-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathmain.yml
431 lines (376 loc) · 20.6 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
---
- name: Cisco-ASA Firewall STIG Config
hosts: all
vars_files: secrets/secrets.yml
gather_facts: True
connection: network_cli
become: yes
tasks:
- name: Create the lists for ACLs
set_fact:
insideInList: "{{insideInACL.split('\n')}}"
insideOutList: "{{insideOutACL.split('\n')}}"
outsideInList: "{{outsideInACL.split('\n')}}"
outsideCryptomapACLList: "{{outsideCryptomapACL.split('\n')}}"
outsideCryptomapList: "{{outsideCryptomap.split('\n')}}"
ipsecProposalList: "{{ipsecProposal.split('\n')}}"
tunnelGroupList: "{{tunnelGroups.split('\n')}}"
vpnFilterList: "{{vpnFilterACL.split('\n')}}"
- name: Grabbing running config
cisco.asa.asa_command:
commands: show running-config | include access-list inside_access_in extended
register: running_config
- name: CASA-FW-000010 - The Cisco ASA must be configured to filter outbound traffic, allowing only authorized ports and services. (1/2)
block:
- name: CASA-FW-000010 - The Cisco ASA must be configured to filter outbound traffic, allowing only authorized ports and services. (1/2) Clearing if incorrect
cisco.asa.asa_config:
lines: "{{insideInList}}"
match: exact
replace: block
before: clear configure access-list inside_access_in
config: "{{running_config.stdout[0]}}"
rescue:
- name: CASA-FW-000010 - The Cisco ASA must be configured to filter outbound traffic, allowing only authorized ports and services. (1/2) Creating if not found
cisco.asa.asa_config:
lines: "{{insideInList}}"
match: exact
replace: block
- name: CASA-FW-000010 - The Cisco ASA must be configured to filter outbound traffic, allowing only authorized ports and services. (2/2)
cisco.asa.asa_config:
lines:
- access-group inside_access_in in interface inside
- name: Grabbing interface facts
cisco.asa.asa_facts:
gather_network_resources: all
- name: Grabbing running config
cisco.asa.asa_command:
commands: show running-config all
register: running_config
- name: CASA-FW-000020 - The Cisco ASA must immediately use updates made to policy enforcement mechanisms such as firewall rules, security policies, and security zones.
cisco.asa.asa_config:
lines:
- no asp rule-engine transactional-commit access-group
defaults: Yes
when: 'not running_config.stdout[0] is search("no asp rule-engine transactional-commit access-group")'
- name: Grabbing running config
cisco.asa.asa_command:
commands: show running-config | include access-list {{vpnFilterACLName}} extended
register: running_config
- name: CASA-FW-000030 - The Cisco ASA must be configured to restrict VPN traffic according to organization-defined filtering rules. (1/7)
block:
- name: CASA-FW-000030 - The Cisco ASA must be configured to restrict VPN traffic according to organization-defined filtering rules. (1/7)
cisco.asa.asa_config:
lines: "{{vpnFilterList}}"
match: exact
replace: block
config: "{{running_config.stdout[0]}}"
rescue:
- name: CASA-FW-000030 - The Cisco ASA must be configured to restrict VPN traffic according to organization-defined filtering rules. (1/7) Creating if not found
cisco.asa.asa_config:
lines: "{{vpnFilterList}}"
match: exact
replace: block
- name: Grabbing running config
cisco.asa.asa_command:
commands: show running-config
register: running_config
- name: CASA-FW-000030 - The Cisco ASA must be configured to restrict VPN traffic according to organization-defined filtering rules. (2/7)
cisco.asa.asa_config:
lines:
- group-policy {{groupPolicyName}} internal
when: not running_config.stdout[0] is search("group-policy {{groupPolicyName}}")
- name: CASA-FW-000030 - The Cisco ASA must be configured to restrict VPN traffic according to organization-defined filtering rules. (3/7)
cisco.asa.asa_config:
lines:
