├── .gitignore
├── .gitmodules
├── README.md
├── archived
│   ├── CONTRIBUTING.md
│   ├── LICENSE
│   ├── README.md
│   ├── meltdown-spectre-linux.yml
│   ├── meltdown-spectre-windows.yml
│   └── stig.yml
└── images
    ├── LEBlue.svg
    ├── LockdownEnterprise.svg
    └── MPG-logo-mono-blue.svg

/.gitignore:
--------------------------------------------------------------------------------
.DS_Store

--------------------------------------------------------------------------------
/.gitmodules:
--------------------------------------------------------------------------------
[submodule "RHEL6-STIG"]
	path = RHEL6-STIG
	url = https://github.com/MindPointGroup/RHEL6-STIG
[submodule "RHEL7-STIG"]
	path = RHEL7-STIG
	url = https://github.com/MindPointGroup/RHEL7-STIG.git
[submodule "RHEL7-CIS"]
	path = RHEL7-CIS
	url = https://github.com/MindPointGroup/RHEL7-CIS
# The three Windows submodules use SSH URLs: `git submodule update` on them
# needs a GitHub SSH key, or the URLs rewritten to https:// for anonymous clones.
[submodule "Windows-2012-Domain-Controller-STIG"]
	path = Windows-2012-Domain-Controller-STIG
	url = git@github.com:MindPointGroup/Windows-2012-Domain-Controller-STIG.git
[submodule "Windows-2012-Member-Server-STIG"]
	path = Windows-2012-Member-Server-STIG
	url = git@github.com:MindPointGroup/Windows-2012-Member-Server-STIG.git
[submodule "Windows-2008R2-Member-Server-STIG"]
	path = Windows-2008R2-Member-Server-STIG
	url = git@github.com:MindPointGroup/Windows-2008R2-Member-Server-STIG.git

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Archived: Ansible Lockdown

Brought to you by [MindPoint Group][mpg]

This content is no longer maintained.
For the latest content and a wider set of baselines, see:

- [Lockdown Enterprise][lockdown]
- [github.com/ansible-lockdown][repos]

## Join the discussion

Join our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users.

http://www.lockdownenterprise.com

https://www.mindpointgroup.com

[mpg]: https://www.mindpointgroup.com/
[lockdown]: http://www.lockdownenterprise.com
[repos]: https://github.com/orgs/ansible-lockdown/repositories

--------------------------------------------------------------------------------
/archived/CONTRIBUTING.md:
--------------------------------------------------------------------------------
Ansible Lockdown
================

If you're reading this, hopefully you are considering helping out with the Lockdown project.

Herein lie the contribution guidelines for this project. Take the guidelines literally. If you find an issue with any of them, or see room for improvement, please let us know via a GitHub issue or via the [Lockdown mailing list][mail].

## Rules ##

* Should you find a security vulnerability, please contact security@ansible.com immediately rather than opening a public issue.
* The Ansible [Code of Conduct][coc] still applies.
* Should you wish to work on a completely new standard, GREAT, but please contact the mailing list first, as we will want to create a repo for you to work from.
* To contribute, fork and make a pull request against the `devel` branch.

## Style Guide ##

All module arguments should be written in YAML dictionary form, not as a `key=value` string.

```yml
# This
- name: Create a directory
  file:
      state: directory
      path: /tmp/deletethis

# Not this
- name: Create a directory
  file: state=directory path=/tmp/deletethis
```

There should be no space before a task hyphen.
```yml
# This
- name: Do something

# Not this
 - name: Do something
```

Module arguments should be indented four spaces.

```yml
# This
- name: Create a directory
  file:
      state: directory
      path: /tmp/deletethis

# Not This
- name: Create a directory
  file:
    state: directory
    path: /tmp/deletethis
```

* There should be a single line break between tasks
* Every task (except `prelim` tasks) should have, at a minimum and when applicable, the following tags in the following order:
    * Category level (`cat1`, `cat2`, `cat3`), applied in the top level `main.yml` include, except for `prelim.yml`
    * Severity level (`high`, `medium`, `low`), applied in the top level `main.yml` include, except for `prelim.yml`
    * Vulnerability ID number, STIG ID, or CIS rule number. Examples:
        * Vulnerability ID number in the case of RHEL6 STIG
        * STIG ID in the case of RHEL7 STIG
        * Section, chapter, etc. style rule number (e.g. `rule_1.1.1.1`) in the case of RHEL7 CIS
    * Descriptive tags to help with granular execution of tasks
* Tags should be in multi-line format and indented four spaces, just like module arguments above

```yml
# This
- name: "HIGH | V-38491 | AUDIT | There must be no hosts.equiv on the system"
  stat:
      path: /etc/hosts.equiv
  register: hosts_equiv_audit
  always_run: yes
  tags:
      - cat1
      - high
      - audit
      - V-38491
      - hosts_equiv

# Not This
- name: "HIGH | V-38491 | AUDIT | There must be no hosts.equiv on the system"
  stat:
    path: /etc/hosts.equiv
  register: hosts_equiv_audit
  always_run: yes
  tags:
    - cat1
    - high
    - audit
    - V-38491
    - hosts_equiv
```

Note that `always_run: yes` in this example was deprecated in Ansible 2.2 and removed in 2.4; on current releases use `check_mode: no`, which the fact gathering rules below already require.

* Tasks should run sequentially by vulnerability ID as listed in the given standard.
* Every task must be named and should adhere to the following convention:

```yml
- name: "$severity | $id_number | (PATCH|AUDIT) | $description_provided_by_standard"

- name: "HIGH | V-38476 | PATCH | Vendor-provided cryptographic certificates must be installed to verify the integrity of system software."
```

* If a task requires a previous check of some sort, e.g. listing the running services on the system, it should be grouped with the other check tasks in a single task file rather than spread throughout the role tasks. Such tasks should also be tagged `always` to ensure they run every time, whichever tags are selected.
* Only one standard should be remediated or checked per task, even if several remediations could be combined into a single task. The goal is granular remediation at the expense of efficiency.
* If multiple standards _must_ be combined into a single task, the name should adhere to the following convention:

```yml
- name: "MEDIUM | V-38443 | PATCH | The /etc/gshadow file must be owned by root.\n
         MEDIUM | V-38448 | PATCH | The /etc/gshadow file must be group-owned by root.\n
         MEDIUM | V-38449 | PATCH | The /etc/gshadow file must have mode 0000.\n"
```

* All fact gathering tasks should:
    * have `changed_when: no`, unless the task itself detects a needed change
    * have `check_mode: no`, so the facts are still gathered when the role runs in check mode
    * define `failed_when` where a non-zero exit status is a legitimate result rather than an error
    * register verbose variable names that end with `_audit`

### Running arbitrary commands ###

When using `command`, `shell`, `raw`, or `script`, an appropriate `changed_when` and/or `failed_when` must be set on the task rather than `ignore_errors`. Do not simply ignore errors on a task unless absolutely necessary. Take the time to properly evaluate and define the change and failure conditions.
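The conventions above, together with the `validate` parameter described under Configuration Validation, as an added example; this is not code from the Lockdown roles. V-38491 is the RHEL6 STIG rule used in the style examples; the sshd rule ID `V-XXXXX` is a placeholder, the `restart sshd` handler is assumed to exist in the role, and the descriptive tag names are illustrative.

```yaml
# Added example (not from the Lockdown roles): an AUDIT task that follows the
# fact-gathering rules, the PATCH task it gates, and a command-based check
# whose change/failure conditions are stated explicitly instead of using
# ignore_errors. V-XXXXX is a placeholder rule ID.

- name: "HIGH | V-38491 | AUDIT | There must be no hosts.equiv on the system"
  stat:
      path: /etc/hosts.equiv
  register: hosts_equiv_audit
  changed_when: no
  check_mode: no
  tags:
      - cat1
      - high
      - audit
      - V-38491
      - hosts_equiv

- name: "HIGH | V-38491 | PATCH | There must be no hosts.equiv on the system"
  file:
      path: /etc/hosts.equiv
      state: absent
  when: hosts_equiv_audit.stat.exists
  tags:
      - cat1
      - high
      - patch
      - V-38491
      - hosts_equiv

# grep exits 0 when PermitRootLogin is already "no", 1 when it is absent or set
# to anything else (a valid audit result, not a failure) and 2 when grep itself
# could not read the file, which is the only real failure here.
- name: "MEDIUM | V-XXXXX | AUDIT | The SSH daemon must not permit root login"
  command: grep -Eiq '^\s*PermitRootLogin\s+no\s*$' /etc/ssh/sshd_config
  register: sshd_root_login_audit
  changed_when: no
  check_mode: no
  failed_when: sshd_root_login_audit.rc == 2
  tags:
      - cat2
      - medium
      - audit
      - V-XXXXX
      - sshd

# validate runs sshd -t against the temporary copy (%s) before it replaces the
# live file; a syntax error fails the task and leaves sshd_config untouched.
# insertbefore: BOF keeps a newly added directive out of any trailing Match block.
- name: "MEDIUM | V-XXXXX | PATCH | The SSH daemon must not permit root login"
  lineinfile:
      path: /etc/ssh/sshd_config
      regexp: '^\s*#?\s*PermitRootLogin\s'
      line: 'PermitRootLogin no'
      insertbefore: BOF
      validate: '/usr/sbin/sshd -t -f %s'
  when: sshd_root_login_audit.rc != 0
  notify: restart sshd
  tags:
      - cat2
      - medium
      - patch
      - V-XXXXX
      - sshd
```

Running the role with `--tags audit` executes only the two AUDIT tasks, which is why they carry `check_mode: no` and never report a change; `--tags V-XXXXX` runs the audit and patch for that single rule.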
### Configuration Validation ###

It is quite common to modify critical system configuration files during the course of security hardening: `sudoers`, the PAM configuration and `sshd_config`, among others. Each of these can lock you out of the system completely if a syntax error is introduced. When modifying such files, all tasks should use the `validate` parameter (supported by `copy`, `template`, `lineinfile`, `blockinfile`, `replace` and `assemble`) so that the new content is checked with the component's own syntax checker, for example `visudo -cf %s` or `sshd -t -f %s`, before it replaces the live file; if the check fails, the task fails and the original file is left untouched. This will save you from the need to [bake a cake](http://jpmens.net/2013/02/12/sudo-bake-me-a-cake/).

[coc]:https://docs.ansible.com/ansible/latest/community/code_of_conduct.html
[mail]:https://groups.google.com/forum/#!forum/ansible-lockdown

--------------------------------------------------------------------------------
/archived/LICENSE:
--------------------------------------------------------------------------------
The MIT License (MIT)

Copyright (c) 2015 Ansible

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/archived/README.md:
--------------------------------------------------------------------------------
# Ansible Lockdown

## Brought to you by [MindPoint Group][mpg]

## For the latest content and a wider set of baselines, this has been moved to:

- ### [Lockdown Enterprise][lockdown]

- ### [Repositories][repos]

## Join us

Join our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users.

http://www.lockdownenterprise.com

https://www.mindpointgroup.com

[mpg]: https://www.mindpointgroup.com/
[lockdown]: http://www.lockdownenterprise.com
[repos]: https://github.com/orgs/ansible-lockdown/repositories

--------------------------------------------------------------------------------
/archived/meltdown-spectre-linux.yml:
--------------------------------------------------------------------------------
# https://meltdownattack.com

- name: Patch Linux systems against Meltdown and Spectre
  hosts: "{{ target_hosts | default('all') }}"
  become: yes

  vars:
    reboot_after_update: no
    # The pinned versions are the first fixed builds published in January 2018;
    # any later kernel or microcode build from the same vendor contains the fixes.
    packages:
      # https://access.redhat.com/security/vulnerabilities/speculativeexecution
      RedHat7:
        - kernel-3.10.0-693.11.6.el7
        - microcode_ctl-2.1-22.2.el7
        - perf-3.10.0-693.11.6.el7
        - python-perf-3.10.0-693.11.6.el7
      RedHat6:
        - kernel-2.6.32-696.18.7.el6
        - kernel-firmware-2.6.32-696.18.7.el6
        - perf-2.6.32-696.18.7.el6
        - python-perf-2.6.32-696.18.7.el6

      # https://www.debian.org/security/2018/dsa-4078
      Debian7: []
      Debian8: []
      Debian9:
        - linux-image-4.9.0-5-amd64

      # https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
      Ubuntu14: []
      Ubuntu16: []

  tasks:
    - name: RHEL | Install kernel updates
      yum:
        name: "{{ packages[ansible_os_family ~ ansible_distribution_major_version] }}"
        state: present
      # Guard on the lookup key so RedHat-family releases missing from
      # `packages` are skipped instead of failing on an undefined key.
      when:
        - ansible_pkg_mgr == 'yum'
        - (ansible_os_family ~ ansible_distribution_major_version) in packages
      notify: reboot system

    - name: DEBIAN | Install kernel updates
      apt:
        name: "{{ item }}"
        state: present
        update_cache: yes
        cache_valid_time: 3600
      # The loop is expanded before `when` is evaluated, so a missing key has to
      # be defaulted here rather than guarded in the condition.
      with_items: "{{ packages[ansible_distribution ~ ansible_distribution_major_version] | default([]) }}"
      when: ansible_pkg_mgr == 'apt'
      notify: reboot system

  handlers:
    # Fire-and-forget reboot: the play does not wait for the host to come back,
    # so any post-reboot verification belongs in a later play or run.
    - name: reboot system
      shell: sleep 3; reboot
      async: 15
      poll: 0
      when: reboot_after_update

--------------------------------------------------------------------------------
/archived/meltdown-spectre-windows.yml:
--------------------------------------------------------------------------------
# https://meltdownattack.com
# https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

- name: Patch Windows systems against Meltdown and Spectre
  hosts: "{{ target_hosts | default('all') }}"

  vars:
    reboot_after_update: no
    registry_keys:
      # On Windows Server the mitigations stay disabled after the update until
      # FeatureSettingsOverride/FeatureSettingsOverrideMask are set; 0 with a
      # mask of 3 enables both the Meltdown and the Spectre variant 2 mitigation.
      - path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
        name: FeatureSettingsOverride
        data: 0
        type: dword

      - path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
        name: FeatureSettingsOverrideMask
        data: 3
        type: dword

      # https://support.microsoft.com/en-us/help/4072699
      # Antivirus compatibility flag: Windows Update does not offer the
      # January 2018 security update until this value is present.
      - path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat
        name: cadca5fe-87d3-4b96-b7fb-a231484277cc
        type: dword
        data: '0x00000000'

  tasks:
    # The registry keys go in first: the QualityCompat flag gates whether the
    # update is offered at all, and the override keys only take effect on the
    # reboot that follows the update anyway.
    - name: Enable kernel protections
      win_regedit:
        path: "{{ item.path }}"
        name: "{{ item.name }}"
        data: "{{ item.data }}"
        type: "{{ item.type }}"
      with_items: "{{ registry_keys }}"
      notify: reboot windows system

    - name: Install security updates
      win_updates:
        category_names:
          - SecurityUpdates
      notify: reboot windows system

  handlers:
    - name: reboot windows system
      win_reboot:
        shutdown_timeout: 3600
        reboot_timeout: 3600
      when: reboot_after_update

--------------------------------------------------------------------------------
/archived/stig.yml:
--------------------------------------------------------------------------------
- name: Run the appropriate STIG
  hosts: "{{ target_hosts | default('all') }}"

  roles:
    # version_compare is the pre-2.5 name of the `version` filter.
    - role: RHEL6-STIG
      when:
        - ansible_os_family == 'RedHat'
        - ansible_distribution_major_version | version_compare('6', '=')

    - role: RHEL7-STIG
      when:
        - ansible_os_family == 'RedHat'
        - ansible_distribution_major_version | version_compare('7', '=')

--------------------------------------------------------------------------------
/images/LEBlue.svg:
--------------------------------------------------------------------------------
LockdownEnterprise-lock-white
--------------------------------------------------------------------------------
/images/LockdownEnterprise.svg:
--------------------------------------------------------------------------------
LockdownEnterprise-lock-white
--------------------------------------------------------------------------------
/images/MPG-logo-mono-blue.svg:
--------------------------------------------------------------------------------
MPG-logo-mono-blue
--------------------------------------------------------------------------------
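A follow-up play for `archived/meltdown-spectre-linux.yml`, added here as an example and not part of the archived repository. Installing the fixed kernel only helps once the host is running it, and `reboot_after_update` defaults to `no`, so this play is meant for a later run, after the reboot. It relies on the `/sys/devices/system/cpu/vulnerabilities/` files that kernels with the fixes (4.15 and the vendor backports) expose; the list of files and the wording of the messages are the play's own assumptions.

```yaml
# Added example, not one of the archived playbooks: confirm that the running
# kernel reports a mitigation for each issue. Each status file reads
# "Not affected", "Mitigation: ..." or "Vulnerable"; a missing file means the
# running kernel predates the fixes, which is treated as a failure too.

- name: Verify Meltdown and Spectre mitigations are active
  hosts: "{{ target_hosts | default('all') }}"
  become: yes

  vars:
    # Constructed list: meltdown is CVE-2017-5754, spectre_v1 CVE-2017-5753,
    # spectre_v2 CVE-2017-5715.
    vulnerability_files:
      - meltdown
      - spectre_v1
      - spectre_v2

  tasks:
    # Fact gathering task: never changes the host, still runs in check mode,
    # and a missing status file surfaces as a non-zero rc rather than a failure.
    - name: Read the kernel's mitigation status
      command: "cat /sys/devices/system/cpu/vulnerabilities/{{ item }}"
      register: mitigation_audit
      changed_when: no
      check_mode: no
      failed_when: no
      with_items: "{{ vulnerability_files }}"

    - name: Fail if any issue is unreported or still vulnerable
      fail:
        msg: "{{ item.item }}: {{ item.stdout if item.rc == 0 else 'no status file, running kernel predates the fixes' }}"
      when: item.rc != 0 or item.stdout.startswith('Vulnerable')
      with_items: "{{ mitigation_audit.results }}"
```

Run it with the same `target_hosts` as the patch play; a host that was patched but not yet rebooted fails on every file, which is the intended signal.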