dsglaser / cis-security Goto Github PK
View Code? Open in Web Editor NEWPlaybooks to implement Center for Internet Security (CIS) controls for RHEL (7-9), RHEL Clones, Ubuntu (18.04-22.04), and Microsoft Windows (10, Server 2019)
License: Other
Playbooks to implement Center for Internet Security (CIS) controls for RHEL (7-9), RHEL Clones, Ubuntu (18.04-22.04), and Microsoft Windows (10, Server 2019)
License: Other
Hello, Firstly thank you very much for collection. I would need some clarification to get to use the role included in the collection. Once the collection is installed, I try to do an include role like this. But it does not work.
---
- name: Linux Hardening
hosts: testserver
vars:
selinux: "disabled"
time_server: "ourtimeserver"
update_system: true
email_server: true
enable_firewall: false
tasks:
- name: CIS Security
include_role:
name: dsglaser.cis_security.dsglaser.cis_security
I also tried to use the role in that way. dsglaser.cis_security
and cis_security
Thx in advance for your help.
Hi
The Set root password
task configures the root_password as password instead of the value of the root_password variable
The problematic line is as follows:
password: "{{ 'root_password' | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"
To resolve this issue, you should remove the apostrophe signs from around the root_password variable, as shown below:
password: "{{ root_password | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"
If you get an error like secret must be unicode or bytes, not ansible.parsing.yaml
add | string
so the final line will be
password: "{{ root_password | string | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"
In the case of auditing system be locked, with -e 2 flag, then the handler fails to execute and the playbook is marked as failed.
I think setting ignore_errors: True
would be better.
Are there plans to update this to cover Ubuntu 22.04 in the near future?
Hi there, (thanks for all your updates btw :) )
Can the following be updated please:
Current:
name: 3.3.2 - Ensure ICMP redirects are not accepted
ansible.builtin.set_fact:
unneeded_ipv4_network: "{{ unneeded_ipv4_network | combine({ 'net.ipv4.conf.all.accept_redirects' : '0' }) }}"
tags:
name: 3.3.2 - Ensure ICMP redirects are not accepted
ansible.builtin.set_fact:
unneeded_ipv6_network: "{{ unneeded_ipv6_network | combine({ 'net.ipv6.conf.all.accept_redirects' : '0' }) }}"
when: not ipv6_disable
tags:
Change to:
name: 3.3.2 - Ensure ICMP redirects are not accepted
ansible.builtin.set_fact:
unneeded_ipv4_network: "{{ unneeded_ipv4_network | combine({ item : '0' }) }}"
loop:
name: 3.3.2 - Ensure ICMP redirects are not accepted
ansible.builtin.set_fact:
unneeded_ipv6_network: "{{ unneeded_ipv6_network | combine({ item : '0' }) }}"
when: not ipv6_disable
loop:
Host is running Red Hat Enterprise Linux 8.7
Unable to restart service auditd: Failed to restart auditd.service: Operation refused, unit auditd.service may be requested by dependency only (it is configured to refuse manual start/stop).\nSee system logs and 'systemctl status auditd.service' for details.
Looking back at the history, use: service was there and now isn't?
The "Add unused_filesystems to /etc/modprobe.d/CIS.conf" task has improperly indented values.
The "Wait for AIDE initialization to complete" tasks has an extra colon in the command.
$ diff -u .ansible/collections/ansible_collections/dsglaser/cis_security/roles/cis_security/tasks/type-files/redhat-8-type.yml redhat-8-type.yml > rh8t.patch
$ cat rh8t.patch
--- .ansible/collections/ansible_collections/dsglaser/cis_security/roles/cis_security/tasks/type-files/redhat-8-type.yml 2022-08-05 02:16:05.128045797 +0000
+++ redhat-8-type.yml 2022-08-05 02:10:19.569043922 +0000
@@ -88,9 +88,9 @@
line: "install {{ item }} /bin/true"
state: present
create: true
- owner: root
- group: root
- mode: 0644
+ owner: root
+ group: root
+ mode: 0644
with_items:
- "{{ unused_filesystems }}"
@@ -585,7 +585,7 @@
- 1.4.1
- name: Wait for AIDE initialization to complete
- ansible.builtin.async_status:: jid={{ aide.ansible_job_id }}
+ ansible.builtin.async_status: jid={{ aide.ansible_job_id }}
register: aide_status
until: aide_status.finished
when: ( not aide_path.stat.exists or not aide_path.stat.isreg ) and ansible_distribution != "SLES"
That normal ?
