├── .gitignore ├── .gitmodules ├── .travis.yml ├── LICENSE ├── NOTES.md ├── README.md ├── ansible.cfg ├── hosts ├── playbook.yml ├── roles └── cis │ ├── README.md │ ├── defaults │ └── main.yml │ ├── files │ └── etc │ │ ├── audit │ │ └── audit.rules │ │ ├── issue │ │ ├── issue.net │ │ ├── logrotate.d │ │ └── syslog │ │ ├── motd │ │ ├── pam.d │ │ ├── password-auth │ │ ├── su │ │ └── system-auth │ │ └── rsyslog.conf │ ├── handlers │ └── main.yml │ ├── meta │ └── main.yml │ ├── tasks │ ├── main.yml │ ├── section_01.yml │ ├── section_01_level1.yml │ ├── section_01_level2.yml │ ├── section_02.yml │ ├── section_02_level1.yml │ ├── section_02_level2.yml │ ├── section_03.yml │ ├── section_03_level1.yml │ ├── section_03_level2.yml │ ├── section_04.yml │ ├── section_04_level1.yml │ ├── section_04_level2.yml │ ├── section_05.yml │ ├── section_05_level1.yml │ ├── section_05_level2.yml │ ├── section_06.yml │ ├── section_06_level1.yml │ ├── section_06_level2.yml │ ├── section_07.yml │ ├── section_07_level1.yml │ ├── section_07_level2.yml │ ├── section_08.yml │ ├── section_08_level1.yml │ ├── section_08_level2.yml │ ├── section_09.yml │ ├── section_09_level1.yml │ └── section_09_level2.yml │ └── vars │ └── main.yml ├── secrets.tgz.enc ├── test-hosts └── test-rackspace.yml /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "roles/cis"] 2 | path = roles/cis 3 | url = git://github.com/major/ansible-role-cis.git 4 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | language: python 2 | python: '2.7' 3 | sudo: false 4 | env: 5 | - PYTHONUNBUFFERED=1 6 | before_install: 7 | - openssl aes-256-cbc -K 
$encrypted_9dd3cd511634_key -iv $encrypted_9dd3cd511634_iv -in secrets.tgz.enc -out secrets.tgz -d 8 | - tar xzf secrets.tgz 9 | - echo -e "Host *\n\tStrictHostKeyChecking no\n" >> ~/.ssh/config 10 | install: 11 | - pip install -U pip 12 | - pip install ansible 13 | - pip install rackspace-novaclient 14 | - pip install pyrax 15 | script: 16 | - ansible-playbook -i hosts playbook.yml --syntax-check 17 | - ansible-playbook --private-key=travis-key -v -i test-hosts test-rackspace.yml 18 | - rm -f secrets.tgz .pyrax travis-key 19 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, and 10 | distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by the copyright 13 | owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all other entities 16 | that control, are controlled by, or are under common control with that entity. 17 | For the purposes of this definition, "control" means (i) the power, direct or 18 | indirect, to cause the direction or management of such entity, whether by 19 | contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the 20 | outstanding shares, or (iii) beneficial ownership of such entity. 21 | 22 | "You" (or "Your") shall mean an individual or Legal Entity exercising 23 | permissions granted by this License. 24 | 25 | "Source" form shall mean the preferred form for making modifications, including 26 | but not limited to software source code, documentation source, and configuration 27 | files. 
28 | 29 | "Object" form shall mean any form resulting from mechanical transformation or 30 | translation of a Source form, including but not limited to compiled object code, 31 | generated documentation, and conversions to other media types. 32 | 33 | "Work" shall mean the work of authorship, whether in Source or Object form, made 34 | available under the License, as indicated by a copyright notice that is included 35 | in or attached to the work (an example is provided in the Appendix below). 36 | 37 | "Derivative Works" shall mean any work, whether in Source or Object form, that 38 | is based on (or derived from) the Work and for which the editorial revisions, 39 | annotations, elaborations, or other modifications represent, as a whole, an 40 | original work of authorship. For the purposes of this License, Derivative Works 41 | shall not include works that remain separable from, or merely link (or bind by 42 | name) to the interfaces of, the Work and Derivative Works thereof. 43 | 44 | "Contribution" shall mean any work of authorship, including the original version 45 | of the Work and any modifications or additions to that Work or Derivative Works 46 | thereof, that is intentionally submitted to Licensor for inclusion in the Work 47 | by the copyright owner or by an individual or Legal Entity authorized to submit 48 | on behalf of the copyright owner. For the purposes of this definition, 49 | "submitted" means any form of electronic, verbal, or written communication sent 50 | to the Licensor or its representatives, including but not limited to 51 | communication on electronic mailing lists, source code control systems, and 52 | issue tracking systems that are managed by, or on behalf of, the Licensor for 53 | the purpose of discussing and improving the Work, but excluding communication 54 | that is conspicuously marked or otherwise designated in writing by the copyright 55 | owner as "Not a Contribution." 
56 | 57 | "Contributor" shall mean Licensor and any individual or Legal Entity on behalf 58 | of whom a Contribution has been received by Licensor and subsequently 59 | incorporated within the Work. 60 | 61 | 2. Grant of Copyright License. 62 | 63 | Subject to the terms and conditions of this License, each Contributor hereby 64 | grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, 65 | irrevocable copyright license to reproduce, prepare Derivative Works of, 66 | publicly display, publicly perform, sublicense, and distribute the Work and such 67 | Derivative Works in Source or Object form. 68 | 69 | 3. Grant of Patent License. 70 | 71 | Subject to the terms and conditions of this License, each Contributor hereby 72 | grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, 73 | irrevocable (except as stated in this section) patent license to make, have 74 | made, use, offer to sell, sell, import, and otherwise transfer the Work, where 75 | such license applies only to those patent claims licensable by such Contributor 76 | that are necessarily infringed by their Contribution(s) alone or by combination 77 | of their Contribution(s) with the Work to which such Contribution(s) was 78 | submitted. If You institute patent litigation against any entity (including a 79 | cross-claim or counterclaim in a lawsuit) alleging that the Work or a 80 | Contribution incorporated within the Work constitutes direct or contributory 81 | patent infringement, then any patent licenses granted to You under this License 82 | for that Work shall terminate as of the date such litigation is filed. 83 | 84 | 4. Redistribution. 
85 | 86 | You may reproduce and distribute copies of the Work or Derivative Works thereof 87 | in any medium, with or without modifications, and in Source or Object form, 88 | provided that You meet the following conditions: 89 | 90 | You must give any other recipients of the Work or Derivative Works a copy of 91 | this License; and 92 | You must cause any modified files to carry prominent notices stating that You 93 | changed the files; and 94 | You must retain, in the Source form of any Derivative Works that You distribute, 95 | all copyright, patent, trademark, and attribution notices from the Source form 96 | of the Work, excluding those notices that do not pertain to any part of the 97 | Derivative Works; and 98 | If the Work includes a "NOTICE" text file as part of its distribution, then any 99 | Derivative Works that You distribute must include a readable copy of the 100 | attribution notices contained within such NOTICE file, excluding those notices 101 | that do not pertain to any part of the Derivative Works, in at least one of the 102 | following places: within a NOTICE text file distributed as part of the 103 | Derivative Works; within the Source form or documentation, if provided along 104 | with the Derivative Works; or, within a display generated by the Derivative 105 | Works, if and wherever such third-party notices normally appear. The contents of 106 | the NOTICE file are for informational purposes only and do not modify the 107 | License. You may add Your own attribution notices within Derivative Works that 108 | You distribute, alongside or as an addendum to the NOTICE text from the Work, 109 | provided that such additional attribution notices cannot be construed as 110 | modifying the License. 
111 | You may add Your own copyright statement to Your modifications and may provide 112 | additional or different license terms and conditions for use, reproduction, or 113 | distribution of Your modifications, or for any such Derivative Works as a whole, 114 | provided Your use, reproduction, and distribution of the Work otherwise complies 115 | with the conditions stated in this License. 116 | 117 | 5. Submission of Contributions. 118 | 119 | Unless You explicitly state otherwise, any Contribution intentionally submitted 120 | for inclusion in the Work by You to the Licensor shall be under the terms and 121 | conditions of this License, without any additional terms or conditions. 122 | Notwithstanding the above, nothing herein shall supersede or modify the terms of 123 | any separate license agreement you may have executed with Licensor regarding 124 | such Contributions. 125 | 126 | 6. Trademarks. 127 | 128 | This License does not grant permission to use the trade names, trademarks, 129 | service marks, or product names of the Licensor, except as required for 130 | reasonable and customary use in describing the origin of the Work and 131 | reproducing the content of the NOTICE file. 132 | 133 | 7. Disclaimer of Warranty. 134 | 135 | Unless required by applicable law or agreed to in writing, Licensor provides the 136 | Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, 137 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, 138 | including, without limitation, any warranties or conditions of TITLE, 139 | NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are 140 | solely responsible for determining the appropriateness of using or 141 | redistributing the Work and assume any risks associated with Your exercise of 142 | permissions under this License. 143 | 144 | 8. Limitation of Liability. 
145 | 146 | In no event and under no legal theory, whether in tort (including negligence), 147 | contract, or otherwise, unless required by applicable law (such as deliberate 148 | and grossly negligent acts) or agreed to in writing, shall any Contributor be 149 | liable to You for damages, including any direct, indirect, special, incidental, 150 | or consequential damages of any character arising as a result of this License or 151 | out of the use or inability to use the Work (including but not limited to 152 | damages for loss of goodwill, work stoppage, computer failure or malfunction, or 153 | any and all other commercial damages or losses), even if such Contributor has 154 | been advised of the possibility of such damages. 155 | 156 | 9. Accepting Warranty or Additional Liability. 157 | 158 | While redistributing the Work or Derivative Works thereof, You may choose to 159 | offer, and charge a fee for, acceptance of support, warranty, indemnity, or 160 | other liability obligations and/or rights consistent with this License. However, 161 | in accepting such obligations, You may act only on Your own behalf and on Your 162 | sole responsibility, not on behalf of any other Contributor, and only if You 163 | agree to indemnify, defend, and hold each Contributor harmless for any liability 164 | incurred by, or claims asserted against, such Contributor by reason of your 165 | accepting any such warranty or additional liability. 166 | 167 | END OF TERMS AND CONDITIONS 168 | 169 | APPENDIX: How to apply the Apache License to your work 170 | 171 | To apply the Apache License to your work, attach the following boilerplate 172 | notice, with the fields enclosed by brackets "[]" replaced with your own 173 | identifying information. (Don't include the brackets!) The text should be 174 | enclosed in the appropriate comment syntax for the file format. 
We also 175 | recommend that a file or class name and description of purpose be included on 176 | the same "printed page" as the copyright notice for easier identification within 177 | third-party archives. 178 | 179 | Copyright [yyyy] [name of copyright owner] 180 | 181 | Licensed under the Apache License, Version 2.0 (the "License"); 182 | you may not use this file except in compliance with the License. 183 | You may obtain a copy of the License at 184 | 185 | http://www.apache.org/licenses/LICENSE-2.0 186 | 187 | Unless required by applicable law or agreed to in writing, software 188 | distributed under the License is distributed on an "AS IS" BASIS, 189 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 190 | See the License for the specific language governing permissions and 191 | limitations under the License. 192 | -------------------------------------------------------------------------------- /NOTES.md: -------------------------------------------------------------------------------- 1 | # Notes and caveats 2 | 3 | These notes are valid as of the CIS Red Hat Enterprise Linux 6 benchmark version 1.3.0. 4 | 5 | ### Section 1 6 | 7 | ##### 1.1.1 - 1.1.16 8 | Existing mounts will be modified with benchmark options. Mount points are not created if not pre-existing. 9 | 10 | ##### 1.1.17 11 | Skipped: Adjusting permissions across the filesystem can be destructive. 12 | 13 | ##### 1.2.{1,2,5,6} 14 | Skipped: Some yum operations are skipped as they apply only to RHEL and not CentOS. 15 | 16 | ##### 1.4.6 17 | Skipped: Checking for unconfined daemons should be done via cron jobs or via manual inspection. 18 | 19 | ##### 1.5.{3,4} 20 | Skipped: Adjusting bootloader configurations at a large scale on production machines could be highly destructive upon reboot. 21 | 22 | ### Section 4 23 | 24 | ##### 4.8 25 | IPv6 is disabled so ip6tables is also disabled. 
26 | 27 | ### Section 6 28 | 29 | ##### 6.4 30 | Skipped: Restricting root access only to the system console is a bit too restrictive for most environments. 31 | 32 | ### Section 7 33 | 34 | ##### 7.1.1 - 7.1.3 35 | Existing user password age is not modified. 36 | 37 | ### Section 8 38 | 39 | ##### 8.2 40 | Satisfied by 8.1. 41 | 42 | ##### 8.3 43 | Not addressing graphical desktop environments. 44 | 45 | ### Section 9 46 | 47 | ##### 9.1.1 48 | Not a scorable item and requires human interpretation. This is best handled by AIDE or other file integrity monitoring systems. 49 | 50 | ##### 9.1.10 - 9.1.14 51 | This is best handled by AIDE or other file integrity monitoring systems. 52 | 53 | ##### 9.2 54 | These items all require human intervention to resolve. None of these will be a concern while applying CIS to a vanilla RHEL6 install. 55 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## Ansible + CIS Benchmarks + RHEL/CentOS 6 2 | 3 | [![Build Status](https://travis-ci.org/major/cis-rhel-ansible.svg?branch=master)](https://travis-ci.org/major/cis-rhel-ansible) 4 | 5 | This is an ansible playbook for automatically applying CIS Security Benchmarks to a system running Red Hat Enterprise Linux 6 or CentOS 6. 6 | 7 | _RHEL 7 and CentOS 7 benchmarks are coming soon._ 8 | 9 | ### What are these benchmarks? 10 | The [Center for Internet Security](http://www.cisecurity.org/) publishes [security benchmarks](http://benchmarks.cisecurity.org/) for various systems. Refer to the CIS site as the authoritative source for anything regarding these benchmarks. You can join their community and contribute to the security benchmarks project. 11 | 12 | ***Please be aware that I'm not affiliated with CIS in any way and the data in this repository has absolutely no relation to CIS.*** 13 | 14 | ### What does this playbook do? 
15 | The playbook will attempt to configure your system to meet as many of the CIS security benchmarks as possible. Any benchmarks marked as "not scored" or benchmarks that are only checks will be skipped. 16 | 17 | For full details and caveats, refer to the [notes](NOTES.md). 18 | 19 | ### How do I run it? 20 | ***WAIT! DANGER!*** 21 | 22 | ![http://media.giphy.com/media/7U1XfwZ94okRW/giphy.gif](http://media.giphy.com/media/7U1XfwZ94okRW/giphy.gif) 23 | 24 | **Don't run this blindly on an actively running system.** The playbook will make ***serious*** modifications to your system that could affect its availability. 25 | 26 | #### Basic operation 27 | 28 | Perform a dry run first: 29 | 30 | ansible-playbook -i hosts -C playbook.yml 31 | 32 | If you're ***really really*** ready to apply changes, run it in regular mode: 33 | 34 | ansible-playbook -i hosts playbook.yml 35 | 36 | #### Advanced options 37 | 38 | Tags are available for running a section at a time: 39 | 40 | # Test only items from section 4 41 | ansible-playbook -i hosts -C playbook.yml -t section4 42 | 43 | # Apply changes only from items in section 4, 5, and 6 44 | ansible-playbook -i hosts playbook.yml -t section4,section5,section6 45 | 46 | The checks are also broken up into Level 1 and Level 2 checks: 47 | 48 | * Level 1: Good security improvements with less effects on production workloads 49 | * Level 2: Strong security improvements with greater effects on production workloads 50 | 51 | Running checks for a particular level is easy: 52 | 53 | ansible-playbook -i hosts playbook.yml -t level1 54 | ansible-playbook -i hosts playbook.yml -t level2 55 | 56 | ### How is this playbook licensed? 57 | It's licensed under the [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0.html). The [quick summary](http://bit.ly/VBkBfY) is: 58 | 59 | A license that allows you much freedom with the software, including an explicit right to a patent. 
“State changes” means that you have to include a notice in each file you modified. 60 | 61 | ### Something doesn't work. You're awful at ansible playbooks. 62 | 63 | [Pull requests](https://github.com/major/cis-rhel-ansible/pulls) and [GitHub issues](https://github.com/major/cis-rhel-ansible/issues) are welcome! 64 | 65 | _-- Major_ 66 | -------------------------------------------------------------------------------- /ansible.cfg: -------------------------------------------------------------------------------- 1 | [defaults] 2 | pipelining=True -------------------------------------------------------------------------------- /hosts: -------------------------------------------------------------------------------- 1 | [targets] 2 | localhost ansible_connection=local 3 | -------------------------------------------------------------------------------- /playbook.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Copyright 2014 Major Hayden 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 
16 | # 17 | 18 | - hosts: all 19 | accelerate: true 20 | user: root 21 | roles: 22 | - cis 23 | -------------------------------------------------------------------------------- /roles/cis/README.md: -------------------------------------------------------------------------------- 1 | CIS 2 | ========= 3 | 4 | This role can be used to audit or remediate a host against the Center for Internet Security (CIS) security benchmarks. 5 | 6 | *Disclaimer: This project has no affiliation with CIS. The role and its contents have not been reviewed or endorsed by CIS.* 7 | 8 | Requirements 9 | ------------ 10 | 11 | This role has no requirements or dependencies. 12 | 13 | Role Variables 14 | -------------- 15 | 16 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. 17 | 18 | Dependencies 19 | ------------ 20 | 21 | Some sensible defaults are configured and documented within defaults/main.yml. These defaults are set so they would cause minimal disruption to a production system. However, it's *your* responsibility to verify that the default configuration will not harm your production server. *Always* run the role in check mode if you're unsure of its effects. 22 | 23 | Be aware that some of the default variables are set against CIS recommendations in the hopes that they will cause minimal disruption to a system. 
24 | 25 | Example Playbook 26 | ---------------- 27 | 28 | Playbooks can utilize the CIS role without much effort: 29 | 30 | - hosts: all 31 | roles: 32 | - cis 33 | 34 | The role is thoroughly tagged so that you can run certain sections or certain levels of checks: 35 | 36 | # Test only items from section 4 37 | ansible-playbook -i hosts -C playbook.yml -t section4 38 | 39 | # Apply changes only from items in section 4, 5, and 6 40 | ansible-playbook -i hosts playbook.yml -t section4,section5,section6 41 | 42 | License 43 | ------- 44 | 45 | Apache License, Version 2.0 46 | 47 | Author Information 48 | ------------------ 49 | 50 | Major Hayden 51 | -------------------------------------------------------------------------------- /roles/cis/defaults/main.yml: -------------------------------------------------------------------------------- 1 | # Should we configure AIDE on the system? (CIS 1.3) 2 | # Options: 3 | # yes: install and configure AIDE 4 | # no: do not install or configure AIDE 5 | configure_aide: yes 6 | 7 | # auditd (CIS 5.2) 8 | # These are sensible defaults but you may change these to fit your system. 9 | action_mail_acct: "root" 10 | admin_space_left_action: "halt" 11 | max_log_file: 100 12 | max_log_file_action: "keep_logs" 13 | space_left_action: "email" 14 | 15 | # rsyslog (5.1.6) 16 | # Options: 17 | # yes: configure rsyslog to receive remote logs from other servers 18 | # no: do not configure rsyslog to receive remote logs from other servers 19 | rsyslog_host: no 20 | 21 | # ---------------------------------------------------------------------------- 22 | # WARNING 23 | # THIS SECTION IS HAZARDOUS TO PRODUCTION SERVERS. SERIOUSLY. 
24 | # ---------------------------------------------------------------------------- 25 | # Options: 26 | # yes: disable/uninstall these services to meet CIS requirements 27 | # no: do not alter these services from their current status 28 | dns: no 29 | dovecot: no 30 | ftp: no 31 | httpd: no 32 | ldap_client: no 33 | ldap_server: no 34 | nfs: no 35 | samba: no 36 | snmp: no 37 | squid: no 38 | 39 | # CIS 7.5 says that users who are inactive for over 35 days must have their 40 | # accounts disabled. This could cause issues in some environments. 41 | # Options: 42 | # yes: disable accounts inactive > 35 days per CIS requirements 43 | # no: don't adjust inactive account settings 44 | lock_inactive: no 45 | 46 | # Enable iptables (CIS 4.7) 47 | # You should check to see that your current iptables configuration in 48 | # /etc/sysconfig/iptables is configured properly so that you don't lose access 49 | # to your server when iptables is enabled. If you're already using iptables, 50 | # then this setting won't affect you either way. 51 | # Options: 52 | # yes: enable iptables and load the rules from /etc/sysconfig/iptables 53 | # no: don't alter iptables whatsoever 54 | enable_iptables: no 55 | 56 | # Enable ip6tables (CIS 4.8) 57 | # You should check to see that your current ip6tables configuration in 58 | # /etc/sysconfig/ip6tables is configured properly so that you don't lose access 59 | # to your server when ip6tables is enabled. If you're already using ip6tables, 60 | # then this setting won't affect you either way. 61 | # Options: 62 | # yes: enable ip6tables and load the rules from /etc/sysconfig/ip6tables 63 | # no: don't alter ip6tables whatsoever 64 | enable_ip6tables: no 65 | 66 | # Disable IPv6 (CIS 4.4.2) 67 | # It's recommended to configure IPv6 properly instead of disabling it entirely. 68 | # If your organization really doesn't use IPv6 at all, you could accept the 69 | # CIS requirements and disable IPv6. 
70 | # Options: 71 | # yes: disable IPv6 per CIS requirements 72 | # no: don't alter the IPv6 configuration 73 | disable_ipv6: no 74 | 75 | # SSH configurations (CIS Section 6.2) 76 | # Uncomment these variables and set them accordingly to have them applied. They 77 | # are not applied by default. 78 | #ssh_allow_groups: 79 | #ssh_allow_users: 80 | #ssh_deny_groups: 81 | #ssh_deny_users: 82 | 83 | # 9.1.10 - 9.1.12 to verify & find 84 | verify_find: no 85 | 86 | # 9.1.12 - 9.1.14 to verify rpm 87 | verify_rpm: no 88 | -------------------------------------------------------------------------------- /roles/cis/files/etc/audit/audit.rules: -------------------------------------------------------------------------------- 1 | # This file contains the auditctl rules that are loaded 2 | # whenever the audit daemon is started via the initscripts. 3 | # The rules are simply the parameters that would be passed 4 | # to auditctl. 5 | 6 | # First rule - delete all 7 | -D 8 | 9 | # Increase the buffers to survive stress events. 10 | # Make this bigger for busy systems 11 | -b 320 12 | 13 | # Feel free to add below this line. 
See auditctl man page 14 | 15 | # 5.2.4 Record Events That Modify Date and Time Information 16 | -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change 17 | -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change 18 | -a always,exit -F arch=b64 -S clock_settime -k time-change 19 | -a always,exit -F arch=b32 -S clock_settime -k time-change 20 | -w /etc/localtime -p wa -k time-change 21 | 22 | # 5.2.5 Record Events That Modify User/Group Information 23 | -w /etc/group -p wa -k identity 24 | -w /etc/passwd -p wa -k identity 25 | -w /etc/gshadow -p wa -k identity 26 | -w /etc/shadow -p wa -k identity 27 | -w /etc/security/opasswd -p wa -k identity 28 | 29 | # 5.2.6 Record Events That Modify the System's Network Environment 30 | -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale 31 | -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale 32 | -w /etc/issue -p wa -k system-locale 33 | -w /etc/issue.net -p wa -k system-locale 34 | -w /etc/hosts -p wa -k system-locale 35 | -w /etc/sysconfig/network -p wa -k system-locale 36 | 37 | # 5.2.7 Record Events That Modify the System's Mandatory Access Controls 38 | -w /etc/selinux/ -p wa -k MAC-policy 39 | 40 | # 5.2.8 Collect Login and Logout Events 41 | -w /var/log/faillog -p wa -k logins 42 | -w /var/log/lastlog -p wa -k logins 43 | -w /var/log/tallylog -p wa -k logins 44 | 45 | # 5.2.9 Collect Session Initiation Information 46 | -w /var/run/utmp -p wa -k session 47 | -w /var/log/wtmp -p wa -k session 48 | -w /var/log/btmp -p wa -k session 49 | 50 | # 5.2.10 Collect Discretionary Access Control Permission Modification Events 51 | -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod 52 | -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod 53 | -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k 
perm_mod 54 | -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod 55 | -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod 56 | -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod 57 | 58 | # 5.2.11 Collect Unsuccessful Unauthorized Access Attempts to Files 59 | -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access 60 | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access 61 | -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access 62 | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access 63 | 64 | # 5.2.13 Collect Successful File System Mounts 65 | -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts 66 | -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts 67 | 68 | # 5.2.14 Collect File Deletion Events by User 69 | -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete 70 | -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete 71 | 72 | # 5.2.15 Collect Changes to System Administration Scope 73 | -w /etc/sudoers -p wa -k scope 74 | 75 | # 5.2.16 Collect System Administrator Actions 76 | -w /var/log/sudo.log -p wa -k actions 77 | 78 | # 5.2.17 Collect Kernel Module Loading and Unloading 79 | -w /sbin/insmod -p x -k modules 80 | -w /sbin/rmmod -p x -k modules 81 | -w /sbin/modprobe -p x -k modules 82 | 
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules 83 | 84 | # 5.2.18 Make the Audit Configuration Immutable 85 | -e 2 86 | -------------------------------------------------------------------------------- /roles/cis/files/etc/issue: -------------------------------------------------------------------------------- 1 | Authorized uses only. All activity may be monitored and reported. 2 | -------------------------------------------------------------------------------- /roles/cis/files/etc/issue.net: -------------------------------------------------------------------------------- 1 | Authorized uses only. All activity may be monitored and reported. 2 | -------------------------------------------------------------------------------- /roles/cis/files/etc/logrotate.d/syslog: -------------------------------------------------------------------------------- 1 | /var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron { 2 | -------------------------------------------------------------------------------- /roles/cis/files/etc/motd: -------------------------------------------------------------------------------- 1 | Authorized uses only. All activity may be monitored and reported. 2 | -------------------------------------------------------------------------------- /roles/cis/files/etc/pam.d/password-auth: -------------------------------------------------------------------------------- 1 | #%PAM-1.0 2 | # This file is auto-generated. 3 | # User changes will be destroyed the next time authconfig is run. 
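auth required pam_env.so
# CIS 6.3.3 lockout via pam_faillock: 5 failures -> 15 minute lock. Keep the
# preauth / authfail / authsucc order; "[success=1 default=bad]" on pam_unix skips the
# authfail line on a correct password so authsucc can reset the counter.
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
auth required pam_deny.so
# NOTE(review): system-auth in this role counts failures with pam_tally2 instead, so
# sshd (this file) and console/su failures are tallied independently; one mechanism in
# both files is easier to reason about and to unlock.

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

# Password quality, hashing and history now match system-auth. sshd-initiated password
# changes go through this file, so the original (md5, no length/class requirements, no
# remember=) let users bypass CIS 6.3.1 / 6.3.2 / 6.3.4 simply by changing their
# password over ssh.
password requisite pam_cracklib.so try_first_pass retry=3 type= minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

--------------------------------------------------------------------------------
/roles/cis/files/etc/pam.d/su:
--------------------------------------------------------------------------------
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
# CIS 6.5: only wheel members may su at all; without "trust" they still need the target
# account's password, checked by the system-auth include below.
auth required pam_wheel.so use_uid
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so

--------------------------------------------------------------------------------
/roles/cis/files/etc/pam.d/system-auth:
--------------------------------------------------------------------------------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.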
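auth required pam_env.so
# CIS 6.3.3 lockout via pam_tally2: 5 failures -> 15 minute lock; onerr=fail denies
# when the tally file cannot be read.
auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900
# pam_unix is the module that actually verifies the password. As shipped in this role
# the auth stack was pam_env, pam_tally2, pam_deny only -- nothing in it could return
# success, so every login that goes through system-auth (console, su) was refused.
auth sufficient pam_unix.so try_first_pass
auth required pam_deny.so

# pam_tally2 resets a user's failure count only in the account phase; without this line
# the tally keeps growing across successful logins until deny=5 locks the account for
# good (see pam_tally2(8)).
account required pam_tally2.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

# CIS 6.3.1 (sha512), 6.3.2 (length and character classes), 6.3.4 (remember=5).
password required pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

--------------------------------------------------------------------------------
/roles/cis/files/etc/rsyslog.conf:
--------------------------------------------------------------------------------
# Execute the following command to restart rsyslogd
# pkill -HUP rsyslogd

# rsyslog v5 configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability

# Provides UDP syslog reception
# Kept disabled (CIS 5.1.5): only a designated log host should accept remote messages.
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Log files rsyslog creates itself (kern.log, daemon.log, syslog, unused.log below)
# default to 0644; keep them from being world-readable (CIS 5.1.3).
$FileCreateMode 0640

# File syncing capability is disabled by default.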
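# This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf


#### RULES ####
# CIS 5.1.2 destinations. The original routed only auth/user/kern/daemon/syslog and the
# lpr/news/uucp/local0-6 facilities; authpriv, mail, cron and local7 were not routed at
# all, so su/login failures (pam_unix logs to authpriv, as does sudo on RHEL by default),
# cron output and boot messages were discarded. They now land in the stock RHEL files,
# which this role's logrotate.d/syslog already lists.
auth.*,user.* /var/log/messages
authpriv.* /var/log/secure
kern.* /var/log/kern.log
daemon.* /var/log/daemon.log
syslog.* /var/log/syslog
mail.* -/var/log/maillog
cron.* /var/log/cron
local7.* /var/log/boot.log
lpr.*,news.*,uucp.*,local0.*,local1.*,local2.*,local3.*,local4.*,local5.*,local6.* /var/log/unused.log
# Emergencies go to every logged-in terminal.
*.emerg *
# NOTE(review): nothing is forwarded off-host (CIS 5.1.4). Add "*.* @@loghost:514" once
# a central collector exists, so an intruder cannot simply truncate the local files.

--------------------------------------------------------------------------------
/roles/cis/handlers/main.yml:
--------------------------------------------------------------------------------
---
#
# Copyright 2014 Major Hayden
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.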
#

# Re-reads auditd.conf only. On EL6 a SIGHUP does not make auditd reload
# /etc/audit/audit.rules (the init script loads them with "auditctl -R" at start),
# and once that file's "-e 2" is active no rule change is accepted until reboot.
# Treat a notify of this handler as "daemon config re-read", not "rules applied".
- name: Reload auditd Rules
  command: /usr/bin/pkill -HUP -P 1 auditd

# Undo prelinking already applied to binaries so AIDE (CIS 1.3.1) checksums stable
# files; setting PRELINKING=no alone only stops future runs.
- name: Reload prelinking
  command: /usr/sbin/prelink -ua

# rc 7 is the LSB "program is not running" status, so a host where sshd is stopped is
# not treated as a failure; any other non-zero status is.
- name: Reload sshd
  shell: /etc/init.d/sshd reload
  register: result
  changed_when: "result.rc == 0"
  failed_when: "result.rc not in [0, 7]"

--------------------------------------------------------------------------------
/roles/cis/meta/main.yml:
--------------------------------------------------------------------------------
---
galaxy_info:
  author: Major Hayden
  description: Audit/remediate hosts using CIS security benchmarks
  company: M/A
  # Some suggested licenses:
  # - BSD (default)
  # - MIT
  # - GPLv2
  # - GPLv3
  # - Apache
  # - CC-BY
  license: Apache
  min_ansible_version: 1.2
  #
  # Below are all platforms currently available. Just uncomment
  # the ones that apply to your role. If you don't see your
  # platform on this list, let us know and we'll get it added!
19 | # 20 | platforms: 21 | - name: EL 22 | versions: 23 | # - all 24 | # - 5 25 | - 6 26 | # - 7 27 | #- name: GenericUNIX 28 | # versions: 29 | # - all 30 | # - any 31 | #- name: Fedora 32 | # versions: 33 | # - all 34 | # - 16 35 | # - 17 36 | # - 18 37 | # - 19 38 | # - 20 39 | #- name: opensuse 40 | # versions: 41 | # - all 42 | # - 12.1 43 | # - 12.2 44 | # - 12.3 45 | # - 13.1 46 | # - 13.2 47 | #- name: Amazon 48 | # versions: 49 | # - all 50 | # - 2013.03 51 | # - 2013.09 52 | #- name: GenericBSD 53 | # versions: 54 | # - all 55 | # - any 56 | #- name: FreeBSD 57 | # versions: 58 | # - all 59 | # - 8.0 60 | # - 8.1 61 | # - 8.2 62 | # - 8.3 63 | # - 8.4 64 | # - 9.0 65 | # - 9.1 66 | # - 9.1 67 | # - 9.2 68 | #- name: Ubuntu 69 | # versions: 70 | # - all 71 | # - lucid 72 | # - maverick 73 | # - natty 74 | # - oneiric 75 | # - precise 76 | # - quantal 77 | # - raring 78 | # - saucy 79 | # - trusty 80 | #- name: SLES 81 | # versions: 82 | # - all 83 | # - 10SP3 84 | # - 10SP4 85 | # - 11 86 | # - 11SP1 87 | # - 11SP2 88 | # - 11SP3 89 | #- name: GenericLinux 90 | # versions: 91 | # - all 92 | # - any 93 | #- name: Debian 94 | # versions: 95 | # - all 96 | # - etch 97 | # - lenny 98 | # - squeeze 99 | # - wheezy 100 | # 101 | # Below are all categories currently available. Just as with 102 | # the platforms above, uncomment those that apply to your role. 103 | # 104 | categories: system 105 | #- cloud 106 | #- cloud:ec2 107 | #- cloud:gce 108 | #- cloud:rax 109 | #- clustering 110 | #- database 111 | #- database:nosql 112 | #- database:sql 113 | #- development 114 | #- monitoring 115 | #- networking 116 | #- packaging 117 | #- system 118 | #- web 119 | dependencies: [] 120 | # List your role dependencies here, one per line. Only 121 | # dependencies available via galaxy should be listed here. 122 | # Be sure to remove the '[]' above if you add dependencies 123 | # to this list. 
124 | 125 | -------------------------------------------------------------------------------- /roles/cis/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Copyright 2014 Major Hayden 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | # 17 | 18 | - include: section_01.yml 19 | tags: section1 20 | 21 | - include: section_02.yml 22 | tags: section2 23 | 24 | - include: section_03.yml 25 | tags: section3 26 | 27 | - include: section_04.yml 28 | tags: section4 29 | 30 | - include: section_05.yml 31 | tags: section5 32 | 33 | - include: section_06.yml 34 | tags: section6 35 | 36 | - include: section_07.yml 37 | tags: section7 38 | 39 | - include: section_08.yml 40 | tags: section8 41 | 42 | - include: section_09.yml 43 | tags: section9 44 | -------------------------------------------------------------------------------- /roles/cis/tasks/section_01.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Copyright 2014 Major Hayden 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 
7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | # 17 | 18 | - include: section_01_level1.yml 19 | tags: 20 | - section1 21 | - level1 22 | 23 | - include: section_01_level2.yml 24 | tags: 25 | - section1 26 | - level2 27 | -------------------------------------------------------------------------------- /roles/cis/tasks/section_01_level1.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Copyright 2014 Major Hayden 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | # 17 | 18 | - name: 1.1.1 Create Separate Partition for /tmp (Scored) 19 | debug: msg="*** Manually create Separate Partition for /tmp." 
20 | tags: 21 | - scored 22 | - section1.1 23 | - section1.1.1 24 | 25 | - name: 1.1.2 - 1.1.4 Set nodev,nosuid,noexec option for /tmp Partition (Scored) 26 | mount: > 27 | name="/tmp" 28 | src={{ item.device }} 29 | state=mounted 30 | fstype={{ item.fstype }} 31 | opts="nodev,nosuid,noexec" 32 | when: item.mount == "/tmp" 33 | with_items: ansible_mounts 34 | tags: 35 | - scored 36 | - section1.1 37 | - section1.1.2 38 | - section1.1.3 39 | - section1.1.4 40 | 41 | - name: 1.1.5 Create Separate Partition for /var (Scored) 42 | debug: msg="*** Manually create Separate Partition for /var." 43 | tags: 44 | - scored 45 | - section1.1 46 | - section1.1.5 47 | 48 | - name: 1.1.6 Bind Mount the /var/tmp directory to /tmp (Scored) 49 | mount: > 50 | name="/var/tmp" 51 | src="/tmp" 52 | state=mounted 53 | fstype="none" 54 | opts="bind" 55 | when: item.mount == "/tmp" 56 | with_items: ansible_mounts 57 | tags: 58 | - scored 59 | - section1.1 60 | - section1.1.6 61 | 62 | - name: 1.1.7 Create Separate Partition for /var/log (Scored) 63 | debug: msg="*** Manually create Separate Partition for /var/log." 64 | tags: 65 | - scored 66 | - section1.1 67 | - section1.1.7 68 | 69 | - name: 1.1.8 Create Separate Partition for /var/log/audit (Scored) 70 | debug: msg="*** Manually create Separate Partition for /var/log/audit." 71 | tags: 72 | - scored 73 | - section1.1 74 | - section1.1.8 75 | 76 | - name: 1.1.9 Create Separate Partition for /home (Scored) 77 | debug: msg="*** Manually create Separate Partition for /home." 
78 | tags: 79 | - scored 80 | - section1.1 81 | - section1.1.9 82 | 83 | - name: 1.1.10 Add nodev Option to /home Partition (Scored) 84 | mount: > 85 | name="/home" 86 | src={{ item.device }} 87 | state=mounted 88 | fstype={{ item.fstype }} 89 | opts="nodev" 90 | when: item.mount == "/home" 91 | with_items: ansible_mounts 92 | tags: 93 | - scored 94 | - section1.1 95 | - section1.1.10 96 | 97 | - name: 1.1.11 Add nodev Option to Removable Media Partitions (Not Scored) 98 | debug: msg="*** Not relevant." 99 | tags: 100 | - scored 101 | - section1.1 102 | - section1.1.11 103 | 104 | - name: 1.1.12 Add noexec Option to Removable Media Partitions (Not Scored) 105 | debug: msg="*** Not relevant." 106 | tags: 107 | - notscored 108 | - section1.1 109 | - section1.1.12 110 | 111 | - name: 1.1.13 Add nosuid Option to Removable Media Partitions (Not Scored) 112 | debug: msg="*** Not relevant." 113 | tags: 114 | - notscored 115 | - section1.1 116 | - section1.1.13 117 | 118 | - name: 1.1.14 - 1.1.16 Add noexec Option to /dev/shm Partition (Scored) 119 | mount: > 120 | name="/dev/shm" 121 | src="none" 122 | state=mounted 123 | fstype="tmpfs" 124 | opts="nodev,nosuid,noexec" 125 | tags: 126 | - section1.1 127 | - section1.1.14 128 | - section1.1.15 129 | - section1.1.16 130 | - scored 131 | 132 | - name: 1.1.17 Set sticky bit on all world-writeable directories (Scored) 133 | debug: msg="*** May be too destructive -- see notes" 134 | tags: 135 | - scored 136 | - section1.1 137 | - section1.1.17 138 | 139 | - name: 1.2.1 Configure Connection to the RHN RPM repositories (Not Scored) 140 | command: yum check-update 141 | register: result 142 | failed_when: "result.rc == 1" 143 | when: ansible_distribution == "RedHat" 144 | tags: 145 | - notscored 146 | - section1.2 147 | - section1.2.1 148 | 149 | - name: 1.2.2 Verify Red Hat GPG key is installed (Scored) 150 | command: gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 151 | when: ansible_distribution == 
"RedHat" 152 | tags: 153 | - scored 154 | - section1.2 155 | - section1.2.2 156 | 157 | - name: 1.2.3 Verify that gpgcheck is Globally Activated (Scored) 158 | lineinfile: > 159 | state=present 160 | dest=/etc/yum.conf 161 | regexp=^gpgcheck= 162 | line=gpgcheck=1 163 | tags: 164 | - scored 165 | - section1.2 166 | - section1.2.3 167 | 168 | - name: 1.2.5 Obtain software package updates with yum (Not Scored) 169 | debug: msg="*** Check manually." 170 | tags: 171 | - notscored 172 | - section1.2 173 | - section1.2.5 174 | 175 | - name: 1.2.6 Verify package integrity using RPM (Not Scored) 176 | debug: msg="*** Check via cron/AIDE/manually" 177 | tags: 178 | - notscored 179 | - section1.2 180 | - section1.2.6 181 | 182 | - name: 1.5.1 Get Absolute Path to grub.conf 183 | command: readlink -f /etc/grub.conf 184 | register: readlink 185 | changed_when: false 186 | always_run: yes 187 | tags: 188 | - scored 189 | - section1.5 190 | - section1.5.1 191 | 192 | - name: 1.5.1 Set User/Group Owner on /etc/grub.conf (Scored) 193 | file: > 194 | path={{ readlink.stdout }} 195 | owner=root 196 | group=root 197 | tags: 198 | - scored 199 | - section1.5 200 | - section1.5.1 201 | 202 | - name: 1.5.2 Get Absolute Path to grub.conf 203 | command: readlink -f /etc/grub.conf 204 | register: readlink 205 | changed_when: false 206 | always_run: yes 207 | tags: 208 | - scored 209 | - section1.5 210 | - section1.5.2 211 | 212 | - name: 1.5.2 Set Permissions on /etc/grub.conf (Scored) 213 | file: > 214 | path={{ readlink.stdout }} 215 | mode=0400 216 | tags: 217 | - scored 218 | - section1.5 219 | - section1.5.2 220 | 221 | - name: 1.5.3 Set boot loader password (Scored) 222 | debug: msg="*** Too destructive for production systems. Evaluate for your environment first." 223 | tags: 224 | - scored 225 | - section1.5 226 | - section1.5.3 227 | 228 | - name: 1.5.4 Require authentication for single-user mode (Scored) 229 | debug: msg="*** Too destructive for production systems. 
Evaluate for your environment first." 230 | tags: 231 | - scored 232 | - section1.5 233 | - section1.5.4 234 | 235 | - name: 1.5.5 Disable Interactive Boot (Scored) 236 | lineinfile: > 237 | dest=/etc/sysconfig/init 238 | regexp=^PROMPT= 239 | line=PROMPT=no 240 | tags: 241 | - scored 242 | - section1.5 243 | - section1.5.5 244 | 245 | - name: 1.6.1 Restrict core dumps (Scored) - via pam 246 | lineinfile: > 247 | dest=/etc/security/limits.conf 248 | line="* hard core 0" 249 | insertafter=EOF 250 | tags: 251 | - scored 252 | - section1.6 253 | - section1.6.1 254 | 255 | - name: 1.6.1 Restrict core dumps (Scored) - via sysctl 256 | sysctl: > 257 | name=fs.suid_dumpable 258 | value=0 259 | state=present 260 | ignoreerrors=yes 261 | tags: 262 | - scored 263 | - section1.6 264 | - section1.6.1 265 | 266 | - name: 1.6.2 Configure ExecShield (Scored) 267 | sysctl: > 268 | name=kernel.exec-shield 269 | value=1 270 | state=present 271 | ignoreerrors=yes 272 | tags: 273 | - scored 274 | - section1.6 275 | - section1.6.2 276 | 277 | - name: 1.6.3 Enable Randomized Virtual Memory Region Placement (Scored) 278 | sysctl: > 279 | name=kernel.randomize_va_space 280 | value=2 281 | state=present 282 | ignoreerrors=yes 283 | tags: 284 | - scored 285 | - section1.6 286 | - section1.6.3 287 | 288 | - name: 1.7 Use the Latest OS Release (Not Scored) 289 | command: > 290 | cat /etc/redhat-release 291 | when: ansible_distribution == "RedHat" 292 | tags: 293 | - notscored 294 | - section1.7 295 | -------------------------------------------------------------------------------- /roles/cis/tasks/section_01_level2.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Copyright 2014 Major Hayden 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 
7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | # 17 | 18 | - name: Create /etc/modprobe.d/CIS.conf with root ownership & mode 19 | file: path=/etc/modprobe.d/CIS.conf state=touch owner=root group=root mode=0600 20 | changed_when: false 21 | tags: 22 | - notscored 23 | - section1.1 24 | - section1.1.18 25 | - section1.1.19 26 | - section1.1.20 27 | - section1.1.21 28 | - section1.1.22 29 | - section1.1.23 30 | - section1.1.24 31 | 32 | - name: 1.1.18 Disable Mounting of cramfs Filesystems (Not Scored) 33 | lineinfile: > 34 | state=present 35 | dest=/etc/modprobe.d/CIS.conf 36 | line="install cramfs /bin/true" 37 | tags: 38 | - notscored 39 | - section1.1 40 | - section1.1.18 41 | 42 | - name: 1.1.19 Disable Mounting of freevxfs Filesystems (Not Scored) 43 | lineinfile: > 44 | state=present 45 | dest=/etc/modprobe.d/CIS.conf 46 | line="install freevxfs /bin/true" 47 | tags: 48 | - notscored 49 | - section1.1 50 | - section1.1.19 51 | 52 | - name: 1.1.20 Disable Mounting of jffs2 Filesystems (Not Scored) 53 | lineinfile: > 54 | state=present 55 | dest=/etc/modprobe.d/CIS.conf 56 | line="install jffs2 /bin/true" 57 | tags: 58 | - notscored 59 | - section1.1 60 | - section1.1.20 61 | 62 | - name: 1.1.21 Disable Mounting of hfs Filesystems (Not Scored) 63 | lineinfile: > 64 | state=present 65 | dest=/etc/modprobe.d/CIS.conf 66 | line="install hfs /bin/true" 67 | tags: 68 | - notscored 69 | - section1.1 70 | - section1.1.21 71 | 72 | - name: 1.1.22 Disable Mounting of hfsplus Filesystems (Not Scored) 73 | lineinfile: > 74 | state=present 75 | dest=/etc/modprobe.d/CIS.conf 
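line="install hfsplus /bin/true"
  tags:
    - notscored
    - section1.1
    - section1.1.22

- name: 1.1.23 Disable Mounting of squashfs Filesystems (Not Scored)
  lineinfile: >
    state=present
    dest=/etc/modprobe.d/CIS.conf
    line="install squashfs /bin/true"
  tags:
    - notscored
    - section1.1
    - section1.1.23

- name: 1.1.24 Disable Mounting of udf Filesystems (Not Scored)
  lineinfile: >
    state=present
    dest=/etc/modprobe.d/CIS.conf
    line="install udf /bin/true"
  tags:
    - notscored
    - section1.1
    - section1.1.24

- name: 1.2.4 Check to see if rhnsd daemon is installed (Not Scored)
  stat: path=/etc/init.d/rhnsd
  register: rhnsd_service
  when: ansible_distribution == "RedHat"
  tags:
    - notscored
    - section1.2
    - section1.2.4

# The stat above was registered but never consulted, so "chkconfig rhnsd off" failed on
# any RedHat host without rhnsd installed. Gate on the stat result and let the service
# module make the (idempotent) chkconfig call, as the xinetd tasks in section 2 do.
- name: 1.2.4 Disable the rhnsd Daemon (Not Scored)
  service: >
    name=rhnsd
    enabled=no
  when: ansible_distribution == "RedHat" and rhnsd_service.stat.exists
  tags:
    - notscored
    - section1.2
    - section1.2.4

- name: 1.3.1 Install AIDE (Scored)
  yum: >
    name=aide
    state=present
  when: configure_aide
  tags:
    - scored
    - section1.3
    - section1.3.1

# Writes the baseline straight to the path aide.conf reads (aide.db.gz), so no manual
# rename of aide.db.new.gz is needed. "creates=" makes this a one-shot: the baseline is
# whatever the host looked like the first time this role ran, so take it on a freshly
# built host after the rest of this role has applied, not on a long-lived one.
- name: 1.3.1 Install AIDE (Initialize AIDE) (Scored)
  command: >
    /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz'
    creates=/var/lib/aide/aide.db.gz
  when: configure_aide
  tags:
    - scored
    - section1.3
    - section1.3.1

- name: 1.3.1 Install AIDE (check is prelink installed) (Scored)
  stat: path=/usr/sbin/prelink
  register: prelink_stat
  tags:
    - scored
    - section1.3
    - section1.3.1

# Prelinking rewrites binaries in place and defeats AIDE's checksums. PRELINKING=no only
# stops future runs; binaries already prelinked must be restored with "prelink -ua",
# which is what the role's "Reload prelinking" handler does and what the original task
# never triggered.
- name: 1.3.1 Install AIDE (Disable Prelinking) (Scored)
  lineinfile: >
    state=present
    dest=/etc/sysconfig/prelink
    regexp=^PRELINKING=
    line=PRELINKING=no
    create=yes
  when: configure_aide and prelink_stat.stat.exists
  notify: Reload prelinking
  tags:
    - scored
    - section1.3
    - section1.3.1

# Output of the nightly check goes wherever cron mails root; it is only useful if that
# mailbox is read or forwarded.
- name: 1.3.2 Implement Periodic Execution of File Integrity (Scored)
  cron: >
    name="Run AIDE (CIS 1.3.2)"
    minute="0"
    hour="5"
    job="/usr/sbin/aide --check"
  when: configure_aide
  tags:
    - scored
    - section1.3
    - section1.3.2

# "lineinfile state=absent line=selinux=0" only deletes a line that is exactly
# "selinux=0"; the token sits inside the kernel command line, so the original task never
# removed anything and SELinux could stay disabled at boot while 1.4.3 reported success.
# Strip the token from every kernel line instead (replace needs Ansible >= 1.6).
- name: 1.4.1 Enable SELinux in /etc/grub.conf (Scored)
  replace:
    dest: /etc/grub.conf
    regexp: '[ \t]*\bselinux=0\b'
    replace: ''
  tags:
    - scored
    - section1.4
    - section1.4.1

- name: 1.4.1 Enable SELinux in /etc/grub.conf (Scored)
  replace:
    dest: /etc/grub.conf
    regexp: '[ \t]*\benforcing=0\b'
    replace: ''
  tags:
    - scored
    - section1.4
    - section1.4.1

- name: 1.4.2 Set the SELinux State (Scored)
  yum: >
    name=selinux-policy-targeted
    state=present
  tags:
    - scored
    - section1.4
    - section1.4.2

# ignore_errors means a host whose kernel booted with SELinux disabled (it cannot be
# switched on at runtime; a reboot after 1.4.1 is needed) silently stays non-enforcing.
# Verify with "getenforce" in your audit pass rather than trusting this task's result.
- name: 1.4.3 Set the SELinux Policy (Scored)
  selinux: >
    state=enforcing
    policy=targeted
  ignore_errors: yes
  tags:
    - scored
    - section1.4
    - section1.4.3

- name: 1.4.4 Remove SETroubleshoot (Scored)
  yum: >
    name=setroubleshoot
    state=absent
  tags:
    - scored
    - section1.4
    - section1.4.4

- name: 1.4.5 Remove MCS Translation Service (mcstrans) (Scored)
  yum: >
    name=mcstrans
    state=absent
  tags:
    - scored
    - section1.4
    - section1.4.5

- name: 1.4.6 Check for unconfined daemons (Scored)
  debug: msg="*** Check via cron jobs or manually."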
233 | tags: 234 | - scored 235 | - section1.4 236 | - section1.4.6 237 | -------------------------------------------------------------------------------- /roles/cis/tasks/section_02.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Copyright 2014 Major Hayden 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | # 17 | 18 | - include: section_02_level1.yml 19 | tags: 20 | - section2 21 | - level1 22 | 23 | - include: section_02_level2.yml 24 | tags: 25 | - section2 26 | - level2 27 | -------------------------------------------------------------------------------- /roles/cis/tasks/section_02_level1.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Copyright 2014 Major Hayden 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 
16 | # 17 | 18 | - name: 2.1.1 Remove telnet-server (Scored) 19 | yum: > 20 | name=telnet-server 21 | state=absent 22 | tags: 23 | - scored 24 | - section2.1 25 | - section2.1.1 26 | 27 | - name: 2.1.2 Remove telnet Clients (Scored) 28 | yum: > 29 | name=telnet 30 | state=absent 31 | tags: 32 | - scored 33 | - section2.1 34 | - section2.1.2 35 | 36 | - name: 2.1.3 Remove rsh-server (Scored) 37 | yum: > 38 | name=rsh-server 39 | state=absent 40 | tags: 41 | - scored 42 | - section2.1 43 | - section2.1.3 44 | 45 | - name: 2.1.4 Remove rsh (Scored) 46 | yum: > 47 | name=rsh 48 | state=absent 49 | tags: 50 | - scored 51 | - section2.1 52 | - section2.1.4 53 | 54 | - name: 2.1.5 Remove NIS Client (Scored) 55 | yum: > 56 | name=ypbind 57 | state=absent 58 | tags: 59 | - scored 60 | - section2.1 61 | - section2.1.5 62 | 63 | - name: 2.1.6 Remove NIS Server (Scored) 64 | yum: > 65 | name=ypserv 66 | state=absent 67 | tags: 68 | - scored 69 | - section2.1 70 | - section2.1.6 71 | 72 | - name: 2.1.7 Remove tftp (Scored) 73 | yum: > 74 | name=tftp 75 | state=absent 76 | tags: 77 | - scored 78 | - section2.1 79 | - section2.1.7 80 | 81 | - name: 2.1.8 Remove tftp-server (Scored) 82 | yum: > 83 | name=tftp-server 84 | state=absent 85 | tags: 86 | - scored 87 | - section2.1 88 | - section2.1.8 89 | 90 | - name: 2.1.9 Remove talk (Scored) 91 | yum: > 92 | name=talk 93 | state=absent 94 | tags: 95 | - scored 96 | - section2.1 97 | - section2.1.9 98 | 99 | - name: 2.1.10 Remove talk-server (Scored) 100 | yum: > 101 | name=talk-server 102 | state=absent 103 | tags: 104 | - scored 105 | - section2.1 106 | - section2.1.10 107 | 108 | - name: 2.1.12 Disable chargen-dgram (check if exists) 109 | stat: path=/etc/xinetd.d/chargen-dgram 110 | register: chargen_dgram 111 | tags: 112 | - scored 113 | - section2.1 114 | - section2.1.12 115 | 116 | - name: 2.1.12 Disable chargen-dgram (disable xinetd service) 117 | service: > 118 | name=chargen-dgram 119 | state=stopped 120 | enabled=no 121 | 
when: chargen_dgram.stat.exists 122 | tags: 123 | - scored 124 | - section2.1 125 | - section2.1.12 126 | 127 | - name: 2.1.13 Disable chargen-stream (check if exists) (Scored) 128 | stat: path=/etc/xinetd.d/chargen-stream 129 | register: chargen_stream 130 | tags: 131 | - scored 132 | - section2.1 133 | - section2.1.13 134 | 135 | - name: 2.1.13 Disable chargen-stream (disable xinetd service) (Scored) 136 | service: > 137 | name=chargen-stream 138 | state=stopped 139 | enabled=no 140 | when: chargen_stream.stat.exists 141 | tags: 142 | - scored 143 | - section2.1 144 | - section2.1.13 145 | 146 | - name: 2.1.14 Disable daytime-dgram (check if exists) (Scored) 147 | stat: path=/etc/xinetd.d/daytime-dgram 148 | register: daytime_dgram 149 | tags: 150 | - scored 151 | - section2.1 152 | - section2.1.14 153 | 154 | - name: 2.1.14 Disable daytime-dgram (disable xinetd service) (Scored) 155 | service: > 156 | name=daytime-dgram 157 | state=stopped 158 | enabled=no 159 | when: daytime_dgram.stat.exists 160 | tags: 161 | - scored 162 | - section2.1 163 | - section2.1.14 164 | 165 | - name: 2.1.15 Disable daytime-stream (check if exists) (Scored) 166 | stat: path=/etc/xinetd.d/daytime-stream 167 | register: daytime_stream 168 | tags: 169 | - scored 170 | - section2.1 171 | - section2.1.15 172 | 173 | - name: 2.1.15 Disable daytime-stream (disable xinetd service) (Scored) 174 | service: > 175 | name=daytime-stream 176 | state=stopped 177 | enabled=no 178 | when: daytime_stream.stat.exists 179 | tags: 180 | - scored 181 | - section2.1 182 | - section2.1.15 183 | 184 | - name: 2.1.16 Disable echo-dgram (check if exists) (Scored) 185 | stat: path=/etc/xinetd.d/echo-dgram 186 | register: echo_dgram 187 | tags: 188 | - scored 189 | - section2.1 190 | - section2.1.16 191 | 192 | - name: 2.1.16 Disable echo-dgram (disable xinetd service) (Scored) 193 | service: > 194 | name=echo-dgram 195 | state=stopped 196 | enabled=no 197 | when: echo_dgram.stat.exists 198 | tags: 199 | - 
scored 200 | - section2.1 201 | - section2.1.16 202 | 203 | - name: 2.1.17 Disable echo-stream (check if exists) (Scored) 204 | stat: path=/etc/xinetd.d/echo-stream 205 | register: echo_stream 206 | tags: 207 | - scored 208 | - section2.1 209 | - section2.1.17 210 | 211 | - name: 2.1.17 Disable echo-stream (disable xinetd service) (Scored) 212 | service: > 213 | name=echo-stream 214 | state=stopped 215 | enabled=no 216 | when: echo_stream.stat.exists 217 | tags: 218 | - scored 219 | - section2.1 220 | - section2.1.17 221 | 222 | - name: 2.1.18 Disable tcpmux-server (check if exists) (Scored) 223 | stat: path=/etc/xinetd.d/tcpmux-server 224 | register: tcpmux_server 225 | tags: 226 | - scored 227 | - section2.1 228 | - section2.1.18 229 | 230 | - name: 2.1.18 Disable tcpmux-server (disable xinetd service) (Scored) 231 | service: > 232 | name=tcpmux-server 233 | state=stopped 234 | enabled=no 235 | when: tcpmux_server.stat.exists 236 | tags: 237 | - scored 238 | - section2.1 239 | - section2.1.18 240 | -------------------------------------------------------------------------------- /roles/cis/tasks/section_02_level2.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Copyright 2014 Major Hayden 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 
16 | # 17 | 18 | - name: 2.1.11 Remove xinetd (Scored) 19 | yum: > 20 | name=xinetd 21 | state=absent 22 | tags: 23 | - scored 24 | - section2.1 25 | - section2.1.11 26 | -------------------------------------------------------------------------------- /roles/cis/tasks/section_03.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Copyright 2014 Major Hayden 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | # 17 | 18 | - include: section_03_level1.yml 19 | tags: 20 | - section3 21 | - level1 22 | 23 | - include: section_03_level2.yml 24 | tags: 25 | - section3 26 | - level2 27 | -------------------------------------------------------------------------------- /roles/cis/tasks/section_03_level1.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Copyright 2014 Major Hayden 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
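# See the License for the specific language governing permissions and
# limitations under the License.
#

# CIS Section 3, Level 1: special-purpose services.
# The "Not Scored" removals are gated on role variables (ldap_client,
# ldap_server, nfs, dns, ftp, httpd, dovecot, samba, squid, snmp) so an
# operator can keep a service the host is meant to provide.

- name: 3.1 Set Daemon umask (Scored)
  lineinfile: >
    dest=/etc/sysconfig/init
    state=present
    regexp=^umask
    line="umask 027"
  tags:
    - scored
    - section3.1

- name: 3.2 Remove X Windows (runlevel 3) (Scored)
  lineinfile: >
    dest=/etc/inittab
    state=present
    regexp="^id:"
    line="id:3:initdefault:"
  tags:
    - scored
    - section3.2

- name: 3.2 Remove X Windows (remove package group) (Scored)
  yum: >
    name=xorg-x11-server-common
    state=absent
  tags:
    - scored
    - section3.2

- name: 3.3 Disable Avahi Server (check if installed) (Scored)
  # The init script is used as the "installed" marker so that the service
  # task below is skipped instead of failing on hosts without avahi.
  stat: path=/etc/init.d/avahi-daemon
  register: avahi_service
  tags:
    - scored
    - section3.3

- name: 3.3 Disable Avahi Server (disable service) (Scored)
  service: >
    name=avahi-daemon
    state=stopped
    enabled=no
  when: avahi_service.stat.exists
  tags:
    - scored
    - section3.3

- name: 3.4 Check to see if cups daemon is installed (Not Scored)
  stat: path=/etc/init.d/cups
  register: cups_service
  tags:
    - notscored
    - section3.4

- name: 3.4 Disable Print Server - CUPS (Not Scored)
  service: >
    name=cups
    state=stopped
    enabled=no
  # Best effort: a failure to stop cups must not abort the whole play.
  ignore_errors: yes
  when: cups_service.stat.exists
  tags:
    - notscored
    - section3.4

- name: 3.5 Remove DHCP Server (Scored)
  yum: >
    name=dhcp
    state=absent
  tags:
    - scored
    - section3.5

- name: 3.6 Configure Network Time Protocol (ipv4) (Scored)
  # name=/state=present are the spellings every other yum task in the role
  # uses; pkg= and state=installed were aliases with the same effect.
  yum: >
    name=ntp
    state=present
  always_run: yes
  tags:
    - scored
    - section3.6

- name: 3.6 Configure Network Time Protocol (ipv4) (Scored)
  service: >
    name=ntpd
    state=started
    enabled=yes
  tags:
    - scored
    - section3.6

- name: 3.6 Configure Network Time Protocol (ipv4) (Scored)
  # Default restrict policy: no remote queries (noquery) or runtime
  # reconfiguration (nomodify) from hosts that are not explicitly allowed.
  # The line is appended at EOF when ntp.conf has no "restrict default".
  lineinfile: >
    dest=/etc/ntp.conf
    state=present
    regexp="^restrict default"
    line="restrict default kod nomodify notrap nopeer noquery"
    insertafter=EOF
  tags:
    - scored
    - section3.6

- name: 3.6 Configure Network Time Protocol (ipv6) (Scored)
  lineinfile: >
    dest=/etc/ntp.conf
    state=present
    regexp="^restrict -6 default"
    line="restrict -6 default kod nomodify notrap nopeer noquery"
    insertafter=EOF
  tags:
    - scored
    - section3.6

- name: 3.7 Remove LDAP (Not Scored)
  yum: >
    name=openldap-clients
    state=absent
  when: ldap_client
  tags:
    - notscored
    - section3.7

- name: 3.7 Remove LDAP (Not Scored)
  yum: >
    name=openldap-servers
    state=absent
  when: ldap_server
  tags:
    - notscored
    - section3.7

- name: 3.8 Disable NFS and RPC (check for nfs-utils) (Not Scored)
  stat: path=/etc/init.d/nfslock
  register: nfs_utils
  tags:
    - notscored
    - section3.8

- name: 3.8 Disable NFS and RPC (check for rpcbind) (Not Scored)
  stat: path=/etc/init.d/rpcbind
  register: rpcbind
  tags:
    - notscored
    - section3.8

- name: 3.8 Disable NFS and RPC (nfs-utils services) (Not Scored)
  service: >
    name={{ item }}
    state=stopped
    enabled=no
  with_items:
    - nfslock
    - rpcgssd
    - rpcidmapd
    - rpcsvcgssd
  when: nfs_utils.stat.exists
  tags:
    - notscored
    - section3.8

- name: 3.8 Disable NFS and RPC (rpcbind services) (Not Scored)
  service: >
    name=rpcbind
    state=stopped
    enabled=no
  # A list under "when" is AND-ed: rpcbind must be present and the
  # operator must have opted in with the nfs variable.
  when:
    - rpcbind.stat.exists
    - nfs
  tags:
    - notscored
    - section3.8

- name: 3.9 Remove DNS Server (Not Scored)
  yum: >
    name=bind
    state=absent
  when: dns
  tags:
    - notscored
    - section3.9

- name: 3.10 Remove FTP Server (Not Scored)
  yum: >
    name=vsftpd
    state=absent
  when: ftp
  tags:
    - notscored
    - section3.10

- name: 3.11 Remove HTTP Server (Not Scored)
  yum: >
    name=httpd
    state=absent
  when: httpd
  tags:
    - notscored
    - section3.11

- name: 3.12 Remove Dovecot (IMAP and POP3 services) (Not Scored)
  yum: >
    name=dovecot
    state=absent
  when: dovecot
  tags:
    - notscored
    - section3.12

- name: 3.13 Remove Samba (Not Scored)
  yum: >
    name=samba
    state=absent
  when: samba
  tags:
    - notscored
    - section3.13

- name: 3.14 Remove HTTP Proxy Server (Not Scored)
  yum: >
    name=squid
    state=absent
  when: squid
  tags:
    - notscored
    - section3.14

- name: 3.15 Remove SNMP Server (Not Scored)
  yum: >
    name=net-snmp
    state=absent
  when: snmp
  tags:
    - notscored
    - section3.15

- name: 3.16 Configure Mail Transfer Agent for Local-Only Mode (Scored)
  yum: >
    name=postfix
    state=present
  tags:
    - scored
    - section3.16

- name: 3.16 Configure Mail Transfer Agent for Local-Only Mode (Scored)
  # backrefs=yes was dropped: with it, a main.cf that has no
  # "inet_interfaces" line was left untouched and the task still reported
  # success, so Postfix stayed at its compiled-in default of listening on
  # all interfaces. Without it the directive is appended when absent, and
  # Postfix honours the last occurrence of a parameter in main.cf.
  lineinfile: >
    backup=yes
    state=present
    dest=/etc/postfix/main.cf
    regexp="^inet_interfaces"
    line="inet_interfaces = localhost"
  ignore_errors: yes
  tags:
    - scored
    - section3.16

--------------------------------------------------------------------------------
/roles/cis/tasks/section_03_level2.yml:
--------------------------------------------------------------------------------
---
#
# Copyright 2014 Major Hayden
#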
# Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | # 17 | 18 | # CIS Section 3 has no Level 2 checks -------------------------------------------------------------------------------- /roles/cis/tasks/section_04.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Copyright 2014 Major Hayden 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 
16 | # 17 | 18 | - include: section_04_level1.yml 19 | tags: 20 | - section4 21 | - level1 22 | 23 | - include: section_04_level2.yml 24 | tags: 25 | - section4 26 | - level2 27 | -------------------------------------------------------------------------------- /roles/cis/tasks/section_04_level1.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Copyright 2014 Major Hayden 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 
#

# CIS Section 4, Level 1: network parameters, IPv6, TCP wrappers,
# uncommon protocols and the host firewall.
# Every sysctl task below uses state=present so the key is both written to
# the sysctl configuration and applied; ignoreerrors=true keeps a key the
# running kernel does not expose from failing the play.

- name: 4.1.1 Disable IP Forwarding (Scored)
  sysctl:
    name: net.ipv4.ip_forward
    value: "0"
    state: present
  tags: [scored, section4.1, section4.1.1]

- name: 4.1.2 Disable Send Packet Redirects (Scored)
  sysctl:
    name: net.ipv4.conf.all.send_redirects
    value: "0"
    state: present
    ignoreerrors: yes
  tags: [scored, section4.1, section4.1.2]

- name: 4.1.2 Disable Send Packet Redirects (Scored)
  sysctl:
    name: net.ipv4.conf.default.send_redirects
    value: "0"
    state: present
    ignoreerrors: yes
  tags: [scored, section4.1, section4.1.2]

- name: 4.2.1 Disable Source Routed Packet Acceptance (Scored)
  sysctl:
    name: net.ipv4.conf.all.accept_source_route
    value: "0"
    state: present
    ignoreerrors: yes
  tags: [scored, section4.2, section4.2.1]

- name: 4.2.1 Disable Source Routed Packet Acceptance (Scored)
  sysctl:
    name: net.ipv4.conf.default.accept_source_route
    value: "0"
    state: present
    ignoreerrors: yes
  tags: [scored, section4.2, section4.2.1]

- name: 4.2.2 Disable ICMP Redirect Acceptance (Scored)
  sysctl:
    name: net.ipv4.conf.all.accept_redirects
    value: "0"
    state: present
    ignoreerrors: yes
  tags: [scored, section4.2, section4.2.2]

- name: 4.2.2 Disable ICMP Redirect Acceptance (Scored)
  sysctl:
    name: net.ipv4.conf.default.accept_redirects
    value: "0"
    state: present
    ignoreerrors: yes
  tags: [scored, section4.2, section4.2.2]

- name: 4.2.4 Log Suspicious Packets (Scored)
  # log_martians makes the kernel log packets with impossible source
  # addresses, which is the detection side of the source-route/redirect
  # controls above.
  sysctl:
    name: net.ipv4.conf.all.log_martians
    value: "1"
    state: present
    ignoreerrors: yes
  tags: [scored, section4.2, section4.2.4]

- name: 4.2.4 Log Suspicious Packets (Scored)
  sysctl:
    name: net.ipv4.conf.default.log_martians
    value: "1"
    state: present
    ignoreerrors: yes
  tags: [scored, section4.2, section4.2.4]

- name: 4.2.5 Enable Ignore Broadcast Requests (Scored)
  sysctl:
    name: net.ipv4.icmp_echo_ignore_broadcasts
    value: "1"
    state: present
    ignoreerrors: yes
  tags: [scored, section4.2, section4.2.5]

- name: 4.2.6 Enable Bad Error Message Protection (Scored)
  sysctl:
    name: net.ipv4.icmp_ignore_bogus_error_responses
    value: "1"
    state: present
    ignoreerrors: yes
  tags: [scored, section4.2, section4.2.6]

- name: 4.2.8 Enable TCP SYN Cookies (Scored)
  sysctl:
    name: net.ipv4.tcp_syncookies
    value: "1"
    state: present
    ignoreerrors: yes
  tags: [scored, section4.2, section4.2.8]

- name: 4.4.1.1 Disable IPv6 Router Advertisements (Not Scored)
  sysctl:
    name: net.ipv6.conf.all.accept_ra
    value: "0"
    state: present
    ignoreerrors: yes
  tags: [notscored, section4.4, section4.4.1, section4.4.1.1]

- name: 4.4.1.1 Disable IPv6 Router Advertisements (Not Scored)
  sysctl:
    name: net.ipv6.conf.default.accept_ra
    value: "0"
    state: present
    ignoreerrors: yes
  tags: [notscored, section4.4, section4.4.1, section4.4.1.1]

- name: 4.4.1.2 Disable IPv6 Redirect Acceptance (Not Scored)
  sysctl:
    name: net.ipv6.conf.all.accept_redirects
    value: "0"
    state: present
    ignoreerrors: yes
  tags: [notscored, section4.4, section4.4.1, section4.4.1.2]

- name: 4.4.1.2 Disable IPv6 Redirect Acceptance (Not Scored)
  sysctl:
    name: net.ipv6.conf.default.accept_redirects
    value: "0"
    state: present
    ignoreerrors: yes
  tags: [notscored, section4.4, section4.4.1, section4.4.1.2]

# 4.4.2: the five tasks below only run when the operator sets disable_ipv6.

- name: 4.4.2 Disable IPv6 (disable in network config) (Not Scored)
  lineinfile:
    state: present
    dest: /etc/sysconfig/network
    regexp: '^NETWORKING_IPV6'
    line: 'NETWORKING_IPV6=no'
  when: disable_ipv6
  tags: [notscored, section4.4, section4.4.2]

- name: 4.4.2 Disable IPv6 (disable in network config) (Not Scored)
  lineinfile:
    state: present
    dest: /etc/sysconfig/network
    regexp: '^IPV6INIT'
    line: 'IPV6INIT=no'
  when: disable_ipv6
  tags: [notscored, section4.4, section4.4.2]

- name: 4.4.2 Disable IPv6 (disable via modprobe) (Not Scored)
  # No regexp: lineinfile de-duplicates on the exact line, so re-runs do
  # not append a second copy.
  lineinfile:
    state: present
    create: yes
    dest: /etc/modprobe.d/ipv6.conf
    line: "options ipv6 disable=1"
  when: disable_ipv6
  tags: [notscored, section4.4, section4.4.2]

- name: 4.4.2 Disable IPv6 (disable ip6tables) (Not Scored)
  service:
    name: ip6tables
    enabled: no
    state: stopped
  when: disable_ipv6
  tags: [notscored, section4.4, section4.4.2]

- name: 4.4.2 Disable IPv6 (flush routes) (Not Scored)
  # route.flush is a one-shot trigger rather than a persistent setting,
  # hence a plain command instead of the sysctl module; the task therefore
  # reports "changed" on every run.
  command: /sbin/sysctl -w net.ipv6.route.flush=1
  ignore_errors: yes
  when: disable_ipv6
  tags: [notscored, section4.4, section4.4.2]

- name: 4.5.1 Install TCP Wrappers (Not Scored)
  yum:
    name: tcp_wrappers
    state: present
  tags: [notscored, section4.5, section4.5.1]

- name: 4.5.2 Create /etc/hosts.allow (Not Scored)
  # TCP wrappers consult hosts.allow first and stop at the first match, so
  # leaving tcp_allow at its default of ALL permits every client and makes
  # the ALL:ALL entry written to hosts.deny in 4.5.4 unreachable. Set
  # tcp_allow to the permitted networks for this control to restrict
  # anything.
  lineinfile:
    state: present
    create: yes
    dest: /etc/hosts.allow
    regexp: '^ALL'
    line: 'ALL:{{ tcp_allow | default("ALL") }}'
  tags: [notscored, section4.5, section4.5.2]

- name: 4.5.3 Verify Permissions on /etc/hosts.allow (Scored)
  file:
    path: /etc/hosts.allow
    mode: "0644"
  tags: [scored, section4.5, section4.5.3]

- name: 4.5.4 Create /etc/hosts.deny (Not Scored)
  lineinfile:
    state: present
    create: yes
    dest: /etc/hosts.deny
    line: 'ALL:ALL'
  tags: [notscored, section4.5, section4.5.4]

- name: 4.5.5 Verify Permissions on /etc/hosts.deny (Scored)
  file:
    path: /etc/hosts.deny
    mode: "0644"
  tags: [scored, section4.5, section4.5.5]

# 4.6: "install <module> /bin/true" makes modprobe run /bin/true instead of
# loading the module, so the protocol cannot be enabled on demand.

- name: 4.6.1 Disable DCCP (Not Scored)
  lineinfile:
    state: present
    create: yes
    dest: /etc/modprobe.d/CIS.conf
    line: "install dccp /bin/true"
  tags: [notscored, section4.6, section4.6.1]

- name: 4.6.2 Disable SCTP (Not Scored)
  lineinfile:
    state: present
    create: yes
    dest: /etc/modprobe.d/CIS.conf
    line: "install sctp /bin/true"
  tags: [notscored, section4.6, section4.6.2]

- name: 4.6.3 Disable RDS (Not Scored)
  lineinfile:
    state: present
    create: yes
    dest: /etc/modprobe.d/CIS.conf
    line: "install rds /bin/true"
  tags: [notscored, section4.6, section4.6.3]

- name: 4.6.4 Disable TIPC (Not Scored)
  lineinfile:
    state: present
    create: yes
    dest: /etc/modprobe.d/CIS.conf
    line: "install tipc /bin/true"
  tags: [notscored, section4.6, section4.6.4]

- name: 4.7 Enable IPtables (Scored)
  service:
    name: iptables
    enabled: yes
    state: started
  when: enable_iptables
  tags: [scored, section4.7]

- name: 4.8 Enable IP6tables (Not Scored)
  service:
    name: ip6tables
    enabled: yes
    state: started
  # Best effort: ip6tables may be absent or IPv6 may be disabled (4.4.2).
  ignore_errors: yes
  when: enable_ip6tables
  tags: [notscored, section4.8]
367 | -------------------------------------------------------------------------------- /roles/cis/tasks/section_04_level2.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Copyright 2014 Major Hayden 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | # 17 | 18 | - name: 4.2.3 Disable Secure ICMP Redirect Acceptance (Scored) 19 | sysctl: > 20 | name=net.ipv4.conf.all.secure_redirects 21 | value=0 22 | state=present 23 | ignoreerrors=true 24 | tags: 25 | - scored 26 | - section4.2 27 | - section4.2.3 28 | 29 | - name: 4.2.3 Disable Secure ICMP Redirect Acceptance (Scored) 30 | sysctl: > 31 | name=net.ipv4.conf.default.secure_redirects 32 | value=0 33 | state=present 34 | ignoreerrors=true 35 | tags: 36 | - scored 37 | - section4.2 38 | - section4.2.3 39 | 40 | - name: 4.2.7 Enable RFC-recommended Source Route Validation (Scored) 41 | sysctl: > 42 | name=net.ipv4.conf.all.rp_filter 43 | value=1 44 | state=present 45 | ignoreerrors=true 46 | tags: 47 | - scored 48 | - section4.2 49 | - section4.2.7 50 | 51 | - name: 4.2.7 Enable RFC-recommended Source Route Validation (Scored) 52 | sysctl: > 53 | name=net.ipv4.conf.default.rp_filter 54 | value=1 55 | state=present 56 | ignoreerrors=true 57 | tags: 58 | - scored 59 | - section4.2 60 | - section4.2.7 61 | -------------------------------------------------------------------------------- /roles/cis/tasks/section_05.yml: 
-------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Copyright 2014 Major Hayden 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | # 17 | 18 | - include: section_05_level1.yml 19 | tags: 20 | - section5 21 | - level1 22 | 23 | - include: section_05_level2.yml 24 | tags: 25 | - section5 26 | - level2 27 | -------------------------------------------------------------------------------- /roles/cis/tasks/section_05_level1.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Copyright 2014 Major Hayden 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 
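#

# CIS Section 5, Level 1: rsyslog and logrotate.

- name: 5.1.1 Install the rsyslog package (Scored)
  yum: >
    name=rsyslog
    state=present
  tags:
    - scored
    - section5.1
    - section5.1.1

- name: 5.1.2 Activate the rsyslog Service (Scored)
  service: >
    name=rsyslog
    enabled=yes
    state=started
  tags:
    - scored
    - section5.1
    - section5.1.2

- name: 5.1.3 Configure /etc/rsyslog.conf (Not Scored)
  # Installs the role's copy of rsyslog.conf. 5.1.5 and 5.1.6 then edit
  # the same file, so a run that replaces it here will re-add those lines
  # afterwards. None of these tasks notifies an rsyslog restart, so the
  # new configuration is only read at the next restart of rsyslog.
  copy: >
    src=etc/rsyslog.conf
    dest=/etc/rsyslog.conf
    owner=root
    group=root
    mode=0644
  tags:
    - notscored
    - section5.1
    - section5.1.3

- name: 5.1.4 Create and Set Permissions on rsyslog Log Files (Scored)
  # state=touch also updates the mtime, so this task reports "changed" on
  # every run.
  file: >
    path=/var/log/{{ item }}
    state=touch
    owner=root
    group=wheel
    mode=0640
  with_items:
    - messages
    - kern.log
    - daemon.log
    - syslog
    - unused.log
  tags:
    - scored
    - section5.1
    - section5.1.4

- name: 5.1.5 Configure rsyslog to Send Logs to a Remote Log Host (Scored)
  # "@@" forwards over TCP. Only applied when the operator provides
  # rsyslog_dest; the regexp replaces any existing "*.*" forwarding line.
  lineinfile: >
    state=present
    dest=/etc/rsyslog.conf
    regexp="^\*\.\*"
    line="*.* @@{{ rsyslog_dest }}"
  when: rsyslog_dest is defined
  tags:
    - scored
    - section5.1
    - section5.1.5

- name: 5.1.6 Accept Remote rsyslog Messages Only on Designated Log Hosts (Not Scored)
  # dest= was missing from both 5.1.6 tasks; lineinfile has no default
  # target, so they could not run. /etc/rsyslog.conf is the file the other
  # 5.1.x tasks manage. Opening the TCP listener is opt-in via rsyslog_host.
  lineinfile: >
    state=present
    dest=/etc/rsyslog.conf
    line="$ModLoad imtcp.so"
  when: rsyslog_host
  tags:
    - notscored
    - section5.1
    - section5.1.6

- name: 5.1.6 Accept Remote rsyslog Messages Only on Designated Log Hosts (Not Scored)
  lineinfile: >
    state=present
    dest=/etc/rsyslog.conf
    line="$InputTCPServerRun 514"
  when: rsyslog_host
  tags:
    - notscored
    - section5.1
    - section5.1.6

- name: 5.3 Configure logrotate (Not Scored)
  copy: >
    src=etc/logrotate.d/syslog
    dest=/etc/logrotate.d/syslog
  tags:
    - notscored
    - section5.3
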
-------------------------------------------------------------------------------- /roles/cis/tasks/section_05_level2.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Copyright 2014 Major Hayden 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | # 17 | 18 | - name: 5.2.1.1 Configure Data Retention (Not Scored) 19 | lineinfile: > 20 | state=present 21 | dest=/etc/audit/auditd.conf 22 | regexp="^max_log_file =" 23 | line="max_log_file = {{ max_log_file }}" 24 | notify: Reload auditd Rules 25 | tags: 26 | - notscored 27 | - section5.2 28 | - section5.2.1 29 | - section5.2.1.1 30 | 31 | - name: 5.2.1.2 Disable System on Audit Log Full (Not Scored) 32 | lineinfile: > 33 | state=present 34 | dest=/etc/audit/auditd.conf 35 | regexp="^space_left_action =" 36 | line="space_left_action = {{ space_left_action }}" 37 | notify: Reload auditd Rules 38 | tags: 39 | - notscored 40 | - section5.2 41 | - section5.2.1 42 | - section5.2.1.2 43 | 44 | - name: 5.2.1.2 Disable System on Audit Log Full (Not Scored) 45 | lineinfile: > 46 | state=present 47 | dest=/etc/audit/auditd.conf 48 | regexp="^action_mail_acct =" 49 | line="action_mail_acct = {{ action_mail_acct }}" 50 | notify: Reload auditd Rules 51 | tags: 52 | - notscored 53 | - section5.2 54 | - section5.2.1 55 | - section5.2.1.2 56 | 57 | - name: 5.2.1.2 Disable System on Audit Log Full (Not Scored) 58 | lineinfile: > 59 | 
state=present 60 | dest=/etc/audit/auditd.conf 61 | regexp="^admin_space_left_action =" 62 | line="admin_space_left_action = {{ admin_space_left_action }}" 63 | notify: Reload auditd Rules 64 | tags: 65 | - notscored 66 | - section5.2 67 | - section5.2.1 68 | - section5.2.1.2 69 | 70 | - name: 5.2.1.3 Keep All Auditing Information (Scored) 71 | lineinfile: > 72 | state=present 73 | dest=/etc/audit/auditd.conf 74 | regexp="^max_log_file_action =" 75 | line="max_log_file_action = {{ max_log_file_action }}" 76 | notify: Reload auditd Rules 77 | tags: 78 | - scored 79 | - section5.2 80 | - section5.2.1 81 | - section5.2.1.3 82 | 83 | - name: 5.2.2 Enable auditd Service (Scored) 84 | service: > 85 | name=auditd 86 | enabled=yes 87 | state=running 88 | tags: 89 | - scored 90 | - section5.2 91 | - section5.2.2 92 | 93 | - name: 5.2.3 Enable Auditing for Processes That Start Prior to auditd (Scored) 94 | lineinfile: > 95 | state=present 96 | dest=/etc/grub.conf 97 | backrefs=yes 98 | regexp="(^\s*kernel.*)$(? 107 | src=etc/audit/audit.rules 108 | dest=/etc/audit/audit.rules 109 | notify: Reload auditd Rules 110 | tags: 111 | - scored 112 | - section5.2 113 | - section5.2.4 114 | - section5.2.5 115 | - section5.2.6 116 | - section5.2.7 117 | - section5.2.8 118 | - section5.2.9 119 | - section5.2.10 120 | - section5.2.11 121 | - section5.2.12 122 | - section5.2.13 123 | - section5.2.14 124 | - section5.2.15 125 | - section5.2.16 126 | - section5.2.17 127 | - section5.2.18 128 | -------------------------------------------------------------------------------- /roles/cis/tasks/section_06.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Copyright 2014 Major Hayden 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 
7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | # 17 | 18 | - include: section_06_level1.yml 19 | tags: 20 | - section6 21 | - level1 22 | 23 | - include: section_06_level2.yml 24 | tags: 25 | - section6 26 | - level2 27 | 28 | -------------------------------------------------------------------------------- /roles/cis/tasks/section_06_level1.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Copyright 2014 Major Hayden 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 
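#

# CIS Section 6, Level 1: cron/at access and the sshd configuration.

- name: 6.1.1 Enable anacron Daemon (Scored)
  yum: >
    name=cronie-anacron
    state=present
  tags:
    - scored
    - section6.1
    - section6.1.1

- name: 6.1.2 Enable crond Daemon (Scored)
  service: >
    name=crond
    enabled=yes
    state=started
  tags:
    - scored
    - section6.1
    - section6.1.2

- name: 6.1.3 Set User/Group Owner and Permission on /etc/anacrontab (Scored)
  file: >
    path=/etc/anacrontab
    owner=root
    group=root
    mode=0600
  tags:
    - scored
    - section6.1
    - section6.1.3

- name: 6.1.4 Set User/Group Owner and Permission on /etc/crontab (Scored)
  file: >
    path=/etc/crontab
    owner=root
    group=root
    mode=0600
  tags:
    - scored
    - section6.1
    - section6.1.4

# 6.1.5 - 6.1.8 target directories, so they now use state=directory and
# mode=0700 exactly like 6.1.9 below (the benchmark's "og-rwx", keeping
# root's search bit). The earlier mode=0600 stripped the execute bit from
# the directory, which is not what the benchmark describes.

- name: 6.1.5 Set User/Group Owner and Permission on /etc/cron.hourly (Scored)
  file: >
    path=/etc/cron.hourly
    state=directory
    owner=root
    group=root
    mode=0700
  tags:
    - scored
    - section6.1
    - section6.1.5

- name: 6.1.6 Set User/Group Owner and Permission on /etc/cron.daily (Scored)
  file: >
    path=/etc/cron.daily
    state=directory
    owner=root
    group=root
    mode=0700
  tags:
    - scored
    - section6.1
    - section6.1.6

- name: 6.1.7 Set User/Group Owner and Permission on /etc/cron.weekly (Scored)
  file: >
    path=/etc/cron.weekly
    state=directory
    owner=root
    group=root
    mode=0700
  tags:
    - scored
    - section6.1
    - section6.1.7

- name: 6.1.8 Set User/Group Owner and Permission on /etc/cron.monthly (Scored)
  file: >
    path=/etc/cron.monthly
    state=directory
    owner=root
    group=root
    mode=0700
  tags:
    - scored
    - section6.1
    - section6.1.8

- name: 6.1.9 Set User/Group Owner and Permission on /etc/cron.d (Scored)
  file: >
    path=/etc/cron.d
    state=directory
    owner=root
    group=root
    mode=0700
  tags:
    - scored
    - section6.1
    - section6.1.9

# 6.1.10 / 6.1.11: removing the deny files and creating (possibly empty)
# allow files switches at/cron to an allow-list; an empty allow file means
# only root may schedule jobs.

- name: 6.1.10 Restrict at Daemon (Scored)
  file: >
    path=/etc/at.deny
    state=absent
  tags:
    - scored
    - section6.1
    - section6.1.10

- name: 6.1.10 Restrict at Daemon (Scored)
  file: >
    path=/etc/at.allow
    state=touch
    owner=root
    group=root
    mode=0600
  tags:
    - scored
    - section6.1
    - section6.1.10

- name: 6.1.11 Restrict at/cron to Authorized Users (Scored)
  file: >
    path=/etc/cron.deny
    state=absent
  tags:
    - scored
    - section6.1
    - section6.1.11

- name: 6.1.11 Restrict at/cron to Authorized Users (Scored)
  file: >
    path=/etc/cron.allow
    state=touch
    owner=root
    group=root
    mode=0600
  tags:
    - scored
    - section6.1
    - section6.1.11

# 6.2: sshd_config edits. Each regexp only matches the space-separated,
# uncommented form of the directive. insertbefore=BOF was added so that a
# directive which is absent is inserted at the top of the file: sshd applies
# the first value it reads, and a line appended at EOF after a "Match"
# block would be scoped to that block instead of applying globally.

- name: 6.2.1 Set SSH Protocol to 2 (Scored)
  lineinfile: >
    dest=/etc/ssh/sshd_config
    regexp="^Protocol "
    line="Protocol 2"
    insertbefore=BOF
  notify: Reload sshd
  tags:
    - scored
    - section6.2
    - section6.2.1

- name: 6.2.2 Set LogLevel to INFO (Scored)
  lineinfile: >
    dest=/etc/ssh/sshd_config
    regexp="^LogLevel "
    line="LogLevel INFO"
    insertbefore=BOF
  notify: Reload sshd
  tags:
    - scored
    - section6.2
    - section6.2.2

- name: 6.2.3 Set Permissions on /etc/ssh/sshd_config (Scored)
  file: >
    path=/etc/ssh/sshd_config
    owner=root
    group=root
    mode=0600
  notify: Reload sshd
  tags:
    - scored
    - section6.2
    - section6.2.3

- name: 6.2.4 Disable SSH X11 Forwarding (Scored)
  lineinfile: >
    dest=/etc/ssh/sshd_config
    regexp="^X11Forwarding "
    line="X11Forwarding no"
    insertbefore=BOF
  notify: Reload sshd
  tags:
    - scored
    - section6.2
    - section6.2.4

- name: 6.2.5 Set SSH MaxAuthTries to 4 or Less (Scored)
  lineinfile: >
    dest=/etc/ssh/sshd_config
    regexp="^MaxAuthTries "
    line="MaxAuthTries 4"
    insertbefore=BOF
  notify: Reload sshd
  tags:
    - scored
    - section6.2
    - section6.2.5

- name: 6.2.6 Set SSH IgnoreRhosts to Yes (Scored)
  lineinfile: >
    dest=/etc/ssh/sshd_config
    regexp="^IgnoreRhosts "
    line="IgnoreRhosts yes"
    insertbefore=BOF
  notify: Reload sshd
  tags:
    - scored
    - section6.2
    - section6.2.6

- name: 6.2.7 Set SSH HostbasedAuthentication to No (Scored)
  lineinfile: >
    dest=/etc/ssh/sshd_config
    regexp="^HostbasedAuthentication "
    line="HostbasedAuthentication no"
    insertbefore=BOF
  notify: Reload sshd
  tags:
    - scored
    - section6.2
    - section6.2.7

- name: 6.2.8 Disable SSH Root Login (Scored)
  lineinfile: >
    dest=/etc/ssh/sshd_config
    regexp="^PermitRootLogin "
    line="PermitRootLogin no"
    insertbefore=BOF
  notify: Reload sshd
  tags:
    - scored
    - section6.2
    - section6.2.8

- name: 6.2.9 Set SSH PermitEmptyPasswords to No (Scored)
  lineinfile: >
    dest=/etc/ssh/sshd_config
    regexp="^PermitEmptyPasswords "
    line="PermitEmptyPasswords no"
    insertbefore=BOF
  notify: Reload sshd
  tags:
    - scored
    - section6.2
    - section6.2.9

- name: 6.2.10 Do Not Allow Users to Set Environment Options (Scored)
  lineinfile: >
    dest=/etc/ssh/sshd_config
    regexp="^PermitUserEnvironment "
    line="PermitUserEnvironment no"
    insertbefore=BOF
  notify: Reload sshd
  tags:
    - scored
    - section6.2
    - section6.2.10

- name: 6.2.11 Use Only Approved Cipher in Counter Mode (Scored)
  # The cipher list is the one the benchmark text specifies.
  lineinfile: >
    dest=/etc/ssh/sshd_config
    regexp="^Ciphers "
    line="Ciphers aes128-ctr,aes192-ctr,aes256-ctr"
    insertbefore=BOF
  notify: Reload sshd
  tags:
    - scored
    - section6.2
    - section6.2.11

- name: 6.2.12 Set Idle Timeout Interval for User Login (Scored)
  # Interval 300 with CountMax 0: an idle session is closed after the first
  # unanswered keep-alive, i.e. after five minutes.
  lineinfile: >
    dest=/etc/ssh/sshd_config
    regexp="^ClientAliveInterval "
    line="ClientAliveInterval 300"
    insertbefore=BOF
  notify: Reload sshd
  tags:
    - scored
    - section6.2
    - section6.2.12

- name: 6.2.12 Set Idle Timeout Interval for User Login (Scored)
  lineinfile: >
    dest=/etc/ssh/sshd_config
    regexp="^ClientAliveCountMax "
    line="ClientAliveCountMax 0"
    insertbefore=BOF
  notify: Reload sshd
  tags:
    - scored
    - section6.2
    - section6.2.12

# 6.2.13: each Allow/Deny directive is only written when the operator
# defines the matching variable, so nothing is locked out by default.

- name: 6.2.13 Limit Access via SSH (Scored)
  lineinfile: >
    dest=/etc/ssh/sshd_config
    regexp="^AllowGroups "
    line="AllowGroups {{ ssh_allow_groups }}"
    insertbefore=BOF
  when: ssh_allow_groups is defined
  notify: Reload sshd
  tags:
    - scored
    - section6.2
    - section6.2.13

- name: 6.2.13 Limit Access via SSH (Scored)
  lineinfile: >
    dest=/etc/ssh/sshd_config
    regexp="^AllowUsers "
    line="AllowUsers {{ ssh_allow_users }}"
    insertbefore=BOF
  when: ssh_allow_users is defined
  notify: Reload sshd
  tags:
    - scored
    - section6.2
    - section6.2.13

- name: 6.2.13 Limit Access via SSH (Scored)
  lineinfile: >
    dest=/etc/ssh/sshd_config
    regexp="^DenyGroups "
    line="DenyGroups {{ ssh_deny_groups }}"
    insertbefore=BOF
  when: ssh_deny_groups is defined
  notify: Reload sshd
  tags:
    - scored
    - section6.2
    - section6.2.13

- name: 6.2.13 Limit Access via SSH (Scored)
  lineinfile: >
    dest=/etc/ssh/sshd_config
    regexp="^DenyUsers "
    line="DenyUsers {{ ssh_deny_users }}"
    insertbefore=BOF
  when: ssh_deny_users is defined
  notify: Reload sshd
  tags:
    - scored
    - section6.2
    - section6.2.13

- name: 6.2.14 Set SSH Banner (Scored)
  lineinfile: >
    dest=/etc/ssh/sshd_config
    regexp="^Banner "
    line="Banner /etc/issue.net"
    insertbefore=BOF
  notify: Reload sshd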
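# (tags of the 6.2.14 task, whose body precedes this point)
  tags:
    - scored
    - section6.2
    - section6.2.14

# authconfig is what both 6.3.1 tasks below shell out to.  The install task
# carries the same tags as they do, so a tag-filtered run (e.g.
# --tags section6.3) cannot reach them on a host where the package is absent.
- name: 6.3.1 Ensure authconfig package is installed
  yum:
    name: authconfig
    state: present
  tags:
    - scored
    - section6.3
    - section6.3.1

# Read-only probe: records the current hashing algorithm so the next task can
# decide whether anything has to change.  always_run lets it execute in check
# mode; changed_when: false keeps a pure query from being reported as a
# change.  grep exits non-zero -- and this task fails -- if "authconfig --test"
# prints no "hashing" line at all.
- name: 6.3.1 Upgrade Password Hashing Algorithm to SHA-512 (Scored)
  shell: 'authconfig --test | grep hashing'
  register: password_hash_algorithm
  always_run: yes
  changed_when: false
  tags:
    - scored
    - section6.3
    - section6.3.1

# Only rewrites the PAM/shadow configuration when sha512 is not already the
# algorithm reported above.
- name: 6.3.1 Upgrade Password Hashing Algorithm to SHA-512 (Scored)
  shell: authconfig --passalgo=sha512 --update
  when: '"sha512" not in password_hash_algorithm.stdout'
  tags:
    - scored
    - section6.3
    - section6.3.1

# 6.3.2 - 6.3.4 replace the PAM stacks wholesale with the files shipped in the
# role (files/etc/pam.d/).  Ownership and a 0644 mode are pinned explicitly;
# without them copy keeps whatever the source file carried.  On RHEL these two
# paths are normally symlinks to *-ac files maintained by authconfig, and a
# later "authconfig --update" may regenerate them -- confirm on the target that
# the copied stacks survive.  A mistake in these files locks every account out,
# so exercise them on a non-production host first.
- name: 6.3.2 - 6.3.4 Configure PAM (Scored)
  copy: >
    src=etc/pam.d/system-auth
    dest=/etc/pam.d/system-auth
    owner=root
    group=root
    mode=0644
  tags:
    - scored
    - section6.3
    - section6.3.2
    - section6.3.3
    - section6.3.4

- name: 6.3.2 - 6.3.4 Configure PAM (Scored)
  copy: >
    src=etc/pam.d/password-auth
    dest=/etc/pam.d/password-auth
    owner=root
    group=root
    mode=0644
  tags:
    - scored
    - section6.3
    - section6.3.2
    - section6.3.3
    - section6.3.4

# Deliberately not implemented; the message records why.
- name: 6.4 Restrict root login to system console (Not Scored)
  debug: msg="Too restrictive for most environments."
  tags:
    - notscored
    - section6.4

# Installs the role's PAM configuration for su.  The shipped file is not
# visible here; if it enforces pam_wheel, make sure an administrative account
# is a member of wheel before applying it, or su to root stops working.
- name: 6.5 Restrict Access to the su Command (Scored)
  copy: >
    src=etc/pam.d/su
    dest=/etc/pam.d/su
    owner=root
    group=root
    mode=0644
  tags:
    - scored
    - section6.5
--------------------------------------------------------------------------------
/roles/cis/tasks/section_06_level2.yml:
--------------------------------------------------------------------------------
---
#
# Copyright 2014 Major Hayden
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# CIS Section 6 has no Level 2 checks
--------------------------------------------------------------------------------
/roles/cis/tasks/section_07.yml:
--------------------------------------------------------------------------------
---
#
# Copyright 2014 Major Hayden
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# Section 7 entry point: the level files are pulled in with section/level tags
# so a run can be limited with e.g. --tags section7 or --tags level1.
- include: section_07_level1.yml
  tags:
    - section7
    - level1

- include: section_07_level2.yml
  tags:
    - section7
    - level2

--------------------------------------------------------------------------------
/roles/cis/tasks/section_07_level1.yml:
--------------------------------------------------------------------------------
---
#
# Copyright 2014 Major Hayden
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.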
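# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# 7.1.x -- password ageing defaults in /etc/login.defs.
# backrefs=yes makes lineinfile rewrite an existing PASS_* line in place and
# (the non-obvious part) do nothing at all when no line matches: on a
# login.defs that lacks the keyword the value is silently not applied.  The
# "\t" in line= appears to rely on that same backref expansion to become a
# real tab.  login.defs values are consulted when an account is created;
# existing accounts keep the ageing fields already in /etc/shadow -- TODO
# confirm that scope is what the deployment expects.
- name: 7.1.1 Set Password Expiration Days (Scored)
  lineinfile: >
    backup=yes
    state=present
    dest=/etc/login.defs
    backrefs=yes
    regexp="^PASS_MAX_DAYS\s+"
    line="PASS_MAX_DAYS\t90"
  tags:
    - scored
    - section7.1
    - section7.1.1

- name: 7.1.2 Set Password Change Minimum Number of Days (Scored)
  lineinfile: >
    backup=yes
    state=present
    dest=/etc/login.defs
    backrefs=yes
    regexp="^PASS_MIN_DAYS\s+"
    line="PASS_MIN_DAYS\t7"
  tags:
    - scored
    - section7.1
    - section7.1.2

- name: 7.1.3 Set Password Expiring Warning Days (Scored)
  lineinfile: >
    backup=yes
    state=present
    dest=/etc/login.defs
    backrefs=yes
    regexp="^PASS_WARN_AGE\s+"
    line="PASS_WARN_AGE\t7"
  tags:
    - scored
    - section7.1
    - section7.1.3

# 7.2 -- take the login shell away from system accounts.
# The preparation step lists accounts below the system-UID boundary (500, the
# RHEL 6 default; set uid_min for distributions that start regular users at
# 1000) that are not root/sync/shutdown/halt and do not already use
# /sbin/nologin.  It only reads /etc/passwd, hence changed_when: false.
- name: 7.2 Disable System Accounts (Scored) - preparation
  shell: awk -F':' '($3<{{ uid_min | default(500) }} && $1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $7!="/sbin/nologin") { print $1 }' /etc/passwd
  register: enabled_system_accounts
  changed_when: false
  tags:
    - scored
    - section7.2

# Because the list above excludes accounts already on /sbin/nologin, this
# converges after one run and reports nothing on the next.
- name: 7.2 Disable System Accounts (Scored)
  command: /usr/sbin/usermod -s /sbin/nologin {{ item }}
  with_items: enabled_system_accounts.stdout_lines
  tags:
    - scored
    - section7.2

- name: 7.3 Set Default Group for root Account (Scored)
  user: >
    name=root
    group=root
  tags:
    - scored
    - section7.3

# 7.4 -- default umask 077 through a profile.d snippet; only login shells that
# source /etc/profile pick it up.  ignore_errors keeps a failure here from
# stopping the play -- presumably deliberate, no reason is recorded.
- name: 7.4 Set Default umask for Users (Scored)
  lineinfile: >
    state=present
    create=yes
    dest=/etc/profile.d/cis.sh
    line="umask 077"
  ignore_errors: true
  tags:
    - scored
    - section7.4

# The snippet is created by lineinfile with whatever mode the umask gave it;
# this pins root:root 0644.  changed_when: false hides any correction from the
# play summary -- drop it if drift should be reported.
- name: Ensure that /etc/profile.d/cis.sh has correct owner, group and mode
  file: >
    path=/etc/profile.d/cis.sh
    owner=root
    group=root
    mode=0644
  changed_when: false
  tags:
    - scored
    - section7.4

# 7.5 -- inactivity lock for accounts created from now on.  Writes the INACTIVE
# field of /etc/default/useradd directly (the file "useradd -D -f 35" edits) so
# the task is idempotent instead of reporting "changed" on every run.  Existing
# accounts are untouched; their inactivity days live in /etc/shadow.
- name: 7.5 Lock Inactive User Accounts (Scored)
  lineinfile: >
    dest=/etc/default/useradd
    regexp="^INACTIVE="
    line="INACTIVE=35"
  when: lock_inactive
  tags:
    - scored
    - section7.5

--------------------------------------------------------------------------------
/roles/cis/tasks/section_07_level2.yml:
--------------------------------------------------------------------------------
---
#
# Copyright 2014 Major Hayden
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# CIS Section 7 has no Level 2 checks
--------------------------------------------------------------------------------
/roles/cis/tasks/section_08.yml:
--------------------------------------------------------------------------------
---
#
# Copyright 2014 Major Hayden
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# Section 8 entry point; tags allow --tags section8 / level1 / level2 runs.
- include: section_08_level1.yml
  tags:
    - section8
    - level1

- include: section_08_level2.yml
  tags:
    - section8
    - level2
--------------------------------------------------------------------------------
/roles/cis/tasks/section_08_level1.yml:
--------------------------------------------------------------------------------
---
#
# Copyright 2014 Major Hayden
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.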
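#

# 8.1 -- login banners.  First record what currently sits at /etc/motd,
# /etc/issue and /etc/issue.net.
- name: 8.1 Set Warning Banner for Standard Login Services (Scored)
  stat: path=/etc/{{ item }}
  register: stats
  with_items:
    - motd
    - issue
    - issue.net
  tags:
    - scored
    - section8.1

# Remove any banner that is a symlink so the copy below installs a regular
# file rather than possibly writing through the link.  Selection uses the
# registered stat results: item.item is the file name, item.stat.islnk the
# link flag.  (The previous three tasks looped over the literal list entry
# "stats.results" and tested item.islnk, which the stat module does not report
# at that level, so the condition could never select a link; they also hid
# their own effect with changed_when: false.)
- name: 8.1 Set Warning Banner for Standard Login Services (Scored)
  file: >
    path=/etc/{{ item.item }}
    state=absent
  with_items: "{{ stats.results }}"
  when: item.stat.exists and item.stat.islnk
  tags:
    - scored
    - section8.1

# Install the role's banner text (files/etc/motd, issue, issue.net).
- name: 8.1 Set Warning Banner for Standard Login Services (Scored)
  copy: >
    src=etc/{{item}}
    dest=/etc/{{item}}
  with_items:
    - motd
    - issue
    - issue.net
  tags:
    - scored
    - section8.1

- name: 8.1 Set Warning Banner for Standard Login Services (Scored)
  file: >
    path=/etc/{{ item }}
    owner=root
    group=root
    mode=0644
  with_items:
    - motd
    - issue
    - issue.net
  tags:
    - scored
    - section8.1

# 8.2 -- strip the agetty escapes that leak machine type (\m), OS release (\r),
# OS name (\s) and OS version (\v) from the banners; the regexp is a literal
# backslash followed by the letter, which is what ends up in the file.  \m was
# missing from the original list.  Note the ordering: 8.1 re-copies the role's
# own banner files on every run, so any substitution made here is undone next
# time -- keep those source files free of these escapes in the first place.
- name: 8.2 Remove OS Information from Login Warning Banners (Scored)
  replace: >
    dest=/etc/{{ item }}
    regexp='\\m|\\r|\\s|\\v'
    replace='[CIS replaced]'
  with_items:
    - motd
    - issue
    - issue.net
  tags:
    - scored
    - section8.2

# Placeholder only (a debug message); tagged notscored to match its title and
# the other "(Not Scored)" items, so --tags scored does not count it as done.
- name: 8.3 Set GNOME Warning Banner (Not Scored)
  debug: msg="*** Will do later"
  tags:
    - notscored
    - section8.3

--------------------------------------------------------------------------------
/roles/cis/tasks/section_08_level2.yml:
--------------------------------------------------------------------------------
---
#
# Copyright 2014 Major Hayden
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# CIS Section 8 has no Level 2 checks
--------------------------------------------------------------------------------
/roles/cis/tasks/section_09.yml:
--------------------------------------------------------------------------------
---
#
# Copyright 2014 Major Hayden
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# Section 9 entry point; tags allow --tags section9 / level1 / level2 runs.
- include: section_09_level1.yml
  tags:
    - section9
    - level1

- include: section_09_level2.yml
  tags:
    - section9
    - level2
--------------------------------------------------------------------------------
/roles/cis/tasks/section_09_level1.yml:
--------------------------------------------------------------------------------
---
#
# Copyright 2014 Major Hayden
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.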
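#

# 9.1.2 - 9.1.9 -- modes and ownership of the account databases.  The shadow
# files are 0000: root bypasses mode bits and nothing else should read them.
- name: 9.1.2 Verify Permissions on /etc/passwd (Scored)
  file: >
    path=/etc/passwd
    mode=0644
  tags:
    - scored
    - section9.1
    - section9.1.2

- name: 9.1.3 Verify Permissions on /etc/shadow (Scored)
  file: >
    path=/etc/shadow
    mode=0000
  tags:
    - scored
    - section9.1
    - section9.1.3

- name: 9.1.4 Verify Permissions on /etc/gshadow (Scored)
  file: >
    path=/etc/gshadow
    mode=0000
  tags:
    - scored
    - section9.1
    - section9.1.4

- name: 9.1.5 Verify Permissions on /etc/group (Scored)
  file: >
    path=/etc/group
    mode=0644
  tags:
    - scored
    - section9.1
    - section9.1.5

- name: 9.1.6 Verify User/Group Ownership on /etc/passwd (Scored)
  file: >
    path=/etc/passwd
    owner=root
    group=root
  tags:
    - scored
    - section9.1
    - section9.1.6

- name: 9.1.7 Verify User/Group Ownership on /etc/shadow (Scored)
  file: >
    path=/etc/shadow
    owner=root
    group=root
  tags:
    - scored
    - section9.1
    - section9.1.7

- name: 9.1.8 Verify User/Group Ownership on /etc/gshadow (Scored)
  file: >
    path=/etc/gshadow
    owner=root
    group=root
  tags:
    - scored
    - section9.1
    - section9.1.8

- name: 9.1.9 Verify User/Group Ownership on /etc/group (Scored)
  file: >
    path=/etc/group
    owner=root
    group=root
  tags:
    - scored
    - section9.1
    - section9.1.9

# 9.1.10 - 9.1.12 -- filesystem sweeps, gated on verify_find because they walk
# every local mount (df --local, one find per mount point, -xdev).  They only
# report: the output is registered and the task shows "changed" when anything
# was found, instead of on every run as before.  Nothing is fixed
# automatically; review the list by hand.
- name: 9.1.10 Find World Writable Files (Not Scored)
  shell: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002"
  register: result9_1_10
  changed_when: "result9_1_10.stdout"
  when: verify_find
  tags:
    - notscored
    - section9.1
    - section9.1.10

- name: 9.1.11 Find Un-owned Files and Directories (Scored)
  shell: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls"
  register: result9_1_11
  changed_when: "result9_1_11.stdout"
  when: verify_find
  tags:
    - scored
    - section9.1
    - section9.1.11

- name: 9.1.12 Find Un-grouped Files and Directories (Scored)
  shell: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls"
  register: result9_1_12
  changed_when: "result9_1_12.stdout"
  when: verify_find
  tags:
    - scored
    - section9.1
    - section9.1.12

# 9.1.13 / 9.1.14 -- both tasks run the identical command: they verify the RPM
# that owns /usr/bin/sudo, not the set of SUID or SGID binaries on the system
# (a real sweep would enumerate -perm -4000 / -perm -2000 files and verify
# each owning package).  rpm -V exits non-zero whenever any file of the
# package differs, e.g. a locally edited /etc/sudoers, so the result is
# surfaced as failed/changed but does not abort the play (ignore_errors), the
# same convention the 9.2.x checks use.
- name: 9.1.13 Find SUID System Executables (Not Scored)
  shell: '/bin/rpm -V `/bin/rpm -qf /usr/bin/sudo`'
  register: suid
  failed_when: suid.rc != 0
  changed_when: suid.rc != 0
  ignore_errors: yes
  when: verify_rpm
  tags:
    - notscored
    - section9.1
    - section9.1.13

- name: 9.1.14 Find SGID System Executables (Not Scored)
  shell: '/bin/rpm -V `/bin/rpm -qf /usr/bin/sudo`'
  register: sgid
  failed_when: sgid.rc != 0
  changed_when: sgid.rc != 0
  ignore_errors: yes
  when: verify_rpm
  tags:
    - notscored
    - section9.1
    - section9.1.14

# 9.2.x -- account database sanity checks.  These are report-only: always_run
# lets them execute in check mode, and "changed" means something was found.

# Lists accounts whose shadow password field is empty (awk reads the file
# directly; no cat needed).
- name: 9.2.1 Ensure Password Fields are Not Empty (Scored)
  shell: /bin/awk -F':' '($2 == "" ) { print $1 " does not have a password "}' /etc/shadow
  register: result9_2_1
  changed_when: "result9_2_1.stdout"
  always_run: yes
  tags:
    - scored
    - section9.2
    - section9.2.1

# 9.2.2 - 9.2.4 -- grep exits 0 only when a legacy NIS "+" entry exists, which
# is the failure case; ignore_errors keeps the play going so the remaining
# checks still run and the failure stays visible in the summary.
- name: 9.2.2 Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored)
  shell: /bin/grep '^+:' /etc/passwd
  register: result9_2_2
  failed_when: result9_2_2.rc == 0
  changed_when: result9_2_2.rc == 0
  always_run: yes
  ignore_errors: yes
  tags:
    - scored
    - section9.2
    - section9.2.2

- name: 9.2.3 Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored)
  shell: /bin/grep '^+:' /etc/shadow
  register: result9_2_3
  failed_when: result9_2_3.rc == 0
  changed_when: result9_2_3.rc == 0
  always_run: yes
  ignore_errors: yes
  tags:
    - scored
    - section9.2
    - section9.2.3

- name: 9.2.4 Verify No Legacy "+" Entries Exist in /etc/group File (Scored)
  shell: /bin/grep '^+:' /etc/group
  register: result9_2_4
  failed_when: result9_2_4.rc == 0
  changed_when: result9_2_4.rc == 0
  always_run: yes
  ignore_errors: yes
  tags:
    - scored
    - section9.2
    - section9.2.4

# Prints every UID-0 account name except "root"; grep -v exits 0 (failure
# case) when such a line exists.  The previous "grep -qx root" only proved that
# root is *among* the UID-0 accounts and passed even with a second one present.
- name: 9.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
  shell: /bin/awk -F':' '($3 == 0) { print $1 }' /etc/passwd | grep -vx 'root'
  register: result9_2_5
  failed_when: result9_2_5.rc == 0
  changed_when: result9_2_5.rc == 0
  always_run: yes
  ignore_errors: yes
  tags:
    - scored
    - section9.2
    - section9.2.5

# 9.2.6 - 9.2.14 are still placeholders: a debug message and nothing else.
# They carry the "scored" tag, so a run limited to --tags scored reports them
# as executed although nothing was checked.
- name: 9.2.6 Ensure root PATH Integrity (Scored)
  debug: msg="*** To do later"
  tags:
    - scored
    - section9.2
    - section9.2.6

- name: 9.2.7 Check Permissions on User Home Directories (Scored)
  debug: msg="*** To do later"
  tags:
    - scored
    - section9.2
    - section9.2.7

- name: 9.2.8 Check User Dot File Permissions (Scored)
  debug: msg="*** To do later"
  tags:
    - scored
    - section9.2
    - section9.2.8

- name: 9.2.9 Check Permissions on User .netrc Files (Scored)
  debug: msg="*** To do later"
  tags:
    - scored
    - section9.2
    - section9.2.9

- name: 9.2.10 Check for Presence of User .rhosts Files (Scored)
  debug: msg="*** To do later"
  tags:
    - scored
    - section9.2
    - section9.2.10

- name: 9.2.11 Check Groups in /etc/passwd (Scored)
  debug: msg="*** To do later"
  tags:
    - scored
    - section9.2
    - section9.2.11

- name: 9.2.12 Check That Users Are Assigned Valid Home Directories (Scored)
  debug: msg="*** To do later"
  tags:
    - scored
    - section9.2
    - section9.2.12

- name: 9.2.13 Check User Home Directory Ownership (Scored)
  debug: msg="*** To do later"
  tags:
    - scored
    - section9.2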
# (last tag of the 9.2.13 placeholder task, which begins earlier in the file)
    - section9.2.13

# Placeholder: debug message only, no check performed yet.
- name: 9.2.14 Check for Duplicate UIDs (Scored)
  debug: msg="*** To do later"
  tags:
    - scored
    - section9.2
    - section9.2.14

# 9.2.15 - 9.2.19 are report-only checks: the command output is registered,
# "changed" signals that something was found, nothing is altered.  The
# "check-only" tag lets them be selected or excluded as a group.

# Group IDs that occur more than once in /etc/group, printed as group names.
- name: 9.2.15 Check for Duplicate GIDs (Scored)
  shell: for dupeID in $(cut -f3 -d":" /etc/group | sort | uniq -c | sort -n | awk ' $1 > 1 {print $2}'); do awk -F':' -v dupeid=$dupeID '$3 == dupeid {print $1}' /etc/group ; done
  register: result9_2_15
  changed_when: result9_2_15.stdout
  always_run: true
  tags:
    - scored
    - check-only
    - section9.2
    - section9.2.15

# User names that occur more than once in /etc/passwd.
- name: 9.2.16 Check for Duplicate User Names (Scored)
  shell: cut -f1 -d':' /etc/passwd | sort | uniq -c | sort -n | awk ' $1 > 1 {print $2}'
  register: result9_2_16
  changed_when: result9_2_16.stdout
  always_run: true
  tags:
    - scored
    - check-only
    - section9.2
    - section9.2.16

# Group names that occur more than once in /etc/group.
- name: 9.2.17 Check for Duplicate Group Names (Scored)
  shell: cut -f1 -d':' /etc/group | sort | uniq -c | sort -n | awk ' $1 > 1 {print $2}'
  register: result9_2_17
  changed_when: result9_2_17.stdout
  always_run: true
  tags:
    - scored
    - check-only
    - section9.2
    - section9.2.17

# 9.2.18 / 9.2.19 walk the home directory of every account whose shell is
# neither /sbin/nologin nor /bin/false and print the homes that contain a
# non-empty .netrc / .forward.  The loop uses bash "[[ ]]" under the shell
# module, so it relies on /bin/sh being bash (true on RHEL); home paths with
# whitespace would be split by the unquoted $(...) expansion.
- name: 9.2.18 Check for Presence of User .netrc Files (Scored)
  shell: for h in $(/bin/awk -F':' '$7 !~ /\/sbin\/nologin/ && $7 !~ /\/bin\/false/ { print $6 }' /etc/passwd); do if [[ -f $h/.netrc && -s $h/.netrc ]]; then echo $h; fi ; done
  register: result9_2_18
  changed_when: result9_2_18.stdout
  always_run: true
  tags:
    - scored
    - check-only
    - section9.2
    - section9.2.18

- name: 9.2.19 Check for Presence of User .forward Files (Scored)
  shell: for h in $(/bin/awk -F':' '$7 !~ /\/sbin\/nologin/ && $7 !~ /\/bin\/false/ { print $6 }' /etc/passwd); do if [[ -f $h/.forward && -s $h/.forward ]]; then echo $h; fi ; done
  register: result9_2_19
  changed_when: result9_2_19.stdout
  always_run: true
  tags:
    - scored
    - check-only
    - section9.2
    - section9.2.19

# Left in by the author for ad-hoc inspection of the 9.2.19 result:
# - debug: var=result9_2_19.stdout
#   tags:
#     - section9.2.19
--------------------------------------------------------------------------------
/roles/cis/tasks/section_09_level2.yml:
--------------------------------------------------------------------------------
---
#
# Copyright 2014 Major Hayden
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# The only Level 2 item in section 9; it is not automated here, the message
# points at the expected mechanisms (scheduled rpm -V / AIDE / manual review).
- name: 9.1.1 Verify system file permissions (Not Scored)
  debug: msg="Check via cron/manually/AIDE."
  tags:
    - notscored
    - section9.1
    - section9.1.1
--------------------------------------------------------------------------------
/roles/cis/vars/main.yml:
--------------------------------------------------------------------------------
---
# vars file for .

--------------------------------------------------------------------------------
/secrets.tgz.enc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/major/cis-rhel-ansible/c5338357f7d72ab2b147205d7e9a9672bb2057ad/secrets.tgz.enc
--------------------------------------------------------------------------------
/test-hosts:
--------------------------------------------------------------------------------
[raxhosts]
--------------------------------------------------------------------------------
/test-rackspace.yml:
--------------------------------------------------------------------------------
---
# CI harness: build a throw-away Rackspace server, run the CIS playbook on it
# from inside the VM, then delete the server again.  The .pyrax credentials
# file and travis-key are not part of the repository; they presumably come
# from the encrypted secrets bundle the CI job unpacks before this runs.

# Play 1: create the server (local API call, no facts needed).
- hosts: localhost
  connection: local
  gather_facts: false
  tasks:

    - name: Build a new cloud server
      action:
        module: rax
        credentials: .pyrax
        name: "cis-rhel-ansible-testing"
        flavor: general1-2
        image: aa68fd54-2f9a-42c3-9901-4035e2738830
        key_name: travis-key
        wait: true
        region: IAD
        state: present
        networks:
          - private
          - public
        group: raxhosts
      register: rax

    # Make the fresh instance addressable by the plays below.
    - name: Add new instance to host group
      local_action:
        module: add_host
        hostname: "{{ item.accessIPv4 }}"
        groupname: raxhosts
      with_items: rax.instances

# Play 2: block until sshd answers (up to 300 s); no facts, the host may not be
# fully up yet.
- name: Wait for server to come online
  hosts: raxhosts
  user: root
  gather_facts: false
  tasks:

    - name: Wait for server to come online
      wait_for: >
        port=22
        timeout=300

# Play 3: the actual test, executed as root on the new server.
- name: Test the ansible playbook on the remote host
  hosts: raxhosts
  user: root
  tasks:

    # This is mainly to prevent shenanigans with people trying to hop
    # into the VM while it's building at travis-ci. ;)
    # Key-based access only; the regexp also catches the commented-out
    # default line.  sshd is restarted unconditionally right after.
    - name: Disable ssh authentication with passwords
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "^#?PasswordAuthentication"
        line: "PasswordAuthentication no"

    - name: Restart sshd
      service:
        name: sshd
        state: restarted

    # "latest" pulls whatever the distribution repository currently ships.
    - name: Install ansible
      yum:
        name: ansible
        state: latest

    - name: Make a directory to hold the ansible scripts
      file:
        path: /root/ansible-role-cis/
        state: directory

    # Ships the inventory, config, playbook and the whole roles tree.
    - name: Copy over files
      copy:
        src: "{{ item }}"
        dest: /root/ansible-role-cis/
      with_items:
        - ansible.cfg
        - hosts
        - playbook.yml
        - roles

    - name: Run the ansible playbook
      shell: "cd /root/ansible-role-cis && ansible-playbook -i hosts playbook.yml"

# Play 4: tear the server down.  The rax module expresses deletion as
# exact_count with count 0 for the named server group.
- hosts: localhost
  connection: local
  gather_facts: false
  tasks:

    - name: Delete the cloud server
      action:
        module: rax
        credentials: .pyrax
        name: "cis-rhel-ansible-testing"
        flavor: general1-2
        image: aa68fd54-2f9a-42c3-9901-4035e2738830
        key_name: travis-key
        wait: true
        region: IAD
        state: present
        group: raxhosts
        count: 0
        exact_count: true
        networks:
          - private
          - public
      register: rax
--------------------------------------------------------------------------------