From 87dee9b3fa7c8ff9deab4b8e45519d9ba2cd09bb Mon Sep 17 00:00:00 2001
From: Andrew Williams
Date: Sat, 2 Jul 2022 11:03:13 +0100
Subject: [PATCH] Initial import of existing role

---
 files/auditd/cis-hardening.rules | 46 ++++++++++++++++++++++++++++++++
 files/auditd/privileged.rules | 21 +++++++++++++++
 handlers/main.yaml | 5 ++++
 tasks/aide.yaml | 20 ++++++++++++++
 tasks/auditd.yaml | 15 +++++++++++
 tasks/file_security.yaml | 41 ++++++++++++++++++++++++++++
 tasks/limits.yaml | 8 ++++++
 tasks/main.yaml | 8 ++++++
 tasks/ssh.yaml | 22 +++++++++++++++
 tasks/sudo.yaml | 9 +++++++
 tasks/sysctl.yaml | 31 +++++++++++++++++++++
 11 files changed, 226 insertions(+)
 create mode 100644 files/auditd/cis-hardening.rules
 create mode 100644 files/auditd/privileged.rules
 create mode 100644 handlers/main.yaml
 create mode 100644 tasks/aide.yaml
 create mode 100644 tasks/auditd.yaml
 create mode 100644 tasks/file_security.yaml
 create mode 100644 tasks/limits.yaml
 create mode 100644 tasks/main.yaml
 create mode 100644 tasks/ssh.yaml
 create mode 100644 tasks/sudo.yaml
 create mode 100644 tasks/sysctl.yaml

diff --git a/files/auditd/cis-hardening.rules b/files/auditd/cis-hardening.rules
new file mode 100644
index 0000000..9a33461
--- /dev/null
+++ b/files/auditd/cis-hardening.rules
@@ -0,0 +1,46 @@
+# CIS CentOS 8 Benchmark v1.0.0
+
+-w /etc/sudoers -p wa -k scope
+-w /etc/sudoers.d/ -p wa -k scope
+-w /var/log/faillog -p wa -k logins
+-w /var/log/lastlog -p wa -k logins
+-w /var/run/utmp -p wa -k session
+-w /var/log/wtmp -p wa -k logins
+-w /var/log/btmp -p wa -k logins
+-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
+-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k timechange
+-a always,exit -F arch=b64 -S clock_settime -k time-change
+-a always,exit -F arch=b32 -S clock_settime -k time-change
+-w /etc/localtime -p wa -k time-change
+-w /etc/selinux/ -p wa -k MAC-policy
+-w /usr/share/selinux/ -p wa -k MAC-policy
+-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
+-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
+-w /etc/issue -p wa -k system-locale
+-w /etc/issue.net -p wa -k system-locale
+-w /etc/hosts -p wa -k system-locale
+-w /etc/sysconfig/network -p wa -k system-locale
+-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=-1 -k perm_mod
+-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=-1 -k perm_mod
+-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=-1 -k perm_mod
+-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=-1 -k perm_mod
+-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
+# -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
+# -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
+# -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
+# -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
+# -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
+-w /etc/group -p wa -k identity
+-w /etc/passwd -p wa -k identity
+-w /etc/gshadow -p wa -k identity
+-w /etc/shadow -p wa -k identity
+-w /etc/security/opasswd -p wa -k identity
+-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
+-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
+-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
+-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
+-w /sbin/insmod -p x -k modules
+-w /sbin/rmmod -p x -k modules
+-w /sbin/modprobe -p x -k modules
+-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
+-w /var/log/sudo.log -p wa -k actions
diff --git a/files/auditd/privileged.rules b/files/auditd/privileged.rules
new file mode 100644
index 0000000..0d01c94
--- /dev/null
+++ b/files/auditd/privileged.rules
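Review bot: The 32-bit adjtimex rule uses `-k timechange` while every other time rule in the hunk uses `-k time-change`, so `ausearch -k time-change` silently misses 32-bit adjtimex/settimeofday/stime events; change that line to `-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change`. The kernel-module rule lists only init_module and delete_module, but on current kernels modprobe normally loads modules via finit_module(2), so the load itself goes unrecorded (the `-w /sbin/modprobe -p x` watch only captures the invocation); add `-S finit_module` to that line. The four "unsuccessful unauthorized file access" rules (EACCES/EPERM on creat/open/openat/truncate/ftruncate) are committed commented out, which drops that CIS control; if this is a deliberate noise trade-off, say so in a comment above them rather than leaving it looking accidental. Minor style point: the file mixes `auid!=-1` and `auid!=4294967295` for the same unset-loginuid test — pick one form.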
@@ -0,0 +1,21 @@
+-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/write -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/mount.nfs -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
diff --git a/handlers/main.yaml b/handlers/main.yaml
new file mode 100644
index 0000000..6207454
--- /dev/null
+++ b/handlers/main.yaml
@@ -0,0 +1,5 @@
+---
+- name: restart sshd
+  service:
+    name: sshd
+    state: restarted
diff --git a/tasks/aide.yaml b/tasks/aide.yaml
new file mode 100644
index 0000000..ec93516
--- /dev/null
+++ b/tasks/aide.yaml
@@ -0,0 +1,20 @@
+---
+- name: Install AIDE
+  dnf:
+    name: aide
+    state: installed
+- name: Init AIDE if database is missing
+  shell: aide --init && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
+  args:
+    creates: /var/lib/aide/aide.db.gz
+- name: Install AIDE crontab
+  copy:
+    dest: /etc/cron.d/aide
+    owner: root
+    group: root
+    mode: "0600"
+    content: |
+      SHELL=/bin/bash
+      PATH=/sbin:/bin:/usr/sbin:/usr/bin
+      MAILTO=root
+      0 5 * * * root /usr/sbin/aide --check
diff --git a/tasks/auditd.yaml b/tasks/auditd.yaml
new file mode 100644
index 0000000..727eb6f
--- /dev/null
+++ b/tasks/auditd.yaml
@@ -0,0 +1,15 @@
+---
+- name: Copy main CIS benchmark ruleset
+  copy:
+    src: auditd/cis-hardening.rules
+    dest: /etc/audit/rules.d/cis-hardening.rules
+    owner: root
+    group: root
+    mode: "0600"
+- name: Copy privileged commands ruleset
+  copy:
+    src: auditd/privileged.rules
+    dest: /etc/audit/rules.d/privileged.rules
+    owner: root
+    group: root
+    mode: "0600"
diff --git a/tasks/file_security.yaml b/tasks/file_security.yaml
new file mode 100644
index 0000000..3693913
--- /dev/null
+++ b/tasks/file_security.yaml
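Review bot: This file is a static snapshot of setuid/setgid programs, whereas the CIS control it implements asks for the list to be derived from each host (`find / -xdev \( -perm -4000 -o -perm -2000 \) -type f`), so any privileged binary present on a target but absent here — chsh/chfn or at where those packages are installed, anything a later package adds — is never audited, and the role gives no indication of that drift. Consider generating this file from a `find` task at deploy time, or at minimum add a header comment such as `# Snapshot of setuid/setgid binaries on a stock CentOS 8 install; regenerate with: find / -xdev \( -perm -4000 -o -perm -2000 \) -type f` so readers know it is not host-specific. The list also names postfix and polkit helpers that are presumably not on every minimal host; harmless if auditctl tolerates them, but worth confirming on a target without postfix.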
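Review bot: The `creates:` guard means `aide --init` runs only when `/var/lib/aide/aide.db.gz` is absent, so the baseline is whatever state the host happens to be in on the first run and is never refreshed afterwards — fine for freshly built machines, but a host being retrofitted will have any pre-existing tampering baked into the baseline; a comment stating that assumption on the task would help. The database and the `aide` binary live on the same host, so a root-level intruder can simply `aide --update` to hide changes; consider a `fetch` of `/var/lib/aide/aide.db.gz` to the controller (or another off-host copy) after init and note the decision in the task. The nightly `aide --check` reaches anyone only via `MAILTO=root`, which presumes a working local MTA — worth stating explicitly in the cron task, e.g. `# results are only delivered by local mail; requires an MTA on the host`.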
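Review bot: Both copy tasks write into `/etc/audit/rules.d/` but neither notifies a handler to load the rules, so nothing in this hunk takes effect until the next reboot, and the hunk does not ensure the `audit` package is installed or the service enabled. Add `notify: reload auditd` to both tasks and a handler that runs `command: augenrules --load`; note that on RHEL/CentOS 8 `systemctl restart auditd` is refused (`RefuseManualStop=yes` in the unit), so a `service: name=auditd state=restarted` handler would fail — `augenrules --load` or `service auditd restart` is the supported path. If operationally acceptable, a trailing `99-finalize.rules` with `-e 2` (immutable rules) and a `-f` failure mode would complete the CIS auditd controls these watches are taken from.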
@@ -0,0 +1,41 @@
+---
+- name: Change grub file modes # noqa: ignore-errors
+  file:
+    path: "{{ item }}"
+    owner: root
+    group: root
+    mode: "0600"
+  ignore_errors: true
+  loop:
+    - /boot/grub2/grub.cfg
+    - /boot/grub2/grubenv
+- name: Change MOTD files security
+  file:
+    path: "{{ item }}"
+    owner: root
+    group: root
+    mode: "0644"
+  loop:
+    - /etc/motd
+    - /etc/issue
+    - /etc/issue.net
+- name: Set cron file security
+  file:
+    path: "{{ item }}"
+    owner: root
+    group: root
+    mode: "0600"
+  loop:
+    - /etc/crontab
+- name: Set cron.* directory security
+  file:
+    path: "{{ item }}"
+    owner: root
+    group: root
+    mode: "0700"
+  loop:
+    - /etc/cron.hourly
+    - /etc/cron.daily
+    - /etc/cron.weekly
+    - /etc/cron.monthly
+    - /etc/cron.d
diff --git a/tasks/limits.yaml b/tasks/limits.yaml
new file mode 100644
index 0000000..087c2e0
--- /dev/null
+++ b/tasks/limits.yaml
@@ -0,0 +1,8 @@
+---
+- name: Add core limits
+  pam_limits:
+    dest: /etc/security/limits.d/core.conf
+    domain: "*"
+    limit_type: hard
+    limit_item: core
+    value: "0"
diff --git a/tasks/main.yaml b/tasks/main.yaml
new file mode 100644
index 0000000..3d00e34
--- /dev/null
+++ b/tasks/main.yaml
@@ -0,0 +1,8 @@
+---
+- include: auditd.yaml
+- include: limits.yaml
+- include: sudo.yaml
+- include: file_security.yaml
+- include: ssh.yaml
+- include: sysctl.yaml
+- include: aide.yaml
diff --git a/tasks/ssh.yaml b/tasks/ssh.yaml
new file mode 100644
index 0000000..5befd15
--- /dev/null
+++ b/tasks/ssh.yaml
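Review bot: `ignore_errors: true` on the grub task hides every failure, not just "file missing", and on UEFI hosts (where grub.cfg lives under `/boot/efi/EFI/centos/`) neither listed path exists, so those hosts are silently left unhardened while the play reports success. Check existence first and only change what is present; that also lets you drop the `# noqa: ignore-errors` suppression. Note that on a vfat EFI system partition per-file modes cannot be set with chmod at all (they come from the `fmask`/`umask` mount options), so the EFI case needs a mount-option control rather than this task — presumably out of scope here, but worth a comment so nobody expects this task to cover it.
```yaml
- name: Check which grub files exist
  stat:
    path: "{{ item }}"
  loop:
    - /boot/grub2/grub.cfg
    - /boot/grub2/grubenv
  register: grub_files
- name: Change grub file modes
  file:
    path: "{{ item.stat.path }}"
    owner: root
    group: root
    mode: "0600"
  loop: "{{ grub_files.results }}"
  when: item.stat.exists
# … unchanged: MOTD, /etc/crontab and cron.* directory tasks …
```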
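Review bot: All seven lines use the bare `include:` action, which has been deprecated since Ansible 2.4 and, as far as I recall, is removed in recent ansible-core releases, so this role will stop loading on an upgraded controller. Replace each with `- import_tasks: auditd.yaml` (static, the behaviour `include` had here) or `include_tasks` if dynamic inclusion is wanted. The ordering is otherwise sensible — `aide.yaml` runs last, so the AIDE baseline captures the hardened state rather than the pre-hardening one; a one-line comment noting that intent would keep someone from reordering it.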
@@ -0,0 +1,22 @@
+---
+- name: Set sshd_config file security
+  file:
+    path: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: "0600"
+- name: Set SSHD configuration values
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^{{ item.key }}"
+    line: "{{ item.key }} {{ item.value }}"
+  notify: restart sshd
+  loop:
+    - { key: "X11Forwarding", value: "no" }
+    - { key: "MaxAuthTries", value: "4" }
+    - { key: "PermitRootLogin", value: "no" }
+    - { key: "PasswordAuthentication", value: "no" }
+    - { key: "PermitEmptyPasswords", value: "no" }
+    - { key: "PermitUserEnvironment", value: "no" }
+    - { key: "AllowTcpForwarding", value: "yes" }
+    - { key: "StreamLocalBindUnlink", value: "yes" }
diff --git a/tasks/sudo.yaml b/tasks/sudo.yaml
new file mode 100644
index 0000000..b44a40a
--- /dev/null
+++ b/tasks/sudo.yaml
@@ -0,0 +1,9 @@
+---
+- name: Ensure sudo access is logged
+  copy:
+    dest: /etc/sudoers.d/logfile.conf
+    owner: root
+    group: root
+    mode: "0644"
+    content: |
+      Defaults logfile="/var/log/sudo.log"
diff --git a/tasks/sysctl.yaml b/tasks/sysctl.yaml
new file mode 100644
index 0000000..11e7808
--- /dev/null
+++ b/tasks/sysctl.yaml
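Review bot: The regexp `^{{ item.key }}` does not match the stock commented form (`#PermitRootLogin yes`), so each directive is appended at the end of sshd_config; if the file ends with a `Match` block the appended line is scoped to that block (or rejected) instead of applying globally, and because the task notifies `restart sshd` without any syntax check, a rejected config locks you out of the host. Add `validate: "/usr/sbin/sshd -t -f %s"` to the lineinfile task, and either `insertbefore: "^Match"` with `firstmatch: true` or a regexp that also claims the commented line, `regexp: "^#?\\s*{{ item.key }}\\b"`. `AllowTcpForwarding yes` is the opposite of the CIS recommendation and lets any shell user pivot through this host — if it is intentional, say why in a comment next to it. `PasswordAuthentication no` with `PermitRootLogin no` is correct but presumes keys are already deployed for a non-root user; a comment stating that precondition would stop a future reader from "fixing" it.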
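Review bot: sudo skips files under `/etc/sudoers.d` whose names contain a `.` (the `#includedir` rule that keeps editor and package-manager temp files out), so `logfile.conf` is never read: `Defaults logfile` is never applied, `/var/log/sudo.log` is never written, and the `-w /var/log/sudo.log -p wa -k actions` audit rule in this same patch has nothing to watch. Rename the file, use the customary sudoers.d mode, and validate before install: `dest: /etc/sudoers.d/logfile`, `mode: "0440"`, `validate: "/usr/sbin/visudo -cf %s"`. A short comment on the task explaining the no-dot naming constraint would prevent the suffix from being reintroduced.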
@@ -0,0 +1,31 @@
+---
+- name: Add disable sysctl values
+  sysctl:
+    name: "{{ item }}"
+    value: "0"
+    state: present
+    sysctl_file: /etc/sysctl.d/00-cis-rules
+  loop:
+    - net.ipv4.conf.all.accept_redirects
+    - net.ipv4.conf.default.accept_redirects
+    - net.ipv6.conf.all.accept_redirects
+    - net.ipv6.conf.default.accept_redirects
+    - net.ipv4.conf.all.secure_redirects
+    - net.ipv4.conf.default.secure_redirects
+    - net.ipv4.conf.all.send_redirects
+    - net.ipv4.conf.default.send_redirects
+    - net.ipv4.conf.all.accept_source_route
+    - net.ipv4.conf.default.accept_source_route
+    - net.ipv6.conf.all.accept_source_route
+    - net.ipv6.conf.default.accept_source_route
+    - fs.suid_dumpable
+- name: Add enable sysctl values
+  sysctl:
+    name: "{{ item }}"
+    value: "1"
+    state: present
+    sysctl_file: /etc/sysctl.d/00-cis-rules
+  loop:
+    - net.ipv4.conf.all.log_martians
+    - net.ipv4.conf.default.log_martians
+    - net.ipv4.conf.default.rp_filter
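Review bot: `sysctl_file: /etc/sysctl.d/00-cis-rules` has no `.conf` suffix, and `sysctl --system` (what systemd-sysctl runs at boot) only reads `/etc/sysctl.d/*.conf`, so these values are applied once by the module's reload and are lost on the next reboot; use `sysctl_file: /etc/sysctl.d/00-cis-rules.conf` in both tasks. A `00-` prefix also means any later file (the distro's `99-sysctl.conf`, a package drop-in) overrides these keys because the last file wins, so a high prefix such as `99-cis-hardening.conf` is safer if these values are meant to be authoritative. `net.ipv4.conf.default.rp_filter` is set but `net.ipv4.conf.all.rp_filter` is not, so interfaces that already exist keep their current setting; add it to the enable list.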