Ansible Role to Automate CIS v1.1.0 Ubuntu Linux 18.04 LTS, 20.04 LTS Remediation
Home Page: https://alivx.github.io/CIS-Ubuntu-20.04-Ansible/
License: GNU General Public License v3.0
Start implementing the following points:
TASK [CIS-Ubuntu-20.04-Ansible : 1.9 Ensure updates, patches, and additional security software are installed] ***********************************************
fatal: [node-1]: FAILED! => {"msg": "the field 'tags' should be a list of ((<type 'basestring'>,), <type 'int'>), but the item '1.9' is a <type 'float'>\n\nThe error appears to be in '.../CIS-Ubuntu-20.04-Ansible/tasks/section_1_Initial_Setup.yaml': line 873, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n# 1.9 Ensure updates, patches, and additional security software are installed\n- name: 1.9 Ensure updates, patches, and additional security software are installed\n ^ here\n"}
...ignoring
TASK [CIS-Ubuntu-20.04-Ansible : 1.10 Ensure GDM is removed or login is configured] *************************************************************************
fatal: [node-1]: FAILED! => {"msg": "the field 'tags' should be a list of ((<type 'basestring'>,), <type 'int'>), but the item '1.1' is a <type 'float'>\n\nThe error appears to be in '.../CIS-Ubuntu-20.04-Ansible/tasks/section_1_Initial_Setup.yaml': line 883, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n# 1.10 Ensure GDM is removed or login is configured\n- name: 1.10 Ensure GDM is removed or login is configured\n ^ here\n"}
...ignoring
Simple fix: in Tasks/section_1_Initial_Setup.yaml change the tags 1.9 and 1.10 to strings. :-)
Describe the bug
I'ts not a bug, but just a question because im unfamiliar with the ansible command. I try to run it on an separate host and getting this message:
root@server:/home/acc/UBUNTU22-CIS$ ansible-playbook site.yml
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does
not match 'all'
[WARNING]: Could not match supplied host pattern, ignoring: server.fqdn.de
PLAY [server.fqdn.de] *********************************************************************************
skipping: no hosts matched
my site.yml looks like:
---
- hosts: server.fqdn.de
become: true
roles:
- role: "{{ playbook_dir }}"
What should I do to run the playbook on an remote host? Thanks in advance :-)
Describe the bug
The tag-ids mentioned against the Task listed in the Table of Roles are not in sync with actual task-ids used in the yaml declarations of the task.
This leads to incorrect hardening roles getting applied on the machine.
For example the tag-id 2.2.4 from README.md says it is for Ensure CUPS is not installed (Automated).
But if you check the code base then this tag-id is assigned for ./tasks/section_2_Services.yaml:449:- name: 2.2.4 Ensure telnet client is not installed
To Reproduce
Steps to reproduce the behavior:
grep the the tag-id 2.2.4 in the code repository itself.
Expected behavior
The tag-ids should be uniquely assigned to each role task and has to be aligned while mentioning in the README.md and index.html.
Screenshots
If applicable, add screenshots to help explain your problem.
Desktop (please complete the following information):
Not Applicable
Additional context
None
Describe the bug
Easy one: about section lists 18.04 while the rest of the project has updated to 20.04.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Update text to 20.04.
Screenshots
Desktop (please complete the following information):
Additional context
n/a
Describe the bug
In section_1_Initial_Setup.yaml:
Line 1021:
Line 1050:
To Reproduce
Expected behavior
No Error
Screenshots
Hi,
I was checking out this repo and noticed that the - diy tag appears to be missing under section 1.2.1 (whilst the description you've typed clearly states that the specifics on patch update procedures are left to the organization.
Take a look here:
Just thought you wanted to know.
Thanks for the playbook and I hope you have a great day.
Describe the bug
The Task headings list maintained in the README.md and index.html files is not correct for some tasks.
This leads to incorrect mapping of task-tags while applying hardening.
This bug targets the text changes only.
To Reproduce
Steps to reproduce the behavior:
./tasks/ directory.