- vpn-tunnel-protocol ikev2
- vpn-filter value {{vpnFilterACLName}}
parents: group-policy {{groupPolicyName}} attributes
- name: CASA-FW-000030 - The Cisco ASA must be configured to restrict VPN traffic according to organization-defined filtering rules. (4/7)
cisco.asa.asa_config:
lines:
- tunnel-group {{item}} type ipsec-l2l
loop: "{{tunnelGroupList}}"
when: 'tunnelGroupList[0] != tunnelGroupList[-1] and item != ""'
- name: CASA-FW-000030 - The Cisco ASA must be configured to restrict VPN traffic according to organization-defined filtering rules. (5/7)
cisco.asa.asa_config:
lines:
- tunnel-group {{tunnelGroupList[0]}} type ipsec-l2l
when: 'tunnelGroupList[0] == tunnelGroupList[-1] and tunnelGroupList[0] != ""'
- name: CASA-FW-000030 - The Cisco ASA must be configured to restrict VPN traffic according to organization-defined filtering rules. (6/7)
cisco.asa.asa_config:
lines:
- default-group-policy {{groupPolicyName}}
parents: tunnel-group {{item}} general-attributes
loop: "{{tunnelGroupList}}"
when: 'tunnelGroupList[0] != tunnelGroupList[-1] and item != ""'
- name: CASA-FW-000030 - The Cisco ASA must be configured to restrict VPN traffic according to organization-defined filtering rules. (7/7)
cisco.asa.asa_config:
lines:
- default-group-policy {{groupPolicyName}}
parents: tunnel-group {{tunnelGroupList[0]}} general-attributes
when: 'tunnelGroupList[0] == tunnelGroupList[-1] and tunnelGroupList[0] != ""'
- name: CASA-FW-000040 - The Cisco ASA must be configured to generate traffic log entries containing information to establish what type of events occurred. (1/3)
cisco.asa.asa_acls:
config:
acls:
- name: "{{item.name}}"
acl_type: "{{item.acl_type}}"
aces:
- line: "{{item.aces[-1].line|int +1|int}}"
grant: deny
protocol: ip
source:
any: True
destination:
any: True
log: default
protocol_options:
ip: True
state: merged
loop: "{{ansible_network_resources.acls.acls}}"
when: 'item.aces is defined and item.aces[-1].grant is defined and item.aces[-1].grant == "deny" and (item.aces[-1].protocol != "ip" or not item.aces[-1].source.any or not item.aces[-1].destination.any or (item.aces[-1].log is defined and item.aces[-1].log != "default"))'
- name: CASA-FW-000040 - The Cisco ASA must be configured to generate traffic log entries containing information to establish what type of events occurred. (2/3)
cisco.asa.asa_acls:
config:
acls:
- name: "{{item.name}}"
acl_type: "{{item.acl_type}}"
aces:
- line: "{{item.aces[-1].line|int + 1|int}}"
grant: deny
protocol: ip
source:
any: True
destination:
any: True
log: default
protocol_options:
ip: True
state: merged
loop: "{{ansible_network_resources.acls.acls}}"
when: 'item.aces is defined and item.aces[-1].grant is defined and item.aces[-1].grant == "permit"'
- name: CASA-FW-000040 - The Cisco ASA must be configured to generate traffic log entries containing information to establish what type of events occurred. (3/3)
cisco.asa.asa_acls:
config:
acls:
- name: "{{item.name}}"
acl_type: "{{item.acl_type}}"
aces:
- line: 1
grant: deny
protocol: ip
source:
any: True
destination:
any: True
log: default
protocol_options:
ip: True
state: merged
loop: "{{ansible_network_resources.acls.acls}}"
when: 'item.aces is not defined'
- name: CASA-FW-000050 - The Cisco ASA must be configured to generate traffic log entries containing information to establish when (date and time) the events occurred.
cisco.asa.asa_config:
lines:
- logging timestamp
- name: CASA-FW-000090 - The Cisco ASA must be configured to queue log records locally in the event that the central audit server is down or not reachable.
cisco.asa.asa_config:
lines:
- logging buffered notifications
- logging queue 8192
- name: CASA-FW-000100 - The Cisco ASA must be configured to use TCP when sending log records to the central audit server.
