├── .ansible-lint ├── .github ├── ISSUE_TEMPLATE │ ├── bug_report.md │ └── feature_request.md └── workflows │ └── main.yml ├── .gitignore ├── .travis.yml ├── LICENSE ├── Makefile ├── README.md ├── _.yamllint ├── defaults └── main.yml ├── files └── etc │ └── systemd │ └── system │ └── tmp.mount ├── handlers └── main.yml ├── meta └── main.yml ├── molecule └── default │ ├── INSTALL.rst │ ├── converge.yml │ ├── molecule.yml │ ├── prepare.yml │ └── verify.yml ├── requirements.txt ├── tasks ├── main.yml ├── post.yml ├── prelim.yml ├── section1.yml ├── section2.yml ├── section3.yml ├── section4.yml ├── section5.yml └── section6.yml ├── templates ├── at.allow.j2 ├── audit │ ├── ubuntu2004cis_rule_4_1_10.rules.j2 │ ├── ubuntu2004cis_rule_4_1_11.rules.j2 │ ├── ubuntu2004cis_rule_4_1_12.rules.j2 │ ├── ubuntu2004cis_rule_4_1_13.rules.j2 │ ├── ubuntu2004cis_rule_4_1_14.rules.j2 │ ├── ubuntu2004cis_rule_4_1_15.rules.j2 │ ├── ubuntu2004cis_rule_4_1_16.rules.j2 │ ├── ubuntu2004cis_rule_4_1_17.rules.j2 │ ├── ubuntu2004cis_rule_4_1_3.rules.j2 │ ├── ubuntu2004cis_rule_4_1_4.rules.j2 │ ├── ubuntu2004cis_rule_4_1_5.rules.j2 │ ├── ubuntu2004cis_rule_4_1_6.rules.j2 │ ├── ubuntu2004cis_rule_4_1_7.rules.j2 │ ├── ubuntu2004cis_rule_4_1_8.rules.j2 │ └── ubuntu2004cis_rule_4_1_9.rules.j2 ├── chrony.conf.j2 ├── cron.allow.j2 ├── etc │ ├── issue.j2 │ ├── issue.net.j2 │ └── motd.j2 └── ntp.conf.j2 ├── tests └── inventory └── vars └── main.yml /.ansible-lint: -------------------------------------------------------------------------------- 1 | exclude_paths: 2 | - molecule/ 3 | - .github/ 4 | - .travis.yml 5 | warn_list: # or 'skip_list' to silence them completely 6 | - fqcn-builtins 7 | - risky-file-permissions # NOTE(review): warning only, so tasks that create or copy files without an explicit mode do not fail CI; for a hardening role that writes under /etc, set mode explicitly in those tasks and consider taking this rule out of warn_list 8 | - yaml 9 | skip_list: 10 | - experimental 11 | - line-length 12 | - truthy 13 | - braces 14 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.md: 
-------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a report to help us improve 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Describe the bug** 11 | A clear and concise description of what the bug is. 12 | 13 | **To Reproduce** 14 | Steps to reproduce the behavior: 15 | 1. Go to '...' 16 | 2. Click on '....' 17 | 3. Scroll down to '....' 18 | 4. See error 19 | 20 | **Expected behavior** 21 | A clear and concise description of what you expected to happen. 22 | 23 | **Software (please complete the following information):** 24 | - Ansible Version: [e.g. 2.9.0] 25 | - Role/Repo Version [e.g. 1.0.0, master] 26 | 27 | **Additional context** 28 | Add any other context about the problem here. 29 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea for this project 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Is your feature request related to a problem? Please describe.** 11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] 12 | 13 | **Describe the solution you'd like** 14 | A clear and concise description of what you want to happen. 15 | 16 | **Describe alternatives you've considered** 17 | A clear and concise description of any alternative solutions or features you've considered. 18 | 19 | **Additional context** 20 | Add any other context or screenshots about the feature request here. 
21 | -------------------------------------------------------------------------------- /.github/workflows/main.yml: -------------------------------------------------------------------------------- 1 | name: Molecule 2 | 3 | on: 4 | push: 5 | branches: 6 | - main 7 | - dev* 8 | pull_request: 9 | 10 | jobs: # NOTE(review): there is no top-level permissions: block, so GITHUB_TOKEN gets the repository's default grant; nothing visible in these two jobs needs more than permissions: contents: read 11 | molecule: 12 | runs-on: ubuntu-latest 13 | steps: 14 | - name: Checkout 15 | uses: actions/checkout@v2 # NOTE(review): mutable tag; pin actions to a full commit SHA so a moved or compromised tag cannot change what runs in this workflow 16 | with: 17 | path: "${{ github.repository }}" 18 | 19 | - name: Molecule 20 | uses: gofrolist/molecule-action@v2 # NOTE(review): third-party action on a mutable major-version tag; pin to a commit SHA and review updates deliberately 21 | with: 22 | molecule_command: test 23 | molecule_args: -d docker 24 | #molecule_working_dir: thedatabaseme/cookbooks/ansible/molecule/molecule_test_role 25 | env: 26 | ANSIBLE_FORCE_COLOR: '1' 27 | release: # NOTE(review): this job has no condition, so it also runs for pull_request events and dev* pushes; gate it with "if: github.event_name == 'push' && github.ref == 'refs/heads/main'" — on fork PRs secrets.galaxy_api_key is empty and the step simply fails, and any dev* push triggers a Galaxy import of main 28 | needs: 29 | - molecule 30 | runs-on: ubuntu-latest 31 | steps: 32 | - name: galaxy 33 | uses: robertdebock/galaxy-action@1.2.0 # NOTE(review): this step receives the Galaxy API key; pin to a commit SHA rather than a tag 34 | with: 35 | galaxy_api_key: ${{ secrets.galaxy_api_key }} 36 | branch: main 37 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.swp 2 | *.retry 3 | .DS_Store 4 | test.yml 5 | tests/local-test.yml 6 | tests/.vagrant 7 | tests/Vagrantfile 8 | tests/test-inv 9 | tests/*.html 10 | tests/*.txt 11 | tests/*.retry 12 | .Python 13 | .molecule/ 14 | /bin/ 15 | /etc/ 16 | /include/ 17 | /lib/ 18 | pip-selfcheck.json 19 | /share/ 20 | molecule/default/cache 21 | /venv/ 22 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | --- 2 | os: linux 3 | dist: focal 4 | 5 | #sudo: required 6 | 7 | services: 8 | - docker 9 | 10 | language: python 11 | python: 12 | - "3.8" 13 | 14 | before_install: 15 | #- docker pull solita/ubuntu-systemd:bionic 16 | # - make bin/python 17 | 18 | script: 19 | - make travis 20 | 21 | notifications: 22 | webhooks: 
https://galaxy.ansible.com/api/v1/notifications/ 23 | 24 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 Florian Utz 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | # Makefile for Ubuntu2004-CIS 2 | .PHONY: help 3 | help: 4 | @echo 5 | @echo This Makefile is used to test this role. Typical use: 6 | @echo 7 | @echo ' make test' 8 | @echo ' make clean' 9 | @echo ' make travis' 10 | @echo 11 | @echo 12 | @echo To use the isolated environment from this directory: 13 | @echo 14 | @echo ' make venv' 15 | @echo ' . 
bin/activate' 16 | @echo 17 | @echo Molecule has built-in help 18 | @echo 19 | @echo 20 | 21 | # virtualenv allows isolation of python libraries 22 | .PHONY: venv 23 | venv: bin/python 24 | 25 | .PHONY: bin/python 26 | bin/python: 27 | pip -V || sudo easy_install pip 28 | # NOTE(review): easy_install has been removed from current setuptools, and installing into the system interpreter with sudo is best avoided; prefer `python3 -m pip install --user virtualenv` (or the distro package) for the bootstrap below. 29 | virtualenv --version || sudo easy_install virtualenv 30 | # Now with those two we can isolate our test setup. 31 | virtualenv venv 32 | venv/bin/pip install -r requirements.txt 33 | 34 | # cleanup virtualenv and molecule leftovers 35 | .PHONY: clean 36 | clean: 37 | rm -rf .molecule venv molecule/default/cache 38 | 39 | .PHONY: test 40 | test: bin/python 41 | ( . venv/bin/activate && venv/bin/molecule test ) 42 | 43 | .PHONY: travis 44 | travis: 45 | pip install -r requirements.txt 46 | molecule test 47 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Ubuntu 20.04 CIS STIG 2 | ================ 3 | 4 | [![Build Status](https://travis-ci.com/florianutz/ubuntu2004_cis.svg?branch=main)](https://travis-ci.com/florianutz/ubuntu2004_cis) 5 | [![Ansible Role](https://img.shields.io/badge/role-florianutz.ubuntu2004--cis-blue.svg)](https://galaxy.ansible.com/florianutz/ubuntu2004_cis/) 6 | 7 | **This role was migrated from the 18.04 role. The tasks are correct in content, but still have to be re-sorted to match the 20.04 Benchmark numbering. Contributions are welcome.** 8 | 9 | Configures an Ubuntu 20.04 machine to be CIS compliant. Level 1 and Level 2 findings are remediated by default. Level 2 items are the more intrusive ones (for example the separate-partition rules and the removal of X below), so review `defaults/main.yml` and disable what does not fit before applying this to an existing system. 10 | 11 | This role **will make changes to the system** that could break things. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted. 12 | 13 | Based on [CIS Ubuntu Linux 20.04 LTS Benchmark - v1.0.0 - 07-21-2020 ](https://www.cisecurity.org/cis-benchmarks/). 
14 | 15 | ## Feedback 16 | 17 | - If you like our work but cannot contribute to the code of the role by yourself, please take a moment to rate it in Ansible Galaxy. 18 | There you can easily give positive feedback to the developers about their work. 19 | [Galaxy Community Score](https://galaxy.ansible.com/florianutz/ubuntu2004_cis/) 20 | - If you find a bug within the role, but can't fix it yourself, please create a ticket with as many details as possible. Please keep in mind that all developers work on the project in their spare time, and it may take some time to get feedback [Issues Page](https://github.com/florianutz/ubuntu2004_cis/issues) 21 | 22 | ## IMPORTANT INSTALL STEP 23 | 24 | If you want to install this via the `ansible-galaxy` command you'll need to run it like this: 25 | 26 | `ansible-galaxy install -p roles -r requirements.yml` 27 | 28 | With this in the file requirements.yml: 29 | 30 | ``` 31 | - src: https://github.com/florianutz/ubuntu2004_cis.git 32 | ``` 33 | 34 | ## Example Playbook 35 | 36 | **You can find an example playbook below. please read the documentation anyway and check the settings for your case. For example, the default settings uninstall the X server!** 37 | 38 | ``` 39 | - name: Harden Server 40 | hosts: servers 41 | become: yes 42 | 43 | roles: 44 | - ubuntu2004_cis 45 | ``` 46 | 47 | To run the tasks in this repository, first create this file one level above the repository 48 | (i.e. the playbook .yml and the directory `ubuntu2004_cis` should be next to each other), 49 | then review the file `defaults/main.yml` and disable any rule/section you do not wish to execute. 50 | 51 | Assuming you named the file `site.yml`, run it with: 52 | ```bash 53 | ansible-playbook site.yml 54 | ``` 55 | 56 | ## Requirements 57 | 58 | You should carefully read through the tasks to make sure these changes will not break your systems before running this playbook. 
59 | 60 | ## Role Variables 61 | 62 | There are many role variables defined in defaults/main.yml. This list shows the most important. 63 | 64 | **ubuntu2004cis_notauto**: Run CIS checks that we typically do NOT want to automate due to the high probability of breaking the system (Default: false) 65 | 66 | **ubuntu2004cis_section1**: CIS - General Settings (Section 1) (Default: true) 67 | 68 | **ubuntu2004cis_section2**: CIS - Services settings (Section 2) (Default: true) 69 | 70 | **ubuntu2004cis_section3**: CIS - Network settings (Section 3) (Default: true) 71 | 72 | **ubuntu2004cis_section4**: CIS - Logging and Auditing settings (Section 4) (Default: true) 73 | 74 | **ubuntu2004cis_section5**: CIS - Access, Authentication and Authorization settings (Section 5) (Default: true) 75 | 76 | **ubuntu2004cis_section6**: CIS - System Maintenance settings (Section 6) (Default: true) 77 | 78 | ### Disable all selinux functions 79 | `ubuntu2004cis_selinux_disable: false` 80 | (Ubuntu 20.04 uses AppArmor as its mandatory access control, see section 1.7 below; this switch appears to be carried over from the RHEL role this repository originated from, so check `defaults/main.yml` and the tasks for whether it has any effect on Ubuntu.) 81 | ### Service variables 82 | #### These control whether a server should or should not be allowed to continue to run these services 83 | 84 | ``` 85 | ubuntu2004cis_avahi_server: false 86 | ubuntu2004cis_cups_server: false 87 | ubuntu2004cis_dhcp_server: false 88 | ubuntu2004cis_ldap_server: false 89 | ubuntu2004cis_telnet_server: false 90 | ubuntu2004cis_nfs_server: false 91 | ubuntu2004cis_rpc_server: false 92 | ubuntu2004cis_ntalk_server: false 93 | ubuntu2004cis_rsyncd_server: false 94 | ubuntu2004cis_tftp_server: false 95 | ubuntu2004cis_rsh_server: false 96 | ubuntu2004cis_nis_server: false 97 | ubuntu2004cis_snmp_server: false 98 | ubuntu2004cis_squid_server: false 99 | ubuntu2004cis_smb_server: false 100 | ubuntu2004cis_dovecot_server: false 101 | ubuntu2004cis_httpd_server: false 102 | ubuntu2004cis_vsftpd_server: false 103 | ubuntu2004cis_named_server: false 104 | ubuntu2004cis_allow_autofs: false 105 | ``` 106 | 107 | ### Designate server as a Mail server 108 | `ubuntu2004cis_is_mail_server: 
false` 109 | 110 | 111 | #### System network parameters (host only OR host and router) 112 | `ubuntu2004cis_is_router: false` 113 | 114 | 115 | #### IPv6 required 116 | `ubuntu2004cis_ipv6_required: true` 117 | 118 | 119 | ### AIDE 120 | `ubuntu2004cis_config_aide: true` 121 | 122 | #### AIDE cron settings 123 | ``` 124 | ubuntu2004cis_aide_cron: 125 | cron_user: root 126 | cron_file: /etc/crontab 127 | aide_job: '/usr/sbin/aide --check' 128 | aide_minute: 0 129 | aide_hour: 5 130 | aide_day: '*' 131 | aide_month: '*' 132 | aide_weekday: '*' 133 | ``` 134 | 135 | 136 | ### Set to 'true' if X Windows is needed in your environment 137 | `ubuntu2004cis_xwindows_required: no` 138 | 139 | 140 | ### Client application requirements 141 | ``` 142 | ubuntu2004cis_openldap_clients_required: false 143 | ubuntu2004cis_telnet_required: false 144 | ubuntu2004cis_talk_required: false 145 | ubuntu2004cis_rsh_required: false 146 | ubuntu2004cis_ypbind_required: false 147 | ubuntu2004cis_rpc_required: false 148 | ``` 149 | 150 | ### Time Synchronization 151 | ``` 152 | ubuntu2004cis_time_synchronization: chrony # or: ntp — set exactly one value; note the variable name is all lower-case 153 | 154 | 155 | ubuntu2004cis_time_synchronization_servers: 156 | - uri: "0.pool.ntp.org" 157 | config: "minpoll 8" 158 | - uri: "1.pool.ntp.org" 159 | config: "minpoll 8" 160 | - uri: "2.pool.ntp.org" 161 | config: "minpoll 8" 162 | - uri: "3.pool.ntp.org" 163 | config: "minpoll 8" 164 | 165 | ``` 166 | ### - name: "SCORED | 1.1.5 | PATCH | Ensure noexec option set on /tmp partition" 167 | It is not implemented: `noexec` on /tmp breaks `apt`, because package installation runs executable scripts out of /tmp. If you need 1.1.5 for compliance, apply it yourself and account for it in your patching process. (The recommendation list below still shows 1.1.5 without strike-through; treat it as not remediated by this role.) 168 | 169 | 170 | 171 | ### 1.5.3 | PATCH | Ensure authentication required for single user mode 172 | It is disabled by default because it sets a random root password that you will not know — with this rule enabled and no `ubuntu2004cis_root_password` set, nobody can authenticate in single-user mode afterwards. 
To enable it set: 173 | ```yaml 174 | ubuntu2004cis_rule_1_5_3: true 175 | ``` 176 | To use a password of your own instead of a random one (this becomes the root password, so do not commit it in clear text — keep it in an `ansible-vault`-encrypted file or pass it in from a secrets source): 177 | ```yaml 178 | ubuntu2004cis_root_password: 'new password' 179 | ``` 180 | 181 | ### Firewall 181 | ``` 182 | ubuntu2004cis_firewall: firewalld 183 | ubuntu2004cis_firewall: iptables 184 | ``` 185 | Set one of the two values. Note that the recommendation list below shows only the UFW section (3.5.1) as implemented, with nftables (3.5.2) and iptables (3.5.3) struck through, so verify in `defaults/main.yml` and `tasks/section3.yml` which values this role actually acts on. 186 | ### 5.3.1 | PATCH | Ensure password creation requirements are configured 187 | ``` 188 | ubuntu2004cis_pwquality: 189 | - key: 'minlen' 190 | value: '14' 191 | - key: 'dcredit' 192 | value: '-1' 193 | - key: 'ucredit' 194 | value: '-1' 195 | - key: 'ocredit' 196 | value: '-1' 197 | - key: 'lcredit' 198 | value: '-1' 199 | ``` 200 | 201 | 202 | ## Dependencies 203 | 204 | Developed and tested with Ansible 2.10 205 | 206 | 207 | ## Tags 208 | 209 | Many tags are available for precise control of what is and is not changed. 210 | 211 | Some examples of using tags: 212 | 213 | ``` 214 | # Run only the tasks tagged "patch" (the remediation tasks) 215 | ansible-playbook site.yml --tags="patch" 216 | ``` 217 | 218 | ## List of Recommendations: 219 | Struck-through items appear to be the ones this role does not remediate; confirm against `defaults/main.yml` before relying on any item for compliance. 220 | **1 Initial Setup** 221 | - **1.1 Filesystem Configuration** 222 | - 1.1.1 Disable unused filesystems 223 | - 1.1.1.1 Ensure mounting of cramfs filesystems is disabled (Automated) 224 | - 1.1.1.2 Ensure mounting of freevxfs filesystems is disabled - (Automated) 225 | - 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled (Automated) 226 | - 1.1.1.4 Ensure mounting of hfs filesystems is disabled (Automated) 227 | - 1.1.1.5 Ensure mounting of hfsplus filesystems is disabled - (Automated) 228 | - 1.1.1.6 Ensure mounting of udf filesystems is disabled (Automated) 229 | - 1.1.1.7 Ensure mounting of FAT filesystems is limited (Manual) 230 | - 1.1.2 Ensure /tmp is configured (Automated) 231 | - 1.1.3 Ensure nodev option set on /tmp partition (Automated) 232 | - 1.1.4 Ensure nosuid option set on /tmp partition (Automated) 233 | - 1.1.5 Ensure noexec option set on /tmp partition (Automated) 234 | - 1.1.6 Ensure /dev/shm is configured (Automated) 235 | - 
1.1.7 Ensure nodev option set on /dev/shm partition (Automated) 236 | - 1.1.8 Ensure nosuid option set on /dev/shm partition (Automated) 237 | - 1.1.9 Ensure noexec option set on /dev/shm partition (Automated) 238 | - 1.1.10 Ensure separate partition exists for /var (Automated) 239 | - 1.1.11 Ensure separate partition exists for /var/tmp (Automated) 240 | - 1.1.12 Ensure nodev option set on /var/tmp partition (Automated) 241 | - 1.1.13 Ensure nosuid option set on /var/tmp partition (Automated) 242 | - 1.1.14 Ensure noexec option set on /var/tmp partition (Automated) 243 | - 1.1.15 Ensure separate partition exists for /var/log (Automated) 244 | - 1.1.16 Ensure separate partition exists for /var/log/audit - (Automated) 245 | - 1.1.17 Ensure separate partition exists for /home (Automated) 246 | - 1.1.18 Ensure nodev option set on /home partition (Automated) 247 | - ~~1.1.19 Ensure nodev option set on removable media partitions (Manual)~~ 248 | - ~~1.1.20 Ensure nosuid option set on removable media partitions - (Manual)~~ 249 | - ~~1.1.21 Ensure noexec option set on removable media partitions - (Manual)~~ 250 | - 1.1.22 Ensure sticky bit is set on all world-writable directories - (Automated) 251 | - 1.1.23 Disable Automounting (Automated) 252 | - 1.1.24 Disable USB Storage (Automated) 253 | - **~~1.2 Configure Software Updates~~** 254 | - ~~1.2.1 Ensure package manager repositories are configured (Manual)~~ 255 | - ~~1.2.2 Ensure GPG keys are configured (Manual)~~ 256 | - **1.3 Configure sudo** 257 | - 1.3.1 Ensure sudo is installed (Automated) 258 | - 1.3.2 Ensure sudo commands use pty (Automated) 259 | - 1.3.3 Ensure sudo log file exists (Automated) 260 | - **1.4 Filesystem Integrity Checking** 261 | - 1.4.1 Ensure AIDE is installed (Automated) 262 | - 1.4.2 Ensure filesystem integrity is regularly checked (Automated) 263 | - **1.5 Secure Boot Settings** 264 | - 1.5.1 Ensure bootloader password is set (Automated) 265 | - 1.5.2 Ensure permissions on bootloader config 
are configured - (Automated) 266 | - 1.5.3 Ensure authentication required for single user mode (Automated) 267 | - **1.6 Additional Process Hardening** 268 | - 1.6.1 Ensure XD/NX support is enabled (Automated) 269 | - 1.6.2 Ensure address space layout randomization (ASLR) is enabled - (Automated) 270 | - 1.6.3 Ensure prelink is disabled (Automated) 271 | - 1.6.4 Ensure core dumps are restricted (Automated) 272 | - **1.7 Mandatory Access Control** 273 | - 1.7.1 Configure AppArmor 274 | - 1.7.1.1 Ensure AppArmor is installed (Automated) 275 | - 1.7.1.2 Ensure AppArmor is enabled in the bootloader configuration - (Automated) 276 | - ~~1.7.1.3 Ensure all AppArmor Profiles are in enforce or complain mode - (Automated)~~ 277 | - ~~1.7.1.4 Ensure all AppArmor Profiles are enforcing (Automated)~~ 278 | - **1.8 Warning Banners** 279 | - 1.8.1 Command Line Warning Banners 280 | - 1.8.1.1 Ensure message of the day is configured properly (Automated) 281 | - 1.8.1.2 Ensure local login warning banner is configured properly - (Automated) 282 | - 1.8.1.3 Ensure remote login warning banner is configured properly - (Automated) 283 | - 1.8.1.4 Ensure permissions on /etc/motd are configured (Automated) 284 | - 1.8.1.5 Ensure permissions on /etc/issue are configured (Automated) 285 | - 1.8.1.6 Ensure permissions on /etc/issue.net are configured - (Automated) 286 | - **1.9 Ensure updates, patches, and additional security software are - installed (Manual)** 287 | - **1.10 Ensure GDM is removed or login is configured (Automated)** 288 | 289 | **2 Services** 290 | - **2.1 inetd Services** 291 | - 2.1.1 Ensure xinetd is not installed (Automated) 292 | - 2.1.2 Ensure openbsd-inetd is not installed (Automated) 293 | - **2.2 Special Purpose Services** 294 | - 2.2.1 Time Synchronization 295 | - 2.2.1.1 Ensure time synchronization is in use (Automated) 296 | - ~~2.2.1.2 Ensure systemd-timesyncd is configured (Manual)~~ 297 | - 2.2.1.3 Ensure chrony is configured (Automated) 298 | - 2.2.1.4 
Ensure ntp is configured (Automated) 299 | - 2.2.2 Ensure X Window System is not installed (Automated) 300 | - 2.2.3 Ensure Avahi Server is not installed (Automated) 301 | - 2.2.4 Ensure CUPS is not installed (Automated) 302 | - 2.2.5 Ensure DHCP Server is not installed (Automated) 303 | - 2.2.6 Ensure LDAP server is not installed (Automated) 304 | - 2.2.7 Ensure NFS is not installed (Automated) 305 | - 2.2.8 Ensure DNS Server is not installed (Automated) 306 | - 2.2.9 Ensure FTP Server is not installed (Automated) 307 | - 2.2.10 Ensure HTTP server is not installed (Automated) 308 | - 2.2.11 Ensure IMAP and POP3 server are not installed (Automated) 309 | - 2.2.12 Ensure Samba is not installed (Automated) 310 | - 2.2.13 Ensure HTTP Proxy Server is not installed (Automated) 311 | - 2.2.14 Ensure SNMP Server is not installed (Automated) 312 | - 2.2.15 Ensure mail transfer agent is configured for local-only mode - (Automated) 313 | - 2.2.16 Ensure rsync service is not installed (Automated) 314 | - 2.2.17 Ensure NIS Server is not installed (Automated) 315 | - **2.3 Service Clients** 316 | - 2.3.1 Ensure NIS Client is not installed (Automated) 317 | - 2.3.2 Ensure rsh client is not installed (Automated) 318 | - 2.3.3 Ensure talk client is not installed (Automated) 319 | - 2.3.4 Ensure telnet client is not installed (Automated) 320 | - 2.3.5 Ensure LDAP client is not installed (Automated) 321 | - 2.3.6 Ensure RPC is not installed (Automated) 322 | - **2.4 Ensure nonessential services are removed or masked (Manual)** 323 | 324 | **3 Network Configuration** 325 | - **3.1 Disable unused network protocols and devices** 326 | - 3.1.1 Disable IPv6 (Manual) 327 | - 3.1.2 Ensure wireless interfaces are disabled (Automated) 328 | - **3.2 Network Parameters (Host-Only)** 329 | - 3.2.1 Ensure packet redirect sending is disabled (Automated) 330 | - 3.2.2 Ensure IP forwarding is disabled (Automated) 331 | - **3.3 Network Parameters (Host and Router)** 332 | - 3.3.1 Ensure 
source-routed packets are not accepted (Automated) 333 | - 3.3.2 Ensure ICMP redirects are not accepted (Automated) 334 | - 3.3.3 Ensure secure ICMP redirects are not accepted (Automated) 335 | - 3.3.4 Ensure suspicious packets are logged (Automated) 336 | - 3.3.5 Ensure broadcast ICMP requests are ignored (Automated) 337 | - 3.3.6 Ensure bogus ICMP responses are ignored (Automated) 338 | - 3.3.7 Ensure Reverse Path Filtering is enabled (Automated) 339 | - 3.3.8 Ensure TCP SYN Cookies is enabled (Automated) 340 | - 3.3.9 Ensure IPv6 router advertisements are not accepted (Automated) 341 | - **3.4 Uncommon Network Protocols** 342 | - 3.4.1 Ensure DCCP is disabled (Automated) 343 | - 3.4.2 Ensure SCTP is disabled (Automated) 344 | - 3.4.3 Ensure RDS is disabled (Automated) 345 | - 3.4.4 Ensure TIPC is disabled (Automated) 346 | - **3.5 Firewall Configuration** 347 | - 3.5.1 Configure UncomplicatedFirewall 348 | - 3.5.1.1 Ensure Uncomplicated Firewall is installed (Automated) 349 | - 3.5.1.2 Ensure iptables-persistent is not installed (Automated) 350 | - 3.5.1.3 Ensure ufw service is enabled (Automated) 351 | - 3.5.1.4 Ensure loopback traffic is configured (Automated) 352 | - 3.5.1.5 Ensure outbound connections are configured (Manual) 353 | - 3.5.1.6 Ensure firewall rules exist for all open ports (Manual) 354 | - 3.5.1.7 Ensure default deny firewall policy (Automated) 355 | - ~~3.5.2 Configure nftables~~ 356 | - ~~3.5.2.1 Ensure nftables is installed (Automated)~~ 357 | - ~~3.5.2.2 Ensure Uncomplicated Firewall is not installed or disabled - (Automated)~~ 358 | - ~~3.5.2.3 Ensure iptables are flushed (Manual)~~ 359 | - ~~3.5.2.4 Ensure a table exists (Automated)~~ 360 | - ~~3.5.2.5 Ensure base chains exist (Automated)~~ 361 | - ~~3.5.2.6 Ensure loopback traffic is configured (Automated)~~ 362 | - ~~3.5.2.7 Ensure outbound and established connections are configured - (Manual)~~ 363 | - ~~3.5.2.8 Ensure default deny firewall policy (Automated)~~ 364 | - ~~3.5.2.9 Ensure 
nftables service is enabled (Automated)~~ 365 | - ~~3.5.2.10 Ensure nftables rules are permanent (Automated)~~ 366 | - ~~3.5.3 Configure iptables~~ 367 | - ~~3.5.3.1.1 Ensure iptables packages are installed (Automated)~~ 368 | - ~~3.5.3.1.2 Ensure nftables is not installed (Automated)~~ 369 | - ~~3.5.3.1.3 Ensure Uncomplicated Firewall is not installed or disabled - (Automated)~~ 370 | - ~~3.5.3.2.1 Ensure default deny firewall policy (Automated)~~ 371 | - ~~3.5.3.2.2 Ensure loopback traffic is configured (Automated)~~ 372 | - ~~3.5.3.2.3 Ensure outbound and established connections are configured - (Manual)~~ 373 | - ~~3.5.3.2.4 Ensure firewall rules exist for all open ports (Automated)~~ 374 | - ~~3.5.3.3.1 Ensure IPv6 default deny firewall policy (Automated)~~ 375 | - ~~3.5.3.3.2 Ensure IPv6 loopback traffic is configured (Automated)~~ 376 | - ~~3.5.3.3.3 Ensure IPv6 outbound and established connections are - configured (Manual)~~ 377 | - ~~3.5.3.3.4 Ensure IPv6 firewall rules exist for all open ports - (Manual)~~ 378 | 379 | **4 Logging and Auditing** 380 | - **4.1 Configure System Accounting (auditd)** 381 | - 4.1.1 Ensure auditing is enabled 382 | - 4.1.1.1 Ensure auditd is installed (Automated) 383 | - 4.1.1.2 Ensure auditd service is enabled (Automated) 384 | - 4.1.1.3 Ensure auditing for processes that start prior to auditd is - enabled (Automated) 385 | - 4.1.1.4 Ensure audit_backlog_limit is sufficient (Automated) 386 | - 4.1.2 Configure Data Retention 387 | - 4.1.2.1 Ensure audit log storage size is configured (Automated) 388 | - 4.1.2.2 Ensure audit logs are not automatically deleted (Automated) 389 | - 4.1.2.3 Ensure system is disabled when audit logs are full - (Automated) 390 | - 4.1.3 Ensure events that modify date and time information are - collected (Automated) 391 | - 4.1.4 Ensure events that modify user/group information are collected - (Automated) 392 | - 4.1.5 Ensure events that modify the system's network environment are - collected 
(Automated) 393 | - 4.1.6 Ensure events that modify the system's Mandatory Access - Controls are collected (Automated) 394 | - 4.1.7 Ensure login and logout events are collected (Automated) 395 | - 4.1.8 Ensure session initiation information is collected (Automated) 396 | - 4.1.9 Ensure discretionary access control permission modification - events are collected (Automated) 397 | - 4.1.10 Ensure unsuccessful unauthorized file access attempts are - collected (Automated) 398 | - 4.1.11 Ensure use of privileged commands is collected (Automated) 399 | - 4.1.12 Ensure successful file system mounts are collected (Automated) 400 | - 4.1.13 Ensure file deletion events by users are collected (Automated) 401 | - 4.1.14 Ensure changes to system administration scope (sudoers) is - collected (Automated) 402 | - 4.1.15 Ensure system administrator command executions (sudo) are - collected (Automated) 403 | - 4.1.16 Ensure kernel module loading and unloading is collected - (Automated) 404 | - 4.1.17 Ensure the audit configuration is immutable (Automated) 405 | - **4.2 Configure Logging** 406 | - 4.2.1 Configure rsyslog 407 | - 4.2.1.1 Ensure rsyslog is installed (Automated) 408 | - 4.2.1.2 Ensure rsyslog Service is enabled (Automated) 409 | - ~~4.2.1.3 Ensure logging is configured (Manual)~~ 410 | - 4.2.1.4 Ensure rsyslog default file permissions configured - (Automated) 411 | - ~~4.2.1.5 Ensure rsyslog is configured to send logs to a remote log - host (Automated)~~ 412 | - ~~4.2.1.6 Ensure remote rsyslog messages are only accepted on - designated log hosts. 
(Manual)~~ 413 | - 4.2.2 Configure journald 414 | - 4.2.2.1 Ensure journald is configured to send logs to rsyslog - (Automated) 415 | - 4.2.2.2 Ensure journald is configured to compress large log files - (Automated) 416 | - 4.2.2.3 Ensure journald is configured to write logfiles to - persistent disk (Automated) 417 | - 4.2.3 Ensure permissions on all logfiles are configured (Automated) 418 | - **4.3 Ensure logrotate is configured (Manual)** 419 | - **4.4 Ensure logrotate assigns appropriate permissions (Automated)** 420 | 421 | **5 Access, Authentication and Authorization** 422 | - **5.1 Configure time-based job schedulers** 423 | - 5.1.1 Ensure cron daemon is enabled and running (Automated) 424 | - 5.1.2 Ensure permissions on /etc/crontab are configured (Automated) 425 | - 5.1.3 Ensure permissions on /etc/cron.hourly are configured - (Automated) 426 | - 5.1.4 Ensure permissions on /etc/cron.daily are configured - (Automated) 427 | - 5.1.5 Ensure permissions on /etc/cron.weekly are configured - (Automated) 428 | - 5.1.6 Ensure permissions on /etc/cron.monthly are configured - (Automated) 429 | - 5.1.7 Ensure permissions on /etc/cron.d are configured (Automated) 430 | - 5.1.8 Ensure cron is restricted to authorized users (Automated) 431 | - 5.1.9 Ensure at is restricted to authorized users (Automated) 432 | - **5.2 Configure SSH Server** 433 | - 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured - (Automated) 434 | - 5.2.2 Ensure permissions on SSH private host key files are - configured (Automated) 435 | - 5.2.3 Ensure permissions on SSH public host key files are configured - (Automated) 436 | - 5.2.4 Ensure SSH LogLevel is appropriate (Automated) 437 | - 5.2.5 Ensure SSH X11 forwarding is disabled (Automated) 438 | - 5.2.6 Ensure SSH MaxAuthTries is set to 4 or less (Automated) 439 | - 5.2.7 Ensure SSH IgnoreRhosts is enabled (Automated) 440 | - 5.2.8 Ensure SSH HostbasedAuthentication is disabled (Automated) 441 | - 5.2.9 Ensure SSH root login is 
disabled (Automated) 442 | - 5.2.10 Ensure SSH PermitEmptyPasswords is disabled (Automated) 443 | - 5.2.11 Ensure SSH PermitUserEnvironment is disabled (Automated) 444 | - 5.2.12 Ensure only strong Ciphers are used (Automated) 445 | - 5.2.13 Ensure only strong MAC algorithms are used (Automated) 446 | - 5.2.14 Ensure only strong Key Exchange algorithms are used - (Automated) 447 | - 5.2.15 Ensure SSH Idle Timeout Interval is configured (Automated) 448 | - 5.2.16 Ensure SSH LoginGraceTime is set to one minute or less - (Automated) 449 | - 5.2.17 Ensure SSH access is limited (Automated) 450 | - 5.2.18 Ensure SSH warning banner is configured (Automated) 451 | - 5.2.19 Ensure SSH PAM is enabled (Automated) 452 | - 5.2.20 Ensure SSH AllowTcpForwarding is disabled (Automated) 453 | - 5.2.21 Ensure SSH MaxStartups is configured (Automated) 454 | - 5.2.22 Ensure SSH MaxSessions is limited (Automated) 455 | - **5.3 Configure PAM** 456 | - 5.3.1 Ensure password creation requirements are configured - (Automated) 457 | - 5.3.2 Ensure lockout for failed password attempts is configured - (Automated) 458 | - 5.3.3 Ensure password reuse is limited (Automated) 459 | - 5.3.4 Ensure password hashing algorithm is SHA-512 (Automated) 460 | - **5.4 User Accounts and Environment** 461 | - 5.4.1 Set Shadow Password Suite Parameters 462 | - 5.4.1.1 Ensure password expiration is 365 days or less (Automated) 463 | - 5.4.1.2 Ensure minimum days between password changes is configured - (Automated) 464 | - 5.4.1.3 Ensure password expiration warning days is 7 or more - (Automated) 465 | - 5.4.1.4 Ensure inactive password lock is 30 days or less (Automated) 466 | - 5.4.1.5 Ensure all users last password change date is in the past - (Automated) 467 | - 5.4.2 Ensure system accounts are secured (Automated) 468 | - 5.4.3 Ensure default group for the root account is GID 0 (Automated) 469 | - 5.4.4 Ensure default user umask is 027 or more restrictive - (Automated) 470 | - 5.4.5 Ensure default user 
shell timeout is 900 seconds or less - (Automated) 471 | - **~~5.5 Ensure root login is restricted to system console (Manual)~~** 472 | - **5.6 Ensure access to the su command is restricted (Automated)** 473 | 474 | **6 System Maintenance** 475 | - **6.1 System File Permissions** 476 | - ~~6.1.1 Audit system file permissions (Manual)~~ 477 | - 6.1.2 Ensure permissions on /etc/passwd are configured (Automated) 478 | - 6.1.3 Ensure permissions on /etc/gshadow- are configured (Automated) 479 | - 6.1.4 Ensure permissions on /etc/shadow are configured (Automated) 480 | - 6.1.5 Ensure permissions on /etc/group are configured (Automated) 481 | - 6.1.6 Ensure permissions on /etc/passwd- are configured (Automated) 482 | - 6.1.7 Ensure permissions on /etc/shadow- are configured (Automated) 483 | - 6.1.8 Ensure permissions on /etc/group- are configured (Automated) 484 | - 6.1.9 Ensure permissions on /etc/gshadow are configured (Automated) 485 | - ~~6.1.10 Ensure no world writable files exist (Automated)~~ 486 | - ~~6.1.11 Ensure no unowned files or directories exist (Automated)~~ 487 | - ~~6.1.12 Ensure no ungrouped files or directories exist (Automated)~~ 488 | - ~~6.1.13 Audit SUID executables (Manual)~~ 489 | - ~~6.1.14 Audit SGID executables (Manual)~~ 490 | - **6.2 User and Group Settings** 491 | - 6.2.1 Ensure password fields are not empty (Automated) 492 | - 6.2.2 Ensure root is the only UID 0 account (Automated) 493 | - 6.2.3 Ensure root PATH Integrity (Automated) 494 | - ~~6.2.4 Ensure all users' home directories exist (Automated)~~ 495 | - 6.2.5 Ensure users' home directories permissions are 750 or more - restrictive (Automated) 496 | - ~~6.2.6 Ensure users own their home directories (Automated)~~ 497 | - ~~6.2.7 Ensure users' dot files are not group or world writable - (Automated)~~ 498 | - 6.2.8 Ensure no users have .forward files (Automated) 499 | - 6.2.9 Ensure no users have .netrc files (Automated) 500 | - ~~6.2.10 Ensure users' .netrc Files are not group or 
world accessible - (Automated)~~ 501 | - 6.2.11 Ensure no users have .rhosts files (Automated) 502 | - ~~6.2.12 Ensure all groups in /etc/passwd exist in /etc/group - (Automated)~~ 503 | - ~~6.2.13 Ensure no duplicate UIDs exist (Automated)~~ 504 | - ~~6.2.14 Ensure no duplicate GIDs exist (Automated)~~ 505 | - ~~6.2.15 Ensure no duplicate user names exist (Automated)~~ 506 | - ~~6.2.16 Ensure no duplicate group names exist (Automated)~~ 507 | - ~~6.2.17 Ensure shadow group is empty (Automated)~~ 508 | 509 | ## License 510 | 511 | 512 | MIT 513 | 514 | 515 | ## other 516 | 517 | This repo originated from work done by [MindPointGroup](https://github.com/MindPointGroup/RHEL7-CIS) 518 | -------------------------------------------------------------------------------- /_.yamllint: -------------------------------------------------------------------------------- 1 | extends: default 2 | 3 | rules: 4 | braces: 5 | max-spaces-inside: 1 6 | level: error 7 | brackets: 8 | max-spaces-inside: 1 9 | level: error 10 | line-length: disable 11 | # NOTE(retr0h): Templates no longer fail this lint rule. 12 | # Uncomment if running old Molecule templates. 
13 | # truthy: disable 14 | -------------------------------------------------------------------------------- /defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # defaults file for Ubuntu2004-CIS 3 | ubuntu2004cis_skip_for_travis: false 4 | 5 | ubuntu2004cis_notauto: false 6 | ubuntu2004cis_section1: true 7 | ubuntu2004cis_section2: true 8 | ubuntu2004cis_section3: true 9 | ubuntu2004cis_section4: true 10 | ubuntu2004cis_section5: true 11 | ubuntu2004cis_section6: true 12 | 13 | ubuntu2004cis_selinux_disable: false 14 | ubuntu2004cis_auditd_disable: false 15 | 16 | # Ignore remount errors if you're building an image or are going to reboot anyway 17 | ubuntu2004cis_ignore_remount_errors: false 18 | 19 | # These variables correspond with the CIS rule IDs or paragraph numbers defined in 20 | # the CIS benchmark documents. 21 | # PLEASE NOTE: These work in coordination with the section # group variables and tags. 22 | # You must enable an entire section in order for the variables below to take effect. 
# Per-rule switches. Each flag only takes effect when its section switch
# (ubuntu2004cis_sectionN above) is also true; a `false` here skips that one
# benchmark item without disabling the rest of the section.

# Section 1 rules
ubuntu2004cis_rule_1_1_1_1: true
ubuntu2004cis_rule_1_1_1_2: true
ubuntu2004cis_rule_1_1_1_3: true
ubuntu2004cis_rule_1_1_1_4: true
ubuntu2004cis_rule_1_1_1_5: true
ubuntu2004cis_rule_1_1_1_6: true
ubuntu2004cis_rule_1_1_1_7: true
ubuntu2004cis_rule_1_1_2: true
ubuntu2004cis_rule_1_1_3: true
ubuntu2004cis_rule_1_1_4: true
# NOTE(review): off by default — presumably the noexec-on-/tmp item, which
# matches tmp_mount_options.Debian further down omitting noexec; confirm in
# tasks/section1.yml before relying on /tmp being mounted noexec.
ubuntu2004cis_rule_1_1_5: false
ubuntu2004cis_rule_1_1_6: true
ubuntu2004cis_rule_1_1_7: true
ubuntu2004cis_rule_1_1_8: true
ubuntu2004cis_rule_1_1_9: true
ubuntu2004cis_rule_1_1_10: true
ubuntu2004cis_rule_1_1_11: true
ubuntu2004cis_rule_1_1_12: true
ubuntu2004cis_rule_1_1_13: true
ubuntu2004cis_rule_1_1_14: true
ubuntu2004cis_rule_1_1_15: true
ubuntu2004cis_rule_1_1_16: true
ubuntu2004cis_rule_1_1_17: true
ubuntu2004cis_rule_1_1_18: true
ubuntu2004cis_rule_1_1_19: true
ubuntu2004cis_rule_1_1_20: true
ubuntu2004cis_rule_1_1_21: true
ubuntu2004cis_rule_1_1_22: true
ubuntu2004cis_rule_1_1_23: true
ubuntu2004cis_rule_1_1_24: true
ubuntu2004cis_rule_1_2_1: true
ubuntu2004cis_rule_1_2_2: true
ubuntu2004cis_rule_1_3_1: true
ubuntu2004cis_rule_1_3_2: true
ubuntu2004cis_rule_1_3_3: true
ubuntu2004cis_rule_1_4_1: true
ubuntu2004cis_rule_1_4_2: true
ubuntu2004cis_rule_1_5_1: true
# Sub-switch of rule 1.5.1; what it disables is not visible in this file —
# check tasks/section1.yml before changing it.
ubuntu2004cis_rule_1_5_1_disable_password: true
ubuntu2004cis_rule_1_5_2: true
# NOTE(review): off by default; the benchmark item behind it is not visible
# here — confirm in tasks/section1.yml whether this is an intentional opt-in.
ubuntu2004cis_rule_1_5_3: false
ubuntu2004cis_rule_1_5_4: true
ubuntu2004cis_rule_1_6_1: true
ubuntu2004cis_rule_1_6_2: true
ubuntu2004cis_rule_1_6_3: true
ubuntu2004cis_rule_1_6_4: true
ubuntu2004cis_rule_1_7_1_1: true
ubuntu2004cis_rule_1_7_1_2: true
ubuntu2004cis_rule_1_7_1_3: true
ubuntu2004cis_rule_1_7_1_4: true
ubuntu2004cis_rule_1_8_1_1: true
ubuntu2004cis_rule_1_8_1_2: true
ubuntu2004cis_rule_1_8_1_3: true
ubuntu2004cis_rule_1_8_1_4: true
ubuntu2004cis_rule_1_8_1_5: true
ubuntu2004cis_rule_1_8_1_6: true
ubuntu2004cis_rule_1_9: true
ubuntu2004cis_rule_1_10: true

# Section 2 rules
ubuntu2004cis_rule_2_1_1: true
ubuntu2004cis_rule_2_1_2: true
ubuntu2004cis_rule_2_1_3: true
ubuntu2004cis_rule_2_1_4: true
ubuntu2004cis_rule_2_1_5: true
ubuntu2004cis_rule_2_1_6: true
ubuntu2004cis_rule_2_1_7: true
ubuntu2004cis_rule_2_1_8: true
ubuntu2004cis_rule_2_1_9: true
ubuntu2004cis_rule_2_1_10: true
ubuntu2004cis_rule_2_1_11: true
ubuntu2004cis_rule_2_2_1_1: true
ubuntu2004cis_rule_2_2_1_2: true
ubuntu2004cis_rule_2_2_1_3: true
ubuntu2004cis_rule_2_2_1_4: true
ubuntu2004cis_rule_2_2_2: true
ubuntu2004cis_rule_2_2_3: true
ubuntu2004cis_rule_2_2_4: true
ubuntu2004cis_rule_2_2_5: true
ubuntu2004cis_rule_2_2_6: true
ubuntu2004cis_rule_2_2_7: true
ubuntu2004cis_rule_2_2_8: true
ubuntu2004cis_rule_2_2_9: true
ubuntu2004cis_rule_2_2_10: true
ubuntu2004cis_rule_2_2_11: true
ubuntu2004cis_rule_2_2_12: true
ubuntu2004cis_rule_2_2_13: true
ubuntu2004cis_rule_2_2_14: true
ubuntu2004cis_rule_2_2_15: true
ubuntu2004cis_rule_2_2_16: true
ubuntu2004cis_rule_2_2_17: true
ubuntu2004cis_rule_2_3_1: true
ubuntu2004cis_rule_2_3_2: true
ubuntu2004cis_rule_2_3_3: true
ubuntu2004cis_rule_2_3_4: true
ubuntu2004cis_rule_2_3_5: true
ubuntu2004cis_rule_2_3_6: true
ubuntu2004cis_rule_2_4: true

# Section 3 rules
ubuntu2004cis_rule_3_1_1: true
ubuntu2004cis_rule_3_1_2: true
ubuntu2004cis_rule_3_2_1: true
ubuntu2004cis_rule_3_2_2: true
ubuntu2004cis_rule_3_3_1: true
ubuntu2004cis_rule_3_3_2: true
ubuntu2004cis_rule_3_3_3: true
ubuntu2004cis_rule_3_3_4: true
ubuntu2004cis_rule_3_3_5: true
ubuntu2004cis_rule_3_3_6: true
ubuntu2004cis_rule_3_3_7: true
ubuntu2004cis_rule_3_3_8: true
ubuntu2004cis_rule_3_3_9: true
ubuntu2004cis_rule_3_4_1: true
ubuntu2004cis_rule_3_4_2: true
ubuntu2004cis_rule_3_4_3: true
ubuntu2004cis_rule_3_4_4: true
ubuntu2004cis_rule_3_5_1_1: true
ubuntu2004cis_rule_3_5_1_2: true
ubuntu2004cis_rule_3_5_1_3: true
ubuntu2004cis_rule_3_5_1_4: true
ubuntu2004cis_rule_3_5_1_5: true
ubuntu2004cis_rule_3_5_1_6: true
ubuntu2004cis_rule_3_5_1_7: true
ubuntu2004cis_rule_3_5_2_1: true
ubuntu2004cis_rule_3_5_2_2: true
ubuntu2004cis_rule_3_5_2_3: true
ubuntu2004cis_rule_3_5_2_4: true
ubuntu2004cis_rule_3_5_2_5: true
ubuntu2004cis_rule_3_5_2_6: true
ubuntu2004cis_rule_3_5_2_7: true
ubuntu2004cis_rule_3_5_2_8: true
ubuntu2004cis_rule_3_5_2_9: true
ubuntu2004cis_rule_3_5_2_10: true
ubuntu2004cis_rule_3_5_3_1_1: true
ubuntu2004cis_rule_3_5_3_1_2: true
ubuntu2004cis_rule_3_5_3_1_3: true
ubuntu2004cis_rule_3_5_3_2_1: true
ubuntu2004cis_rule_3_5_3_2_2: true
ubuntu2004cis_rule_3_5_3_2_3: true
ubuntu2004cis_rule_3_5_3_2_4: true
ubuntu2004cis_rule_3_5_3_3_1: true
ubuntu2004cis_rule_3_5_3_3_2: true
ubuntu2004cis_rule_3_5_3_3_3: true
ubuntu2004cis_rule_3_5_3_3_4: true

# Section 4 rules
ubuntu2004cis_rule_4_1_1_1: true
ubuntu2004cis_rule_4_1_1_2: true
ubuntu2004cis_rule_4_1_1_3: true
ubuntu2004cis_rule_4_1_1_4: true
ubuntu2004cis_rule_4_1_2_1: true
ubuntu2004cis_rule_4_1_2_2: true
ubuntu2004cis_rule_4_1_2_3: true
# 4.1.3 – 4.1.17 each ship an audit rule file under templates/audit/.
ubuntu2004cis_rule_4_1_3: true
ubuntu2004cis_rule_4_1_4: true
ubuntu2004cis_rule_4_1_5: true
ubuntu2004cis_rule_4_1_6: true
ubuntu2004cis_rule_4_1_7: true
ubuntu2004cis_rule_4_1_8: true
ubuntu2004cis_rule_4_1_9: true
ubuntu2004cis_rule_4_1_10: true
ubuntu2004cis_rule_4_1_11: true
ubuntu2004cis_rule_4_1_12: true
ubuntu2004cis_rule_4_1_13: true
ubuntu2004cis_rule_4_1_14: true
ubuntu2004cis_rule_4_1_15: true
ubuntu2004cis_rule_4_1_16: true
ubuntu2004cis_rule_4_1_17: true
ubuntu2004cis_rule_4_2_1_1: true
ubuntu2004cis_rule_4_2_1_2: true
ubuntu2004cis_rule_4_2_1_3: true
ubuntu2004cis_rule_4_2_1_4: true
ubuntu2004cis_rule_4_2_1_5: true
ubuntu2004cis_rule_4_2_1_6: true
ubuntu2004cis_rule_4_2_2_1: true
ubuntu2004cis_rule_4_2_2_2: true
ubuntu2004cis_rule_4_2_2_3: true
ubuntu2004cis_rule_4_2_3: true
ubuntu2004cis_rule_4_3: true
ubuntu2004cis_rule_4_4: true

# Section 5 rules
ubuntu2004cis_rule_5_1_1: true
ubuntu2004cis_rule_5_1_2: true
ubuntu2004cis_rule_5_1_3: true
ubuntu2004cis_rule_5_1_4: true
ubuntu2004cis_rule_5_1_5: true
ubuntu2004cis_rule_5_1_6: true
ubuntu2004cis_rule_5_1_7: true
ubuntu2004cis_rule_5_1_8: true
ubuntu2004cis_rule_5_1_9: true
ubuntu2004cis_rule_5_2_1: true
ubuntu2004cis_rule_5_2_2: true
ubuntu2004cis_rule_5_2_3: true
ubuntu2004cis_rule_5_2_4: true
ubuntu2004cis_rule_5_2_5: true
ubuntu2004cis_rule_5_2_6: true
ubuntu2004cis_rule_5_2_7: true
ubuntu2004cis_rule_5_2_8: true
ubuntu2004cis_rule_5_2_9: true
ubuntu2004cis_rule_5_2_10: true
ubuntu2004cis_rule_5_2_11: true
ubuntu2004cis_rule_5_2_12: true
ubuntu2004cis_rule_5_2_13: true
ubuntu2004cis_rule_5_2_14: true
ubuntu2004cis_rule_5_2_15: true
ubuntu2004cis_rule_5_2_16: true
ubuntu2004cis_rule_5_2_17: true
ubuntu2004cis_rule_5_2_18: true
ubuntu2004cis_rule_5_2_19: true
ubuntu2004cis_rule_5_2_20: true
ubuntu2004cis_rule_5_2_21: true
ubuntu2004cis_rule_5_2_22: true
ubuntu2004cis_rule_5_3_1: true
ubuntu2004cis_rule_5_3_2: true
ubuntu2004cis_rule_5_3_3: true
ubuntu2004cis_rule_5_3_4: true
ubuntu2004cis_rule_5_4_1_1: true
ubuntu2004cis_rule_5_4_1_2: true
ubuntu2004cis_rule_5_4_1_3: true
ubuntu2004cis_rule_5_4_1_4: true
ubuntu2004cis_rule_5_4_1_5: true
ubuntu2004cis_rule_5_4_2: true
ubuntu2004cis_rule_5_4_3: true
ubuntu2004cis_rule_5_4_4: true
ubuntu2004cis_rule_5_4_5: true
# The README lists 5.5 (root login restricted to system console) as Manual and
# struck through, so this flag may currently have no task behind it.
ubuntu2004cis_rule_5_5: true
# NOTE(review): 5.6 (restrict access to the su command, Automated per the README)
# is OFF by default — presumably because it needs a site-specific admin group to
# avoid cutting operators off from su. Opt in deliberately after checking the
# group the task expects in tasks/section5.yml.
ubuntu2004cis_rule_5_6: false

# Section 6 rules
# The README strikes through 6.1.1, 6.1.10–6.1.14, 6.2.4, 6.2.6, 6.2.7, 6.2.10
# and 6.2.12–6.2.17 (not implemented), so those flags may be no-ops — verify
# against tasks/section6.yml before treating them as applied controls.
ubuntu2004cis_rule_6_1_1: true
ubuntu2004cis_rule_6_1_2: true
ubuntu2004cis_rule_6_1_3: true
ubuntu2004cis_rule_6_1_4: true
ubuntu2004cis_rule_6_1_5: true
ubuntu2004cis_rule_6_1_6: true
ubuntu2004cis_rule_6_1_7: true
ubuntu2004cis_rule_6_1_8: true
ubuntu2004cis_rule_6_1_9: true
ubuntu2004cis_rule_6_1_10: true
ubuntu2004cis_rule_6_1_11: true
ubuntu2004cis_rule_6_1_12: true
ubuntu2004cis_rule_6_1_13: true
ubuntu2004cis_rule_6_1_14: true
ubuntu2004cis_rule_6_2_1: true
ubuntu2004cis_rule_6_2_2: true
ubuntu2004cis_rule_6_2_3: true
ubuntu2004cis_rule_6_2_4: true
ubuntu2004cis_rule_6_2_5: true
ubuntu2004cis_rule_6_2_6: true
ubuntu2004cis_rule_6_2_7: true
ubuntu2004cis_rule_6_2_8: true
ubuntu2004cis_rule_6_2_9: true
ubuntu2004cis_rule_6_2_10: true
ubuntu2004cis_rule_6_2_11: true
ubuntu2004cis_rule_6_2_12: true
ubuntu2004cis_rule_6_2_13: true
ubuntu2004cis_rule_6_2_14: true
ubuntu2004cis_rule_6_2_15: true
ubuntu2004cis_rule_6_2_16: true
ubuntu2004cis_rule_6_2_17: true

# Service configuration booleans set true to keep service
# (default false: the section 2 tasks treat the service as unwanted on the host)
ubuntu2004cis_avahi_server: false
ubuntu2004cis_cups_server: false
ubuntu2004cis_dhcp_server: false
ubuntu2004cis_ldap_server: false
ubuntu2004cis_telnet_server: false
ubuntu2004cis_nfs_server: false
ubuntu2004cis_rpc_server: false
ubuntu2004cis_ntalk_server: false
ubuntu2004cis_rsyncd_server: false
ubuntu2004cis_tftp_server: false
ubuntu2004cis_rsh_server: false
ubuntu2004cis_nis_server: false
ubuntu2004cis_snmp_server: false
ubuntu2004cis_squid_server: false
ubuntu2004cis_smb_server: false
ubuntu2004cis_dovecot_server: false
ubuntu2004cis_httpd_server: false
ubuntu2004cis_vsftpd_server: false
ubuntu2004cis_named_server: false
ubuntu2004cis_nfs_rpc_server: false
ubuntu2004cis_is_mail_server: false
ubuntu2004cis_allow_autofs: false

# xinetd required
ubuntu2004cis_xinetd_required: false

# RedHat Satellite Subscription items
ubuntu2004cis_rhnsd_required: false

# 1.4.2 Bootloader password
# NOTE(review): ubuntu2004cis_set_boot_pass is false by default, so no GRUB
# password is applied unless a caller opts in. How the literal value "random"
# is consumed is not visible in this file — confirm in tasks/section1.yml
# before relying on a generated password, and never commit a real one here.
ubuntu2004cis_bootloader_password: random
ubuntu2004cis_set_boot_pass: false

# System network parameters (host only OR host and router)
ubuntu2004cis_is_router: false

# IPv6 required
# true keeps IPv6 enabled; presumably gates the IPv6-disabling network tasks —
# verify in tasks/section3.yml.
ubuntu2004cis_ipv6_required: true

# AIDE
ubuntu2004cis_config_aide: true
# AIDE cron settings: one integrity check per day at 05:00 as root.
ubuntu2004cis_aide_cron:
  cron_user: root
  cron_file: aide
  aide_job: '/usr/bin/aide.wrapper --config /etc/aide/aide.conf --check'
  aide_minute: 0
  aide_hour: 5
  aide_day: '*'
  aide_month: '*'
  aide_weekday: '*'

# Whether or not to run tasks related to auditing/patching the desktop environment
ubuntu2004cis_gui: false

# Set to 'true' if X Windows is needed in your environment
ubuntu2004cis_xwindows_required: false

# Client-side packages: false means the section 2.3 tasks treat them as unwanted.
ubuntu2004cis_openldap_clients_required: false
ubuntu2004cis_telnet_required: false
ubuntu2004cis_talk_required: false
ubuntu2004cis_rsh_required: false
ubuntu2004cis_ypbind_required: false
ubuntu2004cis_rpc_required: false

# Time Synchronization
ubuntu2004cis_time_synchronization: chrony
# ubuntu2004cis_time_synchronization: ntp

# Public NTP pool by default; sites without outbound NTP or with an internal
# time hierarchy should override this list with their own sources.
ubuntu2004cis_time_synchronization_servers:
  - uri: "0.pool.ntp.org"
    config: "minpoll 8"
  - uri: "1.pool.ntp.org"
    config: "minpoll 8"
  - uri: "2.pool.ntp.org"
    config: "minpoll 8"
  - uri: "3.pool.ntp.org"
    config: "minpoll 8"

# 3.3 TCP Wrappers
ubuntu2004cis_setup_tcp_wrappers: false

# Firewall implementation to manage. Note that ubuntu2004cis_setup_firewall at
# the end of this file defaults to false, so no firewall tasks run until it is
# enabled as well.
ubuntu2004cis_firewall: firewalld
# ubuntu2004cis_firewall: iptables
# ubuntu2004cis_firewall: ufw
# ubuntu2004cis_firewall: nftables

# 3.5.3.2 | PATCH | Ensure a table exists
ubuntu2004cis_nftables_table: filter

# Services allowed inbound when the firewall is configured; everything else is
# left to the firewall's default policy.
ubuntu2004cis_firewall_services:
  - ssh
  - dhcpv6-client

# Warning Banner Content (issue, issue.net, motd)
# Rendered by templates/etc/issue.j2, issue.net.j2 and motd.j2.
ubuntu2004cis_warning_banner: |
  Authorized uses only. All activity may be monitored and reported.
# End Banner

## Section 4 Vars
# admin_space_left_action: halt is fail-closed — the host halts rather than
# keep running without audit capacity. Plan disk sizing and monitoring for it.
ubuntu2004cis_auditd:
  admin_space_left_action: halt
  max_log_file_action: keep_logs
  max_audit_log_file_size: 10
  backlog_limit: "8192"

ubuntu2004cis_logrotate: "daily"

## Section 5 Vars
# Empty lists: no extra users are granted at/cron access (rules 5.1.8, 5.1.9).
ubuntu2004cis_at_allow_users: []
ubuntu2004cis_cron_allow_users: []

# sshd_config values for rules 5.2.x. clientaliveinterval x clientalivecountmax
# (300 s x 3) bounds an idle session at 15 minutes; logingracetime 60 matches
# the "one minute or less" requirement. ciphers/macs/kexalgorithms are the
# allow-lists written into sshd_config — keep them ordered strongest first.
ubuntu2004cis_sshd:
  clientalivecountmax: 3
  clientaliveinterval: 300
  ciphers: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
  macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"
  kexalgorithms: "curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
  logingracetime: 60
  ### Make sure you understand the precedence when working with these values!!
  # allowusers:
  # allowgroups: systems dba
  # denyusers:
  # denygroups:

# pam_pwquality settings (rule 5.3.1): minimum length 14; a credit of -1 means
# at least one character of that class (digit, upper, other, lower) is required.
ubuntu2004cis_pwquality:
  - key: 'minlen'
    value: '14'
  - key: 'dcredit'
    value: '-1'
  - key: 'ucredit'
    value: '-1'
  - key: 'ocredit'
    value: '-1'
  - key: 'lcredit'
    value: '-1'

# Password ageing (rules 5.4.1.1–5.4.1.4) and reuse history (rule 5.3.3).
ubuntu2004cis_pass:
  max_days: 365
  min_days: 1
  warn_age: 7
  inactive: 30
  history: 5

# Rule 5.4.1.5: what to do with accounts whose last change date is in the
# future — `expire` or `lock`.
ubuntu2004cis_password_change_date_in_future_action: expire # lock

# Rule 5.4.5 shell idle timeout in seconds.
ubuntu2004cis_shell_timeout: 900
# Syslog system
ubuntu2004cis_syslog: rsyslog
# ubuntu2004cis_syslog: syslog-ng

# /var/tmp bind mount of /tmp; disabled by default.
# NOTE(review): `opts` contains spaces after the commas. If the consuming task
# writes this string verbatim into fstab or a mount unit, the spaces split the
# options field — confirm it is normalised before use.
ubuntu2004cis_vartmp:
  source: /tmp
  fstype: false
  opts: "defaults, nodev, nosuid, noexec, bind"
  enabled: false

# Apply upgrades (set to false if another patching system is in place)
ubuntu2004cis_apply_upgrades: true

###### Multi OS Vars ###########
# NOTE(review): `dpkg -V` verifies installed files rather than querying
# presence; the prelim tasks use this only with failed_when: false and look at
# the registered result — confirm that the exit status is what they key on.
prelim_check_package_command:
  RedHat: rpm -q
  Debian: dpkg -V
auditd_package:
  RedHat: audit
  Debian: auditd
cron_package:
  RedHat: cronie
  Debian: cron
cron_service:
  RedHat: crond
  Debian: cron
ntp_service:
  RedHat: ntpd
  Debian: ntp
chrony_service:
  RedHat: chronyd
  Debian: chrony
tcp_wrapper_package:
  RedHat: tcp_wrappers
  Debian: tcpd
bashrc_file:
  RedHat: /etc/bashrc
  Debian: /etc/bash.bashrc
tmp_mount_file:
  RedHat: /usr/lib/systemd/system/tmp.mount
  Debian: /usr/share/systemd/tmp.mount
# NOTE(review): the Debian option list omits noexec while the RedHat list and
# this repo's files/etc/systemd/system/tmp.mount both include it — confirm the
# asymmetry is intended (it is consistent with rule 1.1.5 defaulting to false).
tmp_mount_options:
  RedHat: mode=1777,strictatime,noexec,nodev,nosuid
  Debian: mode=1777,strictatime,nodev,nosuid
chrony_config_file:
  RedHat: /etc/chrony.conf
  Debian: /etc/chrony/chrony.conf
chrony_system_user:
  RedHat: chrony
  Debian: _chrony

486 | ### Firewall 487 | ubuntu2004cis_setup_firewall: false 488 | -------------------------------------------------------------------------------- /files/etc/systemd/system/tmp.mount: -------------------------------------------------------------------------------- 1 | # This file is part of systemd. 2 | # 3 | # systemd is free software; you can redistribute it and/or modify it 4 | # under the terms of the GNU Lesser General Public License as published by 5 | # the Free Software Foundation; either version 2.1 of the License, or 6 | # (at your option) any later version. 7 | 8 | [Unit] 9 | Description=Temporary Directory 10 | Documentation=man:hier(7) 11 | Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems 12 | ConditionPathIsSymbolicLink=!/tmp 13 | DefaultDependencies=no 14 | Conflicts=umount.target 15 | Before=local-fs.target umount.target 16 | 17 | [Mount] 18 | What=tmpfs 19 | Where=/tmp 20 | Type=tmpfs 21 | Options=mode=1777,strictatime,noexec,nodev,nosuid 22 | 23 | # Make 'systemctl enable tmp.mount' work: 24 | [Install] 25 | WantedBy=local-fs.target 26 | -------------------------------------------------------------------------------- /handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # handlers file for Ubuntu2004-CIS 3 | 4 | - name: sysctl flush ipv4 route table 5 | become: true 6 | sysctl: 7 | name: net.ipv4.route.flush 8 | value: "1" 9 | sysctl_set: true 10 | when: ansible_virtualization_type != "docker" 11 | 12 | - name: sysctl flush ipv6 route table 13 | become: true 14 | sysctl: 15 | name: net.ipv6.route.flush 16 | value: "1" 17 | sysctl_set: true 18 | when: ansible_virtualization_type != "docker" 19 | 20 | - name: systemd restart tmp.mount 21 | become: true 22 | systemd: 23 | name: tmp.mount 24 | daemon_reload: true 25 | enabled: true 26 | masked: false 27 | state: reloaded 28 | when: ansible_virtualization_type != "docker" 29 | ignore_errors: "{{ 
ubuntu2004cis_ignore_remount_errors }}" 30 | 31 | - name: systemd restart var-tmp.mount 32 | become: true 33 | systemd: 34 | name: var-tmp.mount 35 | daemon_reload: true 36 | enabled: true 37 | masked: false 38 | state: reloaded 39 | ignore_errors: "{{ ubuntu2004cis_ignore_remount_errors }}" 40 | 41 | - name: generate new grub config 42 | become: true 43 | command: grub-mkconfig -o "{{ grub_cfg.stat.path }}" 44 | notify: fix permissions after generate new grub config handler 45 | 46 | - name: fix permissions after generate new grub config handler 47 | become: true 48 | file: 49 | path: "/boot/grub/grub.cfg" 50 | owner: root 51 | group: root 52 | mode: 0400 53 | when: 54 | - ansible_os_family == "Debian" 55 | - ubuntu2004cis_rule_1_4_1 56 | 57 | - name: restart firewalld 58 | become: true 59 | service: 60 | name: firewalld 61 | state: restarted 62 | 63 | - name: reload nftables 64 | become: true 65 | service: 66 | name: nftables 67 | state: reloaded 68 | 69 | - name: restart xinetd 70 | become: true 71 | service: 72 | name: xinetd 73 | state: restarted 74 | 75 | - name: restart sshd 76 | become: true 77 | service: 78 | name: sshd 79 | state: restarted 80 | 81 | - name: reload dconf 82 | become: true 83 | command: dconf update 84 | 85 | - name: restart auditd 86 | become: true 87 | service: 88 | name: auditd 89 | state: restarted 90 | when: 91 | - not ubuntu2004cis_skip_for_travis 92 | tags: 93 | - skip_ansible_lint 94 | 95 | - name: load audit rules 96 | become: true 97 | command: /sbin/augenrules --load 98 | when: 99 | - not ubuntu2004cis_skip_for_travis 100 | tags: 101 | - skip_ansible_lint 102 | 103 | - name: restart systemd-coredump 104 | become: true 105 | service: 106 | name: systemd-coredump.socket 107 | daemon_reload: true 108 | enabled: true 109 | state: restarted 110 | 111 | - name: restart journald 112 | become: true 113 | service: 114 | name: systemd-journald 115 | state: restarted 116 | 
-------------------------------------------------------------------------------- /meta/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | galaxy_info: 3 | author: "Florian Utz" 4 | description: "Ansible role to apply Ubuntu 20.04 CIS Baseline" 5 | company: "none" 6 | license: MIT 7 | min_ansible_version: 2.9 8 | role_name: ubuntu2004_cis 9 | namespace: florianutz 10 | 11 | platforms: 12 | - name: Ubuntu 13 | versions: 14 | - focal 15 | 16 | galaxy_tags: 17 | - system 18 | - security 19 | - cis 20 | - hardening 21 | 22 | dependencies: [] 23 | -------------------------------------------------------------------------------- /molecule/default/INSTALL.rst: -------------------------------------------------------------------------------- 1 | ******* 2 | Install 3 | ******* 4 | 5 | Requirements 6 | ============ 7 | 8 | * Docker Engine 9 | * docker-py 10 | 11 | Install 12 | ======= 13 | 14 | .. code-block:: bash 15 | 16 | $ sudo pip install docker-py 17 | -------------------------------------------------------------------------------- /molecule/default/converge.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Converge 3 | hosts: all 4 | vars: 5 | ubuntu2004cis_skip_for_travis: true 6 | ubuntu2004cis_selinux_disable: true 7 | roles: 8 | - role: ubuntu2004_cis 9 | -------------------------------------------------------------------------------- /molecule/default/molecule.yml: -------------------------------------------------------------------------------- 1 | --- 2 | dependency: 3 | name: galaxy 4 | driver: 5 | name: docker 6 | lint: | 7 | set -e 8 | ansible-lint 9 | platforms: 10 | - name: instance 11 | image: florianutz/docker-systemd:20.04 12 | command: /lib/systemd/systemd 13 | tmpfs: 14 | - /run 15 | - /run/lock 16 | - /tmp 17 | volumes: 18 | - /sys/fs/cgroup:/sys/fs/cgroup:ro 19 | privileged: true 20 | # command: /sbin/init 21 | provisioner: 22 | name: ansible 23 
| lint: 24 | name: ansible-lint 25 | enabled: true 26 | config_options: 27 | defaults: 28 | bin_ansible_callbacks: True 29 | callbacks_enabled: profile_tasks,timer 30 | fact_caching: jsonfile 31 | fact_caching_connection: ./cache 32 | poll_interval: 3 33 | forks: 100 34 | conditional_bare_variables: false 35 | connection: 36 | pipelining: true 37 | #scenario: 38 | # name: default 39 | verifier: 40 | name: ansible 41 | -------------------------------------------------------------------------------- /molecule/default/prepare.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Prepare 3 | hosts: all 4 | gather_facts: false 5 | tasks: 6 | - name: install openssh-server for testing under docker 7 | apt: 8 | name: openssh-server 9 | state: present 10 | update_cache: yes 11 | - name: install grub files for testing under docker 12 | block: 13 | - name: create /boot/grub 14 | file: 15 | name: /boot/grub 16 | state: directory 17 | changed_when: false 18 | 19 | - name: touch /boot/grub/grub.cfg 20 | file: 21 | name: /boot/grub/grub.cfg 22 | state: touch 23 | changed_when: false 24 | 25 | - name: touch /etc/default/grub 26 | file: 27 | name: /etc/default/grub 28 | state: touch 29 | changed_when: false -------------------------------------------------------------------------------- /molecule/default/verify.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # This is an example playbook to execute Ansible tests. 
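
- name: Verify
  hosts: all
  tasks:
    - name: Example assertion
      assert:
        that: true
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
molecule[docker]==3.0.8
ansible-lint==5.2.1
--------------------------------------------------------------------------------
/tasks/main.yml:
--------------------------------------------------------------------------------
---
# tasks file for Ubuntu2004-CIS
# Entry point: refuse to run on an unsupported target or controller, then pull
# in the preliminary tasks, the six CIS sections (each switchable through
# ubuntu2004cis_sectionN and its tag) and the post tasks.

- name: Check OS version and family
  # An Ansible `when:` list is ANDed. The previous two-item list
  # (`not ... == "Ubuntu"` AND `not ... == "focal"`) only failed on hosts that
  # were neither Ubuntu nor focal, so e.g. Ubuntu 18.04 slipped through. The
  # guard now fails as soon as either check does not match.
  fail:
    msg: "This role can only be run agaist Ubuntu 20.04. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
  when: ansible_distribution != "Ubuntu" or ansible_distribution_release != "focal"
  tags:
    - always

- name: Check ansible version
  # NOTE(review): meta/main.yml declares min_ansible_version 2.9 while this
  # guard still enforces 2.3 — confirm which floor is intended before raising it.
  fail:
    msg: You must use ansible 2.3 or greater!
  when: not ansible_version.full is version_compare('2.3', '>=')
  tags:
    - always

# prelim.yml and post.yml carry the `always` tag so they run whatever tag
# selection the caller uses; the sections only run when their flag is true.
- include: prelim.yml
  become: true
  tags:
    - prelim_tasks
    - always

- include: section1.yml
  become: true
  when: ubuntu2004cis_section1
  tags: section1

- include: section2.yml
  become: true
  when: ubuntu2004cis_section2
  tags: section2

- include: section3.yml
  become: true
  when: ubuntu2004cis_section3
  tags: section3

- include: section4.yml
  become: true
  when: ubuntu2004cis_section4
  tags: section4

- include: section5.yml
  become: true
  when: ubuntu2004cis_section5
  tags: section5

- include: section6.yml
  become: true
  when: ubuntu2004cis_section6
  tags: section6

- include: post.yml
  become: true
  tags:
    - post_tasks
    - always
--------------------------------------------------------------------------------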
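# file: /tasks/post.yml
---
# Post tasks

- name: "POST | Find removed but configured apt packages"
  # dpkg state "rc" = package removed, configuration files still on disk.
  shell: "set -o pipefail;
    dpkg --list | (grep ^rc || true) | tr -s ' ' | cut -d ' ' -f 2"
  args:
    executable: /bin/bash
  register: apt_rc_packages
  changed_when: false

- name: "POST | Perform apt package cleanup"
  # purge: true also deletes the leftover configuration files of those packages.
  # Skipped when nothing was found (apt is not called with an empty list) and
  # reported as a real change when something is purged, instead of always "ok".
  apt:
    name: "{{ apt_rc_packages.stdout_lines }}"
    state: absent
    purge: true
  ignore_errors: true
  when:
    - not ansible_check_mode
    - apt_rc_packages.stdout_lines | length > 0
  tags:
    - skip_ansible_lint

# file: /tasks/prelim.yml
---
# Preliminary tasks that should always be run
# List users in order to look files inside each home directory
- name: "PRELIM | List users accounts"
  command: "awk -F: '{print $1}' /etc/passwd"
  register: users
  changed_when: false
  check_mode: false

- name: "PRELIM | Gather homes with wrong permissions on /home"
  # Prints every home directory under /home that is group-writable or has any
  # permission bit set for "other". Paths are read line by line (home names
  # with spaces survive) and stat only runs on directories that exist.
  shell: 'set -o pipefail;
    getent passwd | cut -d '':'' -f 6 | awk ''$1 ~ /^\/home\//'' |
    while IFS= read -r dir;
    do
      if [ -d "$dir" ];
      then
        perm=$(stat -L -c "%A" "$dir");
        if [ "${perm:7:3}" != "---" ] || [ "${perm:5:1}" == "w" ];
        then
          echo -n "$dir ";
        fi;
      fi;
    done'
  args:
    executable: /bin/bash
  register: homes_with_perms
  changed_when: false
  check_mode: false

- name: "PRELIM | Gather accounts with empty password fields"
  # awk exits with the number of matches, so rc != 0 means "found some".
  # failed_when: false keeps that rc available to the later sections without
  # aborting the whole run the moment an empty-password account exists.
  shell: "set -o pipefail;
    awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}' /etc/shadow"
  args:
    executable: /bin/bash
  register: empty_password_accounts
  changed_when: false
  failed_when: false
  check_mode: false

- name: "PRELIM | Check if root has password"
  # Look only at the root entry: a plain 'grep root' also matched any other
  # account whose name contains "root". Prints the field when it holds no
  # hash at all ('*', '!', '!!', '!*' ...); rule 1.5.3 keys on non-empty output.
  shell: "set -o pipefail;
    getent shadow root | awk -F: '($2 ~ /^[!*]+$/) { printf $2; }'"
  args:
    executable: /bin/bash
  register: current_root_password
  changed_when: false
  check_mode: false

- name: "PRELIM | Gather UID 0 accounts other than root"
  # Same exit-code convention as the empty-password check above.
  shell: "set -o pipefail;
    awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}' /etc/passwd"
  args:
    executable: /bin/bash
  register: uid_zero_accounts_except_root
  changed_when: false
  failed_when: false
  check_mode: false

- name: "PRELIM | Run apt cache update"
  apt:
    update_cache: true
  changed_when: false

- name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)"
  apt:
    name: "{{ auditd_package[ansible_os_family] }}"
    state: present
    install_recommends: false
  when:
    - not ubuntu2004cis_auditd_disable

- name: "PRELIM | Section 5.1 | Configure cron"
  apt:
    name: "{{ cron_package[ansible_os_family] }}"
    state: present
    install_recommends: false

- name: "PRELIM | Check if prelink package is installed"
  # rc == 0 means installed; consumed by rule 1.6.3.
  command: "{{ prelim_check_package_command[ansible_os_family] }} prelink"
  register: prelink_installed
  changed_when: false
  failed_when: false
  check_mode: false
  tags:
    - skip_ansible_lint

- name: "PRELIM | Check if postfix package is installed"
  # rc == 0 means installed; consumed by rule 1.4.1 (nullmailer vs postfix).
  command: "{{ prelim_check_package_command[ansible_os_family] }} postfix"
  register: postfix_installed
  changed_when: false
  failed_when: false
  check_mode: false
  tags:
    - skip_ansible_lint

# Individual service checks.
# Each one records the unit's LoadState (e.g. "loaded" or "not-found") in
# stdout; the section tasks compare it against "loaded". `systemctl show -p
# LoadState --value` prints exactly that value, so no grep/cut pipeline or
# shell is needed.
- name: "PRELIM | Check for xinetd service"
  command: systemctl show -p LoadState --value xinetd
  register: xinetd_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for openbsd-inetd service"
  # Package presence rather than unit state; empty stdout = not installed.
  shell: "set -o pipefail;
    dpkg -s openbsd-inetd | grep -o 'ok installed'; true"
  args:
    executable: /bin/bash
  register: openbsd_inetd_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for ntpd service"
  command: "systemctl show -p LoadState --value {{ ntp_service[ansible_os_family] }}"
  register: ntpd_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for chronyd service"
  command: "systemctl show -p LoadState --value {{ chrony_service[ansible_os_family] }}"
  register: chronyd_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for systemd-timesyncd service"
  command: systemctl show -p LoadState --value systemd-timesyncd
  register: systemd_timesyncd_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for avahi-daemon service"
  command: systemctl show -p LoadState --value avahi-daemon
  register: avahi_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for cups service"
  command: systemctl show -p LoadState --value cups
  register: cups_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for dhcpd service"
  command: systemctl show -p LoadState --value dhcpd
  register: dhcpd_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for slapd service"
  command: systemctl show -p LoadState --value slapd
  register: slapd_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for nfs service"
  command: systemctl show -p LoadState --value nfs
  register: nfs_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for rpcbind service"
  command: systemctl show -p LoadState --value rpcbind
  register: rpcbind_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for named service"
  command: systemctl show -p LoadState --value named
  register: named_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for vsftpd service"
  command: systemctl show -p LoadState --value vsftpd
  register: vsftpd_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for httpd service"
  command: systemctl show -p LoadState --value apache2
  register: httpd_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for dovecot service"
  command: systemctl show -p LoadState --value dovecot
  register: dovecot_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for smb service"
  command: systemctl show -p LoadState --value smbd
  register: smb_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for squid service"
  command: systemctl show -p LoadState --value squid
  register: squid_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for snmpd service"
  command: systemctl show -p LoadState --value snmpd
  register: snmpd_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for ypserv service"
  command: systemctl show -p LoadState --value nis
  register: ypserv_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for rsh.socket service"
  command: systemctl show -p LoadState --value rsh.socket
  register: rsh_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for rlogin.socket service"
  command: systemctl show -p LoadState --value rlogin.socket
  register: rlogin_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for rexec.socket service"
  command: systemctl show -p LoadState --value rexec.socket
  register: rexec_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for telnet service"
  command: systemctl show -p LoadState --value telnetd
  register: telnet_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for tftp service"
  command: systemctl show -p LoadState --value tftpd-hpa
  register: tftp_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for rsyncd service"
  command: systemctl show -p LoadState --value rsync
  register: rsyncd_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for ntalk service"
  command: systemctl show -p LoadState --value ntalk
  register: ntalk_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check for autofs service"
  command: systemctl show -p LoadState --value autofs
  register: autofs_service_status
  changed_when: false
  check_mode: false

- name: "PRELIM | Check the grub.cfg configuration"
  stat:
    path: /boot/grub/grub.cfg
  register: grub_cfg

- name: "PRELIM | Check the grub.conf configuration"
  stat:
    path: /boot/grub/grub.conf
  register: grub_conf

- name: "PRELIM | Check the menu.lst configuration"
  stat:
    path: "/boot/grub/menu.lst"
  register: menu_lst

- name: "PRELIM | Check that system accounts are non-login #1"
  # System accounts (UID < 1000) other than root/sync/shutdown/halt whose
  # shell is neither nologin nor /bin/false. NIS compat lines ("+...") are ignored.
  shell: >
    set -o pipefail &&
    grep -E -v "^\+" /etc/passwd | awk -F: '($1!="root" && $1!="sync" &&
    $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" &&
    $7!="/bin/false") {print}'
  args:
    executable: /bin/bash
  register: system_accounts_non_login_1
  changed_when: false
  check_mode: false

- name: "PRELIM | Check that system accounts are non-login #2"
  # System accounts whose password status (passwd -S, 2nd field) is not "L" (locked).
  shell: >
    set -o pipefail &&
    for user in $(awk -F: '($1!="root" && $3 < 1000) {print $1 }' /etc/passwd); do
    passwd -S "$user" | awk -F ' ' '($2!="L") {print $1}'; done
  args:
    executable: /bin/bash
  register: system_accounts_non_login_2
  changed_when: false
  check_mode: false

- name: "PRELIM | Check that users last password change date are in the future"
  # chage output is parsed in English (LC_ALL=C). Accounts whose date cannot be
  # parsed (e.g. "never") are skipped; epochs are compared numerically, not as
  # strings as the previous [[ a > b ]] did.
  shell: |
    set -o pipefail;
    awk -F: '{print $1}' /etc/shadow | while read -r usr
    do
      last=$(LC_ALL=C chage --list "$usr" 2>/dev/null | grep '^Last password change' | cut -d: -f2)
      ts=$(date --date="$last" +%s 2>/dev/null) || continue
      if [ "$ts" -gt "$(date +%s)" ]; then
        echo "$usr"
      fi
    done
  args:
    executable: /bin/bash
  register: users_password_change_date_in_future
  changed_when: False
  check_mode: false

# file: /tasks/section1.yml
---
# /etc/modprobe.d/CIS.conf is created with explicit root:root 0644 on every
# rule below so its mode never depends on the umask of the process creating it.
- name: "SCORED | 1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled"
  lineinfile:
    dest: /etc/modprobe.d/CIS.conf
    regexp: "^(#)?install cramfs(\\s|$)"
    line: "install cramfs /bin/true"
    state: present
    owner: root
    group: root
    mode: 0644
    create: true
  when:
    - ubuntu2004cis_rule_1_1_1_1
  tags:
    - level1
    - scored
    - patch
    - cramfs
    - filesystems
    - rule_1.1.1.1

- name: "SCORED | 1.1.1.1 | PATCH | Remove cramfs module"
  modprobe:
    name: cramfs
    state: absent
  when:
    - ubuntu2004cis_rule_1_1_1_1
    - not ubuntu2004cis_skip_for_travis
  tags:
    - level1
    - scored
    - patch
    - cramfs
    - filesystems
    - rule_1.1.1.1

- name: "SCORED | 1.1.1.2 | PATCH | Ensure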
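mounting of freevxfs filesystems is disabled"
  lineinfile:
    dest: /etc/modprobe.d/CIS.conf
    # (\s|$) anchors the module name so "freevxfs" does not also match
    # a longer name; same pattern as the other 1.1.1.x rules.
    regexp: "^(#)?install freevxfs(\\s|$)"
    line: "install freevxfs /bin/true"
    state: present
    owner: root
    group: root
    mode: 0644
    create: true
  when:
    - ubuntu2004cis_rule_1_1_1_2
  tags:
    - level1
    - scored
    - patch
    - freevxfs
    - filesystems
    - rule_1.1.1.2

- name: "SCORED | 1.1.1.2 | PATCH | Remove freevxfs module"
  modprobe:
    name: freevxfs
    state: absent
  when:
    - ubuntu2004cis_rule_1_1_1_2
    - not ubuntu2004cis_skip_for_travis
  tags:
    - level1
    - scored
    - patch
    - freevxfs
    - filesystems
    - rule_1.1.1.2

- name: "SCORED | 1.1.1.3 | PATCH | Ensure mounting of jffs2 filesystems is disabled"
  lineinfile:
    dest: /etc/modprobe.d/CIS.conf
    regexp: "^(#)?install jffs2(\\s|$)"
    line: "install jffs2 /bin/true"
    state: present
    owner: root
    group: root
    mode: 0644
    create: true
  when:
    - ubuntu2004cis_rule_1_1_1_3
  tags:
    - level1
    - scored
    - patch
    - jffs2
    - filesystems
    - rule_1.1.1.3

- name: "SCORED | 1.1.1.3 | PATCH | Remove jffs2 module"
  modprobe:
    name: jffs2
    state: absent
  when:
    - ubuntu2004cis_rule_1_1_1_3
    - not ubuntu2004cis_skip_for_travis
  tags:
    - level1
    - scored
    - patch
    - jffs2
    - filesystems
    - rule_1.1.1.3

- name: "SCORED | 1.1.1.4 | PATCH | Ensure mounting of hfs filesystems is disabled"
  lineinfile:
    dest: /etc/modprobe.d/CIS.conf
    regexp: "^(#)?install hfs(\\s|$)"
    line: "install hfs /bin/true"
    state: present
    owner: root
    group: root
    mode: 0644
    create: true
  when:
    - ubuntu2004cis_rule_1_1_1_4
  tags:
    - level1
    - scored
    - patch
    - hfs
    - filesystems
    - rule_1.1.1.4

- name: "SCORED | 1.1.1.4 | PATCH | Remove hfs module"
  modprobe:
    name: hfs
    state: absent
  when:
    - ubuntu2004cis_rule_1_1_1_4
    - not ubuntu2004cis_skip_for_travis
  tags:
    - level1
    - scored
    - patch
    - hfs
    - filesystems
    - rule_1.1.1.4

- name: "SCORED | 1.1.1.5 | PATCH | Ensure mounting of hfsplus filesystems is disabled"
  lineinfile:
    dest: /etc/modprobe.d/CIS.conf
    regexp: "^(#)?install hfsplus(\\s|$)"
    line: "install hfsplus /bin/true"
    state: present
    owner: root
    group: root
    mode: 0644
    create: true
  when:
    - ubuntu2004cis_rule_1_1_1_5
  tags:
    - level1
    - scored
    - patch
    - hfsplus
    - filesystems
    - rule_1.1.1.5

- name: "SCORED | 1.1.1.5 | PATCH | Remove hfsplus module"
  modprobe:
    name: hfsplus
    state: absent
  when:
    - ubuntu2004cis_rule_1_1_1_5
    - not ubuntu2004cis_skip_for_travis
  tags:
    - level1
    - scored
    - patch
    - hfsplus
    - filesystems
    - rule_1.1.1.5

- name: "NOTSCORED | 1.1.1.6 | PATCH | Ensure mounting of squashfs filesystems is disabled"
  # Placeholder only. NOTE(review): presumably left unimplemented because snap
  # packages on Ubuntu are squashfs images — confirm before implementing it.
  command: /bin/true
  changed_when: false
  when:
    - ubuntu2004cis_rule_1_1_1_6
  tags:
    - level2
    - notscored
    - patch
    - squashfs
    - filesystems
    - rule_1.1.1.6
    - notimplemented

- name: "SCORED | 1.1.1.7 | PATCH | Ensure mounting of udf filesystems is disabled"
  lineinfile:
    dest: /etc/modprobe.d/CIS.conf
    regexp: "^(#)?install udf(\\s|$)"
    line: "install udf /bin/true"
    state: present
    owner: root
    group: root
    mode: 0644
    create: true
  when:
    - ubuntu2004cis_rule_1_1_1_7
  tags:
    - level1
    - scored
    - patch
    - udf
    - filesystems
    - rule_1.1.1.7

- name: "SCORED | 1.1.1.7 | PATCH | Remove udf module"
  modprobe:
    name: udf
    state: absent
  when:
    - ubuntu2004cis_rule_1_1_1_7
    - not ubuntu2004cis_skip_for_travis
  tags:
    - level1
    - scored
    - patch
    - udf
    - filesystems
    - rule_1.1.1.7

- name: "SCORED | 1.1.2 | PATCH | Ensure separate partition exists for /tmp | enable and start/restart tmp.mount"
  # remote_src: true — tmp_mount_file is a path on the managed host, copied
  # into /etc/systemd/system where the unit override lives.
  copy:
    src: "{{ tmp_mount_file[ansible_os_family] }}"
    dest: /etc/systemd/system/tmp.mount
    owner: root
    group: root
    mode: 0644
    force: true
    remote_src: true
  notify:
    - systemd restart tmp.mount
  when:
    - ubuntu2004cis_rule_1_1_2
    - not ubuntu2004cis_skip_for_travis
  tags:
    - level1
    - scored
    - patch
    - rule_1.1.2

- name: "SCORED | 1.1.2 | PATCH | Ensure separate partition exists for /tmp | enable and start/restart tmp.mount"
  systemd:
    name: tmp.mount
    daemon_reload: yes
    enabled: yes
    masked: no
    state: started
  when:
    - ubuntu2004cis_rule_1_1_2
    - not ubuntu2004cis_skip_for_travis
  tags:
    - level1
    - scored
    - patch
    - rule_1.1.2

- name: "SCORED | 1.1.3 | PATCH | Ensure nodev option set on /tmp partition\n
         SCORED | 1.1.4 | PATCH | Ensure nosuid option set on /tmp partition\n
         SCORED | 1.1.5 | PATCH | Ensure noexec option set on /tmp partition\n
         | drop custom tmp.mount"
  # Rewrites [Mount] Options in both the file the unit was copied from and the
  # /etc copy. NOTE(review): if tmp_mount_file points into a package-managed
  # location, that edit is undone by package upgrades — the copy in
  # /etc/systemd/system/tmp.mount is the one systemd actually uses.
  ini_file:
    path: "{{ item }}"
    section: Mount
    option: Options
    value: "{{ tmp_mount_options[ansible_os_family] }}"
    no_extra_spaces: true
  with_items:
    - "{{ tmp_mount_file[ansible_os_family] }}"
    - /etc/systemd/system/tmp.mount
  notify:
    - systemd restart tmp.mount
  when:
    - ubuntu2004cis_rule_1_1_3
    - ubuntu2004cis_rule_1_1_4
    - ubuntu2004cis_rule_1_1_5
  tags:
    - level1
    - scored
    - patch
    - rule_1.1.3
    - rule_1.1.4
    - rule_1.1.5

- name: "SCORED | 1.1.6 | PATCH | Ensure /dev/shm is configured\n
         SCORED | 1.1.7 | PATCH | Ensure nodev option set on /dev/shm partition\n
         SCORED | 1.1.8 | PATCH | Ensure nosuid option set on /dev/shm partition\n
         SCORED | 1.1.9 | PATCH | Ensure noexec option set on /dev/shm partition"
  mount:
    name: /dev/shm
    src: tmpfs
    state: mounted
    fstype: tmpfs
    opts: "defaults,nodev,nosuid,noexec"
  when:
    - ubuntu2004cis_rule_1_1_6
    - ubuntu2004cis_rule_1_1_7
    - ubuntu2004cis_rule_1_1_8
    - ubuntu2004cis_rule_1_1_9
  tags:
    - level1
    - scored
    - patch
    - rule_1.1.6
    - rule_1.1.7
    - rule_1.1.8
    - rule_1.1.9

# 1.1.10 / 1.1.11 / 1.1.15 / 1.1.16 / 1.1.17 are audits only: they record
# whether a separate mount exists (rc == 0) and never fail; nothing here
# creates the partition. The `warn: false` argument was dropped — it only
# silenced an advisory message and has been removed from newer Ansible.
- name: "SCORED | 1.1.10 | PATCH | Ensure separate partition exists for /var"
  shell: mount | grep "on /var "
  register: var_mounted
  changed_when: false
  failed_when: false
  when:
    - ubuntu2004cis_rule_1_1_10
  tags:
    - level2
    - scored
    - patch
    - rule_1.1.10
    - skip_ansible_lint

- name: "SCORED | 1.1.11 | PATCH | Ensure separate partition exists for /var/tmp"
  shell: mount | grep "on /var/tmp "
  register: var_tmp_mounted
  changed_when: false
  failed_when: false
  when:
    - ubuntu2004cis_rule_1_1_11
  tags:
    - level2
    - scored
    - patch
    - rule_1.1.11
    - skip_ansible_lint

- name: "SCORED | 1.1.12 | PATCH | Ensure nodev option set on /var/tmp partition\n
         SCORED | 1.1.13 | PATCH | Ensure nosuid option set on /var/tmp partition\n
         SCORED | 1.1.14 | PATCH | Ensure noexec option set on /var/tmp partition"
  mount:
    name: /var/tmp
    src: "{{ ubuntu2004cis_vartmp['source'] }}"
    state: mounted
    fstype: "{{ ubuntu2004cis_vartmp['fstype'] }}"
    opts: "{{ ubuntu2004cis_vartmp['opts'] }}"
  when:
    - ubuntu2004cis_vartmp['enabled'] == 'yes'
    - ubuntu2004cis_rule_1_1_12
    - ubuntu2004cis_rule_1_1_13
    - ubuntu2004cis_rule_1_1_14
  tags:
    - level1
    - scored
    - patch
    - rule_1.1.12
    - rule_1.1.13
    - rule_1.1.14

- name: "SCORED | 1.1.15 | PATCH | Ensure separate partition exists for /var/log"
  shell: mount | grep "on /var/log "
  register: var_log_mounted
  changed_when: false
  failed_when: false
  when:
    - ubuntu2004cis_rule_1_1_15
  tags:
    - level2
    - scored
    - patch
    - rule_1.1.15
    - skip_ansible_lint

- name: "SCORED | 1.1.16 | PATCH | Ensure separate partition exists for /var/log/audit"
  shell: mount | grep "on /var/log/audit "
  register: var_log_audit_mounted
  changed_when: false
  failed_when: false
  when:
    - ubuntu2004cis_rule_1_1_16
  tags:
    - level2
    - scored
    - patch
    - rule_1.1.16
    - skip_ansible_lint

- name: "SCORED | 1.1.17 | PATCH | Ensure separate partition exists for /home"
  shell: mount | grep "on /home "
  register: home_mounted
  changed_when: false
  failed_when: false
  when:
    - ubuntu2004cis_rule_1_1_17
  tags:
    - level2
    - scored
    - patch
    - rule_1.1.17
    - skip_ansible_lint

- name: "SCORED | 1.1.18 | PATCH | Ensure nodev option set on /home partition"
  # Append nodev to the options /home is currently mounted with instead of
  # replacing the whole option list with just "nodev" (which silently dropped
  # e.g. errors=remount-ro from fstab).
  mount:
    name: "/home"
    src: "{{ item.device }}"
    state: mounted
    fstype: "{{ item.fstype }}"
    opts: "{{ (item.options.split(',') + ['nodev']) | unique | join(',') }}"
  when:
    - ubuntu2004cis_rule_1_1_18
    - item.mount == "/home"
  with_items:
    - "{{ ansible_mounts }}"
  tags:
    - scored
    - level1
    - patch
    - rule_1.1.18

- name: "NOTSCORED | 1.1.19 | PATCH | Ensure nodev option set on removable media partitions"
  command: /bin/true
  changed_when: false
  when:
    - ubuntu2004cis_rule_1_1_19
  tags:
    - level1
    - notscored
    - patch
    - rule_1.1.19
    - notimplemented

- name: "NOTSCORED | 1.1.20 | PATCH | Ensure nosuid option set on removable media partitions"
  command: /bin/true
  changed_when: false
  when:
    - ubuntu2004cis_rule_1_1_20
  tags:
    - level1
    - notscored
    - patch
    - rule_1.1.20
    - notimplemented

- name: "NOTSCORED | 1.1.21 | PATCH | Ensure noexec option set on removable media partitions"
  command: /bin/true
  changed_when: false
  when:
    - ubuntu2004cis_rule_1_1_21
  tags:
    - level1
    - notscored
    - patch
    - rule_1.1.21
    - notimplemented

- name: "SCORED | 1.1.22 | PATCH | Ensure sticky bit is set on all world-writable directories"
  # Walk every local filesystem without crossing mount points and add the
  # sticky bit to world-writable directories that lack it. find hands the
  # paths to chmod itself (-exec ... +), so names with spaces or newlines are
  # safe, and each fixed directory is printed so the task reports a real
  # change instead of always "ok".
  shell: |
    set -o pipefail;
    df --local -P | awk 'NR!=1 {print $6}' | while IFS= read -r mp; do
      find "$mp" -xdev -type d -perm -0002 ! -perm -1000 -print -exec chmod a+t {} + 2>/dev/null
    done
  args:
    executable: /bin/bash
  register: sticky_bit_fixed_dirs
  changed_when: sticky_bit_fixed_dirs.stdout | length > 0
  failed_when: false
  when:
    - ubuntu2004cis_rule_1_1_22
  tags:
    - level1
    - scored
    - patch
    - rule_1.1.22

- name: "SCORED | 1.1.23 | PATCH | Disable Automounting"
  # Disable AND stop: a unit that is merely disabled keeps running until reboot.
  service:
    name: autofs
    enabled: false
    state: stopped
  when:
    - not ubuntu2004cis_allow_autofs
    - autofs_service_status.stdout == "loaded"
    - ubuntu2004cis_rule_1_1_23
  tags:
    - level1
    - scored
    - patch
    - rule_1.1.23

- name: "SCORED | 1.1.24 | PATCH | Disable USB Storage"
  lineinfile:
    dest: /etc/modprobe.d/CIS.conf
    regexp: "^(#)?install usb-storage(\\s|$)"
    line: "install usb-storage /bin/true"
    state: present
    owner: root
    group: root
    mode: 0644
    create: true
  when:
    - ubuntu2004cis_rule_1_1_24
  tags:
    - level1
    - scored
    - patch
    - usb
    - filesystems
    - rule_1.1.24

- name: "SCORED | 1.1.24 | PATCH | Remove usb-storage module"
  modprobe:
    name: usb-storage
    state: absent
  when:
    - ubuntu2004cis_rule_1_1_24
    - not ubuntu2004cis_skip_for_travis
  tags:
    - level1
    - scored
    - patch
    - usb
    - filesystems
    - rule_1.1.24

- name: "NOTSCORED | 1.2.1 | PATCH | Ensure package manager repositories are configured"
  # Site-specific; nothing is enforced here. Verify apt sources and their
  # signing keys manually — every apt task in this role trusts them.
  command: /bin/true
  changed_when: false
  when:
    - ubuntu2004cis_rule_1_2_1
  tags:
    - level1
    - notscored
    - patch
    - rule_1.2.1
    - notimplemented

- name: "NOTSCORED | 1.2.2 | PATCH | Ensure GPG keys are configured"
  command: /bin/true
  changed_when: false
  when:
    - ubuntu2004cis_rule_1_2_2
  tags:
    - level1
    - notscored
    - patch
    - rule_1.2.2
    - notimplemented

- name: "SCORED | 1.3.1 | PATCH | Ensure sudo is installed"
  apt:
    name:
      - sudo
    state: present
    install_recommends: false
  when:
    - ubuntu2004cis_rule_1_3_1
  tags:
    - level1
    - scored
    - sudo
    - patch
    - rule_1.3.1

- name: "SCORED | 1.3.2 | PATCH | Ensure sudo commands use pty"
  # validate runs visudo on the temp copy so a broken sudoers is never installed.
  lineinfile:
    dest: /etc/sudoers
    state: present
    regexp: '^Defaults use_pty'
    line: 'Defaults use_pty'
    validate: 'visudo -cf %s'
  when:
    - ubuntu2004cis_rule_1_3_2
  tags:
    - level1
    - scored
    - sudo
    - patch
    - rule_1.3.2

- name: "SCORED | 1.3.3 | PATCH | Ensure sudo log file exists"
  lineinfile:
    dest: /etc/sudoers
    state: present
    regexp: '^Defaults logfile.*'
    line: 'Defaults logfile="/var/log/sudo.log"'
    validate: 'visudo -cf %s'
  when:
    - ubuntu2004cis_rule_1_3_3
  tags:
    - level1
    - scored
    - sudo
    - patch
    - rule_1.3.3

- name: "SCORED | 1.4.1 | PATCH | Ensure AIDE is installed (install nullmailer instead of postfix)"
  # aide-common wants an MTA; pull in nullmailer only when postfix is absent
  # (postfix_installed comes from PRELIM, rc == 0 means installed).
  apt:
    name:
      - nullmailer
    state: present
    install_recommends: false
  when:
    - ubuntu2004cis_rule_1_4_1
    - postfix_installed.rc != 0
  tags:
    - level1
    - scored
    - aide
    - patch
    - rule_1.4.1

- name: "SCORED | 1.4.1 | PATCH | Ensure AIDE is installed"
  apt:
    name:
      - aide
      - aide-common
    state: present
    install_recommends: false
  when:
    - ubuntu2004cis_rule_1_4_1
  tags:
    - level1
    - scored
    - aide
    - patch
    - rule_1.4.1

- name: "SCORED | 1.4.1 | PATCH | Stat AIDE DB"
  stat: path=/var/lib/aide/aide.db
  register: aide_db
  tags:
    - level1
    - scored
    - aide
    - patch
    - rule_1.4.1

- name: "SCORED | 1.4.1 | PATCH | Init AIDE | This may take a LONG time"
  command: /usr/sbin/aideinit
  args:
    creates: /var/lib/aide/aide.db
  when:
    - ubuntu2004cis_config_aide
    - ubuntu2004cis_rule_1_4_1
    - not aide_db.stat.exists
    - not ubuntu2004cis_skip_for_travis
  tags:
    - level1
    - scored
    - aide
    - patch
    - rule_1.4.1

- name: "SCORED | 1.4.1 | PATCH | Stat AIDE daily cron"
  stat: path=/etc/cron.daily/aide
  register: aide_daily_cron
  tags:
    - level1
    - scored
    - aide
    - file_integrity
    - patch
    - rule_1.4.2

- name: "SCORED | 1.4.2 | PATCH | Ensure filesystem integrity is regularly checked"
  # Only adds the custom schedule when no packaged daily job already exists.
  cron:
    name: Run AIDE integrity check weekly
    cron_file: "{{ ubuntu2004cis_aide_cron['cron_file'] }}"
    user: "{{ ubuntu2004cis_aide_cron['cron_user'] }}"
    minute: "{{ ubuntu2004cis_aide_cron['aide_minute'] | default('0') }}"
    hour: "{{ ubuntu2004cis_aide_cron['aide_hour'] | default('5') }}"
    day: "{{ ubuntu2004cis_aide_cron['aide_day'] | default('*') }}"
    month: "{{ ubuntu2004cis_aide_cron['aide_month'] | default('*') }}"
    weekday: "{{ ubuntu2004cis_aide_cron['aide_weekday'] | default('0') }}"
    job: "{{ ubuntu2004cis_aide_cron['aide_job'] }}"
  when:
    - ubuntu2004cis_rule_1_4_2
    - not aide_daily_cron.stat.exists
  tags:
    - level1
    - scored
    - aide
    - file_integrity
    - patch
    - rule_1.4.2

- name: "SCORED | 1.5.1 | PATCH | Ensure bootloader password is set - generate password"
  # Produces the PBKDF2 hash GRUB expects. The configured password goes
  # through the `quote` filter so shell metacharacters in it cannot break or
  # inject into the command, and is fed to grub-mkpasswd-pbkdf2 with printf
  # (echo -e interpreted backslash sequences in it). With 'random' the
  # clear-text password is never recorded anywhere: normal boot still works
  # because of --unrestricted below, but editing GRUB entries needs a re-run
  # with a known value. no_log keeps the clear-text out of Ansible output.
  shell: "set -o pipefail;
    PASSWORD={{ ubuntu2004cis_bootloader_password | quote }};
    if [ \"$PASSWORD\" = 'random' ];
    then PASSWORD=$(tr -dc A-Za-z0-9 < /dev/urandom | head -c12);
    fi;
    printf '%s\\n%s\\n' \"$PASSWORD\" \"$PASSWORD\" | grub-mkpasswd-pbkdf2 | awk '/grub.pbkdf/{print$NF}'"
  register: grub_pass
  no_log: true
  args:
    executable: /bin/bash
  when:
    - ubuntu2004cis_set_boot_pass
    - ubuntu2004cis_rule_1_5_1
  tags:
    - level1
    - scored
    - grub
    - patch
    - rule_1.5.1

- name: "SCORED | 1.5.1 | PATCH | Ensure bootloader password is set - generate config"
  # 00_password is executed by grub-mkconfig (hence 0755) and only carries the
  # hash, never the clear-text password.
  copy:
    dest: /etc/grub.d/00_password
    content: "cat << EOF\nset superusers=\"root\"\npassword_pbkdf2 root {{ grub_pass.stdout }}\nEOF"
    owner: root
    group: root
    mode: 0755
  notify: generate new grub config
  when:
    - ubuntu2004cis_set_boot_pass and grub_pass is defined and grub_pass.stdout is defined and grub_pass.stdout | length >0
    - ubuntu2004cis_rule_1_5_1
  tags:
    - level1
    - scored
    - grub
    - patch
    - rule_1.5.1

- name: "SCORED | 1.5.1 | PATCH | Ensure bootloader password is set - disable password for system boot"
  # --unrestricted lets the default entries boot without the password; editing
  # entries or entering the GRUB shell still requires it.
  replace:
    path: /etc/grub.d/10_linux
    regexp: '--class os"'
    replace: '--class os --unrestricted"'
  notify: generate new grub config
  when:
    - ubuntu2004cis_set_boot_pass
    - ubuntu2004cis_rule_1_5_1
    - ubuntu2004cis_rule_1_5_1_disable_password
  tags:
    - level1
    - scored
    - grub
    - patch
    - rule_1.5.1

- name: "SCORED | 1.5.2 | PATCH | Ensure permissions on bootloader config are configured for grub.cfg"
  # Guarded by the PRELIM stat like the grub.conf / menu.lst variants below.
  # NOTE(review): the "generate new grub config" handler rewrites this file at
  # the end of the play — confirm the regenerated file keeps 0400.
  file:
    path: "/boot/grub/grub.cfg"
    owner: root
    group: root
    mode: 0400
  when:
    - ansible_os_family == "Debian"
    - ubuntu2004cis_rule_1_5_2
    - grub_cfg.stat.exists
  tags:
    - level1
    - scored
    - grub
    - patch
    - rule_1.5.2

- name: "SCORED | 1.5.2 | PATCH | Ensure permissions on bootloader config are configured for grub.conf"
  file:
    path: "/boot/grub/grub.conf"
    owner: root
    group: root
    mode: 0400
  when:
    - ansible_os_family == "Debian"
    - ubuntu2004cis_rule_1_5_2
    - grub_conf.stat.exists
  tags:
    - level1
    - scored
    - grub
    - patch
    - rule_1.5.2

- name: "SCORED | 1.5.2 | PATCH | Ensure permissions on bootloader config are configured for menu.lst"
  file:
    path: "/boot/grub/menu.lst"
    owner: root
    group: root
    mode: 0400
  when:
    - ansible_os_family == "Debian"
    - ubuntu2004cis_rule_1_5_2
    - menu_lst.stat.exists
  tags:
    - level1
    - scored
    - grub
    - patch
    - rule_1.5.2

- name: "SCORED | 1.5.3 | PATCH | Ensure authentication required for single user mode"
  # Runs only when PRELIM found root without a usable hash. The password goes
  # through the `quote` filter (no shell injection from the variable) and
  # chpasswd reads it from stdin. With 'random' the value is discarded after
  # use, so single-user mode gets a password nobody knows — effectively
  # locked. Set ubuntu2004cis_root_password to a vaulted, known value if
  # console recovery must stay possible. no_log keeps it out of Ansible output.
  shell: "set -o pipefail;
    PASSWORD={{ ubuntu2004cis_root_password | quote }};
    if [ \"$PASSWORD\" = 'random' ];
    then PASSWORD=$(tr -dc A-Za-z0-9 < /dev/urandom | head -c24);
    fi;
    printf 'root:%s\\n' \"$PASSWORD\" | chpasswd"
  no_log: true
  args:
    executable: /bin/bash
  when:
    - ubuntu2004cis_rule_1_5_3
    - current_root_password.stdout | length > 0
  tags:
    - level1
    - scored
    - patch
    - rule_1.5.3

- name: "SCORED | 1.6.1 | PATCH | Ensure XD/NX support is enabled"
  # Audit: fails when no "NX (Execute Disable) protection: active" style line
  # is found. The kernel ring buffer can have rotated on long-running hosts,
  # so the current boot's kernel journal is searched as well.
  shell: |
    set -o pipefail;
    { dmesg 2>/dev/null || true; journalctl -k -b 2>/dev/null || true; } | grep -E "NX|XD" | grep " active"
  args:
    executable: /bin/bash
  changed_when: false
  when:
    - ubuntu2004cis_rule_1_6_1
    - not ubuntu2004cis_skip_for_travis
  tags:
    - level1
    - scored
    - patch
    - rule_1.6.1

- name: "SCORED | 1.6.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
  sysctl:
    name: kernel.randomize_va_space
    value: "2"
    state: present
    reload: true
    sysctl_set: true
    ignoreerrors: true
  when:
    - ubuntu2004cis_rule_1_6_2
  tags:
    - level1
    - scored
    - patch
    - sysctl
    - rule_1.6.2

- name: "SCORED | 1.6.3 | PATCH | Ensure prelink is disabled"
  # Undo prelinking of all binaries before the package is removed below.
  command: prelink -ua
  when:
    - prelink_installed.rc == 0
    - ubuntu2004cis_rule_1_6_3
  tags:
    - level1
    - scored
    - patch
    - rule_1.6.3

- name: "SCORED | 1.6.3 | PATCH | Ensure prelink is disabled"
  apt:
    name: prelink
    state: absent
  when:
    - ubuntu2004cis_rule_1_6_3
  tags:
    - level1
    - scored
    - patch
    - rule_1.6.3

- name: "SCORED | 1.6.4 | PATCH | Ensure core dumps are restricted"
  sysctl:
    name: fs.suid_dumpable
    value: "0"
    state: present
    reload: true
    sysctl_set: true
    ignoreerrors: true
  when:
    - ubuntu2004cis_rule_1_6_4
  tags:
    - level1
    - scored
    - sysctl
    - patch
    - rule_1.6.4

- name: "SCORED | 1.6.4 | PATCH | Ensure systemd-coredump is installed"
  apt:
    name: systemd-coredump
    state: present
  notify: restart systemd-coredump
  when:
    - ubuntu2004cis_rule_1_6_4
  tags:
    - level1
    - scored
    - patch
    - rule_1.6.4

- name: "SCORED | 1.6.4 | PATCH | Ensure hard core 0 is set"
  lineinfile:
    dest: /etc/security/limits.conf
    line: '* hard core 0'
    regexp: '(^#)?\*\s+hard\s+core\s+[0-9]+'
    state: present
    create: true
    insertbefore: "# End of file"
  notify: restart systemd-coredump
  when:
    - ubuntu2004cis_rule_1_6_4
  tags:
    - level1
    - scored
    - patch
    - rule_1.6.4

- name: "SCORED | 1.7.1.1 | PATCH | Ensure AppArmor is installed"
  apt:
    name:
      - apparmor
      - apparmor-utils
    state: present
  when:
    - ubuntu2004cis_rule_1_7_1_1
  tags:
    - level1
    - scored
    - patch
    - rule_1.7.1.1

- name: "SCORED | 1.7.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration"
  # The negative look-aheads make both edits idempotent: parameters are only
  # appended to GRUB_CMDLINE_LINUX when not already present.
  block:
    - name: "SCORED | 1.7.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration"
      replace:
        dest: /etc/default/grub
        regexp: '^(GRUB_CMDLINE_LINUX=(?!.*apparmor)\"[^\"]*)(\".*)'
        replace: '\1 apparmor=1 security=apparmor\2'
      notify:
        - generate new grub config

    - name: "SCORED | 1.7.1.2 | PATCH | Ensure AppArmor Security is enabled in the bootloader configuration"
      replace:
        dest: /etc/default/grub
        regexp: '^(GRUB_CMDLINE_LINUX=(?!.*security)\"[^\"]*)(\".*)'
        replace: '\1 security=apparmor\2'
      notify:
        - generate new grub config
  when:
    - ubuntu2004cis_rule_1_7_1_2
  tags:
    - level1
    - scored
    - patch
    - rule_1.7.1.2

- name: "SCORED | 1.7.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode"
  command: /bin/true
  changed_when: false
  when:
    - ubuntu2004cis_rule_1_7_1_3
  tags:
    - level1
    - scored
    - patch
    - rule_1.7.1.3
    - notimplemented

- name: "SCORED | 1.7.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing"
  command: /bin/true
  changed_when: false
  when:
    - ubuntu2004cis_rule_1_7_1_4
  tags:
    - level1
    - scored
    - patch
    - rule_1.7.1.4
    - notimplemented

# Banner files are written with the CIS ownership/mode directly so they are
# correct even when the matching 1.8.1.4-1.8.1.6 permission rules are disabled.
- name: "SCORED | 1.8.1.1 | PATCH | Ensure message of the day is configured properly"
  template:
    src: etc/motd.j2
    dest: /etc/motd
    owner: root
    group: root
    mode: 0644
  when:
    - ubuntu2004cis_rule_1_8_1_1
  tags:
    - level1
    - scored
    - patch
    - banner
    - rule_1.8.1.1

- name: "SCORED | 1.8.1.2 | PATCH | Ensure local login warning banner is configured properly"
  template:
    src: etc/issue.j2
    dest: /etc/issue
    owner: root
    group: root
    mode: 0644
  when:
    - ubuntu2004cis_rule_1_8_1_2
  tags:
    - level1
    - scored
    - patch
    - banner
    - rule_1.8.1.2

- name: "SCORED | 1.8.1.3 | PATCH | Ensure remote login warning banner is configured properly"
  template:
    src: etc/issue.net.j2
    dest: /etc/issue.net
    owner: root
    group: root
    mode: 0644
  when:
    - ubuntu2004cis_rule_1_8_1_3
  tags:
    - level1
    - scored
    - patch
    - banner
    - rule_1.8.1.3

- name: "SCORED | 1.8.1.4 | PATCH | Ensure permissions on /etc/motd are configured"
  file:
    dest: /etc/motd
    state: file
    owner: root
    group: root
    mode: 0644
  when:
    - ubuntu2004cis_rule_1_8_1_4
  tags:
    - level1
    - scored
    - patch
    - perms
    - rule_1.8.1.4

- name: "SCORED | 1.8.1.5 | PATCH | Ensure permissions on /etc/issue are configured"
  file:
    dest: /etc/issue
    state: file
    owner: root
    group: root
    mode: 0644
  when:
    - ubuntu2004cis_rule_1_8_1_5
  tags:
    - level1
    - scored
    - patch
    - perms
    - rule_1.8.1.5

- name: "SCORED | 1.8.1.6 | PATCH | Ensure permissions on /etc/issue.net are configured"
  file:
    dest: /etc/issue.net
    state: file
    owner: root
    group: root
    mode: 0644
  when:
    - ubuntu2004cis_rule_1_8_1_6
  tags:
    - level1
    - scored
    - patch
    - perms
    - rule_1.8.1.6

- name: "NOTSCORED | 1.9 | PATCH | Ensure updates, patches, and additional security software are installed"
  apt:
    upgrade: dist
  when:
    - ubuntu2004cis_apply_upgrades
  tags:
    - level1
    - notscored
    - patch
    - rule_1.9
    - skip_ansible_lint

- name: "SCORED | 1.10 | PATCH | Ensure GDM login banner is configured"
  # Writes the dconf profile and keyfile for the GDM greeter.
  # NOTE(review): keyfiles under /etc/dconf/db only take effect after
  # `dconf update` compiles them; no handler for that is visible here — confirm
  # one runs. A single quote inside ubuntu2004cis_warning_banner would also
  # break the GVariant string literal written on the last line.
  lineinfile:
    dest: "{{ item.file }}"
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
    create: true
    owner: root
    group: root
    mode: 0644
  with_items:
    - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' }
    - { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' }
    - { file: '/etc/dconf/profile/gdm', regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults' }
    - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' }
    - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-enable', line: 'banner-message-enable=true' }
    - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-text', line: "banner-message-text='{{ ubuntu2004cis_warning_banner }}'" }
  when:
    - ubuntu2004cis_gui
    - ubuntu2004cis_rule_1_10
  tags:
    - level1
    - scored
    - patch
    - banner
    - rule_1.10

# file: /tasks/section2.yml
---
- name: "SCORED | 2.1.1 | PATCH | Ensure chargen services are not enabled | chargen-dgram,chargen-stream"
  block:
    - name: "SCORED | 2.1.1 | PATCH | Ensure chargen services are not enabled | chargen-dgram"
      stat:
        path: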
/etc/xinetd.d/chargen-dgram 7 | register: chargen_dgram_service 8 | 9 | - name: "SCORED | 2.1.1 | PATCH | Ensure chargen services are not enabled | chargen-dgram" 10 | service: 11 | name: chargen-dgram 12 | enabled: no 13 | notify: restart xinetd 14 | when: 15 | - chargen_dgram_service.stat.exists 16 | 17 | - name: "SCORED | 2.1.1 | PATCH | Ensure chargen services are not enabled | chargen-stream" 18 | stat: 19 | path: /etc/xinetd.d/chargen-stream 20 | register: chargen_stream_service 21 | 22 | - name: "SCORED | 2.1.1 | PATCH | Ensure chargen services are not enabled | chargen-stream" 23 | service: 24 | name: chargen-stream 25 | enabled: no 26 | notify: restart xinetd 27 | when: 28 | - chargen_stream_service.stat.exists 29 | when: 30 | - ubuntu2004cis_rule_2_1_1 31 | tags: 32 | - level1 33 | - scored 34 | - services 35 | - patch 36 | - rule_2.1.1 37 | - skip_ansible_lint 38 | 39 | - name: "SCORED | 2.1.2 | PATCH | Ensure daytime services are not enabled | daytime-dgram,daytime-stream" 40 | block: 41 | - name: "SCORED | 2.1.2 | PATCH | Ensure daytime services are not enabled | daytime-dgram" 42 | stat: 43 | path: /etc/xinetd.d/daytime-dgram 44 | register: daytime_dgram_service 45 | 46 | - name: "SCORED | 2.1.2 | PATCH | Ensure daytime services are not enabled | daytime-dgram" 47 | service: 48 | name: daytime-dgram 49 | enabled: no 50 | notify: restart xinetd 51 | when: 52 | - daytime_dgram_service.stat.exists 53 | 54 | - name: "SCORED | 2.1.2 | PATCH | Ensure daytime services are not enabled | daytime-stream" 55 | stat: 56 | path: /etc/xinetd.d/daytime-stream 57 | register: daytime_stream_service 58 | 59 | - name: "SCORED | 2.1.2 | PATCH | Ensure daytime services are not enabled | daytime-stream" 60 | service: 61 | name: daytime-stream 62 | enabled: no 63 | notify: restart xinetd 64 | when: 65 | - daytime_stream_service.stat.exists 66 | when: 67 | - ubuntu2004cis_rule_2_1_2 68 | tags: 69 | - level1 70 | - scored 71 | - patch 72 | - rule_2.1.2 73 | - 
skip_ansible_lint 74 | 75 | - name: "SCORED | 2.1.3 | PATCH | Ensure discard services are not enabled | discard-dgram,discard-stream" 76 | block: 77 | - name: "SCORED | 2.1.3 | PATCH | Ensure discard services are not enabled | discard-dgram" 78 | stat: 79 | path: /etc/xinetd.d/discard-dgram 80 | register: discard_dgram_service 81 | 82 | - name: "SCORED | 2.1.3 | PATCH | Ensure discard services are not enabled | discard-dgram" 83 | service: 84 | name: discard-dgram 85 | enabled: no 86 | notify: restart xinetd 87 | when: 88 | - discard_dgram_service.stat.exists 89 | 90 | - name: "SCORED | 2.1.3 | PATCH | Ensure discard services are not enabled | discard-stream" 91 | stat: 92 | path: /etc/xinetd.d/discard-stream 93 | register: discard_stream_service 94 | 95 | - name: "SCORED | 2.1.3 | PATCH | Ensure discard services are not enabled | discard-stream" 96 | service: 97 | name: discard-stream 98 | enabled: no 99 | notify: restart xinetd 100 | when: 101 | - discard_stream_service.stat.exists 102 | when: 103 | - ubuntu2004cis_rule_2_1_3 104 | tags: 105 | - level1 106 | - scored 107 | - patch 108 | - rule_2.1.3 109 | - skip_ansible_lint 110 | 111 | - name: "SCORED | 2.1.4 | PATCH | Ensure echo services are not enabled | echo-dgram,echo-stream" 112 | block: 113 | - name: "SCORED | 2.1.4 | PATCH | Ensure echo services are not enabled | echo-dgram" 114 | stat: 115 | path: /etc/xinetd.d/echo-dgram 116 | register: echo_dgram_service 117 | 118 | - name: "SCORED | 2.1.4 | PATCH | Ensure echo services are not enabled | echo-dgram" 119 | service: 120 | name: echo-dgram 121 | enabled: no 122 | notify: restart xinetd 123 | when: 124 | - echo_dgram_service.stat.exists 125 | 126 | - name: "SCORED | 2.1.4 | PATCH | Ensure echo services are not enabled | echo-stream" 127 | stat: 128 | path: /etc/xinetd.d/echo-stream 129 | register: echo_stream_service 130 | 131 | - name: "SCORED | 2.1.4 | PATCH | Ensure echo services are not enabled | echo-stream" 132 | service: 133 | name: echo-stream 134 
| enabled: no 135 | notify: restart xinetd 136 | when: 137 | - echo_stream_service.stat.exists 138 | when: 139 | - ubuntu2004cis_rule_2_1_4 140 | tags: 141 | - level1 142 | - scored 143 | - patch 144 | - rule_2.1.4 145 | - skip_ansible_lint 146 | 147 | - name: "SCORED | 2.1.5 | PATCH | Ensure time services are not enabled | time-dgram,time-stream" 148 | block: 149 | - name: "SCORED | 2.1.5 | PATCH | Ensure time services are not enabled | time-dgram" 150 | stat: 151 | path: /etc/xinetd.d/time-dgram 152 | register: time_dgram_service 153 | 154 | - name: "SCORED | 2.1.5 | PATCH | Ensure time services are not enabled | time-dgram" 155 | service: 156 | name: time-dgram 157 | enabled: no 158 | notify: restart xinetd 159 | when: 160 | - time_dgram_service.stat.exists 161 | 162 | - name: "SCORED | 2.1.5 | PATCH | Ensure time services are not enabled | time-stream" 163 | stat: 164 | path: /etc/xinetd.d/time-stream 165 | register: time_stream_service 166 | 167 | - name: "SCORED | 2.1.5 | PATCH | Ensure time services are not enabled | time-stream" 168 | service: 169 | name: time-stream 170 | enabled: no 171 | notify: restart xinetd 172 | when: 173 | - time_stream_service.stat.exists 174 | when: 175 | - ubuntu2004cis_rule_2_1_5 176 | tags: 177 | - level1 178 | - scored 179 | - patch 180 | - rule_2.1.5 181 | - skip_ansible_lint 182 | 183 | - name: "SCORED | 2.1.6 | PATCH | Ensure rsh server is not enabled | rsh, rlogin, rexec" 184 | block: 185 | - name: "SCORED | 2.1.6 | PATCH | Ensure rsh server is not enabled | rsh" 186 | service: 187 | name: rsh.socket 188 | state: stopped 189 | enabled: false 190 | when: 191 | - not ubuntu2004cis_rsh_server 192 | - rsh_service_status.stdout == "loaded" 193 | - ubuntu2004cis_rule_2_1_6 194 | 195 | - name: "SCORED | 2.1.6 | PATCH | Ensure rsh server is not enabled | rlogin" 196 | service: 197 | name: rlogin.socket 198 | state: stopped 199 | enabled: false 200 | when: 201 | - not ubuntu2004cis_rsh_server 202 | - rlogin_service_status.stdout == 
"loaded" 203 | - ubuntu2004cis_rule_2_1_6 204 | 205 | - name: "SCORED | 2.1.6 | PATCH | Ensure rsh server is not enabled | rexec" 206 | service: 207 | name: rexec.socket 208 | state: stopped 209 | enabled: false 210 | when: 211 | - not ubuntu2004cis_rsh_server 212 | - rexec_service_status.stdout == "loaded" 213 | - ubuntu2004cis_rule_2_1_6 214 | tags: 215 | - level1 216 | - scored 217 | - patch 218 | - rule_2.1.6 219 | 220 | - name: "SCORED | 2.1.7 | PATCH | Ensure talk server is not enabled" 221 | service: 222 | name: ntalk 223 | state: stopped 224 | enabled: false 225 | when: 226 | - not ubuntu2004cis_ntalk_server 227 | - ntalk_service_status.stdout == "loaded" 228 | - ubuntu2004cis_rule_2_1_7 229 | tags: 230 | - level1 231 | - scored 232 | - patch 233 | - rule_2.1.7 234 | 235 | - name: "SCORED | 2.1.8 | PATCH | Ensure telnet server is not enabled" 236 | service: 237 | name: telnetd 238 | state: stopped 239 | enabled: false 240 | when: 241 | - not ubuntu2004cis_telnet_server 242 | - telnet_service_status.stdout == "loaded" 243 | - ubuntu2004cis_rule_2_1_8 244 | tags: 245 | - level1 246 | - scored 247 | - patch 248 | - rule_2.1.8 249 | 250 | - name: "SCORED | 2.1.9 | PATCH | Ensure tftp server is not enabled" 251 | service: 252 | name: tftpd-hpa 253 | state: stopped 254 | enabled: no 255 | when: 256 | - not ubuntu2004cis_tftp_server 257 | - ubuntu2004cis_rule_2_1_9 258 | - tftp_service_status.stdout == "loaded" 259 | tags: 260 | - level1 261 | - scored 262 | - patch 263 | - rule_2.1.9 264 | 265 | - name: "SCORED | 2.1.10 | PATCH | Ensure xinetd is not enabled" 266 | service: 267 | name: xinetd 268 | state: stopped 269 | enabled: false 270 | when: 271 | - xinetd_service_status.stdout == "loaded" 272 | - not ubuntu2004cis_xinetd_required 273 | - ubuntu2004cis_rule_2_1_10 274 | tags: 275 | - level1 276 | - patch 277 | - scored 278 | - rule_2.1.10 279 | 280 | - name: "SCORED | 2.1.11 | PATCH | Ensure openbsd-inetd is not installed" 281 | apt: 282 | name: openbsd-inetd 
283 | state: absent 284 | when: 285 | - openbsd_inetd_service_status.stdout == "ok installed" 286 | - ubuntu2004cis_rule_2_1_11 287 | tags: 288 | - level1 289 | - patch 290 | - scored 291 | - rule_2.1.11 292 | 293 | - name: "SCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use" 294 | block: 295 | - name: "SCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - service install" 296 | apt: 297 | name: "{{ ubuntu2004cis_time_synchronization }}" 298 | state: present 299 | install_recommends: false 300 | 301 | - name: "SCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - service start" 302 | service: 303 | name: "{{ ubuntu2004cis_time_synchronization }}" 304 | state: started 305 | enabled: true 306 | 307 | - name: "SCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - service stop ntp" 308 | service: 309 | name: "{{ ntp_service[ansible_os_family] }}" 310 | state: stopped 311 | enabled: false 312 | when: 313 | - ubuntu2004cis_time_synchronization == "chrony" 314 | - ntpd_service_status.stdout == "loaded" 315 | 316 | - name: "SCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - service stop chrony" 317 | service: 318 | name: chronyd 319 | state: stopped 320 | enabled: false 321 | ignore_errors: true 322 | when: 323 | - ubuntu2004cis_time_synchronization == "ntp" 324 | - chronyd_service_status.stdout == "loaded" 325 | 326 | - name: "SCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - mask systemd-timesyncd" 327 | systemd: 328 | name: systemd-timesyncd 329 | enabled: no 330 | masked: yes 331 | when: 332 | - ubuntu2004cis_time_synchronization == "ntp" 333 | - systemd_timesyncd_service_status.stdout == "loaded" 334 | 335 | when: 336 | - ubuntu2004cis_rule_2_2_1_1 337 | tags: 338 | - level1 339 | - scored 340 | - ntp 341 | - chrony 342 | - patch 343 | - rule_2.2.1.1 344 | 345 | - name: "NOTSCORED | 2.2.1.2 | PATCH | Ensure systemd-timesyncd is configured" 346 | command: /bin/true 347 | changed_when: 
false
  when:
    - ubuntu2004cis_rule_2_2_1_2
  tags:
    - level1
    - notscored
    - patch
    - rule_2.2.1.2
    - notimplemented

- name: "SCORED | 2.2.1.3 | PATCH | Ensure chrony is configured"
  block:
    - name: "SCORED | 2.2.1.3 | PATCH | Ensure chrony is configured | create chrony.conf"
      template:
        src: chrony.conf.j2
        dest: "{{ chrony_config_file[ansible_os_family] }}"
        owner: root
        group: root
        mode: 0644

    # NOTE(review): /etc/sysconfig/chronyd is the RHEL-family daemon-options file; Ubuntu's
    # chrony package reads /etc/default/chrony instead, so on this role's target this task
    # creates an unused file and the "-u <user>" drop-privilege option is never applied.
    # The sibling keys chrony_config_file / chrony_system_user are already looked up by
    # ansible_os_family — confirm against vars/main.yml and key this path the same way.
    - name: "SCORED | 2.2.1.3 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd"
      lineinfile:
        dest: /etc/sysconfig/chronyd
        regexp: "^(#)?OPTIONS"
        line: "OPTIONS=\"-u {{ chrony_system_user[ansible_os_family] }}\""
        state: present
        create: true
  when:
    - ubuntu2004cis_time_synchronization == "chrony"
    - ubuntu2004cis_rule_2_2_1_3
  tags:
    - level1
    - scored
    - chrony
    - patch
    - rule_2.2.1.3

- name: "SCORED | 2.2.1.4 | PATCH | Ensure ntp is configured"
  block:
    - name: "SCORED | 2.2.1.4 | PATCH | Ensure ntp is configured | modify /etc/ntp.conf"
      template:
        src: ntp.conf.j2
        dest: /etc/ntp.conf
        owner: root
        group: root
        mode: 0644

    # Forces the daemon to run unprivileged; only the RUNASUSER line is touched.
    - name: "SCORED | 2.2.1.4 | PATCH | Ensure ntp is configured | modify /etc/init.d/ntp"
      lineinfile:
        dest: /etc/init.d/ntp
        regexp: "^RUNASUSER"
        line: "RUNASUSER=ntp"
  when:
    - ubuntu2004cis_time_synchronization == "ntp"
    - ubuntu2004cis_rule_2_2_1_4
  tags:
    - level1
    - scored
    - ntp
    - patch
    - rule_2.2.1.4

- name: "SCORED | 2.2.2 | PATCH | Ensure X Window System is not installed"
  apt:
    name:
      - "xorg"
      - "x11*"
    state: absent
  when:
    - not ubuntu2004cis_xwindows_required
    - ubuntu2004cis_rule_2_2_2
  tags:
    - level1
    - scored
    - xwindows
    - patch
| - rule_2.2.2 424 | 425 | - name: "SCORED | 2.2.3 | PATCH | Ensure Avahi Server is not enabled" 426 | service: 427 | name: avahi-daemon 428 | state: stopped 429 | enabled: false 430 | when: 431 | - not ubuntu2004cis_avahi_server 432 | - avahi_service_status.stdout == "loaded" 433 | - ubuntu2004cis_rule_2_2_3 434 | tags: 435 | - level1 436 | - scored 437 | - avahi 438 | - services 439 | - patch 440 | - rule_2.2.3 441 | 442 | - name: "SCORED | 2.2.4 | PATCH | Ensure CUPS is not enabled" 443 | service: 444 | name: cups 445 | state: stopped 446 | enabled: false 447 | when: 448 | - not ubuntu2004cis_cups_server 449 | - cups_service_status.stdout == "loaded" 450 | - ubuntu2004cis_rule_2_2_4 451 | tags: 452 | - level1 453 | - scored 454 | - cups 455 | - services 456 | - patch 457 | - rule_2.2.4 458 | 459 | - name: "SCORED | 2.2.5 | PATCH | Ensure DHCP Server is not enabled" 460 | service: 461 | name: dhcpd 462 | state: stopped 463 | enabled: false 464 | when: 465 | - not ubuntu2004cis_dhcp_server 466 | - dhcpd_service_status.stdout == "loaded" 467 | - ubuntu2004cis_rule_2_2_5 468 | tags: 469 | - level1 470 | - scored 471 | - dhcp 472 | - services 473 | - patch 474 | - rule_2.2.5 475 | 476 | - name: "SCORED | 2.2.6 | PATCH | Ensure LDAP server is not enabled" 477 | service: 478 | name: slapd 479 | state: stopped 480 | enabled: false 481 | when: 482 | - not ubuntu2004cis_ldap_server 483 | - slapd_service_status.stdout == "loaded" 484 | - ubuntu2004cis_rule_2_2_6 485 | tags: 486 | - level1 487 | - scored 488 | - ldap 489 | - services 490 | - patch 491 | - rule_2.2.6 492 | 493 | - name: "SCORED | 2.2.7 | PATCH | Ensure NFS and RPC are not enabled" 494 | service: 495 | name: nfs 496 | state: stopped 497 | enabled: false 498 | when: 499 | - not ubuntu2004cis_nfs_rpc_server 500 | - nfs_service_status.stdout == "loaded" 501 | - ubuntu2004cis_rule_2_2_7 502 | tags: 503 | - level1 504 | - scored 505 | - nfs 506 | - rpc 507 | - services 508 | - patch 509 | - rule_2.2.7 510 | 511 | 
- name: "SCORED | 2.2.7 | PATCH | Ensure RPC is not enabled" 512 | service: 513 | name: rpcbind 514 | state: stopped 515 | enabled: false 516 | when: 517 | - not ubuntu2004cis_nfs_rpc_server 518 | - rpcbind_service_status.stdout == "loaded" 519 | - ubuntu2004cis_rule_2_2_7 520 | tags: 521 | - level1 522 | - scored 523 | - nfs 524 | - rpc 525 | - services 526 | - patch 527 | - rule_2.2.7 528 | 529 | - name: "SCORED | 2.2.8 | PATCH | Ensure DNS Server is not enabled" 530 | service: 531 | name: named 532 | state: stopped 533 | enabled: false 534 | when: 535 | - not ubuntu2004cis_named_server 536 | - named_service_status.stdout == "loaded" 537 | - ubuntu2004cis_rule_2_2_8 538 | tags: 539 | - level1 540 | - scored 541 | - dns 542 | - services 543 | - patch 544 | - rule_2.2.8 545 | 546 | - name: "SCORED | 2.2.9 | PATCH | Ensure FTP Server is not enabled" 547 | service: 548 | name: vsftpd 549 | state: stopped 550 | enabled: false 551 | when: 552 | - not ubuntu2004cis_vsftpd_server 553 | - vsftpd_service_status.stdout == "loaded" 554 | - ubuntu2004cis_rule_2_2_9 555 | tags: 556 | - level1 557 | - scored 558 | - ftp 559 | - services 560 | - patch 561 | - rule_2.2.9 562 | 563 | - name: "SCORED | 2.2.10 | PATCH | Ensure HTTP server is not enabled" 564 | service: 565 | name: apache2 566 | state: stopped 567 | enabled: false 568 | when: 569 | - not ubuntu2004cis_httpd_server 570 | - httpd_service_status.stdout == "loaded" 571 | - ubuntu2004cis_rule_2_2_10 572 | tags: 573 | - level1 574 | - scored 575 | - http 576 | - services 577 | - patch 578 | - rule_2.2.10 579 | 580 | - name: "SCORED | 2.2.11 | PATCH | Ensure IMAP and POP3 server is not enabled" 581 | service: 582 | name: dovecot 583 | state: stopped 584 | enabled: false 585 | when: 586 | - not ubuntu2004cis_dovecot_server 587 | - dovecot_service_status.stdout == "loaded" 588 | - ubuntu2004cis_rule_2_2_11 589 | tags: 590 | - level1 591 | - scored 592 | - imap 593 | - pop3 594 | - services 595 | - patch 596 | - rule_2.2.11 
597 | 598 | - name: "SCORED | 2.2.12 | PATCH | Ensure Samba is not enabled" 599 | service: 600 | name: smbd 601 | state: stopped 602 | enabled: false 603 | when: 604 | - not ubuntu2004cis_smb_server 605 | - smb_service_status.stdout == "loaded" 606 | - ubuntu2004cis_rule_2_2_12 607 | tags: 608 | - level1 609 | - scored 610 | - samba 611 | - services 612 | - patch 613 | - rule_2.2.12 614 | 615 | - name: "SCORED | 2.2.13 | PATCH | Ensure HTTP Proxy Server is not enabled" 616 | service: 617 | name: squid 618 | state: stopped 619 | enabled: false 620 | when: 621 | - not ubuntu2004cis_squid_server 622 | - squid_service_status.stdout == "loaded" 623 | - ubuntu2004cis_rule_2_2_13 624 | tags: 625 | - level1 626 | - scored 627 | - http_proxy 628 | - services 629 | - patch 630 | - rule_2.2.13 631 | 632 | - name: "SCORED | 2.2.14 | PATCH | Ensure SNMP Server is not enabled" 633 | service: 634 | name: snmpd 635 | state: stopped 636 | enabled: false 637 | when: 638 | - not ubuntu2004cis_snmp_server 639 | - snmpd_service_status.stdout == "loaded" 640 | - ubuntu2004cis_rule_2_2_14 641 | tags: 642 | - level1 643 | - scored 644 | - snmp 645 | - services 646 | - patch 647 | - rule_2.2.14 648 | 649 | - name: "SCORED | 2.2.15 | PATCH | Ensure mail transfer agent is configured for local-only mode" 650 | lineinfile: 651 | dest: /etc/postfix/main.cf 652 | regexp: "^(#)?inet_interfaces" 653 | line: "inet_interfaces = localhost" 654 | when: 655 | - not ubuntu2004cis_is_mail_server 656 | - postfix_installed.rc == 0 657 | - ubuntu2004cis_rule_2_2_15 658 | tags: 659 | - level1 660 | - scored 661 | - patch 662 | - rule_2.2.15 663 | 664 | - name: "SCORED | 2.2.16 | PATCH | Ensure rsync service is not enabled " 665 | service: 666 | name: rsync 667 | state: stopped 668 | enabled: false 669 | when: 670 | - not ubuntu2004cis_rsyncd_server 671 | - rsyncd_service_status.stdout == "loaded" 672 | - ubuntu2004cis_rule_2_2_16 673 | tags: 674 | - level1 675 | - scored 676 | - rsync 677 | - services 678 | 
- patch 679 | - rule_2.2.16 680 | 681 | - name: "SCORED | 2.2.17 | PATCH | Ensure NIS Server is not enabled" 682 | service: 683 | name: nis 684 | state: stopped 685 | enabled: false 686 | when: 687 | - not ubuntu2004cis_nis_server 688 | - ypserv_service_status.stdout == "loaded" 689 | - ubuntu2004cis_rule_2_2_17 690 | tags: 691 | - level1 692 | - scored 693 | - nis 694 | - services 695 | - patch 696 | - rule_2.2.17 697 | 698 | - name: "SCORED | 2.3.1 | PATCH | Ensure NIS Client is not installed" 699 | apt: 700 | name: yp-tools 701 | state: absent 702 | when: 703 | - not ubuntu2004cis_ypbind_required 704 | - ubuntu2004cis_rule_2_3_1 705 | tags: 706 | - level1 707 | - scored 708 | - patch 709 | - rule_2.3.1 710 | 711 | - name: "SCORED | 2.3.2 | PATCH | Ensure rsh client is not installed" 712 | apt: 713 | name: rsh 714 | state: absent 715 | when: 716 | - not ubuntu2004cis_rsh_required 717 | - ubuntu2004cis_rule_2_3_2 718 | tags: 719 | - level1 720 | - scored 721 | - patch 722 | - rule_2.3.2 723 | 724 | - name: "SCORED | 2.3.3 | PATCH | Ensure talk client is not installed" 725 | apt: 726 | name: talk 727 | state: absent 728 | when: 729 | - not ubuntu2004cis_talk_required 730 | - ubuntu2004cis_rule_2_3_3 731 | tags: 732 | - level1 733 | - scored 734 | - patch 735 | - rule_2.3.3 736 | 737 | - name: "SCORED | 2.3.4 | PATCH | Ensure telnet client is not installed" 738 | apt: 739 | name: telnet 740 | state: absent 741 | when: 742 | - not ubuntu2004cis_telnet_required 743 | - ubuntu2004cis_rule_2_3_4 744 | tags: 745 | - level1 746 | - scored 747 | - patch 748 | - rule_2.3.4 749 | 750 | - name: "SCORED | 2.3.5 | PATCH | Ensure LDAP client is not installed" 751 | apt: 752 | name: ldap-utils 753 | state: absent 754 | when: 755 | - not ubuntu2004cis_openldap_clients_required 756 | - ubuntu2004cis_rule_2_3_5 757 | tags: 758 | - level1 759 | - scored 760 | - patch 761 | - rule_2.3.5 762 | 763 | - name: "SCORED | 2.3.6 | PATCH | Ensure RPC is not installed" 764 | apt: 765 | name: 
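rpcbind
    state: absent
  when:
    - not ubuntu2004cis_rpc_required
    - ubuntu2004cis_rule_2_3_6
  tags:
    - level1
    - scored
    - patch
    - rule_2.3.6

# Rule 2.4 is advisory only: it prints the manual review procedure and changes nothing,
# so it is gated solely on its own rule switch. The `not ubuntu2004cis_rpc_required`
# guard that was carried over from rule 2.3.6 has no relation to this rule and would
# silently suppress the review advice on any host where RPC is marked as required.
- name: "NOTSCORED | 2.4 | PATCH | Ensure nonessential services are removed or masked"
  changed_when: false
  debug:
    msg: >
      Run the following command:
      # lsof -i -P -n | grep -v "(ESTABLISHED)"
      Review the output to ensure that all services listed are required on the system. If a listed
      service is not required, remove the package containing the service. If the package
      containing a non-essential service is required, stop and mask the non-essential service.
      Run the following command to remove the package containing the service:
      # apt purge
      Run the following command to stop and mask the service:
      # systemctl --now mask
  when:
    - ubuntu2004cis_rule_2_4
  tags:
    - level1
    - notscored
    - patch
    - rule_2.4
-------------------------------------------------------------------------------- /tasks/section3.yml: --------------------------------------------------------------------------------
---
# Section 3: network configuration. The sysctl tasks here set ignoreerrors: true so a
# key that is unknown to the host kernel does not abort the run; the /etc/default/grub
# edits take effect through the "generate new grub config" handler.
- name: "NOTSCORED | 3.1.1 | PATCH | Disable IPv6"
  sysctl:
    name: "{{ item }}"
    value: "1"
    state: present
    reload: true
    ignoreerrors: true
  with_items:
    - net.ipv6.conf.all.disable_ipv6
    - net.ipv6.conf.default.disable_ipv6
    - net.ipv6.conf.lo.disable_ipv6
  when:
    - not ubuntu2004cis_ipv6_required
    - ubuntu2004cis_rule_3_1_1
  tags:
    - level2
    - notscored
    - patch
    - sysctl
    - rule_3.1.1

# Adds ipv6.disable=1 to GRUB_CMDLINE_LINUX only when it is not already present
# (negative lookahead), so repeated runs do not duplicate the parameter.
- name: "NOTSCORED | 3.1.1 | PATCH | Disable IPv6"
  replace:
    dest: /etc/default/grub
    regexp: '^(GRUB_CMDLINE_LINUX=(?!.*ipv6.disable)\"[^\"]*)(\".*)'
    replace: '\1 ipv6.disable=1\2'
  ignore_errors: true
  when:
    - not ubuntu2004cis_ipv6_required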
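- ubuntu2004cis_rule_3_1_1
  notify:
    - generate new grub config
  tags:
    - level2
    - notscored
    - patch
    - rule_3.1.1

# 3.1.2 has no automated remediation in this role yet. The previous task under this
# name was a verbatim copy of 3.2.1 (net.ipv4.conf.*.send_redirects) gated on the IPv6
# switch: it never touched a wireless interface but reported the rule as applied. Until a
# real remediation exists it follows the role's convention for unimplemented rules
# (see 1.7.1.3, 2.2.1.2): a no-op command plus the "notimplemented" tag, so the gap
# stays visible to anyone filtering on that tag.
- name: "SCORED | 3.1.2 | PATCH | Ensure wireless interfaces are disabled"
  command: /bin/true
  changed_when: false
  when:
    - ubuntu2004cis_rule_3_1_2
  tags:
    - level1
    - scored
    - patch
    - rule_3.1.2
    - notimplemented

# Skipped on routers, which legitimately send ICMP redirects.
- name: "SCORED | 3.2.1 | PATCH | Ensure packet redirect sending is disabled"
  sysctl:
    name: '{{ item.name }}'
    value: '{{ item.value }}'
    sysctl_set: true
    state: present
    reload: true
    ignoreerrors: true
  with_items:
    - { name: net.ipv4.conf.all.send_redirects, value: 0 }
    - { name: net.ipv4.conf.default.send_redirects, value: 0 }
  when:
    - not ubuntu2004cis_is_router
    - ubuntu2004cis_rule_3_2_1
  notify:
    - sysctl flush ipv4 route table
  tags:
    - level1
    - scored
    - patch
    - sysctl
    - rule_3.2.1

- name: "SCORED | 3.2.2 | PATCH | Ensure IP forwarding is disabled"
  block:
    - name: "SCORED | 3.2.2 | PATCH | Ensure IP forwarding is disabled | ipv4"
      sysctl:
        name: net.ipv4.ip_forward
        value: "0"
        state: present
        reload: true
        ignoreerrors: true
      notify:
        - sysctl flush ipv4 route table

    # Only applied when IPv6 stays enabled; 3.1.1 disables the stack otherwise.
    - name: "SCORED | 3.2.2 | PATCH | Ensure IP forwarding is disabled | ipv6"
      sysctl:
        name: net.ipv6.conf.all.forwarding
        value: "0"
        state: present
        reload: true
        ignoreerrors: true
      when: ubuntu2004cis_ipv6_required
      notify:
        - sysctl flush ipv6 route table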
108 | when: 109 | - not ubuntu2004cis_is_router 110 | - ubuntu2004cis_rule_3_2_2 111 | tags: 112 | - level1 113 | - scored 114 | - patch 115 | - sysctl 116 | - rule_3.2.2 117 | 118 | - name: "SCORED | 3.3.1 | PATCH | Ensure source routed packets are not accepted" 119 | block: 120 | - name: "SCORED | 3.3.1 | PATCH | Ensure source routed packets are not accepted | ipv4" 121 | sysctl: 122 | name: '{{ item.name }}' 123 | value: '{{ item.value }}' 124 | sysctl_set: true 125 | state: present 126 | reload: true 127 | ignoreerrors: true 128 | with_items: 129 | - { name: net.ipv4.conf.all.accept_source_route, value: 0 } 130 | - { name: net.ipv4.conf.default.accept_source_route, value: 0 } 131 | notify: 132 | - sysctl flush ipv4 route table 133 | 134 | - name: "SCORED | 3.3.1 | PATCH | Ensure source routed packets are not accepted | ipv6" 135 | sysctl: 136 | name: '{{ item.name }}' 137 | value: '{{ item.value }}' 138 | sysctl_set: true 139 | state: present 140 | reload: true 141 | ignoreerrors: true 142 | with_items: 143 | - { name: net.ipv6.conf.all.accept_source_route, value: 0 } 144 | - { name: net.ipv6.conf.default.accept_source_route, value: 0 } 145 | when: 146 | - ubuntu2004cis_ipv6_required 147 | notify: 148 | - sysctl flush ipv6 route table 149 | when: 150 | - ubuntu2004cis_rule_3_3_1 151 | tags: 152 | - level1 153 | - scored 154 | - patch 155 | - sysctl 156 | - rule_3.3.1 157 | 158 | - name: "SCORED | 3.3.2 | PATCH | Ensure ICMP redirects are not accepted | ipv4,ipv6" 159 | block: 160 | - name: "SCORED | 3.3.2 | PATCH | Ensure ICMP redirects are not accepted | ipv4" 161 | sysctl: 162 | name: '{{ item.name }}' 163 | value: '{{ item.value }}' 164 | sysctl_set: true 165 | state: present 166 | reload: true 167 | ignoreerrors: true 168 | with_items: 169 | - { name: net.ipv4.conf.all.accept_redirects, value: 0 } 170 | - { name: net.ipv4.conf.default.accept_redirects, value: 0 } 171 | notify: 172 | - sysctl flush ipv4 route table 173 | 174 | - name: "SCORED | 3.3.2 | PATCH 
| Ensure ICMP redirects are not accepted | ipv6" 175 | sysctl: 176 | name: '{{ item.name }}' 177 | value: '{{ item.value }}' 178 | sysctl_set: true 179 | state: present 180 | reload: true 181 | ignoreerrors: true 182 | with_items: 183 | - { name: net.ipv6.conf.all.accept_redirects, value: 0 } 184 | - { name: net.ipv6.conf.default.accept_redirects, value: 0 } 185 | when: 186 | - ubuntu2004cis_ipv6_required 187 | notify: 188 | - sysctl flush ipv6 route table 189 | when: 190 | - ubuntu2004cis_rule_3_3_2 191 | tags: 192 | - level1 193 | - scored 194 | - patch 195 | - sysctl 196 | - rule_3.3.2 197 | 198 | - name: "SCORED | 3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted" 199 | sysctl: 200 | name: '{{ item.name }}' 201 | value: '{{ item.value }}' 202 | sysctl_set: true 203 | state: present 204 | reload: true 205 | ignoreerrors: true 206 | with_items: 207 | - { name: net.ipv4.conf.all.secure_redirects, value: 0 } 208 | - { name: net.ipv4.conf.default.secure_redirects, value: 0 } 209 | when: 210 | - ubuntu2004cis_rule_3_3_3 211 | notify: 212 | - sysctl flush ipv4 route table 213 | tags: 214 | - level1 215 | - scored 216 | - patch 217 | - sysctl 218 | - rule_3.3.3 219 | 220 | - name: "SCORED | 3.3.4 | PATCH | Ensure suspicious packets are logged" 221 | sysctl: 222 | name: '{{ item.name }}' 223 | value: '{{ item.value }}' 224 | sysctl_set: true 225 | state: present 226 | reload: true 227 | ignoreerrors: true 228 | with_items: 229 | - { name: net.ipv4.conf.all.log_martians, value: 1 } 230 | - { name: net.ipv4.conf.default.log_martians, value: 1 } 231 | when: 232 | - ubuntu2004cis_rule_3_3_4 233 | notify: 234 | - sysctl flush ipv4 route table 235 | tags: 236 | - level1 237 | - scored 238 | - patch 239 | - sysctl 240 | - rule_3.3.4 241 | 242 | - name: "SCORED | 3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored" 243 | sysctl: 244 | name: net.ipv4.icmp_echo_ignore_broadcasts 245 | value: "1" 246 | state: present 247 | reload: true 248 | ignoreerrors: true 
249 | when: 250 | - ubuntu2004cis_rule_3_3_5 251 | notify: 252 | - sysctl flush ipv4 route table 253 | tags: 254 | - level1 255 | - scored 256 | - patch 257 | - sysctl 258 | - rule_3.3.5 259 | 260 | - name: "SCORED | 3.3.6 | PATCH | Ensure bogus ICMP responses are ignored" 261 | sysctl: 262 | name: net.ipv4.icmp_ignore_bogus_error_responses 263 | value: "1" 264 | state: present 265 | reload: true 266 | ignoreerrors: true 267 | when: 268 | - ubuntu2004cis_rule_3_3_6 269 | notify: 270 | - sysctl flush ipv4 route table 271 | tags: 272 | - level1 273 | - scored 274 | - patch 275 | - sysctl 276 | - rule_3.3.6 277 | 278 | - name: "SCORED | 3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" 279 | sysctl: 280 | name: '{{ item.name }}' 281 | value: '{{ item.value }}' 282 | sysctl_set: true 283 | state: present 284 | reload: true 285 | ignoreerrors: true 286 | with_items: 287 | - { name: net.ipv4.conf.all.rp_filter, value: 1 } 288 | - { name: net.ipv4.conf.default.rp_filter, value: 1 } 289 | when: 290 | - ubuntu2004cis_rule_3_3_7 291 | notify: 292 | - sysctl flush ipv4 route table 293 | tags: 294 | - level1 295 | - scored 296 | - patch 297 | - sysctl 298 | - rule_3.3.7 299 | 300 | - name: "SCORED | 3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled" 301 | sysctl: 302 | name: net.ipv4.tcp_syncookies 303 | value: '1' 304 | state: present 305 | reload: true 306 | ignoreerrors: true 307 | when: 308 | - ubuntu2004cis_rule_3_3_8 309 | notify: 310 | - sysctl flush ipv4 route table 311 | tags: 312 | - level1 313 | - scored 314 | - patch 315 | - sysctl 316 | - rule_3.3.8 317 | 318 | - name: "SCORED | 3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" 319 | sysctl: 320 | name: '{{ item.name }}' 321 | value: '{{ item.value }}' 322 | state: present 323 | reload: true 324 | ignoreerrors: true 325 | with_items: 326 | - { name: net.ipv6.conf.all.accept_ra, value: 0 } 327 | - { name: net.ipv6.conf.default.accept_ra, value: 0 } 328 | when: 329 | - 
ubuntu2004cis_ipv6_required 330 | - ubuntu2004cis_rule_3_3_9 331 | notify: 332 | - sysctl flush ipv6 route table 333 | tags: 334 | - level1 335 | - scored 336 | - patch 337 | - sysctl 338 | - rule_3.3.9 339 | 340 | - name: "SCORED | 3.4.1 | PATCH | Ensure DCCP is disabled" 341 | lineinfile: 342 | dest: /etc/modprobe.d/CIS.conf 343 | regexp: "^(#)?install dccp(\\s|$)" 344 | line: "install dccp /bin/true" 345 | create: true 346 | when: 347 | - ubuntu2004cis_rule_3_4_1 348 | tags: 349 | - level2 350 | - scored 351 | - patch 352 | - rule_3.4.1 353 | 354 | - name: "SCORED | 3.4.2 | PATCH | Ensure SCTP is disabled" 355 | lineinfile: 356 | dest: /etc/modprobe.d/CIS.conf 357 | regexp: "^(#)?install sctp(\\s|$)" 358 | line: "install sctp /bin/true" 359 | create: true 360 | when: 361 | - ubuntu2004cis_rule_3_4_2 362 | tags: 363 | - level2 364 | - scored 365 | - patch 366 | - rule_3.4.2 367 | 368 | - name: "SCORED | 3.4.3 | PATCH | Ensure RDS is disabled" 369 | lineinfile: 370 | dest: /etc/modprobe.d/CIS.conf 371 | regexp: "^(#)?install rds(\\s|$)" 372 | line: "install rds /bin/true" 373 | create: true 374 | when: 375 | - ubuntu2004cis_rule_3_4_3 376 | tags: 377 | - level2 378 | - scored 379 | - patch 380 | - rule_3.4.3 381 | 382 | - name: "SCORED | 3.4.4 | PATCH | Ensure TIPC is disabled" 383 | lineinfile: 384 | dest: /etc/modprobe.d/CIS.conf 385 | regexp: "^(#)?install tipc(\\s|$)" 386 | line: "install tipc /bin/true" 387 | create: true 388 | when: 389 | - ubuntu2004cis_rule_3_4_4 390 | tags: 391 | - level2 392 | - scored 393 | - patch 394 | - rule_3.4.4 395 | 396 | - name: "SCORED | 3.5.1.1 | PATCH | Ensure Uncomplicated Firewall is installed" 397 | apt: 398 | name: ufw 399 | state: present 400 | install_recommends: false 401 | when: 402 | - ubuntu2004cis_firewall == "ufw" 403 | - ubuntu2004cis_rule_3_5_1_1 404 | - ubuntu2004cis_setup_firewall 405 | tags: 406 | - level1 407 | - scored 408 | - patch 409 | - rule_3.5.1.1 410 | 411 | - name: "SCORED | 3.5.1.2 | PATCH | Ensure 
iptables-persistent is not installed" 412 | apt: 413 | name: iptables-persistent 414 | state: absent 415 | when: 416 | - ubuntu2004cis_firewall == "ufw" 417 | - ubuntu2004cis_rule_3_5_1_2 418 | - ubuntu2004cis_setup_firewall 419 | tags: 420 | - level1 421 | - scored 422 | - patch 423 | - rule_3.5.1.2 424 | 425 | - name: "SCORED | 3.5.1.3 | PATCH | Ensure ufw service is enabled" 426 | service: 427 | name: ufw 428 | state: started 429 | enabled: true 430 | when: 431 | - ubuntu2004cis_rule_3_5_1_3 432 | - ubuntu2004cis_firewall == "ufw" 433 | - ubuntu2004cis_setup_firewall 434 | tags: 435 | - level1 436 | - scored 437 | - patch 438 | - rule_3.5.1.3 439 | 440 | - name: "SCORED | 3.5.1.4 | PATCH | Ensure loopback traffic is configured" 441 | block: 442 | - name: "SCORED | 3.5.1.4 | PATCH | Ensure loopback traffic is configured| ingress lo allow any" 443 | ufw: 444 | rule: allow 445 | direction: in 446 | interface: lo 447 | 448 | - name: "SCORED | 3.5.1.4 | PATCH | Ensure loopback traffic is configured | ingress deny from lo network ipv4" 449 | ufw: 450 | rule: deny 451 | direction: in 452 | from: "127.0.0.0/8" 453 | 454 | - name: "SCORED | 3.5.1.4 | PATCH | Ensure loopback traffic is configured | ingress deny from lo network ipv6" 455 | ufw: 456 | rule: deny 457 | direction: in 458 | from: "::1" 459 | when: ubuntu2004cis_ipv6_required 460 | when: 461 | - ubuntu2004cis_rule_3_5_1_4 462 | - ubuntu2004cis_firewall == "ufw" 463 | - ubuntu2004cis_setup_firewall 464 | tags: 465 | - level1 466 | - scored 467 | - patch 468 | - rule_3.5.1.4 469 | 470 | - name: "NOTSCORED | 3.5.1.5 | PATCH | Ensure outbound connections are configured" 471 | ufw: 472 | rule: allow 473 | direction: out 474 | interface: all 475 | when: 476 | - ubuntu2004cis_rule_3_5_1_5 477 | - ubuntu2004cis_firewall == "ufw" 478 | - ubuntu2004cis_setup_firewall 479 | tags: 480 | - level1 481 | - notscored 482 | - patch 483 | - rule_3.5.1.5 484 | 485 | - name: "NOTSCORED | 3.5.1.6 | PATCH | Ensure firewall rules 
exist for all open ports" 486 | block: 487 | - name: "NOTSCORED | 3.5.1.6 | PATCH | Ensure firewall rules exist for all open ports| ssh" 488 | ufw: 489 | rule: allow 490 | proto: tcp 491 | port: '22' 492 | 493 | - name: "NOTSCORED | 3.5.1.6 | PATCH | Ensure firewall rules exist for all open ports| dns" 494 | ufw: 495 | rule: allow 496 | proto: "{{ item }}" 497 | port: '53' 498 | loop: 499 | - tcp 500 | - udp 501 | when: 502 | - ubuntu2004cis_rule_3_5_1_6 503 | - ubuntu2004cis_firewall == "ufw" 504 | - ubuntu2004cis_setup_firewall 505 | tags: 506 | - level1 507 | - notscored 508 | - patch 509 | - rule_3.5.1.6 510 | 511 | - name: "SCORED | 3.5.1.7 | PATCH | Ensure default deny firewall policy" 512 | ufw: 513 | rule: "{{ item.rule }}" 514 | direction: "{{ item.direction }}" 515 | with_items: 516 | - { rule: deny, direction: incoming } 517 | - { rule: deny, direction: outgoing } 518 | - { rule: deny, direction: routed } 519 | when: 520 | - ubuntu2004cis_rule_3_5_1_7 521 | - ubuntu2004cis_firewall == "ufw" 522 | - ubuntu2004cis_setup_firewall 523 | tags: 524 | - level1 525 | - scored 526 | - patch 527 | - rule_3.5.1.7 528 | 529 | - name: "SCORED | 3.5.2.1 | PATCH | Ensure nftables is installed" 530 | apt: 531 | name: nftables 532 | state: present 533 | install_recommends: false 534 | when: 535 | - ubuntu2004cis_firewall == "nftables" 536 | - ubuntu2004cis_rule_3_5_2_1 537 | - ubuntu2004cis_setup_firewall 538 | tags: 539 | - level1 540 | - scored 541 | - patch 542 | - rule_3.5.2.1 543 | 544 | - name: "SCORED | 3.5.2.2 | PATCH | Ensure Uncomplicated Firewall is not installed or disabled" 545 | apt: 546 | name: ufw 547 | state: absent 548 | when: 549 | - ubuntu2004cis_firewall == "nftables" 550 | - ubuntu2004cis_rule_3_5_2_2 551 | - ubuntu2004cis_setup_firewall 552 | tags: 553 | - level1 554 | - scored 555 | - patch 556 | - rule_3.5.2.2 557 | 558 | - name: "NOTSCORED | 3.5.2.3 | PATCH | Ensure iptables are flushed | ipv4, ipv6" 559 | block: 560 | - name: "NOTSCORED | 
3.5.2.3 | PATCH | Ensure iptables are flushed | ipv4" 561 | iptables: 562 | flush: yes 563 | 564 | - name: "NOTSCORED | 3.5.2.3 | PATCH | Ensure iptables are flushed | ipv6" 565 | iptables: 566 | flush: yes 567 | ip_version: ipv6 568 | when: ubuntu2004cis_ipv6_required 569 | when: 570 | - ubuntu2004cis_rule_3_5_2_3 571 | - ubuntu2004cis_firewall == "nftables" 572 | - ubuntu2004cis_setup_firewall 573 | tags: 574 | - level1 575 | - notscored 576 | - patch 577 | - rule_3.5.2.3 578 | 579 | - name: "SCORED | 3.5.2.4 | PATCH | Ensure a table exists" 580 | shell: | 581 | nft create table inet {{ ubuntu2004cis_nftables_table }} 582 | args: 583 | executable: /bin/bash 584 | changed_when: false 585 | check_mode: false 586 | # default table name exist when install nftables by apt 587 | # nft create table will raise an error 588 | ignore_errors: true 589 | when: 590 | - ubuntu2004cis_rule_3_5_2_4 591 | - ubuntu2004cis_firewall == "nftables" 592 | - ubuntu2004cis_setup_firewall 593 | tags: 594 | - level1 595 | - scored 596 | - patch 597 | - rule_3.5.2.4 598 | 599 | - name: "SCORED | 3.5.2.5 | PATCH | Ensure base chains exist" 600 | shell: | 601 | nft chain inet {{ ubuntu2004cis_nftables_table }} {{ item }} { type filter hook {{ item }} priority 0\; } 602 | args: 603 | executable: /bin/bash 604 | loop: 605 | - input 606 | - forward 607 | - output 608 | changed_when: false 609 | check_mode: false 610 | when: 611 | - ubuntu2004cis_rule_3_5_2_5 612 | - ubuntu2004cis_firewall == "nftables" 613 | - ubuntu2004cis_setup_firewall 614 | tags: 615 | - level1 616 | - scored 617 | - patch 618 | - rule_3.5.2.5 619 | 620 | - name: "SCORED | 3.5.2.6 | PATCH | Ensure loopback traffic is configured" 621 | block: 622 | - name: "SCORED | 3.5.2.6 | PATCH | Ensure loopback traffic is configured | ingress lo allow nay" 623 | shell: | 624 | nft add rule inet {{ ubuntu2004cis_nftables_table }} input iif lo accept 625 | args: 626 | executable: /bin/bash 627 | changed_when: false 628 | check_mode: false 
629 | 630 | - name: "SCORED | 3.5.2.6 | PATCH | Ensure loopback traffic is configured | ingress deny from lo network ipv4" 631 | shell: | 632 | nft add rule inet {{ ubuntu2004cis_nftables_table }} input ip saddr 127.0.0.0/8 counter drop 633 | args: 634 | executable: /bin/bash 635 | changed_when: false 636 | check_mode: false 637 | 638 | - name: "SCORED | 3.5.2.6 | PATCH | Ensure loopback traffic is configured | ingress deny from lo network ipv6" 639 | shell: | 640 | nft add rule inet {{ ubuntu2004cis_nftables_table }} input ip6 saddr ::1 counter drop 641 | args: 642 | executable: /bin/bash 643 | changed_when: false 644 | check_mode: false 645 | when: ubuntu2004cis_ipv6_required 646 | when: 647 | - ubuntu2004cis_rule_3_5_2_6 648 | - ubuntu2004cis_firewall == "nftables" 649 | - ubuntu2004cis_setup_firewall 650 | tags: 651 | - level1 652 | - scored 653 | - patch 654 | - rule_3.5.2.6 655 | 656 | - name: "NOTSCORED | 3.5.2.7 | PATCH | Ensure outbound and established connections are configured" 657 | shell: | 658 | nft add rule inet {{ ubuntu2004cis_nftables_table }} input ip protocol {{ item }} ct state established accept 659 | nft add rule inet {{ ubuntu2004cis_nftables_table }} output ip protocol {{ item }} ct state new,related,established accept 660 | args: 661 | executable: /bin/bash 662 | loop: 663 | - tcp 664 | - udp 665 | - icmp 666 | changed_when: false 667 | check_mode: false 668 | when: 669 | - ubuntu2004cis_rule_3_5_2_7 670 | - ubuntu2004cis_firewall == "nftables" 671 | - ubuntu2004cis_setup_firewall 672 | tags: 673 | - level1 674 | - notscored 675 | - patch 676 | - rule_3.5.2.7 677 | 678 | - name: "SCORED | 3.5.2.8 | PATCH | Ensure default deny policy" 679 | shell: | 680 | nft chain inet {{ ubuntu2004cis_nftables_table }} {{ item }} { policy drop \; } 681 | args: 682 | executable: /bin/bash 683 | loop: 684 | - input 685 | - forward 686 | - output 687 | changed_when: false 688 | check_mode: false 689 | when: 690 | - ubuntu2004cis_rule_3_5_2_8 691 | - 
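ubuntu2004cis_firewall == "nftables"
    - ubuntu2004cis_setup_firewall
  tags:
    - level1
    - scored
    - patch
    - rule_3.5.2.8

- name: "SCORED | 3.5.2.9 | PATCH | Ensure nftables service is enabled"
  service:
    name: nftables
    state: started
    enabled: true
  when:
    - ubuntu2004cis_rule_3_5_2_9
    - ubuntu2004cis_firewall == "nftables"
    - ubuntu2004cis_setup_firewall
  tags:
    - level1
    - scored
    - patch
    - rule_3.5.2.9

- name: "SCORED | 3.5.2.10 | PATCH | Ensure nftables rules are permanent"
  # nftables.service loads this file with `nft -f`. Without the interpreter
  # line and `flush ruleset` (both present in the Ubuntu-packaged default
  # /etc/nftables.conf), every service restart re-adds the listed rules on top
  # of the live table instead of replacing it.
  shell: |
    {
      echo '#!/usr/sbin/nft -f'
      echo 'flush ruleset'
      nft list table inet {{ ubuntu2004cis_nftables_table }}
    } > /etc/nftables.conf
  args:
    executable: /bin/bash
  when:
    - ubuntu2004cis_rule_3_5_2_10
    - ubuntu2004cis_firewall == "nftables"
    - ubuntu2004cis_setup_firewall
  tags:
    - level1
    - scored
    - patch
    - rule_3.5.2.10

- name: "SCORED | 3.5.3.1.1 | PATCH | Ensure a Firewall package is installed | iptables"
  apt:
    name: iptables
    state: present
    install_recommends: false
  # Gated on ubuntu2004cis_setup_firewall like every other firewall task in
  # this file; a per-rule switch is not added here because none is visible in
  # the role's defaults.
  when:
    - ubuntu2004cis_firewall == "iptables"
    - ubuntu2004cis_setup_firewall
  tags:
    - level1
    - scored
    - patch
    - rule_3.5.3.1.1

- name: "SCORED | 3.5.3.1.2 | PATCH | Ensure nftables is not installed or disabled
         SCORED | 3.5.3.1.3 | PATCH | Ensure Uncomplicated Firewall is not installed or disabled"
  apt:
    name:
      - nftables
      - ufw
    state: absent
  when:
    - ubuntu2004cis_firewall == "iptables"
    - ubuntu2004cis_rule_3_5_3_1_2
    - ubuntu2004cis_rule_3_5_3_1_3
    - ubuntu2004cis_setup_firewall
  tags:
    - level1
    - scored
    - patch
    - rule_3.5.3.1.2
    - rule_3.5.3.1.3

- name: "SCORED | 3.5.3.2.1 | PATCH | Ensure default deny firewall policy"
  # NOTE(review): the DROP policy is applied before the loopback and
  # ESTABLISHED accept rules of the following tasks exist, so packets of
  # in-flight connections (including a remote Ansible SSH session) are dropped
  # until those rules land. Confirm the role is only run over a channel that
  # survives this, or reorder so the accept rules precede the policy change.
  iptables:
    chain: "{{ item }}"
    policy: DROP
  loop:
    - INPUT
    - OUTPUT
    - FORWARD
  when:
    - 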
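ubuntu2004cis_rule_3_5_3_1_2  # NOTE(review): this is the 3.5.3.2.1 task but it is gated on the 3.5.3.1.2 switch and tagged rule_3.5.3.1.2 - confirm against defaults/main.yml which variable is intended
    - ubuntu2004cis_firewall == "iptables"
    - ubuntu2004cis_setup_firewall
  tags:
    - level1
    - scored
    - patch
    - rule_3.5.3.1.2

- name: "SCORED | 3.5.3.2.2 | PATCH | Ensure loopback traffic is configured"
  block:
    - name: "SCORED | 3.5.3.2.2 | PATCH | Ensure loopback traffic is configured | ingress lo allow any"
      iptables:
        chain: INPUT
        jump: ACCEPT
        in_interface: lo

    # The egress rule belongs in OUTPUT and must match the outgoing interface.
    # The previous version repeated the INPUT/in_interface rule, so outbound
    # loopback traffic was left to the OUTPUT DROP policy set in 3.5.3.2.1.
    - name: "SCORED | 3.5.3.2.2 | PATCH | Ensure loopback traffic is configured | egress lo allow any"
      iptables:
        chain: OUTPUT
        jump: ACCEPT
        out_interface: lo

    - name: "SCORED | 3.5.3.2.2 | PATCH | Ensure loopback traffic is configured | ingress deny from lo network"
      iptables:
        chain: INPUT
        jump: DROP
        source: 127.0.0.0/8
  when:
    - ubuntu2004cis_rule_3_5_3_2_2
    - ubuntu2004cis_firewall == "iptables"
    - ubuntu2004cis_setup_firewall
  tags:
    - level1
    - scored
    - patch
    - rule_3.5.3.2.2

- name: "NOTSCORED | 3.5.3.2.3 | PATCH | Ensure outbound and established connections are configured"
  block:
    # INPUT accepts only replies to connections this host opened. Accepting
    # NEW here (as the previous version did) admits every new inbound
    # connection on every port, which makes the default-deny policy and the
    # per-port rules in 3.5.3.2.4 meaningless. The nftables variant (3.5.2.7)
    # already uses "ct state established" on input.
    - name: "NOTSCORED | 3.5.3.2.3 | PATCH | Ensure outbound and established connections are configured | input "
      iptables:
        chain: INPUT
        jump: ACCEPT
        ctstate: ESTABLISHED
        protocol: "{{ item }}"
      loop:
        - tcp
        - udp
        - icmp

    - name: "NOTSCORED | 3.5.3.2.3 | PATCH | Ensure outbound and established connections are configured | output"
      iptables:
        chain: OUTPUT
        jump: ACCEPT
        ctstate: NEW,ESTABLISHED
        protocol: "{{ item }}"
      loop:
        - tcp
        - udp
        - icmp
  when:
    - ubuntu2004cis_rule_3_5_3_2_3
    - ubuntu2004cis_firewall == "iptables"
    - ubuntu2004cis_setup_firewall
  tags:
    - level1
    - notscored
    - patch
    - rule_3.5.3.2.3

- name: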
"SCORED | 3.5.3.2.4 | PATCH | Ensure firewall rules exist for all open ports" 840 | block: 841 | - name: "SCORED | 3.5.3.2.4 | PATCH | Ensure firewall rules exist for all open ports| ssh" 842 | iptables: 843 | chain: INPUT 844 | jump: ACCEPT 845 | ctstate: NEW 846 | protocol: tcp 847 | destination_port: 22 848 | 849 | - name: "SCORED | 3.5.3.2.4 | PATCH | Ensure firewall rules exist for all open ports| dns" 850 | iptables: 851 | chain: INPUT 852 | jump: ACCEPT 853 | ctstate: NEW 854 | protocol: "{{ item }}" 855 | destination_port: 53 856 | loop: 857 | - tcp 858 | - udp 859 | when: 860 | - ubuntu2004cis_rule_3_5_3_2_4 861 | - ubuntu2004cis_firewall == "iptables" 862 | - ubuntu2004cis_setup_firewall 863 | tags: 864 | - level1 865 | - scored 866 | - patch 867 | - rule_3.5.3.2.4 868 | 869 | - name: "SCORED | 3.5.3.3.1 | PATCH | Ensure IPv6 default deny firewall policy" 870 | iptables: 871 | chain: "{{ item }}" 872 | policy: DROP 873 | ip_version: ipv6 874 | loop: 875 | - INPUT 876 | - OUTPUT 877 | - FORWARD 878 | when: 879 | - ubuntu2004cis_rule_3_5_3_3_1 880 | - ubuntu2004cis_firewall == "iptables" 881 | - ubuntu2004cis_setup_firewall 882 | - ubuntu2004cis_ipv6_required 883 | tags: 884 | - level1 885 | - scored 886 | - patch 887 | - rule_3.5.3.3.1 888 | 889 | - name: "SCORED | 3.5.3.3.2 | PATCH | Ensure IPv6 loopback traffic is configured" 890 | block: 891 | - name: "SCORED | 3.5.3.3.2 | PATCH | Ensure IPv6 loopback traffic is configured| ingress lo allow any" 892 | iptables: 893 | chain: INPUT 894 | jump: ACCEPT 895 | in_interface: lo 896 | ip_version: ipv6 897 | 898 | - name: "SCORED | 3.5.3.3.2 | PATCH | Ensure IPv6 loopback traffic is configured| egress lo allow any" 899 | iptables: 900 | chain: INPUT 901 | jump: ACCEPT 902 | in_interface: lo 903 | ip_version: ipv6 904 | 905 | - name: "SCORED | 3.5.3.3.2 | PATCH | Ensure IPv6 loopback traffic is configured| ingress deny from lo network" 906 | iptables: 907 | chain: INPUT 908 | jump: DROP 909 | source: "::1" 910 | 
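ip_version: ipv6
  when:
    - ubuntu2004cis_rule_3_5_3_3_2
    - ubuntu2004cis_firewall == "iptables"
    - ubuntu2004cis_setup_firewall
    - ubuntu2004cis_ipv6_required
  tags:
    - level1
    - scored
    - patch
    - rule_3.5.3.3.2

- name: "NOTSCORED | 3.5.3.3.3 | PATCH | Ensure IPv6 outbound and established connections are configured"
  block:
    # INPUT accepts only replies to connections this host opened. Accepting
    # NEW here (as the previous version did) admits every new inbound IPv6
    # connection on every port and defeats the default-deny policy of
    # 3.5.3.3.1 and the per-port rules of 3.5.3.3.4.
    # NOTE(review): "-p icmp" under ip6tables selects protocol number 1, not
    # ipv6-icmp (58); confirm ICMPv6 is actually covered by these rules.
    - name: "NOTSCORED | 3.5.3.3.3 | PATCH | Ensure IPv6 outbound and established connections are configured | input "
      iptables:
        chain: INPUT
        jump: ACCEPT
        ctstate: ESTABLISHED
        protocol: "{{ item }}"
        ip_version: ipv6
      loop:
        - tcp
        - udp
        - icmp

    - name: "NOTSCORED | 3.5.3.3.3 | PATCH | Ensure IPv6 outbound and established connections are configured | output"
      iptables:
        chain: OUTPUT
        jump: ACCEPT
        ctstate: NEW,ESTABLISHED
        protocol: "{{ item }}"
        ip_version: ipv6
      loop:
        - tcp
        - udp
        - icmp
  when:
    - ubuntu2004cis_rule_3_5_3_3_3
    - ubuntu2004cis_firewall == "iptables"
    - ubuntu2004cis_setup_firewall
    - ubuntu2004cis_ipv6_required
  tags:
    - level1
    - notscored
    - patch
    - rule_3.5.3.3.3

- name: "NOTSCORED | 3.5.3.3.4 | PATCH | Ensure IPv6 firewall rules exist for all open ports"
  block:
    - name: "NOTSCORED | 3.5.3.3.4 | PATCH | Ensure IPv6 firewall rules exist for all open ports| ssh"
      iptables:
        chain: INPUT
        jump: ACCEPT
        ctstate: NEW
        protocol: tcp
        destination_port: 22
        ip_version: ipv6

    - name: "NOTSCORED | 3.5.3.3.4 | PATCH | Ensure IPv6 firewall rules exist for all open ports| dns"
      iptables:
        chain: INPUT
        jump: ACCEPT
        ctstate: NEW
        protocol: "{{ item }}"
        destination_port: 53
        ip_version: ipv6
      loop:
        - tcp
        - udp
  when:
    - ubuntu2004cis_rule_3_5_3_3_4
    - 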
ubuntu2004cis_firewall == "iptables" 983 | - ubuntu2004cis_setup_firewall 984 | - ubuntu2004cis_ipv6_required 985 | tags: 986 | - level1 987 | - notscored 988 | - patch 989 | - rule_3.5.3.3.4 990 | -------------------------------------------------------------------------------- /tasks/section4.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: "SCORED | 4.1.1.1 | PATCH | Ensure auditd is installed" 3 | apt: 4 | name: audispd-plugins 5 | state: present 6 | install_recommends: false 7 | when: 8 | - not ubuntu2004cis_skip_for_travis 9 | - ubuntu2004cis_rule_4_1_1_1 10 | tags: 11 | - level2 12 | - scored 13 | - patch 14 | - auditd 15 | - rule_4.1.1.1 16 | 17 | - name: "SCORED | 4.1.1.2 | PATCH | Ensure auditd service is enabled" 18 | service: 19 | name: auditd 20 | state: started 21 | enabled: true 22 | when: 23 | - not ubuntu2004cis_skip_for_travis 24 | - ubuntu2004cis_rule_4_1_1_2 25 | tags: 26 | - level2 27 | - scored 28 | - patch 29 | - auditd 30 | - rule_4.1.1.2 31 | 32 | - name: "SCORED | 4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" 33 | replace: 34 | dest: /etc/default/grub 35 | regexp: '^(GRUB_CMDLINE_LINUX=(?!.*audit)\"[^\"]*)(\".*)' 36 | replace: '\1 audit=1\2' 37 | notify: 38 | - generate new grub config 39 | when: 40 | - ubuntu2004cis_rule_4_1_1_3 41 | tags: 42 | - level2 43 | - scored 44 | - patch 45 | - auditd 46 | - rule_4.1.1.3 47 | 48 | - name: "SCORED | 4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient" 49 | replace: 50 | dest: /etc/default/grub 51 | regexp: '^(GRUB_CMDLINE_LINUX=(?!.*audit_backlog_limit)\"[^\"]*)(\".*)' 52 | replace: '\1 audit_backlog_limit={{ ubuntu2004cis_auditd.backlog_limit }}\2' 53 | ignore_errors: true 54 | notify: 55 | - generate new grub config 56 | when: 57 | - ubuntu2004cis_rule_4_1_1_4 58 | tags: 59 | - level2 60 | - scored 61 | - patch 62 | - auditd 63 | - rule_4.1.1.4 64 | 65 | - name: "SCORED | 4.1.2.1 | PATCH | 
Ensure audit log storage size is configured" 66 | lineinfile: 67 | dest: /etc/audit/auditd.conf 68 | regexp: "^max_log_file( |=)" 69 | line: "max_log_file = {{ ubuntu2004cis_auditd.max_audit_log_file_size }}" 70 | state: present 71 | create: yes 72 | when: 73 | - ubuntu2004cis_rule_4_1_2_1 74 | notify: 75 | - restart auditd 76 | tags: 77 | - level2 78 | - scored 79 | - patch 80 | - auditd 81 | - rule_4.1.2.1 82 | 83 | - name: "SCORED | 4.1.2.2 | PATCH | Ensure audit logs are not automatically deleted" 84 | lineinfile: 85 | dest: /etc/audit/auditd.conf 86 | regexp: "^max_log_file_action" 87 | line: "max_log_file_action = {{ ubuntu2004cis_auditd['max_log_file_action'] }}" 88 | state: present 89 | create: yes 90 | when: 91 | - ubuntu2004cis_rule_4_1_2_2 92 | notify: 93 | - restart auditd 94 | tags: 95 | - level2 96 | - scored 97 | - patch 98 | - auditd 99 | - rule_4.1.2.2 100 | 101 | - name: "SCORED | 4.1.2.3 | PATCH | Ensure system is disabled when audit logs are full" 102 | block: 103 | - name: "SCORED | 4.1.2.3 | PATCH | Ensure system is disabled when audit logs are full | admin_space_left_action" 104 | lineinfile: 105 | dest: /etc/audit/auditd.conf 106 | regexp: "^admin_space_left_action" 107 | line: "admin_space_left_action = {{ ubuntu2004cis_auditd['admin_space_left_action'] }}" 108 | state: present 109 | create: yes 110 | notify: 111 | - restart auditd 112 | 113 | - name: "SCORED | 4.1.2.3 | PATCH | Ensure system is disabled when audit logs are full | space_left_action" 114 | lineinfile: 115 | dest: /etc/audit/auditd.conf 116 | regexp: "^space_left_action" 117 | line: "space_left_action = email" 118 | state: present 119 | create: yes 120 | notify: 121 | - restart auditd 122 | 123 | - name: "SCORED | 4.1.2.3 | PATCH | Ensure system is disabled when audit logs are full | action_mail_acct" 124 | lineinfile: 125 | dest: /etc/audit/auditd.conf 126 | regexp: "^action_mail_acct" 127 | line: "action_mail_acct = root" 128 | state: present 129 | create: yes 130 | notify: 
131 | - restart auditd 132 | when: 133 | - ubuntu2004cis_rule_4_1_2_3 134 | tags: 135 | - level2 136 | - scored 137 | - patch 138 | - auditd 139 | - rule_4.1.2.3 140 | 141 | - name: "SCORED | 4.1.3 | PATCH | Ensure events that modify date and time information are collected" 142 | template: 143 | src: audit/ubuntu2004cis_rule_4_1_3.rules.j2 144 | dest: /etc/audit/rules.d/ubuntu2004cis_rule_4_1_3.rules 145 | owner: root 146 | group: root 147 | mode: 0600 148 | when: 149 | - ubuntu2004cis_rule_4_1_3 150 | notify: 151 | - load audit rules 152 | - restart auditd 153 | tags: 154 | - level2 155 | - scored 156 | - patch 157 | - auditd 158 | - rule_4.1.3 159 | 160 | - name: "SCORED | 4.1.4 | PATCH | Ensure events that modify user/group information are collected" 161 | template: 162 | src: audit/ubuntu2004cis_rule_4_1_4.rules.j2 163 | dest: /etc/audit/rules.d/ubuntu2004cis_rule_4_1_4.rules 164 | owner: root 165 | group: root 166 | mode: 0600 167 | when: 168 | - ubuntu2004cis_rule_4_1_4 169 | notify: 170 | - load audit rules 171 | - restart auditd 172 | tags: 173 | - level2 174 | - scored 175 | - patch 176 | - auditd 177 | - rule_4.1.4 178 | 179 | - name: "SCORED | 4.1.5 | PATCH | Ensure events that modify the system's network environment are collected" 180 | template: 181 | src: audit/ubuntu2004cis_rule_4_1_5.rules.j2 182 | dest: /etc/audit/rules.d/ubuntu2004cis_rule_4_1_5.rules 183 | owner: root 184 | group: root 185 | mode: 0600 186 | when: 187 | - ubuntu2004cis_rule_4_1_5 188 | notify: 189 | - load audit rules 190 | - restart auditd 191 | tags: 192 | - level2 193 | - scored 194 | - patch 195 | - auditd 196 | - rule_4.1.5 197 | 198 | - name: "SCORED | 4.1.6 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" 199 | template: 200 | src: audit/ubuntu2004cis_rule_4_1_6.rules.j2 201 | dest: /etc/audit/rules.d/ubuntu2004cis_rule_4_1_6.rules 202 | owner: root 203 | group: root 204 | mode: 0600 205 | when: 206 | - ubuntu2004cis_rule_4_1_6 207 
| notify: 208 | - load audit rules 209 | - restart auditd 210 | tags: 211 | - level2 212 | - scored 213 | - patch 214 | - auditd 215 | - rule_4.1.6 216 | 217 | - name: "SCORED | 4.1.7 | PATCH | Ensure login and logout events are collected" 218 | template: 219 | src: audit/ubuntu2004cis_rule_4_1_7.rules.j2 220 | dest: /etc/audit/rules.d/ubuntu2004cis_rule_4_1_7.rules 221 | owner: root 222 | group: root 223 | mode: 0600 224 | when: 225 | - ubuntu2004cis_rule_4_1_7 226 | notify: 227 | - load audit rules 228 | - restart auditd 229 | tags: 230 | - level2 231 | - scored 232 | - patch 233 | - auditd 234 | - rule_4.1.7 235 | 236 | - name: "SCORED | 4.1.8 | PATCH | Ensure session initiation information is collected" 237 | template: 238 | src: audit/ubuntu2004cis_rule_4_1_8.rules.j2 239 | dest: /etc/audit/rules.d/ubuntu2004cis_rule_4_1_8.rules 240 | owner: root 241 | group: root 242 | mode: 0600 243 | when: 244 | - ubuntu2004cis_rule_4_1_8 245 | notify: 246 | - load audit rules 247 | - restart auditd 248 | tags: 249 | - level2 250 | - scored 251 | - patch 252 | - auditd 253 | - rule_4.1.8 254 | 255 | - name: "SCORED | 4.1.9 | PATCH | Ensure discretionary access control permission modification events are collected" 256 | template: 257 | src: audit/ubuntu2004cis_rule_4_1_9.rules.j2 258 | dest: /etc/audit/rules.d/ubuntu2004cis_rule_4_1_9.rules 259 | owner: root 260 | group: root 261 | mode: 0600 262 | when: 263 | - ubuntu2004cis_rule_4_1_9 264 | notify: 265 | - load audit rules 266 | - restart auditd 267 | tags: 268 | - level2 269 | - scored 270 | - patch 271 | - auditd 272 | - rule_4.1.9 273 | 274 | - name: "SCORED | 4.1.10 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected" 275 | template: 276 | src: audit/ubuntu2004cis_rule_4_1_10.rules.j2 277 | dest: /etc/audit/rules.d/ubuntu2004cis_rule_4_1_10.rules 278 | owner: root 279 | group: root 280 | mode: 0600 281 | when: 282 | - ubuntu2004cis_rule_4_1_10 283 | notify: 284 | - load audit rules 285 | - 
restart auditd 286 | tags: 287 | - level2 288 | - scored 289 | - patch 290 | - auditd 291 | - rule_4.1.10 292 | 293 | - name: "SCORED | 4.1.11 | PATCH | Ensure use of privileged commands is collected" 294 | block: 295 | 296 | - name: "SCORED | 4.1.11 | PATCH | Get list of setuid/setguid binaries" 297 | shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done 298 | register: priv_procs 299 | changed_when: false 300 | check_mode: false 301 | 302 | - name: "SCORED | 4.1.11 | PATCH | Ensure use of privileged commands is collected" 303 | template: 304 | src: audit/ubuntu2004cis_rule_4_1_11.rules.j2 305 | dest: /etc/audit/rules.d/ubuntu2004cis_rule_4_1_11.rules 306 | owner: root 307 | group: root 308 | mode: 0600 309 | notify: 310 | - load audit rules 311 | - restart auditd 312 | when: 313 | - ubuntu2004cis_rule_4_1_11 314 | tags: 315 | - level2 316 | - scored 317 | - patch 318 | - auditd 319 | - rule_4.1.11 320 | 321 | - name: "SCORED | 4.1.12 | PATCH | Ensure successful file system mounts are collected" 322 | template: 323 | src: audit/ubuntu2004cis_rule_4_1_12.rules.j2 324 | dest: /etc/audit/rules.d/ubuntu2004cis_rule_4_1_12.rules 325 | owner: root 326 | group: root 327 | mode: 0600 328 | when: 329 | - ubuntu2004cis_rule_4_1_12 330 | notify: 331 | - load audit rules 332 | - restart auditd 333 | tags: 334 | - level2 335 | - scored 336 | - patch 337 | - auditd 338 | - rule_4.1.12 339 | 340 | - name: "SCORED | 4.1.13 | PATCH | Ensure file deletion events by users are collected" 341 | template: 342 | src: audit/ubuntu2004cis_rule_4_1_13.rules.j2 343 | dest: /etc/audit/rules.d/ubuntu2004cis_rule_4_1_13.rules 344 | owner: root 345 | group: root 346 | mode: 0600 347 | when: 348 | - ubuntu2004cis_rule_4_1_13 349 | notify: 350 | - load audit rules 351 | - restart auditd 352 | tags: 353 | - level2 354 | - scored 355 | - patch 356 | - auditd 357 | - rule_4.1.13 358 | 359 | - name: "SCORED | 4.1.14 | 
PATCH | Ensure changes to system administration scope (sudoers) is collected" 360 | template: 361 | src: audit/ubuntu2004cis_rule_4_1_14.rules.j2 362 | dest: /etc/audit/rules.d/ubuntu2004cis_rule_4_1_14.rules 363 | owner: root 364 | group: root 365 | mode: 0600 366 | when: 367 | - ubuntu2004cis_rule_4_1_14 368 | notify: 369 | - load audit rules 370 | - restart auditd 371 | tags: 372 | - level2 373 | - scored 374 | - patch 375 | - auditd 376 | - rule_4.1.14 377 | 378 | - name: "SCORED | 4.1.15 | PATCH | Ensure system administrator actions (sudolog) are collected" 379 | template: 380 | src: audit/ubuntu2004cis_rule_4_1_15.rules.j2 381 | dest: /etc/audit/rules.d/ubuntu2004cis_rule_4_1_15.rules 382 | owner: root 383 | group: root 384 | mode: 0600 385 | when: 386 | - ubuntu2004cis_rule_4_1_15 387 | notify: 388 | - load audit rules 389 | - restart auditd 390 | tags: 391 | - level2 392 | - scored 393 | - patch 394 | - auditd 395 | - rule_4.1.15 396 | 397 | - name: "SCORED | 4.1.16 | PATCH | Ensure kernel module loading and unloading is collected" 398 | template: 399 | src: audit/ubuntu2004cis_rule_4_1_16.rules.j2 400 | dest: /etc/audit/rules.d/ubuntu2004cis_rule_4_1_16.rules 401 | owner: root 402 | group: root 403 | mode: 0600 404 | when: 405 | - ubuntu2004cis_rule_4_1_16 406 | notify: 407 | - load audit rules 408 | - restart auditd 409 | tags: 410 | - level2 411 | - scored 412 | - patch 413 | - auditd 414 | - rule_4.1.16 415 | 416 | - name: "SCORED | 4.1.17 | PATCH | Ensure the audit configuration is immutable" 417 | template: 418 | src: audit/ubuntu2004cis_rule_4_1_17.rules.j2 419 | dest: /etc/audit/rules.d/ubuntu2004cis_rule_4_1_17.rules 420 | owner: root 421 | group: root 422 | mode: 0600 423 | when: 424 | - ubuntu2004cis_rule_4_1_17 425 | notify: 426 | - load audit rules 427 | - restart auditd 428 | tags: 429 | - level2 430 | - scored 431 | - patch 432 | - auditd 433 | - rule_4.1.17 434 | 435 | - name: "SCORED | 4.2.1.1 | PATCH | Ensure rsyslog or is installed" 436 | 
apt: 437 | name: rsyslog 438 | state: present 439 | install_recommends: false 440 | when: 441 | - ubuntu2004cis_rule_4_2_1_1 442 | - ubuntu2004cis_syslog == "rsyslog" 443 | tags: 444 | - level1 445 | - scored 446 | - patch 447 | - syslog 448 | - rule_4.2.1.1 449 | 450 | - name: "SCORED | 4.2.1.2 | PATCH | Ensure rsyslog Service is enabled" 451 | service: 452 | name: rsyslog 453 | enabled: yes 454 | changed_when: false 455 | when: 456 | - ubuntu2004cis_rule_4_2_1_2 457 | - ubuntu2004cis_syslog == "rsyslog" 458 | tags: 459 | - level1 460 | - scored 461 | - patch 462 | - syslog 463 | - rule_4.2.1.2 464 | 465 | - name: "NOTSCORED | 4.2.1.3 | PATCH | Ensure logging is configured" 466 | command: /bin/true 467 | changed_when: false 468 | when: 469 | - ubuntu2004cis_rule_4_2_1_3 470 | tags: 471 | - level1 472 | - notscored 473 | - patch 474 | - syslog 475 | - rule_4.2.1.3 476 | - notimplemented 477 | 478 | - name: "SCORED | 4.2.1.4 | PATCH | Ensure rsyslog default file permissions configured" 479 | lineinfile: 480 | dest: /etc/rsyslog.conf 481 | regexp: '^\$FileCreateMode' 482 | line: '$FileCreateMode 0640' 483 | when: 484 | - ubuntu2004cis_rule_4_2_1_4 485 | tags: 486 | - level1 487 | - scored 488 | - patch 489 | - syslog 490 | - rule_4.2.1.4 491 | 492 | - name: "SCORED | 4.2.1.5 | PATCH | Ensure rsyslog is configured to send logs to a remote log host" 493 | command: /bin/true 494 | changed_when: false 495 | when: 496 | - ubuntu2004cis_rule_4_2_1_5 497 | tags: 498 | - level1 499 | - scored 500 | - patch 501 | - syslog 502 | - rule_4.2.1.5 503 | - notimplemented 504 | 505 | - name: "NOTSCORED | 4.2.1.6 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts." 
506 | command: /bin/true 507 | changed_when: false 508 | when: 509 | - ubuntu2004cis_rule_4_2_1_6 510 | tags: 511 | - level1 512 | - notscored 513 | - patch 514 | - syslog 515 | - rule_4.2.1.6 516 | - notimplemented 517 | 518 | - name: "SCORED | 4.2.2.1 | PATCH | Ensure journald is configured to send logs to rsyslog" 519 | lineinfile: 520 | dest: /etc/systemd/journald.conf 521 | regexp: "(#)?ForwardToSyslog=(yes|no)" 522 | line: ForwardToSyslog=yes 523 | changed_when: false 524 | when: 525 | - ubuntu2004cis_rule_4_2_2_1 526 | notify: 527 | - restart journald 528 | tags: 529 | - level1 530 | - scored 531 | - patch 532 | - syslog 533 | - rule_4.2.2.1 534 | 535 | - name: "SCORED | 4.2.2.2 | PATCH | Ensure journald is configured to compress large log files" 536 | lineinfile: 537 | dest: /etc/systemd/journald.conf 538 | regexp: "(#)?Compress=(yes|no)" 539 | line: Compress=yes 540 | when: 541 | - ubuntu2004cis_rule_4_2_2_2 542 | notify: 543 | - restart journald 544 | tags: 545 | - level1 546 | - scored 547 | - patch 548 | - syslog 549 | - rule_4.2.2.2 550 | 551 | - name: "SCORED | 4.2.2.3 | PATCH | Ensure journald is configured to write logfiles to persistent disk" 552 | lineinfile: 553 | dest: /etc/systemd/journald.conf 554 | regexp: "(#)?Storage=(auto|persistent)" 555 | line: Storage=persistent 556 | when: 557 | - ubuntu2004cis_rule_4_2_2_3 558 | notify: 559 | - restart journald 560 | tags: 561 | - level1 562 | - scored 563 | - patch 564 | - syslog 565 | - rule_4.2.2.3 566 | 567 | - name: "SCORED | 4.2.3 | PATCH | Ensure permissions on all logfiles are configured" 568 | command: find /var/log -type f -exec chmod g-wx,o-rwx {} + 569 | changed_when: false 570 | failed_when: false 571 | when: 572 | - ubuntu2004cis_rule_4_2_3 573 | tags: 574 | - level1 575 | - scored 576 | - patch 577 | - syslog 578 | - rule_4.2.3 579 | 580 | - name: "NOTSCORED | 4.3 | PATCH | Ensure logrotate is configured" 581 | block: 582 | - name: "NOTSCORED | 4.3 | PATCH | Register logrotate.d files" 
583 | find: 584 | paths: /etc/logrotate.d/ 585 | register: log_rotates 586 | 587 | - name: "NOTSCORED | 4.3 | PATCH | Ensure logrotate.conf exists" 588 | file: 589 | path: /etc/logrotate.conf 590 | state: touch 591 | changed_when: false 592 | 593 | - name: "NOTSCORED | 4.3 | PATCH | Ensure logrotate is configured" 594 | replace: 595 | path: "{{ item.path }}" 596 | regexp: '^(\s*)(daily|weekly|monthly|yearly)$' 597 | replace: "\\1{{ ubuntu2004cis_logrotate }}" 598 | with_items: 599 | - "{{ log_rotates.files }}" 600 | - { path: "/etc/logrotate.conf" } 601 | when: 602 | - ubuntu2004cis_rule_4_3 603 | tags: 604 | - level1 605 | - notscored 606 | - patch 607 | - syslog 608 | - rule_4.3 609 | 610 | - name: "SCORED | 4.4 | PATCH | Ensure logrotate assigns appropriate permissions" 611 | lineinfile: 612 | state: present 613 | dest: /etc/logrotate.conf 614 | regexp: '^create' 615 | line: 'create 0640' 616 | when: 617 | - ubuntu2004cis_rule_4_4 618 | tags: 619 | - level1 620 | - scored 621 | - patch 622 | - syslog 623 | - rule_4.4 624 | -------------------------------------------------------------------------------- /tasks/section5.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: "SCORED | 5.1.1 | PATCH | Ensure cron daemon is enabled" 3 | service: 4 | name: "{{ cron_service[ansible_os_family] }}" 5 | enabled: true 6 | when: 7 | - ubuntu2004cis_rule_5_1_1 8 | tags: 9 | - level1 10 | - scored 11 | - patch 12 | - cron 13 | - rule_5.1.1 14 | 15 | - name: "SCORED | 5.1.2 | PATCH | Ensure permissions on /etc/crontab are configured" 16 | file: 17 | dest: /etc/crontab 18 | owner: root 19 | group: root 20 | mode: 0600 21 | when: 22 | - ubuntu2004cis_rule_5_1_2 23 | tags: 24 | - level1 25 | - scored 26 | - patch 27 | - cron 28 | - rule_5.1.2 29 | 30 | - name: "SCORED | 5.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured" 31 | file: 32 | dest: /etc/cron.hourly 33 | state: directory 34 | owner: root 35 | group: 
root 36 | mode: 0700 37 | when: 38 | - ubuntu2004cis_rule_5_1_3 39 | tags: 40 | - level1 41 | - scored 42 | - patch 43 | - cron 44 | - rule_5.1.3 45 | 46 | - name: "SCORED | 5.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured" 47 | file: 48 | dest: /etc/cron.daily 49 | state: directory 50 | owner: root 51 | group: root 52 | mode: 0700 53 | when: 54 | - ubuntu2004cis_rule_5_1_4 55 | tags: 56 | - level1 57 | - scored 58 | - patch 59 | - cron 60 | - rule_5.1.4 61 | 62 | - name: "SCORED | 5.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" 63 | file: 64 | dest: /etc/cron.weekly 65 | state: directory 66 | owner: root 67 | group: root 68 | mode: 0700 69 | when: 70 | - ubuntu2004cis_rule_5_1_5 71 | tags: 72 | - level1 73 | - scored 74 | - patch 75 | - cron 76 | - rule_5.1.5 77 | 78 | - name: "SCORED | 5.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured" 79 | file: 80 | dest: /etc/cron.monthly 81 | state: directory 82 | owner: root 83 | group: root 84 | mode: 0700 85 | when: 86 | - ubuntu2004cis_rule_5_1_6 87 | tags: 88 | - level1 89 | - scored 90 | - patch 91 | - cron 92 | - rule_5.1.6 93 | 94 | - name: "SCORED | 5.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured" 95 | file: 96 | dest: /etc/cron.d 97 | state: directory 98 | owner: root 99 | group: root 100 | mode: 0700 101 | when: 102 | - ubuntu2004cis_rule_5_1_7 103 | tags: 104 | - level1 105 | - scored 106 | - patch 107 | - cron 108 | - rule_5.1.7 109 | 110 | - name: "SCORED | 5.1.8 | PATCH | Ensure cron is restricted to authorized users" 111 | block: 112 | - name: "SCORED | 5.1.8 | PATCH | Ensure cron is restricted to authorized users" 113 | file: 114 | dest: /etc/cron.deny 115 | state: absent 116 | 117 | - name: "SCORED | 5.1.8 | PATCH | Ensure cron is restricted to authorized users" 118 | template: 119 | src: cron.allow.j2 120 | dest: /etc/cron.allow 121 | owner: root 122 | group: root 123 | mode: 0600 124 | when: 125 | - ubuntu2004cis_rule_5_1_8 
126 | tags: 127 | - level1 128 | - scored 129 | - patch 130 | - cron 131 | - rule_5.1.8 132 | 133 | - name: "SCORED | 5.1.9 | PATCH | Ensure at is restricted to authorized users" 134 | block: 135 | - name: "SCORED | 5.1.9 | PATCH | Ensure at is restricted to authorized users" 136 | file: 137 | dest: /etc/at.deny 138 | state: absent 139 | 140 | - name: "SCORED | 5.1.8 | PATCH | Ensure at is restricted to authorized users" 141 | template: 142 | src: at.allow.j2 143 | dest: /etc/at.allow 144 | owner: root 145 | group: root 146 | mode: 0600 147 | when: 148 | - ubuntu2004cis_rule_5_1_9 149 | tags: 150 | - level1 151 | - scored 152 | - patch 153 | - cron 154 | - rule_5.1.9 155 | 156 | - name: "SCORED | 5.2.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" 157 | file: 158 | dest: /etc/ssh/sshd_config 159 | state: file 160 | owner: root 161 | group: root 162 | mode: 0600 163 | when: 164 | - ubuntu2004cis_rule_5_2_1 165 | tags: 166 | - level1 167 | - scored 168 | - patch 169 | - sshd 170 | - rule_5.2.1 171 | 172 | - name: "SCORED | 5.2.2 | PATCH | 5.2.2 Ensure permissions on SSH private host key files are configured" 173 | block: 174 | - name: "SCORED | 5.2.2 | PATCH | 5.2.2 Ensure permissions on SSH private host key files are configured | find keys" 175 | find: 176 | paths: /etc/ssh 177 | patterns: "ssh_host_*_key" 178 | register: ssh_private_host_keys 179 | 180 | - name: "SCORED | 5.2.2 | PATCH | 5.2.2 Ensure permissions on SSH private host key files are configured | change permissions" 181 | file: 182 | dest: "{{ item.path }}" 183 | state: file 184 | owner: root 185 | group: root 186 | mode: 0600 187 | with_items: "{{ ssh_private_host_keys.files }}" 188 | when: 189 | - ubuntu2004cis_rule_5_2_2 190 | tags: 191 | - level1 192 | - scored 193 | - patch 194 | - sshd 195 | - rule_5.2.2 196 | 197 | - name: "SCORED | 5.2.3 | PATCH | 5.2.3 Ensure permissions on SSH public host key files are configured" 198 | block: 199 | - name: "SCORED | 5.2.3 | PATCH | 
5.2.3 Ensure permissions on SSH public host key files are configured | find keys" 200 | find: 201 | paths: /etc/ssh 202 | patterns: "ssh_host_*_key.pub" 203 | register: ssh_public_host_keys 204 | 205 | - name: "SCORED | 5.2.3 | PATCH | 5.2.3 Ensure permissions on SSH public host key files are configured | change permissions" 206 | file: 207 | dest: "{{ item.path }}" 208 | state: file 209 | owner: root 210 | group: root 211 | mode: 0644 212 | with_items: "{{ ssh_public_host_keys.files }}" 213 | when: 214 | - ubuntu2004cis_rule_5_2_3 215 | tags: 216 | - level1 217 | - scored 218 | - patch 219 | - sshd 220 | - rule_5.2.3 221 | 222 | - name: "SCORED | 5.2.4 | PATCH | Ensure SSH LogLevel is set to INFO" 223 | lineinfile: 224 | state: present 225 | dest: /etc/ssh/sshd_config 226 | regexp: '^LogLevel' 227 | line: 'LogLevel INFO' 228 | when: 229 | - ubuntu2004cis_rule_5_2_4 230 | tags: 231 | - level1 232 | - scored 233 | - patch 234 | - sshd 235 | - rule_5.2.4 236 | 237 | - name: "SCORED | 5.2.5 | PATCH | Ensure SSH X11 forwarding is disabled" 238 | lineinfile: 239 | state: present 240 | dest: /etc/ssh/sshd_config 241 | regexp: '^X11Forwarding' 242 | line: 'X11Forwarding no' 243 | when: 244 | - ubuntu2004cis_rule_5_2_5 245 | tags: 246 | - level1 247 | - scored 248 | - patch 249 | - sshd 250 | - rule_5.2.5 251 | 252 | - name: "SCORED | 5.2.6 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less" 253 | lineinfile: 254 | state: present 255 | dest: /etc/ssh/sshd_config 256 | regexp: '^(#)?MaxAuthTries \d' 257 | line: 'MaxAuthTries 4' 258 | when: 259 | - ubuntu2004cis_rule_5_2_6 260 | tags: 261 | - level1 262 | - scored 263 | - patch 264 | - sshd 265 | - rule_5.2.6 266 | 267 | - name: "SCORED | 5.2.7 | PATCH | Ensure SSH IgnoreRhosts is enabled" 268 | lineinfile: 269 | state: present 270 | dest: /etc/ssh/sshd_config 271 | regexp: '^IgnoreRhosts' 272 | line: 'IgnoreRhosts yes' 273 | when: 274 | - ubuntu2004cis_rule_5_2_7 275 | tags: 276 | - level1 277 | - scored 278 | - patch 
279 | - sshd 280 | - rule_5.2.7 281 | 282 | - name: "SCORED | 5.2.8 | PATCH | Ensure SSH HostbasedAuthentication is disabled" 283 | lineinfile: 284 | state: present 285 | dest: /etc/ssh/sshd_config 286 | regexp: '^HostbasedAuthentication' 287 | line: 'HostbasedAuthentication no' 288 | when: 289 | - ubuntu2004cis_rule_5_2_8 290 | tags: 291 | - level1 292 | - scored 293 | - patch 294 | - sshd 295 | - rule_5.2.8 296 | 297 | - name: "SCORED | 5.2.9 | PATCH | Ensure SSH root login is disabled" 298 | lineinfile: 299 | state: present 300 | dest: /etc/ssh/sshd_config 301 | regexp: '^PermitRootLogin' 302 | line: 'PermitRootLogin no' 303 | when: 304 | - ubuntu2004cis_rule_5_2_9 305 | tags: 306 | - level1 307 | - scored 308 | - patch 309 | - sshd 310 | - rule_5.2.9 311 | 312 | - name: "SCORED | 5.2.10 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" 313 | lineinfile: 314 | state: present 315 | dest: /etc/ssh/sshd_config 316 | regexp: '^PermitEmptyPasswords' 317 | line: 'PermitEmptyPasswords no' 318 | when: 319 | - ubuntu2004cis_rule_5_2_10 320 | tags: 321 | - level1 322 | - scored 323 | - patch 324 | - sshd 325 | - rule_5.2.10 326 | 327 | - name: "SCORED | 5.2.11 | PATCH | Ensure SSH PermitUserEnvironment is disabled" 328 | lineinfile: 329 | state: present 330 | dest: /etc/ssh/sshd_config 331 | regexp: '^PermitUserEnvironment' 332 | line: 'PermitUserEnvironment no' 333 | when: 334 | - ubuntu2004cis_rule_5_2_11 335 | tags: 336 | - level1 337 | - scored 338 | - patch 339 | - sshd 340 | - rule_5.2.11 341 | 342 | - name: "SCORED | 5.2.12 | PATCH | Ensure only strong Ciphers are used" 343 | lineinfile: 344 | state: present 345 | dest: /etc/ssh/sshd_config 346 | regexp: '^Ciphers' 347 | line: "Ciphers {{ ubuntu2004cis_sshd['ciphers'] }}" 348 | when: 349 | - ubuntu2004cis_rule_5_2_12 350 | tags: 351 | - level1 352 | - scored 353 | - patch 354 | - sshd 355 | - rule_5.2.12 356 | 357 | - name: "SCORED | 5.2.13 | PATCH | Ensure only approved MAC algorithms are used" 358 | 
lineinfile: 359 | state: present 360 | dest: /etc/ssh/sshd_config 361 | regexp: '^MACs' 362 | line: "MACs {{ ubuntu2004cis_sshd['macs'] }}" 363 | when: 364 | - ubuntu2004cis_rule_5_2_13 365 | tags: 366 | - level1 367 | - scored 368 | - patch 369 | - sshd 370 | - rule_5.2.13 371 | 372 | - name: "SCORED | 5.2.14 | PATCH | Ensure only strong Key Exchange algorithms are used" 373 | lineinfile: 374 | state: present 375 | dest: /etc/ssh/sshd_config 376 | regexp: '^KexAlgorithms' 377 | line: "KexAlgorithms {{ ubuntu2004cis_sshd['kexalgorithms'] }}" 378 | when: 379 | - ubuntu2004cis_rule_5_2_14 380 | tags: 381 | - level1 382 | - scored 383 | - patch 384 | - sshd 385 | - rule_5.2.14 386 | 387 | - name: "SCORED | 5.2.15 | PATCH | Ensure SSH Idle Timeout Interval is configured" 388 | block: 389 | - name: "SCORED | 5.2.15 | PATCH | Ensure SSH Idle Timeout Interval is configured" 390 | lineinfile: 391 | state: present 392 | dest: /etc/ssh/sshd_config 393 | regexp: '^ClientAliveInterval' 394 | line: "ClientAliveInterval {{ ubuntu2004cis_sshd['clientaliveinterval'] }}" 395 | 396 | - name: "SCORED | 5.2.15 | PATCH | Ensure SSH ClientAliveCountMax set to <= 3" 397 | lineinfile: 398 | state: present 399 | dest: /etc/ssh/sshd_config 400 | regexp: '^ClientAliveCountMax' 401 | line: "ClientAliveCountMax {{ ubuntu2004cis_sshd['clientalivecountmax'] }}" 402 | when: 403 | - ubuntu2004cis_rule_5_2_15 404 | tags: 405 | - level1 406 | - scored 407 | - patch 408 | - sshd 409 | - rule_5.2.15 410 | 411 | - name: "SCORED | 5.2.16 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less" 412 | lineinfile: 413 | state: present 414 | dest: /etc/ssh/sshd_config 415 | regexp: '^LoginGraceTime' 416 | line: "LoginGraceTime 60" 417 | when: 418 | - ubuntu2004cis_rule_5_2_16 419 | tags: 420 | - level1 421 | - scored 422 | - patch 423 | - sshd 424 | - rule_5.2.16 425 | 426 | - name: "SCORED | 5.2.17 | PATCH | Ensure SSH access is limited" 427 | block: 428 | - name: "SCORED | 5.2.17 | PATCH | Ensure 
SSH access is limited | allowusers" 429 | lineinfile: 430 | state: present 431 | dest: /etc/ssh/sshd_config 432 | regexp: '^AllowUsers' 433 | line: "AllowUsers {{ ubuntu2004cis_sshd['allowusers'] }}" 434 | when: 435 | - "ubuntu2004cis_sshd['allowusers']|default('')" 436 | 437 | - name: "SCORED | 5.2.17 | PATCH | Ensure SSH access is limited | allowgroups" 438 | lineinfile: 439 | state: present 440 | dest: /etc/ssh/sshd_config 441 | regexp: '^AllowGroups' 442 | line: "AllowGroups {{ ubuntu2004cis_sshd['allowgroups'] }}" 443 | when: 444 | - "ubuntu2004cis_sshd['allowgroups']|default('')" 445 | 446 | - name: "SCORED | 5.2.17 | PATCH | Ensure SSH access is limited | denyusers" 447 | lineinfile: 448 | state: present 449 | dest: /etc/ssh/sshd_config 450 | regexp: '^DenyUsers' 451 | line: "DenyUsers {{ ubuntu2004cis_sshd['denyusers'] }}" 452 | when: 453 | - "ubuntu2004cis_sshd['denyusers']|default('')" 454 | 455 | - name: "SCORED | 5.2.17 | PATCH | Ensure SSH access is limited | denygroups" 456 | lineinfile: 457 | state: present 458 | dest: /etc/ssh/sshd_config 459 | regexp: '^DenyGroups' 460 | line: "DenyGroups {{ ubuntu2004cis_sshd['denygroups'] }}" 461 | when: 462 | - "ubuntu2004cis_sshd['denygroups']|default('')" 463 | when: 464 | - ubuntu2004cis_rule_5_2_17 465 | tags: 466 | - level1 467 | - scored 468 | - patch 469 | - sshd 470 | - rule_5.2.17 471 | 472 | - name: "SCORED | 5.2.18 | PATCH | Ensure SSH warning banner is configured" 473 | lineinfile: 474 | state: present 475 | dest: /etc/ssh/sshd_config 476 | regexp: '^Banner' 477 | line: 'Banner /etc/issue.net' 478 | when: 479 | - ubuntu2004cis_rule_5_2_18 480 | tags: 481 | - level1 482 | - scored 483 | - patch 484 | - sshd 485 | - rule_5.2.18 486 | 487 | - name: "SCORED | 5.2.19 | PATCH | Ensure SSH PAM is enabled" 488 | lineinfile: 489 | state: present 490 | dest: /etc/ssh/sshd_config 491 | regexp: '^UsePAM' 492 | line: 'UsePAM yes' 493 | when: 494 | - ubuntu2004cis_rule_5_2_19 495 | tags: 496 | - level1 497 | - 
scored 498 | - patch 499 | - sshd 500 | - rule_5.2.19 501 | 502 | - name: "SCORED | 5.2.20 | PATCH | Ensure SSH AllowTcpForwarding is disabled" 503 | lineinfile: 504 | state: present 505 | dest: /etc/ssh/sshd_config 506 | regexp: '^AllowTcpForwarding' 507 | line: 'AllowTcpForwarding no' 508 | when: 509 | - ubuntu2004cis_rule_5_2_20 510 | tags: 511 | - level2 512 | - scored 513 | - patch 514 | - sshd 515 | - rule_5.2.20 516 | 517 | - name: "SCORED | 5.2.21 | PATCH | Ensure SSH MaxStartups is configured" 518 | lineinfile: 519 | state: present 520 | dest: /etc/ssh/sshd_config 521 | regexp: '^MaxStartups' 522 | line: 'MaxStartups 10:30:60' 523 | when: 524 | - ubuntu2004cis_rule_5_2_21 525 | tags: 526 | - level1 527 | - scored 528 | - patch 529 | - sshd 530 | - rule_5.2.21 531 | 532 | - name: "SCORED | 5.2.22 | PATCH | Ensure SSH MaxSessions is set to 4 or less " 533 | lineinfile: 534 | state: present 535 | dest: /etc/ssh/sshd_config 536 | regexp: '^MaxSessions' 537 | line: 'MaxSessions 4' 538 | notify: 539 | - restart sshd 540 | when: 541 | - ubuntu2004cis_rule_5_2_22 542 | tags: 543 | - level1 544 | - scored 545 | - patch 546 | - sshd 547 | - rule_5.2.22 548 | 549 | - name: "SCORED | 5.3.1 | PATCH | Ensure password creation requirements are configured" 550 | block: 551 | - name: "SCORED | 5.3.1 | PATCH | Ensure lipam-pwquality is installed" 552 | apt: 553 | name: libpam-pwquality 554 | state: present 555 | install_recommends: false 556 | 557 | - name: "SCORED | 5.3.1 | PATCH | Ensure password creation requirements are configured" 558 | lineinfile: 559 | state: present 560 | create: yes 561 | dest: /etc/security/pwquality.conf 562 | regexp: '^{{ item.key }}' 563 | line: '{{ item.key }} = {{ item.value }}' 564 | with_items: 565 | - "{{ ubuntu2004cis_pwquality }}" 566 | when: 567 | - ubuntu2004cis_rule_5_3_1 568 | tags: 569 | - level1 570 | - scored 571 | - patch 572 | - rule_5.3.1 573 | 574 | - name: "SCORED | 5.3.2 | PATCH | Ensure lockout for failed password attempts 
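is configured"
  block:
    - name: "SCORED | 5.3.2 | PATCH | Ensure lockout for failed password attempts is configured - /etc/pam.d/common-account"
      lineinfile:
        dest: /etc/pam.d/common-account
        line: 'account required pam_tally2.so'

    - name: "SCORED | 5.3.2 | PATCH | Ensure lockout for failed password attempts is configured - /etc/pam.d/common-auth"
      # No regexp is given, so the line is appended at the end of common-auth.
      # NOTE(review): confirm that a pam_tally2 entry placed after the
      # pam-auth-update managed lines still counts failures as the benchmark expects.
      lineinfile:
        dest: /etc/pam.d/common-auth
        line: 'auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900'
  when:
    - ubuntu2004cis_rule_5_3_2
  tags:
    - level1
    - scored
    - patch
    - rule_5.3.2

- name: "SCORED | 5.3.3 | PATCH | Ensure password reuse is limited"
  lineinfile:
    dest: /etc/pam.d/common-password
    line: "password required pam_pwhistory.so remember={{ ubuntu2004cis_pass['history'] }}"
  when:
    - ubuntu2004cis_rule_5_3_3
  tags:
    - level1
    - scored
    - patch
    - rule_5.3.3

- name: "SCORED | 5.3.4 | PATCH | Ensure password hashing algorithm is SHA-512"
  # `authconfig` is a Red Hat tool that Ubuntu does not ship; the previous
  # `command: authconfig --passalgo=sha512 --update` with `failed_when: false`
  # failed silently on every run, so this control was never actually enforced.
  # Apply the setting where Ubuntu reads it: login.defs (hashes created by the
  # shadow tools) and the pam_unix line in common-password (hashes set via PAM).
  block:
    - name: "SCORED | 5.3.4 | PATCH | Ensure password hashing algorithm is SHA-512 - /etc/login.defs"
      lineinfile:
        state: present
        dest: /etc/login.defs
        regexp: '^ENCRYPT_METHOD'
        line: 'ENCRYPT_METHOD SHA512'

    - name: "SCORED | 5.3.4 | PATCH | Ensure password hashing algorithm is SHA-512 - /etc/pam.d/common-password"
      # Appends `sha512` to the pam_unix.so password line only when the token is
      # not already present, so repeated runs report no change.
      replace:
        path: /etc/pam.d/common-password
        regexp: '^(password\s.*pam_unix\.so(?:(?!sha512).)*)$'
        replace: '\1 sha512'
  when:
    - ubuntu2004cis_rule_5_3_4
  tags:
    - level1
    - scored
    - patch
    - rule_5.3.4

- name: "SCORED | 5.4.1.1 | PATCH | Ensure password expiration is 365 days or less"
  lineinfile:
    state: present
    dest: /etc/login.defs
    regexp: '^PASS_MAX_DAYS'
    line: "PASS_MAX_DAYS {{ ubuntu2004cis_pass['max_days'] }}"
  when:
    - ubuntu2004cis_rule_5_4_1_1
  tags:
    - level1
    - scored
    - patch
    - rule_5.4.1.1

- name: "SCORED | 5.4.1.2 | PATCH | Ensure minimum days between password changes is configured"
  lineinfile:
    state: present
    dest: /etc/login.defs
    regexp: '^PASS_MIN_DAYS'
    line: "PASS_MIN_DAYS {{ ubuntu2004cis_pass['min_days'] }}"
  when:
    - 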
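ubuntu2004cis_rule_5_4_1_2
  tags:
    - level1
    - scored
    - patch
    - rule_5.4.1.2

- name: "SCORED | 5.4.1.3 | PATCH | Ensure password expiration warning days is 7 or more"
  lineinfile:
    state: present
    dest: /etc/login.defs
    regexp: '^PASS_WARN_AGE'
    line: "PASS_WARN_AGE {{ ubuntu2004cis_pass['warn_age'] }}"
  when:
    - ubuntu2004cis_rule_5_4_1_3
  tags:
    - level1
    - scored
    - patch
    - rule_5.4.1.3

- name: "SCORED | 5.4.1.4 | PATCH | Ensure inactive password lock is 30 days or less"
  lineinfile:
    state: present
    dest: /etc/default/useradd
    regexp: '^INACTIVE'
    line: "INACTIVE={{ ubuntu2004cis_pass['inactive'] }}"
  when:
    - ubuntu2004cis_rule_5_4_1_4
  tags:
    - level1
    - scored
    - patch
    - rule_5.4.1.4

- name: "SCORED | 5.4.1.5 | PATCH | Ensure all users last password change date is in the past"
  # `users_password_change_date_in_future` is registered by an earlier task that is
  # not shown here; its stdout_lines are consumed as one user name per line.
  block:
    - name: "SCORED | 5.4.1.5 | PATCH | Ensure all users last password change date is in the past| lock users"
      user:
        name: "{{ item }}"
        # Was `password_lock: yes"` (stray trailing quote), which is not a valid
        # boolean for the user module, so the 'lock' action could never run.
        password_lock: true
      loop: "{{ users_password_change_date_in_future.stdout_lines }}"
      when:
        - ubuntu2004cis_password_change_date_in_future_action == 'lock'

    - name: "SCORED | 5.4.1.5 | PATCH | Ensure all users last password change date is in the past| expire users"
      user:
        name: "{{ item }}"
        # Fixed epoch timestamp in January 2015: any date in the past expires
        # the account immediately.
        expires: 1422403387
      loop: "{{ users_password_change_date_in_future.stdout_lines }}"
      when:
        - ubuntu2004cis_password_change_date_in_future_action == 'expire'
  when:
    - ubuntu2004cis_rule_5_4_1_5
    - users_password_change_date_in_future.stdout_lines | length > 0
  tags:
    - level1
    - scored
    - patch
    - rule_5.4.1.5

- name: "SCORED | 5.4.2 | PATCH | Ensure system accounts are secured"
  command: >
    for user in `awk -F: '($3 < 1000) {print 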
$1 }' /etc/passwd`; do 702 | if [ $user != "root" ]; then 703 | usermod -L $user 704 | if [ $user != "sync" ] && [ $user != "shutdown" ] && [ $user != "halt" ]; 705 | then 706 | usermod -s /usr/sbin/nologin $user 707 | fi 708 | fi 709 | done 710 | changed_when: false 711 | when: 712 | - ubuntu2004cis_rule_5_4_2 713 | - system_accounts_non_login_1.stdout 714 | - system_accounts_non_login_2.stdout 715 | tags: 716 | - level1 717 | - patch 718 | - rule_5.4.2 719 | - scored 720 | 721 | - name: "SCORED | 5.4.3 | PATCH | Ensure default group for the root account is GID 0" 722 | command: usermod -g 0 root 723 | changed_when: false 724 | failed_when: false 725 | when: 726 | - ubuntu2004cis_rule_5_4_3 727 | tags: 728 | - level1 729 | - patch 730 | - rule_5.4.3 731 | - scored 732 | 733 | - name: "SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive" 734 | block: 735 | - name: "SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive - /etc/bash.bashrc" 736 | lineinfile: 737 | state: present 738 | dest: /etc/bash.bashrc 739 | create: true 740 | regexp: '^umask ' 741 | line: 'umask 027' 742 | 743 | - name: "SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive - /etc/profile" 744 | lineinfile: 745 | state: present 746 | dest: /etc/profile 747 | create: true 748 | regexp: '^umask ' 749 | line: 'umask 027' 750 | 751 | - name: "SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive - /etc/profile.d/99-umask.sh" 752 | lineinfile: 753 | state: present 754 | dest: /etc/profile.d/99-umask.sh 755 | create: true 756 | regexp: '^umask ' 757 | line: 'umask 027' 758 | when: 759 | - ubuntu2004cis_rule_5_4_4 760 | tags: 761 | - level1 762 | - patch 763 | - rule_5.4.4 764 | - scored 765 | 766 | - name: "SCORED | 5.4.5 | PATCH | Ensure default user shell timeout is 900 seconds or less" 767 | block: 768 | - name: "SCORED | 5.4.5 | PATCH | Ensure default user shell timeout is 900 seconds or less - 
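/etc/bash.bashrc"
      lineinfile:
        state: present
        dest: /etc/bash.bashrc
        create: true
        regexp: '^TMOUT='
        line: "TMOUT={{ ubuntu2004cis_shell_timeout }}"

    - name: "SCORED | 5.4.5 | PATCH | Ensure default user shell timeout is 900 seconds or less - /etc/profile"
      lineinfile:
        state: present
        dest: /etc/profile
        create: true
        regexp: '^TMOUT='
        line: "TMOUT={{ ubuntu2004cis_shell_timeout }}"

    - name: "SCORED | 5.4.5 | PATCH | Ensure default user shell timeout is 900 seconds or less - /etc/profile.d/99-tmout.sh"
      lineinfile:
        state: present
        dest: /etc/profile.d/99-tmout.sh
        create: true
        regexp: '^TMOUT='
        line: "TMOUT={{ ubuntu2004cis_shell_timeout }}"
  when:
    - ubuntu2004cis_rule_5_4_5
  tags:
    - level1
    - patch
    - rule_5.4.5
    - scored

- name: "NOTSCORED | 5.5 | PATCH | Ensure root login is restricted to system console"
  command: /bin/true
  changed_when: false
  when:
    - ubuntu2004cis_rule_5_5
  tags:
    - level1
    - patch
    - rule_5.5
    - notscored
    - notimplemented

- name: "SCORED | 5.6 | PATCH | Ensure access to the su command is restricted"
  # Without `group=`, pam_wheel checks membership of a `wheel` group and, when that
  # group does not exist (the Ubuntu default), falls back to root's primary group
  # (GID 0). The `sudo` group that the next task populates therefore played no part
  # in the check. Name the group explicitly so the two tasks agree; if you follow the
  # benchmark's suggestion of a dedicated empty su group, substitute its name here.
  lineinfile:
    state: present
    dest: /etc/pam.d/su
    regexp: '^(#)?auth\s+required\s+pam_wheel\.so'
    line: "auth required pam_wheel.so use_uid group=sudo"
  when:
    - ubuntu2004cis_rule_5_6
  tags:
    - level1
    - patch
    - rule_5.6
    - scored

- name: "SCORED | 5.6 | PATCH | Ensure access to the su command is restricted - sudo group contains root"
  user:
    name: root
    groups: sudo
    # Without `append`, `groups` replaces root's entire supplementary-group list
    # with just `sudo`, silently dropping any other membership.
    append: true
  when:
    - ubuntu2004cis_rule_5_6
  tags:
    - level1
    - patch
    - rule_5.6
    - scored
-------------------------------------------------------------------------------- /tasks/section6.yml: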
-------------------------------------------------------------------------------- 1 | --- 2 | - name: "NOTSCORED | 6.1.1 | PATCH | Audit system file permissions" 3 | command: /bin/true 4 | changed_when: false 5 | when: 6 | - ubuntu2004cis_rule_6_1_1 7 | tags: 8 | - level2 9 | - notscored 10 | - patch 11 | - rule_6.1.1 12 | - notimplemented 13 | 14 | - name: "SCORED | 6.1.2 | PATCH | Ensure permissions on /etc/passwd are configured" 15 | file: 16 | dest: /etc/passwd 17 | owner: root 18 | group: root 19 | mode: 0644 20 | when: 21 | - ubuntu2004cis_rule_6_1_2 22 | tags: 23 | - level1 24 | - scored 25 | - patch 26 | - rule_6.1.2 27 | 28 | - name: "SCORED | 6.1.3 | PATCH | Ensure permissions on /etc/gshadow- are configured" 29 | file: 30 | dest: /etc/gshadow- 31 | owner: root 32 | group: shadow 33 | mode: 0640 34 | when: 35 | - ubuntu2004cis_rule_6_1_3 36 | tags: 37 | - level1 38 | - scored 39 | - patch 40 | - rule_6.1.3 41 | 42 | - name: "SCORED | 6.1.4 | PATCH | Ensure permissions on /etc/shadow are configured" 43 | file: 44 | dest: /etc/shadow 45 | owner: root 46 | group: shadow 47 | mode: 0640 48 | when: 49 | - ubuntu2004cis_rule_6_1_4 50 | tags: 51 | - level1 52 | - scored 53 | - patch 54 | - rule_6.1.4 55 | 56 | - name: "SCORED | 6.1.5 | PATCH | Ensure permissions on /etc/group are configured" 57 | file: 58 | dest: /etc/group 59 | owner: root 60 | group: root 61 | mode: 0644 62 | when: 63 | - ubuntu2004cis_rule_6_1_5 64 | tags: 65 | - level1 66 | - scored 67 | - patch 68 | - rule_6.1.5 69 | 70 | - name: "SCORED | 6.1.6 | PATCH | Ensure permissions on /etc/passwd- are configured" 71 | file: 72 | dest: /etc/passwd- 73 | owner: root 74 | group: root 75 | mode: 0600 76 | when: 77 | - ubuntu2004cis_rule_6_1_6 78 | tags: 79 | - level1 80 | - scored 81 | - patch 82 | - rule_6.1.6 83 | 84 | - name: "SCORED | 6.1.7 | PATCH | Ensure permissions on /etc/shadow- are configured" 85 | file: 86 | dest: /etc/shadow- 87 | owner: root 88 | group: shadow 89 | mode: 0600 90 | when: 91 
| - ubuntu2004cis_rule_6_1_7 92 | tags: 93 | - level1 94 | - scored 95 | - patch 96 | - rule_6.1.7 97 | 98 | - name: "SCORED | 6.1.8 | PATCH | Ensure permissions on /etc/group- are configured" 99 | file: 100 | dest: /etc/group- 101 | owner: root 102 | group: root 103 | mode: 0644 104 | when: 105 | - ubuntu2004cis_rule_6_1_8 106 | tags: 107 | - level1 108 | - scored 109 | - patch 110 | - rule_6.1.8 111 | 112 | - name: "SCORED | 6.1.9 | PATCH | Ensure permissions on /etc/gshadow are configured" 113 | file: 114 | dest: /etc/gshadow 115 | owner: root 116 | group: shadow 117 | mode: 0640 118 | when: 119 | - ubuntu2004cis_rule_6_1_9 120 | tags: 121 | - level1 122 | - scored 123 | - patch 124 | - rule_6.1.9 125 | 126 | - name: "SCORED | 6.1.10 | PATCH | Ensure no world writable files exist" 127 | command: /bin/true 128 | changed_when: false 129 | when: 130 | - ubuntu2004cis_rule_6_1_10 131 | tags: 132 | - level1 133 | - scored 134 | - patch 135 | - rule_6.1.10 136 | - notimplemented 137 | 138 | - name: "SCORED | 6.1.11 | PATCH | Ensure no unowned files or directories exist" 139 | command: /bin/true 140 | changed_when: false 141 | when: 142 | - ubuntu2004cis_rule_6_1_11 143 | tags: 144 | - level1 145 | - scored 146 | - patch 147 | - rule_6.1.11 148 | - notimplemented 149 | 150 | - name: "SCORED | 6.1.12 | PATCH | Ensure no ungrouped files or directories exist" 151 | command: /bin/true 152 | changed_when: false 153 | when: 154 | - ubuntu2004cis_rule_6_1_12 155 | tags: 156 | - level1 157 | - scored 158 | - patch 159 | - rule_6.1.12 160 | - notimplemented 161 | 162 | - name: "NOTSCORED | 6.1.13 | PATCH | Audit SUID executables" 163 | command: /bin/true 164 | changed_when: false 165 | when: 166 | - ubuntu2004cis_rule_6_1_13 167 | tags: 168 | - level1 169 | - notscored 170 | - patch 171 | - rule_6.1.13 172 | - notimplemented 173 | 174 | - name: "NOTSCORED | 6.1.14 | PATCH | Audit SGID executables" 175 | command: /bin/true 176 | changed_when: false 177 | when: 178 | - 
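ubuntu2004cis_rule_6_1_14
  tags:
    - level1
    - notscored
    - patch
    - rule_6.1.14
    - notimplemented

- name: "SCORED | 6.2.1 | PATCH | Ensure password fields are not empty"
  # `empty_password_accounts` is registered by an earlier task not shown here;
  # the `.rc` condition only runs the lock when that check exited non-zero.
  # NOTE(review): confirm the registering command really exits non-zero when
  # empty password fields are found, otherwise this task never runs.
  command: passwd -l {{ item }}
  changed_when: false
  failed_when: false
  with_items: "{{ empty_password_accounts.stdout_lines }}"
  when:
    - empty_password_accounts.rc
    - ubuntu2004cis_rule_6_2_1
  tags:
    - level1
    - scored
    - patch
    - rule_6.2.1

- name: "SCORED | 6.2.2 | PATCH | Ensure root is the only UID 0 account"
  # Same gating pattern as 6.2.1 on the `uid_zero_accounts_except_root` check.
  command: passwd -l {{ item }}
  changed_when: false
  failed_when: false
  with_items: "{{ uid_zero_accounts_except_root.stdout_lines }}"
  when:
    - uid_zero_accounts_except_root.rc
    - ubuntu2004cis_rule_6_2_2
  tags:
    - level1
    - scored
    - patch
    - rule_6.2.2

- name: "SCORED | 6.2.3 | PATCH | Ensure root PATH Integrity"
  block:
    - name: "SCORED | 6.2.3 | PATCH | Ensure root PATH Integrity (unimplemented)"
      command: /bin/true
      changed_when: false
      tags:
        - level1
        - scored
        - patch
        - rule_6.2.3
        - notimplemented

    - name: "SCORED | 6.2.3 | PATCH | Ensure root PATH Integrity (collect paths)"
      # Reads secure_path from /etc/sudoers and prints it back with every entry
      # that is not an existing directory removed (colon-joined via IFS).
      shell: |
        set -o pipefail;
        sudopath=($(grep secure_path /etc/sudoers | cut -f2 -d= |cut -f2 -d\"))
        IFS=:
        for i in ${sudopath[*]}
        do
        if [ -d "$i" ]
        then newsudopath+=($i)
        fi
        done
        echo "${newsudopath[*]}"
      args:
        executable: /bin/bash
      register: fixsudo
      changed_when: false
      check_mode: false
      tags:
        - level1
        - scored
        - patch
        - rule_6.2.3

    - name: "SCORED | 6.2.3 | PATCH | Ensure root PATH Integrity (fix paths)"
      lineinfile:
        dest: /etc/sudoers
        regexp: "(.*secure_path=).*"
        # Check the candidate file with visudo before it is moved into place:
        # a syntactically broken /etc/sudoers locks every administrator out of
        # sudo, and lineinfile would otherwise write it unchecked.
        validate: '/usr/sbin/visudo -cf %s'
        line: '\1"{{ fixsudo.stdout_lines[0] }}"'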
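# --- continuation of the 6.2.3 "fix paths" lineinfile (task header is on the preceding line) ---
        backrefs: true
      when:
        - fixsudo.stdout_lines[0]
      tags:
        - level1
        - scored
        - patch
        - rule_6.2.3
  when:
    - ubuntu2004cis_rule_6_2_3

- name: "SCORED | 6.2.4 | PATCH | Ensure all users' home directories exist"
  command: /bin/true
  changed_when: false
  when:
    - ubuntu2004cis_rule_6_2_4
  tags:
    - level1
    - scored
    - patch
    - rule_6.2.4
    - notimplemented

- name: "SCORED | 6.2.5 | PATCH | Ensure users' home directories permissions are 750 or more restrictive"
  # `homes_with_perms` is registered by an earlier task not shown here; its stdout
  # is a whitespace-separated list of home directories (the previous shell loop
  # word-split it). The file module applies the same `g-w,o-rwx` change without
  # interpolating that output into a shell command line, and is idempotent, so
  # the task no longer reports "changed" on every run.
  file:
    path: "{{ item }}"
    mode: "g-w,o-rwx"
  loop: "{{ homes_with_perms.stdout.split() }}"
  when:
    - ubuntu2004cis_rule_6_2_5
    - homes_with_perms.stdout | length > 0
  tags:
    - level1
    - scored
    - patch
    - rule_6.2.5

- name: "SCORED | 6.2.6 | PATCH | Ensure users own their home directories"
  command: /bin/true
  changed_when: false
  when:
    - ubuntu2004cis_rule_6_2_6
  tags:
    - level1
    - scored
    - patch
    - rule_6.2.6
    - notimplemented

- name: "SCORED | 6.2.7 | PATCH | Ensure users' dot files are not group or world writable"
  command: /bin/true
  changed_when: false
  when:
    - ubuntu2004cis_rule_6_2_7
  tags:
    - level1
    - scored
    - patch
    - rule_6.2.7
    - notimplemented

- name: "SCORED | 6.2.8 | PATCH | Ensure no users have .forward files"
  # `users` is registered by an earlier task not shown here (one login name per line).
  file:
    state: absent
    dest: "~{{ item }}/.forward"
  with_items: "{{ users.stdout_lines }}"
  when:
    - ubuntu2004cis_rule_6_2_8
  tags:
    - level1
    - scored
    - patch
    - rule_6.2.8

- name: "SCORED | 6.2.9 | PATCH | Ensure no users have .netrc files"
  file:
    state: absent
    dest: "~{{ item }}/.netrc"
  with_items: "{{ users.stdout_lines }}"
  when:
    - ubuntu2004cis_rule_6_2_9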
tags: 337 | - level1 338 | - scored 339 | - patch 340 | - rule_6.2.9 341 | 342 | - name: "SCORED | 6.2.10 | PATCH | Ensure users' .netrc Files are not group or world accessible" 343 | command: /bin/true 344 | changed_when: false 345 | when: 346 | - ubuntu2004cis_rule_6_2_10 347 | tags: 348 | - level1 349 | - scored 350 | - patch 351 | - rule_6.2.10 352 | - notimplemented 353 | 354 | - name: "SCORED | 6.2.11 | PATCH | Ensure no users have .rhosts files" 355 | file: 356 | state: absent 357 | dest: "~{{ item }}/.rhosts" 358 | with_items: "{{ users.stdout_lines }}" 359 | when: 360 | - ubuntu2004cis_rule_6_2_11 361 | tags: 362 | - level1 363 | - scored 364 | - patch 365 | - rule_6.2.11 366 | 367 | - name: "SCORED | 6.2.12 | PATCH | Ensure all groups in /etc/passwd exist in /etc/group" 368 | command: /bin/true 369 | changed_when: false 370 | when: 371 | - ubuntu2004cis_rule_6_2_12 372 | tags: 373 | - level1 374 | - scored 375 | - patch 376 | - rule_6.2.12 377 | - notimplemented 378 | 379 | - name: "SCORED | 6.2.13 | PATCH | Ensure no duplicate UIDs exist" 380 | command: /bin/true 381 | changed_when: false 382 | when: 383 | - ubuntu2004cis_rule_6_2_13 384 | tags: 385 | - level1 386 | - scored 387 | - patch 388 | - rule_6.2.13 389 | - notimplemented 390 | 391 | - name: "SCORED | 6.2.14 | PATCH | Ensure no duplicate GIDs exist" 392 | command: /bin/true 393 | changed_when: false 394 | when: 395 | - ubuntu2004cis_rule_6_2_14 396 | tags: 397 | - level1 398 | - scored 399 | - patch 400 | - rule_6.2.14 401 | - notimplemented 402 | 403 | - name: "SCORED | 6.2.15 | PATCH | Ensure no duplicate user names exist" 404 | command: /bin/true 405 | changed_when: false 406 | when: 407 | - ubuntu2004cis_rule_6_2_15 408 | tags: 409 | - level1 410 | - scored 411 | - patch 412 | - rule_6.2.15 413 | - notimplemented 414 | 415 | - name: "SCORED | 6.2.16 | PATCH | Ensure no duplicate group names exist" 416 | command: /bin/true 417 | changed_when: false 418 | when: 419 | - 
ubuntu2004cis_rule_6_2_16 420 | tags: 421 | - level1 422 | - scored 423 | - patch 424 | - rule_6.2.16 425 | - notimplemented 426 | 427 | - name: "SCORED | 6.2.17 | PATCH | Ensure shadow group is empty" 428 | command: /bin/true 429 | changed_when: false 430 | when: 431 | - ubuntu2004cis_rule_6_2_17 432 | tags: 433 | - level1 434 | - scored 435 | - patch 436 | - rule_6.2.17 437 | - notimplemented 438 | -------------------------------------------------------------------------------- /templates/at.allow.j2: -------------------------------------------------------------------------------- 1 | {% for user in ubuntu2004cis_at_allow_users %} 2 | {{ user }} 3 | {% endfor %} 4 | -------------------------------------------------------------------------------- /templates/audit/ubuntu2004cis_rule_4_1_10.rules.j2: -------------------------------------------------------------------------------- 1 | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access 2 | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access 3 | {% if ansible_architecture == 'x86_64' -%} 4 | -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access 5 | -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access 6 | {% endif %} 7 | -------------------------------------------------------------------------------- /templates/audit/ubuntu2004cis_rule_4_1_11.rules.j2: -------------------------------------------------------------------------------- 1 | {% for proc in priv_procs.stdout_lines -%} 2 | -a always,exit -F path={{ proc }} -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged 3 | {% endfor %} 4 | -------------------------------------------------------------------------------- 
/templates/audit/ubuntu2004cis_rule_4_1_12.rules.j2:
--------------------------------------------------------------------------------
{# CIS 4.1.12: successful file system mounts by real users (auid >= 1000, unset
   auid excluded). b32 always, b64 only on x86_64. #}
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
{% if ansible_architecture == 'x86_64' -%}
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
{% endif %}

--------------------------------------------------------------------------------
/templates/audit/ubuntu2004cis_rule_4_1_13.rules.j2:
--------------------------------------------------------------------------------
{# CIS 4.1.13: file deletion and rename events by real users. b32 always, b64
   only on x86_64. #}
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
{% if ansible_architecture == 'x86_64' -%}
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
{% endif %}

--------------------------------------------------------------------------------
/templates/audit/ubuntu2004cis_rule_4_1_14.rules.j2:
--------------------------------------------------------------------------------
{# CIS 4.1.14: changes to the sudoers scope (the file and the drop-in
   directory); -p wa records writes and attribute changes. #}
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope

--------------------------------------------------------------------------------
/templates/audit/ubuntu2004cis_rule_4_1_15.rules.j2:
--------------------------------------------------------------------------------
{# CIS 4.1.15: administrator actions via sudo. This watch only produces events
   if sudo is configured to write its own log file at this path (the benchmark's
   "sudo log file" control in section 5.3); if sudo logs through syslog alone
   the watch never fires — confirm the role sets that logfile. #}
-w /var/log/sudo.log -p wa -k actions

--------------------------------------------------------------------------------
/templates/audit/ubuntu2004cis_rule_4_1_16.rules.j2:
--------------------------------------------------------------------------------
{# CIS 4.1.16: kernel module loading and unloading, both through the module
   utilities (execute watches) and the raw syscalls. The b32 syscall rule is
   placed after the x86_64-only b64 block and is always rendered. #}
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
{% if ansible_architecture == 'x86_64' -%}
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
{% endif %}
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules

--------------------------------------------------------------------------------
/templates/audit/ubuntu2004cis_rule_4_1_17.rules.j2:
--------------------------------------------------------------------------------
{# CIS 4.1.17: make the audit configuration immutable until reboot. This must
   be the last directive loaded: once "-e 2" has been applied the kernel rejects
   every further rule change. augenrules is expected to move "-e" lines to the
   end of the merged rule set, but note that "4_1_17" sorts before "4_1_3" ..
   "4_1_9" in the rules directory, so loading these files in plain directory
   order with auditctl alone would drop every rule after this one — confirm how
   the handler loads the rules. #}
-e 2

--------------------------------------------------------------------------------
/templates/audit/ubuntu2004cis_rule_4_1_3.rules.j2:
--------------------------------------------------------------------------------
{# CIS 4.1.3: date and time modification. "stime" exists only in the 32-bit
   syscall table, which is why the b64 line does not list it. The watch on
   /etc/localtime is architecture independent. #}
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
{% if ansible_architecture == 'x86_64' -%}
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
{% endif %}
-w /etc/localtime -p wa -k time-change

--------------------------------------------------------------------------------
/templates/audit/ubuntu2004cis_rule_4_1_4.rules.j2:
--------------------------------------------------------------------------------
{# CIS 4.1.4: user and group identity databases, including the old-password
   history used by pam_unix. #}
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity

--------------------------------------------------------------------------------
/templates/audit/ubuntu2004cis_rule_4_1_5.rules.j2:
--------------------------------------------------------------------------------
{# CIS 4.1.5: system network environment (hostname/domainname syscalls plus the
   banner, hosts and network configuration files; /etc/network is the Debian
   equivalent of the sysconfig path used on other distributions). #}
{% if ansible_architecture == 'x86_64' -%}
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
{% endif %}
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale
-w /etc/networks -p wa -k system-locale

--------------------------------------------------------------------------------
/templates/audit/ubuntu2004cis_rule_4_1_6.rules.j2:
--------------------------------------------------------------------------------
{# CIS 4.1.6: changes to the mandatory access control (AppArmor) policy. #}
-w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/apparmor.d/ -p wa -k MAC-policy

--------------------------------------------------------------------------------
/templates/audit/ubuntu2004cis_rule_4_1_7.rules.j2:
--------------------------------------------------------------------------------
{# CIS 4.1.7: login and logout bookkeeping files (failed logins, last login,
   pam_tally counters). #}
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins

--------------------------------------------------------------------------------
/templates/audit/ubuntu2004cis_rule_4_1_8.rules.j2:
--------------------------------------------------------------------------------
{# CIS 4.1.8: session initiation records; the key names ("session" for utmp,
   "logins" for wtmp/btmp) are the ones the benchmark's audit check looks for. #}
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k logins
-w /var/log/btmp -p wa -k logins

--------------------------------------------------------------------------------
/templates/audit/ubuntu2004cis_rule_4_1_9.rules.j2:
--------------------------------------------------------------------------------
{# CIS 4.1.9: discretionary access control changes (mode, ownership and
   extended attributes) by real users (auid >= 1000, unset auid excluded).
   b32 always, b64 only on x86_64. #}
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
{% if ansible_architecture == 'x86_64' -%}
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
{% endif %}

--------------------------------------------------------------------------------
/templates/chrony.conf.j2:
--------------------------------------------------------------------------------
# This is the default chrony.conf file for the Debian chrony package. After
# editing this file use the command 'invoke-rc.d chrony restart' to make
# your changes take effect. John Hasler 1998-2008
{# NOTE(review): this is the legacy Debian template from the chrony 1.x era.
   The commandkey/keyfile password mechanism and several of the directives
   below were dropped or deprecated in later chrony releases, where chronyc
   talks to chronyd over a Unix socket instead — confirm the directive set
   against the chrony version shipped with Ubuntu 20.04 before relying on
   this file. #}

# See www.pool.ntp.org for an explanation of these servers. Please
# consider joining the project if possible. If you can't or don't want to
# use these servers I suggest that you try your ISP's nameservers. We mark
# the servers 'offline' so that chronyd won't try to connect when the link
# is down. Scripts in /etc/ppp/ip-up.d and /etc/ppp/ip-down.d use chronyc
# commands to switch it on when a dialup link comes up and off when it goes
# down. Code in /etc/init.d/chrony attempts to determine whether or not
# the link is up at boot time and set the online status accordingly. If
# you have an always-on connection such as cable omit the 'offline'
# directive and chronyd will default to online.
#
# Note that if Chrony tries to go "online" and dns lookup of the servers
# fails they will be discarded. Thus under some circumstances it is
# better to use IP numbers than host names.

{# Each entry needs "uri" and "config" (e.g. the options appended after the
   server name). The benchmark's chrony control expects at least one time
   source: an empty ubuntu2004cis_time_synchronization_servers renders no
   "server" line and chronyd would run with no sources at all. #}
{% for server in ubuntu2004cis_time_synchronization_servers -%}
server {{ server.uri }} {{ server.config }}
{% endfor %}

# Look here for the admin password needed for chronyc. The initial
# password is generated by a random process at install time. You may
# change it if you wish.

keyfile /etc/chrony/chrony.keys

# Set runtime command key. Note that if you change the key (not the
# password) to anything other than 1 you will need to edit
# /etc/ppp/ip-up.d/chrony, /etc/ppp/ip-down.d/chrony, /etc/init.d/chrony
# and /etc/cron.weekly/chrony as these scripts use it to get the password.

commandkey 1

# I moved the driftfile to /var/lib/chrony to comply with the Debian
# filesystem standard.

driftfile /var/lib/chrony/chrony.drift

# Comment this line out to turn off logging.

log tracking measurements statistics
logdir /var/log/chrony

# Stop bad estimates upsetting machine clock.

maxupdateskew 100.0

# Dump measurements when daemon exits.

dumponexit

# Specify directory for dumping measurements.

dumpdir /var/lib/chrony

# Let computer be a server when it is unsynchronised.

{# "local stratum 10" lets this host answer time requests even while it is
   unsynchronised. That only matters if one of the "allow" directives below is
   uncommented, so keep them commented unless the host is meant to serve time
   to other machines. #}
local stratum 10

# Allow computers on the unrouted nets to use the server.

#allow 10/8
#allow 192.168/16
#allow 172.16/12

# This directive forces `chronyd' to send a message to syslog if it
# makes a system clock adjustment larger than a threshold value in seconds.

logchange 0.5

# This directive defines an email address to which mail should be sent
# if chronyd applies a correction exceeding a particular threshold to the
# system clock.

# mailonchange root@localhost 0.5

# This directive tells chrony to regulate the real-time clock and tells it
# where to store related data. It may not work on some newer motherboards
# that use the HPET real-time clock. It requires enhanced real-time
# support in the kernel. I've commented it out because with certain
# combinations of motherboard and kernel it is reported to cause lockups.

# rtcfile /var/lib/chrony/chrony.rtc

# If the last line of this file reads 'rtconutc' chrony will assume that
# the CMOS clock is on UTC (GMT). If it reads '# rtconutc' or is absent
# chrony will assume local time. The line (if any) was written by the
# chrony postinst based on what it found in /etc/default/rcS. You may
# change it if necessary.
rtconutc

--------------------------------------------------------------------------------
/templates/cron.allow.j2:
--------------------------------------------------------------------------------
{# One login name per line. Presumably rendered to the cron allow file (the
   task that uses this template is not in this excerpt); with an allow file
   present only the listed users may use crontab, so an empty
   ubuntu2004cis_cron_allow_users renders an empty, fully restrictive file. #}
{% for user in ubuntu2004cis_cron_allow_users %}
{{ user }}
{% endfor %}

--------------------------------------------------------------------------------
/templates/etc/issue.j2:
--------------------------------------------------------------------------------
{# Pre-login banner. The same variable feeds issue.net and motd; its default
   lives in defaults/main.yml (not shown here). The benchmark's banner controls
   require it to contain no OS name, version or patch-level information. #}
{{ ubuntu2004cis_warning_banner }}

--------------------------------------------------------------------------------
/templates/etc/issue.net.j2:
--------------------------------------------------------------------------------
{# Remote-login banner; same content and constraints as issue.j2. #}
{{ ubuntu2004cis_warning_banner }}

--------------------------------------------------------------------------------
/templates/etc/motd.j2:
--------------------------------------------------------------------------------
{# Post-login message; same content and constraints as issue.j2. #}
{{ ubuntu2004cis_warning_banner }}

--------------------------------------------------------------------------------
/templates/ntp.conf.j2:
--------------------------------------------------------------------------------
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
{# The two "restrict ... default" lines and "disable monitor" further down are
   what the benchmark's ntp control checks for; keep
   "kod nomodify notrap nopeer noquery" exactly as written. #}
#restrict default nomodify notrap nopeer noquery
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would affect some of
# the administrative functions.
restrict 127.0.0.1
restrict ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
{# Same server list as chrony.conf.j2; an empty list renders no time source. #}
{% for server in ubuntu2004cis_time_synchronization_servers -%}
server {{ server.uri }} {{ server.config }}
{% endfor %}

#broadcast 192.168.1.255 autokey # broadcast server
#broadcastclient # broadcast client
#broadcast 224.0.1.1 autokey # multicast server
#multicastclient 224.0.1.1 # multicast client
#manycastserver 239.255.254.254 # manycast server
#manycastclient 239.255.254.254 autokey # manycast client

# Enable public key cryptography.
#crypto

# includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
# keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats

# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor

--------------------------------------------------------------------------------
/tests/inventory:
--------------------------------------------------------------------------------
localhost

--------------------------------------------------------------------------------
/vars/main.yml:
--------------------------------------------------------------------------------
---
# vars file for ubuntu2004_cis
--------------------------------------------------------------------------------