Fixing issue https://github.com/ansible-lockdown/AMAZON2023-CIS/issues/30 #31

19 changes: 19 additions & 0 deletions tasks/prelim.yml
Expand Up @@ -161,6 +161,25 @@
- ssh
- level1_server

- name: "PRELIM | Section 4.2 | SSH - Identify files in sshd_config.d Dir"
ansible.builtin.find:
patterns: '*.conf'
path: /etc/ssh/sshd_config.d
register: sshd_d_conf_files
when:
- "'openssh-server' in ansible_facts.packages"
tags:
- always

- name: "PRELIM | Section 4.2 | SSH - Search for main cfg file"
ansible.builtin.stat:
path: "{{ amzn2023cis_sshd_config_file }}"
register: main_sshd_cfg
when:
- "'openssh-server' in ansible_facts.packages"
tags:
- always

- name: "PRELIM | Section 5.2 | Configure System Accounting (auditd)"
ansible.builtin.package:
name: audit
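Review bot: Both registered results are only populated when `openssh-server` is present in `ansible_facts.packages`, yet the consumers added in `tasks/section_4/cis_4.2.x.yml` iterate `sshd_d_conf_files.files` and `main_sshd_cfg.stat` under the per-rule flag alone, so on a host without the package — or without `/etc/ssh/sshd_config`, where `stat` returns no `path` key — those loops fail on an undefined attribute unless a package guard exists outside this view. Defaulting the registrations keeps the loops well-formed, e.g. `with_items: "{{ sshd_d_conf_files.files | default([]) }}"`, or the consumers can add `- main_sshd_cfg.stat.exists` to their `when`. The `find` also hard-codes the stock drop-in glob rather than reading the actual `Include` directive from the main file, so a comment such as `# assumes the default 'Include /etc/ssh/sshd_config.d/*.conf'; a customised Include path is not covered` would make that limit explicit to the next maintainer.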
70 changes: 56 additions & 14 deletions tasks/section_4/cis_4.2.x.yml
Expand Up @@ -125,10 +125,13 @@

- name: "4.2.5 | PATCH | Ensure SSH LogLevel is appropriate"
ansible.builtin.lineinfile:
path: "{{ amzn2023cis_sshd_config_file }}"
path: "{{ item.path }}"
regexp: "^#LogLevel|^LogLevel"
line: 'LogLevel {{ amzn2023cis_ssh_loglevel }}'
validate: sshd -t -f %s
with_items:
- "{{ sshd_d_conf_files.files }}"
- "{{ main_sshd_cfg.stat }}"
when:
- amzn2023cis_rule_4_2_5
tags:
Expand All @@ -142,10 +145,13 @@

- name: "4.2.6 | PATCH | Ensure SSH PAM is enabled"
ansible.builtin.lineinfile:
path: "{{ amzn2023cis_sshd_config_file }}"
path: "{{ item.path }}"
regexp: "^#UsePAM|^UsePAM"
line: 'UsePAM yes'
validate: sshd -t -f %s
with_items:
- "{{ sshd_d_conf_files.files }}"
- "{{ main_sshd_cfg.stat }}"
when:
- amzn2023cis_rule_4_2_6
tags:
Expand All @@ -161,10 +167,13 @@

- name: "4.2.7 | PATCH | Ensure SSH root login is disabled"
ansible.builtin.lineinfile:
path: "{{ amzn2023cis_sshd_config_file }}"
path: "{{ item.path }}"
regexp: "^#PermitRootLogin|^PermitRootLogin"
line: 'PermitRootLogin no'
validate: sshd -t -f %s
with_items:
- "{{ sshd_d_conf_files.files }}"
- "{{ main_sshd_cfg.stat }}"
when:
- amzn2023cis_rule_4_2_7
tags:
Expand All @@ -176,10 +185,13 @@

- name: "4.2.8 | PATCH | Ensure SSH HostbasedAuthentication is disabled"
ansible.builtin.lineinfile:
path: "{{ amzn2023cis_sshd_config_file }}"
path: "{{ item.path }}"
regexp: "^#HostbasedAuthentication|^HostbasedAuthentication"
line: 'HostbasedAuthentication no'
validate: sshd -t -f %s
with_items:
- "{{ sshd_d_conf_files.files }}"
- "{{ main_sshd_cfg.stat }}"
when:
- amzn2023cis_rule_4_2_8
tags:
Expand All @@ -195,10 +207,13 @@

- name: "4.2.9 | PATCH | Ensure SSH PermitEmptyPasswords is disabled"
ansible.builtin.lineinfile:
path: "{{ amzn2023cis_sshd_config_file }}"
path: "{{ item.path }}"
regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords"
line: 'PermitEmptyPasswords no'
validate: sshd -t -f %s
with_items:
- "{{ sshd_d_conf_files.files }}"
- "{{ main_sshd_cfg.stat }}"
when:
- amzn2023cis_rule_4_2_9
tags:
Expand All @@ -214,10 +229,13 @@

- name: "4.2.10 | PATCH | Ensure SSH PermitUserEnvironment is disabled"
ansible.builtin.lineinfile:
path: "{{ amzn2023cis_sshd_config_file }}"
path: "{{ item.path }}"
regexp: "^#PermitUserEnvironment|^PermitUserEnvironment"
line: 'PermitUserEnvironment no'
validate: sshd -t -f %s
with_items:
- "{{ sshd_d_conf_files.files }}"
- "{{ main_sshd_cfg.stat }}"
when:
- amzn2023cis_rule_4_2_10
tags:
Expand Down Expand Up @@ -252,10 +270,13 @@

- name: "4.2.12 | PATCH | Ensure SSH X11 forwarding is disabled"
ansible.builtin.lineinfile:
path: "{{ amzn2023cis_sshd_config_file }}"
path: "{{ item.path }}"
regexp: "^#X11Forwarding|^X11Forwarding"
line: 'X11Forwarding no'
validate: sshd -t -f %s
with_items:
- "{{ sshd_d_conf_files.files }}"
- "{{ main_sshd_cfg.stat }}"
when:
- amzn2023cis_rule_4_2_12
tags:
Expand All @@ -267,10 +288,13 @@

- name: "4.2.13 | PATCH | Ensure SSH AllowTcpForwarding is disabled"
ansible.builtin.lineinfile:
path: "{{ amzn2023cis_sshd_config_file }}"
path: "{{ item.path }}"
regexp: "^#AllowTcpForwarding|^AllowTcpForwarding"
line: 'AllowTcpForwarding no'
validate: sshd -t -f %s
with_items:
- "{{ sshd_d_conf_files.files }}"
- "{{ main_sshd_cfg.stat }}"
when:
- amzn2023cis_rule_4_2_13
tags:
Expand Down Expand Up @@ -327,10 +351,13 @@

- name: "4.2.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less"
ansible.builtin.lineinfile:
path: "{{ amzn2023cis_sshd_config_file }}"
path: "{{ item.path }}"
regexp: '^(#)?MaxAuthTries \d'
line: 'MaxAuthTries 4'
validate: sshd -t -f %s
with_items:
- "{{ sshd_d_conf_files.files }}"
- "{{ main_sshd_cfg.stat }}"
when:
- amzn2023cis_rule_4_2_16
tags:
Expand All @@ -342,10 +369,13 @@

- name: "4.2.17 | PATCH | Ensure SSH MaxStartups is configured"
ansible.builtin.lineinfile:
path: "{{ amzn2023cis_sshd_config_file }}"
path: "{{ item.path }}"
regexp: "^#MaxStartups|^MaxStartups"
line: 'MaxStartups 10:30:60'
validate: sshd -t -f %s
with_items:
- "{{ sshd_d_conf_files.files }}"
- "{{ main_sshd_cfg.stat }}"
when:
- amzn2023cis_rule_4_2_17
tags:
Expand All @@ -361,10 +391,13 @@

- name: "4.2.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less"
ansible.builtin.lineinfile:
path: "{{ amzn2023cis_sshd_config_file }}"
path: "{{ item.path }}"
regexp: "^#MaxSessions|^MaxSessions"
line: 'MaxSessions {{ amzn2023cis_ssh_maxsessions }}'
validate: sshd -t -f %s
with_items:
- "{{ sshd_d_conf_files.files }}"
- "{{ main_sshd_cfg.stat }}"
when:
- amzn2023cis_rule_4_2_18
tags:
Expand All @@ -380,10 +413,13 @@

- name: "4.2.19 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less"
ansible.builtin.lineinfile:
path: "{{ amzn2023cis_sshd_config_file }}"
path: "{{ item.path }}"
regexp: "^#LoginGraceTime|^LoginGraceTime"
line: "LoginGraceTime {{ amzn2023cis_sshd['logingracetime'] }}"
validate: sshd -t -f %s
with_items:
- "{{ sshd_d_conf_files.files }}"
- "{{ main_sshd_cfg.stat }}"
when:
- amzn2023cis_rule_4_2_19
tags:
Expand All @@ -397,17 +433,23 @@
block:
- name: "4.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval"
ansible.builtin.lineinfile:
path: "{{ amzn2023cis_sshd_config_file }}"
path: "{{ item.path }}"
regexp: '^ClientAliveInterval'
line: "ClientAliveInterval {{ amzn2023cis_sshd['clientaliveinterval'] }}"
validate: sshd -t -f %s
with_items:
- "{{ sshd_d_conf_files.files }}"
- "{{ main_sshd_cfg.stat }}"

- name: "4.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3"
ansible.builtin.lineinfile:
path: "{{ amzn2023cis_sshd_config_file }}"
path: "{{ item.path }}"
regexp: '^ClientAliveCountMax'
line: "ClientAliveCountMax {{ amzn2023cis_sshd['clientalivecountmax'] }}"
validate: sshd -t -f %s
with_items:
- "{{ sshd_d_conf_files.files }}"
- "{{ main_sshd_cfg.stat }}"
when:
- amzn2023cis_rule_4_2_20
tags:
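Review bot: `lineinfile` appends the directive at end-of-file when the regexp finds no match, and now that the loop covers every drop-in, an appended line lands after any trailing `Match` block in that file, where sshd scopes it to that block instead of applying it globally — `PermitRootLogin no` in 4.2.7 would then bind only to the matched users, and `sshd -t -f` on the single file still passes, so `validate` will not catch it. sshd keywords are also case-insensitive and may be indented, so an existing `permitrootlogin yes` or `  PermitRootLogin yes` in a drop-in is not matched by `^#PermitRootLogin|^PermitRootLogin` and, with the drop-ins typically included near the top of the main file, keeps winning under sshd's first-obtained-value rule. A tighter pattern such as `regexp: '(?i)^\s*#?\s*PermitRootLogin\b'` together with `insertbefore: BOF` on each of these tasks would address both, and a post-task check of `sshd -T` output would confirm the effective value rather than the file contents. The `block:` for 4.2.20 opens above this hunk and its `tags` list continues past it.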