TASK [dsglaser.cis_security.cis_security : 2.2.1.3 - configure sysconfig time_server options] ***
changed: [templates8.domain] => {"changed": true, "checksum": "c81fc383a075ffadae9801d9c7ee7528c271abaf", "dest": "/etc/sysconfig/chronyd", "gid": 0, "group": "root", "md5sum": "b9583a310fb2cd295b8e054abbc5c1fc", "mode": "0644", "owner": "root", "size": 19, "src": "/root/.ansible/tmp/ansible-tmp-1607016045.3845468-10993-207435942943047/source", "state": "file", "uid": 0}
I don't understand why I see this point is normally only for RHEL7 not 8
Thx!
# With the list complete, use it with the system's package manager
# to remove packages from the system that are not needed.
- name: Remove unused_filesystem list
ansible.builtin.dnf:
name: unused_filesystems
state: absent
I think in the above unused_filesystems
should be '{{ unused_filesystems }}'
.
Hi (thanks for the quick responses!)
RHEL8
An additional file needs to be added to the loop for this condition to pass.
Current:
loop:
- /etc/bashrc
- /etc/profile
changed to:
loop:
- /etc/bashrc
- /etc/profile
- /etc/login.defs
CentOS 8
"Could not find or access 'audit_rules/session.rules'"
roles/cis_security/tasks/type-files/redhat-8-type.yml
1537 src: audit_rules/session.rules
roles/cis_security/tasks/type-files/redhat-8-type.yml
1537 src: audit_rules/sessions.rules
I deployed a minimal RHEL9 images and ran the task against it. It fails here:
RUNNING HANDLER [cis : Reboot] *************************************************
changed: [rhel9base]
RUNNING HANDLER [cis : Restart sshd] *******************************************
changed: [rhel9base]
RUNNING HANDLER [cis : Restart chronyd] ****************************************
changed: [rhel9base]
RUNNING HANDLER [cis : Restart journald] ***************************************
changed: [rhel9base]
RUNNING HANDLER [cis : Start firewalld] ****************************************
fatal: [rhel9base]: FAILED! => {"changed": false, "msg": "Unable to start service firewalld: Failed to start firewalld.service: Unit firewalld.service is masked.\n"}
PLAY RECAP *********************************************************************
rhel9base : ok=220 changed=100 unreachable=0 failed=1 skipped=87 rescued=0 ignored=0
The code says:
- name: Add unused_filesystems to /etc/modprobe.d/CIS.conf
ansible.builtin.lineinfile:
dest: /etc/modprobe.d/CIS.conf
line: "install {{ item }} /bin/true"
state: present
create: true
owner: root
group: root
mode: 0644
setype: modules_conf_t
with_items:
- "{{ unused_filesystems }}"
The standard wants /bin/false
.
Spelling issue in section 4.1.8 in ubuntu-18-type.yml
Line 1549 should read "src: audit_rules/sessions.rules"
missing s in sessions.rules
Original line is "src: audit_rules/session.rules"
Do you think it would be useful to add the possibility to disable the firewall. A useful option might be disabled. Thx!
Currently there is no clear license for this code. Could you please add a license file to the repo.
Thanks.