Expected behavior
The Strings should be aligned in all the places. This will make sure that user is choosing the correct tag-id for his use.
Screenshots
If applicable, add screenshots to help explain your problem.
Desktop (please complete the following information):
Not Applicable
Additional context
Not Applicable
Hi
after applying these hardening ssh tunnel does not work / for example i want to establish 10.10.10.10:8080 to linuxIP:8080 but does not work.
In test 5.2.14:
Superfluous space in list of sshd algorithms in /etc/ssh/sshd_config breaks sshd: "diffie-hellman- group14-sha256"
line: "KexAlgorithms curve25519-sha256,[email protected],diffie-hellman- group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
When trying to apply control 3.3.4 in the conditional to check whether ufw is present before restarting the service, the condition will never be able to be assessed as the error is in stderr rather than in stdout. It was constantly failing:
... thus the last line above should be replaced with the following line, after which it happily skips the control and completes without issues:
- "'not found' not in ufw_check.stderr"
Describe the bug
name: 1.5.1 Ensure XD/NX support is enabled
NX/XD support is currently tested with a simple grep on dmesg. NX will match on other modules (such as the string QNX4). NX/XD error comes up on some system and not on other systems with identical settings, just dependent on how long the system has been running (the ringbuffer with the messages is erased sometimes as soon as 2 days).
I found a more reliable way of doing it is by querying journalctl -k --boot | grep -E "NX (Execute Disable) protection" and then tail -1 and then test for disabled but it is not guaranteed, once the logs rotate out its gone.
One can test if the administrator has disabled noexec32 in the https://www.kernel.org/doc/Documentation/admin-guide/kernel-parameters.txt and one can test /proc/cpuinfo for whether NX is supported by the CPU. Not sure which approach to take for making sure it is enabled in a running kernel (by default it should be unless you're running some ancient hardware).
Also doesn't take into account ARM64 (eg. Raspberry Pi), XD is not a string that will match on current kernels
dmesg | grep NX with the expected response being "NX (Execute Disable) protection: active" is now standard for both AMD and Intel platforms according to the CIS Benchmark for Debian.
To Reproduce
Run the playbook on a host recently booted and one where dmesg has been cleared
Expected behavior
Test should reflect actual settings
Hi @alivx ,
I am facing a issue during remediation step where in I am getting the below error in step 1.7.1 Ensure message of the day is configured properly. I am not able to identify where I need to configure inventory_dir and custom_motd_file_path.
> 1.7.4 Ensure permissions on /etc/motd are configured] *************************************************************
fatal: [localhost]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: ['{{ custom_motd_file_path }}', 'files/templates/motd.j2']: {{ inventory_dir }}/custom_templates/motd_custom.txt: '**inventory_di**r**' is undefined**\n\nThe error appears to be in '/home/anupama/CIS-Ubuntu-20.04-Ansible/tasks/section_1_Initial_Setup.yaml': line 960, column 5, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n- block:\n - name: \"1.7.1 Ensure message of the day is configured properly\\n\n ^ here\nThis one looks easy to fix. It seems that there is a value started\nwith a quote, and the YAML parser is expecting to see the line ended\nwith the same kind of quote. For instance:\n\n when: \"ok\" in result.stdout\n\nCould be written as:\n\n when: '\"ok\" in result.stdout'\n\nOr equivalently:\n\n when: \"'ok' in result.stdout\"\n"}
The folder structure is as advised on github
-run.yaml
-CIS-Ubuntu-20.04-Ansible
configuration of run.yaml
- name: Harden Server
hosts: localhost
become: yes
remote_user: root
gather_facts: yes
roles:
- CIS-Ubuntu-20.04-Ansible
Thank you!