cisco.asa.asa_config:
lines:
- logging host {{loggingInterface}} {{logHost}} 6/1514
- logging permit-hostdown
- name: Grabbing running config
cisco.asa.asa_command:
commands: show running-config telnet | exclude timeout
register: running_config
- name: CASA-FW-000130 - The Cisco ASA must be configured to disable or remove unnecessary network services and functions that are not used as part of its role in the architecture. (1/2)
cisco.asa.asa_config:
lines:
- no {{item}}
when: running_config.stdout[0] is search ("telnet") and running_config.stdout_lines[0][0] != running_config.stdout_lines[0][-1]
loop: "{{running_config.stdout_lines[0] if running_config.stdout_lines[0] is iterable and running_config.stdout_lines[0] is not string}}"
- name: CASA-FW-000130 - The Cisco ASA must be configured to disable or remove unnecessary network services and functions that are not used as part of its role in the architecture. (2/2)
cisco.asa.asa_config:
lines:
- no {{running_config.stdout[0]}}
when: running_config.stdout[0] is search ("telnet") and running_config.stdout_lines[0][0] == running_config.stdout_lines[0][-1]
- name: CASA-FW-000150 - The Cisco ASA must be configured to enable threat detection to mitigate risks of denial-of-service (DoS) attacks.
cisco.asa.asa_config:
lines:
- threat-detection basic-threat
- name: Grabbing running config
cisco.asa.asa_command:
commands: show running-config | include access-list outside_access_in extended
register: running_config
- name: CASA-FW-000230 - The Cisco ASA perimeter firewall must be configured to filter traffic destined to the enclave in accordance with the specific traffic that is approved and registered in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments (1/2)
block:
- name: CASA-FW-000230 - The Cisco ASA perimeter firewall must be configured to filter traffic destined to the enclave in accordance with the specific traffic that is approved and registered in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments (1/2) Clearing if incorrect
cisco.asa.asa_config:
lines: "{{outsideInList}}"
match: exact
replace: block
before: clear configure access-list outside_access_in
config: "{{running_config.stdout[0]}}"
rescue:
- name: CASA-FW-000230 - The Cisco ASA perimeter firewall must be configured to filter traffic destined to the enclave in accordance with the specific traffic that is approved and registered in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments (1/2) Creating if not found
cisco.asa.asa_config:
lines: "{{outsideInList}}"
match: exact
replace: block
- name: CASA-FW-000230 - CASA-FW-000170 - The Cisco ASA perimeter firewall must be configured to filter traffic destined to the enclave in accordance with the specific traffic that is approved and registered in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments (2/2)
cisco.asa.asa_config:
lines:
- access-group outside_access_in in interface outside
- name: CASA-FW-000200 - The Cisco ASA must be configured to send log data of denied traffic to a central audit server for analysis.
cisco.asa.asa_config:
lines:
- logging trap notifications
- name: CASA-FW-000210 - The Cisco ASA must be configured to generate a real-time alert to organization-defined personnel and/or the firewall administrator in the event communication with the central audit server is lost.
cisco.asa.asa_config:
lines:
- logging mail warnings
- logging recipient-address {{recipientAddress}} level warnings
- logging from-address {{ansible_net_hostname}}@{{emailDomain}}
- smtp-server {{smtpServer}}
- name: CASA-FW-000220 - The Cisco ASA must be configured to implement scanning threat detection.
cisco.asa.asa_config:
lines:
- threat-detection scanning-threat shun
- name: Grabbing running config
cisco.asa.asa_command:
commands: show running-config | include access-list outside_access_in extended
register: running_config
- name: CASA-FW-000230 - The Cisco ASA must be configured to filter inbound traffic on all external interfaces. (1/2)
cisco.asa.asa_config:
lines: "{{outsideInList}}"
match: exact
replace: block
before: clear configure access-list outside_access_in
config: "{{running_config.stdout[0]}}"
- name: CASA-FW-000230 - The Cisco ASA must be configured to filter inbound traffic on all external interfaces. (2/2)
cisco.asa.asa_config:
lines:
- access-group outside_access_in in interface outside
- name: Grabbing running config
cisco.asa.asa_command:
commands: show running-config | include access-list inside_access_in extended
register: running_config
- name: CASA-FW-000240 - The Cisco ASA must be configured to filter outbound traffic on all internal interfaces. (1/2)
cisco.asa.asa_config:
lines: "{{insideInList}}"
match: exact
replace: block
before: clear configure access-list inside_access_in
config: "{{running_config.stdout[0]}}"
