3.1.yml │ ├── 1.3.2.yml │ ├── 1.4.1.yml │ ├── 1.4.2.yml │ ├── 1.4.3.yml │ ├── 1.5.1.yml │ ├── 1.5.2.yml │ ├── 1.5.3.yml │ ├── 1.5.4.yml │ ├── 1.7.1.1.yml │ ├── 1.7.1.2.yml │ ├── 1.7.1.3.yml │ ├── 1.7.1.4.yml │ ├── 1.7.1.5.yml │ ├── 1.7.1.6.yml │ ├── 1.8.yml │ ├── 2.1.1.yml │ ├── 2.1.10.yml │ ├── 2.1.11.yml │ ├── 2.1.2.yml │ ├── 2.1.3.yml │ ├── 2.1.4.yml │ ├── 2.1.5.yml │ ├── 2.1.6.yml │ ├── 2.1.7.yml │ ├── 2.1.8.yml │ ├── 2.1.9.yml │ ├── 2.2.1.1.yml │ ├── 2.2.1.2.yml │ ├── 2.2.1.3.yml │ ├── 2.2.10.yml │ ├── 2.2.11.yml │ ├── 2.2.12.yml │ ├── 2.2.13.yml │ ├── 2.2.14.yml │ ├── 2.2.15.yml │ ├── 2.2.16.yml │ ├── 2.2.2.yml │ ├── 2.2.3.yml │ ├── 2.2.4.yml │ ├── 2.2.5.yml │ ├── 2.2.6.yml │ ├── 2.2.7.yml │ ├── 2.2.8.yml │ ├── 2.2.9.yml │ ├── 2.3.1.yml │ ├── 2.3.2.yml │ ├── 2.3.3.yml │ ├── 2.3.4.yml │ ├── 2.3.5.yml │ ├── 3.1.1.yml │ ├── 3.1.2.yml │ ├── 3.2.1.yml │ ├── 3.2.2.yml │ ├── 3.2.3.yml │ ├── 3.2.4.yml │ ├── 3.2.5.yml │ ├── 3.2.6.yml │ ├── 3.2.7.yml │ ├── 3.2.8.yml │ ├── 3.3.1.yml │ ├── 3.3.2.yml │ ├── 3.3.3.yml │ ├── 3.4.1.yml │ ├── 3.4.2.yml │ ├── 3.4.3.yml │ ├── 3.4.4.yml │ ├── 3.4.5.yml │ ├── 3.5.1.yml │ ├── 
3.5.2.yml │ ├── 3.5.3.yml │ ├── 3.5.4.yml │ ├── 3.6.1.yml │ ├── 3.6.2.yml │ ├── 3.6.3.yml │ ├── 3.6.4.yml │ ├── 3.6.5.yml │ ├── 4.2.1.1.yml │ ├── 4.2.1.2.yml │ ├── 4.2.1.3.yml │ ├── 4.2.1.4.yml │ ├── 4.2.1.5.yml │ ├── 4.2.2.1.yml │ ├── 4.2.2.2.yml │ ├── 4.2.2.3.yml │ ├── 4.2.2.4.yml │ ├── 4.2.2.5.yml │ ├── 4.2.3.yml │ ├── 4.2.4.yml │ ├── 4.3.yml │ ├── 5.1.1.yml │ ├── 5.1.2.yml │ ├── 5.1.3.yml │ ├── 5.1.4.yml │ ├── 5.1.5.yml │ ├── 5.1.6.yml │ ├── 5.1.7.yml │ ├── 5.1.8.yml │ ├── 5.2.1.yml │ ├── 5.2.10.yml │ ├── 5.2.11.yml │ ├── 5.2.12.yml │ ├── 5.2.13.yml │ ├── 5.2.14.yml │ ├── 5.2.15.yml │ ├── 5.2.16.yml │ ├── 5.2.2.yml │ ├── 5.2.3.yml │ ├── 5.2.4.yml │ ├── 5.2.5.yml │ ├── 5.2.6.yml │ ├── 5.2.7.yml │ ├── 5.2.8.yml │ ├── 5.2.9.yml │ ├── 5.3.1.yml │ ├── 5.3.2.yml │ ├── 5.3.3.yml │ ├── 5.3.4.yml │ ├── 5.4.1.1.yml │ ├── 5.4.1.2.yml │ ├── 5.4.1.3.yml │ ├── 5.4.1.4.yml │ ├── 5.4.2.yml │ ├── 5.4.3.yml │ ├── 5.4.4.yml │ ├── 5.5.yml │ ├── 6.1.10.yml │ ├── 6.1.11.yml │ ├── 6.1.12.yml │ ├── 6.1.13.yml │ ├── 6.1.14.yml │ ├── 6.1.2.yml │ ├── 6.1.3.yml │ ├── 6.1.4.yml │ ├── 6.1.5.yml │ ├── 6.1.6.yml │ ├── 6.1.7.yml │ ├── 6.1.8.yml │ ├── 6.1.9.yml │ ├── 6.2.1.yml │ ├── 6.2.10.yml │ ├── 6.2.11.yml │ ├── 6.2.12.yml │ ├── 6.2.13.yml │ ├── 6.2.14.yml │ ├── 6.2.15.yml │ ├── 6.2.16.yml │ ├── 6.2.17.yml │ ├── 6.2.18.yml │ ├── 6.2.19.yml │ ├── 6.2.2.yml │ ├── 6.2.3.yml │ ├── 6.2.4.yml │ ├── 6.2.5.yml │ ├── 6.2.6.yml │ ├── 6.2.7.yml │ ├── 6.2.8.yml │ ├── 6.2.9.yml │ └── stat_sshd_config.yml ├── level-2.yml ├── level-2 │ ├── 4.1.2.yml │ ├── 4.1.3.yml │ ├── 4.1.n.yml │ ├── 4.1.yml │ └── 6.1.1.yml ├── main.yml └── preflight.yml ├── templates ├── audit.rules.j2 ├── auditd.conf.j2 ├── chrony.conf.j2 ├── logrotate.conf.j2 ├── ntp.conf.j2 ├── old │ ├── password-auth-local.080818 │ ├── password-auth-local.j2 │ ├── password-auth-local.j2.27Aug18 │ ├── password-auth-local.j2.28Aug18 │ ├── password-auth-local.old │ ├── system-auth-local.080818 │ ├── system-auth-local.j2 │ ├── 
system-auth-local.j2.27Aug18 │ ├── system-auth-local.j2.27Aug18-01 │ └── system-auth-local.j2.28Aug18 ├── password-auth-local.j2 ├── snmpd.conf.j2 └── system-auth-local.j2 ├── tests ├── ansible-review │ ├── config.ini │ ├── standards.py │ └── standards.pyc ├── ansible.cfg ├── container.yml ├── inventory ├── playbook.yml └── templates │ └── Dockerfile.j2 └── vars └── main.yml /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2019 HarryHarcourt 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | ANSIBLE_TEST_PLAYBOOK_FILE = playbook.yml 2 | ANSIBLE_CONTAINER_PLAYBOOK_FILE = container.yml 3 | 4 | symlink-role: 5 | @mkdir -p tests/roles 6 | @rsync -a . 
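tests/roles/anthcourtney.cis-amazon-linux --exclude 'tests/' --exclude '.git'

# Syntax-check first, then run the containerised test playbook once per
# supported Ansible version.
test: symlink-role syntax test-ansible-2.0.2 test-ansible-2.1.3 test-ansible-2.2

# -e is ansible-playbook's --extra-vars switch. The earlier "--e" spelling only
# worked because the option parser accepted it as an unambiguous abbreviation
# of --extra-vars.
test-ansible-2.0.2:
	cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) -e "test_ansible_version=2.0.2"

test-ansible-2.1.3:
	cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) -e "test_ansible_version=2.1.3"

test-ansible-2.2:
	cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) -e "test_ansible_version=2.2"

syntax:
	cd tests && ansible-playbook --syntax-check -i localhost, $(ANSIBLE_TEST_PLAYBOOK_FILE)

review:
	git ls-files | xargs ansible-review -c tests/ansible-review/config.ini
--------------------------------------------------------------------------------
/ansible.cfg:
--------------------------------------------------------------------------------
[defaults]
roles_path = ../

# The role runs yum, rpm and find through command/shell on purpose (tasks
# 1.1.18, 1.2.1, 1.2.2); this turns off the "consider using the X module"
# warnings those tasks would otherwise print.
command_warnings=False

--------------------------------------------------------------------------------
/files/audit_6.2.10.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# CIS 6.2.10 - Ensure users' dot files are not group or world writable.
#
# For every interactive account (root/sync/halt/shutdown and accounts whose
# shell is /sbin/nologin are skipped, as in the CIS audit script) examine the
# regular, non-symlink dot files directly under the home directory and report
# any whose mode has the group-write (character 6) or other-write (character 9)
# bit set. Audit only: nothing is modified.
#
# The mode string comes from stat(1) instead of parsing ls(1) output, and home
# directories are read one per line so paths containing spaces survive.

awk -F: '$1 !~ /^(root|sync|halt|shutdown)$/ && $7 != "/sbin/nologin" { print $6 }' /etc/passwd |
while IFS= read -r dir; do
  for file in "$dir"/.[A-Za-z0-9]*; do
    if [ ! -h "$file" ] && [ -f "$file" ]; then
      fileperm=$(stat -c '%A' "$file")
      if [ "${fileperm:5:1}" != "-" ]; then
        echo "Group Write permission set on file $file"
      fi
      if [ "${fileperm:8:1}" != "-" ]; then
        echo "Other Write permission set on file $file"
      fi
    fi
  done
done
--------------------------------------------------------------------------------
/files/audit_6.2.11.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# CIS 6.2.11 - Ensure no users have .forward files.
#
# Every account in /etc/passwd is checked (system accounts included, as the
# CIS audit script does); a regular, non-symlink ~/.forward is reported.
# Audit only.

awk -F: '{ print $6 }' /etc/passwd |
while IFS= read -r dir; do
  if [ ! -h "$dir/.forward" ] && [ -f "$dir/.forward" ]; then
    echo ".forward file $dir/.forward exists"
  fi
done
--------------------------------------------------------------------------------
/files/audit_6.2.12.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# CIS 6.2.12 - Ensure no users have .netrc files.
#
# Every account in /etc/passwd is checked; a regular, non-symlink ~/.netrc is
# reported (it stores cleartext credentials). Audit only.

awk -F: '{ print $6 }' /etc/passwd |
while IFS= read -r dir; do
  if [ ! -h "$dir/.netrc" ] && [ -f "$dir/.netrc" ]; then
    echo ".netrc file $dir/.netrc exists"
  fi
done
--------------------------------------------------------------------------------
/files/audit_6.2.13.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# CIS 6.2.13 - Ensure users' .netrc files are not group or world accessible.
#
# .netrc holds cleartext credentials, so every group/other permission bit
# (mode characters 5-10) on it is reported. Same account filter as 6.2.10.
# The filter is anchored on the user-name field: the earlier unanchored
# egrep also skipped any account whose home directory, GECOS or shell merely
# contained "root", "sync", "halt" or "shutdown". Audit only.

awk -F: '$1 !~ /^(root|sync|halt|shutdown)$/ && $7 != "/sbin/nologin" { print $6 }' /etc/passwd |
while IFS= read -r dir; do
  file="$dir/.netrc"
  if [ ! -h "$file" ] && [ -f "$file" ]; then
    fileperm=$(stat -c '%A' "$file")
    if [ "${fileperm:4:1}" != "-" ]; then
      echo "Group Read set on $file"
    fi
    if [ "${fileperm:5:1}" != "-" ]; then
      echo "Group Write set on $file"
    fi
    if [ "${fileperm:6:1}" != "-" ]; then
      echo "Group Execute set on $file"
    fi
    if [ "${fileperm:7:1}" != "-" ]; then
      echo "Other Read set on $file"
    fi
    if [ "${fileperm:8:1}" != "-" ]; then
      echo "Other Write set on $file"
    fi
    if [ "${fileperm:9:1}" != "-" ]; then
      echo "Other Execute set on $file"
    fi
  fi
done
--------------------------------------------------------------------------------
/files/audit_6.2.14.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# CIS 6.2.14 - Ensure no users have .rhosts files.
#
# Same interactive-account filter as 6.2.10, anchored on the user-name field
# so only the named accounts are skipped; a regular, non-symlink ~/.rhosts is
# reported. Audit only.

awk -F: '$1 !~ /^(root|halt|sync|shutdown)$/ && $7 != "/sbin/nologin" { print $6 }' /etc/passwd |
while IFS= read -r dir; do
  for file in "$dir"/.rhosts; do
    if [ ! 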
-h "$file" -a -f "$file" ]; then 6 | echo ".rhosts file in $dir" 7 | fi 8 | done 9 | done 10 | -------------------------------------------------------------------------------- /files/audit_6.2.15.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | comm -23 <(cut -s -d: -f4 /etc/passwd | sort -u) <(cut -s -d: -f3 /etc/group | sort -u) | while read GROUP ; do 4 | echo "Group $GROUP is referenced by /etc/passwd but does not exist in /etc/group" 5 | done 6 | -------------------------------------------------------------------------------- /files/audit_6.2.16.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | FILE=/etc/passwd 4 | 5 | grep -v '^#' $FILE | cut -f3 -d":" | sort -n | uniq -d | while read DUPE ; do 6 | users=`awk -F: '($3 == n) { print $1 }' n="$DUPE" $FILE` 7 | echo "Duplicate UID ($DUPE): ${users}" 8 | done 9 | -------------------------------------------------------------------------------- /files/audit_6.2.17.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | FILE=/etc/group 4 | 5 | grep -v '^#' $FILE | cut -f3 -d":" | sort -n | uniq -d | while read DUPE ; do 6 | groups=`awk -F: '($3 == n) { print $1 }' n=$DUPE $FILE` 7 | echo "Duplicate GID ($DUPE): ${groups}" 8 | done 9 | -------------------------------------------------------------------------------- /files/audit_6.2.18.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | cat /etc/passwd | cut -f1 -d":" | sort -n | uniq -c | while read x ; do 4 | [ -z "${x}" ] && break 5 | set - $x 6 | if [ $1 -gt 1 ]; then 7 | uids=`awk -F: '($1 == n) { print $3 }' n=$2 /etc/passwd | xargs` 8 | echo "Duplicate User Name ($2): ${uids}" 9 | fi 10 | done 11 | -------------------------------------------------------------------------------- /files/audit_6.2.19.sh: 
-------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | cat /etc/group | cut -f1 -d":" | sort -n | uniq -c | while read x ; do 4 | [ -z "${x}" ] && break 5 | set - $x 6 | if [ $1 -gt 1 ]; then 7 | gids=`gawk -F: '($1 == n) { print $3 }' n=$2 /etc/group | xargs` 8 | echo "Duplicate Group Name ($2): ${gids}" 9 | fi 10 | done 11 | -------------------------------------------------------------------------------- /files/audit_6.2.6.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [ "`echo $PATH | grep :: `" != "" ]; then 4 | echo "Empty Directory in PATH (::)" 5 | fi 6 | 7 | if [ "`echo $PATH | grep :$`" != "" ]; then 8 | echo "Trailing : in PATH" 9 | fi 10 | 11 | p=`echo $PATH | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g'` 12 | set -- $p 13 | while [ "$1" != "" ]; do 14 | if [ "$1" = "." ]; then 15 | echo "PATH contains ." 16 | shift 17 | continue 18 | fi 19 | if [ -d $1 ]; then 20 | dirperm=`ls -ldH $1 | cut -f1 -d" "` 21 | if [ `echo $dirperm | cut -c6 ` != "-" ]; then 22 | echo "Group Write permission set on directory $1" 23 | fi 24 | if [ `echo $dirperm | cut -c9 ` != "-" ]; then 25 | echo "Other Write permission set on directory $1" 26 | fi 27 | dirown=`ls -ldH $1 | awk '{print $3}'` 28 | if [ "$dirown" != "root" ] ; then 29 | echo $1 is not owned by root 30 | fi 31 | else 32 | echo $1 is not a directory 33 | fi 34 | shift 35 | done 36 | -------------------------------------------------------------------------------- /files/audit_6.2.7.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | cat /etc/passwd | awk -F: '{ print $1 " " $3 " " $6 }' | while read user uid dir; do 4 | if [ $uid -ge 500 -a ! 
-d "$dir" -a $user != "nfsnobody" ]; then 5 | echo "$user:$dir" 6 | fi 7 | done 8 | -------------------------------------------------------------------------------- /files/audit_6.2.8.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | for dir in `cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin") { print $6 }'`; do 4 | dirperm=`ls -ld $dir | cut -f1 -d" "` 5 | if [ `echo $dirperm | cut -c6 ` != "-" ]; then 6 | echo "Group Write permission set on directory $dir" 7 | fi 8 | if [ `echo $dirperm | cut -c8 ` != "-" ]; then 9 | echo "Other Read permission set on directory $dir" 10 | fi 11 | if [ `echo $dirperm | cut -c9 ` != "-" ]; then 12 | echo "Other Write permission set on directory $dir" 13 | fi 14 | if [ `echo $dirperm | cut -c10 ` != "-" ]; then 15 | echo "Other Execute permission set on directory $dir" 16 | fi 17 | done 18 | -------------------------------------------------------------------------------- /files/audit_6.2.9.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | cat /etc/passwd | awk -F: '{ print $1 " " $3 " " $6 }' | while read user uid dir; do 4 | if [ $uid -ge 500 -a -d "$dir" -a $user != "nfsnobody" ]; then 5 | owner=$(stat -L -c "%U" "$dir") 6 | if [ "$owner" != "$user" ]; then 7 | echo "$dir:$user:$owner" 8 | fi 9 | fi 10 | done 11 | -------------------------------------------------------------------------------- /handlers/main.yml: -------------------------------------------------------------------------------- 1 | # Standards: 1.1.37 2 | --- 3 | 4 | - name: Restart sshd 5 | service: 6 | name: sshd 7 | state: restarted 8 | 9 | - name: Restart rsyslog 10 | service: 11 | name: rsyslog 12 | state: restarted 13 | 14 | - name: Flush ipv4 route 15 | command: "sysctl -w net.ipv4.route.flush=1" 16 | 17 | - name: Restart ntpd 18 | service: 19 | name: ntpd 20 | state: restarted 21 | 22 | - name: Restart 
chronyd 23 | service: 24 | name: chronyd 25 | state: restarted 26 | 27 | - name: Restart snmpd 28 | service: 29 | name: snmpd 30 | state: restarted 31 | 32 | - name: Restart auditd 33 | command: /usr/sbin/service auditd reload 34 | 35 | -------------------------------------------------------------------------------- /meta/main.yml: -------------------------------------------------------------------------------- 1 | # Standards: 1.1.25 2 | 3 | galaxy_info: 4 | author: Anth Courtney / Ben Wright 5 | description: Idempotent CIS Benchmarks for RHEL/CentOS Linux V2 6 | company: JemJuliet Pty Ltd / Interested Party 7 | license: MIT 8 | min_ansible_version: 2.0 9 | platforms: 10 | - name: EL 11 | versions: 12 | - "7" 13 | galaxy_tags: ['CIS','Linux','RHEL','EL','CentOS','hardening','benchmark','PCIDSS','compliance', 'idempotent'] 14 | dependencies: [] 15 | -------------------------------------------------------------------------------- /tasks/level-1/1.1.1.1.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Standards: 0.11 3 | 4 | # 1.1.1.1 - Ensure mounting of cramfs filesystems is disabled 5 | 6 | - name: 1.1.1.1 - Check if CIS modprobe configuration file exists 7 | stat: 8 | path: "{{ cis_modprobe_conf_filename }}" 9 | register: modprobe_1_1_1_1 10 | tags: 11 | - level-1 12 | - section-1 13 | - "1.1.1.1" 14 | - scored 15 | 16 | - name: 1.1.1.1 - Display registered value 17 | debug: 18 | msg: Output value for {{ modprobe_1_1_1_1 }} 19 | tags: 20 | - level-1 21 | - section-1 22 | - "1.1.1.1" 23 | - scored 24 | 25 | - name: 1.1.1.1 - Ensure mounting of cramfs filesystems is disabled 26 | copy: 27 | dest: "{{ cis_modprobe_conf_filename }}" 28 | content: "install cramfs /bin/true\n" 29 | when: modprobe_1_1_1_1.stat.exists is not defined or not modprobe_1_1_1_1.stat.exists 30 | tags: 31 | - level-1 32 | - section-1 33 | - "1.1.1.1" 34 | - scored 35 | 36 | - name: 1.1.1.1 - Ensure mounting of cramfs filesystems is disabled 37 
| lineinfile: 38 | dest: "{{ cis_modprobe_conf_filename }}" 39 | regexp: "^install cramfs" 40 | line: "install cramfs /bin/true" 41 | when: modprobe_1_1_1_1.stat.exists is defined and modprobe_1_1_1_1.stat.exists 42 | tags: 43 | - level-1 44 | - section-1 45 | - "1.1.1.1" 46 | - scored 47 | 48 | -------------------------------------------------------------------------------- /tasks/level-1/1.1.1.2.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 1.1.1.2 - Ensure mounting of freevxfs filesystems is disabled 5 | 6 | - name: 1.1.1.2 - Check if CIS modprobe configuration file exists 7 | stat: 8 | path: "{{ cis_modprobe_conf_filename }}" 9 | register: modprobe_1_1_1_2 10 | tags: 11 | - level-1 12 | - section-1 13 | - "1.1.1.2" 14 | - scored 15 | 16 | - name: 1.1.1.2 - Ensure mounting of freevxfs filesystems is disabled 17 | copy: 18 | dest: "{{ cis_modprobe_conf_filename }}" 19 | content: "install freevxfs /bin/true\n" 20 | when: modprobe_1_1_1_2.stat.exists is not defined or not modprobe_1_1_1_2.stat.exists 21 | tags: 22 | - level-1 23 | - section-1 24 | - "1.1.1.2" 25 | - scored 26 | 27 | - name: 1.1.1.2 - Ensure mounting of freevxfs filesystems is disabled 28 | lineinfile: 29 | dest: "{{ cis_modprobe_conf_filename }}" 30 | regexp: "^install freevxfs" 31 | line: "install freevxfs /bin/true" 32 | when: modprobe_1_1_1_2.stat.exists is defined and modprobe_1_1_1_2.stat.exists 33 | tags: 34 | - level-1 35 | - section-1 36 | - "1.1.1.2" 37 | - scored 38 | 39 | -------------------------------------------------------------------------------- /tasks/level-1/1.1.1.3.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 1.1.1.3 - Ensure mounting of jffs2 filesystems is disabled 5 | 6 | - name: 1.1.1.3 - Check if CIS modprobe configuration file exists 7 | stat: 8 | path: "{{ cis_modprobe_conf_filename }}" 9 | register: 
modprobe_1_1_1_3 10 | tags: 11 | - level-1 12 | - section-1 13 | - "1.1.1.3" 14 | - scored 15 | 16 | - name: 1.1.1.3 - Ensure mounting of jffs2 filesystems is disabled 17 | copy: 18 | dest: "{{ cis_modprobe_conf_filename }}" 19 | content: "install jffs2 /bin/true\n" 20 | when: modprobe_1_1_1_3.stat.exists is not defined or not modprobe_1_1_1_3.stat.exists 21 | tags: 22 | - level-1 23 | - section-1 24 | - "1.1.1.3" 25 | - scored 26 | 27 | - name: 1.1.1.3 - Ensure mounting of jffs2 filesystems is disabled 28 | lineinfile: 29 | dest: "{{ cis_modprobe_conf_filename }}" 30 | regexp: "^install jffs2" 31 | line: "install jffs2 /bin/true" 32 | when: modprobe_1_1_1_3.stat.exists is defined and modprobe_1_1_1_3.stat.exists 33 | tags: 34 | - level-1 35 | - section-1 36 | - "1.1.1.3" 37 | - scored 38 | -------------------------------------------------------------------------------- /tasks/level-1/1.1.1.4.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 1.1.1.4 - Ensure mounting of hfs filesystems is disabled 5 | 6 | - name: 1.1.1.4 - Check if CIS modprobe configuration file exists 7 | stat: 8 | path: "{{ cis_modprobe_conf_filename }}" 9 | register: modprobe_1_1_1_4 10 | tags: 11 | - level-1 12 | - section-1 13 | - "1.1.1.4" 14 | - scored 15 | 16 | - name: 1.1.1.4 - Ensure mounting of hfs filesystems is disabled 17 | copy: 18 | dest: "{{ cis_modprobe_conf_filename }}" 19 | content: "install hfs /bin/true\n" 20 | when: modprobe_1_1_1_4.stat.exists is not defined or not modprobe_1_1_1_4.stat.exists 21 | tags: 22 | - level-1 23 | - section-1 24 | - "1.1.1.4" 25 | - scored 26 | 27 | - name: 1.1.1.4 - Ensure mounting of hfs filesystems is disabled 28 | lineinfile: 29 | dest: "{{ cis_modprobe_conf_filename }}" 30 | regexp: "^install hfs\\s+" 31 | line: "install hfs /bin/true" 32 | when: modprobe_1_1_1_4.stat.exists is defined and modprobe_1_1_1_4.stat.exists 33 | tags: 34 | - level-1 35 | - section-1 36 | - 
"1.1.1.4" 37 | - scored 38 | -------------------------------------------------------------------------------- /tasks/level-1/1.1.1.5.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 1.1.1.5 - Ensure mounting of hfsplus filesystems is disabled 5 | 6 | - name: 1.1.1.5 - Check if CIS modprobe configuration file exists 7 | stat: 8 | path: "{{ cis_modprobe_conf_filename }}" 9 | register: modprobe_1_1_1_5 10 | tags: 11 | - level-1 12 | - section-1 13 | - "1.1.1.5" 14 | - scored 15 | 16 | - name: 1.1.1.5 - Ensure mounting of hfsplus filesystems is disabled 17 | copy: 18 | dest: "{{ cis_modprobe_conf_filename }}" 19 | content: "install hfsplus /bin/true\n" 20 | when: modprobe_1_1_1_5.stat.exists is not defined or not modprobe_1_1_1_5.stat.exists 21 | tags: 22 | - level-1 23 | - section-1 24 | - "1.1.1.5" 25 | - scored 26 | 27 | - name: 1.1.1.5 - Ensure mounting of hfsplus filesystems is disabled 28 | lineinfile: 29 | dest: "{{ cis_modprobe_conf_filename }}" 30 | regexp: "^install hfsplus" 31 | line: "install hfsplus /bin/true" 32 | when: modprobe_1_1_1_5.stat.exists is defined and modprobe_1_1_1_5.stat.exists 33 | tags: 34 | - level-1 35 | - section-1 36 | - "1.1.1.5" 37 | - scored 38 | 39 | -------------------------------------------------------------------------------- /tasks/level-1/1.1.1.6.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 1.1.1.6 - Ensure mounting of squashfs filesystems is disabled 5 | 6 | - name: 1.1.1.6 - Check if CIS modprobe configuration file exists 7 | stat: 8 | path: "{{ cis_modprobe_conf_filename }}" 9 | register: modprobe_1_1_1_6 10 | tags: 11 | - level-1 12 | - section-1 13 | - "1.1.1.6" 14 | - scored 15 | 16 | - name: 1.1.1.6 - Ensure mounting of squashfs filesystems is disabled 17 | copy: 18 | dest: "{{ cis_modprobe_conf_filename }}" 19 | content: "install squashfs /bin/true\n" 20 | when: 
modprobe_1_1_1_6.stat.exists is not defined or not modprobe_1_1_1_6.stat.exists 21 | tags: 22 | - level-1 23 | - section-1 24 | - "1.1.1.6" 25 | - scored 26 | 27 | - name: 1.1.1.6 - Ensure mounting of squashfs filesystems is disabled 28 | lineinfile: 29 | dest: "{{ cis_modprobe_conf_filename }}" 30 | regexp: "^install squashfs" 31 | line: "install squashfs /bin/true" 32 | when: modprobe_1_1_1_6.stat.exists is defined and modprobe_1_1_1_6.stat.exists 33 | tags: 34 | - level-1 35 | - section-1 36 | - "1.1.1.6" 37 | - scored 38 | 39 | -------------------------------------------------------------------------------- /tasks/level-1/1.1.1.7.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 1.1.1.7 - Ensure mounting of udf filesystems is disabled 5 | 6 | - name: 1.1.1.7 - Check if CIS modprobe configuration file exists 7 | stat: 8 | path: "{{ cis_modprobe_conf_filename }}" 9 | register: modprobe_1_1_1_7 10 | tags: 11 | - level-1 12 | - section-1 13 | - "1.1.1.7" 14 | - scored 15 | 16 | - name: 1.1.1.7 - Ensure mounting of udf filesystems is disabled 17 | copy: 18 | dest: "{{ cis_modprobe_conf_filename }}" 19 | content: "install udf /bin/true\n" 20 | when: modprobe_1_1_1_7.stat.exists is not defined or not modprobe_1_1_1_7.stat.exists 21 | tags: 22 | - level-1 23 | - section-1 24 | - "1.1.1.7" 25 | - scored 26 | 27 | - name: 1.1.1.7 - Ensure mounting of udf filesystems is disabled 28 | lineinfile: 29 | dest: "{{ cis_modprobe_conf_filename }}" 30 | regexp: "^install udf" 31 | line: "install udf /bin/true" 32 | when: modprobe_1_1_1_7.stat.exists is defined and modprobe_1_1_1_7.stat.exists 33 | tags: 34 | - level-1 35 | - section-1 36 | - "1.1.1.7" 37 | - scored 38 | 39 | -------------------------------------------------------------------------------- /tasks/level-1/1.1.1.8.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 
1.1.1.8 - Ensure mounting of FAT filesystems is disabled 5 | 6 | - name: 1.1.1.8 - Check if CIS modprobe configuration file exists 7 | stat: 8 | path: "{{ cis_modprobe_conf_filename }}" 9 | register: modprobe_1_1_1_8 10 | tags: 11 | - level-1 12 | - section-1 13 | - "1.1.1.8" 14 | - scored 15 | 16 | - name: 1.1.1.8 - Ensure mounting of vfat filesystems is disabled 17 | copy: 18 | dest: "{{ cis_modprobe_conf_filename }}" 19 | content: "install vfat /bin/true\n" 20 | when: modprobe_1_1_1_8.stat.exists is not defined or not modprobe_1_1_1_8.stat.exists 21 | tags: 22 | - level-1 23 | - section-1 24 | - "1.1.1.8" 25 | - scored 26 | 27 | - name: 1.1.1.8 - Ensure mounting of vfat filesystems is disabled 28 | lineinfile: 29 | dest: "{{ cis_modprobe_conf_filename }}" 30 | regexp: "^install vfat" 31 | line: "install vfat /bin/true" 32 | when: modprobe_1_1_1_8.stat.exists is defined and modprobe_1_1_1_8.stat.exists 33 | tags: 34 | - level-1 35 | - section-1 36 | - "1.1.1.8" 37 | - scored 38 | -------------------------------------------------------------------------------- /tasks/level-1/1.1.10.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 1.1.10 Ensure noexec option set on /var/tmp partition 5 | 6 | - name: 1.1.10 - Ensure noexec option set on /var/tmp partition 7 | mount: 8 | name: "{{ item.mount }}" 9 | state: mounted 10 | fstype: "{{ item.fstype }}" 11 | src: "{{ item.device }}" 12 | opts: "{{ item.options.split(',') | union(['noexec']) | join(',') }}" 13 | when: item.mount == '/var/tmp' 14 | with_items: "{{ ansible_mounts }}" 15 | tags: 16 | - level-1 17 | - section-1 18 | - "1.1.10" 19 | - scored 20 | -------------------------------------------------------------------------------- /tasks/level-1/1.1.14.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 1.1.14 Ensure nodev option set on /home partition 5 | 6 | - name: 
1.1.14 - Ensure nodev option set on /home partition 7 | mount: 8 | name: "{{ item.mount }}" 9 | state: mounted 10 | fstype: "{{ item.fstype }}" 11 | src: "{{ item.device }}" 12 | opts: "{{ item.options.split(',') | union(['nodev']) | join(',') }}" 13 | when: item.mount == '/home' 14 | with_items: "{{ ansible_mounts }}" 15 | tags: 16 | - level-1 17 | - section-1 18 | - "1.1.14" 19 | - scored 20 | -------------------------------------------------------------------------------- /tasks/level-1/1.1.15.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 1.1.15 Ensure nodev option set on /dev/shm partition 5 | 6 | - name: 1.1.15 - Ensure nodev option set on /dev/shm partition 7 | mount: 8 | name: "{{ item.mount }}" 9 | state: mounted 10 | fstype: "{{ item.fstype }}" 11 | src: "{{ item.device }}" 12 | opts: "{{ item.options.split(',') | union(['nodev']) | join(',') }}" 13 | when: item.mount == '/dev/shm' 14 | with_items: "{{ ansible_mounts }}" 15 | tags: 16 | - level-1 17 | - section-1 18 | - "1.1.15" 19 | - scored 20 | -------------------------------------------------------------------------------- /tasks/level-1/1.1.16.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 1.1.16 Ensure nosuid option set on /dev/shm partition 5 | 6 | - name: 1.1.16 - Ensure nosuid option set on /dev/shm partition 7 | mount: 8 | name: "{{ item.mount }}" 9 | state: mounted 10 | fstype: "{{ item.fstype }}" 11 | src: "{{ item.device }}" 12 | opts: "{{ item.options.split(',') | union(['nosuid']) | join(',') }}" 13 | when: item.mount == '/dev/shm' 14 | with_items: "{{ ansible_mounts }}" 15 | tags: 16 | - level-1 17 | - section-1 18 | - "1.1.16" 19 | - scored 20 | -------------------------------------------------------------------------------- /tasks/level-1/1.1.17.yml: -------------------------------------------------------------------------------- 1 
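# Standards: 0.11
---

# 1.1.17 Ensure noexec option set on /dev/shm partition

# Adds noexec to the options /dev/shm is currently mounted with (union keeps
# the existing ones) and remounts. The loop is over the gathered
# ansible_mounts facts, so nothing happens when /dev/shm is not mounted.
- name: 1.1.17 - Ensure noexec option set on /dev/shm partition
  mount:
    name: "{{ item.mount }}"
    state: mounted
    fstype: "{{ item.fstype }}"
    src: "{{ item.device }}"
    opts: "{{ item.options.split(',') | union(['noexec']) | join(',') }}"
  when: item.mount == '/dev/shm'
  with_items: "{{ ansible_mounts }}"
  tags:
    - level-1
    - section-1
    - "1.1.17"
    - scored

--------------------------------------------------------------------------------
/tasks/level-1/1.1.18.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.1.18 Ensure sticky bit is set on all world-writable directories

# List world-writable directories on local filesystems that do not already
# carry the sticky bit ("! -perm -1000"), so the fix task below only touches
# directories that actually need it and its output reads as a findings list.
- name: 1.1.18 - Find world-writable directories without the sticky bit
  shell: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 ! -perm -1000"
  register: shell_output
  changed_when: false
  tags:
    - level-1
    - section-1
    - "1.1.18"
    - scored

#- name: 1.1.18 - Stdout from the shell command to check for errors
#  debug:
#    msg: "{{ shell_output.stdout_lines }}"
#  tags:
#    - level-1
#    - section-1
#    - "1.1.18"
#    - scored

# Set the sticky bit on each directory found; skipped when the list is empty.
# The earlier "failed_when: shell_output.stderr is not defined" could never be
# true (shell always registers stderr), so it silently masked any failure of
# this task. The module's normal failure handling applies instead.
- name: 1.1.18 - Set the sticky bit on world-writable directories
  file:
    path: "{{ item }}"
    mode: a+t
  with_items: "{{ shell_output.stdout_lines }}"
  tags:
    - level-1
    - section-1
    - "1.1.18"
    - scored
--------------------------------------------------------------------------------
/tasks/level-1/1.1.19.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.1.19 - Disable Automounting

# Stop and disable autofs. A host without autofs installed is compliant, so
# the "service not found" error is tolerated. The wording of that error
# differs between Ansible releases; both the current message and the one
# from the previously commented-out check are accepted. Any other failure is
# still reported.
- name: 1.1.19 - Disable autofs
  service:
    name: autofs
    enabled: false
    state: stopped
  register: autofs_result
  failed_when: >-
    autofs_result.failed | default(false)
    and 'Could not find the requested service' not in (autofs_result.msg | default(''))
    and 'no service or tool found' not in (autofs_result.msg | default(''))
  tags:
    - level-1
    - "1.1.19"
    - scored
--------------------------------------------------------------------------------
/tasks/level-1/1.1.3.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.1.3 Ensure nodev option set on /tmp partition

# Adds nodev to the current mount options of /tmp and remounts. Only entries
# present in ansible_mounts are considered: if /tmp is not mounted as its own
# filesystem nothing matches and nothing is changed; creating that partition
# is outside what this task does.
- name: 1.1.3 - Ensure nodev option set on /tmp partition
  mount:
    name: "{{ item.mount }}"
    state: mounted
    fstype: "{{ item.fstype }}"
    src: "{{ item.device }}"
    opts: "{{ item.options.split(',') | union(['nodev']) | join(',') }}"
  when: item.mount == '/tmp'
  with_items: "{{ ansible_mounts }}"
  tags:
    - level-1
    - section-1
    - "1.1.3"
    - scored
--------------------------------------------------------------------------------
/tasks/level-1/1.1.4.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.1.4 Ensure nosuid option set on /tmp partition

# Same shape as 1.1.3: nosuid is unioned into the existing /tmp options and
# the filesystem is remounted; a /tmp that is not a separate mount is a no-op.
- name: 1.1.4 - Ensure nosuid option set on /tmp partition
  mount:
    name: "{{ item.mount }}"
    state: mounted
    fstype: "{{ item.fstype }}"
    src: "{{ item.device }}"
    opts: "{{ item.options.split(',') | union(['nosuid']) | join(',') }}"
  when: item.mount == '/tmp'
  with_items: "{{ ansible_mounts }}"
  tags:
    - level-1
    - section-1
    - "1.1.4"
    - scored
--------------------------------------------------------------------------------
/tasks/level-1/1.1.5.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.1.5 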
Ensure noexec option set on /tmp partition 5 | 6 | - name: 1.1.5 - Ensure noexec option set on /tmp partition 7 | mount: 8 | name: "{{ item.mount }}" 9 | state: mounted 10 | fstype: "{{ item.fstype }}" 11 | src: "{{ item.device }}" 12 | opts: "{{ item.options.split(',') | union(['noexec']) | join(',') }}" 13 | when: item.mount == '/tmp' 14 | with_items: "{{ ansible_mounts }}" 15 | tags: 16 | - level-1 17 | - section-1 18 | - "1.1.5" 19 | - scored 20 | -------------------------------------------------------------------------------- /tasks/level-1/1.1.8.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 1.1.8 Ensure nodev option set on /var/tmp partition 5 | 6 | - name: 1.1.8 - Ensure nodev option set on /var/tmp partition 7 | mount: 8 | name: "{{ item.mount }}" 9 | state: mounted 10 | fstype: "{{ item.fstype }}" 11 | src: "{{ item.device }}" 12 | opts: "{{ item.options.split(',') | union(['nodev']) | join(',') }}" 13 | when: item.mount == '/var/tmp' 14 | with_items: "{{ ansible_mounts }}" 15 | tags: 16 | - level-1 17 | - section-1 18 | - "1.1.8" 19 | - scored 20 | -------------------------------------------------------------------------------- /tasks/level-1/1.1.9.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 1.1.9 Ensure nosuid option set on /var/tmp partition 5 | 6 | - name: 1.1.9 - Ensure nosuid option set on /var/tmp partition 7 | mount: 8 | name: "{{ item.mount }}" 9 | state: mounted 10 | fstype: "{{ item.fstype }}" 11 | src: "{{ item.device }}" 12 | opts: "{{ item.options.split(',') | union(['nosuid']) | join(',') }}" 13 | when: item.mount == '/var/tmp' 14 | with_items: "{{ ansible_mounts }}" 15 | tags: 16 | - level-1 17 | - section-1 18 | - "1.1.9" 19 | - scored 20 | -------------------------------------------------------------------------------- /tasks/level-1/1.2.1.yml: 
-------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 1.2.1 - Ensure package manager repositories are configured 5 | 6 | # The remediation actions for this recommendation are site-specific, therefore we test that 7 | # executing 'yum repolist' results in no errors. 8 | - name: 1.2.1 - Verify that repositories are configured correctly 9 | command: yum repolist 10 | args: 11 | warn: false 12 | changed_when: false 13 | tags: 14 | - level-1 15 | - "1.2.1" 16 | - scored 17 | -------------------------------------------------------------------------------- /tasks/level-1/1.2.2.yml: -------------------------------------------------------------------------------- 1 | # Standards: 1.1.7 2 | --- 3 | 4 | # 1.2.2 Ensure GPG keys are configured 5 | 6 | # The remediation actions for this recommendation are site-specific, therefore we test that 7 | # executing the specified rpm command results in no errors. 8 | - name: 1.2.2 - Ensure GPG keys are configured 9 | shell: rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n' 10 | register: gpg_pubkey_check 11 | changed_when: false 12 | args: 13 | warn: false 14 | tags: 15 | - level-1 16 | - "1.2.2" 17 | - scored 18 | - skip_ansible_lint 19 | 20 | - name: 1.2.2 - Check GPG keys are configured 21 | debug: 22 | msg: RPM command output is {{ gpg_pubkey_check.stdout }} 23 | tags: 24 | - level-1 25 | - "1.2.2" 26 | - scored 27 | -------------------------------------------------------------------------------- /tasks/level-1/1.2.3.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 1.2.3 - Ensure gpgcheck is globally activated 5 | 6 | - name: 1.2.3 - Verify that gpgcheck is enabled in /etc/yum.conf 7 | lineinfile: 8 | regexp: "^gpgcheck" 9 | line: "gpgcheck=1" 10 | dest: "/etc/yum.conf" 11 | tags: 12 | - level-1 13 | - "1.2.3" 14 | - scored 15 | 16 | - name: 1.2.3 - Verify that gpgcheck 
is enabled for all repositories in /etc/yum.repos.d 17 | replace: 18 | regexp: "^gpgcheck=0" 19 | replace: "gpgcheck=1" 20 | dest: "{{ item }}" 21 | with_fileglob: 22 | - /etc/yum.repos.d/*.repo 23 | tags: 24 | - level-1 25 | - "1.2.3" 26 | - scored 27 | -------------------------------------------------------------------------------- /tasks/level-1/1.3.1.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 1.3.1 Ensure AIDE is installed 5 | 6 | - name: 1.3.1 - Ensure AIDE is installed 7 | yum: 8 | name: aide 9 | state: present 10 | tags: 11 | - level-1 12 | - section-1 13 | - "1.3.1" 14 | - scored 15 | 16 | - name: 1.3.1 - Check that aide database exists 17 | stat: 18 | path: "{{ cis_aide_database_filename }}" 19 | register: aide_1_3_1 20 | tags: 21 | - level-1 22 | - section-1 23 | - "1.3.1" 24 | - scored 25 | 26 | # We expect that 'aide --init' has been run and the generated database has been moved into place; if the database is missing, the task below runs 'aide --init' and moves the generated database to that path. Note that a database initialised this way takes the host's current state as the integrity baseline. 27 | - name: 1.3.1 - Ensure aide database exists 28 | command: "{{ item }}" 29 | when: aide_1_3_1.stat.exists is not defined or not aide_1_3_1.stat.exists 30 | with_items: 31 | - "aide --init" 32 | - "mv {{ cis_aide_src_database_filename }} {{ cis_aide_database_filename }}" 33 | tags: 34 | - level-1 35 | - section-1 36 | - "1.3.1" 37 | - scored 38 | 39 | -------------------------------------------------------------------------------- /tasks/level-1/1.3.2.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 1.3.2 - Ensure filesystem integrity is regularly checked 5 | 6 | - name: 1.3.2 - Ensure cron is installed 7 | yum: 8 | name: cronie 9 | state: present 10 | tags: 11 | - level-1 12 | - section-1 13 | - "1.3.2" 14 | - scored 15 | 16 | - name: 1.3.2 - Create cron entry to run aide filesystem integrity check regularly 17 | cron: 18 | name: "CIS 1.3.2 - Run aide filesystem integrity check" 19 | user: "{{ cis_aide_cron_user }}" 
20 | job: "{{ cis_aide_cron_job }}" 21 | minute: "{{ cis_aide_cron_minute }}" 22 | hour: "{{ cis_aide_cron_hour }}" 23 | weekday: "{{ cis_aide_cron_dow }}" 24 | day: "{{ cis_aide_cron_dom }}" 25 | month: "{{ cis_aide_cron_month }}" 26 | state: present 27 | tags: 28 | - level-1 29 | - section-1 30 | - "1.3.2" 31 | - scored 32 | -------------------------------------------------------------------------------- /tasks/level-1/1.4.1.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 1.4.1 Ensure permissions on bootloader config are configured 5 | 6 | - name: 1.4.1 - Check if grub bootloader file exists 7 | stat: 8 | path: "{{ cis_grub_bootloader_filename }}" 9 | register: grub_1_4_1 10 | tags: 11 | - level-1 12 | - "1.4.1" 13 | - scored 14 | 15 | - name: 1.4.1 - Set permissions on grub configuration 16 | file: 17 | path: "{{ cis_grub_bootloader_filename }}" 18 | owner: root 19 | group: root 20 | mode: "og-rwx" 21 | state: file 22 | when: grub_1_4_1.stat.exists 23 | tags: 24 | - level-1 25 | - "1.4.1" 26 | - scored 27 | -------------------------------------------------------------------------------- /tasks/level-1/1.4.2.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 1.4.2 - Ensure authentication is required for single user mode 5 | 6 | - name: 1.4.2 - Check if sysconfig init file exists 7 | stat: 8 | path: "{{ cis_sysconfig_init_filename }}" 9 | register: sysconfig_init_1_4_2 10 | tags: 11 | - level-1 12 | - "1.4.2" 13 | - scored 14 | 15 | - name: 1.4.2 - Ensure authentication is required for single-user mode 16 | copy: 17 | dest: "{{ cis_sysconfig_init_filename }}" 18 | content: "SINGLE=/sbin/sulogin\n" 19 | when: sysconfig_init_1_4_2.stat.exists is not defined or not sysconfig_init_1_4_2.stat.exists 20 | tags: 21 | - level-1 22 | - "1.4.2" 23 | - scored 24 | 25 | - name: 1.4.2 - Ensure authentication is required for 
single-user mode 26 | lineinfile: 27 | dest: "{{ cis_sysconfig_init_filename }}" 28 | regexp: "^SINGLE=" 29 | line: "SINGLE=/sbin/sulogin" 30 | when: sysconfig_init_1_4_2.stat.exists is defined and sysconfig_init_1_4_2.stat.exists 31 | tags: 32 | - level-1 33 | - "1.4.2" 34 | - scored 35 | 36 | -------------------------------------------------------------------------------- /tasks/level-1/1.4.3.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 1.4.3 - Ensure interactive boot is not enabled 5 | 6 | - name: 1.4.3 - Check if sysconfig init file exists 7 | stat: 8 | path: "{{ cis_sysconfig_init_filename }}" 9 | register: sysconfig_init_1_4_3 10 | tags: 11 | - level-1 12 | - "1.4.3" 13 | - scored 14 | 15 | - name: 1.4.3 - Ensure interactive boot is not enabled 16 | copy: 17 | dest: "{{ cis_sysconfig_init_filename }}" 18 | content: "PROMPT=no\n" 19 | when: sysconfig_init_1_4_3.stat.exists is not defined or not sysconfig_init_1_4_3.stat.exists 20 | tags: 21 | - level-1 22 | - "1.4.3" 23 | - scored 24 | 25 | - name: 1.4.3 - Ensure interactive boot is not enabled 26 | lineinfile: 27 | dest: "{{ cis_sysconfig_init_filename }}" 28 | regexp: "^PROMPT=" 29 | line: "PROMPT=no" 30 | when: sysconfig_init_1_4_3.stat.exists is defined and sysconfig_init_1_4_3.stat.exists 31 | tags: 32 | - level-1 33 | - "1.4.3" 34 | - scored 35 | 36 | -------------------------------------------------------------------------------- /tasks/level-1/1.5.1.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 1.5.1 Ensure core dumps are restricted 5 | 6 | - name: 1.5.1 - Check if security limits file exists 7 | stat: 8 | path: "{{ cis_security_limits_filename }}" 9 | register: security_limits_1_5_1 10 | tags: 11 | - level-1 12 | - "1.5.1" 13 | - scored 14 | 15 | - name: 1.5.1 - Ensure core dumps are restricted 16 | copy: 17 | dest: "{{ 
cis_security_limits_filename }}" 18 | content: "* hard core 0\n" 19 | when: security_limits_1_5_1.stat.exists is not defined or not security_limits_1_5_1.stat.exists 20 | tags: 21 | - level-1 22 | - "1.5.1" 23 | - scored 24 | 25 | - name: 1.5.1 - Ensure core dumps are restricted 26 | pam_limits: 27 | dest: "{{ cis_security_limits_filename }}" 28 | limit_item: "core" 29 | limit_type: "hard" 30 | domain: "*" 31 | value: "0" 32 | when: security_limits_1_5_1.stat.exists is defined and security_limits_1_5_1.stat.exists 33 | tags: 34 | - level-1 35 | - "1.5.1" 36 | - scored 37 | 38 | - name: 1.5.1 - Prevent suid programs from dumping core 39 | sysctl: 40 | ignoreerrors: yes 41 | name: fs.suid_dumpable 42 | value: 0 43 | state: present 44 | tags: 45 | - level-1 46 | - "1.5.1" 47 | - scored 48 | 49 | -------------------------------------------------------------------------------- /tasks/level-1/1.5.2.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 1.5.2 Ensure XD/NX support is enabled 5 | 6 | - name: 1.5.2 - Check if XD/NX support is enabled 7 | shell: "dmesg | grep NX" 8 | register: dmesg_1_5_2 9 | check_mode: no 10 | changed_when: False 11 | ignore_errors: true 12 | tags: 13 | - level-1 14 | - "1.5.2" 15 | - not-scored 16 | 17 | - name: 1.5.2 - Ensure XD/NX support is enabled 18 | fail: 19 | msg: "Ensure XD/NX support is enabled." 20 | when: 21 | - "'NX (Execute Disable) protection: active' not in dmesg_1_5_2.stdout" 22 | - fail_on_manual_remediation_actions 23 | tags: 24 | - level-1 25 | - "1.5.2" 26 | - not-scored 27 | 28 | - name: 1.5.2 - Ensure XD/NX support is enabled 29 | debug: 30 | msg: "*** ACTION REQUIRED *** Ensure XD/NX support is enabled." 
31 | when: 32 | - "'NX (Execute Disable) protection: active' not in dmesg_1_5_2.stdout" 33 | - not fail_on_manual_remediation_actions 34 | tags: 35 | - level-1 36 | - "1.5.2" 37 | - not-scored 38 | 39 | -------------------------------------------------------------------------------- /tasks/level-1/1.5.3.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 1.5.3 Ensure address space layout randomization (ASLR) is enabled 5 | 6 | - name: 1.5.3 - Ensure address space layout randomization is enabled 7 | sysctl: 8 | ignoreerrors: yes 9 | name: kernel.randomize_va_space 10 | value: 2 11 | state: present 12 | tags: 13 | - level-1 14 | - "1.5.3" 15 | - scored 16 | -------------------------------------------------------------------------------- /tasks/level-1/1.5.4.yml: -------------------------------------------------------------------------------- 1 | # Standards: 1.1.9 2 | --- 3 | 4 | # 1.5.4 Ensure prelink is disabled 5 | 6 | - name: 1.5.4 - Check if prelink binary exists 7 | yum: 8 | list: prelink 9 | # name: prelink 10 | # state: present 11 | # command: which prelink 12 | # command: rpm -q prelink 13 | # ignore_errors: true 14 | register: which_1_5_4 15 | tags: 16 | - level-1 17 | - "1.5.4" 18 | - scored 19 | - skip_ansible_lint 20 | 21 | - name: 1.5.4 - Display registered output 22 | debug: 23 | msg: Ouput message is {{ which_1_5_4 }} 24 | tags: 25 | - level-1 26 | - "1.5.4" 27 | - scored 28 | - skip_ansible_lint 29 | 30 | - name: 1.5.4 - Restore prelinked binaries 31 | command: prelink -ua 32 | # when: which_1_5_4.rc is defined and which_1_5_4.rc == 0 33 | # when: which_1_5_4.results.yumstate == 'installed' 34 | # when: which_1_5_4.results | search("installed") 35 | when: "'installed' in which_1_5_4.results" 36 | tags: 37 | - level-1 38 | - "1.5.4" 39 | - scored 40 | - skip_ansible_lint 41 | 42 | - name: 1.5.4 - Ensure prelink is disabled 43 | yum: 44 | name: prelink 45 | state: absent 46 | 
tags: 47 | - level-1 48 | - "1.5.4" 49 | - scored 50 | -------------------------------------------------------------------------------- /tasks/level-1/1.7.1.1.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 1.7.1.1 Ensure message of the day is configured properly 5 | 6 | # /etc/motd is dynamically generated by PAM on login. The intention of this check is to ensure that OS 7 | # information is not disclosed, so the more appropriate remediation is to ensure that the scripts which 8 | # generate motd and emit the system information that mingetty options would otherwise 9 | # display are not present. 10 | # On Amazon Linux, this is the 30-banner script within /etc/update-motd.d/ 11 | - name: 1.7.1.1 - Ensure mingetty options are not used within motd 12 | file: 13 | path: "/etc/update-motd.d/30-banner" 14 | state: absent 15 | tags: 16 | - level-1 17 | - 1.7.1.1 18 | - scored 19 | -------------------------------------------------------------------------------- /tasks/level-1/1.7.1.2.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 1.7.1.2 Ensure local login warning banner is configured properly 5 | 6 | - name: 1.7.1.2 - Ensure local login warning banner is configured properly 7 | copy: 8 | content: "{{ cis_local_login_warning_banner }}" 9 | dest: "/etc/issue" 10 | tags: 11 | - level-1 12 | - 1.7.1.2 13 | - not-scored 14 | -------------------------------------------------------------------------------- /tasks/level-1/1.7.1.3.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 1.7.1.3 Ensure remote login warning banner is configured properly 5 | 6 | - name: 1.7.1.3 - Ensure remote login warning banner is configured properly 7 | copy: 8 | content: "{{ cis_remote_login_warning_banner }}" 9 | dest: "/etc/issue.net" 10 | tags: 
11 | - level-1 12 | - 1.7.1.3 13 | - not-scored 14 | -------------------------------------------------------------------------------- /tasks/level-1/1.7.1.4.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 1.7.1.4 Ensure permissions on /etc/motd are configured 5 | 6 | - name: 1.7.1.4 - Ensure permissions on /etc/motd are configured 7 | file: 8 | path: "/etc/motd" 9 | owner: root 10 | group: root 11 | mode: 0644 12 | follow: yes 13 | tags: 14 | - level-1 15 | - 1.7.1.4 16 | - not-scored 17 | -------------------------------------------------------------------------------- /tasks/level-1/1.7.1.5.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 1.7.1.5 Ensure permissions on /etc/issue are configured 5 | 6 | - name: 1.7.1.5 - Ensure permissions on /etc/issue are configured 7 | file: 8 | path: "/etc/issue" 9 | owner: root 10 | group: root 11 | mode: 0644 12 | tags: 13 | - level-1 14 | - 1.7.1.5 15 | - scored 16 | -------------------------------------------------------------------------------- /tasks/level-1/1.7.1.6.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 1.7.1.6 Ensure permissions on /etc/issue.net are configured 5 | 6 | - name: 1.7.1.6 - Ensure permissions on /etc/issue.net are configured 7 | file: 8 | path: "/etc/issue.net" 9 | owner: root 10 | group: root 11 | mode: 0644 12 | tags: 13 | - level-1 14 | - 1.7.1.6 15 | - not-scored 16 | -------------------------------------------------------------------------------- /tasks/level-1/1.8.yml: -------------------------------------------------------------------------------- 1 | # Standards: 1.1.5 2 | --- 3 | 4 | # 1.8 Ensure updates, patches, and additional security software are installed 5 | 6 | - name: 1.8 - Ensure updates, patches, and additional security software are installed 7 | yum: 
8 | name: "*" 9 | state: latest 10 | tags: 11 | - level-1 12 | - "1.8" 13 | - not-scored 14 | - skip_ansible_lint 15 | -------------------------------------------------------------------------------- /tasks/level-1/2.1.1.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.1.1 Ensure chargen services are not enabled if xinetd is installed 5 | 6 | - name: 2.1.1 - Ensure chargen services are not enabled 7 | service: 8 | name: "{{ item }}" 9 | enabled: false 10 | state: "{{ cis_chargen_state }}" 11 | with_items: 12 | - chargen-dgram 13 | - chargen-stream 14 | when: cis_xinetd_state != 'absent' 15 | tags: 16 | - level-1 17 | - section-2 18 | - "2.1.1" 19 | - scored 20 | -------------------------------------------------------------------------------- /tasks/level-1/2.1.10.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.1.10 Ensure rsync server is not enabled 5 | 6 | - name: 2.1.10 - Ensure rsync server is {{ cis_rsync_install.state }} 7 | yum: 8 | name: "{{ item.package }}" 9 | state: "{{ item.state }}" 10 | with_items: 11 | - "{{ cis_rsync_install }}" 12 | tags: 13 | - level-1 14 | - section-2 15 | - "2.1.10" 16 | - scored 17 | 18 | - name: 2.1.10 - If rsync server is installed set appropriate service - {{ cis_rsync_install.exception }} 19 | service: 20 | name: "{{ item.service }}" 21 | enabled: "{{ item.enabled }}" 22 | state: "{{ item.rstate }}" 23 | when: cis_rsync_install.state == 'present' 24 | with_items: 25 | - "{{ cis_rsync_install }}" 26 | tags: 27 | - level-1 28 | - section-2 29 | - "2.1.10" 30 | - scored 31 | 32 | -------------------------------------------------------------------------------- /tasks/level-1/2.1.11.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.1.11 Ensure xinetd server is not enabled 5 | 6 | - name: 2.1.11 - 
Ensure xinetd server is {{ cis_xinetd_install.state }} 7 | yum: 8 | name: "{{ item.package }}" 9 | state: "{{ item.state }}" 10 | with_items: 11 | - "{{ cis_xinetd_install }}" 12 | tags: 13 | - level-1 14 | - section-2 15 | - "2.1.11" 16 | - scored 17 | 18 | - name: 2.1.11 - If xinetd server is installed set appropriate service - {{ cis_xinetd_install.exception }} 19 | service: 20 | name: "{{ item.service }}" 21 | enabled: "{{ item.enabled }}" 22 | state: "{{ item.rstate }}" 23 | when: cis_xinetd_install.state == 'present' 24 | with_items: 25 | - "{{ cis_xinetd_install }}" 26 | tags: 27 | - level-1 28 | - section-2 29 | - "2.1.11" 30 | - scored 31 | 32 | -------------------------------------------------------------------------------- /tasks/level-1/2.1.2.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.1.2 Ensure daytime services are not enabled 5 | 6 | - name: 2.1.2 - Ensure daytime services are not enabled 7 | service: 8 | name: "{{ item }}" 9 | enabled: false 10 | state: "{{ cis_daytime_state }}" 11 | with_items: 12 | - daytime-dgram 13 | - daytime-stream 14 | when: cis_xinetd_state != 'absent' 15 | tags: 16 | - level-1 17 | - section-2 18 | - "2.1.2" 19 | - scored 20 | -------------------------------------------------------------------------------- /tasks/level-1/2.1.3.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.1.3 Ensure discard services are not enabled 5 | 6 | - name: 2.1.3 - Ensure discard services are not enabled 7 | service: 8 | name: "{{ item }}" 9 | enabled: false 10 | state: "{{ cis_discard_state }}" 11 | with_items: 12 | - discard-dgram 13 | - discard-stream 14 | when: cis_xinetd_state != 'absent' 15 | tags: 16 | - level-1 17 | - section-2 18 | - "2.1.3" 19 | - scored 20 | -------------------------------------------------------------------------------- /tasks/level-1/2.1.4.yml: 
-------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.1.4 Ensure echo services are not enabled 5 | 6 | - name: 2.1.4 - Ensure echo services are not enabled 7 | service: 8 | name: "{{ item }}" 9 | enabled: false 10 | state: "{{ cis_echo_state }}" 11 | with_items: 12 | - echo-dgram 13 | - echo-stream 14 | when: cis_xinetd_state != 'absent' 15 | tags: 16 | - level-1 17 | - section-2 18 | - "2.1.4" 19 | - scored 20 | -------------------------------------------------------------------------------- /tasks/level-1/2.1.5.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.1.5 Ensure time services are not enabled 5 | 6 | - name: 2.1.5 - Ensure time services are not enabled 7 | service: 8 | name: "{{ item }}" 9 | enabled: false 10 | state: "{{ cis_time_state }}" 11 | with_items: 12 | - time-dgram 13 | - time-stream 14 | when: cis_xinetd_state != 'absent' 15 | tags: 16 | - level-1 17 | - section-2 18 | - "2.1.5" 19 | - scored 20 | -------------------------------------------------------------------------------- /tasks/level-1/2.1.6.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.1.6 Ensure rsh server is not enabled: the rsh-server package should be absent; otherwise the exception {{ cis_rservices_install.rshserver_exception }} applies 5 | 6 | - name: 2.1.6 - Ensure rsh server is {{ cis_rservices_install.state }} 7 | yum: 8 | name: "{{ item.package }}" 9 | state: "{{ item.state }}" 10 | with_items: 11 | - "{{ cis_rservices_install }}" 12 | tags: 13 | - level-1 14 | - section-2 15 | - "2.1.6" 16 | - scored 17 | 18 | - name: 2.1.6 - If rsh server is installed start appropriate services 19 | service: 20 | name: "{{ item.service }}" 21 | enabled: "{{ item.enabled }}" 22 | state: "{{ item.state }}" 23 | when: cis_rservices_install.state == 'present' 24 | with_items: 25 | - "{{ cis_rservice_rexec }}" 
26 | - "{{ cis_rservice_rlogin }}" 27 | - "{{ cis_rservice_rsh }}" 28 | tags: 29 | - level-1 30 | - section-2 31 | - "2.1.6" 32 | - scored 33 | 34 | 35 | #- name: 2.1.6 - Ensure rsh server is not enabled 36 | # service: 37 | # name: "{{ item }}" 38 | # enabled: false 39 | # state: stopped 40 | # with_items: 41 | # - rexec 42 | # - rlogin 43 | # - rsh 44 | # ignore_errors: true 45 | # tags: 46 | # - level-1 47 | # - section-2 48 | # - "2.1.6" 49 | # - scored 50 | -------------------------------------------------------------------------------- /tasks/level-1/2.1.7.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.1.7 Ensure talk server is not enabled 5 | 6 | - name: 2.1.7 - Ensure talkd server is {{ cis_talkd_install.state }} 7 | yum: 8 | name: "{{ item.package }}" 9 | state: "{{ item.state }}" 10 | with_items: 11 | - "{{ cis_talkd_install }}" 12 | tags: 13 | - level-1 14 | - section-2 15 | - "2.1.7" 16 | - scored 17 | 18 | - name: 2.1.7 - If talkd server is installed set appropriate service - {{ cis_talkd_install.exception }} 19 | service: 20 | name: "{{ item.service }}" 21 | enabled: "{{ item.enabled }}" 22 | state: "{{ item.rstate }}" 23 | when: cis_talkd_install.state == 'present' 24 | with_items: 25 | - "{{ cis_talkd_install }}" 26 | tags: 27 | - level-1 28 | - section-2 29 | - "2.1.7" 30 | - scored 31 | 32 | - name: 2.1.7 - Install talk client if required - {{ cis_talkd_install.client_state }} 33 | yum: 34 | name: "{{ item.client }}" 35 | state: "{{ item.client_state }}" 36 | with_items: 37 | - "{{ cis_talkd_install }}" 38 | tags: 39 | - level-1 40 | - section-2 41 | - "2.1.7" 42 | - scored 43 | -------------------------------------------------------------------------------- /tasks/level-1/2.1.8.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.1.8 Ensure telnet server is not enabled 5 | 6 | - name: 2.1.8 - 
Ensure telnet server is {{ cis_telnet_install.state }} 7 | yum: 8 | name: "{{ item.package }}" 9 | state: "{{ item.state }}" 10 | with_items: 11 | - "{{ cis_telnet_install }}" 12 | tags: 13 | - level-1 14 | - section-2 15 | - "2.1.8" 16 | - scored 17 | 18 | - name: 2.1.8 - If telnet server is installed set appropriate service - {{ cis_telnet_install.exception }} 19 | service: 20 | name: "{{ item.service }}" 21 | enabled: "{{ item.enabled }}" 22 | state: "{{ item.rstate }}" 23 | when: cis_telnet_install.state == 'present' 24 | with_items: 25 | - "{{ cis_telnet_install }}" 26 | tags: 27 | - level-1 28 | - section-2 29 | - "2.1.8" 30 | - scored 31 | -------------------------------------------------------------------------------- /tasks/level-1/2.1.9.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.1.9 Ensure tftp server is not enabled 5 | 6 | - name: 2.1.9 - Ensure tftp server is {{ cis_tftp_install.state }} 7 | yum: 8 | name: "{{ item.package }}" 9 | state: "{{ item.state }}" 10 | with_items: 11 | - "{{ cis_tftp_install }}" 12 | tags: 13 | - level-1 14 | - section-2 15 | - "2.1.9" 16 | - scored 17 | 18 | - name: 2.1.9 - If tftp server is installed set appropriate service - {{ cis_tftp_install.exception }} 19 | service: 20 | name: "{{ item.service }}" 21 | enabled: "{{ item.enabled }}" 22 | state: "{{ item.rstate }}" 23 | when: cis_tftp_install.state == 'present' 24 | with_items: 25 | - "{{ cis_tftp_install }}" 26 | tags: 27 | - level-1 28 | - section-2 29 | - "2.1.9" 30 | - scored 31 | 32 | - name: 2.1.9 - Install tftp client if required - {{ cis_tftp_install.client_state }} 33 | yum: 34 | name: "{{ item.client }}" 35 | state: "{{ item.client_state }}" 36 | with_items: 37 | - "{{ cis_tftp_install }}" 38 | tags: 39 | - level-1 40 | - section-2 41 | - "2.1.9" 42 | - scored 43 | -------------------------------------------------------------------------------- /tasks/level-1/2.2.1.1.yml: 
-------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.2.1.1 Ensure time synchronisation is in use 5 | 6 | - name: 2.2.1.1 - Ensure ntp is installed 7 | package: 8 | name: "{{ item.name }}" 9 | state: "{{ item.state }}" 10 | when: cis_enable_ntp and not cis_enable_chrony 11 | with_items: 12 | - { name: "ntp", state: "present" } 13 | - { name: "chrony", state: "absent" } 14 | tags: 15 | - level-1 16 | - section-4 17 | - "2.2.1.1" 18 | - not-scored 19 | 20 | - name: 2.2.1.1 - Ensure chrony is installed 21 | package: 22 | name: "{{ item.name }}" 23 | state: "{{ item.state }}" 24 | when: cis_enable_chrony and not cis_enable_ntp 25 | with_items: 26 | - { name: "ntp", state: "absent" } 27 | - { name: "chrony", state: "present" } 28 | tags: 29 | - level-1 30 | - section-4 31 | - "2.2.1.1" 32 | - not-scored 33 | -------------------------------------------------------------------------------- /tasks/level-1/2.2.1.2.yml: -------------------------------------------------------------------------------- 1 | # Standards: 1.1.24 2 | --- 3 | 4 | # 2.2.1.2 Ensure ntp is configured 5 | 6 | - name: Install NTP configuration 7 | template: 8 | src: templates/ntp.conf.j2 9 | dest: /etc/ntp.conf 10 | mode: 0644 11 | owner: root 12 | group: root 13 | backup: true 14 | notify: Restart ntpd 15 | when: cis_enable_ntp and not cis_enable_chrony 16 | tags: 17 | - level-1 18 | - section-4 19 | - "2.2.1.2" 20 | - not-scored 21 | -------------------------------------------------------------------------------- /tasks/level-1/2.2.1.3.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.2.1.3 Ensure chrony is configured 5 | 6 | - name: Install chrony configuration 7 | template: 8 | src: templates/chrony.conf.j2 9 | dest: /etc/chrony.conf 10 | mode: 0644 11 | owner: root 12 | group: root 13 | backup: true 14 | notify: Restart chronyd 15 | when: 
cis_enable_chrony and not cis_enable_ntp 16 | tags: 17 | - level-1 18 | - section-4 19 | - "2.2.1.3" 20 | - not-scored 21 | -------------------------------------------------------------------------------- /tasks/level-1/2.2.10.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.2.10 Ensure HTTP services are not enabled 5 | 6 | - name: 2.2.10 - Ensure HTTP services are correct, too many varieties to list 7 | yum: 8 | name: "{{ item.package }}" 9 | state: "{{ item.state }}" 10 | with_items: 11 | - "{{ cis_httpd_install }}" 12 | - "{{ cis_apache_install }}" 13 | - "{{ cis_apache2_install }}" 14 | - "{{ cis_nginx_install }}" 15 | - "{{ cis_lighttpd_install }}" 16 | tags: 17 | - level-1 18 | - "2.2.10" 19 | - scored 20 | 21 | - name: 2.2.10 - Ensure HTTP Service is correct, too many varieties to list 22 | service: 23 | name: "{{ item.service }}" 24 | enabled: "{{ item.enabled }}" 25 | state: "{{ item.rstate }}" 26 | with_items: 27 | - "{{ cis_httpd_install }}" 28 | - "{{ cis_apache_install }}" 29 | - "{{ cis_apache2_install }}" 30 | - "{{ cis_nginx_install }}" 31 | - "{{ cis_lighttpd_install }}" 32 | when: item.state == "present" 33 | tags: 34 | - level-1 35 | - "2.2.10" 36 | - scored 37 | -------------------------------------------------------------------------------- /tasks/level-1/2.2.11.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.2.11 Ensure POP3 and IMAP services are not enabled 5 | 6 | - name: 2.2.11 - Ensure POP3 and IMAP services are correct, dovecot and cyrus-imapd 7 | yum: 8 | name: "{{ item.package }}" 9 | state: "{{ item.state }}" 10 | with_items: 11 | - "{{ cis_dovecot_install }}" 12 | - "{{ cis_cyrus_imapd_install }}" 13 | tags: 14 | - level-1 15 | - "2.2.11" 16 | - scored 17 | 18 | - name: 2.2.11 - Ensure POP3 and IMAP Service is correct, dovecot and cyrus-imapd 19 | service: 20 | name: "{{ item.service 
}}" 21 | enabled: "{{ item.enabled }}" 22 | state: "{{ item.rstate }}" 23 | with_items: 24 | - "{{ cis_dovecot_install }}" 25 | - "{{ cis_cyrus_imapd_install }}" 26 | when: item.state == "present" 27 | tags: 28 | - level-1 29 | - "2.2.11" 30 | - scored 31 | -------------------------------------------------------------------------------- /tasks/level-1/2.2.12.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.2.12 Ensure SMB services is not enabled 5 | 6 | - name: 2.2.12 - Ensure SMB services are {{ cis_smb_install.state }} with exception {{ cis_smb_install.exception }} 7 | yum: 8 | name: "{{ item.package }}" 9 | state: "{{ item.state }}" 10 | with_items: 11 | - "{{ cis_smb_install }}" 12 | tags: 13 | - level-1 14 | - "2.2.12" 15 | - scored 16 | 17 | - name: 2.2.12 - Ensure SMB Service is correct {{ cis_smb_install.state }} state {{ cis_smb_install.rstate }} 18 | service: 19 | name: "{{ item.service }}" 20 | enabled: "{{ item.enabled }}" 21 | state: "{{ item.rstate }}" 22 | with_items: 23 | - "{{ cis_smb_install }}" 24 | when: item.state == "present" 25 | tags: 26 | - level-1 27 | - "2.2.12" 28 | - scored 29 | -------------------------------------------------------------------------------- /tasks/level-1/2.2.13.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.2.13 Ensure squid services is not enabled 5 | 6 | - name: 2.2.13 - Ensure Squid services are {{ cis_squid_install.state }} with exception {{ cis_squid_install.exception }} 7 | yum: 8 | name: "{{ item.package }}" 9 | state: "{{ item.state }}" 10 | with_items: 11 | - "{{ cis_squid_install }}" 12 | tags: 13 | - level-1 14 | - "2.2.13" 15 | - scored 16 | 17 | - name: 2.2.13 - Ensure Squid Service is correct {{ cis_squid_install.state }} state {{ cis_squid_install.rstate }} 18 | service: 19 | name: "{{ item.service }}" 20 | enabled: "{{ item.enabled }}" 21 | 
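state: "{{ item.rstate }}"
  with_items:
    - "{{ cis_squid_install }}"
  when: item.state == "present"
  tags:
    - level-1
    - "2.2.13"
    - scored
-------------------------------------------------------------------------------- /tasks/level-1/2.2.14.yml: --------------------------------------------------------------------------------
# Standards: 1.1.24
---

# 2.2.14 Ensure SNMP services are not enabled
#
# cis_snmp_install is a single dict (package/service/state/rstate/enabled/
# exception) driven from defaults; the package task removes or keeps the
# package, the service task only runs when the package is kept.

- name: 2.2.14 - Ensure SNMP services are {{ cis_snmp_install.state }} with exception {{ cis_snmp_install.exception }}
  yum:
    name: "{{ item.package }}"
    state: "{{ item.state }}"
  with_items:
    - "{{ cis_snmp_install }}"
  tags:
    - level-1
    - "2.2.14"
    - scored

# Gate on item.state like the sibling 2.2.1x tasks do; for a single item this
# is the same test as cis_snmp_install.state.
- name: 2.2.14 - Ensure SNMP Service is correct {{ cis_snmp_install.state }} state {{ cis_snmp_install.rstate }}
  service:
    name: "{{ item.service }}"
    enabled: "{{ item.enabled }}"
    state: "{{ item.rstate }}"
  with_items:
    - "{{ cis_snmp_install }}"
  when: item.state == "present"
  tags:
    - level-1
    - "2.2.14"
    - scored

# Only lay down a hardened snmpd.conf when the package is kept; backup: true
# preserves the previous file so a local change is not silently lost.
- name: Install SNMP configuration
  template:
    src: templates/snmpd.conf.j2
    dest: /etc/snmp/snmpd.conf
    mode: 0644
    owner: root
    group: root
    backup: true
  notify: Restart snmpd
  when: cis_snmp_install.state == "present"
  tags:
    - level-1
    - "2.2.14"
    - not-scored

-------------------------------------------------------------------------------- /tasks/level-1/2.2.15.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 2.2.15 Ensure mail transfer agent is configured for local-only mode

# `ss -tln` already lists only listening TCP sockets, so the extra LIST filter
# was redundant; -n keeps addresses numeric so the loopback check in the
# follow-up tasks matches on "127.0.0.1:25" / "[::1]:25" reliably.
# grep exits 1 when nothing listens on :25 - that is the compliant case, not a
# failure - so only rc > 1 (a genuine error) fails the task. ignore_errors was
# still reporting the no-MTA case as a failed task in play output.
- name: 2.2.15 - Check if mail transfer agent is configured for local-only mode
  shell: "LC_ALL=C ss -tln | grep ':25[[:space:]]'"
  register: mta_2_2_15
  failed_when: mta_2_2_15.rc > 1
  changed_when: false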
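tags:
    - level-1
    - "2.2.15"
    - scored

# A finding is any :25 listener that is NOT bound to a loopback address.
# The previous test ('127.0.0.1:25' not in stdout, or more than one line) was
# also true for an empty result - i.e. a host with no MTA listening at all,
# which is compliant - and it rejected a legitimate IPv6 loopback listener
# ([::1]:25). Filtering the lines instead handles both.
- name: 2.2.15 - Ensure mail transfer agent is configured for local-only mode
  fail:
    msg: "Detected mail transfer agent listening on non-loopback address."
  when:
    - mta_2_2_15.stdout_lines is defined
    - mta_2_2_15.stdout_lines | reject('search', '127.0.0.1:25') | reject('search', '::1]:25') | list | count > 0
    - fail_on_manual_remediation_actions
  tags:
    - level-1
    - "2.2.15"
    - scored

# Same detection, but only reported (not fatal) when the operator has chosen
# manual remediation.
- name: 2.2.15 - Ensure mail transfer agent is configured for local-only mode
  debug:
    msg: "*** ACTION REQUIRED *** Detected mail transfer agent listening on non-loopback address."
  when:
    - mta_2_2_15.stdout_lines is defined
    - mta_2_2_15.stdout_lines | reject('search', '127.0.0.1:25') | reject('search', '::1]:25') | list | count > 0
    - not fail_on_manual_remediation_actions
  tags:
    - level-1
    - "2.2.15"
    - scored

-------------------------------------------------------------------------------- /tasks/level-1/2.2.16.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 2.2.16 Ensure NIS services are not enabled

- name: 2.2.16 - Ensure NIS services is {{ cis_nis_install.state }} exception {{ cis_nis_install.exception }}
  yum:
    name: "{{ item.package }}"
    state: "{{ item.state }}"
  with_items:
    - "{{ cis_nis_install }}"
  tags:
    - level-1
    - "2.2.16"
    - scored

# Service state is only managed when the package was kept (state == present);
# calling the service module on a removed unit would fail.
- name: 2.2.16 - Ensure NIS Service is correct
  service:
    name: "{{ item.service }}"
    enabled: "{{ item.enabled }}"
    state: "{{ item.rstate }}"
  with_items:
    - "{{ cis_nis_install }}"
  when: item.state == "present"
  tags:
    - level-1
    - "2.2.16"
    - scored
-------------------------------------------------------------------------------- /tasks/level-1/2.2.2.yml: --------------------------------------------------------------------------------
# Standards: 0.11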
2 | --- 3 | 4 | # 2.2.2 Ensure X Window System is not installed 5 | 6 | - name: 2.2.2 - Ensure X Window System is {{ cis_xwindows_install.state }}, exception {{ cis_xwindows_install.exception }} 7 | yum: 8 | name: "{{ item.package }}" 9 | state: "{{ item.state }}" 10 | with_items: 11 | - "{{ cis_xwindows_install }}" 12 | tags: 13 | - level-1 14 | - "2.2.2" 15 | - scored 16 | -------------------------------------------------------------------------------- /tasks/level-1/2.2.3.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.2.3 Ensure Avahi Server is not enabled 5 | 6 | - name: 2.2.3 - Ensure Avahi Server is {{ cis_avahi_install.state }}, exception {{ cis_avahi_install.exception }} 7 | yum: 8 | name: "{{ item.package }}" 9 | state: "{{ item.state }}" 10 | with_items: 11 | - "{{ cis_avahi_install }}" 12 | tags: 13 | - level-1 14 | - "2.2.3" 15 | - scored 16 | 17 | - name: 2.2.3 - Ensure Avahi Server is {{ cis_avahi_install.state }}, exception {{ cis_avahi_install.exception }} 18 | service: 19 | name: "{{ item.service }}" 20 | enabled: "{{ item.enabled }}" 21 | state: "{{ item.rstate }}" 22 | with_items: 23 | - "{{ cis_avahi_install }}" 24 | when: cis_avahi_install.state == "present" 25 | tags: 26 | - level-1 27 | - "2.2.3" 28 | - scored 29 | -------------------------------------------------------------------------------- /tasks/level-1/2.2.4.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.2.4 Ensure CUPS is not enabled 5 | 6 | - name: 2.2.4 - Ensure CUPS is {{ cis_cups_install.state }}, exception {{ cis_cups_install.exception }} 7 | yum: 8 | name: "{{ item.package }}" 9 | state: "{{ item.state }}" 10 | with_items: 11 | - "{{ cis_cups_install }}" 12 | tags: 13 | - level-1 14 | - "2.2.4" 15 | - scored 16 | 17 | - name: 2.2.4 - Ensure CUPS is {{ cis_cups_install.state }}, exception {{ cis_cups_install.exception }} 
18 | service: 19 | name: "{{ item.service }}" 20 | enabled: "{{ item.enabled }}" 21 | state: "{{ item.rstate }}" 22 | with_items: 23 | - "{{ cis_cups_install }}" 24 | when: cis_cups_install.state == "present" 25 | tags: 26 | - level-1 27 | - "2.2.4" 28 | - scored 29 | -------------------------------------------------------------------------------- /tasks/level-1/2.2.5.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.2.5 Ensure DHCP Server is not enabled 5 | 6 | - name: 2.2.5 - Ensure DHCP Server is {{ cis_dhcpd_install.state }}, exception {{ cis_dhcpd_install.exception }} 7 | yum: 8 | name: "{{ item.package }}" 9 | state: "{{ item.state }}" 10 | with_items: 11 | - "{{ cis_dhcpd_install }}" 12 | tags: 13 | - level-1 14 | - "2.2.5" 15 | - scored 16 | 17 | - name: 2.2.5 - Ensure DHCP Server is {{ cis_dhcpd_install.state }}, exception {{ cis_dhcpd_install.exception }} 18 | service: 19 | name: "{{ item.service }}" 20 | enabled: "{{ item.enabled }}" 21 | state: "{{ item.rstate }}" 22 | with_items: 23 | - "{{ cis_dhcpd_install }}" 24 | when: cis_dhcpd_install.state == "present" 25 | tags: 26 | - level-1 27 | - "2.2.5" 28 | - scored 29 | -------------------------------------------------------------------------------- /tasks/level-1/2.2.6.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.2.6 Ensure LDAP server is not enabled 5 | 6 | - name: 2.2.6 - Ensure LDAP server is {{ cis_slapd_install.state }}, exception {{ cis_slapd_install.exception }} 7 | yum: 8 | name: "{{ item.package }}" 9 | state: "{{ item.state }}" 10 | with_items: 11 | - "{{ cis_slapd_install }}" 12 | tags: 13 | - level-1 14 | - "2.2.6" 15 | - scored 16 | 17 | - name: 2.2.6 - Ensure LDAP server is {{ cis_slapd_install.state }}, exception {{ cis_slapd_install.exception }} 18 | service: 19 | name: "{{ item.service }}" 20 | enabled: "{{ item.enabled }}" 21 | 
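state: "{{ item.rstate }}"
  with_items:
    - "{{ cis_slapd_install }}"
  when: cis_slapd_install.state == "present"
  tags:
    - level-1
    - "2.2.6"
    - scored
-------------------------------------------------------------------------------- /tasks/level-1/2.2.7.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 2.2.7 Ensure NFS and RPC Bind services are not enabled
#
# Two independent package/service pairs (cis_nfs_install, cis_rpcbind_install)
# are handled here; each has its own state/rstate/enabled/exception keys.

- name: 2.2.7 - Ensure NFS/RPC Bind services are correct, NFS is {{ cis_nfs_install.state }}, exception {{ cis_nfs_install.exception }}, RPC Bind is {{ cis_rpcbind_install.state }}, exception {{ cis_rpcbind_install.exception }}
  yum:
    name: "{{ item.package }}"
    state: "{{ item.state }}"
  with_items:
    - "{{ cis_nfs_install }}"
    - "{{ cis_rpcbind_install }}"
  tags:
    - level-1
    - "2.2.7"
    - scored

# Gate each loop item on ITS OWN package state. The previous condition
# (cis_nfs_install.state == "present") applied the NFS decision to rpcbind as
# well: with NFS absent and rpcbind kept, the rpcbind service was never
# managed, and with NFS kept and rpcbind removed the service module was run
# against a unit that no longer exists.
- name: 2.2.7 - Ensure NFS/RPC Bind services are correct, NFS is {{ cis_nfs_install.rstate }}, exception {{ cis_nfs_install.exception }}, RPC Bind is {{ cis_rpcbind_install.rstate }}, exception {{ cis_rpcbind_install.exception }}
  service:
    name: "{{ item.service }}"
    enabled: "{{ item.enabled }}"
    state: "{{ item.rstate }}"
  with_items:
    - "{{ cis_nfs_install }}"
    - "{{ cis_rpcbind_install }}"
  when: item.state == "present"
  tags:
    - level-1
    - "2.2.7"
    - scored
-------------------------------------------------------------------------------- /tasks/level-1/2.2.8.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 2.2.8 Ensure DNS Server (bind/named) is not enabled
# (header previously copied from 2.2.7 and still read "NFS and RPC Bind")

- name: 2.2.8 - Ensure DNS Bind/Named services are correct {{ cis_named_install.state }}, exception {{ cis_named_install.exception }}
  yum:
    name: "{{ item.package }}"
    state: "{{ item.state }}"
  with_items:
    - "{{ cis_named_install }}"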
| tags: 13 | - level-1 14 | - "2.2.8" 15 | - scored 16 | 17 | - name: 2.2.8 - Ensure DNS Bind/Named Service is correct {{ cis_named_install.rstate }}, exception {{ cis_named_install.exception }} 18 | service: 19 | name: "{{ item.service }}" 20 | enabled: "{{ item.enabled }}" 21 | state: "{{ item.rstate }}" 22 | with_items: 23 | - "{{ cis_named_install }}" 24 | when: cis_named_install.state == "present" 25 | tags: 26 | - level-1 27 | - "2.2.8" 28 | - scored 29 | -------------------------------------------------------------------------------- /tasks/level-1/2.2.9.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.2.9 Ensure FTP services is not enabled 5 | 6 | - name: 2.2.9 - Ensure FTP services are correct {{ cis_vsftpd_install.state }}, exception {{ cis_vsftpd_install.exception }} 7 | yum: 8 | name: "{{ item.package }}" 9 | state: "{{ item.state }}" 10 | with_items: 11 | - "{{ cis_vsftpd_install }}" 12 | tags: 13 | - level-1 14 | - "2.2.9" 15 | - scored 16 | 17 | - name: 2.2.9 - Ensure FTP Service is correct {{ cis_vsftpd_install.rstate }}, exception {{ cis_vsftpd_install.exception }} 18 | service: 19 | name: "{{ item.service }}" 20 | enabled: "{{ item.enabled }}" 21 | state: "{{ item.rstate }}" 22 | with_items: 23 | - "{{ cis_vsftpd_install }}" 24 | when: cis_vsftpd_install.state == "present" 25 | tags: 26 | - level-1 27 | - "2.2.9" 28 | - scored 29 | -------------------------------------------------------------------------------- /tasks/level-1/2.3.1.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.3.1 Ensure NIS Client is not installed 5 | 6 | - name: 2.3.1 - Ensure NIS Client is not installed 7 | yum: 8 | name: "ypbind" 9 | state: absent 10 | tags: 11 | - level-1 12 | - section-2 13 | - "2.3.1" 14 | - scored 15 | -------------------------------------------------------------------------------- 
/tasks/level-1/2.3.2.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.3.2 Ensure rsh client is not installed 5 | 6 | - name: 2.3.2 - Ensure rsh client is not installed 7 | yum: 8 | name: "rsh" 9 | state: absent 10 | tags: 11 | - level-1 12 | - section-2 13 | - "2.3.2" 14 | - scored 15 | -------------------------------------------------------------------------------- /tasks/level-1/2.3.3.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.3.3 Ensure talk client is not installed 5 | 6 | - name: 2.3.3 - Ensure talk client is not installed 7 | yum: 8 | name: "talk" 9 | state: absent 10 | tags: 11 | - level-1 12 | - "2.3.3" 13 | - scored 14 | -------------------------------------------------------------------------------- /tasks/level-1/2.3.4.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.3.4 Ensure telnet client is not installed 5 | 6 | - name: 2.3.4 - Ensure telnet client is not installed 7 | yum: 8 | name: "telnet" 9 | state: absent 10 | tags: 11 | - level-1 12 | - section-2 13 | - "2.3.4" 14 | - scored 15 | -------------------------------------------------------------------------------- /tasks/level-1/2.3.5.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.3.5 Ensure LDAP client is not installed 5 | 6 | - name: 2.3.5 - Ensure LDAP client is not installed 7 | yum: 8 | name: "openldap-clients" 9 | state: absent 10 | tags: 11 | - level-1 12 | - section-2 13 | - "2.3.5" 14 | - scored 15 | -------------------------------------------------------------------------------- /tasks/level-1/3.1.1.yml: -------------------------------------------------------------------------------- 1 | # Standards: 1.1.24 2 | --- 3 | 4 | # 3.1.1 Ensure IP forwarding is disabled 5 | 6 | - 
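name: 3.1.1 - Ensure IP forwarding is disabled
  sysctl:
    ignoreerrors: true
    name: "{{ item.kernel_param }}"
    value: "{{ item.value }}"
    state: present
  with_items:
    - "{{ cis_v_3_1_1_ipv4_ip_forward }}"
  tags:
    - level-1
    - section-3
    - "3.1.1"
    - scored

# Read the live value from /proc so the persisted setting above can be
# compared with what the running kernel actually uses.
- name: 3.1.1 - Get IP forwarding value in active kernel parameters
  command: "cat {{ item.proc_src }}"
  register: v_3_1_1_kernel_param
  changed_when: false
  with_items:
    - "{{ cis_v_3_1_1_ipv4_ip_forward }}"
  tags:
    - level-1
    - section-3
    - "3.1.1"
    - scored

- name: 3.1.1 - Displaying value
  debug:
    msg: The value for kernel_param_value is {{ v_3_1_1_kernel_param.results[0].stdout }}
  tags:
    - level-1
    - section-3
    - "3.1.1"
    - scored

# Compare as text. The old test `stdout|bool != item.value` only behaved when
# item.value was an integer: "0"|bool is False and False == 0 in Jinja, but
# against a string value ("0") the test was always true, so `sysctl -w` ran
# and the route-flush handler fired on every play. Comparing the trimmed
# string with item.value|string is independent of how defaults declare the
# value. (sysctl's `sysctl_set: true` would subsume this read/compare/write
# sequence if the debug output is not needed.)
- name: 3.1.1 - Ensure IP forwarding is disabled in active kernel parameters
  command: "sysctl -w {{ item.kernel_param }}={{ item.value }}"
  with_items:
    - "{{ cis_v_3_1_1_ipv4_ip_forward }}"
  when: (v_3_1_1_kernel_param.results[0].stdout | trim) != (item.value | string)
  notify: Flush ipv4 route
  tags:
    - level-1
    - section-3
    - "3.1.1"
    - scored
-------------------------------------------------------------------------------- /tasks/level-1/3.1.2.yml: --------------------------------------------------------------------------------
# Standards: 1.1.24
---

# 3.1.2 Ensure packet redirect sending is disabled
#
# Both the "all" and "default" send_redirects keys are persisted in one task;
# the live kernel value is then checked and corrected for each key in turn.
# The two "Get" tasks deliberately reuse the same register name, so each
# compare task must directly follow its own read.

- name: 3.1.2 - Ensure packet redirect sending is disabled
  sysctl:
    ignoreerrors: true
    name: "{{ item.kernel_param }}"
    value: "{{ item.value }}"
    state: present
  with_items:
    - "{{ cis_v_3_1_2_ipv4_conf_all_send_redirects }}"
    - "{{ cis_v_3_1_2_ipv4_conf_default_send_redirects }}"
  tags:
    - level-1
    - section-3
    - "3.1.2"
    - scored

- name: 3.1.2 - Get packet redirect settings from active kernel
  command: "cat {{ item.proc_src }}"
  register: v_3_1_2_kernel_param
  changed_when: false
  with_items:
    - "{{ cis_v_3_1_2_ipv4_conf_all_send_redirects }}"
  tags:
    - level-1
    - section-3
    - "3.1.2"
    - scored

- name: 3.1.2 - Displaying value for all send_redirects
  debug:
    msg: The value for kernel_param_value is {{ v_3_1_2_kernel_param.results[0].stdout }}
  tags:
    - level-1
    - section-3
    - "3.1.2"
    - scored

# String comparison for the same reason as in 3.1.1: `stdout|bool != item.value`
# is only correct when item.value is an integer.
- name: 3.1.2 - Ensure packet redirect sending is disabled in active kernel parameters
  command: "sysctl -w {{ item.kernel_param }}={{ item.value }}"
  with_items:
    - "{{ cis_v_3_1_2_ipv4_conf_all_send_redirects }}"
  when: (v_3_1_2_kernel_param.results[0].stdout | trim) != (item.value | string)
  notify: Flush ipv4 route
  tags:
    - level-1
    - section-3
    - "3.1.2"
    - scored

- name: 3.1.2 - Get packet redirect settings from active kernel
  command: "cat {{ item.proc_src }}"
  register: v_3_1_2_kernel_param
  changed_when: false
  with_items:
    - "{{ cis_v_3_1_2_ipv4_conf_default_send_redirects }}"
  tags:
    - level-1
    - section-3
    - "3.1.2"
    - scored

- name: 3.1.2 - Displaying value for default send_redirects
  debug:
    msg: The value for kernel_param_value is {{ v_3_1_2_kernel_param.results[0].stdout }}
  tags:
    - level-1
    - section-3
    - "3.1.2"
    - scored

- name: 3.1.2 - Ensure packet redirect sending is disabled in active kernel parameters
  command: "sysctl -w {{ item.kernel_param }}={{ item.value }}"
  with_items:
    - "{{ cis_v_3_1_2_ipv4_conf_default_send_redirects }}"
  when: (v_3_1_2_kernel_param.results[0].stdout | trim) != (item.value | string)
  notify: Flush ipv4 route
  tags:
    - level-1
    - section-3
    - "3.1.2"
    - scored
-------------------------------------------------------------------------------- /tasks/level-1/3.2.1.yml: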
-------------------------------------------------------------------------------- 1 | # Standards: 1.1.24 2 | --- 3 | 4 | # 3.2.1 Ensure source routed packets are not accepted 5 | 6 | - name: 3.2.1 - Ensure source routed packets are not accepted 7 | sysctl: 8 | ignoreerrors: true 9 | name: "{{ item.kernel_param }}" 10 | value: "{{ item.value }}" 11 | state: present 12 | with_items: 13 | - "{{ cis_v_3_2_1_ipv4_conf_all_accept_source_route }}" 14 | - "{{ cis_v_3_2_1_ipv4_conf_default_accept_source_route }}" 15 | tags: 16 | - level-1 17 | - section-3 18 | - "3.2.1" 19 | - scored 20 | 21 | - name: 3.2.1 - Get source routed packets value from the active kernel parameters 22 | command: "cat {{ item.proc_src }}" 23 | register: v_3_2_1_kernel_param 24 | changed_when: false 25 | with_items: 26 | - "{{ cis_v_3_2_1_ipv4_conf_all_accept_source_route }}" 27 | tags: 28 | - level-1 29 | - section-3 30 | - "3.2.1" 31 | - scored 32 | 33 | - name: 3.2.1 - Displaying value of all source routed packets kernel parameter 34 | debug: 35 | msg: The value for kernel_param_value is {{ v_3_2_1_kernel_param.results[0].stdout }} 36 | 37 | - name: 3.2.1 - Ensure source routed packets are not accepted in active kernel parameters 38 | command: "sysctl -w {{ item.kernel_param }}={{ item.value }}" 39 | with_items: 40 | - "{{ cis_v_3_2_1_ipv4_conf_all_accept_source_route }}" 41 | when: v_3_2_1_kernel_param.results[0].stdout|bool != item.value 42 | notify: Flush ipv4 route 43 | tags: 44 | - level-1 45 | - section-3 46 | - "3.2.1" 47 | - scored 48 | 49 | - name: 3.2.1 - Get source routed packets value from the active kernel parameters 50 | command: "cat {{ item.proc_src }}" 51 | register: v_3_2_1_kernel_param 52 | changed_when: false 53 | with_items: 54 | - "{{ cis_v_3_2_1_ipv4_conf_default_accept_source_route }}" 55 | tags: 56 | - level-1 57 | - section-3 58 | - "3.2.1" 59 | - scored 60 | 61 | - name: 3.2.1 - Displaying value of all source routed packets kernel parameter 62 | debug: 63 | msg: The 
value for kernel_param_value is {{ v_3_2_1_kernel_param.results[0].stdout }} 64 | 65 | - name: 3.2.1 - Ensure source routed packets are not accepted in active kernel parameters 66 | command: "sysctl -w {{ item.kernel_param }}={{ item.value }}" 67 | with_items: 68 | - "{{ cis_v_3_2_1_ipv4_conf_default_accept_source_route }}" 69 | when: v_3_2_1_kernel_param.results[0].stdout|bool != item.value 70 | notify: Flush ipv4 route 71 | tags: 72 | - level-1 73 | - section-3 74 | - "3.2.1" 75 | - scored 76 | -------------------------------------------------------------------------------- /tasks/level-1/3.2.2.yml: -------------------------------------------------------------------------------- 1 | # Standards: 1.1.24 2 | --- 3 | 4 | # 3.2.2 Ensure ICMP redirects are not accepted 5 | 6 | - name: 3.2.2 - Ensure ICMP redirects are not accepted 7 | sysctl: 8 | ignoreerrors: true 9 | name: "{{ item.kernel_param }}" 10 | value: "{{ item.value }}" 11 | state: present 12 | with_items: 13 | - "{{ cis_v_3_2_2_ipv4_conf_all_accept_redirects }}" 14 | - "{{ cis_v_3_2_2_ipv4_conf_default_accept_redirects }}" 15 | tags: 16 | - level-1 17 | - section-3 18 | - "3.2.2" 19 | - scored 20 | 21 | - name: 3.2.2 - Get ICMP redirect value from active kernel parameters 22 | command: "cat {{ item.proc_src }}" 23 | register: v_3_2_2_kernel_param 24 | changed_when: false 25 | with_items: 26 | - "{{ cis_v_3_2_2_ipv4_conf_all_accept_redirects }}" 27 | tags: 28 | - level-1 29 | - section-3 30 | - "3.2.2" 31 | - scored 32 | 33 | - name: 3.2.2 - Displaying value for all ICMP redirects 34 | debug: 35 | msg: The value for kernel_param_value is {{ v_3_2_2_kernel_param.results[0].stdout }} 36 | 37 | - name: 3.2.2 - Ensure ICMP redirects are not accepted by active kernel parameters 38 | command: "sysctl -w {{ item.kernel_param }}={{ item.value }}" 39 | with_items: 40 | - "{{ cis_v_3_2_2_ipv4_conf_all_accept_redirects }}" 41 | when: v_3_2_2_kernel_param.results[0].stdout|bool != item.value 42 | notify: Flush ipv4 
route 43 | tags: 44 | - level-1 45 | - section-3 46 | - "3.2.2" 47 | - scored 48 | 49 | - name: 3.2.2 - Get ICMP default redirect value from active kernel parameters 50 | command: "cat {{ item.proc_src }}" 51 | register: v_3_2_2_kernel_param 52 | changed_when: false 53 | with_items: 54 | - "{{ cis_v_3_2_2_ipv4_conf_default_accept_redirects }}" 55 | tags: 56 | - level-1 57 | - section-3 58 | - "3.2.2" 59 | - scored 60 | 61 | - name: 3.2.2 - Displaying value for default ICMP redirects 62 | debug: 63 | msg: The value for kernel_param_value is {{ v_3_2_2_kernel_param.results[0].stdout }} 64 | 65 | - name: 3.2.2 - Ensure ICMP default redirects are not accepted by active kernel parameters 66 | command: "sysctl -w {{ item.kernel_param }}={{ item.value }}" 67 | with_items: 68 | - "{{ cis_v_3_2_2_ipv4_conf_default_accept_redirects }}" 69 | when: v_3_2_2_kernel_param.results[0].stdout|bool != item.value 70 | notify: Flush ipv4 route 71 | tags: 72 | - level-1 73 | - section-3 74 | - "3.2.2" 75 | - scored 76 | -------------------------------------------------------------------------------- /tasks/level-1/3.2.3.yml: -------------------------------------------------------------------------------- 1 | # Standards: 1.1.24 2 | --- 3 | 4 | # 3.2.3 Ensure secure ICMP redirects are not accepted 5 | 6 | - name: 3.2.3 - Ensure secure ICMP redirects are not accepted 7 | sysctl: 8 | ignoreerrors: true 9 | name: "{{ item.kernel_param }}" 10 | value: "{{ item.value }}" 11 | state: present 12 | with_items: 13 | - "{{ cis_v_3_2_3_ipv4_conf_all_secure_redirects }}" 14 | - "{{ cis_v_3_2_3_ipv4_conf_default_secure_redirects }}" 15 | tags: 16 | - level-1 17 | - section-3 18 | - "3.2.3" 19 | - scored 20 | 21 | - name: 3.2.3 - Get secure ICMP redirects value from active kernel parameters 22 | command: "cat {{ item.proc_src }}" 23 | register: v_3_2_3_kernel_param 24 | changed_when: false 25 | with_items: 26 | - "{{ cis_v_3_2_3_ipv4_conf_all_secure_redirects }}" 27 | tags: 28 | - level-1 29 | - 
section-3 30 | - "3.2.3" 31 | - scored 32 | 33 | - name: 3.2.3 - Displaying value for all ICMP secure redirects 34 | debug: 35 | msg: The value for kernel_param_value is {{ v_3_2_3_kernel_param.results[0].stdout }} 36 | 37 | - name: 3.2.3 - Ensure secure ICMP redirects are not accepted by active kernel parameters 38 | command: "sysctl -w {{ item.kernel_param }}={{ item.value }}" 39 | with_items: 40 | - "{{ cis_v_3_2_3_ipv4_conf_all_secure_redirects }}" 41 | when: v_3_2_3_kernel_param.results[0].stdout|bool != item.value 42 | notify: Flush ipv4 route 43 | tags: 44 | - level-1 45 | - section-3 46 | - "3.2.3" 47 | - scored 48 | 49 | - name: 3.2.3 - Get secure ICMP redirects value from active kernel parameters 50 | command: "cat {{ item.proc_src }}" 51 | register: v_3_2_3_kernel_param 52 | changed_when: false 53 | with_items: 54 | - "{{ cis_v_3_2_3_ipv4_conf_default_secure_redirects }}" 55 | tags: 56 | - level-1 57 | - section-3 58 | - "3.2.3" 59 | - scored 60 | 61 | - name: 3.2.3 - Displaying value for default ICMP secure redirects 62 | debug: 63 | msg: The value for kernel_param_value is {{ v_3_2_3_kernel_param.results[0].stdout }} 64 | 65 | - name: 3.2.3 - Ensure secure ICMP redirects are not accepted by active kernel parameters 66 | command: "sysctl -w {{ item.kernel_param }}={{ item.value }}" 67 | with_items: 68 | - "{{ cis_v_3_2_3_ipv4_conf_default_secure_redirects }}" 69 | when: v_3_2_3_kernel_param.results[0].stdout|bool != item.value 70 | notify: Flush ipv4 route 71 | tags: 72 | - level-1 73 | - section-3 74 | - "3.2.3" 75 | - scored 76 | -------------------------------------------------------------------------------- /tasks/level-1/3.2.4.yml: -------------------------------------------------------------------------------- 1 | # Standards: 1.1.24 2 | --- 3 | 4 | # 3.2.4 Ensure suspicious packets are logged 5 | 6 | - name: 3.2.4 - Ensure suspicious packets are logged 7 | sysctl: 8 | ignoreerrors: true 9 | name: "{{ item.kernel_param }}" 10 | value: "{{ 
item.value }}" 11 | state: present 12 | with_items: 13 | - "{{ cis_v_3_2_4_ipv4_conf_all_log_martians }}" 14 | - "{{ cis_v_3_2_4_ipv4_conf_default_log_martians }}" 15 | tags: 16 | - level-1 17 | - section-3 18 | - "3.2.4" 19 | - scored 20 | 21 | - name: 3.2.4 - Getting value for all suspicious packets from active kernel parameters 22 | command: "cat {{ item.proc_src }}" 23 | register: v_3_2_4_kernel_param 24 | changed_when: false 25 | with_items: 26 | - "{{ cis_v_3_2_4_ipv4_conf_all_log_martians }}" 27 | tags: 28 | - level-1 29 | - section-3 30 | - "3.2.4" 31 | - scored 32 | 33 | - name: 3.2.4 - Displaying value for all suspicious packets 34 | debug: 35 | msg: The value for kernel_param_value is {{ v_3_2_4_kernel_param.results[0].stdout }} 36 | 37 | - name: 3.2.4 - Ensure suspicious packets are logged by active kernel parameters 38 | command: "sysctl -w {{ item.kernel_param }}={{ item.value }}" 39 | with_items: 40 | - "{{ cis_v_3_2_4_ipv4_conf_all_log_martians }}" 41 | when: v_3_2_4_kernel_param.results[0].stdout|bool != item.value 42 | notify: Flush ipv4 route 43 | tags: 44 | - level-1 45 | - section-3 46 | - "3.2.4" 47 | - scored 48 | 49 | - name: 3.2.4 - Getting value for default suspicious packets from active kernel parameters 50 | command: "cat {{ item.proc_src }}" 51 | register: v_3_2_4_kernel_param 52 | changed_when: false 53 | with_items: 54 | - "{{ cis_v_3_2_4_ipv4_conf_default_log_martians }}" 55 | tags: 56 | - level-1 57 | - section-3 58 | - "3.2.4" 59 | - scored 60 | 61 | - name: 3.2.4 - Displaying value for default suspicious packets 62 | debug: 63 | msg: The value for kernel_param_value is {{ v_3_2_4_kernel_param.results[0].stdout }} 64 | 65 | - name: 3.2.4 - Ensure default suspicious packets are logged by active kernel parameters 66 | command: "sysctl -w {{ item.kernel_param }}={{ item.value }}" 67 | with_items: 68 | - "{{ cis_v_3_2_4_ipv4_conf_default_log_martians }}" 69 | when: v_3_2_4_kernel_param.results[0].stdout|bool != item.value 70 | notify: 
Flush ipv4 route 71 | tags: 72 | - level-1 73 | - section-3 74 | - "3.2.4" 75 | - scored 76 | -------------------------------------------------------------------------------- /tasks/level-1/3.2.5.yml: -------------------------------------------------------------------------------- 1 | # Standards: 1.1.24 2 | --- 3 | 4 | # 3.2.5 Ensure broadcast ICMP requests are ignored 5 | 6 | - name: 3.2.5 - Ensure broadcast ICMP requests are ignored 7 | sysctl: 8 | ignoreerrors: true 9 | name: "{{ item.kernel_param }}" 10 | value: "{{ item.value }}" 11 | state: present 12 | with_items: 13 | - "{{ cis_v_3_2_5_ipv4_icmp_echo_ignore_broadcasts }}" 14 | tags: 15 | - level-1 16 | - section-3 17 | - "3.2.5" 18 | - scored 19 | 20 | - name: 3.2.5 - Getting broadcast ICMP request values from active kernel 21 | command: "cat {{ item.proc_src }}" 22 | register: v_3_2_5_kernel_param 23 | changed_when: false 24 | with_items: 25 | - "{{ cis_v_3_2_5_ipv4_icmp_echo_ignore_broadcasts }}" 26 | tags: 27 | - level-1 28 | - section-3 29 | - "3.2.5" 30 | - scored 31 | 32 | - name: 3.2.5 - Displaying value for ICMP broadcast requests 33 | debug: 34 | msg: The value for kernel_param_value is {{ v_3_2_5_kernel_param.results[0].stdout }} 35 | 36 | - name: 3.2.5 - Ensure broadcast ICMP requests are ignored by active kernel parameters 37 | command: "sysctl -w {{ item.kernel_param }}={{ item.value }}" 38 | with_items: 39 | - "{{ cis_v_3_2_5_ipv4_icmp_echo_ignore_broadcasts }}" 40 | when: v_3_2_5_kernel_param.results[0].stdout|bool != item.value 41 | notify: Flush ipv4 route 42 | tags: 43 | - level-1 44 | - section-3 45 | - "3.2.5" 46 | - scored 47 | -------------------------------------------------------------------------------- /tasks/level-1/3.2.6.yml: -------------------------------------------------------------------------------- 1 | # Standards: 1.1.24 2 | --- 3 | 4 | # 3.2.6 Ensure bogus ICMP responses are ignored 5 | 6 | - name: 3.2.6 - Ensure bogus ICMP responses are ignored 7 | sysctl: 8 | 
ignoreerrors: true 9 | name: "{{ item.kernel_param }}" 10 | value: "{{ item.value }}" 11 | state: present 12 | with_items: 13 | - "{{ cis_v_3_2_6_ipv4_icmp_echo_ignore_bogus_error_responses }}" 14 | tags: 15 | - level-1 16 | - section-3 17 | - "3.2.6" 18 | - scored 19 | 20 | - name: 3.2.6 - Get bogus ICMP responses value from active kernel parameters 21 | command: "cat {{ item.proc_src }}" 22 | register: v_3_2_6_kernel_param 23 | changed_when: false 24 | with_items: 25 | - "{{ cis_v_3_2_6_ipv4_icmp_echo_ignore_bogus_error_responses }}" 26 | tags: 27 | - level-1 28 | - section-3 29 | - "3.2.6" 30 | - scored 31 | 32 | - name: 3.2.6 - Displaying value for bogus ICMP responses 33 | debug: 34 | msg: The value for kernel_param_value is {{ v_3_2_6_kernel_param.results[0].stdout }} 35 | 36 | - name: 3.2.6 - Ensure bogus ICMP responses are ignored by active kernel parameters 37 | command: "sysctl -w {{ item.kernel_param }}={{ item.value }}" 38 | with_items: 39 | - "{{ cis_v_3_2_6_ipv4_icmp_echo_ignore_bogus_error_responses }}" 40 | when: v_3_2_6_kernel_param.results[0].stdout|bool != item.value 41 | notify: Flush ipv4 route 42 | tags: 43 | - level-1 44 | - section-3 45 | - "3.2.6" 46 | - scored 47 | -------------------------------------------------------------------------------- /tasks/level-1/3.2.7.yml: -------------------------------------------------------------------------------- 1 | # Standards: 1.1.24 2 | --- 3 | 4 | # 3.2.7 Ensure Reverse Path Filtering is enabled 5 | 6 | - name: 3.2.7 - Ensure Reverse Path Filtering is enabled 7 | sysctl: 8 | ignoreerrors: true 9 | name: "{{ item.kernel_param }}" 10 | value: "{{ item.value }}" 11 | state: present 12 | with_items: 13 | - "{{ cis_v_3_2_7_ipv4_conf_all_rp_filter }}" 14 | - "{{ cis_v_3_2_7_ipv4_conf_default_rp_filter }}" 15 | tags: 16 | - level-1 17 | - section-3 18 | - "3.2.7" 19 | - scored 20 | 21 | - name: 3.2.7 - Get Reverse Path Filtering value from the active kernel parameters 22 | command: "cat {{ item.proc_src 
}}" 23 | register: v_3_2_7_kernel_param 24 | changed_when: false 25 | with_items: 26 | - "{{ cis_v_3_2_7_ipv4_conf_all_rp_filter }}" 27 | tags: 28 | - level-1 29 | - section-3 30 | - "3.2.7" 31 | - scored 32 | 33 | - name: 3.2.7 - Displaying value for the all Reverse Path Filtering 34 | debug: 35 | msg: The value for kernel_param_value is {{ v_3_2_7_kernel_param.results[0].stdout }} 36 | 37 | - name: 3.2.7 - Ensure Reverse Path Filtering is enabled by active kernel parameters 38 | command: "sysctl -w {{ item.kernel_param }}={{ item.value }}" 39 | with_items: 40 | - "{{ cis_v_3_2_7_ipv4_conf_all_rp_filter }}" 41 | when: v_3_2_7_kernel_param.results[0].stdout|bool != item.value 42 | notify: Flush ipv4 route 43 | tags: 44 | - level-1 45 | - section-3 46 | - "3.2.7" 47 | - scored 48 | 49 | - name: 3.2.7 - Get Reverse Path Filtering value from the active kernel parameters 50 | command: "cat {{ item.proc_src }}" 51 | register: v_3_2_7_kernel_param 52 | changed_when: false 53 | with_items: 54 | - "{{ cis_v_3_2_7_ipv4_conf_default_rp_filter }}" 55 | tags: 56 | - level-1 57 | - section-3 58 | - "3.2.7" 59 | - scored 60 | 61 | - name: 3.2.7 - Displaying value for the default Reverse Path Filtering 62 | debug: 63 | msg: The value for kernel_param_value is {{ v_3_2_7_kernel_param.results[0].stdout }} 64 | 65 | - name: 3.2.7 - Ensure Reverse Path Filtering is enabled by active kernel parameters 66 | command: "sysctl -w {{ item.kernel_param }}={{ item.value }}" 67 | with_items: 68 | - "{{ cis_v_3_2_7_ipv4_conf_default_rp_filter }}" 69 | when: v_3_2_7_kernel_param.results[0].stdout|bool != item.value 70 | notify: Flush ipv4 route 71 | tags: 72 | - level-1 73 | - section-3 74 | - "3.2.7" 75 | - scored 76 | -------------------------------------------------------------------------------- /tasks/level-1/3.2.8.yml: -------------------------------------------------------------------------------- 1 | # Standards: 1.1.24 2 | --- 3 | 4 | # 3.2.8 Ensure TCP SYN Cookies is enabled 5 | 6 | - 
name: 3.2.8 - Ensure TCP SYN Cookies is enabled 7 | sysctl: 8 | ignoreerrors: true 9 | name: "{{ item.kernel_param }}" 10 | value: "{{ item.value }}" 11 | state: present 12 | with_items: 13 | - "{{ cis_v_3_2_8_ipv4_tcp_syncookies }}" 14 | tags: 15 | - level-1 16 | - section-3 17 | - "3.2.8" 18 | - scored 19 | 20 | - name: 3.2.8 - Get TCP SYN Cookies value in active kernel parameters 21 | command: "cat {{ item.proc_src }}" 22 | register: v_3_2_8_kernel_param 23 | changed_when: false 24 | with_items: 25 | - "{{ cis_v_3_2_8_ipv4_tcp_syncookies }}" 26 | tags: 27 | - level-1 28 | - section-3 29 | - "3.2.8" 30 | - scored 31 | 32 | - name: 3.2.8 - Displaying value for TCP SYN Cookies 33 | debug: 34 | msg: The value for kernel_param_value is {{ v_3_2_8_kernel_param.results[0].stdout }} 35 | 36 | - name: 3.2.8 - Ensure TCP SYN Cookies is enabled by active kernel parameters 37 | command: "sysctl -w {{ item.kernel_param }}={{ item.value }}" 38 | with_items: 39 | - "{{ cis_v_3_2_8_ipv4_tcp_syncookies }}" 40 | when: v_3_2_8_kernel_param.results[0].stdout|bool != item.value 41 | notify: Flush ipv4 route 42 | tags: 43 | - level-1 44 | - section-3 45 | - "3.2.8" 46 | - scored 47 | -------------------------------------------------------------------------------- /tasks/level-1/3.3.1.yml: -------------------------------------------------------------------------------- 1 | # Standards: 1.1.24 2 | --- 3 | 4 | # 3.3.1 Ensure IPv6 router advertisements are not accepted 5 | 6 | - name: 3.3.1 - Ensure IPv6 router advertisements are not accepted 7 | sysctl: 8 | ignoreerrors: true 9 | name: "{{ item.kernel_param }}" 10 | value: "{{ item.value }}" 11 | state: present 12 | with_items: 13 | - "{{ cis_v_3_3_1_ipv6_conf_all_accept_ra }}" 14 | - "{{ cis_v_3_3_1_ipv6_conf_default_accept_ra }}" 15 | tags: 16 | - level-1 17 | - section-3 18 | - "3.3.1" 19 | - scored 20 | 21 | - name: 3.3.1 - Get IPv6 router advertisments 22 | command: "cat {{ item.proc_src }}" 23 | register: v_3_3_1_kernel_param 24 | 
changed_when: false 25 | with_items: 26 | - "{{ cis_v_3_3_1_ipv6_conf_all_accept_ra }}" 27 | tags: 28 | - level-1 29 | - section-3 30 | - "3.3.1" 31 | - scored 32 | 33 | - name: 3.3.1 - Displaying value for IPv6 advertisments 34 | debug: 35 | msg: The value for kernel_param_value is {{ v_3_3_1_kernel_param.results[0].stdout }} 36 | 37 | - name: 3.3.1 - Ensure IPv6 router advertisements are not accepted by active kernel parameters 38 | command: "sysctl -w {{ item.kernel_param }}={{ item.value }}" 39 | with_items: 40 | - "{{ cis_v_3_3_1_ipv6_conf_all_accept_ra }}" 41 | when: v_3_3_1_kernel_param.results[0].stdout|bool != item.value 42 | notify: Flush ipv4 route 43 | tags: 44 | - level-1 45 | - section-3 46 | - "3.3.1" 47 | - scored 48 | 49 | - name: 3.3.1 - Get IPv6 router advertisments - default 50 | command: "cat {{ item.proc_src }}" 51 | register: v_3_3_1_kernel_param 52 | changed_when: false 53 | with_items: 54 | - "{{ cis_v_3_3_1_ipv6_conf_default_accept_ra }}" 55 | tags: 56 | - level-1 57 | - section-3 58 | - "3.3.1" 59 | - scored 60 | 61 | - name: 3.3.1 - Displaying default value for IPv6 advertisments 62 | debug: 63 | msg: The value for kernel_param_value is {{ v_3_3_1_kernel_param.results[0].stdout }} 64 | 65 | - name: 3.3.1 - Ensure default IPv6 router advertisements are not accepted by active kernel parameters 66 | command: "sysctl -w {{ item.kernel_param }}={{ item.value }}" 67 | with_items: 68 | - "{{ cis_v_3_3_1_ipv6_conf_default_accept_ra }}" 69 | when: v_3_3_1_kernel_param.results[0].stdout|bool != item.value 70 | notify: Flush ipv4 route 71 | tags: 72 | - level-1 73 | - section-3 74 | - "3.3.1" 75 | - scored 76 | -------------------------------------------------------------------------------- /tasks/level-1/3.3.2.yml: -------------------------------------------------------------------------------- 1 | # Standards: 1.1.24 2 | --- 3 | 4 | # 3.3.2 Ensure IPv6 redirects are not accepted 5 | 6 | - name: 3.3.2 - Ensure IPv6 redirects are not accepted 7 | 
sysctl: 8 | ignoreerrors: true 9 | name: "{{ item.kernel_param }}" 10 | value: "{{ item.value }}" 11 | state: present 12 | with_items: 13 | - "{{ cis_v_3_3_2_ipv6_conf_all_accept_redirects }}" 14 | - "{{ cis_v_3_3_2_ipv6_conf_default_accept_redirects }}" 15 | tags: 16 | - level-1 17 | - section-3 18 | - "3.3.2" 19 | - scored 20 | 21 | - name: 3.3.2 - Get IPv6 redirects value from active kernel parameters 22 | command: "cat {{ item.proc_src }}" 23 | register: v_3_3_2_kernel_param 24 | changed_when: false 25 | with_items: 26 | - "{{ cis_v_3_3_2_ipv6_conf_all_accept_redirects }}" 27 | tags: 28 | - level-1 29 | - section-3 30 | - "3.3.2" 31 | - scored 32 | 33 | - name: 3.3.2 - Displaying value of IPv6 redirects all 34 | debug: 35 | msg: The value for kernel_param_value is {{ v_3_3_2_kernel_param.results[0].stdout }} 36 | 37 | - name: 3.3.2 - Ensure IPv6 redirects are not accepted by active kernel parameters 38 | command: "sysctl -w {{ item.kernel_param }}={{ item.value }}" 39 | with_items: 40 | - "{{ cis_v_3_3_2_ipv6_conf_all_accept_redirects }}" 41 | when: v_3_3_2_kernel_param.results[0].stdout|bool != item.value 42 | notify: Flush ipv4 route 43 | tags: 44 | - level-1 45 | - section-3 46 | - "3.3.2" 47 | - scored 48 | 49 | - name: 3.3.2 - Get IPv6 redirects value from active kernel parameters 50 | command: "cat {{ item.proc_src }}" 51 | register: v_3_3_2_kernel_param 52 | changed_when: false 53 | with_items: 54 | - "{{ cis_v_3_3_2_ipv6_conf_default_accept_redirects }}" 55 | tags: 56 | - level-1 57 | - section-3 58 | - "3.3.2" 59 | - scored 60 | 61 | - name: 3.3.2 - Displaying value of IPv6 redirects default 62 | debug: 63 | msg: The value for kernel_param_value is {{ v_3_3_2_kernel_param.results[0].stdout }} 64 | 65 | - name: 3.3.2 - Ensure IPv6 redirects are not accepted by active kernel parameters 66 | command: "sysctl -w {{ item.kernel_param }}={{ item.value }}" 67 | with_items: 68 | - "{{ cis_v_3_3_2_ipv6_conf_default_accept_redirects }}" 69 | when: 
v_3_3_2_kernel_param.results[0].stdout|bool != item.value 70 | notify: Flush ipv4 route 71 | tags: 72 | - level-1 73 | - section-3 74 | - "3.3.2" 75 | - scored 76 | -------------------------------------------------------------------------------- /tasks/level-1/3.3.3.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 3.3.3 - Ensure IPv6 is disabled 5 | 6 | - name: 3.3.3 - Check if CIS modprobe configuration file exists 7 | stat: 8 | path: "{{ cis_modprobe_conf_filename }}" 9 | register: modprobe_3_3_3 10 | tags: 11 | - level-1 12 | - section-3 13 | - "3.3.3" 14 | - scored 15 | 16 | - name: 3.3.3 - Ensure IPv6 is disabled 17 | copy: 18 | dest: "{{ cis_modprobe_conf_filename }}" 19 | content: "options ipv6 disable=1\n" 20 | when: modprobe_3_3_3.stat.exists is not defined or not modprobe_3_3_3.stat.exists 21 | tags: 22 | - level-1 23 | - section-3 24 | - "3.3.3" 25 | - scored 26 | 27 | - name: 3.3.3 - Ensure IPv6 is disabled 28 | lineinfile: 29 | dest: "{{ cis_modprobe_conf_filename }}" 30 | regexp: "^options ipv6 disable=" 31 | line: "options ipv6 disable=1" 32 | when: modprobe_3_3_3.stat.exists is defined and modprobe_3_3_3.stat.exists 33 | tags: 34 | - level-1 35 | - section-3 36 | - "3.3.3" 37 | - scored 38 | -------------------------------------------------------------------------------- /tasks/level-1/3.4.1.yml: -------------------------------------------------------------------------------- 1 | # Standards: 1.1.5 2 | --- 3 | 4 | # 3.4.1 Ensure TCP Wrappers is installed 5 | 6 | - name: 3.4.1 - Ensure TCP Wrappers is installed 7 | yum: 8 | name: "tcp_wrappers" 9 | state: latest 10 | tags: 11 | - level-1 12 | - section-3 13 | - "3.4.1" 14 | - scored 15 | - skip_ansible_lint 16 | -------------------------------------------------------------------------------- /tasks/level-1/3.4.2.yml: -------------------------------------------------------------------------------- 1 | # Standards: 1.1.32 2 | 
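---

# 3.4.2 Ensure /etc/hosts.allow is configured
#
# Writes one "ALL: <network>" line per entry of cis_hosts_allow_all_ips.
# A single lineinfile with create=true covers both the "file missing" and
# "file present" cases, so every entry ends up in the file. The earlier
# stat + copy-per-item + lineinfile split overwrote the file on every loop
# iteration of the copy task, leaving only the LAST entry on hosts where
# /etc/hosts.allow did not exist yet.
#
# NOTE(review): sshd on RHEL 7 is linked against libwrap, so this task has to
# be applied before 3.4.3 writes "ALL: ALL" into /etc/hosts.deny, otherwise
# remote SSH sessions are refused. Confirm cis_hosts_allow_all_ips covers the
# management networks before rolling this out.

- name: 3.4.2 - Ensure /etc/hosts.allow is configured
  lineinfile:
    dest: "/etc/hosts.allow"
    line: "ALL: {{ item }}"
    create: true
    owner: root
    group: root
    mode: 0644
  with_items: "{{ cis_hosts_allow_all_ips }}"
  tags:
    - level-1
    - section-3
    - "3.4.2"
    - scored
-------------------------------------------------------------------------------- /tasks/level-1/3.4.3.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 3.4.3 Ensure /etc/hosts.deny is configured
#
# Default-deny for every TCP-wrapped service: "ALL: ALL" in /etc/hosts.deny.
# Only clients matched by /etc/hosts.allow (3.4.2) are accepted, so 3.4.2
# must already have been applied.
#
# The earlier version used stat + copy + lineinfile; the copy branch passed
# "path:" to the copy module, which only knows "dest:", so on hosts without
# an /etc/hosts.deny the task errored and the file was never created.
# lineinfile with create=true replaces all three tasks: it creates the file
# when missing and otherwise rewrites the (last) existing "ALL:" line.

- name: 3.4.3 - Ensure /etc/hosts.deny is configured
  lineinfile:
    dest: "/etc/hosts.deny"
    regexp: "^ALL:"
    line: "ALL: ALL"
    create: true
    owner: root
    group: root
    mode: 0644
  tags:
    - level-1
    - section-3
    - "3.4.3"
    - scored
-------------------------------------------------------------------------------- /tasks/level-1/3.4.4.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 3.4.4 Ensure permissions on /etc/hosts.allow are configured
#
# root:root 0644 - the file must stay world-readable because libwrap reads
# it from inside unprivileged daemons.

- name: 3.4.4 - Ensure permissions on /etc/hosts.allow are configured
  file:
    path: "/etc/hosts.allow"
    owner: root
    group: root
    mode: 0644
  tags:
    - level-1
    - section-3
    - "3.4.4"
    - scored
-------------------------------------------------------------------------------- /tasks/level-1/3.4.5.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 3.4.5 Ensure permissions on /etc/hosts.deny are configured
#
# Same rationale as 3.4.4: root-owned, not writable by anyone else,
# readable by the daemons that consult it.

- name: 3.4.5 - Ensure permissions on /etc/hosts.deny are configured
  file:
    path: "/etc/hosts.deny"
    owner: root
    group: root
    mode: 0644
  tags:
    - level-1
    - section-3
    - "3.4.5"
    - scored
-------------------------------------------------------------------------------- /tasks/level-1/3.5.1.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 3.5.1 - Ensure DCCP is disabled
#
# "install dccp /bin/true" in the shared CIS modprobe file makes any attempt
# to load the dccp module a no-op. The file is created if absent, otherwise
# the line is added/replaced in place.

- name: 3.5.1 - Check if CIS modprobe configuration file exists
  stat:
    path: "{{ cis_modprobe_conf_filename }}"
  register: modprobe_3_5_1
  tags:
    - level-1
    - section-3
    - "3.5.1"
    - not-scored

- name: 3.5.1 - Ensure DCCP is disabled
  copy:
    dest: "{{ cis_modprobe_conf_filename }}"
    content: "install dccp /bin/true\n"
  when: modprobe_3_5_1.stat.exists is not defined or not modprobe_3_5_1.stat.exists
  tags:
    - level-1
    - section-3
    - "3.5.1"
    - not-scored

- name: 3.5.1 -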
Ensure DCCP is disabled 28 | lineinfile: 29 | dest: "{{ cis_modprobe_conf_filename }}" 30 | regexp: "^install dccp\\s+" 31 | line: "install dccp /bin/true" 32 | when: modprobe_3_5_1.stat.exists is defined and modprobe_3_5_1.stat.exists 33 | tags: 34 | - level-1 35 | - section-3 36 | - "3.5.1" 37 | - not-scored 38 | -------------------------------------------------------------------------------- /tasks/level-1/3.5.2.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 3.5.2 - Ensure SCTP is disabled 5 | 6 | - name: 3.5.2 - Check if CIS modprobe configuration file exists 7 | stat: 8 | path: "{{ cis_modprobe_conf_filename }}" 9 | register: modprobe_3_5_2 10 | tags: 11 | - level-1 12 | - section-3 13 | - "3.5.2" 14 | - not-scored 15 | 16 | - name: 3.5.2 - Ensure SCTP is disabled 17 | copy: 18 | dest: "{{ cis_modprobe_conf_filename }}" 19 | content: "install sctp /bin/true\n" 20 | when: modprobe_3_5_2.stat.exists is not defined or not modprobe_3_5_2.stat.exists 21 | tags: 22 | - level-1 23 | - section-3 24 | - "3.5.2" 25 | - not-scored 26 | 27 | - name: 3.5.2 - Ensure SCTP is disabled 28 | lineinfile: 29 | dest: "{{ cis_modprobe_conf_filename }}" 30 | regexp: "^install sctp\\s+" 31 | line: "install sctp /bin/true" 32 | when: modprobe_3_5_2.stat.exists is defined and modprobe_3_5_2.stat.exists 33 | tags: 34 | - level-1 35 | - section-3 36 | - "3.5.2" 37 | - not-scored 38 | 39 | -------------------------------------------------------------------------------- /tasks/level-1/3.5.3.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 3.5.3 - Ensure RDS is disabled 5 | 6 | - name: 3.5.3 - Check if CIS modprobe configuration file exists 7 | stat: 8 | path: "{{ cis_modprobe_conf_filename }}" 9 | register: modprobe_3_5_3 10 | tags: 11 | - level-1 12 | - section-3 13 | - "3.5.3" 14 | - not-scored 15 | 16 | - name: 3.5.3 - Ensure RDS is 
disabled 17 | copy: 18 | dest: "{{ cis_modprobe_conf_filename }}" 19 | content: "install rds /bin/true\n" 20 | when: modprobe_3_5_3.stat.exists is not defined or not modprobe_3_5_3.stat.exists 21 | tags: 22 | - level-1 23 | - section-3 24 | - "3.5.3" 25 | - not-scored 26 | 27 | - name: 3.5.3 - Ensure RDS is disabled 28 | lineinfile: 29 | dest: "{{ cis_modprobe_conf_filename }}" 30 | regexp: "^install rds\\s+" 31 | line: "install rds /bin/true" 32 | when: modprobe_3_5_3.stat.exists is defined and modprobe_3_5_3.stat.exists 33 | tags: 34 | - level-1 35 | - section-3 36 | - "3.5.3" 37 | - not-scored 38 | -------------------------------------------------------------------------------- /tasks/level-1/3.5.4.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 3.5.4 - Ensure TIPC is disabled 5 | 6 | - name: 3.5.4 - Check if CIS modprobe configuration file exists 7 | stat: 8 | path: "{{ cis_modprobe_conf_filename }}" 9 | register: modprobe_3_5_4 10 | tags: 11 | - level-1 12 | - section-3 13 | - "3.5.4" 14 | - not-scored 15 | 16 | - name: 3.5.4 - Ensure TIPC is disabled 17 | copy: 18 | dest: "{{ cis_modprobe_conf_filename }}" 19 | content: "install tipc /bin/true\n" 20 | when: modprobe_3_5_4.stat.exists is not defined or not modprobe_3_5_4.stat.exists 21 | tags: 22 | - level-1 23 | - section-3 24 | - "3.5.4" 25 | - not-scored 26 | 27 | - name: 3.5.4 - Ensure TIPC is disabled 28 | lineinfile: 29 | dest: "{{ cis_modprobe_conf_filename }}" 30 | regexp: "^install tipc\\s+" 31 | line: "install tipc /bin/true" 32 | when: modprobe_3_5_4.stat.exists is defined and modprobe_3_5_4.stat.exists 33 | tags: 34 | - level-1 35 | - section-3 36 | - "3.5.4" 37 | - not-scored 38 | -------------------------------------------------------------------------------- /tasks/level-1/3.6.1.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 3.6.1 Ensure 
firewalld is installed 5 | # NOTE REPLACED IPTABLES WITH FIREWALLD 6 | 7 | - name: 3.6.1 - Ensure firewalld is installed 8 | yum: 9 | name: "{{ cis_firewalld_install.package }}" 10 | state: "{{ cis_firewalld_install.state }}" 11 | with_items: 12 | - "{{ cis_firewalld_install }}" 13 | when: cis_firewalld_install.state == "present" 14 | tags: 15 | - level-1 16 | - section-3 17 | - "3.6.1" 18 | - scored 19 | 20 | - name: 3.6.1 - Ensure firewalld is started 21 | service: 22 | name: "{{ cis_firewalld_install.service }}" 23 | enabled: "{{ cis_firewalld_install.enabled }}" 24 | state: "{{ cis_firewalld_install.rstate }}" 25 | with_items: 26 | - "{{ cis_firewalld_install }}" 27 | when: cis_firewalld_install.state == "present" 28 | tags: 29 | - level-1 30 | - section-3 31 | - "3.6.1" 32 | - scored 33 | -------------------------------------------------------------------------------- /tasks/level-1/3.6.2.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 3.6.2 Ensure default deny firewall policy 5 | 6 | - name: 3.6.2 - Ensure default deny firewall policy 7 | debug: 8 | msg: "WARNING - This check has not been implemented yet." 9 | tags: 10 | - level-1 11 | - section-3 12 | - "3.6.2" 13 | - scored 14 | -------------------------------------------------------------------------------- /tasks/level-1/3.6.3.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 3.6.3 Ensure loopback traffic is configured 5 | 6 | - name: 3.6.3 - Ensure loopback traffic is configured 7 | debug: 8 | msg: "WARNING - This check has not been implemented yet." 
9 | tags: 10 | - level-1 11 | - section-3 12 | - "3.6.3" 13 | - scored 14 | -------------------------------------------------------------------------------- /tasks/level-1/3.6.4.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 3.6.4 Ensure outbound and established connections are configured 5 | 6 | - name: 3.6.4 - Ensure outbound and established connections are configured 7 | debug: 8 | msg: "WARNING - This check has not been implemented yet." 9 | tags: 10 | - level-1 11 | - section-3 12 | - "3.6.4" 13 | - not-scored 14 | -------------------------------------------------------------------------------- /tasks/level-1/3.6.5.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 3.6.5 Ensure firewall rules exist for all open ports 5 | 6 | - name: 3.6.5 - Ensure firewall rules exist for all open ports 7 | debug: 8 | msg: "WARNING - This check has not been implemented yet." 
9 | tags: 10 | - level-1 11 | - section-3 12 | - "3.6.5" 13 | - not-scored 14 | -------------------------------------------------------------------------------- /tasks/level-1/4.2.1.1.yml: -------------------------------------------------------------------------------- 1 | # Standards: 1.1.5 2 | --- 3 | 4 | # 4.2.1.1 Ensure rsyslog Service is enabled 5 | 6 | - name: 4.2.1.1 - Check if rsyslog is installed 7 | yum: 8 | name: rsyslog 9 | state: present 10 | when: cis_enable_rsyslog 11 | # register: rsyslog_4_2_1_1 12 | tags: 13 | - level-1 14 | - section-4 15 | - "4.2.1.1" 16 | - scored 17 | - skip_ansible_lint 18 | 19 | - name: 4.2.1.1 - Ensure rsyslog Service is enabled 20 | service: 21 | name: "rsyslog" 22 | enabled: true 23 | state: started 24 | when: 25 | - cis_enable_rsyslog 26 | # - rsyslog_4_2_1_1.rc is not defined or rsyslog_4_2_1_1.rc == 0 27 | ignore_errors: false 28 | tags: 29 | - level-1 30 | - section-4 31 | - "4.2.1.1" 32 | - scored 33 | -------------------------------------------------------------------------------- /tasks/level-1/4.2.1.2.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 4.2.1.2 Ensure logging is configured 5 | 6 | - name: 4.2.1.2 - Ensure logging is configured 7 | debug: 8 | msg: "WARNING - This check has not been implemented yet." 
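tags:
  - level-1
  - section-4
  - "4.2.1.2"
  - not-scored
  - todo
-------------------------------------------------------------------------------- /tasks/level-1/4.2.1.3.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 4.2.1.3 Ensure rsyslog default file permissions configured
#
# $FileCreateMode is the mode rsyslog gives to log files it creates itself;
# 0640 keeps them unreadable by "other". The directive is inserted at the top
# of /etc/rsyslog.conf so it precedes every rule that may create a file.

- name: 4.2.1.3 - Ensure rsyslog default file permissions configured
  lineinfile:
    regexp: "^\\$FileCreateMode\\s+"
    line: "$FileCreateMode 0640"
    insertbefore: BOF
    dest: "/etc/rsyslog.conf"
  when: cis_enable_rsyslog
  notify:
    - Restart rsyslog
  tags:
    - level-1
    - section-4
    - "4.2.1.3"
    - scored
-------------------------------------------------------------------------------- /tasks/level-1/4.2.1.4.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host
#
# Forwards everything ("*.*") over TCP ("@@") to the central log host.
# Two fixes over the earlier version:
#   * the change now notifies the rsyslog handler - before, the new rule only
#     took effect after some unrelated restart, so forwarding silently stayed
#     off on a freshly configured host;
#   * the task is skipped when cis_rsyslog_remote_loghost_address is empty or
#     undefined, because "*.* @@" with no target is an invalid rule. The skip
#     is deliberate (not a failure) so hosts with no log host defined are not
#     broken - but the scored control is then simply unmet; set the variable.
#
# NOTE(review): lineinfile replaces the LAST line matching the regexp, so an
# existing active "*.* /some/local/file" rule would be hijacked. Forwarding
# is plaintext TCP; rsyslog's omfwd supports TLS but this task does not
# configure it - confirm that matches your transport requirements.

- name: 4.2.1.4 - Ensure rsyslog is configured to send logs to a remote log host
  lineinfile:
    regexp: "^#?\\*\\.\\*\\s+"
    line: "*.* @@{{ cis_rsyslog_remote_loghost_address }}"
    dest: "/etc/rsyslog.conf"
  when:
    - cis_enable_rsyslog
    - (cis_rsyslog_remote_loghost_address | default('', true)) | length > 0
  notify:
    - Restart rsyslog
  tags:
    - level-1
    - section-4
    - "4.2.1.4"
    - scored
-------------------------------------------------------------------------------- /tasks/level-1/4.2.1.5.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 4.2.1.5 Ensure remote rsyslog messages are only accepted on designated log hosts
#
# Designated log hosts (cis_rsyslog_accept_remote_messages=true) get the
# imtcp listener on 514; every other host has any active TCP listener
# removed. The regexps accept both "$ModLoad imtcp" and "$ModLoad imtcp.so"
# and, on the "absent" side, any port. The earlier patterns only matched the
# ".so" spelling (and only port 514), so a host whose rsyslog.conf used the
# bare "imtcp" form - the spelling commonly found in the stock file - kept
# listening and the scored control was not enforced. The "absent" patterns
# deliberately match only active (uncommented) lines, so commented template
# lines are left alone.
#
# NOTE(review): only the legacy "$..." directive syntax is handled. A
# RainerScript listener (module(load="imtcp") / input(type="imtcp" ...)) in
# /etc/rsyslog.conf or /etc/rsyslog.d/*.conf is not detected - audit for it.

- name: 4.2.1.5 - Ensure remote rsyslog messages are only accepted on designated log hosts
  lineinfile:
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    dest: "/etc/rsyslog.conf"
    state: present
  when: cis_enable_rsyslog and cis_rsyslog_accept_remote_messages
  with_items:
    - { regexp: "^#?\\s*\\$ModLoad\\s+imtcp(\\.so)?\\s*$", line: "$ModLoad imtcp.so" }
    - { regexp: "^#?\\s*\\$InputTCPServerRun\\s+", line: "$InputTCPServerRun 514" }
  notify: Restart rsyslog
  tags:
    - level-1
    - section-4
    - "4.2.1.5"
    - scored

- name: 4.2.1.5 - Ensure remote rsyslog messages are not accepted on non-designated log hosts
  lineinfile:
    regexp: "{{ item }}"
    dest: "/etc/rsyslog.conf"
    state: absent
  when: cis_enable_rsyslog and not cis_rsyslog_accept_remote_messages
  with_items:
    - "^\\s*\\$ModLoad\\s+imtcp(\\.so)?\\s*$"
    - "^\\s*\\$InputTCPServerRun\\s+"
  notify: Restart rsyslog
  tags:
    - level-1
    - section-4
    - "4.2.1.5"
    - scored

-------------------------------------------------------------------------------- /tasks/level-1/4.2.2.1.yml: --------------------------------------------------------------------------------
# Standards: 1.1.5
---

# 4.2.2.1 Ensure syslog-ng service is enabled
#
# Installs syslog-ng and makes sure the service is enabled and running,
# mirroring 4.2.1.1 for rsyslog. The earlier version additionally gated the
# service task on syslog_ng_4_2_2_1.rc, a variable that was never registered
# (the command task that set it is commented out); that dead condition is
# dropped.

- name: 4.2.2.1 - Check if syslog-ng is installed
  yum:
    name: syslog-ng
    state: present
  when: cis_enable_syslog_ng
  tags:
    - level-1
    - section-4
    - "4.2.2.1"
    - scored
    - skip_ansible_lint

- name: 4.2.2.1 - Ensure syslog-ng service is enabled
  service:
    name: "syslog-ng"
    enabled: true
    state: started
  when: cis_enable_syslog_ng
  tags:
    - level-1
    - section-4
    - "4.2.2.1"
    - scored
-------------------------------------------------------------------------------- /tasks/level-1/4.2.2.2.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 4.2.2.2 Ensure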
logging is configured 5 | 6 | - name: 4.2.2.2 - Ensure logging is configured 7 | debug: 8 | msg: "WARNING - This check has not been implemented yet." 9 | tags: 10 | - level-1 11 | - section-4 12 | - "4.2.2.2" 13 | - not-scored 14 | - todo 15 | -------------------------------------------------------------------------------- /tasks/level-1/4.2.2.3.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 4.2.2.3 Ensure syslog-ng default file permissions configured 5 | 6 | - name: 4.2.2.3 - Ensure syslog-ng default file permissions configured 7 | debug: 8 | msg: "WARNING - This check has not been implemented yet." 9 | tags: 10 | - level-1 11 | - section-4 12 | - "4.2.2.3" 13 | - scored 14 | - todo 15 | -------------------------------------------------------------------------------- /tasks/level-1/4.2.2.4.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 4.2.2.4 Ensure syslog-ng is configured to send logs to a remote log host 5 | 6 | - name: 4.2.2.4 - Ensure syslog-ng is configured to send logs to a remote log host 7 | debug: 8 | msg: "WARNING - This check has not been implemented yet." 9 | tags: 10 | - level-1 11 | - section-4 12 | - "4.2.2.4" 13 | - not-scored 14 | - todo 15 | -------------------------------------------------------------------------------- /tasks/level-1/4.2.2.5.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 4.2.2.5 Ensure remote syslog-ng messages are only accepted on designated log hosts 5 | 6 | - name: 4.2.2.5 - Ensure remote syslog-ng messages are only accepted on designated log hosts 7 | debug: 8 | msg: "WARNING - This check has not been implemented yet." 
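tags:
  - level-1
  - section-4
  - "4.2.2.5"
  - not-scored
  - todo
-------------------------------------------------------------------------------- /tasks/level-1/4.2.3.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 4.2.3 Ensure rsyslog or syslog-ng is installed
#
# Exactly one syslog daemon should be present: whichever of
# cis_enable_rsyslog / cis_enable_syslog_ng is set selects it and the other
# package is removed. If both flags are true, or both false, neither task
# runs and the host is left untouched.

- name: 4.2.3 - Ensure rsyslog is installed
  yum:
    name: "{{ item.name }}"
    state: "{{ item.state }}"
  when: cis_enable_rsyslog and not cis_enable_syslog_ng
  with_items:
    - { name: "rsyslog", state: "present" }
    - { name: "syslog-ng", state: "absent" }
  tags:
    - level-1
    - section-4
    - "4.2.3"
    - scored

- name: 4.2.3 - Ensure syslog-ng is installed
  yum:
    name: "{{ item.name }}"
    state: "{{ item.state }}"
    enablerepo: epel  # syslog-ng is shipped by EPEL, not the base repositories
  when: cis_enable_syslog_ng and not cis_enable_rsyslog
  with_items:
    - { name: "rsyslog", state: "absent" }
    - { name: "syslog-ng", state: "present" }
  tags:
    - level-1
    - section-4
    - "4.2.3"
    - scored
-------------------------------------------------------------------------------- /tasks/level-1/4.2.4.yml: --------------------------------------------------------------------------------
# Standards: 1.1.21
---

# 4.2.4 Ensure permissions on all logfiles are configured
#
# CIS remediation: find /var/log -type f -exec chmod g-wx,o-rwx "{}" +
#
# The earlier version applied mode 0730 (owner rwx, group wx, other none) to
# every file. That made the logs group-WRITABLE while taking group read away,
# and set execute bits on data files - the opposite of what the control asks
# for. The symbolic mode below only strips group write/execute and all of
# "other", so files that are deliberately 0600 or 0640 keep those modes.
#
# The find module replaces "shell: find /var/log -type f"; hidden=true is
# needed because, unlike find(1), the module skips dotfiles by default.

- name: 4.2.4 - Find logfiles in /var/log
  find:
    paths: /var/log
    recurse: true
    file_type: file
    hidden: true
  register: find_logfiles_4_2_4
  tags:
    - level-1
    - section-4
    - "4.2.4"
    - scored

- name: 4.2.4 - Ensure permissions on all logfiles are configured appropriately
  file:
    path: "{{ item.path }}"
    mode: "g-wx,o-rwx"
  with_items: "{{ find_logfiles_4_2_4.files }}"
  loop_control:
    label: "{{ item.path }}"
  tags:
    - level-1
    - section-4
    - "4.2.4"
    - scored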
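-------------------------------------------------------------------------------- /tasks/level-1/4.3.yml: --------------------------------------------------------------------------------
# Standards: 1.1.25
---

# 4.3 - Ensure logrotate is configured
#
# Installs the role's logrotate.conf template (backup of the previous file is
# kept). The task was tagged "2.2.1.2" - a copy-paste from another control -
# which made "--tags 4.3" skip it; it now carries its own control id.

- name: 4.3 - Install logrotate configuration
  template:
    src: templates/logrotate.conf.j2
    dest: /etc/logrotate.conf
    mode: 0644
    owner: root
    group: root
    backup: true
  tags:
    - level-1
    - section-4
    - "4.3"
    - not-scored
-------------------------------------------------------------------------------- /tasks/level-1/5.1.1.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.1.1 Ensure cron daemon is enabled
#
# cronie provides crond on RHEL/CentOS 7; the service is enabled at boot and
# started now.

- name: 5.1.1 - Ensure cron is installed
  yum:
    name: cronie
    state: present
  tags:
    - level-1
    - section-5
    - "5.1.1"
    - scored

- name: 5.1.1 - Ensure cron daemon is enabled
  service:
    name: "crond"
    enabled: true
    state: started
  tags:
    - level-1
    - section-5
    - "5.1.1"
    - scored
-------------------------------------------------------------------------------- /tasks/level-1/5.1.2.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.1.2 Ensure permissions on /etc/crontab are configured
#
# /etc/crontab is a regular file: root:root 0600 (CIS: chmod og-rwx).

- name: 5.1.2 - Ensure permissions on /etc/crontab are configured
  file:
    path: "/etc/crontab"
    owner: root
    group: root
    mode: 0600
  tags:
    - level-1
    - section-5
    - "5.1.2"
    - scored
-------------------------------------------------------------------------------- /tasks/level-1/5.1.3.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.1.3 Ensure permissions on /etc/cron.hourly are configured
#
# /etc/cron.hourly is a DIRECTORY. The CIS remediation is "chmod og-rwx",
# which leaves the owner bits (rwx) alone and yields 0700. The earlier mode
# 0600 also dropped the owner execute bit, making the directory
# non-traversable for anyone but root (root ignores DAC, so crond kept
# working, but the mode was wrong and any non-root tooling that lists the
# directory fails). state=directory makes the intent explicit.

- name: 5.1.3 - Ensure permissions on /etc/cron.hourly are configured
  file:
    path: "/etc/cron.hourly"
    state: directory
    owner: root
    group: root
    mode: 0700
  tags:
    - level-1
    - section-5
    - "5.1.3"
    - scored
-------------------------------------------------------------------------------- /tasks/level-1/5.1.4.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.1.4 Ensure permissions on /etc/cron.daily are configured
#
# Directory, so root:root 0700 (og-rwx with owner execute kept), see 5.1.3.

- name: 5.1.4 - Ensure permissions on /etc/cron.daily are configured
  file:
    path: "/etc/cron.daily"
    state: directory
    owner: root
    group: root
    mode: 0700
  tags:
    - level-1
    - section-5
    - "5.1.4"
    - scored
-------------------------------------------------------------------------------- /tasks/level-1/5.1.5.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.1.5 Ensure permissions on /etc/cron.weekly are configured
#
# Directory, so root:root 0700 (og-rwx with owner execute kept), see 5.1.3.

- name: 5.1.5 - Ensure permissions on /etc/cron.weekly are configured
  file:
    path: "/etc/cron.weekly"
    state: directory
    owner: root
    group: root
    mode: 0700
  tags:
    - level-1
    - section-5
    - "5.1.5"
    - scored
-------------------------------------------------------------------------------- /tasks/level-1/5.1.6.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.1.6 Ensure permissions on /etc/cron.monthly are configured
#
# Directory, so root:root 0700 (og-rwx with owner execute kept), see 5.1.3.
# The tag was "section-6" by mistake; this is a section-5 control.

- name: 5.1.6 - Ensure permissions on /etc/cron.monthly are configured
  file:
    path: "/etc/cron.monthly"
    state: directory
    owner: root
    group: root
    mode: 0700
  tags:
    - level-1
    - section-5
    - "5.1.6"
    - scored
-------------------------------------------------------------------------------- /tasks/level-1/5.1.7.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.1.7 Ensure permissions on /etc/cron.d are configured
#
# Directory, so root:root 0700 (og-rwx with owner execute kept), see 5.1.3.

- name: 5.1.7 - Ensure permissions on /etc/cron.d are configured
  file:
    path: "/etc/cron.d"
    state: directory
    owner: root
    group: root
    mode: 0700
  tags:
    - level-1
    - section-5
    - "5.1.7"
    - scored
-------------------------------------------------------------------------------- /tasks/level-1/5.1.8.yml: --------------------------------------------------------------------------------
# Standards: 1.1.21
---

# 5.1.8 Ensure at/cron is restricted to authorized users
#
# Allow-list model: the *.deny files are removed and the *.allow files must
# exist, root-owned and 0600. cronie and at then only admit users listed in
# the allow file (an empty file admits nobody; root is not subject to the
# check - confirm against the at/cron versions in use).
#
# The earlier version only set permissions on allow files that already
# existed, so on a host that had neither file the scored audit ("verify
# /etc/cron.allow and /etc/at.allow exist") still failed. Missing files are
# now created empty; the stat guard keeps the touch idempotent.

- name: 5.1.8 - Ensure /etc/cron.deny and /etc/at.deny do not exist
  file:
    path: "{{ item }}"
    state: absent
  with_items:
    - "/etc/at.deny"
    - "/etc/cron.deny"
  tags:
    - level-1
    - section-5
    - "5.1.8"
    - scored

- name: 5.1.8 - Check whether /etc/at.allow and /etc/cron.allow exist
  stat:
    path: "{{ item }}"
  register: allow_files_5_1_8
  with_items:
    - "/etc/at.allow"
    - "/etc/cron.allow"
  tags:
    - level-1
    - section-5
    - "5.1.8"
    - scored

- name: 5.1.8 - Create missing /etc/at.allow and /etc/cron.allow
  file:
    path: "{{ item.item }}"
    state: touch
    owner: root
    group: root
    mode: 0600
  when: not item.stat.exists
  with_items: "{{ allow_files_5_1_8.results }}"
  loop_control:
    label: "{{ item.item }}"
  tags:
    - level-1
    - section-5
    - "5.1.8"
    - scored

- name: 5.1.8 - Ensure at/cron allow files are restricted to root
  file:
    path: "{{ item }}"
    state: file
    owner: root
    group: root
    mode: 0600
  with_items:
    - "/etc/at.allow"
    - "/etc/cron.allow"
  tags:
    - level-1
    - section-5
    - "5.1.8"
    - scored
--------------------------------------------------------------------------------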
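/tasks/level-1/5.2.1.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured

# Registers `sshd_config` (a stat result) so the sshd tasks are skipped on
# hosts that have no sshd_config at all.
- include: stat_sshd_config.yml
  tags:
    - level-1
    - section-5
    - "5.2.1"
    - scored

- name: 5.2.1 - Ensure permissions on /etc/ssh/sshd_config are configured
  file:
    path: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: 0600
  when: sshd_config.stat.exists
  tags:
    - level-1
    - section-5
    - "5.2.1"
    - scored
--------------------------------------------------------------------------------
/tasks/level-1/5.2.10.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.2.10 - Ensure SSH PermitUserEnvironment is disabled

- include: stat_sshd_config.yml
  tags:
    - level-1
    - section-5
    - "5.2.10"
    - scored

- name: 5.2.10 - Ensure SSH PermitUserEnvironment is disabled
  lineinfile:
    regexp: "^PermitUserEnvironment\\s+"
    line: "PermitUserEnvironment no"
    dest: "/etc/ssh/sshd_config"
    # Syntax-check the candidate file before it replaces the live one. When the
    # directive exists only commented out, lineinfile appends at EOF, which
    # lands inside a trailing "Match" block if the host has one; validate turns
    # that into a task failure instead of an sshd that refuses to restart.
    validate: "/usr/sbin/sshd -t -f %s"
  when: sshd_config.stat.exists
  notify:
    - Restart sshd
  tags:
    - level-1
    - section-5
    - "5.2.10"
    - scored
--------------------------------------------------------------------------------
/tasks/level-1/5.2.11.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.2.11 - Ensure only approved ciphers are used

- include: stat_sshd_config.yml
  tags:
    - level-1
    - section-5
    - "5.2.11"
    - scored

# Cipher list comes from cis_sshd_ciphers (defaults/main.yml); validate rejects
# the edit if the local OpenSSH does not know one of the names.
- name: 5.2.11 - Ensure only approved ciphers are used
  lineinfile:
    regexp: "^Ciphers\\s+"
    line: "Ciphers {{ cis_sshd_ciphers }}"
    dest: "/etc/ssh/sshd_config"
    validate: "/usr/sbin/sshd -t -f %s"   # syntax-check before replacing the live file
  when: sshd_config.stat.exists
  notify:
    - Restart sshd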
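# (continues the 5.2.11 lineinfile task from the previous line)
  tags:
    - level-1
    - section-5
    - "5.2.11"
    - scored
--------------------------------------------------------------------------------
/tasks/level-1/5.2.12.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.2.12 - Ensure only approved MAC algorithms are used

- include: stat_sshd_config.yml
  tags:
    - level-1
    - section-5
    - "5.2.12"
    - scored

# MAC list comes from cis_sshd_macs; validate rejects the edit if the local
# OpenSSH does not know one of the names.
- name: 5.2.12 - Ensure only approved MAC algorithms are used
  lineinfile:
    regexp: "^MACs\\s+"
    line: "MACs {{ cis_sshd_macs }}"
    dest: "/etc/ssh/sshd_config"
    validate: "/usr/sbin/sshd -t -f %s"   # syntax-check before replacing the live file
  when: sshd_config.stat.exists
  notify:
    - Restart sshd
  tags:
    - level-1
    - section-5
    - "5.2.12"
    - scored
--------------------------------------------------------------------------------
/tasks/level-1/5.2.13.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.2.13 - Ensure SSH Idle Timeout Interval is configured

- include: stat_sshd_config.yml
  tags:
    - level-1
    - section-5
    - "5.2.13"
    - scored

- name: 5.2.13 - Ensure SSH Client Alive Interval is configured
  lineinfile:
    regexp: "^ClientAliveInterval\\s+"
    line: "ClientAliveInterval {{ cis_sshd_client_alive_interval }}"
    dest: "/etc/ssh/sshd_config"
    validate: "/usr/sbin/sshd -t -f %s"   # syntax-check before replacing the live file
  when: sshd_config.stat.exists
  notify:
    - Restart sshd
  tags:
    - level-1
    - section-5
    - "5.2.13"
    - scored

- name: 5.2.13 - Ensure SSH Client Alive Count Max is configured
  lineinfile:
    regexp: "^ClientAliveCountMax\\s+"
    line: "ClientAliveCountMax {{ cis_sshd_client_alive_count_max }}"
    dest: "/etc/ssh/sshd_config"
    validate: "/usr/sbin/sshd -t -f %s"   # syntax-check before replacing the live file
  when: sshd_config.stat.exists
  notify:
    - Restart sshd
  tags:
    - level-1
    - section-5
    - "5.2.13"
    - scored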
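--------------------------------------------------------------------------------
/tasks/level-1/5.2.14.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.2.14 - Ensure SSH LoginGraceTime is set to one minute or less

- include: stat_sshd_config.yml
  tags:
    - level-1
    - section-5
    - "5.2.14"
    - scored

- name: 5.2.14 - Ensure SSH LoginGraceTime is set to one minute or less
  lineinfile:
    regexp: "^LoginGraceTime\\s+"
    line: "LoginGraceTime {{ cis_sshd_login_grace_time }}"
    dest: "/etc/ssh/sshd_config"
    validate: "/usr/sbin/sshd -t -f %s"   # syntax-check before replacing the live file
  when: sshd_config.stat.exists
  notify:
    - Restart sshd
  tags:
    - level-1
    - section-5
    - "5.2.14"
    - scored
--------------------------------------------------------------------------------
/tasks/level-1/5.2.15.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.2.15 Ensure SSH access is limited

- include: stat_sshd_config.yml
  tags:
    - level-1
    - section-5
    - "5.2.15"
    - scored

# Each Allow*/Deny* directive is written only when its variable is defined and
# non-blank, so an unset variable leaves the host's existing setting alone.
# Unlike the other 5.2.x regexps these match a commented-out directive too
# ("^#?"), replacing it in place rather than appending a second copy.
- name: 5.2.15 - Configure SSH AllowUsers
  lineinfile:
    regexp: "^#?AllowUsers\\s+"
    line: "AllowUsers {{ cis_sshd_allow_users }}"
    dest: "/etc/ssh/sshd_config"
    validate: "/usr/sbin/sshd -t -f %s"   # syntax-check before replacing the live file
  when:
    - sshd_config.stat.exists
    - cis_sshd_allow_users is defined and cis_sshd_allow_users|trim != ""
  notify: Restart sshd
  tags:
    - level-1
    - section-5
    - "5.2.15"
    - scored

- name: 5.2.15 - Configure SSH AllowGroups
  lineinfile:
    regexp: "^#?AllowGroups\\s+"
    line: "AllowGroups {{ cis_sshd_allow_groups }}"
    dest: "/etc/ssh/sshd_config"
    validate: "/usr/sbin/sshd -t -f %s"   # syntax-check before replacing the live file
  when:
    - sshd_config.stat.exists
    - cis_sshd_allow_groups is defined and cis_sshd_allow_groups|trim != ""
  notify: Restart sshd
  tags:
    - level-1
    - section-5
    - "5.2.15"
    - scored

- name: 5.2.15 - Configure SSH DenyUsers
  lineinfile:
    regexp: "^#?DenyUsers\\s+"
    line: "DenyUsers {{ cis_sshd_deny_users }}"
    dest: "/etc/ssh/sshd_config"
    validate: "/usr/sbin/sshd -t -f %s"   # syntax-check before replacing the live file
  when:
    - sshd_config.stat.exists
    - cis_sshd_deny_users is defined and cis_sshd_deny_users|trim != ""
  notify: Restart sshd
  tags:
    - level-1
    - section-5
    - "5.2.15"
    - scored

- name: 5.2.15 - Configure SSH DenyGroups
  lineinfile:
    regexp: "^#?DenyGroups\\s+"
    line: "DenyGroups {{ cis_sshd_deny_groups }}"
    dest: "/etc/ssh/sshd_config"
    validate: "/usr/sbin/sshd -t -f %s"   # syntax-check before replacing the live file
  when:
    - sshd_config.stat.exists
    - cis_sshd_deny_groups is defined and cis_sshd_deny_groups|trim != ""
  notify: Restart sshd
  tags:
    - level-1
    - section-5
    - "5.2.15"
    - scored
--------------------------------------------------------------------------------
/tasks/level-1/5.2.16.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.2.16 - Ensure SSH warning banner is configured

- include: stat_sshd_config.yml
  tags:
    - level-1
    - section-5
    - "5.2.16"
    - scored

# Only points sshd at the banner file named by cis_sshd_banner; the file's
# contents are not managed here.
- name: 5.2.16 - Ensure SSH warning banner is configured
  lineinfile:
    regexp: "^Banner\\s+"
    line: "Banner {{ cis_sshd_banner }}"
    dest: "/etc/ssh/sshd_config"
    validate: "/usr/sbin/sshd -t -f %s"   # syntax-check before replacing the live file
  when: sshd_config.stat.exists
  notify:
    - Restart sshd
  tags:
    - level-1
    - section-5
    - "5.2.16"
    - scored
--------------------------------------------------------------------------------
/tasks/level-1/5.2.2.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.2.2 - Ensure SSH Protocol is set to 2

- include: stat_sshd_config.yml
  tags:
    - level-1
    - section-5
    - "5.2.2"
    - scored

- name: 5.2.2 - Ensure SSH Protocol is set to 2
  lineinfile:
    regexp: "^Protocol\\s+"
    line: "Protocol 2"
    dest: "/etc/ssh/sshd_config"
    validate: "/usr/sbin/sshd -t -f %s"   # syntax-check before replacing the live file
  notify: "Restart sshd"
  when: sshd_config.stat.exists
  tags:
    - level-1
    - section-5
    - "5.2.2"
    - scored
--------------------------------------------------------------------------------
/tasks/level-1/5.2.3.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.2.3 - Ensure SSH LogLevel is set to INFO

- include: stat_sshd_config.yml
  tags:
    - level-1
    - section-5
    - "5.2.3"
    - scored

- name: 5.2.3 - Ensure SSH LogLevel is set to INFO
  lineinfile:
    regexp: "^LogLevel\\s+"
    line: "LogLevel INFO"
    dest: "/etc/ssh/sshd_config"
    validate: "/usr/sbin/sshd -t -f %s"   # syntax-check before replacing the live file
  when: sshd_config.stat.exists
  notify:
    - Restart sshd
  tags:
    - level-1
    - section-5
    - "5.2.3"
    - scored
--------------------------------------------------------------------------------
/tasks/level-1/5.2.4.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.2.4 - Ensure SSH X11 forwarding is disabled

- include: stat_sshd_config.yml
  tags:
    - level-1
    - section-5
    - "5.2.4"
    - scored

- name: 5.2.4 - Ensure SSH X11 forwarding is disabled
  lineinfile:
    regexp: "^X11Forwarding\\s+"
    line: "X11Forwarding no"
    dest: "/etc/ssh/sshd_config"
    validate: "/usr/sbin/sshd -t -f %s"   # syntax-check before replacing the live file
  when: sshd_config.stat.exists
  notify:
    - Restart sshd
  tags:
    - level-1
    - section-5
    - "5.2.4"
    - scored
--------------------------------------------------------------------------------
/tasks/level-1/5.2.5.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.2.5 - Ensure SSH MaxAuthTries is set to 4 or less

- include: stat_sshd_config.yml
  tags:
    - level-1
    - section-5
    - "5.2.5"
    - scored

- name: 5.2.5 - Ensure SSH MaxAuthTries is set to 4 or less
  lineinfile:
    regexp: "^MaxAuthTries\\s+"
    line: "MaxAuthTries {{ cis_sshd_max_auth_tries }}"
    dest: "/etc/ssh/sshd_config"
    validate: "/usr/sbin/sshd -t -f %s"   # syntax-check before replacing the live file
  when: sshd_config.stat.exists
  notify:
    - Restart sshd
  tags:
    - level-1
    - section-5
    - "5.2.5"
    - scored
--------------------------------------------------------------------------------
/tasks/level-1/5.2.6.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.2.6 - Ensure SSH IgnoreRhosts is enabled

- include: stat_sshd_config.yml
  tags:
    - level-1
    - section-5
    - "5.2.6"
    - scored

- name: 5.2.6 - Ensure SSH IgnoreRhosts is enabled
  lineinfile:
    regexp: "^IgnoreRhosts\\s+"
    line: "IgnoreRhosts yes"
    dest: "/etc/ssh/sshd_config"
    validate: "/usr/sbin/sshd -t -f %s"   # syntax-check before replacing the live file
  when: sshd_config.stat.exists
  notify:
    - Restart sshd
  tags:
    - level-1
    - section-5
    - "5.2.6"
    - scored
--------------------------------------------------------------------------------
/tasks/level-1/5.2.7.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.2.7 - Ensure SSH HostbasedAuthentication is disabled

- include: stat_sshd_config.yml
  tags:
    - level-1
    - section-5
    - "5.2.7"
    - scored

- name: 5.2.7 - Ensure SSH HostbasedAuthentication is disabled
  lineinfile:
    regexp: "^HostbasedAuthentication\\s+"
    line: "HostbasedAuthentication no"
    dest: "/etc/ssh/sshd_config"
    validate: "/usr/sbin/sshd -t -f %s"   # syntax-check before replacing the live file
  when: sshd_config.stat.exists
  notify:
    - Restart sshd
  tags:
    - level-1
    - section-5
    - "5.2.7"
    - scored
--------------------------------------------------------------------------------
/tasks/level-1/5.2.8.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---
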
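# 5.2.8 - Ensure SSH root login is disabled

- include: stat_sshd_config.yml
  tags:
    - level-1
    - section-5
    - "5.2.8"
    - scored

- name: 5.2.8 - Ensure SSH root login is disabled
  lineinfile:
    regexp: "^PermitRootLogin\\s+"
    line: "PermitRootLogin no"
    dest: "/etc/ssh/sshd_config"
    # Syntax-check the candidate file before it replaces the live one; an edit
    # that sshd cannot parse fails the task instead of breaking the next restart.
    validate: "/usr/sbin/sshd -t -f %s"
  when: sshd_config.stat.exists
  notify:
    - Restart sshd
  tags:
    - level-1
    - section-5
    - "5.2.8"
    - scored
--------------------------------------------------------------------------------
/tasks/level-1/5.2.9.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.2.9 - Ensure SSH PermitEmptyPasswords is disabled

- include: stat_sshd_config.yml
  tags:
    - level-1
    - section-5
    - "5.2.9"
    - scored

- name: 5.2.9 - Ensure SSH PermitEmptyPasswords is disabled
  lineinfile:
    regexp: "^PermitEmptyPasswords\\s+"
    line: "PermitEmptyPasswords no"
    dest: "/etc/ssh/sshd_config"
    validate: "/usr/sbin/sshd -t -f %s"   # syntax-check before replacing the live file
  when: sshd_config.stat.exists
  notify:
    - Restart sshd
  tags:
    - level-1
    - section-5
    - "5.2.9"
    - scored
--------------------------------------------------------------------------------
/tasks/level-1/5.3.1.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.3.1 Ensure password creation requirements are configured

# Writes one pwquality setting per item; values come from the cis_pwquality_*
# variables. The regexps accept optional whitespace around "=" and after "#",
# because the stock pwquality.conf lists its defaults as "# minlen = 8": the
# earlier "^#?minlen=" form matched neither that nor an uncommented
# "minlen = N", so a second, competing line was appended instead of the
# existing one being replaced.
- name: 5.3.1 - Ensure password creation requirements are configured
  lineinfile:
    dest: "/etc/security/pwquality.conf"
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
    create: yes
  with_items:
    - { regexp: "^#?\\s*minlen\\s*=", line: "minlen={{ cis_pwquality_minlen }}" }
    - { regexp: "^#?\\s*dcredit\\s*=", line: "dcredit={{ cis_pwquality_dcredit }}" }
    - { regexp: "^#?\\s*ucredit\\s*=", line: "ucredit={{ cis_pwquality_ucredit }}" }
    - { regexp: "^#?\\s*ocredit\\s*=", line: "ocredit={{ cis_pwquality_ocredit }}" }
    - { regexp: "^#?\\s*lcredit\\s*=", line: "lcredit={{ cis_pwquality_lcredit }}" }
  tags:
    - level-1
    - section-5
    - "5.3.1"
    - scored
--------------------------------------------------------------------------------
/tasks/level-1/5.3.2.yml:
--------------------------------------------------------------------------------
# Standards: 1.1.35
---

# 5.3.2 Ensure lockout for failed password attempts is configured
# authconfig is needed by the link step below and by 5.3.4. This task carried
# no tags, so any tag-filtered run (e.g. --tags level-1) skipped it while
# still running the tasks that depend on it.
- name: 5.3.2 and 5.3.3 - Ensure authconfig is installed for linking and later command running
  yum:
    name: authconfig
    state: present
  tags:
    - level-1
    - section-5
    - "5.3.2"
    - scored

# Deploys the role's PAM stacks as *-local files (backup kept).
- name: 5.3.2 and 5.3.3 - Ensure lockout for failed login attempts and password history - for password-auth and system-auth
  template:
    src: 'templates/{{ item.src }}'
    dest: '/etc/pam.d/{{ item.dest }}'
    owner: root
    group: root
    mode: 0644
    backup: yes
  with_items:
    - { src: 'password-auth-local.j2', dest: 'password-auth-local' }
    - { src: 'system-auth-local.j2', dest: 'system-auth-local' }
  tags:
    - level-1
    - section-5
    - "5.3.2"
    - scored

# NOTE(review): the links point at the authconfig-generated *-ac files, not at
# the *-local files deployed just above, so the templates do not appear to be
# on the active PAM path unless something outside this role re-points the
# links — confirm the intended target before relying on this control.
- name: 5.3.2 and 5.3.3 - Link password|system-auth-local to password|system-auth
  file:
    src: '/etc/pam.d/{{ item.src }}'
    dest: '/etc/pam.d/{{ item.dest }}'
    owner: root
    group: root
    state: link
  with_items:
    - { src: 'password-auth-ac', dest: 'password-auth' }
    - { src: 'system-auth-ac', dest: 'system-auth' }
  tags:
    - level-1
    - section-5
    - "5.3.2"
    - scored
--------------------------------------------------------------------------------
/tasks/level-1/5.3.3.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.3.3 Ensure password reuse is limited

# Placeholder only. 5.3.2's task names claim to cover 5.3.3 via the PAM
# templates; whether they set a remember= value cannot be seen from here.
- name: 5.3.3 - Ensure password reuse is limited
  debug:
    msg: "WARNING - This check has not been implemented yet."
  tags:
    - level-1
    - section-5
    - "5.3.3"
    - scored
    - todo
--------------------------------------------------------------------------------
/tasks/level-1/5.3.4.yml:
--------------------------------------------------------------------------------
# Standards: 1.1.34
---

# 5.3.4 Ensure password hashing algorithm is SHA-512

# awk exits 0 whether or not it matches, so the result is carried in stdout:
# empty when no line of password-auth mentions sha512.
- name: 5.3.4 - Check password hashing algorithm is SHA-512
  command: awk /sha512/ /etc/pam.d/password-auth
  register: sha512_check
  changed_when: false
  tags:
    - level-1
    - section-5
    - "5.3.4"
    - scored

# The original guard was `sha512_check.stdout is undefined`; the command module
# always defines stdout (possibly empty), so the remediation never ran.
- name: 5.3.4 - Ensure password hashing algorithm is SHA-512
  command: "authconfig --update --passalgo=sha512"
  when: sha512_check.stdout == ""
  changed_when: true   # only runs when the check above found nothing, i.e. a real change
  tags:
    - level-1
    - section-5
    - "5.3.4"
    - scored

# NOTE(review): this regenerates the authconfig-managed *-ac files on every run
# and reports no change; since 5.3.2 links password-auth/system-auth to those
# files, anything not expressible through authconfig is rewritten away here —
# confirm this is intended.
- name: 5.3.4 - Ensure all password configuration is up to date
  command: "authconfig --updateall"
  changed_when: false
  tags:
    - level-1
    - section-5
    - "5.3.4"
    - scored
--------------------------------------------------------------------------------
/tasks/level-1/5.4.1.1.yml:
--------------------------------------------------------------------------------
# Standards: 1.1.5
---

# 5.4.1.1 Ensure password expiration is 90 days or less

# Accounts whose shadow password field is neither locked ("!") nor disabled
# ("*"); runs in check mode too so the list exists for the tasks below.
- name: 5.4.1.1 - Obtain a list of user accounts
  shell: "egrep ^[^:]+:[^\\!*] /etc/shadow | cut -d: -f1"
  register: egrep_5_4_1_1
  check_mode: no
  changed_when: False
  tags:
    - level-1
    - section-5
    - "5.4.1.1"
    - scored
    - skip_ansible_lint

# Default for accounts created from now on.
- name: 5.4.1.1 - Ensure password expiration is 90 days or less
  lineinfile:
    dest: "/etc/login.defs"
    regexp: "^PASS_MAX_DAYS\\s+"
    line: "PASS_MAX_DAYS {{ cis_pass_max_days }}"
  tags:
    - level-1
    - section-5
    - "5.4.1.1"
    - scored

# Existing accounts. changed_when: false hides any real change from the play
# summary; chage itself is idempotent.
- name: 5.4.1.1 - Set password expiration for all user accounts
  shell: "chage --maxdays {{ cis_pass_max_days }} {{ item }}"
  with_items:
    - "{{ egrep_5_4_1_1.stdout_lines|default([]) }}"
  changed_when: false
  tags:
    - level-1
    - section-5
    - "5.4.1.1"
    - scored
    - skip_ansible_lint
--------------------------------------------------------------------------------
/tasks/level-1/5.4.1.2.yml:
--------------------------------------------------------------------------------
# Standards: 1.1.22
---

# 5.4.1.2 Ensure minimum days between password changes is 7 or more

# NOTE(review): the list gathered here is unused — the chage task that would
# consume it is commented out below, so existing accounts keep their current
# minimum-age setting and only login.defs is enforced.
- name: 5.4.1.2 - Obtain a list of user accounts
  shell: "egrep ^[^:]+:[^\\!*] /etc/shadow | cut -d: -f1"
  register: egrep_5_4_1_2
  check_mode: no
  changed_when: False
  tags:
    - level-1
    - section-5
    - "5.4.1.2"
    - scored
    - skip_ansible_lint

- name: 5.4.1.2 - Ensure minimum days between password changes is 7 or more
  lineinfile:
    dest: "/etc/login.defs"
    regexp: "^PASS_MIN_DAYS\\s+"
    line: "PASS_MIN_DAYS {{ cis_pass_min_days }}"
  tags:
    - level-1
    - section-5
    - "5.4.1.2"
    - scored

#- name: 5.4.1.2 - Display the users where chage will address
#  debug:
#    msg: Users are - {{ egrep_5_4_1_2.stdout }}
#  tags:
#    - level-1
#    - section-5
#    - "5.4.1.2"
#    - scored

#- name: 5.4.1.2 - Set minimum password change interval for all user accounts with passwords
#  shell: "chage --mindays {{ cis_pass_min_days }} {{ item }}"
#  with_items:
#    - "{{ egrep_5_4_1_2.stdout_lines|default([]) }}"
#  when: egrep_5_4_1_2.stdout != ""
#  changed_when: false
#  tags:
#    - level-1
#    - section-5
#    - "5.4.1.2"
#    - scored
#    - skip_ansible_lint
--------------------------------------------------------------------------------
/tasks/level-1/5.4.1.3.yml: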
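--------------------------------------------------------------------------------
# Standards: 1.1.5
---

# 5.4.1.3 Ensure password expiration warning days is 7 or more

# Accounts whose shadow password field is neither locked ("!") nor disabled ("*").
- name: 5.4.1.3 - Obtain a list of user accounts
  shell: "egrep ^[^:]+:[^\\!*] /etc/shadow | cut -d: -f1"
  register: egrep_5_4_1_3
  check_mode: no
  changed_when: False
  tags:
    - level-1
    - section-5
    - "5.4.1.3"
    - scored
    - skip_ansible_lint

# Default for accounts created from now on.
- name: 5.4.1.3 - Ensure password expiration warning days is 7 or more
  lineinfile:
    dest: "/etc/login.defs"
    regexp: "^PASS_WARN_AGE\\s+"
    line: "PASS_WARN_AGE {{ cis_pass_warn_age }}"
  tags:
    - level-1
    - section-5
    - "5.4.1.3"
    - scored

# Existing accounts; changed_when: false hides any real change from the summary.
- name: 5.4.1.3 - Set password expiration warning for all user accounts
  shell: "chage --warndays {{ cis_pass_warn_age }} {{ item }}"
  with_items: "{{ egrep_5_4_1_3.stdout_lines|default([]) }}"
  changed_when: false
  tags:
    - level-1
    - section-5
    - "5.4.1.3"
    - scored
    - skip_ansible_lint
--------------------------------------------------------------------------------
/tasks/level-1/5.4.1.4.yml:
--------------------------------------------------------------------------------
# Standards: 1.1.5
---

# 5.4.1.4 Ensure inactive password lock is 30 days or less

# Accounts whose shadow password field is neither locked ("!") nor disabled ("*").
- name: 5.4.1.4 - Obtain a list of user accounts
  shell: "egrep ^[^:]+:[^\\!*] /etc/shadow | cut -d: -f1"
  register: egrep_5_4_1_4
  check_mode: no
  changed_when: False
  tags:
    - level-1
    - section-5
    - "5.4.1.4"
    - scored
    - skip_ansible_lint

# Default for accounts created from now on (useradd's INACTIVE).
- name: 5.4.1.4 - Ensure inactive password lock is 30 days or less
  lineinfile:
    dest: "/etc/default/useradd"
    regexp: "^INACTIVE"
    line: "INACTIVE={{ cis_pass_inactive_lock }}"
    state: present
  tags:
    - level-1
    - section-5
    - "5.4.1.4"
    - scored

# Informational. The message says "Inactive user accounts", but the list is
# every account with a usable password — the accounts the next task touches.
- name: 5.4.1.4 - Display ist of users accounts
  debug:
    msg: Inactive user accounts {{ egrep_5_4_1_4.stdout_lines|default([]) }}
  tags:
    - level-1
    - section-5
    - "5.4.1.4"
    - scored

# Existing accounts; changed_when: false hides any real change from the summary.
- name: 5.4.1.4 - Set inactive password lock for all user accounts
  shell: "chage --inactive {{ cis_pass_inactive_lock }} {{ item }}"
  with_items:
    - "{{ egrep_5_4_1_4.stdout_lines|default([]) }}"
  changed_when: false
  tags:
    - level-1
    - section-5
    - "5.4.1.4"
    - scored
    - skip_ansible_lint
--------------------------------------------------------------------------------
/tasks/level-1/5.4.2.yml:
--------------------------------------------------------------------------------
# Standards: 1.1.5
---

# 5.4.2 Ensure system accounts are non-login

# "System account" here means UID below 500.
# NOTE(review): CentOS 7 allocates regular users from UID 1000, so accounts in
# 500-999 are treated as regular here and left alone — confirm the threshold
# matches the target release.
- name: 5.4.2 - Retrieve system accounts
  shell: "awk -F: '($3 < 500) {print $1 }' /etc/passwd | grep -v ^#"
  register: audit_5_4_2
  check_mode: no
  changed_when: False
  tags:
    - level-1
    - section-5
    - "5.4.2"
    - scored
    - skip_ansible_lint

# Locks the password of every listed account except root.
# NOTE(review): this task exempts only "root", while the nologin task below
# honours cis_skip_lock_users; an account listed there still gets its password
# locked here — confirm whether the two exemption lists should be the same.
- name: 5.4.2 - Lock system user passwords
  shell: "usermod -L {{ item }}"
  with_items:
    - "{{ audit_5_4_2.stdout_lines|default([]) }}"
  when: item != "root"
  changed_when: false
  tags:
    - level-1
    - section-5
    - "5.4.2"
    - scored
    - skip_ansible_lint

# Sets a non-login shell on every listed account not exempted by
# cis_skip_lock_users (root is not exempted here unless that list names it).
- name: 5.4.2 - Ensure system accounts are non-login
  user:
    name: "{{ item }}"
    shell: "/sbin/nologin"
  with_items:
    - "{{ audit_5_4_2.stdout_lines|default([]) }}"
  when: "item not in cis_skip_lock_users"
  tags:
    - level-1
    - section-5
    - "5.4.2"
    - scored
--------------------------------------------------------------------------------
/tasks/level-1/5.4.3.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.4.3 Ensure default group for the root account is GID 0

# Field 4 of root's passwd entry is its primary GID.
- name: 5.4.3 - Check the GID of the root group
  shell: 'grep "^root:" /etc/passwd | cut -f4 -d:'
  # shell: "cat /etc/passwd | awk -F: '($3 == 0) { print $1 }'"
  register: cat_5_4_3
  check_mode: no
  changed_when: False
  tags:
    - level-1
    - section-5
    - "5.4.3"
    - scored

- name: 5.4.3 - Display the output for the GID of the root group
  debug:
    msg: The value of root GID is - {{ cat_5_4_3.stdout }}
  tags:
    - level-1
    - section-5
    - "5.4.3"
    - scored

# Remediate only when the observed GID is not 0.
- name: 5.4.3 - Ensure default group for the root account is GID 0
  command: usermod -g 0 root
  when: cat_5_4_3.stdout is not defined or cat_5_4_3.stdout != "0"
  tags:
    - level-1
    - section-5
    - "5.4.3"
    - scored
--------------------------------------------------------------------------------
/tasks/level-1/5.4.4.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.4.4 Ensure default user umask is 027 or more restrictive

# One umask line per file in cis_umask_shell_files. The regexp only matches a
# umask at column 0; an indented umask inside a shell conditional is left in
# place and the new line is appended at EOF, where it is evaluated last.
- name: 5.4.4 - Ensure default user umask is 027 or more restrictive
  lineinfile:
    regexp: "^umask\\s+"
    line: "umask {{ cis_umask_default }}"
    dest: "{{ item }}"
  with_items: "{{ cis_umask_shell_files }}"
  tags:
    - level-1
    - section-5
    - "5.4.4"
    - scored
--------------------------------------------------------------------------------
/tasks/level-1/5.5.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.5 Ensure access to the su command is restricted

- name: 5.5 - Ensure access to the su command is restricted
  lineinfile:
    # Match the (usually commented-out) pam_wheel line that ships in
    # /etc/pam.d/su and uncomment it in place. The previous regexp "^auth\s+"
    # matched every auth line, and lineinfile rewrites the LAST match — so an
    # unrelated auth entry was replaced and pam_wheel ended up after the
    # system-auth stack rather than ahead of it.
    regexp: "^#?\\s*auth\\s+required\\s+pam_wheel\\.so"
    line: "auth required pam_wheel.so use_uid"
    # If no pam_wheel line exists at all, place it right after pam_rootok so
    # root's own su stays exempt and wheel is enforced before any password
    # prompt from the rest of the stack.
    insertafter: "^auth\\s+sufficient\\s+pam_rootok\\.so"
    dest: "/etc/pam.d/su"
  tags:
    - level-1
    - section-5
    - "5.5"
    - scored

# Rewrites the wheel line of /etc/group outright: membership becomes exactly
# cis_wheel_group_members and GID 10 is hard-coded.
# NOTE(review): this bypasses the locking that gpasswd/usermod use and drops
# any members not in the variable; the user module with groups: wheel and
# append: yes would add members without those side effects — confirm whether
# "exact membership" is the intent.
- name: 5.5 - Configure wheel group members who can access the su command
  lineinfile:
    regexp: "^wheel:"
    line: "wheel:x:10:{{ cis_wheel_group_members }}"
    dest: "/etc/group"
  tags:
    - level-1
    - section-5
    - "5.5"
    - scored
--------------------------------------------------------------------------------
/tasks/level-1/6.1.10.yml:
--------------------------------------------------------------------------------
# Standards: 1.1.5
---

# 6.1.10 Ensure no world writable files exist

# Audit only: lists world-writable regular files on every local filesystem.
# check_mode: no (as in the 5.4.x audits) lets the report below run in --check.
- name: 6.1.10 - Audit if any world writable files exist
  shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002
  register: audit_6_1_10
  check_mode: no
  changed_when: false
  tags:
    - level-1
    - section-6
    - "6.1.10"
    - scored
    - skip_ansible_lint

# Findings are either a hard failure or a printed action item, selected by
# fail_on_manual_remediation_actions; nothing is remediated automatically.
- name: 6.1.10 - Ensure no world writable files exist
  fail:
    msg: "{{ audit_6_1_10.stdout_lines }}"
  when:
    - audit_6_1_10.stdout_lines is defined and audit_6_1_10.stdout_lines|length > 0
    - fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-6
    - "6.1.10"
    - scored

- name: 6.1.10 - Ensure no world writable files exist
  debug:
    msg: "*** ACTION REQUIRED *** {{ audit_6_1_10.stdout }}"
  when:
    - audit_6_1_10.stdout_lines is defined and audit_6_1_10.stdout_lines|length > 0
    - not fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-6
    - "6.1.10"
    - scored
--------------------------------------------------------------------------------
/tasks/level-1/6.1.11.yml:
--------------------------------------------------------------------------------
# Standards: 1.1.5
---

# 6.1.11 Ensure no unowned files or directories exist

# Audit only: files/directories whose owner UID has no passwd entry.
- name: 6.1.11 - Audit if any unowned files or directories exist
  shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser
  register: audit_6_1_11
  check_mode: no
  changed_when: false
  tags: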
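# (continues the 6.1.11 audit task's tag list from the previous line)
    - level-1
    - section-6
    - "6.1.11"
    - scored
    - skip_ansible_lint

# Report: hard failure or printed action item, per fail_on_manual_remediation_actions.
- name: 6.1.11 - Ensure no unowned files or directories exist
  fail:
    msg: "{{ audit_6_1_11.stdout_lines }}"
  when:
    - audit_6_1_11.stdout_lines is defined and audit_6_1_11.stdout_lines|length > 0
    - fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-6
    - "6.1.11"
    - scored

- name: 6.1.11 - Ensure no unowned files or directories exist
  debug:
    msg: "*** ACTION REQUIRED *** {{ audit_6_1_11.stdout }}"
  when:
    - audit_6_1_11.stdout_lines is defined and audit_6_1_11.stdout_lines|length > 0
    - not fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-6
    - "6.1.11"
    - scored
--------------------------------------------------------------------------------
/tasks/level-1/6.1.12.yml:
--------------------------------------------------------------------------------
# Standards: 1.1.5
---

# 6.1.12 Ensure no ungrouped files or directories exist

# Audit only: files/directories whose group GID has no group entry.
# check_mode: no (as in the 5.4.x audits) lets the report below run in --check.
- name: 6.1.12 - Audit if any ungrouped files or directories exist
  shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup
  register: audit_6_1_12
  check_mode: no
  changed_when: false
  tags:
    - level-1
    - section-6
    - "6.1.12"
    - scored
    - skip_ansible_lint

- name: 6.1.12 - Ensure no ungrouped files or directories exist
  fail:
    msg: "{{ audit_6_1_12.stdout_lines }}"
  when:
    - audit_6_1_12.stdout_lines is defined and audit_6_1_12.stdout_lines|length > 0
    - fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-6
    - "6.1.12"
    - scored

- name: 6.1.12 - Ensure no ungrouped files or directories exist
  debug:
    msg: "*** ACTION REQUIRED *** {{ audit_6_1_12.stdout }}"
  when:
    - audit_6_1_12.stdout_lines is defined and audit_6_1_12.stdout_lines|length > 0
    - not fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-6
    - "6.1.12"
    - scored
--------------------------------------------------------------------------------
/tasks/level-1/6.1.13.yml:
--------------------------------------------------------------------------------
# Standards: 1.1.5
---

# 6.1.13 Audit SUID executables

# Audit only: setuid regular files on every local filesystem.
# The find predicate was "-nogroup", copied from 6.1.12, so this control was
# reporting ungrouped files under a SUID heading; it now mirrors 6.1.14 with
# the setuid bit (-perm -4000).
- name: 6.1.13 - Check if any SUID executables exist
  shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000
  register: audit_6_1_13
  check_mode: no
  changed_when: false
  tags:
    - level-1
    - section-6
    - "6.1.13"
    - scored
    - skip_ansible_lint

# A non-empty list is expected on any normal host (passwd, sudo, ...); this is
# a review prompt, not an automatic remediation.
- name: 6.1.13 - Audit SUID executables
  fail:
    msg: "{{ audit_6_1_13.stdout_lines }}"
  when:
    - audit_6_1_13.stdout_lines is defined and audit_6_1_13.stdout_lines|length > 0
    - fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-6
    - "6.1.13"
    - scored

- name: 6.1.13 - Audit SUID executables
  debug:
    msg: "*** ACTION REQUIRED *** {{ audit_6_1_13.stdout }}"
  when:
    - audit_6_1_13.stdout_lines is defined and audit_6_1_13.stdout_lines|length > 0
    - not fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-6
    - "6.1.13"
    - scored
--------------------------------------------------------------------------------
/tasks/level-1/6.1.14.yml:
--------------------------------------------------------------------------------
# Standards: 1.1.5
---

# 6.1.14 Audit SGID executables

# Audit only: setgid regular files on every local filesystem.
- name: 6.1.14 - Check if any SGID executables exist
  shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000
  register: audit_6_1_14
  check_mode: no
  changed_when: false
  tags:
    - level-1
    - section-6
    - "6.1.14"
    - scored
    - skip_ansible_lint

- name: 6.1.14 - Audit SGID executables
  fail:
    msg: "{{ audit_6_1_14.stdout_lines }}"   # stdout_lines, like the other 6.1.x fail messages
  when:
    - audit_6_1_14.stdout_lines is defined and audit_6_1_14.stdout_lines|length > 0
    - fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-6
    - "6.1.14"
    - scored

- name: 6.1.14 - Audit SGID executables
  debug:
    msg: "*** ACTION REQUIRED *** {{ audit_6_1_14.stdout }}"
  when:
    - audit_6_1_14.stdout_lines is defined and audit_6_1_14.stdout_lines|length > 0
    - not fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-6
    - "6.1.14"
    - scored
--------------------------------------------------------------------------------
/tasks/level-1/6.1.2.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.1.2 Ensure permissions on /etc/passwd are configured

# World-readable is expected for /etc/passwd; only write access is restricted.
- name: 6.1.2 - Ensure permissions on /etc/passwd are configured
  file:
    path: /etc/passwd
    owner: root
    group: root
    mode: 0644
  tags:
    - level-1
    - section-6
    - "6.1.2"
    - scored
--------------------------------------------------------------------------------
/tasks/level-1/6.1.3.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.1.3 Ensure permissions on /etc/shadow are configured

# Mode 0000: no access for anyone without CAP_DAC_OVERRIDE; root reads it regardless.
- name: 6.1.3 - Ensure permissions on /etc/shadow are configured
  file:
    path: /etc/shadow
    owner: root
    group: root
    mode: 0000
  tags:
    - level-1
    - section-6
    - "6.1.3"
    - scored
--------------------------------------------------------------------------------
/tasks/level-1/6.1.4.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.1.4 Ensure permissions on /etc/group are configured

- name: 6.1.4 - Ensure permissions on /etc/group are configured
  file:
    path: /etc/group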
owner: root 10 | group: root 11 | mode: 0644 12 | tags: 13 | - level-1 14 | - section-6 15 | - "6.1.4" 16 | - scored 17 | -------------------------------------------------------------------------------- /tasks/level-1/6.1.5.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 6.1.5 Ensure permissions on /etc/gshadow are configured 5 | 6 | - name: 6.1.5 - Ensure permissions on /etc/gshadow are configured 7 | file: 8 | path: /etc/gshadow 9 | owner: root 10 | group: root 11 | mode: 0000 12 | tags: 13 | - level-1 14 | - section-6 15 | - "6.1.5" 16 | - scored 17 | -------------------------------------------------------------------------------- /tasks/level-1/6.1.6.yml: -------------------------------------------------------------------------------- 1 | # Standards: 1.1.24 2 | --- 3 | 4 | # 6.1.6 Ensure permissions on /etc/passwd- are configured 5 | 6 | - name: 6.1.6 - Discover permissions on /etc/passwd- (as Ansible cannot file it) 7 | stat: 8 | path: "/etc/passwd-" 9 | register: cis_st 10 | tags: 11 | - level-1 12 | - section-6 13 | - "6.1.6" 14 | - scored 15 | 16 | - name: 6.1.6 - Display the file /etc/passd- mode 17 | debug: 18 | msg: The file mode is {{ cis_st.stat.mode }} expecting 0600 19 | tags: 20 | - level-1 21 | - section-6 22 | - "6.1.6" 23 | - scored 24 | 25 | - name: 6.1.6 - Ensure permissions on /etc/passwd- are configured 26 | file: 27 | path: "/etc/passwd-" 28 | owner: root 29 | group: root 30 | mode: 0600 31 | when: cis_st.stat.mode != 0600 32 | tags: 33 | - level-1 34 | - section-6 35 | - "6.1.6" 36 | - scored 37 | -------------------------------------------------------------------------------- /tasks/level-1/6.1.7.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 6.1.7 Ensure permissions on /etc/shadow- are configured 5 | 6 | - name: 6.1.7 - Ensure permissions on /etc/shadow- are configured 7 | file: 8 | 
path: /etc/shadow- 9 | owner: root 10 | group: root 11 | mode: 0000 12 | tags: 13 | - level-1 14 | - section-6 15 | - "6.1.7" 16 | - scored 17 | -------------------------------------------------------------------------------- /tasks/level-1/6.1.8.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 6.1.8 Ensure permissions on /etc/group- are configured 5 | 6 | - name: 6.1.8 - Ensure permissions on /etc/group- are configured 7 | file: 8 | path: /etc/group- 9 | owner: root 10 | group: root 11 | mode: 0600 12 | tags: 13 | - level-1 14 | - section-6 15 | - "6.1.8" 16 | - scored 17 | -------------------------------------------------------------------------------- /tasks/level-1/6.1.9.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 6.1.9 Ensure permissions on /etc/gshadow- are configured 5 | 6 | - name: 6.1.9 - Ensure permissions on /etc/gshadow- are configured 7 | file: 8 | path: /etc/gshadow- 9 | owner: root 10 | group: root 11 | mode: 0600 12 | tags: 13 | - level-1 14 | - section-6 15 | - "6.1.9" 16 | - scored 17 | -------------------------------------------------------------------------------- /tasks/level-1/6.2.1.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 6.2.1 Ensure password fields are not empty 5 | 6 | - name: 6.2.1 - Identify any accounts without passwords 7 | shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) { print $1 }'" 8 | register: accounts_6_2_1 9 | check_mode: no 10 | changed_when: False 11 | tags: 12 | - level-1 13 | - section-6 14 | - "6.2.1" 15 | - scored 16 | 17 | - name: 6.2.1 - Lock any accounts without passwords 18 | command: "passwd -l {{ item }}" 19 | with_items: "{{ accounts_6_2_1.stdout_lines|default([]) }}" 20 | when: accounts_6_2_1.stdout_lines is defined 21 | tags: 22 | - level-1 23 | - section-6 24 | - "6.2.1" 
25 | - scored 26 | -------------------------------------------------------------------------------- /tasks/level-1/6.2.10.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 6.2.10 Ensure users' dot files are not group or world writable 5 | 6 | - name: 6.2.10 - Audit users' dot files permissions 7 | script: "{{ role_path }}/files/audit_6.2.10.sh" 8 | check_mode: no 9 | changed_when: false 10 | register: audit_6_2_10 11 | tags: 12 | - level-1 13 | - section-6 14 | - "6.2.10" 15 | - scored 16 | 17 | - name: 6.2.10 - Ensure users' dot files are not group or world writable 18 | fail: 19 | msg: "{{ audit_6_2_10.stdout }}" 20 | when: 21 | - audit_6_2_10.stdout_lines is defined and audit_6_2_10.stdout_lines|length > 0 22 | - fail_on_manual_remediation_actions 23 | tags: 24 | - level-1 25 | - section-6 26 | - "6.2.10" 27 | - scored 28 | 29 | - name: 6.2.10 - Ensure users' dot files are not group or world writable 30 | debug: 31 | msg: "*** ACTION REQUIRED *** {{ audit_6_2_10.stdout }}" 32 | when: 33 | - audit_6_2_10.stdout_lines is defined and audit_6_2_10.stdout_lines|length > 0 34 | - not fail_on_manual_remediation_actions 35 | tags: 36 | - level-1 37 | - section-6 38 | - "6.2.10" 39 | - scored 40 | -------------------------------------------------------------------------------- /tasks/level-1/6.2.11.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 6.2.11 Ensure no users have .forward files 5 | 6 | - name: 6.2.11 - Audit users' forward files 7 | script: "{{ role_path }}/files/audit_6.2.11.sh" 8 | check_mode: no 9 | changed_when: False 10 | register: audit_6_2_11 11 | tags: 12 | - level-1 13 | - section-6 14 | - "6.2.11" 15 | - scored 16 | 17 | - name: 6.2.11 - Ensure no users have .forward files 18 | fail: 19 | msg: "{{ audit_6_2_11.stdout }}" 20 | when: 21 | - audit_6_2_11.stdout_lines is defined and 
audit_6_2_11.stdout_lines|length > 0 22 | - fail_on_manual_remediation_actions 23 | tags: 24 | - level-1 25 | - section-6 26 | - "6.2.11" 27 | - scored 28 | 29 | - name: 6.2.11 - Ensure no users have .forward files 30 | debug: 31 | msg: "*** ACTION REQUIRED *** {{ audit_6_2_11.stdout }}" 32 | when: 33 | - audit_6_2_11.stdout_lines is defined and audit_6_2_11.stdout_lines|length > 0 34 | - not fail_on_manual_remediation_actions 35 | tags: 36 | - level-1 37 | - section-6 38 | - "6.2.11" 39 | - scored 40 | 41 | -------------------------------------------------------------------------------- /tasks/level-1/6.2.12.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 6.2.12 Ensure no users have .netrc files 5 | 6 | - name: 6.2.12 - Audit users'.netrc files 7 | script: "{{ role_path }}/files/audit_6.2.12.sh" 8 | check_mode: no 9 | changed_when: False 10 | register: audit_6_2_12 11 | tags: 12 | - level-1 13 | - section-6 14 | - "6.2.12" 15 | - scored 16 | 17 | - name: 6.2.12 - Ensure no users have .netrc files 18 | fail: 19 | msg: "{{ audit_6_2_12.stdout_lines }}" 20 | when: 21 | - audit_6_2_12.stdout_lines is defined and audit_6_2_12.stdout_lines|length > 0 22 | - fail_on_manual_remediation_actions 23 | tags: 24 | - level-1 25 | - section-6 26 | - "6.2.12" 27 | - scored 28 | 29 | - name: 6.2.12 - Ensure no users have .netrc files 30 | debug: 31 | msg: "*** ACTION REQUIRED *** {{ audit_6_2_12.stdout }}" 32 | when: 33 | - audit_6_2_12.stdout_lines is defined and audit_6_2_12.stdout_lines|length > 0 34 | - not fail_on_manual_remediation_actions 35 | tags: 36 | - level-1 37 | - section-6 38 | - "6.2.12" 39 | - scored 40 | 41 | -------------------------------------------------------------------------------- /tasks/level-1/6.2.13.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 6.2.13 Ensure users' .netrc Files are not group or 
world accessible 5 | 6 | - name: 6.2.13 - Audit users'.netrc permissions 7 | script: "{{ role_path }}/files/audit_6.2.13.sh" 8 | check_mode: no 9 | changed_when: False 10 | register: audit_6_2_13 11 | tags: 12 | - level-1 13 | - section-6 14 | - "6.2.13" 15 | - scored 16 | 17 | - name: 6.2.13 - Ensure users' .netrc Files are not group or world accessible 18 | fail: 19 | msg: "{{ audit_6_2_13.stdout }}" 20 | when: 21 | - audit_6_2_13.stdout_lines is defined and audit_6_2_13.stdout_lines|length > 0 22 | - fail_on_manual_remediation_actions 23 | tags: 24 | - level-1 25 | - section-6 26 | - "6.2.13" 27 | - scored 28 | 29 | - name: 6.2.13 - Ensure users' .netrc Files are not group or world accessible 30 | debug: 31 | msg: "*** ACTION REQUIRED *** {{ audit_6_2_13.stdout }}" 32 | when: 33 | - audit_6_2_13.stdout_lines is defined and audit_6_2_13.stdout_lines|length > 0 34 | - not fail_on_manual_remediation_actions 35 | tags: 36 | - level-1 37 | - section-6 38 | - "6.2.13" 39 | - scored 40 | 41 | -------------------------------------------------------------------------------- /tasks/level-1/6.2.14.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 6.2.14 Ensure no users have .rhosts files 5 | 6 | - name: 6.2.14 - Audit users'.rhosts files 7 | script: "{{ role_path }}/files/audit_6.2.14.sh" 8 | check_mode: no 9 | changed_when: False 10 | register: audit_6_2_14 11 | tags: 12 | - level-1 13 | - section-6 14 | - "6.2.14" 15 | - scored 16 | 17 | - name: 6.2.14 - Ensure no users have .rhosts files 18 | fail: 19 | msg: "{{ audit_6_2_14.stdout_lines }}" 20 | when: 21 | - audit_6_2_14.stdout_lines is defined and audit_6_2_14.stdout_lines|length > 0 22 | - fail_on_manual_remediation_actions 23 | tags: 24 | - level-1 25 | - section-6 26 | - "6.2.14" 27 | - scored 28 | 29 | - name: 6.2.14 - Ensure no users have .rhosts files 30 | debug: 31 | msg: "*** ACTION REQUIRED *** {{ audit_6_2_14.stdout }}" 32 | when: 33 
| - audit_6_2_14.stdout_lines is defined and audit_6_2_14.stdout_lines|length > 0 34 | - not fail_on_manual_remediation_actions 35 | tags: 36 | - level-1 37 | - section-6 38 | - "6.2.14" 39 | - scored 40 | 41 | -------------------------------------------------------------------------------- /tasks/level-1/6.2.15.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 6.2.15 Ensure all groups in /etc/passwd exist in /etc/group 5 | 6 | - name: 6.2.15 - Audit existence of groups listed in /etc/passwd against /etc/group 7 | script: "{{ role_path }}/files/audit_6.2.15.sh" 8 | check_mode: no 9 | changed_when: False 10 | register: audit_6_2_15 11 | tags: 12 | - level-1 13 | - section-6 14 | - "6.2.15" 15 | - scored 16 | 17 | - name: 6.2.15 - Ensure all groups in /etc/passwd exist in /etc/group 18 | fail: 19 | msg: "{{ audit_6_2_15.stdout_lines }}" 20 | when: 21 | - audit_6_2_15.stdout_lines is defined and audit_6_2_15.stdout_lines|length > 0 22 | - fail_on_manual_remediation_actions 23 | tags: 24 | - level-1 25 | - section-6 26 | - "6.2.15" 27 | - scored 28 | 29 | - name: 6.2.15 - Ensure all groups in /etc/passwd exist in /etc/group 30 | debug: 31 | msg: "*** ACTION REQUIRED *** {{ audit_6_2_15.stdout }}" 32 | when: 33 | - audit_6_2_15.stdout_lines is defined and audit_6_2_15.stdout_lines|length > 0 34 | - not fail_on_manual_remediation_actions 35 | tags: 36 | - level-1 37 | - section-6 38 | - "6.2.15" 39 | - scored 40 | 41 | -------------------------------------------------------------------------------- /tasks/level-1/6.2.16.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 6.2.16 Ensure no duplicate UIDs exist 5 | 6 | - name: 6.2.16 - Check if duplicate UIDs exist 7 | script: "{{ role_path }}/files/audit_6.2.16.sh" 8 | check_mode: no 9 | changed_when: False 10 | register: audit_6_2_16 11 | tags: 12 | - level-1 13 | - 
section-6 14 | - "6.2.16" 15 | - scored 16 | 17 | - name: 6.2.16 - Ensure no duplicate UIDs exist 18 | fail: 19 | msg: "{{ audit_6_2_16.stdout_lines }}" 20 | when: 21 | - audit_6_2_16.stdout_lines is defined and audit_6_2_16.stdout_lines|length > 0 22 | - fail_on_manual_remediation_actions 23 | tags: 24 | - level-1 25 | - section-6 26 | - "6.2.16" 27 | - scored 28 | 29 | - name: 6.2.16 - Ensure no duplicate UIDs exist 30 | debug: 31 | msg: "*** ACTION REQUIRED *** {{ audit_6_2_16.stdout }}" 32 | when: 33 | - audit_6_2_16.stdout_lines is defined and audit_6_2_16.stdout_lines|length > 0 34 | - not fail_on_manual_remediation_actions 35 | tags: 36 | - level-1 37 | - section-6 38 | - "6.2.16" 39 | - scored 40 | 41 | -------------------------------------------------------------------------------- /tasks/level-1/6.2.17.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 6.2.17 Ensure no duplicate GIDs exist 5 | 6 | - name: 6.2.17 - Check if duplicate GIDs exist 7 | script: "{{ role_path }}/files/audit_6.2.17.sh" 8 | check_mode: no 9 | changed_when: False 10 | register: audit_6_2_17 11 | tags: 12 | - level-1 13 | - section-6 14 | - "6.2.17" 15 | - scored 16 | 17 | - name: 6.2.17 - Ensure no duplicate GIDs exist 18 | fail: 19 | msg: "{{ audit_6_2_17.stdout_lines }}" 20 | when: 21 | - audit_6_2_17.stdout_lines is defined and audit_6_2_17.stdout_lines|length > 0 22 | - fail_on_manual_remediation_actions 23 | tags: 24 | - level-1 25 | - section-6 26 | - "6.2.17" 27 | - scored 28 | 29 | - name: 6.2.17 - Ensure no duplicate GIDs exist 30 | debug: 31 | msg: "*** ACTION REQUIRED *** {{ audit_6_2_17.stdout }}" 32 | when: 33 | - audit_6_2_17.stdout_lines is defined and audit_6_2_17.stdout_lines|length > 0 34 | - not fail_on_manual_remediation_actions 35 | tags: 36 | - level-1 37 | - section-6 38 | - "6.2.17" 39 | - scored 40 | 41 | 
--------------------------------------------------------------------------------
/tasks/level-1/6.2.18.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.2.18 Ensure no duplicate user names exist

# Audit-only: report user names that appear more than once in /etc/passwd.
- name: 6.2.18 - Check if duplicate user names exist
  script: "{{ role_path }}/files/audit_6.2.18.sh"
  register: audit_6_2_18
  changed_when: false
  check_mode: no
  tags: [level-1, section-6, "6.2.18", scored]

- name: 6.2.18 - Ensure no duplicate user names exist
  fail:
    msg: "{{ audit_6_2_18.stdout_lines }}"
  when: >-
    audit_6_2_18.stdout_lines is defined
    and audit_6_2_18.stdout_lines|length > 0
    and fail_on_manual_remediation_actions
  tags: [level-1, section-6, "6.2.18", scored]

- name: 6.2.18 - Ensure no duplicate user names exist
  debug:
    msg: "*** ACTION REQUIRED *** {{ audit_6_2_18.stdout }}"
  when: >-
    audit_6_2_18.stdout_lines is defined
    and audit_6_2_18.stdout_lines|length > 0
    and not fail_on_manual_remediation_actions
  tags: [level-1, section-6, "6.2.18", scored]

--------------------------------------------------------------------------------
/tasks/level-1/6.2.19.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.2.19 Ensure no duplicate group names exist

# Audit-only: report group names that appear more than once in /etc/group.
- name: 6.2.19 - Check if duplicate group names exist
  script: "{{ role_path }}/files/audit_6.2.19.sh"
  register: audit_6_2_19
  changed_when: false
  check_mode: no
  tags: [level-1, section-6, "6.2.19", scored]

- name: 6.2.19 - Ensure no duplicate group names exist
  fail:
    msg: "{{ audit_6_2_19.stdout_lines }}"
  when: >-
    audit_6_2_19.stdout_lines is defined
    and audit_6_2_19.stdout_lines|length > 0
    and fail_on_manual_remediation_actions
  tags: [level-1, section-6, "6.2.19", scored]

- name: 6.2.19 - Ensure no duplicate group names exist
  debug:
    msg: "*** ACTION REQUIRED *** {{ audit_6_2_19.stdout }}"
  when: >-
    audit_6_2_19.stdout_lines is defined
    and audit_6_2_19.stdout_lines|length > 0
    and not fail_on_manual_remediation_actions
  tags: [level-1, section-6, "6.2.19", scored]

--------------------------------------------------------------------------------
/tasks/level-1/6.2.2.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd

# No `replace:` value is given, so every line starting with "+:" is removed
# together with its trailing newline.
- name: 6.2.2 - Ensure no legacy "+" entries exist in /etc/passwd
  replace:
    regexp: "^\\+:.*\n"
    dest: "/etc/passwd"
  tags: [level-1, section-6, "6.2.2", scored]
--------------------------------------------------------------------------------
/tasks/level-1/6.2.3.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.2.3 Ensure no legacy "+" entries exist in /etc/shadow

# Same deletion pattern as 6.2.2, applied to /etc/shadow.
- name: 6.2.3 - Ensure no legacy "+" entries exist in /etc/shadow
  replace:
    regexp: "^\\+:.*\n"
    dest: "/etc/shadow"
  tags: [level-1, section-6, "6.2.3", scored]
--------------------------------------------------------------------------------
/tasks/level-1/6.2.4.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.2.4 Ensure no legacy "+" entries exist in /etc/group

# Same deletion pattern as 6.2.2, applied to /etc/group.
- name: 6.2.4 - Ensure no legacy "+" entries exist in /etc/group
  replace:
    regexp: "^\\+:.*\n"
    dest: "/etc/group"
  tags: [level-1, section-6, "6.2.4", scored]
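--------------------------------------------------------------------------------
/tasks/level-1/6.2.5.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.2.5 Ensure root is the only UID 0 account

# Lists every /etc/passwd entry whose UID field is 0.  The two report tasks
# below trigger when more than one name comes back, or when the single name
# that does is not "root".
- name: 6.2.5 - Ensure root is the only UID 0 account
  shell: "cat /etc/passwd | awk -F: '($3 == 0) { print $1 }'"
  check_mode: no
  changed_when: False
  register: cat_6_2_5
  tags:
    - level-1
    - section-6
    - "6.2.5"
    - scored

- name: 6.2.5 - Fail if root is not the only UID 0 account
  fail:
    msg: "root is not the only UID 0 account."
  when:
    - cat_6_2_5.stdout_lines is defined and (cat_6_2_5.stdout_lines|length > 1 or (cat_6_2_5.stdout_lines|length == 1 and 'root' not in cat_6_2_5.stdout_lines))
    - fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-6
    - "6.2.5"
    - scored

- name: 6.2.5 - Warn if root is not the only UID 0 account
  debug:
    msg: "*** ACTION REQUIRED *** root is not the only UID 0 account"
  when:
    - cat_6_2_5.stdout_lines is defined and (cat_6_2_5.stdout_lines|length > 1 or (cat_6_2_5.stdout_lines|length == 1 and 'root' not in cat_6_2_5.stdout_lines))
    - not fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-6
    - "6.2.5"
    - scored
--------------------------------------------------------------------------------
/tasks/level-1/6.2.6.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.2.6 Ensure root PATH Integrity

# Audit-only: the helper script reports PATH problems; nothing is remediated.
- name: 6.2.6 - Audit root PATH Integrity
  script: "{{ role_path }}/files/audit_6.2.6.sh"
  check_mode: no
  changed_when: False
  register: audit_6_2_6
  tags:
    - level-1
    - section-6
    - "6.2.6"
    - scored

- name: 6.2.6 - Ensure root PATH Integrity
  fail:
    msg: "{{ audit_6_2_6.stdout_lines }}"
  when:
    - audit_6_2_6.stdout_lines is defined and audit_6_2_6.stdout_lines|length > 0
    - fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-6
    - "6.2.6"
    - scored

- name: 6.2.6 - Ensure root PATH Integrity
  debug:
    msg: "*** ACTION REQUIRED *** {{ audit_6_2_6.stdout }}"
  when:
    - audit_6_2_6.stdout_lines is defined and audit_6_2_6.stdout_lines|length > 0
    - not fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-6
    - "6.2.6"
    - scored

--------------------------------------------------------------------------------
/tasks/level-1/6.2.7.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.2.7 Ensure all users' home directories exist

- name: 6.2.7 - Audit existence of users' home directories
  script: "{{ role_path }}/files/audit_6.2.7.sh"
  check_mode: no
  changed_when: False
  register: audit_6_2_7
  tags:
    - level-1
    - section-6
    - "6.2.7"
    - scored

# Remediating control.  The split() calls imply the script prints one
# "user:home" pair per line — confirm against files/audit_6.2.7.sh, which
# is not part of this listing.  Creating the missing directory for an
# existing account is left to the user module's create-home behaviour;
# verify that with the Ansible version targeted by this role.
- name: 6.2.7 - Ensure users' home directories exist.
  user:
    name: "{{ item.split(':')[0] }}"
    home: "{{ item.split(':')[1] }}"
  when: audit_6_2_7.stdout_lines is defined and audit_6_2_7.stdout_lines|length > 0
  # default([]) keeps loop expansion from failing when the audit produced no
  # result (the per-item `when` above is only evaluated after expansion).
  with_items: "{{ audit_6_2_7.stdout_lines | default([]) }}"
  tags:
    - level-1
    - section-6
    - "6.2.7"
    - scored
--------------------------------------------------------------------------------
/tasks/level-1/6.2.8.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.2.8 Ensure users' home directories permissions are 750 or more restrictive

# Audit-only: report home directories looser than 750.
- name: 6.2.8 - Audit users' home directories permissions
  script: "{{ role_path }}/files/audit_6.2.8.sh"
  check_mode: no
  changed_when: False
  register: audit_6_2_8
  tags:
    - level-1
    - section-6
    - "6.2.8"
    - scored

- name: 6.2.8 - Ensure users' home directories permissions are 750 or more restrictive
  fail:
    msg: "{{ audit_6_2_8.stdout_lines }}"
  when:
    - audit_6_2_8.stdout_lines is defined and audit_6_2_8.stdout_lines|length > 0
    - fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-6
    - "6.2.8"
    - scored

- name: 6.2.8 - Ensure users' home directories permissions are 750 or more restrictive
  debug:
    msg: "*** ACTION REQUIRED *** {{ audit_6_2_8.stdout }}"
  when:
    - audit_6_2_8.stdout_lines is defined and audit_6_2_8.stdout_lines|length > 0
    - not fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-6
    - "6.2.8"
    - scored

--------------------------------------------------------------------------------
/tasks/level-1/6.2.9.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.2.9 Ensure users own their home directories

- name: 6.2.9 - Audit ownership of users' home directories
  script: "{{ role_path }}/files/audit_6.2.9.sh"
  check_mode: no
  changed_when: False
  register: audit_6_2_9
  tags:
    - level-1
    - section-6
    - "6.2.9"
    - scored

# Remediating control.  The split() calls imply one "directory:owner" pair per
# output line — confirm against files/audit_6.2.9.sh.  `follow: yes` means a
# home directory that is a symlink has its target chowned, not the link.
- name: 6.2.9 - Ensure users own their home directories
  file:
    owner: "{{ item.split(':')[1] }}"
    path: "{{ item.split(':')[0] }}"
    state: directory
    follow: yes
  when: audit_6_2_9.stdout_lines is defined and audit_6_2_9.stdout_lines|length > 0
  # default([]) keeps loop expansion from failing when the audit produced no
  # result (consistent with the loop guard used in 6.2.1).
  with_items: "{{ audit_6_2_9.stdout_lines | default([]) }}"
  tags:
    - level-1
    - section-6
    - "6.2.9"
    - scored

--------------------------------------------------------------------------------
/tasks/level-1/stat_sshd_config.yml:
--------------------------------------------------------------------------------
---

# Shared helper: registers `sshd_config` so the SSH controls can skip
# themselves on hosts without an sshd configuration file.
- name: Check if /etc/ssh/sshd_config exists
  stat:
    path: /etc/ssh/sshd_config
  register: sshd_config
--------------------------------------------------------------------------------
/tasks/level-2.yml:
--------------------------------------------------------------------------------
# Standards: 1.1.28
---

# Each control is skipped when its id is listed in cis_level_2_exclusions.
# Note call 4.1.2 before 4.1 to ensure auditd is installed prior to installing the configuration file
- include: "level-2/4.1.2.yml"
  when: "'4.1.2' not in cis_level_2_exclusions"
- include: "level-2/4.1.yml"
  when: "'4.1' not in cis_level_2_exclusions"
- include: "level-2/4.1.3.yml"
  when: "'4.1.3' not in cis_level_2_exclusions"
# Note merged 4.1.4 - 4.1.17 merged into 4.1.n for now
- include: "level-2/4.1.n.yml"
  when: "'4.1.n' not in cis_level_2_exclusions"
- include: "level-2/6.1.1.yml"
  when: "'6.1.1' not in cis_level_2_exclusions"
--------------------------------------------------------------------------------
/tasks/level-2/4.1.2.yml:
--------------------------------------------------------------------------------
# Standards: 1.1.27
---

# 4.1.2 Ensure auditd Service is enabled
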
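- name: 4.1.2 - Check if auditd is installed
  yum:
    name: audit
    state: present
  # when: cis_enable_rsyslog
  # register: rsyslog_4_2_1_1
  tags:
    - level-2
    - section-4
    - "4.1.2"
    - scored
    - skip_ansible_lint

# The conditions below were carried over from 4.2.1.1 and commented out, which
# left a bare `when:` with no value; the task runs unconditionally, so the
# empty key is dropped rather than kept as a lint trap.
# - cis_enable_rsyslog
# - rsyslog_4_2_1_1.rc is not defined or rsyslog_4_2_1_1.rc == 0
- name: 4.1.2 - Ensure auditd Service is enabled
  service:
    name: "auditd"
    enabled: true
    state: started
  tags:
    - level-2
    - section-4
    - "4.1.2"
    - scored
--------------------------------------------------------------------------------
/tasks/level-2/4.1.3.yml:
--------------------------------------------------------------------------------
# Standards: 1.1.28
---

# 4.1.3 Ensure auditing for processes that start prior to auditd is enabled

# The previous implementation replaced the whole GRUB_CMDLINE_LINUX line with a
# fixed string (serial console, net.ifnames, crashkernel, ...), discarding any
# kernel parameter the host already depended on — root device, LUKS, fips or
# SELinux settings included.  The control only requires `audit=1`, so append
# it to the existing value when it is missing and leave everything else alone.
- name: 4.1.3 - Check whether /etc/default/grub defines GRUB_CMDLINE_LINUX
  command: grep -E '^GRUB_CMDLINE_LINUX=' /etc/default/grub
  register: grub_4_1_3_line
  # rc 1 simply means "no such line"; it is handled below, not an error
  failed_when: false
  changed_when: false
  check_mode: no
  tags:
    - level-2
    - section-4
    - "4.1.3"
    - scored

- name: 4.1.3 - Add audit=1 to the existing GRUB_CMDLINE_LINUX value
  lineinfile:
    dest: "/etc/default/grub"
    # Matches only while audit=1 is absent inside the quotes; group 1 is the
    # line up to (not including) the closing quote, group 2 any trailer.
    regexp: '^(GRUB_CMDLINE_LINUX="(?![^"]*\baudit=1\b)[^"]*)"(.*)$'
    line: '\1 audit=1"\2'
    backrefs: yes
    backup: yes
  register: grub_4_1_3_append
  tags:
    - level-2
    - section-4
    - "4.1.3"
    - scored

- name: 4.1.3 - Create GRUB_CMDLINE_LINUX when the file does not define it
  lineinfile:
    dest: "/etc/default/grub"
    line: 'GRUB_CMDLINE_LINUX="audit=1"'
    state: present
    backup: yes
  when: grub_4_1_3_line.rc != 0
  register: grub_4_1_3_create
  tags:
    - level-2
    - section-4
    - "4.1.3"
    - scored

# The command module does not interpret shell redirection, so the earlier
# `grub2-mkconfig > /boot/grub2/grub.cfg` passed `>` and the path to
# grub2-mkconfig as arguments instead of writing the file; `-o` is the
# supported way to name the output.  /boot/grub2/grub.cfg is the BIOS
# location — UEFI hosts keep grub.cfg under /boot/efi, so set
# cis_grub_cfg_path for those.  Regenerate only when the input changed.
- name: 4.1.3 - Run the command to update the Grub Configuration
  command: "grub2-mkconfig -o {{ cis_grub_cfg_path | default('/boot/grub2/grub.cfg') }}"
  when: (grub_4_1_3_append.changed | default(false)) or (grub_4_1_3_create.changed | default(false))
  tags:
    - level-2
    - section-4
    - "4.1.3"
    - scored
--------------------------------------------------------------------------------
/tasks/level-2/4.1.n.yml:
--------------------------------------------------------------------------------
# Standards: 1.1.28
---

# 4.1.4 - 4.1.17- Ensure the audit.rules file is configured

# Installs the rendered rule set and restarts auditd through the handler so
# the rules are loaded.  The template ends with `-e 2` (immutable), so after
# the restart further rule changes need a reboot to take effect.
- name: 4.1.n - Install or update audit.rules file
  template:
    src: templates/audit.rules.j2
    dest: /etc/audit/rules.d/audit.rules
    mode: 0600
    owner: root
    group: root
    backup: true
  notify:
    - Restart auditd
  tags:
    - level-2
    - section-4
    - "4.1.n"
    - scored
--------------------------------------------------------------------------------
/tasks/level-2/4.1.yml:
--------------------------------------------------------------------------------
# Standards: 1.1.27
---

# 4.1 - Ensure the auditd.conf file is configured

- name: 4.1 - Install or update auditd.conf file
  template:
    src: templates/auditd.conf.j2
    dest: /etc/audit/auditd.conf
    mode: 0640
    owner: root
    group: root
    backup: true
  notify:
    - Restart auditd
  tags:
    - level-2
    - section-4
    - "4.1"
    - not-scored
--------------------------------------------------------------------------------
/tasks/level-2/6.1.1.yml:
--------------------------------------------------------------------------------
# Standards: 1.1.5
---

# 6.1.1 Audit system file permissions

# `rpm -V` exits non-zero whenever it finds a discrepancy, which is exactly the
# case this control wants to report.  Without failed_when the task itself
# failed on any finding, so the "warn only" path
# (fail_on_manual_remediation_actions=false) could never be reached.
# Exit status 1 is "discrepancies found"; anything else is a real rpm error.
- name: 6.1.1 - Audit system file permissions
  shell: rpm -Va --nomtime --nosize --nomd5 --nolinkto
  register: audit_6_1_1
  failed_when: audit_6_1_1.rc not in [0, 1]
  changed_when: false
  # read-only, so report in check mode as the other audits do
  check_mode: no
  tags:
    - level-2
    - section-6
    - "6.1.1"
    - scored
    - skip_ansible_lint

- name: 6.1.1 - Audit system file permissions
  fail:
    msg: "{{ audit_6_1_1.stdout }}"
  when:
    - audit_6_1_1.stdout_lines is defined and audit_6_1_1.stdout_lines|length > 0
    - fail_on_manual_remediation_actions
  tags:
    - level-2
    - section-6
    - "6.1.1"
    - scored

- name: 6.1.1 - Audit system file permissions
  debug:
    msg: "*** ACTION REQUIRED *** {{ audit_6_1_1.stdout }}"
  when:
    - audit_6_1_1.stdout_lines is defined and audit_6_1_1.stdout_lines|length > 0
    - not fail_on_manual_remediation_actions
  tags:
    - level-2
    - section-6
    - "6.1.1"
    - scored
--------------------------------------------------------------------------------
/tasks/main.yml: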
-------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | - include: preflight.yml 5 | when: cis_apply_level_1_profile or cis_apply_level_2_profile 6 | 7 | - include: "level-1.yml" 8 | become: yes 9 | when: cis_apply_level_1_profile 10 | 11 | - include: "level-2.yml" 12 | become: yes 13 | when: cis_apply_level_2_profile 14 | -------------------------------------------------------------------------------- /tasks/preflight.yml: -------------------------------------------------------------------------------- 1 | # Standards: 1.1.31 2 | --- 3 | 4 | # Preflight checks 5 | 6 | - name: Preflight - Fail if host is not suitable for this benchmark 7 | fail: 8 | msg: "This benchmark is not suitable for the destination operating system, ansible_distribution is - {{ ansible_distribution }}, ansible_distribution_version is - {{ ansible_distribution_version }}, ansible_distribution_version is {{ ansible_distribution_version }}, cis_target_os_versions is {{ cis_target_os_versions }}, cis_target_os_distribution is {{ cis_target_os_distribution }}" 9 | when: (ansible_distribution is not defined) or 10 | (ansible_distribution_version is not defined) or 11 | (ansible_distribution_major_version+"."+ansible_distribution_version.split('.')[1]|default('0') not in cis_target_os_versions) or 12 | (ansible_distribution not in cis_target_os_distribution) 13 | tags: always 14 | -------------------------------------------------------------------------------- /templates/audit.rules.j2: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | # 3 | ## First rule - delete all 4 | -D 5 | 6 | ## Increase the buffers to survive stress events. 
7 | ## Make this bigger for busy systems 8 | -b 8192 9 | 10 | ## Set failure mode to syslog 11 | -f 1 12 | 13 | ## 4.1.4 Ensure events that modify date and time information are collected 14 | -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change 15 | -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time- change 16 | -a always,exit -F arch=b64 -S clock_settime -k time-change 17 | -a always,exit -F arch=b32 -S clock_settime -k time-change 18 | -w /etc/localtime -p wa -k time-change 19 | 20 | ## 4.1.5 Ensure events that modify user/group information are collected 21 | -w /etc/group -p wa -k identity 22 | -w /etc/passwd -p wa -k identity 23 | -w /etc/gshadow -p wa -k identity 24 | -w /etc/shadow -p wa -k identity 25 | -w /etc/security/opasswd -p wa -k identity 26 | 27 | ## 4.1.6 Ensure events that modify the system's network environment are collected 28 | -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale -w /etc/issue -p wa -k system-locale 29 | -w /etc/issue.net -p wa -k system-locale 30 | -w /etc/hosts -p wa -k system-locale 31 | -w /etc/sysconfig/network -p wa -k system-locale 32 | 33 | ## 4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected 34 | -w /etc/selinux/ -p wa -k MAC-policy 35 | 36 | ## 4.1.8 Ensure login and logout events are collected 37 | -w /var/log/lastlog -p wa -k logins 38 | -w /var/run/faillock/ -p wa -k logins 39 | 40 | ## 4.1.9 Ensure session initiation information is collected 41 | -w /var/run/utmp -p wa -k session 42 | -w /var/log/wtmp -p wa -k session 43 | -w /var/log/btmp -p wa -k session 44 | 45 | ## 4.1.10 Ensure discretionary access control permission modification events are collected 46 | -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod 47 | -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F 
auid!=4294967295 -k perm_mod 48 | -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod 49 | -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod 50 | -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod 51 | -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod 52 | 53 | ## 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected 54 | -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access 55 | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access 56 | -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access 57 | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access 58 | 59 | ## 4.1.12 Ensure use of privileged commands is collected 60 | ## Need to run separate command to gather the executable list 61 | 62 | ## 4.1.13 Ensure successful file system mounts are collected 63 | -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts 64 | -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts 65 | 66 | ## 4.1.14 Ensure file deletion events by users are collected 67 | -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete 68 | -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete 69 | 70 | ## 4.1.15 Ensure changes to system 
administration scope (sudoers) is collected 72 | -w /etc/sudoers -p wa -k scope 73 | -w /etc/sudoers.d -p wa -k scope 74 | 75 | ## 4.1.16 Ensure system administrator actions (sudolog) are collected 76 | -w /var/log/sudo.log -p wa -k actions 77 | 78 | ## 4.1.17 Ensure kernel module loading and unloading is collected 79 | -w /sbin/insmod -p x -k modules 80 | -w /sbin/rmmod -p x -k modules 81 | -w /sbin/modprobe -p x -k modules 82 | -a always,exit -F arch=b64 -S init_module -S delete_module -k modules 83 | 84 | ## 4.1.18 Ensure the audit configuration is immutable 85 | -e 2 86 | -------------------------------------------------------------------------------- /templates/auditd.conf.j2: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | # 3 | # This is set based on the CIS Benchmarks section 4.1 4 | # 5 | # This file controls the configuration of the audit daemon 6 | # 7 | 8 | local_events = {{ cis_local_events }} 9 | write_logs = {{ cis_write_logs }} 10 | log_file = {{ cis_log_file }} 11 | log_group = {{ cis_log_group }} 12 | log_format = {{ cis_log_format }} 13 | flush = {{ cis_flush }} 14 | freq = {{ cis_freq }} 15 | max_log_file = {{ cis_max_log_file }} 16 | num_logs = {{ cis_num_logs }} 17 | priority_boost = {{ cis_priority_boost }} 18 | disp_qos = {{ cis_disp_qos }} 19 | dispatcher = {{ cis_dispatcher }} 20 | name_format = {{ cis_name_format }} 21 | ##name = {{ cis_name }} 22 | max_log_file_action = {{ cis_max_log_file_action }} 23 | space_left = {{ cis_space_left }} 24 | space_left_action = {{ cis_space_left_action }} 25 | action_mail_acct = {{ cis_action_mail_acct }} 26 | admin_space_left = {{ cis_admin_space_left }} 27 | admin_space_left_action = {{ cis_admin_space_left_action }} 28 | disk_full_action = {{ cis_disk_full_action }} 29 | disk_error_action = {{ cis_disk_error_action }} 30 | use_libwrap = {{ cis_use_libwrap }} 31 | ##tcp_listen_port = {{ cis_tcp_listen_port }} 32 | tcp_listen_queue = {{ 
cis_tcp_listen_queue }} 33 | tcp_max_per_addr = {{ cis_tcp_max_per_addr }} 34 | ##tcp_client_ports = {{ cis_tcp_client_ports }} 35 | tcp_client_max_idle = {{ cis_tcp_client_max_idle }} 36 | enable_krb5 = {{ cis_enable_krb5 }} 37 | krb5_principal = {{ cis_krb5_principal }} 38 | ##krb5_key_file = {{ cis_krb5_key_file }} 39 | distribute_network = {{ cis_distribute_network }} 40 | -------------------------------------------------------------------------------- /templates/chrony.conf.j2: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | # 3 | # Use public servers from the pool.ntp.org project. 4 | # Please consider joining the pool (http://www.pool.ntp.org/join.html). 5 | #server 0.centos.pool.ntp.org iburst 6 | #server 1.centos.pool.ntp.org iburst 7 | #server 2.centos.pool.ntp.org iburst 8 | #server 3.centos.pool.ntp.org iburst 9 | 10 | # Our NTP Servers: 11 | {{ cis_chrony_servers }} 12 | 13 | # Record the rate at which the system clock gains/losses time. 14 | driftfile /var/lib/chrony/drift 15 | 16 | # Allow the system clock to be stepped in the first three updates 17 | # if its offset is larger than 1 second. 18 | makestep 1.0 3 19 | 20 | # Enable kernel synchronization of the real-time clock (RTC). 21 | rtcsync 22 | 23 | # Enable hardware timestamping on all interfaces that support it. 24 | #hwtimestamp * 25 | 26 | # Increase the minimum number of selectable sources required to adjust 27 | # the system clock. 28 | #minsources 2 29 | 30 | # Allow NTP client access from local network. 31 | #allow 192.168.0.0/16 32 | 33 | # Serve time even if not synchronized to a time source. 34 | #local stratum 10 35 | 36 | # Specify file containing keys for NTP authentication. 37 | #keyfile /etc/chrony.keys 38 | 39 | # Specify directory for log files. 40 | logdir /var/log/chrony 41 | 42 | # Select which information is logged. 
43 | #log measurements statistics tracking 44 | -------------------------------------------------------------------------------- /templates/logrotate.conf.j2: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | # 3 | # see "man logrotate" for details 4 | # rotate log files weekly 5 | # weekly 6 | {{ cis_logrotate_period }} 7 | 8 | # keep 4 weeks worth of backlogs 9 | # rotate 4 10 | {{ cis_logrotate_keep }} 11 | 12 | # create new (empty) log files after rotating old ones 13 | # create 14 | {{ cis_logrotate_create }} 15 | 16 | # use date as a suffix of the rotated file 17 | # dateext 18 | {{ cis_logrotate_suffix }} 19 | 20 | # uncomment this if you want your log files compressed 21 | #compress 22 | 23 | # RPM packages drop log rotation information into this directory 24 | include /etc/logrotate.d 25 | 26 | # no packages own wtmp and btmp -- we'll rotate them here 27 | /var/log/wtmp { 28 | monthly 29 | create 0664 root utmp 30 | minsize 1M 31 | rotate 1 32 | } 33 | 34 | /var/log/btmp { 35 | missingok 36 | monthly 37 | create 0600 root utmp 38 | rotate 1 39 | } 40 | 41 | # system-specific logs may be also be configured here. 42 | -------------------------------------------------------------------------------- /templates/ntp.conf.j2: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | # 3 | # For more information about this file, see the man pages 4 | # ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5). 5 | 6 | driftfile /var/lib/ntp/drift 7 | 8 | # Permit time synchronization with our time source, but do not 9 | # permit the source to query or modify the service on this system. 10 | restrict default kod nomodify notrap nopeer noquery 11 | restrict -6 default kod nomodify notrap nopeer noquery 12 | 13 | # The configuration directive tinker panic 0 instructs NTP not to 14 | # give up if it sees a large jump in time. 
This is important for coping 15 | # with large time drifts and also resuming virtual machines from their 16 | # suspended state. 17 | tinker panic 0 18 | 19 | # Permit all access over the loopback interface. This could 20 | # be tightened as well, but to do so would effect some of 21 | # the administrative functions. 22 | restrict 127.0.0.1 23 | restrict -6 ::1 24 | 25 | # Hosts on local network are less restricted. 26 | #restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap 27 | 28 | # Use public servers from the pool.ntp.org project. 29 | # Please consider joining the pool (http://www.pool.ntp.org/join.html). 30 | #server 0.rhel.pool.ntp.org 31 | #server 1.rhel.pool.ntp.org 32 | #server 2.rhel.pool.ntp.org 33 | 34 | #broadcast 192.168.1.255 autokey # broadcast server 35 | #broadcastclient # broadcast client 36 | #broadcast 224.0.1.1 autokey # multicast server 37 | #multicastclient 224.0.1.1 # multicast client 38 | #manycastserver 239.255.254.254 # manycast server 39 | #manycastclient 239.255.254.254 autokey # manycast client 40 | 41 | # Undisciplined Local Clock. This is a fake driver intended for backup 42 | # and when no outside source of synchronized time is available. 43 | #server 127.127.1.0 # local clock 44 | #fudge 127.127.1.0 stratum 10 45 | 46 | # Enable public key cryptography. 47 | #crypto 48 | 49 | #includefile /etc/ntp/crypto/pw 50 | 51 | # Key file containing the keys and key identifiers used when operating 52 | # with symmetric key cryptography. 53 | #keys /etc/ntp/keys 54 | 55 | # Specify the key identifiers which are trusted. 56 | #trustedkey 4 8 42 57 | 58 | # Specify the key identifier to use with the ntpdc utility. 59 | #requestkey 8 60 | 61 | # Specify the key identifier to use with the ntpq utility. 62 | #controlkey 8 63 | 64 | # Enable writing of statistics records. 
65 | #statistics clockstats cryptostats loopstats peerstats 66 | 67 | # Eliminate unnecessary synchronization messages 68 | logconfig -syncstatus +sysevents 69 | 70 | {% if ansible_distribution_major_version|int >= 6 %} 71 | # Bind to just the primary interface 72 | interface ignore wildcard 73 | interface listen {{ansible_default_ipv4.address}} 74 | 75 | {% endif %} 76 | # Our ntp sources 77 | {% if 'INFS_NTP' in group_names %} 78 | {{ cis_ntp_servers }} 79 | {% else %} 80 | {{ cis_ntp_clients }} 81 | {% endif %} 82 | -------------------------------------------------------------------------------- /templates/old/password-auth-local.080818: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | # 3 | # Instructions provided by RedHat in the following link: 4 | # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/chap-Hardening_Your_System_with_Tools_and_Services.html 5 | # Modified to meet CIS requirements - testing 6 | auth required pam_faillock.so preauth audit silent deny={{ cis_pwfailed_attempts }} unlock_time={{ cis_pwunlock_time }} 7 | auth [success=1 default=bad] pam_unix.so 8 | auth [default=die] pam_faillock.so authfail audit deny={{ cis_pwfailed_attempts }} unlock_time={{ cis_pwunlock_time }} 9 | auth sufficient pam_faillock.so authsucc audit deny={{ cis_pwfailed_attempts }} unlock_time={{ cis_pwunlock_time }} 10 | auth include password-auth-ac 11 | 12 | account required pam_faillock.so 13 | account include password-auth-ac 14 | 15 | password requisite pam_pwquality.so try_first_pass 16 | password requisite pam_pwquality.so retry={{ cis_pwretry_number }} 17 | password sufficient pam_unix.so remember={{ cis_pwreuse_number }} 18 | password sufficient pam_unix.so {{ cis_passwd_hash }} 19 | password include password-auth-ac 20 | 21 | session include password-auth-ac 22 | -------------------------------------------------------------------------------- 
/templates/old/password-auth-local.j2: -------------------------------------------------------------------------------- 1 | # Template file generated by Ansible 2 | # Instructions provided by RedHat in the following link: 3 | # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/chap-Hardening_Your_System_with_Tools_and_Services.html 4 | # 5 | auth required pam_faillock.so preauth audit silent deny={{ cis_pwfailed_attempts }} unlock_time={{ cis_pwunlock_time }} 6 | auth sufficient pam_faillock.so authsucc audit deny={{ cis_pwfailed_attempts }} unlock_time={{ cis_pwunlock_time }} 7 | auth include password-auth-ac 8 | auth [default=die] pam_faillock.so authfail audit deny={{ cis_pwfailed_attempts }} unlock_time={{ cis_pwunlock_time }} 9 | 10 | account required pam_faillock.so 11 | account include password-auth-ac 12 | 13 | password requisite pam_pwquality.so try_first_pass 14 | password requisite pam_pwquality.so retry={{ cis_pwretry_number }} 15 | password sufficient pam_unix.so remember={{ cis_pwreuse_number }} 16 | password sufficient pam_unix.so {{ cis_passwd_hash }} 17 | password include password-auth-ac 18 | 19 | session include password-auth-ac 20 | -------------------------------------------------------------------------------- /templates/old/password-auth-local.j2.27Aug18: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | # 3 | # Instructions provided by RedHat in the following link: 4 | # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/chap-Hardening_Your_System_with_Tools_and_Services.html 5 | # Modified to meet CIS requirements - testing 6 | auth required pam_faillock.so preauth audit silent deny={{ cis_pwfailed_attempts }} unlock_time={{ cis_pwunlock_time }} 7 | auth [success=1 default=bad] pam_unix.so 8 | auth [default=die] pam_faillock.so authfail audit deny={{ cis_pwfailed_attempts }} unlock_time={{ 
cis_pwunlock_time }} 9 | auth sufficient pam_faillock.so authsucc audit deny={{ cis_pwfailed_attempts }} unlock_time={{ cis_pwunlock_time }} 10 | auth include password-auth-ac 11 | 12 | account required pam_faillock.so 13 | account include password-auth-ac 14 | 15 | password requisite pam_pwquality.so try_first_pass retry={{ cis_pwretry_number }} 16 | password sufficient pam_unix.so remember={{ cis_pwreuse_number }} 17 | password sufficient pam_unix.so {{ cis_passwd_hash }} 18 | password include password-auth-ac 19 | 20 | session include password-auth-ac 21 | -------------------------------------------------------------------------------- /templates/old/password-auth-local.j2.28Aug18: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | # 3 | # Instructions provided by RedHat in the following link: 4 | # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/chap-Hardening_Your_System_with_Tools_and_Services.html 5 | # Modified to meet CIS requirements - testing 6 | auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900 7 | auth sufficient pam_unix.so nullok try_first_pass 8 | auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900 9 | auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900 10 | auth sufficient pam_unix.so nullok try_first_pass 11 | 12 | #auth required pam_faillock.so preauth audit silent deny={{ cis_pwfailed_attempts }} unlock_time={{ cis_pwunlock_time }} 13 | #auth [success=1 default=bad] pam_unix.so 14 | #auth [default=die] pam_faillock.so authfail audit deny={{ cis_pwfailed_attempts }} unlock_time={{ cis_pwunlock_time }} 15 | #auth sufficient pam_faillock.so authsucc audit deny={{ cis_pwfailed_attempts }} unlock_time={{ cis_pwunlock_time }} 16 | 17 | account required pam_faillock.so 18 | #account include password-auth-ac 19 | 20 | password requisite pam_pwquality.so try_first_pass retry={{ 
cis_pwretry_number }} 21 | password sufficient pam_unix.so remember={{ cis_pwreuse_number }} 22 | password sufficient pam_unix.so {{ cis_passwd_hash }} 23 | #password include password-auth-ac 24 | 25 | #session include password-auth-ac 26 | -------------------------------------------------------------------------------- /templates/old/password-auth-local.old: -------------------------------------------------------------------------------- 1 | #%PAM-1.0 2 | # This file is a template file put in place by Ansible 3 | # It is following the guidance provided by RedHat to set the failed and password history settings 4 | # See here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/chap-Hardening_Your_System_with_Tools_and_Services.html 5 | # It would be better to use an external / centralized system to manage users however through SSSD 6 | # User changes will be destroyed the next time authconfig is run. 7 | auth required pam_env.so 8 | auth sufficient pam_unix.so nullok try_first_pass 9 | auth requisite pam_succeed_if.so uid >= 1000 quiet_success 10 | auth required pam_deny.so 11 | 12 | account required pam_unix.so 13 | account sufficient pam_localuser.so 14 | account sufficient pam_succeed_if.so uid < 1000 quiet 15 | account required pam_permit.so 16 | 17 | password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= 18 | password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok 19 | password required pam_deny.so 20 | 21 | session optional pam_keyinit.so revoke 22 | session required pam_limits.so 23 | -session optional pam_systemd.so 24 | session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid 25 | session required pam_unix.so 26 | -------------------------------------------------------------------------------- /templates/old/system-auth-local.080818: -------------------------------------------------------------------------------- 1 | # {{ 
ansible_managed }} 2 | # 3 | # This is a file generated from a template from Ansible 4 | # Instructions were provided by RedHat from the following site: 5 | # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/chap-Hardening_Your_System_with_Tools_and_Services.html 6 | # 7 | auth required pam_faillock.so preauth audit silent deny={{ cis_pwfailed_attempts }} unlock_time={{ cis_pwunlock_time }} 8 | auth [success=1 default=bad] pam_unix.so 9 | auth [default=die] pam_faillock.so authfail audit deny={{ cis_pwfailed_attempts }} unlock_time={{ cis_pwunlock_time }} 10 | auth sufficient pam_faillock.so authsucc audit deny={{ cis_pwfailed_attempts }} unlock_time={{ cis_pwunlock_time }} 11 | auth include password-auth-ac 12 | 13 | account required pam_faillock.so 14 | account include system-auth-ac 15 | 16 | password requisite pam_pwquality.so try_first_pass 17 | password requisite pam_pwquality.so retry={{ cis_pwretry_number }} 18 | password sufficient pam_unix.so remember={{ cis_pwreuse_number }} 19 | password sufficient pam_unix.so {{ cis_passwd_hash }} 20 | password include system-auth-ac 21 | 22 | session include system-auth-ac 23 | -------------------------------------------------------------------------------- /templates/old/system-auth-local.j2: -------------------------------------------------------------------------------- 1 | # This is a file generated from a template from Ansible 2 | # Instructions were provided by RedHat from the following site: 3 | # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/chap-Hardening_Your_System_with_Tools_and_Services.html 4 | # 5 | auth required pam_faillock.so preauth audit silent deny={{ cis_pwfailed_attempts }} unlock_time={{ cis_pwunlock_time }} 6 | auth sufficient pam_faillock.so authsucc audit deny={{ cis_pwfailed_attempts }} unlock_time={{ cis_pwunlock_time }} 7 | auth include password-auth-ac 8 | auth [default=die] pam_faillock.so 
authfail audit deny={{ cis_pwfailed_attempts }} unlock_time={{ cis_pwunlock_time }} 9 | 10 | account required pam_faillock.so 11 | account include system-auth-ac 12 | 13 | password requisite pam_pwquality.so try_first_pass 14 | password requisite pam_pwquality.so retry={{ cis_pwretry_number }} 15 | password sufficient pam_unix.so remember={{ cis_pwreuse_number }} 16 | password sufficient pam_unix.so {{ cis_passwd_hash }} 17 | password include system-auth-ac 18 | 19 | session include system-auth-ac 20 | -------------------------------------------------------------------------------- /templates/old/system-auth-local.j2.27Aug18: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | # 3 | # This is a file generated from a template from Ansible 4 | # Instructions were provided by RedHat from the following site: 5 | # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/chap-Hardening_Your_System_with_Tools_and_Services.html 6 | # 7 | auth required pam_faillock.so preauth audit silent deny={{ cis_pwfailed_attempts }} unlock_time={{ cis_pwunlock_time }} 8 | auth [success=1 default=bad] pam_unix.so 9 | auth [default=die] pam_faillock.so authfail audit deny={{ cis_pwfailed_attempts }} unlock_time={{ cis_pwunlock_time }} 10 | auth sufficient pam_faillock.so authsucc audit deny={{ cis_pwfailed_attempts }} unlock_time={{ cis_pwunlock_time }} 11 | auth include password-auth-ac 12 | 13 | account required pam_faillock.so 14 | account include system-auth-ac 15 | 16 | password requisite pam_pwquality.so try_first_pass retry={{ cis_pwretry_number }} 17 | password sufficient pam_unix.so remember={{ cis_pwreuse_number }} 18 | password sufficient pam_unix.so {{ cis_passwd_hash }} 19 | password include system-auth-ac 20 | 21 | session include system-auth-ac 22 | -------------------------------------------------------------------------------- /templates/old/system-auth-local.j2.27Aug18-01: 
-------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | # 3 | # This is a file generated from a template from Ansible 4 | # Instructions were provided by RedHat from the following site: 5 | # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/chap-Hardening_Your_System_with_Tools_and_Services.html 6 | # 7 | auth required pam_faillock.so preauth audit silent deny={{ cis_pwfailed_attempts }} unlock_time={{ cis_pwunlock_time }} 8 | auth [success=1 default=bad] pam_unix.so 9 | auth [default=die] pam_faillock.so authfail audit deny={{ cis_pwfailed_attempts }} unlock_time={{ cis_pwunlock_time }} 10 | auth sufficient pam_faillock.so authsucc audit deny={{ cis_pwfailed_attempts }} unlock_time={{ cis_pwunlock_time }} 11 | auth include system-auth-ac 12 | 13 | account required pam_faillock.so 14 | account include system-auth-ac 15 | 16 | password requisite pam_pwquality.so try_first_pass retry={{ cis_pwretry_number }} 17 | password sufficient pam_unix.so remember={{ cis_pwreuse_number }} 18 | password sufficient pam_unix.so {{ cis_passwd_hash }} 19 | password include system-auth-ac 20 | 21 | session include system-auth-ac 22 | -------------------------------------------------------------------------------- /templates/old/system-auth-local.j2.28Aug18: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | # 3 | # This is a file generated from a template from Ansible 4 | # Instructions were provided by RedHat from the following site: 5 | # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/chap-Hardening_Your_System_with_Tools_and_Services.html 6 | # 7 | auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900 8 | auth sufficient pam_unix.so nullok try_first_pass 9 | auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900 10 | auth sufficient 
pam_faillock.so authsucc audit deny=5 unlock_time=900 11 | auth sufficient pam_unix.so nullok try_first_pass 12 | #auth required pam_faillock.so preauth audit silent deny={{ cis_pwfailed_attempts }} unlock_time={{ cis_pwunlock_time }} 13 | #auth [success=1 default=bad] pam_unix.so 14 | #auth [default=die] pam_faillock.so authfail audit deny={{ cis_pwfailed_attempts }} unlock_time={{ cis_pwunlock_time }} 15 | #auth sufficient pam_faillock.so authsucc audit deny={{ cis_pwfailed_attempts }} unlock_time={{ cis_pwunlock_time }} 16 | 17 | account required pam_faillock.so 18 | #account include system-auth-ac 19 | 20 | password requisite pam_pwquality.so try_first_pass retry={{ cis_pwretry_number }} 21 | password sufficient pam_unix.so remember={{ cis_pwreuse_number }} 22 | password sufficient pam_unix.so {{ cis_passwd_hash }} 23 | #password include system-auth-ac 24 | 25 | #session include system-auth-ac 26 | -------------------------------------------------------------------------------- /templates/password-auth-local.j2: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | # 3 | # Template version: 1.1.33 4 | # Instructions provided by RedHat in the following link: 5 | # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/chap-Hardening_Your_System_with_Tools_and_Services.html 6 | # Modified to meet CIS requirements - testing 7 | # This has been challenging - not a place you want to play in. NOTE(review): pam_unix.so appears twice as "sufficient" in the password stack below; once the remember= line succeeds the stack returns without reaching the cis_passwd_hash line, so that hashing option appears never to be applied - confirm, and carry both options on a single pam_unix.so line. 8 | auth required pam_faillock.so preauth audit silent deny={{ cis_pwfailed_attempts }} unlock_time={{ cis_pwunlock_time }} 9 | auth [success=1 default=bad] pam_unix.so 10 | auth [default=die] pam_faillock.so authfail audit deny={{ cis_pwfailed_attempts }} unlock_time={{ cis_pwunlock_time }} 11 | auth sufficient pam_faillock.so authsucc audit deny={{ cis_pwfailed_attempts }} unlock_time={{ cis_pwunlock_time }} 12 | 13 | account required pam_faillock.so 14 | account include 
password-auth-ac 15 | 16 | password requisite pam_pwquality.so try_first_pass retry={{ cis_pwretry_number }} 17 | password sufficient pam_unix.so remember={{ cis_pwreuse_number }} 18 | password sufficient pam_unix.so {{ cis_passwd_hash }} 19 | password include password-auth-ac 20 | 21 | session include password-auth-ac 22 | -------------------------------------------------------------------------------- /templates/system-auth-local.j2: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | # 3 | # Template version: 1.1.34 4 | # This is a file generated from a template from Ansible 5 | # Instructions were provided by RedHat from the following site: 6 | # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/chap-Hardening_Your_System_with_Tools_and_Services.html 7 | # Moved back to the CIS Benchmarks versions 8 | # This has been challenging - I would not play too much in this space. NOTE(review): pam_unix.so appears twice as "sufficient" in the password stack below; once the remember= line succeeds the stack returns without reaching the cis_passwd_hash line, so that hashing option appears never to be applied - confirm, and carry both options on a single pam_unix.so line. 9 | auth required pam_faillock.so preauth audit silent deny={{ cis_pwfailed_attempts }} unlock_time={{ cis_pwunlock_time }} 10 | auth [success=1 default=bad] pam_unix.so 11 | auth [default=die] pam_faillock.so authfail audit deny={{ cis_pwfailed_attempts }} unlock_time={{ cis_pwunlock_time }} 12 | auth sufficient pam_faillock.so authsucc audit deny={{ cis_pwfailed_attempts }} unlock_time={{ cis_pwunlock_time }} 13 | 14 | account required pam_faillock.so 15 | account include system-auth-ac 16 | 17 | password requisite pam_pwquality.so try_first_pass retry={{ cis_pwretry_number }} 18 | password sufficient pam_unix.so remember={{ cis_pwreuse_number }} 19 | password sufficient pam_unix.so {{ cis_passwd_hash }} 20 | password include system-auth-ac 21 | 22 | session include system-auth-ac 23 | -------------------------------------------------------------------------------- /tests/ansible-review/config.ini: -------------------------------------------------------------------------------- 1 | [rules] 2 
| standards = tests/ansible-review/ 3 | -------------------------------------------------------------------------------- /tests/ansible-review/standards.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/HarryHarcourt/Ansible-RHEL7-CIS-Benchmarks/f5b769109f1e084b4eae149cea2a9453bb182d01/tests/ansible-review/standards.pyc -------------------------------------------------------------------------------- /tests/ansible.cfg: -------------------------------------------------------------------------------- 1 | [defaults] 2 | roles_path = ../../ 3 | -------------------------------------------------------------------------------- /tests/container.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | - hosts: localhost 5 | connection: local 6 | 7 | vars: 8 | test_ansible_version: "2.2" 9 | sanitised_test_ansible_version: "{{ test_ansible_version | regex_replace('\\.','_') }}" 10 | docker_image_name: "anthcourtney/cis-amazon-linux-{{ sanitised_test_ansible_version }}" 11 | docker_container_name: "anthcourtney-cis-amazon-linux-{{ sanitised_test_ansible_version }}" 12 | 13 | tasks: 14 | 15 | - block: 16 | - name: Create temp directory 17 | file: 18 | path: "{{ playbook_dir }}/tmp" 19 | state: directory 20 | 21 | - name: Create Dockerfile 22 | template: 23 | src: "{{ playbook_dir }}/templates/Dockerfile.j2" 24 | dest: "{{ playbook_dir }}/tmp/Dockerfile" 25 | 26 | - name: Build docker image 27 | docker_image: 28 | name: "{{ docker_image_name }}" 29 | state: present 30 | path: . 
31 | dockerfile: "{{ playbook_dir }}/tmp/Dockerfile" 32 | force: yes 33 | 34 | - name: Test playbook within docker container 35 | docker_container: 36 | command: "/sbin/my_init -- ansible-playbook -i localhost, --e \"cis_level_1_exclusions=['3.2.8','5.3.4']\" playbook.yml" 37 | detach: false 38 | image: "{{ docker_image_name }}" 39 | name: "{{ docker_container_name }}" 40 | privileged: yes 41 | state: started 42 | 43 | always: 44 | - name: Cleanup docker container 45 | docker_container: 46 | name: "{{ docker_container_name }}" 47 | state: absent 48 | 49 | - name: Cleanup temp directory 50 | file: 51 | path: "{{ playbook_dir }}/tmp" 52 | state: absent 53 | -------------------------------------------------------------------------------- /tests/inventory: -------------------------------------------------------------------------------- 1 | localhost -------------------------------------------------------------------------------- /tests/playbook.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | - hosts: localhost 5 | connection: local 6 | become: yes 7 | 8 | roles: 9 | - anthcourtney.cis-amazon-linux 10 | -------------------------------------------------------------------------------- /tests/templates/Dockerfile.j2: -------------------------------------------------------------------------------- 1 | FROM lambdalinux/baseimage-amzn:2016.09-000 2 | 3 | RUN \ 4 | # Install ansible 5 | yum -y install \ 6 | gcc \ 7 | libffi-devel \ 8 | openssl-devel \ 9 | python27-devel \ 10 | python27-pip && \ 11 | pip-2.7 install ansible=={{ test_ansible_version }} 12 | 13 | ADD . 
/tmp 14 | 15 | WORKDIR /tmp 16 | -------------------------------------------------------------------------------- /vars/main.yml: -------------------------------------------------------------------------------- 1 | # Standards: 1.1.37 2 | --- 3 | 4 | # Modified by Ben to test impact 5 | # cis_target_os_distribution: "Amazon" 6 | cis_target_os_distribution: 7 | - "RedHat" 8 | - "CentOS" 9 | cis_target_os_versions: 10 | - "7.1" 11 | - "7.2" 12 | - "7.3" 13 | - "7.4" 14 | - "7.5" 15 | - "7.6" 16 | - "7.7" 17 | cis_modprobe_conf_filename: "/etc/modprobe.d/CIS.conf" 18 | cis_aide_database_filename: "/var/lib/aide/aide.db.gz" 19 | # cis_grub_bootloader_filename: "/boot/grub/menu.lst" 20 | cis_grub_bootloader_filename: "/boot/grub2/grub.cfg" 21 | cis_sysconfig_init_filename: "/etc/sysconfig/init" 22 | cis_security_limits_filename: "/etc/security/limits.conf" 23 | --------------------------------------------------------------------------------