From 44cc63f7c8e4aedf3efc5ad97828b18f26d87d69 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 23 Aug 2023 11:08:32 +0100 Subject: [PATCH 01/11] updated ignore keys Signed-off-by: Mark Bolwell --- .gitignore | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.gitignore b/.gitignore index f67408e..2f4b6f3 100644 --- a/.gitignore +++ b/.gitignore @@ -46,3 +46,10 @@ benchparse/ # GitHub Action/Workflow files .github/ + +# key types +*.pem +*.ppk +*.key +*.rsa +*.ecdsa From eee188a2cb546728ef5b890fbe6665b7a9b03d54 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 23 Aug 2023 11:12:17 +0100 Subject: [PATCH 02/11] updated allowed secrets Signed-off-by: Mark Bolwell --- .config/.gitleaks-report.json | 22 ++++++++++++++++++++++ .config/.secrets.baseline | 2 +- vars/main.yml | 21 +++++++++++++++++++++ 3 files changed, 44 insertions(+), 1 deletion(-) create mode 100644 .config/.gitleaks-report.json create mode 100644 vars/main.yml diff --git a/.config/.gitleaks-report.json b/.config/.gitleaks-report.json new file mode 100644 index 0000000..54aafac --- /dev/null +++ b/.config/.gitleaks-report.json @@ -0,0 +1,22 @@ +[ + { + "Description": "Generic API Key", + "StartLine": 115, + "EndLine": 115, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360\"", + "Secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", + "File": ".config/.secrets.baseline", + "SymlinkFile": "", + "Commit": "a5f558a34ac453f9581a1c37f71bd36383a9c3ed", + "Entropy": 3.8439426, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-08-23T09:28:17Z", + "Message": "initial\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "a5f558a34ac453f9581a1c37f71bd36383a9c3ed:.config/.secrets.baseline:generic-api-key:115" + } +] diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline index eb8b8b7..d1d2ada 100644 --- a/.config/.secrets.baseline 
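Review bot: The new `# key types` patterns only stop future `git add`s of files that happen to carry these five extensions; they do not untrack anything already committed, and common key file names without a suffix (`id_rsa`, `id_ed25519`, an unsuffixed PEM) still pass. If the intent is a safety net against committing private keys, consider also listing `id_rsa*`, `id_ed25519*`, `*.p12` and `*.pfx`, and add a one-line comment such as `# safety net only - gitleaks / detect-secrets (.config/) remain the actual control` so nobody reads the list as exhaustive.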
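Review bot: The committed `.config/.gitleaks-report.json` stores the flagged value verbatim in its `Secret` and `Match` fields, so using a report as the allowlist means any future finding added this way is copied into a second tracked file in plaintext. Here the value looks like the 40-hex SHA-1 that detect-secrets writes as `hashed_secret` in `.secrets.baseline` (line 115, per the report), so it is presumably not sensitive, but the pattern does not scale safely. Prefer a `.gitleaksignore` holding only the `Fingerprint` line (`a5f558a34ac453f9581a1c37f71bd36383a9c3ed:.config/.secrets.baseline:generic-api-key:115`), or a `[allowlist]` path/regex rule for `.config/.secrets.baseline` in `.gitleaks.toml`. Note also that the fingerprint is pinned to a commit and line number, so the next regeneration of `.secrets.baseline` (which this same patch already does, changing `generated_at`) will move the finding and the suppression will stop matching.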
+++ b/.config/.secrets.baseline @@ -118,5 +118,5 @@ } ] }, - "generated_at": "2023-08-23T09:27:45Z" + "generated_at": "2023-08-23T10:10:15Z" } diff --git a/vars/main.yml b/vars/main.yml new file mode 100644 index 0000000..9fb2c6f --- /dev/null +++ b/vars/main.yml @@ -0,0 +1,21 @@ +--- + +min_ansible_version: 2.10.1 +amzn2023cis_allowed_crypto_policies: + - 'DEFAULT' + - 'FUTURE' + - 'FIPS' + +amzn2023cis_allowed_crypto_policies_modules: + - 'OSPP' + - 'AD-SUPPORT' + - 'AD-SUPPORT-LEGACY' + +# Used to control warning summary +warn_control_list: "" +warn_count: 0 + +gpg_key_package: "{{ ansible_distribution | lower }}-gpg-keys" + +os_gpg_key_pubkey_name: gpg-pubkey-d832c631-63977702 +os_gpg_key_pubkey_content: "Amazon Linux d832c631" From e82bca4854dce96421c18e76d8736aac0504f032 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 23 Aug 2023 13:39:33 +0100 Subject: [PATCH 03/11] fix logic and typos Signed-off-by: Mark Bolwell --- tasks/main.yml | 7 +------ tasks/prelim.yml | 4 ++-- tasks/section_3/cis_3.1.x.yml | 14 +++++++++----- tasks/section_4/cis_4.1.x.yml | 4 ++-- tasks/section_5/cis_5.2.4.x.yml | 2 +- tasks/section_6/cis_6.1.x.yml | 3 ++- 6 files changed, 17 insertions(+), 17 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index bf62c1f..edb4187 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -3,7 +3,7 @@ - name: Check OS version and family ansible.builtin.assert: - that: (ansible_distribution == 'Amazon' ansible_distribution_major_version is version_compare('2023', '==') + that: (ansible_distribution == 'Amazon' and ansible_distribution_major_version is version_compare('2023', '==')) fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}" when: 
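Review bot: `amzn2023cis_allowed_crypto_policies_modules` lists `AD-SUPPORT-LEGACY` without comment; by its name that module re-enables legacy algorithms for Active Directory interoperability, which undoes part of what the DEFAULT/FUTURE/FIPS base policies restrict. Since this list decides what the role accepts as a compliant system-wide crypto policy, add `# AD-SUPPORT-LEGACY re-enables legacy algorithms for AD interop; keep only if your environment requires it` above the entry, and consider whether it belongs in the default allow-list at all. The GPG key identifiers `os_gpg_key_pubkey_name` and `os_gpg_key_pubkey_content` are also bare constants; a comment naming where they were taken from (presumably `rpm -q gpg-pubkey --qf` output on an AL2023 host — confirm) would let a maintainer re-verify them when Amazon rotates the signing key.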
@@ -85,11 +85,6 @@ tags: - always -- name: Include OS specific variables - ansible.builtin.include_vars: "{{ ansible_distribution }}.yml" - tags: - - always - - name: Include preliminary steps ansible.builtin.import_tasks: prelim.yml tags: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 822c29f..e858806 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -73,10 +73,10 @@ current_crypto_module: "{{ amzn2023cis_system_wide_crypto_policy.stdout.split(':')[1] }}" when: "':' in amzn2023cis_system_wide_crypto_policy.stdout" when: - - amzn2023cis_rule_1_10 + - amzn2023cis_rule_1_9 tags: - level1-server - - rule_1.10 + - rule_1.9 - crypto - name: "PRELIM | if systemd coredump" diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 1ea69fc..2fda66c 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -33,7 +33,8 @@ mode: '0600' owner: root group: root - loop: "{{ protocol }}" # item used by template + loop: + - "{{ protocol }}" # item used by template - name: "3.1.2 | PATCH | Ensure DCCP is disabled | blacklist" ansible.builtin.lineinfile: @@ -62,7 +63,8 @@ mode: '0600' owner: root group: root - loop: "{{ protocol }}" # item used by template + loop: + - "{{ protocol }}" # item used by template - name: "3.1.3 | PATCH | Ensure SCTP is disabled | blacklist" ansible.builtin.lineinfile: @@ -92,7 +94,8 @@ mode: '0600' owner: root group: root - loop: "{{ protocol }}" # item used by template + loop: + - "{{ protocol }}" # item used by template - name: "3.1.4 | PATCH | Ensure RDS is disabled | blacklist" ansible.builtin.lineinfile: @@ -109,7 +112,7 @@ - level2-server - patch - tipc - - rule_3.1.3 + - rule_3.1.4 - nist_sp800-53r5_CM-7 - name: "3.1.5 | PATCH | Ensure TIPC is disabled" 
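Review bot: In the `-109,7` hunk the rule tag is corrected to `rule_3.1.4`, but the module tag two lines above it is still `- tipc`, while the surrounding context (the `3.1.4 | PATCH | Ensure RDS is disabled | blacklist` task before it and the `3.1.5 | PATCH | Ensure TIPC is disabled` task after it) indicates this tags block belongs to the RDS control. Anyone running `--tags rds` will skip 3.1.4 and `--tags tipc` will pull it in, so change the tag to `- rds`. The task whose tags these are starts above the hunk, so check the full task when applying.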
@@ -121,7 +124,8 @@ mode: '0600' owner: root group: root - loop: "{{ protocol }}" # item used by template + loop: + - "{{ protocol }}" # item used by template - name: "3.1.5 | PATCH | Ensure TIPC is disabled | blacklist" ansible.builtin.lineinfile: diff --git a/tasks/section_4/cis_4.1.x.yml b/tasks/section_4/cis_4.1.x.yml index d99ae10..758c94c 100644 --- a/tasks/section_4/cis_4.1.x.yml +++ b/tasks/section_4/cis_4.1.x.yml @@ -136,7 +136,7 @@ group: root mode: '0600' when: - - amzn2023cis_rule_5_1_8 + - amzn2023cis_rule_4_1_8 tags: - level1-server - patch @@ -165,7 +165,7 @@ group: root mode: '0600' when: - - amzn2023cis_rule_5_1_9 + - amzn2023cis_rule_4_1_9 tags: - level1-server - patch diff --git a/tasks/section_5/cis_5.2.4.x.yml b/tasks/section_5/cis_5.2.4.x.yml index 4b9a327..1aff30d 100644 --- a/tasks/section_5/cis_5.2.4.x.yml +++ b/tasks/section_5/cis_5.2.4.x.yml @@ -23,7 +23,7 @@ "5.2.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files" ansible.builtin.file: path: "{{ audit_discovered_logfile.stdout }}" - mode: "{% if auditd_logfile.stat.mode != '0600' %}'0640'{% endif %}" + mode: "{% if auditd_logfile.stat.mode != '0600' %}0640{% endif %}" owner: root group: root when: diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 909fdf5..e9c0d30 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -264,6 +264,7 @@ when: amzn2023cis_6_1_11_unowned_files_found or amzn2023cis_6_1_11_ungrouped_files_found vars: amzn2023cis_6_1_11_unowned_files_found: false + amzn2023cis_6_1_11_ungrouped_files_found: false when: - amzn2023cis_rule_6_1_11 tags: 
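Review bot: In the `cis_5.2.4.x.yml` hunk the quoting fix still leaves the `mode:` logic wrong in both branches: any current mode other than exactly `0600` is rewritten to `0640`, so a log file that is already more restrictive (`0400`, `0440`) gets loosened, and when the mode is `0600` the template renders `mode: ""`, which ansible.builtin.file rejects as an invalid mode rather than leaving the file untouched. A symbolic, bit-clearing mode is idempotent and can only tighten: `mode: "u-x,g-wx,o-rwx"`. If you prefer to keep the explicit test, at least fall back to omit: `mode: "{{ '0640' if auditd_logfile.stat.mode != '0600' else omit }}"`. The task also reads the path from `audit_discovered_logfile` but the mode from `auditd_logfile`; confirm both facts describe the same file.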
@@ -336,7 +337,7 @@ - name: "6.1.12 | AUDIT | Ensure SUID and SGID files are reviewed | Alert SGID exist" ansible.builtin.debug: msg: "Warning!! SGID set on items in {{ amzn2023cis_6_1_12_sgid_perms | json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid] - when: amzn2023cis_6_1_13_sgid_found + when: amzn2023cis_6_1_12_sgid_found - name: "6.1.12 | AUDIT | Ensure SUID and SGID files are reviewed | Alert SUID/SGID exist | warning" ansible.builtin.import_tasks: warning_facts.yml From 1e41cb8bb1a8bed1a86445b9d429d9e434403d19 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 23 Aug 2023 13:40:32 +0100 Subject: [PATCH 04/11] control ID alignment Signed-off-by: Mark Bolwell --- defaults/main.yml | 232 +++++++++++++------------ templates/ansible_vars_goss.yml.j2 | 260 ++++++++++++++--------------- templates/audit/99_auditd.rules.j2 | 42 ++--- 3 files changed, 269 insertions(+), 265 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index ca1d40a..ee4bb3c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -119,6 +119,7 @@ amzn2023cis_rule_1_4_2: true amzn2023cis_rule_1_5_1: true amzn2023cis_rule_1_5_2: true amzn2023cis_rule_1_5_3: true +amzn2023cis_rule_1_5_4: true amzn2023cis_rule_1_6_1_1: true amzn2023cis_rule_1_6_1_2: true amzn2023cis_rule_1_6_1_3: true @@ -167,6 +168,8 @@ amzn2023cis_rule_2_4: true amzn2023cis_rule_3_1_1: true amzn2023cis_rule_3_1_2: true amzn2023cis_rule_3_1_3: true +amzn2023cis_rule_3_1_4: true +amzn2023cis_rule_3_1_5: true amzn2023cis_rule_3_2_1: true amzn2023cis_rule_3_2_2: true amzn2023cis_rule_3_3_1: true 
@@ -189,118 +192,129 @@ amzn2023cis_rule_3_4_2_6: true amzn2023cis_rule_3_4_2_7: true # Section 4 rules -amzn2023cis_rule_4_1_1_1: true -amzn2023cis_rule_4_1_1_2: true -amzn2023cis_rule_4_1_1_3: true -amzn2023cis_rule_4_1_1_4: true -amzn2023cis_rule_4_1_2_1: true -amzn2023cis_rule_4_1_2_2: true -amzn2023cis_rule_4_1_2_3: true -amzn2023cis_rule_4_1_3_1: true -amzn2023cis_rule_4_1_3_2: true -amzn2023cis_rule_4_1_3_3: true -amzn2023cis_rule_4_1_3_4: true -amzn2023cis_rule_4_1_3_5: true -amzn2023cis_rule_4_1_3_6: true -amzn2023cis_rule_4_1_3_7: true -amzn2023cis_rule_4_1_3_8: true -amzn2023cis_rule_4_1_3_9: true -amzn2023cis_rule_4_1_3_10: true -amzn2023cis_rule_4_1_3_11: true -amzn2023cis_rule_4_1_3_12: true -amzn2023cis_rule_4_1_3_13: true -amzn2023cis_rule_4_1_3_14: true -amzn2023cis_rule_4_1_3_15: true -amzn2023cis_rule_4_1_3_16: true -amzn2023cis_rule_4_1_3_17: true -amzn2023cis_rule_4_1_3_18: true -amzn2023cis_rule_4_1_3_19: true -amzn2023cis_rule_4_1_3_20: true -amzn2023cis_rule_4_1_3_21: true -amzn2023cis_rule_4_1_4_1: true -amzn2023cis_rule_4_1_4_2: true -amzn2023cis_rule_4_1_4_3: true -amzn2023cis_rule_4_1_4_4: true -amzn2023cis_rule_4_1_4_5: true -amzn2023cis_rule_4_1_4_6: true -amzn2023cis_rule_4_1_4_7: true -amzn2023cis_rule_4_1_4_8: true -amzn2023cis_rule_4_1_4_9: true -amzn2023cis_rule_4_1_4_10: true -amzn2023cis_rule_4_2_1_1: true -amzn2023cis_rule_4_2_1_2: true -amzn2023cis_rule_4_2_1_3: true -amzn2023cis_rule_4_2_1_4: true -amzn2023cis_rule_4_2_1_5: true -amzn2023cis_rule_4_2_1_6: true -amzn2023cis_rule_4_2_1_7: true -amzn2023cis_rule_4_2_2_1_1: true -amzn2023cis_rule_4_2_2_1_2: true -amzn2023cis_rule_4_2_2_1_3: true -amzn2023cis_rule_4_2_2_1_4: true -amzn2023cis_rule_4_2_2_2: true -amzn2023cis_rule_4_2_2_3: true -amzn2023cis_rule_4_2_2_4: true -amzn2023cis_rule_4_2_2_5: true -amzn2023cis_rule_4_2_2_6: true -amzn2023cis_rule_4_2_2_7: true +amzn2023cis_rule_4_1_1: true +amzn2023cis_rule_4_1_2: true +amzn2023cis_rule_4_1_3: true +amzn2023cis_rule_4_1_4: 
true +amzn2023cis_rule_4_1_5: true +amzn2023cis_rule_4_1_6: true +amzn2023cis_rule_4_1_7: true +amzn2023cis_rule_4_1_8: true +amzn2023cis_rule_4_1_9: true +amzn2023cis_rule_4_2_1: true +amzn2023cis_rule_4_2_2: true amzn2023cis_rule_4_2_3: true -amzn2023cis_rule_4_3: true +amzn2023cis_rule_4_2_4: true +amzn2023cis_rule_4_2_5: true +amzn2023cis_rule_4_2_6: true +amzn2023cis_rule_4_2_7: true +amzn2023cis_rule_4_2_8: true +amzn2023cis_rule_4_2_9: true +amzn2023cis_rule_4_2_10: true +amzn2023cis_rule_4_2_11: true +amzn2023cis_rule_4_2_12: true +amzn2023cis_rule_4_2_13: true +amzn2023cis_rule_4_2_14: true +amzn2023cis_rule_4_2_15: true +amzn2023cis_rule_4_2_16: true +amzn2023cis_rule_4_2_17: true +amzn2023cis_rule_4_2_18: true +amzn2023cis_rule_4_2_19: true +amzn2023cis_rule_4_2_20: true + +amzn2023cis_rule_4_3_1: true +amzn2023cis_rule_4_3_2: true +amzn2023cis_rule_4_3_3: true +amzn2023cis_rule_4_3_4: true +amzn2023cis_rule_4_3_5: true +amzn2023cis_rule_4_3_6: true + +amzn2023cis_rule_4_4_1: true +amzn2023cis_rule_4_4_2: true + +amzn2023cis_rule_4_5_1: true +amzn2023cis_rule_4_5_2: true +amzn2023cis_rule_4_5_3: true +amzn2023cis_rule_4_5_4: true + +amzn2023cis_rule_4_6_1_1: true +amzn2023cis_rule_4_6_1_2: true +amzn2023cis_rule_4_6_1_3: true +amzn2023cis_rule_4_6_1_4: true +amzn2023cis_rule_4_6_1_5: true + +amzn2023cis_rule_4_6_2: true +amzn2023cis_rule_4_6_3: true +amzn2023cis_rule_4_6_4: true +amzn2023cis_rule_4_6_5: true +amzn2023cis_rule_4_6_6: true # Section 5 rules -amzn2023cis_rule_5_1_1: true -amzn2023cis_rule_5_1_2: true +amzn2023cis_rule_5_1_1_1: true +amzn2023cis_rule_5_1_1_2: true +amzn2023cis_rule_5_1_1_3: true +amzn2023cis_rule_5_1_1_4: true +amzn2023cis_rule_5_1_1_5: true +amzn2023cis_rule_5_1_1_6: true +amzn2023cis_rule_5_1_1_7: true + +amzn2023cis_rule_5_1_2_1_1: true +amzn2023cis_rule_5_1_2_1_2: true +amzn2023cis_rule_5_1_2_1_3: true +amzn2023cis_rule_5_1_2_1_4: true + +amzn2023cis_rule_5_1_2_2: true +amzn2023cis_rule_5_1_2_3: true 
+amzn2023cis_rule_5_1_2_4: true +amzn2023cis_rule_5_1_2_5: true +amzn2023cis_rule_5_1_2_6: true +amzn2023cis_rule_5_1_2_7: true + amzn2023cis_rule_5_1_3: true -amzn2023cis_rule_5_1_4: true -amzn2023cis_rule_5_1_5: true -amzn2023cis_rule_5_1_6: true -amzn2023cis_rule_5_1_7: true -amzn2023cis_rule_5_1_8: true -amzn2023cis_rule_5_1_9: true -amzn2023cis_rule_5_2_1: true -amzn2023cis_rule_5_2_2: true -amzn2023cis_rule_5_2_3: true -amzn2023cis_rule_5_2_4: true -amzn2023cis_rule_5_2_5: true -amzn2023cis_rule_5_2_6: true -amzn2023cis_rule_5_2_7: true -amzn2023cis_rule_5_2_8: true -amzn2023cis_rule_5_2_9: true -amzn2023cis_rule_5_2_10: true -amzn2023cis_rule_5_2_12: true -amzn2023cis_rule_5_2_11: true -amzn2023cis_rule_5_2_13: true -amzn2023cis_rule_5_2_14: true -amzn2023cis_rule_5_2_15: true -amzn2023cis_rule_5_2_16: true -amzn2023cis_rule_5_2_17: true -amzn2023cis_rule_5_2_18: true -amzn2023cis_rule_5_2_19: true -amzn2023cis_rule_5_2_20: true -amzn2023cis_rule_5_3_1: true -amzn2023cis_rule_5_3_2: true -amzn2023cis_rule_5_3_3: true -amzn2023cis_rule_5_3_4: true -amzn2023cis_rule_5_3_5: true -amzn2023cis_rule_5_3_6: true -amzn2023cis_rule_5_3_7: true -amzn2023cis_rule_5_4_1: true -amzn2023cis_rule_5_4_2: true -amzn2023cis_rule_5_5_1: true -amzn2023cis_rule_5_5_2: true -amzn2023cis_rule_5_5_3: true -amzn2023cis_rule_5_5_4: true -amzn2023cis_rule_5_5_5: true -amzn2023cis_rule_5_6_1_1: true -amzn2023cis_rule_5_6_1_2: true -amzn2023cis_rule_5_6_1_3: true -amzn2023cis_rule_5_6_1_4: true -amzn2023cis_rule_5_6_1_5: true -amzn2023cis_rule_5_6_2: true -amzn2023cis_rule_5_6_3: true -amzn2023cis_rule_5_6_4: true -amzn2023cis_rule_5_6_5: true -amzn2023cis_rule_5_6_6: true + +amzn2023cis_rule_5_2_1_1: true +amzn2023cis_rule_5_2_1_2: true +amzn2023cis_rule_5_2_1_3: true +amzn2023cis_rule_5_2_1_4: true + +amzn2023cis_rule_5_2_2_1: true +amzn2023cis_rule_5_2_2_2: true +amzn2023cis_rule_5_2_2_3: true + +amzn2023cis_rule_5_2_3_1: true +amzn2023cis_rule_5_2_3_2: true 
+amzn2023cis_rule_5_2_3_3: true +amzn2023cis_rule_5_2_3_4: true +amzn2023cis_rule_5_2_3_5: true +amzn2023cis_rule_5_2_3_6: true +amzn2023cis_rule_5_2_3_7: true +amzn2023cis_rule_5_2_3_8: true +amzn2023cis_rule_5_2_3_9: true +amzn2023cis_rule_5_2_3_10: true +amzn2023cis_rule_5_2_3_11: true +amzn2023cis_rule_5_2_3_12: true +amzn2023cis_rule_5_2_3_13: true +amzn2023cis_rule_5_2_3_14: true +amzn2023cis_rule_5_2_3_15: true +amzn2023cis_rule_5_2_3_16: true +amzn2023cis_rule_5_2_3_17: true +amzn2023cis_rule_5_2_3_18: true +amzn2023cis_rule_5_2_3_19: true +amzn2023cis_rule_5_2_3_20: true +amzn2023cis_rule_5_2_3_21: true + +amzn2023cis_rule_5_2_4_1: true +amzn2023cis_rule_5_2_4_2: true +amzn2023cis_rule_5_2_4_3: true +amzn2023cis_rule_5_2_4_4: true +amzn2023cis_rule_5_2_4_5: true +amzn2023cis_rule_5_2_4_6: true +amzn2023cis_rule_5_2_4_7: true +amzn2023cis_rule_5_2_4_8: true +amzn2023cis_rule_5_2_4_9: true +amzn2023cis_rule_5_2_4_10: true + +amzn2023cis_rule_5_3: true # Section 6 rules amzn2023cis_rule_6_1_1: true @@ -612,6 +626,8 @@ amzn2023cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | # This will allow the removal of .netrc, .forward or .rhosts if found from user home_dirs amzn2023cis_remove_other_dot_files: false +amzn2023cis_6_2_11_home_follow_symlinks: false + #### Goss Configuration Settings #### # Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" audit_run_script_environment: diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 224a80b..78fc06a 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 
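Review bot: Renaming every Section 4 and 5 toggle (for example `amzn2023cis_rule_4_1_3_*` becoming `amzn2023cis_rule_5_2_3_*`, as the `99_auditd.rules.j2` hunk in this patch shows) silently invalidates existing inventory overrides: a user who set `amzn2023cis_rule_4_1_3_7: false` to skip a control now has a stale variable that nothing reads, and the control runs with its new default of `true`. Nothing in the hunk tells a maintainer this happened. Add a short comment block above `# Section 4 rules` stating that the IDs were realigned to the current benchmark, giving the old-to-new mapping for the moved groups (auditd rules 4.1.3.x -> 5.2.3.x, auditd file access 4.1.4.x -> 5.2.4.x, presumably SSH 5.2.x -> 4.2.x - confirm against the benchmark), and noting that overrides must be renamed. This is also worth a line in the changelog.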
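Review bot: `amzn2023cis_6_2_11_home_follow_symlinks: false` is added without any comment, unlike the neighbouring `amzn2023cis_remove_other_dot_files`, and its effect is not visible in this patch. Since following symlinks during a home-directory ownership/permission check is the kind of option a user-controlled link could abuse, document the default: `# 6.2.11 | set true only if home directories are legitimately symlinked; left false so a user-controlled link cannot redirect the check` - adjust the wording to match how the 6.2.11 task actually uses it.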
@@ -93,6 +93,7 @@ amzn2023cis_rule_1_4_2: {{ amzn2023cis_rule_1_4_2 }} amzn2023cis_rule_1_5_1: {{ amzn2023cis_rule_1_5_1 }} amzn2023cis_rule_1_5_2: {{ amzn2023cis_rule_1_5_2 }} amzn2023cis_rule_1_5_3: {{ amzn2023cis_rule_1_5_3 }} +amzn2023cis_rule_1_5_4: {{ amzn2023cis_rule_1_5_4 }} # 1.6 Mandatory Access Control amzn2023cis_rule_1_6_1_1: {{ amzn2023cis_rule_1_6_1_1 }} amzn2023cis_rule_1_6_1_2: {{ amzn2023cis_rule_1_6_1_2 }} @@ -151,6 +152,8 @@ amzn2023cis_rule_2_4: true amzn2023cis_rule_3_1_1: {{ amzn2023cis_rule_3_1_1 }} amzn2023cis_rule_3_1_2: {{ amzn2023cis_rule_3_1_2 }} amzn2023cis_rule_3_1_3: {{ amzn2023cis_rule_3_1_3 }} +amzn2023cis_rule_3_1_3: {{ amzn2023cis_rule_3_1_4 }} +amzn2023cis_rule_3_1_3: {{ amzn2023cis_rule_3_1_5 }} # 3.2 Network Parameters (Host Only) amzn2023cis_rule_3_2_1: {{ amzn2023cis_rule_3_2_1 }} amzn2023cis_rule_3_2_2: {{ amzn2023cis_rule_3_2_2 }} 
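Review bot: The two added lines in the `-151,6 +152,8` hunk reuse the key `amzn2023cis_rule_3_1_3` while reading `amzn2023cis_rule_3_1_4` and `amzn2023cis_rule_3_1_5`, so the rendered goss vars file carries the same key three times. Most YAML loaders keep the last value, so the audit would evaluate 3.1.3 with the 3.1.5 toggle and have no variable at all for 3.1.4 and 3.1.5. The lines should be `amzn2023cis_rule_3_1_4: {{ amzn2023cis_rule_3_1_4 }}` and `amzn2023cis_rule_3_1_5: {{ amzn2023cis_rule_3_1_5 }}`; a yamllint `key-duplicates` check on the rendered output would catch this class of slip.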
@@ -177,145 +180,130 @@ amzn2023cis_rule_3_4_2_5: {{ amzn2023cis_rule_3_4_2_5 }} amzn2023cis_rule_3_4_2_6: {{ amzn2023cis_rule_3_4_2_6 }} amzn2023cis_rule_3_4_2_7: {{ amzn2023cis_rule_3_4_2_7 }} -# Section 4 rules -# 4.1 Configure System Accounting -amzn2023cis_rule_4_1_1_1: {{ amzn2023cis_rule_4_1_1_1 }} -amzn2023cis_rule_4_1_1_2: {{ amzn2023cis_rule_4_1_1_2 }} -amzn2023cis_rule_4_1_1_3: {{ amzn2023cis_rule_4_1_1_3 }} -amzn2023cis_rule_4_1_1_4: {{ amzn2023cis_rule_4_1_1_4 }} - -# 4.1.2 Configure Data retention -amzn2023cis_rule_4_1_2_1: {{ amzn2023cis_rule_4_1_2_1 }} -amzn2023cis_rule_4_1_2_2: {{ amzn2023cis_rule_4_1_2_2 }} -amzn2023cis_rule_4_1_2_3: {{ amzn2023cis_rule_4_1_2_3 }} - -# 4.1.3 Configure auditd rules -amzn2023cis_rule_4_1_3_1: {{ amzn2023cis_rule_4_1_3_1 }} -amzn2023cis_rule_4_1_3_2: {{ amzn2023cis_rule_4_1_3_2 }} -amzn2023cis_rule_4_1_3_3: {{ amzn2023cis_rule_4_1_3_3 }} -amzn2023cis_rule_4_1_3_4: {{ amzn2023cis_rule_4_1_3_4 }} -amzn2023cis_rule_4_1_3_5: {{ amzn2023cis_rule_4_1_3_5 }} -amzn2023cis_rule_4_1_3_6: {{ amzn2023cis_rule_4_1_3_6 }} -amzn2023cis_rule_4_1_3_7: {{ amzn2023cis_rule_4_1_3_7 }} -amzn2023cis_rule_4_1_3_8: {{ amzn2023cis_rule_4_1_3_8 }} -amzn2023cis_rule_4_1_3_9: {{ amzn2023cis_rule_4_1_3_9 }} -amzn2023cis_rule_4_1_3_10: {{ amzn2023cis_rule_4_1_3_10 }} -amzn2023cis_rule_4_1_3_11: {{ amzn2023cis_rule_4_1_3_11 }} -amzn2023cis_rule_4_1_3_12: {{ amzn2023cis_rule_4_1_3_12 }} -amzn2023cis_rule_4_1_3_13: {{ amzn2023cis_rule_4_1_3_13 }} -amzn2023cis_rule_4_1_3_14: {{ amzn2023cis_rule_4_1_3_14 }} -amzn2023cis_rule_4_1_3_15: {{ amzn2023cis_rule_4_1_3_15 }} -amzn2023cis_rule_4_1_3_16: {{ amzn2023cis_rule_4_1_3_16 }} -amzn2023cis_rule_4_1_3_17: {{ amzn2023cis_rule_4_1_3_17 }} -amzn2023cis_rule_4_1_3_18: {{ amzn2023cis_rule_4_1_3_18 }} -amzn2023cis_rule_4_1_3_19: {{ amzn2023cis_rule_4_1_3_19 }} -amzn2023cis_rule_4_1_3_20: {{ amzn2023cis_rule_4_1_3_20 }} -amzn2023cis_rule_4_1_3_21: {{ amzn2023cis_rule_4_1_3_21 }} - -# 4.1.4 Configure auditd file 
Access -amzn2023cis_rule_4_1_4_1: {{ amzn2023cis_rule_4_1_4_1 }} -amzn2023cis_rule_4_1_4_2: {{ amzn2023cis_rule_4_1_4_2 }} -amzn2023cis_rule_4_1_4_3: {{ amzn2023cis_rule_4_1_4_3 }} -amzn2023cis_rule_4_1_4_4: {{ amzn2023cis_rule_4_1_4_4 }} -amzn2023cis_rule_4_1_4_5: {{ amzn2023cis_rule_4_1_4_5 }} -amzn2023cis_rule_4_1_4_6: {{ amzn2023cis_rule_4_1_4_6 }} -amzn2023cis_rule_4_1_4_7: {{ amzn2023cis_rule_4_1_4_7 }} -amzn2023cis_rule_4_1_4_8: {{ amzn2023cis_rule_4_1_4_8 }} -amzn2023cis_rule_4_1_4_9: {{ amzn2023cis_rule_4_1_4_9 }} -amzn2023cis_rule_4_1_4_10: {{ amzn2023cis_rule_4_1_4_10 }} - -# 4.2.1 Configure rsyslog -amzn2023cis_rule_4_2_1_1: {{ amzn2023cis_rule_4_2_1_1 }} -amzn2023cis_rule_4_2_1_2: {{ amzn2023cis_rule_4_2_1_2 }} -amzn2023cis_rule_4_2_1_2: {{ amzn2023cis_rule_4_2_1_3 }} -amzn2023cis_rule_4_2_1_3: {{ amzn2023cis_rule_4_2_1_3 }} -amzn2023cis_rule_4_2_1_4: {{ amzn2023cis_rule_4_2_1_4 }} -amzn2023cis_rule_4_2_1_5: {{ amzn2023cis_rule_4_2_1_5 }} -amzn2023cis_rule_4_2_1_6: {{ amzn2023cis_rule_4_2_1_6 }} -amzn2023cis_rule_4_2_1_7: {{ amzn2023cis_rule_4_2_1_7 }} - -# 4.2.2 Configure journald -amzn2023cis_rule_4_2_2_1_1: {{ amzn2023cis_rule_4_2_2_1_1 }} -amzn2023cis_rule_4_2_2_1_2: {{ amzn2023cis_rule_4_2_2_1_2 }} -amzn2023cis_rule_4_2_2_1_3: {{ amzn2023cis_rule_4_2_2_1_3 }} -amzn2023cis_rule_4_2_2_1_4: {{ amzn2023cis_rule_4_2_2_1_4 }} -amzn2023cis_rule_4_2_2_2: {{ amzn2023cis_rule_4_2_2_2 }} -amzn2023cis_rule_4_2_2_3: {{ amzn2023cis_rule_4_2_2_3 }} -amzn2023cis_rule_4_2_2_4: {{ amzn2023cis_rule_4_2_2_4 }} -amzn2023cis_rule_4_2_2_5: {{ amzn2023cis_rule_4_2_2_5 }} -amzn2023cis_rule_4_2_2_6: {{ amzn2023cis_rule_4_2_2_6 }} -amzn2023cis_rule_4_2_2_7: {{ amzn2023cis_rule_4_2_2_7 }} +# Section 4 rules +amzn2023cis_rule_4_1_1: {{ amzn2023cis_rule_4_1_1 }} +amzn2023cis_rule_4_1_2: {{ amzn2023cis_rule_4_1_2 }} +amzn2023cis_rule_4_1_3: {{ amzn2023cis_rule_4_1_3 }} +amzn2023cis_rule_4_1_4: {{ amzn2023cis_rule_4_1_4 }} +amzn2023cis_rule_4_1_5: {{ amzn2023cis_rule_4_1_5 }} 
+amzn2023cis_rule_4_1_6: {{ amzn2023cis_rule_4_1_6 }} +amzn2023cis_rule_4_1_7: {{ amzn2023cis_rule_4_1_7 }} +amzn2023cis_rule_4_1_8: {{ amzn2023cis_rule_4_1_8 }} +amzn2023cis_rule_4_1_9: {{ amzn2023cis_rule_4_1_9 }} +amzn2023cis_rule_4_2_1: {{ amzn2023cis_rule_4_2_1 }} +amzn2023cis_rule_4_2_2: {{ amzn2023cis_rule_4_2_2 }} amzn2023cis_rule_4_2_3: {{ amzn2023cis_rule_4_2_3 }} +amzn2023cis_rule_4_2_4: {{ amzn2023cis_rule_4_2_4 }} +amzn2023cis_rule_4_2_5: {{ amzn2023cis_rule_4_2_5 }} +amzn2023cis_rule_4_2_6: {{ amzn2023cis_rule_4_2_6 }} +amzn2023cis_rule_4_2_7: {{ amzn2023cis_rule_4_2_7 }} +amzn2023cis_rule_4_2_8: {{ amzn2023cis_rule_4_2_8 }} +amzn2023cis_rule_4_2_9: {{ amzn2023cis_rule_4_2_9 }} +amzn2023cis_rule_4_2_10: {{ amzn2023cis_rule_4_2_10 }} +amzn2023cis_rule_4_2_11: {{ amzn2023cis_rule_4_2_11 }} +amzn2023cis_rule_4_2_12: {{ amzn2023cis_rule_4_2_12 }} +amzn2023cis_rule_4_2_13: {{ amzn2023cis_rule_4_2_13 }} +amzn2023cis_rule_4_2_14: {{ amzn2023cis_rule_4_2_14 }} +amzn2023cis_rule_4_2_15: {{ amzn2023cis_rule_4_2_15 }} +amzn2023cis_rule_4_2_16: {{ amzn2023cis_rule_4_2_16 }} +amzn2023cis_rule_4_2_17: {{ amzn2023cis_rule_4_2_17 }} +amzn2023cis_rule_4_2_18: {{ amzn2023cis_rule_4_2_18}} +amzn2023cis_rule_4_2_19: {{ amzn2023cis_rule_4_2_19 }} +amzn2023cis_rule_4_2_20: {{ amzn2023cis_rule_4_2_20 }} + +amzn2023cis_rule_4_3_1: {{ amzn2023cis_rule_4_3_1 }} +amzn2023cis_rule_4_3_2: {{ amzn2023cis_rule_4_3_2 }} +amzn2023cis_rule_4_3_3: {{ amzn2023cis_rule_4_3_3 }} +amzn2023cis_rule_4_3_4: {{ amzn2023cis_rule_4_3_4 }} +amzn2023cis_rule_4_3_5: {{ amzn2023cis_rule_4_3_5 }} +amzn2023cis_rule_4_3_6: {{ amzn2023cis_rule_4_3_6 }} + +amzn2023cis_rule_4_4_1: {{ amzn2023cis_rule_4_4_1 }} +amzn2023cis_rule_4_4_2: {{ amzn2023cis_rule_4_4_2 }} + +amzn2023cis_rule_4_5_1: {{ amzn2023cis_rule_4_5_1 }} +amzn2023cis_rule_4_5_2: {{ amzn2023cis_rule_4_5_2 }} +amzn2023cis_rule_4_5_3: {{ amzn2023cis_rule_4_5_3 }} +amzn2023cis_rule_4_5_4: {{ amzn2023cis_rule_4_5_4 }} + +amzn2023cis_rule_4_6_1_1: 
{{ amzn2023cis_rule_4_6_1_1 }} +amzn2023cis_rule_4_6_1_2: {{ amzn2023cis_rule_4_6_1_2 }} +amzn2023cis_rule_4_6_1_3: {{ amzn2023cis_rule_4_6_1_3 }} +amzn2023cis_rule_4_6_1_4: {{ amzn2023cis_rule_4_6_1_4 }} +amzn2023cis_rule_4_6_1_5: {{ amzn2023cis_rule_4_6_1_5 }} + +amzn2023cis_rule_4_6_2: {{ amzn2023cis_rule_4_6_2 }} +amzn2023cis_rule_4_6_3: {{ amzn2023cis_rule_4_6_3 }} +amzn2023cis_rule_4_6_4: {{ amzn2023cis_rule_4_6_4 }} +amzn2023cis_rule_4_6_5: {{ amzn2023cis_rule_4_6_5 }} +amzn2023cis_rule_4_6_6: {{ amzn2023cis_rule_4_6_6 }} + +# Section 5 rules +amzn2023cis_rule_5_1_1_1: {{ amzn2023cis_rule_5_1_1_1 }} +amzn2023cis_rule_5_1_1_2: {{ amzn2023cis_rule_5_1_1_2 }} +amzn2023cis_rule_5_1_1_3: {{ amzn2023cis_rule_5_1_1_3 }} +amzn2023cis_rule_5_1_1_4: {{ amzn2023cis_rule_5_1_1_4 }} +amzn2023cis_rule_5_1_1_5: {{ amzn2023cis_rule_5_1_1_5 }} +amzn2023cis_rule_5_1_1_6: {{ amzn2023cis_rule_5_1_1_6 }} +amzn2023cis_rule_5_1_1_7: {{ amzn2023cis_rule_5_1_1_7 }} + +amzn2023cis_rule_5_1_2_1_1: {{ amzn2023cis_rule_5_1_2_1_1 }} +amzn2023cis_rule_5_1_2_1_2: {{ amzn2023cis_rule_5_1_2_1_2 }} +amzn2023cis_rule_5_1_2_1_3: {{ amzn2023cis_rule_5_1_2_1_3 }} +amzn2023cis_rule_5_1_2_1_4: {{ amzn2023cis_rule_5_1_2_1_4 }} + +amzn2023cis_rule_5_1_2_2: {{ amzn2023cis_rule_5_1_2_2 }} +amzn2023cis_rule_5_1_2_3: {{ amzn2023cis_rule_5_1_2_3 }} +amzn2023cis_rule_5_1_2_4: {{ amzn2023cis_rule_5_1_2_4 }} +amzn2023cis_rule_5_1_2_5: {{ amzn2023cis_rule_5_1_2_5 }} +amzn2023cis_rule_5_1_2_6: {{ amzn2023cis_rule_5_1_2_6 }} +amzn2023cis_rule_5_1_2_7: {{ amzn2023cis_rule_5_1_2_7 }} -# 4.3 Logrotate -amzn2023cis_rule_4_3: {{ amzn2023cis_rule_4_3 }} - -# Section 5 -# Authentication and Authorization -# 5.1 Configure time-based job schedulers -amzn2023cis_rule_5_1_1: {{ amzn2023cis_rule_5_1_1 }} -amzn2023cis_rule_5_1_2: {{ amzn2023cis_rule_5_1_2 }} amzn2023cis_rule_5_1_3: {{ amzn2023cis_rule_5_1_3 }} -amzn2023cis_rule_5_1_4: {{ amzn2023cis_rule_5_1_4 }} -amzn2023cis_rule_5_1_5: {{ amzn2023cis_rule_5_1_5 }} 
-amzn2023cis_rule_5_1_6: {{ amzn2023cis_rule_5_1_6 }} -amzn2023cis_rule_5_1_7: {{ amzn2023cis_rule_5_1_7 }} -amzn2023cis_rule_5_1_8: {{ amzn2023cis_rule_5_1_8 }} -amzn2023cis_rule_5_1_9: {{ amzn2023cis_rule_5_1_9 }} - -# 5.2 Configure SSH Server -amzn2023cis_rule_5_2_1: {{ amzn2023cis_rule_5_2_1 }} -amzn2023cis_rule_5_2_2: {{ amzn2023cis_rule_5_2_2 }} -amzn2023cis_rule_5_2_3: {{ amzn2023cis_rule_5_2_3 }} -amzn2023cis_rule_5_2_4: {{ amzn2023cis_rule_5_2_4 }} -amzn2023cis_rule_5_2_5: {{ amzn2023cis_rule_5_2_5 }} -amzn2023cis_rule_5_2_6: {{ amzn2023cis_rule_5_2_6 }} -amzn2023cis_rule_5_2_7: {{ amzn2023cis_rule_5_2_7 }} -amzn2023cis_rule_5_2_8: {{ amzn2023cis_rule_5_2_8 }} -amzn2023cis_rule_5_2_9: {{ amzn2023cis_rule_5_2_9 }} -amzn2023cis_rule_5_2_10: {{ amzn2023cis_rule_5_2_10 }} -amzn2023cis_rule_5_2_11: {{ amzn2023cis_rule_5_2_11 }} -amzn2023cis_rule_5_2_12: {{ amzn2023cis_rule_5_2_12 }} -amzn2023cis_rule_5_2_13: {{ amzn2023cis_rule_5_2_13 }} -amzn2023cis_rule_5_2_14: {{ amzn2023cis_rule_5_2_14 }} -amzn2023cis_rule_5_2_15: {{ amzn2023cis_rule_5_2_15 }} -amzn2023cis_rule_5_2_16: {{ amzn2023cis_rule_5_2_16 }} -amzn2023cis_rule_5_2_17: {{ amzn2023cis_rule_5_2_17 }} -amzn2023cis_rule_5_2_18: {{ amzn2023cis_rule_5_2_18 }} -amzn2023cis_rule_5_2_19: {{ amzn2023cis_rule_5_2_19 }} -amzn2023cis_rule_5_2_20: {{ amzn2023cis_rule_5_2_20 }} -# 5.3 Configure privilege escalation -amzn2023cis_rule_5_3_1: {{ amzn2023cis_rule_5_3_1 }} -amzn2023cis_rule_5_3_2: {{ amzn2023cis_rule_5_3_2 }} -amzn2023cis_rule_5_3_3: {{ amzn2023cis_rule_5_3_3 }} -amzn2023cis_rule_5_3_4: {{ amzn2023cis_rule_5_3_4 }} -amzn2023cis_rule_5_3_5: {{ amzn2023cis_rule_5_3_5 }} -amzn2023cis_rule_5_3_6: {{ amzn2023cis_rule_5_3_6 }} -amzn2023cis_rule_5_3_7: {{ amzn2023cis_rule_5_3_7 }} - -# 5.4 Configure authselect - -amzn2023cis_rule_5_4_1: {{ amzn2023cis_rule_5_4_1 }} -amzn2023cis_rule_5_4_2: {{ amzn2023cis_rule_5_4_2 }} - -# 5.5 Configure PAM -amzn2023cis_rule_5_5_1: {{ amzn2023cis_rule_5_5_1 }} 
-amzn2023cis_rule_5_5_2: {{ amzn2023cis_rule_5_5_2 }} -amzn2023cis_rule_5_5_3: {{ amzn2023cis_rule_5_5_3 }} -amzn2023cis_rule_5_5_4: {{ amzn2023cis_rule_5_5_4 }} - -# 5.6 User Accounts and Environment -# 5.6.1 Set Shadow Password Suite Parameters -amzn2023cis_rule_5_6_1_1: {{ amzn2023cis_rule_5_6_1_1 }} -amzn2023cis_rule_5_6_1_2: {{ amzn2023cis_rule_5_6_1_2 }} -amzn2023cis_rule_5_6_1_3: {{ amzn2023cis_rule_5_6_1_3 }} -amzn2023cis_rule_5_6_1_4: {{ amzn2023cis_rule_5_6_1_4 }} -amzn2023cis_rule_5_6_1_5: {{ amzn2023cis_rule_5_6_1_5 }} -amzn2023cis_rule_5_6_2: {{ amzn2023cis_rule_5_6_2 }} -amzn2023cis_rule_5_6_3: {{ amzn2023cis_rule_5_6_3 }} -amzn2023cis_rule_5_6_4: {{ amzn2023cis_rule_5_6_4 }} -amzn2023cis_rule_5_6_5: {{ amzn2023cis_rule_5_6_5 }} -amzn2023cis_rule_5_6_6: {{ amzn2023cis_rule_5_6_6 }} + +amzn2023cis_rule_5_2_1_1: {{ amzn2023cis_rule_5_2_1_1 }} +amzn2023cis_rule_5_2_1_2: {{ amzn2023cis_rule_5_2_1_2 }} +amzn2023cis_rule_5_2_1_3: {{ amzn2023cis_rule_5_2_1_3 }} +amzn2023cis_rule_5_2_1_4: {{ amzn2023cis_rule_5_2_1_4 }} + +amzn2023cis_rule_5_2_2_1: {{ amzn2023cis_rule_5_2_2_1 }} +amzn2023cis_rule_5_2_2_2: {{ amzn2023cis_rule_5_2_2_2 }} +amzn2023cis_rule_5_2_2_3: {{ amzn2023cis_rule_5_2_2_3 }} + +amzn2023cis_rule_5_2_3_1: {{ amzn2023cis_rule_5_2_3_1 }} +amzn2023cis_rule_5_2_3_2: {{ amzn2023cis_rule_5_2_3_2 }} +amzn2023cis_rule_5_2_3_3: {{ amzn2023cis_rule_5_2_3_3 }} +amzn2023cis_rule_5_2_3_4: {{ amzn2023cis_rule_5_2_3_4 }} +amzn2023cis_rule_5_2_3_5: {{ amzn2023cis_rule_5_2_3_5 }} +amzn2023cis_rule_5_2_3_6: {{ amzn2023cis_rule_5_2_3_6 }} +amzn2023cis_rule_5_2_3_7: {{ amzn2023cis_rule_5_2_3_7 }} +amzn2023cis_rule_5_2_3_8: {{ amzn2023cis_rule_5_2_3_8 }} +amzn2023cis_rule_5_2_3_9: {{ amzn2023cis_rule_5_2_3_9 }} +amzn2023cis_rule_5_2_3_10: {{ amzn2023cis_rule_5_2_3_10 }} +amzn2023cis_rule_5_2_3_11: {{ amzn2023cis_rule_5_2_3_11 }} +amzn2023cis_rule_5_2_3_12: {{ amzn2023cis_rule_5_2_3_12 }} +amzn2023cis_rule_5_2_3_13: {{ amzn2023cis_rule_5_2_3_13 }} 
+amzn2023cis_rule_5_2_3_14: {{ amzn2023cis_rule_5_2_3_14 }} +amzn2023cis_rule_5_2_3_15: {{ amzn2023cis_rule_5_2_3_15 }} +amzn2023cis_rule_5_2_3_16: {{ amzn2023cis_rule_5_2_3_16 }} +amzn2023cis_rule_5_2_3_17: {{ amzn2023cis_rule_5_2_3_17 }} +amzn2023cis_rule_5_2_3_18: {{ amzn2023cis_rule_5_2_3_18 }} +amzn2023cis_rule_5_2_3_19: {{ amzn2023cis_rule_5_2_3_19 }} +amzn2023cis_rule_5_2_3_20: {{ amzn2023cis_rule_5_2_3_20 }} +amzn2023cis_rule_5_2_3_21: {{ amzn2023cis_rule_5_2_3_21 }} + +amzn2023cis_rule_5_2_4_1: {{ amzn2023cis_rule_5_2_4_1 }} +amzn2023cis_rule_5_2_4_2: {{ amzn2023cis_rule_5_2_4_2 }} +amzn2023cis_rule_5_2_4_3: {{ amzn2023cis_rule_5_2_4_3 }} +amzn2023cis_rule_5_2_4_4: {{ amzn2023cis_rule_5_2_4_4 }} +amzn2023cis_rule_5_2_4_5: {{ amzn2023cis_rule_5_2_4_5 }} +amzn2023cis_rule_5_2_4_6: {{ amzn2023cis_rule_5_2_4_6 }} +amzn2023cis_rule_5_2_4_7: {{ amzn2023cis_rule_5_2_4_7 }} +amzn2023cis_rule_5_2_4_8: {{ amzn2023cis_rule_5_2_4_8 }} +amzn2023cis_rule_5_2_4_9: {{ amzn2023cis_rule_5_2_4_9 }} +amzn2023cis_rule_5_2_4_10: {{ amzn2023cis_rule_5_2_4_10 }} + +amzn2023cis_rule_5_3: {{ amzn2023cis_rule_5_3 }} # Section 6 # 6 System Maintenance diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index 923da33..a908b6f 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 
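Review bot: `amzn2023cis_rule_4_2_18: {{ amzn2023cis_rule_4_2_18}}` is missing the space before `}}`; Jinja renders it fine, but it is the one line in a 130-line hunk that differs, which suggests hand editing and is exactly where a typo in the variable name would hide. Make it `amzn2023cis_rule_4_2_18: {{ amzn2023cis_rule_4_2_18 }}`. The hunk also drops every section heading comment (`# 4.1 Configure System Accounting`, `# 5.2 Configure SSH Server`, and so on) that the old file had; restoring headings under the new numbering would keep the rendered audit vars navigable for whoever has to map a goss failure back to a benchmark section.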
@@ -1,26 +1,26 @@ -## Ansible controlled file +## Ansible controlled filescope # Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC ### YOUR CHANGES WILL BE LOST! # This template will set all of the auditd configurations via a handler in the role in one task instead of individually -{% if amzn2023cis_rule_4_1_3_1 %} +{% if amzn2023cis_rule_5_2_3_1 %} -w /etc/sudoers -p wa -k scope -w /etc/sudoers.d -p wa -k scope {% endif %} -{% if amzn2023cis_rule_4_1_3_2 %} +{% if amzn2023cis_rule_5_2_3_2 %} -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation -a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation {% endif %} -{% if amzn2023cis_rule_4_1_3_3 %} +{% if amzn2023cis_rule_5_2_3_3 %} -w {{ amzn2023cis_sudolog_location }} -p wa -k sudo_log_file {% endif %} -{% if amzn2023cis_rule_4_1_3_4 %} +{% if amzn2023cis_rule_5_2_3_4 %} -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change -w /etc/localtime -p wa -k time-change {% endif %} -{% if amzn2023cis_rule_4_1_3_5 %} +{% if amzn2023cis_rule_5_2_3_5 %} -a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale -a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale -w /etc/issue -p wa -k system-locale 
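Review bot: The first changed line turns the header comment `## Ansible controlled file` into `## Ansible controlled filescope`, which looks like a stray paste of the `-k scope` key from the line below rather than an intended edit; the rest of the hunk only renames the `{% if %}` toggles. Restore `## Ansible controlled file`. Since auditd treats `#` lines as comments this is cosmetic, but the header is what tells an operator not to hand-edit the file, so it should read cleanly.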
@@ -29,25 +29,25 @@ -w /etc/sysconfig/network -p wa -k system-locale -w /etc/sysconfig/network-scripts -p wa -k system-locale {% endif %} -{% if amzn2023cis_rule_4_1_3_6 %} +{% if amzn2023cis_rule_5_2_3_6 %} {% for proc in priv_procs.stdout_lines -%} -a always,exit -F path={{ proc }} -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k privileged {% endfor %} {% endif %} -{% if amzn2023cis_rule_4_1_3_7 %} +{% if amzn2023cis_rule_5_2_3_7 %} -a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=unset -k access -a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=unset -k access -a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=unset -k access -a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=unset -k access {% endif %} -{% if amzn2023cis_rule_4_1_3_8 %} +{% if amzn2023cis_rule_5_2_3_8 %} -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity {% endif %} -{% if amzn2023cis_rule_4_1_3_9 %} +{% if amzn2023cis_rule_5_2_3_9 %} -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod 
@@ -55,44 +55,44 @@ -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod {% endif %} -{% if amzn2023cis_rule_4_1_3_10 %} +{% if amzn2023cis_rule_5_2_3_10 %} -a always,exit -F arch=b32 -S mount -F auid>={{ min_int_uid }} -F auid!=unset -k mounts -a always,exit -F arch=b64 -S mount -F auid>={{ min_int_uid }} -F auid!=unset -k mounts {% endif %} -{% if amzn2023cis_rule_4_1_3_11 %} +{% if amzn2023cis_rule_5_2_3_11 %} -w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k session -w /var/log/btmp -p wa -k session {% endif %} -{% if amzn2023cis_rule_4_1_3_12 %} +{% if amzn2023cis_rule_5_2_3_12 %} -w /var/log/lastlog -p wa -k logins -w /var/run/faillock -p wa -k logins {% endif %} -{% if amzn2023cis_rule_4_1_3_13 %} +{% if amzn2023cis_rule_5_2_3_13 %} -a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>={{ min_int_uid }} -F auid!=unset -F key=delete -a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>={{ min_int_uid }} -F auid!=unset -F key=delete {% endif %} -{% if amzn2023cis_rule_4_1_3_14 %} +{% if amzn2023cis_rule_5_2_3_14 %} -w /etc/selinux -p wa -k MAC-policy -w /usr/share/selinux -p wa -k MAC-policy {% endif %} -{% if amzn2023cis_rule_4_1_3_15 %} +{% if amzn2023cis_rule_5_2_3_15 %} -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k perm_chng {% endif %} -{% if amzn2023cis_rule_4_1_3_16 %} +{% if amzn2023cis_rule_5_2_3_16 %} -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k perm_chng {% endif %} -{% if amzn2023cis_rule_4_1_3_17 %} +{% if amzn2023cis_rule_5_2_3_17 %} -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k priv_cmd {% endif %} -{% if 
amzn2023cis_rule_4_1_3_18 %} +{% if amzn2023cis_rule_5_2_3_18 %} -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k usermod {% endif %} -{% if amzn2023cis_rule_4_1_3_19 %} +{% if amzn2023cis_rule_5_2_3_19 %} -a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>={{ min_int_uid }} -F auid!=unset -k kernel_modules -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k kernel_modules {% endif %} -{% if amzn2023cis_rule_4_1_3_20 %} +{% if amzn2023cis_rule_5_2_3_20 %} -e 2 {% endif %} From 4fc1516a990fe8c9588976fd5cdb2e90bb884c8e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 23 Aug 2023 13:40:59 +0100 Subject: [PATCH 05/11] fix pkg name Signed-off-by: Mark Bolwell --- vars/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vars/main.yml b/vars/main.yml index 9fb2c6f..0acf92d 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -15,7 +15,7 @@ amzn2023cis_allowed_crypto_policies_modules: warn_control_list: "" warn_count: 0 -gpg_key_package: "{{ ansible_distribution | lower }}-gpg-keys" +gpg_key_package: "system-release" os_gpg_key_pubkey_name: gpg-pubkey-d832c631-63977702 os_gpg_key_pubkey_content: "Amazon Linux d832c631" From dcdff6fee541092ed7d828211f1698e152a0b943 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 23 Aug 2023 13:41:26 +0100 Subject: [PATCH 06/11] removed conditional Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.3.x.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index dc36aec..f951332 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml @@ -45,7 +45,6 @@ job: "{{ amzn2023cis_aide_cron['aide_job'] }}" when: - amzn2023cis_rule_1_3_2 - - not system_is_ec2 tags: - level1-server - aide 
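Review bot: `gpg_key_package: "system-release"` replaces a distribution-derived package name with a hard-coded one and carries no comment saying why, so the next maintainer is likely to "generalise" it back; add a comment above the line such as `# AL2023 does not ship a <distro>-gpg-keys package; the repo signing key is owned by system-release` (confirm the owning package with rpm -qf before committing the wording). The neighbouring `os_gpg_key_pubkey_name`/`os_gpg_key_pubkey_content` values are unchanged context, and the task that consumes this variable is outside the hunk.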
@@ -68,7 +67,6 @@ validate: aide -D --config %s when: - amzn2023cis_rule_1_3_2 - - not system_is_ec2 tags: - level1-server - aide From 404bc583fd603f17b15b0bae8b12d5df02d228df Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 23 Aug 2023 13:53:35 +0100 Subject: [PATCH 07/11] updated for control and patching issue Signed-off-by: Mark Bolwell --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 22a5166..80d45df 100644 --- a/README.md +++ b/README.md @@ -167,6 +167,9 @@ We encourage you (the community) to contribute to this role. Please read the rul Variable used to unset. AMAZON2023cis_default_repo: true # to be set to false if using repo that does have this ability +controls +1.2.2 and 1.2.4 affect default repos and will stop patching from occuring + CIS Documented rules 6.1.1 and 6.1.2 are identical. So section 6 only has 12 items compared to documentation ## Pipeline Testing From e648768b80b295fbc34e60411182cbd046a46a51 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 23 Aug 2023 14:04:35 +0100 Subject: [PATCH 08/11] tidyup Signed-off-by: Mark Bolwell --- README.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 80d45df..aebe659 100644 --- a/README.md +++ b/README.md 
@@ -164,13 +164,12 @@ We encourage you (the community) to contribute to this role. Please read the rul ## Known Issues -Variable used to unset. -AMAZON2023cis_default_repo: true # to be set to false if using repo that does have this ability +Default builds dont have a root password set, so prelim will fail. Please set a root password using the correct encryption version -controls -1.2.2 and 1.2.4 affect default repos and will stop patching from occuring +CIS Documented controls -CIS Documented rules 6.1.1 and 6.1.2 are identical. So section 6 only has 12 items compared to documentation +- 1.2.2 and 1.2.4 affect default repos and will stop patching from occuring +- 6.1.1 and 6.1.2 are identical. So section 6 only has 12 items compared to documentation. ## Pipeline Testing From be52e295c4aa0cdfc03826aa564e97a92cbc298d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 23 Aug 2023 14:05:39 +0100 Subject: [PATCH 09/11] added beta to title Signed-off-by: Mark Bolwell --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index aebe659..95e1d3d 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# AMAZON 2023 CIS +# AMAZON 2023 CIS - Beta ## Configure a Amazon 2023 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant From 79fceada7dedc81d76f4a473b6a49cf723109841 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 23 Aug 2023 14:08:46 +0100 Subject: [PATCH 10/11] added audit comment Signed-off-by: Mark Bolwell --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 95e1d3d..c93ad38 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,9 @@ # AMAZON 2023 CIS - Beta +**************************** +NOTE AUDIT NOT YET AVAILABLE +**************************** + ## Configure a Amazon 2023 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant ### Based on [ CIS Amazon 2023 Benchmark v1.0.0 - 26-06-2023 ](https://www.cisecurity.org/cis-benchmarks/) 
From a909ca6919183d3b6dd0470c0d76ba4d17c3ceda Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 23 Aug 2023 14:15:49 +0100 Subject: [PATCH 11/11] added workflow files Signed-off-by: Mark Bolwell --- .../workflows/devel_pipeline_validation.yml | 138 ++++++++++++++++++ .../workflows/main_pipeline_validation.yml | 127 ++++++++++++++++ .github/workflows/update_galaxy.yml | 21 +++ 3 files changed, 286 insertions(+) create mode 100644 .github/workflows/devel_pipeline_validation.yml create mode 100644 .github/workflows/main_pipeline_validation.yml create mode 100644 .github/workflows/update_galaxy.yml diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml new file mode 100644 index 0000000..a4e7d48 --- /dev/null +++ b/.github/workflows/devel_pipeline_validation.yml 
@@ -0,0 +1,138 @@ +--- + + name: Devel pipeline + + on: # yamllint disable-line rule:truthy + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - devel + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' + + # A workflow run is made up of one or more jobs + # that can run sequentially or in parallel + jobs: + # This will create messages for first time contributers and direct them to the Discord server + welcome: + runs-on: ubuntu-latest + + steps: + - uses: actions/first-interaction@main + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + pr-message: |- + Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! + Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. + + # This workflow contains a single job which tests the playbook + playbook-test: + # The type of runner that the job will run on + runs-on: ubuntu-latest + env: + ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} + # Imported as a variable by terraform + TF_VAR_repository: ${{ github.event.repository.name }} + defaults: + run: + shell: bash + working-directory: .github/workflows/github_linux_IaC + + steps: + - name: Clone ${{ github.event.repository.name }} + uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + + # Pull in terraform code for linux servers + - name: Clone github IaC plan + uses: actions/checkout@v3 + with: + repository: ansible-lockdown/github_linux_IaC + path: .github/workflows/github_linux_IaC + + - name: Add_ssh_key + working-directory: .github/workflows + env: + SSH_AUTH_SOCK: /tmp/ssh_agent.sock + PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" + run: | + mkdir .ssh + chmod 700 .ssh + echo $PRIVATE_KEY > .ssh/github_actions.pem + chmod 600 .ssh/github_actions.pem + + - name: DEBUG - Show IaC files + if: env.ENABLE_DEBUG == 'true' + run: | + echo "OSVAR = $OSVAR" + echo "benchmark_type = $benchmark_type" + pwd 
+ ls + env: + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Terraform_Init + id: init + run: terraform init + env: + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Terraform_Validate + id: validate + run: terraform validate + env: + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Terraform_Apply + id: apply + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false + + ## Debug Section + - name: DEBUG - Show Ansible hostfile + if: env.ENABLE_DEBUG == 'true' + run: cat hosts.yml + + # Aws deployments taking a while to come up insert sleep or playbook fails + + - name: Sleep for 60 seconds + run: sleep 60s + + # Run the ansible playbook + - name: Run_Ansible_Playbook + uses: arillso/action.playbook@master + with: + playbook: site.yml + inventory: .github/workflows/github_linux_IaC/hosts.yml + galaxy_file: collections/requirements.yml + private_key: ${{ secrets.SSH_PRV_KEY }} + # verbose: 3 + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + + # Remove test system - User secrets to keep if necessary + + - name: Terraform_Destroy + if: always() && env.ENABLE_DEBUG == 'false' + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + run: terraform destroy -var-file 
"github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml new file mode 100644 index 0000000..0b149fb --- /dev/null +++ b/.github/workflows/main_pipeline_validation.yml 
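Review bot: This workflow triggers on `pull_request_target`, checks out `${{ github.event.pull_request.head.sha }}`, provisions infrastructure with `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` and `SSH_PRV_KEY`, and then executes the checked-out `site.yml`, so playbook content from any fork PR runs with access to those secrets; the same structure is repeated in main_pipeline_validation.yml in the next hunk. Gate the `playbook-test` job behind a maintainer action (an `environment:` with required reviewers, or an `if:` on a label applied after review) and pin `arillso/action.playbook@master` and `actions/first-interaction@main` to a full commit SHA rather than a mutable branch. In Add_ssh_key, `echo $PRIVATE_KEY > .ssh/github_actions.pem` is unquoted, so a multi-line PEM is word-split onto a single line; use `printf '%s\n' "$PRIVATE_KEY" > .ssh/github_actions.pem`. Terraform_Destroy is conditioned on `env.ENABLE_DEBUG == 'false'`, so an unset or empty `vars.ENABLE_DEBUG` leaves the test instances running after the job; `if: always() && env.ENABLE_DEBUG != 'true'` fails safe.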
@@ -0,0 +1,127 @@ +--- + + name: Main pipeline + + on: # yamllint disable-line rule:truthy + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - main + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' + + # A workflow run is made up of one or more jobs + # that can run sequentially or in parallel + jobs: + + # This workflow contains a single job which tests the playbook + playbook-test: + # The type of runner that the job will run on + runs-on: ubuntu-latest + env: + ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} + # Imported as a variable by terraform + TF_VAR_repository: ${{ github.event.repository.name }} + defaults: + run: + shell: bash + working-directory: .github/workflows/github_linux_IaC + + steps: + - name: Clone ${{ github.event.repository.name }} + uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + + # Pull in terraform code for linux servers + - name: Clone github IaC plan + uses: actions/checkout@v3 + with: + repository: ansible-lockdown/github_linux_IaC + path: .github/workflows/github_linux_IaC + + - name: Add_ssh_key + working-directory: .github/workflows + env: + SSH_AUTH_SOCK: /tmp/ssh_agent.sock + PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" + run: | + mkdir .ssh + chmod 700 .ssh + echo $PRIVATE_KEY > .ssh/github_actions.pem + chmod 600 .ssh/github_actions.pem + + - name: DEBUG - Show IaC files + if: env.ENABLE_DEBUG == 'true' + run: | + echo "OSVAR = $OSVAR" + echo "benchmark_type = $benchmark_type" + pwd + ls + env: + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Terraform_Init + id: init + run: terraform init + env: + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Terraform_Validate + id: validate + run: terraform validate + env: + # 
Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Terraform_Apply + id: apply + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false + + ## Debug Section + - name: DEBUG - Show Ansible hostfile + if: env.ENABLE_DEBUG == 'true' + run: cat hosts.yml + + # Aws deployments taking a while to come up insert sleep or playbook fails + + - name: Sleep for 60 seconds + run: sleep 60s + + # Run the ansible playbook + - name: Run_Ansible_Playbook + uses: arillso/action.playbook@master + with: + playbook: site.yml + inventory: .github/workflows/github_linux_IaC/hosts.yml + galaxy_file: collections/requirements.yml + private_key: ${{ secrets.SSH_PRV_KEY }} + # verbose: 3 + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + + # Remove test system - User secrets to keep if necessary + + - name: Terraform_Destroy + if: always() && env.ENABLE_DEBUG == 'false' + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml new file mode 100644 index 0000000..951a53c --- /dev/null +++ b/.github/workflows/update_galaxy.yml 
@@ -0,0 +1,21 @@ +--- + +# This is a basic workflow to help you get started with Actions + +name: update galaxy + +# Controls when the action will run. +# Triggers the workflow on merge request events to the main branch +on: + push: + branches: + - main +jobs: + update_role: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - uses: robertdebock/galaxy-action@master + with: + galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} + git_branch: main
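Review bot: `robertdebock/galaxy-action@master` is a mutable branch reference that receives `secrets.GALAXY_API_KEY`, so any push to that branch runs with the publishing key; pin it to a full commit SHA (`uses: robertdebock/galaxy-action@<commit-sha>  # <tag>`) and let Dependabot bump it. The workflow declares no `permissions:` block, so the job token gets the repository default; `permissions: contents: read` at the top level is sufficient for the checkout step. The header comment `# Triggers the workflow on merge request events to the main branch` does not match the `on: push` trigger; `# Triggers on every push to main (including merged PRs)` describes what the block does.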