Update to Dimension's version

This commit is contained in:
2022-07-02 11:08:11 +01:00
parent 87dee9b3fa
commit d71a4ace92
16 changed files with 184 additions and 41 deletions


@@ -9,6 +9,9 @@
-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/fusermount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -a always,exit -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
@@ -16,6 +19,7 @@
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/mount.nfs -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -a always,exit -F path=/usr/sbin/mount.nfs -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/games/nethack/nethack -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
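Review bot: The four added rules (chfn, chsh, fusermount, nethack) extend a hand-maintained list of setuid paths, and a `-F path=` rule for a binary that is not installed on a given host simply produces no events, so drift between this file and the packages actually present goes unnoticed. Consider generating the list from the setuid/setgid binaries found on the target at deploy time, and documenting at the top of the file how the list was derived. The `/usr/games/nethack/nethack` entry in particular looks environment-specific and deserves a comment saying why it is here. If the file is being modernised anyway, `-F auid!=unset` is the accepted, more readable spelling of `-F auid!=4294967295`.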


@@ -1,5 +1,23 @@
--- ---
- name: restart sshd - name: restart sshd
service: ansible.builtin.service:
name: sshd name: sshd
state: restarted state: restarted
- name: init aide
ansible.builtin.shell: aide --init; mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
args:
creates: /var/lib/aide/aide.db.gz
async: 300
poll: 0
- name: remount proc
ansible.posix.mount:
path: /proc
state: remount
- name: restart journald
ansible.builtin.service:
name: systemd-journald
state: restarted
- name: restart rsyslog
ansible.builtin.service:
name: rsyslog
state: restarted
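Review bot: In the new `init aide` handler, `aide --init; mv ...` chains with `;`, so the `mv` runs even when `aide --init` fails and a missing or partial database is moved into place without any error surfacing; the task this handler replaces used `&&`: `ansible.builtin.shell: aide --init && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz`. With `async: 300` and `poll: 0` the handler is fire-and-forget, so a failed initialisation is never reported back to the play, and as far as I can tell `async` is the maximum runtime before Ansible terminates the job, which may be tight for a full filesystem scan. If the background run is deliberately unchecked, a comment on the handler saying so (and where to look for the result) would save the next reader from assuming it is verified.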

19
meta/main.yaml Normal file

@@ -0,0 +1,19 @@
---
allow_duplicates: false
galaxy_info:
role_name: cis
author: Andrew Williams
description: Configures a RHEL systems to CIS specs
license: MIT
min_ansible_version: 2.4
platforms:
- name: RedHat
versions:
- 8
collections:
- ansible.posix
- community.general
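Review bot: `min_ansible_version: 2.4` understates the requirement: every task in this commit uses FQCN module names (`ansible.builtin.*`, `ansible.posix.mount`, `community.general.ini_file`) and the `collections` keyword, which as far as I know need Ansible 2.10 or later. It is also an unquoted float, so a value like `2.10` would be read as `2.1`; write it as a string, e.g. `min_ansible_version: "2.10"`. Quoting `- "8"` under `versions` is likewise safer than a bare integer.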


@@ -1,14 +1,11 @@
--- ---
- name: Install AIDE - name: Install AIDE
dnf: ansible.builtin.package:
name: aide name: aide
state: installed state: installed
- name: Init AIDE if database is missing notify: init aide
shell: aide --init && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
args:
creates: /var/lib/aide/aide.db.gz
- name: Install AIDE crontab - name: Install AIDE crontab
copy: ansible.builtin.copy:
dest: /etc/cron.d/aide dest: /etc/cron.d/aide
owner: root owner: root
group: root group: root
@@ -17,4 +14,4 @@
SHELL=/bin/bash SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root MAILTO=root
0 5 * * * root /usr/sbin/aide --check 0 5 * * * root /usr/sbin/aide --update; mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
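Review bot: The cron line changes the daily job from `aide --check` to `aide --update; mv ...`, which accepts whatever the filesystem looks like at 05:00 as the new baseline every morning; anything modified since the previous run is reported once and then absorbed, so the database no longer represents a known-good state. The CIS control this role targets calls for a periodic check, with an update being a deliberate, reviewed step after intended changes: `0 5 * * * root /usr/sbin/aide --check`. If `--update` is kept, the `;` should at least become `&&` so a failed update does not overwrite the database, and the report needs to reach something that is actually monitored rather than relying on `MAILTO=root`. Separately, `notify: init aide` only fires when the package task reports a change, so a host that already had aide installed but no database is never initialised.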


@@ -1,13 +1,13 @@
--- ---
- name: Copy main CIS benchmark ruleset - name: Copy main CIS benchmark ruleset
copy: ansible.builtin.copy:
src: auditd/cis-hardening.rules src: auditd/cis-hardening.rules
dest: /etc/audit/rules.d/cis-hardening.rules dest: /etc/audit/rules.d/cis-hardening.rules
owner: root owner: root
group: root group: root
mode: "0600" mode: "0600"
- name: Copy privileged commands ruleset - name: Copy privileged commands ruleset
copy: ansible.builtin.copy:
src: auditd/privileged.rules src: auditd/privileged.rules
dest: /etc/audit/rules.d/privileged.rules dest: /etc/audit/rules.d/privileged.rules
owner: root owner: root

26
tasks/cron.yaml Normal file

@@ -0,0 +1,26 @@
---
- name: Enable crond
ansible.builtin.service:
name: crond
state: started
enabled: true
- name: Set cron file security
ansible.builtin.file:
path: "{{ item }}"
owner: root
group: root
mode: "0600"
loop:
- /etc/crontab
- name: Set cron.* directory security
ansible.builtin.file:
path: "{{ item }}"
owner: root
group: root
mode: "0700"
loop:
- /etc/cron.hourly
- /etc/cron.daily
- /etc/cron.weekly
- /etc/cron.monthly
- /etc/cron.d


@@ -1,16 +1,22 @@
--- ---
- name: Change grub file modes # noqa: ignore-errors - name: Check if grub file exists
file: ansible.builtin.stat:
path: "{{ item }}" path: "{{ item }}"
owner: root register: grub_results
group: root
mode: "0600"
ignore_errors: true
loop: loop:
- /boot/grub2/grub.cfg - /boot/grub2/grub.cfg
- /boot/grub2/grubenv - /boot/grub2/grubenv
ignore_errors: true
- name: Change grub file modes
ansible.builtin.file:
path: "{{ item.item }}"
owner: root
group: root
mode: "0600"
loop: "{{ grub_results.results }}"
when: item.stat.exists
- name: Change MOTD files security - name: Change MOTD files security
file: ansible.builtin.file:
path: "{{ item }}" path: "{{ item }}"
owner: root owner: root
group: root group: root
@@ -19,23 +25,3 @@
- /etc/motd - /etc/motd
- /etc/issue - /etc/issue
- /etc/issue.net - /etc/issue.net
- name: Set cron file security
file:
path: "{{ item }}"
owner: root
group: root
mode: "0600"
loop:
- /etc/crontab
- name: Set cron.* directory security
file:
path: "{{ item }}"
owner: root
group: root
mode: "0700"
loop:
- /etc/cron.hourly
- /etc/cron.daily
- /etc/cron.weekly
- /etc/cron.monthly
- /etc/cron.d
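Review bot: `ignore_errors: true` on the new `Check if grub file exists` task is no longer needed: `ansible.builtin.stat` does not fail when the path is absent (that is what the following `when: item.stat.exists` handles), so the directive now only hides genuine errors such as an unreadable `/boot`; drop that line. The `register: grub_results` / `loop: "{{ grub_results.results }}"` shape is right; a one-line comment on the second task explaining why a stat pass is needed (presumably one of the two files is absent on some installs) would help the next reader. The MOTD task that follows continues past this hunk.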

31
tasks/journald.yaml Normal file

@@ -0,0 +1,31 @@
---
- name: Forward journald to syslog
community.general.ini_file:
path: /etc/systemd/journald.conf
section: Journal
option: ForwardToSyslog
value: "yes"
owner: root
group: root
mode: "0644"
notify: restart journald
- name: Compress journald logs
community.general.ini_file:
path: /etc/systemd/journald.conf
section: Journal
option: Compress
value: "yes"
owner: root
group: root
mode: "0644"
notify: restart journald
- name: Ensure logs are wrote to persistent disk
community.general.ini_file:
path: /etc/systemd/journald.conf
section: Journal
option: Storage
value: persistent
owner: root
group: root
mode: "0644"
notify: restart journald
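Review bot: The third task's name has a grammar slip: `- name: Ensure logs are written to persistent disk`. Style-wise the three tasks differ only in `option`/`value`, so a single `community.general.ini_file` task looping over `{ option: ForwardToSyslog, value: "yes" }`, `{ option: Compress, value: "yes" }`, `{ option: Storage, value: persistent }` would keep the path, ownership and mode in one place. Keeping `"yes"` quoted is correct here, since journald expects the literal word and an unquoted `yes` would be parsed as a boolean.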


@@ -1,6 +1,6 @@
--- ---
- name: Add core limits - name: Add core limits
pam_limits: community.general.pam_limits:
dest: /etc/security/limits.d/core.conf dest: /etc/security/limits.d/core.conf
domain: "*" domain: "*"
limit_type: hard limit_type: hard

20
tasks/logindefs.yaml Normal file

@@ -0,0 +1,20 @@
---
# Modify login.defs
- name: Set Default umask for Users
ansible.builtin.lineinfile:
dest: "/etc/login.defs"
regexp: "UMASK"
line: "UMASK 077"
state: present
- name: Set Home filemode
ansible.builtin.lineinfile:
dest: "/etc/login.defs"
regexp: "HOME_MODE"
line: "HOME_MODE 0701"
state: present
- name: Disable user groups
ansible.builtin.lineinfile:
dest: "/etc/login.defs"
regexp: "USERGROUPS_ENAB"
line: "USERGROUPS_ENAB no"
state: present
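Review bot: The three `regexp` values are unanchored substrings (`UMASK`, `HOME_MODE`, `USERGROUPS_ENAB`), and `lineinfile` replaces the last matching line, so a comment or other directive that merely mentions the token can be the line rewritten while the real setting stays in place; the stock login.defs has explanatory comments naming these keys, as far as I recall. Anchor each pattern to the start of the directive: `regexp: '^UMASK\s'`, `regexp: '^HOME_MODE\s'`, `regexp: '^USERGROUPS_ENAB\s'`. `dest:` is an alias of `path:` for `lineinfile`; `path:` would match `tasks/ssh.yaml` in the same commit.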


@@ -1,8 +1,13 @@
--- ---
- include: auditd.yaml - include: auditd.yaml
- include: limits.yaml - include: limits.yaml
- include: proc.yaml
- include: sudo.yaml - include: sudo.yaml
- include: file_security.yaml - include: file_security.yaml
- include: cron.yaml
- include: ssh.yaml - include: ssh.yaml
- include: sysctl.yaml - include: sysctl.yaml
- include: logindefs.yaml
- include: journald.yaml
- include: rsyslog.yaml
- include: aide.yaml - include: aide.yaml
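Review bot: The new `tasks/services.yaml` added in this commit is not listed here, so the rpcbind disable task never runs; add it alongside the other includes. `include` itself has been deprecated since Ansible 2.4 in favour of `import_tasks`/`include_tasks`, which sits oddly with the commit's move to FQCN names everywhere else, so `- ansible.builtin.import_tasks: services.yaml` (and the same form for the existing entries) would be consistent.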

10
tasks/proc.yaml Normal file

@@ -0,0 +1,10 @@
---
# Tighten down /proc
- name: Hide other user's PIDs for non-root users
ansible.posix.mount:
src: proc
path: /proc
opts: defaults,hidepid=1,gid=986
state: present
fstype: proc
notify: remount proc
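Review bot: `gid=986` hard-codes a numeric group id into the /proc mount options, and as far as I can tell system group ids in that range are allocated dynamically at package install time, so on another host the id may map to a different group or to none, silently granting or denying visibility of other users' processes to the wrong accounts; resolve the intended group by name at run time and template the id in, and add a comment naming which group this is meant to be. `hidepid=1` still lets unprivileged users list other users' PIDs in /proc (only the per-process directory contents are protected); if full hiding is intended, `hidepid=2` is the usual choice. `state: present` only edits fstab and relies on the `remount proc` handler for the live change, which is worth a one-line comment.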

18
tasks/rsyslog.yaml Normal file

@@ -0,0 +1,18 @@
---
- name: Install rsyslog
ansible.builtin.package:
name: rsyslog
state: present
- name: Set FileCreateMode for rsyslog
ansible.builtin.copy:
dest: /etc/rsyslog.d/00-filecreatemode.conf
owner: root
group: root
mode: "0644"
content: "$FileCreateMode 0640\n"
notify: restart rsyslog
- name: Start rsyslog
ansible.builtin.service:
name: rsyslog
state: started
enabled: true

9
tasks/services.yaml Normal file

@@ -0,0 +1,9 @@
---
- name: Disable services
ansible.builtin.service:
name: "{{ item }}"
state: stopped
enabled: false
loop:
- rpcbind.socket
- rpcbind.service
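Review bot: `ansible.builtin.service` with `state: stopped` fails when the unit is not present on the host (as far as I can tell the systemd backend reports that it cannot find the requested service), so on minimal installs without rpcbind this task aborts the play instead of being a no-op. Guard the loop against the units actually installed (for example by gathering `ansible.builtin.service_facts` first and adding a `when:`), or document at the top of the file that rpcbind is assumed to be present. A comment stating why rpcbind specifically is disabled would also help, since the file name suggests it is meant to grow.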


@@ -1,12 +1,12 @@
--- ---
- name: Set sshd_config file security - name: Set sshd_config file security
file: ansible.builtin.file:
path: /etc/ssh/sshd_config path: /etc/ssh/sshd_config
owner: root owner: root
group: root group: root
mode: "0600" mode: "0600"
- name: Set SSHD configuration values - name: Set SSHD configuration values
lineinfile: ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config path: /etc/ssh/sshd_config
regexp: "^{{ item.key }}" regexp: "^{{ item.key }}"
line: "{{ item.key }} {{ item.value }}" line: "{{ item.key }} {{ item.value }}"


@@ -1,6 +1,6 @@
--- ---
- name: Ensure sudo access is logged - name: Ensure sudo access is logged
copy: ansible.builtin.copy:
dest: /etc/sudoers.d/logfile.conf dest: /etc/sudoers.d/logfile.conf
owner: root owner: root
group: root group: root