- name: CASA-FW-000240 - The Cisco ASA must be configured to filter outbound traffic on all internal interfaces. (1/2)
cisco.asa.asa_config:
lines:
- access-group inside_access_in in interface inside
- name: Grabbing running config
cisco.asa.asa_command:
commands: show running-config | include access-list secure_access_out extended
register: running_config
- name: CASA-FW-000250 - The Cisco ASA perimeter firewall must be configured to block all outbound management traffic. (1/2)
block:
- name: CASA-FW-000250 - The Cisco ASA perimeter firewall must be configured to block all outbound management traffic. (1/2) Clearing if incorrect
cisco.asa.asa_config:
lines: "{{insideOutList}}"
match: exact
replace: block
before: clear configure access-list secure_access_out
config: "{{running_config.stdout[0]}}"
rescue:
- name: CASA-FW-000250 - The Cisco ASA perimeter firewall must be configured to block all outbound management traffic. (1/2) Creating if not found
cisco.asa.asa_config:
lines: "{{insideOutList}}"
match: exact
replace: block
- name: CASA-FW-000250 - The Cisco ASA perimeter firewall must be configured to block all outbound management traffic. (2/2)
cisco.asa.asa_config:
lines:
- access-group secure_access_out out interface secure
- name: CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel. (1/4)
cisco.asa.asa_config:
lines: "{{ipsecProposalList}}"
parents: "crypto ipsec ikev2 ipsec-proposal {{ipsecProposalID}}"
- name: Grabbing running config
cisco.asa.asa_command:
commands: show running-config | include access-list {{cryptoMapACLName}}
register: running_config
- name: CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel. (2/4)
block:
- name: CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel. (2/4) Clearing if incorrect
cisco.asa.asa_config:
lines: "{{outsideCryptomapACLList}}"
replace: block
match: exact
before: clear configure access-list {{cryptoMapACLName}}
config: "{{running_config.stdout[0]}}"
rescue:
- name: CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel. (2/3) Creating if not found
cisco.asa.asa_config:
lines: "{{outsideCryptomapACLList}}"
replace: block
match: exact
config: "{{running_config.stdout[0]}}"
- name: Grabbing running config
cisco.asa.asa_command:
commands: show running-config | include crypto map {{cryptoMapName}} .*
register: running_config
- name: CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel. (3/4)
block:
- name: CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel. (3/4)
cisco.asa.asa_config:
lines: "{{outsideCryptomapList}}"
config: "{{running_config.stdout[0]}}"
rescue:
- name: CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel. (3/4) Creating if not found
cisco.asa.asa_config:
lines: "{{outsideCryptomapList}}"
config: "{{running_config.stdout[0]}}"
- name: Checking for tunnel
cisco.asa.asa_command:
commands: show vpn-session
register: vpn_sessions
- name: CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel. (4/4) Creating if not found
cisco.asa.asa_config:
lines:
- "{{outsideCryptomapKey}}"
when: not vpn_sessions.stdout[0] is search("Site-to-Site VPN")
- name: CASA-FW-000270 - The Cisco ASA must be configured to inspect all inbound and outbound traffic at the application layer.
cisco.asa.asa_config:
lines:
- service-policy global_policy global
- name: CASA-FW-000280 - The Cisco ASA must be configured to inspect all inbound and outbound IPv6 traffic for unknown or out-of-order extension headers.
cisco.asa.asa_config:
lines:
- inspect ipv6
parents:
- policy-map global_policy
- class inspection_default
- name: Grabbing running config
cisco.asa.asa_command:
commands: show running-config | include access-list inside_access_in extended
register: running_config
- name: CASA-FW-000290 - The Cisco ASA must be configured to restrict it from accepting outbound packets that contain an illegitimate address in the source address field via an egress filter or by enabling Unicast Reverse Path Forwarding (uRPF). (1/2)
cisco.asa.asa_config:
lines: "{{insideInList}}"
match: exact
replace: block
before: clear configure access-list inside_access_in
config: "{{running_config.stdout[0]}}"
- name: CASA-FW-000290 - The Cisco ASA must be configured to restrict it from accepting outbound packets that contain an illegitimate address in the source address field via an egress filter or by enabling Unicast Reverse Path Forwarding (uRPF). (2/2)
cisco.asa.asa_config:
lines:
- access-group inside_access_in in interface inside
- name: CASA-FW-000300 - The Cisco ASA must be configured to generate an alert that can be forwarded to organization-defined personnel and/or the firewall administrator when denial-of-service (DoS) incidents are detected.
cisco.asa.asa_config:
lines:
- logging mail warnings
- logging recipient-address {{recipientAddress}} level warnings
- logging from-address {{ansible_net_hostname}}@{{emailDomain}}
- smtp-server {{smtpServer}}