├── .gitattributes ├── .github ├── ISSUE_TEMPLATE │ ├── bug_report.md │ └── feature_request.md └── workflows │ └── ansible-linter.yml ├── .gitignore ├── CODE_OF_CONDUCT.md ├── CentOS7-CIS_Benchmark_level1.yml ├── CentOS7-CIS_Benchmark_level1_and_level2.yml ├── CentOS7-CIS_Benchmark_level2.yml ├── LICENSE ├── README.md ├── defaults └── main.yml ├── files └── etc │ └── systemd │ └── system │ └── tmp.mount ├── handlers └── main.yml ├── library └── grub_crypt.py ├── scripts ├── 6.2.10.sh ├── 6.2.11.sh ├── 6.2.12.sh ├── 6.2.13.sh ├── 6.2.14.sh ├── 6.2.15.sh ├── 6.2.16.sh ├── 6.2.17.sh ├── 6.2.18.sh ├── 6.2.19.sh ├── 6.2.6.sh ├── 6.2.7.sh ├── 6.2.8.sh ├── 6.2.9.sh ├── five_four_two.sh ├── rule_five_four_two.sh ├── rule_six_two_fifteen.sh ├── six_two_eight_rule.sh ├── six_two_eighteen_rule.sh ├── six_two_eleven_rule.sh ├── six_two_fifteen_rule.sh ├── six_two_fourteen_rule.sh ├── six_two_nine_rule.sh ├── six_two_nineteen_rule.sh ├── six_two_seven_rule.sh ├── six_two_seventeen_rule.sh ├── six_two_six_rule.sh ├── six_two_sixteen_rule.sh ├── six_two_ten_rule.sh ├── six_two_thirdteen_rule.sh └── six_two_twelve_rule.sh ├── tasks ├── main.yml ├── post.yml ├── prelim.yml ├── section1.yml ├── section2.yml ├── section3.yml ├── section4.yml ├── section5.yml └── section6.yml ├── templates ├── chrony.conf.j2 ├── etc │ ├── cron.allow.j2 │ ├── issue.j2 │ ├── issue.net.j2 │ ├── motd.j2 │ └── sysconfig │ │ └── chronyd.j2 ├── hosts.allow.j2 └── ntp.conf.j2 └── vars └── main.yml /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a report to help us improve 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | 
**Describe the bug** 11 | A clear and concise description of what the bug is. 12 | 13 | **To Reproduce** 14 | Steps to reproduce the behavior: 15 | 1. Go to '...' 16 | 2. Click on '....' 17 | 3. Scroll down to '....' 18 | 4. See error 19 | 20 | **Expected behavior** 21 | A clear and concise description of what you expected to happen. 22 | 23 | **Screenshots** 24 | If applicable, add screenshots to help explain your problem. 25 | 26 | **Desktop (please complete the following information):** 27 | - OS: [e.g. iOS] 28 | - Browser [e.g. chrome, safari] 29 | - Version [e.g. 22] 30 | 31 | **Smartphone (please complete the following information):** 32 | - Device: [e.g. iPhone6] 33 | - OS: [e.g. iOS8.1] 34 | - Browser [e.g. stock browser, safari] 35 | - Version [e.g. 22] 36 | 37 | **Additional context** 38 | Add any other context about the problem here. 39 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea for this project 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Is your feature request related to a problem? Please describe.** 11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] 12 | 13 | **Describe the solution you'd like** 14 | A clear and concise description of what you want to happen. 15 | 16 | **Describe alternatives you've considered** 17 | A clear and concise description of any alternative solutions or features you've considered. 18 | 19 | **Additional context** 20 | Add any other context or screenshots about the feature request here. 
21 |
-------------------------------------------------------------------------------- /.github/workflows/ansible-linter.yml: --------------------------------------------------------------------------------
1 | name: ansible-lint
2 |
3 | on: [push, pull_request]
4 |
5 | jobs:
6 | build:
7 | runs-on: ubuntu-latest
8 | name: ansible-lint
9 | steps:
# NOTE(review): "v2" is a mutable tag. For supply-chain safety pin third-party
# actions to a full commit SHA (tag kept in a trailing comment) so a
# force-pushed or compromised upstream ref cannot change what runs in CI.
10 | - uses: actions/checkout@v2
11 | # - uses: actions/setup-python@v1
12 | # - run: pip install ansible-lint
13 | # - run: ansible-lint --version
14 | - name: Lint Ansible Playbook
15 | # replace "master" with any valid ref
# NOTE(review): "master" is a moving branch of a third-party repository, so
# every run executes whatever that branch currently contains. Pin at least to
# a release tag, preferably to a full commit SHA.
16 | uses: ansible/ansible-lint-action@master
17 | with:
18 | # [required]
19 | # Paths to ansible files (i.e., playbooks, tasks, handlers etc..)
20 | # or valid Ansible directories according to the Ansible role
21 | # directory structure.
22 | # If you want to lint multiple ansible files, use the following syntax
23 | # targets: |
24 | # playbook_1.yml
25 | # playbook_2.yml
# NOTE(review): targets is empty although marked [required] above. Confirm the
# action lints the role root when no target is given; otherwise the badge in
# README.md is green without anything having been linted.
26 | targets: ""
27 | # [optional]
28 | # Arguments to override a package and its version to be set explicitly.
29 | # Must follow the example syntax.
30 | #override-deps: |
31 | # ansible==2.9
32 | # ansible-lint==4.2.0
33 | # [optional]
34 | # Arguments to be passed to the ansible-lint
35 |
36 | # Options:
37 | # -q quieter, although not silent output
38 | # -p parseable output in the format of pep8
39 | # --parseable-severity parseable output including severity of rule
40 | # -r RULESDIR specify one or more rules directories using one or
41 | # more -r arguments. Any -r flags override the default
42 | # rules in ansiblelint/rules, unless -R is also used.
43 | # -R Use default rules in ansiblelint/rules in addition to
44 | # any extra
45 | # rules directories specified with -r.
There is no need 46 | # to specify this if no -r flags are used 47 | # -t TAGS only check rules whose id/tags match these values 48 | # -x SKIP_LIST only check rules whose id/tags do not match these 49 | # values 50 | # --nocolor disable colored output 51 | # --exclude=EXCLUDE_PATHS 52 | # path to directories or files to skip. This option is 53 | # repeatable. 54 | # -c C Specify configuration file to use. Defaults to ".ansible-lint" 55 | args: "-x 303,305,306,403,602" 56 | # - run: ansible-lint . -x 303,305,306,403,602 57 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | 2 | .DS_Store 3 | .DS_Store 4 | .DS_Store 5 | files/.DS_Store 6 | files/.DS_Store 7 | .DS_Store 8 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Contributor Covenant Code of Conduct 2 | 3 | ## Our Pledge 4 | 5 | In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation. 
6 | 7 | ## Our Standards 8 | 9 | Examples of behavior that contributes to creating a positive environment include: 10 | 11 | * Using welcoming and inclusive language 12 | * Being respectful of differing viewpoints and experiences 13 | * Gracefully accepting constructive criticism 14 | * Focusing on what is best for the community 15 | * Showing empathy towards other community members 16 | 17 | Examples of unacceptable behavior by participants include: 18 | 19 | * The use of sexualized language or imagery and unwelcome sexual attention or advances 20 | * Trolling, insulting/derogatory comments, and personal or political attacks 21 | * Public or private harassment 22 | * Publishing others' private information, such as a physical or electronic address, without explicit permission 23 | * Other conduct which could reasonably be considered inappropriate in a professional setting 24 | 25 | ## Our Responsibilities 26 | 27 | Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior. 28 | 29 | Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful. 30 | 31 | ## Scope 32 | 33 | This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers. 
34 |
35 | ## Enforcement
36 |
37 | Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at ryan@radsec.net. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
38 |
39 | Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
40 |
41 | ## Attribution
42 |
43 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]
44 |
45 | [homepage]: http://contributor-covenant.org
46 | [version]: http://contributor-covenant.org/version/1/4/
47 |
-------------------------------------------------------------------------------- /CentOS7-CIS_Benchmark_level1.yml: --------------------------------------------------------------------------------
1 | ---
# Level 1 playbook: applies the CentOS7-CIS role to every inventory host as root via sudo.
2 | - hosts: all
3 | become: yes
4 | become_method: sudo
5 | gather_facts: true
6 | vars:
# NOTE(review): placed under vars: these are ordinary play variables, not the
# ignore_errors / ignore_unreachable play keywords -- confirm they have any
# effect. If the intent is to keep going past failures, be aware that a task
# that fails silently leaves its CIS control unapplied while the run still
# reports success; letting the run fail and fixing the control is safer.
7 | ignore_errors: true
8 | ignore_unreachable: true
9 | roles:
10 | # Match role folder name here - CentOS7-CIS
11 | - role: CentOS7-CIS
# Role-level tags are inherited by every task of the role (including "always"),
# so --tags cannot narrow this play; level selection is presumably done by the
# centos7cis_level1/level2 variables in defaults/main.yml -- confirm in tasks/.
12 | tags:
13 | - always
14 | - prelim_tasks
15 | - level1
16 | - post_tasks
-------------------------------------------------------------------------------- /CentOS7-CIS_Benchmark_level1_and_level2.yml: --------------------------------------------------------------------------------
1 | ---
# Level 1 + Level 2 playbook; same structure and the same vars: caveat as the level 1 playbook above.
2 | - hosts: all
3 | become: yes
4 | become_method: sudo
5 | gather_facts: true
6 | vars:
7 | ignore_errors: true
8 | ignore_unreachable: true
9 | roles:
10 | # Match role folder name here - CentOS7-CIS
11 | - role: CentOS7-CIS
12 | tags:
13 | - always
14 | - prelim_tasks
15 | -
level1
16 | - level2
17 | - post_tasks
-------------------------------------------------------------------------------- /CentOS7-CIS_Benchmark_level2.yml: --------------------------------------------------------------------------------
1 | ---
# Level 2 playbook: applies the CentOS7-CIS role to every inventory host as root via sudo.
2 | - hosts: all
3 | become: yes
4 | become_method: sudo
5 | gather_facts: true
6 | vars:
# NOTE(review): under vars: these are ordinary play variables, not the
# ignore_errors / ignore_unreachable play keywords -- confirm they have any
# effect. Suppressing task failures in a hardening run hides controls that
# were not applied; prefer letting the run fail.
7 | ignore_errors: true
8 | ignore_unreachable: true
9 | roles:
10 | # Match role folder name here - CentOS7-CIS
11 | - role: CentOS7-CIS
# Role-level tags (including "always") are inherited by every task in the role.
12 | tags:
13 | - always
14 | - prelim_tasks
15 | - level2
16 | - post_tasks
-------------------------------------------------------------------------------- /LICENSE: --------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright for portions of CentOS7-CIS are held by
4 |
5 | Copyright (c) 2015 MindPoint Group http://www.mindpointgroup.com
6 |
7 | as part of RHEL7-CIS.
8 |
9 | All other copyright for project CentOS7-CIS are held by
10 |
11 | Copyright (c) 2018-2019 Radsec
12 |
13 | AND
14 |
15 | Copyright (c) 2018-2019 Coalfire
16 |
17 | AND
18 |
19 | Copyright (c) 2018 Glownew Group
20 |
21 | Permission is hereby granted, free of charge, to any person obtaining a copy
22 | of this software and associated documentation files (the "Software"), to deal
23 | in the Software without restriction, including without limitation the rights
24 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
25 | copies of the Software, and to permit persons to whom the Software is
26 | furnished to do so, subject to the following conditions:
27 |
28 | The above copyright notice and this permission notice shall be included in all
29 | copies or substantial portions of the Software.
30 |
31 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
32 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
33 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE
34 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
35 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
36 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
37 | SOFTWARE.
38 |
-------------------------------------------------------------------------------- /README.md: --------------------------------------------------------------------------------
1 | # CentOS7-CIS - v2.2.0 - Latest
2 |
3 | ![ansible-lint](https://github.com/radsec/CentOS7-CIS/workflows/ansible-lint/badge.svg?branch=master)
4 |
5 | ## CentOS 7 - CIS Benchmark Hardening Script
6 |
7 | This Ansible script is under development and is considered a work in progress.
8 |
9 | This Ansible script can be used to harden a CentOS 7 machine to be CIS compliant to meet level 1 or level 2 requirements.
10 |
11 | This role will make significant changes to systems and could break the running operations of machines. Test it on a non-production machine before running it against production systems for remediation. Use this script at your own risk; no warranty is attached to its use, as stated in the license.
12 | 13 | ## System Requirements 14 | ``` 15 | Ansible 2.5+ 16 | CentOS 7.x+ 17 | ``` 18 | ## Role and Setting Variables 19 | ``` 20 | section1 21 | section2 22 | section3 23 | section4 24 | section5 25 | section6 26 | ``` 27 | ## License 28 | MIT License 29 | 30 | Copyright for portions of CentOS7-CIS are held by 31 | 32 | Copyright (c) 2018-2020 Radsec 33 | 34 | Permission is hereby granted, free of charge, to any person obtaining a copy 35 | of this software and associated documentation files (the "Software"), to deal 36 | in the Software without restriction, including without limitation the rights 37 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 38 | copies of the Software, and to permit persons to whom the Software is 39 | furnished to do so, subject to the following conditions: 40 | 41 | The above copyright notice and this permission notice shall be included in all 42 | copies or substantial portions of the Software. 43 | 44 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 45 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 46 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 47 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 48 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 49 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 50 | SOFTWARE. 
51 |
-------------------------------------------------------------------------------- /defaults/main.yml: --------------------------------------------------------------------------------
1 | ---
2 | # defaults file for CentOS7-CIS
3 |
4 | # Define what sections to run
# NOTE(review): centos7cis_notauto is not documented here; its effect lives in tasks/ (not on this page).
5 | centos7cis_notauto: false
6 | centos7cis_section1: true
7 | centos7cis_section2: true
8 | centos7cis_section3: true
9 | centos7cis_section4: true
10 | centos7cis_section5: true
11 | centos7cis_section6: true
12 |
13 | # Set to true to run either level1, level2, or set both to true to run level1 and level2 checks.
14 | centos7cis_level1: true
15 | centos7cis_level2: false
16 |
17 | ############################
18 | ### Section 1 Parameters ###
19 | ############################
20 |
21 | # Section AIDE #
22 |
23 | # Section 1.3.1 | Ensure AIDE is installed and configured
# false leaves 1.3.1 and 1.3.2 unremediated by this role; set true to apply them.
24 | centos7cis_config_aide: false
25 |
26 | # Section 1.3.2 | Ensure filesystem integrity is regularly checked | AIDE cron settings
27 | centos7cis_aide_cron:
28 | cron_user: root
29 | cron_file: /etc/crontab
30 | aide_job: '/usr/sbin/aide --check'
31 | aide_minute: 0
32 | aide_hour: 5
33 | aide_day: '*'
34 | aide_month: '*'
35 | aide_weekday: '*'
36 |
37 | # 1.4.2 Bootloader password
38 | ## The bootloader password was moved to a var_prompt (not visible in the playbooks on this page).
# 'random' makes library/grub_crypt.py generate a 16-character password, hash
# it and discard it: the module returns only the hash, so a random bootloader
# password can never be typed at the GRUB prompt. Supply an explicit value
# (ideally from Ansible Vault) if operators must be able to unlock GRUB.
39 | centos7cis_bootloader_password: random
# Presumably gates whether 1.4.2 is applied at all (false = skipped); confirm in tasks/section1.yml.
40 | centos7cis_set_boot_pass: false
41 |
42 | # SELinux Section #
43 | # Section 1.6.1.2 & 1.6.1.3 | Ensure SELinux state is enforcing and configured
44 | # true = SELinux is disabled | false = SELinux is enabled (keep false: a disabled SELinux fails 1.6.1.x)
45 | centos7cis_selinux_disable: false
46 |
47 | # Section 1.6.1.2 & 1.6.1.3 | SELinux policy
48 | centos7cis_selinux_pol: targeted
49 |
50 | # MOTD Section #
51 | # Section 1.7.1.1 | Ensure message of the day is configured properly
52 | # Warning Banner Content (issue, issue.net, motd)
53 | centos7cis_warning_banner: |
54 | Authorized uses only. All activity may be monitored and reported.
55 |
56 | # End Banner
57 |
58 | # System package updates #
59 |
60 | # Section 1.8 | Ensure updates of software repos and system packages are up-to-date | Run yum update
# false skips the yum update, so 1.8 is not remediated by this role.
61 | centos7cis_update: false
62 |
63 | ############################
64 | ### Section 2 Parameters ###
65 | ############################
66 | # Master switch for the section 2 service hardening.
67 | # true: every service below whose variable is false is disabled by the role.
68 | # false: the service-disabling tasks are skipped entirely.
69 | # The same tasks can also be skipped per run with --skip-tags disable_service_checks.
70 | centos7cis_disable_service_checks: true
71 |
72 | # Set this value to true if the machine is joined to AD/LDAP server.
73 | # Set this value to false if the machine is not joined to AD/LDAP server.
# NOTE(review): defaults to true -- on a stand-alone host this presumably keeps
# directory-related services/clients alive; confirm and override in inventory.
74 | centos7cis_ad_ldap_joined_machine: true
75 |
76 | # Service booleans: true keeps the service (it is left alone); false lets the role disable it.
77 | centos7cis_cups_server: false
78 | centos7cis_dhcp_server: false
79 | centos7cis_ldap_server: false
80 | centos7cis_telnet_server: false
81 | centos7cis_nfs_server: false
82 | centos7cis_rpc_server: false
83 | centos7cis_ntalk_server: false
84 | centos7cis_rsyncd_server: false
85 | centos7cis_tftp_server: false
86 | centos7cis_rsh_server: false
87 | centos7cis_nis_server: false
88 | centos7cis_snmp_server: false
89 | centos7cis_squid_server: false
90 | centos7cis_smb_server: false
91 | centos7cis_dovecot_server: false
92 | centos7cis_httpd_server: false
93 | centos7cis_vsftpd_server: false
94 | centos7cis_named_server: false
95 | centos7cis_nfs_rpc_server: false
96 | centos7cis_is_mail_server: false
97 | centos7cis_bind: false
98 | centos7cis_vsftpd: false
99 | centos7cis_httpd: false
100 | centos7cis_dovecot: false
101 | centos7cis_samba: false
102 | centos7cis_squid: false
103 | centos7cis_net_snmp: false
104 | centos7cis_allow_autofs: false
105 |
# Client-package booleans: true keeps the client; false presumably lets the role remove it (2.3.x).
106 | centos7cis_openldap_clients_required: false
107
| centos7cis_telnet_required: false
108 | centos7cis_talk_required: false
109 | centos7cis_rsh_required: false
110 | centos7cis_ypbind_required: false
111 |
112 | # Section 2.1.11 | Ensure xinetd is not enabled
113 | # true keeps xinetd; only set it if something on the host genuinely needs it
114 | centos7cis_xinetd_required: false
115 |
116 | # RedHat Satellite Subscription items
117 | centos7cis_rhnsd_required: false
118 |
119 | # Section 2.2.1.x | Time synchronization #
120 | # Time Synchronization - Use chrony or ntp(d)
121 | centos7cis_time_synchronization: chrony
122 | #centos7cis_time_synchronization: ntp
123 |
# The public pool is a placeholder; point production hosts at your own (internal) time sources.
124 | centos7cis_time_synchronization_servers:
125 | - 0.pool.ntp.org
126 | - 1.pool.ntp.org
127 | - 2.pool.ntp.org
128 | - 3.pool.ntp.org
129 |
130 | # Section 2.2.2 | Ensure X Window System is not installed
131 | # Set to 'true' if X Windows is needed in your environment
132 | centos7cis_xwindows_required: no
133 |
134 | # Section 2.2.3 | Ensure avahi server is not enabled
135 | centos7cis_avahi_server: false
136 |
137 | ############################
138 | ### Section 3 Parameters ###
139 | ############################
140 |
141 | # Section 3.1.1 & 3.1.2 | Ensure IP forwarding is disabled and Ensure packet redirect sending is disabled
142 | # These settings only make sense on hosts that are not routers (a router needs IP forwarding).
143 |
144 | # System network parameters (host only OR host and router)
145 | # false = host only (apply 3.1.x) | true = host also routes (3.1.x presumably skipped; confirm in tasks/section3.yml)
146 | centos7cis_is_router: false
147 |
148 | # 3.4.2 | PATCH | Ensure /etc/hosts.allow is configured
# Networks admitted by TCP wrappers (presumably via templates/hosts.allow.j2).
# The RFC 1918 defaults admit every private network; narrow them to the
# networks that actually need to reach this host before enabling hosts.deny below.
149 | centos7cis_host_allow:
150 | - "10.0.0.0/255.0.0.0"
151 | - "172.16.0.0/255.240.0.0"
152 | - "192.168.0.0/255.255.0.0"
153 |
154 | # 3.4.3 | Ensure /etc/hosts.deny is configured
# false leaves 3.4.3 unremediated. Enable only once centos7cis_host_allow lists
# every source that must reach the host, otherwise wrapped services lock out management access.
155 | centos7cis_enable_hosts_deny: false
156 |
157 | # Section 3.6.1 | Ensure iptables is installed
158 | # Selection of firewall package to use below | default: firewalld (the value set here, not iptables)
159 | #iptables OR firewalld
160 | centos7cis_firewall: firewalld
161 | #centos7cis_firewall: iptables
162 |
163 |
164 | #
Section 3.6.2 | Ensure default deny firewall policy
# false leaves the default-deny policy (3.6.2) unapplied. Enable only after the
# rules the host needs are in place -- a default-deny without them drops
# management traffic such as SSH.
165 | centos7cis_firewall_default_deny_rule: false
166 | # Section 3.6.3 | Ensure loopback traffic is configured
167 | centos7cis_firewall_loopback_rule: true
168 | # Section 3.6.4 | Ensure outbound and established connections are configured
169 | centos7cis_firewall_outbound_rule: true
170 |
171 | ############################
172 | ### Section 4 Parameters ###
173 | ############################
174 |
175 | # 4.1.2 - Enable auditd
# false leaves 4.1.2 unremediated (auditd is not enabled by this role); set true to apply it.
176 | centos7cis_enable_auditd: false
177 |
178 | # System Accounting and Logging
179 | # Set to 'true' on the host that acts as the central log server (presumably; confirm in tasks/section4.yml)
180 | centos7cis_log_server: false
181 |
182 | # Enable system auditing | Select rsyslog or syslog_ng from the settings below #
183 | # rsyslog settings are sections 4.2.1.x
184 | # syslog_ng settings are sections 4.2.2.x
185 |
186 | # Section 4.2.1.x | rsyslog settings
187 | # IF using rsyslog, set to true and put the real loghost in loghost_address.
# INSERT_DNS_NAME_HERE is a placeholder; with centos7cis_rsyslog true it would presumably be written into the rsyslog config as-is.
188 | centos7cis_rsyslog: false
189 | centos7cis_rsyslog_loghost_address: INSERT_DNS_NAME_HERE
190 |
191 | # Section 4.2.2.x | syslog_ng settings
192 | # IF using syslog_ng, set to true and put the real loghost in loghost_address (same placeholder caveat as above).
193 | centos7cis_syslog_ng: false
194 | centos7cis_syslog_ng_loghost_address: INSERT_DNS_NAME_HERE
195 |
196 | ############################
197 | ### Section 5 Parameters ###
198 | ############################
199 |
200 | # Section 5.2.9 | Ensure SSH root login is disabled
201 | centos7cis_permit_ssh_root_login_disabled: true
202 |
203 | # Section 5.2.11 | Ensure only strong MAC algorithms are used
204 | centos7cis_ssh_mac_algorithms: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"
205 | # Original (identical to the current value; kept for reference) # centos7cis_ssh_mac_algorithms: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"
206 |
207 |
208 | # Section 5.3.1 | Ensure
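password creation requirements are configured
centos7cis_password_creation_requirements: true

# Section 5.4.1.1 | Ensure password expiration is 365 days or less
# false leaves 5.4.1.1 unremediated; set true to apply it.
centos7cis_password_expiration: false

# Section 5.4.1.2 | Ensure minimum days between password changes is 7 or more
centos7cis_password_minimum_days_password_change: true

# Section 5.4.2 | Ensure system accounts are non-login
centos7cis_ensure_system_accounts_are_non_login: true

# Section 5.4.4 | Ensure default user umask is 027 or more restrictive
centos7cis_modify_default_user_umask: true
# Quoted on purpose: YAML 1.1 loaders (PyYAML, hence Ansible) read an unquoted
# 027 as the octal integer 23, which would be templated as "umask 23" -- a
# weaker mask than 027. The string form is templated verbatim.
# NOTE(review): tasks/section5.yml is not on this page; confirm it consumes
# the value as a string.
centos7cis_default_user_umask: "027"



############################
### Section 6 Parameters ###
############################

# Section 6.2.8 | Ensure users' home directory permissions are 750 or more restrictive
centos7cis_modify_user_homes: true

# Section 6.2.11 | Ensure no users have .forward files
centos7cis_modify_dot_forward_files: false

# Section 6.2.12 | Ensure no users have .netrc files
centos7cis_modify_dot_netrc_files: false

# Section 6.2.13 | Ensure users' .netrc files are not group or world accessible
centos7cis_modify_dot_netrc_files_group: false

# Section 6.2.14 | Ensure no users have .rhosts files
centos7cis_modify_dot_rhosts_files: false

# Bind mount of /tmp (presumably onto /var/tmp; the consuming task is not on
# this page). Disabled by default.
centos7cis_vartmp:
  source: /tmp
  fstype: none
  # No spaces: /etc/fstab fields are whitespace-separated, so the previous
  # "defaults, nodev, nosuid, noexec, bind" left the mount with only
  # "defaults," and pushed the remaining options into the dump/pass fields.
  opts: "defaults,nodev,nosuid,noexec,bind"
  enabled: false
-------------------------------------------------------------------------------- /files/etc/systemd/system/tmp.mount: --------------------------------------------------------------------------------
# This file is part of systemd.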
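#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.

[Unit]
Description=Temporary Directory
Documentation=man:hier(7)
Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
ConditionPathIsSymbolicLink=!/tmp
DefaultDependencies=no
Conflicts=umount.target
Before=local-fs.target umount.target

[Mount]
What=tmpfs
Where=/tmp
Type=tmpfs
# /tmp as its own tmpfs with the CIS-required noexec,nodev,nosuid options.
Options=mode=1777,strictatime,noexec,nodev,nosuid

# Make 'systemctl enable tmp.mount' work:
[Install]
WantedBy=local-fs.target
-------------------------------------------------------------------------------- /handlers/main.yml: --------------------------------------------------------------------------------
---
# handlers file for CentOS7-CIS

# Flush the IPv4 route cache so changed net.ipv4.* sysctls take effect.
# Skipped under docker, presumably because the sysctl is not writable there.
- name: sysctl flush ipv4 route table
  become: yes
  sysctl:
    name: net.ipv4.route.flush
    value: 1
    sysctl_set: yes
    state: present
    reload: yes
  when: ansible_virtualization_type != "docker"

# Same for the IPv6 route cache.
- name: sysctl flush ipv6 route table
  become: yes
  sysctl:
    name: net.ipv6.route.flush
    value: 1
    sysctl_set: yes
    state: present
    reload: yes
  when: ansible_virtualization_type != "docker"

# Activate files/etc/systemd/system/tmp.mount after it has been installed.
- name: systemd restart tmp.mount
  become: yes
  systemd:
    name: tmp.mount
    daemon_reload: yes
    enabled: yes
    masked: no
    state: reloaded

# grub_cfg is registered elsewhere in the role (presumably a stat of the
# grub.cfg symlink; not on this page). `command` rather than `shell`: the
# single path argument needs no shell, so a path containing shell
# metacharacters can no longer be interpreted by one.
- name: generate new grub config
  become: yes
  command: grub2-mkconfig -o {{ grub_cfg.stat.lnk_source }}

- name: restart xinetd
  become: yes
  service:
    name: xinetd
    state: restarted

- name: systemctl restart postfix
  become: yes
  service:
    name: postfix
    state: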
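restarted
-------------------------------------------------------------------------------- /library/grub_crypt.py: --------------------------------------------------------------------------------
#!/usr/bin/python
"""Ansible module: build a SHA-512 crypt(3) hash for the GRUB2 bootloader password.

Options:
  salt      -- optional crypt salt, used verbatim after the "$6$" prefix;
               16 characters are drawn from the OS CSPRNG when omitted.
  password  -- the password to hash (no_log). The default, the literal string
               'random', generates a 16-character password and hashes that.

Returns ``passhash`` only. A generated password is never disclosed -- not in
the result and not in logs -- so with ``password=random`` nobody can later
type the resulting GRUB password. Pass an explicit value (e.g. from Ansible
Vault) if operators must be able to unlock the bootloader.

NOTE(review): the consuming task is not on this page; confirm it writes the
hash into a GRUB directive that accepts crypt(3) "$6$" hashes.
"""

import crypt
import random
import string

# Characters permitted in a crypt(3) salt.
SALT_CHARS = ('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
              './0123456789')

# os.urandom-backed generator. The module-level ``random`` functions are a
# seeded Mersenne Twister -- predictable, so unfit for secrets such as a
# bootloader password. SystemRandom exists on both Python 2.7 and 3.
_sysrand = random.SystemRandom()


def gen_pass(size=16, chars=string.ascii_letters + string.digits):
    """Return ``size`` characters drawn uniformly from ``chars`` via the CSPRNG."""
    return ''.join(_sysrand.choice(chars) for _ in range(size))


def gen_salt(salt):
    """Return a ``$6$<salt>`` crypt salt.

    ``salt`` is used verbatim when given (no validation, as before). Otherwise
    16 characters are drawn from SALT_CHARS. The previous implementation read
    /dev/urandom one byte at a time and tested ``bytes in str``, which raises
    TypeError on Python 3; SystemRandom yields the same uniform draw on both
    versions.
    """
    if not salt:
        salt = ''.join(_sysrand.choice(SALT_CHARS) for _ in range(16))
    return '$6$%s' % salt


def main():
    """Module entry point: hash the requested password and return it as ``passhash``."""
    module = AnsibleModule(
        argument_spec=dict(
            salt=dict(required=False, default=None),
            password=dict(no_log=True, required=False, default='random', type='str'),
        )
    )
    salt = module.params['salt']
    password = module.params['password']
    if password == 'random':
        # Generated and deliberately discarded; see the module docstring.
        password = gen_pass()
    sha512_salt = gen_salt(salt)
    salted_pass = crypt.crypt(password, sha512_salt)
    # changed=False: computing a hash alters nothing on the managed host.
    module.exit_json(changed=False, passhash=salted_pass)


# Old-style module boilerplate; kept at the bottom as in the original module.
from ansible.module_utils.basic import *  # noqa: E402,F403
if __name__ == '__main__':
    main()
-------------------------------------------------------------------------------- /scripts/6.2.10.sh: --------------------------------------------------------------------------------
#!/bin/bash
# CIS 6.2.10 audit: report dot files in interactive users' home directories
# that are group- or world-writable. The account exclusions are anchored on
# ':' so that only the four listed accounts are skipped (the unanchored form
# also skipped any account whose name merely starts with e.g. "sync").

grep -Ev '^(root|halt|sync|shutdown):' /etc/passwd | awk -F: '($7 != "/sbin/nologin" && $7 != "/usr/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read -r user dir; do
  if [ ! -d "$dir" ]; then
    echo "The home directory ($dir) of user $user does not exist."
  else
    for file in "$dir"/.[A-Za-z0-9]*; do
      if [ !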
-h "$file" -a -f "$file" ]; then 9 | fileperm=`ls -ld $file | cut -f1 -d" "` 10 | 11 | if [ `echo $fileperm | cut -c6` != "-" ]; then 12 | echo "Group Write permission set on file $file" 13 | fi 14 | if [ `echo $fileperm | cut -c9` != "-" ]; then 15 | echo "Other Write permission set on file $file" 16 | fi 17 | fi 18 | done 19 | fi 20 | done -------------------------------------------------------------------------------- /scripts/6.2.11.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do 3 | if [ ! -d "$dir"]; then 4 | echo "The home directory ($dir) of user $user does not exist." 5 | else 6 | if [ ! -h "$dir/.forward" -a -f "$dir/.forward" ]; then 7 | echo ".forward file $dir/.forward exists" 8 | fi 9 | fi 10 | done 11 | #if [ ! -h "$dir/.forward" -a -f "$dir/.forward" ]; then 12 | # echo ".forward file $dir/.forward exists" 13 | #fi 14 | #done 15 | -------------------------------------------------------------------------------- /scripts/6.2.12.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do 3 | if [ ! -d "$dir" ]; then 4 | echo "The home directory ($dir) of user $user does not exist." 5 | else 6 | if [ ! -h "$dir/.netrc" -a -f "$dir/.netrc" ]; then 7 | echo ".netrc file $dir/.netrc exists" 8 | fi 9 | fi 10 | done 11 | #for dir in `cat /etc/passwd | awk -F: '{ print $6 }'`; do 12 | #if [ ! 
-h "$dir/.netrc" -a -f "$dir/.netrc" ]; then 13 | # echo ".netrc file $dir/.netrc exists" 14 | #fi 15 | #done 16 | -------------------------------------------------------------------------------- /scripts/6.2.13.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do 4 | if [ ! -d "$dir" ]; then 5 | echo "The home directory ($dir) of user $user does not exist." 6 | else 7 | for file in $dir/.netrc; do 8 | if [ ! -h "$file" -a -f "$file" ]; then 9 | fileperm=`ls -ld $file | cut -f1 -d" "` 10 | if [ `echo $fileperm | cut -c5` != "-" ]; then 11 | echo "Group Read set on $file" 12 | fi 13 | if [ `echo $fileperm | cut -c6` != "-" ]; then 14 | echo "Group Write set on $file" 15 | fi 16 | if [ `echo $fileperm | cut -c7` != "-" ]; then 17 | echo "Group Execute set on $file" 18 | fi 19 | if [ `echo $fileperm | cut -c8` != "-" ]; then 20 | echo "Other Read set on $file" 21 | fi 22 | if [ `echo $fileperm | cut -c9` != "-" ]; then 23 | echo "Other Write set on $file" 24 | fi 25 | if [ `echo $fileperm | cut -c10` != "-" ]; then 26 | echo "Other Execute set on $file" 27 | fi 28 | fi 29 | done 30 | fi 31 | done -------------------------------------------------------------------------------- /scripts/6.2.14.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do 3 | if [ ! -d "$dir" ]; then 4 | echo "The home directory ($dir) of user $user does not exist." 5 | else 6 | for file in $dir/.rhosts; do 7 | if [ ! 
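-h "$file" -a -f "$file" ]; then
echo ".rhosts file in $dir"
fi
done
fi
done
#for dir in `cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/usr/sbin/nologin") { print $6 }'`; do
# for file in $dir/.rhosts; do
# if [ ! -h "$file" -a -f "$file" ]; then
# echo ".rhosts file in $dir"
# fi
# done
#done
-------------------------------------------------------------------------------- /scripts/6.2.15.sh: --------------------------------------------------------------------------------
#!/bin/bash
# CIS 6.2.15 (audit): every primary GID referenced in /etc/passwd must exist
# in /etc/group. Prints one line per dangling GID, nothing when compliant.

for i in $(cut -s -d: -f4 /etc/passwd | sort -u ); do
  # Match the GID in the third field of a group entry (name:password:gid:...).
  grep -q -P "^.*?:[^:]*:$i:" /etc/group
  if [ $? -ne 0 ]; then
    echo "Group $i is referenced by /etc/passwd but does not exist in /etc/group"
  fi
done
-------------------------------------------------------------------------------- /scripts/6.2.16.sh: --------------------------------------------------------------------------------
#!/bin/bash
# CIS 6.2.16 (audit): report UIDs shared by more than one account in /etc/passwd.

cat /etc/passwd | cut -f3 -d":" | sort -n | uniq -c | while read x ; do
  [ -z "${x}" ] && break
  # After "set": $1 = occurrence count, $2 = UID.
  set - $x
  if [ $1 -gt 1 ]; then
    # No space after "=": the original `users= \`...\`` assigned an empty
    # string and then EXECUTED the awk output (the account names) as a
    # command, so the report was empty and data from /etc/passwd ran as code.
    users=`awk -F: '($3 == n) { print $1 }' n=$2 /etc/passwd | xargs`
    echo "Duplicate UID ($2): ${users}"
  fi
done
-------------------------------------------------------------------------------- /scripts/6.2.17.sh: --------------------------------------------------------------------------------
#!/bin/bash
# CIS 6.2.17 (audit): report GIDs shared by more than one group in /etc/group.

cat /etc/group | cut -f3 -d":" | sort -n | uniq -c | while read x ; do
  [ -z "${x}" ] && break
  # After "set": $1 = occurrence count, $2 = GID.
  set - $x
  if [ $1 -gt 1 ]; then
    # No space after "=" (same defect as 6.2.16: group names were executed
    # as a command instead of being captured).
    groups=`awk -F: '($3 == n) { print $1 }' n=$2 /etc/group | xargs`
    echo "Duplicate GID ($2): ${groups}"
  fi
done
-------------------------------------------------------------------------------- /scripts/6.2.18.sh: --------------------------------------------------------------------------------
#!/bin/bash

cat /etc/passwd | cut -f1 -d":" |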
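sort -n | uniq -c | while read x ; do
  [ -z "${x}" ] && break
  # After "set": $1 = occurrence count, $2 = user name.
  set - $x
  if [ $1 -gt 1 ]; then
    # No space after "=": the original `uids= \`...\`` assigned nothing and
    # executed the awk output as a command instead of capturing it.
    uids=`awk -F: '($1 == n) { print $3 }' n=$2 /etc/passwd | xargs`
    echo "Duplicate User Name ($2): ${uids}"
  fi
done
-------------------------------------------------------------------------------- /scripts/6.2.19.sh: --------------------------------------------------------------------------------
#!/bin/bash
# CIS 6.2.19 (audit): report group names that occur more than once in /etc/group.

cat /etc/group | cut -f1 -d":" | sort -n | uniq -c | while read x ; do
  [ -z "${x}" ] && break
  # After "set": $1 = occurrence count, $2 = group name.
  set - $x
  if [ $1 -gt 1 ]; then
    # No space after "=" (same defect as 6.2.18).
    gids=`gawk -F: '($1 == n) { print $3 }' n=$2 /etc/group | xargs`
    echo "Duplicate Group Name ($2): ${gids}"
  fi
done
-------------------------------------------------------------------------------- /scripts/6.2.6.sh: --------------------------------------------------------------------------------
#!/bin/bash
# CIS 6.2.6 (audit): root's PATH must not contain an empty entry, a trailing
# ":", ".", a directory not owned by root, or a group/other-writable
# directory. Any of those lets a local user plant a binary that root runs.
if [ "`echo $PATH | grep ::`" != "" ]; then
  echo "Empty Directory in PATH (::)"
fi

# "!=" here: the original "!-" is not a test operator, so this check always
# errored out instead of reporting a trailing ":".
if [ "`echo $PATH | grep :$`" != "" ]; then
  echo "Trailing : in PATH"
fi
# Turn PATH into a space-separated list and walk it entry by entry. The
# original computed $p but then ran `set -- $PATH`, so $1 was the whole
# colon-joined PATH and every iteration reported "is not a directory".
p=`echo $PATH | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g'`
set -- $p
while [ "$1" != "" ]; do
  if [ "$1" = "." ]; then
    echo "PATH contains ."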
14 | shift 15 | continue 16 | fi 17 | if [ -d $1 ]; then 18 | dirperm=`ls -ldH $1 | cut -f1 -d" "` 19 | if [ `echo $dirperm | cut -c6` != "-" ]; then 20 | echo "Group Write permission set on directory $1" 21 | fi 22 | if [ `echo $dirperm | cut -c9` != "-" ]; then 23 | echo "Other Write permission set on directory $1" 24 | fi 25 | dirown=`ls -ldH $1 | awk '{print $3}'` 26 | if [ "$dirown" != "root" ] ; then 27 | echo $1 is not owned by root 28 | fi 29 | else 30 | echo $1 is not a directory 31 | fi 32 | shift 33 | done 34 | -------------------------------------------------------------------------------- /scripts/6.2.7.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do 4 | if [ ! -d "$dir" ]; then 5 | echo "The home directory ($dir) of user $user does not exist." 6 | fi 7 | done -------------------------------------------------------------------------------- /scripts/6.2.8.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do 4 | if [ ! -d "$dir" ]; then 5 | echo "The home directory ($dir) of user $user does not exist." 
6 | else 7 | dirperm=`ls -ld $dir | cut -f1 -d" "` 8 | if [ `echo $dirperm | cut -c6` != "-" ]; then 9 | echo "Group Write permission set on the home directory ($dir) of user $user" 10 | fi 11 | if [ `echo $dirperm | cut -c8` != "-" ]; then 12 | echo "Other Read permission set on the home directory ($dir) of user $user" 13 | fi 14 | if [ `echo $dirperm | cut -c9` != "-" ]; then 15 | echo "Other Write permission set on the home directory ($dir) of user $user" 16 | fi 17 | if [ `echo $dirperm | cut -c10` != "-" ]; then 18 | echo "Other Execute permission set on the home directory ($dir) of user $user" 19 | fi 20 | fi 21 | done -------------------------------------------------------------------------------- /scripts/6.2.9.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do 4 | if [ ! -d "$dir" ]; then 5 | echo "The home directory ($dir) of user $user does not exist." 6 | else 7 | owner=$(stat -L -c "%U" "$dir") 8 | if [ "$owner" != "$user" ]; then 9 | echo "The home directory ($dir) of user $user is owned by $owner." 
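fi
fi
done
-------------------------------------------------------------------------------- /scripts/five_four_two.sh: --------------------------------------------------------------------------------
#!/bin/bash
# CIS 5.4.2 (remediation, must run as root): lock the password of every
# system account (UID below 1000, the CentOS 7 default UID_MIN from
# /etc/login.defs) other than root, and give all of them except
# sync/shutdown/halt (whose shells are functional) a non-login shell.
# NOTE(review): destructive for any legitimately interactive account that
# happens to have a low UID; confirm UID_MIN on the target before running.

for user in `awk -F: '($3 < 1000) {print $1}' /etc/passwd` ; do
  # "!=": the original "!-" is not a test operator, so the test failed for
  # every account and no password was ever locked.
  if [ "$user" != "root" ]; then
    usermod -L "$user"
    # The original `"halt"]` (no space before "]") was a syntax error.
    if [ "$user" != "sync" ] && [ "$user" != "shutdown" ] && [ "$user" != "halt" ];
    then
      usermod -s /sbin/nologin "$user"
    fi
  fi
done
-------------------------------------------------------------------------------- /scripts/rule_five_four_two.sh: --------------------------------------------------------------------------------
#!/bin/bash
# CIS 5.4.2 (remediation, must run as root) - duplicate of five_four_two.sh.
# The UID cut-off has to match UID_MIN of the target. The original used 500
# (the CentOS 6 value); on CentOS 7 (UID_MIN=1000) that left system accounts
# with UIDs 500-999 unlocked and with a login shell.
for user in `awk -F: '($3 < 1000) {print $1 }' /etc/passwd` ; do
  if [ "$user" != "root" ]; then
    usermod -L "$user"
    if [ "$user" != "sync" ] && [ "$user" != "shutdown" ] && [ "$user" != "halt" ];
    then
      usermod -s /sbin/nologin "$user"
    fi
  fi
done

-------------------------------------------------------------------------------- /scripts/rule_six_two_fifteen.sh: --------------------------------------------------------------------------------
#!/bin/bash
# CIS 6.2.15 (audit) - duplicate of 6.2.15.sh: every primary GID referenced
# in /etc/passwd must exist in /etc/group.
for i in $(cut -s -d: -f4 /etc/passwd | sort -u ); do
  grep -q -P "^.*?:[^:]*:$i:" /etc/group
  if [ $? -ne 0 ]; then
    # One-line message: the original string literal had been wrapped across
    # two lines (apparently when pasted from the benchmark document).
    echo "Group $i is referenced by /etc/passwd but does not exist in /etc/group"
  fi
done

-------------------------------------------------------------------------------- /scripts/six_two_eight_rule.sh: --------------------------------------------------------------------------------
#!/bin/bash
cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do
if [ ! -d "$dir" ]; then
echo "The home directory ($dir) of user $user does not exist."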
5 | else 6 | dirperm=`ls -ld $dir | cut -f1 -d" "` 7 | if [ `echo $dirperm | cut -c6` != "-" ]; then 8 | echo "Group Write permission set on the home directory ($dir) of user $user" 9 | fi 10 | if [ `echo $dirperm | cut -c8` != "-" ]; then 11 | echo "Other Read permission set on the home directory ($dir) of user $user" 12 | fi 13 | if [ `echo $dirperm | cut -c9` != "-" ]; then 14 | echo "Other Write permission set on the home directory ($dir) of user $user" 15 | fi 16 | if [ `echo $dirperm | cut -c10` != "-" ]; then 17 | echo "Other Execute permission set on the home directory ($dir) of user $user" 18 | fi fi 19 | done 20 | -------------------------------------------------------------------------------- /scripts/six_two_eighteen_rule.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | cat /etc/passwd | cut -f1 -d":" | sort -n | uniq -c | while read x ; do [ -z "${x}" ] && break 3 | set - $x 4 | if [ $1 -gt 1 ]; then 5 | uids= `awk -F: '($1 == n) { print $3 }' n=$2 /etc/passwd | xargs` 6 | echo "Duplicate User Name ($2): ${uids}" 7 | fi 8 | done 9 | -------------------------------------------------------------------------------- /scripts/six_two_eleven_rule.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do 3 | if [ ! -d "$dir" ]; then 4 | echo "The home directory ($dir) of user $user does not exist." 5 | else 6 | if [ ! 
-h "$dir/.forward" -a -f "$dir/.forward" ]; then 7 | echo ".forward file $dir/.forward exists" fi 8 | fi 9 | done 10 | -------------------------------------------------------------------------------- /scripts/six_two_fifteen_rule.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | for i in $(cut -s -d: -f4 /etc/passwd | sort -u ); do grep -q -P "^.*?:[^:]*:$i:" /etc/group 3 | if [ $? -ne 0 ]; then 4 | echo "Group $i is referenced by /etc/passwd but does not exist in /etc/group" 5 | fi done 6 | -------------------------------------------------------------------------------- /scripts/six_two_fourteen_rule.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do 3 | if [ ! -d "$dir" ]; then 4 | echo "The home directory ($dir) of user $user does not exist." 5 | else 6 | for file in $dir/.rhosts; do 7 | if [ ! -h "$file" -a -f "$file" ]; then 8 | echo ".rhosts file in $dir" 9 | fi done 10 | fi done 11 | -------------------------------------------------------------------------------- /scripts/six_two_nine_rule.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do 3 | if [ ! -d "$dir" ]; then 4 | echo "The home directory ($dir) of user $user does not exist." 5 | else 6 | owner=$(stat -L -c "%U" "$dir") 7 | if [ "$owner" != "$user" ]; then 8 | echo "The home directory ($dir) of user $user is owned by $owner." 
fi 9 | fi done 10 | -------------------------------------------------------------------------------- /scripts/six_two_nineteen_rule.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | cat /etc/group | cut -f1 -d":" | sort -n | uniq -c | while read x ; do [ -z "${x}" ] && break 3 | set - $x 4 | if [ $1 -gt 1 ]; then 5 | gids= `gawk -F: '($1 == n) { print $3 }' n=$2 /etc/group | xargs` 6 | echo "Duplicate Group Name ($2): ${gids}" 7 | fi 8 | done 9 | -------------------------------------------------------------------------------- /scripts/six_two_seven_rule.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do 3 | if [ ! -d "$dir" ]; then 4 | echo "The home directory ($dir) of user $user does not exist." 5 | fi done 6 | -------------------------------------------------------------------------------- /scripts/six_two_seventeen_rule.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | cat /etc/group | cut -f3 -d":" | sort -n | uniq -c | while read x ; do [ -z "${x}" ] && break 3 | set - $x 4 | if [ $1 -gt 1 ]; then 5 | groups= `awk -F: '($3 == n) { print $1 }' n=$2 /etc/group | xargs` 6 | echo "Duplicate GID ($2): ${groups}" 7 | fi 8 | done 9 | -------------------------------------------------------------------------------- /scripts/six_two_six_rule.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | if [ " `echo $PATH | grep ::` " != "" ]; then 3 | echo "Empty Directory in PATH (::)" 4 | fi 5 | if["`echo$PATH|grep:$`" !=""];then echo "Trailing : in PATH" 6 | fi 7 | p= `echo $PATH | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g'` set -- $p 8 | while [ "$1" != "" ]; do 9 | if [ "$1" = "." 
]; then 10 | echo "PATH contains ." 11 | shift 12 | continue 13 | fi 14 | if [ -d $1 ]; then 15 | dirperm= `ls -ldH $1 | cut -f1 -d" "` 16 | if [ `echo $dirperm | cut -c6` != "-" ]; then 17 | echo "Group Write permission set on directory $1" fi 18 | if [ `echo $dirperm | cut -c9` != "-" ]; then 19 | echo "Other Write permission set on directory $1" 20 | fi 21 | dirown= `ls -ldH $1 | awk '{print $3}'` 22 | if [ "$dirown" != "root" ] ; then 23 | echo $1 is not owned by root 24 | fi 25 | else 26 | 318 | P a g e 27 | echo $1 is not a directory 28 | fi 29 | shift done 30 | -------------------------------------------------------------------------------- /scripts/six_two_sixteen_rule.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | cat /etc/passwd | cut -f3 -d":" | sort -n | uniq -c | while read x ; do [ -z "${x}" ] && break 3 | set - $x 4 | if [ $1 -gt 1 ]; then 5 | users= `awk -F: '($3 == n) { print $1 }' n=$2 /etc/passwd | xargs` 6 | echo "Duplicate UID ($2): ${users}" 7 | fi 8 | done 9 | -------------------------------------------------------------------------------- /scripts/six_two_ten_rule.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do 3 | if [ ! -d "$dir" ]; then 4 | echo "The home directory ($dir) of user $user does not exist." 5 | else 6 | for file in $dir/.[A-Za-z0-9]*; do 7 | if [ ! 
-h "$file" -a -f "$file" ]; then 8 | fileperm=`ls -ld $file | cut -f1 -d" "` 9 | if [ `echo $fileperm | cut -c6` != "-" ]; then echo "Group Write permission set on file $file" 10 | fi 11 | if [ `echo $fileperm | cut -c9` != "-" ]; then 12 | echo "Other Write permission set on file $file" fi 13 | fi done 14 | fi done 15 | -------------------------------------------------------------------------------- /scripts/six_two_thirdteen_rule.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do 3 | if [ ! -d "$dir" ]; then 4 | echo "The home directory ($dir) of user $user does not exist." 5 | else 6 | for file in $dir/.netrc; do 7 | if [ ! -h "$file" -a -f "$file" ]; then 8 | fileperm=`ls -ld $file | cut -f1 -d" "` 9 | if [ `echo $fileperm | cut -c5` != "-" ]; then 10 | echo "Group Read set on $file" 11 | fi 12 | if [ `echo $fileperm | cut -c6` != "-" ]; then 13 | echo "Group Write set on $file" 14 | fi 15 | if [ `echo $fileperm | cut -c7` != "-" ]; then 16 | echo "Group Execute set on $file" 17 | fi 18 | if [ `echo $fileperm | cut -c8` != "-" ]; then 19 | echo "Other Read set on $file" 20 | fi 21 | if [ `echo $fileperm | cut -c9` != "-" ]; then 22 | echo "Other Write set on $file" 23 | fi 24 | if [ `echo $fileperm | cut -c10` != "-" ]; then 25 | echo "Other Execute set on $file" 26 | fi fi 27 | done 28 | -------------------------------------------------------------------------------- /scripts/six_two_twelve_rule.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | cat /etc/passwd | egrep -v '^(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin" && $7 != "/bin/false") { print $1 " " $6 }' | while read user dir; do 3 | if [ ! -d "$dir" ]; then 4 | echo "The home directory ($dir) of user $user does not exist." 
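else
if [ ! -h "$dir/.netrc" -a -f "$dir/.netrc" ]; then
echo ".netrc file $dir/.netrc exists"
fi
fi
done

-------------------------------------------------------------------------------- /tasks/main.yml: --------------------------------------------------------------------------------
---
# tasks file for CentOS7-CIS
#
# Guard rails first (refuse anything but CentOS 7 and Ansible < 2.5), then the
# preliminary fact gathering, the six CIS sections (each gated by its
# centos7cis_sectionN switch) and the post tasks. Everything after the checks
# runs with become: yes.

# Fail on ANY host that is not CentOS 7. The original condition only fired
# when the distribution was CentOS with a major version other than 7, so on
# RHEL, Fedora, Debian etc. the check was silently skipped and the hardening
# tasks ran anyway.
- name: "Check OS version and family"
  fail:
    msg: "This role can only be run against CentOS 7. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
  when: >
    ansible_distribution|lower != 'centos' or
    ansible_distribution_major_version is version_compare('7', '!=')
  tags:
    - always

- name: "Check OS version and family"
  debug:
    msg: "PASS | This role can only be executed on CentOS 7 operating systems"
  when:
    - ansible_distribution|lower == 'centos'
    - ansible_distribution_major_version is version_compare('7', '==')
  tags:
    - always

- name: "Check ansible version"
  fail:
    msg: "You must use ansible 2.5 or greater"
  when: not ansible_version.full is version_compare('2.5', '>=')
  tags:
    - always

- name: "Check ansible version"
  debug:
    msg: "PASS | The detected Ansible version is greater than 2.5"
  when: ansible_version.full is version_compare('2.5', '>=')
  tags:
    - always

# Tagged "always" so the facts the section tasks rely on are gathered
# whatever --tags selection is used.
- import_tasks: prelim.yml
  become: yes
  tags:
    - prelim_tasks
    - always

- import_tasks: section1.yml
  become: yes
  when: centos7cis_section1

- import_tasks: section2.yml
  become: yes
  when: centos7cis_section2

- import_tasks: section3.yml
  become: yes
  when: centos7cis_section3

- import_tasks: section4.yml
  become: yes
  when: centos7cis_section4

- import_tasks: section5.yml
  become: yes
  when: centos7cis_section5

- import_tasks: section6.yml
  become: yes
  when: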
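centos7cis_section6

- import_tasks: post.yml
  become: yes
  tags:
    - post_tasks
    - always
-------------------------------------------------------------------------------- /tasks/post.yml: --------------------------------------------------------------------------------
---
# Post tasks

# Removes leaf packages left behind by the section tasks. changed_when: no
# means the play never reports this removal as a change.
- name: Perform YUM package cleanup
  command: yum -y autoremove
  changed_when: no
  ignore_errors: yes
-------------------------------------------------------------------------------- /tasks/prelim.yml: --------------------------------------------------------------------------------
---
# Preliminary tasks that should always be run
# List users in order to look files inside each home directory
- name: "PRELIM | List users accounts"
  command: "awk -F: '{print $1}' /etc/passwd"
  register: users
  changed_when: no
  check_mode: no

# The two awk programs below exit with the NUMBER of matching accounts
# ("END {exit j}"), i.e. the exit status is the signal, not an error. The
# shell module treats any non-zero rc as a failure, so without
# failed_when: no a single empty-password or extra UID-0 account aborted the
# whole play here, before any rule that could remediate it ran.
- name: "PRELIM | Gather accounts with empty password fields"
  shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'"
  register: empty_password_accounts
  changed_when: no
  failed_when: no
  check_mode: no

- name: "PRELIM | Gather UID 0 accounts other than root"
  shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'"
  register: uid_zero_accounts_except_root
  changed_when: no
  failed_when: no
  check_mode: no

- name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)"
  yum:
    name: audit
    state: present

- name: "PRELIM | Section 5.1 | Configure cron"
  yum:
    name: cronie
    state: present

# "rpm -q" exits non-zero when the package is absent; that is the answer the
# section tasks need, not an error, hence failed_when: no on each probe.
- name: "PRELIM | Check if prelink package is installed"
  command: rpm -q prelink
  register: prelink_installed
  changed_when: no
  failed_when: no
  check_mode: no

- name: "PRELIM | Check if postfix package is installed"
  command: rpm -q postfix
  register: postfix_installed
  changed_when: no
  failed_when: no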
check_mode: no 45 | 46 | - name: "PRELIM | Check if rsyslog package is installed" 47 | command: rpm -q rsyslog 48 | register: rsyslog_installed 49 | changed_when: no 50 | failed_when: no 51 | check_mode: no 52 | 53 | - name: "PRELIM | Check if syslog-ng package is installed" 54 | command: rpm -q syslog-ng 55 | register: syslog_ng_installed 56 | changed_when: no 57 | failed_when: no 58 | check_mode: no 59 | 60 | # Individual service checks 61 | - name: "PRELIM | Check for xinetd service" 62 | shell: "systemctl show xinetd | grep LoadState | cut -d = -f 2" 63 | register: xinetd_service_status 64 | changed_when: no 65 | check_mode: no 66 | 67 | - name: "PRELIM | Check for ntpd service" 68 | shell: "systemctl show ntpd | grep LoadState | cut -d = -f 2" 69 | register: ntpd_service_status 70 | changed_when: no 71 | check_mode: no 72 | 73 | - name: "PRELIM | Check for chronyd service" 74 | shell: "systemctl show chronyd | grep LoadState | cut -d = -f 2" 75 | register: chronyd_service_status 76 | changed_when: no 77 | check_mode: no 78 | 79 | - name: "PRELIM | Check for avahi-daemon service" 80 | shell: "systemctl show avahi-daemon | grep LoadState | cut -d = -f 2" 81 | register: avahi_service_status 82 | changed_when: no 83 | check_mode: no 84 | 85 | - name: "PRELIM | Check for cups service" 86 | shell: "systemctl show cups | grep LoadState | cut -d = -f 2" 87 | register: cups_service_status 88 | changed_when: no 89 | check_mode: no 90 | 91 | - name: "PRELIM | Check for dhcpd service" 92 | shell: "systemctl show dhcpd | grep LoadState | cut -d = -f 2" 93 | register: dhcpd_service_status 94 | changed_when: no 95 | check_mode: no 96 | 97 | - name: "PRELIM | Check for slapd service" 98 | shell: "systemctl show slapd | grep LoadState | cut -d = -f 2" 99 | register: slapd_service_status 100 | changed_when: no 101 | check_mode: no 102 | 103 | - name: "PRELIM | Check for nfs service" 104 | shell: "systemctl show nfs | grep LoadState | cut -d = -f 2" 105 | register: 
nfs_service_status 106 | changed_when: no 107 | check_mode: no 108 | 109 | - name: "PRELIM | Check for rpcbind service" 110 | shell: "systemctl show rpcbind | grep LoadState | cut -d = -f 2" 111 | register: rpcbind_service_status 112 | changed_when: no 113 | check_mode: no 114 | 115 | - name: "PRELIM | Check for named service" 116 | shell: "systemctl show named | grep LoadState | cut -d = -f 2" 117 | register: named_service_status 118 | changed_when: no 119 | check_mode: no 120 | 121 | - name: "PRELIM | Check for vsftpd service" 122 | shell: "systemctl show vsftpd | grep LoadState | cut -d = -f 2" 123 | register: vsftpd_service_status 124 | changed_when: no 125 | check_mode: no 126 | 127 | - name: "PRELIM | Check for httpd service" 128 | shell: "systemctl show httpd | grep LoadState | cut -d = -f 2" 129 | register: httpd_service_status 130 | changed_when: no 131 | check_mode: no 132 | 133 | - name: "PRELIM | Check for dovecot service" 134 | shell: "systemctl show dovecot | grep LoadState | cut -d = -f 2" 135 | register: dovecot_service_status 136 | changed_when: no 137 | check_mode: no 138 | 139 | - name: "PRELIM | Check for smb service" 140 | shell: "systemctl show smb | grep LoadState | cut -d = -f 2" 141 | register: smb_service_status 142 | changed_when: no 143 | check_mode: no 144 | 145 | - name: "PRELIM | Check for squid service" 146 | shell: "systemctl show squid | grep LoadState | cut -d = -f 2" 147 | register: squid_service_status 148 | changed_when: no 149 | check_mode: no 150 | 151 | - name: "PRELIM | Check for snmpd service" 152 | shell: "systemctl show snmpd | grep LoadState | cut -d = -f 2" 153 | register: snmpd_service_status 154 | changed_when: no 155 | check_mode: no 156 | 157 | - name: "PRELIM | Check for ypserv service" 158 | shell: "systemctl show ypserv | grep LoadState | cut -d = -f 2" 159 | register: ypserv_service_status 160 | changed_when: no 161 | check_mode: no 162 | 163 | - name: "PRELIM | Check for rsh.socket service" 164 | shell: 
"systemctl show rsh.socket | grep LoadState | cut -d = -f 2" 165 | register: rsh_service_status 166 | changed_when: no 167 | check_mode: no 168 | 169 | - name: "PRELIM | Check for rlogin.socket service" 170 | shell: "systemctl show rlogin.socket | grep LoadState | cut -d = -f 2" 171 | register: rlogin_service_status 172 | changed_when: no 173 | check_mode: no 174 | 175 | - name: "PRELIM | Check for rexec.socket service" 176 | shell: "systemctl show rexec.socket | grep LoadState | cut -d = -f 2" 177 | register: rexec_service_status 178 | changed_when: no 179 | check_mode: no 180 | 181 | - name: "PRELIM | Check for telnet service" 182 | shell: "systemctl show telnet | grep LoadState | cut -d = -f 2" 183 | register: telnet_service_status 184 | changed_when: no 185 | check_mode: no 186 | 187 | - name: "PRELIM | Check for tftp service" 188 | shell: "systemctl show tftp | grep LoadState | cut -d = -f 2" 189 | register: tftp_service_status 190 | changed_when: no 191 | check_mode: no 192 | 193 | - name: "PRELIM | Check for rsyncd service" 194 | shell: "systemctl show rsyncd | grep LoadState | cut -d = -f 2" 195 | register: rsyncd_service_status 196 | changed_when: no 197 | check_mode: no 198 | 199 | - name: "PRELIM | Check for ntalk service" 200 | shell: "systemctl show ntalk | grep LoadState | cut -d = -f 2" 201 | register: ntalk_service_status 202 | changed_when: no 203 | check_mode: no 204 | 205 | - name: "PRELIM | Check for autofs service" 206 | shell: "systemctl show autofs | grep LoadState | cut -d = -f 2" 207 | register: autofs_service_status 208 | changed_when: no 209 | check_mode: no 210 | -------------------------------------------------------------------------------- /tasks/section1.yml: -------------------------------------------------------------------------------- 1 | - name: "SCORED | 1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled" 2 | lineinfile: 3 | dest: /etc/modprobe.d/CIS.conf 4 | regexp: "^(#)?install cramfs(\\s|$)" 5 | line: 
"install cramfs /bin/true" 6 | create: yes 7 | when: 8 | - centos7cis_level1 is defined and centos7cis_level1 9 | tags: 10 | - level1 11 | - scored 12 | - patch 13 | - rule_1.1.1.1 14 | - cramfs 15 | 16 | - name: "SCORED | 1.1.1.2 | PATCH | Ensure mounting of freevxfs filesystems is disabled" 17 | lineinfile: 18 | dest: /etc/modprobe.d/CIS.conf 19 | regexp: "^(#)?install freevxfs(\\s|$)" 20 | line: "install freevxfs /bin/true" 21 | create: yes 22 | when: 23 | - centos7cis_level1 is defined and centos7cis_level1 24 | tags: 25 | - level1 26 | - scored 27 | - patch 28 | - rule_1.1.1.2 29 | - freevxfs 30 | 31 | - name: "SCORED | 1.1.1.3 | PATCH | Ensure mounting of jffs2 filesystems is disabled" 32 | lineinfile: 33 | dest: /etc/modprobe.d/CIS.conf 34 | regexp: "^(#)?install jffs2(\\s|$)" 35 | line: "install jffs2 /bin/true" 36 | create: yes 37 | when: 38 | - centos7cis_level1 is defined and centos7cis_level1 39 | tags: 40 | - level1 41 | - scored 42 | - patch 43 | - rule_1.1.1.3 44 | - jffs2 45 | 46 | - name: "SCORED | 1.1.1.4 | PATCH | Ensure mounting of hfs filesystems is disabled" 47 | lineinfile: 48 | dest: /etc/modprobe.d/CIS.conf 49 | regexp: "^(#)?install hfs(\\s|$)" 50 | line: "install hfs /bin/true" 51 | create: yes 52 | when: 53 | - centos7cis_level1 is defined and centos7cis_level1 54 | tags: 55 | - level1 56 | - scored 57 | - patch 58 | - rule_1.1.1.4 59 | - hfs 60 | 61 | - name: "SCORED | 1.1.1.5 | PATCH | Ensure mounting of hfsplus filesystems is disabled" 62 | lineinfile: 63 | dest: /etc/modprobe.d/CIS.conf 64 | regexp: "^(#)?install hfsplus(\\s|$)" 65 | line: "install hfsplus /bin/true" 66 | create: yes 67 | when: 68 | - centos7cis_level1 is defined and centos7cis_level1 69 | tags: 70 | - level1 71 | - scored 72 | - patch 73 | - rule_1.1.1.5 74 | - hfsplus 75 | 76 | - name: "SCORED | 1.1.1.6 | PATCH | Ensure mounting of squashfs filesystems is disabled" 77 | lineinfile: 78 | dest: /etc/modprobe.d/CIS.conf 79 | regexp: "^(#)?install squashfs(\\s|$)" 80 | 
line: "install squashfs /bin/true" 81 | create: yes 82 | when: 83 | - centos7cis_level1 is defined and centos7cis_level1 84 | tags: 85 | - level1 86 | - scored 87 | - patch 88 | - rule_1.1.1.6 89 | - squashfs 90 | 91 | - name: "SCORED | 1.1.1.7 | PATCH | Ensure mounting of udf filesystems is disabled" 92 | lineinfile: 93 | dest: /etc/modprobe.d/CIS.conf 94 | regexp: "^(#)?install udf(\\s|$)" 95 | line: "install udf /bin/true" 96 | create: yes 97 | when: 98 | - centos7cis_level1 is defined and centos7cis_level1 99 | tags: 100 | - level1 101 | - scored 102 | - patch 103 | - rule_1.1.1.7 104 | - udf 105 | 106 | - name: "SCORED | 1.1.1.8 | PATCH | Ensure mounting of FAT filesystems is disabled" 107 | lineinfile: 108 | dest: /etc/modprobe.d/CIS.conf 109 | regexp: "^(#)?install vfat(\\s|$)" 110 | line: "install vfat /bin/true" 111 | create: yes 112 | when: 113 | - centos7cis_level1 is defined and centos7cis_level1 114 | tags: 115 | - level1 116 | - scored 117 | - patch 118 | - rule_1.1.1.8 119 | - vfat 120 | 121 | - name: "SCORED | 1.1.2 | PATCH | Ensure separate partition exists for /tmp | enable and start/restart tmp.mount" 122 | systemd: 123 | name: tmp.mount 124 | daemon_reload: yes 125 | enabled: yes 126 | masked: no 127 | state: started 128 | when: 129 | - centos7cis_level2 is defined and centos7cis_level2 130 | tags: 131 | - level2 132 | - scored 133 | - patch 134 | - rule_1.1.2 135 | 136 | - name: "SCORED | 1.1.3 | PATCH | Ensure nodev option set on /tmp partition\n 137 | SCORED | 1.1.4 | PATCH | Ensure nosuid option set on /tmp partition\n 138 | SCORED | 1.1.5 | PATCH | Ensure noexec option set on /tmp partition\n 139 | | drop custom tmp.mount" 140 | copy: 141 | src: etc/systemd/system/tmp.mount 142 | dest: /etc/systemd/system/tmp.mount 143 | owner: root 144 | group: root 145 | mode: 0644 146 | notify: systemd restart tmp.mount 147 | when: 148 | - centos7cis_level1 is defined and centos7cis_level1 149 | tags: 150 | - level1 151 | - scored 152 | - patch 153 | - 
rule_1.1.3 154 | - rule_1.1.4 155 | - rule_1.1.5 156 | 157 | - name: "SCORED | 1.1.6 | PATCH | Ensure separate partition exists for /var" 158 | shell: | 159 | set -o pipefail 160 | mount | grep "on /var " 161 | register: var_mounted 162 | changed_when: no 163 | failed_when: no 164 | args: 165 | executable: /usr/bin/bash 166 | when: 167 | - centos7cis_level2 is defined and centos7cis_level2 168 | tags: 169 | - level2 170 | - scored 171 | - patch 172 | - rule_1.1.6 173 | 174 | - name: "SCORED | 1.1.7 | PATCH | Ensure separate partition exists for /var/tmp" 175 | shell: | 176 | set -o pipefail 177 | mount | grep "on /var/tmp " 178 | register: var_tmp_mounted 179 | changed_when: no 180 | failed_when: no 181 | args: 182 | executable: /usr/bin/bash 183 | when: 184 | - centos7cis_level1 is defined and centos7cis_level1 or centos7cis_level2 is defined and centos7cis_level2 185 | tags: 186 | - level2 187 | - scored 188 | - patch 189 | - rule_1.1.7 190 | 191 | - name: "SCORED | 1.1.8 | PATCH | Ensure nodev option set on /var/tmp partition\n 192 | SCORED | 1.1.9 | PATCH | Ensure nosuid option set on /var/tmp partition\n 193 | SCORED | 1.1.10 | PATCH | Ensure noexec option set on /var/tmp partition" 194 | mount: 195 | path: /var/tmp 196 | opts: "rw,nosuid,nodev,noexec,relatime" 197 | state: mounted 198 | fstype: "tmpfs" 199 | src: tmpfs 200 | when: 201 | - centos7cis_level1 is defined and centos7cis_level1 202 | tags: 203 | - level1 204 | - scored 205 | - patch 206 | - rule_1.1.8 207 | - rule_1.1.9 208 | - rule_1.1.10 209 | - low 210 | 211 | - name: "SCORED | 1.1.11 | PATCH | Ensure separate partition exists for /var/log" 212 | shell: | 213 | set -o pipefail 214 | mount | grep "on /var/log " 215 | register: var_log_mounted 216 | changed_when: no 217 | failed_when: no 218 | args: 219 | executable: /usr/bin/bash 220 | when: 221 | - centos7cis_level2 is defined and centos7cis_level2 222 | tags: 223 | - level2 224 | - scored 225 | - patch 226 | - rule_1.1.11 227 | 228 | - name: 
"SCORED | 1.1.12 | PATCH | Ensure separate partition exists for /var/log/audit" 229 | shell: | 230 | set -o pipefail 231 | mount | grep "on /var/log/audit " 232 | register: var_log_audit_mounted 233 | changed_when: no 234 | failed_when: no 235 | args: 236 | executable: /usr/bin/bash 237 | when: 238 | - centos7cis_level2 is defined and centos7cis_level2 239 | tags: 240 | - level2 241 | - scored 242 | - patch 243 | - rule_1.1.12 244 | 245 | - name: "SCORED | 1.1.13 | PATCH | Ensure separate partition exists for /home" 246 | shell: | 247 | set -o pipefail 248 | mount | grep "on /home " 249 | register: home_mounted 250 | changed_when: no 251 | failed_when: no 252 | args: 253 | executable: /usr/bin/bash 254 | when: 255 | - centos7cis_level2 is defined and centos7cis_level2 256 | tags: 257 | - level2 258 | - scored 259 | - patch 260 | - rule_1.1.13 261 | 262 | - name: "SCORED | 1.1.14 | PATCH | Ensure nodev option set on /home partition" 263 | mount: 264 | path: /home 265 | opts: nodev 266 | state: mounted 267 | fstype: "{{ item.fstype }}" 268 | src: "{{ item.device }}" 269 | tags: 270 | - level1 271 | - level2 272 | - patch 273 | - rule_1.1.14 274 | - user_check 275 | when: 276 | - centos7cis_level2 is defined and centos7cis_level2 277 | - item.mount == "/home" 278 | with_items: 279 | - "{{ ansible_mounts }}" 280 | 281 | - name: "SCORED | 1.1.15 | PATCH | Ensure nodev option set on /dev/shm partition\n 282 | SCORED | 1.1.16 | PATCH | Ensure nosuid option set on /dev/shm partition\n 283 | SCORED | 1.1.17 | PATCH | Ensure noexec option set on /dev/shm partition" 284 | mount: 285 | name: /dev/shm 286 | src: tmpfs 287 | state: mounted 288 | fstype: tmpfs 289 | opts: "defaults,nodev,nosuid,noexec" 290 | when: 291 | - centos7cis_level1 is defined and centos7cis_level1 292 | tags: 293 | - level1 294 | - scored 295 | - patch 296 | - rule_1.1.15 297 | - rule_1.1.16 298 | - rule_1.1.17 299 | 300 | - name: "NOTSCORED | 1.1.18 | PATCH | Ensure nodev option set on removable media 
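partitions"
  # 1.1.18 - 1.1.20 are NOTSCORED manual checks: removable media cannot be
  # known in advance, so the role only records the rule as visited.
  command: /bin/true
  changed_when: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - level1
    - notscored
    - patch
    - rule_1.1.18

- name: "NOTSCORED | 1.1.19 | PATCH | Ensure nosuid option set on removable media partitions"
  command: /bin/true
  changed_when: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - level1
    - notscored
    - patch
    - rule_1.1.19

- name: "NOTSCORED | 1.1.20 | PATCH | Ensure noexec option set on removable media partitions"
  command: /bin/true
  changed_when: no
  when:
    # Fixed: the condition used to test "centos7cis_level" (without the "1"),
    # a variable this role never sets, so the task was always skipped.
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - level1
    - notscored
    - patch
    - rule_1.1.20

- name: "SCORED | 1.1.21 | PATCH | Ensure sticky bit is set on all world-writable directories"
  # Walk every local filesystem (df --local) and add the sticky bit to
  # world-writable directories that do not have it yet (-perm -0002 and
  # not -perm -1000).  Paths travel NUL-delimited (-print0 / xargs -0) so
  # names containing whitespace or newlines cannot be split into bogus
  # chmod targets, and xargs -r skips chmod entirely when nothing needs it.
  # chmod -c prints one line per real change, which drives changed_when.
  # Mount points themselves are still taken from df's 6th column, so a
  # mount point containing spaces is a known limitation.
  shell: |
    set -o pipefail
    df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 ! -perm -1000 -print0 2>/dev/null | xargs -0 -r chmod -c a+t
  args:
    executable: /usr/bin/bash
  register: sticky_bit_fix
  changed_when: sticky_bit_fix.stdout | length > 0
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - level1
    - patch
    - rule_1.1.21

- name: "SCORED | 1.1.22 | PATCH | Disable Automounting"
  # autofs is only disabled when the operator has not opted in to keeping it
  # (centos7cis_allow_autofs) and the status fact gathered earlier
  # (autofs_service_status, presumably from prelim.yml) reports the unit as
  # loaded; the unit is disabled but not stopped here.
  systemd:
    name: autofs
    enabled: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_allow_autofs is defined and not centos7cis_allow_autofs
    - autofs_service_status is defined and autofs_service_status.stdout == "loaded"
  tags:
    - level1
    - patch
    - rule_1.1.22

- name: "NOTSCORED | 1.2.1 | PATCH | Ensure package manager repositories are configured"
  # Manual check; repository contents are site specific.
  command: /bin/true
  changed_when: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - level1
    -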
notscored 368 | - patch 369 | - rule_1.2.1 370 | 371 | - name: "SCORED | 1.2.2 | PATCH | Ensure gpgcheck is globally activated" 372 | replace: 373 | name: /etc/yum.conf 374 | regexp: "^gpgcheck=0" 375 | replace: "gpgcheck=1" 376 | when: 377 | - centos7cis_level1 is defined and centos7cis_level1 378 | tags: 379 | - level1 380 | - scored 381 | - patch 382 | - rule_1.2.2 383 | 384 | - name: "SCORED | 1.2.2 | PATCH | Ensure gpgcheck is globally activated" 385 | find: 386 | paths: /etc/yum.repos.d 387 | patterns: "*.repo" 388 | register: yum_repos 389 | changed_when: no 390 | when: 391 | - centos7cis_level1 is defined and centos7cis_level1 392 | tags: 393 | - level1 394 | - scored 395 | - patch 396 | - rule_1.2.2 397 | 398 | - name: "SCORED | 1.2.2 | PATCH | Ensure gpgcheck is globally activated" 399 | replace: 400 | name: "{{ item.path }}" 401 | regexp: "^gpgcheck=0" 402 | replace: "gpgcheck=1" 403 | with_items: 404 | - "{{ yum_repos.files }}" 405 | when: 406 | - centos7cis_level1 is defined and centos7cis_level1 407 | tags: 408 | - level1 409 | - scored 410 | - patch 411 | - rule_1.2.2 412 | 413 | - name: "NOTSCORED | 1.2.3 | PATCH | Ensure GPG keys are configured" 414 | command: /bin/true 415 | changed_when: no 416 | when: 417 | - centos7cis_level1 is defined and centos7cis_level1 418 | tags: 419 | - level1 420 | - notscored 421 | - patch 422 | - rule_1.2.3 423 | 424 | - name: "SCORED | 1.3.1 | PATCH | Ensure AIDE is installed" 425 | yum: 426 | name: aide 427 | state: present 428 | when: 429 | - centos7cis_level1 is defined and centos7cis_level1 430 | tags: 431 | - level1 432 | - scored 433 | - aide 434 | - patch 435 | - rule_1.3.1 436 | 437 | - name: "SCORED | 1.3.1 | PATCH | Ensure AIDE is installed" 438 | command: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz' 439 | args: 440 | creates: /var/lib/aide/aide.db.gz 441 | when: 442 | - centos7cis_level1 is defined and centos7cis_level1 443 | - centos7cis_config_aide is defined and 
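centos7cis_config_aide
  # "aide --init" on a full filesystem routinely runs for minutes.  The async
  # wrapper kills the job once the limit expires, and because the database is
  # written straight to aide.db.gz (the same file used as the "creates"
  # marker) a killed run would leave a truncated baseline that every later
  # run treats as complete.  3600s is a generous upper bound in place of the
  # previous 45s.
  async: 3600
  poll: 0
  tags:
    - level1
    - scored
    - aide
    - patch
    - rule_1.3.1

- name: "SCORED | 1.3.2 | PATCH | Ensure filesystem integrity is regularly checked"
  # Schedule and command come from the centos7cis_aide_cron dict; the
  # defaults below (minute 0, hour 5, everything else "*") run the job at
  # 05:00 every day, despite the entry's "weekly" label.  Written to the
  # configured cron_file in system-crontab format (with a user column).
  cron:
    name: Run AIDE integrity check weekly
    cron_file: "{{ centos7cis_aide_cron['cron_file'] }}"
    user: "{{ centos7cis_aide_cron['cron_user'] }}"
    minute: "{{ centos7cis_aide_cron['aide_minute'] | default('0') }}"
    hour: "{{ centos7cis_aide_cron['aide_hour'] | default('5') }}"
    day: "{{ centos7cis_aide_cron['aide_day'] | default('*') }}"
    month: "{{ centos7cis_aide_cron['aide_month'] | default('*') }}"
    weekday: "{{ centos7cis_aide_cron['aide_weekday'] | default('*') }}"
    job: "{{ centos7cis_aide_cron['aide_job'] }}"
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - level1
    - scored
    - aide
    - file_integrity
    - patch
    - rule_1.3.2

- name: "SCORED | 1.3.2 | PATCH | Ensure filesystem integrity is regularly checked"
  # Same job in the cron user's own crontab.  This task previously combined
  # cron_file: /var/spool/cron/root with user:, which makes the cron module
  # emit system-crontab format (an extra user column) into a per-user
  # crontab file, where cron reads "root" as the command to run.  Without
  # cron_file the module manages the user's crontab through crontab(1), which
  # is what the hard-coded spool path was reaching for.
  cron:
    name: Run AIDE integrity check weekly
    user: "{{ centos7cis_aide_cron['cron_user'] }}"
    minute: "{{ centos7cis_aide_cron['aide_minute'] | default('0') }}"
    hour: "{{ centos7cis_aide_cron['aide_hour'] | default('5') }}"
    day: "{{ centos7cis_aide_cron['aide_day'] | default('*') }}"
    month: "{{ centos7cis_aide_cron['aide_month'] | default('*') }}"
    weekday: "{{ centos7cis_aide_cron['aide_weekday'] | default('*') }}"
    job: "{{ centos7cis_aide_cron['aide_job'] }}"
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - level1
    - scored
    - aide
    - file_integrity
    - patch
    - rule_1.3.2

- name: "SCORED | 1.4.1 | PATCH | Ensure permissions on bootloader config are configured"
  # /etc/grub2.cfg is normally a symlink to the real grub.cfg; the follow-up
  # task reads stat.lnk_source from this result to fix the target's
  # ownership and mode.
  stat:
    path: /etc/grub2.cfg
  register: grub_cfg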
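# (tail of the 1.4.1 stat task above)
  tags:
    - level1
    - low
    - scored
    - grub
    - patch
    - rule_1.4.1

- name: "SCORED | 1.4.1 | PATCH | Ensure permissions on bootloader config are configured"
  # Tighten the real grub config.  When /etc/grub2.cfg is a symlink the
  # target (lnk_source) is used; when it is a regular file the path itself
  # is used instead of silently skipping the rule, as the old islnk
  # condition did.
  file:
    path: "{{ grub_cfg.stat.lnk_source | default(grub_cfg.stat.path) }}"
    owner: root
    group: root
    mode: '0600'
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - grub_cfg is defined and grub_cfg.stat.exists
  tags:
    - level1
    - scored
    - grub
    - patch
    - rule_1.4.1

- name: "SCORED | 1.4.2 | PATCH | Ensure bootloader password is set"
  # grub_crypt (library/grub_crypt.py) takes the clear-text password and
  # returns the hash (passhash) consumed by the next task.  no_log keeps the
  # password out of verbose output, logs and callback plugins; the registered
  # result is still available to the following task.
  grub_crypt:
    password: "{{ centos7cis_bootloader_password }}"
  register: grub_pass
  no_log: true
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_set_boot_pass is defined and centos7cis_set_boot_pass
  tags:
    - level1
    - scored
    - grub
    - patch
    - rule_1.4.2

- name: "SCORED | 1.4.2 | PATCH | Ensure bootloader password is set"
  # Only the hash is written.  user.cfg is still restricted to root so the
  # hash is not readable for offline guessing; without an explicit mode the
  # file would get the default umask permissions.  The handler regenerates
  # grub.cfg so the password takes effect.
  copy:
    dest: /boot/grub2/user.cfg
    content: "GRUB2_PASSWORD={{ grub_pass.passhash }}"
    owner: root
    group: root
    mode: '0600'
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_set_boot_pass is defined and centos7cis_set_boot_pass and grub_pass is defined and grub_pass.passhash is defined and grub_pass.passhash != ''
  notify: generate new grub config
  tags:
    - level1
    - scored
    - grub
    - patch
    - rule_1.4.2

- name: "NOTSCORED | 1.4.3 | PATCH | Ensure authentication required for single user mode"
  # Manual check; nothing is changed here.
  command: /bin/true
  changed_when: no
  when:
    - centos7cis_level2 is defined and centos7cis_level2
  tags:
    - level2
    - patch
    - rule_1.4.3

- name: "SCORED | 1.5.1 | PATCH | Ensure core dumps are restricted"
  # Replace the (commented) "* ... core" entry in limits.conf with a hard
  # limit of 0.  The pattern anchors on a literal "*" domain.  The previous
  # value '^#?\\*.*core' was a YAML single-quoted string, so the regex engine
  # saw "\\*" (zero or more backslashes) and the pattern matched any line
  # containing "core", including the header comment that documents the
  # "core" item; compare the single-backslash style used in 1.6.1.1.
  lineinfile:
    state: present
    dest: /etc/security/limits.conf
    regexp: '^#?\*.*core'
    line: '* hard core 0'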
insertbefore: '^# End of file' 569 | when: 570 | - centos7cis_level1 is defined and centos7cis_level1 571 | tags: 572 | - level1 573 | - scored 574 | - limits 575 | - patch 576 | - rule_1.5.1 577 | 578 | - name: "SCORED | 1.5.1 | PATCH | Ensure core dumps are restricted" 579 | sysctl: 580 | name: fs.suid_dumpable 581 | value: 0 582 | state: present 583 | reload: yes 584 | sysctl_set: yes 585 | ignoreerrors: yes 586 | when: 587 | - centos7cis_level1 is defined and centos7cis_level1 588 | tags: 589 | - level1 590 | - scored 591 | - sysctl 592 | - patch 593 | - rule_1.5.1 594 | 595 | - name: "NOTSCORED | 1.5.2 | PATCH | Ensure XD/NX support is enabled" 596 | command: /bin/true 597 | changed_when: no 598 | when: 599 | - centos7cis_level2 is defined and centos7cis_level2 600 | tags: 601 | - level2 602 | - patch 603 | - rule_1.5.2 604 | 605 | - name: "SCORED | 1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled" 606 | sysctl: 607 | name: kernel.randomize_va_space 608 | value: 2 609 | state: present 610 | reload: yes 611 | sysctl_set: yes 612 | ignoreerrors: yes 613 | when: 614 | - centos7cis_level1 is defined and centos7cis_level1 615 | tags: 616 | - level1 617 | - scored 618 | - patch 619 | - rule_1.5.3 620 | 621 | - name: "SCORED | 1.5.4 | PATCH | Ensure prelink is disabled" 622 | command: prelink -ua 623 | when: 624 | - centos7cis_level1 is defined and centos7cis_level1 625 | - prelink_installed is defined and prelink_installed.rc == 0 626 | tags: 627 | - level1 628 | - scored 629 | - patch 630 | - rule_1.5.4 631 | 632 | - name: "SCORED | 1.5.4 | PATCH | Ensure prelink is disabled" 633 | yum: 634 | name: prelink 635 | state: absent 636 | when: 637 | - centos7cis_level1 is defined and centos7cis_level1 638 | tags: 639 | - level1 640 | - scored 641 | - patch 642 | - rule_1.5.4 643 | 644 | - name: "SCORED | 1.6.1.1 | PATCH | Ensure SELinux is not disabled in bootloader configuration" 645 | replace: 646 | dest: /etc/default/grub 647 | regexp: 
'(selinux|enforcing)\s*=\s*0\s*' 648 | follow: yes 649 | register: selinux_grub_patch 650 | ignore_errors: yes 651 | notify: generate new grub config 652 | when: 653 | - centos7cis_level2 is defined and centos7cis_level2 654 | tags: 655 | - level2 656 | - scored 657 | - patch 658 | - rule_1.6.1.1 659 | 660 | - name: "SCORED | 1.6.1.2 | PATCH | Ensure the SELinux state is enforcing" 661 | selinux: 662 | conf: /etc/selinux/config 663 | policy: "{{ centos7cis_selinux_pol }}" 664 | state: enforcing 665 | when: 666 | - centos7cis_level2 is defined and centos7cis_level2 667 | - centos7cis_selinux_disable is defined and not centos7cis_selinux_disable 668 | tags: 669 | - level2 670 | - scored 671 | - selinux 672 | - patch 673 | - rule_1.6.1.2 674 | 675 | - name: "SCORED | 1.6.1.3 | PATCH | Ensure SELinux policy is configured" 676 | selinux: 677 | conf: /etc/selinux/config 678 | policy: "{{ centos7cis_selinux_pol }}" 679 | state: enforcing 680 | when: 681 | - centos7cis_level2 is defined and centos7cis_level2 682 | - centos7cis_selinux_disable is defined and not centos7cis_selinux_disable 683 | tags: 684 | - level2 685 | - scored 686 | - selinux 687 | - patch 688 | - rule_1.6.1.3 689 | 690 | - name: "SCORED | 1.6.1.4 | PATCH | Ensure SETroubleshoot is not installed" 691 | yum: 692 | name: setroubleshoot 693 | state: absent 694 | when: 695 | - centos7cis_level2 is defined and centos7cis_level2 696 | tags: 697 | - level2 698 | - scored 699 | - selinux 700 | - patch 701 | - rule_1.6.1.4 702 | 703 | - name: "SCORED | 1.6.1.5 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed" 704 | yum: 705 | name: mcstrans 706 | state: absent 707 | when: 708 | - centos7cis_level2 is defined and centos7cis_level2 709 | tags: 710 | - level2 711 | - scored 712 | - patch 713 | - rule_1.6.1.5 714 | 715 | - name: "SCORED | 1.6.2 | PATCH | Ensure SELinux is installed" 716 | yum: 717 | name: libselinux 718 | state: present 719 | when: 720 | - centos7cis_level2 is defined and 
centos7cis_level2 721 | tags: 722 | - level2 723 | - scored 724 | - patch 725 | - rule_1.6.2 726 | 727 | - name: "SCORED | 1.7.1.1 | PATCH | Ensure message of the day is configured properly" 728 | template: 729 | src: etc/motd.j2 730 | dest: /etc/motd 731 | when: 732 | - centos7cis_level1 is defined and centos7cis_level1 733 | tags: 734 | - level1 735 | - banner 736 | - patch 737 | - rule_1.7.1.1 738 | 739 | - name: "NOTSCORED | 1.7.1.2 | PATCH | Ensure local login warning banner is configured properly" 740 | template: 741 | src: etc/issue.j2 742 | dest: /etc/issue 743 | when: 744 | - centos7cis_level1 is defined and centos7cis_level1 745 | tags: 746 | - level1 747 | - patch 748 | - rule_1.7.1.2 749 | 750 | - name: "NOTSCORED | 1.7.1.3 | PATCH | Ensure remote login warning banner is configured properly" 751 | template: 752 | src: etc/issue.net.j2 753 | dest: /etc/issue.net 754 | when: 755 | - centos7cis_level1 is defined and centos7cis_level1 756 | tags: 757 | - level1 758 | - banner 759 | - patch 760 | - rule_1.7.1.3 761 | 762 | - name: "NOTSCORED | 1.7.1.4 | PATCH | Ensure permissions on /etc/motd are configured" 763 | file: 764 | dest: /etc/motd 765 | state: file 766 | owner: root 767 | group: root 768 | mode: 0644 769 | when: 770 | - centos7cis_level1 is defined and centos7cis_level1 771 | tags: 772 | - level1 773 | - perms 774 | - patch 775 | - rule_1.7.1.4 776 | 777 | - name: "SCORED | 1.7.1.5 | PATCH | Ensure permissions on /etc/issue are configured" 778 | file: 779 | dest: /etc/issue 780 | state: file 781 | owner: root 782 | group: root 783 | mode: 0644 784 | when: 785 | - centos7cis_level1 is defined and centos7cis_level1 786 | tags: 787 | - level1 788 | - perms 789 | - patch 790 | - rule_1.7.1.5 791 | 792 | - name: "NOTSCORED | 1.7.1.6 | PATCH | Ensure permissions on /etc/issue.net are configured" 793 | file: 794 | dest: /etc/issue.net 795 | state: file 796 | owner: root 797 | group: root 798 | mode: 0644 799 | when: 800 | - centos7cis_level1 is defined 
and centos7cis_level1 801 | tags: 802 | - level1 803 | - perms 804 | - patch 805 | - rule_1.7.1.6 806 | 807 | - name: "SCORED | 1.7.2 | PATCH | Ensure GDM login banner is configured" 808 | debug: 809 | msg: "Not currently implemented" 810 | #when: gdm_installed_audit.rc == '0' and gdm_login_banner_configured_audit 811 | changed_when: no 812 | when: 813 | - centos7cis_level1 is defined and centos7cis_level1 814 | tags: 815 | - level1 816 | - patch 817 | - rule_1.7.2 818 | 819 | - name: "NOTSCORED | 1.8 | PATCH | Ensure updates, patches, and additional security software are installed" 820 | yum: 821 | name: "*" 822 | state: latest 823 | when: 824 | - centos7cis_level1 is defined and centos7cis_level1 825 | - centos7cis_update is defined and centos7cis_update 826 | tags: 827 | - level1 828 | - patch 829 | - rule_1.8 830 | -------------------------------------------------------------------------------- /tasks/section2.yml: -------------------------------------------------------------------------------- 1 | - name: "SCORED | 2.1.1 | PATCH | Ensure chargen services are not enabled | chargen-dgram" 2 | stat: 3 | path: /etc/xinetd.d/chargen-dgram 4 | register: chargen_dgram_service 5 | tags: 6 | - level1 7 | - scored 8 | - services 9 | - patch 10 | - rule_2.1.1 11 | 12 | - name: "SCORED | 2.1.1 | PATCH | Ensure chargen services are not enabled | chargen-dgram" 13 | command: chkconfig chargen-dgram off 14 | notify: restart xinetd 15 | when: 16 | - centos7cis_level1 is defined and centos7cis_level1 17 | - chargen_dgram_service is defined 18 | - chargen_dgram_service.stat.exists 19 | tags: 20 | - level1 21 | - scored 22 | - services 23 | - patch 24 | - rule_2.1.1 25 | 26 | - name: "SCORED | 2.1.1 | PATCH | Ensure chargen services are not enabled | chargen-stream" 27 | stat: 28 | path: /etc/xinetd.d/chargen-stream 29 | register: chargen_stream_service 30 | tags: 31 | - level1 32 | - scored 33 | - services 34 | - patch 35 | - rule_2.1.1 36 | 37 | - name: "SCORED | 2.1.1 | PATCH 
| Ensure chargen services are not enabled | chargen-stream" 38 | command: chkconfig chargen-stream off 39 | notify: restart xinetd 40 | when: 41 | - centos7cis_level1 is defined and centos7cis_level1 42 | - chargen_stream_service is defined 43 | - chargen_stream_service.stat.exists 44 | tags: 45 | - level1 46 | - scored 47 | - services 48 | - patch 49 | - rule_2.1.1 50 | 51 | - name: "SCORED | 2.1.2 | PATCH | Ensure daytime services are not enabled | daytime-dgram" 52 | stat: 53 | path: /etc/xinetd.d/daytime-dgram 54 | register: daytime_dgram_service 55 | tags: 56 | - level1 57 | - low 58 | - scored 59 | - patch 60 | - rule_2.1.2 61 | 62 | - name: "SCORED | 2.1.2 | PATCH | Ensure daytime services are not enabled | daytime-dgram" 63 | command: chkconfig daytime-dgram off 64 | notify: restart xinetd 65 | when: 66 | - centos7cis_level1 is defined and centos7cis_level1 67 | - daytime_dgram_service is defined 68 | - daytime_dgram_service.stat.exists 69 | tags: 70 | - level1 71 | - scored 72 | - patch 73 | - rule_2.1.2 74 | 75 | - name: "SCORED | 2.1.2 | PATCH | Ensure daytime services are not enabled | daytime-stream" 76 | stat: 77 | path: /etc/xinetd.d/daytime-stream 78 | register: daytime_stream_service 79 | tags: 80 | - level1 81 | - low 82 | - scored 83 | - patch 84 | - rule_2.1.2 85 | 86 | - name: "SCORED | 2.1.2 | PATCH | Ensure daytime services are not enabled | daytime-stream" 87 | command: chkconfig daytime-stream off 88 | notify: restart xinetd 89 | when: 90 | - centos7cis_level1 is defined and centos7cis_level1 91 | - daytime_stream_service is defined 92 | - daytime_stream_service.stat.exists 93 | tags: 94 | - level1 95 | - scored 96 | - patch 97 | - rule_2.1.2 98 | 99 | - name: "SCORED | 2.1.3 | PATCH | Ensure discard services are not enabled | discard-dgram" 100 | stat: 101 | path: /etc/xinetd.d/discard-dgram 102 | register: discard_dgram_service 103 | tags: 104 | - level1 105 | - scored 106 | - patch 107 | - rule_2.1.3 108 | 109 | - name: "SCORED | 2.1.3 | 
PATCH | Ensure discard services are not enabled | discard-dgram" 110 | command: chkconfig discard-dgram off 111 | notify: restart xinetd 112 | when: 113 | - centos7cis_level1 is defined and centos7cis_level1 114 | - discard_dgram_service is defined 115 | - discard_dgram_service.stat.exists 116 | tags: 117 | - level1 118 | - scored 119 | - patch 120 | - rule_2.1.3 121 | 122 | - name: "SCORED | 2.1.3 | PATCH | Ensure discard services are not enabled | discard-stream" 123 | stat: 124 | path: /etc/xinetd.d/discard-stream 125 | register: discard_stream_service 126 | tags: 127 | - level1 128 | - low 129 | - scored 130 | - patch 131 | - rule_2.1.3 132 | 133 | - name: "SCORED | 2.1.3 | PATCH | Ensure discard services are not enabled | discard-stream" 134 | command: chkconfig discard-stream off 135 | notify: restart xinetd 136 | when: 137 | - centos7cis_level1 is defined and centos7cis_level1 138 | - discard_stream_service is defined 139 | - discard_stream_service.stat.exists 140 | tags: 141 | - level1 142 | - scored 143 | - patch 144 | - rule_2.1.3 145 | 146 | - name: "SCORED | 2.1.4 | PATCH | Ensure echo services are not enabled | echo-dgram" 147 | stat: 148 | path: /etc/xinetd.d/echo-dgram 149 | register: echo_dgram_service 150 | tags: 151 | - level1 152 | - low 153 | - scored 154 | - patch 155 | - rule_2.1.4 156 | 157 | - name: "SCORED | 2.1.4 | PATCH | Ensure echo services are not enabled | echo-dgram" 158 | command: chkconfig echo-dgram off 159 | notify: restart xinetd 160 | when: 161 | - centos7cis_level1 is defined and centos7cis_level1 162 | - echo_dgram_service is defined 163 | - echo_dgram_service.stat.exists 164 | tags: 165 | - level1 166 | - scored 167 | - patch 168 | - rule_2.1.4 169 | 170 | - name: "SCORED | 2.1.4 | PATCH | Ensure echo services are not enabled | echo-stream" 171 | stat: 172 | path: /etc/xinetd.d/echo-stream 173 | register: echo_stream_service 174 | tags: 175 | - level1 176 | - scored 177 | - patch 178 | - rule_2.1.4 179 | 180 | - name: 
"SCORED | 2.1.4 | PATCH | Ensure echo services are not enabled | echo-stream" 181 | command: chkconfig echo-stream off 182 | notify: restart xinetd 183 | when: 184 | - centos7cis_level1 is defined and centos7cis_level1 185 | - echo_stream_service is defined 186 | - echo_stream_service.stat.exists 187 | tags: 188 | - level1 189 | - scored 190 | - patch 191 | - rule_2.1.4 192 | 193 | - name: "SCORED | 2.1.5 | PATCH | Ensure time services are not enabled | time-dgram" 194 | stat: 195 | path: /etc/xinetd.d/time-dgram 196 | register: time_dgram_service 197 | tags: 198 | - level1 199 | - low 200 | - scored 201 | - patch 202 | - rule_2.1.5 203 | 204 | - name: "SCORED | 2.1.5 | PATCH | Ensure time services are not enabled | time-dgram" 205 | command: chkconfig time-dgram off 206 | notify: restart xinetd 207 | when: 208 | - centos7cis_level1 is defined and centos7cis_level1 209 | - time_dgram_service is defined 210 | - time_dgram_service.stat.exists 211 | tags: 212 | - level1 213 | - scored 214 | - patch 215 | - rule_2.1.5 216 | 217 | - name: "SCORED | 2.1.5 | PATCH | Ensure time services are not enabled | time-stream" 218 | stat: 219 | path: /etc/xinetd.d/time-stream 220 | register: time_stream_service 221 | tags: 222 | - level1 223 | - low 224 | - scored 225 | - patch 226 | - rule_2.1.5 227 | 228 | - name: "SCORED | 2.1.5 | PATCH | Ensure time services are not enabled | time-stream" 229 | command: chkconfig time-stream off 230 | notify: restart xinetd 231 | when: 232 | - centos7cis_level1 is defined and centos7cis_level1 233 | - time_stream_service is defined 234 | - time_stream_service.stat.exists 235 | tags: 236 | - level1 237 | - scored 238 | - patch 239 | - rule_2.1.5 240 | 241 | - name: "SCORED | 2.1.6 | PATCH | Ensure tftp server is not enabled" 242 | stat: 243 | path: /etc/xinetd.d/tftp 244 | register: tftp_service 245 | tags: 246 | - level1 247 | - low 248 | - scored 249 | - patch 250 | - rule_2.1.6 251 | 252 | - name: "SCORED | 2.1.6 | PATCH | Ensure tftp server 
is not enabled" 253 | command: chkconfig tftp off 254 | notify: restart xinetd 255 | when: 256 | - centos7cis_level1 is defined and centos7cis_level1 257 | - centos7cis_disable_service_checks is defined and centos7cis_disable_service_checks 258 | - tftp_service.stat.exists and not centos7cis_tftp_server 259 | tags: 260 | - level1 261 | - scored 262 | - patch 263 | - rule_2.1.6 264 | 265 | - name: "SCORED | 2.1.7 | PATCH | Ensure xinetd is not enabled" 266 | service: 267 | name: xinetd 268 | state: stopped 269 | enabled: no 270 | when: 271 | - centos7cis_level1 is defined and centos7cis_level1 272 | - centos7cis_disable_service_checks is defined and centos7cis_disable_service_checks 273 | - xinetd_service_status.stdout == "loaded" and not centos7cis_xinetd_required 274 | tags: 275 | - level1 276 | - patch 277 | - scored 278 | - rule_2.1.7 279 | 280 | - name: "NOTSCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - service install" 281 | yum: 282 | name: "{{ centos7cis_time_synchronization }}" 283 | state: present 284 | when: 285 | - centos7cis_level1 is defined and centos7cis_level1 286 | tags: 287 | - level1 288 | - patch 289 | - rule_2.2.1.1 290 | 291 | - name: "NOTSCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - service start" 292 | service: 293 | name: "{{ centos7cis_time_synchronization }}d" 294 | state: started 295 | enabled: yes 296 | when: 297 | - centos7cis_level1 is defined and centos7cis_level1 298 | - centos7cis_time_synchronization is defined 299 | tags: 300 | - level1 301 | - patch 302 | - rule_2.2.1.1 303 | 304 | - name: "NOTSCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - service stop ntp" 305 | service: 306 | name: ntpd 307 | state: stopped 308 | enabled: no 309 | when: 310 | - centos7cis_level1 is defined and centos7cis_level1 311 | - centos7cis_time_synchronization is defined 312 | - centos7cis_time_synchronization == "chrony" and ntpd_service_status.stdout == "loaded" 313 | tags: 314 | - level1 
315 | - patch 316 | - rule_2.2.1.1 317 | 318 | - name: "NOTSCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - service stop chrony" 319 | service: 320 | name: chronyd 321 | state: stopped 322 | enabled: no 323 | ignore_errors: yes 324 | when: 325 | - centos7cis_level1 is defined and centos7cis_level1 326 | - centos7cis_time_synchronization is defined 327 | - centos7cis_time_synchronization == "ntp" and chronyd_service_status.stdout == "loaded" 328 | tags: 329 | - level1 330 | - patch 331 | - rule_2.2.1.1 332 | 333 | - name: "SCORED | 2.2.1.2 | PATCH | Ensure ntp is configured | modify /etc/ntp.conf" 334 | template: 335 | src: ntp.conf.j2 336 | dest: /etc/ntp.conf 337 | owner: root 338 | group: root 339 | mode: 0644 340 | when: 341 | - centos7cis_level1 is defined and centos7cis_level1 342 | - centos7cis_time_synchronization is defined 343 | - centos7cis_time_synchronization == "ntp" 344 | tags: 345 | - level1 346 | - patch 347 | - rule_2.2.1.2 348 | 349 | - name: "SCORED | 2.2.1.2 | PATCH | Ensure ntp is configured | modify /etc/sysconfig/ntpd" 350 | lineinfile: 351 | dest: /etc/sysconfig/ntpd 352 | regexp: "^(#)?OPTIONS" 353 | line: "OPTIONS=\"-u ntp:ntp\"" 354 | when: 355 | - centos7cis_level1 is defined and centos7cis_level1 356 | - centos7cis_time_synchronization is defined 357 | - centos7cis_time_synchronization == "ntp" 358 | tags: 359 | - level1 360 | - patch 361 | - rule_2.2.1.2 362 | 363 | - name: "SCORED | 2.2.1.2 | PATCH | Ensure ntp is configured | modify /usr/lib/systemd/system/ntpd.service" 364 | lineinfile: 365 | dest: /usr/lib/systemd/system/ntpd.service 366 | regexp: "^(#)?ExecStart" 367 | line: "ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS" 368 | when: 369 | - centos7cis_level1 is defined and centos7cis_level1 370 | - centos7cis_time_synchronization is defined 371 | - centos7cis_time_synchronization == "ntp" 372 | tags: 373 | - level1 374 | - patch 375 | - rule_2.2.1.2 376 | 377 | - name: "SCORED | 2.2.1.3 | PATCH | Ensure chrony is 
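configured"
  # Ensure every configured upstream appears as a "server" directive.  The
  # previous version used backrefs with a replacement identical to the match;
  # lineinfile with backrefs changes nothing when the regexp does not match,
  # and the match-identical replacement changed nothing when it did, so
  # servers were never added.  Entries are regex-escaped because hostnames
  # contain dots.  A pre-existing line for the same server is rewritten to
  # the bare directive, so any per-server options (e.g. iburst) must be
  # carried in the list entry itself.
  lineinfile:
    path: /etc/chrony.conf
    regexp: "^server\\s+{{ item | regex_escape() }}(\\s|$)"
    line: "server {{ item }}"
  loop: "{{ centos7cis_time_synchronization_servers }}"
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_time_synchronization is defined
    - centos7cis_time_synchronization == "chrony"
    - centos7cis_time_synchronization_servers is defined
  tags:
    - level1
    - patch
    - rule_2.2.1.3

#- name: "SCORED | 2.2.1.3 | PATCH | Ensure chrony is configured"
#  template:
#    src: chrony.conf.j2
#    dest: /etc/chrony.conf
#    owner: root
#    group: root
#    mode: 0644
#  when:
#    - centos7cis_level1 is defined and centos7cis_level1
#    - centos7cis_time_synchronization is defined
#    - centos7cis_time_synchronization == "chrony"
#  tags:
#    - level1
#    - patch
#    - rule_2.2.1.3

- name: "SCORED | 2.2.1.3 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd"
  # Write /etc/sysconfig/chronyd from the template; the lineinfile task that
  # follows then pins OPTIONS regardless of what the template contained.
  template:
    src: etc/sysconfig/chronyd.j2
    dest: /etc/sysconfig/chronyd
    owner: root
    group: root
    mode: '0644'
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_time_synchronization is defined
    - centos7cis_time_synchronization == "chrony"
  tags:
    - level1
    - patch
    - rule_2.2.1.3
    - low

- name: "SCORED | 2.2.1.3 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd"
  # Force chronyd to drop privileges to the chrony user (CIS 2.2.1.3);
  # replaces a commented-out OPTIONS line as well as a live one.
  lineinfile:
    dest: /etc/sysconfig/chronyd
    regexp: "^(#)?OPTIONS"
    line: "OPTIONS=\"-u chrony\""
    state: present
    create: yes
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_time_synchronization is defined
    - centos7cis_time_synchronization == "chrony"
  tags:
    - level1
    - patch
    - rule_2.2.1.3
    - low
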
444 | - name: "SCORED | 2.2.2 | PATCH | Ensure X Window System is not installed" 445 | yum: 446 | name: "{{ item }}" 447 | state: absent 448 | when: 449 | - centos7cis_level1 is defined and centos7cis_level1 450 | - centos7cis_xwindows_required is defined and not centos7cis_xwindows_required 451 | - centos7cis_disable_service_checks is defined and centos7cis_disable_service_checks 452 | with_items: 453 | - "@X Window System" 454 | - "xorg-x11*" 455 | tags: 456 | - level1 457 | - scored 458 | - xwindows 459 | - patch 460 | - rule_2.2.2 461 | - disable_service_checks 462 | 463 | - name: "SCORED | 2.2.3 | PATCH | Ensure Avahi Server is not enabled" 464 | service: 465 | name: avahi-daemon 466 | state: stopped 467 | enabled: no 468 | when: 469 | - centos7cis_level1 is defined and centos7cis_level1 470 | - centos7cis_avahi_server is defined and (not centos7cis_avahi_server and avahi_service_status.stdout == "loaded") 471 | - centos7cis_disable_service_checks is defined and centos7cis_disable_service_checks 472 | tags: 473 | - level1 474 | - scored 475 | - avahi 476 | - services 477 | - patch 478 | - rule_2.2.3 479 | - disable_service_checks 480 | 481 | - name: "SCORED | 2.2.4 | PATCH | Ensure CUPS is not enabled" 482 | service: 483 | name: cups 484 | state: stopped 485 | enabled: no 486 | when: 487 | - centos7cis_level1 is defined and centos7cis_level1 488 | - centos7cis_cups_server is defined and (not centos7cis_cups_server and cups_service_status.stdout == "loaded") 489 | - centos7cis_disable_service_checks is defined and centos7cis_disable_service_checks 490 | tags: 491 | - level1 492 | - scored 493 | - cups 494 | - services 495 | - patch 496 | - rule_2.2.4 497 | - disable_service_checks 498 | 499 | - name: "SCORED | 2.2.5 | PATCH | Ensure DHCP Server is not enabled" 500 | service: 501 | name: dhcpd 502 | state: stopped 503 | enabled: no 504 | when: 505 | - centos7cis_level1 is defined and centos7cis_level1 506 | - centos7cis_dhcp_server is defined and (not 
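# NOTE(review): this chunk opens inside task 2.2.5 (its `- name:` and the start of its
# `when:` list are in the preceding chunk); the first two lines are the tail of that list.
#
# Pattern shared by the 2.2.x "service is not enabled" tasks: each is gated on the level-1
# switch, on a per-service `centos7cis_*_server` variable, on a
# `*_service_status.stdout == "loaded"` fact (presumably registered in prelim.yml) so that
# absent units are skipped instead of failing, and on `centos7cis_disable_service_checks`.
      centos7cis_dhcp_server and dhcpd_service_status.stdout == "loaded")
    - centos7cis_disable_service_checks is defined and centos7cis_disable_service_checks
  tags:
    - level1
    - scored
    - dhcp
    - services
    - patch
    - rule_2.2.5
    - disable_service_checks

- name: "SCORED | 2.2.6 | PATCH | Ensure LDAP server is not enabled"
  service:
    name: slapd
    state: stopped
    enabled: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_ldap_server is defined and (not centos7cis_ldap_server and slapd_service_status.stdout == "loaded")
    - centos7cis_disable_service_checks is defined and centos7cis_disable_service_checks
  tags:
    - level1
    - scored
    - ldap
    - services
    - patch
    - rule_2.2.6
    - disable_service_checks

- name: "SCORED | 2.2.7 | PATCH | Ensure NFS and RPC are not enabled"
  service:
    name: nfs
    state: stopped
    enabled: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_nfs_rpc_server is defined and (not centos7cis_nfs_rpc_server and nfs_service_status.stdout == "loaded")
    - centos7cis_disable_service_checks is defined and centos7cis_disable_service_checks
  tags:
    - level1
    - scored
    - nfs
    - rpc
    - services
    - patch
    - rule_2.2.7
    - disable_service_checks

- name: "SCORED | 2.2.7 | PATCH | Ensure NFS and RPC are not enabled"
  service:
    name: rpcbind
    state: stopped
    enabled: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_nfs_rpc_server is defined and (not centos7cis_nfs_rpc_server and rpcbind_service_status.stdout == "loaded")
    - centos7cis_disable_service_checks is defined and centos7cis_disable_service_checks
  tags:
    - level1
    - scored
    - nfs
    - rpc
    - services
    - patch
    - rule_2.2.7
    - disable_service_checks

- name: "SCORED | 2.2.8 | PATCH | Ensure DNS Server is not enabled"
  service:
    name: named
    state: stopped
    enabled: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_named_server is defined and (not centos7cis_named_server and named_service_status.stdout == "loaded")
    - centos7cis_disable_service_checks is defined and centos7cis_disable_service_checks
  tags:
    - level1
    - patch
    - rule_2.2.8
    - disable_service_checks

- name: "SCORED | 2.2.9 | PATCH | Ensure FTP Server is not enabled"
  service:
    name: vsftpd
    state: stopped
    enabled: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_vsftpd_server is defined and (not centos7cis_vsftpd_server and vsftpd_service_status.stdout == "loaded")
    - centos7cis_disable_service_checks is defined and centos7cis_disable_service_checks
  tags:
    - level1
    - patch
    - rule_2.2.9
    - disable_service_checks

- name: "SCORED | 2.2.10 | PATCH | Ensure HTTP server is not enabled"
  service:
    name: httpd
    state: stopped
    enabled: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_httpd_server is defined and (not centos7cis_httpd_server and httpd_service_status.stdout == "loaded")
    - centos7cis_disable_service_checks is defined and centos7cis_disable_service_checks
  tags:
    - level1
    - patch
    - rule_2.2.10
    - disable_service_checks

- name: "SCORED | 2.2.11 | PATCH | Ensure IMAP and POP3 server is not enabled"
  service:
    name: dovecot
    state: stopped
    enabled: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_dovecot_server is defined and (not centos7cis_dovecot_server and dovecot_service_status.stdout == "loaded")
    - centos7cis_disable_service_checks is defined and centos7cis_disable_service_checks
  tags:
    - level1
    - patch
    - rule_2.2.11
    - disable_service_checks

- name: "SCORED | 2.2.12 | PATCH | Ensure Samba is not enabled"
  service:
    name: smb
    state: stopped
    enabled: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_smb_server is defined and (not centos7cis_smb_server and smb_service_status.stdout == "loaded")
    - centos7cis_disable_service_checks is defined and centos7cis_disable_service_checks
  tags:
    - level1
    - patch
    - rule_2.2.12
    - disable_service_checks

- name: "SCORED | 2.2.13 | PATCH | Ensure HTTP Proxy Server is not enabled"
  service:
    name: squid
    state: stopped
    enabled: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_squid_server is defined and (not centos7cis_squid_server and squid_service_status.stdout == "loaded")
    - centos7cis_disable_service_checks is defined and centos7cis_disable_service_checks
  tags:
    - level1
    - patch
    - rule_2.2.13
    - disable_service_checks

- name: "SCORED | 2.2.14 | PATCH | Ensure SNMP Server is not enabled"
  service:
    name: snmpd
    state: stopped
    enabled: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_snmp_server is defined and (not centos7cis_snmp_server and snmpd_service_status.stdout == "loaded")
    - centos7cis_disable_service_checks is defined and centos7cis_disable_service_checks
  tags:
    - level1
    - patch
    - rule_2.2.14
    - disable_service_checks

# Postfix is kept but bound to loopback only; the handler restarts it so the new
# inet_interfaces setting takes effect.
- name: "SCORED | 2.2.15 | PATCH | Ensure mail transfer agent is configured for local-only mode"
  lineinfile:
    dest: /etc/postfix/main.cf
    regexp: "^(#)?inet_interfaces"
    line: "inet_interfaces = loopback-only"
  notify: systemctl restart postfix
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_is_mail_server is defined and (not centos7cis_is_mail_server and postfix_installed.rc == 0)
    # NOTE(review): unlike the sibling 2.2.x tasks this only checks that the switch is
    # defined, not that it is true, and the task carries no `disable_service_checks` tag —
    # confirm whether it is meant to be gated like the others or run unconditionally.
    - centos7cis_disable_service_checks is defined
  tags:
    - level1
    - patch
    - rule_2.2.15

- name: "SCORED | 2.2.16 | PATCH | Ensure NIS Server is not enabled"
  service:
    name: ypserv
    state: stopped
    enabled: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_nis_server is defined and (not centos7cis_nis_server and ypserv_service_status.stdout == "loaded")
    - centos7cis_disable_service_checks is defined and centos7cis_disable_service_checks
  tags:
    - level1
    - patch
    - rule_2.2.16
    - disable_service_checks

# The r-services are socket-activated on CentOS 7, hence the `.socket` unit names.
- name: "SCORED | 2.2.17 | PATCH | Ensure rsh server is not enabled | rsh"
  service:
    name: rsh.socket
    state: stopped
    enabled: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_rsh_server is defined and (not centos7cis_rsh_server and rsh_service_status.stdout == "loaded")
    - centos7cis_disable_service_checks is defined and centos7cis_disable_service_checks
  tags:
    - level1
    - patch
    - rule_2.2.17
    - disable_service_checks

- name: "SCORED | 2.2.17 | PATCH | Ensure rsh server is not enabled | rlogin"
  service:
    name: rlogin.socket
    state: stopped
    enabled: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_rsh_server is defined and (not centos7cis_rsh_server and rlogin_service_status.stdout == "loaded")
    - centos7cis_disable_service_checks is defined and centos7cis_disable_service_checks
  tags:
    - level1
    - patch
    - rule_2.2.17
    - disable_service_checks

- name: "SCORED | 2.2.17 | PATCH | Ensure rsh server is not enabled | rexec"
  service:
    name: rexec.socket
    state: stopped
    enabled: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_rsh_server is defined and (not centos7cis_rsh_server and rexec_service_status.stdout == "loaded")
    - centos7cis_disable_service_checks is defined and centos7cis_disable_service_checks
  tags:
    - level1
    - patch
    - rule_2.2.17
    - disable_service_checks

- name: "SCORED | 2.2.18 | PATCH | Ensure telnet server is not enabled"
  service:
    # NOTE(review): telnet-server on CentOS 7 is socket-activated (telnet.socket) like the
    # rsh units above; `telnet` addresses telnet.service, which may not exist, in which case
    # the "loaded" gate below would always skip this task. Verify which unit the registered
    # `telnet_service_status` fact inspects.
    name: telnet
    state: stopped
    enabled: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_telnet_server is defined and (not centos7cis_telnet_server and telnet_service_status.stdout == "loaded")
    - centos7cis_disable_service_checks is defined and centos7cis_disable_service_checks
  tags:
    - level1
    - patch
    - rule_2.2.18
    - disable_service_checks

- name: "SCORED | 2.2.19 | PATCH | Ensure tftp server is not enabled"
  service:
    # NOTE(review): same socket-activation caveat as the telnet task above (tftp.socket).
    name: tftp
    state: stopped
    enabled: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_tftp_server is defined and (not centos7cis_tftp_server and tftp_service_status.stdout == "loaded")
    - centos7cis_disable_service_checks is defined and centos7cis_disable_service_checks
  tags:
    - level1
    - scored
    - insecure_services
    - tftp
    - patch
    - rule_2.2.19
    - disable_service_checks

- name: "SCORED | 2.2.20 | PATCH | Ensure rsync service is not enabled "
  service:
    name: rsyncd
    state: stopped
    enabled: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_rsyncd_server is defined and (not centos7cis_rsyncd_server and rsyncd_service_status.stdout == "loaded")
    - centos7cis_disable_service_checks is defined and centos7cis_disable_service_checks
  tags:
    - level1
    - patch
    - rule_2.2.20
    # Was `disable_service_check` (missing "s"), so a run selecting
    # `--tags disable_service_checks` silently skipped this task.
    - disable_service_checks

- name: "SCORED | 2.2.21 | PATCH | Ensure talk server is not enabled"
  service:
    name: ntalk
    state: stopped
    enabled: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_ntalk_server is defined and (not centos7cis_ntalk_server and ntalk_service_status.stdout == "loaded")
    - centos7cis_disable_service_checks is defined and centos7cis_disable_service_checks
  tags:
    - level1
    - patch
    - rule_2.2.21
    - disable_service_checks

# 2.3.x: remove legacy client packages unless a `centos7cis_*_required` switch keeps them.
- name: "SCORED | 2.3.1 | PATCH | Ensure NIS Client is not installed"
  yum:
    name: ypbind
    state: absent
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_ypbind_required is defined and (not centos7cis_ypbind_required)
    - centos7cis_disable_service_checks is defined and centos7cis_disable_service_checks
  tags:
    - level1
    - patch
    - rule_2.3.1
    - disable_service_checks

- name: "SCORED | 2.3.2 | PATCH | Ensure rsh client is not installed"
  yum:
    name: rsh
    state: absent
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_rsh_required is defined and (not centos7cis_rsh_required)
    - centos7cis_disable_service_checks is defined and centos7cis_disable_service_checks
  tags:
    - level1
    - patch
    - rule_2.3.2
    - disable_service_checks

- name: "SCORED | 2.3.3 | PATCH | Ensure talk client is not installed"
  yum:
    name: talk
    state: absent
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_talk_required is defined and (not centos7cis_talk_required)
    - centos7cis_disable_service_checks is defined and centos7cis_disable_service_checks
  tags:
    - level1
    - patch
    # NOTE(review): the remaining tags of this task continue in the next chunk.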
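# NOTE(review): the first two lines complete the `tags:` list of task 2.3.3, whose header
# is in the preceding chunk.
    - rule_2.3.3
    - disable_service_checks

- name: "SCORED | 2.3.4 | PATCH | Ensure telnet client is not installed"
  yum:
    name: telnet
    state: absent
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_telnet_required is defined and (not centos7cis_telnet_required)
    - centos7cis_disable_service_checks is defined and centos7cis_disable_service_checks
  tags:
    - level1
    - patch
    - rule_2.3.4
    - disable_service_checks

- name: "SCORED | 2.3.5 | PATCH | Ensure LDAP client is not installed"
  yum:
    name: openldap-clients
    state: absent
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    # Machines joined to AD/LDAP keep the client tools.
    - centos7cis_ad_ldap_joined_machine is defined and not centos7cis_ad_ldap_joined_machine
    # The `is defined` guard used to test `centos7cis_openldap_clients` while the negated
    # variable was `centos7cis_openldap_clients_required`, so a play that did not define the
    # latter failed with an undefined-variable error instead of skipping. Guard the variable
    # that is actually dereferenced; confirm the name against defaults/main.yml.
    - centos7cis_openldap_clients_required is defined and (not centos7cis_openldap_clients_required)
    - centos7cis_disable_service_checks is defined and centos7cis_disable_service_checks
  tags:
    - level1
    - patch
    - rule_2.3.5
    - disable_service_checks

# ---------------------------------------------------------------------------
# /tasks/section3.yml
# ---------------------------------------------------------------------------
# CIS section 3: network parameters. Every sysctl task writes the key persistently
# (`sysctl_set` + `state: present`), reloads, tolerates unknown keys (`ignoreerrors`) and
# notifies the route-table flush handler so the new setting is applied to cached routes.
- name: "SCORED | 3.1.1 | PATCH | Ensure IP forwarding is disabled"
  sysctl:
    name: net.ipv4.ip_forward
    value: 0
    state: present
    reload: yes
    ignoreerrors: yes
    sysctl_set: yes
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_is_router is defined and not centos7cis_is_router
  notify:
    - sysctl flush ipv4 route table
  tags:
    - level1
    - sysctl
    - scored
    - patch
    - rule_3.1.1

- name: "SCORED | 3.1.2 | PATCH | Ensure packet redirect sending is disabled"
  sysctl:
    name: '{{ item.name }}'
    value: '{{ item.value }}'
    sysctl_set: yes
    state: present
    reload: yes
    ignoreerrors: yes
  with_items:
    - { name: net.ipv4.conf.all.send_redirects, value: 0 }
    - { name: net.ipv4.conf.default.send_redirects, value: 0 }
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_is_router is defined and not centos7cis_is_router
  notify:
    - sysctl flush ipv4 route table
  tags:
    - level1
    - sysctl
    - scored
    - patch
    - rule_3.1.2

- name: "SCORED | 3.2.1 | PATCH | Ensure source routed packets are not accepted"
  sysctl:
    name: '{{ item.name }}'
    value: '{{ item.value }}'
    sysctl_set: yes
    state: present
    reload: yes
    ignoreerrors: yes
  with_items:
    - { name: net.ipv4.conf.all.accept_source_route, value: 0 }
    - { name: net.ipv4.conf.default.accept_source_route, value: 0 }
  notify:
    - sysctl flush ipv4 route table
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - level1
    - sysctl
    - patch
    - rule_3.2.1

- name: "SCORED | 3.2.2 | PATCH | Ensure ICMP redirects are not accepted"
  sysctl:
    name: '{{ item.name }}'
    value: '{{ item.value }}'
    sysctl_set: yes
    state: present
    reload: yes
    ignoreerrors: yes
  with_items:
    - { name: net.ipv4.conf.all.accept_redirects, value: 0 }
    - { name: net.ipv4.conf.default.accept_redirects, value: 0 }
  notify:
    - sysctl flush ipv4 route table
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - level1
    - sysctl
    - scored
    - patch
    - rule_3.2.2

- name: "SCORED | 3.2.3 | PATCH | Ensure secure ICMP redirects are not accepted"
  sysctl:
    name: '{{ item.name }}'
    value: '{{ item.value }}'
    sysctl_set: yes
    state: present
    reload: yes
    ignoreerrors: yes
  with_items:
    - { name: net.ipv4.conf.all.secure_redirects, value: 0 }
    - { name: net.ipv4.conf.default.secure_redirects, value: 0 }
  notify:
    - sysctl flush ipv4 route table
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - level1
    - sysctl
    - scored
    - patch
    - rule_3.2.3

- name: "SCORED | 3.2.4 | PATCH | Ensure suspicious packets are logged"
  sysctl:
    name: '{{ item.name }}'
    value: '{{ item.value }}'
    sysctl_set: yes
    state: present
    reload: yes
    ignoreerrors: yes
  with_items:
    - { name: net.ipv4.conf.all.log_martians, value: 1 }
    - { name: net.ipv4.conf.default.log_martians, value: 1 }
  notify:
    - sysctl flush ipv4 route table
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - level1
    - sysctl
    - scored
    - patch
    - rule_3.2.4

- name: "SCORED | 3.2.5 | PATCH | Ensure broadcast ICMP requests are ignored"
  sysctl:
    name: net.ipv4.icmp_echo_ignore_broadcasts
    value: 1
    state: present
    reload: yes
    ignoreerrors: yes
    sysctl_set: yes
  notify:
    - sysctl flush ipv4 route table
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - level1
    - sysctl
    - patch
    - scored
    - rule_3.2.5

- name: "SCORED | 3.2.6 | PATCH | Ensure bogus ICMP responses are ignored"
  sysctl:
    name: net.ipv4.icmp_ignore_bogus_error_responses
    value: 1
    state: present
    reload: yes
    ignoreerrors: yes
    sysctl_set: yes
  notify:
    - sysctl flush ipv4 route table
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - level1
    - sysctl
    - patch
    - scored
    - rule_3.2.6

- name: "SCORED | 3.2.7 | PATCH | Ensure Reverse Path Filtering is enabled"
  sysctl:
    name: '{{ item.name }}'
    value: '{{ item.value }}'
    sysctl_set: yes
    state: present
    reload: yes
    ignoreerrors: yes
  with_items:
    # NOTE(review): the item list and the rest of this task continue in the next chunk.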
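# NOTE(review): the first lines complete task 3.2.7 (Reverse Path Filtering), whose
# header and sysctl parameters are in the preceding chunk.
    - { name: net.ipv4.conf.all.rp_filter, value: 1 }
    - { name: net.ipv4.conf.default.rp_filter, value: 1 }
  notify:
    - sysctl flush ipv4 route table
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - level1
    - sysctl
    - patch
    - scored
    - rule_3.2.7

- name: "SCORED | 3.2.8 | PATCH | Ensure TCP SYN Cookies is enabled"
  sysctl:
    name: net.ipv4.tcp_syncookies
    value: 1
    state: present
    reload: yes
    ignoreerrors: yes
    sysctl_set: yes
  notify:
    - sysctl flush ipv4 route table
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - level1
    - sysctl
    - patch
    - scored
    - rule_3.2.8

# 3.3.x: IPv6 hardening only where IPv6 stays in use; 3.3.3 disables the stack otherwise.
- name: "SCORED | 3.3.1 | PATCH | Ensure IPv6 router advertisements are not accepted"
  sysctl:
    name: '{{ item.name }}'
    value: '{{ item.value }}'
    sysctl_set: yes
    state: present
    reload: yes
    ignoreerrors: yes
  with_items:
    - { name: net.ipv6.conf.all.accept_ra, value: 0 }
    - { name: net.ipv6.conf.default.accept_ra, value: 0 }
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_ipv6_required is defined
    - centos7cis_ipv6_required
  notify:
    - sysctl flush ipv6 route table
  tags:
    - level1
    - sysctl
    - patch
    - scored
    - rule_3.3.1

- name: "SCORED | 3.3.2 | PATCH | Ensure IPv6 redirects are not accepted"
  sysctl:
    name: '{{ item.name }}'
    value: '{{ item.value }}'
    sysctl_set: yes
    state: present
    reload: yes
    ignoreerrors: yes
  with_items:
    - { name: net.ipv6.conf.all.accept_redirects, value: 0 }
    - { name: net.ipv6.conf.default.accept_redirects, value: 0 }
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_ipv6_required is defined
    - centos7cis_ipv6_required
  notify:
    - sysctl flush ipv6 route table
  tags:
    - level1
    - sysctl
    - patch
    - scored
    - rule_3.3.2

- name: "NOTSCORED | 3.3.3 | PATCH | Ensure IPv6 is disabled"
  lineinfile:
    dest: /etc/modprobe.d/CIS.conf
    regexp: "^(#)?options ipv6 disable="
    line: "options ipv6 disable=1"
    create: yes
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_ipv6_required is defined
    - not centos7cis_ipv6_required
  tags:
    - level1
    - patch
    - rule_3.3.3

# 3.4.x: TCP Wrappers — install, deploy hosts.allow from the role template, deny-by-default
# in hosts.deny, and pin both files to root:root 0644.
- name: "SCORED | 3.4.1 | PATCH | Ensure TCP Wrappers is installed"
  yum:
    name: tcp_wrappers
    state: present
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - level1
    - patch
    - rule_3.4.1

- name: "SCORED | 3.4.2 | PATCH | Ensure /etc/hosts.allow is configured"
  template:
    src: hosts.allow.j2
    dest: /etc/hosts.allow
    owner: root
    group: root
    mode: 0644
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - level1
    - patch
    - rule_3.4.2

- name: "SCORED | 3.4.3 | PATCH | Ensure /etc/hosts.deny is configured"
  lineinfile:
    dest: /etc/hosts.deny
    regexp: "^(#)?ALL"
    line: "ALL: ALL"
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_enable_hosts_deny is defined
    - centos7cis_enable_hosts_deny
  tags:
    - level1
    - patch
    - rule_3.4.3

- name: "SCORED | 3.4.4 | PATCH | Ensure permissions on /etc/hosts.allow are configured"
  file:
    dest: /etc/hosts.allow
    owner: root
    group: root
    mode: 0644
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - level1
    - patch
    - rule_3.4.4

- name: "SCORED | 3.4.5 | PATCH | Ensure permissions on /etc/hosts.deny are 644"
  file:
    dest: /etc/hosts.deny
    owner: root
    group: root
    mode: 0644
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - level1
    - patch
    - rule_3.4.5

# 3.5.x: block uncommon network protocols by mapping their module to /bin/true so a
# modprobe of the module succeeds without loading it.
- name: "NOTSCORED | 3.5.1 | PATCH | Ensure DCCP is disabled"
  lineinfile:
    dest: /etc/modprobe.d/CIS.conf
    regexp: "^(#)?install dccp(\\s|$)"
    line: "install dccp /bin/true"
    create: yes
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - level1
    - patch
    - rule_3.5.1

- name: "NOTSCORED | 3.5.2 | PATCH | Ensure SCTP is disabled"
  lineinfile:
    dest: /etc/modprobe.d/CIS.conf
    regexp: "^(#)?install sctp(\\s|$)"
    line: "install sctp /bin/true"
    create: yes
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - level1
    - patch
    - rule_3.5.2

- name: "NOTSCORED | 3.5.3 | PATCH | Ensure RDS is disabled"
  lineinfile:
    dest: /etc/modprobe.d/CIS.conf
    regexp: "^(#)?install rds(\\s|$)"
    line: "install rds /bin/true"
    create: yes
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - level1
    - patch
    - rule_3.5.3

- name: "NOTSCORED | 3.5.4 | PATCH | Ensure TIPC is disabled"
  lineinfile:
    dest: /etc/modprobe.d/CIS.conf
    regexp: "^(#)?install tipc(\\s|$)"
    line: "install tipc /bin/true"
    create: yes
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - level1
    - patch
    - rule_3.5.4

# 3.6: host firewall. `centos7cis_firewall` selects either firewalld (installed and
# started here) or iptables (the 3.6.x rule tasks below).
- name: "SCORED | 3.6 | PATCH | Ensure firewalld is installed and started | CUSTOM"
  yum:
    name: firewalld
    state: present
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_firewall is defined and centos7cis_firewall == "firewalld"
  tags:
    - level1
    - patch
    - rule_3.6

- name: "SCORED | 3.6 | PATCH | Ensure firewalld is installed and started | CUSTOM"
  service:
    name: firewalld
    state: started
    # Was `enabled: no`, which left the host without a firewall after the next reboot and
    # so undid the hardening this task exists for; the unit must be enabled to persist.
    enabled: yes
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_firewall is defined and centos7cis_firewall == "firewalld"
  tags:
    - level1
    - patch
    - rule_3.6

# 3.6.4: accept return traffic for established connections on INPUT (UDP and ICMP here).
- name: "NOTSCORED | 3.6.4 | PATCH | Ensure outbound and established connections are configured -UDP"
  iptables:
    ip_version: ipv4
    chain: INPUT
    protocol: udp
    match: state
    ctstate: ESTABLISHED
    jump: ACCEPT
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_firewall is defined and centos7cis_firewall == "iptables"
    - centos7cis_firewall_outbound_rule is defined and centos7cis_firewall_outbound_rule
  tags:
    - level1
    - patch
    - rule_3.6.4
    - low

- name: "NOTSCORED | 3.6.4 | PATCH | Ensure outbound and established connections are configured -ICMP"
  iptables:
    ip_version: ipv4
    chain: INPUT
    protocol: icmp
    match: state
    ctstate: ESTABLISHED
    jump: ACCEPT
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_firewall is defined and centos7cis_firewall == "iptables"
    - centos7cis_firewall_outbound_rule is defined and centos7cis_firewall_outbound_rule
  tags:
    - level1
    - patch
    - rule_3.6.4
    - low

# 3.6.5 is a reminder only: the per-port rules are site specific and are not generated here.
- name: "SCORED | 3.6.5 | PATCH | Ensure firewall rules exist for all open ports"
  debug:
    msg: "Ensure firewall rules exist for all open ports"
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_firewall is defined and centos7cis_firewall == "iptables"
  tags:
    - level1
    - patch
    - scored
    - rule_3.6.5
    - low

# 3.7 is a no-op placeholder (nothing is changed on the host).
# NOTE(review): it is tagged `level1` although its `when:` only fires for level 2.
- name: "NOTSCORED | 3.7 | PATCH | Ensure wireless interfaces are disabled"
  command: /bin/true
  changed_when: no
  when:
    - centos7cis_level2 is defined and centos7cis_level2
  tags:
    - level1
    - level2
    - patch
    - rule_3.7

# ---------------------------------------------------------------------------
# /tasks/section4.yml
# ---------------------------------------------------------------------------
# CIS section 4: logging and auditing. 4.1.x tune auditd; 4.2.x configure rsyslog/syslog-ng.
- name: "NOTSCORED | 4.1.1.1 | PATCH | Ensure audit log storage size is configured"
  lineinfile:
    dest: /etc/audit/auditd.conf
    regexp: "^max_log_file"
    line: "max_log_file = 10"
    state: present
  when:
    - centos7cis_level2 is defined and centos7cis_level2
  tags:
    - level2
    - auditd
    - patch
    - rule_4.1.1.1

# `halt` stops the system rather than continue unaudited when the admin space threshold
# is reached — this is the CIS-mandated value, but it is a deliberate availability trade-off.
- name: "SCORED | 4.1.1.2 | PATCH | Ensure system is disabled when audit logs are full"
  lineinfile:
    dest: /etc/audit/auditd.conf
    regexp: "^admin_space_left_action"
    line: "admin_space_left_action = halt"
    state: present
  when:
    - centos7cis_level2 is defined and centos7cis_level2
  tags:
    - level2
    - auditd
    - patch
    - rule_4.1.1.2

- name: "SCORED | 4.1.1.3 | PATCH | Ensure audit logs are not automatically deleted"
  lineinfile:
    dest: /etc/audit/auditd.conf
    regexp: "^max_log_file_action"
    line: "max_log_file_action = keep_logs"
    state: present
  when:
    - centos7cis_level2 is defined and centos7cis_level2
  tags:
    - level2
    - auditd
    - patch
    - rule_4.1.1.3

- name: "SCORED | 4.1.2 | PATCH | Ensure auditd service is enabled"
  service:
    name: auditd
    state: started
    enabled: yes
  when:
    - centos7cis_level2 is defined and centos7cis_level2
    - centos7cis_enable_auditd is defined and centos7cis_enable_auditd
  tags:
    - level2
    - auditd
    - patch
    - rule_4.1.2

# NOTE(review): extraction gap. The page text jumps from the middle of task 4.1.3's regexp
# (visible prefix: (^GRUB_CMDLINE_LINUX\s*\=\s*)(?:")(.+)(?= ) straight to section4.yml
# line 176, so the remainder of 4.1.3 and rules 4.1.4 through 4.1.12 are not on the page
# and cannot be reconstructed here — restore them from the repository. The visible
# fragments are kept verbatim below, commented out so the rest of the file stays parseable.
#
# - name: "SCORED | 4.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled"
#   replace:
#     dest: /etc/default/grub
#     regexp: '(^GRUB_CMDLINE_LINUX\s*\=\s*)(?:")(.+)(?=
#   [... text missing on the page ...]
#                 ...1000 -F auid!=4294967295 -k mounts"
#     state: present
#   when:
#     - centos7cis_level2 is defined and centos7cis_level2
#   tags:
#     - level2
#     - auditd
#     - patch
#     - rule_4.1.13

- name: "SCORED | 4.1.13 | PATCH | Ensure successful file system mounts are collected"
  lineinfile:
    # NOTE(review): on CentOS 7 `augenrules` regenerates /etc/audit/audit.rules from
    # /etc/audit/rules.d/*.rules, so a rule written only to audit.rules can be lost on the
    # next rule load; the b32 variant below goes to rules.d and this one presumably should
    # too. Confirm how the role loads rules before changing `dest`.
    dest: /etc/audit/audit.rules
    line: "-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts"
    state: present
  when:
    - centos7cis_level2 is defined and centos7cis_level2
  tags:
    - level2
    - auditd
    - patch
    - rule_4.1.13

- name: "SCORED | 4.1.13 | PATCH | Ensure successful file system mounts are collected"
  lineinfile:
    dest: /etc/audit/rules.d/audit.rules
    line: "-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts"
    state: present
  when:
    - centos7cis_level2 is defined and centos7cis_level2
  tags:
    - level2
    - auditd
    - patch
    - rule_4.1.13

# 4.1.14 is a no-op placeholder: no deletion-event rules are written by this role.
- name: "SCORED | 4.1.14 | PATCH | Ensure file deletion events by users are collected"
  command: /bin/true
  changed_when: no
  when:
    - centos7cis_level2 is defined and centos7cis_level2
  tags:
    - level2
    - auditd
    - patch
    - rule_4.1.14

# 4.1.15: watch sudoers and sudoers.d for writes/attribute changes (key "scope").
- name: "SCORED | 4.1.15 | PATCH | Ensure changes to system administration scope (sudoers) is collected"
  lineinfile:
    dest: /etc/audit/rules.d/audit.rules
    line: "-w /etc/sudoers -p wa -k scope"
    state: present
  when:
    - centos7cis_level2 is defined and centos7cis_level2
  tags:
    - level2
    - auditd
    - patch
    - rule_4.1.15

- name: "SCORED | 4.1.15 | PATCH | Ensure changes to system administration scope (sudoers) is collected"
  lineinfile:
    # NOTE(review): same augenrules caveat as the 4.1.13 task writing to audit.rules.
    dest: /etc/audit/audit.rules
    line: "-w /etc/sudoers -p wa -k scope"
    state: present
  when:
    - centos7cis_level2 is defined and centos7cis_level2
  tags:
    - level2
    - auditd
    - patch
    - rule_4.1.15

- name: "SCORED | 4.1.15 | PATCH | Ensure changes to system administration scope (sudoers) is collected"
  lineinfile:
    dest: /etc/audit/rules.d/audit.rules
    line: "-w /etc/sudoers.d -p wa -k scope"
    state: present
  when:
    - centos7cis_level2 is defined and centos7cis_level2
  tags:
    - level2
    - auditd
    - patch
    - rule_4.1.15

# 4.1.16 - 4.1.18 are no-op placeholders: sudolog, module-loading rules and the immutable
# flag (-e 2) are not configured by this role.
- name: "SCORED | 4.1.16 | PATCH | Ensure system administrator actions (sudolog) are collected"
  command: /bin/true
  changed_when: no
  when:
    - centos7cis_level2 is defined and centos7cis_level2
  tags:
    - level2
    - auditd
    - patch
    - rule_4.1.16

- name: "SCORED | 4.1.17 | PATCH | Ensure kernel module loading and unloading is collected"
  command: /bin/true
  changed_when: no
  when:
    - centos7cis_level2 is defined and centos7cis_level2
  tags:
    - level2
    - auditd
    - patch
    - rule_4.1.17

- name: "SCORED | 4.1.18 | PATCH | Ensure the audit configuration is immutable"
  command: /bin/true
  changed_when: no
  when:
    - centos7cis_level2 is defined and centos7cis_level2
  tags:
    - level2
    - auditd
    - patch
    - rule_4.1.18

- name: "SCORED | 4.2.1.1 | PATCH | Ensure rsyslog Service is enabled"
  systemd:
    # The unit shipped by the rsyslog package is rsyslog.service; `rsyslogd` is the daemon
    # binary, not a unit name, so the original `name: rsyslogd` could not be enabled.
    name: rsyslog
    enabled: yes
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_rsyslog is defined and centos7cis_rsyslog
    - rsyslog_installed is defined and rsyslog_installed
  tags:
    # Was `level2`, which disagreed with the level-1 `when:` gate above.
    - level1
    - patch
    - rule_4.2.1.1

- name: "NOTSCORED | 4.2.1.2 | PATCH | Ensure logging is configured"
  # NOTE(review): the body of this task continues in the next chunk.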
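# NOTE(review): the first lines complete task 4.2.1.2 (a no-op placeholder), whose
# `- name:` line is in the preceding chunk.
  command: /bin/true
  changed_when: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_rsyslog is defined and centos7cis_log_server is defined
    - centos7cis_rsyslog
    - centos7cis_log_server
  tags:
    - level1
    - patch
    - rule_4.2.1.2

# New log files are created 0640 so they are not world-readable.
- name: "SCORED | 4.2.1.3 | PATCH | Ensure rsyslog default file permissions configured"
  lineinfile:
    dest: /etc/rsyslog.conf
    regexp: '^\$FileCreateMode'
    line: '$FileCreateMode 0640'
    create: yes
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_rsyslog is defined and centos7cis_rsyslog
    - rsyslog_installed is defined and rsyslog_installed
  tags:
    - level1
    - patch
    - rule_4.2.1.3

# Forward everything to the configured log host; `@@` selects TCP transport.
- name: "SCORED | 4.2.1.4 | PATCH | Ensure rsyslog is configured to send logs to a remote log host"
  lineinfile:
    dest: /etc/rsyslog.conf
    regexp: "^\\*\\.\\*"
    line: "*.* @@{{ centos7cis_rsyslog_loghost_address }}"
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_rsyslog is defined and centos7cis_rsyslog
    - rsyslog_installed is defined and rsyslog_installed
  tags:
    - level1
    - patch
    - rule_4.2.1.4

# 4.2.1.5: the TCP input module is commented out on ordinary hosts and enabled only on the
# designated log server (`centos7cis_log_server`).
- name: "NOTSCORED | 4.2.1.5 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts. | NON-LOG SERVER"
  lineinfile:
    dest: /etc/rsyslog.conf
    regexp: '^\$ModLoad imtcp'
    line: '# $ModLoad imtcp'
    create: yes
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    # The second clause used to repeat the first (`centos7cis_rsyslog is defined` twice), so
    # `not centos7cis_log_server` below could hit an undefined variable.
    - centos7cis_rsyslog is defined and centos7cis_log_server is defined
    - not centos7cis_log_server
    - centos7cis_rsyslog
    - rsyslog_installed is defined and rsyslog_installed
  tags:
    - level1
    - patch
    - rule_4.2.1.5

- name: "NOTSCORED | 4.2.1.5 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts. | NON-LOG SERVER"
  lineinfile:
    dest: /etc/rsyslog.conf
    regexp: '^\$InputTCPServerRun 514'
    line: '# $InputTCPServerRun 514'
    create: yes
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    # Same duplicated-clause fix as the imtcp task above.
    - centos7cis_rsyslog is defined and centos7cis_log_server is defined
    - not centos7cis_log_server
    - centos7cis_rsyslog
    - rsyslog_installed is defined and rsyslog_installed
  tags:
    - level1
    - patch
    - rule_4.2.1.5

- name: "NOTSCORED | 4.2.1.5 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts. | LOG SERVER"
  lineinfile:
    dest: /etc/rsyslog.conf
    regexp: '^\$ModLoad imtcp'
    line: '$ModLoad imtcp'
    create: yes
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_rsyslog is defined and centos7cis_log_server is defined
    - centos7cis_rsyslog
    - centos7cis_log_server
    - rsyslog_installed is defined and rsyslog_installed
  tags:
    - level1
    - patch
    - rule_4.2.1.5

- name: "NOTSCORED | 4.2.1.5 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts. | LOG SERVER"
  lineinfile:
    dest: /etc/rsyslog.conf
    regexp: '^\$InputTCPServerRun 514'
    line: '$InputTCPServerRun 514'
    create: yes
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_rsyslog is defined and centos7cis_log_server is defined
    - centos7cis_rsyslog
    - centos7cis_log_server
    - rsyslog_installed is defined and rsyslog_installed
  tags:
    - level1
    - patch
    - rule_4.2.1.5

# 4.2.2.x: the syslog-ng counterparts of 4.2.1.x, gated on `centos7cis_syslog_ng`.
- name: "SCORED | 4.2.2.1 | PATCH | Ensure syslog-ng service is enabled"
  systemd:
    name: syslog-ng
    enabled: yes
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    # Was gated on `centos7cis_rsyslog` (copy-paste from 4.2.1.1), so the syslog-ng unit was
    # only enabled on hosts that had selected rsyslog.
    - centos7cis_syslog_ng is defined and centos7cis_syslog_ng
    - syslog_ng_installed is defined and syslog_ng_installed
  tags:
    - level1
    - patch
    - rule_4.2.2.1

# 4.2.2.2 is a no-op placeholder.
- name: "NOTSCORED | 4.2.2.2 | PATCH | Ensure logging is configured"
  command: /bin/true
  changed_when: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    # Gated on the syslog-ng switch like its 4.2.2.x siblings (was `centos7cis_rsyslog`).
    - centos7cis_syslog_ng is defined and centos7cis_log_server is defined
    - centos7cis_syslog_ng
    - centos7cis_log_server
  tags:
    - level1
    - patch
    - rule_4.2.2.2

- name: "SCORED | 4.2.2.3 | PATCH | Ensure syslog-ng default file permissions configured"
  lineinfile:
    dest: '/etc/syslog-ng/syslog-ng.conf'
    # The original regexp '^perm(0640);' had unescaped parentheses (a capture group, so it
    # matched "perm0640;" and never the real option) and the replacement line carried a
    # literal "^", which syslog-ng would reject. Match any existing perm() option and write
    # the bare option.
    # NOTE(review): the option normally lives inside an `options { ... };` block; whether
    # syslog-ng accepts it appended at file level still needs confirming.
    regexp: '^\s*perm\(\d+\);'
    line: 'perm(0640);'
    create: yes
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    # File-permission hardening applies to every syslog-ng host, not only designated log
    # servers, so the `centos7cis_log_server` gate copied from 4.2.2.4 was dropped.
    - centos7cis_syslog_ng is defined and centos7cis_syslog_ng
    - syslog_ng_installed is defined and syslog_ng_installed
  tags:
    - level1
    - patch
    - rule_4.2.2.3

# 4.2.2.4 and 4.2.2.5 are no-op placeholders: remote forwarding and remote-input
# restriction are not configured for syslog-ng by this role.
- name: "NOTSCORED | 4.2.2.4 | PATCH | Ensure syslog-ng is configured to send logs to a remote log host"
  command: /bin/true
  changed_when: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_syslog_ng is defined and centos7cis_log_server is defined
    - centos7cis_syslog_ng
    - centos7cis_log_server
    - syslog_ng_installed is defined and syslog_ng_installed
  tags:
    - level1
    - patch
    - rule_4.2.2.4

- name: "NOTSCORED | 4.2.2.5 | PATCH | Ensure remote syslog-ng messages are only accepted on designated log hosts"
  command: /bin/true
  changed_when: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_syslog_ng is defined and centos7cis_log_server is defined
    - centos7cis_syslog_ng
    - centos7cis_log_server
    - syslog_ng_installed is defined and syslog_ng_installed
  tags:
    - level1
    - patch
    - rule_4.2.2.5

# 4.2.3: install whichever syslog daemon the role variables select.
- name: "SCORED | 4.2.3 | PATCH | Ensure rsyslog or syslog-ng is installed"
  yum:
    name: rsyslog
    state: present
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_rsyslog is defined and centos7cis_rsyslog
  tags:
    - level1
    - low
    - patch
    - rule_4.2.3

- name: "SCORED | 4.2.3 | PATCH | Ensure rsyslog or syslog-ng is installed"
  yum:
    name: syslog-ng
    state: present
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_syslog_ng is defined and centos7cis_syslog_ng
  tags:
    - level1
    - low
    - patch
    - rule_4.2.3

# Strip group write/execute and all "other" bits from every file under /var/log.
# NOTE(review): `command` has no idempotence check here, so this task reports "changed"
# on every run even when nothing was modified.
- name: "SCORED | 4.2.4 | PATCH | Ensure permissions on all logfiles are configured"
  command: find /var/log -type f -exec chmod g-wx,o-rwx {} +
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - level1
    - patch
    - rule_4.2.4

- name: "NOTSCORED | 4.3 | PATCH | Ensure logrotate is configured"
  lineinfile:
    dest: /etc/logrotate.conf
    regexp: "^#daily"
    # NOTE(review): the rest of this task lies beyond the end of this chunk.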
| line: "daily" 528 | create: yes 529 | when: 530 | - centos7cis_level1 is defined and centos7cis_level1 531 | tags: 532 | - level1 533 | - patch 534 | - rule_4.3 535 | -------------------------------------------------------------------------------- /tasks/section5.yml: -------------------------------------------------------------------------------- 1 | - name: "SCORED | 5.1.1 | PATCH | Ensure cron daemon is enabled" 2 | systemd: 3 | name: crond 4 | enabled: yes 5 | when: 6 | - centos7cis_level1 is defined and centos7cis_level1 7 | tags: 8 | - level1 9 | - patch 10 | - rule_5.1.1 11 | 12 | - name: "SCORED | 5.1.2 | PATCH | Ensure permissions on /etc/crontab are configured" 13 | file: 14 | dest: /etc/crontab 15 | owner: root 16 | group: root 17 | mode: 0600 18 | when: 19 | - centos7cis_level1 is defined and centos7cis_level1 20 | tags: 21 | - level1 22 | - patch 23 | - rule_5.1.2 24 | 25 | - name: "SCORED | 5.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured" 26 | file: 27 | dest: /etc/cron.hourly 28 | owner: root 29 | group: root 30 | mode: 0600 31 | when: 32 | - centos7cis_level1 is defined and centos7cis_level1 33 | tags: 34 | - level1 35 | - patch 36 | - rule_5.1.3 37 | 38 | - name: "SCORED | 5.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured" 39 | file: 40 | dest: /etc/cron.daily 41 | owner: root 42 | group: root 43 | mode: 0600 44 | when: 45 | - centos7cis_level1 is defined and centos7cis_level1 46 | tags: 47 | - level1 48 | - patch 49 | - rule_5.1.4 50 | 51 | - name: "SCORED | 5.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" 52 | file: 53 | dest: /etc/cron.weekly 54 | owner: root 55 | group: root 56 | mode: 0600 57 | when: 58 | - centos7cis_level1 is defined and centos7cis_level1 59 | tags: 60 | - level1 61 | - patch 62 | - rule_5.1.5 63 | 64 | - name: "SCORED | 5.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured" 65 | file: 66 | dest: /etc/cron.monthly 67 | owner: root 68 | group: 
root 69 | mode: 0600 70 | when: 71 | - centos7cis_level1 is defined and centos7cis_level1 72 | tags: 73 | - level1 74 | - patch 75 | - rule_5.1.6 76 | 77 | - name: "SCORED | 5.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured" 78 | file: 79 | dest: /etc/cron.d 80 | state: directory 81 | owner: root 82 | group: root 83 | mode: 0600 84 | when: 85 | - centos7cis_level1 is defined and centos7cis_level1 86 | tags: 87 | - level1 88 | - patch 89 | - rule_5.1.7 90 | 91 | - name: "SCORED | 5.1.8 | PATCH | Ensure at/cron is restricted to authorized users" 92 | file: 93 | dest: /etc/at.deny 94 | state: absent 95 | when: 96 | - centos7cis_level1 is defined and centos7cis_level1 97 | tags: 98 | - level1 99 | - patch 100 | - rule_5.1.8 101 | 102 | - name: "SCORED | 5.1.8 | PATCH | Ensure at/cron is restricted to authorized users" 103 | file: 104 | dest: /etc/at.allow 105 | state: touch 106 | owner: root 107 | group: root 108 | mode: 0600 109 | when: 110 | - centos7cis_level1 is defined and centos7cis_level1 111 | tags: 112 | - level1 113 | - patch 114 | - rule_5.1.8 115 | 116 | - name: "SCORED | 5.1.8 | PATCH | Ensure at/cron is restricted to authorized users" 117 | file: 118 | dest: /etc/cron.deny 119 | state: absent 120 | when: 121 | - centos7cis_level1 is defined and centos7cis_level1 122 | tags: 123 | - level1 124 | - patch 125 | - rule_5.1.8 126 | 127 | - name: "SCORED | 5.1.8 | PATCH | Ensure at/cron is restricted to authorized users" 128 | file: 129 | dest: /etc/cron.allow 130 | state: touch 131 | owner: root 132 | group: root 133 | mode: 0600 134 | when: 135 | - centos7cis_level1 is defined and centos7cis_level1 136 | tags: 137 | - level1 138 | - patch 139 | - rule_5.1.8 140 | 141 | - name: "SCORED | 5.2.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" 142 | file: 143 | dest: /etc/ssh/sshd_config 144 | state: file 145 | owner: root 146 | group: root 147 | mode: 0600 148 | when: 149 | - centos7cis_level1 is defined and centos7cis_level1 
150 | tags: 151 | - level1 152 | - patch 153 | - rule_5.2.1 154 | 155 | - name: "SCORED | 5.2.2 | PATCH | Ensure SSH Protocol is set to 2" 156 | lineinfile: 157 | state: present 158 | dest: /etc/ssh/sshd_config 159 | regexp: '^Protocol' 160 | line: 'Protocol 2' 161 | when: 162 | - centos7cis_level1 is defined and centos7cis_level1 163 | tags: 164 | - level1 165 | - patch 166 | - rule_5.2.2 167 | 168 | - name: "SCORED | 5.2.3 | PATCH | Ensure SSH LogLevel is set to INFO" 169 | lineinfile: 170 | state: present 171 | dest: /etc/ssh/sshd_config 172 | regexp: '^LogLevel' 173 | line: 'LogLevel INFO' 174 | when: 175 | - centos7cis_level1 is defined and centos7cis_level1 176 | tags: 177 | - level1 178 | - patch 179 | - rule_5.2.3 180 | 181 | - name: "SCORED | 5.2.4 | PATCH | Ensure SSH X11 forwarding is disabled" 182 | lineinfile: 183 | state: present 184 | dest: /etc/ssh/sshd_config 185 | regexp: '^X11Forwarding' 186 | line: 'X11Forwarding no' 187 | when: 188 | - centos7cis_level1 is defined and centos7cis_level1 189 | tags: 190 | - level1 191 | - patch 192 | - rule_5.2.4 193 | 194 | - name: "SCORED | 5.2.5 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less" 195 | lineinfile: 196 | state: present 197 | dest: /etc/ssh/sshd_config 198 | regexp: '^(#)?MaxAuthTries \d' 199 | line: 'MaxAuthTries 4' 200 | when: 201 | - centos7cis_level1 is defined and centos7cis_level1 202 | tags: 203 | - level1 204 | - patch 205 | - rule_5.2.5 206 | 207 | - name: "SCORED | 5.2.6 | PATCH | Ensure SSH IgnoreRhosts is enabled" 208 | lineinfile: 209 | state: present 210 | dest: /etc/ssh/sshd_config 211 | regexp: '^IgnoreRhosts' 212 | line: 'IgnoreRhosts yes' 213 | when: 214 | - centos7cis_level1 is defined and centos7cis_level1 215 | tags: 216 | - level1 217 | - patch 218 | - rule_5.2.6 219 | 220 | - name: "SCORED | 5.2.7 | PATCH | Ensure SSH HostbasedAuthentication is disabled" 221 | lineinfile: 222 | state: present 223 | dest: /etc/ssh/sshd_config 224 | regexp: '^HostbasedAuthentication' 225 
| line: 'HostbasedAuthentication no' 226 | when: 227 | - centos7cis_level1 is defined and centos7cis_level1 228 | tags: 229 | - level1 230 | - patch 231 | - rule_5.2.7 232 | 233 | - name: "SCORED | 5.2.8 | PATCH | Ensure SSH root login is disabled" 234 | lineinfile: 235 | state: present 236 | dest: /etc/ssh/sshd_config 237 | regexp: '^PermitRootLogin' 238 | line: 'PermitRootLogin no' 239 | when: 240 | - centos7cis_permit_ssh_root_login_disabled is defined and centos7cis_permit_ssh_root_login_disabled 241 | tags: 242 | - level1 243 | - patch 244 | - rule_5.2.8 245 | 246 | - name: "SCORED | 5.2.9 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" 247 | lineinfile: 248 | state: present 249 | dest: /etc/ssh/sshd_config 250 | regexp: '^PermitEmptyPasswords' 251 | line: 'PermitEmptyPasswords no' 252 | when: 253 | - centos7cis_level1 is defined and centos7cis_level1 254 | tags: 255 | - level1 256 | - patch 257 | - rule_5.2.9 258 | 259 | - name: "SCORED | 5.2.10 | PATCH | Ensure SSH PermitUserEnvironment is disabled" 260 | lineinfile: 261 | state: present 262 | dest: /etc/ssh/sshd_config 263 | regexp: '^PermitUserEnvironment' 264 | line: 'PermitUserEnvironment no' 265 | when: 266 | - centos7cis_level1 is defined and centos7cis_level1 267 | tags: 268 | - level1 269 | - patch 270 | - rule_5.2.10 271 | 272 | # Removed 5.2.11 from CIS Benchmark 273 | # - name: "SCORED | 5.2.11 | PATCH | Ensure only approved ciphers are used" 274 | # lineinfile: 275 | # state: present 276 | # dest: /etc/ssh/sshd_config 277 | # regexp: '^Ciphers' 278 | # line: 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr' 279 | # tags: 280 | # - level1 281 | # - level2 282 | # - medium 283 | # - patch 284 | # - rule_5.2.11 285 | 286 | - name: "SCORED | 5.2.11 | PATCH | Ensure only approved MAC algorithms are used" 287 | lineinfile: 288 | state: present 289 | dest: /etc/ssh/sshd_config 290 | regexp: '^MACs' 291 | line: 'MACs {{ centos7cis_ssh_mac_algorithms | quote }}' 292 | #line: 'MACs 
hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com' 293 | when: 294 | - centos7cis_level1 is defined and centos7cis_level1 295 | - centos7cis_ssh_mac_algorithms is defined 296 | tags: 297 | - level1 298 | - patch 299 | - rule_5.2.11 300 | 301 | - name: "SCORED | 5.2.12 | PATCH | Ensure SSH Idle Timeout Interval is configured" 302 | lineinfile: 303 | state: absent 304 | dest: /etc/ssh/sshd_config 305 | regexp: '^ClientAliveInterval (?!300)' 306 | when: 307 | - centos7cis_level1 is defined and centos7cis_level1 308 | tags: 309 | - level1 310 | - patch 311 | - rule_5.2.12 312 | 313 | - name: "SCORED | 5.2.12 | PATCH | Ensure SSH Idle Timeout Interval is configured" 314 | lineinfile: 315 | state: present 316 | dest: /etc/ssh/sshd_config 317 | regexp: '^ClientAliveInterval(.*)?$' 318 | line: 'ClientAliveInterval 300' 319 | when: 320 | - centos7cis_level1 is defined and centos7cis_level1 321 | tags: 322 | - level1 323 | - patch 324 | - rule_5.2.12 325 | 326 | - name: "SCORED | 5.2.12 | PATCH | Ensure SSH Idle Timeout Interval is configured" 327 | replace: 328 | dest: /etc/ssh/sshd_config 329 | regexp: '^ClientAliveInterval(.*)?$' 330 | replace: 'ClientAliveInterval 300' 331 | backup: yes 332 | ignore_errors: yes 333 | when: 334 | - centos7cis_level1 is defined and centos7cis_level1 335 | tags: 336 | - level1 337 | - patch 338 | - rule_5.2.12 339 | 340 | - name: "SCORED | 5.2.12 | PATCH | Ensure SSH Idle Timeout Interval is configured" 341 | lineinfile: 342 | state: absent 343 | dest: /etc/ssh/sshd_config 344 | regexp: '^ClientAliveCountMax (?!0)' 345 | when: 346 | - centos7cis_level1 is defined and centos7cis_level1 347 | tags: 348 | - level1 349 | - patch 350 | - rule_5.2.12 351 | 352 | - name: "SCORED | 5.2.12 | PATCH | Ensure SSH Idle Timeout Interval is configured" 353 | lineinfile: 354 | state: present 355 | dest: /etc/ssh/sshd_config 356 | regexp: '^ClientAliveCountMax(.*)?$' 357 | 
line: 'ClientAliveCountMax 0' 358 | when: 359 | - centos7cis_level1 is defined and centos7cis_level1 360 | tags: 361 | - level1 362 | - patch 363 | - rule_5.2.12 364 | 365 | - name: "SCORED | 5.2.12 | PATCH | Ensure SSH Idle Timeout Interval is configured" 366 | replace: 367 | dest: /etc/ssh/sshd_config 368 | regexp: '^ClientAliveCountMax(.*)?$' 369 | replace: 'ClientAliveCountMax 0' 370 | backup: yes 371 | ignore_errors: yes 372 | when: 373 | - centos7cis_level1 is defined and centos7cis_level1 374 | tags: 375 | - level1 376 | - patch 377 | - rule_5.2.12 378 | 379 | - name: "SCORED | 5.2.13 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less" 380 | lineinfile: 381 | state: present 382 | dest: /etc/ssh/sshd_config 383 | regexp: '^LoginGraceTime' 384 | line: 'LoginGraceTime 60' 385 | when: 386 | - centos7cis_level1 is defined and centos7cis_level1 387 | tags: 388 | - level1 389 | - patch 390 | - rule_5.2.13 391 | 392 | - name: "SCORED | 5.2.14 | PATCH | Ensure SSH access is limited" 393 | command: /bin/true 394 | changed_when: no 395 | when: 396 | - centos7cis_level1 is defined and centos7cis_level1 397 | tags: 398 | - level1 399 | - patch 400 | - rule_5.2.14 401 | 402 | - name: "SCORED | 5.2.15 | PATCH | Ensure SSH warning banner is configured" 403 | lineinfile: 404 | state: present 405 | dest: /etc/ssh/sshd_config 406 | regexp: '^Banner' 407 | line: 'Banner /etc/issue.net' 408 | when: 409 | - centos7cis_level1 is defined and centos7cis_level1 410 | tags: 411 | - level1 412 | - patch 413 | - rule_5.2.15 414 | 415 | - name: "SCORED | 5.3.1 | PATCH | Ensure password creation requirements are configured" 416 | lineinfile: 417 | state: present 418 | dest: /etc/security/pwquality.conf 419 | regexp: '^{{ item.key }}' 420 | line: '{{ item.key }} = {{ item.value }}' 421 | with_items: 422 | - { key: 'minlen', value: '14' } 423 | - { key: 'dcredit', value: '-1' } 424 | - { key: 'ucredit', value: '-1' } 425 | - { key: 'ocredit', value: '-1' } 426 | - { key: 
'lcredit', value: '-1' } 427 | when: 428 | - centos7cis_level1 is defined and centos7cis_level1 429 | - centos7cis_password_creation_requirements is defined and centos7cis_password_creation_requirements 430 | tags: 431 | - level1 432 | - patch 433 | - rule_5.3.1 434 | 435 | # auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900 436 | # auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900 437 | 438 | 439 | # START # auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900 # 440 | 441 | - name: "SCORED | 5.3.2 | Ensure lockout for failed password attempts is configured" 442 | pamd: 443 | name: '{{ item }}' 444 | type: auth 445 | control: sufficient 446 | module_path: pam_unix.so 447 | new_type: auth 448 | new_control: required 449 | new_module_path: pam_faillock.so 450 | module_arguments: preauth audit silent deny=5 unlock_time=900 451 | state: before 452 | ignore_errors: yes 453 | loop: 454 | - system-auth 455 | - password-auth 456 | when: 457 | - centos7cis_level1 is defined and centos7cis_level1 458 | - centos7cis_ad_ldap_joined_machine is defined and not centos7cis_ad_ldap_joined_machine 459 | tags: 460 | - level1 461 | - patch 462 | - rule_5.3.2 463 | - low 464 | 465 | - name: "SCORED | 5.3.2 | Ensure lockout for failed password attempts is configured" 466 | pamd: 467 | name: '{{ item }}' 468 | type: auth 469 | control: required 470 | module_path: pam_faillock.so 471 | module_arguments: preauth audit silent deny=5 unlock_time=900 472 | state: args_present 473 | ignore_errors: yes 474 | loop: 475 | - system-auth 476 | - password-auth 477 | when: 478 | - centos7cis_level1 is defined and centos7cis_level1 479 | - centos7cis_ad_ldap_joined_machine is defined and not centos7cis_ad_ldap_joined_machine 480 | tags: 481 | - level1 482 | - patch 483 | - rule_5.3.2 484 | - low 485 | 486 | - name: "SCORED | 5.3.2 | Ensure lockout for failed password attempts is configured - Removal" 487 | pamd: 488 | name: '{{ item 
}}' 489 | type: auth 490 | control: required 491 | module_path: pam_faillock.so 492 | module_arguments: preauth audit silent deny=5 unlock_time=900 493 | state: absent 494 | ignore_errors: yes 495 | loop: 496 | - system-auth 497 | - password-auth 498 | when: 499 | - centos7cis_level1 is defined and centos7cis_level1 500 | - centos7cis_ad_ldap_joined_machine is defined and centos7cis_ad_ldap_joined_machine 501 | tags: 502 | - level1 503 | - patch 504 | - rule_5.3.2 505 | - low 506 | 507 | 508 | # END # auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900 # 509 | 510 | # START # auth [success=1 default=bad] pam_unix.so # 511 | 512 | - name: 'SCORED | 5.3.2 | Ensure lockout for failed password attempts is configured - pam_unix.so' 513 | pamd: 514 | name: '{{ item }}' 515 | type: auth 516 | control: sufficient 517 | module_path: 'pam_unix.so' 518 | new_control: '[success=1 default=bad]' 519 | ignore_errors: yes 520 | loop: 521 | - system-auth 522 | - password-auth 523 | 524 | when: 525 | - centos7cis_level1 is defined and centos7cis_level1 526 | tags: 527 | - level1 528 | - patch 529 | - rule_5.3.2 530 | - low 531 | 532 | - name: 'SCORED | 5.3.2 | Ensure lockout for failed password attempts is configured - pam_unix.so' 533 | pamd: 534 | name: '{{ item }}' 535 | type: auth 536 | control: sufficient 537 | module_path: 'pam_unix.so' 538 | new_type: auth 539 | new_control: '[success=1 default=bad]' 540 | new_module_path: pam_unix.so 541 | module_arguments: 'nullok try_first_pass' 542 | state: before 543 | ignore_errors: yes 544 | loop: 545 | - system-auth 546 | - password-auth 547 | when: 548 | - centos7cis_level1 is defined and centos7cis_level1 549 | tags: 550 | - level1 551 | - patch 552 | - rule_5.3.2 553 | - low 554 | 555 | - name: 'SCORED | 5.3.2 | Ensure lockout for failed password attempts is configured - pam_unix.so' 556 | pamd: 557 | name: '{{ item }}' 558 | type: auth 559 | control: '[success=1 default=bad]' 560 | module_path: pam_unix.so 
    module_arguments: 'nullok try_first_pass'
    state: updated
  ignore_errors: yes
  loop:
    - system-auth
    - password-auth
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - level1
    - patch
    - rule_5.3.2
    - low

# Re-asserts the same arguments with args_present. After the "updated" task above
# this is a no-op on every run; it only matters if that task was skipped or failed
# (its error is ignored).
- name: 'SCORED | 5.3.2 | Ensure lockout for failed password attempts is configured - pam_unix.so'
  pamd:
    name: '{{ item }}'
    type: auth
    control: '[success=1 default=bad]'
    module_path: pam_unix.so
    module_arguments: 'nullok try_first_pass'
    state: args_present
  ignore_errors: yes
  loop:
    - system-auth
    - password-auth
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - level1
    - patch
    - rule_5.3.2
    - low

# Disabled in the original: removing the "sufficient pam_unix.so" rule outright would
# leave the stack without a password check, so this must stay commented out.
# - name: 'SCORED | 5.3.2 | Ensure lockout for failed password attempts is configured - Removal - pam_unix.so'
#   pamd:
#     name: '{{ item }}'
#     type: auth
#     control: sufficient
#     module_path: 'pam_unix.so'
#     state: absent
#   ignore_errors: yes
#   loop:
#     - system-auth
#     - password-auth
#   when:
#     - centos7cis_level1 is defined and centos7cis_level1
#   tags:
#     - level1
#     - patch
#     - rule_5.3.2
#     - low

# END # auth [success=1 default=bad] pam_unix.so #

# START # auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900 #

# authfail records the failed attempt and (with [default=die]) ends the stack. It is
# inserted right after the pam_unix rule; the next two tasks differ only in which
# control the pam_unix anchor carries, so exactly one of them finds its anchor.
# Not applied on AD/LDAP-joined machines (centos7cis_ad_ldap_joined_machine).
- name: "SCORED | 5.3.2 | Ensure lockout for failed password attempts is configured"
  pamd:
    name: '{{ item }}'
    type: auth
    control: '[success=1 default=bad]'
    module_path: pam_unix.so
    new_type: auth
    new_control: '[default=die]'
    new_module_path: pam_faillock.so
    module_arguments: authfail audit deny=5 unlock_time=900
    state: after
  ignore_errors: yes
  loop:
    - system-auth
    - password-auth
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_ad_ldap_joined_machine is defined and not centos7cis_ad_ldap_joined_machine
  tags:
    - level1
    - patch
    - rule_5.3.2
    - low

# Fallback anchor: the pam_unix rule still reads "sufficient" (the earlier control
# change did not take effect). NOTE(review): with a "sufficient" pam_unix rule a
# correct password ends the stack before faillock runs, so authsucc never resets the
# counter in that configuration - worth verifying on a host where this task fired.
- name: "SCORED | 5.3.2 | Ensure lockout for failed password attempts is configured"
  pamd:
    name: '{{ item }}'
    type: auth
    control: sufficient
    module_path: pam_unix.so
    new_type: auth
    new_control: '[default=die]'
    new_module_path: pam_faillock.so
    module_arguments: authfail audit deny=5 unlock_time=900
    state: after
  ignore_errors: yes
  loop:
    - system-auth
    - password-auth
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_ad_ldap_joined_machine is defined and not centos7cis_ad_ldap_joined_machine
  tags:
    - level1
    - patch
    - rule_5.3.2
    - low

# Re-assert the authfail arguments (idempotent re-run of the insert above).
- name: "SCORED | 5.3.2 | Ensure lockout for failed password attempts is configured"
  pamd:
    name: '{{ item }}'
    type: auth
    control: '[default=die]'
    module_path: pam_faillock.so
    module_arguments: authfail audit deny=5 unlock_time=900
    state: args_present
  ignore_errors: yes
  loop:
    - system-auth
    - password-auth
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_ad_ldap_joined_machine is defined and not centos7cis_ad_ldap_joined_machine
  tags:
    - level1
    - patch
    - rule_5.3.2
    - low

# AD/LDAP-joined machines: remove the authfail rule again (the when: below continues
# with the centos7cis_ad_ldap_joined_machine condition).
- name: "SCORED | 5.3.2 | Ensure lockout for failed password attempts is configured - Removal"
  pamd:
    name: '{{ item }}'
    type: auth
    control: '[default=die]'
    module_path: pam_faillock.so
    module_arguments: authfail audit deny=5 unlock_time=900
    state: absent
  ignore_errors: yes
  loop:
    - system-auth
    - password-auth
  when:
    - centos7cis_level1 is defined and centos7cis_level1
701 | - centos7cis_ad_ldap_joined_machine is defined and centos7cis_ad_ldap_joined_machine 702 | tags: 703 | - level1 704 | - patch 705 | - rule_5.3.2 706 | - low 707 | 708 | # END # auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900 # 709 | 710 | # START # auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900 # 711 | 712 | - name: "SCORED | 5.3.2 | Ensure lockout for failed password attempts is configured" 713 | pamd: 714 | name: '{{ item }}' 715 | type: auth 716 | control: '[default=die]' 717 | module_path: pam_faillock.so 718 | new_type: auth 719 | new_control: sufficient 720 | new_module_path: pam_faillock.so 721 | module_arguments: authsucc audit deny=5 unlock_time=900 722 | state: after 723 | ignore_errors: yes 724 | loop: 725 | - system-auth 726 | - password-auth 727 | when: 728 | - centos7cis_level1 is defined and centos7cis_level1 729 | - centos7cis_ad_ldap_joined_machine is defined and not centos7cis_ad_ldap_joined_machine 730 | tags: 731 | - level1 732 | - patch 733 | - rule_5.3.2 734 | - low 735 | 736 | - name: "SCORED | 5.3.2 | Ensure lockout for failed password attempts is configured" 737 | pamd: 738 | name: '{{ item }}' 739 | type: auth 740 | control: sufficient 741 | module_path: pam_faillock.so 742 | module_arguments: authsucc audit deny=5 unlock_time=900 743 | state: args_present 744 | ignore_errors: yes 745 | loop: 746 | - system-auth 747 | - password-auth 748 | when: 749 | - centos7cis_level1 is defined and centos7cis_level1 750 | - centos7cis_ad_ldap_joined_machine is defined and not centos7cis_ad_ldap_joined_machine 751 | tags: 752 | - level1 753 | - patch 754 | - rule_5.3.2 755 | - low 756 | 757 | - name: "SCORED | 5.3.2 | Ensure lockout for failed password attempts is configured - Removal" 758 | pamd: 759 | name: '{{ item }}' 760 | type: auth 761 | control: sufficient 762 | module_path: pam_faillock.so 763 | module_arguments: authsucc audit deny=5 unlock_time=900 764 | state: absent 765 | ignore_errors: 
yes 766 | loop: 767 | - system-auth 768 | - password-auth 769 | when: 770 | - centos7cis_level1 is defined and centos7cis_level1 771 | - centos7cis_ad_ldap_joined_machine is defined and centos7cis_ad_ldap_joined_machine 772 | tags: 773 | - level1 774 | - patch 775 | - rule_5.3.2 776 | - low 777 | 778 | # END # auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900 # 779 | 780 | # OLD # START # 781 | # - name: "SCORED | 5.3.2 | Ensure lockout for failed password attempts is configured | system-auth" 782 | # pamd: 783 | # name: system-auth 784 | # type: auth 785 | # control: required 786 | # module_path: pam_faillock.so 787 | # module_arguments: 'preauth 788 | # audit 789 | # silent 790 | # deny=5 791 | # unlock_time=900' 792 | # state: updated 793 | # ignore_errors: yes 794 | # when: 795 | # - centos7cis_level1 is defined and centos7cis_level1 796 | # tags: 797 | # - level1 798 | # - patch 799 | # - rule_5.3.2 800 | # - low 801 | 802 | # - name: "SCORED | 5.3.2 | Ensure lockout for failed password attempts is configured | system-auth" 803 | # pamd: 804 | # name: system-auth 805 | # type: auth 806 | # control: '[success=1 default=bad]' 807 | # module_path: pam_unix.so 808 | # state: updated 809 | # ignore_errors: yes 810 | # when: 811 | # - centos7cis_level1 is defined and centos7cis_level1 812 | # tags: 813 | # - level1 814 | # - patch 815 | # - rule_5.3.2 816 | # - low 817 | 818 | # - name: "SCORED | 5.3.2 | Ensure lockout for failed password attempts is configured | system-auth" 819 | # pamd: 820 | # name: system-auth 821 | # type: auth 822 | # control: '[default=die]' 823 | # module_path: pam_faillock.so 824 | # module_arguments: 'authfail 825 | # audit 826 | # deny=5 827 | # unlock_time=900' 828 | # state: updated 829 | # ignore_errors: yes 830 | # when: 831 | # - centos7cis_level1 is defined and centos7cis_level1 832 | # tags: 833 | # - level1 834 | # - patch 835 | # - rule_5.3.2 836 | # - low 837 | 838 | # - name: "SCORED | 5.3.2 | Ensure 
lockout for failed password attempts is configured | system-auth" 839 | # pamd: 840 | # name: system-auth 841 | # type: auth 842 | # control: sufficient 843 | # module_path: pam_faillock.so 844 | # module_arguments: 'authsucc 845 | # audit 846 | # deny=5 847 | # unlock_time=900' 848 | # state: updated 849 | # ignore_errors: yes 850 | # when: 851 | # - centos7cis_level1 is defined and centos7cis_level1 852 | # tags: 853 | # - level1 854 | # - patch 855 | # - rule_5.3.2 856 | # - low 857 | 858 | # - name: "SCORED | 5.3.2 | Ensure lockout for failed password attempts is configured | password-auth" 859 | # pamd: 860 | # name: password-auth 861 | # type: auth 862 | # control: required 863 | # module_path: pam_faillock.so 864 | # module_arguments: 'preauth 865 | # audit 866 | # silent 867 | # deny=5 868 | # unlock_time=900' 869 | # state: updated 870 | # ignore_errors: yes 871 | # when: 872 | # - centos7cis_level1 is defined and centos7cis_level1 873 | # tags: 874 | # - level1 875 | # - patch 876 | # - rule_5.3.2 877 | # - low 878 | 879 | # - name: "SCORED | 5.3.2 | Ensure lockout for failed password attempts is configured | password-auth" 880 | # pamd: 881 | # name: password-auth 882 | # type: auth 883 | # control: '[success=1 default=bad]' 884 | # module_path: pam_unix.so 885 | # state: updated 886 | # ignore_errors: yes 887 | # when: 888 | # - centos7cis_level1 is defined and centos7cis_level1 889 | # tags: 890 | # - level1 891 | # - patch 892 | # - rule_5.3.2 893 | # - low 894 | 895 | # - name: "SCORED | 5.3.2 | Ensure lockout for failed password attempts is configured | password-auth" 896 | # pamd: 897 | # name: password-auth 898 | # type: auth 899 | # control: '[default=die]' 900 | # module_path: pam_faillock.so 901 | # module_arguments: 'authfail 902 | # audit 903 | # deny=5 904 | # unlock_time=900' 905 | # state: updated 906 | # ignore_errors: yes 907 | # when: 908 | # - centos7cis_level1 is defined and centos7cis_level1 909 | # tags: 910 | # - level1 911 | # - 
patch 912 | # - rule_5.3.2 913 | # - low 914 | 915 | # - name: "SCORED | 5.3.2 | Ensure lockout for failed password attempts is configured | password-auth" 916 | # pamd: 917 | # name: password-auth 918 | # type: auth 919 | # control: sufficient 920 | # module_path: pam_faillock.so 921 | # module_arguments: 'authsucc 922 | # audit 923 | # deny=5 924 | # unlock_time=900' 925 | # state: updated 926 | # ignore_errors: yes 927 | # when: 928 | # - centos7cis_level1 is defined and centos7cis_level1 929 | # tags: 930 | # - level1 931 | # - patch 932 | # - rule_5.3.2 933 | # - low 934 | # END # OLD # 935 | 936 | # START # password sufficient pam_unix.so remember=5 # 937 | # Determine if pam_unix.so or pam_pwhistory.so should be utilized 938 | - name: 'SCORED | 5.3.3 | Ensure password reuse is limited' 939 | shell: 'grep -q "^password\s*sufficient\s*pam_unix\.so" /etc/pam.d/system-auth' 940 | register: system_auth_password_check_pam_unix 941 | failed_when: 'system_auth_password_check_pam_unix.rc > 1' 942 | changed_when: false 943 | ignore_errors: yes 944 | become: yes 945 | when: 946 | - centos7cis_level1 is defined and centos7cis_level1 947 | tags: 948 | - level1 949 | - patch 950 | - rule_5.3.3 951 | - low 952 | 953 | - name: 'SCORED | 5.3.3 | Ensure password reuse is limited' 954 | shell: 'grep -q "^password\s+required\s+pam_pwhistory\.so" /etc/pam.d/system-auth' 955 | register: system_auth_password_check_pam_pwhistory 956 | failed_when: 'system_auth_password_check_pam_pwhistory.rc > 1' 957 | changed_when: false 958 | ignore_errors: yes 959 | become: yes 960 | when: 961 | - centos7cis_level1 is defined and centos7cis_level1 962 | tags: 963 | - level1 964 | - patch 965 | - rule_5.3.3 966 | - low 967 | 968 | # START # DEBUG STATEMENTS # 969 | # - debug: 970 | # var: system_auth_password_check_pam_unix 971 | # when: 972 | # - centos7cis_level1 is defined and centos7cis_level1 973 | # tags: 974 | # - level1 975 | # - patch 976 | # - rule_5.3.3 977 | # - low 978 | 979 | 980 | 
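# (The commented-out debug task for system_auth_password_check_pam_pwhistory that
# used to sit here was removed.)

# Password history via pam_unix.so remember=5 - applied only when the probe above
# found "password sufficient pam_unix.so" in system-auth.
- name: 'SCORED | 5.3.3 | Ensure password reuse is limited'
  pamd:
    name: '{{ item }}'
    type: password
    control: sufficient
    module_path: 'pam_unix.so'
    module_arguments: 'remember=5'
    state: args_present
  ignore_errors: yes
  loop:
    - system-auth
    - password-auth
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - system_auth_password_check_pam_unix.rc is defined and system_auth_password_check_pam_unix.rc == 0
  tags:
    - level1
    - patch
    - rule_5.3.3
    - low

# Password history via pam_pwhistory.so - applied when the probe found
# "password required pam_pwhistory.so" in system-auth.
- name: 'SCORED | 5.3.3 | Ensure password reuse is limited'
  pamd:
    name: '{{ item }}'
    type: password
    control: required
    module_path: 'pam_pwhistory.so'
    module_arguments: 'remember=5'
    state: args_present
  ignore_errors: yes
  loop:
    - system-auth
    - password-auth
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - system_auth_password_check_pam_pwhistory.rc is defined and system_auth_password_check_pam_pwhistory.rc == 0
  tags:
    - level1
    - patch
    - rule_5.3.3
    - low

# END # password sufficient pam_unix.so remember=5 #

# (The commented-out per-file pam_pwhistory "state: updated" variants that used to
# follow here were removed; the looped tasks above cover both files.)

# START # password sufficient pam_unix.so sha512 #

# 5.3.4 - new password hashes use SHA-512. Existing hashes are only upgraded when
# the user next changes their password.
- name: 'SCORED | 5.3.4 | PATCH | Ensure password hashing algorithm is SHA-512'
  pamd:
    name: '{{ item }}'
    type: password
    control: sufficient
    module_path: 'pam_unix.so'
    module_arguments: 'sha512'
    state: args_present
  ignore_errors: yes
  loop:
    - system-auth
    - password-auth
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - level1
    - patch
    - rule_5.3.4

# END # password sufficient pam_unix.so sha512 #

# (The commented-out "authconfig --passalgo=sha512 --update" variant that used to
# follow here was removed; the pamd task above replaces it.)

# 5.4.1 - /etc/login.defs values apply to accounts created afterwards; existing
# accounts keep their chage(1) settings and must be adjusted separately.

# 5.4.1.1 - 90 days is stricter than the benchmark's 365-day ceiling. Opt-in via
# centos7cis_password_expiration.
- name: "SCORED | 5.4.1.1 | PATCH | Ensure password expiration is 365 days or less"
  lineinfile:
    state: present
    dest: /etc/login.defs
    regexp: '^PASS_MAX_DAYS'
    line: 'PASS_MAX_DAYS 90'
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_password_expiration is defined and centos7cis_password_expiration
  tags:
    - level1
    - patch
    - rule_5.4.1.1

# 5.4.1.2 - opt-in via centos7cis_password_minimum_days_password_change; a minimum
# age stops users cycling through passwords to defeat the history check.
- name: "SCORED | 5.4.1.2 | PATCH | Ensure minimum days between password changes is 7 or more"
  lineinfile:
    state: present
    dest: /etc/login.defs
    regexp: '^PASS_MIN_DAYS'
    line: 'PASS_MIN_DAYS 7'
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - centos7cis_password_minimum_days_password_change is defined and centos7cis_password_minimum_days_password_change
  tags:
    - level1
    - patch
    - rule_5.4.1.2

- name: "SCORED | 5.4.1.3 | PATCH | Ensure password expiration warning days is 7 or more"
  lineinfile:
    state: present
    dest: /etc/login.defs
    regexp: '^PASS_WARN_AGE'
    line: 'PASS_WARN_AGE 7'
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - level1
    - patch
    - rule_5.4.1.3

# 5.4.1.4 - "useradd -D -f 30" writes INACTIVE=30 to /etc/default/useradd; writing
# that line directly is idempotent, whereas the command reported changed on every run.
- name: "SCORED | 5.4.1.4 | PATCH | Ensure inactive password lock is 30 days or less"
  lineinfile:
    state: present
    dest: /etc/default/useradd
    regexp: '^INACTIVE='
    line: 'INACTIVE=30'
    create: yes
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - level1
    - patch
    - rule_5.4.1.4
    - low

# 5.4.1.5 - manual control: a future last-change date in /etc/shadow would let a
# password outlive the expiry policy.
- name: "SCORED | 5.4.1.5 | Ensure all users last password change date is in the past (Scored)"
  debug:
    msg: 'Confirm all password change dates are in the past.'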
1160 | when: 1161 | - centos7cis_level1 is defined and centos7cis_level1 1162 | tags: 1163 | - level1 1164 | - patch 1165 | - rule_5.4.1.5 1166 | - low 1167 | 1168 | - name: "SCORED | 5.4.2 | PATCH | Ensure system accounts are non-login" 1169 | copy: 1170 | src: scripts/five_four_two.sh 1171 | dest: /opt/five_four_two.sh 1172 | owner: root 1173 | group: root 1174 | mode: 0700 1175 | changed_when: no 1176 | when: 1177 | - centos7cis_level1 is defined and centos7cis_level1 1178 | - centos7cis_ensure_system_accounts_are_non_login is defined and centos7cis_ensure_system_accounts_are_non_login 1179 | tags: 1180 | - level1 1181 | - patch 1182 | - rule_5.4.2 1183 | - low 1184 | 1185 | - name: "SCORED | 5.4.2 | PATCH | Ensure system accounts are non-login" 1186 | shell: /opt/five_four_two.sh 1187 | args: 1188 | executable: /bin/bash 1189 | when: 1190 | - centos7cis_level1 is defined and centos7cis_level1 1191 | - centos7cis_ensure_system_accounts_are_non_login is defined and centos7cis_ensure_system_accounts_are_non_login 1192 | tags: 1193 | - level1 1194 | - patch 1195 | - rule_5.4.2 1196 | - low 1197 | 1198 | - name: "SCORED | 5.4.2 | PATCH | Ensure system accounts are non-login" 1199 | file: 1200 | path: /opt/five_four_two.sh 1201 | owner: root 1202 | group: root 1203 | state: absent 1204 | changed_when: no 1205 | when: 1206 | - centos7cis_level1 is defined and centos7cis_level1 1207 | - centos7cis_ensure_system_accounts_are_non_login is defined and centos7cis_ensure_system_accounts_are_non_login 1208 | tags: 1209 | - level1 1210 | - patch 1211 | - rule_5.4.2 1212 | - low 1213 | 1214 | - name: "SCORED | 5.4.3 | PATCH | Ensure default group for the root account is GID 0" 1215 | command: usermod -g 0 root 1216 | when: 1217 | - centos7cis_level1 is defined and centos7cis_level1 1218 | tags: 1219 | - level1 1220 | - patch 1221 | - rule_5.4.3 1222 | 1223 | - name: "SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive" 1224 | lineinfile: 1225 | state: 
present 1226 | dest: /etc/bashrc 1227 | regexp: 'umask' 1228 | line: 'umask {{ centos7cis_default_user_umask }}' 1229 | when: 1230 | - centos7cis_level1 is defined and centos7cis_level1 1231 | - centos7cis_modify_default_user_umask is defined and centos7cis_modify_default_user_umask 1232 | tags: 1233 | - level1 1234 | - patch 1235 | - rule_5.4.4 1236 | - low 1237 | 1238 | - name: "SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive" 1239 | lineinfile: 1240 | state: present 1241 | dest: /etc/profile 1242 | regexp: 'umask' 1243 | line: 'umask {{ centos7cis_default_user_umask }}' 1244 | when: 1245 | - centos7cis_level1 is defined and centos7cis_level1 1246 | - centos7cis_modify_default_user_umask is defined and centos7cis_modify_default_user_umask 1247 | tags: 1248 | - level1 1249 | - patch 1250 | - rule_5.4.4 1251 | - low 1252 | 1253 | - name: "SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive" 1254 | find: 1255 | paths: /etc/profile.d/ 1256 | recurse: yes 1257 | patterns: "*.sh" 1258 | register: profiled_dir 1259 | when: 1260 | - centos7cis_level1 is defined and centos7cis_level1 1261 | - centos7cis_modify_default_user_umask is defined and centos7cis_modify_default_user_umask 1262 | tags: 1263 | - level1 1264 | - patch 1265 | - rule_5.4.4 1266 | - low 1267 | 1268 | - name: "SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive" 1269 | lineinfile: 1270 | state: present 1271 | dest: "{{ item.path }}" 1272 | regexp: 'umask' 1273 | line: 'umask {{ centos7cis_default_user_umask }}' 1274 | backup: yes 1275 | with_items: "{{ profiled_dir.files }}" 1276 | ignore_errors: yes 1277 | when: 1278 | - centos7cis_level1 is defined and centos7cis_level1 1279 | - centos7cis_modify_default_user_umask is defined and centos7cis_modify_default_user_umask 1280 | tags: 1281 | - level1 1282 | - patch 1283 | - rule_5.4.4 1284 | - low 1285 | 1286 | - name: "SCORED | 5.4.5 | PATCH | Ensure default user shell timeout 
is 900 seconds or less" 1287 | lineinfile: 1288 | state: present 1289 | dest: /etc/bashrc 1290 | regexp: '^TMOUT' 1291 | line: 'TMOUT=600' 1292 | when: 1293 | - centos7cis_level2 is defined and centos7cis_level2 1294 | tags: 1295 | - level2 1296 | - patch 1297 | - rule_5.4.5 1298 | - low 1299 | 1300 | - name: "SCORED | 5.4.5 | PATCH | Ensure default user shell timeout is 900 seconds or less" 1301 | lineinfile: 1302 | state: present 1303 | dest: /etc/profile 1304 | regexp: '^TMOUT' 1305 | line: 'TMOUT=600' 1306 | when: 1307 | - centos7cis_level2 is defined and centos7cis_level2 1308 | tags: 1309 | - level2 1310 | - patch 1311 | - rule_5.4.5 1312 | - low 1313 | 1314 | - name: "SCORED | 5.6 | PATCH | Ensure access to the su command is restricted" 1315 | lineinfile: 1316 | state: present 1317 | dest: /etc/group 1318 | regexp: '^wheel:x:10:(.*)$' 1319 | line: 'wheel:x:10:\1,root' 1320 | backrefs: yes 1321 | when: 1322 | - centos7cis_level1 is defined and centos7cis_level1 1323 | tags: 1324 | - level1 1325 | - patch 1326 | - rule_5.6 1327 | - low 1328 | 1329 | - name: "SCORED | 5.6 | PATCH | Ensure access to the su command is restricted" 1330 | lineinfile: 1331 | state: present 1332 | dest: /etc/pam.d/su 1333 | regexp: '^#auth\s+required\s+pam_wheel\.so' 1334 | line: 'auth required pam_wheel.so use_uid' 1335 | when: 1336 | - centos7cis_level1 is defined and centos7cis_level1 1337 | tags: 1338 | - level1 1339 | - patch 1340 | - rule_5.6 1341 | -------------------------------------------------------------------------------- /tasks/section6.yml: -------------------------------------------------------------------------------- 1 | - name: "NOTSCORED | 6.1.1 | PATCH | Audit system file permissions" 2 | command: /bin/true 3 | changed_when: no 4 | when: 5 | - centos7cis_level2 is defined and centos7cis_level2 6 | tags: 7 | - level2 8 | - patch 9 | - rule_6.1.1 10 | 11 | - name: "SCORED | 6.1.2 | PATCH | Ensure permissions on /etc/passwd are configured" 12 | file: 13 | dest: 
/etc/passwd 14 | owner: root 15 | group: root 16 | mode: 0644 17 | when: 18 | - centos7cis_level1 is defined and centos7cis_level1 19 | tags: 20 | - level1 21 | - low 22 | - patch 23 | - rule_6.1.2 24 | 25 | - name: "SCORED | 6.1.3 | PATCH | Ensure permissions on /etc/shadow are configured" 26 | file: 27 | dest: /etc/shadow 28 | owner: root 29 | group: root 30 | mode: 0000 31 | when: 32 | - centos7cis_level1 is defined and centos7cis_level1 33 | tags: 34 | - level1 35 | - low 36 | - patch 37 | - rule_6.1.3 38 | 39 | - name: "SCORED | 6.1.4 | PATCH | Ensure permissions on /etc/group are configured" 40 | file: 41 | dest: /etc/group 42 | owner: root 43 | group: root 44 | mode: 0644 45 | when: 46 | - centos7cis_level1 is defined and centos7cis_level1 47 | tags: 48 | - level1 49 | - low 50 | - patch 51 | - rule_6.1.4 52 | 53 | - name: "SCORED | 6.1.5 | PATCH | Ensure permissions on /etc/gshadow are configured" 54 | file: 55 | dest: /etc/gshadow 56 | owner: root 57 | group: root 58 | mode: 0000 59 | when: 60 | - centos7cis_level1 is defined and centos7cis_level1 61 | tags: 62 | - level1 63 | - low 64 | - patch 65 | - rule_6.1.5 66 | 67 | - name: "SCORED | 6.1.6 | PATCH | Ensure permissions on /etc/passwd- are configured" 68 | file: 69 | dest: /etc/passwd- 70 | owner: root 71 | group: root 72 | mode: 0644 73 | when: 74 | - centos7cis_level1 is defined and centos7cis_level1 75 | tags: 76 | - level1 77 | - low 78 | - patch 79 | - rule_6.1.6 80 | 81 | - name: "SCORED | 6.1.7 | PATCH | Ensure permissions on /etc/shadow- are configured" 82 | file: 83 | dest: /etc/shadow- 84 | owner: root 85 | group: root 86 | mode: 0000 87 | when: 88 | - centos7cis_level1 is defined and centos7cis_level1 89 | tags: 90 | - level1 91 | - low 92 | - patch 93 | - rule_6.1.7 94 | 95 | - name: "SCORED | 6.1.8 | PATCH | Ensure permissions on /etc/group- are configured" 96 | file: 97 | dest: /etc/group- 98 | owner: root 99 | group: root 100 | mode: 0644 101 | when: 102 | - centos7cis_level1 is defined 
and centos7cis_level1 103 | tags: 104 | - level1 105 | - low 106 | - patch 107 | - rule_6.1.8 108 | 109 | - name: "SCORED | 6.1.9 | PATCH | Ensure permissions on /etc/gshadow- are configured" 110 | file: 111 | dest: /etc/gshadow- 112 | owner: root 113 | group: root 114 | mode: 0000 115 | when: 116 | - centos7cis_level1 is defined and centos7cis_level1 117 | tags: 118 | - level1 119 | - low 120 | - patch 121 | - rule_6.1.9 122 | 123 | - name: "SCORED | 6.1.10 | PATCH | Ensure no world writable files exist" 124 | command: /bin/true 125 | changed_when: no 126 | when: 127 | - centos7cis_level1 is defined and centos7cis_level1 128 | tags: 129 | - level1 130 | - patch 131 | - rule_6.1.10 132 | 133 | - name: "SCORED | 6.1.11 | PATCH | Ensure no unowned files or directories exist" 134 | command: /bin/true 135 | changed_when: no 136 | when: 137 | - centos7cis_level1 is defined and centos7cis_level1 138 | tags: 139 | - level1 140 | - patch 141 | - rule_6.1.11 142 | 143 | - name: "SCORED | 6.1.12 | PATCH | Ensure no ungrouped files or directories exist" 144 | command: /bin/true 145 | changed_when: no 146 | when: 147 | - centos7cis_level1 is defined and centos7cis_level1 148 | tags: 149 | - level1 150 | - patch 151 | - rule_6.1.12 152 | 153 | - name: "NOTSCORED | 6.1.13 | PATCH | Audit SUID executables" 154 | command: /bin/true 155 | changed_when: no 156 | when: 157 | - centos7cis_level1 is defined and centos7cis_level1 158 | tags: 159 | - level1 160 | - patch 161 | - rule_6.1.13 162 | 163 | - name: "NOTSCORED | 6.1.14 | PATCH | Audit SGID executables" 164 | command: /bin/true 165 | changed_when: no 166 | when: 167 | - centos7cis_level1 is defined and centos7cis_level1 168 | tags: 169 | - level1 170 | - patch 171 | - rule_6.1.14 172 | 173 | - name: "SCORED | 6.2.1 | PATCH | Ensure password fields are not empty" 174 | command: passwd -l {{ item }} 175 | with_items: "{{ empty_password_accounts.stdout_lines }}" 176 | when: 177 | - centos7cis_level1 is defined and 
centos7cis_level1 178 | - empty_password_accounts is defined 179 | - empty_password_accounts.rc 180 | tags: 181 | - level1 182 | - low 183 | - patch 184 | - rule_6.2.1 185 | 186 | - name: "SCORED | 6.2.2 | PATCH | Ensure no legacy '+' entries exist in /etc/passwd" 187 | command: "sed -i '/^+/ d' /etc/passwd" 188 | become: yes 189 | args: 190 | warn: no 191 | ignore_errors: yes 192 | when: 193 | - centos7cis_level1 is defined and centos7cis_level1 194 | tags: 195 | - level1 196 | - patch 197 | - rule_6.2.2 198 | 199 | - name: "SCORED | 6.2.3 | PATCH | Ensure no legacy '+' entries exist in /etc/shadow" 200 | command: "sed -i '/^+/ d' /etc/shadow" 201 | become: yes 202 | args: 203 | warn: no 204 | ignore_errors: yes 205 | when: 206 | - centos7cis_level1 is defined and centos7cis_level1 207 | tags: 208 | - level1 209 | - low 210 | - patch 211 | - rule_6.2.3 212 | 213 | - name: "SCORED | 6.2.4 | PATCH | Ensure no legacy '+' entries exist in /etc/group" 214 | command: "sed -i '/^+/ d' /etc/group" 215 | become: yes 216 | args: 217 | warn: no 218 | ignore_errors: yes 219 | when: 220 | - centos7cis_level1 is defined and centos7cis_level1 221 | tags: 222 | - level1 223 | - low 224 | - patch 225 | - rule_6.2.4 226 | 227 | - name: "SCORED | 6.2.5 | PATCH | Ensure root is the only UID 0 account" 228 | command: passwd -l {{ item }} 229 | with_items: "{{ uid_zero_accounts_except_root.stdout_lines }}" 230 | when: 231 | - centos7cis_level1 is defined and centos7cis_level1 232 | - uid_zero_accounts_except is defined 233 | - uid_zero_accounts_except_root.rc 234 | tags: 235 | - level1 236 | - low 237 | - patch 238 | - rule_6.2.5 239 | 240 | - name: "SCORED | 6.2.6 | PATCH | Ensure root PATH Integrity" 241 | copy: 242 | src: scripts/6.2.6.sh 243 | dest: /opt/6.2.6.sh 244 | owner: root 245 | group: root 246 | mode: 0700 247 | tags: 248 | - rule_6.2.6 249 | - low 250 | - level1 251 | - low 252 | 253 | - name: "SCORED | 6.2.6 | PATCH | Ensure root PATH Integrity" 254 | copy: 255 | src: 
scripts/6.2.6.sh 256 | dest: /opt/6.2.6.sh 257 | owner: root 258 | group: root 259 | mode: 0700 260 | changed_when: no 261 | when: 262 | - centos7cis_level1 is defined and centos7cis_level1 263 | tags: 264 | - rule_6.2.6 265 | - low 266 | - level1 267 | - low 268 | 269 | - name: "SCORED | 6.2.6 | PATCH | Ensure root PATH Integrity" 270 | shell: /opt/6.2.6.sh 271 | args: 272 | executable: /bin/bash 273 | register: root_path_integrity 274 | when: 275 | - centos7cis_level1 is defined and centos7cis_level1 276 | tags: 277 | - rule_6.2.6 278 | - low 279 | - level1 280 | - low 281 | 282 | # - name: "SCORED | 6.2.6 | PATCH | Ensure root PATH Integrity" 283 | # debug: 284 | # var: root_path_integrity.stdout_lines 285 | # when: 286 | # - centos7cis_level1 is defined and centos7cis_level1 287 | # - root_path_integrity is defined 288 | # - root_path_integrity.stdout != "" 289 | # tags: 290 | # - rule_6.2.6 291 | # - low 292 | # - level1 293 | # - low 294 | 295 | - name: "SCORED | 6.2.6 | PATCH | Ensure root PATH Integrity" 296 | debug: 297 | msg: "PASS | 6.2.6 | root PATH integrity" 298 | when: 299 | - centos7cis_level1 is defined and centos7cis_level1 300 | - root_path_integrity is defined 301 | - root_path_integrity.stdout == "" 302 | tags: 303 | - rule_6.2.6 304 | - low 305 | - level1 306 | - low 307 | 308 | - name: "SCORED | 6.2.6 | PATCH | Ensure root PATH Integrity" 309 | file: 310 | path: /opt/6.2.6.sh 311 | owner: root 312 | group: root 313 | state: absent 314 | changed_when: no 315 | when: 316 | - centos7cis_level1 is defined and centos7cis_level1 317 | tags: 318 | - rule_6.2.6 319 | - low 320 | - level1 321 | - low 322 | 323 | - name: "SCORED | 6.2.7 | PATCH | Ensure all users' home directories exist" 324 | copy: 325 | src: scripts/6.2.7.sh 326 | dest: /opt/6.2.7.sh 327 | owner: root 328 | group: root 329 | mode: 0700 330 | changed_when: no 331 | when: 332 | - centos7cis_level1 is defined and centos7cis_level1 333 | tags: 334 | - rule_6.2.7 335 | - low 336 | - 
level1 337 | - low 338 | 339 | - name: "SCORED | 6.2.7 | PATCH | Ensure all users' home directories exist" 340 | shell: /opt/6.2.7.sh 341 | args: 342 | executable: /bin/bash 343 | register: home_directories_exist 344 | when: 345 | - centos7cis_level1 is defined and centos7cis_level1 346 | tags: 347 | - rule_6.2.7 348 | - low 349 | - level1 350 | - low 351 | 352 | # - name: "SCORED | 6.2.7 | PATCH | Ensure all users' home directories exist" 353 | # debug: 354 | # var: home_directories_exist.stdout_lines 355 | # when: 356 | # - centos7cis_level1 is defined and centos7cis_level1 357 | # - home_directories_exist is defined 358 | # - home_directories_exist.stdout != "" 359 | # tags: 360 | # - rule_6.2.7 361 | # - low 362 | # - level1 363 | # - low 364 | 365 | - name: "SCORED | 6.2.7 | PATCH | Ensure all users' home directories exist" 366 | debug: 367 | msg: "PASS | 6.2.7 | All users' home directories exist." 368 | when: 369 | - centos7cis_level1 is defined and centos7cis_level1 370 | - home_directories_exist is defined 371 | - home_directories_exist.stdout == "" 372 | tags: 373 | - rule_6.2.7 374 | - low 375 | - level1 376 | - low 377 | 378 | - name: "SCORED | 6.2.7 | PATCH | Ensure all users' home directories exist" 379 | file: 380 | path: /opt/6.2.7.sh 381 | owner: root 382 | group: root 383 | state: absent 384 | changed_when: no 385 | when: 386 | - centos7cis_level1 is defined and centos7cis_level1 387 | tags: 388 | - rule_6.2.7 389 | - low 390 | - level1 391 | - low 392 | 393 | - name: "SCORED | 6.2.8 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" 394 | copy: 395 | src: scripts/6.2.8.sh 396 | dest: /opt/6.2.8.sh 397 | owner: root 398 | group: root 399 | mode: 0700 400 | changed_when: no 401 | when: 402 | - centos7cis_level1 is defined and centos7cis_level1 403 | - centos7cis_modify_user_homes is defined and centos7cis_modify_user_homes 404 | tags: 405 | - rule_6.2.8 406 | - level1 407 | - patch 408 | - low 409 | 410 | - name: 
"SCORED | 6.2.8 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" 411 | shell: /opt/6.2.8.sh 412 | args: 413 | executable: /bin/bash 414 | register: home_directories_permissions 415 | when: 416 | - centos7cis_level1 is defined and centos7cis_level1 417 | - centos7cis_modify_user_homes is defined and centos7cis_modify_user_homes 418 | tags: 419 | - rule_6.2.8 420 | - level1 421 | - patch 422 | - low 423 | 424 | # - name: "SCORED | 6.2.8 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" 425 | # debug: 426 | # var: home_directories_permissions.stdout_lines 427 | # when: 428 | # - centos7cis_level1 is defined and centos7cis_level1 429 | # - centos7cis_modify_user_homes is defined and home_directories_permissions is defined 430 | # - centos7cis_modify_user_homes 431 | # tags: 432 | # - rule_6.2.8 433 | # - level1 434 | # - patch 435 | # - low 436 | 437 | - name: "SCORED | 6.2.8 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" 438 | debug: 439 | msg: "PASS | 6.2.8 | Users' home directories permissions are 750 or more restrictive." 
440 | when: 441 | - centos7cis_level1 is defined and centos7cis_level1 442 | - centos7cis_modify_user_homes is defined and centos7cis_modify_user_homes 443 | - home_directories_permissions is defined and home_directories_permissions.stdout == "" 444 | tags: 445 | - rule_6.2.8 446 | - level1 447 | - patch 448 | - low 449 | 450 | - name: "SCORED | 6.2.8 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" 451 | file: 452 | path: /opt/6.2.8.sh 453 | owner: root 454 | group: root 455 | state: absent 456 | changed_when: no 457 | when: 458 | - centos7cis_level1 is defined and centos7cis_level1 459 | - centos7cis_modify_user_homes is defined and centos7cis_modify_user_homes 460 | tags: 461 | - rule_6.2.8 462 | - level1 463 | - patch 464 | - low 465 | 466 | - name: "SCORED | 6.2.9 | PATCH | Ensure users own their home directories" 467 | copy: 468 | src: scripts/6.2.9.sh 469 | dest: /opt/6.2.9.sh 470 | owner: root 471 | group: root 472 | mode: 0700 473 | changed_when: no 474 | when: 475 | - centos7cis_level1 is defined and centos7cis_level1 476 | tags: 477 | - rule_6.2.9 478 | - level1 479 | - patch 480 | - low 481 | 482 | - name: "SCORED | 6.2.9 | PATCH | Ensure users own their home directories" 483 | shell: /opt/6.2.9.sh 484 | args: 485 | executable: /bin/bash 486 | register: home_directories_own 487 | no_log: yes 488 | when: 489 | - centos7cis_level1 is defined and centos7cis_level1 490 | tags: 491 | - rule_6.2.9 492 | - level1 493 | - patch 494 | - low 495 | 496 | # - name: "SCORED | 6.2.9 | PATCH | Ensure users own their home directories" 497 | # debug: 498 | # var: home_directories_own.stdout_lines 499 | # when: 500 | # - centos7cis_level1 is defined and centos7cis_level1 501 | # tags: 502 | # - rule_6.2.9 503 | # - level1 504 | # - patch 505 | 506 | - name: "SCORED | 6.2.9 | PATCH | Ensure users own their home directories" 507 | debug: 508 | msg: "PASS | 6.2.9 | Users' own their home directories." 
509 | when: 510 | - centos7cis_level1 is defined and centos7cis_level1 511 | - home_directories_own is defined and home_directories_own.stdout == "" 512 | tags: 513 | - rule_6.2.9 514 | - level1 515 | - patch 516 | - low 517 | 518 | - name: "SCORED | 6.2.9 | PATCH | Ensure users own their home directories" 519 | file: 520 | path: /opt/6.2.9.sh 521 | owner: root 522 | group: root 523 | state: absent 524 | changed_when: no 525 | when: 526 | - centos7cis_level1 is defined and centos7cis_level1 527 | tags: 528 | - rule_6.2.9 529 | - level1 530 | - patch 531 | - low 532 | 533 | - name: "SCORED | 6.2.10 | PATCH | Ensure users' dot files are not group or world writable" 534 | copy: 535 | src: scripts/6.2.10.sh 536 | dest: /opt/6.2.10.sh 537 | owner: root 538 | group: root 539 | mode: 0700 540 | changed_when: no 541 | when: 542 | - centos7cis_level1 is defined and centos7cis_level1 543 | tags: 544 | - rule_6.2.10 545 | - patch 546 | - level1 547 | - low 548 | 549 | - name: "SCORED | 6.2.10 | PATCH | Ensure users' dot files are not group or world writable" 550 | shell: /opt/6.2.10.sh 551 | args: 552 | executable: /bin/bash 553 | register: user_dot_files 554 | no_log: yes 555 | when: 556 | - centos7cis_level1 is defined and centos7cis_level1 557 | tags: 558 | - rule_6.2.10 559 | - patch 560 | - level1 561 | - low 562 | 563 | # - name: "SCORED | 6.2.10 | PATCH | Ensure users' dot files are not group or world writable" 564 | # debug: 565 | # var: user_dot_files.stdout_lines 566 | # when: 567 | # - centos7cis_level1 is defined and centos7cis_level1 568 | # tags: 569 | # - rule_6.2.10 570 | # - level1 571 | # - patch 572 | # - low 573 | 574 | - name: "SCORED | 6.2.10 | PATCH | Ensure users' dot files are not group or world writable" 575 | debug: 576 | msg: "PASS | 6.2.10 | Users' dot files are not group or world writable." 
577 | when: 578 | - centos7cis_level1 is defined and centos7cis_level1 579 | - user_dot_files is defined and user_dot_files.stdout == "" 580 | tags: 581 | - rule_6.2.10 582 | - level1 583 | - patch 584 | - low 585 | 586 | - name: "SCORED | 6.2.10 | PATCH | Ensure users' dot files are not group or world writable" 587 | file: 588 | path: /opt/6.2.10.sh 589 | owner: root 590 | group: root 591 | state: absent 592 | changed_when: no 593 | when: 594 | - centos7cis_level1 is defined and centos7cis_level1 595 | tags: 596 | - rule_6.2.10 597 | - patch 598 | - level1 599 | - low 600 | 601 | - name: "SCORED | 6.2.11 | PATCH | Ensure no users have .forward files" 602 | file: 603 | state: absent 604 | dest: "~{{ item }}/.forward" 605 | with_items: "{{ users.stdout_lines }}" 606 | no_log: yes 607 | when: 608 | - centos7cis_level1 is defined and centos7cis_level1 609 | - centos7cis_modify_dot_forward_files is defined and centos7cis_modify_dot_forward_files 610 | tags: 611 | - rule_6.2.11 612 | - patch 613 | - level1 614 | - low 615 | 616 | - name: "SCORED | 6.2.12 | PATCH | Ensure no users have .netrc files" 617 | file: 618 | state: absent 619 | dest: "~{{ item }}/.netrc" 620 | with_items: "{{ users.stdout_lines }}" 621 | no_log: yes 622 | when: 623 | - centos7cis_level1 is defined and centos7cis_level1 624 | - centos7cis_modify_dot_netrc_files is defined and centos7cis_modify_dot_netrc_files 625 | tags: 626 | - rule_6.2.12 627 | - patch 628 | - level1 629 | - low 630 | 631 | - name: "SCORED | 6.2.13 | PATCH | Ensure users' .netrc files are not group or world accessible" 632 | copy: 633 | src: scripts/6.2.13.sh 634 | dest: /opt/6.2.13.sh 635 | owner: root 636 | group: root 637 | mode: 0700 638 | changed_when: no 639 | when: 640 | - centos7cis_level1 is defined and centos7cis_level1 641 | - centos7cis_modify_dot_netrc_files_group is defined and centos7cis_modify_dot_netrc_files_group 642 | tags: 643 | - rule_6.2.13 644 | - patch 645 | - level1 646 | - low 647 | 648 | - name: 
"SCORED | 6.2.13 | PATCH | Ensure users' .netrc files are not group or world accessible" 649 | shell: /opt/6.2.13.sh 650 | args: 651 | executable: /bin/bash 652 | register: dot_netrc_files 653 | no_log: yes 654 | when: 655 | - centos7cis_level1 is defined and centos7cis_level1 656 | - centos7cis_modify_dot_netrc_files_group is defined and centos7cis_modify_dot_netrc_files_group 657 | tags: 658 | - rule_6.2.13 659 | - patch 660 | - level1 661 | - low 662 | 663 | # - name: "SCORED | 6.2.13 | PATCH | Ensure users' .netrc files are not group or world accessible" 664 | # debug: 665 | # var: dot_netrc_files.stdout_lines 666 | # when: 667 | # - centos7cis_level1 is defined and centos7cis_level1 668 | # tags: 669 | # - rule_6.2.13 670 | # - patch 671 | # - level1 672 | # - low 673 | 674 | - name: "SCORED | 6.2.13 | PATCH | Ensure users' .netrc files are not group or world accessible" 675 | debug: 676 | msg: "PASS | 6.2.13 | Users' .netrc files are not group or world accessible." 677 | when: 678 | - centos7cis_level1 is defined and centos7cis_level1 679 | - centos7cis_modify_dot_netrc_files_group is defined and centos7cis_modify_dot_netrc_files_group 680 | - dot_netrc_files is defined and dot_netrc_files.stdout == "" 681 | tags: 682 | - rule_6.2.13 683 | - patch 684 | - level1 685 | - low 686 | 687 | - name: "SCORED | 6.2.13 | PATCH | Ensure users' .netrc Files are not group or world accessible" 688 | file: 689 | path: /opt/6.2.13.sh 690 | owner: root 691 | group: root 692 | state: absent 693 | changed_when: no 694 | when: 695 | - centos7cis_level1 is defined and centos7cis_level1 696 | - centos7cis_modify_dot_netrc_files_group is defined and centos7cis_modify_dot_netrc_files_group 697 | tags: 698 | - rule_6.2.13 699 | - patch 700 | - level1 701 | - low 702 | 703 | - name: "SCORED | 6.2.14 | PATCH | Ensure no users have .rhosts files" 704 | file: 705 | state: absent 706 | dest: "~{{ item }}/.rhosts" 707 | with_items: "{{ users.stdout_lines }}" 708 | no_log: yes 709 | when: 
710 | - centos7cis_level1 is defined and centos7cis_level1 711 | - centos7cis_modify_dot_rhosts_files is defined and centos7cis_modify_dot_rhosts_files 712 | tags: 713 | - rule_6.2.14 714 | - patch 715 | - level1 716 | - low 717 | 718 | - name: "SCORED | 6.2.15 | PATCH | Ensure all groups in /etc/passwd exist in /etc/group" 719 | copy: 720 | src: scripts/6.2.15.sh 721 | dest: /opt/6.2.15.sh 722 | owner: root 723 | group: root 724 | mode: 0700 725 | changed_when: no 726 | when: 727 | - centos7cis_level1 is defined and centos7cis_level1 728 | tags: 729 | - rule_6.2.15 730 | - patch 731 | - level1 732 | - low 733 | 734 | - name: "SCORED | 6.2.15 | PATCH | Ensure all groups in /etc/passwd exist in /etc/group" 735 | shell: /opt/6.2.15.sh 736 | args: 737 | executable: /bin/bash 738 | register: check_groups_in_passwd 739 | no_log: yes 740 | when: 741 | - centos7cis_level1 is defined and centos7cis_level1 742 | tags: 743 | - rule_6.2.15 744 | - patch 745 | - level1 746 | - low 747 | 748 | # - name: "SCORED | 6.2.15 | PATCH | Ensure all groups in /etc/passwd exist in /etc/group" 749 | # debug: 750 | # var: check_groups_in_passwd.stdout_lines 751 | # when: 752 | # - centos7cis_level1 is defined and centos7cis_level1 753 | # tags: 754 | # - rule_6.2.15 755 | # - patch 756 | # - level1 757 | # - low 758 | 759 | - name: "SCORED | 6.2.15 | PATCH | Ensure all groups in /etc/passwd exist in /etc/group" 760 | debug: 761 | msg: "PASS | 6.2.15 | All groups exist in /etc/group." 
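# Continuation of the 6.2.15 "PASS" report task: its name/debug lines precede
# this chunk and are not shown here.
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - check_groups_in_passwd is defined and check_groups_in_passwd.stdout == ""
  tags:
    - rule_6.2.15
    - patch
    - level1
    - low

- name: "SCORED | 6.2.15 | PATCH | Ensure all groups in /etc/passwd exist in /etc/group"
  file:
    path: /opt/6.2.15.sh
    owner: root
    group: root
    state: absent
  changed_when: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - rule_6.2.15
    - patch
    - level1
    - low

# Rules 6.2.16-6.2.19 share one pattern: stage the check script from scripts/
# into /opt as a root-only (0700) file, run it, report, then remove it.
# The scripts are not shown here; the PASS condition below assumes each one
# prints one line per finding and nothing at all when the check is clean.
# The copy/remove tasks are marked changed_when: no because the staged script
# is transient and not part of the host's desired state.
#
# A FAIL report task is included for each rule so that findings are visible
# in the play log; previously only the PASS case was printed and duplicates
# went unreported.

- name: "SCORED | 6.2.16 | PATCH | Ensure no duplicate UIDs exist"
  copy:
    src: scripts/6.2.16.sh
    dest: /opt/6.2.16.sh
    owner: root
    group: root
    mode: 0700
  changed_when: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - rule_6.2.16
    - patch
    - level1
    - low

- name: "SCORED | 6.2.16 | PATCH | Ensure no duplicate UIDs exist"
  shell: /opt/6.2.16.sh
  args:
    executable: /bin/bash
  register: duplicate_uids
  # no_log hides the script's output in the play log. The data is account
  # names/IDs from world-readable /etc/passwd, so this mainly costs
  # diagnosability if the script itself errors; findings are reported by the
  # FAIL task below instead.
  no_log: yes
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - rule_6.2.16
    - patch
    - level1
    - low

- name: "SCORED | 6.2.16 | PATCH | Ensure no duplicate UIDs exist"
  debug:
    msg: "FAIL | 6.2.16 | Duplicate UIDs found: {{ duplicate_uids.stdout_lines }}"
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - duplicate_uids is defined and duplicate_uids.stdout != ""
  tags:
    - rule_6.2.16
    - patch
    - level1
    - low

- name: "SCORED | 6.2.16 | PATCH | Ensure no duplicate UIDs exist"
  debug:
    msg: "PASS | 6.2.16 | No duplicate UIDs exist."
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - duplicate_uids is defined and duplicate_uids.stdout == ""
  tags:
    - rule_6.2.16
    - patch
    - level1
    - low

- name: "SCORED | 6.2.16 | PATCH | Ensure no duplicate UIDs exist"
  file:
    path: /opt/6.2.16.sh
    owner: root
    group: root
    state: absent
  changed_when: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - rule_6.2.16
    - patch
    - level1
    - low

- name: "SCORED | 6.2.17 | PATCH | Ensure no duplicate GIDs exist"
  copy:
    src: scripts/6.2.17.sh
    dest: /opt/6.2.17.sh
    owner: root
    group: root
    mode: 0700
  changed_when: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - rule_6.2.17
    - patch
    - level1
    - low

- name: "SCORED | 6.2.17 | PATCH | Ensure no duplicate GIDs exist"
  shell: /opt/6.2.17.sh
  args:
    executable: /bin/bash
  register: duplicate_gids
  # Output is group names/GIDs from world-readable /etc/group; no_log only
  # hides errors from the script itself. Findings are printed by the FAIL
  # task below.
  no_log: yes
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - rule_6.2.17
    - patch
    - level1
    - low

- name: "SCORED | 6.2.17 | PATCH | Ensure no duplicate GIDs exist"
  debug:
    msg: "FAIL | 6.2.17 | Duplicate GIDs found: {{ duplicate_gids.stdout_lines }}"
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - duplicate_gids is defined and duplicate_gids.stdout != ""
  tags:
    - rule_6.2.17
    - patch
    - level1
    - low

- name: "SCORED | 6.2.17 | PATCH | Ensure no duplicate GIDs exist"
  debug:
    msg: "PASS | 6.2.17 | No duplicate GIDs exist."
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - duplicate_gids is defined and duplicate_gids.stdout == ""
  tags:
    - rule_6.2.17
    - patch
    - level1
    - low

- name: "SCORED | 6.2.17 | PATCH | Ensure no duplicate GIDs exist"
  file:
    path: /opt/6.2.17.sh
    owner: root
    group: root
    state: absent
  changed_when: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - rule_6.2.17
    - patch
    - level1
    - low

- name: "SCORED | 6.2.18 | PATCH | Ensure no duplicate user names exist"
  copy:
    src: scripts/6.2.18.sh
    dest: /opt/6.2.18.sh
    owner: root
    group: root
    mode: 0700
  changed_when: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - rule_6.2.18
    - patch
    - level1
    - low

- name: "SCORED | 6.2.18 | PATCH | Ensure no duplicate user names exist"
  shell: /opt/6.2.18.sh
  args:
    executable: /bin/bash
  register: duplicate_users
  # Output is user names from world-readable /etc/passwd; see the note on
  # the 6.2.16 shell task. Findings are printed by the FAIL task below.
  no_log: yes
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - rule_6.2.18
    - patch
    - level1
    - low

- name: "SCORED | 6.2.18 | PATCH | Ensure no duplicate user names exist"
  debug:
    msg: "FAIL | 6.2.18 | Duplicate user names found: {{ duplicate_users.stdout_lines }}"
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - duplicate_users is defined and duplicate_users.stdout != ""
  tags:
    - rule_6.2.18
    - patch
    - level1
    - low

- name: "SCORED | 6.2.18 | PATCH | Ensure no duplicate user names exist"
  debug:
    msg: "PASS | 6.2.18 | No duplicate user names exist"
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - duplicate_users is defined and duplicate_users.stdout == ""
  tags:
    - rule_6.2.18
    - patch
    - level1
    - low

- name: "SCORED | 6.2.18 | PATCH | Ensure no duplicate user names exist"
  file:
    path: /opt/6.2.18.sh
    owner: root
    group: root
    state: absent
  changed_when: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - rule_6.2.18
    - patch
    - level1
    - low

- name: "SCORED | 6.2.19 | PATCH | Ensure no duplicate group names exist"
  copy:
    src: scripts/6.2.19.sh
    dest: /opt/6.2.19.sh
    owner: root
    group: root
    mode: 0700
  changed_when: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - rule_6.2.19
    - patch
    - level1
    - low

- name: "SCORED | 6.2.19 | PATCH | Ensure no duplicate group names exist"
  shell: /opt/6.2.19.sh
  args:
    executable: /bin/bash
  register: duplicate_groups
  # Output is group names from world-readable /etc/group; see the note on
  # the 6.2.16 shell task. Findings are printed by the FAIL task below.
  no_log: yes
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - rule_6.2.19
    - patch
    - level1
    - low

- name: "SCORED | 6.2.19 | PATCH | Ensure no duplicate group names exist"
  debug:
    msg: "FAIL | 6.2.19 | Duplicate group names found: {{ duplicate_groups.stdout_lines }}"
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - duplicate_groups is defined and duplicate_groups.stdout != ""
  tags:
    - rule_6.2.19
    - patch
    - level1
    - low

- name: "SCORED | 6.2.19 | PATCH | Ensure no duplicate group names exist"
  debug:
    msg: "PASS | 6.2.19 | No duplicate group names exist"
  when:
    - centos7cis_level1 is defined and centos7cis_level1
    - duplicate_groups is defined and duplicate_groups.stdout == ""
  tags:
    - rule_6.2.19
    - patch
    - level1
    - low

- name: "SCORED | 6.2.19 | PATCH | Ensure no duplicate group names exist"
  file:
    path: /opt/6.2.19.sh
    owner: root
    group: root
    state: absent
  changed_when: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - rule_6.2.19
    - patch
    - level1
    - low

--------------------------------------------------------------------------------
/templates/chrony.conf.j2:
--------------------------------------------------------------------------------
# chrony.conf managed by the CentOS7-CIS role.
#
# The layout of this file is inherited from the Debian chrony package's
# sample configuration; the Debian-specific paths and the references to
# invoke-rc.d, /etc/ppp/ip-*.d and /etc/init.d/chrony have been dropped
# because they do not apply to CentOS 7 (systemd, chronyd.service). The
# daemon runs as the unprivileged "chrony" user via OPTIONS="-u chrony" in
# /etc/sysconfig/chronyd (see templates/etc/sysconfig/chronyd.j2).
#
# Note that if chronyd tries to go "online" and the DNS lookup of a server
# fails, that source is discarded. On hosts whose resolver may not be up at
# boot it is therefore safer to list IP addresses than host names in
# centos7cis_time_synchronization_servers.

{% for server in centos7cis_time_synchronization_servers -%}
server {{ server }} minpoll 8
{% endfor %}

# Key file for NTP symmetric-key authentication. The CentOS 7 chrony package
# ships it at /etc/chrony.keys; the Debian path /etc/chrony/chrony.keys used
# previously does not exist on CentOS and only produced a "could not open
# keyfile" warning at start-up.

keyfile /etc/chrony.keys

# NOTE(review): "commandkey" is a pre-3.0 directive. chrony 3.x (the version
# shipped with CentOS 7) authenticates chronyc over a local Unix socket
# instead and is expected to log that support for this command was removed.
# It is kept here for compatibility with older builds; confirm against the
# installed version and drop it if it only produces a warning.

commandkey 1

# Drift file lives under chrony's own state directory so the unprivileged
# daemon can write it.

driftfile /var/lib/chrony/chrony.drift

# Comment this line out to turn off logging.

log tracking measurements statistics
logdir /var/log/chrony

# Stop bad estimates upsetting machine clock.

maxupdateskew 100.0

# Dump measurements when daemon exits.

dumponexit

# Specify directory for dumping measurements.

dumpdir /var/lib/chrony

# Serve time (claiming stratum 10) to clients even when unsynchronised.
# chronyd accepts no NTP client requests unless an "allow" directive is
# present, so with the allow lines below commented out this has no external
# effect; revisit it before enabling any of them.

local stratum 10

# Allow computers on the unrouted nets to use the server.

#allow 10/8
#allow 192.168/16
#allow 172.16/12

# This directive forces `chronyd' to send a message to syslog if it
# makes a system clock adjustment larger than a threshold value in seconds.

logchange 0.5

# This directive defines an email address to which mail should be sent
# if chronyd applies a correction exceeding a particular threshold to the
# system clock.

# mailonchange root@localhost 0.5

# This directive tells chrony to regulate the real-time clock and tells it
# where to store related data. It may not work on some newer motherboards
# that use the HPET real-time clock. It requires enhanced real-time
# support in the kernel. It is commented out because with certain
# combinations of motherboard and kernel it is reported to cause lockups.

# rtcfile /var/lib/chrony/chrony.rtc

# If the last line of this file reads 'rtconutc' chrony will assume that
# the CMOS clock is on UTC (GMT). If it reads '# rtconutc' or is absent
# chrony will assume local time. Adjust if the hardware clock of the target
# hosts is kept in local time.
rtconutc

--------------------------------------------------------------------------------
/templates/etc/cron.allow.j2:
--------------------------------------------------------------------------------
root

--------------------------------------------------------------------------------
/templates/etc/issue.j2:
--------------------------------------------------------------------------------
{{ centos7cis_warning_banner }}

--------------------------------------------------------------------------------
/templates/etc/issue.net.j2:
--------------------------------------------------------------------------------
{{ centos7cis_warning_banner }}

--------------------------------------------------------------------------------
/templates/etc/motd.j2:
--------------------------------------------------------------------------------
{{ centos7cis_warning_banner }}

--------------------------------------------------------------------------------
/templates/etc/sysconfig/chronyd.j2:
--------------------------------------------------------------------------------
# Command-line options for chronyd
OPTIONS="-u chrony"

--------------------------------------------------------------------------------
/templates/hosts.allow.j2:
--------------------------------------------------------------------------------
#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
# Rendered by the CentOS7-CIS role: one rule admitting every wrapped service
# from each entry of centos7cis_host_allow, e.g.
#   ALL: 10.0.0.0/8,192.168.0.0/16
# Each entry is emitted exactly once. (The previous template expanded the
# loop variable twice per entry, fusing adjacent ranges into a single
# unparseable pattern such as "10.0.0.0/810.0.0.0/8".) This rule only
# restricts anything if /etc/hosts.deny denies by default, which is not
# shown here.
#
ALL: {% for iprange in centos7cis_host_allow -%}{{ iprange }}{% if not loop.last %},{% endif %}{% endfor %}

--------------------------------------------------------------------------------
/templates/ntp.conf.j2:
--------------------------------------------------------------------------------
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
# The kod/nomodify/notrap/nopeer/noquery set on both address families is
# what the CIS ntp rule checks for.
#restrict default nomodify notrap nopeer noquery
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would affect some of
# the administrative functions.
restrict 127.0.0.1
restrict ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
{% for server in centos7cis_time_synchronization_servers -%}
server {{ server }} iburst
{% endfor %}

#broadcast 192.168.1.255 autokey	# broadcast server
#broadcastclient			# broadcast client
#broadcast 224.0.1.1 autokey		# multicast server
#multicastclient 224.0.1.1		# multicast client
#manycastserver 239.255.254.254		# manycast server
#manycastclient 239.255.254.254 autokey # manycast client

# Enable public key cryptography.
#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats

# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor

--------------------------------------------------------------------------------
/vars/main.yml:
--------------------------------------------------------------------------------
---
# vars file for CentOS7-CIS (role-internal values; user-tunable settings
# belong in defaults/main.yml)
--------------------------------------------------------------------------------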