diff --git a/.ansible-lint b/.ansible-lint index 057c65e..b717f67 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -6,12 +6,10 @@ skip_list: - 'schema' - 'no-changed-when' - 'var-spacing' - - 'fqcn-builtins' - 'experimental' - 'name[play]' - 'name[casing]' - 'name[template]' - - 'fqcn[action]' - 'key-order[task]' - '204' - '305' diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline index d1d2ada..c1b01c1 100644 --- a/.config/.secrets.baseline +++ b/.config/.secrets.baseline @@ -105,18 +105,15 @@ }, { "path": "detect_secrets.filters.heuristic.is_templated_secret" + }, + { + "path": "detect_secrets.filters.regex.should_exclude_file", + "pattern": [ + ".config/.gitleaks-report.json", + "tasks/parse_etc_password.yml" + ] } ], - "results": { - "tasks/parse_etc_password.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/parse_etc_password.yml", - "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", - "is_verified": false, - "line_number": 18 - } - ] - }, - "generated_at": "2023-08-23T10:10:15Z" + "results": {}, + "generated_at": "2023-09-22T13:20:34Z" } diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index 8d9d15c..31a4a6b 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -27,7 +27,7 @@ repo-token: ${{ secrets.GITHUB_TOKEN }} pr-message: |- Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. + Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. # This workflow contains a single job which tests the playbook playbook-test: diff --git a/.yamllint b/.yamllint index ec46929..65faae6 100644 --- a/.yamllint +++ b/.yamllint 
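Review bot: The new `should_exclude_file` filter drops `tasks/parse_etc_password.yml` from detect-secrets entirely, which is far broader than the single finding it replaces (the `Secret Keyword` entry at line 18 removed from `results`). A whole-file exclusion means any real credential later added to that task file would never be reported; marking that one result with `"is_secret": false` in `results` instead keeps the scanner watching the rest of the file. Excluding `.config/.gitleaks-report.json` is reasonable only if that report is meant to live in the repository; if it is a scan artefact it is better kept out via `.gitignore` than silenced in the baseline.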
@@ -30,4 +30,4 @@ rules: trailing-spaces: enable truthy: allowed-values: ['true', 'false'] - check-keys: false + check-keys: true diff --git a/README.md b/README.md index c93ad38..87243e1 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,4 @@ -# AMAZON 2023 CIS - Beta - -**************************** -NOTE AUDIT NOT YET AVAILABLE -**************************** +# AMAZON 2023 CIS ## Configure a Amazon 2023 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant @@ -16,7 +12,7 @@ NOTE AUDIT NOT YET AVAILABLE ![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social) [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown) -![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/61781?label=Quality&&logo=ansible) +![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/?label=Quality&&logo=ansible) ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord) ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) 
@@ -26,7 +22,7 @@ NOTE AUDIT NOT YET AVAILABLE [![Main Pipeline Status](https://github.com/ansible-lockdown/AMAZON2023-CIS/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/AMAZON2023-CIS/actions/workflows/main_pipeline_validation.yml) [![Devel Pipeline Status](https://github.com/ansible-lockdown/AMAZON2023-CIS/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/AMAZON2023-CIS/actions/workflows/devel_pipeline_validation.yml) -![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/AMAZON2023-CIS/devel?color=dark%20green&label=Devel%20Branch%20Commits) +![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/AMAZON2023-CIS/devel?color=dark%20green&label=Devel%20Branch%20commits) ![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/AMAZON2023-CIS?label=Open%20Issues) ![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/AMAZON2023-CIS?label=Closed%20Issues&&color=success) @@ -38,13 +34,13 @@ NOTE AUDIT NOT YET AVAILABLE ## Looking for support? -[Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_RH9_cis) +[Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_AMZ2023_cis) -[Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_RH9_cis) +[Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_AMZ2023_cis) ### Community -Join us on our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users. +Join us on our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users. ### Contributing 
@@ -96,10 +92,10 @@ Refer to [AMAZON2023-CIS-Audit](https://github.com/ansible-lockdown/AMAZON2023-C ## Documentation - [Read The Docs](https://ansible-lockdown.readthedocs.io/en/latest/) -- [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown#GH_AL_RH9_cis) -- [Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise#GH_AL_RH9_cis) -- [Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration#GH_AL_RH9_cis) -- [Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise#GH_AL_RH9_cis) +- [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown#GH_AL_AMZ2023_cis) +- [Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise#GH_AL_AMZ2023_cis) +- [Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration#GH_AL_AMZ2023_cis) +- [Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise#GH_AL_AMZ2023_cis) ## Requirements @@ -195,7 +191,6 @@ uses: ## Added Extras -- makefile - this is there purely for testing and initial setup purposes. - [pre-commit](https://pre-commit.com) can be tested and can be run from within the directory ```sh diff --git a/defaults/main.yml b/defaults/main.yml index ee4bb3c..aaf7219 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -61,6 +61,9 @@ run_audit: false # Timeout for those cmds that take longer to run where timeout set audit_cmd_timeout: 60000 +# Some tests can be resource heavy allow these to take place +amzn2023cis_run_heavy_tests: true + ### End Goss enablements #### #### Detailed settings found at the end of this document #### 
@@ -380,7 +383,7 @@ amzn2023cis_aide_cron: # SELinux policy amzn2023cis_selinux_pol: targeted -# chose onf or enfocing or permissive +# chose conf or enforcing or permissive amzn2023cis_selinux_enforce: enforcing # Whether or not to run tasks related to auditing/patching the desktop environment @@ -419,15 +422,10 @@ amzn2023cis_is_mail_server: false # Note the options # Packages are used for client services and Server- only remove if you dont use the client service # - -amzn2023cis_use_nfs_server: false -amzn2023cis_use_nfs_service: false - -amzn2023cis_use_rpc_server: false -amzn2023cis_use_rpc_service: false - -amzn2023cis_use_rsync_server: false -amzn2023cis_use_rsync_service: false +# optional either remove or mask +amzn2023cis_nfs_server: mask +amzn2023cis_rpc_server: mask +amzn2023cis_rsync_server: mask #### 2.3 Service clients amzn2023cis_telnet_required: false @@ -475,10 +473,10 @@ amzn2023cis_auditd: max_log_file_action: keep_logs # The audit_back_log_limit value should never be below 8192 -amzn2023cis_audit_back_log_limit: 8192 +amzn2023cis_audit_back_log_limit: '8192' # The max_log_file parameter should be based on your sites policy -amzn2023cis_max_log_file_size: 10 +amzn2023cis_max_log_file_size: '10' ### 4.1.3.x audit template update_audit_template: false @@ -495,7 +493,7 @@ amzn2023cis_auditd_extra_conf: {} ## Preferred method of logging ## Whether rsyslog or journald preferred method for local logging ## Affects rsyslog cis 4.2.1.3 and journald cis 4.2.2.5 -amzn2023cis_syslog: rsyslog +amzn2023cis_syslog_service: rsyslog amzn2023cis_rsyslog_ansiblemanaged: true #### 4.2.1.6 remote and destation log server name @@ -570,7 +568,7 @@ amzn2023cis_authselect_custom_profile_select: false amzn2023cis_pass: max_days: 365 - min_days: 7 + min_days: 1 warn_age: 7 # UID settings for interactive users 
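Review bot: `min_days: 1` in the `amzn2023cis_pass` hunk lowers the default PASS_MIN_DAYS from 7 to 1 with no comment saying why; as far as I recall the benchmark only requires a value of 1 or more, so it stays compliant, but a weaker default deserves a note such as `# PASS_MIN_DAYS: CIS requires 1 or more; raise to match site policy`. In the same file the corrected SELinux comment now reads `# chose conf or enforcing or permissive`, which still does not say what was presumably intended, `# choose one of enforcing or permissive`. The removal of the `amzn2023cis_use_*_service` variables in favour of `amzn2023cis_*_server: mask` should be checked against every consumer; `tasks/section_2/cis_2.2.x.yml` in this same diff still references `amzn2023cis_use_rsync_service`.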
@@ -636,10 +634,10 @@ audit_run_script_environment: AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" ### Goss binary settings ### -audit_bin_release: v0.3.23 +audit_bin_release: v0.4.0 audit_bin_version: - AMD64_checksum: 'sha256:9e9f24e25f86d6adf2e669a9ffbe8c3d7b9b439f5f877500dea02ba837e10e4d' - ARM64_checksum: 'sha256:7b0794fa590857e7d64ef436e1a100ca26f6039f269a6138009aa837d27d7f9e' + AMD64_checksum: 'sha256:9cb37863d3d25e2af80cb5cf55198c0c115b2477724153ba9afd0a2e544cb46e' + ARM64_checksum: 'sha256:ce364fad93f9c0702e73767d60fddbb87a8c5f2a586b0d99ec823e8331e6a73b' audit_bin_path: /usr/local/bin/ audit_bin: "{{ audit_bin_path }}goss" audit_format: json diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 29f8960..c4a2e4b 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -23,7 +23,7 @@ when: - get_audit_binary_method == 'download' -- name: Pre Audit Setup | copy audit binary +- name: Pre Audit Setup | Copy audit binary ansible.builtin.copy: src: "{{ audit_bin_copy_location }}" dest: "{{ audit_bin }}" diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 664cf79..5e58427 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -20,7 +20,8 @@ - Restart auditd - name: POST | AUDITD | Add Warning count for changes to template file | Warn Count # noqa no-handler - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: 'Auditd template updated, see diff output for details' when: diff --git a/tasks/main.yml b/tasks/main.yml index edb4187..678c65a 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -2,12 +2,12 @@ # tasks file for AMAZON2023 - name: Check OS version and family + when: + - os_check ansible.builtin.assert: that: (ansible_distribution == 'Amazon' and ansible_distribution_major_version is version_compare('2023', '==')) fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}" - when: - - os_check tags: - always @@ -20,6 +20,8 @@ - always - name: Ensure root password is set + when: + - amzn2023cis_rule_4_6_6 block: - name: Ensure root password is set ansible.builtin.shell: passwd -S root | grep "Password set, SHA512 crypt" @@ -31,8 +33,6 @@ that: root_passwd_set.rc == 0 fail_msg: "You have rule 5.6.6 enabled this requires that you have a root password set" success_msg: "You have a root password set" - when: - - amzn2023cis_rule_4_6_6 tags: - level1-server - patch @@ -41,6 +41,9 @@ - rule_4.6.6 - name: Setup rules if container + when: + - ansible_connection == 'docker' or + ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] block: - name: Discover and set container variable if required ansible.builtin.set_fact: @@ -51,13 +54,10 @@ file: "{{ container_vars_file }}" - name: Output if discovered is a container - ansible.builtin.debug: - msg: system has been discovered as a container when: - system_is_container - when: - - ansible_connection == 'docker' or - ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] + ansible.builtin.debug: + msg: system has been discovered as a container tags: - container_discovery - always 
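Review bot: The guard moved to the top of the `Ensure root password is set` block is `amzn2023cis_rule_4_6_6` and the block is tagged `rule_4.6.6`, but the assert's `fail_msg` still says `You have rule 5.6.6 enabled`; that line is context, so the commit does not touch it, yet the mismatch sends an operator to the wrong control when the check fails. Suggest `fail_msg: "You have rule 4.6.6 enabled this requires that you have a root password set"`, assuming 4.6.6 is the control id this role uses for the root password requirement.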
@@ -69,13 +69,13 @@ success_msg: "Crypto policy is a permitted version" - name: Check crypto-policy module input + when: + - amzn2023cis_rule_1_9 + - amzn2023cis_crypto_policy_module | length > 0 ansible.builtin.assert: that: amzn2023cis_crypto_policy_module in amzn2023cis_allowed_crypto_policies_modules fail_msg: "Crypto policy module is not a permitted version" success_msg: "Crypto policy module is a permitted version" - when: - - amzn2023cis_rule_1_9 - - amzn2023cis_crypto_policy_module | length > 0 tags: - rule_1.9 
@@ -86,77 +86,101 @@ - always - name: Include preliminary steps - ansible.builtin.import_tasks: prelim.yml + ansible.builtin.import_tasks: + file: prelim.yml tags: - prelim_tasks - always -- name: run pre_remediation audit - ansible.builtin.include_tasks: pre_remediation_audit.yml +- name: Run pre_remediation audit when: - run_audit + ansible.builtin.include_tasks: + file: pre_remediation_audit.yml + tags: + - run_audit -- name: run Section 1 tasks - ansible.builtin.import_tasks: section_1/main.yml - when: amzn2023cis_section1 +- name: Run Section 1 tasks + when: + - amzn2023cis_section1 + ansible.builtin.import_tasks: + file: section_1/main.yml tags: - amzn2023cis_section1 -- name: run Section 2 tasks - ansible.builtin.import_tasks: section_2/main.yml - when: amzn2023cis_section2 +- name: Run Section 2 tasks + when: + - amzn2023cis_section2 + ansible.builtin.import_tasks: + file: section_2/main.yml tags: - amzn2023cis_section2 -- name: run Section 3 tasks - ansible.builtin.import_tasks: section_3/main.yml - when: amzn2023cis_section3 +- name: Run Section 3 tasks + when: + - amzn2023cis_section3 + ansible.builtin.import_tasks: + file: section_3/main.yml tags: - amzn2023cis_section3 -- name: run Section 4 tasks - ansible.builtin.import_tasks: section_4/main.yml - when: amzn2023cis_section4 +- name: Run Section 4 tasks + when: + - amzn2023cis_section4 + ansible.builtin.import_tasks: + file: section_4/main.yml tags: - amzn2023cis_section4 -- name: run Section 5 tasks - ansible.builtin.import_tasks: section_5/main.yml - when: amzn2023cis_section5 +- name: Run Section 5 tasks + when: + - amzn2023cis_section5 + ansible.builtin.import_tasks: + file: section_5/main.yml tags: - amzn2023cis_section5 -- name: run Section 6 tasks - ansible.builtin.import_tasks: section_6/main.yml - when: amzn2023cis_section6 +- name: Run Section 6 tasks + when: + - amzn2023cis_section6 + ansible.builtin.import_tasks: + file: section_6/main.yml tags: - amzn2023cis_section6 - name: run auditd 
logic - ansible.builtin.import_tasks: auditd.yml - when: update_audit_template + when: + - update_audit_template + ansible.builtin.import_tasks: + file: auditd.yml tags: - always - name: run post remediation tasks - ansible.builtin.import_tasks: post.yml + ansible.builtin.import_tasks: + file: post.yml tags: - post_tasks - always - name: run post_remediation audit - ansible.builtin.import_tasks: post_remediation_audit.yml when: - run_audit + ansible.builtin.import_tasks: + file: post_remediation_audit.yml - name: Show Audit Summary + when: + - run_audit ansible.builtin.debug: msg: "{{ audit_results.split('\n') }}" - when: run_audit + tags: + - run_audit - name: If Warnings found Output count and control IDs affected + when: + - warn_count != 0 ansible.builtin.debug: msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ warn_control_list }}" - when: warn_count != 0 tags: - always diff --git a/tasks/post.yml b/tasks/post.yml index 0621b13..b681f02 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -46,7 +46,8 @@ - skip_reboot - name: "POST | Warning a reboot required but skip option set | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: - change_requires_reboot - skip_reboot diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 711f59b..4b60075 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -1,7 +1,8 @@ --- - name: Pre Audit Binary Setup | Setup the LE audit - ansible.builtin.include_tasks: LE_audit_setup.yml + ansible.builtin.include_tasks: + file: LE_audit_setup.yml when: - setup_audit tags: @@ -20,7 +21,7 @@ name: git state: present - - name: Pre Audit Setup | retrieve audit content files from git + - name: Pre Audit Setup | Retrieve audit content files from git ansible.builtin.git: repo: "{{ audit_file_git }}" dest: "{{ audit_conf_dir }}" 
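Review bot: The `tags: - run_audit` added to `Run pre_remediation audit` sits on an `include_tasks`, where tags apply to the include statement only and are not inherited by the included tasks, while the `Run post_remediation audit` `import_tasks` gets no tag at all; `Show Audit Summary`, however, is tagged `run_audit` and reads `audit_results`. A run with `--tags run_audit` would therefore most likely skip the tasks that set `audit_results` (they live outside this file, so this is inferred) and then fail on `audit_results.split('\n')`. Either add `apply: tags: [run_audit]` to the include and the same `tags: - run_audit` to the post-remediation import, or drop the tag from the summary so the two audit passes and the summary always run together.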
@@ -28,7 +29,7 @@ when: - audit_content == 'git' -- name: Pre Audit Setup | copy to audit content files to server +- name: Pre Audit Setup | Copy to audit content files to server ansible.builtin.copy: src: "{{ audit_local_copy }}" dest: "{{ audit_conf_dest }}" @@ -36,14 +37,14 @@ when: - audit_content == 'copy' -- name: Pre Audit Setup | unarchive audit content files on server +- name: Pre Audit Setup | Unarchive audit content files on server ansible.builtin.unarchive: src: "{{ audit_conf_copy }}" dest: "{{ audit_conf_dir }}" when: - audit_content == 'archived' -- name: Pre Audit Setup | get audit content from url +- name: Pre Audit Setup | Get audit content from url ansible.builtin.get_url: url: "{{ audit_files_url }}" dest: "{{ audit_conf_dir }}" @@ -59,9 +60,8 @@ - name: Pre Audit Setup | If audit ensure goss is available ansible.builtin.assert: + that: goss_available.stat.exists msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" - when: - - not goss_available.stat.exists when: - run_audit diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 504bf4b..90bb606 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -12,7 +12,8 @@ - users - name: "PRELIM | capture /etc/password variables" - ansible.builtin.include_tasks: parse_etc_password.yml + ansible.builtin.include_tasks: + file: parse_etc_password.yml tags: - rule_5.5.2 - rule_5.6.2 @@ -110,13 +111,13 @@ path: /sys/firmware/efi register: amzn2023cis_efi_boot - - name: "PRELIM | set legacy boot and grub path | Bios" + - name: "PRELIM | Set legacy boot and grub path | Bios" ansible.builtin.set_fact: amzn2023cis_legacy_boot: true grub2_path: /etc/grub2.cfg when: not amzn2023cis_efi_boot.stat.exists - - name: "PRELIM | set grub fact | UEFI" + - name: "PRELIM | Set grub fact | UEFI" ansible.builtin.set_fact: grub2_path: /etc/grub2-efi.cfg when: amzn2023cis_efi_boot.stat.exists 
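Review bot: The reworked assert in `Pre Audit Setup | If audit ensure goss is available` uses `msg:` while the asserts in `tasks/main.yml` in this same diff use `fail_msg:`/`success_msg:`; `msg` is an accepted alias of `fail_msg`, so this is style only, but `fail_msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"` would keep the role consistent. The `goss_available` stat the assert reads is registered outside the hunk, so I have not checked that it is always set when `run_audit` is true.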
@@ -246,7 +247,7 @@ changed_when: false register: gid_min_id - - name: "PRELIM | set_facts for interactive uid/gid" + - name: "PRELIM | Set_facts for interactive uid/gid" ansible.builtin.set_fact: min_int_uid: "{{ uid_min_id.stdout }}" max_int_uid: "{{ uid_max_id.stdout }}" @@ -264,8 +265,3 @@ manager: auto tags: - always - -- name: "PRELIM | Set audit to not run if amazon 2023" - ansible.builtin.set_fact: - run_audit: false - when: ansible_distribution_major_version == '2023' diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index 0e82c70..514651d 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -7,7 +7,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Present" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.1.2.1' required_mount: '/tmp' diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index a931e80..fda1806 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -7,7 +7,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.1.3.1' required_mount: '/var' diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index 8dbf162..317635c 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml 
@@ -8,7 +8,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.1.4.1' required_mount: '/var/tmp' diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index 700bfd0..26e0926 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml @@ -7,7 +7,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Present" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.1.5.1' diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index 41f3dcf..72c6055 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml @@ -7,7 +7,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.1.6.1' diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index bdeb432..53a7424 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -7,7 +7,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Present" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.1.7.1' diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index 6159ca3..d9577ec 100644 --- a/tasks/section_1/cis_1.1.8.x.yml 
+++ b/tasks/section_1/cis_1.1.8.x.yml @@ -8,7 +8,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.8.1 | AUDIT | Ensure separate partition exists for /home | Present" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.1.8.1' diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 62b5df9..2b853de 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -71,7 +71,8 @@ - "{{ dnf_configured.stdout_lines }}" - name: "1.2.3 | AUDIT | Ensure package manager repositories are configured | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.2.3' when: diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index ffea6e7..33ef1c7 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -97,7 +97,8 @@ when: amzn2023cis_1_6_1_6_unconf_services.stdout | length > 0 - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: amzn2023cis_1_6_1_6_unconf_services.stdout | length > 0 vars: warn_control_id: '1.6.1.6' diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index 1cd9d91..f6acd63 100644 --- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml 
@@ -1,54 +1,71 @@ --- - name: "SECTION | 1.1.1.x | Disable unused filesystems" - ansible.builtin.import_tasks: cis_1.1.1.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.1.x.yml - name: "SECTION | 1.1.2.x | Configure /tmp" - ansible.builtin.import_tasks: cis_1.1.2.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.2.x.yml - name: "SECTION | 1.1.3.x | Configure /var" - ansible.builtin.import_tasks: cis_1.1.3.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.3.x.yml - name: "SECTION | 1.1.4.x | Configure /var/tmp" - ansible.builtin.import_tasks: cis_1.1.4.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.4.x.yml - name: "SECTION | 1.1.5.x | Configure /var/log" - ansible.builtin.import_tasks: cis_1.1.5.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.5.x.yml - name: "SECTION | 1.1.6.x | Configure /var/log/audit" - ansible.builtin.import_tasks: cis_1.1.6.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.6.x.yml - name: "SECTION | 1.1.7.x | Configure /home" - ansible.builtin.import_tasks: cis_1.1.7.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.7.x.yml - name: "SECTION | 1.1.8.x | Configure /dev/shm" - ansible.builtin.import_tasks: cis_1.1.8.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.8.x.yml - name: "SECTION | 1.1.9 | Disable various mounting" - ansible.builtin.import_tasks: cis_1.1.9.yml + ansible.builtin.import_tasks: + file: cis_1.1.9.yml - name: "SECTION | 1.2 | Configure Software Updates" - ansible.builtin.import_tasks: cis_1.2.x.yml + ansible.builtin.import_tasks: + file: cis_1.2.x.yml - name: "SECTION | 1.3 | Filesystem Integrity Checking" - ansible.builtin.import_tasks: cis_1.3.x.yml + ansible.builtin.import_tasks: + file: cis_1.3.x.yml when: amzn2023cis_config_aide - name: "SECTION | 1.4 | Secure Boot Settings" - ansible.builtin.import_tasks: cis_1.4.x.yml + ansible.builtin.import_tasks: + file: cis_1.4.x.yml - name: "SECTION | 1.5 | Additional Process Hardening" - ansible.builtin.import_tasks: cis_1.5.x.yml + 
ansible.builtin.import_tasks: + file: cis_1.5.x.yml - name: "SECTION | 1.6 | Mandatory Access Control" - include_tasks: cis_1.6.1.x.yml + ansible.builtin.include_tasks: + file: cis_1.6.1.x.yml when: not amzn2023cis_selinux_disable - name: "SECTION | 1.7 | Command Line Warning Banners" - ansible.builtin.import_tasks: cis_1.7.x.yml + ansible.builtin.import_tasks: + file: cis_1.7.x.yml - name: "SECTION | 1.8 | Updates and Patches" - ansible.builtin.import_tasks: cis_1.8.yml + ansible.builtin.import_tasks: + file: cis_1.8.yml - name: "SECTION | 1.9 | Crypto policies" - include_tasks: cis_1.9.yml + ansible.builtin.include_tasks: + file: cis_1.9.yml diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index e26b190..549600a 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -275,17 +275,16 @@ name: nfs-utils state: absent when: - - not amzn2023cis_use_nfs_server - - not amzn2023cis_use_nfs_service + - amzn2023cis_nfs_server == "remove" - name: "2.2.16 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | mask service" ansible.builtin.systemd: name: nfs-server masked: true state: stopped + daemon_reload: true when: - - not amzn2023cis_use_nfs_server - - amzn2023cis_use_nfs_service + - amzn2023cis_nfs_server == "mask" when: - "'nfs-utils' in ansible_facts.packages" - amzn2023cis_rule_2_2_16 @@ -307,17 +306,16 @@ name: rpcbind state: absent when: - - not amzn2023cis_use_rpc_server - - not amzn2023cis_use_rpc_service + - amzn2023cis_rpc_server == "remove" - name: "2.2.17 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | mask service" ansible.builtin.systemd: name: rpcbind.socket masked: true state: stopped + daemon_reload: true when: - - amzn2023cis_use_rpc_server - - not amzn2023cis_use_rpc_service + - amzn2023cis_rpc_server == "mask" when: - "'rpcbind' in ansible_facts.packages" - amzn2023cis_rule_2_2_17 
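Review bot: The new `amzn2023cis_nfs_server == "remove"` / `== "mask"` conditions in the 2.2.16 hunk (and the matching `amzn2023cis_rpc_server` pair in the 2.2.17 hunk) silently do nothing when the variable holds any other value, so a typo such as `masked` leaves nfs-utils installed and nfs-server unmasked while the play reports success; neither these hunks nor the defaults add a check for the permitted values. An assert in prelim along the lines of `that: amzn2023cis_nfs_server in ['remove', 'mask']` with a clear `fail_msg` (repeated for the rpc and rsync variables) would make the either/or setting safe. Separately, the 2.2.17 mask task names only `rpcbind.socket` although its title says the rpcbind services, plural, are masked; if the intent is to match the benchmark wording, `rpcbind` should be masked too, e.g. `loop: [rpcbind, rpcbind.socket]` — that `name:` line is context here, so hedged.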
@@ -331,26 +329,26 @@ # The name title of the service says mask the service, but the fix allows for both options # Options available in default/main if to remove the package default is false just mask the server service -- name: "2.2.18 | PATCH | Ensure rsync service is not enabled " +- name: "2.2.18 | PATCH | Ensure rsync-daemon is not installed or the rsyncd service is masked " block: - name: "2.2.18 | PATCH | Ensure rsync-daemon is not installed or the rsync service is masked | remove package" ansible.builtin.package: name: rsync-daemon state: absent when: - - not amzn2023cis_use_rsync_server + - amzn2023cis_rsync_server == "remove" - not amzn2023cis_use_rsync_service - - name: "2.2.18 | PATCH | Ensure rsync service is not enabled | mask service" + - name: "2.2.18 | PATCH | Ensure rsync-daemon is not installed or the rsyncd service is masked | mask service" ansible.builtin.systemd: name: rsyncd masked: true state: stopped + daemon_reload: true when: - - amzn2023cis_use_rsync_server - - not amzn2023cis_use_rsync_service + - amzn2023cis_rsync_server == "mask" when: - - "'rsync' in ansible_facts.packages" + - "'rsync-daemon' in ansible_facts.packages" - amzn2023cis_rule_2_2_18 tags: - level1-server diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml index 4d53a0d..393d4aa 100644 --- a/tasks/section_2/cis_2.4.yml +++ b/tasks/section_2/cis_2.4.yml @@ -25,7 +25,8 @@ - "{{ amzn2023cis_2_4_sockets.stdout_lines }}" - name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '2.4' when: diff --git a/tasks/section_2/main.yml b/tasks/section_2/main.yml index 39b912d..3e8996a 100644 --- a/tasks/section_2/main.yml +++ b/tasks/section_2/main.yml 
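Review bot: The remove-package task of 2.2.18 keeps `- not amzn2023cis_use_rsync_service` in its `when` alongside the new `amzn2023cis_rsync_server == "remove"`, but `defaults/main.yml` in this same diff deletes `amzn2023cis_use_rsync_service`; on a host with `rsync-daemon` installed and rule 2.2.18 enabled the conditional references an undefined variable and the task errors instead of removing the package. Drop that line so the `when` reads `- amzn2023cis_rsync_server == "remove"` only, as the 2.2.16 and 2.2.17 hunks already do.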
@@ -1,13 +1,17 @@ --- - name: "SECTION | 2.1 | Time Synchronization" - ansible.builtin.import_tasks: cis_2.1.x.yml + ansible.builtin.import_tasks: + file: cis_2.1.x.yml - name: "SECTION | 2.2 | Special Purpose Services" - ansible.builtin.import_tasks: cis_2.2.x.yml + ansible.builtin.import_tasks: + file: cis_2.2.x.yml - name: "SECTION | 2.3 | Service Clients" - ansible.builtin.import_tasks: cis_2.3.x.yml + ansible.builtin.import_tasks: + file: cis_2.3.x.yml - name: "SECTION | 2.4 | Nonessential services removed" - ansible.builtin.import_tasks: cis_2.4.yml + ansible.builtin.import_tasks: + file: cis_2.4.yml diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index 764c2fd..b579fcf 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml @@ -20,22 +20,16 @@ block: - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | nftables" ansible.builtin.systemd: - name: "{{ item }}" + name: firewalld masked: true - loop: - - firewalld when: - - item in ansible_facts.packages - amzn2023cis_firewall == 'nftables' - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | firewalld" ansible.builtin.systemd: - name: "{{ item }}" + name: nftables masked: true - loop: - - nftables when: - - item in ansible_facts.packages - amzn2023cis_firewall == 'firewalld' - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | package installed" diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index d9861d5..54a1ef0 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml 
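Review bot: Dropping the `item in ansible_facts.packages` guard in the 3.4.1.2 hunk means `ansible.builtin.systemd` with `masked: true` now runs for firewalld (or nftables) whether or not that package is installed; masking an absent unit generally succeeds by creating the mask symlink, so the play still passes, but the host is left with a mask that silently blocks the unit if the package is installed later. If that side effect is not wanted, keep a guard such as `when: - "'firewalld' in ansible_facts.packages" - amzn2023cis_firewall == 'nftables'` (and the mirror for nftables); if it is intentional, a comment saying the mask is deliberate even when the package is absent would help the next reader.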
@@ -47,7 +47,8 @@ - not amzn2023cis_nft_tables_autonewtable - name: "3.4.2.2 | AUDIT | Ensure an nftables table exists | Alert on no tables | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: - amzn2023cis_3_4_2_2_nft_tables.stdout | length == 0 - not amzn2023cis_nft_tables_autonewtable diff --git a/tasks/section_3/main.yml b/tasks/section_3/main.yml index 535aba9..34553d7 100644 --- a/tasks/section_3/main.yml +++ b/tasks/section_3/main.yml @@ -1,16 +1,21 @@ --- - name: "SECTION | 3.1.x | Disable unused network protocols and devices" - ansible.builtin.import_tasks: cis_3.1.x.yml + ansible.builtin.import_tasks: + file: cis_3.1.x.yml - name: "SECTION | 3.2.x | Network Parameters (Host Only)" - ansible.builtin.import_tasks: cis_3.2.x.yml + ansible.builtin.import_tasks: + file: cis_3.2.x.yml - name: "SECTION | 3.3.x | Network Parameters (host and Router)" - ansible.builtin.import_tasks: cis_3.3.x.yml + ansible.builtin.import_tasks: + file: cis_3.3.x.yml - name: "SECTION | 3.4.1.x | Firewall configuration" - ansible.builtin.import_tasks: cis_3.4.1.x.yml + ansible.builtin.import_tasks: + file: cis_3.4.1.x.yml - name: "SECTION | 3.4.2.x | Configure firewall" - ansible.builtin.import_tasks: cis_3.4.2.x.yml + ansible.builtin.import_tasks: + file: cis_3.4.2.x.yml diff --git a/tasks/section_4/cis_4.6.1.x.yml b/tasks/section_4/cis_4.6.1.x.yml index d33ac8d..82094ba 100644 --- a/tasks/section_4/cis_4.6.1.x.yml +++ b/tasks/section_4/cis_4.6.1.x.yml @@ -113,7 +113,8 @@ - not amzn2023cis_futurepwchgdate_autofix - name: "4.6.1.5 | AUDIT | Ensure all users last password change date is in the past | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: - amzn2023cis_4_6_1_5_user_list.stdout | length > 0 - not amzn2023cis_futurepwchgdate_autofix 
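Review bot: `warn_control_id` is not set anywhere within the `3.4.2.2` warning-count hunk, whereas the equivalent `warning_facts.yml` imports touched by this commit (2.4, 5.3, 6.1.9, 6.2.x) all pass `vars: warn_control_id: '<id>'`. If the `vars:` block is not immediately below the hunk, warning_facts.yml runs without a control id and the warning is recorded under an undefined key; the `4.6.1.5` import further along this line has the same shape. Adding `vars: warn_control_id: '3.4.2.2'` after the `file:` line (and `'4.6.1.5'` for the other) would align them with the rest.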
diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml index b1fed95..f780ee8 100644 --- a/tasks/section_4/main.yml +++ b/tasks/section_4/main.yml @@ -3,24 +3,31 @@ # Access, Authentication, and Authorization - name: "SECTION | 4.1 | Configure time-based job schedulers" - ansible.builtin.import_tasks: cis_4.1.x.yml + ansible.builtin.import_tasks: + file: cis_4.1.x.yml - name: "SECTION | 4.2 | Configure SSH Server" - ansible.builtin.import_tasks: cis_4.2.x.yml + ansible.builtin.import_tasks: + file: cis_4.2.x.yml when: - "'openssh-server' in ansible_facts.packages" - name: "SECTION | 4.3 | Configure privilege escalation" - ansible.builtin.import_tasks: cis_4.3.x.yml + ansible.builtin.import_tasks: + file: cis_4.3.x.yml - name: "SECTION | 4.4 | Configure authselect" - ansible.builtin.import_tasks: cis_4.4.x.yml + ansible.builtin.import_tasks: + file: cis_4.4.x.yml - name: "SECTION | 4.5 | Configure PAM " - ansible.builtin.import_tasks: cis_4.5.x.yml + ansible.builtin.import_tasks: + file: cis_4.5.x.yml - name: "SECTION | 4.6.1.x | Shadow Password Suite Parameters" - ansible.builtin.import_tasks: cis_4.6.1.x.yml + ansible.builtin.import_tasks: + file: cis_4.6.1.x.yml - name: "SECTION | 4.6.x | Misc. User Account Settings" - ansible.builtin.import_tasks: cis_4.6.x.yml + ansible.builtin.import_tasks: + file: cis_4.6.x.yml diff --git a/tasks/section_5/cis_5.1.1.x.yml b/tasks/section_5/cis_5.1.1.x.yml index 6618cb5..20181c7 100644 --- a/tasks/section_5/cis_5.1.1.x.yml +++ b/tasks/section_5/cis_5.1.1.x.yml @@ -38,7 +38,7 @@ notify: Restart rsyslog when: - amzn2023cis_rule_5_1_1_3 - - amzn2023cis_syslog == "rsyslog" + - amzn2023cis_syslog_service == "rsyslog" tags: - level1-server - patch diff --git a/tasks/section_5/cis_5.1.2.x.yml b/tasks/section_5/cis_5.1.2.x.yml index 152654a..70d04e7 100644 --- a/tasks/section_5/cis_5.1.2.x.yml +++ b/tasks/section_5/cis_5.1.2.x.yml 
@@ -98,7 +98,8 @@ when: "'static' not in amzn2023cis_5_1_2_2_status.stdout" - name: "5.1.2.2 | AUDIT | Ensure journald service is enabled | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: "'static' not in amzn2023cis_5_1_2_2_status.stdout" vars: warn_control_id: '5.1.2.2' diff --git a/tasks/section_5/cis_5.2.1.x.yml b/tasks/section_5/cis_5.2.1.x.yml index a53edae..30c1b0b 100644 --- a/tasks/section_5/cis_5.2.1.x.yml +++ b/tasks/section_5/cis_5.2.1.x.yml @@ -28,7 +28,7 @@ - name: "5.2.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" block: - name: "5.2.1.2 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX" - ansible.builtin.shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' + ansible.builtin.shell: grep 'GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub | sed 's/.$//' changed_when: false failed_when: false check_mode: false @@ -45,7 +45,7 @@ - name: "5.2.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add audit setting if missing" ansible.builtin.lineinfile: path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX=' + regexp: '^GRUB_CMDLINE_LINUX_DEFAULT=' line: '{{ amzn2023cis_5_2_1_2_grub_cmdline_linux.stdout }} audit=1"' notify: Grub2cfg when: "'audit=' not in amzn2023cis_5_2_1_2_grub_cmdline_linux.stdout" @@ -64,7 +64,7 @@ - name: "5.2.1.3 | PATCH | Ensure audit_backlog_limit is sufficient" block: - name: "5.2.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Get GRUB_CMDLINE_LINUX" - ansible.builtin.shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' + ansible.builtin.shell: grep 'GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub | sed 's/.$//' changed_when: false failed_when: false check_mode: false 
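Review bot: The `5.2.1.2` audit `shell` now greps `'GRUB_CMDLINE_LINUX_DEFAULT='` unanchored while the matching `lineinfile` regexp at `@@ -45,7 +45,7 @@` is anchored as `'^GRUB_CMDLINE_LINUX_DEFAULT='`; a commented-out `#GRUB_CMDLINE_LINUX_DEFAULT=` line, or any line merely containing the key, is captured into `stdout` and then written back through `line:` as a corrupted entry, and the `5.2.1.3` grep at `@@ -64,7 +64,7 @@` has the same mismatch. Anchoring both greps, `grep '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub | sed 's/.$//'`, keeps audit and patch in step. Separately, on a host whose /etc/default/grub only defines `GRUB_CMDLINE_LINUX` (the key this role matched before the rename), `stdout` is empty, `'audit=' not in ...` is true and `line:` renders as ` audit=1"`, so the lineinfile tasks here and at `@@ -81,7 +81,7 @@` on the next line want a guard such as `- amzn2023cis_5_2_1_2_grub_cmdline_linux.stdout | length > 0` before writing; the enclosing blocks continue outside these hunks.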
@@ -81,7 +81,7 @@ - name: "5.2.1.3 | PATCH | Ensure audit_backlog_limit is sufficient | Add audit_backlog_limit setting if missing" ansible.builtin.lineinfile: path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX=' + regexp: '^GRUB_CMDLINE_LINUX_DEFAULT=' line: '{{ amzn2023cis_5_2_1_3_grub_cmdline_linux.stdout }} audit_backlog_limit={{ amzn2023cis_audit_back_log_limit }}"' notify: Grub2cfg when: "'audit_backlog_limit=' not in amzn2023cis_5_2_1_3_grub_cmdline_linux.stdout" diff --git a/tasks/section_5/cis_5.3.yml b/tasks/section_5/cis_5.3.yml index 614d3c5..e4b4fd9 100644 --- a/tasks/section_5/cis_5.3.yml +++ b/tasks/section_5/cis_5.3.yml @@ -39,7 +39,8 @@ loop: "{{ log_rotates.files }}" - name: "5.3 | AUDIT | Ensure logrotate is configured | Warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '5.3' when: log_rotates.matched > 0 diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml index dca539f..447229f 100644 --- a/tasks/section_5/main.yml +++ b/tasks/section_5/main.yml 
@@ -3,32 +3,41 @@ # Logging and Auditing - name: "SECTION | 5.1.1 | Configure Logging - rsyslog" - ansible.builtin.import_tasks: cis_5.1.1.x.yml - when: amzn2023cis_syslog == 'rsyslog' + ansible.builtin.import_tasks: + file: cis_5.1.1.x.yml + when: amzn2023cis_syslog_service == 'rsyslog' - name: "SECTION | 5.1.2 | Configure Logging - journald" - ansible.builtin.import_tasks: cis_5.1.2.x.yml - when: amzn2023cis_syslog == 'journald' + ansible.builtin.import_tasks: + file: cis_5.1.2.x.yml + when: amzn2023cis_syslog_service == 'journald' - name: "SECTION | 5.1.3 | Configure logfile perms" - ansible.builtin.import_tasks: cis_5.1.3.yml + ansible.builtin.import_tasks: + file: cis_5.1.3.yml - name: "SECTION | 5.2.1 | Configure System Accounting (auditd)" - ansible.builtin.import_tasks: cis_5.2.1.x.yml + ansible.builtin.import_tasks: + file: cis_5.2.1.x.yml when: - not system_is_container - name: "SECTION | 5.2.2 | Configure Data Retention" - ansible.builtin.import_tasks: cis_5.2.2.x.yml + ansible.builtin.import_tasks: + file: cis_5.2.2.x.yml - name: "SECTION | 5.2.3 | Configure Auditd rules" - ansible.builtin.import_tasks: cis_5.2.3.x.yml + ansible.builtin.import_tasks: + file: cis_5.2.3.x.yml - name: "SECTION | 5.2.4 | Configure Audit files" - ansible.builtin.import_tasks: cis_5.2.4.x.yml + ansible.builtin.import_tasks: + file: cis_5.2.4.x.yml - name: "SECTION | 5.3 | Configure LogRotate" - ansible.builtin.import_tasks: cis_5.3.yml + ansible.builtin.import_tasks: + file: cis_5.3.yml - name: "SECTION | 5.3 | Configure logrotate" - ansible.builtin.import_tasks: cis_5.3.yml + ansible.builtin.import_tasks: + file: cis_5.3.yml diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index e9c0d30..826117a 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml 
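Review bot: `cis_5.3.yml` is imported twice at the end of the hunk — under `SECTION | 5.3 | Configure LogRotate` and again under `SECTION | 5.3 | Configure logrotate` — and the commit rewrites both entries to the `file:` form instead of removing one. Every 5.3 task, including its `warning_facts.yml` import that bumps the warning count, therefore runs twice per play. Deleting the second `- name: "SECTION | 5.3 | Configure logrotate"` entry together with its `ansible.builtin.import_tasks:` / `file: cis_5.3.yml` lines leaves a single import.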
@@ -153,7 +153,8 @@ The file list can be found in {{ amzn2023cis_rpm_audit_file }}" - name: "6.1.9 | AUDIT | Audit system file permissions | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '6.1.9' when: amzn2023cis_6_1_9_packages_rpm.stdout|length > 0 @@ -258,7 +259,8 @@ when: amzn2023cis_6_1_11_ungrouped_files_found - name: "6.1.11 | AUDIT | Ensure no unowned or ungrouped files or directories exist | warning" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '6.1.11' when: amzn2023cis_6_1_11_unowned_files_found or amzn2023cis_6_1_11_ungrouped_files_found @@ -340,7 +342,8 @@ when: amzn2023cis_6_1_12_sgid_found - name: "6.1.12 | AUDIT | Ensure SUID and SGID files are reviewed | Alert SUID/SGID exist | warning" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '6.1.12' when: amzn2023cis_6_1_12_suid_found or amzn2023cis_6_1_12_sgid_found diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 5a5b593..c100d41 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -15,7 +15,8 @@ when: shadow_passwd.stdout | length > 0 - name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | warning fact" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '6.2.1' when: shadow_passwd.stdout | length >= 1 @@ -58,7 +59,8 @@ when: amzn2023cis_6_2_3_passwd_gid_check.stdout | length >= 1 - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '6.2.3' when: amzn2023cis_6_2_3_passwd_gid_check.stdout | length >= 1 
@@ -90,7 +92,8 @@ when: amzn2023cis_6_2_4_user_uid_check.stdout | length >= 1 - name: "6.2.4 | AUDIT| Ensure no duplicate UIDs exist | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: amzn2023cis_6_2_4_user_uid_check.stdout | length >= 1 vars: warn_control_id: '6.2.4' @@ -122,7 +125,8 @@ when: amzn2023cis_6_2_5_user_user_check.stdout | length >= 1 - name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '6.2.5' when: amzn2023cis_6_2_5_user_user_check.stdout_lines | length >= 1 @@ -155,7 +159,8 @@ when: amzn2023cis_6_2_6_user_username_check.stdout | length >= 1 - name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '6.2.6' when: amzn2023cis_6_2_6_user_username_check.stdout | length >= 1 @@ -188,7 +193,8 @@ when: amzn2023cis_6_2_7_group_group_check.stdout is not defined - name: "6.2.7 | AUDIT | Ensure no duplicate group names exist | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '6.2.7' when: amzn2023cis_6_2_7_group_group_check.stdout is not defined diff --git a/tasks/section_6/main.yml b/tasks/section_6/main.yml index 35328e5..b194fdc 100644 --- a/tasks/section_6/main.yml +++ b/tasks/section_6/main.yml @@ -1,7 +1,9 @@ --- - name: "SECTION | 6.1 | System File Permissions" - ansible.builtin.import_tasks: cis_6.1.x.yml + ansible.builtin.import_tasks: + file: cis_6.1.x.yml - name: "SECTION | 6.2 | User and Group Settings" - ansible.builtin.import_tasks: cis_6.2.x.yml + ansible.builtin.import_tasks: + file: cis_6.2.x.yml 
diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 78fc06a..00e421d 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -10,6 +10,7 @@ host_os_distribution: {{ ansible_distribution | lower }} # timeout for each command to run where set - default = 10seconds/10000ms timeout_ms: 60000 +amzn2023cis_run_heavy_tests: {{ amzn2023cis_run_heavy_tests }} amzn2023cis_section1: {{ amzn2023cis_section1 }} amzn2023cis_section2: {{ amzn2023cis_section2 }} @@ -22,13 +23,15 @@ amzn2023cis_level_1: {{ amzn2023cis_level_1 }} amzn2023cis_level_2: {{ amzn2023cis_level_2 }} amzn2023cis_selinux_disable: {{ amzn2023cis_selinux_disable }} +amzn2023cis_selinux_state: {{ amzn2023cis_selinux_enforce }} + +amzn2023cis_legacy_boot: {{ amzn2023cis_legacy_boot }} +amzn2023cis_bootloader_file: /boot/grub2/grub.cfg +amzn2023cis_bootloader_user: /boot/grub2/user.cfg # to enable rules that may have IO impact on a system e.g. full filesystem scans or CPU heavy run_heavy_tests: true - -amzn2023cis_set_boot_pass: {{ amzn2023cis_set_boot_pass }} - # These variables correspond with the CIS rule IDs or paragraph numbers defined in # the CIS benchmark documents. # PLEASE NOTE: These work in coordination with the section # group variables and tags. @@ -152,8 +155,8 @@ amzn2023cis_rule_2_4: true amzn2023cis_rule_3_1_1: {{ amzn2023cis_rule_3_1_1 }} amzn2023cis_rule_3_1_2: {{ amzn2023cis_rule_3_1_2 }} amzn2023cis_rule_3_1_3: {{ amzn2023cis_rule_3_1_3 }} -amzn2023cis_rule_3_1_3: {{ amzn2023cis_rule_3_1_4 }} -amzn2023cis_rule_3_1_3: {{ amzn2023cis_rule_3_1_5 }} +amzn2023cis_rule_3_1_4: {{ amzn2023cis_rule_3_1_4 }} +amzn2023cis_rule_3_1_5: {{ amzn2023cis_rule_3_1_5 }} # 3.2 Network Parameters (Host Only) amzn2023cis_rule_3_2_1: {{ amzn2023cis_rule_3_2_1 }} amzn2023cis_rule_3_2_2: {{ amzn2023cis_rule_3_2_2 }} 
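Review bot: The new `amzn2023cis_run_heavy_tests: {{ amzn2023cis_run_heavy_tests }}` line coexists with the hard-coded `run_heavy_tests: true` kept as context in the next hunk, so the rendered goss vars now carry two keys for the same switch. Whichever one the goss tests read, the other is dead: if they read `run_heavy_tests`, the heavy filesystem scans are always on regardless of the role variable; if they read the new key, the literal `true` misleads anyone reading the rendered file. I cannot see the goss tests from here, but rendering a single key, e.g. `run_heavy_tests: {{ amzn2023cis_run_heavy_tests }}`, and dropping the other removes the ambiguity.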
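Review bot: `amzn2023cis_selinux_state: {{ amzn2023cis_selinux_enforce }}` renders a differently named role variable into the goss key, and the hunk does not say whether that is deliberate (target mode vs. state) or a typo; a comment such as `# goss checks the target mode, which the role carries as amzn2023cis_selinux_enforce` would settle it for the next reader. Likewise `amzn2023cis_bootloader_file: /boot/grub2/grub.cfg` and `amzn2023cis_bootloader_user: /boot/grub2/user.cfg` are fixed literals beside the templated `amzn2023cis_legacy_boot`; if the role defines those paths as variables (it presumably does, given the `legacy_boot` switch), rendering them with `{{ }}` ensures the audit checks the same files the role hardens.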
@@ -349,6 +352,13 @@ amzn2023cis_warning_banner: {{ amzn2023cis_warning_banner }} amzn2023cis_aide_scan: cron # Section 2 +#### 2.1.2 Time Synchronization servers - used in template file chrony.conf.j2 +amzn2023cis_time_synchronization_servers: +{% for name in amzn2023cis_time_synchronization_servers %} + - {{ name }} +{% endfor %} +amzn2023cis_chrony_server_options: "minpoll 8" + ## 2.2 Special Purposes # Set to 'true' if X Windows is needed in your environment amzn2023cis_xwindows_required: false @@ -371,14 +381,12 @@ amzn2023cis_telnet_server: {{ amzn2023cis_telnet_server }} amzn2023cis_is_mail_server: {{ amzn2023cis_is_mail_server }} # Note the options -# Packages are used for client services and Server- only remove if you dont use the client service +# Packages are used for client services and Server - only remove if you dont use the client service # -amzn2023cis_use_nfs_server: {{ amzn2023cis_use_nfs_server }} -amzn2023cis_use_nfs_service: {{ amzn2023cis_use_nfs_service }} -amzn2023cis_use_rpc_server: {{ amzn2023cis_use_rpc_server }} -amzn2023cis_use_rpc_service: {{ amzn2023cis_use_rpc_service }} -amzn2023cis_use_rsync_server: {{ amzn2023cis_use_rsync_server }} -amzn2023cis_use_rsync_service: {{ amzn2023cis_use_rsync_service }} +# Set either mask or remove +amzn2023cis_nfs_server: {{ amzn2023cis_nfs_server }} +amzn2023cis_rpc_server: {{ amzn2023cis_rpc_server }} +amzn2023cis_rsync_server: {{ amzn2023cis_rsync_server }} #### 2.3 Service clients amzn2023cis_telnet_required: {{ amzn2023cis_telnet_required }} 
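Review bot: The Jinja loop that renders `amzn2023cis_time_synchronization_servers` emits each entry as an unquoted `- {{ name }}` and, when the list is empty, leaves the key with no value (the next key follows directly), which YAML reads as null rather than an empty list. Quoting the items, `  - "{{ name }}"`, protects hostnames and addresses from implicit typing, and a `{% else %}` branch in the `for` block emitting an indented `[]` covers the empty case. `amzn2023cis_chrony_server_options: "minpoll 8"` is also a fixed literal while the role variable of the same name is presumably what chrony.conf.j2 consumes, so rendering it as `{{ amzn2023cis_chrony_server_options }}` keeps the audit aligned with what was configured.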
@@ -406,25 +414,10 @@ amzn2023cis_nft_tables_tablename: {{ amzn2023cis_nft_tables_tablename }} amzn2023cis_nft_tables_autochaincreate: {{ amzn2023cis_nft_tables_autochaincreate }} # Section 4 - -## Set if host is a logserver -amzn2023cis_remote_log_server: {{ amzn2023cis_remote_log_server }} - -# Remote logserver settings -amzn2023cis_remote_log_host: {{ amzn2023cis_remote_log_host }} -amzn2023cis_remote_log_port: {{ amzn2023cis_remote_log_port }} -amzn2023cis_remote_log_protocol: {{ amzn2023cis_remote_log_protocol }} -amzn2023cis_remote_log_retrycount: {{ amzn2023cis_remote_log_retrycount }} -amzn2023cis_remote_log_queuesize: {{ amzn2023cis_remote_log_queuesize }} - -## syslog -amzn2023cis_syslog: {{ amzn2023cis_syslog }} - -# Section 5 # This will allow use of drop in files when CIS adopts them. amzn2023cis_sshd_config_file: {{ amzn2023cis_sshd_config_file }} -## 5.2.4 Note the following to understand precedence and layout +## Note the following to understand precedence and layout amzn2023cis_sshd_limited: false amzn2023cis_sshd_access: - AllowUser 
@@ -432,33 +425,97 @@ amzn2023cis_sshd_access: - DenyUser - DenyGroup -## 5.3.2 & 5.4.2 Enable automation to select custom profile options, using the settings above +amzn2023cis_sshd: + clientalivecountmax: {{ amzn2023cis_sshd.clientalivecountmax }} + clientaliveinterval: {{ amzn2023cis_sshd.clientaliveinterval }} + logingracetime: {{ amzn2023cis_sshd.logingracetime }} + +## Enable automation to select custom profile options, using the settings above amzn2023cis_authselect_custom_profile_select: {{ amzn2023cis_authselect_custom_profile_select }} -## 5.3.2 Authselect select false if using AD or RHEL ID mgmt +## Authselect select false if using AD or RHEL ID mgmt amzn2023cis_authselect: custom_profile_name: {{ amzn2023cis_authselect['custom_profile_name'] }} default_file_to_copy: {{ amzn2023cis_authselect['default_file_to_copy'] }} -## 5.4.1 Enable automation to create custom profile settings, using the setings above +## Enable automation to create custom profile settings, using the setings above amzn2023cis_authselect_custom_profile_create: {{ amzn2023cis_authselect_custom_profile_create }} -# 5.5.1 ## PAM amzn2023cis_pam_password: - minlen: {{ amzn2023cis_pam_password['minlen'] }} - minclass: {{ amzn2023cis_pam_password['minclass'] }} + minlen: '{{ amzn2023cis_pam_password['minlen'] }}' + minclass: '{{ amzn2023cis_pam_password['minclass'] }}' amzn2023cis_pam_passwd_retry: "3" -## 5.5.3 choose one of below +## choose one of below amzn2023cis_pwhistory_so: "14" amzn2023cis_passwd_remember: "5" -## 5.6.x login.defs password settings +## login.defs password settings amzn2023cis_pass: max_days: {{ amzn2023cis_pass['max_days'] }} min_days: {{ amzn2023cis_pass['min_days'] }} warn_age: {{ amzn2023cis_pass['warn_age'] }} -## 5.3.7 set sugroup if differs from wheel +##set sugroup if differs from wheel amzn2023cis_sugroup: {{ amzn2023cis_sugroup }} + + +## Section 5 + + +## Set if host is a logserver +amzn2023cis_remote_log_server: {{ amzn2023cis_remote_log_server }} + +# 
Remote logserver settings +amzn2023cis_remote_log_host: {{ amzn2023cis_remote_log_host }} +amzn2023cis_remote_log_port: {{ amzn2023cis_remote_log_port }} +amzn2023cis_remote_log_protocol: {{ amzn2023cis_remote_log_protocol }} +amzn2023cis_remote_log_retrycount: {{ amzn2023cis_remote_log_retrycount }} +amzn2023cis_remote_log_queuesize: {{ amzn2023cis_remote_log_queuesize }} + +## syslog +amzn2023cis_is_syslog_server: {{ amzn2023cis_system_is_log_server }} +amzn2023cis_syslog_service: "{{ amzn2023cis_syslog_service }}" +amzn2023cis_remote_log_server: "{{ amzn2023cis_remote_log_server }}" + +#### remote and destination log server name +amzn2023cis_remote_log_server: false +amzn2023cis_remote_log_host: logagg.example.com +amzn2023cis_remote_log_port: 514 +amzn2023cis_remote_log_protocol: tcp +amzn2023cis_remote_log_retrycount: 100 +amzn2023cis_remote_log_queuesize: 1000 + +amzn2023cis_system_is_log_server: {{ amzn2023cis_system_is_log_server }} + +# +# amzn2023cis_journal_upload_url is the ip address to upload the journal entries to +amzn2023cis_journal_upload_url: 192.168.50.42 + +# The paths below have the default paths/files, but allow user to create custom paths/filenames +amzn2023cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem" +amzn2023cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem" +amzn2023cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem" + + +# The variables below related to journald, please set these to your site specific values +# amzn2023cis_journald_systemmaxuse is the max amount of disk space the logs will use +amzn2023cis_journald_systemmaxuse: 10M +# amzn2023cis_journald_systemkeepfree is the amount of disk space to keep free +amzn2023cis_journald_systemkeepfree: 100G +amzn2023cis_journald_runtimemaxuse: 10M +amzn2023cis_journald_runtimekeepfree: 100G +# amzn2023cis_journald_MaxFileSec is how long in time to keep log files. 
Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks +amzn2023cis_journald_maxfilesec: 1month + +amzn2023cis_logrotate: "daily" + +## auditd settings +amzn2023cis_auditd: + space_left_action: email + action_mail_acct: root + admin_space_left_action: {{ amzn2023cis_auditd.admin_space_left_action }} + max_log_file_action: {{ amzn2023cis_auditd.max_log_file_action }} + auditd_backlog_limit: {{ amzn2023cis_audit_back_log_limit }} + max_log_file_size: {{ amzn2023cis_max_log_file_size }}
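Review bot: The new `## Section 5` block defines several keys more than once: `amzn2023cis_remote_log_server` three times (templated, quoted-templated, then literal `false`) and `amzn2023cis_remote_log_host`/`port`/`protocol`/`retrycount`/`queuesize` twice (templated, then the literals `logagg.example.com`, `514`, `tcp`, `100`, `1000`). Most YAML loaders take the last value, so the rendered goss vars audit remote logging against the placeholder host and `false` instead of the values the role actually applied, and the `.yamllint` rules would flag the duplicates in the rendered file. Dropping the `#### remote and destination log server name` literal block and the duplicate quoted `amzn2023cis_remote_log_server` leaves one templated definition per key; `amzn2023cis_journal_upload_url: 192.168.50.42`, the journald sizes, `amzn2023cis_logrotate` and the auditd `space_left_action`/`action_mail_acct` are similarly hard-coded beside templated siblings and deserve the same treatment so the audit and the patch cannot drift apart. This hunk starts three lines up.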