Initial import of existing role

2022-07-02 11:03:13 +01:00
commit 87dee9b3fa
11 changed files with 226 additions and 0 deletions


@@ -0,0 +1,46 @@
# CIS CentOS 8 Benchmark v1.0.0
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k logins
-w /var/log/btmp -p wa -k logins
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k timechange
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
-w /etc/selinux/ -p wa -k MAC-policy
-w /usr/share/selinux/ -p wa -k MAC-policy
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
# -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
# -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
# -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
# -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
# -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-w /var/log/sudo.log -p wa -k actions
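Review bot: The b32 time rule at L20 tags events with `-k timechange` while the other four time rules use `time-change`, so a search for the `time-change` key silently misses 32-bit adjtimex/settimeofday/stime events; the line should read `-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change`. L32–L36 write the unset-auid filter as `auid!=-1` while the rest of the file uses `auid!=4294967295`; both spellings appear to be accepted by auditctl, but one form (or `auid!=unset`) throughout would make the file easier to audit. L37–L41 comment out the b32 setxattr rule and all four unsuccessful-file-access rules with no explanation, which reads as an accidental deviation from the benchmark named in the header; each disabled group needs a comment such as `# Disabled: <reason, e.g. log volume>; deviation from benchmark recorded in <ticket placeholder>`. Neither rules file on this page sets `-e 2`; if immutability is handled elsewhere a comment here should say where. (The file name is not shown on this page; tasks/auditd.yaml copies it as auditd/cis-hardening.rules.)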


@@ -0,0 +1,21 @@
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/write -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/mount.nfs -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
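Review bot: This privileged-command list is a static snapshot with no header saying how it was produced, whereas the benchmark derives the list from a per-host scan for setuid/setgid binaries, so hosts with a different package set (for instance without postfix, for the postdrop/postqueue paths at L72–L73, or with additional setuid binaries) diverge silently. Add a header in the style of the main ruleset's L11, e.g. `# CIS CentOS 8 Benchmark v1.0.0 - privileged commands; generated from a setuid/setgid scan of <image placeholder> on <date placeholder>; regenerate after package changes`. (The file name is not shown on this page; tasks/auditd.yaml copies it as auditd/privileged.rules.)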

5
handlers/main.yaml Normal file

@@ -0,0 +1,5 @@
---
- name: restart sshd
service:
name: sshd
state: restarted

20
tasks/aide.yaml Normal file

@@ -0,0 +1,20 @@
---
- name: Install AIDE
dnf:
name: aide
state: installed
- name: Init AIDE if database is missing
shell: aide --init && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
args:
creates: /var/lib/aide/aide.db.gz
- name: Install AIDE crontab
copy:
dest: /etc/cron.d/aide
owner: root
group: root
mode: "0600"
content: |
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
0 5 * * * root /usr/sbin/aide --check
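Review bot: The init task at L103–L106 takes the AIDE baseline exactly once and nothing in the role refreshes it, so after any later change the role itself makes to watched files (sshd_config, sysctl.d, cron.d, sudoers.d) the 05:00 `aide --check` at L117 will keep reporting the role's own modifications until someone runs `aide --update` by hand; the task should carry a comment such as `# Baseline is taken once; run 'aide --update' and install aide.db.new.gz after intended changes`. The check's findings go only to local root mail via `MAILTO=root` (L116), which presumably is discarded on hosts without an MTA — worth stating in the content block or documenting the expected delivery path. Minor: `state: installed` at L102 is an alias of `present`, which is the documented form.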

15
tasks/auditd.yaml Normal file

@@ -0,0 +1,15 @@
---
- name: Copy main CIS benchmark ruleset
copy:
src: auditd/cis-hardening.rules
dest: /etc/audit/rules.d/cis-hardening.rules
owner: root
group: root
mode: "0600"
- name: Copy privileged commands ruleset
copy:
src: auditd/privileged.rules
dest: /etc/audit/rules.d/privileged.rules
owner: root
group: root
mode: "0600"
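Review bot: Both copy tasks write into /etc/audit/rules.d but neither notifies a handler, so the new rules are not loaded until the next reboot — and auditd's systemd unit refuses a plain service restart, so the existing `restart sshd`-style handler pattern would not help. Add `notify: reload auditd` to each task and a handler in handlers/main.yaml that runs `augenrules --load`; its comment should note that once `-e 2` is in effect the load is refused and a reboot is required. Nothing here ensures the `audit` package is installed and auditd enabled before the rules are copied; if that is assumed of the base image, a comment at the top of the file should say so.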

41
tasks/file_security.yaml Normal file

@@ -0,0 +1,41 @@
---
- name: Change grub file modes # noqa: ignore-errors
file:
path: "{{ item }}"
owner: root
group: root
mode: "0600"
ignore_errors: true
loop:
- /boot/grub2/grub.cfg
- /boot/grub2/grubenv
- name: Change MOTD files security
file:
path: "{{ item }}"
owner: root
group: root
mode: "0644"
loop:
- /etc/motd
- /etc/issue
- /etc/issue.net
- name: Set cron file security
file:
path: "{{ item }}"
owner: root
group: root
mode: "0600"
loop:
- /etc/crontab
- name: Set cron.* directory security
file:
path: "{{ item }}"
owner: root
group: root
mode: "0700"
loop:
- /etc/cron.hourly
- /etc/cron.daily
- /etc/cron.weekly
- /etc/cron.monthly
- /etc/cron.d
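Review bot: `ignore_errors: true` at L152 (with the lint suppression at L146) masks every failure of the grub task, not only the missing-file case it is presumably there for (hosts whose grub files live elsewhere), so a genuine ownership or mode failure on grub.cfg is reported as success. Gate the task on a `stat` result instead and drop the suppression, as below. The other three tasks use the same pattern without the guard and will fail if any listed path is absent, which is the right behaviour but deserves a one-line comment stating that the files are expected to exist.
```yaml
- name: Check which grub files exist
  stat:
    path: "{{ item }}"
  loop:
    - /boot/grub2/grub.cfg
    - /boot/grub2/grubenv
  register: grub_files
- name: Change grub file modes
  file:
    path: "{{ item.item }}"
    owner: root
    group: root
    mode: "0600"
  loop: "{{ grub_files.results }}"
  loop_control:
    label: "{{ item.item }}"
  when: item.stat.exists
# … unchanged: MOTD, crontab and cron.* tasks …
```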

8
tasks/limits.yaml Normal file

@@ -0,0 +1,8 @@
---
- name: Add core limits
pam_limits:
dest: /etc/security/limits.d/core.conf
domain: "*"
limit_type: hard
limit_item: core
value: "0"
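Review bot: The task sets only the hard core limit; the other half of the control, `fs.suid_dumpable = 0`, lives in tasks/sysctl.yaml, and as far as I recall the benchmark also covers systemd-coredump (`Storage=none`, `ProcessSizeMax=0` in /etc/systemd/coredump.conf) on hosts where it is installed — neither relationship is visible from this file. A comment above the task such as `# Core-dump restriction; pairs with fs.suid_dumpable in sysctl.yaml; coredump.conf is not handled here` would make the coverage explicit.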

8
tasks/main.yaml Normal file

@@ -0,0 +1,8 @@
---
- include: auditd.yaml
- include: limits.yaml
- include: sudo.yaml
- include: file_security.yaml
- include: ssh.yaml
- include: sysctl.yaml
- include: aide.yaml
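Review bot: `include:` at L207–L213 is the deprecated bare task include (deprecated since Ansible 2.4 and removed from later ansible-core releases); use the explicit form, e.g. `- import_tasks: auditd.yaml`, for each entry. The order is load-bearing — aide.yaml runs last so the AIDE baseline captures the hardened state — and that should be recorded above the list: `# Keep aide.yaml last: the AIDE baseline must be taken after all other changes`.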

22
tasks/ssh.yaml Normal file

@@ -0,0 +1,22 @@
---
- name: Set sshd_config file security
file:
path: /etc/ssh/sshd_config
owner: root
group: root
mode: "0600"
- name: Set SSHD configuration values
lineinfile:
path: /etc/ssh/sshd_config
regexp: "^{{ item.key }}"
line: "{{ item.key }} {{ item.value }}"
notify: restart sshd
loop:
- { key: "X11Forwarding", value: "no" }
- { key: "MaxAuthTries", value: "4" }
- { key: "PermitRootLogin", value: "no" }
- { key: "PasswordAuthentication", value: "no" }
- { key: "PermitEmptyPasswords", value: "no" }
- { key: "PermitUserEnvironment", value: "no" }
- { key: "AllowTcpForwarding", value: "yes" }
- { key: "StreamLocalBindUnlink", value: "yes" }
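Review bot: The lineinfile task at L227–L241 has no `validate`, so a bad value — or a directive appended after a `Match` block, where it applies only to that block or makes sshd refuse to start — is discovered only when the `restart sshd` handler fires, and with `PasswordAuthentication no` that can be a lockout. Add `validate: /usr/sbin/sshd -t -f %s`, anchor the regexp on following whitespace (`^PermitRootLogin` otherwise also matches longer keywords) and insert new lines before the first `Match`, as below. `AllowTcpForwarding yes` at L240 appears to be the opposite of the benchmark's setting and `StreamLocalBindUnlink` is not a benchmark item, so both loop entries need a comment recording the deliberate deviation and its reason; several benchmark directives (for example `ClientAliveInterval`, `MaxSessions`, `LogLevel`, `Banner`) are absent, presumably handled elsewhere, which a comment should also say.
```yaml
- name: Set SSHD configuration values
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^{{ item.key }}\s'
    line: "{{ item.key }} {{ item.value }}"
    insertbefore: '^Match\s'
    firstmatch: true
    validate: /usr/sbin/sshd -t -f %s
  notify: restart sshd
  # … unchanged: loop of key/value pairs …
```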

9
tasks/sudo.yaml Normal file

@@ -0,0 +1,9 @@
---
- name: Ensure sudo access is logged
copy:
dest: /etc/sudoers.d/logfile.conf
owner: root
group: root
mode: "0644"
content: |
Defaults logfile="/var/log/sudo.log"
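Review bot: sudo skips files in /etc/sudoers.d whose names contain a `.` (or end in `~`), so `/etc/sudoers.d/logfile.conf` at L251 is never read and the logfile setting — and with it the `/var/log/sudo.log` watch in the audit ruleset at L55 — is silently inactive; rename it, `dest: /etc/sudoers.d/logfile`. Because a syntax error in a sudoers.d fragment disables sudo for every user, the copy task should also carry `validate: /usr/sbin/visudo -cf %s`. Sudoers fragments are conventionally mode 0440 rather than the 0644 at L254; sudo only refuses world-writable files, so this is hygiene rather than breakage.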

31
tasks/sysctl.yaml Normal file

@@ -0,0 +1,31 @@
---
- name: Add disable sysctl values
sysctl:
name: "{{ item }}"
value: "0"
state: present
sysctl_file: /etc/sysctl.d/00-cis-rules
loop:
- net.ipv4.conf.all.accept_redirects
- net.ipv4.conf.default.accept_redirects
- net.ipv6.conf.all.accept_redirects
- net.ipv6.conf.default.accept_redirects
- net.ipv4.conf.all.secure_redirects
- net.ipv4.conf.default.secure_redirects
- net.ipv4.conf.all.send_redirects
- net.ipv4.conf.default.send_redirects
- net.ipv4.conf.all.accept_source_route
- net.ipv4.conf.default.accept_source_route
- net.ipv6.conf.all.accept_source_route
- net.ipv6.conf.default.accept_source_route
- fs.suid_dumpable
- name: Add enable sysctl values
sysctl:
name: "{{ item }}"
value: "1"
state: present
sysctl_file: /etc/sysctl.d/00-cis-rules
loop:
- net.ipv4.conf.all.log_martians
- net.ipv4.conf.default.log_martians
- net.ipv4.conf.default.rp_filter
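Review bot: `sysctl_file: /etc/sysctl.d/00-cis-rules` (L269, L289) has no `.conf` suffix, and sysctl.d only reads `*.conf`, so the module applies these values at run time (its default reload of that file) but they are silently lost at the next boot; rename it to something like `sysctl_file: /etc/sysctl.d/99-cis-hardening.conf`, choosing a prefix that sorts after any other file that may set the same keys, since later files win. The enable loop sets `net.ipv4.conf.default.rp_filter` at L293 but not `net.ipv4.conf.all.rp_filter`, unlike every other all/default pair in the file; add the `all` key. If full benchmark coverage is intended, several items (`net.ipv4.ip_forward`, `net.ipv4.tcp_syncookies`, `net.ipv4.icmp_echo_ignore_broadcasts`, `net.ipv6.conf.*.accept_ra`, `kernel.randomize_va_space`) are absent, presumably deliberately — a comment at the top of the file should say so either way.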