Hi,
Getting the below error and I believe that it is due to the following issues:
ERROR:
ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)
There was an error in line 21 of /etc/audit/audit.rules
There was an error in line 34 of /etc/audit/audit.rules
etc
00-datetime.rules - Needs a new line after line 3
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -F key=time-change
-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -F key=time-change
-w /etc/localtime -p wa -k time-change
because the following was happening in the /etc/audit/audit.rules, merging the last line of 00-datetime.rules and the first line of 00-delete.rules:
-w /etc/localtime -p wa -k time-change-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=unset -k delete
00-network.rules - First two lines need changing from:
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k -F system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k -F system-locale
to:
-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale
00-user_emulation.rules - needs new line at the end of line 2 as the below was occuring in /etc/audit/audit.rules:
-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation-e 2
Host is running Red Hat Enterprise Linux 8.7
Destination directory /etc/dconf/db/local.d does not exist
distro.d exists in /etc/dconf/db but not local.d
password_hash_alg is set to 'yescrypt' but to pass it needs to be 'sha512'
Hi
For ubuntu22, ubuntu18, redhat9, redhat8, redhat7 the task Process removal list
tries to uninstall the unneeded_packages package instead of the packages listed in the unneeded_packages variable
- name: Process removal list
ansible.builtin.package:
name: unneeded_packages
state: absent
to fix the issue replace unneeded_packages with "{{ unneeded_packages }}"
like below:
- name: Process removal list
ansible.builtin.apt:
name: "{{ unneeded_packages }}"
state: absent
I'm getting the following error on multiple Ubuntu (20.04) machines:
TASK [cis_security : Create a symbolic link] ***********************************
fatal: []: FAILED! => {"changed": false, "gid": 0, "group": "root", "mode": "0644", "msg": "src file does not exist, use "force=yes" if you really want to create the link: /etc/systemd/system/tmp.mount", "owner": "root", "path": "/etc/systemd/system/local-fs.target.wants/tmp.mount", "size": 149, "src": "/etc/systemd/system/tmp.mount", "state": "file", "uid": 0}
Path to template folder ommitted - line 1572
Original line
" src: bad-file-access.rules"
should be
" src: audit_rules/bad-file-access.rules"
FAILED! => {"changed": true, "cmd": "/usr/sbin/augenrules --load", "delta": "0:00:00.002983", "end": "2022-01-19 01:53:26.639735", "msg": "non-zero return code", "rc": 127, "start": "2022-01-19 01:53:26.636752", "stderr": "/bin/sh: 1: /usr/sbin/augenrules: not found", "stderr_lines": ["/bin/sh: 1: /usr/sbin/augenrules: not found"], "stdout": "", "stdout_lines": []}
Host is running Red Hat Enterprise Linux 8.7
Getting the following error:
Fatal: [servername]: FAILED! =>
{
"msg": "The conditional check '( ansible_selinux.mode == "disabled" and selinux | lower != "disabled" ) or selinux_installed.changed' failed.
The error was: error while evaluating conditional (( ansible_selinux.mode == "disabled" and selinux | lower != "disabled" ) or selinux_installed.changed): 'dict object' has no attribute 'mode'. 'dict object' has no attribute 'mode'\n\n
The error appears to be in '/runner/requirements_collections/ansible_collections/dsglaser/cis_security/roles/cis_security/tasks/type-files/redhat-8-type.yml': line 821, column 3, but may\n
be elsewhere in the file depending on the exact syntax problem.\n\n
The offending line appears to be:\n\n
}
If I want to run the role in check mode I got an error and I think I know the cause.
TASK [dsglaser.cis_security.cis_security : Determine if /dev/shm has nodev set] ***
skipping: [templates8.saq.qc.ca] => {"changed": false, "msg": "skipped, running in check mode"}
TASK [dsglaser.cis_security.cis_security : 1.1.15 - Report to user] ************
fatal: [templates8.saq.qc.ca]: FAILED! => {"msg": "The conditional check 'devshm_nodev_out is defined and devshm_nodev_out.stdout' failed. The error was: error while evaluating conditional (devshm_nodev_out is defined and devshm_nodev_out.stdout): 'dict object' has no attribute 'stdout'\n\nThe error appears to be in '/tmp/awx_121_fzv6u2ra/requirements_collections/ansible_collections/dsglaser/cis_security/roles/cis_security/tasks/type-files/redhat-8-type.yml': line 352, column 9, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n # Let the user know if we did not find the option set.\n - name: 1.1.15 - Report to user\n ^ here\n"}
I think I got an error because the step dsglaser.cis_security.cis_security : Determine if /dev/shm has nodev set
is skipped so dsglaser.cis_security.cis_security : 1.1.15 - Report to user
cannont access empty data.
