Merge pull request #4 from ansible-lockdown/georgenalen

Initial Release
ansible-lockdown · Nov 5, 2020 · 0bbd547 · 0bbd547
2 parents 6bfffc5 + 1a465e7
commit 0bbd547
Show file tree

Hide file tree

Showing 43 changed files with 6,639 additions and 2 deletions.
diff --git a/.DS_Store b/.DS_Store
diff --git a/.github/.DS_Store b/.github/.DS_Store
diff --git a/.github/workflows/communitytodevel.yml b/.github/workflows/communitytodevel.yml
@@ -0,0 +1,38 @@
+# This is a basic workflow to help you get started with Actions
+
+name: CommunityToDevel
+
+# Controls when the action will run. Triggers the workflow on push or pull request
+# events but only for the devel branch
+on:
+  pull_request:
+    branches: [ devel ]
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "build"
+  build:
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - uses: actions/checkout@v2
+
+      # Refactr pipeline for devel pull request/merge
+      - name: Refactr - Run Pipeline (to devel)
+       # You may pin to the exact commit or the version.
+        # uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
+        uses: refactr/[email protected]
+        with:
+          # API token
+          api_token: '${{ secrets.REFACTR_KEY }}'
+          # Project ID
+          project_id: 5f47f0c4a13c7b18373e5556
+          # Job ID
+          job_id: 5f933cbcf9c74e86b1609c00
+          # Variables
+          variables: '{ "gitrepo": "https://github.com/ansible-lockdown/UBUNTU20-CIS.git", "image": "ami-0fe12c34e05228a69", "githubBranch": "${{ github.head_ref }}", "username": "ubuntu" }'
+          # Refactr API base URL
+          api_url: # optional
diff --git a/.github/workflows/develtomaster.yml b/.github/workflows/develtomaster.yml
@@ -0,0 +1,38 @@
+# This is a basic workflow to help you get started with Actions
+
+name: DevelToMaster
+
+# Controls when the action will run. Triggers the workflow on push or pull request
+# events but only for the devel branch
+on:
+  pull_request:
+    branches: [ main ]
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "build"
+  build:
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - uses: actions/checkout@v2
+
+      # Refactr pipeline for devel pull request/merge
+      - name: Refactr - Run Pipeline (to master)
+       # You may pin to the exact commit or the version.
+        # uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
+        uses: refactr/[email protected]
+        with:
+          # API token
+          api_token: '${{ secrets.REFACTR_KEY }}'
+          # Project ID
+          project_id: 5f47f0c4a13c7b18373e5556
+          # Job ID
+          job_id: 5f90ad90f9c74e6d1e606e33
+          # Variables
+          variables: '{ "gitrepo": "https://github.com/ansible-lockdown/UBUNTU20-CIS.git", "image": "ami-0fe12c34e05228a69", "username": "ubuntu" }'
+          # Refactr API base URL
+          api_url: # optional
diff --git a/.travis.yml b/.travis.yml
@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+  apt:
+    packages:
+    - python-pip
+
+install:
+  # Install ansible
+  - pip install ansible
+
+  # Check ansible version
+  - ansible --version
+
+  # Create ansible.cfg with correct roles_path
+  - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+  # Basic role syntax check
+  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/
diff --git a/README.md b/README.md
@@ -1,2 +1,126 @@
-# UBUNTU20-CIS
-CIS Baseline Ansible Role for Ubuntu 20
+# ubuntu-20
+Ubuntu 20 CIS
+=========
+
+Configure Ubuntu 20 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant. There are some intrusive tasks that have a toggle in defaults main.yml to disable to automated fix
+
+This role **will make changes to the system** that could break things. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted.
+
+Based on [CIS Ubuntu Linux 20.04 LTS Benchmark ](https://community.cisecurity.org/collab/public/index.php).
+
+
+Requirements
+------------
+
+You should carefully read through the tasks to make sure these changes will not break your systems before running this playbook.
+If you want to do a dry run without changing anything, set the below sections (rhel8cis_section1-6) to false. 
+
+Role Variables
+--------------
+
+There are many role variables defined in defaults/main.yml. This list shows the most important.
+
+**ubtu20cis_disruption_high**: Run CIS checks that we typically do NOT want to automate due to the high probability of breaking the system (Default: false)
+
+**ubtu20cis_section1_patch**: CIS - Iniitial setup (Section 1) (Default: true)
+
+**ubtu20cis_section2_patch**: CIS - Services settings (Section 2) (Default: true)
+
+**ubtu20cis_section3_patch**: CIS - Network Configuration (Section 3) (Default: true)
+
+**ubtu20cis_section4_patch**: CIS - Logging and Auditing settings (Section 4) (Default: true)
+
+**ubtu20cis_section5_patch**: CIS - Access, Authentication and Authorization settings (Section 5) (Default: true)
+
+**ubtu20cis_section6_patch**: CIS - System Maintenance settings (Section 6) (Default: true) 
+
+
+##### Service variables:
+###### These control whether a server should or should not be allowed to continue to run these services
+
+```
+ubtu20cis_allow_autofs: false
+ubtu20cis_allow_usb_storage: false
+ubtu20cis_avahi_server: false
+ubtu20cis_cups_server: false
+ubtu20cis_dhcp_server: false
+ubtu20cis_ldap_server: false
+ubtu20cis_nfs_server: false
+ubtu20cis_dns_server: false
+ubtu20cis_vsftpd_server: false
+ubtu20cis_httpd_server: false
+ubtu20cis_dovecot_server: false
+ubtu20cis_smb_server: false
+ubtu20cis_squid_server: fase
+ubtu20cis_snmp_server: false
+ubtu20cis_rsync_server: false
+ubtu20cis_nis_server: false
+ubtu20cis_rpc_required: false
+```
+
+##### Client variables:
+###### These control whether a client should or should not be allowed to continue to run these services
+```
+ubtu20cis_nis_required: false
+ubtu20cis_rsh_required: false
+ubtu20cis_talk_required: false
+ubtu20cis_telnet_required: false
+ubtu20cis_ldap_clients_required: false
+ubtu20cis_is_router: false
+```
+
+##### IPv4 required
+`ubtu20cis_ipv4_required`
+
+##### IPv6 required
+`ubtu20cis_ipv6_required`
+
+##### X-Windows required
+`ubtu20cis_xwindows_required`
+
+##### Is system a container
+`ubtu20cis_system_is_container:`
+
+Dependencies
+------------
+
+Ansible > 2.6.5
+
+Example Playbook
+----------------
+
+This sample playbook should be run in a folder that is above the main UBUNTU-18-CIS folder.
+
+```
+- hosts: all
+  become: true
+  vars:
+      is_container: false
+
+  roles:
+
+      - role: "{{ playbook_dir }}"
+        ubtu20cis_skip_for_travis: false
+        ubtu20cis_oscap_scan: yes
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).
+```
+
+Tags
+----
+Many tags are available for precise control of what is and is not changed.
+
+Some examples of using tags:
+
+```
+    # Audit and patch the site
+    ansible-playbook site.yml --tags="patch"
+```