├── .gitignore ├── README.md ├── ami_builder_event.json ├── ansible ├── README.md ├── playbook.yaml └── roles │ ├── alerts │ ├── tasks │ │ └── main.yaml │ └── templates │ │ └── genalerts.sh.j2 │ ├── cis │ ├── README.md │ ├── defaults │ │ └── main.yml │ ├── files │ │ ├── audit_1.6.1.6.sh │ │ ├── audit_6.2.10.sh │ │ ├── audit_6.2.11.sh │ │ ├── audit_6.2.12.sh │ │ ├── audit_6.2.13.sh │ │ ├── audit_6.2.14.sh │ │ ├── audit_6.2.15.sh │ │ ├── audit_6.2.16.sh │ │ ├── audit_6.2.17.sh │ │ ├── audit_6.2.18.sh │ │ ├── audit_6.2.19.sh │ │ ├── audit_6.2.6.sh │ │ ├── audit_6.2.7.sh │ │ ├── audit_6.2.8.sh │ │ └── audit_6.2.9.sh │ ├── handlers │ │ └── main.yml │ ├── tasks │ │ ├── level-1.yml │ │ ├── level-1 │ │ │ ├── 1.1.1.1.yml │ │ │ ├── 1.1.1.2.yml │ │ │ ├── 1.1.1.3.yml │ │ │ ├── 1.1.1.4.yml │ │ │ ├── 1.1.1.5.yml │ │ │ ├── 1.1.1.6.yml │ │ │ ├── 1.1.1.7.yml │ │ │ ├── 1.1.1.8.yml │ │ │ ├── 1.1.10.yml │ │ │ ├── 1.1.11.yml │ │ │ ├── 1.1.12.yml │ │ │ ├── 1.1.13.yml │ │ │ ├── 1.1.14.yml │ │ │ ├── 1.1.15.yml │ │ │ ├── 1.1.16.yml │ │ │ ├── 1.1.17.yml │ │ │ ├── 1.1.18.yml │ │ │ ├── 1.1.19.yml │ │ │ ├── 1.1.2.yml │ │ │ ├── 1.1.3.yml │ │ │ ├── 1.1.4.yml │ │ │ ├── 1.1.5.yml │ │ │ ├── 1.1.8.yml │ │ │ ├── 1.1.9.yml │ │ │ ├── 1.2.1.yml │ │ │ ├── 1.2.2.yml │ │ │ ├── 1.2.3.yml │ │ │ ├── 1.3.1.yml │ │ │ ├── 1.3.2.yml │ │ │ ├── 1.4.1.yml │ │ │ ├── 1.4.2.yml │ │ │ ├── 1.4.3.yml │ │ │ ├── 1.5.1.yml │ │ │ ├── 1.5.2.yml │ │ │ ├── 1.5.3.yml │ │ │ ├── 1.5.4.yml │ │ │ ├── 1.6.1.1.yml │ │ │ ├── 1.6.1.2.yml │ │ │ ├── 1.6.1.3.yml │ │ │ ├── 1.6.1.4.yml │ │ │ ├── 1.6.1.5.yml │ │ │ ├── 1.6.1.6.yml │ │ │ ├── 1.7.1.1.yml │ │ │ ├── 1.7.1.2.yml │ │ │ ├── 1.7.1.3.yml │ │ │ ├── 1.7.1.4.yml │ │ │ ├── 1.7.1.5.yml │ │ │ ├── 1.7.1.6.yml │ │ │ ├── 1.8.yml │ │ │ ├── 2.1.1.yml │ │ │ ├── 2.1.10.yml │ │ │ ├── 2.1.11.yml │ │ │ ├── 2.1.2.yml │ │ │ ├── 2.1.3.yml │ │ │ ├── 2.1.4.yml │ │ │ ├── 2.1.5.yml │ │ │ ├── 2.1.6.yml │ │ │ ├── 2.1.7.yml │ │ │ ├── 2.1.8.yml │ │ │ ├── 2.1.9.yml │ │ │ ├── 2.2.1.1.yml │ │ │ ├── 2.2.1.2.yml │ │ │ 
├── 2.2.1.3.yml │ │ │ ├── 2.2.10.yml │ │ │ ├── 2.2.11.yml │ │ │ ├── 2.2.12.yml │ │ │ ├── 2.2.13.yml │ │ │ ├── 2.2.14.yml │ │ │ ├── 2.2.15.yml │ │ │ ├── 2.2.16.yml │ │ │ ├── 2.2.2.yml │ │ │ ├── 2.2.3.yml │ │ │ ├── 2.2.4.yml │ │ │ ├── 2.2.5.yml │ │ │ ├── 2.2.6.yml │ │ │ ├── 2.2.7.yml │ │ │ ├── 2.2.8.yml │ │ │ ├── 2.2.9.yml │ │ │ ├── 2.3.1.yml │ │ │ ├── 2.3.2.yml │ │ │ ├── 2.3.3.yml │ │ │ ├── 2.3.4.yml │ │ │ ├── 2.3.5.yml │ │ │ ├── 3.1.1.yml │ │ │ ├── 3.1.2.yml │ │ │ ├── 3.2.1.yml │ │ │ ├── 3.2.2.yml │ │ │ ├── 3.2.3.yml │ │ │ ├── 3.2.4.yml │ │ │ ├── 3.2.5.yml │ │ │ ├── 3.2.6.yml │ │ │ ├── 3.2.7.yml │ │ │ ├── 3.2.8.yml │ │ │ ├── 3.3.1.yml │ │ │ ├── 3.3.2.yml │ │ │ ├── 3.3.3.yml │ │ │ ├── 3.4.1.yml │ │ │ ├── 3.4.2.yml │ │ │ ├── 3.4.3.yml │ │ │ ├── 3.4.4.yml │ │ │ ├── 3.4.5.yml │ │ │ ├── 3.5.1.yml │ │ │ ├── 3.5.2.yml │ │ │ ├── 3.5.3.yml │ │ │ ├── 3.5.4.yml │ │ │ ├── 3.6.1.yml │ │ │ ├── 3.6.2.yml │ │ │ ├── 3.6.3.yml │ │ │ ├── 3.6.4.yml │ │ │ ├── 3.6.5.yml │ │ │ ├── 4.2.1.1.yml │ │ │ ├── 4.2.1.2.yml │ │ │ ├── 4.2.1.3.yml │ │ │ ├── 4.2.1.4.yml │ │ │ ├── 4.2.1.5.yml │ │ │ ├── 4.2.2.1.yml │ │ │ ├── 4.2.2.2.yml │ │ │ ├── 4.2.2.3.yml │ │ │ ├── 4.2.2.4.yml │ │ │ ├── 4.2.2.5.yml │ │ │ ├── 4.2.3.yml │ │ │ ├── 4.2.4.yml │ │ │ ├── 4.3.yml │ │ │ ├── 5.1.1.yml │ │ │ ├── 5.1.2.yml │ │ │ ├── 5.1.3.yml │ │ │ ├── 5.1.4.yml │ │ │ ├── 5.1.5.yml │ │ │ ├── 5.1.6.yml │ │ │ ├── 5.1.7.yml │ │ │ ├── 5.1.8.yml │ │ │ ├── 5.2.1.yml │ │ │ ├── 5.2.10.yml │ │ │ ├── 5.2.11.yml │ │ │ ├── 5.2.12.yml │ │ │ ├── 5.2.13.yml │ │ │ ├── 5.2.14.yml │ │ │ ├── 5.2.15.yml │ │ │ ├── 5.2.16.yml │ │ │ ├── 5.2.2.yml │ │ │ ├── 5.2.3.yml │ │ │ ├── 5.2.4.yml │ │ │ ├── 5.2.5.yml │ │ │ ├── 5.2.6.yml │ │ │ ├── 5.2.7.yml │ │ │ ├── 5.2.8.yml │ │ │ ├── 5.2.9.yml │ │ │ ├── 5.3.1.yml │ │ │ ├── 5.3.2.yml │ │ │ ├── 5.3.3.yml │ │ │ ├── 5.3.4.yml │ │ │ ├── 5.4.1.1.yml │ │ │ ├── 5.4.1.2.yml │ │ │ ├── 5.4.1.3.yml │ │ │ ├── 5.4.1.4.yml │ │ │ ├── 5.4.2.yml │ │ │ ├── 5.4.3.yml │ │ │ ├── 5.4.4.yml │ │ │ ├── 5.5.yml │ │ │ ├── 6.1.1.yml │ │ │ 
├── 6.1.10.yml │ │ │ ├── 6.1.11.yml │ │ │ ├── 6.1.12.yml │ │ │ ├── 6.1.13.yml │ │ │ ├── 6.1.14.yml │ │ │ ├── 6.1.2.yml │ │ │ ├── 6.1.3.yml │ │ │ ├── 6.1.4.yml │ │ │ ├── 6.1.5.yml │ │ │ ├── 6.1.6.yml │ │ │ ├── 6.1.7.yml │ │ │ ├── 6.1.8.yml │ │ │ ├── 6.1.9.yml │ │ │ ├── 6.2.1.yml │ │ │ ├── 6.2.10.yml │ │ │ ├── 6.2.11.yml │ │ │ ├── 6.2.12.yml │ │ │ ├── 6.2.13.yml │ │ │ ├── 6.2.14.yml │ │ │ ├── 6.2.15.yml │ │ │ ├── 6.2.16.yml │ │ │ ├── 6.2.17.yml │ │ │ ├── 6.2.18.yml │ │ │ ├── 6.2.19.yml │ │ │ ├── 6.2.2.yml │ │ │ ├── 6.2.3.yml │ │ │ ├── 6.2.4.yml │ │ │ ├── 6.2.5.yml │ │ │ ├── 6.2.6.yml │ │ │ ├── 6.2.7.yml │ │ │ ├── 6.2.8.yml │ │ │ ├── 6.2.9.yml │ │ │ └── stat_sshd_config.yml │ │ ├── level-2.yml │ │ ├── level-2 │ │ │ ├── 4.1.1.2.yml │ │ │ ├── 4.1.1.3.yml │ │ │ ├── 4.1.10.yml │ │ │ ├── 4.1.11.yml │ │ │ ├── 4.1.13.yml │ │ │ ├── 4.1.14.yml │ │ │ ├── 4.1.15.yml │ │ │ ├── 4.1.16.yml │ │ │ ├── 4.1.17.yml │ │ │ ├── 4.1.18.yml │ │ │ ├── 4.1.2.yml │ │ │ ├── 4.1.4.yml │ │ │ ├── 4.1.5.yml │ │ │ ├── 4.1.6.yml │ │ │ ├── 4.1.7.yml │ │ │ ├── 4.1.8.yml │ │ │ ├── 4.1.9.yml │ │ │ └── 6.1.1.yml │ │ └── main.yml │ └── vars │ │ └── main.yml │ ├── clamav │ ├── defaults │ │ └── main.yaml │ ├── handlers │ │ └── main.yaml │ ├── tasks │ │ └── main.yaml │ └── templates │ │ ├── clamd.conf.j2 │ │ ├── clamd.defaults.j2 │ │ └── freshclam.conf.j2 │ ├── cloudwatchlogs │ ├── defaults │ │ └── main.yaml │ ├── tasks │ │ └── main.yaml │ └── templates │ │ ├── awscli.conf.j2 │ │ ├── awslogs.conf.j2 │ │ ├── awslogs.logging.conf.j2 │ │ └── genalerts.sh.j2 │ ├── common │ └── tasks │ │ └── main.yaml │ ├── lynis │ ├── defaults │ │ └── main.yaml │ ├── tasks │ │ └── main.yaml │ └── tests │ │ ├── inventory │ │ └── test.yaml │ └── ossec │ ├── defaults │ └── main.yaml │ ├── tasks │ └── main.yaml │ └── templates │ ├── internal_options.conf.j2 │ ├── local_internal_options.conf.j2 │ ├── ossec-init-script.j2 │ ├── ossec.conf.j2 │ ├── ossec@.service.j2 │ └── preloaded-vars.conf.j2 ├── buildspec.yml ├── cloudformation └── 
pipeline.yaml ├── images └── BriarV2.png └── packer_cis.json /.gitignore: -------------------------------------------------------------------------------- 1 | # Created by .ignore support plugin (hsz.mobi) 2 | .idea 3 | 4 | -------------------------------------------------------------------------------- /ami_builder_event.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "Source": "com.ami.builder", 4 | "DetailType": "AmiBuilder", 5 | "Detail": "{ \"AmiStatus\": \"Created\"}", 6 | "Resources": [ "<>" ] 7 | } 8 | ] -------------------------------------------------------------------------------- /ansible/README.md: -------------------------------------------------------------------------------- 1 | # Ansible notes 2 | 3 | Tried to use the public roles but they were configured for Amazon Linux and not Amazon Linux 2 LTS. 4 | 5 | Used the Amazon Linux CIS controls until the Linux 2 LTS version is ready. 6 | # CIS Controls whitepaper: http://bit.ly/2mGAmUc 7 | # AWS CIS Whitepaper: http://bit.ly/2m2Ovrh 8 | 9 | 10 | ## 11 | TODO remove unnecessary packages (httpd) 12 | 13 | This setup only forwards the logs to AWS CloudWatch; you need to run the rest of the 14 | CloudFormation script. 
Ahoolo 15 | 16 | This requires an instance profile with the following to send logs to AWS Cloudwatch 17 | ``` 18 | { 19 | "Version": "2012-10-17", 20 | "Statement": [ 21 | { 22 | "Effect": "Allow", 23 | "Action": [ 24 | "logs:CreateLogGroup", 25 | "logs:CreateLogStream", 26 | "logs:PutLogEvents", 27 | "logs:DescribeLogStreams" 28 | ], 29 | "Resource": [ 30 | "arn:aws:logs:*:*:*" 31 | ] 32 | } 33 | ] 34 | } 35 | ``` 36 | Ref 37 | https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AgentReference.html 38 | # Walk through on using this playbook 39 | -common role 40 | update any package 41 | -ossec 42 | 43 | this has multiple parts 44 | TODO: Setup this up later https://medium.com/@rafalwilinski/use-aws-lambda-sns-and-node-js-to-automatically-deploy-your-static-site-from-github-to-s3-9e0987a073ec 45 | -cloudwatch logs role 46 | logforwarder to cloudwatch 47 | 48 | 49 | 50 | 51 | TODO: 52 | Add 53 | https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html 54 | ### 55 | https://raw.githubusercontent.com/awslabs/ami-builder-packer/master/cloudformation/pipeline.yaml 56 | https://raw.githubusercontent.com/awslabs/hids-cloudwatchlogs-elasticsearch-template/master/cloudformation/hids-cwl-es.template 57 | 58 | 59 | ``` 60 | sudo yum install git -y 61 | ``` 62 | 63 | ``` 64 | git clone https://github.com/rbd80/Amazon_Linux_2.git 65 | ``` 66 | 67 | ``` 68 | cd Amazon_Linux_2 69 | 70 | ``` 71 | 72 | ``` 73 | sudo systemctl status clamd@scan 74 | ``` 75 | 76 | 77 | ``` 78 | sudo clamdscan --fdpass /var/log/* 79 | ``` 80 | 81 | 82 | 83 | 84 | 85 | 86 | ## References 87 | - dharrisio.aws-cloudwatch-logs-agent 88 | - anthcourtney.cis-amazon-linux 89 | - https://engineering.vena.io/2016/03/21/deploying-ossec-at-scale/ -------------------------------------------------------------------------------- /ansible/playbook.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | - hosts: localhost 3 | connection: local 4 | gather_facts: 
true # gather OS info that is made available for tasks/roles 5 | become: yes # majority of CIS tasks require root 6 | vars: 7 | # CIS Controls whitepaper: http://bit.ly/2mGAmUc 8 | # AWS CIS Whitepaper: http://bit.ly/2m2Ovrh 9 | # Tried to use anthcourtney.cis-amazon-linux but not ready for Amazon2 10 | # Cloned and modified 11 | 12 | cis_level_1_exclusions: 13 | # 3.4.2 and 3.4.3 effectively blocks access to all ports to the machine 14 | ## This can break automation; ignoring it as there are stronger mechanisms than that 15 | - 3.4.2 16 | - 3.4.3 17 | # Cloudwatch Logs will be used instead of Rsyslog/Syslog-ng 18 | ## Same would be true if any other software that doesn't support Rsyslog/Syslog-ng mechanisms 19 | - 4.2.1.4 20 | - 4.2.2.4 21 | - 4.2.2.5 22 | # Autofs is no longer installed and we need to ignore it or else will fail 23 | - 1.1.19 24 | # Possible Anisble errors: https://github.com/anthcourtney/ansible-role-cis-amazon-linux/issues/33 25 | - 3.6.2 26 | - 5.3.3 27 | #https://nordeus.com/blog/engineering/managing-iptables-with-ansible-the-easy-way/ 28 | #Donovan is lazy and does not want use pwd 29 | - 5.2.9 30 | cis_pass_max_days: 45 31 | cis_umask_default: 002 32 | # Cloudwatch Logs Role configuration 33 | logs: 34 | - file: /var/ossec/logs/ossec.log 35 | format: "%b %d %H:%M:%S" 36 | group_name: Host_Message 37 | - file: /var/ossec/logs/alerts/alerts.log 38 | format: "%b %d %H:%M:%S" 39 | group_name: HIDS_Alerts 40 | - file: /var/log/lynis.log 41 | format: "%b %d %H:%M:%S" 42 | group_name: Lynis 43 | - file: /var/log/messages 44 | format: "%b %d %H:%M:%S" 45 | group_name: Host_Message 46 | - file: /var/log/audit 47 | format: "%b %d %H:%M:%S" 48 | group_name: Host_Message 49 | awslogs_loglevel: info 50 | 51 | roles: 52 | - common 53 | - ossec 54 | # Hold off on clamav 55 | #- clamav 56 | #- cis 57 | - cloudwatchlogs 58 | - lynis 59 | - alerts 60 | 61 | 62 | 63 | -------------------------------------------------------------------------------- 
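/ansible/roles/alerts/tasks/main.yaml:
--------------------------------------------------------------------------------
---
# alerts role: install a script of deliberately noisy commands and run it
# once a week from cron so the alerting pipeline can be exercised end to end.

- name: "Get the Bad agents scripts"
  template:
    src: templates/genalerts.sh.j2
    # A script that root executes from cron must not live in /tmp: the
    # directory is world-writable and is typically subject to periodic
    # cleanup, which would silently stop the job. Install it under a
    # root-only path with owner root and mode 0700 so nobody else can read
    # or modify what root runs.
    dest: /usr/local/sbin/genalerts.sh
    owner: root
    group: root
    mode: "0700"

- name: "Run script to test alerts"
  cron:
    name: Run Bad agent scripts
    cron_file: genalerts.sh
    minute: 0
    hour: 12
    weekday: 0
    user: root
    # Run with bash: the script relies on $RANDOM and $[ ] arithmetic.
    job: "/bin/bash /usr/local/sbin/genalerts.sh"

--------------------------------------------------------------------------------
/ansible/roles/alerts/templates/genalerts.sh.j2:
--------------------------------------------------------------------------------
#!/bin/bash
# Alert-generation test script (see the alerts role): each line waits a
# random number of seconds and then performs one action that the alerting
# pipeline is expected to report. Installed and scheduled by the alerts role.
sleep $[ ( $RANDOM % 20 ) + 1 ]s && curl localhost/readme.txt?
sleep $[ ( $RANDOM % 10 ) + 1 ]s && sudo su -c whoami apache
sleep $[ ( $RANDOM % 50 ) + 1 ]s && sudo -u ec2-user cat /etc/shadow
sleep $[ ( $RANDOM % 10 ) + 1 ]s && sudo yum install -y htop
sleep $[ ( $RANDOM % 80 ) + 1 ]s && ssh admin@localhost echo '`whoami`'
sleep $[ ( $RANDOM % 10 ) + 1 ]s && curl localhost/~
sleep $[ ( $RANDOM % 10 ) + 1 ]s && telnet localhost 22 < /tmp
sleep $[ ( $RANDOM % 30 ) + 1 ]s && curl localhost/readme.txt?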
10 | sleep $[ ( $RANDOM % 18 ) + 1 ]s && sudo su -c whoami bob 11 | sleep $[ ( $RANDOM % 20 ) + 1 ]s && sudo yum remove -y htop* 12 | sleep $[ ( $RANDOM % 25 ) + 1 ]s && curl localhost 13 | sleep $[ ( $RANDOM % 45 ) + 1 ]s && ssh admin@localhost echo '`whoami`' 14 | sleep $[ ( $RANDOM % 30 ) + 1 ]s && sudo cat /etc/passwd 15 | sleep $[ ( $RANDOM % 15 ) + 1 ]s && telnet localhost 22 < /tmp -------------------------------------------------------------------------------- /ansible/roles/cis/defaults/main.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | ############################################### 5 | # Values which modify the behaviour of the role 6 | ############################################### 7 | 8 | cis_apply_level_1_profile: true # Whether Level 1 of the benchmark should be applied 9 | cis_apply_level_2_profile: false # Whether Level 2 of the benchmark should be applied 10 | 11 | cis_level_1_exclusions: [] # A list of Level 1 recommendations to exclude (i.e. ['1.1.1.1']) 12 | cis_level_2_exclusions: [] # A list of Level 2 recommendations to exclude 13 | 14 | # Whether to fail when remediation items are found for recommendations which can't be automatically fixed. 15 | # If false, a debug message will be generated instead, with the preface *** ACTION REQUIRED ***.. 16 | fail_on_manual_remediation_actions: false # True or false. 
17 | 18 | ############################################### 19 | # Check specific values which can be overridden 20 | ############################################### 21 | # 1.1.11 22 | cis_partition_dev_val_log: "/dev/xvda2" 23 | cis_partition_mnt_val_log: "/var/log" 24 | cis_partition_fs_val_log: "ext4" 25 | 26 | # 1.1.12 27 | cis_partition_dev_val_log_audit: "/dev/xvda3" 28 | cis_partition_mnt_val_log_audit: "/var/log/audit" 29 | cis_partition_fs_val_log_audit: "ext4" 30 | 31 | # 1.1.13 32 | cis_partition_dev_home: "/dev/xvda4" 33 | cis_partition_mnt_home: "/home" 34 | cis_partition_fs_home: "ext4" 35 | 36 | # 1.3.1 37 | cis_aide_database_filename: "/var/lib/aide/aide.db.gz" 38 | cis_aide_src_database_filename: "/var/lib/aide/aide.db.new.gz" 39 | 40 | # 1.3.2 41 | cis_aide_cron_user: "root" 42 | cis_aide_cron_job: "/usr/sbin/aide --check" 43 | cis_aide_cron_minute: 0 44 | cis_aide_cron_hour: 5 45 | cis_aide_cron_dow: "*" # Day of week 46 | cis_aide_cron_dom: "*" # Day of month 47 | cis_aide_cron_month: "*" 48 | 49 | # 1.7.1.2 50 | cis_local_login_warning_banner: "Authorized uses only. All activity may be monitored and reported.\n" 51 | # 1.7.1.3 52 | cis_remote_login_warning_banner: "Authorized uses only. All activity may be monitored and reported.\n" 53 | 54 | # 2.2.1.1 55 | # You should only enable either ntp or chrony, but not both. 56 | cis_enable_ntp: false # Set to true if ntp should be enabled/configured. 57 | cis_enable_chrony: true # Set to true if chrony should be enabled/configured. 58 | 59 | # 3.4.2 60 | cis_hosts_allow_all_ips: "127.0.0.1" 61 | 62 | # 4.2.3 63 | # You should only enable either rsyslog or syslog-ng, but not both. 64 | cis_enable_rsyslog: false # Set to true if rsyslog should be enabled/configured. 65 | cis_enable_syslog_ng: false # Set to true if syslog_ng should be enabled/configured. 66 | 67 | # 4.2.1.4 68 | cis_rsyslog_remote_loghost_address: "loghost.example.com" # Can be a hostname or IP address. 
If no forwarding should occur, exclude this check. 69 | 70 | # 4.2.1.5 71 | cis_rsyslog_accept_remote_messages: false # Set to true if the host should accept remote syslog messages. 72 | 73 | # 4.2.2.3 74 | cis_syslog_ng_file_perms: "0640" 75 | 76 | # 5.2.5 77 | cis_sshd_max_auth_tries: 4 78 | 79 | # 5.2.11 80 | cis_sshd_ciphers: "aes256-ctr,aes192-ctr,aes128-ctr" 81 | 82 | # 5.2.12 83 | cis_sshd_macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com" 84 | 85 | # 5.2.13 86 | cis_sshd_client_alive_interval: 300 87 | cis_sshd_client_alive_count_max: 0 88 | 89 | # 5.2.14 90 | cis_sshd_login_grace_time: 60 91 | 92 | # 5.2.15 93 | cis_sshd_allow_users: "ec2-user,root" # A comma-delimited list of users to allow ssh access to 94 | cis_sshd_allow_groups: "" # A comma-delimited list of groups ot allow ssh access to 95 | cis_sshd_deny_users: "" # A comma-delimited list of users to deny ssh access for 96 | cis_sshd_deny_groups: "" # A comma-delimited list of groups to deny ssh access for 97 | 98 | # 5.2.16 99 | cis_sshd_banner: "/etc/issue.net" 100 | 101 | # 5.3.1 102 | cis_pwquality_minlen: "14" # Minimum number of characters required for passwords 103 | cis_pwquality_dcredit: "-1" # At least one digit must be provided 104 | cis_pwquality_ucredit: "-1" # At least one uppercase character must be provided 105 | cis_pwquality_ocredit: "-1" # At least one special character must be provided 106 | cis_pwquality_lcredit: "-1" # At least one lowercase character must be provided 107 | 108 | # 5.4.1 109 | cis_pass_max_days: 90 110 | cis_pass_min_days: 7 111 | cis_pass_warn_age: 7 112 | cis_pass_inactive_lock: 30 113 | 114 | # 5.4.2 115 | cis_skip_lock_users: 116 | - root 117 | - halt 118 | - shutdown 119 | - sync 120 | 121 | # 5.4.4 122 | cis_umask_default: "027" 123 | cis_umask_shell_files: 124 | - /etc/bashrc 125 | - /etc/profile 126 | #- /etc/profile.d/custom.sh 127 | 128 | # 5.5 129 | 
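cis_wheel_group_members: "root,ec2-user"

--------------------------------------------------------------------------------
/ansible/roles/cis/files/audit_1.6.1.6.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# CIS 1.6.1.6 audit: list processes whose security context (ps -eZ) still
# contains "initrc", i.e. daemons that have not been confined. The output is
# informational; the role reports it as something to investigate.

out=$(ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }')
# Test the variable's value. Comparing the literal word `out` against "" is
# always true, so the warning would fire on every run regardless of findings.
if [[ -n "$out" ]]; then
    echo "Investigate the unconfined daemons found during the audit action"
    # Quoted so awk's one-process-per-line output is not flattened by
    # word splitting.
    echo "$out"
fi

--------------------------------------------------------------------------------
/ansible/roles/cis/files/audit_6.2.10.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# CIS 6.2.10 audit: report group- or other-writable dot files in the home
# directories of users with a login shell, excluding root/sync/halt/shutdown.

for dir in `cat /etc/passwd | egrep -v '^(root|sync|halt|shutdown):' | awk -F: '($7 != "/sbin/nologin") { print $6 }'`; do
    for file in $dir/.[A-Za-z0-9]*; do
        # Regular files only; symlinks are skipped.
        if [ ! -h "$file" -a -f "$file" ]; then
            fileperm=`ls -ld $file | cut -f1 -d" "`

            # Column 6 of the mode string is the group write bit.
            if [ `echo $fileperm | cut -c6 ` != "-" ]; then
                echo "Group Write permission set on file $file"
            fi
            # Column 9 is the other write bit.
            if [ `echo $fileperm | cut -c9 ` != "-" ]; then
                echo "Other Write permission set on file $file"
            fi
        fi
    done
done

--------------------------------------------------------------------------------
/ansible/roles/cis/files/audit_6.2.11.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# CIS 6.2.11 audit: report any regular (non-symlink) .forward file found in
# a home directory listed in /etc/passwd.

for dir in `cat /etc/passwd |\
awk -F: '{ print $6 }'`; do
    if [ ! -h "$dir/.forward" -a -f "$dir/.forward" ]; then
        echo ".forward file $dir/.forward exists"
    fi
done

--------------------------------------------------------------------------------
/ansible/roles/cis/files/audit_6.2.12.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# CIS 6.2.12 audit: report any regular (non-symlink) .netrc file found in
# a home directory listed in /etc/passwd.

for dir in `cat /etc/passwd |\
awk -F: '{ print $6 }'`; do
    if [ !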
-h "$dir/.netrc" -a -f "$dir/.netrc" ]; then 6 | echo ".netrc file $dir/.netrc exists" 7 | fi 8 | done 9 | -------------------------------------------------------------------------------- /ansible/roles/cis/files/audit_6.2.13.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | for dir in `cat /etc/passwd | egrep -v '(root|sync|halt|shutdown)' | awk -F: '($7 != "/sbin/nologin") { print $6 }'`; do 4 | for file in $dir/.netrc; do 5 | if [ ! -h "$file" -a -f "$file" ]; then 6 | fileperm=`ls -ld $file | cut -f1 -d" "` 7 | if [ `echo $fileperm | cut -c5 ` != "-" ]; then 8 | echo "Group Read set on $file" 9 | fi 10 | if [ `echo $fileperm | cut -c6 ` != "-" ]; then 11 | echo "Group Write set on $file" 12 | fi 13 | if [ `echo $fileperm | cut -c7 ` != "-" ]; then 14 | echo "Group Execute set on $file" 15 | fi 16 | if [ `echo $fileperm | cut -c8 ` != "-" ]; then 17 | echo "Other Read set on $file" 18 | fi 19 | if [ `echo $fileperm | cut -c9 ` != "-" ]; then 20 | echo "Other Write set on $file" 21 | fi 22 | if [ `echo $fileperm | cut -c10 ` != "-" ]; then 23 | echo "Other Execute set on $file" 24 | fi 25 | fi 26 | done 27 | done 28 | -------------------------------------------------------------------------------- /ansible/roles/cis/files/audit_6.2.14.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | for dir in `cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin") { print $6 }'`; do 4 | for file in $dir/.rhosts; do 5 | if [ ! 
-h "$file" -a -f "$file" ]; then 6 | echo ".rhosts file in $dir" 7 | fi 8 | done 9 | done 10 | -------------------------------------------------------------------------------- /ansible/roles/cis/files/audit_6.2.15.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | comm -23 <(cut -s -d: -f4 /etc/passwd | sort -u) <(cut -s -d: -f3 /etc/group | sort -u) | while read GROUP ; do 4 | echo "Group $GROUP is referenced by /etc/passwd but does not exist in /etc/group" 5 | done 6 | -------------------------------------------------------------------------------- /ansible/roles/cis/files/audit_6.2.16.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | FILE=/etc/passwd 4 | 5 | grep -v '^#' $FILE | cut -f3 -d":" | sort -n | uniq -d | while read DUPE ; do 6 | users=`awk -F: '($3 == n) { print $1 }' n="$DUPE" $FILE` 7 | echo "Duplicate UID ($DUPE): ${users}" 8 | done 9 | -------------------------------------------------------------------------------- /ansible/roles/cis/files/audit_6.2.17.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | FILE=/etc/group 4 | 5 | grep -v '^#' $FILE | cut -f3 -d":" | sort -n | uniq -d | while read DUPE ; do 6 | groups=`awk -F: '($3 == n) { print $1 }' n=$DUPE $FILE` 7 | echo "Duplicate GID ($DUPE): ${groups}" 8 | done 9 | -------------------------------------------------------------------------------- /ansible/roles/cis/files/audit_6.2.18.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | cat /etc/passwd | cut -f1 -d":" | sort -n | uniq -c | while read x ; do 4 | [ -z "${x}" ] && break 5 | set - $x 6 | if [ $1 -gt 1 ]; then 7 | uids=`awk -F: '($1 == n) { print $3 }' n=$2 /etc/passwd | xargs` 8 | echo "Duplicate User Name ($2): ${uids}" 9 | fi 10 | done 11 | 
-------------------------------------------------------------------------------- /ansible/roles/cis/files/audit_6.2.19.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | cat /etc/group | cut -f1 -d":" | sort -n | uniq -c | while read x ; do 4 | [ -z "${x}" ] && break 5 | set - $x 6 | if [ $1 -gt 1 ]; then 7 | gids=`gawk -F: '($1 == n) { print $3 }' n=$2 /etc/group | xargs` 8 | echo "Duplicate Group Name ($2): ${gids}" 9 | fi 10 | done 11 | -------------------------------------------------------------------------------- /ansible/roles/cis/files/audit_6.2.6.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [ "`echo $PATH | grep :: `" != "" ]; then 4 | echo "Empty Directory in PATH (::)" 5 | fi 6 | 7 | if [ "`echo $PATH | grep :$`" != "" ]; then 8 | echo "Trailing : in PATH" 9 | fi 10 | 11 | p=`echo $PATH | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g'` 12 | set -- $p 13 | while [ "$1" != "" ]; do 14 | if [ "$1" = "." ]; then 15 | echo "PATH contains ." 16 | shift 17 | continue 18 | fi 19 | if [ -d $1 ]; then 20 | dirperm=`ls -ldH $1 | cut -f1 -d" "` 21 | if [ `echo $dirperm | cut -c6 ` != "-" ]; then 22 | echo "Group Write permission set on directory $1" 23 | fi 24 | if [ `echo $dirperm | cut -c9 ` != "-" ]; then 25 | echo "Other Write permission set on directory $1" 26 | fi 27 | dirown=`ls -ldH $1 | awk '{print $3}'` 28 | if [ "$dirown" != "root" ] ; then 29 | echo $1 is not owned by root 30 | fi 31 | else 32 | echo $1 is not a directory 33 | fi 34 | shift 35 | done 36 | -------------------------------------------------------------------------------- /ansible/roles/cis/files/audit_6.2.7.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | cat /etc/passwd | awk -F: '{ print $1 " " $3 " " $6 }' | while read user uid dir; do 4 | if [ $uid -ge 500 -a ! 
-d "$dir" -a $user != "nfsnobody" ]; then 5 | echo "$user:$dir" 6 | fi 7 | done 8 | -------------------------------------------------------------------------------- /ansible/roles/cis/files/audit_6.2.8.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | for dir in `cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin") { print $6 }'`; do 4 | dirperm=`ls -ld $dir | cut -f1 -d" "` 5 | if [ `echo $dirperm | cut -c6 ` != "-" ]; then 6 | echo "Group Write permission set on directory $dir" 7 | fi 8 | if [ `echo $dirperm | cut -c8 ` != "-" ]; then 9 | echo "Other Read permission set on directory $dir" 10 | fi 11 | if [ `echo $dirperm | cut -c9 ` != "-" ]; then 12 | echo "Other Write permission set on directory $dir" 13 | fi 14 | if [ `echo $dirperm | cut -c10 ` != "-" ]; then 15 | echo "Other Execute permission set on directory $dir" 16 | fi 17 | done 18 | -------------------------------------------------------------------------------- /ansible/roles/cis/files/audit_6.2.9.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | cat /etc/passwd | awk -F: '{ print $1 " " $3 " " $6 }' | while read user uid dir; do 4 | if [ $uid -ge 500 -a -d "$dir" -a $user != "nfsnobody" ]; then 5 | owner=$(stat -L -c "%U" "$dir") 6 | if [ "$owner" != "$user" ]; then 7 | echo "$dir:$user:$owner" 8 | fi 9 | fi 10 | done 11 | -------------------------------------------------------------------------------- /ansible/roles/cis/handlers/main.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | - name: Restart sshd 5 | service: 6 | name: sshd 7 | state: restarted 8 | 9 | - name: Restart rsyslog 10 | service: 11 | name: rsyslog 12 | state: restarted 13 | 14 | - name: Restart auditd 15 | service: 16 | name: auditd 17 | state: restarted 18 | 
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/1.1.1.1.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Standards: 0.11 3 | 4 | # 1.1.1.1 - Ensure mounting of cramfs filesystems is disabled 5 | 6 | - name: 1.1.1.1 - Check if CIS modprobe configuration file exists 7 | stat: 8 | path: "{{ cis_modprobe_conf_filename }}" 9 | register: modprobe_1_1_1_1 10 | tags: 11 | - level-1 12 | - section-1 13 | - "1.1.1.1" 14 | - scored 15 | 16 | - name: 1.1.1.1 - Ensure mounting of cramfs filesystems is disabled 17 | copy: 18 | dest: "{{ cis_modprobe_conf_filename }}" 19 | content: "install cramfs /bin/true\n" 20 | when: modprobe_1_1_1_1.stat.exists is not defined or not modprobe_1_1_1_1.stat.exists 21 | tags: 22 | - level-1 23 | - section-1 24 | - "1.1.1.1" 25 | - scored 26 | 27 | - name: 1.1.1.1 - Ensure mounting of cramfs filesystems is disabled 28 | lineinfile: 29 | dest: "{{ cis_modprobe_conf_filename }}" 30 | regexp: "^install cramfs" 31 | line: "install cramfs /bin/true" 32 | when: modprobe_1_1_1_1.stat.exists is defined and modprobe_1_1_1_1.stat.exists 33 | tags: 34 | - level-1 35 | - section-1 36 | - "1.1.1.1" 37 | - scored 38 | 39 | -------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/1.1.1.2.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 1.1.1.2 - Ensure mounting of freevxfs filesystems is disabled 5 | 6 | - name: 1.1.1.2 - Check if CIS modprobe configuration file exists 7 | stat: 8 | path: "{{ cis_modprobe_conf_filename }}" 9 | register: modprobe_1_1_1_2 10 | tags: 11 | - level-1 12 | - section-1 13 | - "1.1.1.2" 14 | - scored 15 | 16 | - name: 1.1.1.2 - Ensure mounting of freevxfs filesystems is disabled 17 | copy: 18 | dest: "{{ cis_modprobe_conf_filename }}" 19 | content: "install freevxfs /bin/true\n" 20 | when: 
modprobe_1_1_1_2.stat.exists is not defined or not modprobe_1_1_1_2.stat.exists 21 | tags: 22 | - level-1 23 | - section-1 24 | - "1.1.1.2" 25 | - scored 26 | 27 | - name: 1.1.1.2 - Ensure mounting of freevxfs filesystems is disabled 28 | lineinfile: 29 | dest: "{{ cis_modprobe_conf_filename }}" 30 | regexp: "^install freevxfs" 31 | line: "install freevxfs /bin/true" 32 | when: modprobe_1_1_1_2.stat.exists is defined and modprobe_1_1_1_2.stat.exists 33 | tags: 34 | - level-1 35 | - section-1 36 | - "1.1.1.2" 37 | - scored 38 | 39 | -------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/1.1.1.3.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 1.1.1.3 - Ensure mounting of jffs2 filesystems is disabled 5 | 6 | - name: 1.1.1.3 - Check if CIS modprobe configuration file exists 7 | stat: 8 | path: "{{ cis_modprobe_conf_filename }}" 9 | register: modprobe_1_1_1_3 10 | tags: 11 | - level-1 12 | - section-1 13 | - "1.1.1.3" 14 | - scored 15 | 16 | - name: 1.1.1.3 - Ensure mounting of jffs2 filesystems is disabled 17 | copy: 18 | dest: "{{ cis_modprobe_conf_filename }}" 19 | content: "install jffs2 /bin/true\n" 20 | when: modprobe_1_1_1_3.stat.exists is not defined or not modprobe_1_1_1_3.stat.exists 21 | tags: 22 | - level-1 23 | - section-1 24 | - "1.1.1.3" 25 | - scored 26 | 27 | - name: 1.1.1.3 - Ensure mounting of jffs2 filesystems is disabled 28 | lineinfile: 29 | dest: "{{ cis_modprobe_conf_filename }}" 30 | regexp: "^install jffs2" 31 | line: "install jffs2 /bin/true" 32 | when: modprobe_1_1_1_3.stat.exists is defined and modprobe_1_1_1_3.stat.exists 33 | tags: 34 | - level-1 35 | - section-1 36 | - "1.1.1.3" 37 | - scored 38 | -------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/1.1.1.4.yml: -------------------------------------------------------------------------------- 1 
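# Standards: 0.11
---

# 1.1.1.4 - Ensure mounting of hfs filesystems is disabled

- name: 1.1.1.4 - Check if CIS modprobe configuration file exists
  stat:
    path: "{{ cis_modprobe_conf_filename }}"
  register: modprobe_1_1_1_4
  tags:
    - level-1
    - section-1
    - "1.1.1.4"
    - scored

# File absent: create it with this single entry.
- name: 1.1.1.4 - Ensure mounting of hfs filesystems is disabled
  copy:
    dest: "{{ cis_modprobe_conf_filename }}"
    content: "install hfs /bin/true\n"
  when: modprobe_1_1_1_4.stat.exists is not defined or not modprobe_1_1_1_4.stat.exists
  tags:
    - level-1
    - section-1
    - "1.1.1.4"
    - scored

# File present: manage only our line. The trailing \s+ stops the pattern from
# also matching the "install hfsplus" entry managed by 1.1.1.5.
- name: 1.1.1.4 - Ensure mounting of hfs filesystems is disabled
  lineinfile:
    dest: "{{ cis_modprobe_conf_filename }}"
    regexp: "^install hfs\\s+"
    line: "install hfs /bin/true"
  when: modprobe_1_1_1_4.stat.exists is defined and modprobe_1_1_1_4.stat.exists
  tags:
    - level-1
    - section-1
    - "1.1.1.4"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.1.1.5.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.1.1.5 - Ensure mounting of hfsplus filesystems is disabled

- name: 1.1.1.5 - Check if CIS modprobe configuration file exists
  stat:
    path: "{{ cis_modprobe_conf_filename }}"
  register: modprobe_1_1_1_5
  tags:
    - level-1
    - section-1
    - "1.1.1.5"
    - scored

# File absent: create it with this single entry.
- name: 1.1.1.5 - Ensure mounting of hfsplus filesystems is disabled
  copy:
    dest: "{{ cis_modprobe_conf_filename }}"
    content: "install hfsplus /bin/true\n"
  when: modprobe_1_1_1_5.stat.exists is not defined or not modprobe_1_1_1_5.stat.exists
  tags:
    - level-1
    - section-1
    - "1.1.1.5"
    - scored

# File present: manage only our line.
- name: 1.1.1.5 - Ensure mounting of hfsplus filesystems is disabled
  lineinfile:
    dest: "{{ cis_modprobe_conf_filename }}"
    regexp: "^install hfsplus"
    line: "install hfsplus /bin/true"
  when: modprobe_1_1_1_5.stat.exists is defined and modprobe_1_1_1_5.stat.exists
  tags:
    - level-1
    - section-1
    - "1.1.1.5"
    - scored

--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.1.1.6.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.1.1.6 - Ensure mounting of squashfs filesystems is disabled

- name: 1.1.1.6 - Check if CIS modprobe configuration file exists
  stat:
    path: "{{ cis_modprobe_conf_filename }}"
  register: modprobe_1_1_1_6
  tags:
    - level-1
    - section-1
    - "1.1.1.6"
    - scored

# File absent: create it with this single entry.
- name: 1.1.1.6 - Ensure mounting of squashfs filesystems is disabled
  copy:
    dest: "{{ cis_modprobe_conf_filename }}"
    content: "install squashfs /bin/true\n"
  when: modprobe_1_1_1_6.stat.exists is not defined or not modprobe_1_1_1_6.stat.exists
  tags:
    - level-1
    - section-1
    - "1.1.1.6"
    - scored

# File present: manage only our line.
- name: 1.1.1.6 - Ensure mounting of squashfs filesystems is disabled
  lineinfile:
    dest: "{{ cis_modprobe_conf_filename }}"
    regexp: "^install squashfs"
    line: "install squashfs /bin/true"
  when: modprobe_1_1_1_6.stat.exists is defined and modprobe_1_1_1_6.stat.exists
  tags:
    - level-1
    - section-1
    - "1.1.1.6"
    - scored

--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.1.1.7.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.1.1.7 - Ensure mounting of udf filesystems is disabled

- name: 1.1.1.7 - Check if CIS modprobe configuration file exists
  stat:
    path: "{{ cis_modprobe_conf_filename }}"
  register: modprobe_1_1_1_7
  tags:
    - level-1
    - section-1
    - "1.1.1.7"
    - scored

# File absent: create it with this single entry.
- name: 1.1.1.7 - Ensure mounting of udf filesystems is disabled
  copy:
    dest: "{{ cis_modprobe_conf_filename }}"
    content: "install udf /bin/true\n"
  when: modprobe_1_1_1_7.stat.exists is not defined or not modprobe_1_1_1_7.stat.exists
  tags:
    - level-1
    - section-1
    - "1.1.1.7"
    - scored

# File present: manage only our line.
- name: 1.1.1.7 - Ensure mounting of udf filesystems is disabled
  lineinfile:
    dest: "{{ cis_modprobe_conf_filename }}"
    regexp: "^install udf"
    line: "install udf /bin/true"
  when: modprobe_1_1_1_7.stat.exists is defined and modprobe_1_1_1_7.stat.exists
  tags:
    - level-1
    - section-1
    - "1.1.1.7"
    - scored

--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.1.1.8.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.1.1.8 - Ensure mounting of FAT filesystems is disabled

- name: 1.1.1.8 - Check if CIS modprobe configuration file exists
  stat:
    path: "{{ cis_modprobe_conf_filename }}"
  register: modprobe_1_1_1_8
  tags:
    - level-1
    - section-1
    - "1.1.1.8"
    - scored

# File absent: create it with this single entry.
- name: 1.1.1.8 - Ensure mounting of vfat filesystems is disabled
  copy:
    dest: "{{ cis_modprobe_conf_filename }}"
    content: "install vfat /bin/true\n"
  when: modprobe_1_1_1_8.stat.exists is not defined or not modprobe_1_1_1_8.stat.exists
  tags:
    - level-1
    - section-1
    - "1.1.1.8"
    - scored

# File present: manage only our line.
- name: 1.1.1.8 - Ensure mounting of vfat filesystems is disabled
  lineinfile:
    dest: "{{ cis_modprobe_conf_filename }}"
    regexp: "^install vfat"
    line: "install vfat /bin/true"
  when: modprobe_1_1_1_8.stat.exists is defined and modprobe_1_1_1_8.stat.exists
  tags:
    - level-1
    - section-1
    - "1.1.1.8"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.1.10.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.1.10 Ensure noexec option set on /var/tmp partition

# Loops over every mounted filesystem and acts only on /var/tmp; union() keeps the
# options already present and adds noexec once. state=mounted updates fstab and
# (re)mounts. Skipped entirely when /var/tmp is not a separate mount.
- name: 1.1.10 - Ensure noexec option set on /var/tmp partition
  mount:
    name: "{{ item.mount }}"
    state: mounted
    fstype: "{{ item.fstype }}"
    src: "{{ item.device }}"
    opts: "{{ item.options.split(',') | union(['noexec']) | join(',') }}"
  when: item.mount == '/var/tmp'
  with_items: "{{ ansible_mounts }}"
  tags:
    - level-1
    - section-1
    - "1.1.10"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.1.11.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.1.11 Ensure separate partition exists for /var/log (Scored)

# state=present only records the fstab entry; the device must already exist and
# is not mounted by this task.
- name: 1.1.11 Ensure separate partition exists for /var/log (Scored)
  mount:
    name: "{{ item.mountpoint }}"
    state: present
    fstype: "{{ item.fstype }}"
    src: "{{ item.device }}"
  with_items:
    - { mountpoint: "{{ cis_partition_mnt_val_log }}", device: "{{ cis_partition_dev_val_log }}", fstype: "{{ cis_partition_fs_val_log }}" }
  tags:
    - level-1
    - section-1
    - "1.1.11"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.1.12.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.1.12 Ensure separate partition exists for /var/log/audit (Scored)

# state=present only records the fstab entry; the device must already exist and
# is not mounted by this task.
- name: 1.1.12 Ensure separate partition exists for /var/log/audit (Scored)
  mount:
    name: "{{ item.mountpoint }}"
    state: present
    fstype: "{{ item.fstype }}"
    src: "{{ item.device }}"
  with_items:
    - { mountpoint: "{{ cis_partition_mnt_val_log_audit }}", device: "{{ cis_partition_dev_val_log_audit }}", fstype: "{{ cis_partition_fs_val_log_audit }}" }
  tags:
    - level-1
    - section-1
    # Was "1.1.11" (copy/paste); the control tag must match this file.
    - "1.1.12"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.1.13.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.1.13 Ensure separate partition exists for /home (Scored)

# state=present only records the fstab entry; the device must already exist and
# is not mounted by this task.
- name: 1.1.13 Ensure separate partition exists for /home (Scored)
  mount:
    name: "{{ item.mountpoint }}"
    state: present
    fstype: "{{ item.fstype }}"
    src: "{{ item.device }}"
  with_items:
    - { mountpoint: "{{ cis_partition_mnt_home }}", device: "{{ cis_partition_dev_home }}", fstype: "{{ cis_partition_fs_home }}" }
  tags:
    - level-1
    - section-1
    # Was "1.1.11" (copy/paste); the control tag must match this file.
    - "1.1.13"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.1.14.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.1.14 Ensure nodev option set on /home partition

# Acts only on the /home mount; union() preserves existing options. Skipped when
# /home is not a separate mount.
- name: 1.1.14 - Ensure nodev option set on /home partition
  mount:
    name: "{{ item.mount }}"
    state: mounted
    fstype: "{{ item.fstype }}"
    src: "{{ item.device }}"
    opts: "{{ item.options.split(',') | union(['nodev']) | join(',') }}"
  when: item.mount == '/home'
  with_items: "{{ ansible_mounts }}"
  tags:
    - level-1
    - section-1
    - "1.1.14"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.1.15.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.1.15 Ensure nodev option set on /dev/shm partition

# Acts only on the /dev/shm mount; union() preserves existing options.
- name: 1.1.15 - Ensure nodev option set on /dev/shm partition
  mount:
    name: "{{ item.mount }}"
    state: mounted
    fstype: "{{ item.fstype }}"
    src: "{{ item.device }}"
    opts: "{{ item.options.split(',') | union(['nodev']) | join(',') }}"
  when: item.mount == '/dev/shm'
  with_items: "{{ ansible_mounts }}"
  tags:
    - level-1
    - section-1
    - "1.1.15"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.1.16.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.1.16 Ensure nosuid option set on /dev/shm partition

# Acts only on the /dev/shm mount; union() preserves existing options.
- name: 1.1.16 - Ensure nosuid option set on /dev/shm partition
  mount:
    name: "{{ item.mount }}"
    state: mounted
    fstype: "{{ item.fstype }}"
    src: "{{ item.device }}"
    opts: "{{ item.options.split(',') | union(['nosuid']) | join(',') }}"
  when: item.mount == '/dev/shm'
  with_items: "{{ ansible_mounts }}"
  tags:
    - level-1
    - section-1
    - "1.1.16"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.1.17.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.1.17 Ensure noexec option set on /dev/shm partition

# Acts only on the /dev/shm mount; union() preserves existing options.
- name: 1.1.17 - Ensure noexec option set on /dev/shm partition
  mount:
    name: "{{ item.mount }}"
    state: mounted
    fstype: "{{ item.fstype }}"
    src: "{{ item.device }}"
    opts: "{{ item.options.split(',') | union(['noexec']) | join(',') }}"
  when: item.mount == '/dev/shm'
  with_items: "{{ ansible_mounts }}"
  tags:
    - level-1
    - section-1
    - "1.1.17"
    - scored
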
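--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.1.18.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.1.18 Ensure sticky bit is set on all world-writable directories

# Walks every local filesystem (df --local) without crossing mount points (-xdev)
# and sets the sticky bit on world-writable directories that do not yet have it
# (! -perm -1000, the CIS audit predicate), so repeated runs only touch what is
# still non-compliant. NUL-delimited piping keeps names containing whitespace
# intact, and xargs -r avoids running chmod with no operands (which exits non-zero).
- name: 1.1.18 - Ensure sticky bit is set on all world-writable directories
  shell: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 ! -perm -1000 -print0 2>/dev/null | xargs -0 -r chmod a+t"
  tags:
    - level-1
    - section-1
    - "1.1.18"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.1.19.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.1.19 - Disable Automounting

# ignore_errors masks every failure of this task, so the failed_when expression
# only changes how the result is reported, never whether the play continues.
- name: 1.1.19 - Disable autofs
  service:
    name: autofs
    enabled: false
    state: stopped
  ignore_errors: true
  register: autofs_result
  failed_when: "autofs_result.failed and 'no service or tool found for: autofs' not in autofs_result.msg"
  tags:
    - level-1
    # section-1 added for consistency with the sibling 1.1.x tasks.
    - section-1
    - "1.1.19"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.1.2.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.1.2 Ensure separate partition exists for /tmp (Scored)

# Records a tmpfs entry for /tmp in fstab only (state=present); nothing is mounted
# here, so the change is effective after the next mount/reboot.
- name: 1.1.2 - Ensure separate partition exists for /tmp (Scored)
  mount:
    name: "{{ item.mountpoint }}"
    state: present
    fstype: "{{ item.fstype }}"
    src: "{{ item.device }}"
  with_items:
    - { mountpoint: '/tmp', device: 'tmpfs', fstype: 'tmpfs' }
  tags:
    - level-1
    - section-1
    - "1.1.2"
    - scored
--------------------------------------------------------------------------------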
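/ansible/roles/cis/tasks/level-1/1.1.3.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.1.3 Ensure nodev option set on /tmp partition

# Acts only on the /tmp mount; union() preserves existing options and adds nodev
# once. state=mounted updates fstab and (re)mounts. Skipped when /tmp is not a
# separate mount.
- name: 1.1.3 - Ensure nodev option set on /tmp partition
  mount:
    name: "{{ item.mount }}"
    state: mounted
    fstype: "{{ item.fstype }}"
    src: "{{ item.device }}"
    opts: "{{ item.options.split(',') | union(['nodev']) | join(',') }}"
  when: item.mount == '/tmp'
  with_items: "{{ ansible_mounts }}"
  tags:
    - level-1
    - section-1
    - "1.1.3"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.1.4.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.1.4 Ensure nosuid option set on /tmp partition

# Acts only on the /tmp mount; union() preserves existing options.
- name: 1.1.4 - Ensure nosuid option set on /tmp partition
  mount:
    name: "{{ item.mount }}"
    state: mounted
    fstype: "{{ item.fstype }}"
    src: "{{ item.device }}"
    opts: "{{ item.options.split(',') | union(['nosuid']) | join(',') }}"
  when: item.mount == '/tmp'
  with_items: "{{ ansible_mounts }}"
  tags:
    - level-1
    - section-1
    - "1.1.4"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.1.5.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.1.5 Ensure noexec option set on /tmp partition

# Acts only on the /tmp mount; union() preserves existing options.
- name: 1.1.5 - Ensure noexec option set on /tmp partition
  mount:
    name: "{{ item.mount }}"
    state: mounted
    fstype: "{{ item.fstype }}"
    src: "{{ item.device }}"
    opts: "{{ item.options.split(',') | union(['noexec']) | join(',') }}"
  when: item.mount == '/tmp'
  with_items: "{{ ansible_mounts }}"
  tags:
    - level-1
    - section-1
    - "1.1.5"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.1.8.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.1.8 Ensure nodev option set on /var/tmp partition

# Acts only on the /var/tmp mount; union() preserves existing options.
- name: 1.1.8 - Ensure nodev option set on /var/tmp partition
  mount:
    name: "{{ item.mount }}"
    state: mounted
    fstype: "{{ item.fstype }}"
    src: "{{ item.device }}"
    opts: "{{ item.options.split(',') | union(['nodev']) | join(',') }}"
  when: item.mount == '/var/tmp'
  with_items: "{{ ansible_mounts }}"
  tags:
    - level-1
    - section-1
    - "1.1.8"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.1.9.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.1.9 Ensure nosuid option set on /var/tmp partition

# Acts only on the /var/tmp mount; union() preserves existing options.
- name: 1.1.9 - Ensure nosuid option set on /var/tmp partition
  mount:
    name: "{{ item.mount }}"
    state: mounted
    fstype: "{{ item.fstype }}"
    src: "{{ item.device }}"
    opts: "{{ item.options.split(',') | union(['nosuid']) | join(',') }}"
  when: item.mount == '/var/tmp'
  with_items: "{{ ansible_mounts }}"
  tags:
    - level-1
    - section-1
    - "1.1.9"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.2.1.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.2.1 - Ensure package manager repositories are configured

# The remediation actions for this recommendation are site-specific, therefore we test that
# executing 'yum repolist' results in no errors.
# Read-only probe: a non-zero exit fails the task; it is never a "change".
- name: 1.2.1 - Verify that repositories are configured correctly
  command: yum repolist
  changed_when: false
  tags:
    - level-1
    - "1.2.1"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.2.2.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.2.2 Ensure GPG keys are configured

# The remediation actions for this recommendation are site-specific, therefore we test that
# executing the specified rpm command results in no errors.
# Read-only probe: never reported as a change.
- name: 1.2.2 - Ensure GPG keys are configured
  shell: rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
  changed_when: false
  tags:
    - level-1
    - "1.2.2"
    - scored

--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.2.3.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.2.3 - Ensure gpgcheck is globally activated

# Tagged like the tasks that consume yum_repos: without these tags a run limited
# with --tags 1.2.3 would skip this task and the replace task below would fail
# on an undefined yum_repos.
- name: 1.2.3 - Get all repos on remote host
  find:
    paths: "/etc/yum.repos.d"
    pattern: "*.repo"
  register: yum_repos
  tags:
    - level-1
    - "1.2.3"
    - scored

- name: 1.2.3 - Verify that gpgcheck is enabled in /etc/yum.conf
  lineinfile:
    regexp: "^gpgcheck"
    line: "gpgcheck=1"
    dest: "/etc/yum.conf"
  tags:
    - level-1
    - "1.2.3"
    - scored

# Only flips explicit gpgcheck=0 entries; repos with no gpgcheck line fall back
# to the global /etc/yum.conf setting enforced above.
- name: 1.2.3 - Verify that gpgcheck is enabled for all repositories in /etc/yum.repos.d
  replace:
    regexp: "^gpgcheck=0"
    replace: "gpgcheck=1"
    dest: "{{ item.path }}"
  with_items: "{{ yum_repos.files }}"
  tags:
    - level-1
    - "1.2.3"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.3.1.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.3.1 Ensure AIDE is installed

- name: 1.3.1 - Ensure AIDE is installed
  yum:
    name: aide
    state: present
  tags:
    - level-1
    - section-1
    - "1.3.1"
    - scored

- name: 1.3.1 - Check that aide database exists
  stat:
    path: "{{ cis_aide_database_filename }}"
  register: aide_1_3_1
  tags:
    - level-1
    - section-1
    - "1.3.1"
    - scored

# We expect that 'aide --init' has been run and the generated database has been moved.
# Both commands run, in order, only when the database is missing; the baseline
# therefore reflects the host at first run and is never regenerated here.
- name: 1.3.1 - Ensure aide database exists
  command: "{{ item }}"
  when: aide_1_3_1.stat.exists is not defined or not aide_1_3_1.stat.exists
  with_items:
    - "aide --init"
    - "mv {{ cis_aide_src_database_filename }} {{ cis_aide_database_filename }}"
  tags:
    - level-1
    - section-1
    - "1.3.1"
    - scored

--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.3.2.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.3.2 - Ensure filesystem integrity is regularly checked

- name: 1.3.2 - Ensure cron is installed
  yum:
    name: cronie
    state: present
  tags:
    - level-1
    - section-1
    - "1.3.2"
    - scored

# Schedule is fully variable-driven (cis_aide_cron_*); the entry is keyed on its
# name so re-runs update rather than duplicate it.
- name: 1.3.2 - Create cron entry to run aide filesystem integrity check regularly
  cron:
    name: "CIS 1.3.2 - Run aide filesystem integrity check"
    user: "{{ cis_aide_cron_user }}"
    job: "{{ cis_aide_cron_job }}"
    minute: "{{ cis_aide_cron_minute }}"
    hour: "{{ cis_aide_cron_hour }}"
    weekday: "{{ cis_aide_cron_dow }}"
    day: "{{ cis_aide_cron_dom }}"
    month: "{{ cis_aide_cron_month }}"
    state: present
  tags:
    - level-1
    - section-1
    - "1.3.2"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.4.1.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.4.1 Ensure permissions on bootloader config are configured

- name: 1.4.1 - Check if grub bootloader file exists
  stat:
    path: "{{ cis_grub_bootloader_filename }}"
  register: grub_1_4_1
  tags:
    - level-1
    - "1.4.1"
    - scored

# Symbolic mode strips group/other access while leaving the owner bits as found.
- name: 1.4.1 - Set permissions on grub configuration
  file:
    path: "{{ cis_grub_bootloader_filename }}"
    owner: root
    group: root
    mode: "og-rwx"
    state: file
  when: grub_1_4_1.stat.exists
  tags:
    - level-1
    - "1.4.1"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.4.2.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.4.2 - Ensure authentication is required for single user mode

- name: 1.4.2 - Check if sysconfig init file exists
  stat:
    path: "{{ cis_sysconfig_init_filename }}"
  register: sysconfig_init_1_4_2
  tags:
    - level-1
    - "1.4.2"
    - scored

# File absent: create it with this single setting (1.4.3 adds its own line later).
- name: 1.4.2 - Ensure authentication is required for single-user mode
  copy:
    dest: "{{ cis_sysconfig_init_filename }}"
    content: "SINGLE=/sbin/sulogin\n"
  when: sysconfig_init_1_4_2.stat.exists is not defined or not sysconfig_init_1_4_2.stat.exists
  tags:
    - level-1
    - "1.4.2"
    - scored

# File present: manage only the SINGLE= line.
- name: 1.4.2 - Ensure authentication is required for single-user mode
  lineinfile:
    dest: "{{ cis_sysconfig_init_filename }}"
    regexp: "^SINGLE="
    line: "SINGLE=/sbin/sulogin"
  when: sysconfig_init_1_4_2.stat.exists is defined and sysconfig_init_1_4_2.stat.exists
  tags:
    - level-1
    - "1.4.2"
    - scored

--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.4.3.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.4.3 - Ensure interactive boot is not enabled

- name: 1.4.3 - Check if sysconfig init file exists
  stat:
    path: "{{ cis_sysconfig_init_filename }}"
  register: sysconfig_init_1_4_3
  tags:
    - level-1
    - "1.4.3"
    - scored

# File absent: create it with this single setting.
- name: 1.4.3 - Ensure interactive boot is not enabled
  copy:
    dest: "{{ cis_sysconfig_init_filename }}"
    content: "PROMPT=no\n"
  when: sysconfig_init_1_4_3.stat.exists is not defined or not sysconfig_init_1_4_3.stat.exists
  tags:
    - level-1
    - "1.4.3"
    - scored

# File present: manage only the PROMPT= line.
- name: 1.4.3 - Ensure interactive boot is not enabled
  lineinfile:
    dest: "{{ cis_sysconfig_init_filename }}"
    regexp: "^PROMPT="
    line: "PROMPT=no"
  when: sysconfig_init_1_4_3.stat.exists is defined and sysconfig_init_1_4_3.stat.exists
  tags:
    - level-1
    - "1.4.3"
    - scored

--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.5.1.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.5.1 Ensure core dumps are restricted

- name: 1.5.1 - Check if security limits file exists
  stat:
    path: "{{ cis_security_limits_filename }}"
  register: security_limits_1_5_1
  tags:
    - level-1
    - "1.5.1"
    - scored

# File absent: create it with the single hard core limit.
- name: 1.5.1 - Ensure core dumps are restricted
  copy:
    dest: "{{ cis_security_limits_filename }}"
    content: "* hard core 0\n"
  when: security_limits_1_5_1.stat.exists is not defined or not security_limits_1_5_1.stat.exists
  tags:
    - level-1
    - "1.5.1"
    - scored

# File present: let pam_limits manage the entry in place.
- name: 1.5.1 - Ensure core dumps are restricted
  pam_limits:
    dest: "{{ cis_security_limits_filename }}"
    limit_item: "core"
    limit_type: "hard"
    domain: "*"
    value: "0"
  when: security_limits_1_5_1.stat.exists is defined and security_limits_1_5_1.stat.exists
  tags:
    - level-1
    - "1.5.1"
    - scored

# ignoreerrors tolerates unknown keys elsewhere in the sysctl config when it is reloaded.
- name: 1.5.1 - Prevent suid programs from dumping core
  sysctl:
    ignoreerrors: yes
    name: fs.suid_dumpable
    value: 0
    state: present
  tags:
    - level-1
    - "1.5.1"
    - scored

--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.5.2.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.5.2 Ensure XD/NX support is enabled

# grep exits 1 when the string is absent, which is the "not enabled" signal we
# evaluate below, not an error; failed_when: false reports that as ok rather
# than as an ignored failure.
- name: 1.5.2 - Check if XD/NX support is enabled
  shell: "dmesg | grep NX"
  register: dmesg_1_5_2
  check_mode: no
  changed_when: False
  failed_when: false
  tags:
    - level-1
    - "1.5.2"
    - not-scored

# Manual remediation: either fail the play or print an action item, chosen by
# fail_on_manual_remediation_actions.
- name: 1.5.2 - Ensure XD/NX support is enabled
  fail:
    msg: "Ensure XD/NX support is enabled."
  when:
    - "'NX (Execute Disable) protection: active' not in dmesg_1_5_2.stdout"
    - fail_on_manual_remediation_actions
  tags:
    - level-1
    - "1.5.2"
    - not-scored

- name: 1.5.2 - Ensure XD/NX support is enabled
  debug:
    msg: "*** ACTION REQUIRED *** Ensure XD/NX support is enabled."
  when:
    - "'NX (Execute Disable) protection: active' not in dmesg_1_5_2.stdout"
    - not fail_on_manual_remediation_actions
  tags:
    - level-1
    - "1.5.2"
    - not-scored

--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.5.3.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.5.3 Ensure address space layout randomization (ASLR) is enabled

# 2 = full randomization (stack, mmap, VDSO and brk).
- name: 1.5.3 - Ensure address space layout randomization is enabled
  sysctl:
    ignoreerrors: yes
    name: kernel.randomize_va_space
    value: 2
    state: present
  tags:
    - level-1
    - "1.5.3"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.5.4.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.5.4 Ensure prelink is disabled

# Read-only probe; rc != 0 simply means prelink is not installed.
- name: Check if prelink binary exists
  command: which prelink
  ignore_errors: true
  changed_when: false
  register: which_1_5_4
  tags:
    - level-1
    - "1.5.4"
    - scored

# Undo prelinking before the package goes, so binaries are restored to a state
# that file-integrity tooling (1.3.x) can verify.
- name: Restore prelinked binaries
  command: prelink -ua
  when: which_1_5_4.rc is defined and which_1_5_4.rc == 0
  tags:
    - level-1
    - "1.5.4"
    - scored

- name: Ensure prelink is disabled
  yum:
    name: prelink
    state: absent
  tags:
    - level-1
    - "1.5.4"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.6.1.1.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.6.1.1 Ensure SELinux is not disabled in bootloader configuration (Scored)

# Prerequisites carry the same tags as the control so a run limited with --tags
# still installs them before the selinux module is used.
- name: Install the SE Linux requirements - libselinux-python
  yum:
    name: libselinux-python
    state: installed
  tags:
    - level-1
    - section-1
    - "1.6.1.1"
    - scored

- name: Install the SE Linux requirements - policycoreutils-python
  yum:
    name: policycoreutils-python
    state: installed
  tags:
    - level-1
    - section-1
    - "1.6.1.1"
    - scored

# NOTE(review): the selinux module manages /etc/selinux/config only. A
# "selinux=0" or "enforcing=0" kernel parameter in the bootloader configuration,
# which is what this control audits, is not removed here — confirm it is covered
# elsewhere or add a GRUB_CMDLINE_LINUX cleanup.
- name: 1.6.1.1 Ensure SELinux is not disabled in bootloader configuration (Scored)
  selinux:
    policy: targeted
    state: enforcing
  tags:
    - level-1
    - section-1
    # Was "1.1.11" (copy/paste); the control tag must match this file.
    - "1.6.1.1"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.6.1.2.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.6.1.2 Ensure the SELinux state is enforcing (Scored)

- name: 1.6.1.2 Ensure the SELinux state is enforcing (Scored)
  selinux:
    policy: targeted
    state: enforcing
  tags:
    - level-1
    - section-1
    # Was "1.1.11" (copy/paste); the control tag must match this file.
    - "1.6.1.2"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.6.1.3.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.6.1.3 Ensure SELinux policy is configured (Scored)

- name: 1.6.1.3 Ensure SELinux policy is configured (Scored)
  selinux:
    policy: targeted
    state: enforcing
  tags:
    - level-1
    - section-1
    # Was "1.1.11" (copy/paste); the control tag must match this file.
    - "1.6.1.3"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.6.1.4.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.6.1.4 Ensure SETroubleshoot is not installed (Scored)

- name: 1.6.1.4 Ensure SETroubleshoot is not installed (Scored)
  yum:
    name: setroubleshoot
    state: removed
  tags:
    - level-1
    - section-1
    # Was "1.1.11" (copy/paste); the control tag must match this file.
    - "1.6.1.4"
    - scored
--------------------------------------------------------------------------------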
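/ansible/roles/cis/tasks/level-1/1.6.1.5.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.6.1.5 Ensure the MCS Translation Service (mcstrans) is not installed (Scored)

# Header, task name and tag previously said 1.6.1.4 / SETroubleshoot / "1.1.11"
# (copy/paste); the task itself removes mcstrans, which is control 1.6.1.5.
- name: 1.6.1.5 Ensure the MCS Translation Service (mcstrans) is not installed (Scored)
  yum:
    name: mcstrans
    state: removed
  tags:
    - level-1
    - section-1
    - "1.6.1.5"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.6.1.6.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.6.1.6 Ensure no unconfined daemons exist (Scored)

# Audit-only script: runs in check mode too (check_mode: no replaces the
# deprecated always_run used elsewhere in this role's history; 1.5.2 already uses
# check_mode) and is never reported as a change. Output lines are the findings.
- name: 1.6.1.6 Ensure no unconfined daemons exist (Scored)
  script: "{{ role_path }}/files/audit_1.6.1.6.sh"
  check_mode: no
  changed_when: False
  register: audit_1_6_1_6
  tags:
    - level-1
    - section-1
    - "1.6.1.6"
    - scored

# Manual remediation: fail the play or print an action item, chosen by
# fail_on_manual_remediation_actions.
- name: 1.6.1.6 Ensure no unconfined daemons exist (Scored)
  fail:
    msg: "{{ audit_1_6_1_6.stdout_lines }}"
  when:
    - audit_1_6_1_6.stdout_lines is defined and audit_1_6_1_6.stdout_lines|length > 0
    - fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-1
    - "1.6.1.6"
    - scored

- name: 1.6.1.6 Ensure no unconfined daemons exist (Scored)
  debug:
    msg: "*** ACTION REQUIRED *** {{ audit_1_6_1_6.stdout }}"
  when:
    - audit_1_6_1_6.stdout_lines is defined and audit_1_6_1_6.stdout_lines|length > 0
    - not fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-1
    - "1.6.1.6"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.7.1.1.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.7.1.1 Ensure message of the day is configured properly

# /etc/motd is dynamically generated by pam on login. The intention of this check is to ensure that OS
# information is not disclosed, therefore the more appropriate option is to ensure that the scripts which
# generate motd, and which are related to system information which would otherwise be
# displayed by mingetty options, are not present.
# On amazon linux, this is the 30-banner script within /etc/update-motd.d/
- name: 1.7.1.1 - Ensure mingetty options are not used within motd
  file:
    path: "/etc/update-motd.d/30-banner"
    state: absent
  tags:
    - level-1
    - "1.7.1.1"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.7.1.2.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.7.1.2 Ensure local login warning banner is configured properly

# Banner text comes from cis_local_login_warning_banner; the file is overwritten
# wholesale on every run.
- name: 1.7.1.2 - Ensure local login warning banner is configured properly
  copy:
    content: "{{ cis_local_login_warning_banner }}"
    dest: "/etc/issue"
  tags:
    - level-1
    - "1.7.1.2"
    - not-scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.7.1.3.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.7.1.3 Ensure remote login warning banner is configured properly

# Banner text comes from cis_remote_login_warning_banner; the file is overwritten
# wholesale on every run.
- name: 1.7.1.3 - Ensure remote login warning banner is configured properly
  copy:
    content: "{{ cis_remote_login_warning_banner }}"
    dest: "/etc/issue.net"
  tags:
    - level-1
    - "1.7.1.3"
    - not-scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.7.1.4.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.7.1.4 Ensure permissions on /etc/motd are configured

# Mode is quoted so YAML cannot reinterpret the leading zero; follow: yes applies
# the permissions to the target if /etc/motd is a symlink.
- name: 1.7.1.4 - Ensure permissions on /etc/motd are configured
  file:
    path: "/etc/motd"
    owner: root
    group: root
    mode: "0644"
    follow: yes
  tags:
    - level-1
    - "1.7.1.4"
    - not-scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.7.1.5.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.7.1.5 Ensure permissions on /etc/issue are configured

- name: 1.7.1.5 - Ensure permissions on /etc/issue are configured
  file:
    path: "/etc/issue"
    owner: root
    group: root
    mode: "0644"
  tags:
    - level-1
    - "1.7.1.5"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.7.1.6.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.7.1.6 Ensure permissions on /etc/issue.net are configured

- name: 1.7.1.6 - Ensure permissions on /etc/issue.net are configured
  file:
    path: "/etc/issue.net"
    owner: root
    group: root
    mode: "0644"
  tags:
    - level-1
    - "1.7.1.6"
    - not-scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/1.8.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 1.8 Ensure updates, patches, and additional security software are installed

# Full "yum update" of every package; gated behind full_upgrade because it can
# change kernel and service versions and is not appropriate for every run.
- name: 1.8 - Ensure updates, patches, and additional security software are installed
  yum:
    name: "*"
    state: latest
  when:
    - full_upgrade
  tags:
    - level-1
    - "1.8"
    - not-scored
--------------------------------------------------------------------------------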
/ansible/roles/cis/tasks/level-1/2.1.1.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.1.1 Ensure chargen services are not enabled 5 | 6 | - name: 2.1.1 - Ensure chargen services are not enabled 7 | service: 8 | name: "{{ item }}" 9 | enabled: false 10 | state: stopped 11 | with_items: 12 | - chargen-dgram 13 | - chargen-stream 14 | ignore_errors: true 15 | tags: 16 | - level-1 17 | - section-2 18 | - "2.1.1" 19 | - scored 20 | -------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/2.1.10.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.1.10 Ensure rsync server is not enabled 5 | 6 | - name: 2.1.10 - Ensure rsync server is not enabled 7 | service: 8 | name: "rsync" 9 | enabled: false 10 | state: stopped 11 | ignore_errors: true 12 | tags: 13 | - level-1 14 | - section-2 15 | - "2.1.10" 16 | - scored 17 | -------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/2.1.11.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.1.11 Ensure xinetd server is not enabled 5 | 6 | - name: 2.1.11 - Ensure xinetd server is not enabled 7 | service: 8 | name: "xinetd" 9 | enabled: false 10 | state: stopped 11 | ignore_errors: true 12 | tags: 13 | - level-1 14 | - section-2 15 | - "2.1.11" 16 | - scored 17 | -------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/2.1.2.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.1.2 Ensure daytime services are not enabled 5 | 6 | - name: 2.1.2 - Ensure daytime services are not enabled 7 | service: 8 | name: "{{ item }}" 9 | enabled: false 10 | state: stopped 11 | 
with_items: 12 | - daytime-dgram 13 | - daytime-stream 14 | ignore_errors: true 15 | tags: 16 | - level-1 17 | - section-2 18 | - "2.1.2" 19 | - scored 20 | -------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/2.1.3.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.1.3 Ensure discard services are not enabled 5 | 6 | - name: 2.1.3 - Ensure discard services are not enabled 7 | service: 8 | name: "{{ item }}" 9 | enabled: false 10 | state: stopped 11 | with_items: 12 | - discard-dgram 13 | - discard-stream 14 | ignore_errors: true 15 | tags: 16 | - level-1 17 | - section-2 18 | - "2.1.3" 19 | - scored 20 | -------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/2.1.4.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.1.4 Ensure echo services are not enabled 5 | 6 | - name: 2.1.4 - Ensure echo services are not enabled 7 | service: 8 | name: "{{ item }}" 9 | enabled: false 10 | state: stopped 11 | with_items: 12 | - echo-dgram 13 | - echo-stream 14 | ignore_errors: true 15 | tags: 16 | - level-1 17 | - section-2 18 | - "2.1.4" 19 | - scored 20 | -------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/2.1.5.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.1.5 Ensure time services are not enabled 5 | 6 | - name: 2.1.5 - Ensure time services are not enabled 7 | service: 8 | name: "{{ item }}" 9 | enabled: false 10 | state: stopped 11 | with_items: 12 | - time-dgram 13 | - time-stream 14 | ignore_errors: true 15 | tags: 16 | - level-1 17 | - section-2 18 | - "2.1.5" 19 | - scored 20 | -------------------------------------------------------------------------------- 
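/ansible/roles/cis/tasks/level-1/2.1.6.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 2.1.6 Ensure rsh server is not enabled

# The three legacy r-services are disabled as a set. ignore_errors covers hosts
# where a unit is simply not installed, but note that it also hides a genuine
# failure to stop a unit that is present.
- name: 2.1.6 - Ensure rsh server is not enabled
  service:
    name: "{{ item }}"
    enabled: false
    state: stopped
  with_items:
    - rexec
    - rlogin
    - rsh
  ignore_errors: true
  tags:
    - level-1
    - section-2
    - "2.1.6"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/2.1.7.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 2.1.7 Ensure talk server is not enabled

- name: 2.1.7 - Ensure talk server is not enabled
  service:
    name: "talk"
    enabled: false
    state: stopped
  ignore_errors: true
  tags:
    - level-1
    - section-2
    - "2.1.7"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/2.1.8.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 2.1.8 Ensure telnet server is not enabled

- name: 2.1.8 - Ensure telnet server is not enabled
  service:
    name: "telnet"
    enabled: false
    state: stopped
  ignore_errors: true
  tags:
    - level-1
    - section-2
    - "2.1.8"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/2.1.9.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 2.1.9 Ensure tftp server is not enabled

- name: 2.1.9 - Ensure tftp server is not enabled
  service:
    name: "tftp"
    enabled: false
    state: stopped
  ignore_errors: true
  tags:
    - level-1
    - section-2
    - "2.1.9"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/2.2.1.1.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 2.2.1.1 Ensure time synchronisation is in use

# Exactly one of cis_enable_ntp / cis_enable_chrony is expected to be true: the
# two conditions below are mutually exclusive, so if both flags are true (or
# both false) neither task runs and no time daemon is installed at all.
- name: 2.2.1.1 - Ensure ntp is installed
  package:
    name: "{{ item.name }}"
    state: "{{ item.state }}"
  when: cis_enable_ntp and not cis_enable_chrony
  with_items:
    - { name: "ntp", state: "present" }
    - { name: "chrony", state: "absent" }
  tags:
    - level-1
    # Was tagged section-4; 2.2.1.1 belongs to section 2 like its siblings, so a
    # run limited to --tags section-2 would otherwise skip it.
    - section-2
    - "2.2.1.1"
    - not-scored

- name: 2.2.1.1 - Ensure chrony is installed
  package:
    name: "{{ item.name }}"
    state: "{{ item.state }}"
  when: cis_enable_chrony and not cis_enable_ntp
  with_items:
    - { name: "ntp", state: "absent" }
    - { name: "chrony", state: "present" }
  tags:
    - level-1
    - section-2
    - "2.2.1.1"
    - not-scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/2.2.1.2.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 2.2.1.2 Ensure ntp is configured

# TODO: no remediation is implemented yet; 2.2.1.1 only installs the package,
# it does not restrict ntpd or configure time sources.
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/2.2.1.3.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 2.2.1.3 Ensure chrony is configured

# TODO: no remediation is implemented yet; 2.2.1.1 only installs the package,
# it does not configure chrony's time sources or run-as user.
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/2.2.10.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 2.2.10 Ensure HTTP server is not enabled

# Every common HTTP daemon unit name is tried; unknown units are tolerated via
# ignore_errors.
- name: 2.2.10 - Ensure HTTP server is not enabled
  service:
    name: "{{ item }}"
    enabled: false
    state: stopped
  with_items:
    - httpd
    - apache
    - apache2
    - nginx
    - lighttpd
  ignore_errors: true
  tags:
    - level-1
    - "2.2.10"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/2.2.11.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 2.2.11 Ensure IMAP and POP3 server is not enabled

- name: 2.2.11 - Ensure IMAP and POP3 server is not enabled
  service:
    name: "{{ item }}"
    enabled: false
    state: stopped
  with_items:
    - dovecot
    - cyrus-imapd
  ignore_errors: true
  tags:
    - level-1
    - "2.2.11"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/2.2.12.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 2.2.12 Ensure Samba is not enabled

- name: 2.2.12 - Ensure Samba is not enabled
  service:
    name: "smb"
    enabled: false
    state: stopped
  ignore_errors: true
  tags:
    - level-1
    - "2.2.12"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/2.2.13.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 2.2.13 Ensure HTTP Proxy Server is not enabled

- name: 2.2.13 - Ensure HTTP Proxy Server is not enabled
  service:
    name: "squid"
    enabled: false
    state: stopped
  ignore_errors: true
  tags:
    - level-1
    - "2.2.13"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/2.2.14.yml: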
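--------------------------------------------------------------------------------
# Standards: 0.11
---

# 2.2.14 Ensure SNMP Server is not enabled

- name: 2.2.14 - Ensure SNMP Server is not enabled
  service:
    name: "snmpd"
    enabled: false
    state: stopped
  ignore_errors: true
  tags:
    - level-1
    - "2.2.14"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/2.2.15.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 2.2.15 Ensure mail transfer agent is configured for local-only mode

# Collect every LISTEN socket on TCP port 25. grep exits 1 when nothing matches,
# so ignore_errors keeps an MTA-less host from failing the play; changed_when
# marks the probe as read-only so it never reports "changed".
- name: 2.2.15 - Check if mail transfer agent is configured for local-only mode
  shell: "netstat -an | grep LIST | grep ':25[[:space:]]'"
  register: mta_2_2_15
  changed_when: false
  ignore_errors: true
  tags:
    - level-1
    - "2.2.15"
    - scored

# A violation is any port-25 listener that is NOT bound to a loopback address
# (IPv4 127.0.0.1 or IPv6 ::1). The previous condition tested
# '127.0.0.1:25' not in stdout, which flagged "no listener at all" (empty
# output) and a loopback-only IPv6 listener as violations.
- name: 2.2.15 - Ensure mail transfer agent is configured for local-only mode
  fail:
    msg: "Detected mail transfer agent listening on non-loopback address."
  when:
    - mta_2_2_15.stdout_lines is defined
    - mta_2_2_15.stdout_lines | reject('search', '127\.0\.0\.1:25') | reject('search', '::1:25') | list | count > 0
    - fail_on_manual_remediation_actions
  tags:
    - level-1
    - "2.2.15"
    - scored

# Same check as above, but only reports when the operator has chosen not to
# fail the run on findings that need manual remediation.
- name: 2.2.15 - Ensure mail transfer agent is configured for local-only mode
  debug:
    msg: "*** ACTION REQUIRED *** Detected mail transfer agent listening on non-loopback address."
  when:
    - mta_2_2_15.stdout_lines is defined
    - mta_2_2_15.stdout_lines | reject('search', '127\.0\.0\.1:25') | reject('search', '::1:25') | list | count > 0
    - not fail_on_manual_remediation_actions
  tags:
    - level-1
    - "2.2.15"
    - scored

--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/2.2.16.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 2.2.16 Ensure NIS Server is not enabled

- name: 2.2.16 - Ensure NIS Server is not enabled
  service:
    name: "ypserv"
    enabled: false
    state: stopped
  ignore_errors: true
  tags:
    - level-1
    - "2.2.16"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/2.2.2.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 2.2.2 Ensure X Window System is not installed

# The glob removes every package whose name starts with xorg-x11.
- name: 2.2.2 - Ensure X Window System is not installed
  yum:
    name: "xorg-x11*"
    state: absent
  tags:
    - level-1
    - "2.2.2"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/2.2.3.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 2.2.3 Ensure Avahi Server is not enabled

- name: 2.2.3 - Ensure Avahi Server is not enabled
  service:
    name: "avahi-daemon"
    enabled: false
    state: stopped
  ignore_errors: true
  tags:
    - level-1
    - "2.2.3"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/2.2.4.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 2.2.4 Ensure CUPS is not enabled

- name: 2.2.4 - Ensure CUPS is not enabled
  service:
    name: "cups"
    enabled: false
    state: stopped
  ignore_errors: true
  tags:
    - level-1
    - "2.2.4"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/2.2.5.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 2.2.5 Ensure DHCP Server is not enabled

- name: 2.2.5 - Ensure DHCP Server is not enabled
  service:
    name: "dhcpd"
    enabled: false
    state: stopped
  ignore_errors: true
  tags:
    - level-1
    - "2.2.5"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/2.2.6.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 2.2.6 Ensure LDAP server is not enabled

- name: 2.2.6 - Ensure LDAP server is not enabled
  service:
    name: "slapd"
    enabled: false
    state: stopped
  ignore_errors: true
  tags:
    - level-1
    - "2.2.6"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/2.2.7.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 2.2.7 Ensure NFS and RPC are not enabled

- name: 2.2.7 - Ensure NFS and RPC are not enabled
  service:
    name: "{{ item }}"
    enabled: false
    state: stopped
  with_items:
    - nfs
    - rpcbind
  ignore_errors: true
  tags:
    - level-1
    - "2.2.7"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/2.2.8.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---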
4 | # 2.2.8 Ensure DNS Server is not enabled 5 | 6 | - name: 2.2.8 - Ensure DNS Server is not enabled 7 | service: 8 | name: "named" 9 | enabled: false 10 | state: stopped 11 | ignore_errors: true 12 | tags: 13 | - level-1 14 | - "2.2.8" 15 | - scored 16 | -------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/2.2.9.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.2.9 Ensure FTP Server is not enabled 5 | 6 | - name: 2.2.9 - Ensure FTP Server is not enabled 7 | service: 8 | name: "vsftpd" 9 | enabled: false 10 | state: stopped 11 | ignore_errors: true 12 | tags: 13 | - level-1 14 | - "2.2.9" 15 | - scored 16 | -------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/2.3.1.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.3.1 Ensure NIS Client is not installed 5 | 6 | - name: 2.3.1 - Ensure NIS Client is not installed 7 | yum: 8 | name: "ypbind" 9 | state: absent 10 | tags: 11 | - level-1 12 | - section-2 13 | - "2.3.1" 14 | - scored 15 | -------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/2.3.2.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.3.2 Ensure rsh client is not installed 5 | 6 | - name: 2.3.2 - Ensure rsh client is not installed 7 | yum: 8 | name: "rsh" 9 | state: absent 10 | tags: 11 | - level-1 12 | - section-2 13 | - "2.3.2" 14 | - scored 15 | -------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/2.3.3.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.3.3 Ensure talk client is not installed 5 | 6 | - name: 2.3.3 
- Ensure talk client is not installed 7 | yum: 8 | name: "talk" 9 | state: absent 10 | tags: 11 | - level-1 12 | - "2.3.3" 13 | - scored 14 | -------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/2.3.4.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.3.4 Ensure telnet client is not installed 5 | 6 | - name: 2.3.4 - Ensure telnet client is not installed 7 | yum: 8 | name: "telnet" 9 | state: absent 10 | tags: 11 | - level-1 12 | - section-2 13 | - "2.3.4" 14 | - scored 15 | -------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/2.3.5.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 2.3.5 Ensure LDAP client is not installed 5 | 6 | - name: 2.3.5 - Ensure LDAP client is not installed 7 | yum: 8 | name: "openldap-clients" 9 | state: absent 10 | tags: 11 | - level-1 12 | - section-2 13 | - "2.3.5" 14 | - scored 15 | -------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/3.1.1.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 3.1.1 Ensure IP forwarding is disabled 5 | 6 | - name: 3.1.1 - Ensure IP forwarding is disabled 7 | sysctl: 8 | name: net.ipv4.ip_forward 9 | value: 0 10 | state: present 11 | tags: 12 | - level-1 13 | - section-3 14 | - "3.1.1" 15 | - scored 16 | 17 | - name: 3.1.1 - Ensure IP forwarding is disabled in active kernel parameters 18 | command: "{{ item }}" 19 | with_items: 20 | - "sysctl -w net.ipv4.ip_forward=0" 21 | - "sysctl -w net.ipv4.route.flush=1" 22 | tags: 23 | - level-1 24 | - section-3 25 | - "3.1.1" 26 | - scored 27 | -------------------------------------------------------------------------------- 
/ansible/roles/cis/tasks/level-1/3.1.2.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 3.1.2 Ensure packet redirect sending is disabled 5 | 6 | - name: 3.1.2 - Ensure packet redirect sending is disabled 7 | sysctl: 8 | ignoreerrors: true 9 | name: "{{ item }}" 10 | value: 0 11 | state: present 12 | with_items: 13 | - "net.ipv4.conf.all.send_redirects" 14 | - "net.ipv4.conf.default.send_redirects" 15 | tags: 16 | - level-1 17 | - section-3 18 | - "3.1.2" 19 | - scored 20 | 21 | - name: 3.1.2 - Ensure packet redirect sending is disabled in active kernel parameters 22 | command: "{{ item }}" 23 | with_items: 24 | - "sysctl -w net.ipv4.conf.all.send_redirects=0" 25 | - "sysctl -w net.ipv4.conf.default.send_redirects=0" 26 | - "sysctl -w net.ipv4.route.flush=1" 27 | tags: 28 | - level-1 29 | - section-3 30 | - "3.1.2" 31 | - scored 32 | -------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/3.2.1.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 3.2.1 Ensure source routed packets are not accepted 5 | 6 | - name: 3.2.1 - Ensure source routed packets are not accepted 7 | sysctl: 8 | ignoreerrors: yes 9 | name: "{{ item }}" 10 | value: 0 11 | state: present 12 | with_items: 13 | - "net.ipv4.conf.all.accept_source_route" 14 | - "net.ipv4.conf.default.accept_source_route" 15 | tags: 16 | - level-1 17 | - section-3 18 | - "3.2.1" 19 | - scored 20 | 21 | - name: 3.2.1 - Ensure source routed packets are not accepted in active kernel parameters 22 | command: "{{ item }}" 23 | with_items: 24 | - "sysctl -w net.ipv4.conf.all.accept_source_route=0" 25 | - "sysctl -w net.ipv4.conf.default.accept_source_route=0" 26 | - "sysctl -w net.ipv4.route.flush=1" 27 | tags: 28 | - level-1 29 | - section-3 30 | - "3.2.1" 31 | - scored 32 | 
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/3.2.2.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 3.2.2 Ensure ICMP redirects are not accepted 5 | 6 | - name: 3.2.2 - Ensure ICMP redirects are not accepted 7 | sysctl: 8 | ignoreerrors: yes 9 | name: "{{ item }}" 10 | value: 0 11 | state: present 12 | with_items: 13 | - "net.ipv4.conf.all.accept_redirects" 14 | - "net.ipv4.conf.default.accept_redirects" 15 | tags: 16 | - level-1 17 | - section-3 18 | - "3.2.2" 19 | - scored 20 | 21 | - name: 3.2.2 - Ensure ICMP redirects are not accepted by active kernel parameters 22 | command: "{{ item }}" 23 | with_items: 24 | - "sysctl -w net.ipv4.conf.all.accept_redirects=0" 25 | - "sysctl -w net.ipv4.conf.default.accept_redirects=0" 26 | - "sysctl -w net.ipv4.route.flush=1" 27 | tags: 28 | - level-1 29 | - section-3 30 | - "3.2.2" 31 | - scored 32 | -------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/3.2.3.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 3.2.3 Ensure secure ICMP redirects are not accepted 5 | 6 | - name: 3.2.3 - Ensure secure ICMP redirects are not accepted 7 | sysctl: 8 | ignoreerrors: yes 9 | name: "{{ item }}" 10 | value: 0 11 | state: present 12 | with_items: 13 | - "net.ipv4.conf.all.secure_redirects" 14 | - "net.ipv4.conf.default.secure_redirects" 15 | tags: 16 | - level-1 17 | - section-3 18 | - "3.2.3" 19 | - scored 20 | 21 | - name: 3.2.3 - Ensure secure ICMP redirects are not accepted by active kernel parameters 22 | command: "{{ item }}" 23 | with_items: 24 | - "sysctl -w net.ipv4.conf.all.secure_redirects=0" 25 | - "sysctl -w net.ipv4.conf.default.secure_redirects=0" 26 | - "sysctl -w net.ipv4.route.flush=1" 27 | tags: 28 | - level-1 29 | - section-3 30 | - "3.2.3" 
31 | - scored 32 | -------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/3.2.4.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 3.2.4 Ensure suspicious packets are logged 5 | 6 | - name: 3.2.4 - Ensure suspicious packets are logged 7 | sysctl: 8 | ignoreerrors: yes 9 | name: "{{ item }}" 10 | value: 1 11 | state: present 12 | with_items: 13 | - "net.ipv4.conf.all.log_martians" 14 | - "net.ipv4.conf.default.log_martians" 15 | tags: 16 | - level-1 17 | - section-3 18 | - "3.2.4" 19 | - scored 20 | 21 | - name: 3.2.4 - Ensure suspicious packets are logged by active kernel parameters 22 | command: "{{ item }}" 23 | with_items: 24 | - "sysctl -w net.ipv4.conf.all.log_martians=1" 25 | - "sysctl -w net.ipv4.conf.default.log_martians=1" 26 | - "sysctl -w net.ipv4.route.flush=1" 27 | tags: 28 | - level-1 29 | - section-3 30 | - "3.2.4" 31 | - scored 32 | -------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/3.2.5.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 3.2.5 Ensure broadcast ICMP requests are ignored 5 | 6 | - name: 3.2.5 - Ensure broadcast ICMP requests are ignored 7 | sysctl: 8 | ignoreerrors: yes 9 | name: "net.ipv4.icmp_echo_ignore_broadcasts" 10 | value: 1 11 | state: present 12 | tags: 13 | - level-1 14 | - section-3 15 | - "3.2.5" 16 | - scored 17 | 18 | - name: 3.2.5 - Ensure broadcast ICMP requests are ignored by active kernel parameters 19 | command: "{{ item }}" 20 | with_items: 21 | - "sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1" 22 | - "sysctl -w net.ipv4.route.flush=1" 23 | tags: 24 | - level-1 25 | - section-3 26 | - "3.2.5" 27 | - scored 28 | -------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/3.2.6.yml: 
-------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 3.2.6 Ensure bogus ICMP responses are ignored 5 | 6 | - name: 3.2.6 - Ensure bogus ICMP responses are ignored 7 | sysctl: 8 | ignoreerrors: yes 9 | name: "net.ipv4.icmp_ignore_bogus_error_responses" 10 | value: 1 11 | state: present 12 | tags: 13 | - level-1 14 | - section-3 15 | - "3.2.6" 16 | - scored 17 | 18 | - name: 3.2.6 - Ensure bogus ICMP responses are ignored by active kernel parameters 19 | command: "{{ item }}" 20 | with_items: 21 | - "sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1" 22 | - "sysctl -w net.ipv4.route.flush=1" 23 | tags: 24 | - level-1 25 | - section-3 26 | - "3.2.6" 27 | - scored 28 | -------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/3.2.7.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 3.2.7 Ensure Reverse Path Filtering is enabled 5 | 6 | - name: 3.2.7 - Ensure Reverse Path Filtering is enabled 7 | sysctl: 8 | ignoreerrors: yes 9 | name: "{{ item }}" 10 | value: 1 11 | state: present 12 | with_items: 13 | - "net.ipv4.conf.all.rp_filter" 14 | - "net.ipv4.conf.default.rp_filter" 15 | tags: 16 | - level-1 17 | - section-3 18 | - "3.2.7" 19 | - scored 20 | 21 | - name: 3.2.7 - Ensure Reverse Path Filtering is enabled by active kernel parameters 22 | command: "{{ item }}" 23 | with_items: 24 | - "sysctl -w net.ipv4.conf.all.rp_filter=1" 25 | - "sysctl -w net.ipv4.conf.default.rp_filter=1" 26 | - "sysctl -w net.ipv4.route.flush=1" 27 | tags: 28 | - level-1 29 | - section-3 30 | - "3.2.7" 31 | - scored 32 | -------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/3.2.8.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 3.2.8 Ensure TCP SYN Cookies 
is enabled 5 | 6 | - name: 3.2.8 - Ensure TCP SYN Cookies is enabled 7 | sysctl: 8 | ignoreerrors: yes 9 | name: "net.ipv4.tcp_syncookies" 10 | value: 1 11 | state: present 12 | tags: 13 | - level-1 14 | - section-3 15 | - "3.2.8" 16 | - scored 17 | 18 | - name: 3.2.8 - Ensure TCP SYN Cookies is enabled by active kernel parameters 19 | command: "{{ item }}" 20 | with_items: 21 | - "sysctl -w net.ipv4.tcp_syncookies=1" 22 | - "sysctl -w net.ipv4.route.flush=1" 23 | tags: 24 | - level-1 25 | - section-3 26 | - "3.2.8" 27 | - scored 28 | -------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/3.3.1.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 3.3.1 Ensure IPv6 router advertisements are not accepted 5 | 6 | - name: 3.3.1 - Ensure IPv6 router advertisements are not accepted 7 | sysctl: 8 | ignoreerrors: yes 9 | name: "{{ item }}" 10 | value: 0 11 | state: present 12 | with_items: 13 | - "net.ipv6.conf.all.accept_ra" 14 | - "net.ipv6.conf.default.accept_ra" 15 | ignore_errors: true 16 | tags: 17 | - level-1 18 | - section-3 19 | - "3.3.1" 20 | - scored 21 | 22 | - name: 3.3.1 - Ensure IPv6 router advertisements are not accepted by active kernel parameters 23 | command: "{{ item }}" 24 | with_items: 25 | - "sysctl -w net.ipv6.conf.all.accept_ra=0" 26 | - "sysctl -w net.ipv6.conf.default.accept_ra=0" 27 | - "sysctl -w net.ipv4.route.flush=1" 28 | ignore_errors: true 29 | tags: 30 | - level-1 31 | - section-3 32 | - "3.3.1" 33 | - scored 34 | -------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/3.3.2.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 3.3.2 Ensure IPv6 redirects are not accepted 5 | 6 | - name: 3.3.2 - Ensure IPv6 redirects are not accepted 7 | sysctl: 8 | ignoreerrors: yes 9 | name: "{{ 
item }}" 10 | value: 0 11 | state: present 12 | with_items: 13 | - "net.ipv6.conf.all.accept_redirects" 14 | - "net.ipv6.conf.default.accept_redirects" 15 | ignore_errors: true 16 | tags: 17 | - level-1 18 | - section-3 19 | - "3.3.2" 20 | - scored 21 | 22 | - name: 3.3.2 - Ensure IPv6 redirects are not accepted by active kernel parameters 23 | command: "{{ item }}" 24 | with_items: 25 | - "sysctl -w net.ipv6.conf.all.accept_redirects=0" 26 | - "sysctl -w net.ipv6.conf.default.accept_redirects=0" 27 | - "sysctl -w net.ipv4.route.flush=1" 28 | ignore_errors: true 29 | tags: 30 | - level-1 31 | - section-3 32 | - "3.3.2" 33 | - scored 34 | -------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/3.3.3.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 3.3.3 - Ensure IPv6 is disabled 5 | 6 | - name: 3.3.3 - Check if CIS modprobe configuration file exists 7 | stat: 8 | path: "{{ cis_modprobe_conf_filename }}" 9 | register: modprobe_3_3_3 10 | tags: 11 | - level-1 12 | - section-3 13 | - "3.3.3" 14 | - scored 15 | 16 | - name: 3.3.3 - Ensure IPv6 is disabled 17 | copy: 18 | dest: "{{ cis_modprobe_conf_filename }}" 19 | content: "options ipv6 disable=1\n" 20 | when: modprobe_3_3_3.stat.exists is not defined or not modprobe_3_3_3.stat.exists 21 | tags: 22 | - level-1 23 | - section-3 24 | - "3.3.3" 25 | - scored 26 | 27 | - name: 3.3.3 - Ensure IPv6 is disabled 28 | lineinfile: 29 | dest: "{{ cis_modprobe_conf_filename }}" 30 | regexp: "^options ipv6 disable=" 31 | line: "options ipv6 disable=1" 32 | when: modprobe_3_3_3.stat.exists is defined and modprobe_3_3_3.stat.exists 33 | tags: 34 | - level-1 35 | - section-3 36 | - "3.3.3" 37 | - scored 38 | -------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/3.4.1.yml: 
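--------------------------------------------------------------------------------
# Standards: 0.11
---

# 3.4.1 Ensure TCP Wrappers is installed

# "present", not "latest": the control only requires the package to be
# installed. "latest" turns a hardening run into an unscheduled package
# upgrade and reports "changed" whenever upstream publishes a newer build.
- name: 3.4.1 - Ensure TCP Wrappers is installed
  yum:
    name: "tcp_wrappers"
    state: present
  tags:
    - level-1
    - section-3
    - "3.4.1"
    - scored
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/3.4.2.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 3.4.2 Ensure /etc/hosts.allow is configured

# An empty client list would be written as a bare "ALL:" rule, which is not
# the allow-list this control is meant to express; fail before writing it.
- name: 3.4.2 - Ensure the hosts.allow client list is defined
  assert:
    that:
      - cis_hosts_allow_all_ips is defined
      - (cis_hosts_allow_all_ips | string | trim) != ""
    msg: "cis_hosts_allow_all_ips must list the hosts/networks allowed to reach wrapped services"
  tags:
    - level-1
    - section-3
    - "3.4.2"
    - scored

# The copy module takes "dest", not "path", so the original create-if-missing
# branch failed on any host where /etc/hosts.allow did not exist yet.
# lineinfile with create: yes handles the missing and the existing file alike.
- name: 3.4.2 - Ensure /etc/hosts.allow is configured
  lineinfile:
    dest: "/etc/hosts.allow"
    regexp: "^ALL:"
    line: "ALL: {{ cis_hosts_allow_all_ips }}"
    create: yes
    owner: root
    group: root
    mode: 0644
  tags:
    - level-1
    - section-3
    - "3.4.2"
    - scored
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/3.4.3.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 3.4.3 Ensure /etc/hosts.deny is configured

# Same fix as 3.4.2: copy has no "path" argument, and one lineinfile with
# create: yes replaces the stat/copy/lineinfile trio. "ALL: ALL" denies every
# wrapped service to anything not matched first by /etc/hosts.allow.
- name: 3.4.3 - Ensure /etc/hosts.deny is configured
  lineinfile:
    dest: "/etc/hosts.deny"
    regexp: "^ALL:"
    line: "ALL: ALL"
    create: yes
    owner: root
    group: root
    mode: 0644
  tags:
    - level-1
    - section-3
    - "3.4.3"
    - scored
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/3.4.4.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 3.4.4 Ensure permissions on /etc/hosts.allow are configured

# Relies on 3.4.2 having created the file; the file module fails if it is absent.
- name: 3.4.4 - Ensure permissions on /etc/hosts.allow are configured
  file:
    path: "/etc/hosts.allow"
    owner: root
    group: root
    mode: 0644
  tags:
    - level-1
    - section-3
    - "3.4.4"
    - scored
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/3.4.5.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 3.4.5 Ensure permissions on /etc/hosts.deny are configured

# Relies on 3.4.3 having created the file; the file module fails if it is absent.
- name: 3.4.5 - Ensure permissions on /etc/hosts.deny are configured
  file:
    path: "/etc/hosts.deny"
    owner: root
    group: root
    mode: 0644
  tags:
    - level-1
    - section-3
    - "3.4.5"
    - scored
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/3.5.1.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 3.5.1 - Ensure DCCP is disabled

# One lineinfile with create: yes replaces the stat + copy + lineinfile trio.
# "install dccp /bin/true" makes modprobe run /bin/true instead of loading the
# module, which is the benchmark's remediation for this protocol.
- name: 3.5.1 - Ensure DCCP is disabled
  lineinfile:
    dest: "{{ cis_modprobe_conf_filename }}"
    regexp: "^install dccp\\s+"
    line: "install dccp /bin/true"
    create: yes
    owner: root
    group: root
    mode: 0644
  tags:
    - level-1
    - section-3
    - "3.5.1"
    - not-scored
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/3.5.2.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 3.5.2 - Ensure SCTP is disabled

# Same pattern as 3.5.1: a single create-if-missing lineinfile.
- name: 3.5.2 - Ensure SCTP is disabled
  lineinfile:
    dest: "{{ cis_modprobe_conf_filename }}"
    regexp: "^install sctp\\s+"
    line: "install sctp /bin/true"
    create: yes
    owner: root
    group: root
    mode: 0644
  tags:
    - level-1
    - section-3
    - "3.5.2"
    - not-scored
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/3.5.3.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 3.5.3 - Ensure RDS is disabled

# Same pattern as 3.5.1: a single create-if-missing lineinfile.
- name: 3.5.3 - Ensure RDS is disabled
  lineinfile:
    dest: "{{ cis_modprobe_conf_filename }}"
    regexp: "^install rds\\s+"
    line: "install rds /bin/true"
    create: yes
    owner: root
    group: root
    mode: 0644
  tags:
    - level-1
    - section-3
    - "3.5.3"
    - not-scored
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/3.5.4.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 3.5.4 - Ensure TIPC is disabled

# Same pattern as 3.5.1: a single create-if-missing lineinfile.
- name: 3.5.4 - Ensure TIPC is disabled
  lineinfile:
    dest: "{{ cis_modprobe_conf_filename }}"
    regexp: "^install tipc\\s+"
    line: "install tipc /bin/true"
    create: yes
    owner: root
    group: root
    mode: 0644
  tags:
    - level-1
    - section-3
    - "3.5.4"
    - not-scored
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/3.6.1.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 3.6.1 Ensure iptables is installed

# "present" for the same reason as 3.4.1: installed is what the control asks for.
- name: 3.6.1 - Ensure iptables is installed
  yum:
    name: "iptables"
    state: present
  tags:
    - level-1
    - section-3
    - "3.6.1"
    - scored
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/3.6.2.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 3.6.2 Ensure default deny firewall policy

# NOTE(review): nothing in 3.6.x saves the rules (iptables-save /
# iptables-services), so they do not survive a reboot by themselves -- verify
# the image pipeline persists them.

# A DROP policy on INPUT/OUTPUT discards the packets of the SSH session that is
# running this playbook unless established traffic is accepted first, so that
# rule is inserted at the top of both chains before the policy changes (3.6.4
# later appends its own per-protocol rules; this one is deliberately
# protocol-free). The module renders ctstate as "--state" when match is state.
- name: 3.6.2 - Accept established connections before switching to default deny
  iptables:
    chain: "{{ item }}"
    match: state
    ctstate: ESTABLISHED,RELATED
    jump: ACCEPT
    action: insert
  become: yes
  with_items:
    - INPUT
    - OUTPUT
  tags:
    - level-1
    - section-3
    - "3.6.2"
    - scored

# The benchmark sets the chain *policy* (iptables -P <chain> DROP). The original
# task used jump: DROP without policy:, which appends an "-A <chain> -j DROP"
# rule instead: every ACCEPT rule appended afterwards by 3.6.3 and 3.6.4 sat
# behind it and was never reached, and the INPUT rule cut the controlling SSH
# session as soon as it was applied.
- name: 3.6.2 - Ensure default deny firewall policy(DROP INPUT)
  iptables:
    chain: "{{ item }}"
    policy: DROP
  become: yes
  with_items:
    - INPUT
    - FORWARD
    - OUTPUT
  tags:
    - level-1
    - section-3
    - "3.6.2"
    - scored
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/3.6.3.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 3.6.3 Ensure loopback traffic is configured

# Order matters: the "-i lo ACCEPT" rule must precede the "-s 127.0.0.0/8 DROP"
# rule below, which the append order of these three tasks guarantees.
- name: 3.6.3 - Ensure loopback traffic is configured(-i lo)
  iptables:
    chain: INPUT
    in_interface: "lo"
    jump: ACCEPT
  become: yes
  tags:
    - level-1
    - section-3
    - "3.6.3"
    - scored

- name: 3.6.3 - Ensure loopback traffic is configured(-o lo)
  iptables:
    chain: OUTPUT
    out_interface: "lo"
    jump: ACCEPT
  become: yes
  tags:
    - level-1
    - section-3
    - "3.6.3"
    - scored

# Loopback-sourced packets arriving on any other interface are spoofed.
- name: 3.6.3 - Ensure loopback traffic is configured(-s 127.0.0.0/8)
  iptables:
    chain: INPUT
    source: 127.0.0.0/8
    jump: DROP
  become: yes
  tags:
    - level-1
    - section-3
    - "3.6.3"
    - scored
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/3.6.4.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 3.6.4 Ensure outbound and established connections are configured

# The six original tasks differed only in chain and protocol; two loops keep
# the rule specs byte-identical (match: state is what makes the module render
# ctstate as "--state"), so existing hosts still see the same rules.
- name: 3.6.4 - Ensure outbound and established connections are configured
  iptables:
    chain: OUTPUT
    protocol: "{{ item }}"
    match: state
    ctstate: ESTABLISHED,NEW
    jump: ACCEPT
  become: yes
  with_items:
    - tcp
    - udp
    - icmp
  tags:
    - level-1
    - section-3
    - "3.6.4"
    - not-scored

- name: 3.6.4 - Ensure outbound and established connections are configured
  iptables:
    chain: INPUT
    protocol: "{{ item }}"
    match: state
    ctstate: ESTABLISHED
    jump: ACCEPT
  become: yes
  with_items:
    - tcp
    - udp
    - icmp
  tags:
    - level-1
    - section-3
    - "3.6.4"
    - not-scored
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/3.6.5.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 3.6.5 Ensure firewall rules exist for all open ports

# Intentionally not implemented on the host; see the message.
- name: 3.6.5 - Ensure firewall rules exist for all open ports
  debug:
    msg: "WARNING - We are already checking this as part of security groups."
  tags:
    - level-1
    - section-3
    - "3.6.5"
    - not-scored
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/4.2.1.1.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 4.2.1.1 Ensure rsyslog Service is enabled

# "yum list <pkg>" succeeds when the package is merely *available* in a
# repository, so the original guard could try to start a service that was
# never installed. "rpm -q" answers only for installed packages; rc is
# captured without failing the play.
- name: 4.2.1.1 - Check if rsyslog is installed
  command: rpm -q rsyslog
  register: rsyslog_4_2_1_1
  changed_when: false
  failed_when: false
  when: cis_enable_rsyslog
  tags:
    - level-1
    - section-4
    - "4.2.1.1"
    - scored

- name: 4.2.1.1 - Ensure rsyslog Service is enabled
  service:
    name: "rsyslog"
    enabled: true
    state: started
  when:
    - cis_enable_rsyslog
    - rsyslog_4_2_1_1.rc is not defined or rsyslog_4_2_1_1.rc == 0
  tags:
    - level-1
    - section-4
    - "4.2.1.1"
    - scored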
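-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/4.2.1.2.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 4.2.1.2 Ensure logging is configured

- name: 4.2.1.2 - Ensure logging is configured
  debug:
    msg: "WARNING - This check has not been implemented yet."
  tags:
    - level-1
    - section-4
    - "4.2.1.2"
    - not-scored
    - todo
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/4.2.1.3.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 4.2.1.3 Ensure rsyslog default file permissions configured

# Placed at the top of the file so it applies before any file is opened;
# 0640 keeps log files unreadable to "other".
- name: 4.2.1.3 - Ensure rsyslog default file permissions configured
  lineinfile:
    regexp: "^\\$FileCreateMode\\s+"
    line: "$FileCreateMode 0640"
    insertbefore: BOF
    dest: "/etc/rsyslog.conf"
  when: cis_enable_rsyslog
  notify:
    - Restart rsyslog
  tags:
    - level-1
    - section-4
    - "4.2.1.3"
    - scored
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/4.2.1.4.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host

# With an empty address the forwarding line would be written as "*.* @@",
# which rsyslog cannot use; fail before touching the file.
- name: 4.2.1.4 - Ensure a remote log host address is configured
  assert:
    that:
      - cis_rsyslog_remote_loghost_address is defined
      - (cis_rsyslog_remote_loghost_address | string | trim) != ""
    msg: "cis_rsyslog_remote_loghost_address must name the remote log host"
  when: cis_enable_rsyslog
  tags:
    - level-1
    - section-4
    - "4.2.1.4"
    - scored

# "@@" forwards over plain TCP; nothing on this line encrypts or authenticates
# the transport, so the path to the log host has to be trusted or TLS
# configured elsewhere. The original task never notified the restart handler,
# so the new destination was not picked up until something else restarted
# rsyslog; it now notifies like 4.2.1.3 and 4.2.1.5 do.
- name: 4.2.1.4 - Ensure rsyslog is configured to send logs to a remote log host
  lineinfile:
    regexp: "^#?\\*\\.\\*\\s+"
    line: "*.* @@{{ cis_rsyslog_remote_loghost_address }}"
    dest: "/etc/rsyslog.conf"
  when: cis_enable_rsyslog
  notify:
    - Restart rsyslog
  tags:
    - level-1
    - section-4
    - "4.2.1.4"
    - scored
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/4.2.1.5.yml: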
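--------------------------------------------------------------------------------
# Standards: 0.11
---

# 4.2.1.5 Ensure remote rsyslog messages are only accepted on designated log hosts

# On a designated log host this opens a TCP listener on 514. These directives
# configure no client authentication, so reachability of the port has to be
# restricted by the host firewall / security groups.
- name: 4.2.1.5 - Ensure remote rsyslog messages are only accepted on designated log hosts
  lineinfile:
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    dest: "/etc/rsyslog.conf"
    state: present
  when: cis_enable_rsyslog and cis_rsyslog_accept_remote_messages
  with_items:
    - { regexp: "^#?\\$ModLoad\\s+imtcp.so", line: "$ModLoad imtcp.so" }
    - { regexp: "^#?\\$InputTCPServerRun\\s+", line: "$InputTCPServerRun 514" }
  notify: Restart rsyslog
  tags:
    - level-1
    - section-4
    - "4.2.1.5"
    - scored

# Everywhere else the listener lines are removed outright (commented variants
# included, hence the "#?"), so a later edit cannot simply uncomment them.
- name: 4.2.1.5 - Ensure remote rsyslog messages are not accepted on non-designated log hosts
  lineinfile:
    regexp: "{{ item }}"
    dest: "/etc/rsyslog.conf"
    state: absent
  when: cis_enable_rsyslog and not cis_rsyslog_accept_remote_messages
  with_items:
    - "^#?\\$ModLoad\\s+imtcp.so"
    - "^#?\\$InputTCPServerRun\\s+514"
  notify: Restart rsyslog
  tags:
    - level-1
    - section-4
    - "4.2.1.5"
    - scored

-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/4.2.2.1.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 4.2.2.1 Ensure syslog-ng service is enabled

# "rpm -q" instead of "yum list": the latter also succeeds for packages that
# are only available in a repository, not installed (same fix as 4.2.1.1).
- name: 4.2.2.1 - Check if syslog-ng is installed
  command: rpm -q syslog-ng
  register: syslog_ng_4_2_2_1
  changed_when: false
  failed_when: false
  when: cis_enable_syslog_ng
  tags:
    - level-1
    - section-4
    - "4.2.2.1"
    - scored

- name: 4.2.2.1 - Ensure syslog-ng service is enabled
  service:
    name: "syslog-ng"
    enabled: true
    state: started
  when:
    - cis_enable_syslog_ng
    - syslog_ng_4_2_2_1 is defined
    - syslog_ng_4_2_2_1.rc is not defined or syslog_ng_4_2_2_1.rc == 0
  tags:
    - level-1
    - section-4
    - "4.2.2.1"
    - scored
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/4.2.2.2.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 4.2.2.2 Ensure logging is configured

- name: 4.2.2.2 - Ensure logging is configured
  debug:
    msg: "WARNING - This check has not been implemented yet."
  tags:
    - level-1
    - section-4
    - "4.2.2.2"
    - not-scored
    - todo
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/4.2.2.3.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 4.2.2.3 Ensure syslog-ng default file permissions configured

# Scored control that is still a stub: hosts using syslog-ng get no file-mode
# hardening from this role yet.
- name: 4.2.2.3 - Ensure syslog-ng default file permissions configured
  debug:
    msg: "WARNING - This check has not been implemented yet."
  tags:
    - level-1
    - section-4
    - "4.2.2.3"
    - scored
    - todo
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/4.2.2.4.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 4.2.2.4 Ensure syslog-ng is configured to send logs to a remote log host

- name: 4.2.2.4 - Ensure syslog-ng is configured to send logs to a remote log host
  debug:
    msg: "WARNING - This check has not been implemented yet."
  tags:
    - level-1
    - section-4
    - "4.2.2.4"
    - not-scored
    - todo
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/4.2.2.5.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 4.2.2.5 Ensure remote syslog-ng messages are only accepted on designated log hosts

- name: 4.2.2.5 - Ensure remote syslog-ng messages are only accepted on designated log hosts
  debug:
    msg: "WARNING - This check has not been implemented yet."
  tags:
    - level-1
    - section-4
    - "4.2.2.5"
    - not-scored
    - todo
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/4.2.3.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 4.2.3 Ensure rsyslog or syslog-ng is installed

# Both tasks below are skipped when both flags are true, which silently left
# this scored control unapplied; make that misconfiguration a hard error.
- name: 4.2.3 - Ensure only one syslog implementation is selected
  assert:
    that:
      - not (cis_enable_rsyslog and cis_enable_syslog_ng)
    msg: "cis_enable_rsyslog and cis_enable_syslog_ng are mutually exclusive"
  tags:
    - level-1
    - section-4
    - "4.2.3"
    - scored

- name: 4.2.3 - Ensure rsyslog is installed
  yum:
    name: "{{ item.name }}"
    state: "{{ item.state }}"
  when: cis_enable_rsyslog and not cis_enable_syslog_ng
  with_items:
    - { name: "rsyslog", state: "present" }
    - { name: "syslog-ng", state: "absent" }
  tags:
    - level-1
    - section-4
    - "4.2.3"
    - scored

# syslog-ng is not in the base repositories, hence enablerepo: epel.
- name: 4.2.3 - Ensure syslog-ng is installed
  yum:
    name: "{{ item.name }}"
    state: "{{ item.state }}"
    enablerepo: epel
  when: cis_enable_syslog_ng and not cis_enable_rsyslog
  with_items:
    - { name: "rsyslog", state: "absent" }
    - { name: "syslog-ng", state: "present" }
  tags:
    - level-1
    - section-4
    - "4.2.3"
    - scored
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/4.2.4.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 4.2.4 Ensure permissions on all logfiles are configured

# The original shell task chmod'ed every file on every run and so always
# reported "changed". Restricting find to files that still carry any of the
# bits being removed (g+wx, o+rwx == 037) and printing what it touched makes
# the task report a change only when it made one; no shell features are used,
# so command is enough.
- name: 4.2.4 - Ensure permissions on all logfiles are configured
  command: find /var/log -type f -perm /037 -exec chmod g-wx,o-rwx {} + -print
  register: logfile_perms_4_2_4
  changed_when: logfile_perms_4_2_4.stdout != ""
  tags:
    - level-1
    - section-4
    - "4.2.4"
    - scored
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/4.3.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 4.3 Ensure logrotate is configured

- name: 4.3 - Ensure logrotate is configured
  debug:
    msg: "WARNING - This check has not been implemented yet."
  tags:
    - level-1
    - section-4
    - "4.3"
    - not-scored
    - todo
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/5.1.1.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.1.1 Ensure cron daemon is enabled

- name: 5.1.1 - Ensure cron is installed
  yum:
    name: cronie
    state: present
  tags:
    - level-1
    - section-5
    - "5.1.1"
    - scored

- name: 5.1.1 - Ensure cron daemon is enabled
  service:
    name: "crond"
    enabled: true
    state: started
  tags:
    - level-1
    - section-5
    - "5.1.1"
    - scored
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/5.1.2.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.1.2 Ensure permissions on /etc/crontab are configured

# /etc/crontab is a regular file, so 0600 (no search bit needed) is correct here.
- name: 5.1.2 - Ensure permissions on /etc/crontab are configured
  file:
    path: "/etc/crontab"
    owner: root
    group: root
    mode: 0600
  tags:
    - level-1
    - section-5
    - "5.1.2"
    - scored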
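-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/5.1.3.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.1.3 Ensure permissions on /etc/cron.hourly are configured

# The benchmark's remediation is "chmod og-rwx", which leaves a directory at
# 0700; the original 0600 also stripped the owner's search bit. state:
# directory makes the task fail if the path is not a directory instead of
# chmod'ing whatever happens to be there.
- name: 5.1.3 - Ensure permissions on /etc/cron.hourly are configured
  file:
    path: "/etc/cron.hourly"
    state: directory
    owner: root
    group: root
    mode: 0700
  tags:
    - level-1
    - section-5
    - "5.1.3"
    - scored
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/5.1.4.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.1.4 Ensure permissions on /etc/cron.daily are configured

# Directory, so 0700 (see 5.1.3).
- name: 5.1.4 - Ensure permissions on /etc/cron.daily are configured
  file:
    path: "/etc/cron.daily"
    state: directory
    owner: root
    group: root
    mode: 0700
  tags:
    - level-1
    - section-5
    - "5.1.4"
    - scored
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/5.1.5.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.1.5 Ensure permissions on /etc/cron.weekly are configured

# Directory, so 0700 (see 5.1.3).
- name: 5.1.5 - Ensure permissions on /etc/cron.weekly are configured
  file:
    path: "/etc/cron.weekly"
    state: directory
    owner: root
    group: root
    mode: 0700
  tags:
    - level-1
    - section-5
    - "5.1.5"
    - scored
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/5.1.6.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.1.6 Ensure permissions on /etc/cron.monthly are configured

# Directory, so 0700 (see 5.1.3). The tag was "section-6" in the original,
# which excluded this control from a "--tags section-5" run.
- name: 5.1.6 - Ensure permissions on /etc/cron.monthly are configured
  file:
    path: "/etc/cron.monthly"
    state: directory
    owner: root
    group: root
    mode: 0700
  tags:
    - level-1
    - section-5
    - "5.1.6"
    - scored
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/5.1.7.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.1.7 Ensure permissions on /etc/cron.d are configured

# Directory, so 0700 (see 5.1.3).
- name: 5.1.7 - Ensure permissions on /etc/cron.d are configured
  file:
    path: "/etc/cron.d"
    state: directory
    owner: root
    group: root
    mode: 0700
  tags:
    - level-1
    - section-5
    - "5.1.7"
    - scored
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/5.1.8.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.1.8 Ensure at/cron is restricted to authorized users

- name: 5.1.8 - Ensure /etc/cron.deny and /etc/at.deny do not exist
  file:
    path: "{{ item }}"
    state: absent
  with_items:
    - "/etc/at.deny"
    - "/etc/cron.deny"
  tags:
    - level-1
    - section-5
    - "5.1.8"
    - scored

# "state: touch" bumps the mtime and so reported "changed" on every run;
# copy with force: no creates the file only when it is missing and never
# replaces an existing list of authorised users.
- name: 5.1.8 - Ensure /etc/cron.allow and /etc/at.allow exist
  copy:
    dest: "{{ item }}"
    content: ""
    force: no
  with_items:
    - "/etc/cron.allow"
    - "/etc/at.allow"
  tags:
    - level-1
    - section-5
    - "5.1.8"
    - scored

# NOTE(review): an allow file with no entries restricts cron/at to root
# (cron implementations generally always permit root) -- confirm for the
# target cron package and add users here if they need scheduling.
- name: 5.1.8 - Ensure at/cron is restricted to authorized users
  file:
    path: "{{ item }}"
    state: file
    owner: root
    group: root
    mode: 0600
  with_items:
    - "/etc/cron.allow"
    - "/etc/at.allow"
  tags:
    - level-1
    - section-5
    - "5.1.8"
    - scored
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/5.2.1.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured

- include: stat_sshd_config.yml
  tags:
    - level-1
    - section-5
    - "5.2.1"
    - scored

- name: 5.2.1 - Ensure permissions on /etc/ssh/sshd_config are configured
  file:
    path: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: 0600
  when: sshd_config.stat.exists
  tags:
    - level-1
    - section-5
    - "5.2.1"
    - scored
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/5.2.10.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.2.10 - Ensure SSH PermitUserEnvironment is disabled

- include: stat_sshd_config.yml
  tags:
    - level-1
    - section-5
    - "5.2.10"
    - scored

# insertbefore: BOF -- a directive appended at EOF lands inside a trailing
# "Match" block if the file has one, where sshd rejects most directives;
# inserting at the top when there is no line to replace keeps it global (the
# same approach 4.2.1.3 uses for rsyslog.conf). validate refuses to write a
# file sshd will not load, so the restart handler cannot leave the host
# without a working sshd. NOTE(review): "sshd -t" also fails while no host
# keys exist; on images that generate keys at first boot run this after sshd
# has started once.
- name: 5.2.10 - Ensure SSH PermitUserEnvironment is disabled
  lineinfile:
    regexp: "^PermitUserEnvironment\\s+"
    line: "PermitUserEnvironment no"
    dest: "/etc/ssh/sshd_config"
    insertbefore: BOF
    validate: "/usr/sbin/sshd -t -f %s"
  when: sshd_config.stat.exists
  notify:
    - Restart sshd
  tags:
    - level-1
    - section-5
    - "5.2.10"
    - scored
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/5.2.11.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.2.11 - Ensure only approved ciphers are used

- include: stat_sshd_config.yml
  tags:
    - level-1
    - section-5
    - "5.2.11"
    - scored

# validate matters most here: a cipher name the host's OpenSSH does not know
# makes sshd refuse the whole config, and the task now fails instead of the
# restart handler taking sshd down. insertbefore: BOF keeps the directive out
# of any trailing Match block (see 5.2.10).
- name: 5.2.11 - Ensure only approved ciphers are used
  lineinfile:
    regexp: "^Ciphers\\s+"
    line: "Ciphers {{ cis_sshd_ciphers }}"
    dest: "/etc/ssh/sshd_config"
    insertbefore: BOF
    validate: "/usr/sbin/sshd -t -f %s"
  when: sshd_config.stat.exists
  notify:
    - Restart sshd
  tags:
    - level-1
    - section-5
    - "5.2.11"
    - scored
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/5.2.12.yml: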
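--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.2.12 - Ensure only approved MAC algorithms are used

- include: stat_sshd_config.yml
  tags:
    - level-1
    - section-5
    - "5.2.12"
    - scored

# validate: an unknown MAC name makes sshd refuse the whole config, so fail
# here rather than in the restart handler. insertbefore: BOF keeps the
# directive in the global section when no existing line is replaced (a line
# appended at EOF would fall inside a trailing Match block, if any).
# NOTE(review): "sshd -t" also fails while no host keys exist yet.
- name: 5.2.12 - Ensure only approved MAC algorithms are used
  lineinfile:
    regexp: "^MACs\\s+"
    line: "MACs {{ cis_sshd_macs }}"
    dest: "/etc/ssh/sshd_config"
    insertbefore: BOF
    validate: "/usr/sbin/sshd -t -f %s"
  when: sshd_config.stat.exists
  notify:
    - Restart sshd
  tags:
    - level-1
    - section-5
    - "5.2.12"
    - scored
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/5.2.13.yml: --------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.2.13 - Ensure SSH Idle Timeout Interval is configured

- include: stat_sshd_config.yml
  tags:
    - level-1
    - section-5
    - "5.2.13"
    - scored

# Both directives use the same insertbefore/validate safeguards as 5.2.12.
- name: 5.2.13 - Ensure SSH Client Alive Interval is configured
  lineinfile:
    regexp: "^ClientAliveInterval\\s+"
    line: "ClientAliveInterval {{ cis_sshd_client_alive_interval }}"
    dest: "/etc/ssh/sshd_config"
    insertbefore: BOF
    validate: "/usr/sbin/sshd -t -f %s"
  when: sshd_config.stat.exists
  notify:
    - Restart sshd
  tags:
    - level-1
    - section-5
    - "5.2.13"
    - scored

- name: 5.2.13 - Ensure SSH Client Alive Count Max is configured
  lineinfile:
    regexp: "^ClientAliveCountMax\\s+"
    line: "ClientAliveCountMax {{ cis_sshd_client_alive_count_max }}"
    dest: "/etc/ssh/sshd_config"
    insertbefore: BOF
    validate: "/usr/sbin/sshd -t -f %s"
  when: sshd_config.stat.exists
  notify:
    - Restart sshd
  tags:
    - level-1
    - section-5
    - "5.2.13"
    - scored
-------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/5.2.14.yml: --------------------------------------------------------------------------------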
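# Standards: 0.11
---

# 5.2.14 - Ensure SSH LoginGraceTime is set to one minute or less
#
# `validate` rejects a broken value before it is written; the notified
# restart would otherwise take sshd down.

- include: stat_sshd_config.yml
  tags:
    - level-1
    - section-5
    - "5.2.14"
    - scored

- name: 5.2.14 - Ensure SSH LoginGraceTime is set to one minute or less
  lineinfile:
    regexp: "^LoginGraceTime\\s+"
    line: "LoginGraceTime {{ cis_sshd_login_grace_time }}"
    dest: "/etc/ssh/sshd_config"
    validate: "/usr/sbin/sshd -t -f %s"
  when: sshd_config.stat.exists
  notify:
    - Restart sshd
  tags:
    - level-1
    - section-5
    - "5.2.14"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/5.2.15.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.2.15 Ensure SSH access is limited
#
# Each directive is written only when its variable is set and non-blank, so
# an unset variable leaves sshd_config untouched. The `^#?` prefix lets a
# commented-out directive be replaced in place. sshd evaluates Deny* before
# Allow*; an AllowUsers/AllowGroups list that omits the account Ansible
# connects with locks the automation out on the next play, and `sshd -t`
# cannot catch that — review the values before rolling them out.

- include: stat_sshd_config.yml
  tags:
    - level-1
    - section-5
    - "5.2.15"
    - scored

- name: 5.2.15 - Configure SSH AllowUsers
  lineinfile:
    regexp: "^#?AllowUsers\\s+"
    line: "AllowUsers {{ cis_sshd_allow_users }}"
    dest: "/etc/ssh/sshd_config"
    validate: "/usr/sbin/sshd -t -f %s"
  when:
    - sshd_config.stat.exists
    - cis_sshd_allow_users is defined and cis_sshd_allow_users|trim != ""
  notify: Restart sshd
  tags:
    - level-1
    - section-5
    - "5.2.15"
    - scored

- name: 5.2.15 - Configure SSH AllowGroups
  lineinfile:
    regexp: "^#?AllowGroups\\s+"
    line: "AllowGroups {{ cis_sshd_allow_groups }}"
    dest: "/etc/ssh/sshd_config"
    validate: "/usr/sbin/sshd -t -f %s"
  when:
    - sshd_config.stat.exists
    - cis_sshd_allow_groups is defined and cis_sshd_allow_groups|trim != ""
  notify: Restart sshd
  tags:
    - level-1
    - section-5
    - "5.2.15"
    - scored

- name: 5.2.15 - Configure SSH DenyUsers
  lineinfile:
    regexp: "^#?DenyUsers\\s+"
    line: "DenyUsers {{ cis_sshd_deny_users }}"
    dest: "/etc/ssh/sshd_config"
    validate: "/usr/sbin/sshd -t -f %s"
  when:
    - sshd_config.stat.exists
    - cis_sshd_deny_users is defined and cis_sshd_deny_users|trim != ""
  notify: Restart sshd
  tags:
    - level-1
    - section-5
    - "5.2.15"
    - scored

- name: 5.2.15 - Configure SSH DenyGroups
  lineinfile:
    regexp: "^#?DenyGroups\\s+"
    line: "DenyGroups {{ cis_sshd_deny_groups }}"
    dest: "/etc/ssh/sshd_config"
    validate: "/usr/sbin/sshd -t -f %s"
  when:
    - sshd_config.stat.exists
    - cis_sshd_deny_groups is defined and cis_sshd_deny_groups|trim != ""
  notify: Restart sshd
  tags:
    - level-1
    - section-5
    - "5.2.15"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/5.2.16.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.2.16 - Ensure SSH warning banner is configured
#
# Validated with `sshd -t` before the file is replaced (a Banner path that
# does not exist is only a warning at connect time, but a malformed line
# would stop sshd on restart).

- include: stat_sshd_config.yml
  tags:
    - level-1
    - section-5
    - "5.2.16"
    - scored

- name: 5.2.16 - Ensure SSH warning banner is configured
  lineinfile:
    regexp: "^Banner\\s+"
    line: "Banner {{ cis_sshd_banner }}"
    dest: "/etc/ssh/sshd_config"
    validate: "/usr/sbin/sshd -t -f %s"
  when: sshd_config.stat.exists
  notify:
    - Restart sshd
  tags:
    - level-1
    - section-5
    - "5.2.16"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/5.2.2.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.2.2 - Ensure SSH Protocol is set to 2
#
# NOTE(review): newer OpenSSH releases treat `Protocol` as a deprecated
# option; `sshd -t` is expected to warn rather than fail there — confirm on
# the target's OpenSSH version.

- include: stat_sshd_config.yml
  tags:
    - level-1
    - section-5
    - "5.2.2"
    - scored

- name: 5.2.2 - Ensure SSH Protocol is set to 2
  lineinfile:
    regexp: "^Protocol\\s+"
    line: "Protocol 2"
    dest: "/etc/ssh/sshd_config"
    validate: "/usr/sbin/sshd -t -f %s"
  notify: "Restart sshd"
  when: sshd_config.stat.exists
  tags:
    - level-1
    - section-5
    - "5.2.2"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/5.2.3.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.2.3 - Ensure SSH LogLevel is set to INFO
#
# Validated with `sshd -t` before the file is replaced.

- include: stat_sshd_config.yml
  tags:
    - level-1
    - section-5
    - "5.2.3"
    - scored

- name: 5.2.3 - Ensure SSH LogLevel is set to INFO
  lineinfile:
    regexp: "^LogLevel\\s+"
    line: "LogLevel INFO"
    dest: "/etc/ssh/sshd_config"
    validate: "/usr/sbin/sshd -t -f %s"
  when: sshd_config.stat.exists
  notify:
    - Restart sshd
  tags:
    - level-1
    - section-5
    - "5.2.3"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/5.2.4.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.2.4 - Ensure SSH X11 forwarding is disabled
#
# Validated with `sshd -t` before the file is replaced.

- include: stat_sshd_config.yml
  tags:
    - level-1
    - section-5
    - "5.2.4"
    - scored

- name: 5.2.4 - Ensure SSH X11 forwarding is disabled
  lineinfile:
    regexp: "^X11Forwarding\\s+"
    line: "X11Forwarding no"
    dest: "/etc/ssh/sshd_config"
    validate: "/usr/sbin/sshd -t -f %s"
  when: sshd_config.stat.exists
  notify:
    - Restart sshd
  tags:
    - level-1
    - section-5
    - "5.2.4"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/5.2.5.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.2.5 - Ensure SSH MaxAuthTries is set to 4 or less
#
# Validated with `sshd -t` before the file is replaced, so a non-numeric
# `cis_sshd_max_auth_tries` fails here instead of at restart.

- include: stat_sshd_config.yml
  tags:
    - level-1
    - section-5
    - "5.2.5"
    - scored

- name: 5.2.5 - Ensure SSH MaxAuthTries is set to 4 or less
  lineinfile:
    regexp: "^MaxAuthTries\\s+"
    line: "MaxAuthTries {{ cis_sshd_max_auth_tries }}"
    dest: "/etc/ssh/sshd_config"
    validate: "/usr/sbin/sshd -t -f %s"
  when: sshd_config.stat.exists
  notify:
    - Restart sshd
  tags:
    - level-1
    - section-5
    - "5.2.5"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/5.2.6.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.2.6 - Ensure SSH IgnoreRhosts is enabled
#
# Validated with `sshd -t` before the file is replaced.

- include: stat_sshd_config.yml
  tags:
    - level-1
    - section-5
    - "5.2.6"
    - scored

- name: 5.2.6 - Ensure SSH IgnoreRhosts is enabled
  lineinfile:
    regexp: "^IgnoreRhosts\\s+"
    line: "IgnoreRhosts yes"
    dest: "/etc/ssh/sshd_config"
    validate: "/usr/sbin/sshd -t -f %s"
  when: sshd_config.stat.exists
  notify:
    - Restart sshd
  tags:
    - level-1
    - section-5
    - "5.2.6"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/5.2.7.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.2.7 - Ensure SSH HostbasedAuthentication is disabled
#
# Validated with `sshd -t` before the file is replaced.

- include: stat_sshd_config.yml
  tags:
    - level-1
    - section-5
    - "5.2.7"
    - scored

- name: 5.2.7 - Ensure SSH HostbasedAuthentication is disabled
  lineinfile:
    regexp: "^HostbasedAuthentication\\s+"
    line: "HostbasedAuthentication no"
    dest: "/etc/ssh/sshd_config"
    validate: "/usr/sbin/sshd -t -f %s"
  when: sshd_config.stat.exists
  notify:
    - Restart sshd
  tags:
    - level-1
    - section-5
    - "5.2.7"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/5.2.8.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.2.8 - Ensure SSH root login is disabled
#
# Validated with `sshd -t` before the file is replaced. If the play itself
# connects as root over SSH, this directive cuts that path on restart.

- include: stat_sshd_config.yml
  tags:
    - level-1
    - section-5
    - "5.2.8"
    - scored

- name: 5.2.8 - Ensure SSH root login is disabled
  lineinfile:
    regexp: "^PermitRootLogin\\s+"
    line: "PermitRootLogin no"
    dest: "/etc/ssh/sshd_config"
    validate: "/usr/sbin/sshd -t -f %s"
  when: sshd_config.stat.exists
  notify:
    - Restart sshd
  tags:
    - level-1
    - section-5
    - "5.2.8"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/5.2.9.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.2.9 - Ensure SSH PermitEmptyPasswords is disabled
#
# Validated with `sshd -t` before the file is replaced.

- include: stat_sshd_config.yml
  tags:
    - level-1
    - section-5
    - "5.2.9"
    - scored

- name: 5.2.9 - Ensure SSH PermitEmptyPasswords is disabled
  lineinfile:
    regexp: "^PermitEmptyPasswords\\s+"
    line: "PermitEmptyPasswords no"
    dest: "/etc/ssh/sshd_config"
    validate: "/usr/sbin/sshd -t -f %s"
  when: sshd_config.stat.exists
  notify:
    - Restart sshd
  tags:
    - level-1
    - section-5
    - "5.2.9"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/5.3.1.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.3.1 Ensure password creation requirements are configured
#
# Each `^#?key=` regexp replaces a commented default in place; `create: yes`
# covers a host where pwquality.conf is absent.

- name: 5.3.1 - Ensure password creation requirements are configured
  lineinfile:
    dest: "/etc/security/pwquality.conf"
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
    create: yes
  with_items:
    - { regexp: "^#?minlen=", line: "minlen={{ cis_pwquality_minlen }}" }
    - { regexp: "^#?dcredit=", line: "dcredit={{ cis_pwquality_dcredit }}" }
    - { regexp: "^#?ucredit=", line: "ucredit={{ cis_pwquality_ucredit }}" }
    - { regexp: "^#?ocredit=", line: "ocredit={{ cis_pwquality_ocredit }}" }
    - { regexp: "^#?lcredit=", line: "lcredit={{ cis_pwquality_lcredit }}" }
  tags:
    - level-1
    - section-5
    - "5.3.1"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/5.3.2.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.3.2 Ensure lockout for failed password attempts is configured
#
# Wraps pam_unix.so in the auth stack of system-auth with pam_faillock.so
# (preauth before it, authsucc and authfail after it).
# NOTE(review): only system-auth is edited here while 5.3.3 edits both
# system-auth and password-auth; on RHEL 7 sshd's PAM stack includes
# password-auth, so network logins may not get the lockout — confirm.
# NOTE(review): 5.3.4 runs `authconfig --update`, which regenerates the
# authconfig-managed stack files; if it runs after this file these edits may
# be overwritten — verify the include order in level-1.yml.

- name: 5.3.2 - Ensure lockout for failed password attempts is configured(pam_faillock.so - before)
  pamd:
    name: system-auth
    type: auth
    control: sufficient
    module_path: pam_unix.so
    new_type: auth
    new_control: required
    new_module_path: pam_faillock.so
    module_arguments: 'preauth audit silent deny=5 unlock_time=900'
    state: before
  tags:
    - level-1
    - section-5
    - "5.3.2"
    - scored

- name: 5.3.2 - Ensure lockout for failed password attempts is configured(pam_faillock.so - last)
  pamd:
    name: system-auth
    type: auth
    control: sufficient
    module_path: pam_unix.so
    new_type: auth
    new_control: sufficient
    new_module_path: pam_faillock.so
    module_arguments: 'authsucc audit deny=5 unlock_time=900'
    state: after
  tags:
    - level-1
    - section-5
    - "5.3.2"
    - scored

- name: 5.3.2 - Ensure lockout for failed password attempts is configured(pam_faillock.so - after)
  pamd:
    name: system-auth
    type: auth
    control: sufficient
    module_path: pam_unix.so
    new_type: auth
    new_control: "[default=die]"
    new_module_path: pam_faillock.so
    module_arguments: 'authfail audit deny=5 unlock_time=900'
    state: after
  tags:
    - level-1
    - section-5
    - "5.3.2"
    - scored

- name: 5.3.2 - Ensure lockout for failed password attempts is configured(pam_unix.so)
  pamd:
    name: system-auth
    type: auth
    control: sufficient
    module_path: pam_unix.so
    # Quoted: an unquoted `[success=1 default=bad]` is a YAML flow sequence and
    # reaches pamd as a one-element list rather than the control string
    # (compare "[default=die]" above).
    new_control: "[success=1 default=bad]"
    # With state=updated the arguments replace the existing ones, i.e. the
    # rule is left with none.
    module_arguments: ''
    state: updated
  tags:
    - level-1
    - section-5
    - "5.3.2"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/5.3.3.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.3.3 Ensure password reuse is limited
#
# `state: args_present` adds `remember=5` to the existing pam_unix.so
# password rule and keeps its other arguments. With `state: updated` the
# argument list is replaced wholesale, which would drop arguments such as
# the hashing algorithm and use_authtok from the rule.
- name: 5.3.3 - Ensure password reuse is limited (/etc/pam.d/system-auth)
  pamd:
    name: system-auth
    type: password
    control: sufficient
    module_path: pam_unix.so
    module_arguments: 'remember=5'
    state: args_present
  tags:
    - level-1
    - section-5
    - "5.3.3"
    - scored

- name: 5.3.3 - Ensure password reuse is limited (/etc/pam.d/password-auth)
  pamd:
    name: password-auth
    type: password
    control: sufficient
    module_path: pam_unix.so
    module_arguments: 'remember=5'
    state: args_present
  tags:
    - level-1
    - section-5
    - "5.3.3"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/5.3.4.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.3.4 Ensure password hashing algorithm is SHA-512
#
# `authconfig --update` rewrites the stack files it manages, so it reports
# changed on every run and can undo hand edits made to system-auth by
# earlier tasks (see 5.3.2/5.3.3). Existing password hashes are not
# re-hashed until each user next changes their password.

- name: 5.3.4 - Ensure password hashing algorithm is SHA-512
  command: "authconfig --update --passalgo=sha512"
  tags:
    - level-1
    - section-5
    - "5.3.4"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/5.4.1.1.yml: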
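--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.4.1.1 Ensure password expiration is 90 days or less
#
# The account list is every /etc/shadow entry whose password field is
# neither locked ('!') nor disabled ('*'). The egrep pattern is quoted so
# the shell cannot expand it as a glob; the effective regex is unchanged.

- name: 5.4.1.1 - Obtain a list of user accounts
  shell: "egrep '^[^:]+:[^!*]' /etc/shadow | cut -d: -f1"
  register: egrep_5_4_1_1
  check_mode: no
  changed_when: False
  tags:
    - level-1
    - section-5
    - "5.4.1.1"
    - scored

- name: 5.4.1.1 - Ensure password expiration is 90 days or less
  lineinfile:
    dest: "/etc/login.defs"
    regexp: "^PASS_MAX_DAYS\\s+"
    line: "PASS_MAX_DAYS {{ cis_pass_max_days }}"
  tags:
    - level-1
    - section-5
    - "5.4.1.1"
    - scored

# chage reports changed on every run; the task is not idempotent as written.
- name: 5.4.1.1 - Set password expiration for all user accounts
  command: "chage --maxdays {{ cis_pass_max_days }} {{ item }}"
  with_items: "{{ egrep_5_4_1_1.stdout_lines }}"
  tags:
    - level-1
    - section-5
    - "5.4.1.1"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/5.4.1.2.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.4.1.2 Ensure minimum days between password changes is 7 or more
#
# Same account selection as 5.4.1.1 (pattern quoted against shell globbing).

- name: 5.4.1.2 - Obtain a list of user accounts
  shell: "egrep '^[^:]+:[^!*]' /etc/shadow | cut -d: -f1"
  register: egrep_5_4_1_2
  check_mode: no
  changed_when: False
  tags:
    - level-1
    - section-5
    - "5.4.1.2"
    - scored

- name: 5.4.1.2 - Ensure minimum days between password changes is 7 or more
  lineinfile:
    dest: "/etc/login.defs"
    regexp: "^PASS_MIN_DAYS\\s+"
    line: "PASS_MIN_DAYS {{ cis_pass_min_days }}"
  tags:
    - level-1
    - section-5
    - "5.4.1.2"
    - scored

# chage reports changed on every run; the task is not idempotent as written.
- name: 5.4.1.2 - Set minimum password change interval for all user accounts
  command: "chage --mindays {{ cis_pass_min_days }} {{ item }}"
  with_items: "{{ egrep_5_4_1_2.stdout_lines }}"
  tags:
    - level-1
    - section-5
    - "5.4.1.2"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/5.4.1.3.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.4.1.3 Ensure password expiration warning days is 7 or more
#
# Same account selection as 5.4.1.1 (pattern quoted against shell globbing).

- name: 5.4.1.3 - Obtain a list of user accounts
  shell: "egrep '^[^:]+:[^!*]' /etc/shadow | cut -d: -f1"
  register: egrep_5_4_1_3
  check_mode: no
  changed_when: False
  tags:
    - level-1
    - section-5
    - "5.4.1.3"
    - scored

- name: 5.4.1.3 - Ensure password expiration warning days is 7 or more
  lineinfile:
    dest: "/etc/login.defs"
    regexp: "^PASS_WARN_AGE\\s+"
    line: "PASS_WARN_AGE {{ cis_pass_warn_age }}"
  tags:
    - level-1
    - section-5
    - "5.4.1.3"
    - scored

# chage reports changed on every run; the task is not idempotent as written.
- name: 5.4.1.3 - Set password expiration warning for all user accounts
  command: "chage --warndays {{ cis_pass_warn_age }} {{ item }}"
  with_items: "{{ egrep_5_4_1_3.stdout_lines }}"
  tags:
    - level-1
    - section-5
    - "5.4.1.3"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/5.4.1.4.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.4.1.4 Ensure inactive password lock is 30 days or less
#
# Same account selection as 5.4.1.1 (pattern quoted against shell globbing).

- name: 5.4.1.4 - Obtain a list of user accounts
  shell: "egrep '^[^:]+:[^!*]' /etc/shadow | cut -d: -f1"
  register: egrep_5_4_1_4
  check_mode: no
  changed_when: False
  tags:
    - level-1
    - section-5
    - "5.4.1.4"
    - scored

# /etc/default/useradd uses `INACTIVE=<n>`; the previous regexp
# (`^INACTIVE\s+`) never matched that form, so the stock `INACTIVE=-1`
# line was left in place and the new one only appended. `^#?INACTIVE=`
# replaces it, matching the `^#?key=` style used in 5.3.1.
- name: 5.4.1.4 - Ensure inactive password lock is 30 days or less
  lineinfile:
    dest: "/etc/default/useradd"
    regexp: "^#?INACTIVE="
    line: "INACTIVE={{ cis_pass_inactive_lock }}"
  tags:
    - level-1
    - section-5
    - "5.4.1.4"
    - scored

# chage reports changed on every run; the task is not idempotent as written.
- name: 5.4.1.4 - Set inactive password lock for all user accounts
  command: "chage --inactive {{ cis_pass_inactive_lock }} {{ item }}"
  with_items: "{{ egrep_5_4_1_4.stdout_lines }}"
  tags:
    - level-1
    - section-5
    - "5.4.1.4"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/5.4.2.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.4.2 Ensure system accounts are non-login
#
# NOTE(review): the `$3 < 500` cut-off predates UID_MIN=1000 on RHEL/CentOS 7;
# accounts with UIDs 500-999 are treated as regular users here — confirm
# against UID_MIN in /etc/login.defs on the target.

- name: 5.4.2 - Retrieve system accounts
  shell: "awk -F: '($3 < 500) {print $1 }' /etc/passwd | grep -v ^#"
  register: audit_5_4_2
  check_mode: no
  changed_when: False
  tags:
    - level-1
    - section-5
    - "5.4.2"
    - scored

# usermod -L reports changed on every run; not idempotent as written.
- name: 5.4.2 - Lock system user passwords
  command: "usermod -L {{ item }}"
  with_items: "{{ audit_5_4_2.stdout_lines }}"
  when: item != "root"
  tags:
    - level-1
    - section-5
    - "5.4.2"
    - scored

# root (UID 0) is in the list above; it is excluded explicitly so its shell
# is never switched to nologin regardless of what cis_skip_lock_users holds.
- name: 5.4.2 - Ensure system accounts are non-login
  user:
    name: "{{ item }}"
    shell: "/sbin/nologin"
  with_items: "{{ audit_5_4_2.stdout_lines }}"
  when:
    - item != "root"
    - item not in cis_skip_lock_users
  tags:
    - level-1
    - section-5
    - "5.4.2"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/5.4.3.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.4.3 Ensure default group for the root account is GID 0
#
# The audit reads root's primary GID (field 4 of its /etc/passwd entry) and
# compares it as a string. The previous version listed user *names* with
# UID 0 and compared stdout to the integer 0, which is always true, so
# `usermod -g 0 root` ran (and reported changed) on every play.

- name: 5.4.3 - Check the GID of the root group
  shell: "awk -F: '($1 == \"root\") { print $4 }' /etc/passwd"
  register: cat_5_4_3
  check_mode: no
  changed_when: False
  tags:
    - level-1
    - section-5
    - "5.4.3"
    - scored

- name: 5.4.3 - Ensure default group for the root account is GID 0
  command: usermod -g 0 root
  when: cat_5_4_3.stdout is not defined or cat_5_4_3.stdout|trim != "0"
  tags:
    - level-1
    - section-5
    - "5.4.3"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/5.4.4.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.4.4 Ensure default user umask is 027 or more restrictive
#
# `^umask\s+` only matches a umask line at column 0; indented umask lines
# inside shell conditionals are left alone and the new line is appended to
# the end of each file in cis_umask_shell_files.

- name: 5.4.4 - Ensure default user umask is 027 or more restrictive
  lineinfile:
    regexp: "^umask\\s+"
    line: "umask {{ cis_umask_default }}"
    dest: "{{ item }}"
  with_items: "{{ cis_umask_shell_files }}"
  tags:
    - level-1
    - section-5
    - "5.4.4"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/5.5.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 5.5 Ensure access to the su command is restricted
#
# The regexp targets the pam_wheel rule itself (commented or not). The
# previous `^auth\s+` matched every auth rule in /etc/pam.d/su and lineinfile
# replaces the *last* match, so an unrelated auth rule was overwritten and the
# su auth stack depended on the distribution's line order. If no pam_wheel
# line exists the rule is appended at EOF.

- name: 5.5 - Ensure access to the su command is restricted
  lineinfile:
    regexp: "^#?auth\\s+required\\s+pam_wheel\\.so"
    line: "auth required pam_wheel.so use_uid"
    dest: "/etc/pam.d/su"
  tags:
    - level-1
    - section-5
    - "5.5"
    - scored

# NOTE(review): this rewrites the whole wheel entry, hard-coding GID 10 and
# replacing the member list, and edits /etc/group directly rather than
# through the user/group modules — confirm the GID on the target and that
# cis_wheel_group_members is the complete intended membership.
- name: 5.5 - Configure wheel group members who can access the su command
  lineinfile:
    regexp: "^wheel:"
    line: "wheel:x:10:{{ cis_wheel_group_members }}"
    dest: "/etc/group"
  tags:
    - level-1
    - section-5
    - "5.5"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/6.1.1.yml:
--------------------------------------------------------------------------------
# Standards: 0.11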
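---

# 6.1.1 Audit system file permissions (Not Scored)
#
# The verification output is registered and reported through the same
# fail/debug pair the other section-6 audits use. The previous version
# redirected it to the fixed path /tmp/test.out as root (a predictable name
# in a world-writable directory) and, via `creates`, never ran again or
# looked at the result. `rpm -V` exits non-zero whenever anything differs,
# hence `failed_when: False`. Tags corrected from section-5/5.3.2 to this
# check's own section and id; `scored` is kept as the author had it although
# the benchmark lists this item as Not Scored.

- name: 6.1.1 Audit system file permissions (Not Scored)
  shell: rpm -Va --nomtime --nosize --nomd5 --nolinkto
  register: audit_6_1_1
  check_mode: no
  changed_when: False
  failed_when: False
  tags:
    - level-1
    - section-6
    - "6.1.1"
    - scored

- name: 6.1.1 Audit system file permissions (Not Scored)
  fail:
    msg: "{{ audit_6_1_1.stdout_lines }}"
  when:
    - audit_6_1_1.stdout_lines is defined and audit_6_1_1.stdout_lines|length > 0
    - fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-6
    - "6.1.1"
    - scored

- name: 6.1.1 Audit system file permissions (Not Scored)
  debug:
    msg: "*** ACTION REQUIRED *** {{ audit_6_1_1.stdout }}"
  when:
    - audit_6_1_1.stdout_lines is defined and audit_6_1_1.stdout_lines|length > 0
    - not fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-6
    - "6.1.1"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/6.1.10.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.1.10 Ensure no world writable files exist
#
# The audit is read-only: `check_mode: no` / `changed_when: False` as in the
# 6.2.x audits, so it also runs under --check and never reports changed.

- name: 6.1.10 - Audit if any world writable files exist
  shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002
  register: audit_6_1_10
  check_mode: no
  changed_when: False
  tags:
    - level-1
    - section-6
    - "6.1.10"
    - scored

- name: 6.1.10 - Ensure no world writable files exist
  fail:
    msg: "{{ audit_6_1_10.stdout_lines }}"
  when:
    - audit_6_1_10.stdout_lines is defined and audit_6_1_10.stdout_lines|length > 0
    - fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-6
    - "6.1.10"
    - scored

- name: 6.1.10 - Ensure no world writable files exist
  debug:
    msg: "*** ACTION REQUIRED *** {{ audit_6_1_10.stdout }}"
  when:
    - audit_6_1_10.stdout_lines is defined and audit_6_1_10.stdout_lines|length > 0
    - not fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-6
    - "6.1.10"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/6.1.11.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.1.11 Ensure no unowned files or directories exist
#
# Read-only audit; runs under --check and never reports changed.

- name: 6.1.11 - Audit if any unowned files or directories exist
  shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser
  register: audit_6_1_11
  check_mode: no
  changed_when: False
  tags:
    - level-1
    - section-6
    - "6.1.11"
    - scored

- name: 6.1.11 - Ensure no unowned files or directories exist
  fail:
    msg: "{{ audit_6_1_11.stdout_lines }}"
  when:
    - audit_6_1_11.stdout_lines is defined and audit_6_1_11.stdout_lines|length > 0
    - fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-6
    - "6.1.11"
    - scored

- name: 6.1.11 - Ensure no unowned files or directories exist
  debug:
    msg: "*** ACTION REQUIRED *** {{ audit_6_1_11.stdout }}"
  when:
    - audit_6_1_11.stdout_lines is defined and audit_6_1_11.stdout_lines|length > 0
    - not fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-6
    - "6.1.11"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/6.1.12.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.1.12 Ensure no ungrouped files or directories exist
#
# Read-only audit; runs under --check and never reports changed.

- name: 6.1.12 - Audit if any ungrouped files or directories exist
  shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup
  register: audit_6_1_12
  check_mode: no
  changed_when: False
  tags:
    - level-1
    - section-6
    - "6.1.12"
    - scored

- name: 6.1.12 - Ensure no ungrouped files or directories exist
  fail:
    msg: "{{ audit_6_1_12.stdout_lines }}"
  when:
    - audit_6_1_12.stdout_lines is defined and audit_6_1_12.stdout_lines|length > 0
    - fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-6
    - "6.1.12"
    - scored

- name: 6.1.12 - Ensure no ungrouped files or directories exist
  debug:
    msg: "*** ACTION REQUIRED *** {{ audit_6_1_12.stdout }}"
  when:
    - audit_6_1_12.stdout_lines is defined and audit_6_1_12.stdout_lines|length > 0
    - not fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-6
    - "6.1.12"
    - scored

--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/6.1.13.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.1.13 Audit SUID executables
#
# Read-only audit. A stock system ships a number of SUID binaries, so this
# list is normally non-empty; with fail_on_manual_remediation_actions set the
# play stops here until the list has been reviewed against a known baseline.

- name: 6.1.13 - Check if any SUID executables exist
  shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000
  register: audit_6_1_13
  check_mode: no
  changed_when: False
  tags:
    - level-1
    - section-6
    - "6.1.13"
    - scored

- name: 6.1.13 - Audit SUID executables
  fail:
    msg: "{{ audit_6_1_13.stdout_lines }}"
  when:
    - audit_6_1_13.stdout_lines is defined and audit_6_1_13.stdout_lines|length > 0
    - fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-6
    - "6.1.13"
    - scored

- name: 6.1.13 - Audit SUID executables
  debug:
    msg: "*** ACTION REQUIRED *** {{ audit_6_1_13.stdout }}"
  when:
    - audit_6_1_13.stdout_lines is defined and audit_6_1_13.stdout_lines|length > 0
    - not fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-6
    - "6.1.13"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/6.1.14.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.1.14 Audit SGID executables
#
# Read-only audit; same baseline caveat as 6.1.13. The fail message uses
# stdout_lines like the other section-6 checks (it previously used stdout).

- name: 6.1.14 - Check if any SGID executables exist
  shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000
  register: audit_6_1_14
  check_mode: no
  changed_when: False
  tags:
    - level-1
    - section-6
    - "6.1.14"
    - scored

- name: 6.1.14 - Audit SGID executables
  fail:
    msg: "{{ audit_6_1_14.stdout_lines }}"
  when:
    - audit_6_1_14.stdout_lines is defined and audit_6_1_14.stdout_lines|length > 0
    - fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-6
    - "6.1.14"
    - scored

- name: 6.1.14 - Audit SGID executables
  debug:
    msg: "*** ACTION REQUIRED *** {{ audit_6_1_14.stdout }}"
  when:
    - audit_6_1_14.stdout_lines is defined and audit_6_1_14.stdout_lines|length > 0
    - not fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-6
    - "6.1.14"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/6.1.2.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.1.2 Ensure permissions on /etc/passwd are configured

- name: 6.1.2 - Ensure permissions on /etc/passwd are configured
  file:
    path: /etc/passwd
    owner: root
    group: root
    mode: 0644
  tags:
    - level-1
    - section-6
    - "6.1.2"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/6.1.3.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.1.3 Ensure permissions on /etc/shadow are configured
#
# Mode 0000: only root (which bypasses mode bits) reads the hashes.

- name: 6.1.3 - Ensure permissions on /etc/shadow are configured
  file:
    path: /etc/shadow
    owner: root
    group: root
    mode: 0000
  tags:
    - level-1
    - section-6
    - "6.1.3"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/6.1.4.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.1.4 Ensure permissions on /etc/group are configured

- name: 6.1.4 - Ensure permissions on /etc/group are configured
  file:
    path: /etc/group
    owner: root
    group: root
    mode: 0644
  tags:
    - level-1
    - section-6
    - "6.1.4"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/6.1.5.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.1.5 Ensure permissions on /etc/gshadow are configured

- name: 6.1.5 - Ensure permissions on /etc/gshadow are configured
  file:
    path: /etc/gshadow
    owner: root
    group: root
    mode: 0000
  tags:
    - level-1
    - section-6
    - "6.1.5"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/6.1.6.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.1.6 Ensure permissions on /etc/passwd- are configured

- name: 6.1.6 - Ensure permissions on /etc/passwd- are configured
  file:
    path: /etc/passwd-
    owner: root
    group: root
    mode: 0600
  tags:
    - level-1
    - section-6
    - "6.1.6"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/6.1.7.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.1.7 Ensure permissions on /etc/shadow- are configured

- name: 6.1.7 - Ensure permissions on /etc/shadow- are configured
  file:
    path: /etc/shadow-
    owner: root
    group: root
    mode: 0000
  tags:
    - level-1
    - section-6
    - "6.1.7"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/6.1.8.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.1.8 Ensure permissions on /etc/group- are configured

- name: 6.1.8 - Ensure permissions on /etc/group- are configured
  file:
    path: /etc/group-
    owner: root
    group: root
    mode: 0600
  tags:
    - level-1
    - section-6
    - "6.1.8"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/6.1.9.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.1.9 Ensure permissions on /etc/gshadow- are configured

- name: 6.1.9 - Ensure permissions on /etc/gshadow- are configured
  file:
    path: /etc/gshadow-
    owner: root
    group: root
    mode: 0600
  tags:
    - level-1
    - section-6
    - "6.1.9"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/6.2.1.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.2.1 Ensure password fields are not empty
#
# Accounts with an empty shadow password field are locked with `passwd -l`
# (which reports changed on every run).

- name: 6.2.1 - Identify any accounts without passwords
  shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) { print $1 }'"
  register: accounts_6_2_1
  check_mode: no
  changed_when: False
  tags:
    - level-1
    - section-6
    - "6.2.1"
    - scored

- name: 6.2.1 - Lock any accounts without passwords
  command: "passwd -l {{ item }}"
  with_items: "{{ accounts_6_2_1.stdout_lines }}"
  when: accounts_6_2_1.stdout_lines is defined
  tags:
    - level-1
    - section-6
    - "6.2.1"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/6.2.10.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.2.10 Ensure users' dot files are not group or world writable
#
# The audit script is shipped with the role; its output is reported but not
# remediated automatically.

- name: 6.2.10 - Audit users' dot files permissions
  script: "{{ role_path }}/files/audit_6.2.10.sh"
  check_mode: no
  changed_when: False
  register: audit_6_2_10
  tags:
    - level-1
    - section-6
    - "6.2.10"
    - scored

- name: 6.2.10 - Ensure users' dot files are not group or world writable
  fail:
    msg: "{{ audit_6_2_10.stdout }}"
  when:
    - audit_6_2_10.stdout_lines is defined and audit_6_2_10.stdout_lines|length > 0
    - fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-6
    - "6.2.10"
    - scored

- name: 6.2.10 - Ensure users' dot files are not group or world writable
  debug:
    msg: "*** ACTION REQUIRED *** {{ audit_6_2_10.stdout }}"
  when:
    - audit_6_2_10.stdout_lines is defined and audit_6_2_10.stdout_lines|length > 0
    - not fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-6
    - "6.2.10"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/6.2.11.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.2.11 Ensure no users have .forward files
#
# Report-only audit via the role's script.

- name: 6.2.11 - Audit users' forward files
  script: "{{ role_path }}/files/audit_6.2.11.sh"
  check_mode: no
  changed_when: False
  register: audit_6_2_11
  tags:
    - level-1
    - section-6
    - "6.2.11"
    - scored

- name: 6.2.11 - Ensure no users have .forward files
  fail:
    msg: "{{ audit_6_2_11.stdout }}"
  when:
    - audit_6_2_11.stdout_lines is defined and audit_6_2_11.stdout_lines|length > 0
    - fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-6
    - "6.2.11"
    - scored

- name: 6.2.11 - Ensure no users have .forward files
  debug:
    msg: "*** ACTION REQUIRED *** {{ audit_6_2_11.stdout }}"
  when:
    - audit_6_2_11.stdout_lines is defined and audit_6_2_11.stdout_lines|length > 0
    - not fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-6
    - "6.2.11"
    - scored

--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/6.2.12.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.2.12 Ensure no users have .netrc files
#
# Report-only audit via the role's script. .netrc files hold cleartext
# credentials, so hits here should be removed rather than just re-permissioned.

- name: 6.2.12 - Audit users'.netrc files
  script: "{{ role_path }}/files/audit_6.2.12.sh"
  check_mode: no
  changed_when: False
  register: audit_6_2_12
  tags:
    - level-1
    - section-6
    - "6.2.12"
    - scored

- name: 6.2.12 - Ensure no users have .netrc files
  fail:
    msg: "{{ audit_6_2_12.stdout_lines }}"
  when:
    - audit_6_2_12.stdout_lines is defined and audit_6_2_12.stdout_lines|length > 0
    - fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-6
    - "6.2.12"
    - scored

- name: 6.2.12 - Ensure no users have .netrc files
  debug:
    msg: "*** ACTION REQUIRED *** {{ audit_6_2_12.stdout }}"
  when:
    - audit_6_2_12.stdout_lines is defined and audit_6_2_12.stdout_lines|length > 0
    - not fail_on_manual_remediation_actions
  tags:
    - level-1
    - section-6
    - "6.2.12"
    - scored

--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/6.2.13.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.2.13 Ensure users' .netrc Files are not group or world accessible

- name: 6.2.13 - Audit users'.netrc permissions
  script: "{{ role_path }}/files/audit_6.2.13.sh"
  check_mode: no
  changed_when: False
  register: audit_6_2_13
  tags:
    - level-1
    - section-6
    - "6.2.13"
    - scored

- name: 6.2.13 - Ensure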
users' .netrc Files are not group or world accessible 18 | fail: 19 | msg: "{{ audit_6_2_13.stdout }}" 20 | when: 21 | - audit_6_2_13.stdout_lines is defined and audit_6_2_13.stdout_lines|length > 0 22 | - fail_on_manual_remediation_actions 23 | tags: 24 | - level-1 25 | - section-6 26 | - "6.2.13" 27 | - scored 28 | 29 | - name: 6.2.13 - Ensure users' .netrc Files are not group or world accessible 30 | debug: 31 | msg: "*** ACTION REQUIRED *** {{ audit_6_2_13.stdout }}" 32 | when: 33 | - audit_6_2_13.stdout_lines is defined and audit_6_2_13.stdout_lines|length > 0 34 | - not fail_on_manual_remediation_actions 35 | tags: 36 | - level-1 37 | - section-6 38 | - "6.2.13" 39 | - scored 40 | 41 | -------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-1/6.2.14.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 6.2.14 Ensure no users have .rhosts files 5 | 6 | - name: 6.2.14 - Audit users'.rhosts files 7 | script: "{{ role_path }}/files/audit_6.2.14.sh" 8 | check_mode: no 9 | changed_when: False 10 | register: audit_6_2_14 11 | tags: 12 | - level-1 13 | - section-6 14 | - "6.2.14" 15 | - scored 16 | 17 | - name: 6.2.14 - Ensure no users have .rhosts files 18 | fail: 19 | msg: "{{ audit_6_2_14.stdout_lines }}" 20 | when: 21 | - audit_6_2_14.stdout_lines is defined and audit_6_2_14.stdout_lines|length > 0 22 | - fail_on_manual_remediation_actions 23 | tags: 24 | - level-1 25 | - section-6 26 | - "6.2.14" 27 | - scored 28 | 29 | - name: 6.2.14 - Ensure no users have .rhosts files 30 | debug: 31 | msg: "*** ACTION REQUIRED *** {{ audit_6_2_14.stdout }}" 32 | when: 33 | - audit_6_2_14.stdout_lines is defined and audit_6_2_14.stdout_lines|length > 0 34 | - not fail_on_manual_remediation_actions 35 | tags: 36 | - level-1 37 | - section-6 38 | - "6.2.14" 39 | - scored 40 | 41 | 
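--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/6.2.15.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.2.15 Ensure all groups in /etc/passwd exist in /etc/group
# Audit-only control: audit_6.2.15.sh prints findings on stdout. With
# fail_on_manual_remediation_actions the play fails; otherwise an
# "ACTION REQUIRED" notice is printed. Failure messages in 6.2.15-6.2.19 now
# use `stdout` (plain text) instead of `stdout_lines` (rendered as a list).

- name: 6.2.15 - Audit existence of groups listed in /etc/passwd against /etc/group
  script: "{{ role_path }}/files/audit_6.2.15.sh"
  check_mode: no
  changed_when: false
  register: audit_6_2_15
  tags: [level-1, section-6, "6.2.15", scored]

- name: 6.2.15 - Ensure all groups in /etc/passwd exist in /etc/group
  fail:
    msg: "{{ audit_6_2_15.stdout }}"
  when:
    - audit_6_2_15.stdout_lines is defined and audit_6_2_15.stdout_lines|length > 0
    - fail_on_manual_remediation_actions
  tags: [level-1, section-6, "6.2.15", scored]

- name: 6.2.15 - Ensure all groups in /etc/passwd exist in /etc/group
  debug:
    msg: "*** ACTION REQUIRED *** {{ audit_6_2_15.stdout }}"
  when:
    - audit_6_2_15.stdout_lines is defined and audit_6_2_15.stdout_lines|length > 0
    - not fail_on_manual_remediation_actions
  tags: [level-1, section-6, "6.2.15", scored]
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/6.2.16.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.2.16 Ensure no duplicate UIDs exist
# Audit-only control: two accounts sharing a UID are indistinguishable to the
# kernel, so ownership and audit records cannot be attributed.

- name: 6.2.16 - Check if duplicate UIDs exist
  script: "{{ role_path }}/files/audit_6.2.16.sh"
  check_mode: no
  changed_when: false
  register: audit_6_2_16
  tags: [level-1, section-6, "6.2.16", scored]

- name: 6.2.16 - Ensure no duplicate UIDs exist
  fail:
    msg: "{{ audit_6_2_16.stdout }}"
  when:
    - audit_6_2_16.stdout_lines is defined and audit_6_2_16.stdout_lines|length > 0
    - fail_on_manual_remediation_actions
  tags: [level-1, section-6, "6.2.16", scored]

- name: 6.2.16 - Ensure no duplicate UIDs exist
  debug:
    msg: "*** ACTION REQUIRED *** {{ audit_6_2_16.stdout }}"
  when:
    - audit_6_2_16.stdout_lines is defined and audit_6_2_16.stdout_lines|length > 0
    - not fail_on_manual_remediation_actions
  tags: [level-1, section-6, "6.2.16", scored]
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/6.2.17.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.2.17 Ensure no duplicate GIDs exist
# Audit-only control (same fail/debug pattern as 6.2.15).

- name: 6.2.17 - Check if duplicate GIDs exist
  script: "{{ role_path }}/files/audit_6.2.17.sh"
  check_mode: no
  changed_when: false
  register: audit_6_2_17
  tags: [level-1, section-6, "6.2.17", scored]

- name: 6.2.17 - Ensure no duplicate GIDs exist
  fail:
    msg: "{{ audit_6_2_17.stdout }}"
  when:
    - audit_6_2_17.stdout_lines is defined and audit_6_2_17.stdout_lines|length > 0
    - fail_on_manual_remediation_actions
  tags: [level-1, section-6, "6.2.17", scored]

- name: 6.2.17 - Ensure no duplicate GIDs exist
  debug:
    msg: "*** ACTION REQUIRED *** {{ audit_6_2_17.stdout }}"
  when:
    - audit_6_2_17.stdout_lines is defined and audit_6_2_17.stdout_lines|length > 0
    - not fail_on_manual_remediation_actions
  tags: [level-1, section-6, "6.2.17", scored]
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/6.2.18.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.2.18 Ensure no duplicate user names exist
# Audit-only control (same fail/debug pattern as 6.2.15).

- name: 6.2.18 - Check if duplicate user names exist
  script: "{{ role_path }}/files/audit_6.2.18.sh"
  check_mode: no
  changed_when: false
  register: audit_6_2_18
  tags: [level-1, section-6, "6.2.18", scored]

- name: 6.2.18 - Ensure no duplicate user names exist
  fail:
    msg: "{{ audit_6_2_18.stdout }}"
  when:
    - audit_6_2_18.stdout_lines is defined and audit_6_2_18.stdout_lines|length > 0
    - fail_on_manual_remediation_actions
  tags: [level-1, section-6, "6.2.18", scored]

- name: 6.2.18 - Ensure no duplicate user names exist
  debug:
    msg: "*** ACTION REQUIRED *** {{ audit_6_2_18.stdout }}"
  when:
    - audit_6_2_18.stdout_lines is defined and audit_6_2_18.stdout_lines|length > 0
    - not fail_on_manual_remediation_actions
  tags: [level-1, section-6, "6.2.18", scored]
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/6.2.19.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.2.19 Ensure no duplicate group names exist
# Audit-only control (same fail/debug pattern as 6.2.15).

- name: 6.2.19 - Check if duplicate group names exist
  script: "{{ role_path }}/files/audit_6.2.19.sh"
  check_mode: no
  changed_when: false
  register: audit_6_2_19
  tags: [level-1, section-6, "6.2.19", scored]

- name: 6.2.19 - Ensure no duplicate group names exist
  fail:
    msg: "{{ audit_6_2_19.stdout }}"
  when:
    - audit_6_2_19.stdout_lines is defined and audit_6_2_19.stdout_lines|length > 0
    - fail_on_manual_remediation_actions
  tags: [level-1, section-6, "6.2.19", scored]

- name: 6.2.19 - Ensure no duplicate group names exist
  debug:
    msg: "*** ACTION REQUIRED *** {{ audit_6_2_19.stdout }}"
  when:
    - audit_6_2_19.stdout_lines is defined and audit_6_2_19.stdout_lines|length > 0
    - not fail_on_manual_remediation_actions
  tags: [level-1, section-6, "6.2.19", scored]
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/6.2.2.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd
# A line starting with "+:" is a legacy NIS compatibility marker; the `replace`
# module with no `replace:` value deletes every whole line matching the regexp.

- name: 6.2.2 - Ensure no legacy "+" entries exist in /etc/passwd
  replace:
    dest: "/etc/passwd"
    regexp: "^\\+:.*\n"
  tags: [level-1, section-6, "6.2.2", scored]
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/6.2.3.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.2.3 Ensure no legacy "+" entries exist in /etc/shadow
# Same mechanism as 6.2.2; the file is rewritten in place, so re-check 6.1.x
# permission controls if this task reports a change.

- name: 6.2.3 - Ensure no legacy "+" entries exist in /etc/shadow
  replace:
    dest: "/etc/shadow"
    regexp: "^\\+:.*\n"
  tags: [level-1, section-6, "6.2.3", scored]
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/6.2.4.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.2.4 Ensure no legacy "+" entries exist in /etc/group
# Same mechanism as 6.2.2.

- name: 6.2.4 - Ensure no legacy "+" entries exist in /etc/group
  replace:
    dest: "/etc/group"
    regexp: "^\\+:.*\n"
  tags: [level-1, section-6, "6.2.4", scored]
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/6.2.5.yml: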
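--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.2.5 Ensure root is the only UID 0 account
# Audit-only control: any account other than root with UID 0 is a second
# superuser. Findings fail the play (fail_on_manual_remediation_actions) or
# print an "ACTION REQUIRED" notice.

- name: 6.2.5 - Ensure root is the only UID 0 account
  # Field 3 of /etc/passwd is the UID; list every account whose UID is 0.
  shell: "awk -F: '($3 == 0) { print $1 }' /etc/passwd"
  check_mode: no
  changed_when: false
  register: cat_6_2_5
  tags: [level-1, section-6, "6.2.5", scored]

- name: 6.2.5 - Fail if root is not the only UID 0 account
  fail:
    msg: "root is not the only UID 0 account."
  # Non-compliant when more than one UID 0 account exists, or the single one is not root.
  when:
    - cat_6_2_5.stdout_lines is defined and (cat_6_2_5.stdout_lines|length > 1 or (cat_6_2_5.stdout_lines|length == 1 and 'root' not in cat_6_2_5.stdout_lines))
    - fail_on_manual_remediation_actions
  tags: [level-1, section-6, "6.2.5", scored]

- name: 6.2.5 - Warn if root is not the only UID 0 account
  debug:
    msg: "*** ACTION REQUIRED *** root is not the only UID 0 account"
  when:
    - cat_6_2_5.stdout_lines is defined and (cat_6_2_5.stdout_lines|length > 1 or (cat_6_2_5.stdout_lines|length == 1 and 'root' not in cat_6_2_5.stdout_lines))
    - not fail_on_manual_remediation_actions
  tags: [level-1, section-6, "6.2.5", scored]
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/6.2.6.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.2.6 Ensure root PATH Integrity
# Audit-only control: audit_6.2.6.sh reports PATH entries that are writable,
# empty or relative. Failure message uses `stdout` (plain text) for
# consistency with the other 6.2.x controls.

- name: 6.2.6 - Audit root PATH Integrity
  script: "{{ role_path }}/files/audit_6.2.6.sh"
  check_mode: no
  changed_when: false
  register: audit_6_2_6
  tags: [level-1, section-6, "6.2.6", scored]

- name: 6.2.6 - Ensure root PATH Integrity
  fail:
    msg: "{{ audit_6_2_6.stdout }}"
  when:
    - audit_6_2_6.stdout_lines is defined and audit_6_2_6.stdout_lines|length > 0
    - fail_on_manual_remediation_actions
  tags: [level-1, section-6, "6.2.6", scored]

- name: 6.2.6 - Ensure root PATH Integrity
  debug:
    msg: "*** ACTION REQUIRED *** {{ audit_6_2_6.stdout }}"
  when:
    - audit_6_2_6.stdout_lines is defined and audit_6_2_6.stdout_lines|length > 0
    - not fail_on_manual_remediation_actions
  tags: [level-1, section-6, "6.2.6", scored]
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/6.2.7.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.2.7 Ensure all users' home directories exist
# Remediating control: each audit line is split on ':' into name and home
# (assumed "user:home" output from audit_6.2.7.sh - confirm against the script).

- name: 6.2.7 - Audit existence of users' home directories
  script: "{{ role_path }}/files/audit_6.2.7.sh"
  check_mode: no
  changed_when: false
  register: audit_6_2_7
  tags: [level-1, section-6, "6.2.7", scored]

- name: 6.2.7 - Ensure users' home directories exist.
  user:
    name: "{{ item.split(':')[0] }}"
    home: "{{ item.split(':')[1] }}"
  when: audit_6_2_7.stdout_lines is defined and audit_6_2_7.stdout_lines|length > 0
  with_items: "{{ audit_6_2_7.stdout_lines }}"
  tags: [level-1, section-6, "6.2.7", scored]
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/6.2.8.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.2.8 Ensure users' home directories permissions are 750 or more restrictive
# Audit-only control; failure message uses `stdout` for consistency.

- name: 6.2.8 - Audit users' home directories permissions
  script: "{{ role_path }}/files/audit_6.2.8.sh"
  check_mode: no
  changed_when: false
  register: audit_6_2_8
  tags: [level-1, section-6, "6.2.8", scored]

- name: 6.2.8 - Ensure users' home directories permissions are 750 or more restrictive
  fail:
    msg: "{{ audit_6_2_8.stdout }}"
  when:
    - audit_6_2_8.stdout_lines is defined and audit_6_2_8.stdout_lines|length > 0
    - fail_on_manual_remediation_actions
  tags: [level-1, section-6, "6.2.8", scored]

- name: 6.2.8 - Ensure users' home directories permissions are 750 or more restrictive
  debug:
    msg: "*** ACTION REQUIRED *** {{ audit_6_2_8.stdout }}"
  when:
    - audit_6_2_8.stdout_lines is defined and audit_6_2_8.stdout_lines|length > 0
    - not fail_on_manual_remediation_actions
  tags: [level-1, section-6, "6.2.8", scored]
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/6.2.9.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.2.9 Ensure users own their home directories
# Remediating control: each audit line is split on ':' into directory and
# owner (assumed "dir:user" output from audit_6.2.9.sh - confirm against the
# script). `follow: yes` chowns the target when the home path is a symlink.

- name: 6.2.9 - Audit ownership of users' home directories
  script: "{{ role_path }}/files/audit_6.2.9.sh"
  check_mode: no
  changed_when: false
  register: audit_6_2_9
  tags: [level-1, section-6, "6.2.9", scored]

- name: 6.2.9 - Ensure users own their home directories
  file:
    owner: "{{ item.split(':')[1] }}"
    path: "{{ item.split(':')[0] }}"
    state: directory
    follow: yes
  when: audit_6_2_9.stdout_lines is defined and audit_6_2_9.stdout_lines|length > 0
  with_items: "{{ audit_6_2_9.stdout_lines }}"
  tags: [level-1, section-6, "6.2.9", scored]
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-1/stat_sshd_config.yml:
--------------------------------------------------------------------------------
---

# Shared pre-check: registers `sshd_config` so sshd controls can skip hosts
# without an sshd_config file.
- name: Check if /etc/ssh/sshd_config exists
  stat:
    path: /etc/ssh/sshd_config
  register: sshd_config
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-2.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# Level-2 controls. Each include is skipped when its id is listed in
# cis_level_2_exclusions.
#
# Order matters for the auditd controls: 4.1.1.x/4.1.2 configure the daemon,
# 4.1.4-4.1.17 append rules, and 4.1.18 MUST run last because it appends
# "-e 2" (immutable). Rules written after that line are never loaded, which is
# what happened with the previous ordering (4.1.18 before 4.1.4-4.1.7).
- include: "level-2/4.1.1.2.yml"
  when: "'4.1.1.2' not in cis_level_2_exclusions"
- include: "level-2/4.1.1.3.yml"
  when: "'4.1.1.3' not in cis_level_2_exclusions"
- include: "level-2/4.1.2.yml"
  when: "'4.1.2' not in cis_level_2_exclusions"
- include: "level-2/4.1.4.yml"
  when: "'4.1.4' not in cis_level_2_exclusions"
- include: "level-2/4.1.5.yml"
  when: "'4.1.5' not in cis_level_2_exclusions"
- include: "level-2/4.1.6.yml"
  when: "'4.1.6' not in cis_level_2_exclusions"
- include: "level-2/4.1.7.yml"
  when: "'4.1.7' not in cis_level_2_exclusions"
- include: "level-2/4.1.8.yml"
  when: "'4.1.8' not in cis_level_2_exclusions"
- include: "level-2/4.1.9.yml"
  when: "'4.1.9' not in cis_level_2_exclusions"
- include: "level-2/4.1.10.yml"
  when: "'4.1.10' not in cis_level_2_exclusions"
- include: "level-2/4.1.11.yml"
  when: "'4.1.11' not in cis_level_2_exclusions"
- include: "level-2/4.1.13.yml"
  when: "'4.1.13' not in cis_level_2_exclusions"
- include: "level-2/4.1.14.yml"
  when: "'4.1.14' not in cis_level_2_exclusions"
- include: "level-2/4.1.15.yml"
  when: "'4.1.15' not in cis_level_2_exclusions"
- include: "level-2/4.1.16.yml"
  when: "'4.1.16' not in cis_level_2_exclusions"
- include: "level-2/4.1.17.yml"
  when: "'4.1.17' not in cis_level_2_exclusions"
- include: "level-2/6.1.1.yml"
  when: "'6.1.1' not in cis_level_2_exclusions"
# Keep last: appends "-e 2".
- include: "level-2/4.1.18.yml"
  when: "'4.1.18' not in cis_level_2_exclusions"
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-2/4.1.1.2.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 4.1.1.2 Ensure system is disabled when audit logs are full (Scored)
# Fixes vs. the previous version: the stat task was tagged level-1/section-1
# in a level-2/section-4 control; the `when` was inverted (remediation ran
# only when auditd.conf was missing, where lineinfile then fails); and the
# regexps matched only the "SYSLOG"/"SUSPEND" defaults, so any other existing
# value produced a duplicate key instead of being replaced.

- name: 4.1.1.2- Check if CIS audit.d configuration file exists
  stat:
    path: "{{ cis_audit_auditd_filename }}"
  register: auditd_4_1_1_2
  tags: [level-2, section-4, "4.1.1.2", scored]

- name: 4.1.1.2 Ensure system is disabled when audit logs are full (Scored)
  # Match each key regardless of its current value so it is replaced in place.
  # action_mail_acct is the recipient for the "email" action.
  lineinfile:
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    dest: "{{ cis_audit_auditd_filename }}"
    state: present
  with_items:
    - { regexp: '^\s*space_left_action\s*=', line: "space_left_action = email" }
    - { regexp: '^\s*action_mail_acct\s*=', line: "action_mail_acct = root" }
    - { regexp: '^\s*admin_space_left_action\s*=', line: "admin_space_left_action = halt" }
  notify: Restart auditd
  # Only edit an existing auditd.conf; 4.1.2 covers the package/service itself.
  when: auditd_4_1_1_2.stat.exists
  tags: [level-2, section-4, "4.1.1.2", scored]
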
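--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-2/4.1.1.3.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 4.1.1.3 Ensure audit logs are not automatically deleted (Scored)
# Fixes vs. the previous version: the `when` referenced auditd_4_1_1_2 (the
# register of a different, possibly excluded task) and was inverted; the stat
# task carried level-1/section-1 tags; and the regexp matched only the
# "ROTATE" default, appending a duplicate key for any other existing value.

- name: 4.1.1.3- Check if CIS audit.d configuration file exists
  stat:
    path: "{{ cis_audit_auditd_filename }}"
  register: auditd_4_1_1_3
  tags: [level-2, section-4, "4.1.1.3", scored]

- name: 4.1.1.3 Ensure audit logs are not automatically deleted (Scored)
  lineinfile:
    regexp: '^\s*max_log_file_action\s*='
    line: "max_log_file_action = keep_logs"
    dest: "{{ cis_audit_auditd_filename }}"
    state: present
  notify: Restart auditd
  when: auditd_4_1_1_3.stat.exists
  tags: [level-2, section-4, "4.1.1.3", scored]

--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-2/4.1.10.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 4.1.10 Ensure discretionary access control permission modification events are collected (Scored)
# auid>=500 is UID_MIN on RHEL/CentOS 6; on distributions where UID_MIN is 1000
# (see /etc/login.defs) the rules must use auid>=1000.
#
# Fixes vs. the previous version: each `when` clause was wrapped as
# ("'...' not in x.stdout"), i.e. a non-empty string literal, so the condition
# was always true; the rules task now notifies the auditd handler so written
# rules are actually loaded; the grep uses failed_when instead of
# ignore_errors so a no-match is not reported as a failure.

- name: 4.1.10 Ensure discretionary access control permission modification events are collected (Scored)
  shell: "grep perm_mod {{ cis_audit_rules_filename }}"
  register: perm_mod
  changed_when: false
  failed_when: false   # grep exits 1 when nothing matches; that is a valid result
  tags: ["4.1.10", level-2, section-4, scored]

- name: 4.1.10 Ensure discretionary access control permission modification events are collected (Scored)(Verify registered output matches)
  lineinfile:
    dest: "{{ cis_audit_rules_filename }}"
    line: "{{ item }}"
  with_items:
    - '# 4.1.10 Ensure discretionary access control permission modification events are collected'
    - '-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod'
    - '-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod'
    - '-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod'
    - '-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod'
    - '-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod'
    - '-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod'
  notify: Restart auditd
  # Folded scalar: one Jinja expression, true when any rule is missing.
  when: >-
    '-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod' not in perm_mod.stdout or
    '-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod' not in perm_mod.stdout or
    '-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod' not in perm_mod.stdout or
    '-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod' not in perm_mod.stdout or
    '-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod' not in perm_mod.stdout or
    '-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod' not in perm_mod.stdout
  tags: ["4.1.10", level-2, section-4, scored]

--------------------------------------------------------------------------------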
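/ansible/roles/cis/tasks/level-2/4.1.11.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected (Scored)
# auid>=500 is UID_MIN on RHEL/CentOS 6; use auid>=1000 where /etc/login.defs
# sets UID_MIN to 1000. The rules task relies on lineinfile idempotency (no
# `when`), and now notifies the auditd handler so written rules are loaded.

- name: 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected (Scored)
  shell: "grep access {{ cis_audit_rules_filename }}"
  register: access
  changed_when: false
  failed_when: false   # grep exits 1 when nothing matches; that is a valid result
  tags: ["4.1.11", level-2, section-4, scored]

- name: 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected(Verify registered output matches)
  lineinfile:
    dest: "{{ cis_audit_rules_filename }}"
    line: "{{ item }}"
  with_items:
    - '# 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected'
    - '-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access'
    - '-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access'
    - '-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access'
    - '-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access'
  notify: Restart auditd
  tags: ["4.1.11", level-2, section-4, scored]

--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-2/4.1.13.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 4.1.13 Ensure successful file system mounts are collected (Scored)
# Fixes vs. the previous version: tags said level-1 for a level-2 control;
# the `when` clauses were quoted string literals (always true); the rules
# task now notifies the auditd handler.

- name: 4.1.13 Ensure successful file system mounts are collected (Scored)
  shell: "grep mounts {{ cis_audit_rules_filename }}"
  register: mounts
  changed_when: false
  failed_when: false
  tags: ["4.1.13", level-2, section-4, scored]

- name: 4.1.13 Ensure successful file system mounts are collected (Scored)(Verify registered output matches)
  lineinfile:
    dest: "{{ cis_audit_rules_filename }}"
    line: "{{ item }}"
  with_items:
    - '# 4.1.13 Ensure successful file system mounts are collected (Scored)'
    - '-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts'
    - '-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts'
  notify: Restart auditd
  when: >-
    '-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts' not in mounts.stdout or
    '-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts' not in mounts.stdout
  tags: ["4.1.13", level-2, section-4, scored]

--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-2/4.1.14.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 4.1.14 Ensure file deletion events by users are collected (Scored)
# Same fixes as 4.1.13 (level-2 tags, real `when` expression, handler notify).

- name: 4.1.14 Ensure file deletion events by users are collected (Scored)
  shell: "grep delete {{ cis_audit_rules_filename }}"
  register: delete
  changed_when: false
  failed_when: false
  tags: ["4.1.14", level-2, section-4, scored]

- name: 4.1.14 Ensure file deletion events by users are collected(Verify registered output matches)
  lineinfile:
    dest: "{{ cis_audit_rules_filename }}"
    line: "{{ item }}"
  with_items:
    - '# 4.1.14 Ensure file deletion events by users are collected'
    - '-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete'
    - '-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete'
  notify: Restart auditd
  when: >-
    '-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete' not in delete.stdout or
    '-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete' not in delete.stdout
  tags: ["4.1.14", level-2, section-4, scored]

--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-2/4.1.15.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 4.1.15 Ensure changes to system administration scope (sudoers) is collected (Scored)
# Watches sudoers and sudoers.d for writes/attribute changes. `when` is now a
# real expression (was always-true string literals); rules task notifies auditd.

- name: 4.1.15 Ensure changes to system administration scope (sudoers) is collected (Scored)
  shell: "grep scope {{ cis_audit_rules_filename }}"
  register: scope
  changed_when: false
  failed_when: false
  tags: ["4.1.15", level-2, section-4, scored]

- name: 4.1.15 Ensure changes to system administration scope (sudoers) is collected(Verify registered output matches)
  lineinfile:
    dest: "{{ cis_audit_rules_filename }}"
    line: "{{ item }}"
  with_items:
    - '# 4.1.15 Ensure changes to system administration scope (sudoers) is collected'
    - '-w /etc/sudoers -p wa -k scope'
    - '-w /etc/sudoers.d -p wa -k scope'
  notify: Restart auditd
  when: >-
    '-w /etc/sudoers -p wa -k scope' not in scope.stdout or
    '-w /etc/sudoers.d -p wa -k scope' not in scope.stdout
  tags: ["4.1.15", level-2, section-4, scored]

--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-2/4.1.16.yml: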
-------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 4.1.16 Ensure system administrator actions (sudolog) are collected (Scored) 5 | 6 | - name: 4.1.16 Ensure system administrator actions (sudolog) are collected (Scored) 7 | shell: "grep scope {{ cis_audit_rules_filename }}" 8 | register: scope 9 | changed_when: False 10 | ignore_errors: true 11 | tags: 12 | - "4.1.16" 13 | - level-2 14 | - section-4 15 | - scored 16 | 17 | 18 | - name: 4.1.16 Ensure system administrator actions (sudolog) are collected(Verify registered output matches) 19 | lineinfile: 20 | dest: "{{ cis_audit_rules_filename }}" 21 | line: "{{ item }}" 22 | with_items: 23 | - '# 4.1.16 Ensure system administrator actions (sudolog) are collected' 24 | - '-w /var/log/sudo.log -p wa -k actions' 25 | when: 26 | ("'-w /var/log/sudo.log -p wa -k actions' not in scope.stdout") 27 | tags: 28 | - "4.1.16" 29 | - level-2 30 | - section-4 31 | - scored 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | -------------------------------------------------------------------------------- /ansible/roles/cis/tasks/level-2/4.1.17.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | # 4.1.17 Ensure kernel module loading and unloading is collected (Scored) 5 | 6 | - name: 4.1.17 Ensure kernel module loading and unloading is collected (Scored) 7 | shell: "grep modules {{ cis_audit_rules_filename }}" 8 | register: modules 9 | changed_when: False 10 | ignore_errors: true 11 | tags: 12 | - "4.1.17" 13 | - level-2 14 | - section-4 15 | - scored 16 | 17 | 18 | - name: 4.1.17 Ensure kernel module loading and unloading is collected(Verify registered output matches) 19 | lineinfile: 20 | dest: "{{ cis_audit_rules_filename }}" 21 | line: "{{ item }}" 22 | with_items: 23 | - '# 4.1.17 Ensure kernel module loading and unloading is collected' 24 | - '-w /sbin/insmod -p x -k modules' 25 | - '-w /sbin/rmmod 
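-p x -k modules'
    - '-w /sbin/modprobe -p x -k modules'
    # The CIS text spells this rule with the `-F` field selector; a bare
    # `arch=b64` is not a valid auditctl argument and the rule would not load.
    - '-a always,exit -F arch=b64 -S init_module -S delete_module -k modules'
  # Real Jinja expressions, not double-quoted strings: wrapping each test in
  # quotes makes it a non-empty literal that is always true.
  when:
    ('-w /sbin/insmod -p x -k modules' not in modules.stdout) or
    ('-w /sbin/rmmod -p x -k modules' not in modules.stdout) or
    ('-w /sbin/modprobe -p x -k modules' not in modules.stdout) or
    ('-a always,exit -F arch=b64 -S init_module -S delete_module -k modules' not in modules.stdout)
  tags:
    - "4.1.17"
    - level-2
    - section-4
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-2/4.1.18.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 4.1.18 Ensure the audit configuration is immutable (Scored)
#
# Only the LAST non-comment line of the rules file is inspected, because
# `-e 2` has its intended effect only when nothing follows it. The other 4.1.x
# tasks append with lineinfile, so this file has to be the final 4.1.x task
# included from level-2.yml — presumably it is; confirm against that file.

- name: 4.1.18 Ensure the audit configuration is immutable (Scored)
  shell: grep "^\s*[^#]" {{ cis_audit_rules_filename }} | tail -1
  register: immutable
  changed_when: False
  ignore_errors: true
  tags:
    - "4.1.18"
    - level-2
    - section-4
    - scored


- name: 4.1.18 Ensure the audit configuration is immutable(Verify registered output matches)
  lineinfile:
    dest: "{{ cis_audit_rules_filename }}"
    line: "{{ item }}"
  with_items:
    - '# 4.1.18 Ensure the audit configuration is immutable'
    - '-e 2'
  # A real Jinja expression, not a double-quoted (always-true) string literal.
  when:
    ('-e 2' not in immutable.stdout)
  tags:
    - "4.1.18"
    - level-2
    - section-4
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-2/4.1.2.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 4.1.2 Ensure auditd service is enabled (Scored)
# Probe for the audit package first; the service task is skipped (rather than
# failing the play) when the package is not installed.
- name: 4.1.2 Ensure auditd service is enabled (Scored)
  command: yum -q list audit
  ignore_errors: true
  register: auditd_4_1_2
  tags:
    - level-2
    - section-4
    # "4.2.1.1" looks like a copy-paste leftover; it is kept so existing
    # --tags selections still match, with the control's own id added.
    - "4.1.2"
    - "4.2.1.1"
    - scored

- name: 4.1.2 Ensure auditd service is enabled (Scored)
  service:
    name: "auditd"
    enabled: true
    state: started
  when:
    - auditd_4_1_2.rc is not defined or auditd_4_1_2.rc == 0
  ignore_errors: false
  tags:
    - level-2
    - section-4
    - "4.1.2"
    - "4.2.1.1"
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-2/4.1.4.yml:
--------------------------------------------------------------------------------
# 4.1.4 Ensure events that modify date and time information are collected (Scored)
#
# `register` names must be valid identifiers: `time-change` is rejected by
# Ansible and would otherwise be read as a subtraction inside `when`, so the
# registered variable is `time_change` (the audit key stays `time-change`).

- name: 4.1.4 Ensure events that modify date and time information are collected (Scored)
  shell: "grep time-change {{ cis_audit_rules_filename }}"
  register: time_change
  changed_when: False
  ignore_errors: true
  tags:
    - "4.1.4"
    - level-2
    - section-4
    - scored


- name: 4.1.4 Ensure events that modify date and time information are collected (Scored)(Verify registered output matches)
  lineinfile:
    dest: "{{ cis_audit_rules_filename }}"
    line: "{{ item }}"
  with_items:
    - '# 4.1.4 Ensure events that modify date and time information are collected'
    - '-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change'
    - '-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change'
    - '-a always,exit -F arch=b64 -S clock_settime -k time-change'
    - '-a always,exit -F arch=b32 -S clock_settime -k time-change'
    - '-w /etc/localtime -p wa -k time-change'
  # Real Jinja expressions, not double-quoted (always-true) string literals.
  when:
    ('-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change' not in time_change.stdout) or
    ('-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change' not in time_change.stdout) or
    ('-a always,exit -F arch=b64 -S clock_settime -k time-change' not in time_change.stdout) or
    ('-a always,exit -F arch=b32 -S clock_settime -k time-change' not in time_change.stdout) or
    ('-w /etc/localtime -p wa -k time-change' not in time_change.stdout)
  tags:
    - "4.1.4"
    - level-2
    - section-4
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-2/4.1.5.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 4.1.5 Ensure events that modify user/group information are collected(Scored)

- name: 4.1.5 Ensure events that modify user/group information are collected(Scored)
  shell: "grep identity {{ cis_audit_rules_filename }}"
  register: identity
  changed_when: False
  ignore_errors: true
  tags:
    - "4.1.5"
    - level-2
    - section-4
    - scored


- name: 4.1.5 Ensure events that modify user/group information are collected(Scored)(Verify registered output matches)
  lineinfile:
    dest: "{{ cis_audit_rules_filename }}"
    line: "{{ item }}"
  with_items:
    # Header comment written into the rules file; it previously carried the
    # 4.1.4 (date/time) wording by copy-paste.
    - '# 4.1.5 Ensure events that modify user/group information are collected'
    - '-w /etc/group -p wa -k identity'
    - '-w /etc/passwd -p wa -k identity'
    - '-w /etc/gshadow -p wa -k identity'
    - '-w /etc/shadow -p wa -k identity'
    - '-w /etc/security/opasswd -p wa -k identity'
  # Real Jinja expressions, not double-quoted (always-true) string literals.
  when:
    ('-w /etc/group -p wa -k identity' not in identity.stdout) or
    ('-w /etc/passwd -p wa -k identity' not in identity.stdout) or
    ('-w /etc/gshadow -p wa -k identity' not in identity.stdout) or
    ('-w /etc/shadow -p wa -k identity' not in identity.stdout) or
    ('-w /etc/security/opasswd -p wa -k identity' not in identity.stdout)
  tags:
    - "4.1.5"
    - level-2
    - section-4
    - scored
--------------------------------------------------------------------------------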
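/ansible/roles/cis/tasks/level-2/4.1.6.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 4.1.6 Ensure events that modify the system's network environment are collected(Scored)
#
# `register` names must be valid identifiers: `system-locale` is rejected by
# Ansible and would otherwise be read as a subtraction inside `when`, so the
# registered variable is `system_locale` (the audit key stays `system-locale`).

- name: 4.1.6 Ensure events that modify the system's network environment are collected(Scored)
  shell: "grep system-locale {{ cis_audit_rules_filename }}"
  register: system_locale
  changed_when: False
  ignore_errors: true
  tags:
    - "4.1.6"
    - level-2
    - section-4
    - scored


- name: 4.1.6 Ensure events that modify the system's network environment are collected(Scored)(Verify registered output matches)
  lineinfile:
    dest: "{{ cis_audit_rules_filename }}"
    line: "{{ item }}"
  with_items:
    # Header comment written into the rules file; it previously carried the
    # 4.1.4 (date/time) wording by copy-paste.
    - "# 4.1.6 Ensure events that modify the system's network environment are collected"
    - '-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale'
    - '-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale'
    - '-w /etc/issue -p wa -k system-locale'
    - '-w /etc/issue.net -p wa -k system-locale'
    - '-w /etc/sysconfig/network -p wa -k system-locale'
  # Real Jinja expressions, not double-quoted (always-true) string literals.
  when:
    ('-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale' not in system_locale.stdout) or
    ('-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale' not in system_locale.stdout) or
    ('-w /etc/issue -p wa -k system-locale' not in system_locale.stdout) or
    ('-w /etc/issue.net -p wa -k system-locale' not in system_locale.stdout) or
    ('-w /etc/sysconfig/network -p wa -k system-locale' not in system_locale.stdout)
  tags:
    - "4.1.6"
    - level-2
    - section-4
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-2/4.1.7.yml:
--------------------------------------------------------------------------------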
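# Standards: 0.11
---

# 4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected(Scored)
#
# `register` names must be valid identifiers: `MAC-policy` is rejected by
# Ansible and would otherwise be read as a subtraction inside `when`, so the
# registered variable is `MAC_policy` (the audit key stays `MAC-policy`).

- name: 4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected(Scored)
  shell: "grep MAC-policy {{ cis_audit_rules_filename }}"
  register: MAC_policy
  changed_when: False
  ignore_errors: true
  tags:
    - "4.1.7"
    - level-2
    - section-4
    - scored


- name: 4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected(Scored)(Verify registered output matches)
  lineinfile:
    dest: "{{ cis_audit_rules_filename }}"
    line: "{{ item }}"
  with_items:
    # Header comment written into the rules file; it previously carried the
    # 4.1.4 (date/time) wording by copy-paste.
    - "# 4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected"
    - '-w /etc/selinux/ -p wa -k MAC-policy'
  # A real Jinja expression, not a double-quoted (always-true) string literal.
  when:
    ('-w /etc/selinux/ -p wa -k MAC-policy' not in MAC_policy.stdout)
  tags:
    - "4.1.7"
    - level-2
    - section-4
    - scored
--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-2/4.1.8.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---
#4.1.8 Ensure login and logout events are collected(Scored)

- name: 4.1.8 Ensure login and logout events are collected(Scored)
  shell: "grep logins {{ cis_audit_rules_filename }}"
  register: logins
  changed_when: False
  ignore_errors: true
  tags:
    - "4.1.8"
    - level-2
    - section-4
    - scored


- name: 4.1.8 Ensure login and logout events are collected (Verify registered output matches)
  lineinfile:
    dest: "{{ cis_audit_rules_filename }}"
    line: "{{ item }}"
  with_items:
    - '# 4.1.8 Ensure login and logout events are collected'
    - '-w /var/log/lastlog -p wa -k logins'
    - '-w /var/run/faillock/ -p wa -k logins'
  # Real Jinja expressions, not double-quoted (always-true) string literals.
  when:
    ('-w /var/run/faillock/ -p wa -k logins' not in logins.stdout) or
    ('-w /var/log/lastlog -p wa -k logins' not in logins.stdout)
  tags:
    - "4.1.8"
    - level-2
    - section-4
    - scored

--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-2/4.1.9.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

#4.1.9 Ensure session initiation information is collected (Scored)

- name: 4.1.9 Ensure session initiation information is collected (Scored)
  shell: "grep session {{ cis_audit_rules_filename }}"
  register: session
  changed_when: False
  ignore_errors: true
  tags:
    - "4.1.9"
    - level-2
    - section-4
    - scored


- name: 4.1.9 Ensure session initiation information is collected(Verify registered output matches)
  lineinfile:
    dest: "{{ cis_audit_rules_filename }}"
    line: "{{ item }}"
  with_items:
    # Header comment written into the rules file; it previously carried the
    # 4.1.8 (login/logout) wording by copy-paste.
    - '# 4.1.9 Ensure session initiation information is collected'
    - '-w /var/run/utmp -p wa -k session'
    - '-w /var/log/wtmp -p wa -k session'
    - '-w /var/log/btmp -p wa -k session'
  # Real Jinja expressions, not double-quoted (always-true) string literals.
  when:
    ('-w /var/run/utmp -p wa -k session' not in session.stdout) or
    ('-w /var/log/wtmp -p wa -k session' not in session.stdout) or
    ('-w /var/log/btmp -p wa -k session' not in session.stdout)
  tags:
    - "4.1.9"
    - level-2
    - section-4
    - scored

--------------------------------------------------------------------------------
/ansible/roles/cis/tasks/level-2/6.1.1.yml:
--------------------------------------------------------------------------------
# Standards: 0.11
---

# 6.1.1 Audit system file permissions
#
# `rpm -V` exits non-zero whenever a file differs from the package database,
# which is exactly the situation the two follow-up tasks report on, so the
# verify step must not be allowed to fail the play by itself; the follow-up
# tasks guard on `audit_6_1_1.stdout_lines is defined`.

- name: 6.1.1 - Audit system file permissions
  command: rpm -Va --nomtime --nosize --nomd5 --nolinkto
  register: audit_6_1_1
  changed_when: False
  failed_when: False
  tags:
    - level-2
    - section-6
    - "6.1.1"
    - scored

- name: 6.1.1 - Audit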
system file permissions 16 | fail: 17 | msg: "{{ audit_6_1_1.stdout }}" 18 | when: 19 | - audit_6_1_1.stdout_lines is defined and audit_6_1_1.stdout_lines|length > 0 20 | - fail_on_manual_remediation_actions 21 | tags: 22 | - level-2 23 | - section-6 24 | - "6.1.1" 25 | - scored 26 | 27 | - name: 6.1.1 - Audit system file permissions 28 | debug: 29 | msg: "*** ACTION REQUIRED *** {{ audit_6_1_1.stdout }}" 30 | when: 31 | - audit_6_1_1.stdout_lines is defined and audit_6_1_1.stdout_lines|length > 0 32 | - not fail_on_manual_remediation_actions 33 | tags: 34 | - level-2 35 | - section-6 36 | - "6.1.1" 37 | - scored 38 | 39 | -------------------------------------------------------------------------------- /ansible/roles/cis/tasks/main.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | #- include: preflight.yml 5 | # when: cis_apply_level_1_profile or cis_apply_level_2_profile 6 | 7 | - include: "level-1.yml" 8 | when: cis_apply_level_1_profile 9 | 10 | - include: "level-2.yml" 11 | when: cis_apply_level_2_profile 12 | -------------------------------------------------------------------------------- /ansible/roles/cis/vars/main.yml: -------------------------------------------------------------------------------- 1 | # Standards: 0.11 2 | --- 3 | 4 | cis_target_os_distribution: "Amazon" 5 | cis_target_os_versions: 6 | - "2016.03" 7 | - "2016.09" 8 | - "2017.03" 9 | - "2017.09" 10 | 11 | cis_modprobe_conf_filename: "/etc/modprobe.d/CIS.conf" 12 | cis_aide_database_filename: "/var/lib/aide/aide.db.gz" 13 | cis_grub_bootloader_filename: "/boot/grub/menu.lst" 14 | cis_sysconfig_init_filename: "/etc/sysconfig/init" 15 | cis_security_limits_filename: "/etc/security/limits.conf" 16 | cis_audit_auditd_filename: "/etc/audit/auditd.conf" 17 | cis_audit_rules_filename: "/etc/audit/audit.rules" 18 | 19 | full_upgrade: True 20 | -------------------------------------------------------------------------------- 
/ansible/roles/clamav/handlers/main.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Restart Clamd service 4 | service: 5 | name: "{{ clamav_service }}" 6 | state: restarted 7 | when: > 8 | clamav_service_started is not defined or 9 | not clamav_service_started.changed -------------------------------------------------------------------------------- /ansible/roles/clamav/templates/clamd.defaults.j2: -------------------------------------------------------------------------------- 1 | {{ ansible_managed | comment }} 2 | 3 | {{ clamav_clamd_daemon_config | encode_ini }} -------------------------------------------------------------------------------- /ansible/roles/cloudwatchlogs/defaults/main.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # defaults file for ansible-aws-cloudwatch-logs-agent 3 | extra_logs: {} 4 | log_stream_name: "{instance_id}" 5 | aws_region: us-east-1 6 | awslogs_loglevel: "info" -------------------------------------------------------------------------------- /ansible/roles/cloudwatchlogs/tasks/main.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: "Install awslogs daemon" 4 | yum: pkg=awslogs state=latest 5 | 6 | - name: "Configure AWS CloudWatch Logs Agent" 7 | template: 8 | src: awslogs.conf.j2 9 | dest: /etc/awslogs/awslogs.conf 10 | 11 | - name: "Configure AWS CloudWatch Log Agent logging" 12 | template: 13 | src: awslogs.logging.conf.j2 14 | dest: /etc/awslogs/awslogs.logging.conf 15 | 16 | - name: "Ensure awslogs launches on boot" 17 | command: systemctl enable awslogsd.service 18 | 19 | - name: "Make sure a service is running" 20 | systemd: 21 | state: restarted 22 | name: "awslogsd" -------------------------------------------------------------------------------- /ansible/roles/cloudwatchlogs/templates/awscli.conf.j2: 
-------------------------------------------------------------------------------- 1 | [plugins] 2 | cwlogs = cwlogs 3 | [default] 4 | region=us-east-1 -------------------------------------------------------------------------------- /ansible/roles/cloudwatchlogs/templates/awslogs.conf.j2: -------------------------------------------------------------------------------- 1 | [general] 2 | # Path to the CloudWatch Logs agent's state file. The agent uses this file to maintain 3 | # client side state across its executions. 4 | state_file = /var/lib/awslogs/agent-state 5 | logging_config_file = /etc/awslogs/awslogs.logging.conf 6 | 7 | {% for log in logs|list + extra_logs|list %} 8 | [{{ log.file }}] 9 | log_group_name = {{ log.group_name }} 10 | log_stream_name = {instance_id} 11 | datetime_format = {{ log.format }} 12 | time_zone = LOCAL 13 | file = {{ log.file }} 14 | initial_position = start_of_file 15 | encoding = utf-8 16 | buffer_duration = 5000 17 | {% endfor %} 18 | 19 | -------------------------------------------------------------------------------- /ansible/roles/cloudwatchlogs/templates/awslogs.logging.conf.j2: -------------------------------------------------------------------------------- 1 | # 2 | # Based on the logging configuration example from AWS documentation 3 | # https://docs.aws.amazon.com/fr_fr/AmazonCloudWatch/latest/logs/AgentReference.html 4 | # 5 | [loggers] 6 | keys=root,cwlogs,reader,publisher,event,batch,stream,watcher 7 | 8 | [handlers] 9 | keys=consoleHandler 10 | 11 | [formatters] 12 | keys=simpleFormatter 13 | 14 | [logger_root] 15 | level=INFO 16 | handlers=consoleHandler 17 | 18 | [logger_cwlogs] 19 | level=INFO 20 | handlers=consoleHandler 21 | qualname=cwlogs.push 22 | propagate=0 23 | 24 | [logger_reader] 25 | level={{ awslogs_loglevel | upper }} 26 | handlers=consoleHandler 27 | qualname=cwlogs.push.reader 28 | propagate=0 29 | 30 | [logger_publisher] 31 | level={{ awslogs_loglevel | upper }} 32 | handlers=consoleHandler 33 | 
qualname=cwlogs.push.publisher 34 | propagate=0 35 | 36 | [logger_event] 37 | level={{ awslogs_loglevel | upper }} 38 | handlers=consoleHandler 39 | qualname=cwlogs.push.event 40 | propagate=0 41 | 42 | [logger_batch] 43 | level={{ awslogs_loglevel | upper }} 44 | handlers=consoleHandler 45 | qualname=cwlogs.push.batch 46 | propagate=0 47 | 48 | [logger_stream] 49 | level={{ awslogs_loglevel | upper }} 50 | handlers=consoleHandler 51 | qualname=cwlogs.push.stream 52 | propagate=0 53 | 54 | [logger_watcher] 55 | level={{ awslogs_loglevel | upper }} 56 | handlers=consoleHandler 57 | qualname=cwlogs.push.watcher 58 | propagate=0 59 | 60 | [handler_consoleHandler] 61 | class=logging.StreamHandler 62 | level={{ awslogs_loglevel | upper }} 63 | formatter=simpleFormatter 64 | args=(sys.stderr,) 65 | 66 | [formatter_simpleFormatter] 67 | format=%(asctime)s - %(name)s - %(levelname)s - %(process)d - %(threadName)s - %(message)s -------------------------------------------------------------------------------- /ansible/roles/cloudwatchlogs/templates/genalerts.sh.j2: -------------------------------------------------------------------------------- 1 | #/bin/bash 2 | sleep $[ ( $RANDOM % 20 ) + 1 ]s && curl localhost/readme.txt? 3 | sleep $[ ( $RANDOM % 10 ) + 1 ]s && sudo su -c whoami apache 4 | sleep $[ ( $RANDOM % 50 ) + 1 ]s && sudo -u ec2-user cat /etc/shadow 5 | sleep $[ ( $RANDOM % 10 ) + 1 ]s && sudo yum install -y htop 6 | sleep $[ ( $RANDOM % 80 ) + 1 ]s && ssh admin@localhost echo '`whoami`' 7 | sleep $[ ( $RANDOM % 10 ) + 1 ]s && curl localhost/~ 8 | sleep $[ ( $RANDOM % 10 ) + 1 ]s && telnet localhost 22 < /tmp 9 | sleep $[ ( $RANDOM % 30 ) + 1 ]s && curl localhost/readme.txt? 
10 | sleep $[ ( $RANDOM % 18 ) + 1 ]s && sudo su -c whoami bob 11 | sleep $[ ( $RANDOM % 20 ) + 1 ]s && sudo yum remove -y htop* 12 | sleep $[ ( $RANDOM % 25 ) + 1 ]s && curl localhost 13 | sleep $[ ( $RANDOM % 45 ) + 1 ]s && ssh admin@localhost echo '`whoami`' 14 | sleep $[ ( $RANDOM % 30 ) + 1 ]s && sudo cat /etc/passwd 15 | sleep $[ ( $RANDOM % 15 ) + 1 ]s && telnet localhost 22 < /tmp -------------------------------------------------------------------------------- /ansible/roles/common/tasks/main.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: "Ensure all packages have been patched" 4 | yum: 5 | name: "*" 6 | state: latest 7 | 8 | - name: "Set timezone to America/New_York" 9 | timezone: 10 | name: America/New_York 11 | 12 | #- name: "Stop AWS System Manager, OSSEC had lot of errors with it" 13 | # systemd: 14 | # name: amazon-ssm-agent 15 | # state: stopped 16 | 17 | - name: "Remove AWS System Manager, OSSEC had lot of errors with it" 18 | yum: 19 | name: amazon-ssm-agent.x86_64 20 | state: absent 21 | 22 | 23 | # https://forums.aws.amazon.com/thread.jspa?messageID=821176&tstart=0 24 | - name: "Packages for SELinux and work around" 25 | action: > 26 | {{ ansible_pkg_mgr }} name={{ item }} state=present update_cache=yes 27 | with_items: 28 | - policycoreutils 29 | - selinux-policy-targeted 30 | - policycoreutils-python 31 | - libselinux-python 32 | 33 | - name: "Edit grub2 default kernel options to start SELinux" 34 | command: sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT=\"console=tty0 console=ttyS0,115200n8 /GRUB_CMDLINE_LINUX_DEFAULT=\"console=ttyS0,115200n8 console=tty0 selinux=1 security=selinux enforcing=1 /g' /etc/default/grub 35 | 36 | - name: "Delete selinux" 37 | file: 38 | path: /etc/sysconfig/selinux 39 | state: absent 40 | 41 | - name: "Symlink selinux" 42 | file: 43 | src: /etc/selinux/config 44 | dest: /etc/sysconfig/selinux 45 | state: link 46 | #TODO rewrite this lazy.... 
47 | - name: "Make changes to config" 48 | command: sed -i 's/SELINUX=disabled/SELINUX=enforcing/g' /etc/selinux/config 49 | 50 | - name: "Touch Auto relabel" 51 | file: 52 | path: /.autorelabel 53 | state: touch 54 | 55 | - name: "Check to see if grub has been configured" 56 | stat: path=/etc/grub2.cfg 57 | register: grub_config 58 | 59 | - name: "Write grub configuration file" 60 | command: grub2-mkconfig -o /etc/grub2.cfg 61 | when: grub_config.stat.exists == False 62 | 63 | # cat /etc/os-release && sestatus -------------------------------------------------------------------------------- /ansible/roles/lynis/defaults/main.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # defaults file for lynis 3 | 4 | lynis_version: 2.6.3 5 | lynis_version_sha256sum: df75f39abdbcf921d949dc9b8b1348fefb2ccca27bda9089a702312b0a7c3f31 6 | 7 | lynis_src_directory: /usr/local/src 8 | 9 | lynis_dest_directory: /opt 10 | 11 | lynis_log_directory: /var/log/lynis 12 | 13 | lynis_cron: yes 14 | lynis_cron_weekday: "*" 15 | lynis_cron_hour: 3 16 | lynis_cron_minute: 30 -------------------------------------------------------------------------------- /ansible/roles/lynis/tasks/main.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # tasks file for lynis 3 | 4 | - name: Download Lynis. 5 | get_url: 6 | url: "https://cisofy.com/files/lynis-{{ lynis_version }}.tar.gz" 7 | dest: "{{ lynis_src_directory }}/lynis-{{ lynis_version }}.tar.gz" 8 | sha256sum: "{{ lynis_version_sha256sum }}" 9 | 10 | - name: Ensure Lynis src directory exists. 11 | file: 12 | path: "{{ lynis_src_directory }}/lynis-{{ lynis_version }}" 13 | state: directory 14 | 15 | - name: Extract Lynis. 
16 | unarchive: 17 | src: "{{ lynis_src_directory }}/lynis-{{ lynis_version }}.tar.gz" 18 | dest: "{{ lynis_src_directory }}/lynis-{{ lynis_version }}" 19 | creates: "{{ lynis_src_directory }}/lynis-{{ lynis_version }}/lynis" 20 | copy: no 21 | 22 | - name: Copy Lynis to dest directory. 23 | shell: > 24 | rsync --delete -ri --links --exclude="plugins/*" 25 | {{ lynis_src_directory }}/lynis-{{ lynis_version }}/lynis/ 26 | {{ lynis_dest_directory }}/lynis 27 | | awk '{print $1}' | grep -vE '..\.\..\.\.\.\.' | wc -l 28 | become: yes 29 | register: lynis_rsync 30 | changed_when: lynis_rsync.stdout|int != 0 31 | 32 | - name: Ensure Lynis log directory exists (when lynis_cron). 33 | file: 34 | path: "{{ lynis_log_directory }}" 35 | state: directory 36 | mode: 0750 37 | when: lynis_cron 38 | 39 | - name: Configure Lynis cron task (when lynis_cron). 40 | cron: 41 | name: Run Lynis 42 | cron_file: lynis 43 | minute: "{{ lynis_cron_minute }}" 44 | hour: "{{ lynis_cron_hour }}" 45 | weekday: "{{ lynis_cron_weekday }}" 46 | user: root 47 | job: cd {{ lynis_dest_directory }}/lynis && ./lynis audit system --auditor "automated" --cronjob > {{ lynis_log_directory }}/report-$(hostname).$(date +%Y%m%d).txt && mv /var/log/lynis.log {{ lynis_log_directory }}/report-log-$(hostname).$(date +%Y%m%d).log && mv /var/log/lynis-report.dat {{ lynis_log_directory }}/report-data-$(hostname).$(date +%Y%m%d).txt >/dev/null 2>&1 48 | when: lynis_cron 49 | 50 | #- name: "Run Lynis " 51 | # shell: sh ./lynis audit system -c -Q --auditor "The Auditor" 52 | # args: 53 | # chdir: "{{ lynis_dest_directory }}/lynis/" -------------------------------------------------------------------------------- /ansible/roles/lynis/tests/inventory: -------------------------------------------------------------------------------- 1 | localhost -------------------------------------------------------------------------------- /ansible/roles/lynis/tests/test.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | - hosts: localhost 3 | remote_user: root 4 | roles: 5 | - ansible-role-lynis -------------------------------------------------------------------------------- /ansible/roles/ossec/defaults/main.yaml: -------------------------------------------------------------------------------- 1 | # defaults file for OSSEC 2 | ### OSSEC 3 | # Default variables for OSSEC HIDS clients 4 | ossec_version: 2.9.3 5 | ossec_tarball: ossec-hids-{{ ossec_version }}.tar.gz 6 | ossec_install_dir: /var/ossec/ 7 | ossec_untar_dir: ossec-hids-{{ ossec_version }} 8 | ossec_tmp_dir: /tmp/ 9 | ossec_url: https://github.com/ossec/ossec-hids/archive/ 10 | ossec_server: xxx.xxx.xxx.xxx 11 | 12 | # Package to be installed (explicit version can be specified here) 13 | ossec_pkgs: "{{ 14 | ['ossec@execd', 'ossec@analysisd', 'ossec@logcollector', 'ossec@maild', 'ossec@syscheckd', 'ossec@monitord'] 15 | }}" 16 | -------------------------------------------------------------------------------- /ansible/roles/ossec/templates/internal_options.conf.j2: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | # internal_options.conf, Daniel B. Cid (dcid @ ossec.net). 3 | # 4 | # DO NOT TOUCH THIS FILE. The default configuration 5 | # is at ossec.conf. More information at: 6 | # http://www.ossec.net/en/manual.html 7 | # 8 | # This file should be handled with care. It contain 9 | # run time modifications that can affect the use 10 | # of ossec. Only change it if you know what you 11 | # are doing. Again, look first at ossec.conf 12 | # for most of the things you want to change. 13 | 14 | 15 | # Analysisd default rule timeframe. 16 | analysisd.default_timeframe=360 17 | # Analysisd stats maximum diff. 18 | analysisd.stats_maxdiff=999000 19 | # Analysisd stats minimum diff. 
20 | analysisd.stats_mindiff=1250 21 | # Analysisd stats percentage (how much to differ from average) 22 | analysisd.stats_percent_diff=150 23 | # Analysisd FTS list size. 24 | analysisd.fts_list_size=32 25 | # Analysisd FTS minimum string size. 26 | analysisd.fts_min_size_for_str=14 27 | # Analysisd Enable the firewall log (at logs/firewall/firewall.log) 28 | # 1 to enable, 0 to disable. 29 | analysisd.log_fw=1 30 | 31 | 32 | # Logcollector file loop timeout (check every 2 seconds for file changes) 33 | logcollector.loop_timeout=2 34 | 35 | # Logcollector number of attempts to open a log file. 36 | logcollector.open_attempts=8 37 | 38 | # Logcollector - If it should accept remote commands from the manager 39 | logcollector.remote_commands=0 40 | 41 | 42 | 43 | # Remoted counter io flush. 44 | remoted.recv_counter_flush=128 45 | 46 | # Remoted compression averages printout. 47 | remoted.comp_average_printout=19999 48 | 49 | # Verify msg id (set to 0 to disable it) 50 | remoted.verify_msg_id=1 51 | 52 | 53 | # Maild strict checking (0=disabled, 1=enabled) 54 | maild.strict_checking=1 55 | 56 | # Maild grouping (0=disabled, 1=enabled) 57 | # Groups alerts within the same e-mail. 58 | maild.groupping=1 59 | 60 | # Maild full subject (0=disabled, 1=enabled) 61 | maild.full_subject=0 62 | 63 | # Maild display GeoIP data (0=disabled, 1=enabled) 64 | maild.geoip=1 65 | 66 | 67 | # Monitord day_wait. Ammount of seconds to wait before compressing/signing 68 | # the files. 69 | monitord.day_wait=10 70 | 71 | # Monitord compress. (0=do not compress, 1=compress) 72 | monitord.compress=1 73 | 74 | # Monitord sign. (0=do not sign, 1=sign) 75 | monitord.sign=1 76 | 77 | # Monitord monitor_agents. (0=do not monitor, 1=monitor) 78 | monitord.monitor_agents=1 79 | 80 | 81 | # Syscheck checking/usage speed. To avoid large cpu/memory 82 | # usage, you can specify how much to sleep after generating 83 | # the checksum of X files. 
The default is to sleep 2 seconds 84 | # after reading 15 files. 85 | syscheck.sleep=2 86 | syscheck.sleep_after=15 87 | 88 | 89 | # Database - maximum number of reconnect attempts 90 | dbd.reconnect_attempts=10 91 | 92 | 93 | # Debug options. 94 | # Debug 0 -> no debug 95 | # Debug 1 -> first level of debug 96 | # Debug 2 -> full debugging 97 | 98 | # Windows debug (used by the windows agent) 99 | windows.debug=0 100 | 101 | # Syscheck (local, server and unix agent) 102 | syscheck.debug=0 103 | 104 | # Remoted (server debug) 105 | remoted.debug=0 106 | 107 | # Analysisd (server or local) 108 | analysisd.debug=0 109 | 110 | # Log collector (server, local or unix agent) 111 | logcollector.debug=0 112 | 113 | # Unix agentd 114 | agent.debug=0 115 | 116 | 117 | # EOF 118 | -------------------------------------------------------------------------------- /ansible/roles/ossec/templates/local_internal_options.conf.j2: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | ## local_internal_options.conf 3 | # 4 | # This file should be handled with care. It contains 5 | # run time modifications that can affect the use 6 | # of OSSEC. Only change it if you know what you 7 | # are doing. Look first at ossec.conf 8 | # for most of the things you want to change. 9 | # 10 | # This file will not be overwritten during upgrades. -------------------------------------------------------------------------------- /ansible/roles/ossec/templates/ossec-init-script.j2: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # OSSEC Controls OSSEC HIDS 3 | # Author: Daniel B. 
Cid 4 | # Modified for Debian by Michael Starks (patch by Costas Drogos) 5 | # {{ ansible_managed }} 6 | 7 | ### BEGIN INIT INFO 8 | # Provides: ossec 9 | # Required-Start: $remote_fs $syslog 10 | # Required-Stop: $remote_fs $syslog 11 | # Should-Start: $network 12 | # Should-Stop: $network 13 | # Default-Start: 2 3 4 5 14 | # Default-Stop: 0 1 6 15 | # Short-Description: Start and stop OSSEC HIDS 16 | # Description: Controls OSSEC HIDS daemons 17 | # 18 | ### END INIT INFO 19 | 20 | . /etc/ossec-init.conf 21 | if [ "X${DIRECTORY}" = "X" ]; then 22 | DIRECTORY="/var/ossec" 23 | fi 24 | 25 | 26 | start() { 27 | ${DIRECTORY}/bin/ossec-control start 28 | } 29 | 30 | stop() { 31 | ${DIRECTORY}/bin/ossec-control stop 32 | } 33 | 34 | case "$1" in 35 | start) 36 | start 37 | exit 0 38 | ;; 39 | stop) 40 | stop 41 | exit 0 42 | ;; 43 | restart) 44 | stop 45 | start 46 | exit 0 47 | ;; 48 | *) 49 | echo "*** Usage: $0 {start|stop|restart}" 50 | exit 1 51 | esac 52 | -------------------------------------------------------------------------------- /ansible/roles/ossec/templates/ossec@.service.j2: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=The OSSEC HIDS %i server 3 | After=network.target 4 | 5 | [Service] 6 | Type=simple 7 | ExecStartPre=/usr/bin/env /var/ossec/bin/%p-%i -t 8 | ExecStart=/usr/bin/env /var/ossec/bin/%p-%i -f 9 | 10 | [Install] 11 | WantedBy=multi-user.target -------------------------------------------------------------------------------- /ansible/roles/ossec/templates/preloaded-vars.conf.j2: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | USER_LANGUAGE="en"; 3 | USER_NO_STOP="y"; 4 | USER_INSTALL_TYPE="local"; 5 | USER_DIR="/var/ossec"; 6 | USER_ENABLE_SYSCHECK="y"; 7 | USER_ENABLE_ROOTCHECK="y"; 8 | USER_UPDATE_RULES="y"; 9 | USER_ENABLE_EMAIL="n"; 10 | USER_ENABLE_FIREWALL_RESPONSE="n"; 11 | USER_ENABLE_ACTIVE_RESPONSE="y"; 
--------------------------------------------------------------------------------
/buildspec.yml:
--------------------------------------------------------------------------------
1 | ---
2 | version: 0.2
3 | 
4 | phases:
5 |   pre_build:
6 |     commands:
7 |       - echo "Installing jq..."
# NOTE(review): jq and Packer are fetched over the network and executed without
# any checksum or signature check, and Packer resolves to whatever "latest" is on
# the day of the build; pin both versions and verify the vendors' published
# SHA-256 checksums before chmod/unzip so the AMI pipeline is reproducible.
8 |       - curl -qL -o jq https://stedolan.github.io/jq/download/linux64/jq && chmod +x ./jq
9 |       - echo "Installing HashiCorp Packer..."
10 |       - export packer_url=$(curl https://releases.hashicorp.com/index.json | ./jq '{packer}' | egrep "linux.*amd64" | sort --version-sort -r | head -1 | awk -F[\"] '{print $4}')
11 |       - echo ${packer_url}
12 |       - curl -o packer.zip $packer_url && unzip packer.zip
13 |       - echo "Validating Packer file"
# NOTE(review): packer_cis.json's shell provisioner installs pip, boto3 and
# ansible with unpinned `sudo pip install` at bake time; pin them there for the
# same reproducibility reason.
14 |       - ./packer validate packer_cis.json
15 |   build:
16 |     commands:
17 |       - echo "Building HashiCorp Packer templates"
# The pipe reports tee's exit status, not Packer's, so a failed build is detected
# below via ami_id.txt instead.
18 |       - ./packer build -color=false packer_cis.json | tee build.log
19 |   post_build:
20 |     commands:
21 |       - egrep "${AWS_REGION}\:\sami\-" build.log | cut -d' ' -f2 > ami_id.txt
22 |       # Packer doesn't return non-zero status; we must do that if Packer build failed
23 |       - test -s ami_id.txt || exit 1
# Substitute the freshly built AMI id into the event payload, then publish it.
24 |       - sed -i.bak "s/<>/$(cat ami_id.txt)/g" ami_builder_event.json
25 |       - aws events put-events --entries file://ami_builder_event.json
26 |       - echo "HashiCorp Packer build completed on `date`"
27 | artifacts:
28 |   files:
29 |     - ami_builder_event.json
30 |     - build.log
31 |   discard-paths: yes
--------------------------------------------------------------------------------
/images/BriarV2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rbd80/Amazon_Linux_2/ff45e0ebae4007573f9f559f0c88d8b8f76874d0/images/BriarV2.png
--------------------------------------------------------------------------------
/packer_cis.json:
--------------------------------------------------------------------------------
1 | {
2 |   "variables": {
3 |     "vpc": "{{env `BUILD_VPC_ID`}}",
4 |     "subnet": "{{env `BUILD_SUBNET_ID`}}",
5 | "aws_region": "{{env `AWS_REGION`}}", 6 | "ami_name": "Prod-CIS-Latest-AMZN-{{isotime \"02-Jan-06 03_04_05\"}}" 7 | }, 8 | "builders": [{ 9 | "name": "AWS AMI Builder - CIS", 10 | "type": "amazon-ebs", 11 | "region": "{{user `aws_region`}}", 12 | "source_ami_filter": { 13 | "filters": { 14 | "virtualization-type": "hvm", 15 | "name": "*amzn2-ami*-ebs", 16 | "root-device-type": "ebs" 17 | }, 18 | "owners": ["137112412989", "591542846629", "801119661308", 19 | "102837901569", "013907871322", "206029621532", 20 | "286198878708", "443319210888"], 21 | "most_recent": true 22 | }, 23 | "instance_type": "t2.micro", 24 | "force_deregister": "true", 25 | "force_delete_snapshot": "true", 26 | "encrypt_boot": true, 27 | "ssh_username": "ec2-user", 28 | "ami_name": "{{user `ami_name` | clean_ami_name}}", 29 | "tags": { 30 | "Name": "{{user `ami_name`}}" 31 | }, 32 | "run_tags": { 33 | "Name": "{{user `ami_name`}}" 34 | }, 35 | "run_volume_tags": { 36 | "Name": "{{user `ami_name`}}" 37 | }, 38 | "snapshot_tags": { 39 | "Name": "{{user `ami_name`}}" 40 | }, 41 | "ami_description": "Amazon Linux CIS with Cloudwatch Logs agent", 42 | "associate_public_ip_address": "true" 43 | }], 44 | "provisioners": [ 45 | { 46 | "type": "shell", 47 | "inline": [ 48 | "sudo easy_install pip", 49 | "pip --version", 50 | "sudo pip install boto3", 51 | "sudo pip install ansible" 52 | ]}, 53 | { 54 | "type": "ansible-local", 55 | "playbook_file": "ansible/playbook.yaml", 56 | "role_paths": [ 57 | "ansible/roles/common", 58 | "ansible/roles/cloudwatchlogs", 59 | "ansible/roles/lynis", 60 | "ansible/roles/ossec", 61 | "ansible/roles/cis", 62 | "ansible/roles/alerts" 63 | ] 64 | }, 65 | { 66 | "type": "shell", 67 | "inline": [ 68 | "rm .ssh/authorized_keys ; sudo rm /root/.ssh/authorized_keys" 69 | ] 70 | } 71 | ] 72 | } 73 | --------------------------------------------------------------------------------