Failure on standard execution during task:
5.4.1.1 Ensure password expiration is 365 days or less | chage
stderr: chage: user 'ubuntu' does not exist in /etc/passed
Build:
Terminal error message below:
When trying to apply control 3.3.4 in the conditional to check whether 'ufw' is present before restarting the service, the condition will never be able to be assessed as the error is in stderr rather than in stdout. It was constantly failing:
... thus the last line above should be replaced with the following line, after which it happily skips the control and completes without issues:
- "'not found' not in ufw_check.stderr"
... and some more proof:
Task 4.4 states "Ensure logrotate assigns appropriate permissions"
In the CIS document the following example is given:
Edit /etc/logrotate.conf and update the create line to read 0640 or more restrictive,
following local site policy
Example:
create 0640 root utmp
Even though this is just an example, the "root utmp" is copied literally into the task and this leads to new log files getting wrong groups, which consecuently leads to logs not being able to be written to these files.
# 4.4 Ensure logrotate assigns appropriate permissions
# It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected.
- name: 4.4 Ensure logrotate assigns appropriate permissions
lineinfile:
dest: /etc/logrotate.conf
regexp: "^create"
line: "create 0640 root utmp"
The correct way should be just changing the file permissions, without changing the already set owner/group, something like:
path: /etc/logrotate.conf
regexp: '^create (.*) (.*)$'
line: 'create 0640 \2'
backrefs: yes
```
Describe the bug
Small change to Travis CI build file to use Python 3 in anticipation of pip 21.0 deprecating support for Python 2 in January 2021.
To Reproduce
Trigger a build in Travis CI
Expected behavior
Deprecation warning should not be visible.
This doesn't look like it's anything important as it doesn't seem to break anything, however the following line is found twice inside the template for chrony "files/templates/chrony.conf.j2" :
driftfile {{ chrony_driftfile }}
My understanding is that this is only needed once?
Hi Alivx,
Hope you are having a wonderful day!
I believe this should be referencing the variable grub_backlog_limit and will need the curly braces.
Describe the bug
When this role is ran including all of the tasks, after it configures sudo in section five, it can no longer perform any tasks resulting in the error "Missing sudo password" Also if I comment out them or restructure the order of operations (move that section of 5 to the bottom and run 6 before 5) I cannot ssh into the machine.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Error: "Missing sudo password"
Desktop (please complete the following information):
Additional context
Add any other context about the problem here.
I am a rookie with ansible. I have installed it and have cloned your repository.
I create a role using ansible-galaxy inti and copied all of the content into that directory.
Now I am getting an error
root@build-server:/etc/ansible/roles/CIS-Ubuntu-20.04-Ansible# ansible-playbook -i inventory run.yaml --list-tags
ERROR! Syntax Error while loading YAML.
did not find expected '-' indicator
The error appears to be in '/etc/ansible/roles/CIS-Ubuntu-20.04-Ansible/defaults/main.yml': line 12, column 1, but may
be elsewhere in the file depending on the exact syntax problem.
The offending line appears to be:
disable_cramfs: yes
^ here
Thank you for your help
Describe the bug
The Travis CI build uses the name of the repository to define the name of the role to upload.
The repository name contains characters that are not valid for an ansible role name.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Forking the repository should result in a new repo with a working Travis CI build.
Workaround
Renaming the forked repository addresses naming incompatibility but results in failing tests as test.yml is hard coded to the repository name.
Describe the bug
allowd_hosts: "ALL: 0.0.0.0/0.0.0.0, 192.168.2.0/255.255.255.0" in defaults/main.yaml not used in any task
Instead of hardcoding the value in the playbook file (tests 5.2.21 and 5.2.22), it'd be better to allow the value to be configured in the main.yml file, fore easy customisation.
I will create a PR for this.
hi
ansible 2.9 does not support some option of you use in your playbook please upgrade it.
Thank you for your efforts.
Describe the bug
To Reproduce
ansible-playbook -i host run.yaml --tags="1.1.1.5"ansible-playbook -i host run.yaml --tags="1.1.1.6"Expected behavior
Console output for running 1.1.1.5:
root@ip-xxx-xx-xx-xx:/srv# ansible-playbook -i host run.yaml --tags="1.1.1.5"
[DEPRECATION WARNING]: "include" is deprecated, use include_tasks/import_tasks instead. This feature will be removed in version 2.16.
Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
PLAY [127.0.0.1] *********************************************************************************************************************
TASK [CIS-Ubuntu-20.04-Ansible : 1.1.1.5 Ensure mounting of hfsplus filesystems is disabled] *****************************************
changed: [localhost]
TASK [CIS-Ubuntu-20.04-Ansible : 1.1.1.5 Ensure mounting of hfsplus filesystems is disabled | modprobe] ******************************
ok: [localhost]
TASK [CIS-Ubuntu-20.04-Ansible : 1.1.1.6 Ensure mounting of squashfs filesystems is disabled] ****************************************
skipping: [localhost]
TASK [CIS-Ubuntu-20.04-Ansible : 1.1.1.6 Ensure mounting of squashfs filesystems is disabled | modprobe] *****************************
skipping: [localhost]
PLAY RECAP ***************************************************************************************************************************
localhost : ok=2 changed=1 unreachable=0 failed=0 skipped=2 rescued=0 ignored=0
Console output for running 1.1.1.6:
root@ip-xxx-xx-xx-xx:/srv# ansible-playbook -i host run.yaml --tags="1.1.1.6"
[DEPRECATION WARNING]: "include" is deprecated, use include_tasks/import_tasks instead. This feature will be removed in version 2.16.
Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
PLAY [127.0.0.1] *********************************************************************************************************************
PLAY RECAP ***************************************************************************************************************************
Desktop (please complete the following information):
TASK [CIS-Ubuntu-20.04-Ansible : 1.7.1.2 Ensure AppArmor is enabled in the bootloader configuration] ************************************************************************************************************
fatal: [192.168.x.x]: FAILED! => {"changed": false, "msg": "Unsupported parameters for (replace) module: follow Supported parameters include: after, attributes, backup, before, encoding, group, mode, owner, path, regexp, replace, selevel, serole, setype, seuser, unsafe_writes, validate"}
Got an error on section 5.2.21 that the ssh_max_startups variable was not set. I discovered that the variable defined in defaults/main.yml is defined as "ssh_max_Startups:". I changed the capital S to lower case and it resolved the error.
TASK [CIS-Ubuntu-20.04-Ansible : 5.2.21 Ensure SSH MaxStartups is configured to {{ ssh_max_startups }}] **********************************
fatal: [vm-cr-test-ubu-01]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'ssh_max_startups' is undefined\n\nThe error appears to be in '/home/crussell/workspace/CIS-Ubuntu-20.04-Ansible/tasks/section_5_Access_Authentication_and_Authorization.yaml': line 451, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n# To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartups to protect availability of sshd logins and prevent overwhelming the daemon.\n- name: \"5.2.21 Ensure SSH MaxStartups is configured to {{ ssh_max_startups }}\"\n ^ here\nWe could be wrong, but this one looks like it might be an issue with\nmissing quotes. Always quote template expression brackets when they\nstart a value. For instance:\n\n with_items:\n - {{ foo }}\n\nShould be written as:\n\n with_items:\n - \"{{ foo }}\"\n"}
In some cases, hardening of ssh/scp should allow the explicit use of weaker protocols, for instance when other servers that connect to the hardened server don't possess certain strong protocols and as a consequence, can't connect amymore.
This can be implemented by allowing the MAC and KexAlgorithms to be defined/overwritten from the configuration.
For instance:
SSH_MACs: "[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-sha1-96"
ssh_key_algorithms: "curve25519-sha256,[email protected],diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1"
# 5.2.13 Ensure only strong MAC algorithms are used
# MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information
- name: 5.2.13 Ensure only strong MAC algorithms are used
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: "^MACs"
line: "MACs ${{ ssh_MACs }}" <------------
tags:
- section5
- level_1_server
- level_1_workstation
- 5.2.13
# 5.2.14 Ensure only strong Key Exchange algorithms are used
# Key exchange methods that are considered weak should be removed. A key exchange method may be weak because too few bits are used, or the hashing algorithm is considered too weak. Using weak algorithms could expose connections to man-in-the-middle attacks
- name: 5.2.14 Ensure only strong Key Exchange algorithms are used
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: "^KexAlgorithms"
line: "KexAlgorithms ${{ ssh_key_algorithms }} <------------
tags:
- section5
- level_1_server
- level_1_workstation
- 5.2.14
If you agree with this, @alivx , I will create the PR.
