diff --git a/files/auditd/privileged.rules b/files/auditd/privileged.rules
index 0d01c94..d34cd89 100644
--- a/files/auditd/privileged.rules
+++ b/files/auditd/privileged.rules
@@ -9,6 +9,9 @@
 -a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
 -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
 -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/fusermount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
 -a always,exit -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
 -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
 -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
@@ -16,6 +19,7 @@
 -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
 -a always,exit -F path=/usr/sbin/mount.nfs -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
 -a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/games/nethack/nethack -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
 -a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
 -a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
 -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
diff --git a/handlers/main.yaml b/handlers/main.yaml
index 6207454..f5a71f5 100644
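Review bot: The privileged-command list remains a hard-coded set of paths, so the added chfn/chsh/fusermount rules here (and the nethack rule in the second hunk) only cover the setuid/setgid binaries that happened to be present on the author's host; a host with a different package set will have privileged binaries that no rule watches. The CIS control behind this file expects the list to be generated per host from the actual setuid/setgid binaries (`find / -xdev \( -perm -4000 -o -perm -2000 \) -type f`), and likewise expects the `auid>=1000` threshold to follow that host's `UID_MIN` rather than a literal; consider templating this file from such a task, or at least add a header comment such as `# Generated from the setuid/setgid binaries of a default RHEL 8 install; regenerate when the package set changes`. The `/usr/games/nethack/nethack` entry also implies a game package is installed on the hardened image, which is presumably better removed than audited.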
--- a/handlers/main.yaml
+++ b/handlers/main.yaml
@@ -1,5 +1,23 @@
--- - name: restart sshd - service: + ansible.builtin.service: name: sshd state: restarted +- name: init aide + ansible.builtin.shell: aide --init; mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz + args: + creates: /var/lib/aide/aide.db.gz + async: 300 + poll: 0 +- name: remount proc + ansible.posix.mount: + path: /proc + state: remount +- name: restart journald + ansible.builtin.service: + name: systemd-journald + state: restarted +- name: restart rsyslog + ansible.builtin.service: + name: rsyslog + state: restarted
diff --git a/meta/main.yaml b/meta/main.yaml
new file mode 100644
index 0000000..c29a65e
--- /dev/null
+++ b/meta/main.yaml
@@ -0,0 +1,19 @@
+---
+allow_duplicates: false
+
+galaxy_info:
+ role_name: cis
+ author: Andrew Williams
+ description: Configures a RHEL systems to CIS specs
+ license: MIT
+
+ min_ansible_version: 2.4
+
+ platforms:
+ - name: RedHat
+ versions:
+ - 8
+
+ collections:
+ - ansible.posix
+ - community.general
diff --git a/tasks/aide.yaml b/tasks/aide.yaml
index ec93516..23cb51a 100644
--- a/tasks/aide.yaml
+++ b/tasks/aide.yaml
@@ -1,14 +1,11 @@
--- - name: Install AIDE - dnf: + ansible.builtin.package: name: aide state: installed -- name: Init AIDE if database is missing - shell: aide --init && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz - args: - creates: /var/lib/aide/aide.db.gz + notify: init aide - name: Install AIDE crontab - copy: + ansible.builtin.copy: dest: /etc/cron.d/aide owner: root group: root
@@ -17,4 +14,4 @@
SHELL=/bin/bash PATH=/sbin:/bin:/usr/sbin:/usr/bin MAILTO=root - 0 5 * * * root /usr/sbin/aide --check + 0 5 * * * root /usr/sbin/aide --update; mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
diff --git a/tasks/auditd.yaml b/tasks/auditd.yaml
index 727eb6f..3971b3b 100644
--- a/tasks/auditd.yaml
+++ b/tasks/auditd.yaml
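Review bot: The new `init aide` handler chains the two commands with `;`, so when `aide --init` exits non-zero after writing a partial `aide.db.new.gz` the `mv` still installs that partial file as the baseline; the task it replaces used `&&`, and that should be kept: `ansible.builtin.shell: aide --init && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz`. With `async: 300` and `poll: 0` the handler is fire-and-forget, so a failure (or the async wrapper killing a long-running init at the 300 s limit) is never reported back to the play and the role finishes green without a database. If run time is the concern, register the async job and check it with `ansible.builtin.async_status` at the end of the play, or raise `poll` so the failure surfaces.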
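Review bot: `min_ansible_version: 2.4` contradicts the rest of this commit, which switches every task to FQCN modules (`ansible.builtin.*`, `community.general.*`, `ansible.posix.*`) and declares `collections:` in this file; both need a collections-aware Ansible (2.9/2.10 or later, as far as I know), so a 2.4 controller could not resolve the modules. Set it to the version the role is actually tested with and quote it so a value such as 2.10 is not parsed as the float 2.1: `min_ansible_version: "2.10"`. The description also reads oddly; `Configures RHEL systems to CIS specs` drops the stray article.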
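Review bot: Replacing the `Init AIDE if database is missing` task with `notify: init aide` on the package install means the database is only ever initialised on the run that installs the package; on a host where aide is already present but `/var/lib/aide/aide.db.gz` is missing or was removed, nothing recreates it any more, whereas the removed task's `creates:` guard made that check on every play. Keep an idempotent check here, e.g. an `ansible.builtin.stat` on the database registered as `aide_db` followed by the init task `when: not aide_db.stat.exists`, either instead of or in addition to the notify. `state: installed` is a legacy alias; the new rsyslog task in this commit uses `state: present`, so use the same spelling here for consistency.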
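Review bot: Changing the nightly job from `aide --check` to `aide --update; mv aide.db.new.gz aide.db.gz` makes the integrity baseline re-base itself every morning with nobody reviewing the report, so any unauthorised modification of a monitored file becomes the accepted state within 24 hours and subsequent checks stay silent about it; that defeats the control this file exists to implement. Keep the scheduled line as `0 5 * * * root /usr/sbin/aide --check` (the report still reaches `MAILTO=root`) and run `--update` plus the database swap only as a deliberate step after a reviewed change, the way the handler already does for initialisation. If `--update` is kept anyway, at least chain the `mv` with `&&` so a failed update does not replace the database.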
@@ -1,13 +1,13 @@
--- - name: Copy main CIS benchmark ruleset - copy: + ansible.builtin.copy: src: auditd/cis-hardening.rules dest: /etc/audit/rules.d/cis-hardening.rules owner: root group: root mode: "0600" - name: Copy privileged commands ruleset - copy: + ansible.builtin.copy: src: auditd/privileged.rules dest: /etc/audit/rules.d/privileged.rules owner: root
diff --git a/tasks/cron.yaml b/tasks/cron.yaml
new file mode 100644
index 0000000..040d13c
--- /dev/null
+++ b/tasks/cron.yaml
@@ -0,0 +1,26 @@
+---
+- name: Enable crond
+ ansible.builtin.service:
+ name: crond
+ state: started
+ enabled: true
+- name: Set cron file security
+ ansible.builtin.file:
+ path: "{{ item }}"
+ owner: root
+ group: root
+ mode: "0600"
+ loop:
+ - /etc/crontab
+- name: Set cron.* directory security
+ ansible.builtin.file:
+ path: "{{ item }}"
+ owner: root
+ group: root
+ mode: "0700"
+ loop:
+ - /etc/cron.hourly
+ - /etc/cron.daily
+ - /etc/cron.weekly
+ - /etc/cron.monthly
+ - /etc/cron.d
diff --git a/tasks/file_security.yaml b/tasks/file_security.yaml
index 3693913..f7073ad 100644
--- a/tasks/file_security.yaml
+++ b/tasks/file_security.yaml
@@ -1,16 +1,22 @@
--- -- name: Change grub file modes # noqa: ignore-errors - file: +- name: Check if grub file exists + ansible.builtin.stat: path: "{{ item }}" - owner: root - group: root - mode: "0600" - ignore_errors: true + register: grub_results loop: - /boot/grub2/grub.cfg - /boot/grub2/grubenv + ignore_errors: true +- name: Change grub file modes + ansible.builtin.file: + path: "{{ item.item }}" + owner: root + group: root + mode: "0600" + loop: "{{ grub_results.results }}" + when: item.stat.exists - name: Change MOTD files security - file: + ansible.builtin.file: path: "{{ item }}" owner: root group: root
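Review bot: `Set cron file security` wraps a single path in a `loop:`, which adds indirection without benefit; `path: /etc/crontab` with no loop reads more directly, and the 0600/0700 split against the directory task stays clear. The cron section of the benchmark this file is named for also restricts who may schedule jobs (root-owned, 0600 `/etc/cron.allow` and `/etc/at.allow`, with the corresponding `.deny` files absent); that control is not covered here and belongs in this file if the role intends to be complete.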
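Review bot: `ignore_errors: true` on the new `Check if grub file exists` task is unnecessary and counter-productive: `ansible.builtin.stat` does not fail for a missing path, it returns `stat.exists: false`, which is exactly what the `when: item.stat.exists` guard below consumes, so the only errors the flag can hide are real ones such as an unreadable `/boot`; drop the line. The `# noqa: ignore-errors` marker that excused the old task was removed together with it, so nothing in the new shape needs the suppression. The follow-up loop over `grub_results.results` prints each full stat result; `loop_control: label: "{{ item.item }}"` keeps the output to the path.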
@@ -19,23 +25,3 @@
- /etc/motd - /etc/issue - /etc/issue.net -- name: Set cron file security - file: - path: "{{ item }}" - owner: root - group: root - mode: "0600" - loop: - - /etc/crontab -- name: Set cron.* directory security - file: - path: "{{ item }}" - owner: root - group: root - mode: "0700" - loop: - - /etc/cron.hourly - - /etc/cron.daily - - /etc/cron.weekly - - /etc/cron.monthly - - /etc/cron.d
diff --git a/tasks/journald.yaml b/tasks/journald.yaml
new file mode 100644
index 0000000..6c7dc7b
--- /dev/null
+++ b/tasks/journald.yaml
@@ -0,0 +1,31 @@
+---
+- name: Forward journald to syslog
+ community.general.ini_file:
+ path: /etc/systemd/journald.conf
+ section: Journal
+ option: ForwardToSyslog
+ value: "yes"
+ owner: root
+ group: root
+ mode: "0644"
+ notify: restart journald
+- name: Compress journald logs
+ community.general.ini_file:
+ path: /etc/systemd/journald.conf
+ section: Journal
+ option: Compress
+ value: "yes"
+ owner: root
+ group: root
+ mode: "0644"
+ notify: restart journald
+- name: Ensure logs are wrote to persistent disk
+ community.general.ini_file:
+ path: /etc/systemd/journald.conf
+ section: Journal
+ option: Storage
+ value: persistent
+ owner: root
+ group: root
+ mode: "0644"
+ notify: restart journald
diff --git a/tasks/limits.yaml b/tasks/limits.yaml
index 087c2e0..54e03c4 100644
--- a/tasks/limits.yaml
+++ b/tasks/limits.yaml
@@ -1,6 +1,6 @@
--- - name: Add core limits - pam_limits: + community.general.pam_limits: dest: /etc/security/limits.d/core.conf domain: "*" limit_type: hard
diff --git a/tasks/logindefs.yaml b/tasks/logindefs.yaml
new file mode 100644
index 0000000..ac63f2f
--- /dev/null
+++ b/tasks/logindefs.yaml
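Review bot: The three `community.general.ini_file` tasks in journald.yaml differ only in `option` and `value`, so one task looping over `{ option: ForwardToSyslog, value: "yes" }`, `{ option: Compress, value: "yes" }`, `{ option: Storage, value: persistent }` with `option: "{{ item.option }}"` / `value: "{{ item.value }}"` would say the same thing in a third of the lines and keep path, ownership and `notify` in one place. The third task's name has a grammar slip: `Ensure logs are wrote to persistent disk` should read `Ensure logs are written to persistent disk`. Since `Storage=persistent` moves the journal onto `/var`, this is also the natural place for a `SystemMaxUse` cap if the role wants to bound how much disk the journal may take.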
@@ -0,0 +1,20 @@
+---
+# Modify login.defs
+- name: Set Default umask for Users
+ ansible.builtin.lineinfile:
+ dest: "/etc/login.defs"
+ regexp: "UMASK"
+ line: "UMASK 077"
+ state: present
+- name: Set Home filemode
+ ansible.builtin.lineinfile:
+ dest: "/etc/login.defs"
+ regexp: "HOME_MODE"
+ line: "HOME_MODE 0701"
+ state: present
+- name: Disable user groups
+ ansible.builtin.lineinfile:
+ dest: "/etc/login.defs"
+ regexp: "USERGROUPS_ENAB"
+ line: "USERGROUPS_ENAB no"
+ state: present
diff --git a/tasks/main.yaml b/tasks/main.yaml
index 3d00e34..9faf318 100644
--- a/tasks/main.yaml
+++ b/tasks/main.yaml
@@ -1,8 +1,13 @@
 ---
 - include: auditd.yaml
 - include: limits.yaml
+- include: proc.yaml
 - include: sudo.yaml
 - include: file_security.yaml
+- include: cron.yaml
 - include: ssh.yaml
 - include: sysctl.yaml
+- include: logindefs.yaml
+- include: journald.yaml
+- include: rsyslog.yaml
 - include: aide.yaml
diff --git a/tasks/proc.yaml b/tasks/proc.yaml
new file mode 100644
index 0000000..63519c0
--- /dev/null
+++ b/tasks/proc.yaml
@@ -0,0 +1,10 @@
+---
+# Tighten down /proc
+- name: Hide other user's PIDs for non-root users
+ ansible.posix.mount:
+ src: proc
+ path: /proc
+ opts: defaults,hidepid=1,gid=986
+ state: present
+ fstype: proc
+ notify: remount proc
diff --git a/tasks/rsyslog.yaml b/tasks/rsyslog.yaml
new file mode 100644
index 0000000..c5b4675
--- /dev/null
+++ b/tasks/rsyslog.yaml
@@ -0,0 +1,18 @@
+---
+- name: Install rsyslog
+ ansible.builtin.package:
+ name: rsyslog
+ state: present
+- name: Set FileCreateMode for rsyslog
+ ansible.builtin.copy:
+ dest: /etc/rsyslog.d/00-filecreatemode.conf
+ owner: root
+ group: root
+ mode: "0644"
+ content: "$FileCreateMode 0640\n"
+ notify: restart rsyslog
+- name: Start rsyslog
+ ansible.builtin.service:
+ name: rsyslog
+ state: started
+ enabled: true
diff --git a/tasks/services.yaml b/tasks/services.yaml
new file mode 100644
index 0000000..8a953b6
--- /dev/null
+++ b/tasks/services.yaml
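Review bot: The `regexp` values in logindefs.yaml are unanchored (`"UMASK"`, `"HOME_MODE"`, `"USERGROUPS_ENAB"`) and `lineinfile` replaces the last line that matches, so on a login.defs whose commentary mentions one of these names after the directive itself (the stock file carries explanatory comments around `UMASK` and `HOME_MODE`) the task would overwrite a comment and leave the real setting in force while reporting changed; worth checking against a stock RHEL 8 file. Anchor each pattern to the directive at start of line, `regexp: '^\s*UMASK\s'`, `regexp: '^\s*HOME_MODE\s'`, `regexp: '^\s*USERGROUPS_ENAB\s'`; with `state: present` a file that has no such line still gets the setting appended. `dest:` is a legacy alias for `path:` and the ssh task in this commit uses `path:`, so use that spelling here as well.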
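Review bot: The new `tasks/services.yaml` added by this commit is never included from tasks/main.yaml, so the rpcbind disable it contains does not run; add `- include: services.yaml` alongside the other new entries. Separately, bare `include` has been deprecated in favour of `ansible.builtin.import_tasks` / `ansible.builtin.include_tasks` for several releases and, as I understand it, no longer exists in current ansible-core, which matters now that the commit otherwise moves the role to FQCNs; `- ansible.builtin.import_tasks: services.yaml` is the static equivalent for every line here.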
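Review bot: `opts: defaults,hidepid=1,gid=986` in proc.yaml hard-codes a dynamically allocated system GID, so on any host where 986 belongs to a different group that group is exempted from `hidepid` and can read every user's `/proc/<pid>`, while the group actually intended loses its exemption; resolve the GID on the target (e.g. an `ansible.builtin.getent` lookup of the intended group, fed into the opts via a variable) and record which group it is in the comment above the task. The task name also overstates what `hidepid=1` does: it blocks access to other users' `/proc/<pid>/` contents, but the PIDs remain listed, whereas `hidepid=2` is the level that hides them; either rename the task or use `hidepid=2` if that is the intent. Note `state: present` only writes fstab, so the effect depends entirely on the `remount proc` handler firing.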
@@ -0,0 +1,9 @@
+---
+- name: Disable services
+ ansible.builtin.service:
+ name: "{{ item }}"
+ state: stopped
+ enabled: false
+ loop:
+ - rpcbind.socket
+ - rpcbind.service
diff --git a/tasks/ssh.yaml b/tasks/ssh.yaml
index 5befd15..d29ffc8 100644
--- a/tasks/ssh.yaml
+++ b/tasks/ssh.yaml
@@ -1,12 +1,12 @@
--- - name: Set sshd_config file security - file: + ansible.builtin.file: path: /etc/ssh/sshd_config owner: root group: root mode: "0600" - name: Set SSHD configuration values - lineinfile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "^{{ item.key }}" line: "{{ item.key }} {{ item.value }}"
diff --git a/tasks/sudo.yaml b/tasks/sudo.yaml
index b44a40a..9d27128 100644
--- a/tasks/sudo.yaml
+++ b/tasks/sudo.yaml
@@ -1,6 +1,6 @@
--- - name: Ensure sudo access is logged - copy: + ansible.builtin.copy: dest: /etc/sudoers.d/logfile.conf owner: root group: root
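Review bot: `ansible.builtin.service` fails when the unit it is asked to stop is not installed, so on a host without rpcbind (the desired end state) this task errors out instead of reporting ok; gather `ansible.builtin.service_facts` first and skip units that are not present, or narrow the failure with `failed_when` to the specific "could not find" result. For systemd units the benchmark also expects the unit to be masked so that socket activation or a dependency cannot start it again; `ansible.builtin.systemd` with `masked: true` expresses that, and `ansible.builtin.service` has no equivalent option.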