First of all, thanks for the great work.
I checked out the Control 3.4.4.1(redhat-8-type.yml) for iptables and firewalld.
with CIS CentOS Linux 8 Benchmark v1.0.0 - 10-31-2019
The CIS Benchmark has not mentioned to disable firewalld but use firewalld as a frontend for nftables, however, I found the redhat-8-type.yml disabled it. Instead, iptables-service is the one who need to be disabled/remove due to "3.4.2.6 Ensure iptables is not enabled (Scored)" in CIS Benchmark.
Hello @dev
In this file you call an incorrect Handler. You must call
notify: rebuild grub
and not
notify: rebuild ubuntu-grub
Have a nice day
I'm running this role on RHEL8 with Ansible v2.8.13.
IMHO the syntax for excluding tags as mentioned in the readme is wrong. Instead of using --exclude-tags you should use
--skip-tags.
Check 1.5.1 fails (maybe because this is an EFI boot ?) with:
(item=/boot/grub2/grub.cfg) => {"ansible_loop_var": "item", "changed": false, "item": "/boot/grub2/grub.cfg", "msg": "file (/boot/grub2/grub.cfg) is absent, cannot continue", "path": "/boot/grub2/grub.cfg"}
Hi,
In addition to:
install "unused_filesystems" /bin/false
can
blacklist "unused_filesystems"
be added as well?
Example:
install squashfs /bin/false
blacklist squashfs
The reason is a a CIS CAT scan fails because it is missing.
Thanks.
Host is running Red Hat Enterprise Linux 8.7
"The conditional check 'unconfined_services_out.stdout' failed. The error was: error while evaluating conditional (unconfined_services_out.stdout): 'dict object' has no attribute 'stdout'. 'dict object' has no attribute 'stdout'\n\n
The error appears to be in '/runner/requirements_collections/ansible_collections/dsglaser/cis_security/roles/cis_security/tasks/type-files/redhat-8-type.yml': line 861, column 7, but may\n
be elsewhere in the file depending on the exact syntax problem.\n\n
The offending line appears to be:\n\n
# Print any findings to the user\n
- name: 1.6.1.6 - Report on unconfined running services to user\n
^ here\n
Hi, me again :)
I noticed that not all the partition checks have the mount_options variable so the debug checks aren't running. Can you check that all the partition checks are configured to check the fsoption are being checked.
control tag to check:
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
Example:
/var doen't have it
- name: 1.1.3.1 - Determine if /var is on a separate partition
ansible.builtin.set_fact:
mount_count: "addition{{ mount_count + 1 }}"
when: item.mount == "/var"
with_items:
- "{{ ansible_mounts }}"
- name: 1.1.3.2 - Report to user if /var does not have nodev set
ansible.builtin.debug:
msg: "FAILED CONTROL: /var does not have nodev set"
when: mount_options is defined and "nodev" not in mount_options and mount_count == 0
changed_when: true
tags:
- 1.1.3.2
whereas /var/tmp does have it
- name: 1.1.4.1 - Determine if /var/tmp is on a separate partition
ansible.builtin.set_fact:
mount_count: "addition{{ mount_count + 1 }}"
mount_options: "{{ item.options }}"
when: item.mount == "/var/tmp"
with_items:
- "{{ ansible_mounts }}"
tags:
- 1.1.4.1
- name: 1.1.4.2 - Report to user if /var/tmp does not have noexec set
ansible.builtin.debug:
msg: "FAILED CONTROL: /var/tmp/ does not have noexec set"
when: mount_options is defined and "noexec" not in mount_options and mount_count == 0
changed_when: true
tags:
- 1.1.4.2
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.