Describe the bug
Re-ran this against an ubuntu 20.04 instance in AWS and got:
atal: [localhost]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'inventory_dir' is undefined\n\nThe error appears to be in '/tmp/CIS-Ubuntu-20.04-Ansible/tasks/section_1_Initial_Setup.yaml': line 873, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n# has to be defined in the variable "custom_motd_file_path".\n- name: 1.8.1.1 Ensure message of the day is configured properly\n ^ here\n"}
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Expected it to complete without error.
Screenshots
If applicable, add screenshots to help explain your problem.
Desktop (please complete the following information):
Ansible 2.9.6
config file = /etc/ansible/ansible.cfg
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3/dist-packages/ansible
executable location = /usr/bin/ansible
python version = 3.8.5 (default, Jul 28 2020, 12:59:40) [GCC 9.3.0]
Additional context
None.
Describe the bug
An error message appears when checking 4.4
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The install expects logrotate to be present, is that expected?
If so, should the package be installed by the role?
Screenshots
TASK [CIS-Ubuntu-20.04-Ansible : 4.4 Ensure logrotate assigns appropriate permissions] ****************************************************************************************************************************
fatal: [185.52.192.201]: FAILED! => {"changed": false, "msg": "Destination /etc/logrotate.conf does not exist !", "rc": 257}
RUNNING HANDLER [CIS-Ubuntu-20.04-Ansible : journald restart] *****************************************************************************************************************************************************
RUNNING HANDLER [CIS-Ubuntu-20.04-Ansible : rsyslog restart] ******************************************************************************************************************************************************
PLAY RECAP ********************************************************************************************************************************************************************************************************
185.52.192.201 : ok=153 changed=74 unreachable=0 failed=1 skipped=29 rescued=0 ignored=3
Desktop (please complete the following information):
Additional info:
Adding the package installation passed this step successfully
ansible-lint Warnings:
. [E303] mount used in place of mount module
. [E204] Lines should be no longer than 160 chars
. [E305] Use shell only when shell functionality is required
. [E303] systemctl used in place of systemd module
. [E305] Use shell only when shell functionality is required
. [E301] Commands should not change things if nothing needs doing
. [E306] Shells that use pipes should set the pipefail option
. [E502] All tasks should be named
. [E502] All tasks should be named
. [E502] All tasks should be named
. [E204] Lines should be no longer than 160 chars
. [E601] Don't compare to literal True/False
. [E301] Commands should not change things if nothing needs doing
. [E502] All tasks should be named
. [E502] All tasks should be named
. [E102] No Jinja2 in when
. [E102] No Jinja2 in when
. [E301] Commands should not change things if nothing needs doing
. [E602] Don't compare to empty string
. [E102] No Jinja2 in when
. [E102] No Jinja2 in when
ERROR! the role 'CIS-Ubuntu-20.04-Ansible' was not found in /opt/hardening/roles:/root/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:/opt/hardening
The error appears to be in '/opt/hardening/run.yaml': line 7, column 7, but may
be elsewhere in the file depending on the exact syntax problem.
The offending line appears to be:
roles:
- { role: "CIS-Ubuntu-20.04-Ansible" }
^ here
This one looks easy to fix. It seems that there is a value started
with a quote, and the YAML parser is expecting to see the line ended
with the same kind of quote. For instance:
when: "ok" in result.stdout
Could be written as:
when: '"ok" in result.stdout'
Or equivalently:
when: "'ok' in result.stdout"
Describe the bug
Permission error when trying to run any tasks with the script module
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Permissions error when trying to run the scrips
Screenshots
If applicable, add screenshots to help explain your problem.
Desktop (please complete the following information):
Additional context
adding to the script modules fixes the issue
args:
executable: /bin/sh
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.