├── .gitignore ├── .gitmodules ├── .travis.yml ├── LICENSE ├── NOTES.md ├── README.md ├── ansible.cfg ├── hosts ├── playbook.yml ├── roles └── cis │ ├── README.md │ ├── defaults │ └── main.yml │ ├── files │ └── etc │ │ ├── audit │ │ └── audit.rules │ │ ├── issue │ │ ├── issue.net │ │ ├── logrotate.d │ │ └── syslog │ │ ├── motd │ │ ├── pam.d │ │ ├── password-auth │ │ └── system-auth │ │ └── rsyslog.conf │ ├── handlers │ └── main.yml │ ├── meta │ └── main.yml │ ├── tasks │ ├── cve.yml │ ├── main.yml │ ├── section_01.yml │ ├── section_01_level1.yml │ ├── section_01_level2.yml │ ├── section_02.yml │ ├── section_02_level1.yml │ ├── section_02_level2.yml │ ├── section_03.yml │ ├── section_03_level1.yml │ ├── section_03_level2.yml │ ├── section_04.yml │ ├── section_04_level1.yml │ ├── section_04_level2.yml │ ├── section_05.yml │ ├── section_05_level1.yml │ ├── section_05_level2.yml │ ├── section_06.yml │ ├── section_06_level1.yml │ ├── section_06_level2.yml │ ├── section_07.yml │ ├── section_07_level1.yml │ ├── section_07_level2.yml │ ├── section_08.yml │ ├── section_08_level1.yml │ ├── section_08_level2.yml │ ├── section_09.yml │ ├── section_09_level1.yml │ └── section_09_level2.yml │ └── vars │ └── main.yml └── tests ├── hosts └── test.yml /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "roles/cis"] 2 | path = roles/cis 3 | url = git://github.com/sanderv32/cis-rhel-ansible.git 4 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | language: python 2 | python: '2.7' 3 | sudo: required 4 | env: 5 | - PYTHONUNBUFFERED=1 6 | services: 7 | - docker 8 | before_install: 9 | - sudo apt-get update -qq 
10 | install: 11 | - pip install -U pip 12 | - pip install ansible 13 | - pip install ansible-lint 14 | - gem install yaml-lint 15 | script: 16 | - printf "[defaults]\nroles_path=./roles" > ansible.cfg 17 | - ansible-playbook -i tests/hosts tests/test.yml --syntax-check 18 | - find . -name "*.yml" | xargs yaml-lint 19 | - docker run --detach --privileged --name centos7 --env PYTHONUNBUFFERED=1 --env ANSIBLE_CONFIG=/ansibletest/ansible.cfg --volume="${PWD}":/ansibletest:ro --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro centos:7 /usr/lib/systemd/systemd > /tmp/container_id 20 | - docker exec centos7 touch /etc/sysconfig/init /etc/default/grub 21 | - docker exec centos7 yum -y install epel-release 22 | - docker exec centos7 yum -y install git ansible sudo audit openssh-server cronie 23 | - printf "[defaults]\nroles_path=/ansibletest/roles" > ansible.cfg 24 | - docker exec centos7 ansible-playbook -v -i /ansibletest/tests/hosts /ansibletest/tests/test.yml --skip-tags=section1.1.1,section1.1.2,section1.1.3,section1.1.4,section1.1.5,section1.1.6,section1.1.7,section1.1.8,section1.1.9,section1.1.10,section1.1.11,section1.1.12,section1.1.13 25 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, and 10 | distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by the copyright 13 | owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all other entities 16 | that control, are controlled by, or are under common control with that entity. 
17 | For the purposes of this definition, "control" means (i) the power, direct or 18 | indirect, to cause the direction or management of such entity, whether by 19 | contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the 20 | outstanding shares, or (iii) beneficial ownership of such entity. 21 | 22 | "You" (or "Your") shall mean an individual or Legal Entity exercising 23 | permissions granted by this License. 24 | 25 | "Source" form shall mean the preferred form for making modifications, including 26 | but not limited to software source code, documentation source, and configuration 27 | files. 28 | 29 | "Object" form shall mean any form resulting from mechanical transformation or 30 | translation of a Source form, including but not limited to compiled object code, 31 | generated documentation, and conversions to other media types. 32 | 33 | "Work" shall mean the work of authorship, whether in Source or Object form, made 34 | available under the License, as indicated by a copyright notice that is included 35 | in or attached to the work (an example is provided in the Appendix below). 36 | 37 | "Derivative Works" shall mean any work, whether in Source or Object form, that 38 | is based on (or derived from) the Work and for which the editorial revisions, 39 | annotations, elaborations, or other modifications represent, as a whole, an 40 | original work of authorship. For the purposes of this License, Derivative Works 41 | shall not include works that remain separable from, or merely link (or bind by 42 | name) to the interfaces of, the Work and Derivative Works thereof. 
43 | 44 | "Contribution" shall mean any work of authorship, including the original version 45 | of the Work and any modifications or additions to that Work or Derivative Works 46 | thereof, that is intentionally submitted to Licensor for inclusion in the Work 47 | by the copyright owner or by an individual or Legal Entity authorized to submit 48 | on behalf of the copyright owner. For the purposes of this definition, 49 | "submitted" means any form of electronic, verbal, or written communication sent 50 | to the Licensor or its representatives, including but not limited to 51 | communication on electronic mailing lists, source code control systems, and 52 | issue tracking systems that are managed by, or on behalf of, the Licensor for 53 | the purpose of discussing and improving the Work, but excluding communication 54 | that is conspicuously marked or otherwise designated in writing by the copyright 55 | owner as "Not a Contribution." 56 | 57 | "Contributor" shall mean Licensor and any individual or Legal Entity on behalf 58 | of whom a Contribution has been received by Licensor and subsequently 59 | incorporated within the Work. 60 | 61 | 2. Grant of Copyright License. 62 | 63 | Subject to the terms and conditions of this License, each Contributor hereby 64 | grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, 65 | irrevocable copyright license to reproduce, prepare Derivative Works of, 66 | publicly display, publicly perform, sublicense, and distribute the Work and such 67 | Derivative Works in Source or Object form. 68 | 69 | 3. Grant of Patent License. 
70 | 71 | Subject to the terms and conditions of this License, each Contributor hereby 72 | grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, 73 | irrevocable (except as stated in this section) patent license to make, have 74 | made, use, offer to sell, sell, import, and otherwise transfer the Work, where 75 | such license applies only to those patent claims licensable by such Contributor 76 | that are necessarily infringed by their Contribution(s) alone or by combination 77 | of their Contribution(s) with the Work to which such Contribution(s) was 78 | submitted. If You institute patent litigation against any entity (including a 79 | cross-claim or counterclaim in a lawsuit) alleging that the Work or a 80 | Contribution incorporated within the Work constitutes direct or contributory 81 | patent infringement, then any patent licenses granted to You under this License 82 | for that Work shall terminate as of the date such litigation is filed. 83 | 84 | 4. Redistribution. 
85 | 86 | You may reproduce and distribute copies of the Work or Derivative Works thereof 87 | in any medium, with or without modifications, and in Source or Object form, 88 | provided that You meet the following conditions: 89 | 90 | You must give any other recipients of the Work or Derivative Works a copy of 91 | this License; and 92 | You must cause any modified files to carry prominent notices stating that You 93 | changed the files; and 94 | You must retain, in the Source form of any Derivative Works that You distribute, 95 | all copyright, patent, trademark, and attribution notices from the Source form 96 | of the Work, excluding those notices that do not pertain to any part of the 97 | Derivative Works; and 98 | If the Work includes a "NOTICE" text file as part of its distribution, then any 99 | Derivative Works that You distribute must include a readable copy of the 100 | attribution notices contained within such NOTICE file, excluding those notices 101 | that do not pertain to any part of the Derivative Works, in at least one of the 102 | following places: within a NOTICE text file distributed as part of the 103 | Derivative Works; within the Source form or documentation, if provided along 104 | with the Derivative Works; or, within a display generated by the Derivative 105 | Works, if and wherever such third-party notices normally appear. The contents of 106 | the NOTICE file are for informational purposes only and do not modify the 107 | License. You may add Your own attribution notices within Derivative Works that 108 | You distribute, alongside or as an addendum to the NOTICE text from the Work, 109 | provided that such additional attribution notices cannot be construed as 110 | modifying the License. 
111 | You may add Your own copyright statement to Your modifications and may provide 112 | additional or different license terms and conditions for use, reproduction, or 113 | distribution of Your modifications, or for any such Derivative Works as a whole, 114 | provided Your use, reproduction, and distribution of the Work otherwise complies 115 | with the conditions stated in this License. 116 | 117 | 5. Submission of Contributions. 118 | 119 | Unless You explicitly state otherwise, any Contribution intentionally submitted 120 | for inclusion in the Work by You to the Licensor shall be under the terms and 121 | conditions of this License, without any additional terms or conditions. 122 | Notwithstanding the above, nothing herein shall supersede or modify the terms of 123 | any separate license agreement you may have executed with Licensor regarding 124 | such Contributions. 125 | 126 | 6. Trademarks. 127 | 128 | This License does not grant permission to use the trade names, trademarks, 129 | service marks, or product names of the Licensor, except as required for 130 | reasonable and customary use in describing the origin of the Work and 131 | reproducing the content of the NOTICE file. 132 | 133 | 7. Disclaimer of Warranty. 134 | 135 | Unless required by applicable law or agreed to in writing, Licensor provides the 136 | Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, 137 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, 138 | including, without limitation, any warranties or conditions of TITLE, 139 | NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are 140 | solely responsible for determining the appropriateness of using or 141 | redistributing the Work and assume any risks associated with Your exercise of 142 | permissions under this License. 143 | 144 | 8. Limitation of Liability. 
145 | 146 | In no event and under no legal theory, whether in tort (including negligence), 147 | contract, or otherwise, unless required by applicable law (such as deliberate 148 | and grossly negligent acts) or agreed to in writing, shall any Contributor be 149 | liable to You for damages, including any direct, indirect, special, incidental, 150 | or consequential damages of any character arising as a result of this License or 151 | out of the use or inability to use the Work (including but not limited to 152 | damages for loss of goodwill, work stoppage, computer failure or malfunction, or 153 | any and all other commercial damages or losses), even if such Contributor has 154 | been advised of the possibility of such damages. 155 | 156 | 9. Accepting Warranty or Additional Liability. 157 | 158 | While redistributing the Work or Derivative Works thereof, You may choose to 159 | offer, and charge a fee for, acceptance of support, warranty, indemnity, or 160 | other liability obligations and/or rights consistent with this License. However, 161 | in accepting such obligations, You may act only on Your own behalf and on Your 162 | sole responsibility, not on behalf of any other Contributor, and only if You 163 | agree to indemnify, defend, and hold each Contributor harmless for any liability 164 | incurred by, or claims asserted against, such Contributor by reason of your 165 | accepting any such warranty or additional liability. 166 | 167 | END OF TERMS AND CONDITIONS 168 | 169 | APPENDIX: How to apply the Apache License to your work 170 | 171 | To apply the Apache License to your work, attach the following boilerplate 172 | notice, with the fields enclosed by brackets "[]" replaced with your own 173 | identifying information. (Don't include the brackets!) The text should be 174 | enclosed in the appropriate comment syntax for the file format. 
We also 175 | recommend that a file or class name and description of purpose be included on 176 | the same "printed page" as the copyright notice for easier identification within 177 | third-party archives. 178 | 179 | Copyright [yyyy] [name of copyright owner] 180 | 181 | Licensed under the Apache License, Version 2.0 (the "License"); 182 | you may not use this file except in compliance with the License. 183 | You may obtain a copy of the License at 184 | 185 | http://www.apache.org/licenses/LICENSE-2.0 186 | 187 | Unless required by applicable law or agreed to in writing, software 188 | distributed under the License is distributed on an "AS IS" BASIS, 189 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 190 | See the License for the specific language governing permissions and 191 | limitations under the License. 192 | -------------------------------------------------------------------------------- /NOTES.md: -------------------------------------------------------------------------------- 1 | # Notes and caveats 2 | 3 | These notes are valid as of the CIS Red Hat Enterprise Linux 6 benchmark version 1.3.0. 4 | 5 | ### Section 1 6 | 7 | ##### 1.1.1 - 1.1.16 8 | Existing mounts are modified with the benchmark options. Mount points that do not already exist are not created. 9 | 10 | ##### 1.1.17 11 | Skipped: Adjusting permissions across the filesystem can be destructive. 12 | 13 | ##### 1.2.{1,2,5,6} 14 | Skipped: Some yum operations are skipped as they apply only to RHEL and not CentOS. 15 | 16 | ##### 1.4.6 17 | Skipped: Checking for unconfined daemons should be done via cron jobs or via manual inspection. 18 | 19 | ##### 1.5.{3,4} 20 | Skipped: Adjusting bootloader configurations at a large scale on production machines could be highly destructive upon reboot. 21 | 22 | ### Section 4 23 | 24 | ##### 4.8 25 | IPv6 is disabled so ip6tables is also disabled. 
26 | 27 | ### Section 6 28 | 29 | ##### 6.4 30 | Skipped: Restricting root access only to the system console is a bit too restrictive for most environments. 31 | 32 | ### Section 7 33 | 34 | ##### 7.1.1 - 7.1.3 35 | Existing user password age is not modified. 36 | 37 | ### Section 8 38 | 39 | ##### 8.2 40 | Satisfied by 8.1. 41 | 42 | ##### 8.3 43 | Not addressing graphical desktop environments. 44 | 45 | ### Section 9 46 | 47 | ##### 9.1.1 48 | Not a scorable item and requires human interpretation. This is best handled by AIDE or other file integrity monitoring systems. 49 | 50 | ##### 9.1.10 - 9.1.14 51 | This is best handled by AIDE or other file integrity monitoring systems. 52 | 53 | ##### 9.2 54 | These items all require human intervention to resolve. None of these will be a concern while applying CIS to a vanilla RHEL6 install. 55 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## Ansible + CIS Benchmarks + RHEL/CentOS 7 2 | 3 | [![Build Status](https://api.travis-ci.org/sanderv32/cis-rhel-ansible.svg?branch=master)](https://travis-ci.org/sanderv32/cis-rhel-ansible) 4 | 5 | This is an ansible playbook for automatically applying CIS Security Benchmarks to a system running Red Hat Enterprise Linux 7 or CentOS 7. 6 | 7 | ### What are these benchmarks? 8 | The [Center for Internet Security](http://www.cisecurity.org/) publishes [security benchmarks](http://benchmarks.cisecurity.org/) for various systems. Refer to the CIS site as the authoritative site for anything regarding these benchmarks. You can join their community and contribute to the security benchmarks project. 9 | 10 | ***Please be aware that I'm not affiliated with CIS in any way and the data in this repository has absolutely no relation to CIS.*** 11 | 12 | ### What does this playbook do? 
13 | The playbook will attempt to configure your system to meet as many of the CIS security benchmarks as possible. Any benchmarks marked as "not scored" or benchmarks that are only checks will be skipped. 14 | 15 | For full details and caveats, refer to the [notes](NOTES.md). 16 | 17 | ### How do I run it? 18 | ***WAIT! DANGER!*** 19 | 20 | 21 | **Don't run this blindly on an actively running system.** The playbook will make ***serious*** modifications to your system that could affect its availability. 22 | 23 | #### Basic operation 24 | 25 | Perform a dry run first: 26 | 27 | ansible-playbook -i hosts -C playbook.yml 28 | 29 | If you're ***really really*** ready to apply changes, run it in regular mode: 30 | 31 | ansible-playbook -i hosts playbook.yml 32 | 33 | #### Advanced options 34 | 35 | Tags are available for running a section at a time: 36 | 37 | # Test only items from section 4 38 | ansible-playbook -i hosts -C playbook.yml -t section4 39 | 40 | # Apply changes only from items in section 4, 5, and 6 41 | ansible-playbook -i hosts playbook.yml -t section4,section5,section6 42 | 43 | The checks are also broken up into Level 1 and Level 2 checks: 44 | 45 | * Level 1: Good security improvements with less effects on production workloads 46 | * Level 2: Strong security improvements with greater effects on production workloads 47 | 48 | Running checks for a particular level is easy: 49 | 50 | ansible-playbook -i hosts playbook.yml -t level1 51 | ansible-playbook -i hosts playbook.yml -t level2 52 | 53 | ### How is this playbook licensed? 54 | It's licensed under the [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0.html). The [quick summary](http://bit.ly/VBkBfY) is: 55 | 56 | A license that allows you much freedom with the software, including an explicit right to a patent. “State changes” means that you have to include a notice in each file you modified. 
57 | -------------------------------------------------------------------------------- /ansible.cfg: -------------------------------------------------------------------------------- 1 | [defaults] 2 | pipelining=True 3 | -------------------------------------------------------------------------------- /hosts: -------------------------------------------------------------------------------- 1 | [targets] 2 | centos7 3 | -------------------------------------------------------------------------------- /playbook.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Copyright 2016 Alexander Verhaar 4 | # Copyright 2014 Major Hayden 5 | # 6 | # Licensed under the Apache License, Version 2.0 (the "License"); 7 | # you may not use this file except in compliance with the License. 8 | # You may obtain a copy of the License at 9 | # 10 | # http://www.apache.org/licenses/LICENSE-2.0 11 | # 12 | # Unless required by applicable law or agreed to in writing, software 13 | # distributed under the License is distributed on an "AS IS" BASIS, 14 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 | # See the License for the specific language governing permissions and 16 | # limitations under the License. 17 | # 18 | 19 | - hosts: all 20 | user: root 21 | roles: 22 | - cis 23 | -------------------------------------------------------------------------------- /roles/cis/README.md: -------------------------------------------------------------------------------- 1 | CIS Baseline RHEL7/CentOS7 2 | ========= 3 | 4 | This role can be used to audit or remediate a host against the Center for Internet Security (CIS) security benchmarks. 5 | 6 | *Disclaimer: This project has no affiliation with CIS. The role and its contents have not been reviewed or endorsed by CIS.* 7 | 8 | Requirements 9 | ------------ 10 | 11 | This role has no requirements or dependencies. 
12 | 13 | Role Variables 14 | -------------- 15 | 16 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. 17 | 18 | Dependencies 19 | ------------ 20 | 21 | Some sensible defaults are configured and documented within defaults/main.yml. These defaults are set so they would cause minimal disruption to a production system. However, it's *your* responsibility to verify that the default configuration will not harm your production server. *Always* run the role in check mode if you're unsure of its effects. 22 | 23 | Be aware that some of the default variables are set against CIS recommendations in the hopes that they will cause minimal disruption to a system. 24 | 25 | Example Playbook 26 | ---------------- 27 | 28 | Playbooks can utilize the CIS role without much effort: 29 | 30 | - hosts: all 31 | roles: 32 | - cis 33 | 34 | The role is thoroughly tagged so that you can run certain sections or certain levels of checks: 35 | 36 | # Test only items from section 4 37 | ansible-playbook -i hosts -C playbook.yml -t section4 38 | 39 | # Apply changes only from items in section 4, 5, and 6 40 | ansible-playbook -i hosts playbook.yml -t section4,section5,section6 41 | 42 | License 43 | ------- 44 | 45 | Apache License, Version 2.0 46 | 47 | Author Information 48 | ------------------ 49 | 50 | 2016 - Alexander Verhaar 51 | 2014 - Major Hayden 52 | -------------------------------------------------------------------------------- /roles/cis/defaults/main.yml: -------------------------------------------------------------------------------- 1 | # Should we configure AIDE on the system? 
(CIS 1.3) 2 | # Options: 3 | # yes: install and configure AIDE 4 | # no: do not install or configure AIDE 5 | configure_aide: yes 6 | 7 | # auditd (CIS 5.2) 8 | # These are sensible defaults but you may change these to fit your system. # NOTE(review): admin_space_left_action "halt" shuts the system down once the audit partition reaches the admin threshold; that is the CIS-recommended setting, but it is a self-inflicted outage if /var/log/audit is small, so confirm it is the failure mode you want. 9 | action_mail_acct: "root" 10 | admin_space_left_action: "halt" 11 | max_log_file: 100 12 | max_log_file_action: "keep_logs" 13 | space_left_action: "email" 14 | 15 | # rsyslog (5.1.6) 16 | # Options: 17 | # yes: configure rsyslog to receive remote logs from other servers 18 | # no: do not configure rsyslog to receive remote logs from other servers 19 | rsyslog_host: no 20 | 21 | # ---------------------------------------------------------------------------- 22 | # WARNING 23 | # THIS SECTION IS HAZARDOUS TO PRODUCTION SERVERS. SERIOUSLY. 24 | # ---------------------------------------------------------------------------- 25 | # Options: 26 | # yes: disable/uninstall these services to meet CIS requirements 27 | # no: do not alter these services from their current status 28 | dns: no 29 | dovecot: no 30 | ftp: no 31 | httpd: no 32 | ldap_client: no 33 | ldap_server: no 34 | nfs: no 35 | samba: no 36 | snmp: no 37 | squid: no 38 | 39 | # CIS 7.5 says that users who are inactive for over 35 days must have their 40 | # accounts disabled. This could cause issues in some environments. 41 | # Options: 42 | # yes: disable accounts inactive > 35 days per CIS requirements 43 | # no: don't adjust inactive account settings 44 | lock_inactive: no 45 | 46 | # Enable iptables (CIS 4.7) 47 | # You should check to see that your current iptables configuration in 48 | # /etc/sysconfig/iptables is configured properly so that you don't lose access 49 | # to your server when iptables is enabled. If you're already using iptables, 50 | # then this setting won't affect you either way. 
51 | # Options: 52 | # yes: enable iptables and load the rules from /etc/sysconfig/iptables 53 | # no: don't alter iptables whatsoever 54 | enable_iptables: no 55 | 56 | # Enable ip6tables (CIS 4.8) 57 | # You should check to see that your current ip6tables configuration in 58 | # /etc/sysconfig/ip6tables is configured properly so that you don't lose access 59 | # to your server when ip6tables is enabled. If you're already using ip6tables, 60 | # then this setting won't affect you either way. 61 | # Options: 62 | # yes: enable ip6tables and load the rules from /etc/sysconfig/ip6tables 63 | # no: don't alter ip6tables whatsoever 64 | enable_ip6tables: no 65 | 66 | # Disable IPv6 (CIS 4.4.2) 67 | # It's recommended to configure IPv6 properly instead of disabling it entirely. 68 | # If your organization really doesn't use IPv6 at all, you could accept the 69 | # CIS requirements and disable IPv6. 70 | # Options: 71 | # yes: disable IPv6 per CIS requirements 72 | # no: don't alter the IPv6 configuration 73 | disable_ipv6: no 74 | 75 | # SSH configurations (CIS Section 6.2) 76 | # Uncomment these variables and set them accordingly to have them applied. They 77 | # are not applied by default. 78 | #ssh_allow_groups: 79 | #ssh_allow_users: 80 | #ssh_deny_groups: 81 | #ssh_deny_users: 82 | 83 | # 9.1.10 - 9.1.12 to verify & find 84 | verify_find: no 85 | 86 | # 9.1.12 - 9.1.14 to verify rpm 87 | verify_rpm: no 88 | -------------------------------------------------------------------------------- /roles/cis/files/etc/audit/audit.rules: -------------------------------------------------------------------------------- 1 | # This file contains the auditctl rules that are loaded 2 | # whenever the audit daemon is started via the initscripts. 3 | # The rules are simply the parameters that would be passed 4 | # to auditctl. # NOTE(review): the syscall rules below filter on auid>=500, the RHEL 6 UID_MIN; the pam.d files shipped by this role treat uid < 1000 as system accounts, so confirm the threshold matches the target's UID_MIN on RHEL/CentOS 7 or regular users' events will be missed. 5 | 6 | # First rule - delete all 7 | -D 8 | 9 | # Increase the buffers to survive stress events. 
10 | # Make this bigger for busy systems 11 | -b 320 12 | 13 | # Feel free to add below this line. See auditctl man page 14 | 15 | # 5.2.4 Record Events That Modify Date and Time Information 16 | -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change 17 | -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change 18 | -a always,exit -F arch=b64 -S clock_settime -k time-change 19 | -a always,exit -F arch=b32 -S clock_settime -k time-change 20 | -w /etc/localtime -p wa -k time-change 21 | 22 | # 5.2.5 Record Events That Modify User/Group Information 23 | -w /etc/group -p wa -k identity 24 | -w /etc/passwd -p wa -k identity 25 | -w /etc/gshadow -p wa -k identity 26 | -w /etc/shadow -p wa -k identity 27 | -w /etc/security/opasswd -p wa -k identity 28 | 29 | # 5.2.6 Record Events That Modify the System's Network Environment 30 | -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale 31 | -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale 32 | -w /etc/issue -p wa -k system-locale 33 | -w /etc/issue.net -p wa -k system-locale 34 | -w /etc/hosts -p wa -k system-locale 35 | -w /etc/sysconfig/network -p wa -k system-locale 36 | 37 | # 5.2.7 Record Events That Modify the System's Mandatory Access Controls 38 | -w /etc/selinux/ -p wa -k MAC-policy 39 | 40 | # 5.2.8 Collect Login and Logout Events 41 | -w /var/log/faillog -p wa -k logins 42 | -w /var/log/lastlog -p wa -k logins 43 | -w /var/log/tallylog -p wa -k logins 44 | 45 | # 5.2.9 Collect Session Initiation Information 46 | -w /var/run/utmp -p wa -k session 47 | -w /var/log/wtmp -p wa -k session 48 | -w /var/log/btmp -p wa -k session 49 | 50 | # 5.2.10 Collect Discretionary Access Control Permission Modification Events 51 | -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod 52 | -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod 53 | -a 
always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod 54 | -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod 55 | -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod 56 | -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod 57 | 58 | # 5.2.11 Collect Unsuccessful Unauthorized Access Attempts to Files 59 | -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access 60 | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access 61 | -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access 62 | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access 63 | 64 | # 5.2.13 Collect Successful File System Mounts 65 | -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts 66 | -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts 67 | 68 | # 5.2.14 Collect File Deletion Events by User 69 | -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete 70 | -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete 71 | 72 | # 5.2.15 Collect Changes to System Administration Scope 73 | -w /etc/sudoers -p wa -k scope 74 | 75 | # 5.2.16 Collect System Administrator Actions 76 | -w /var/log/sudo.log -p wa -k actions 77 | 78 | # 5.2.17 Collect Kernel Module Loading and Unloading 79 | -w 
/sbin/insmod -p x -k modules 80 | -w /sbin/rmmod -p x -k modules 81 | -w /sbin/modprobe -p x -k modules # NOTE(review): unlike the other syscall rules in this file, init_module/delete_module below has no arch=b32 counterpart - confirm whether a b32 rule is needed on this target. 82 | -a always,exit -F arch=b64 -S init_module -S delete_module -k modules 83 | 84 | # 5.2.18 Make the Audit Configuration Immutable (with -e 2 the rule set is locked until the next reboot, so later rule changes by this role or by hand only take effect after a reboot) 85 | -e 2 86 | -------------------------------------------------------------------------------- /roles/cis/files/etc/issue: -------------------------------------------------------------------------------- 1 | This system is for the use of authorized users only, and may contain privileged and confidential data. 2 | Users may also be monitored. Users of this system expressly consent to such monitoring and are advised 3 | that if such monitoring reveals possible criminal activity, security staff may provide the evidence of 4 | such monitoring to law enforcement officials. 5 | -------------------------------------------------------------------------------- /roles/cis/files/etc/issue.net: -------------------------------------------------------------------------------- 1 | This system is for the use of authorized users only, and may contain privileged and confidential data. 2 | Users may also be monitored. Users of this system expressly consent to such monitoring and are advised 3 | that if such monitoring reveals possible criminal activity, security staff may provide the evidence of 4 | such monitoring to law enforcement officials. 
5 | -------------------------------------------------------------------------------- /roles/cis/files/etc/logrotate.d/syslog: -------------------------------------------------------------------------------- 1 | /var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron { 2 | -------------------------------------------------------------------------------- /roles/cis/files/etc/motd: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /roles/cis/files/etc/pam.d/password-auth: -------------------------------------------------------------------------------- 1 | #%PAM-1.0 2 | # This file is auto-generated. 3 | # User changes will be destroyed the next time authconfig is run. 4 | auth required pam_env.so 5 | auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900 6 | auth [success=1 default=bad] pam_unix.so 7 | auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900 8 | auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900 9 | auth required pam_deny.so 10 | 11 | account required pam_unix.so 12 | account sufficient pam_localuser.so 13 | account sufficient pam_succeed_if.so uid < 1000 quiet 14 | account required pam_permit.so 15 | 16 | password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= 17 | password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok 18 | password required pam_deny.so 19 | 20 | session optional pam_keyinit.so revoke 21 | session required pam_limits.so 22 | -session optional pam_systemd.so 23 | session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid 24 | session required pam_unix.so 25 | -------------------------------------------------------------------------------- /roles/cis/files/etc/pam.d/system-auth: 
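--------------------------------------------------------------------------------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth        [success=1 default=bad] pam_unix.so
auth        [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth        sufficient    pam_faillock.so authsucc audit deny=5 unlock_time=900
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
# remember=5 (CIS 6.3.4) belongs on the single pam_unix.so password line. A
# separate "sufficient pam_unix.so remember=5" entry placed ahead of this line
# succeeds on its own and ends the stack, so sha512/shadow/use_authtok never
# apply; lacking use_authtok it also prompts for the new password itself,
# sidestepping the token pam_pwquality just checked.
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
--------------------------------------------------------------------------------
/roles/cis/files/etc/rsyslog.conf:
--------------------------------------------------------------------------------
# Execute the following command to restart rsyslogd
# pkill -HUP rsyslogd

# rsyslog v5 configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g.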
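via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf


#### RULES ####
# A message whose facility matches no selector below is dropped, so every
# facility that matters has to be routed explicitly.
auth.*,user.*                                           /var/log/messages
# authpriv is where sudo, su/login (via PAM) and RHEL's stock sshd_config
# (SyslogFacility AUTHPRIV) send their messages. Without this selector those
# events were discarded, while logrotate.d/syslog in this role rotates a
# /var/log/secure that nothing wrote.
authpriv.*                                              /var/log/secure
kern.*                                                  /var/log/kern.log
daemon.*                                                /var/log/daemon.log
syslog.*                                                /var/log/syslog
# mail, cron and local7 were previously unrouted; the targets are the files
# already listed in logrotate.d/syslog.
mail.*                                                  /var/log/maillog
cron.*                                                  /var/log/cron
local7.*                                                /var/log/boot.log
lpr.*,news.*,uucp.*,local0.*,local1.*,local2.*,local3.*,local4.*,local5.*,local6.*  /var/log/unused.log
--------------------------------------------------------------------------------
/roles/cis/handlers/main.yml:
--------------------------------------------------------------------------------
---
#
# Copyright 2014 Major Hayden
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.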
16 | # 17 | 18 | - name: Reload auditd Rules 19 | service: name=auditd state=reloaded 20 | when: ansible_virtualization_type != "docker" 21 | 22 | - name: Reload prelinking 23 | command: /usr/sbin/prelink -ua 24 | 25 | - name: Reload sshd 26 | service: name=sshd state=reloaded 27 | -------------------------------------------------------------------------------- /roles/cis/meta/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | galaxy_info: 3 | author: Alexander Verhaar 4 | description: Audit/remediate hosts using CIS security benchmarks 5 | company: Solvinity 6 | # Some suggested licenses: 7 | # - BSD (default) 8 | # - MIT 9 | # - GPLv2 10 | # - GPLv3 11 | # - Apache 12 | # - CC-BY 13 | license: Apache 14 | min_ansible_version: 2.0 15 | # 16 | # Below are all platforms currently available. Just uncomment 17 | # the ones that apply to your role. If you don't see your 18 | # platform on this list, let us know and we'll get it added! 19 | # 20 | platforms: 21 | - name: EL 22 | versions: 23 | # - all 24 | # - 5 25 | # - 6 26 | - 7 27 | #- name: GenericUNIX 28 | # versions: 29 | # - all 30 | # - any 31 | #- name: Fedora 32 | # versions: 33 | # - all 34 | # - 16 35 | # - 17 36 | # - 18 37 | # - 19 38 | # - 20 39 | #- name: opensuse 40 | # versions: 41 | # - all 42 | # - 12.1 43 | # - 12.2 44 | # - 12.3 45 | # - 13.1 46 | # - 13.2 47 | #- name: Amazon 48 | # versions: 49 | # - all 50 | # - 2013.03 51 | # - 2013.09 52 | #- name: GenericBSD 53 | # versions: 54 | # - all 55 | # - any 56 | #- name: FreeBSD 57 | # versions: 58 | # - all 59 | # - 8.0 60 | # - 8.1 61 | # - 8.2 62 | # - 8.3 63 | # - 8.4 64 | # - 9.0 65 | # - 9.1 66 | # - 9.1 67 | # - 9.2 68 | #- name: Ubuntu 69 | # versions: 70 | # - all 71 | # - lucid 72 | # - maverick 73 | # - natty 74 | # - oneiric 75 | # - precise 76 | # - quantal 77 | # - raring 78 | # - saucy 79 | # - trusty 80 | #- name: SLES 81 | # versions: 82 | # - all 83 | # - 10SP3 84 | # - 10SP4 85 
| # - 11 86 | # - 11SP1 87 | # - 11SP2 88 | # - 11SP3 89 | #- name: GenericLinux 90 | # versions: 91 | # - all 92 | # - any 93 | #- name: Debian 94 | # versions: 95 | # - all 96 | # - etch 97 | # - lenny 98 | # - squeeze 99 | # - wheezy 100 | # 101 | # Below are all categories currently available. Just as with 102 | # the platforms above, uncomment those that apply to your role. 103 | # 104 | categories: system 105 | #- cloud 106 | #- cloud:ec2 107 | #- cloud:gce 108 | #- cloud:rax 109 | #- clustering 110 | #- database 111 | #- database:nosql 112 | #- database:sql 113 | #- development 114 | #- monitoring 115 | #- networking 116 | #- packaging 117 | #- system 118 | #- web 119 | dependencies: [] 120 | # List your role dependencies here, one per line. Only 121 | # dependencies available via galaxy should be listed here. 122 | # Be sure to remove the '[]' above if you add dependencies 123 | # to this list. 124 | -------------------------------------------------------------------------------- /roles/cis/tasks/cve.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: OpenSSH Information-leak vulnerability (CVE-2016-0777) 3 | lineinfile: > 4 | dest=/etc/ssh/ssh_config 5 | line="UseRoaming no" 6 | tags: 7 | - cve 8 | -------------------------------------------------------------------------------- /roles/cis/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Copyright 2016 Alexander Verhaar 4 | # Copyright 2014 Major Hayden 5 | # 6 | # Licensed under the Apache License, Version 2.0 (the "License"); 7 | # you may not use this file except in compliance with the License. 
8 | # You may obtain a copy of the License at 9 | # 10 | # http://www.apache.org/licenses/LICENSE-2.0 11 | # 12 | # Unless required by applicable law or agreed to in writing, software 13 | # distributed under the License is distributed on an "AS IS" BASIS, 14 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 | # See the License for the specific language governing permissions and 16 | # limitations under the License. 17 | # 18 | 19 | - include: section_01.yml 20 | tags: section1 21 | 22 | - include: section_02.yml 23 | tags: section2 24 | 25 | - include: section_03.yml 26 | tags: section3 27 | 28 | - include: section_04.yml 29 | tags: section4 30 | 31 | - include: section_05.yml 32 | tags: section5 33 | 34 | - include: section_06.yml 35 | tags: section6 36 | 37 | - include: section_07.yml 38 | tags: section7 39 | 40 | - include: section_08.yml 41 | tags: section8 42 | 43 | - include: section_09.yml 44 | tags: section9 45 | 46 | - include: cve.yml 47 | tags: cve 48 | -------------------------------------------------------------------------------- /roles/cis/tasks/section_01.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Copyright 2014 Major Hayden 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 
16 | # 17 | 18 | - include: section_01_level1.yml 19 | tags: 20 | - section1 21 | - level1 22 | 23 | - include: section_01_level2.yml 24 | tags: 25 | - section1 26 | - level2 27 | -------------------------------------------------------------------------------- /roles/cis/tasks/section_01_level1.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Copyright 2016 Alexander Verhaar 4 | # Copyright 2014 Major Hayden 5 | # 6 | # Licensed under the Apache License, Version 2.0 (the "License"); 7 | # you may not use this file except in compliance with the License. 8 | # You may obtain a copy of the License at 9 | # 10 | # http://www.apache.org/licenses/LICENSE-2.0 11 | # 12 | # Unless required by applicable law or agreed to in writing, software 13 | # distributed under the License is distributed on an "AS IS" BASIS, 14 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 | # See the License for the specific language governing permissions and 16 | # limitations under the License. 17 | # 18 | 19 | - name: 1.1.1 Create Separate Partition for /tmp (Scored) 20 | debug: msg="*** Manually create Separate Partition for /tmp." 21 | failed_when: "'/tmp' not in mountpoints" 22 | tags: 23 | - scored 24 | - section1.1 25 | - section1.1.1 26 | 27 | - name: 1.1.2 - 1.1.4 Set nodev,nosuid,noexec option for /tmp Partition (Scored) 28 | mount: > 29 | name="/tmp" 30 | src={{ item.device }} 31 | state=mounted 32 | fstype={{ item.fstype }} 33 | opts="nodev,nosuid,noexec" 34 | when: item.mount == "/tmp" 35 | with_items: ansible_mounts 36 | tags: 37 | - scored 38 | - section1.1 39 | - section1.1.2 40 | - section1.1.3 41 | - section1.1.4 42 | 43 | - name: 1.1.5 Create Separate Partition for /var (Scored) 44 | debug: msg="*** Manually create Separate Partition for /var." 
45 | failed_when: "'/var' not in mountpoints" 46 | tags: 47 | - scored 48 | - section1.1 49 | - section1.1.5 50 | 51 | - name: 1.1.6 Bind Mount the /var/tmp directory to /tmp (Scored) 52 | mount: > 53 | name="/var/tmp" 54 | src="/tmp" 55 | state=mounted 56 | fstype="none" 57 | opts="bind" 58 | when: item.mount == "/tmp" 59 | with_items: ansible_mounts 60 | tags: 61 | - scored 62 | - section1.1 63 | - section1.1.6 64 | 65 | - name: 1.1.7 Create Separate Partition for /var/log (Scored) 66 | debug: msg="*** Manually create Separate Partition for /var/log." 67 | failed_when: "'/var/log' not in mountpoints" 68 | tags: 69 | - scored 70 | - section1.1 71 | - section1.1.7 72 | 73 | - name: 1.1.8 Create Separate Partition for /var/log/audit (Scored) 74 | debug: msg="*** Manually create Separate Partition for /var/log/audit." 75 | failed_when: "'/var/log/audit' not in mountpoints" 76 | tags: 77 | - scored 78 | - section1.1 79 | - section1.1.8 80 | 81 | - name: 1.1.9 Create Separate Partition for /home (Scored) 82 | debug: msg="*** Manually create Separate Partition for /home." 83 | failed_when: "'/home' not in mountpoints" 84 | tags: 85 | - scored 86 | - section1.1 87 | - section1.1.9 88 | 89 | - name: 1.1.10 Add nodev Option to /home Partition (Scored) 90 | mount: > 91 | name="/home" 92 | src={{ item.device }} 93 | state=mounted 94 | fstype={{ item.fstype }} 95 | opts="nodev" 96 | when: item.mount == "/home" 97 | with_items: ansible_mounts 98 | tags: 99 | - scored 100 | - section1.1 101 | - section1.1.10 102 | 103 | - name: 1.1.11 Add nodev Option to Removable Media Partitions (Not Scored) 104 | debug: msg="*** Not relevant." 105 | tags: 106 | - scored 107 | - section1.1 108 | - section1.1.11 109 | 110 | - name: 1.1.12 Add noexec Option to Removable Media Partitions (Not Scored) 111 | debug: msg="*** Not relevant." 
112 | tags: 113 | - notscored 114 | - section1.1 115 | - section1.1.12 116 | 117 | - name: 1.1.13 Add nosuid Option to Removable Media Partitions (Not Scored) 118 | debug: msg="*** Not relevant." 119 | tags: 120 | - notscored 121 | - section1.1 122 | - section1.1.13 123 | 124 | - name: 1.1.14 - 1.1.16 Add noexec Option to /dev/shm Partition (Scored) 125 | mount: > 126 | name="/dev/shm" 127 | src="none" 128 | state=mounted 129 | fstype="tmpfs" 130 | opts="nodev,nosuid,noexec" 131 | tags: 132 | - section1.1 133 | - section1.1.14 134 | - section1.1.15 135 | - section1.1.16 136 | - scored 137 | 138 | - name: 1.1.17 Set sticky bit on all world-writeable directories (Scored) 139 | shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null 140 | register: result1_1_17 141 | tags: 142 | - scored 143 | - section1.1 144 | - section1.1.17 145 | 146 | - name: 1.1.17 Set sticky bit on all world-writeable directories (Scored) 147 | shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! 
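-perm -1000 \) -print0 2>/dev/null | xargs -0 chmod a+t
  # The preceding task registers the list of world-writable directories that
  # lack the sticky bit; chmod is only needed when that list is non-empty.
  # Comparing the whole registered result to "" was always false, so the
  # remediation never ran. -print0/-0 keep directory names containing spaces
  # or newlines intact on the way to chmod.
  when: result1_1_17.stdout != ""
  tags:
    - scored
    - section1.1
    - section1.1.17

- name: 1.2.1 Configure Connection to the RHN RPM repositories (Not Scored)
  # yum check-update exits 100 when updates are pending and 1 on error, so
  # only rc 1 counts as a failure.
  command: yum check-update
  register: result
  failed_when: "result.rc == 1"
  when: ansible_distribution == "RedHat"
  tags:
    - notscored
    - section1.2
    - section1.2.1

- name: 1.2.2 Verify Red Hat GPG key is installed (Scored)
  # Read-only check, so it never reports a change. NOTE(review): this only
  # parses the key file on disk; it does not confirm the key is imported into
  # the rpm database (rpm -q gpg-pubkey) - confirm that is the intended check.
  command: gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
  changed_when: false
  when: ansible_distribution == "RedHat"
  tags:
    - scored
    - section1.2
    - section1.2.2

- name: 1.2.3 Verify that gpgcheck is Globally Activated (Scored)
  # NOTE(review): covers /etc/yum.conf only; a gpgcheck=0 in a repo file under
  # /etc/yum.repos.d/ still overrides this for that repository.
  lineinfile: >
    state=present
    dest=/etc/yum.conf
    regexp=^gpgcheck=
    line=gpgcheck=1
  tags:
    - scored
    - section1.2
    - section1.2.3

- name: 1.2.4 Disable the rhnsd Daemon (Not Scored)
  # Probe only: records "enabled"/"disabled" for the task that follows.
  shell: systemctl is-enabled rhnsd &>/dev/null && echo "enabled" || echo "disabled"
  register: result1_2_4
  changed_when: False
  tags:
    - notscored
    - section1.2
    - section1.2.4

- name: 1.2.4 Disable the rhnsd Daemon (Not Scored)
  service: >
    name=rhnsd
    state=stopped
    enabled=no
  when: "'enabled' in result1_2_4.stdout"
  tags:
    - notscored
    - section1.2
    - section1.2.4

- name: 1.2.5 Obtain software package updates with yum (Not Scored)
  debug: msg="*** Check manually."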
205 | tags: 206 | - notscored 207 | - section1.2 208 | - section1.2.5 209 | 210 | - name: 1.2.6 Verify package integrity using RPM (Not Scored) 211 | debug: msg="*** Check via cron/AIDE/manually" 212 | tags: 213 | - notscored 214 | - section1.2 215 | - section1.2.6 216 | 
# NOTE(review): on EL7 (the only platform enabled in meta/main.yml) the file CIS 1.5.1/1.5.2 protect is, as far as I recall the RHEL 7 benchmark, the generated /boot/grub2/grub.cfg; /etc/default/grub is only the grub2-mkconfig input - confirm the intended target. The readlink task below is also repeated verbatim under 1.5.2; registering it once would do.
217 | - name: 1.5.1 Get Absolute Path to grub config 218 | command: readlink -f /etc/default/grub 219 | register: readlink 220 | changed_when: false 221 | always_run: yes 222 | tags: 223 | - scored 224 | - section1.5 225 | - section1.5.1 226 | 227 | - name: 1.5.1 Set User/Group Owner on /etc/default/grub (Scored) 228 | file: > 229 | path={{ readlink.stdout }} 230 | owner=root 231 | group=root 232 | tags: 233 | - scored 234 | - section1.5 235 | - section1.5.1 236 | 237 | - name: 1.5.2 Get Absolute Path to grub config 238 | command: readlink -f /etc/default/grub 239 | register: readlink 240 | changed_when: false 241 | always_run: yes 242 | tags: 243 | - scored 244 | - section1.5 245 | - section1.5.2 246 | 247 | - name: 1.5.2 Set Permissions on /etc/default/grub (Scored) 248 | file: > 249 | path={{ readlink.stdout }} 250 | mode=0400 251 | tags: 252 | - scored 253 | - section1.5 254 | - section1.5.2 255 | 256 | # TODO: Needs to be implemented 257 | - name: 1.5.3 Set boot loader password (Scored) 258 | debug: msg="*** Too destructive for production systems. Evaluate for your environment first." 
259 | tags: 260 | - scored 261 | - section1.5 262 | - section1.5.3 263 | 264 | - name: 1.6.1 Restrict core dumps (Scored) - via pam 265 | lineinfile: > 266 | dest=/etc/security/limits.conf 267 | line="* hard core 0" 268 | insertafter=EOF 269 | tags: 270 | - scored 271 | - section1.6 272 | - section1.6.1 273 | 274 | - name: 1.6.1 Restrict core dumps (Scored) - via sysctl 275 | sysctl: > 276 | name=fs.suid_dumpable 277 | value=0 278 | state=present 279 | ignoreerrors=yes 280 | tags: 281 | - scored 282 | - section1.6 283 | - section1.6.1 284 | 285 | - name: 1.6.2 Enable Randomized Virtual Memory Region Placement (Scored) 286 | sysctl: > 287 | name=kernel.randomize_va_space 288 | value=2 289 | state=present 290 | ignoreerrors=yes 291 | tags: 292 | - scored 293 | - section1.6 294 | - section1.6.2 295 | 296 | - name: 1.7 Use the Latest OS Release (Not Scored) 297 | command: > 298 | cat /etc/redhat-release 299 | when: ansible_distribution == "RedHat" 300 | tags: 301 | - notscored 302 | - section1.7 303 | -------------------------------------------------------------------------------- /roles/cis/tasks/section_01_level2.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Copyright 2016 Alexander Verhaar 4 | # Copyright 2014 Major Hayden 5 | # 6 | # Licensed under the Apache License, Version 2.0 (the "License"); 7 | # you may not use this file except in compliance with the License. 8 | # You may obtain a copy of the License at 9 | # 10 | # http://www.apache.org/licenses/LICENSE-2.0 11 | # 12 | # Unless required by applicable law or agreed to in writing, software 13 | # distributed under the License is distributed on an "AS IS" BASIS, 14 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 | # See the License for the specific language governing permissions and 16 | # limitations under the License. 
17 | # 18 | 19 | - name: "Create {{modprobe_unused_modules}} with root ownership & mode" 20 | file: path="{{modprobe_unused_modules}}" state=touch owner=root group=root mode=0600 21 | changed_when: false 22 | tags: 23 | - notscored 24 | - section1.1 25 | - section1.1.18 26 | - section1.1.19 27 | - section1.1.20 28 | - section1.1.21 29 | - section1.1.22 30 | - section1.1.23 31 | - section1.1.24 32 | 33 | - name: 1.1.18 Disable Mounting of cramfs Filesystems (Not Scored) 34 | lineinfile: > 35 | state=present 36 | dest="{{modprobe_unused_modules}}" 37 | line="install cramfs /bin/true" 38 | tags: 39 | - notscored 40 | - section1.1 41 | - section1.1.18 42 | 43 | - name: 1.1.19 Disable Mounting of freevxfs Filesystems (Not Scored) 44 | lineinfile: > 45 | state=present 46 | dest="{{modprobe_unused_modules}}" 47 | line="install freevxfs /bin/true" 48 | tags: 49 | - notscored 50 | - section1.1 51 | - section1.1.19 52 | 53 | - name: 1.1.20 Disable Mounting of jffs2 Filesystems (Not Scored) 54 | lineinfile: > 55 | state=present 56 | dest="{{modprobe_unused_modules}}" 57 | line="install jffs2 /bin/true" 58 | tags: 59 | - notscored 60 | - section1.1 61 | - section1.1.20 62 | 63 | - name: 1.1.21 Disable Mounting of hfs Filesystems (Not Scored) 64 | lineinfile: > 65 | state=present 66 | dest="{{modprobe_unused_modules}}" 67 | line="install hfs /bin/true" 68 | tags: 69 | - notscored 70 | - section1.1 71 | - section1.1.21 72 | 73 | - name: 1.1.22 Disable Mounting of hfsplus Filesystems (Not Scored) 74 | lineinfile: > 75 | state=present 76 | dest="{{modprobe_unused_modules}}" 77 | line="install hfsplus /bin/true" 78 | tags: 79 | - notscored 80 | - section1.1 81 | - section1.1.22 82 | 83 | - name: 1.1.23 Disable Mounting of squashfs Filesystems (Not Scored) 84 | lineinfile: > 85 | state=present 86 | dest="{{modprobe_unused_modules}}" 87 | line="install squashfs /bin/true" 88 | tags: 89 | - notscored 90 | - section1.1 91 | - section1.1.23 92 | 93 | - name: 1.1.24 Disable Mounting of 
udf Filesystems (Not Scored) 94 | lineinfile: > 95 | state=present 96 | dest="{{modprobe_unused_modules}}" 97 | line="install udf /bin/true" 98 | tags: 99 | - notscored 100 | - section1.1 101 | - section1.1.24 102 | 103 | - name: 1.2.4 Check to see if rhnsd daemon is installed (Not Scored) 104 | stat: path=/etc/init.d/rhnsd 105 | register: rhnsd_service 106 | when: ansible_distribution == "RedHat" 107 | tags: 108 | - notscored 109 | - section1.2 110 | - section1.2.4 111 | 112 | - name: 1.2.4 Disable the rhnsd Daemon (Not Scored) 113 | action: command /sbin/chkconfig rhnsd off 114 | when: ansible_distribution == "RedHat" 115 | tags: 116 | - notscored 117 | - section1.2 118 | - section1.2.4 119 | 120 | - name: 1.3.1 Install AIDE (Scored) 121 | yum: > 122 | name=aide 123 | state=present 124 | when: configure_aide 125 | tags: 126 | - scored 127 | - section1.3 128 | - section1.3.1 129 | 130 | - name: 1.3.1 Install AIDE (Initialize AIDE) (Scored) 131 | command: > 132 | /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz' 133 | creates=/var/lib/aide/aide.db.gz 134 | when: configure_aide 135 | tags: 136 | - scored 137 | - section1.3 138 | - section1.3.1 139 | 140 | - name: 1.3.1 Install AIDE (check is prelink installed) (Scored) 141 | stat: path=/usr/sbin/prelink 142 | register: prelink_stat 143 | tags: 144 | - scored 145 | - section1.3 146 | - section1.3.1 147 | 148 | - name: 1.3.1 Install AIDE (Disable Prelinking) (Scored) 149 | lineinfile: > 150 | state=present 151 | dest=/etc/sysconfig/prelink 152 | regexp=^PRELINKING= 153 | line=PRELINKING=no 154 | create=yes 155 | when: 156 | - configure_aide 157 | - prelink_stat.stat.exists 158 | tags: 159 | - scored 160 | - section1.3 161 | - section1.3.1 162 | 163 | - name: 1.3.2 Implement Periodic Execution of File Integrity (Scored) 164 | cron: > 165 | name="Run AIDE (CIS 1.3.2)" 166 | minute="0" 167 | hour="5" 168 | job="/usr/sbin/aide --check" 169 | when: configure_aide 170 | tags: 171 | - scored 172 | - 
section1.3 173 | - section1.3.2 174 | 
# NOTE(review): lineinfile state=absent removes only lines that equal "selinux=0" / "enforcing=0" in full, so a kernel line that merely contains them is left as is. /etc/grub.conf is the EL6 layout; on EL7 (the platform enabled in meta/main.yml) the kernel arguments live in GRUB_CMDLINE_LINUX in /etc/default/grub and take effect after grub2-mkconfig - confirm which layout this role targets.
175 | - name: 1.4.1 Enable SELinux in /etc/grub.conf (Scored) 176 | lineinfile: > 177 | state=absent 178 | dest=/etc/grub.conf 179 | line="selinux=0" 180 | tags: 181 | - scored 182 | - section1.4 183 | - section1.4.1 184 | 185 | - name: 1.4.1 Enable SELinux in /etc/grub.conf (Scored) 186 | lineinfile: > 187 | state=absent 188 | dest=/etc/grub.conf 189 | line="enforcing=0" 190 | tags: 191 | - scored 192 | - section1.4 193 | - section1.4.1 194 | 195 | - name: 1.4.2 Set the SELinux State (Scored) 196 | yum: > 197 | name=selinux-policy-targeted 198 | state=present 199 | tags: 200 | - scored 201 | - section1.4 202 | - section1.4.2 203 | 
# NOTE(review): ignore_errors hides a failure to reach enforcing, so this scored control reports success even when SELinux stays disabled or permissive; if the intent is only to tolerate the reboot-required case, register the result and check it explicitly instead.
204 | - name: 1.4.3 Set the SELinux Policy (Scored) 205 | selinux: > 206 | state=enforcing 207 | policy=targeted 208 | ignore_errors: yes 209 | tags: 210 | - scored 211 | - section1.4 212 | - section1.4.3 213 | 214 | - name: 1.4.4 Remove SETroubleshoot (Scored) 215 | yum: > 216 | name=setroubleshoot 217 | state=absent 218 | tags: 219 | - scored 220 | - section1.4 221 | - section1.4.4 222 | 223 | - name: 1.4.5 Remove MCS Translation Service (mcstrans) (Scored) 224 | yum: > 225 | name=mcstrans 226 | state=absent 227 | tags: 228 | - scored 229 | - section1.4 230 | - section1.4.5 231 | 232 | # TODO: ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }' 233 | - name: 1.4.6 Check for unconfined daemons (Scored) 234 | debug: msg="*** Check via cron jobs or manually." 235 | tags: 236 | - scored 237 | - section1.4 238 | - section1.4.6 239 | -------------------------------------------------------------------------------- /roles/cis/tasks/section_02.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Copyright 2014 Major Hayden 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 
7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | # 17 | 18 | - include: section_02_level1.yml 19 | tags: 20 | - section2 21 | - level1 22 | 23 | - include: section_02_level2.yml 24 | tags: 25 | - section2 26 | - level2 27 | -------------------------------------------------------------------------------- /roles/cis/tasks/section_02_level1.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Copyright 2016 Alexander Verhaar 4 | # Copyright 2014 Major Hayden 5 | # 6 | # Licensed under the Apache License, Version 2.0 (the "License"); 7 | # you may not use this file except in compliance with the License. 8 | # You may obtain a copy of the License at 9 | # 10 | # http://www.apache.org/licenses/LICENSE-2.0 11 | # 12 | # Unless required by applicable law or agreed to in writing, software 13 | # distributed under the License is distributed on an "AS IS" BASIS, 14 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 | # See the License for the specific language governing permissions and 16 | # limitations under the License. 
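#

# Section 2.1 (Level 1): legacy network services.  Each "Remove" task
# uninstalls the package with yum state=absent.  Each "Disable" pair
# (2.1.12-2.1.18) first stats the service's /etc/xinetd.d file and only
# stops/disables the service when that file exists, so hosts without the
# service are left untouched.  2.1.11 (removing xinetd itself) lives in
# section_02_level2.yml.

- name: 2.1.1 Remove telnet-server (Scored)
  yum: >
    name=telnet-server
    state=absent
  tags:
    - scored
    - section2.1
    - section2.1.1

- name: 2.1.2 Remove telnet Clients (Scored)
  yum: >
    name=telnet
    state=absent
  tags:
    - scored
    - section2.1
    - section2.1.2

- name: 2.1.3 Remove rsh-server (Scored)
  yum: >
    name=rsh-server
    state=absent
  tags:
    - scored
    - section2.1
    - section2.1.3

- name: 2.1.4 Remove rsh (Scored)
  yum: >
    name=rsh
    state=absent
  tags:
    - scored
    - section2.1
    - section2.1.4

- name: 2.1.5 Remove NIS Client (Scored)
  yum: >
    name=ypbind
    state=absent
  tags:
    - scored
    - section2.1
    - section2.1.5

- name: 2.1.6 Remove NIS Server (Scored)
  yum: >
    name=ypserv
    state=absent
  tags:
    - scored
    - section2.1
    - section2.1.6

- name: 2.1.7 Remove tftp (Scored)
  yum: >
    name=tftp
    state=absent
  tags:
    - scored
    - section2.1
    - section2.1.7

- name: 2.1.8 Remove tftp-server (Scored)
  yum: >
    name=tftp-server
    state=absent
  tags:
    - scored
    - section2.1
    - section2.1.8

- name: 2.1.9 Remove talk (Scored)
  yum: >
    name=talk
    state=absent
  tags:
    - scored
    - section2.1
    - section2.1.9

- name: 2.1.10 Remove talk-server (Scored)
  yum: >
    name=talk-server
    state=absent
  tags:
    - scored
    - section2.1
    - section2.1.10

# "(Scored)" added to both 2.1.12 task names: they carry the `scored` tag and
# every sibling task 2.1.13-2.1.18 is named that way.
- name: 2.1.12 Disable chargen-dgram (check if exists) (Scored)
  stat: path=/etc/xinetd.d/chargen-dgram
  register: chargen_dgram
  tags:
    - scored
    - section2.1
    - section2.1.12

- name: 2.1.12 Disable chargen-dgram (disable xinetd service) (Scored)
  service: >
    name=chargen-dgram
    state=stopped
    enabled=no
  when: chargen_dgram.stat.exists
  tags:
    - scored
    - section2.1
    - section2.1.12

- name: 2.1.13 Disable chargen-stream (check if exists) (Scored)
  stat: path=/etc/xinetd.d/chargen-stream
  register: chargen_stream
  tags:
    - scored
    - section2.1
    - section2.1.13

- name: 2.1.13 Disable chargen-stream (disable xinetd service) (Scored)
  service: >
    name=chargen-stream
    state=stopped
    enabled=no
  when: chargen_stream.stat.exists
  tags:
    - scored
    - section2.1
    - section2.1.13

- name: 2.1.14 Disable daytime-dgram (check if exists) (Scored)
  stat: path=/etc/xinetd.d/daytime-dgram
  register: daytime_dgram
  tags:
    - scored
    - section2.1
    - section2.1.14

- name: 2.1.14 Disable daytime-dgram (disable xinetd service) (Scored)
  service: >
    name=daytime-dgram
    state=stopped
    enabled=no
  when: daytime_dgram.stat.exists
  tags:
    - scored
    - section2.1
    - section2.1.14

- name: 2.1.15 Disable daytime-stream (check if exists) (Scored)
  stat: path=/etc/xinetd.d/daytime-stream
  register: daytime_stream
  tags:
    - scored
    - section2.1
    - section2.1.15

- name: 2.1.15 Disable daytime-stream (disable xinetd service) (Scored)
  service: >
    name=daytime-stream
    state=stopped
    enabled=no
  when: daytime_stream.stat.exists
  tags:
    - scored
    - section2.1
    - section2.1.15

- name: 2.1.16 Disable echo-dgram (check if exists) (Scored)
  stat: path=/etc/xinetd.d/echo-dgram
  register: echo_dgram
  tags:
    - scored
    - section2.1
    - section2.1.16

- name: 2.1.16 Disable echo-dgram (disable xinetd service) (Scored)
  service: >
    name=echo-dgram
    state=stopped
    enabled=no
  when: echo_dgram.stat.exists
  tags:
    - scored
    - section2.1
    - section2.1.16

- name: 2.1.17 Disable echo-stream (check if exists) (Scored)
  stat: path=/etc/xinetd.d/echo-stream
  register: echo_stream
  tags:
    - scored
    - section2.1
    - section2.1.17

- name: 2.1.17 Disable echo-stream (disable xinetd service) (Scored)
  service: >
    name=echo-stream
    state=stopped
    enabled=no
  when: echo_stream.stat.exists
  tags:
    - scored
    - section2.1
    - section2.1.17

- name: 2.1.18 Disable tcpmux-server (check if exists) (Scored)
  stat: path=/etc/xinetd.d/tcpmux-server
  register: tcpmux_server
  tags:
    - scored
    - section2.1
    - section2.1.18

- name: 2.1.18 Disable tcpmux-server (disable xinetd service) (Scored)
  service: >
    name=tcpmux-server
    state=stopped
    enabled=no
  when: tcpmux_server.stat.exists
  tags:
    - scored
    - section2.1
    - section2.1.18

--------------------------------------------------------------------------------
/roles/cis/tasks/section_02_level2.yml:
--------------------------------------------------------------------------------
---
#
# Copyright 2014 Major Hayden
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.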
#

# Section 2.1 (Level 2).  The Level 1 file disables the individual xinetd
# services one by one; this task removes the xinetd package itself.
- name: 2.1.11 Remove xinetd (Scored)
  yum: >
    name=xinetd
    state=absent
  tags:
    - scored
    - section2.1
    - section2.1.11

--------------------------------------------------------------------------------
/roles/cis/tasks/section_03.yml:
--------------------------------------------------------------------------------
---
#
# Copyright 2014 Major Hayden
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# Section 3 entry point: pulls in the Level 1 and Level 2 task files.  Each
# include is tagged with the section and its level so a run can be narrowed
# to either profile by tag.
- include: section_03_level1.yml
  tags:
    - section3
    - level1

- include: section_03_level2.yml
  tags:
    - section3
    - level2

--------------------------------------------------------------------------------
/roles/cis/tasks/section_03_level1.yml:
--------------------------------------------------------------------------------
---
#
# Copyright 2016 Alexander Verhaar
# Copyright 2014 Major Hayden
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
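# See the License for the specific language governing permissions and
# limitations under the License.
#

# Section 3 (Level 1): special-purpose services.  Scored items remove or
# restrict packages unconditionally; the "Not Scored" removals (3.7-3.15)
# are gated on per-service role variables (ldap_client, ldap_server, nfs,
# dns, ftp, httpd, dovecot, samba, squid, snmp) so a host that legitimately
# runs one of these services can opt out.

- name: 3.1 Set Daemon umask (Scored)
  lineinfile: >
    dest=/etc/sysconfig/init
    state=present
    regexp=^umask
    line="umask 027"
  tags:
    - scored
    - section3.1

# Points the systemd default target at multi-user (no graphical login);
# force=yes replaces whatever default.target currently links to.
- name: 3.2 Remove X Windows (runlevel 3) (Scored)
  file: >
    src=/etc/systemd/system/multi-user.target
    dest=/etc/systemd/system/default.target
    state=link
    force=yes
  tags:
    - scored
    - section3.2

- name: 3.2 Remove X Windows (remove package group) (Scored)
  yum: >
    name=xorg-x11-server-common
    state=absent
  tags:
    - scored
    - section3.2

# The shell check only reports "enabled"/"disabled" (changed_when: False);
# the service task below acts on that result.  `&>` is a bash redirection,
# so this presumes the remote shell is bash - verify on the target platform.
- name: 3.3 Disable Avahi Server (disable service) (Scored)
  shell: systemctl is-enabled avahi-daemon &>/dev/null && echo "enabled" || echo "disabled"
  changed_when: False
  register: result3_3
  tags:
    - scored
    - section3.3

- name: 3.3 Disable Avahi Server (disable service) (Scored)
  service: >
    name=avahi-daemon
    state=stopped
    enabled=no
  when: "'enabled' in result3_3.stdout"
  tags:
    - scored
    - section3.3

- name: 3.4 Disable Print Server - CUPS (Not Scored)
  shell: systemctl is-enabled cups &>/dev/null && echo "enabled" || echo "disabled"
  changed_when: False
  register: result3_4
  tags:
    - notscored
    - section3.4

- name: 3.4 Disable Print Server - CUPS (Not Scored)
  service: >
    name=cups
    state=stopped
    enabled=no
  when: "'enabled' in result3_4.stdout"
  tags:
    - notscored
    - section3.4

- name: 3.5 Remove DHCP Server (Scored)
  yum: >
    name=dhcp
    state=absent
  tags:
    - scored
    - section3.5

# always_run lets the install happen even in check mode so the service and
# ntp.conf tasks that follow have something to act on.
- name: 3.6 Configure Network Time Protocol (ipv4) (Scored)
  yum: >
    pkg=ntp
    state=installed
  always_run: yes
  tags:
    - scored
    - section3.6

- name: 3.6 Configure Network Time Protocol (ipv4) (Scored)
  service: >
    name=ntpd
    state=started
    enabled=yes
  tags:
    - scored
    - section3.6

# Default restrict lines: no modification, no traps, no peering, no status
# queries from remote hosts; appended to ntp.conf if not already present.
- name: 3.6 Configure Network Time Protocol (ipv4) (Scored)
  lineinfile: >
    dest=/etc/ntp.conf
    state=present
    regexp="^restrict default"
    line="restrict default kod nomodify notrap nopeer noquery"
    insertafter=EOF
  tags:
    - scored
    - section3.6

- name: 3.6 Configure Network Time Protocol (ipv6) (Scored)
  lineinfile: >
    dest=/etc/ntp.conf
    state=present
    regexp="^restrict -6 default"
    line="restrict -6 default kod nomodify notrap nopeer noquery"
    insertafter=EOF
  tags:
    - scored
    - section3.6

- name: 3.7 Remove LDAP (Not Scored)
  yum: >
    name=openldap-clients
    state=absent
  when: ldap_client
  tags:
    - notscored
    - section3.7

- name: 3.7 Remove LDAP (Not Scored)
  yum: >
    name=openldap-servers
    state=absent
  when: ldap_server
  tags:
    - notscored
    - section3.7

# NOTE(review): these presence checks look for SysV init scripts under
# /etc/init.d.  The rest of this file drives systemd (systemctl, *.target),
# and on such hosts these paths may not exist, in which case the two
# disable tasks below are silently skipped - confirm on the target release.
- name: 3.8 Disable NFS and RPC (check for nfs-utils) (Not Scored)
  stat: path=/etc/init.d/nfslock
  register: nfs_utils
  tags:
    - notscored
    - section3.8

- name: 3.8 Disable NFS and RPC (check for rpcbind) (Not Scored)
  stat: path=/etc/init.d/rpcbind
  register: rpcbind
  tags:
    - notscored
    - section3.8

- name: 3.8 Disable NFS and RPC (nfs-utils services) (Not Scored)
  service: >
    name={{ item }}
    state=stopped
    enabled=no
  with_items:
    - nfslock
    - rpcgssd
    - rpcidmapd
    - rpcsvcgssd
  when: nfs_utils.stat.exists
  tags:
    - notscored
    - section3.8

# rpcbind is only stopped when the role variable `nfs` is set as well, since
# other RPC consumers may need it.
- name: 3.8 Disable NFS and RPC (rpcbind services) (Not Scored)
  service: >
    name=rpcbind
    state=stopped
    enabled=no
  when:
    - rpcbind.stat.exists
    - nfs
  tags:
    - notscored
    - section3.8

- name: 3.9 Remove DNS Server (Not Scored)
  yum: >
    name=bind
    state=absent
  when: dns
  tags:
    - notscored
    - section3.9

- name: 3.10 Remove FTP Server (Not Scored)
  yum: >
    name=vsftpd
    state=absent
  when: ftp
  tags:
    - notscored
    - section3.10

- name: 3.11 Remove HTTP Server (Not Scored)
  yum: >
    name=httpd
    state=absent
  when: httpd
  tags:
    - notscored
    - section3.11

- name: 3.12 Remove Dovecot (IMAP and POP3 services) (Not Scored)
  yum: >
    name=dovecot
    state=absent
  when: dovecot
  tags:
    - notscored
    - section3.12

- name: 3.13 Remove Samba (Not Scored)
  yum: >
    name=samba
    state=absent
  when: samba
  tags:
    - notscored
    - section3.13

- name: 3.14 Remove HTTP Proxy Server (Not Scored)
  yum: >
    name=squid
    state=absent
  when: squid
  tags:
    - notscored
    - section3.14

- name: 3.15 Remove SNMP Server (Not Scored)
  yum: >
    name=net-snmp
    state=absent
  when: snmp
  tags:
    - notscored
    - section3.15

- name: 3.16 Configure Mail Transfer Agent for Local-Only Mode (Scored)
  yum: >
    name=postfix
    state=present
  tags:
    - scored
    - section3.16

# Binds postfix to loopback only.  Two changes from the earlier version of
# this task: `backrefs=yes` is gone, because with backrefs lineinfile leaves
# the file untouched when the regexp matches nothing - a main.cf with no
# uncommented inet_interfaces line would have kept postfix's built-in
# listen-on-all default while the task reported success; without backrefs a
# missing line is appended instead.  `ignore_errors` is gone so a failure to
# apply this scored control is reported rather than masked.  backup=yes keeps
# a copy of the previous main.cf.  No handler is notified here, so the new
# setting takes effect at the next postfix reload/restart.
- name: 3.16 Configure Mail Transfer Agent for Local-Only Mode (Scored)
  lineinfile: >
    backup=yes
    state=present
    dest=/etc/postfix/main.cf
    regexp="^inet_interfaces"
    line="inet_interfaces = localhost"
  tags:
    - scored
    - section3.16

--------------------------------------------------------------------------------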
/roles/cis/tasks/section_03_level2.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Copyright 2014 Major Hayden 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | # 17 | 18 | # CIS Section 3 has no Level 2 checks -------------------------------------------------------------------------------- /roles/cis/tasks/section_04.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Copyright 2014 Major Hayden 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 
#

# Section 4 entry point: pulls in the Level 1 and Level 2 task files, each
# tagged with the section and its level so a run can be narrowed by tag.
- include: section_04_level1.yml
  tags:
    - section4
    - level1

- include: section_04_level2.yml
  tags:
    - section4
    - level2

--------------------------------------------------------------------------------
/roles/cis/tasks/section_04_level1.yml:
--------------------------------------------------------------------------------
---
#
# Copyright 2016 Alexander Verhaar
# Copyright 2014 Major Hayden
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# Section 4 (Level 1): network hardening.  4.1-4.4 persist kernel network
# parameters with the sysctl module (state=present); most of them pass
# ignoreerrors=true so an unknown key on this kernel does not abort the
# play.  4.5 installs and seeds TCP wrappers, 4.6 blocks uncommon protocol
# modules, 4.7 turns on firewalld.

# Note: this is the only sysctl task in the file without ignoreerrors=true.
- name: 4.1.1 Disable IP Forwarding (Scored)
  sysctl: >
    name=net.ipv4.ip_forward
    value=0
    state=present
  tags:
    - scored
    - section4.1
    - section4.1.1

- name: 4.1.2 Disable Send Packet Redirects (Scored)
  sysctl: >
    name=net.ipv4.conf.all.send_redirects
    value=0
    state=present
    ignoreerrors=true
  tags:
    - scored
    - section4.1
    - section4.1.2

- name: 4.1.2 Disable Send Packet Redirects (Scored)
  sysctl: >
    name=net.ipv4.conf.default.send_redirects
    value=0
    state=present
    ignoreerrors=true
  tags:
    - scored
    - section4.1
    - section4.1.2

- name: 4.2.1 Disable Source Routed Packet Acceptance (Scored)
  sysctl: >
    name=net.ipv4.conf.all.accept_source_route
    value=0
    state=present
    ignoreerrors=true
  tags:
    - scored
    - section4.2
    - section4.2.1

- name: 4.2.1 Disable Source Routed Packet Acceptance (Scored)
  sysctl: >
    name=net.ipv4.conf.default.accept_source_route
    value=0
    state=present
    ignoreerrors=true
  tags:
    - scored
    - section4.2
    - section4.2.1

- name: 4.2.2 Disable ICMP Redirect Acceptance (Scored)
  sysctl: >
    name=net.ipv4.conf.all.accept_redirects
    value=0
    state=present
    ignoreerrors=true
  tags:
    - scored
    - section4.2
    - section4.2.2

- name: 4.2.2 Disable ICMP Redirect Acceptance (Scored)
  sysctl: >
    name=net.ipv4.conf.default.accept_redirects
    value=0
    state=present
    ignoreerrors=true
  tags:
    - scored
    - section4.2
    - section4.2.2

# 4.2.3 (secure_redirects) and 4.2.7 (rp_filter) are in section_04_level2.yml.
- name: 4.2.4 Log Suspicious Packets (Scored)
  sysctl: >
    name=net.ipv4.conf.all.log_martians
    value=1
    state=present
    ignoreerrors=true
  tags:
    - scored
    - section4.2
    - section4.2.4

- name: 4.2.4 Log Suspicious Packets (Scored)
  sysctl: >
    name=net.ipv4.conf.default.log_martians
    value=1
    state=present
    ignoreerrors=true
  tags:
    - scored
    - section4.2
    - section4.2.4

- name: 4.2.5 Enable Ignore Broadcast Requests (Scored)
  sysctl: >
    name=net.ipv4.icmp_echo_ignore_broadcasts
    value=1
    state=present
    ignoreerrors=true
  tags:
    - scored
    - section4.2
    - section4.2.5

- name: 4.2.6 Enable Bad Error Message Protection (Scored)
  sysctl: >
    name=net.ipv4.icmp_ignore_bogus_error_responses
    value=1
    state=present
    ignoreerrors=true
  tags:
    - scored
    - section4.2
    - section4.2.6

- name: 4.2.8 Enable TCP SYN Cookies (Scored)
  sysctl: >
    name=net.ipv4.tcp_syncookies
    value=1
    state=present
    ignoreerrors=true
  tags:
    - scored
    - section4.2
    - section4.2.8

- name: 4.4.1.1 Disable IPv6 Router Advertisements (Not Scored)
  sysctl: >
    name=net.ipv6.conf.all.accept_ra
    value=0
    state=present
    ignoreerrors=true
  tags:
    - notscored
    - section4.4
    - section4.4.1
    - section4.4.1.1

- name: 4.4.1.1 Disable IPv6 Router Advertisements (Not Scored)
  sysctl: >
    name=net.ipv6.conf.default.accept_ra
    value=0
    state=present
    ignoreerrors=true
  tags:
    - notscored
    - section4.4
    - section4.4.1
    - section4.4.1.1

- name: 4.4.1.2 Disable IPv6 Redirect Acceptance (Not Scored)
  sysctl: >
    name=net.ipv6.conf.all.accept_redirects
    value=0
    state=present
    ignoreerrors=true
  tags:
    - notscored
    - section4.4
    - section4.4.1
    - section4.4.1.2

- name: 4.4.1.2 Disable IPv6 Redirect Acceptance (Not Scored)
  sysctl: >
    name=net.ipv6.conf.default.accept_redirects
    value=0
    state=present
    ignoreerrors=true
  tags:
    - notscored
    - section4.4
    - section4.4.1
    - section4.4.1.2

# Only the `.all` key is set here; unlike 4.4.1.x there is no `.default`
# counterpart for new interfaces.
- name: 4.4.2 Disable IPv6 (Not Scored)
  sysctl: >
    name=net.ipv6.conf.all.disable_ipv6
    value=1
    state=present
    ignoreerrors=true
  tags:
    - notscored
    - section4.4
    - section4.4.2

- name: 4.5.1 Install TCP Wrappers (Not Scored)
  yum: >
    name=tcp_wrappers
    state=present
  tags:
    - notscored
    - section4.5
    - section4.5.1

# hosts.allow is consulted before hosts.deny.  With the default of "ALL" this
# rule matches every client and the ALL:ALL deny in 4.5.4 is never reached,
# so the control only restricts access once `tcp_allow` is set to the hosts
# or networks that should be allowed in.
- name: 4.5.2 Create /etc/hosts.allow (Not Scored)
  lineinfile: >
    state=present
    create=yes
    dest=/etc/hosts.allow
    regexp=^ALL
    line=ALL:{{ tcp_allow | default("ALL") }}
  tags:
    - notscored
    - section4.5
    - section4.5.2

- name: 4.5.3 Verify Permissions on /etc/hosts.allow (Scored)
  file: >
    path=/etc/hosts.allow
    mode=0644
  tags:
    - scored
    - section4.5
    - section4.5.3

- name: 4.5.4 Create /etc/hosts.deny (Not Scored)
  lineinfile: >
    state=present
    create=yes
    dest=/etc/hosts.deny
    line=ALL:ALL
  tags:
    - notscored
    - section4.5
    - section4.5.4

- name: 4.5.5 Verify Permissions on /etc/hosts.deny (Scored)
  file: >
    path=/etc/hosts.deny
    mode=0644
  tags:
    - scored
    - section4.5
    - section4.5.5

# 4.6.x: an `install <module> /bin/true` line makes modprobe run /bin/true
# instead of loading the module.  The target file comes from the role
# variable modprobe_cis_conf and is created if missing.
- name: 4.6.1 Disable DCCP (Not Scored)
  lineinfile: >
    state=present
    create=yes
    dest="{{modprobe_cis_conf}}"
    line="install dccp /bin/true"
  tags:
    - notscored
    - section4.6
    - section4.6.1

- name: 4.6.2 Disable SCTP (Not Scored)
  lineinfile: >
    state=present
    create=yes
    dest="{{modprobe_cis_conf}}"
    line="install sctp /bin/true"
  tags:
    - notscored
    - section4.6
    - section4.6.2

- name: 4.6.3 Disable RDS (Not Scored)
  lineinfile: >
    state=present
    create=yes
    dest="{{modprobe_cis_conf}}"
    line="install rds /bin/true"
  tags:
    - notscored
    - section4.6
    - section4.6.3

- name: 4.6.4 Disable TIPC (Not Scored)
  lineinfile: >
    state=present
    create=yes
    dest="{{modprobe_cis_conf}}"
    line="install tipc /bin/true"
  tags:
    - notscored
    - section4.6
    - section4.6.4

# Skipped when the target is a docker container (presumably because there is
# no service manager to start firewalld under; see also the tests/ directory
# which runs this role in docker).
- name: 4.7 Enable firewalld (Scored)
  service: >
    name=firewalld
    enabled=yes
    state=started
  when: ansible_virtualization_type != "docker"
  tags:
    - scored
    - section4.7

--------------------------------------------------------------------------------
/roles/cis/tasks/section_04_level2.yml:
--------------------------------------------------------------------------------
---
#
# Copyright 2014 Major Hayden
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# Section 4 (Level 2): the two sysctl controls the Level 1 file leaves out,
# each applied to both the `.all` and `.default` interface settings.

- name: 4.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
  sysctl: >
    name=net.ipv4.conf.all.secure_redirects
    value=0
    state=present
    ignoreerrors=true
  tags:
    - scored
    - section4.2
    - section4.2.3

- name: 4.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
  sysctl: >
    name=net.ipv4.conf.default.secure_redirects
    value=0
    state=present
    ignoreerrors=true
  tags:
    - scored
    - section4.2
    - section4.2.3

- name: 4.2.7 Enable RFC-recommended Source Route Validation (Scored)
  sysctl: >
    name=net.ipv4.conf.all.rp_filter
    value=1
    state=present
    ignoreerrors=true
  tags:
    - scored
    - section4.2
    - section4.2.7

- name: 4.2.7 Enable RFC-recommended Source Route Validation (Scored)
  sysctl: >
    name=net.ipv4.conf.default.rp_filter
    value=1
    state=present
    ignoreerrors=true
  tags:
    - scored
    - section4.2
    - section4.2.7

--------------------------------------------------------------------------------
/roles/cis/tasks/section_05.yml:
--------------------------------------------------------------------------------
---
#
# Copyright 2014 Major Hayden
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# Section 5 entry point: pulls in the Level 1 and Level 2 task files, each
# tagged with the section and its level so a run can be narrowed by tag.
- include: section_05_level1.yml
  tags:
    - section5
    - level1

- include: section_05_level2.yml
  tags:
    - section5
    - level2

--------------------------------------------------------------------------------
/roles/cis/tasks/section_05_level1.yml:
--------------------------------------------------------------------------------
---
#
# Copyright 2014 Major Hayden
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
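#

# Section 5.1/5.3 (Level 1): rsyslog and logrotate.  5.1.3 installs the
# role's own rsyslog.conf; 5.1.5 and 5.1.6 then edit that file in place.
# No rsyslog restart is notified by any of these tasks, so the new
# configuration is only picked up once rsyslog is restarted.

- name: 5.1.1 Install the rsyslog package (Scored)
  yum: >
    name=rsyslog
    state=present
  tags:
    - scored
    - section5.1
    - section5.1.1

- name: 5.1.2 Activate the rsyslog Service (Scored)
  service: >
    name=rsyslog
    enabled=yes
    state=started
  tags:
    - scored
    - section5.1
    - section5.1.2

- name: 5.1.3 Configure /etc/rsyslog.conf (Not Scored)
  copy: >
    src=etc/rsyslog.conf
    dest=/etc/rsyslog.conf
    owner=root
    group=root
    mode=0644
  tags:
    - notscored
    - section5.1
    - section5.1.3

# state=touch creates the log files with the given ownership/mode but also
# updates their timestamps on every run, so this task reports "changed" each
# time the role is applied.
- name: 5.1.4 Create and Set Permissions on rsyslog Log Files (Scored)
  file: >
    path=/var/log/{{ item }}
    state=touch
    owner=root
    group=wheel
    mode=0640
  with_items:
    - messages
    - kern.log
    - daemon.log
    - syslog
    - unused.log
  tags:
    - scored
    - section5.1
    - section5.1.4

# Forwards everything ("*.*") over TCP ("@@") to rsyslog_dest; only applied
# when that variable is defined.
- name: 5.1.5 Configure rsyslog to Send Logs to a Remote Log Host (Scored)
  lineinfile: >
    state=present
    dest=/etc/rsyslog.conf
    regexp="^\*\.\*"
    line="*.* @@{{ rsyslog_dest }}"
  when: rsyslog_dest is defined
  tags:
    - scored
    - section5.1
    - section5.1.5

# Log-host side of 5.1.5, gated on rsyslog_host.  Both tasks previously
# omitted `dest`, which lineinfile requires, so they failed on every host
# where rsyslog_host was true; they now target /etc/rsyslog.conf like 5.1.5.
# Task order matters: the module load ($ModLoad) is appended before the
# listener directive ($InputTCPServerRun).
- name: 5.1.6 Accept Remote rsyslog Messages Only on Designated Log Hosts (Not Scored)
  lineinfile: >
    state=present
    dest=/etc/rsyslog.conf
    line="$ModLoad imtcp.so"
  when: rsyslog_host
  tags:
    - notscored
    - section5.1
    - section5.1.6

- name: 5.1.6 Accept Remote rsyslog Messages Only on Designated Log Hosts (Not Scored)
  lineinfile: >
    state=present
    dest=/etc/rsyslog.conf
    line="$InputTCPServerRun 514"
  when: rsyslog_host
  tags:
    - notscored
    - section5.1
    - section5.1.6

- name: 5.3 Configure logrotate (Not Scored)
  copy: >
    src=etc/logrotate.d/syslog
    dest=/etc/logrotate.d/syslog
  tags:
    - notscored
    - section5.3
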
--------------------------------------------------------------------------------
/roles/cis/tasks/section_05_level2.yml:
--------------------------------------------------------------------------------
---
#
# Copyright 2016 Alexander Verhaar
# Copyright 2014 Major Hayden
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# Section 5.2 (Level 2): auditd.  The 5.2.1.x tasks rewrite single settings
# in /etc/audit/auditd.conf, taking each value from a role variable of the
# same name, and notify the "Reload auditd Rules" handler.

- name: 5.2.1.1 Configure Audit Log Storage Size (Not Scored)
  lineinfile: >
    state=present
    dest=/etc/audit/auditd.conf
    regexp="^max_log_file ="
    line="max_log_file = {{ max_log_file }}"
  notify: Reload auditd Rules
  tags:
    - notscored
    - section5.2
    - section5.2.1
    - section5.2.1.1

- name: 5.2.1.2 Disable System on Audit Log Full (Not Scored)
  lineinfile: >
    state=present
    dest=/etc/audit/auditd.conf
    regexp="^space_left_action ="
    line="space_left_action = {{ space_left_action }}"
  notify: Reload auditd Rules
  tags:
    - notscored
    - section5.2
    - section5.2.1
    - section5.2.1.2

- name: 5.2.1.2 Disable System on Audit Log Full (Not Scored)
  lineinfile: >
    state=present
    dest=/etc/audit/auditd.conf
    regexp="^action_mail_acct ="
    line="action_mail_acct = {{ action_mail_acct }}"
  notify: Reload auditd Rules
  tags:
    - notscored
    - section5.2
    - section5.2.1
    - section5.2.1.2

- name: 5.2.1.2 Disable System on Audit Log Full (Not Scored)
  lineinfile: >
    state=present
    dest=/etc/audit/auditd.conf
    regexp="^admin_space_left_action ="
    line="admin_space_left_action = {{ admin_space_left_action }}"
  notify: Reload auditd Rules
  tags:
    - notscored
    - section5.2
    - section5.2.1
    - section5.2.1.2

- name: 5.2.1.3 Keep All Auditing Information (Scored)
  lineinfile: >
    state=present
    dest=/etc/audit/auditd.conf
    regexp="^max_log_file_action ="
    line="max_log_file_action = {{ max_log_file_action }}"
  notify: Reload auditd Rules
  tags:
    - scored
    - section5.2
    - section5.2.1
    - section5.2.1.3

# ignore_errors here presumably covers the non-zero exit `systemctl
# is-enabled` returns for a unit that is not enabled; the registered stdout
# is what the next task keys on.
- name: 5.2.2 Enable auditd Service (Scored)
  shell: systemctl is-enabled auditd.service
  register: result5_2_2
  ignore_errors: True
  tags:
    - scored
    - section5.2
    - section5.2.2

# NOTE(review): `state=running` is the older spelling; the other service
# tasks in this role (5.1.2, 6.1.2) use `state=started` - confirm the
# Ansible version in use still accepts `running`.
- name: 5.2.2 Enable auditd Service (Scored)
  service: >
    name=auditd
    enabled=yes
    state=running
  when: "'enabled' not in result5_2_2.stdout"
  tags:
    - scored
    - section5.2
    - section5.2.2

# Adds the audit boot parameter to the kernel line in /etc/default/grub.
- name: 5.2.3 Enable Auditing for Processes That Start Prior to auditd (Scored)
  lineinfile: >
    state=present
    dest=/etc/default/grub
    backrefs=yes
    regexp="(^\s*kernel.*)$(?
# [page extract truncated here: original lines 110-117 of this file are not
#  present in the listing, so the remainder of the 5.2.3 regexp/line and the
#  header of the task that installs audit.rules are unknown]
    src=etc/audit/audit.rules
    dest=/etc/audit/audit.rules
  notify: Reload auditd Rules
  tags:
    - scored
    - section5.2
    - section5.2.4
    - section5.2.5
    - section5.2.6
    - section5.2.7
    - section5.2.8
    - section5.2.9
    - section5.2.10
    - section5.2.11
    - section5.2.12
    - section5.2.13
    - section5.2.14
    - section5.2.15
    - section5.2.16
    - section5.2.17
    - section5.2.18

--------------------------------------------------------------------------------
/roles/cis/tasks/section_06.yml:
--------------------------------------------------------------------------------
---
#
# Copyright 2014 Major Hayden
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# Section 6 entry point: pulls in the Level 1 and Level 2 task files, each
# tagged with the section and its level so a run can be narrowed by tag.
- include: section_06_level1.yml
  tags:
    - section6
    - level1

- include: section_06_level2.yml
  tags:
    - section6
    - level2

--------------------------------------------------------------------------------
/roles/cis/tasks/section_06_level1.yml:
--------------------------------------------------------------------------------
---
#
# Copyright 2014 Major Hayden
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
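# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# Section 6.1 (Level 1): cron/anacron.  Installs and enables the daemons,
# then restricts ownership and permissions of the crontab files and the
# cron.* directories to root.

- name: 6.1.1 Enable anacron Daemon (Scored)
  yum: >
    name=cronie-anacron
    state=present
  tags:
    - scored
    - section6.1
    - section6.1.1

- name: 6.1.2 Enable crond Daemon (Scored)
  service: >
    name=crond
    enabled=yes
    state=started
  tags:
    - scored
    - section6.1
    - section6.1.2

- name: 6.1.3 Set User/Group Owner and Permission on /etc/anacrontab (Scored)
  file: >
    path=/etc/anacrontab
    owner=root
    group=root
    mode=0600
  tags:
    - scored
    - section6.1
    - section6.1.3

- name: 6.1.4 Set User/Group Owner and Permission on /etc/crontab (Scored)
  file: >
    path=/etc/crontab
    owner=root
    group=root
    mode=0600
  tags:
    - scored
    - section6.1
    - section6.1.4

# /etc/cron.hourly, cron.daily and cron.weekly are directories, so they are
# handled the same way as /etc/cron.d in 6.1.9: state=directory and 0700,
# which removes all group/other access while keeping the owner's search bit.
# The earlier 0600 (a regular-file mode) also stripped the owner's execute
# bit from the directory, which 6.1.9 does not do for cron.d.  The same
# treatment applies to /etc/cron.monthly (6.1.8, below).
- name: 6.1.5 Set User/Group Owner and Permission on /etc/cron.hourly (Scored)
  file: >
    path=/etc/cron.hourly
    state=directory
    owner=root
    group=root
    mode=0700
  tags:
    - scored
    - section6.1
    - section6.1.5

- name: 6.1.6 Set User/Group Owner and Permission on /etc/cron.daily (Scored)
  file: >
    path=/etc/cron.daily
    state=directory
    owner=root
    group=root
    mode=0700
  tags:
    - scored
    - section6.1
    - section6.1.6

- name: 6.1.7 Set User/Group Owner and Permission on /etc/cron.weekly (Scored)
  file: >
    path=/etc/cron.weekly
    state=directory
    owner=root
    group=root
    mode=0700
  tags:
    - scored
    - section6.1
    - section6.1.7
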
| 92 | - name: 6.1.8 Set User/Group Owner and Permission on /etc/cron.monthly (Scored) 93 | file: > 94 | path=/etc/cron.monthly 95 | owner=root 96 | group=root 97 | mode=0600 98 | tags: 99 | - scored 100 | - section6.1 101 | - section6.1.8 102 | 103 | - name: 6.1.9 Set User/Group Owner and Permission on /etc/cron.d (Scored) 104 | file: > 105 | path=/etc/cron.d 106 | state=directory 107 | owner=root 108 | group=root 109 | mode=0700 110 | tags: 111 | - scored 112 | - section6.1 113 | - section6.1.9 114 | 115 | - name: 6.1.10 Restrict at Daemon (Scored) 116 | file: > 117 | path=/etc/at.deny 118 | state=absent 119 | tags: 120 | - scored 121 | - section6.1 122 | - section6.1.10 123 | 124 | - name: 6.1.10 Restrict at Daemon (Scored) 125 | file: > 126 | path=/etc/at.allow 127 | state=touch 128 | owner=root 129 | group=root 130 | mode=0600 131 | tags: 132 | - scored 133 | - section6.1 134 | - section6.1.10 135 | 136 | - name: 6.1.11 Restrict at/cron to Authorized Users (Scored) 137 | file: > 138 | path=/etc/cron.deny 139 | state=absent 140 | tags: 141 | - scored 142 | - section6.1 143 | - section6.1.11 144 | 145 | - name: 6.1.11 Restrict at/cron to Authorized Users (Scored) 146 | file: > 147 | path=/etc/cron.allow 148 | state=touch 149 | owner=root 150 | group=root 151 | mode=0600 152 | tags: 153 | - scored 154 | - section6.1 155 | - section6.1.11 156 | 157 | - name: 6.2.1 Set SSH Protocol to 2 (Scored) 158 | lineinfile: > 159 | dest=/etc/ssh/sshd_config 160 | regexp="^Protocol " line="Protocol 2" 161 | notify: Reload sshd 162 | tags: 163 | - scored 164 | - section6.2 165 | - section6.2.1 166 | 167 | - name: 6.2.2 Set LogLevel to INFO (Scored) 168 | lineinfile: > 169 | dest=/etc/ssh/sshd_config 170 | regexp="^LogLevel " 171 | line="LogLevel INFO" 172 | notify: Reload sshd 173 | tags: 174 | - scored 175 | - section6.2 176 | - section6.2.2 177 | 178 | - name: 6.2.3 Set Permissions on /etc/ssh/sshd_config (Scored) 179 | file: > 180 | path=/etc/ssh/sshd_config 181 | owner=root 
182 | group=root 183 | mode=0600 184 | notify: Reload sshd 185 | tags: 186 | - scored 187 | - section6.2 188 | - section6.2.3 189 | 190 | - name: 6.2.4 Disable SSH X11 Forwarding (Scored) 191 | lineinfile: > 192 | dest=/etc/ssh/sshd_config 193 | regexp="^X11Forwarding " 194 | line="X11Forwarding no" 195 | notify: Reload sshd 196 | tags: 197 | - scored 198 | - section6.2 199 | - section6.2.4 200 | 201 | - name: 6.2.5 Set SSH MaxAuthTries to 4 or Less (Scored) 202 | lineinfile: > 203 | dest=/etc/ssh/sshd_config 204 | regexp="^MaxAuthTries " 205 | line="MaxAuthTries 4" 206 | notify: Reload sshd 207 | tags: 208 | - scored 209 | - section6.2 210 | - section6.2.5 211 | 212 | - name: 6.2.6 Set SSH IgnoreRhosts to Yes (Scored) 213 | lineinfile: > 214 | dest=/etc/ssh/sshd_config 215 | regexp="^IgnoreRhosts " 216 | line="IgnoreRhosts yes" 217 | notify: Reload sshd 218 | tags: 219 | - scored 220 | - section6.2 221 | - section6.2.6 222 | 223 | - name: 6.2.7 Set SSH HostbasedAuthentication to No (Scored) 224 | lineinfile: > 225 | dest=/etc/ssh/sshd_config 226 | regexp="^HostbasedAuthentication " 227 | line="HostbasedAuthentication no" 228 | notify: Reload sshd 229 | tags: 230 | - scored 231 | - section6.2 232 | - section6.2.7 233 | 234 | - name: 6.2.8 Disable SSH Root Login (Scored) 235 | lineinfile: > 236 | dest=/etc/ssh/sshd_config 237 | regexp="^PermitRootLogin " 238 | line="PermitRootLogin no" 239 | notify: Reload sshd 240 | tags: 241 | - scored 242 | - section6.2 243 | - section6.2.8 244 | 245 | - name: 6.2.9 Set SSH PermitEmptyPasswords to No (Scored) 246 | lineinfile: > 247 | dest=/etc/ssh/sshd_config 248 | regexp="^PermitEmptyPasswords " 249 | line="PermitEmptyPasswords no" 250 | notify: Reload sshd 251 | tags: 252 | - scored 253 | - section6.2 254 | - section6.2.9 255 | 256 | - name: 6.2.10 Do Not Allow Users to Set Environment Options (Scored) 257 | lineinfile: > 258 | dest=/etc/ssh/sshd_config 259 | regexp="^PermitUserEnvironment " 260 | line="PermitUserEnvironment 
no" 261 | notify: Reload sshd 262 | tags: 263 | - scored 264 | - section6.2 265 | - section6.2.10 266 | 267 | - name: 6.2.11 Use Only Approved Cipher in Counter Mode (Scored) 268 | lineinfile: > 269 | dest=/etc/ssh/sshd_config 270 | regexp="^Ciphers " 271 | line="Ciphers aes128-ctr,aes192-ctr,aes256-ctr" 272 | notify: Reload sshd 273 | tags: 274 | - scored 275 | - section6.2 276 | - section6.2.11 277 | 278 | - name: 6.2.12 Set Idle Timeout Interval for User Login (Scored) 279 | lineinfile: > 280 | dest=/etc/ssh/sshd_config 281 | regexp="^ClientAliveInterval " 282 | line="ClientAliveInterval 300" 283 | notify: Reload sshd 284 | tags: 285 | - scored 286 | - section6.2 287 | - section6.2.12 288 | 289 | - name: 6.2.12 Set Idle Timeout Interval for User Login (Scored) 290 | lineinfile: > 291 | dest=/etc/ssh/sshd_config 292 | regexp="^ClientAliveCountMax " 293 | line="ClientAliveCountMax 0" 294 | notify: Reload sshd 295 | tags: 296 | - scored 297 | - section6.2 298 | - section6.2.12 299 | 300 | - name: 6.2.13 Limit Access via SSH (Scored) 301 | lineinfile: > 302 | dest=/etc/ssh/sshd_config 303 | regexp="^AllowGroups " 304 | line="AllowGroups {{ ssh_allow_groups }}" 305 | when: ssh_allow_groups is defined 306 | notify: Reload sshd 307 | tags: 308 | - scored 309 | - section6.2 310 | - section6.2.13 311 | 312 | - name: 6.2.13 Limit Access via SSH (Scored) 313 | lineinfile: > 314 | dest=/etc/ssh/sshd_config 315 | regexp="^AllowUsers " 316 | line="AllowUsers {{ ssh_allow_users }}" 317 | when: ssh_allow_users is defined 318 | notify: Reload sshd 319 | tags: 320 | - scored 321 | - section6.2 322 | - section6.2.13 323 | 324 | - name: 6.2.13 Limit Access via SSH (Scored) 325 | lineinfile: > 326 | dest=/etc/ssh/sshd_config 327 | regexp="^DenyGroups " 328 | line="DenyGroups {{ ssh_deny_groups }}" 329 | when: ssh_deny_groups is defined 330 | notify: Reload sshd 331 | tags: 332 | - scored 333 | - section6.2 334 | - section6.2.13 335 | 336 | - name: 6.2.13 Limit Access via SSH 
(Scored) 337 | lineinfile: > 338 | dest=/etc/ssh/sshd_config 339 | regexp="^DenyUsers " 340 | line="DenyUsers {{ ssh_deny_users }}" 341 | when: ssh_deny_users is defined 342 | notify: Reload sshd 343 | tags: 344 | - scored 345 | - section6.2 346 | - section6.2.13 347 | 348 | - name: 6.2.14 Set SSH Banner (Scored) 349 | lineinfile: > 350 | dest=/etc/ssh/sshd_config 351 | regexp="^Banner " 352 | line="Banner /etc/issue.net" 353 | notify: Reload sshd 354 | tags: 355 | - scored 356 | - section6.2 357 | - section6.2.14 358 | 359 | - name: 6.3.1 Ensure authconfig package is installed 360 | yum: 361 | name: authconfig 362 | state: present 363 | 364 | - name: 6.3.1 Upgrade Password Hashing Algorithm to SHA-512 (Scored) 365 | shell: 'authconfig --test | grep hashing' 366 | register: password_hash_algorithm 367 | always_run: yes 368 | tags: 369 | - scored 370 | - section6.3 371 | - section6.3.1 372 | 373 | - name: 6.3.1 Upgrade Password Hashing Algorithm to SHA-512 (Scored) 374 | shell: authconfig --passalgo=sha512 --update 375 | when: '"sha512" not in password_hash_algorithm.stdout' 376 | tags: 377 | - scored 378 | - section6.3 379 | - section6.3.1 380 | 381 | - name: 6.3.2 Set Password Creation Requirement Parameters Using pam_pwquality (Scored) 382 | lineinfile: > 383 | dest=/etc/security/pwquality.conf 384 | regexp="{{item.regexp}}" 385 | line="{{item.line}}" 386 | with_items: 387 | - { regexp: 'minlen', line: 'minlen=14' } 388 | - { regexp: 'dcredit', line: 'dcredit=-1' } 389 | - { regexp: 'ucredit', line: 'ucredit=-1' } 390 | - { regexp: 'ocredit', line: 'ocredit=-1' } 391 | - { regexp: 'lcredit', line: 'lcredit=-1' } 392 | tags: 393 | - scored 394 | - section6.3 395 | - section6.3.2 396 | 397 | - name: 6.3.2 - 6.3.4 Configure PAM (Scored) 398 | copy: > 399 | src=etc/pam.d/system-auth 400 | dest=/etc/pam.d/system-auth 401 | tags: 402 | - scored 403 | - section6.3 404 | - section6.3.2 405 | - section6.3.3 406 | - section6.3.4 407 | 408 | - name: 6.3.2 - 6.3.4 Configure 
PAM (Scored) 409 | copy: > 410 | src=etc/pam.d/password-auth 411 | dest=/etc/pam.d/password-auth 412 | tags: 413 | - scored 414 | - section6.3 415 | - section6.3.2 416 | - section6.3.3 417 | - section6.3.4 418 | 419 | - name: 6.4 Restrict root login to system console (Not Scored) 420 | debug: msg="Too restrictive for most environments." 421 | tags: 422 | - notscored 423 | - section6.4 424 | 425 | - name: 6.5 Restrict Access to the su Command (Scored) 426 | lineinfile: > 427 | dest=/etc/pam.d/su 428 | line="auth required pam_wheel.so use_uid" 429 | regexp="auth\s+required\s+pam_wheel\.so\s+use_uid" 430 | tags: 431 | - scored 432 | - section6.5 433 | -------------------------------------------------------------------------------- /roles/cis/tasks/section_06_level2.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Copyright 2014 Major Hayden 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | # 17 | 18 | # CIS Section 6 has no Level 2 checks -------------------------------------------------------------------------------- /roles/cis/tasks/section_07.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # Copyright 2014 Major Hayden 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 
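# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# Section 7 entry point: pulls in the Level 1 and Level 2 task files, each
# tagged so a single profile level can be selected with --tags.
- include: section_07_level1.yml
  tags:
    - section7
    - level1

- include: section_07_level2.yml
  tags:
    - section7
    - level2

--------------------------------------------------------------------------------
/roles/cis/tasks/section_07_level1.yml:
--------------------------------------------------------------------------------
---
#
# Copyright 2014 Major Hayden
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# CIS Section 7, Level 1: password ageing (7.1), system accounts (7.2),
# root's default group (7.3), default umask (7.4) and inactive accounts (7.5).

# 7.1.x: backrefs=yes makes lineinfile rewrite the existing PASS_* setting in
# place and leave the file untouched if the setting is absent (nothing is
# appended). NOTE(review): the "\t" in line is expected to become a real tab
# during backreference expansion - confirm on the target login.defs.
- name: 7.1.1 Set Password Expiration Days (Scored)
  lineinfile: >
    backup=yes
    state=present
    dest=/etc/login.defs
    backrefs=yes
    regexp="^PASS_MAX_DAYS\s+"
    line="PASS_MAX_DAYS\t90"
  tags:
    - scored
    - section7.1
    - section7.1.1

- name: 7.1.2 Set Password Change Minimum Number of Days (Scored)
  lineinfile: >
    backup=yes
    state=present
    dest=/etc/login.defs
    backrefs=yes
    regexp="^PASS_MIN_DAYS\s+"
    line="PASS_MIN_DAYS\t7"
  tags:
    - scored
    - section7.1
    - section7.1.2

- name: 7.1.3 Set Password Expiring Warning Days (Scored)
  lineinfile: >
    backup=yes
    state=present
    dest=/etc/login.defs
    backrefs=yes
    regexp="^PASS_WARN_AGE\s+"
    line="PASS_WARN_AGE\t7"
  tags:
    - scored
    - section7.1
    - section7.1.3

- name: 7.2 Disable System Accounts (Scored) - preparation
  # System accounts are those below UID_MIN from /etc/login.defs (500 on
  # RHEL 6, 1000 on RHEL 7); 500 is used if the setting is absent. root and
  # the accounts that need a real shell to shut the system down are excluded,
  # as is anything already set to /sbin/nologin.
  shell: |
    uid_min=$(awk '$1 == "UID_MIN" { print $2 }' /etc/login.defs)
    awk -F: -v min="${uid_min:-500}" \
      '($3 < min && $1 != "root" && $1 != "sync" && $1 != "shutdown" && $1 != "halt" && $7 != "/sbin/nologin") { print $1 }' /etc/passwd
  register: enabled_system_accounts
  changed_when: false
  tags:
    - scored
    - section7.2

- name: 7.2 Disable System Accounts (Scored)
  # Runs once per account reported above; an empty list loops zero times, so
  # "changed" is only reported when a shell was actually replaced.
  command: /usr/sbin/usermod -s /sbin/nologin {{ item }}
  with_items: "{{ enabled_system_accounts.stdout_lines }}"
  tags:
    - scored
    - section7.2

- name: 7.3 Set Default Group for root Account (Scored)
  user: >
    name=root
    group=root
  tags:
    - scored
    - section7.3

- name: 7.4 Set Default umask for Users (Scored)
  # create=yes lets the first run create the profile.d snippet. Errors are
  # not ignored: a failure to write it would silently leave the distribution
  # default umask in place.
  lineinfile: >
    state=present
    create=yes
    dest=/etc/profile.d/cis.sh
    line="umask 077"
  tags:
    - scored
    - section7.4

- name: Ensure that /etc/profile.d/cis.sh has correct owner, group and mode
  # 0644 so every login shell can source the snippet; changes are reported.
  file: >
    path=/etc/profile.d/cis.sh
    owner=root
    group=root
    mode=0644
  tags:
    - scored
    - section7.4

- name: 7.5 Lock Inactive User Accounts (Scored)
  # Same effect as "useradd -D -f 35", which writes this setting to
  # /etc/default/useradd; lineinfile is idempotent and only reports a change
  # when the value actually differs. Gated by the lock_inactive role variable.
  lineinfile: >
    dest=/etc/default/useradd
    regexp="^INACTIVE="
    line="INACTIVE=35"
    create=yes
  when: lock_inactive
  tags:
    - scored
    - section7.5
--------------------------------------------------------------------------------
/roles/cis/tasks/section_07_level2.yml:
--------------------------------------------------------------------------------
---
#
# Copyright 2014 Major Hayden
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# CIS Section 7 has no Level 2 checks
--------------------------------------------------------------------------------
/roles/cis/tasks/section_08.yml:
--------------------------------------------------------------------------------
---
#
# Copyright 2014 Major Hayden
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.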
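# See the License for the specific language governing permissions and
# limitations under the License.
#

# Section 8 entry point: pulls in the Level 1 and Level 2 task files, each
# tagged so a single profile level can be selected with --tags.
- include: section_08_level1.yml
  tags:
    - section8
    - level1

- include: section_08_level2.yml
  tags:
    - section8
    - level2
--------------------------------------------------------------------------------
/roles/cis/tasks/section_08_level1.yml:
--------------------------------------------------------------------------------
---
#
# Copyright 2016 Alexander Verhaar
# Copyright 2014 Major Hayden
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# CIS Section 8, Level 1: login warning banners. The three banner files are
# installed from the role's files/etc directory (8.1) and then stripped of
# agetty escapes that would reveal OS details (8.2).

- name: 8.1 Set Warning Banner for Standard Login Services (Scored)
  # Inspect the existing banner files; the results drive the symlink cleanup
  # below (one entry per item, in the same order).
  stat: path=/etc/{{ item }}
  register: stats
  with_items:
    - motd
    - issue
    - issue.net
  tags:
    - scored
    - section8.1

- name: 8.1 Set Warning Banner for Standard Login Services (Scored)
  # A banner that is a symlink is removed first so the copy below produces a
  # regular file at the expected path instead of acting on the link target.
  # item.item is the original loop value (motd / issue / issue.net); the
  # "exists" guard keeps the islnk lookup from failing on a missing file.
  file: >
    path=/etc/{{ item.item }}
    state=absent
  with_items: "{{ stats.results }}"
  when: item.stat.exists and item.stat.islnk
  tags:
    - scored
    - section8.1

- name: 8.1 Set Warning Banner for Standard Login Services (Scored)
  # Install the role's banner text and set ownership/mode in the same step.
  copy: >
    src=etc/{{ item }}
    dest=/etc/{{ item }}
    owner=root
    group=root
    mode=0644
  with_items:
    - motd
    - issue
    - issue.net
  tags:
    - scored
    - section8.1

- name: 8.2 Remove OS Information from Login Warning Banners (Scored)
  # agetty escapes that leak platform details: \m (machine), \r (kernel
  # release), \s (system name) and \v (kernel version). YAML single quotes
  # keep the backslashes literal, so each '\\x' is the regex for a literal
  # backslash followed by that letter.
  replace:
    dest: /etc/{{ item }}
    regexp: '\\m|\\r|\\s|\\v'
    replace: '[CIS replaced]'
  with_items:
    - motd
    - issue
    - issue.net
  tags:
    - scored
    - section8.2

# - name: 8.3 Set GNOME Warning Banner (Not Scored)
#   debug: msg="*** Will do later"
#   tags:
#     - scored
#     - section8.3

--------------------------------------------------------------------------------
/roles/cis/tasks/section_08_level2.yml:
--------------------------------------------------------------------------------
---
#
# Copyright 2014 Major Hayden
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# CIS Section 8 has no Level 2 checks
--------------------------------------------------------------------------------
/roles/cis/tasks/section_09.yml:
--------------------------------------------------------------------------------
---
#
# Copyright 2014 Major Hayden
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.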
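#

# CIS Section 9, Level 1: permissions on the account databases (9.1) and
# user/group consistency audits (9.2). The 9.2 tasks only report: any output
# from a probe marks the task "changed" and, where the benchmark item is a
# hard requirement, "failed" (softened to a report by ignore_errors where
# set). Nothing in 9.2 modifies the system.

- name: 9.1.2 Verify Permissions on /etc/passwd (Scored)
  file: >
    path=/etc/passwd
    mode=0644
  tags:
    - scored
    - section9.1
    - section9.1.2

- name: 9.1.3 Verify Permissions on /etc/shadow (Scored)
  file: >
    path=/etc/shadow
    mode=0000
  tags:
    - scored
    - section9.1
    - section9.1.3

- name: 9.1.4 Verify Permissions on /etc/gshadow (Scored)
  file: >
    path=/etc/gshadow
    mode=0000
  tags:
    - scored
    - section9.1
    - section9.1.4

- name: 9.1.5 Verify Permissions on /etc/group (Scored)
  file: >
    path=/etc/group
    mode=0644
  tags:
    - scored
    - section9.1
    - section9.1.5

- name: 9.1.6 Verify User/Group Ownership on /etc/passwd (Scored)
  file: >
    path=/etc/passwd
    owner=root
    group=root
  tags:
    - scored
    - section9.1
    - section9.1.6

- name: 9.1.7 Verify User/Group Ownership on /etc/shadow (Scored)
  file: >
    path=/etc/shadow
    owner=root
    group=root
  tags:
    - scored
    - section9.1
    - section9.1.7

- name: 9.1.8 Verify User/Group Ownership on /etc/gshadow (Scored)
  file: >
    path=/etc/gshadow
    owner=root
    group=root
  tags:
    - scored
    - section9.1
    - section9.1.8

- name: 9.1.9 Verify User/Group Ownership on /etc/group (Scored)
  file: >
    path=/etc/group
    owner=root
    group=root
  tags:
    - scored
    - section9.1
    - section9.1.9

# 9.1.10 - 9.1.14: walk every local filesystem (df --local) without crossing
# mount points (-xdev). These are audits gated by verify_find: findings are
# registered and surfaced as "changed" for the operator to review; nothing is
# modified.
- name: 9.1.10 Find World Writable Files (Not Scored)
  shell: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002"
  register: result9_1_10
  changed_when: "result9_1_10.stdout"
  when: verify_find
  tags:
    - notscored
    - section9.1
    - section9.1.10

- name: 9.1.11 Find Un-owned Files and Directories (Scored)
  shell: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls"
  register: result9_1_11
  changed_when: "result9_1_11.stdout"
  when: verify_find
  tags:
    - scored
    - section9.1
    - section9.1.11

- name: 9.1.12 Find Un-grouped Files and Directories (Scored)
  shell: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls"
  register: result9_1_12
  changed_when: "result9_1_12.stdout"
  when: verify_find
  tags:
    - scored
    - section9.1
    - section9.1.12

- name: 9.1.13 Find SUID System Executables (Not Scored)
  # Lists set-UID files on local filesystems. The benchmark expects each hit
  # to be checked against its owning package (rpm -V $(rpm -qf FILE)) and
  # justified; that review is left to the operator. Runs under either the
  # verify_find or the verify_rpm switch.
  shell: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000 -print"
  register: suid
  changed_when: "suid.stdout"
  when: verify_find or verify_rpm
  tags:
    - notscored
    - section9.1
    - section9.1.13

- name: 9.1.14 Find SGID System Executables (Not Scored)
  # Same as 9.1.13 for set-GID files.
  shell: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 -print"
  register: sgid
  changed_when: "sgid.stdout"
  when: verify_find or verify_rpm
  tags:
    - notscored
    - section9.1
    - section9.1.14

- name: 9.2.1 Ensure Password Fields are Not Empty (Scored)
  # Reports accounts whose shadow password field is empty (no password at all).
  shell: /bin/awk -F':' '($2 == "" ) { print $1 " does not have a password "}' /etc/shadow
  register: result9_2_1
  changed_when: "result9_2_1.stdout"
  always_run: yes
  tags:
    - scored
    - section9.2
    - section9.2.1

# 9.2.2 - 9.2.4: grep exits 0 when a legacy NIS "+" entry is present, which is
# the failure case; ignore_errors turns the failure into a report.
- name: 9.2.2 Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored)
  shell: /bin/grep '^+:' /etc/passwd
  register: result9_2_2
  failed_when: result9_2_2.rc == 0
  changed_when: result9_2_2.rc == 0
  always_run: yes
  ignore_errors: yes
  tags:
    - scored
    - section9.2
    - section9.2.2

- name: 9.2.3 Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored)
  shell: /bin/grep '^+:' /etc/shadow
  register: result9_2_3
  failed_when: result9_2_3.rc == 0
  changed_when: result9_2_3.rc == 0
  always_run: yes
  ignore_errors: yes
  tags:
    - scored
    - section9.2
    - section9.2.3

- name: 9.2.4 Verify No Legacy "+" Entries Exist in /etc/group File (Scored)
  shell: /bin/grep '^+:' /etc/group
  register: result9_2_4
  failed_when: result9_2_4.rc == 0
  changed_when: result9_2_4.rc == 0
  always_run: yes
  ignore_errors: yes
  tags:
    - scored
    - section9.2
    - section9.2.4

- name: 9.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
  # Print every UID 0 account except root: grep -v exits 0 (and the task
  # fails) only when such an account exists, and its name is left in stdout.
  shell: /bin/awk -F':' '($3 == 0) { print $1 }' /etc/passwd | grep -vx 'root'
  register: result9_2_5
  failed_when: result9_2_5.rc == 0
  changed_when: result9_2_5.rc == 0
  always_run: yes
  ignore_errors: yes
  tags:
    - scored
    - section9.2
    - section9.2.5

- name: 9.2.6 Ensure root PATH Integrity (Scored)
  # Flags empty entries, a trailing ":", ".", group/other-writable entries
  # and entries not owned by root. NOTE(review): $PATH is the environment of
  # this task's shell, not necessarily root's interactive login PATH -
  # confirm that is the intent.
  shell: |
    if [ "`echo $PATH | /bin/grep :: `" != "" ]; then
      echo "Empty Directory in PATH (::)"
    fi
    if [ "`echo $PATH | /bin/grep :$`" != "" ]; then
      echo "Trailing : in PATH"
    fi
    p=`echo $PATH | /bin/sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g'`
    set -- $p
    while [ "$1" != "" ]; do
      if [ "$1" = "." ]; then
        echo "PATH contains ."
        shift
        continue
      fi
      if [ -d $1 ]; then
        dirperm=`/bin/ls -ldH $1 | /bin/cut -f1 -d" "`
        if [ `echo $dirperm | /bin/cut -c6 ` != "-" ]; then
          echo "Group Write permission set on directory $1"
        fi
        if [ `echo $dirperm | /bin/cut -c9 ` != "-" ]; then
          echo "Other Write permission set on directory $1"
        fi
        dirown=`ls -ldH $1 | awk '{print $3}'`
        if [ "$dirown" != "root" ] ; then
          echo $1 is not owned by root
        fi
      else
        echo $1 is not a directory
      fi
      shift
    done
  register: result9_2_6
  changed_when: "result9_2_6.stdout"
  failed_when: "result9_2_6.stdout"
  tags:
    - scored
    - section9.2
    - section9.2.6

- name: 9.2.7 Check Permissions on User Home Directories (Scored)
  # Home directories of accounts with a login shell, excluding the usual
  # system accounts. /etc/passwd has only seven fields, so the selection
  # relies on the shell field ($7) alone.
  shell: |
    for dir in `/bin/cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' |\
      /bin/awk -F: '($7 != "/sbin/nologin") { print $6 }'`; do
      dirperm=`/bin/ls -ld $dir | /bin/cut -f1 -d" "`
      if [ `echo $dirperm | /bin/cut -c6 ` != "-" ]; then
        echo "Group Write permission set on directory $dir"
      fi
      if [ `echo $dirperm | /bin/cut -c8 ` != "-" ]; then
        echo "Other Read permission set on directory $dir"
      fi
      if [ `echo $dirperm | /bin/cut -c9 ` != "-" ]; then
        echo "Other Write permission set on directory $dir"
      fi
      if [ `echo $dirperm | /bin/cut -c10 ` != "-" ]; then
        echo "Other Execute permission set on directory $dir"
      fi
    done
  register: result9_2_7
  changed_when: "result9_2_7.stdout"
  failed_when: "result9_2_7.stdout"
  tags:
    - scored
    - section9.2
    - section9.2.7

- name: 9.2.8 Check User Dot File Permissions (Scored)
  # Regular (non-symlink) dot files in each home directory must not be
  # group- or other-writable; columns 6 and 9 of "ls -l" are those bits.
  shell: |
    for dir in `/bin/cat /etc/passwd | /bin/egrep -v '(root|sync|halt|shutdown)' |
      /bin/awk -F: '($7 != "/sbin/nologin") { print $6 }'`; do
      for file in $dir/.[A-Za-z0-9]*; do
        if [ ! -h "$file" -a -f "$file" ]; then
          fileperm=`/bin/ls -ld $file | /bin/cut -f1 -d" "`
          if [ `echo $fileperm | /bin/cut -c6 ` != "-" ]; then
            echo "Group Write permission set on file $file"
          fi
          if [ `echo $fileperm | /bin/cut -c9 ` != "-" ]; then
            echo "Other Write permission set on file $file"
          fi
        fi
      done
    done
  register: result9_2_8
  changed_when: "result9_2_8.stdout"
  failed_when: "result9_2_8.stdout"
  tags:
    - scored
    - section9.2
    - section9.2.8

- name: 9.2.9 Check Permissions on User .netrc Files (Scored)
  # .netrc may hold plaintext credentials, so every group and other bit
  # (columns 5-10 of "ls -l") is reported.
  shell: |
    for dir in `/bin/cat /etc/passwd | /bin/egrep -v '(root|sync|halt|shutdown)' |\
      /bin/awk -F: '($7 != "/sbin/nologin") { print $6 }'`; do
      for file in $dir/.netrc; do
        if [ ! -h "$file" -a -f "$file" ]; then
          fileperm=`/bin/ls -ld $file | /bin/cut -f1 -d" "`
          if [ `echo $fileperm | /bin/cut -c5 ` != "-" ]
          then
            echo "Group Read set on $file"
          fi
          if [ `echo $fileperm | /bin/cut -c6 ` != "-" ]
          then
            echo "Group Write set on $file"
          fi
          if [ `echo $fileperm | /bin/cut -c7 ` != "-" ]
          then
            echo "Group Execute set on $file"
          fi
          if [ `echo $fileperm | /bin/cut -c8 ` != "-" ]
          then
            echo "Other Read set on $file"
          fi
          if [ `echo $fileperm | /bin/cut -c9 ` != "-" ]
          then
            echo "Other Write set on $file"
          fi
          if [ `echo $fileperm | /bin/cut -c10 ` != "-" ]
          then
            echo "Other Execute set on $file"
          fi
        fi
      done
    done
  register: result9_2_9
  changed_when: "result9_2_9.stdout"
  failed_when: "result9_2_9.stdout"
  tags:
    - scored
    - section9.2
    - section9.2.9

- name: 9.2.10 Check for Presence of User .rhosts Files (Scored)
  shell: |
    for dir in `/bin/cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' |\
      /bin/awk -F: '($7 != "/sbin/nologin") { print $6 }'`; do
      for file in $dir/.rhosts; do
        if [ ! -h "$file" -a -f "$file" ]; then
          echo ".rhosts file in $dir"
        fi
      done
    done
  register: result9_2_10
  changed_when: "result9_2_10.stdout"
  failed_when: "result9_2_10.stdout"
  tags:
    - scored
    - section9.2
    - section9.2.10

- name: 9.2.11 Check Groups in /etc/passwd (Scored)
  # Every primary GID referenced in /etc/passwd must exist in /etc/group.
  shell: |
    for i in $(cut -s -d: -f4 /etc/passwd | sort -u ); do
      grep -q -P "^.*?:x:$i:" /etc/group
      if [ $? -ne 0 ]; then
        echo "Group $i is referenced by /etc/passwd but does not exist in /etc/group"
      fi
    done
  register: result9_2_11
  changed_when: "result9_2_11.stdout"
  failed_when: "result9_2_11.stdout"
  tags:
    - scored
    - section9.2
    - section9.2.11

# 9.2.12 / 9.2.13: regular users are those at or above UID_MIN from
# /etc/login.defs (1000 on RHEL 7, 500 on RHEL 6); 1000 is used if the
# setting is absent. nfsnobody is skipped because it has no home directory
# by design.
- name: 9.2.12 Check That Users Are Assigned Valid Home Directories (Scored)
  shell: |
    uid_min=$(awk '$1 == "UID_MIN" { print $2 }' /etc/login.defs)
    uid_min=${uid_min:-1000}
    awk -F: '{ print $1 " " $3 " " $6 }' /etc/passwd | while read user uid dir; do
      if [ $uid -ge $uid_min -a ! -d "$dir" -a $user != "nfsnobody" ]; then
        echo "The home directory ($dir) of user $user does not exist."
      fi
    done
  register: result9_2_12
  failed_when: "result9_2_12.stdout"
  changed_when: "result9_2_12.stdout"
  always_run: yes
  tags:
    - scored
    - section9.2
    - section9.2.12

- name: 9.2.13 Check User Home Directory Ownership (Scored)
  shell: |
    uid_min=$(awk '$1 == "UID_MIN" { print $2 }' /etc/login.defs)
    uid_min=${uid_min:-1000}
    awk -F: '{ print $1 " " $3 " " $6 }' /etc/passwd | while read user uid dir; do
      if [ $uid -ge $uid_min -a -d "$dir" -a $user != "nfsnobody" ]; then
        owner=$(stat -L -c "%U" "$dir")
        if [ "$owner" != "$user" ]; then
          echo "The home directory ($dir) of user $user is owned by $owner."
        fi
      fi
    done
  register: result9_2_13
  failed_when: "result9_2_13.stdout"
  changed_when: "result9_2_13.stdout"
  always_run: yes
  tags:
    - scored
    - section9.2
    - section9.2.13

# 9.2.14 / 9.2.15: list the account (or group) names behind any UID (GID)
# that occurs more than once.
- name: 9.2.14 Check for Duplicate UIDs (Scored)
  shell: for dupeID in $(cut -f3 -d":" /etc/passwd | sort | uniq -c | sort -n | awk ' $1 > 1 {print $2}'); do awk -F':' -v dupeid=$dupeID '$3 == dupeid {print $1}' /etc/passwd ; done
  register: result9_2_14
  changed_when: "result9_2_14.stdout"
  always_run: yes
  tags:
    - scored
    - check-only
    - section9.2
    - section9.2.14

- name: 9.2.15 Check for Duplicate GIDs (Scored)
  shell: for dupeID in $(cut -f3 -d":" /etc/group | sort | uniq -c | sort -n | awk ' $1 > 1 {print $2}'); do awk -F':' -v dupeid=$dupeID '$3 == dupeid {print $1}' /etc/group ; done
  register: result9_2_15
  changed_when: "result9_2_15.stdout"
  always_run: yes
  tags:
    - scored
    - check-only
    - section9.2
    - section9.2.15

- name: 9.2.16 Check That Reserved UIDs Are Assigned to System Accounts (Scored)
  # Reserved UIDs are those below UID_MIN from /etc/login.defs (500 on
  # RHEL 6, 1000 on RHEL 7); 500 is used if the setting is absent. Any
  # account in that range that is not in the benchmark's list of known
  # system accounts is reported.
  shell: |
    uid_min=$(awk '$1 == "UID_MIN" { print $2 }' /etc/login.defs)
    uid_min=${uid_min:-500}
    defUsers="root bin daemon adm lp sync shutdown halt mail news uucp operator games
    gopher ftp nobody nscd vcsa rpc mailnull smmsp pcap ntp dbus avahi sshd rpcuser
    nfsnobody haldaemon avahi-autoipd distcache apache oprofile webalizer dovecot squid
    named xfs gdm sabayon usbmuxd rtkit abrt saslauth pulse postfix tcpdump tss"
    /bin/awk -F: -v min="$uid_min" '($3 < min) { print $1" "$3 }' /etc/passwd |\
    while read user uid; do
      found=0
      for tUser in ${defUsers}; do
        if [ ${user} = ${tUser} ]; then
          found=1
        fi
      done
      if [ $found -eq 0 ]; then
        echo "User $user has a reserved UID ($uid)."
      fi
    done
  register: result9_2_16
  failed_when: "result9_2_16.stdout"
  changed_when: "result9_2_16.stdout"
  always_run: yes
  tags:
    - scored
    - section9.2
    - section9.2.16

- name: 9.2.17 Check for Duplicate User Names (Scored)
  shell: cut -f1 -d':' /etc/passwd | sort | uniq -c | sort -n | awk ' $1 > 1 {print $2}'
  register: result9_2_17
  changed_when: "result9_2_17.stdout"
  always_run: yes
  tags:
    - scored
    - check-only
    - section9.2
    - section9.2.17

- name: 9.2.18 Check for Duplicate Group Names (Scored)
  shell: cut -f1 -d':' /etc/group | sort | uniq -c | sort -n | awk ' $1 > 1 {print $2}'
  register: result9_2_18
  changed_when: "result9_2_18.stdout"
  always_run: yes
  tags:
    - scored
    - check-only
    - section9.2
    - section9.2.18

# 9.2.19 / 9.2.20: report home directories of accounts with a real shell
# that contain a non-empty .netrc / .forward. The tests use POSIX "[ ]" so
# the shell module's default /bin/sh need not be bash.
- name: 9.2.19 Check for Presence of User .netrc Files (Scored)
  shell: for h in $(/bin/awk -F':' '$7 !~ /\/sbin\/nologin/ && $7 !~ /\/bin\/false/ { print $6 }' /etc/passwd); do if [ -f "$h/.netrc" -a -s "$h/.netrc" ]; then echo $h; fi ; done
  register: result9_2_19
  changed_when: "result9_2_19.stdout"
  always_run: yes
  tags:
    - scored
    - check-only
    - section9.2
    - section9.2.19

- name: 9.2.20 Check for Presence of User .forward Files (Scored)
  shell: for h in $(/bin/awk -F':' '$7 !~ /\/sbin\/nologin/ && $7 !~ /\/bin\/false/ { print $6 }' /etc/passwd); do if [ -f "$h/.forward" -a -s "$h/.forward" ]; then echo $h; fi ; done
  register: result9_2_20
  changed_when: "result9_2_20.stdout"
  always_run: yes
  tags:
    - scored
    - check-only
    - section9.2
    - section9.2.20

# - debug: var=result9_2_19.stdout
#   tags:
#     - section9.2.19

--------------------------------------------------------------------------------
/roles/cis/tasks/section_09_level2.yml: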
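--------------------------------------------------------------------------------
---
#
# Copyright 2014 Major Hayden
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

- name: 9.1.1 Verify system file permissions (Not Scored)
  # Informational only: no automated check is performed here, the operator is
  # pointed at cron/manual review/AIDE.
  debug: msg="Check via cron/manually/AIDE."
  tags:
    - notscored
    - section9.1
    - section9.1.1
--------------------------------------------------------------------------------
/roles/cis/vars/main.yml:
--------------------------------------------------------------------------------
---
# Drop-in files under /etc/modprobe.d for the unused-filesystem and
# uncommon-network-protocol blacklists; presumably written by tasks in this
# role -- verify against tasks/.
modprobe_unused_modules: /etc/modprobe.d/CIS_unused_modules.conf
modprobe_cis_conf: /etc/modprobe.d/CIS_uncommon_network_protocols.conf
# Values named after auditd.conf directives (space_left_action,
# action_mail_acct, admin_space_left_action, max_log_file_action); presumably
# rendered into the audit configuration by this role -- verify against tasks/.
# Per auditd semantics, admin_space_left_action "halt" stops the host once the
# administrative low-space threshold is hit: availability is traded for audit
# integrity, so review before applying to production hosts.
space_left_action: email
action_mail_acct: root
admin_space_left_action: halt
max_log_file_action: keep_logs
# Mount points taken from the gathered ansible_mounts facts, keeping only
# entries whose 'mount' attribute is non-empty.
mountpoints: "{{ ansible_mounts | selectattr('mount')| map(attribute='mount') | list }}"
--------------------------------------------------------------------------------
/tests/hosts:
--------------------------------------------------------------------------------
[travis]
--------------------------------------------------------------------------------
/tests/test.yml:
--------------------------------------------------------------------------------
---
# Applies the cis role to the local host over a local connection; facts are
# gathered because vars/main.yml derives mountpoints from ansible_mounts.
- hosts: localhost
  connection: local
  gather_facts: True
  roles:
    - cis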
--------------------------------------------------------------------------------