commit addda5895cf45a2dc9a118bc5dd0ccf9b614f85b Author: Mark Bolwell Date: Thu Sep 5 08:17:35 2024 +0100 initial v1.0.0 Signed-off-by: Mark Bolwell
diff --git a/.gitattributes b/.gitattributes new file mode 100644
index 0000000..b2daffb
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,6 @@
+# adding github settings to show correct language
+*.sh linguist-detectable=true
+*.yml linguist-detectable=true
+*.ps1 linguist-detectable=true
+*.j2 linguist-detectable=true
+*.md linguist-documentation
diff --git a/.gitignore b/.gitignore new file mode 100644
index 0000000..f889d9f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,45 @@
+.env
+*.log
+*.retry
+.cache
+.vagrant
+tests/*redhat-subscription
+tests/Dockerfile
+*.iso
+*.box
+packer_cache
+delete*
+ignore*
+# VSCode
+.vscode
+
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# DS_Store
+.DS_Store
+._*
+
+# Linux Editors
+*~
+\#*\#
+/.emacs.desktop
+/.emacs.desktop.lock
+.elc
+auto-save-list
+tramp
+.\#*
+*.swp
+*.swo
+rh-creds.env
+travis.env
+
+# Lockdown-specific
+benchparse/
+*xccdf.xml
+*.retry
+
+# GitHub Action/Workflow files
+.github/
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644
index 0000000..c3d4c41
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1,71 @@ +Contributing to MindPoint Group Projects +======================================== + +Rules +----- + +1) All commits must be GPG signed (details in Signing section) +2) All commits must have Signed-off-by (Signed-off-by: Joan Doe ) in the commit message (details in Signing section) +3) All work is done in your own branch or own fork +4) Pull requests + a) From within the repo: All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing + b) From a forked repo: All pull requests will go into a staging branch within the repo. There are automated checks for signed commits, signoff in commit message, and functional testing when going from staging to devel +5) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing) +6) Be open and nice to each other + +Workflow +-------- + +- Your work is done in your own individual branch. Make sure to to Signed-off and GPG sign all commits you intend to merge +- All community Pull Requests are into the devel branch. There are automated checks for GPG signed, Signed-off in commits, and functional tests before being approved. If your pull request comes in from outside of our repo, the pull request will go into a staging branch. There is info needed from our repo for our CI/CD testing. +- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release + +Signing your contribution +------------------------- + +We've chosen to use the Developer's Certificate of Origin (DCO) method +that is employed by the Linux Kernel Project, which provides a simple +way to contribute to MindPoint Group projects. 
+ +The process is to certify the below DCO 1.1 text +:: + + Developer's Certificate of Origin 1.1 + + By making a contribution to this project, I certify that: + + (a) The contribution was created in whole or in part by me and I + have the right to submit it under the open source license + indicated in the file; or + + (b) The contribution is based upon previous work that, to the best + of my knowledge, is covered under an appropriate open source + license and I have the right under that license to submit that + work with modifications, whether created in whole or in part + by me, under the same open source license (unless I am + permitted to submit under a different license), as indicated + in the file; or + + (c) The contribution was provided directly to me by some other + person who certified (a), (b) or (c) and I have not modified + it. + + (d) I understand and agree that this project and the contribution + are public and that a record of the contribution (including all + personal information I submit with it, including my sign-off) is + maintained indefinitely and may be redistributed consistent with + this project or the open source license(s) involved. +:: + +Then, when it comes time to submit a contribution, include the +following text in your contribution commit message: + +:: + + Signed-off-by: Joan Doe + +:: + +This message can be entered manually, or if you have configured git +with the correct `user.name` and `user.email`, you can use the `-s` +option to `git commit` to automatically include the signoff message. diff --git a/Changelog.md b/Changelog.md new file mode 100644 index 0000000..fe056b4 --- /dev/null +++ b/Changelog.md @@ -0,0 +1,3 @@ +# Changes to Ubuntu24-CIS-Audit + +## 0.9 - based upon CIS 1.0.0 - Initial diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..776daab --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 MindPoint Group
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md new file mode 100644
index 0000000..dedfd9d
--- /dev/null
+++ b/README.md
@@ -0,0 +1,139 @@ +# Ubuntu 24.04 Goss config + +## Overview + +### Based on CIS Ubuntu Linux 24.04 LTS Benchmark v1.0.0 [Release](https://downloads.cisecurity.org/#/) + +Set of configuration files and directories to run the first stages of CIS of Ubuntu 24.04 servers + +This is configured in a directory structure level. + +This could do with further testing but sections 1.x should be complete + +Goss is run based on the goss.yml file in the top level directory. This specifies the configuration. + +## variables + +file: vars/cis.yml + +Please refer to the file for all options and their meanings + +CIS listed variable for every control/benchmark can be turned on/off or section + +- other controls +enable_selinux +run_heavy_tasks + +- bespoke options +If a site has specific options e.g. password complexity these can also be set. + +## Requirements + +goss >= 0.4.4 +root privileges + +## Branches + +If running as part of the ansible playbook, this will pull in the relevant branch for the version of benchmark you are remediating. + +- e.g. v1.0.0 will pull in branch benchmark-v1.0.0 + +Devel is normally the latest benchmark version, so maybe different from the version of benchmark you wish to test. +Details will show in the README as to the benchmark for the version it is written for. + +## Usage + +You must have [goss](https://github.com/goss-org/goss/) available to your host you would like to test. + +- Run as root not sudo due to sudo and shared memory access + +Assuming you have already clone this repository you can run goss from where you wish. + +- full check + +```sh +# {{path to your goss binary}} --vars {{ path to the vars file }} -g {{path to your clone of this repo }}/goss.yml --validate + +``` + +example: + +```sh +# /usr/local/bin/goss --vars ../vars/cis.yml -g /home/bolly/rh8_cis_goss/goss.yml validate +......FF....FF................FF...F..FF.............F........................FSSSS.............FS.F.F.F.F.........FFFFF.... 
+ +Failures/Skipped: + +Title: 1.6.1 Ensure core dumps are restricted (Automated)_sysctl +Command: suid_dumpable_2: exit-status: +Expected + : 1 +to equal + : 0 +Command: suid_dumpable_2: stdout: patterns not found: [fs.suid_dumpable = 0] + + +Title: 1.4.2 Ensure filesystem integrity is regularly checked (Automated) +Service: aidecheck: enabled: +Expected + : false +to equal + : true +Service: aidecheck: running: +Expected + : false +to equal + : true + +< ---------cut ------- > + +Title: 1.1.22 Ensure sticky bit is set on all world-writable directories +Command: version: exit-status: +Expected + : 0 +to equal + : 123 + +Total Duration: 5.102s +Count: 124, Failed: 21, Skipped: 5 + +``` + +- running a particular section of tests + +```sh +# /usr/local/bin/goss -g /home/bolly/rh8_cis_goss/section_1/cis_1.1/cis_1.1.22.yml validate +............ + +Total Duration: 0.033s +Count: 12, Failed: 0, Skipped: 0 + +``` + +- changing the output + +```sh +# /usr/local/bin/goss -g /home/bolly/rh8_cis_goss/section_1/cis_1.1/cis_1.1.22.yml validate -f documentation +Title: 1.1.20 Check for removeable media nodev +Command: floppy_nodev: exit-status: matches expectation: [0] +Command: floppy_nodev: stdout: matches expectation: [OK] +< -------cut ------- > +Title: 1.1.20 Check for removeable media noexec +Command: floppy_noexec: exit-status: matches expectation: [0] +Command: floppy_noexec: stdout: matches expectation: [OK] + + +Total Duration: 0.022s +Count: 12, Failed: 0, Skipped: 0 +``` + +## Extra settings + +Ability to add your own requirements is available in several sections + +## further information + +- [goss documentation](https://github.com/goss-org/goss/blob/master/README.md) +- [CIS standards](https://www.cisecurity.org) + +## Feedback required diff --git a/goss.yml b/goss.yml new file mode 100644 index 0000000..ebe9a16 --- /dev/null +++ b/goss.yml 
@@ -0,0 +1,96 @@ +gossfile: +# Section 1 + {{ if .Vars.ubtu24cis_section1 }} + section_1/*/*.yml: {} + {{ end }} + + # Section 2 + {{ if .Vars.ubtu24cis_section2 }} + # Special Services + section_2/cis_2.1/*.yml: {} + # Client Service + section_2/cis_2.2/*.yml: {} + # Time services + section_2/cis_2.3/*.yml: {} + # scheduling services + section_2/cis_2.4/*.yml: {} + {{ end }} + +# Section 3 + {{ if .Vars.ubtu24cis_section3 }} + section_3/cis_3.1/*.yml: {} + section_3/cis_3.2/*.yml: {} + section_3/cis_3.3/*.yml: {} + {{ if .Vars.ubtu24cis_ipv6_required }} + section_3/cis_3.3/ipv6/*.yml: {} + {{ end }} + {{ end }} + +# Section 4 + {{ if .Vars.ubtu24cis_section4 }} + # If ufw firewall + {{ if eq .Vars.ubtu24cis_firewall_package "ufw" }} + section_4/cis_4.2/*.yml: {} + {{ end }} + # If nftables firewall + {{ if eq .Vars.ubtu24cis_firewall_package "nftables" }} + section_4/cis_4.3/*.yml: {} + {{ end }} + # If iptables firewall + {{ if eq .Vars.ubtu24cis_firewall_package "iptables" }} + section_4/cis_4.4/*.yml: {} + {{ end }} + {{ end }} + +# Section 5 + {{ if .Vars.ubtu24cis_section5 }} + section_5/*/*.yml: {} + {{ end }} + +# Section 6 + {{ if .Vars.ubtu24cis_section6 }} + # Journald + {{ if eq .Vars.ubtu24cis_syslog_service "journald" }} + section_6/cis_6.1.1.x/*.yml: {} + section_6/cis_6.1.2.x/*.yml: {} + {{ end }} + # Rsyslog + {{ if eq .Vars.ubtu24cis_syslog_service "rsyslog" }} + section_6/cis_6.1.3.*/*.yml: {} + {{ end }} + # logrotate + section_6/cis_6.1.4.*/*.yml: {} + # Auditd and level 2 + # Auditd + {{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_auditd }} + section_6/cis_6.2.*/*.yml: {} + {{ end }} + {{ end }} + # Aide + section_6/cis_6.3.*/*.yml: {} + {{ end }} + +# Section 7 + {{ if .Vars.ubtu24cis_section7 }} + section_7/cis_7.*/*.yml: {} + {{ end }} + +# Metadata +command: + benchmark_meta: + title: Benchmark MetaData + exec: echo BenchMark MetaData + exit-status: 0 + meta: + host_machine_uuid: {{ .Vars.machine_uuid }} + host_epoch: {{ 
.Vars.epoch }} + host_os_locale: {{ .Vars.os_locale }} + host_os_release: {{ .Vars.os_release }} + host_os_distribution: {{ .Vars.os_distribution }} + host_automation_group: {{ .Vars.auto_group }} + host_hostname: {{ .Vars.os_hostname }} + host_system_type: {{ .Vars.system_type }} + benchmark_type: {{ .Vars.benchmark_type }} + benchmark_version: {{ .Vars.benchmark_version }} + benchmark_os: {{ .Vars.benchmark_os }} diff --git a/run_audit.sh b/run_audit.sh new file mode 100755 index 0000000..2e2ab29 --- /dev/null +++ b/run_audit.sh 
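Review bot: The `meta` values under `benchmark_meta` are emitted as bare template substitutions, so a rendered `host_os_release: 24.04` (likewise `host_machine_uuid`, `host_hostname`, `host_epoch`) is typed by the YAML loader from what the text looks like rather than kept as a string — a release such as 24.10 would most likely come through as the number 24.1; quoting them, e.g. `host_os_release: "{{ .Vars.os_release }}"`, pins the type. In Section 4 nothing is included unless `ubtu24cis_firewall_package` is exactly `ufw`, `nftables` or `iptables`, so a misspelt or unset value silently skips the whole section with no failing check to show it; a comment above the block stating that, or an `{{ else }}` branch that includes a deliberately failing check, would surface the gap. `host_os_locale` is fed from `os_locale`, which run_audit.sh in this commit populates with `date +%Z` (a timezone abbreviation), so the key name overstates what it holds and deserves a comment or a rename on both sides.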
@@ -0,0 +1,213 @@ +#! /bin/bash +# script to run audit while populating local host data +# 13th Sept 2021 - Initial +# 9th Nov 2021 - Added root user check - more posix compliant for multiple OS types +# 10 Dec 2021 - Enhanced so more linux OS agnostic, less input required +# - added vars options for bespoke vars file +# - Ability to run as script from remediation role increased consistency +# 17 Dec 2021 - Added system_type variable - default Server will change to workstations with -w switch +# 02 Mar 2022 - Updated benchmark variable naming +# 06 Apr 2022 - Added format option in output inline with goss options e.g. json documentation this is for fault finding +# 03 May 2022 - update for audit variables improvement added by @pavloos - https://github.com/ansible-lockdown/RHEL8-CIS-Audit/pull/29 +# 10 Jun 2022 - added format output for different type - supports json,documentation or rspecish +# 04 Oct 2022 - Changed default content location to /opt +# 14 Sep 2023 - Tidyup of code, +# linting (thanks to @cf-sewe) +# Oracle included by default if RHEL family +# benchmark vars moved +# December 2023 Added goss version and testing +# April 2024 Updating of OS discovery to work for all supported OSs + +# Variables in upper case tend to be able to be adjusted +# lower case variables are discovered or built from other variables + +# Goss benchmark variables (these should not need changing unless new release) +BENCHMARK=CIS # Benchmark Name aligns to the audit +BENCHMARK_VER=2.0.0 +BENCHMARK_OS=UBUNTU24 + +# Goss host Variables +AUDIT_BIN="${AUDIT_BIN:-/usr/local/bin/goss}" # location of the goss executable +AUDIT_BIN_MIN_VER="0.4.4" +AUDIT_FILE="${AUDIT_FILE:-goss.yml}" # the default goss file used by the audit provided by the audit configuration +AUDIT_CONTENT_LOCATION="${AUDIT_CONTENT_LOCATION:-/opt}" # Location of the audit configuration file as available to the OS + +# help output +Help() +{ + # Display Help + echo "Script to run the goss audit" + echo + echo "Syntax: 
$0 [-f|-g|-o|-v|-w|-h]" + echo "options:" + echo "-f optional - change the format output (default value = json)" + echo "-g optional - Add a group that the server should be grouped with (default value = ungrouped)" + echo "-o optional - file to output audit data" + echo "-v optional - relative path to thevars file to load (default e.g. $AUDIT_CONTENT_LOCATION/RHEL7-$BENCHMARK/vars/$BENCHMARK.yml)" + echo "-w optional - Sets the system_type to workstation (Default - Server)" + echo "-h Print this Help." + echo +} + +# Default vars that can be set +host_system_type=Server + +## option statement +while getopts f:g:o:v::wh option; do + case "${option}" in + f ) FORMAT=${OPTARG} ;; + g ) GROUP=${OPTARG} ;; + o ) OUTFILE=${OPTARG} ;; + v ) VARS_PATH=${OPTARG} ;; + w ) host_system_type=Workstation ;; + h ) # display Help + Help + exit;; + ? ) # Invalid option + echo "Invalid option: -${OPTARG}." + Help + exit;; + esac +done + +#### Pre-Checks + +# check access need to run as root or privileges due to some configuration access +if [ "$(/usr/bin/id -u)" -ne 0 ]; then + echo "Script need to run with root privileges" + exit 1 +fi + +#### Main Script #### + +# Discover OS version aligning with audit +# Define os_vendor variable +if [ "$(uname -a | grep -c amzn)" -ge 1 ]; then + os_vendor="AMAZON" +elif [ "$(grep -Ec "rhel|oracle" /etc/os-release)" != 0 ]; then + os_vendor="RHEL" +else + os_vendor="$(hostnamectl | grep Oper | cut -d : -f2 | awk '{print toupper($1)}')" +fi + +os_maj_ver="$(grep -w VERSION_ID= /etc/os-release | awk -F\" '{print $2}' | cut -d '.' 
-f1)" +audit_content_version=$os_vendor$os_maj_ver-$BENCHMARK-Audit +audit_content_dir=$AUDIT_CONTENT_LOCATION/$audit_content_version +audit_vars=vars/${BENCHMARK}.yml + +# Set variable for format output +if [ -z "$FORMAT" ]; then + export format="json" +else + export format=$FORMAT +fi + +# Set variable for autogroup +if [ -z "$GROUP" ]; then + export host_auto_group="ungrouped" +else + export host_auto_group=$GROUP +fi + +# set default variable for varfile_path +if [ -z "$VARS_PATH" ]; then + export varfile_path=$audit_content_dir/$audit_vars +else + # Check -v exists fail if not + if [ -f "$VARS_PATH" ]; then + export varfile_path=$VARS_PATH + else + echo "passed option '-v' $VARS_PATH does not exist" + exit 1 + fi +fi + +## System variables captured for metadata + +host_machine_uuid="$(if [ -f /sys/class/dmi/id/product_uuid ]; then cat /sys/class/dmi/id/product_uuid; else dmidecode -s system-uuid; fi)" +host_epoch="$(date +%s)" +host_os_locale="$(date +%Z)" +host_os_name="$(grep "^NAME=" /etc/os-release | cut -d '"' -f2 | sed 's/ //' | cut -d' ' -f1)" +host_os_version="$(grep "^VERSION_ID=" /etc/os-release | cut -d '"' -f2)" +host_os_hostname="$(hostname)" + +## Set variable audit_out +if [ -z "$OUTFILE" ]; then + export audit_out=${AUDIT_CONTENT_LOCATION}/audit_${host_os_hostname}-${BENCHMARK}-${BENCHMARK_OS}_${host_epoch}.$format +else + export audit_out=${OUTFILE} +fi + +## Set the AUDIT json string +audit_json_vars='{"benchmark_type":"'"$BENCHMARK"'","benchmark_os":"'"$BENCHMARK_OS"'","benchmark_version":"'"$BENCHMARK_VER"'","machine_uuid":"'"$host_machine_uuid"'","epoch":"'"$host_epoch"'","os_locale":"'"$host_os_locale"'","os_release":"'"$host_os_version"'","os_distribution":"'"$host_os_name"'","os_hostname":"'"$host_os_hostname"'","auto_group":"'"$host_auto_group"'","system_type":"'"$host_system_type"'"}' + +## Run pre checks + +echo +echo "## Pre-Checks Start" +echo + +export FAILURE=0 +if [ -s "${AUDIT_BIN}" ]; then + echo "OK - Audit binary $AUDIT_BIN 
is available" + goss_installed_version="$($AUDIT_BIN -v | awk '{print $NF}' | cut -dv -f2)" + newer_version=$(echo -e "$goss_installed_version\n$AUDIT_BIN_MIN_VER" | sort -V | tail -n 1) + if [ "$goss_installed_version" = "$newer_version" ] || [ "$goss_installed_version" = "$AUDIT_BIN_MIN_VER" ]; then + echo "OK - Goss is installed and version is ok ($goss_installed_version >= $AUDIT_BIN_MIN_VER)" + else + echo "WARNING - Goss installed = ${goss_installed_version}, does not met minimum of ${AUDIT_BIN_MIN_VER}" + export FAILURE=2 + fi +else + echo "WARNING - The audit binary is not available at $AUDIT_BIN " + export FAILURE=1 +fi + +if [ -f "${audit_content_dir}/${AUDIT_FILE}" ]; then + echo "OK - ${audit_content_dir}/${AUDIT_FILE} is available" +else + echo "WARNING - the $audit_content_dir/$AUDIT_FILE is not available"; export FAILURE=3 +fi + +if [ "${FAILURE}" != 0 ]; then + echo "## Pre-checks failed please see output" + exit 1 +else + echo + echo "## Pre-checks Successful" + echo +fi + +# format output types +# json, rspecish = grep -A 4 \"summary\": $audit_out +# tap junit no output as no summary +# documentation = tail -2 $audit_out + +# defaults +output_summary="tail -2 $audit_out" +format_output="-f $format" + +if [ "$format" = json ]; then + format_output="-f json -o pretty" + output_summary='grep -A 4 \"summary\": $audit_out' +elif [ "$format" = junit ] || [ "$format" = tap ]; then + output_summary="" +fi + +## Run commands +echo "#############" +echo "Audit Started" +echo "#############" +echo +$AUDIT_BIN -g "$audit_content_dir/$AUDIT_FILE" --vars "$varfile_path" --vars-inline "$audit_json_vars" v $format_output > "$audit_out" + +# create screen output +if [ "$(grep -c $BENCHMARK "$audit_out")" != 0 ] || [ "$format" = junit ] || [ "$format" = tap ]; then + eval $output_summary + echo "Completed file can be found at $audit_out" + echo "###############" + echo "Audit Completed" + echo "###############" +else + echo -e "Fail: There were issues when running 
the audit please investigate $audit_out" +fi diff --git a/section_1/cis_1.1/cis_1.1.1.1.yml b/section_1/cis_1.1/cis_1.1.1.1.yml new file mode 100644 index 0000000..4daf319 --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.1.1.yml @@ -0,0 +1,39 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_1_1 }} +file: + cramfs_disabled: + title: 1.1.1.1 | Ensure cramfs kernel module is not available | modprobe + path: /etc/modprobe.d/CIS.conf + exists: true + contents: + - '/^install cramfs /bin/(true|false)/' + meta: + server: 1 + workstation: 1 + CIS_ID: 1.1.1.1 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + cramfs_blacklist: + title: 1.1.1.1 | Ensure cramfs kernel module is not available | blacklist + path: /etc/modprobe.d/blacklist.conf + exists: true + contents: + - '/^blacklist cramfs/' + meta: + server: 1 + workstation: 1 + CIS_ID: 1.1.1.1 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.1.2.yml b/section_1/cis_1.1/cis_1.1.1.2.yml new file mode 100644 index 0000000..9f8206e --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.1.2.yml 
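Review bot: `BENCHMARK_VER=2.0.0` disagrees with README.md and Changelog.md in the same commit, which state the content is based on CIS Ubuntu 24.04 v1.0.0, and this value is stamped into every audit output as `benchmark_version`; unless the benchmark really is 2.0.0 the line should read `BENCHMARK_VER=1.0.0`. Further down, `eval $output_summary` re-parses a string that embeds `$audit_out`, a path taken straight from `-o`, so a path containing spaces or shell metacharacters either breaks the summary or is interpreted by the shell; selecting the summary with a `case` on `$format` at the point of use removes the eval and keeps the path quoted (sketch below). The help text still names `RHEL7-$BENCHMARK` as the default vars location, and the invalid-option branch of the `getopts` loop ends in `exit;;`, i.e. status 0, which hides misuse from any caller — `exit 1` there.
```sh
# … unchanged: pre-checks, format_output selection and goss invocation (output_summary no longer needed) …
# create screen output
if [ "$(grep -c "$BENCHMARK" "$audit_out")" != 0 ] || [ "$format" = junit ] || [ "$format" = tap ]; then
    case "$format" in
        json)      grep -A 4 '"summary":' "$audit_out" ;;
        junit|tap) : ;;   # these formats carry no summary block
        *)         tail -2 "$audit_out" ;;
    esac
    echo "Completed file can be found at $audit_out"
    # … unchanged: completion banner and failure branch …
```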
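Review bot: Both checks pin the control to two specific files, `/etc/modprobe.d/CIS.conf` for the `install` line and `/etc/modprobe.d/blacklist.conf` for the `blacklist` line, so a host that carries the same directives in a differently named drop-in under `/etc/modprobe.d/` fails the audit although the module is in fact unavailable, and nothing verifies that the module is not currently loaded, which a modprobe rule on its own does not guarantee. cis_1.1.1.2.yml through cis_1.1.1.9.yml in this commit share the same shape. A comment above the `file` block such as `# Paths assume the drop-in names written by the remediation role; adjust if the directives live elsewhere` would make the assumption visible, and a `command` check that the module is absent from `lsmod` would cover the loaded state (sketch below).
```yaml
# … unchanged: file checks cramfs_disabled / cramfs_blacklist …
command:
  cramfs_not_loaded:
    title: 1.1.1.1 | Ensure cramfs kernel module is not available | not loaded
    exec: lsmod | grep -w cramfs
    exit-status: 1
    meta:
      # … same meta as the file checks above …
```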
@@ -0,0 +1,39 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_1_2 }} +file: + freevxfs_disabled: + title: 1.1.1.2 | Ensure freevxfs kernel module is not available | modprobe + path: /etc/modprobe.d/CIS.conf + exists: true + contents: + - '/^install freevxfs /bin/(true|false)/' + meta: + server: 1 + workstation: 1 + CIS_ID: 1.1.1.2 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + freevxfs_blacklist: + title: 1.1.1.2 | Ensure freevxfs kernel module is not available | blacklist + path: /etc/modprobe.d/blacklist.conf + exists: true + contents: + - '/^blacklist freevxfs/' + meta: + server: 1 + workstation: 1 + CIS_ID: 1.1.1.2 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.1.3.yml b/section_1/cis_1.1/cis_1.1.1.3.yml new file mode 100644 index 0000000..24105e6 --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.1.3.yml @@ -0,0 +1,39 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_1_3 }} +file: + hfs_disabled: + title: 1.1.1.3 | Ensure hfs kernel module is not available | modprobe + path: /etc/modprobe.d/CIS.conf + exists: true + contents: + - '/^install hfs /bin/(true|false)/' + meta: + server: 1 + workstation: 1 + CIS_ID: 1.1.1.3 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + hfs_blacklist: + title: 1.1.1.3 | Ensure hfs kernel module is not available | blacklist + path: /etc/modprobe.d/blacklist.conf + exists: true + contents: + - '/^blacklist hfs/' + meta: + server: 1 + workstation: 1 + CIS_ID: 1.1.1.3 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.1.4.yml b/section_1/cis_1.1/cis_1.1.1.4.yml new file mode 100644 index 0000000..972c7df --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.1.4.yml 
@@ -0,0 +1,39 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_1_4 }} +file: + hfsplus_disabled: + title: 1.1.1.4 | Ensure hfsplus kernel module is not available | modprobe + path: /etc/modprobe.d/CIS.conf + exists: true + contents: + - '/^install hfsplus /bin/(true|false)/' + meta: + server: 1 + workstation: 1 + CIS_ID: 1.1.1.4 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + hfsplus_blacklist: + title: 1.1.1.4 | Ensure hfsplus kernel module is not available | blacklist + path: /etc/modprobe.d/blacklist.conf + exists: true + contents: + - '/^blacklist hfsplus/' + meta: + server: 1 + workstation: 1 + CIS_ID: 1.1.1.4 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.1.5.yml b/section_1/cis_1.1/cis_1.1.1.5.yml new file mode 100644 index 0000000..d433a1c --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.1.5.yml @@ -0,0 +1,39 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_1_5 }} +file: + jffs2_disabled: + title: 1.1.1.5 | Ensure jffs2 kernel module is not available | modprobe + path: /etc/modprobe.d/CIS.conf + exists: true + contents: + - '/^install jffs2 /bin/(true|false)/' + meta: + server: 1 + workstation: 1 + CIS_ID: 1.1.1.5 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + jffs2_blacklist: + title: 1.1.1.5 | Ensure jffs2 kernel module is not available | blacklist + path: /etc/modprobe.d/blacklist.conf + exists: true + contents: + - '/^blacklist jffs2/' + meta: + server: 1 + workstation: 1 + CIS_ID: 1.1.1.5 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.1.6.yml b/section_1/cis_1.1/cis_1.1.1.6.yml new file mode 100644 index 0000000..d140c37 --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.1.6.yml 
@@ -0,0 +1,39 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_1_1_1_6 }} +file: + overlayfs_disabled: + title: 1.1.1.6 | Ensure overlayfs kernel module is not available | modprobe + path: /etc/modprobe.d/CIS.conf + exists: true + contents: + - '/^install overlayfs /bin/(true|false)/' + meta: + server: 2 + workstation: 2 + CIS_ID: 1.1.1.6 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + overlayfs_blacklist: + title: 1.1.1.6 | Ensure overlayfs kernel module is not available | blacklist + path: /etc/modprobe.d/blacklist.conf + exists: true + contents: + - '/^blacklist overlayfs/' + meta: + server: 2 + workstation: 2 + CIS_ID: 1.1.1.6 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.1.7.yml b/section_1/cis_1.1/cis_1.1.1.7.yml new file mode 100644 index 0000000..c1d5726 --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.1.7.yml @@ -0,0 +1,41 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if not .Vars.ubtu24cis_squashfs_required }} + {{ if .Vars.ubtu24cis_rule_1_1_1_7 }} +file: + squashfs_disabled: + title: 1.1.1.7 | Ensure squashfs kernel module is not available | modprobe + path: /etc/modprobe.d/CIS.conf + exists: true + contents: + - '/^install squashfs /bin/(true|false)/' + meta: + server: 2 + workstation: 2 + CIS_ID: 1.1.1.7 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + squashfs_blacklist: + title: 1.1.1.7 | Ensure squashfs kernel module is not available | blacklist + path: /etc/modprobe.d/blacklist.conf + exists: true + contents: + - '/^blacklist squashfs/' + meta: + server: 2 + workstation: 2 + CIS_ID: 1.1.1.7 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + {{ end }} + {{ end }} +{{ end }} 
diff --git a/section_1/cis_1.1/cis_1.1.1.8.yml b/section_1/cis_1.1/cis_1.1.1.8.yml new file mode 100644 index 0000000..d8c87c5 --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.1.8.yml @@ -0,0 +1,39 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_1_1_1_8 }} +file: + udf_disabled: + title: 1.1.1.8 | Ensure udf kernel module is not available | modprobe + path: /etc/modprobe.d/CIS.conf + exists: true + contents: + - '/^install udf /bin/(true|false)/' + meta: + server: 2 + workstation: 2 + CIS_ID: 1.1.1.8 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + udf_blacklist: + title: 1.1.1.8 | Ensure udf kernel module is not available | blacklist + path: /etc/modprobe.d/blacklist.conf + exists: true + contents: + - '/^blacklist udf/' + meta: + server: 2 + workstation: 2 + CIS_ID: 1.1.1.8 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.1.9.yml b/section_1/cis_1.1/cis_1.1.1.9.yml new file mode 100644 index 0000000..81af2bc --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.1.9.yml @@ -0,0 +1,39 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_1_9 }} +file: + usb-storage_disabled: + title: 1.1.1.9 | Ensure usb-storage kernel module is not available | modprobe + path: /etc/modprobe.d/CIS.conf + exists: true + contents: + - '/^install usb-storage /bin/(true|false)/' + meta: + server: 1 + workstation: 2 + CIS_ID: 1.1.1.9 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: SI-3 + usb-storage_blacklist: + title: 1.1.1.9 | Ensure usb-storage kernel module is not available | blacklist + path: /etc/modprobe.d/blacklist.conf + exists: true + contents: + - '/^blacklist usb-storage/' + meta: + server: 1 + workstation: 2 + CIS_ID: 1.1.1.9 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: SI-3 + {{ end }} +{{ end }} 
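Review bot: In cis_1.1.1.9.yml the include gate is `{{ if .Vars.ubtu24cis_level_1 }}` while the `meta` on both checks records `server: 1` and `workstation: 2`, so on a workstation this control is evaluated at level 1 even though the metadata classes it as level 2; the other level-2 files in this commit (cis_1.1.1.6 to cis_1.1.1.8) gate on `ubtu24cis_level_2` with matching meta. run_audit.sh already passes `system_type` into the vars, so the gate could take the profile into account, or the discrepancy could at least be stated above the gate, e.g. `# Level 1 on servers, level 2 on workstations; gate follows the server profile`. Which profile the gate is meant to follow is not visible here, so confirm the intent before changing it.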
diff --git a/section_1/cis_1.1/cis_1.1.2.1.1.yml b/section_1/cis_1.1/cis_1.1.2.1.1.yml new file mode 100644 index 0000000..a5e65ff --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.2.1.1.yml @@ -0,0 +1,21 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_2_1_1 }} +mount: + tmp_mount: + title: 1.1.2.1.1 | Ensure /tmp is a separate partition + mountpoint: /tmp + exists: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.1.1 + CISv8: 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.2.1.2_4.yml b/section_1/cis_1.1/cis_1.1.2.1.2_4.yml new file mode 100644 index 0000000..2fc3c42 --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.2.1.2_4.yml 
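Review bot: The `meta` shape here differs from the files that precede it: `CIS_ID` is a one-element list and `CISv8` a bare scalar, whereas cis_1.1.1.1.yml through cis_1.1.1.9.yml give `CIS_ID` as a scalar and `CISv8` as a list; cis_1.1.2.2.1.yml and cis_1.1.2.3.1.yml follow the shape used here. Anything that aggregates `meta` across the rendered checks has to cope with both forms for the same key, which is avoidable. Settle on one form, for instance `CIS_ID: 1.1.2.1.1` and a list for `CISv8`, and use it in every file.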
@@ -0,0 +1,66 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_2_1_1 }} +mount: + tmp_options: + title: | + 1.1.2.1.2 | Ensure nodev option set on /tmp partition + 1.1.2.1.3 | Ensure nosuid option set on /tmp partition + 1.1.2.1.4 | Ensure noexec option set on /tmp partition + mountpoint: /tmp + exists: true + opts: + {{ if .Vars.ubtu24cis_rule_1_1_2_1_2 }} + - nodev + {{ end }} + {{ if .Vars.ubtu24cis_rule_1_1_2_1_3 }} + - nosuid + {{ end }} + {{ if .Vars.ubtu24cis_rule_1_1_2_1_4 }} + - noexec + {{ end }} + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.1.2 + - 1.1.2.1.3 + - 1.1.2.1.4 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - AC-3 + - MP-2 +file: + tmp_fstab_options: + title: | + 1.1.2.1.2 | Ensure nodev option set on /tmp partition + 1.1.2.1.3 | Ensure nosuid option set on /tmp partition + 1.1.2.1.4 | Ensure noexec option set on /tmp partition + exists: true + path: /etc/fstab + contents: + - '/\s\/tmp.*{{ if .Vars.ubtu24cis_rule_1_1_2_1_2 }}nodev{{ end }}/' + - '/\s\/tmp.*{{ if .Vars.ubtu24cis_rule_1_1_2_1_3 }}nosuid{{ end }}.*/' + - '/\s\/tmp.*{{ if .Vars.ubtu24cis_rule_1_1_2_1_4 }}noexec{{ end }}.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.1.2 + - 1.1.2.1.3 + - 1.1.2.1.4 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.2.2.1.yml b/section_1/cis_1.1/cis_1.1.2.2.1.yml new file mode 100644 index 0000000..1e2e714 --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.2.2.1.yml 
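Review bot: The outer gate `{{ if .Vars.ubtu24cis_rule_1_1_2_1_1 }}` belongs to the separate-partition control, so turning 1.1.2.1.1 off in the vars file also silently drops the nodev/nosuid/noexec checks for 1.1.2.1.2 to 1.1.2.1.4 even when those three variables are true; cis_1.1.2.2.2_4.yml and cis_1.1.2.3.2_4.yml carry the same gate. Gating on the rules the file actually implements, `{{ if or .Vars.ubtu24cis_rule_1_1_2_1_2 .Vars.ubtu24cis_rule_1_1_2_1_3 .Vars.ubtu24cis_rule_1_1_2_1_4 }}`, keeps them independent of 1.1.2.1.1. The `tmp_fstab_options` check requires an `/etc/fstab` entry for `/tmp`; if a host mounts `/tmp` through a systemd unit instead, the `mount` check passes but this one fails, which is worth confirming against the configurations the benchmark accepts and stating in a comment above the check. The first `contents` pattern also lacks the trailing `.*` the other two carry — harmless for matching, but one form should be used.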
@@ -0,0 +1,22 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_2_2_1 }} +mount: + dev_shm_mount: + title: 1.1.2.2.1 | Ensure /dev/shm is a separate partition + mountpoint: /dev/shm + filesystem: tmpfs + exists: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.2.1 + CISv8: 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.2.2.2_4.yml b/section_1/cis_1.1/cis_1.1.2.2.2_4.yml new file mode 100644 index 0000000..dd0fd21 --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.2.2.2_4.yml 
@@ -0,0 +1,66 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_2_2_1 }} +mount: + dev_shm_options: + title: | + 1.1.2.2.2 | Ensure nodev option set on /dev/shm partition + 1.1.2.2.3 | Ensure nosuid option set on /dev/shm partition + 1.1.2.2.4 | Ensure noexec option set on /dev/shm partition + mountpoint: /dev/shm + exists: true + opts: + {{ if .Vars.ubtu24cis_rule_1_1_2_2_2 }} + - nodev + {{ end }} + {{ if .Vars.ubtu24cis_rule_1_1_2_2_3 }} + - nosuid + {{ end }} + {{ if .Vars.ubtu24cis_rule_1_1_2_2_4 }} + - noexec + {{ end }} + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.2.2 + - 1.1.2.2.3 + - 1.1.2.2.4 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - AC-3 + - MP-2 +file: + dev_shm_fstab_options: + title: | + 1.1.2.2.2 | Ensure nodev option set on /dev/shm partition + 1.1.2.2.3 | Ensure nosuid option set on /dev/shm partition + 1.1.2.2.4 | Ensure noexec option set on /dev/shm partition + exists: true + path: /etc/fstab + contents: + - '/\s\/dev\/shm.*{{ if .Vars.ubtu24cis_rule_1_1_2_2_2 }}nodev{{ end }}/' + - '/\s\/dev\/shm.*{{ if .Vars.ubtu24cis_rule_1_1_2_2_3 }}nosuid{{ end }}.*/' + - '/\s\/dev\/shm.*{{ if .Vars.ubtu24cis_rule_1_1_2_2_4 }}noexec{{ end }}.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.2.2 + - 1.1.2.2.3 + - 1.1.2.2.4 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.2.3.1.yml b/section_1/cis_1.1/cis_1.1.2.3.1.yml new file mode 100644 index 0000000..8b62e7a --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.2.3.1.yml 
@@ -0,0 +1,21 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_2_3_1 }} +mount: + home_mount: + title: 1.1.2.3.1 | Ensure separate partition exists for /home + mountpoint: /home + exists: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.3.1 + CISv8: 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.2.3.2_4.yml b/section_1/cis_1.1/cis_1.1.2.3.2_4.yml new file mode 100644 index 0000000..8737809 --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.2.3.2_4.yml @@ -0,0 +1,58 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_2_3_1 }} +mount: + home_options: + title: | + 1.1.2.3.2 | Ensure nodev option set on /home partition + 1.1.2.3.3 | Ensure nosuid option set on /home partition + mountpoint: /home + exists: true + opts: + {{ if .Vars.ubtu24cis_rule_1_1_2_3_2 }} + - nodev + {{ end }} + {{ if .Vars.ubtu24cis_rule_1_1_2_3_3 }} + - nosuid + {{ end }} + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.3.2 + - 1.1.2.3.3 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - AC-3 + - MP-2 +file: + home_fstab_options: + title: | + 1.1.2.3.2 | Ensure nodev option set on /home partition + 1.1.2.3.3 | Ensure nosuid option set on /home partition + exists: true + path: /etc/fstab + contents: + - '/\s\/home.*{{ if .Vars.ubtu24cis_rule_1_1_2_3_2 }}nodev{{ end }}/' + - '/\s\/home.*{{ if .Vars.ubtu24cis_rule_1_1_2_3_3 }}nosuid{{ end }}.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.3.2 + - 1.1.2.3.3 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.2.4.1.yml b/section_1/cis_1.1/cis_1.1.2.4.1.yml new file mode 100644 index 0000000..51556bd --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.2.4.1.yml 
@@ -0,0 +1,21 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_2_4_1 }} +mount: + var_mount: + title: 1.1.2.4.1 | Ensure separate partition exists for /var + mountpoint: /var + exists: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.4.1 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.2.4.2_3.yml b/section_1/cis_1.1/cis_1.1.2.4.2_3.yml new file mode 100644 index 0000000..f5dd3cc --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.2.4.2_3.yml @@ -0,0 +1,58 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_2_4_1 }} +mount: + var_options: + title: | + 1.1.2.4.2 | Ensure nodev option set on /var partition + 1.1.2.4.3 | Ensure nosuid option set on /var partition + mountpoint: '/var' + exists: true + opts: + {{ if .Vars.ubtu24cis_rule_1_1_2_4_2 }} + - nodev + {{ end }} + {{ if .Vars.ubtu24cis_rule_1_1_2_4_3 }} + - nosuid + {{ end }} + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.4.2 + - 1.1.2.4.3 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - AC-3 + - MP-2 +file: + var_fstab_options: + title: | + 1.1.2.4.2 | Ensure nodev option set on /var partition + 1.1.2.4.3 | Ensure nosuid option set on /var partition + exists: true + path: /etc/fstab + contents: + - '/\s\/var\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_4_2 }}nodev{{ end }}/' + - '/\s\/var\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_4_3 }}nosuid{{ end }}.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.4.2 + - 1.1.2.4.3 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.2.5.1.yml b/section_1/cis_1.1/cis_1.1.2.5.1.yml new file mode 100644 index 0000000..7bf219b --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.2.5.1.yml 
@@ -0,0 +1,21 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_2_5_1 }} +mount: + var_tmp_mount: + title: 1.1.2.5.1 | Ensure separate partition exists for /var/tmp + mountpoint: /var/tmp + exists: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.5.1 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R4: CM-7 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.2.5.2_4.yml b/section_1/cis_1.1/cis_1.1.2.5.2_4.yml new file mode 100644 index 0000000..6067e7e --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.2.5.2_4.yml 
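Review bot: The meta block of `var_tmp_mount` uses the key `NIST800-53R4` where every other resource in this commit uses `NIST800-53R5`, so anything that aggregates findings on that key will miss this control. `NIST800-53R5: CM-7` restores the consistent mapping.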
@@ -0,0 +1,66 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_2_5_1 }} +mount: + var_tmp_options: + title: | + 1.1.2.5.2 | Ensure nodev option set on /var/tmp partition + 1.1.2.5.3 | Ensure nosuid option set on /var/tmp partition + 1.1.2.5.4 | Ensure noexec option set on /var/tmp partition + mountpoint: '/var/tmp' + exists: true + opts: + {{ if .Vars.ubtu24cis_rule_1_1_2_5_2 }} + - nodev + {{ end }} + {{ if .Vars.ubtu24cis_rule_1_1_2_5_3 }} + - nosuid + {{ end }} + {{ if .Vars.ubtu24cis_rule_1_1_2_5_4 }} + - noexec + {{ end }} + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.5.2 + - 1.1.2.5.3 + - 1.1.2.5.4 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - AC-3 + - MP-2 +file: + var_tmp_fstab_options: + title: | + 1.1.2.5.2 | Ensure nodev option set on /var/tmp partition + 1.1.2.5.3 | Ensure nosuid option set on /var/tmp partition + 1.1.2.5.4 | Ensure noexec option set on /var/tmp partition + exists: true + path: /etc/fstab + contents: + - '/\s\/var\/tmp\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_5_2 }}nodev{{ end }}/' + - '/\s\/var\/tmp\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_5_3 }}nosuid{{ end }}.*/' + - '/\s\/var\/tmp\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_5_4 }}noexec{{ end }}.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.5.2 + - 1.1.2.5.3 + - 1.1.2.5.4 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.2.6.1.yml b/section_1/cis_1.1/cis_1.1.2.6.1.yml new file mode 100644 index 0000000..2e29610 --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.2.6.1.yml 
@@ -0,0 +1,21 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_2_6_1 }} +mount: + var_log_mount: + title: 1.1.2.6.1 | Ensure separate partition exists for /var/log + mountpoint: /var/log + exists: true + meta: + server: 2 + workstation: 2 + CIS_ID: + - 1.1.2.6.1 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.2.6.2_4.yml b/section_1/cis_1.1/cis_1.1.2.6.2_4.yml new file mode 100644 index 0000000..1029cc8 --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.2.6.2_4.yml 
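Review bot: `var_log_mount` is gated on `{{ if .Vars.ubtu24cis_level_1 }}` while its meta records `server: 2` / `workstation: 2`, so if those values denote the benchmark level as they do elsewhere in the commit, the control runs on level-1 hosts the metadata says it does not apply to. cis_1.3.1.4.yml gates its level-2 control on `{{ if .Vars.ubtu24cis_level_2 }}`; the outer condition here should presumably be the same, or the meta corrected to 1. cis_1.1.2.7.1.yml (`var_log_audit_mount`) has the same mismatch.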
@@ -0,0 +1,66 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_2_6_1 }} +mount: + var_log_options: + title: | + 1.1.2.6.2 | Ensure nodev option set on /var/log partition + 1.1.2.6.3 | Ensure nosuid option set on /var/log partition + 1.1.2.6.4 | Ensure noexec option set on /var/log partition + mountpoint: '/var/log' + exists: true + opts: + {{ if .Vars.ubtu24cis_rule_1_1_2_6_2 }} + - nodev + {{ end }} + {{ if .Vars.ubtu24cis_rule_1_1_2_6_3 }} + - nosuid + {{ end }} + {{ if .Vars.ubtu24cis_rule_1_1_2_6_4 }} + - noexec + {{ end }} + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.6.2 + - 1.1.2.6.3 + - 1.1.2.6.4 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - AC-3 + - MP-2 +file: + var_log_fstab_options: + title: | + 1.1.2.6.2 | Ensure nodev option set on /var/log partition + 1.1.2.6.3 | Ensure nosuid option set on /var/log partition + 1.1.2.6.4 | Ensure noexec option set on /var/log partition + exists: true + path: /etc/fstab + contents: + - '/\s\/var\/log\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_6_2 }}nodev{{ end }}/' + - '/\s\/var\/log\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_6_3 }}nosuid{{ end }}.*/' + - '/\s\/var\/log\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_6_4 }}noexec{{ end }}.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.6.2 + - 1.1.2.6.3 + - 1.1.2.6.4 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.2.7.1.yml b/section_1/cis_1.1/cis_1.1.2.7.1.yml new file mode 100644 index 0000000..fe0ac17 --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.2.7.1.yml 
@@ -0,0 +1,21 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_2_7_1 }} +mount: + var_log_audit_mount: + title: 1.1.2.7.1 | Ensure separate partition exists for /var/log/audit + mountpoint: /var/log/audit + exists: true + meta: + server: 2 + workstation: 2 + CIS_ID: + - 1.1.2.7.1 + CISv8: 8.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.2.7.2_4.yml b/section_1/cis_1.1/cis_1.1.2.7.2_4.yml new file mode 100644 index 0000000..2bf61ca --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.2.7.2_4.yml 
@@ -0,0 +1,66 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_2_7_1 }} +mount: + var_log_audit_options: + title: | + 1.1.2.7.2 | Ensure nodev option set on /var/log/audit partition + 1.1.2.7.3 | Ensure nosuid option set on /var/log/audit partition + 1.1.2.7.4 | Ensure noexec option set on /var/log/audit partition + mountpoint: '/var/log/audit' + exists: true + opts: + {{ if .Vars.ubtu24cis_rule_1_1_2_7_2 }} + - nodev + {{ end }} + {{ if .Vars.ubtu24cis_rule_1_1_2_7_3 }} + - nosuid + {{ end }} + {{ if .Vars.ubtu24cis_rule_1_1_2_7_4 }} + - noexec + {{ end }} + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.7.2 + - 1.1.2.7.3 + - 1.1.2.7.4 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - AC-3 + - MP-2 +file: + var_log_audit_fstab_options: + title: | + 1.1.2.7.2 | Ensure nodev option set on /var/log/audit partition + 1.1.2.7.3 | Ensure nosuid option set on /var/log/audit partition + 1.1.2.7.4 | Ensure noexec option set on /var/log/audit partition + exists: true + path: /etc/fstab + contents: + - '/\s\/var\/log\/audit\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_7_2 }}nodev{{ end }}/' + - '/\s\/var\/log\/audit\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_7_3 }}nosuid{{ end }}.*/' + - '/\s\/var\/log\/audit\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_7_4 }}noexec{{ end }}.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.7.2 + - 1.1.2.7.3 + - 1.1.2.7.4 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.2.1/cis_1.2.1.1.yml b/section_1/cis_1.2.1/cis_1.2.1.1.yml new file mode 100644 index 0000000..6203568 --- /dev/null +++ b/section_1/cis_1.2.1/cis_1.2.1.1.yml 
@@ -0,0 +1,27 @@ +--- + +{{ if .Vars.run_heavy_tests }} + {{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_2_1_1 }} +command: + gpg_keys_list: + title: 1.2.1.1 | Ensure GPG keys are configured | Manual + exit-status: 0 + exec: echo "MANUAL - Please check manually for gpg keys" + stdout: + - '!/^MANUAL.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.2.1.1 + CISv8: + - 7.3 + - 7.4 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: SI-2 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_1/cis_1.2.1/cis_1.2.1.2.yml b/section_1/cis_1.2.1/cis_1.2.1.2.yml new file mode 100644 index 0000000..fa37d8a --- /dev/null +++ b/section_1/cis_1.2.1/cis_1.2.1.2.yml @@ -0,0 +1,22 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_2_1_2}} +command: + gpg_configd: + title: 1.2.1.2 | Ensure package manager repositories are configured | Manual + exec: echo "MANUAL - Please check manually that repositories are configured as expected" + exit-status: 0 + stdout: + - '!/^MANUAL.*/' + meta: + server: 1 + workstation: 2 + CIS_ID: 1.2.1.2 + CISv8: 7.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: SI-2 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.2.2/cis_1.2.2.1.yml b/section_1/cis_1.2.2/cis_1.2.2.1.yml new file mode 100644 index 0000000..ea02980 --- /dev/null +++ b/section_1/cis_1.2.2/cis_1.2.2.1.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_2_2_1 }} +command: + check_updates: + title: 1.2.2.1 | Ensure updates, patches, and additional security software are installed + exec: apt update | tail -1 + exit-status: 0 + timeout: {{ .Vars.timeout_ms }} + stdout: + - '!/^[1-9]{0,4}$ packages can be upgraded/' + - '/^All packages are up to date/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.2.2.1 + CISv8: 7.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: SI-2 + {{ end }} +{{ end }} 
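Review bot: In `check_updates` (cis_1.2.2.1.yml) the negative pattern `'!/^[1-9]{0,4}$ packages can be upgraded/'` can never match, because `$` asserts end-of-line before the literal ` packages`, so the only effective assertion is the positive `All packages are up to date` line; `[1-9]{0,4}` would also reject any count containing a zero, such as 10. `'!/^[0-9]+ packages? can be upgraded/'` expresses the intent. Separately, `apt update` rewrites the package lists on disk and needs network access, which is a side effect an audit normally avoids; a read-only query of the already-downloaded state (for example `apt list --upgradable`) would be preferable, with the stdout patterns adjusted to its output.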
diff --git a/section_1/cis_1.3.1/cis_1.3.1.1.yml b/section_1/cis_1.3.1/cis_1.3.1.1.yml new file mode 100644 index 0000000..ee116d2 --- /dev/null +++ b/section_1/cis_1.3.1/cis_1.3.1.1.yml @@ -0,0 +1,21 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_3_1_1 }} +package: + apparmor: + title: 1.3.1.1 | Ensure AppArmor is installed + installed: true + name: apparmor + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.3.1.1 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: AC-3 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.3.1/cis_1.3.1.2.yml b/section_1/cis_1.3.1/cis_1.3.1.2.yml new file mode 100644 index 0000000..bee2a01 --- /dev/null +++ b/section_1/cis_1.3.1/cis_1.3.1.2.yml @@ -0,0 +1,43 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_3_1_2 }} +file: + apparmor_boot_grub: + title: 1.3.1.2 | Ensure AppArmor is enabled in the bootloader configuration | running grub + path: /boot/grub/grub.cfg + exists: true + contents: + - '/apparmor=1/' + - '/security=apparmor/' + - '!/apparmor=0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.3.1.2 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: AC-3 + grub_app_armor: + title: 1.3.1.2 | Ensure AppArmor is enabled in the bootloader configuration | default grub + exists: true + path: /etc/default/grub + contents: + - '/^GRUB_CMDLINE_LINUX.*apparmor=1/' + - '/^GRUB_CMDLINE_LINUX.*security=apparmor/' + - '!/apparmor=0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.3.1.2 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: AC-3 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.3.1/cis_1.3.1.3.yml b/section_1/cis_1.3.1/cis_1.3.1.3.yml new file mode 100644 index 0000000..8241107 --- /dev/null +++ b/section_1/cis_1.3.1/cis_1.3.1.3.yml 
@@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} +{{ if not .Vars.ubtu24cis_apparmor_disable }} + {{ if .Vars.ubtu24cis_rule_1_3_1_3 }} +command: + apparmor_enf_or_comp: + title: 1.3.1.3 | Ensure all AppArmor Profiles are in enforce or complain mode | profile + exec: LOADED=`apparmor_status | grep 'profiles are loaded' | awk '{print $1}'` && ENFORCE=`apparmor_status | grep 'profiles are in enforce mode.' | awk '{print $1}'` && COMPLAIN=`apparmor_status | grep 'profiles are in complain mode.' | awk '{print $1}'` && if [ $((LOADED + COMPLAIN)) != "$ENFORCE" ]; then echo "Profiles Error";fi + exit-status: 0 + stdout: + - '!/Profiles Error/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.3.1.3 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: AC-3 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_1/cis_1.3.1/cis_1.3.1.4.yml b/section_1/cis_1.3.1/cis_1.3.1.4.yml new file mode 100644 index 0000000..87eb40b --- /dev/null +++ b/section_1/cis_1.3.1/cis_1.3.1.4.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} +{{ if not .Vars.ubtu24cis_apparmor_disable }} + {{ if .Vars.ubtu24cis_rule_1_3_1_4 }} +command: + apparmor_enf_only: + title: 1.3.1.4 | Ensure all AppArmor Profiles are enforcing + exec: if [ `apparmor_status | grep 'profiles are in complain mode.' | awk '{print $1}'` == 0 ]; then echo "Not Enforcing" ;fi + exit-status: 0 + stdout: + - '!/Not Enforcing/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 1.3.1.4 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: AC-3 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_1/cis_1.4/cis_1.4.1.yml b/section_1/cis_1.4/cis_1.4.1.yml new file mode 100644 index 0000000..dd81d5e --- /dev/null +++ b/section_1/cis_1.4/cis_1.4.1.yml 
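Review bot: The arithmetic in `apparmor_enf_or_comp` (cis_1.3.1.3.yml) is inverted: it prints `Profiles Error` unless `LOADED + COMPLAIN == ENFORCE`, which is false whenever any profile is in complain mode, even though the title accepts complain mode as compliant. The condition the title describes is `if [ $((ENFORCE + COMPLAIN)) != "$LOADED" ]; then echo "Profiles Error"; fi`. With that change an empty result from `apparmor_status` (tool missing, wording changed) still reports an error rather than passing silently, which is the safer failure mode.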
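Review bot: The test in `apparmor_enf_only` (cis_1.3.1.4.yml) is inverted: it prints `Not Enforcing` when the complain-mode count is `0`, which is exactly the compliant state, so fully enforcing hosts fail and hosts with complain-mode profiles pass. The comparison should be against a non-zero count, and `==` inside `[ ]` is not portable to a POSIX `sh` that `exec` may run under; `exec: if [ "$(apparmor_status | grep 'profiles are in complain mode.' | awk '{print $1}')" != "0" ]; then echo "Not Enforcing"; fi` fixes both and also fails closed when `apparmor_status` produces no output.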
@@ -0,0 +1,24 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_4_1 }} +file: + bootloader_password_set: + title: 1.4.1 | Ensure bootloader password is set + path: /etc/grub.d/00_user + exists: true + contents: + - '/set superusers="{{ .Vars.ubtu24cis_grub_user }}"/' + - '/password_pbkdf2 {{ .Vars.ubtu24cis_grub_user }} {{ .Vars.ubtu24cis_bootloader_password_hash }}/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.4.1 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: AC-3 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.4/cis_1.4.2.yml b/section_1/cis_1.4/cis_1.4.2.yml new file mode 100644 index 0000000..0d77bed --- /dev/null +++ b/section_1/cis_1.4/cis_1.4.2.yml @@ -0,0 +1,27 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_4_2 }} +file: + default_grub_perms: + title: 1.4.2 | Ensure access to bootloader if configured + exists: true + path: /boot/grub/grub.cfg + owner: root + group: root + mode: + or: + - "0400" + - "0600" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.4.2 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: AC-3 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.5/cis_1.5.1.yml b/section_1/cis_1.5/cis_1.5.1.yml new file mode 100644 index 0000000..6d7dc0f --- /dev/null +++ b/section_1/cis_1.5/cis_1.5.1.yml 
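Review bot: `bootloader_password_set` (cis_1.4.1.yml) only inspects the template `/etc/grub.d/00_user`, so a host where the file was edited but `update-grub` was never run passes even though the running bootloader has no password; a second content check on `/boot/grub/grub.cfg` for `'/^set superusers=/'` and `'/^password_pbkdf2 /'` would confirm the setting is actually in effect. Note also that `{{ .Vars.ubtu24cis_bootloader_password_hash }}` is interpolated into a regex unescaped, so the `.` separators in the hash act as wildcards; harmless for a pass/fail on presence, but worth a comment in the file so nobody tightens it into an exact match by accident.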
@@ -0,0 +1,40 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_5_1 }} +kernel-param: + kernel.randomize_va_space: + title: 1.5.1 | Ensure address space layout randomization (ASLR) is enabled | sysctl_live + value: '2' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.5.1 + CISv8: 10.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-6 +command: + aslr_enabled_2: + title: 1.5.1 | Ensure address space layout randomization (ASLR) is enabled | sysctl_configured + exit-status: + or: + - 0 + - 2 + exec: 'grep "^kernel\.randomize_va_space" /etc/sysctl.conf /etc/sysctl.d/* | cut -d ":" -f2' + stdout: + - '/kernel.randomize_va_space(\s|)=(\s|)2/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.5.1 + CISv8: 10.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-6 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.5/cis_1.5.2.yml b/section_1/cis_1.5/cis_1.5.2.yml new file mode 100644 index 0000000..7f80d99 --- /dev/null +++ b/section_1/cis_1.5/cis_1.5.2.yml @@ -0,0 +1,40 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_5_2 }} +kernel-param: + kernel.yama.ptrace_scope: + title: 1.5.2 | Ensure ptrace_scope is restricted | sysctl_live + value: '1' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.5.1 + CISv8: 10.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-6 +command: + ptrace_restrict_2: + title: 1.5.1 | Ensure ptrace_scope is restricted | sysctl_configured + exit-status: + or: + - 0 + - 2 + exec: 'grep "^kernel\.yama.ptrace_scope" /etc/sysctl.conf /etc/sysctl.d/* | cut -d ":" -f2' + stdout: + - '/kernel.yama.ptrace_scope\s*=\s*1/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.5.1 + CISv8: 10.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-6 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.5/cis_1.5.3.yml b/section_1/cis_1.5/cis_1.5.3.yml new file mode 100644 index 0000000..36313bf --- /dev/null 
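Review bot: Both meta blocks in cis_1.5.2.yml list `CIS_ID: - 1.5.1`, and the second title reads `1.5.1 | Ensure ptrace_scope is restricted | sysctl_configured`, evidently copied from cis_1.5.1.yml; these should be `1.5.2` so reports attribute the finding to the right control. Also, `value: '1'` and the `\s*=\s*1` pattern accept only 1; if the benchmark wording admits the stricter values 2 and 3 as well, `'/kernel.yama.ptrace_scope\s*=\s*[1-3]/'` (and a matching kernel-param expectation) avoids failing hosts that are more locked down than required — please confirm against the benchmark text.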
+++ b/section_1/cis_1.5/cis_1.5.3.yml @@ -0,0 +1,94 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_5_3 }} +command: + core_dumps_limits: + title: 1.5.3 | Ensure core dumps are restricted | security/limits.conf + exit-status: + or: + - 0 + - 2 + exec: 'grep -E "\*.*hard.*core.*0" /etc/security/limits.conf /etc/security/limits.d/*' + stdout: + - '/^\/*.*\shard.*core.*0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.5.3 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + Mitre_Techniques: + - T1005 + - T1005.000 + Mitre_Tactics: TA0007 + Mitre_Mitigations: NA + suid_dumpable_2: + title: 1.5.3 | Ensure core dumps are restricted | sysctl.conf + exit-status: 0 + exec: 'grep "fs\.suid_dumpable" /etc/sysctl.conf /etc/sysctl.d/*' + stdout: + - fs.suid_dumpable=0 + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.5.3 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: CM-6 +kernel-param: + fs.suid_dumpable: + title: 1.5.3 | Ensure core dumps are restricted | kernel_sysctl + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.5.3 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: CM-6 +service: + coredump: + title: 1.5.3 | Ensure core dumps are restricted | coredump service + enabled: false + running: false + skip: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.5.3 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: CM-6 +file: + coredump_restricted_conf: + title: 1.5.3 | Ensure core dumps are restricted | coredump.conf + exists: true + path: /etc/systemd/coredump.conf + contents: + - '/^Storage=none/' + - '/^ProcessSizeMax=0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.5.3 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: CM-6 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.5/cis_1.5.4.yml b/section_1/cis_1.5/cis_1.5.4.yml new file mode 100644 index 0000000..100825d --- /dev/null 
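Review bot: `suid_dumpable_2` matches the plain string `fs.suid_dumpable=0`, which is a substring test, so a commented `#fs.suid_dumpable=0` passes while the equally valid `fs.suid_dumpable = 0` fails. A pattern of the same shape as the other sysctl checks in this commit, `'/^[^#]*fs\.suid_dumpable\s*=\s*0/'`, handles both. I also cannot tell from the diff which systemd unit the `service: coredump:` entry is meant to target; if no unit of that exact name exists, `enabled: false` / `running: false` is satisfied vacuously, so the unit name should be verified on a host where core dumps are enabled to make sure the check can actually fail.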
+++ b/section_1/cis_1.5/cis_1.5.4.yml @@ -0,0 +1,23 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_5_4 }} +package: + prelink: + title: 1.5.4 | Ensure prelink is not installed + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.5.4 + CISv8: 3.14 + CISv8_IG1: false + CISv8_IG2: false + CISv8_IG3: true + NIST800-53R5: + - CM-6 + - CM-1 + - CM-3 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.5/cis_1.5.5.yml b/section_1/cis_1.5/cis_1.5.5.yml new file mode 100644 index 0000000..22d97d2 --- /dev/null +++ b/section_1/cis_1.5/cis_1.5.5.yml @@ -0,0 +1,36 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_5_5 }} +package: + apport: + title: 1.5.5 | Ensure Automatic Error Reporting is not enabled | Package + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.5.5 + CISv8: 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true +file: + error_report_apport_disable: + title: 1.5.5 | Ensure Automatic Error Reporting is not enabled | disabled + exists: true + path: /etc/default/apport + contents: + - 'enabled=0' + - '!/enabled=1/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.5.5 + CISv8: 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_1/cis_1.6/cis_1.6.1.yml b/section_1/cis_1.6/cis_1.6.1.yml new file mode 100644 index 0000000..568412c --- /dev/null +++ b/section_1/cis_1.6/cis_1.6.1.yml 
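Review bot: The two checks in cis_1.5.5.yml can contradict each other: `apport` requires the package to be absent, yet `error_report_apport_disable` requires `/etc/default/apport` to exist with `enabled=0`, and on a host where the package was purged that file is normally gone, so the rule fails in the compliant state. If the intent is "removed or disabled", the file check should be conditional on a variable selecting that remediation (the way `ubtu24cis_disable_dynamic_motd` switches checks in cis_1.6.1.yml), with the package check under the opposite branch. Unrelated, `'enabled=0'` is a substring match that `#enabled=0` also satisfies; `'/^enabled=0/'` pins an active setting.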
@@ -0,0 +1,69 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_6_1 }} +file: + etc_motd_content: + title: 1.6.1 | Ensure message of the day is configured properly | motd file correct + path: /etc/motd + exists: true + contents: + - {{ .Vars.ubtu24cis_warning_banner }} + - '!/(\\v|\\r|\\m|\\s)/' + - '!/\/etc\/os-release/' + - '!/(?i)ubuntu/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.6.1 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: + - CM-6 + - CM-1 + - CM-3 +{{ if .Vars.ubtu24cis_disable_dynamic_motd }} + disable_dyn_motd: + title: 1.6.1 | Ensure message of the day is configured properly | stop dynamic load + path: /etc/pam.d/sshd + exists: true + contents: + - '/#\s*session\s+optional\s+pam_motd.so\s+motd=/run/motd.dynamic/' + - '/#\s*session\s+optional\s+pam_motd.so noupdate/' + - '!/^session\s+optional\s+pam_motd.so noupdate/' + - '!/^session\s+optional\s+pam_motd.so\s+motd=/run/motd.dynamic/' +{{ end }} +{{ if not .Vars.ubtu24cis_disable_dynamic_motd }} +command: + check_motd_files: + title: 1.6.1 | Ensure message of the day is configured properly | dynamic motd files + exec: "grep -Eis \"(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/\"//g'))\" /etc/update-motd.d/*" + exit-status: + or: + - 0 + - 1 + - 2 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.6.1 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + Mitre_Techniques: + - T1082 + - T1082.000 + - T1592 + - T1592.004 + Mitre_Tactics: TA0007 + Mitre_Mitigations: NA + {{ end }} + {{ end }} +{{ end }} diff --git a/section_1/cis_1.6/cis_1.6.2.yml b/section_1/cis_1.6/cis_1.6.2.yml new file mode 100644 index 0000000..9fb2d52 --- /dev/null +++ b/section_1/cis_1.6/cis_1.6.2.yml 
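Review bot: `disable_dyn_motd` is the only resource in this commit without a `meta` block, so it will be missing from any report that groups on `CIS_ID`; it should carry the same meta as `etc_motd_content` (CIS_ID 1.6.1). Also, `- {{ .Vars.ubtu24cis_warning_banner }}` is inserted into the YAML list unquoted, so a banner containing `:`, `#`, or a leading special character breaks the parse of the whole file; `- '{{ .Vars.ubtu24cis_warning_banner }}'` is safe as long as the banner contains no single quotes, which is worth stating in the variable's documentation.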
@@ -0,0 +1,29 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_6_2 }} +command: + local_login_banner: + title: 1.6.2 | Ensure local login warning banner is configured properly + exec: grep -Eis "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/issue + exit-status: + or: + - 0 + - 1 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.6.2 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: + - CM-6 + - CM-1 + - CM-3 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.6/cis_1.6.3.yml b/section_1/cis_1.6/cis_1.6.3.yml new file mode 100644 index 0000000..7ee64c8 --- /dev/null +++ b/section_1/cis_1.6/cis_1.6.3.yml @@ -0,0 +1,29 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_6_3 }} +command: + cremote_login_banner: + title: 1.6.3 | Ensure remote login warning banner is configured properly + exec: grep -Eis "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/issue.net + exit-status: + or: + - 0 + - 1 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.6.3 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: + - CM-6 + - CM-1 + - CM-3 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.6/cis_1.6.4.yml b/section_1/cis_1.6/cis_1.6.4.yml new file mode 100644 index 0000000..cfcef1e --- /dev/null +++ b/section_1/cis_1.6/cis_1.6.4.yml 
@@ -0,0 +1,26 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_6_4 }} +exec: + motd_permissions: + title: 1.6.4 | Ensure access to /etc/motd is configured + exec: FILE=/etc/motd && if [ -f $FILE ]; then PERMS=`stat -c '%U %G %a' $FILE`; if [ "$PERMS" != "root root 644" ]; then echo "Permissions Incorrect"; fi; fi + exit-status: 0 + stdout: + - '!/^Permissions Incorrect/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.6.4 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-6 + - CM-1 + - CM-3 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.6/cis_1.6.5.yml b/section_1/cis_1.6/cis_1.6.5.yml new file mode 100644 index 0000000..1d72c2e --- /dev/null +++ b/section_1/cis_1.6/cis_1.6.5.yml @@ -0,0 +1,27 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_6_5 }} +file: + etc_issue_perms: + title: 1.6.5 | Ensure acces to /etc/issue is configured + exists: true + path: /etc/issue + owner: root + group: root + mode: '0644' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.6.5 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-6 + - CM-1 + - CM-3 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.6/cis_1.6.6.yml b/section_1/cis_1.6/cis_1.6.6.yml new file mode 100644 index 0000000..c53fb87 --- /dev/null +++ b/section_1/cis_1.6/cis_1.6.6.yml @@ -0,0 +1,27 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_6_6 }} +file: + etc_issue_net_perms: + title: 1.6.6 | Ensure access to /etc/issue.net is configured + path: /etc/issue.net + exists: true + owner: root + group: root + mode: '0644' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.6.6 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-6 + - CM-1 + - CM-3 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.7/cis_1.7.1.yml b/section_1/cis_1.7/cis_1.7.1.yml new file mode 100644 index 0000000..3c34df8 --- /dev/null 
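Review bot: `motd_permissions` (cis_1.6.4.yml) is declared under a top-level `exec:` key, but the goss resource type is `command:` — every other shell check in this commit uses `command:` with `exec:` as a field inside it — so this file is either rejected as an unknown resource or never evaluated. Change the outer key to `command:` and keep the inner `exec:` line. The `stat` comparison also accepts only `root root 644`; if the benchmark wording is "644 or more restrictive", a `600` /etc/motd wrongly fails here, and the fixed `mode: '0644'` in cis_1.6.5.yml and cis_1.6.6.yml has the same limitation (cis_1.4.2.yml's `mode: or:` list shows the accepted form).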
+++ b/section_1/cis_1.7/cis_1.7.1.yml @@ -0,0 +1,22 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if not .Vars.ubtu24cis_desktop_required }} + {{ if .Vars.ubtu24cis_rule_1_7_1 }} +package: + gdm3: + title: 1.7.1 | Ensure GNOME Display Manager is removed + installed: false + meta: + server: 2 + workstation: NA + CIS_ID: + - 1.7.1 + CISv8: 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-11 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_1/cis_1.7/cis_1.7.10.yml b/section_1/cis_1.7/cis_1.7.10.yml new file mode 100644 index 0000000..1f2bcbc --- /dev/null +++ b/section_1/cis_1.7/cis_1.7.10.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_desktop_required }} + {{ if .Vars.ubtu24cis_rule_1_7_10 }} +file: + gdm_xdcmp: + title: 1.7.10 | Ensure XDCMP is not enabled + path: /etc/gdm3/custom.conf + exists: true + contents: + - '!/^Enable=true/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.7.10 + CISv8: 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: SI-4 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_1/cis_1.7/cis_1.7.2.yml b/section_1/cis_1.7/cis_1.7.2.yml new file mode 100644 index 0000000..c1af958 --- /dev/null +++ b/section_1/cis_1.7/cis_1.7.2.yml @@ -0,0 +1,32 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_desktop_required }} + {{ if .Vars.ubtu24cis_rule_1_7_2 }} +file: + gdm_banner: + title: 1.7.2 | Ensure GDM login banner is configured + path: /etc/gdm3/greeter.dconf-defaults + exists: true + contents: + - '/^[org/gnome/login-screen]/' + - '/^banner-message-enable=true/' + - '/^banner-message-text='{{ .Vars.ubtu24cis_warning_banner }}'/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.7.2 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} + {{ end }} +{{ end }} 
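Review bot: `'/^[org/gnome/login-screen]/'` in `gdm_banner` (cis_1.7.2.yml) is a regex whose brackets form a character class, so it matches any line beginning with one of the characters `o`, `r`, `g`, `/`, `n`, … rather than the literal section header; escape the brackets, `'/^\[org\/gnome\/login-screen\]/'`. The next line, `'/^banner-message-text='{{ .Vars.ubtu24cis_warning_banner }}'/'`, places bare single quotes inside a single-quoted YAML scalar, which ends the string early and makes the file unparseable; double them (`''…''`) or switch the outer quotes to double quotes. The same unescaped section-header class appears in cis_1.7.4.yml, cis_1.7.6.yml and cis_1.7.8.yml.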
diff --git a/section_1/cis_1.7/cis_1.7.3.yml b/section_1/cis_1.7/cis_1.7.3.yml new file mode 100644 index 0000000..4ee46fa --- /dev/null +++ b/section_1/cis_1.7/cis_1.7.3.yml @@ -0,0 +1,31 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_desktop_required }} + {{ if .Vars.ubtu24cis_rule_1_7_3 }} +command: + gdm_disable_user: + title: 1.7.3 | Ensure disable-user-list is enabled + exec: grep -E "^disable-user-list" /etc/gdm3/greeter.dconf-defaults + exit-status: 0 + stdout: + - '/^disable-user-list=true/' + - '!/^disable-user-list=false/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.7.3 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_1/cis_1.7/cis_1.7.4.yml b/section_1/cis_1.7/cis_1.7.4.yml new file mode 100644 index 0000000..399ef33 --- /dev/null +++ b/section_1/cis_1.7/cis_1.7.4.yml @@ -0,0 +1,27 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_desktop_required }} + {{ if .Vars.ubtu24cis_rule_1_7_4 }} +file: + gdm_screensaver: + title: 1.7.4 | Ensure GDM screen locks when the user is idle + path: /etc/dconf/db/local.d/00-screensaver + exists: true + contents: + - '/^[org/gnome/desktop/session]/' + - '/^idle-delay=uint32 (1|[1-9]|[1-7][0-9]{1,2}|900)$/' + - '/^lock-delay=uint32 [0-5]$/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.7.4 + CISv8: 4.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} + {{ end }} +{{ end }} diff --git a/section_1/cis_1.7/cis_1.7.5.yml b/section_1/cis_1.7/cis_1.7.5.yml new file mode 100644 index 0000000..6216638 --- /dev/null +++ b/section_1/cis_1.7/cis_1.7.5.yml 
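Review bot: The `idle-delay` pattern `(1|[1-9]|[1-7][0-9]{1,2}|900)` in `gdm_screensaver` (cis_1.7.4.yml) accepts 1–799 and 900 but rejects 800–899, which are valid if the requirement is "900 seconds or less and not 0"; the `1` alternative is also redundant with `[1-9]`. `'/^idle-delay=uint32 ([1-9]|[1-9][0-9]|[1-8][0-9]{2}|900)$/'` covers exactly 1–900.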
@@ -0,0 +1,26 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_desktop_required }}
+ {{ if .Vars.ubtu24cis_rule_1_7_5 }}
+file:
+ screensaver_lock_file:
+ title: 1.7.5 | Ensure GDM screen locks cannot be overridden
+ path: /etc/dconf/db/local.d/locks/00-screensave_lock
+ exists: true
+ contents:
+ - '^\/org\/gnome\/desktop\/session\/idle-delay/'
+ - '^/\/org\/gnome\/desktop\/screensaver\/lock-delay/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 1.7.5
+ CISv8: 4.3
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: CM-11
+ {{ end }}
+ {{ end }}
+{{ end }}
diff --git a/section_1/cis_1.7/cis_1.7.6.yml b/section_1/cis_1.7/cis_1.7.6.yml
new file mode 100644
index 0000000..48ab163
--- /dev/null
+++ b/section_1/cis_1.7/cis_1.7.6.yml
@@ -0,0 +1,32 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_desktop_required }}
+ {{ if .Vars.ubtu24cis_rule_1_7_6 }}
+file:
+ gnome_automount_disable:
+ title: 1.7.6 | Ensure GDM automatic mounting of removable media is disabled
+ path: /etc/dconf/db/local.d/00-media-automount
+ exists: true
+ contents:
+ - '/^[org/gnome/desktop/media-handling]/'
+ - '/^automount=false/'
+ - '/^automount-open=false/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 1.7.6
+ CISv8: 10.3
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+ {{ end }}
+ {{ end }}
+{{ end }}
diff --git a/section_1/cis_1.7/cis_1.7.7.yml b/section_1/cis_1.7/cis_1.7.7.yml
new file mode 100644
index 0000000..82f3dc0
--- /dev/null
+++ b/section_1/cis_1.7/cis_1.7.7.yml
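Review bot: The two `contents` patterns in cis_1.7.5.yml begin with `^` rather than `/`, so goss treats them as literal substrings (backslashes included) instead of regular expressions; neither line of the lock file can ever contain that text, so the control fails on a correctly locked host. They should read `'/^\/org\/gnome\/desktop\/session\/idle-delay/'` and `'/^\/org\/gnome\/desktop\/screensaver\/lock-delay/'`. The same `'^/\/...'` form is used in cis_1.7.7.yml and cis_1.7.9.yml and needs the same fix.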
@@ -0,0 +1,31 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_desktop_required }}
+ {{ if .Vars.ubtu24cis_rule_1_7_7 }}
+file:
+ gnome_automount_lock:
+ title: 1.7.7 | Ensure GDM disabling automatic mounting of removable media is not overridden
+ path: /etc/dconf/db/local.d/locks/00-automount_lock
+ exists: true
+ contents:
+ - '^/\/org\/gnome\/desktop\/media-handling\/automount/'
+ - '^/\/org\/gnome\/desktop\/media-handling\/automount-open/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 1.7.7
+ CISv8: NA
+ CISv8_IG1: NA
+ CISv8_IG2: NA
+ CISv8_IG3: NA
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+ {{ end }}
+ {{ end }}
+{{ end }}
diff --git a/section_1/cis_1.7/cis_1.7.8.yml b/section_1/cis_1.7/cis_1.7.8.yml
new file mode 100644
index 0000000..38c7ca6
--- /dev/null
+++ b/section_1/cis_1.7/cis_1.7.8.yml
@@ -0,0 +1,31 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_desktop_required }}
+ {{ if .Vars.ubtu24cis_rule_1_7_8 }}
+file:
+ gdm_autorun_never:
+ title: 1.7.8 | Ensure GDM autorun-never is enabled
+ path: /etc/dconf/db/local.d/00-media-autorun
+ exists: true
+ contents:
+ - '/^[org/gnome/desktop/media-handling]/'
+ - '/^autrun-never=true/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 1.7.8
+ CISv8: 10.3
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+ {{ end }}
+ {{ end }}
+{{ end }}
diff --git a/section_1/cis_1.7/cis_1.7.9.yml b/section_1/cis_1.7/cis_1.7.9.yml
new file mode 100644
index 0000000..1152cbf
--- /dev/null
+++ b/section_1/cis_1.7/cis_1.7.9.yml
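Review bot: `'/^autrun-never=true/'` in cis_1.7.8.yml misspells the dconf key, so a correctly configured `autorun-never=true` never matches and the control fails on every compliant host; it should be `'/^autorun-never=true/'`. The lock pattern in cis_1.7.9.yml on the next line spells `autorun-never` correctly, which makes the mismatch easy to confirm.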
@@ -0,0 +1,30 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_desktop_required }}
+ {{ if .Vars.ubtu24cis_rule_1_7_9 }}
+file:
+ gdm_autorun_lock:
+ title: 1.7.9 | Ensure GDM autorun-never is not overridden
+ path: /etc/dconf/db/local.d/locks/00-autorun_lock
+ exists: true
+ contents:
+ - '^/\/org\/gnome\/desktop\/media-handling\/autorun-never/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 1.7.9
+ CISv8: 10.3
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+ {{ end }}
+ {{ end }}
+{{ end }}
diff --git a/section_2/cis_2.1/cis_2.1.1.yml b/section_2/cis_2.1/cis_2.1.1.yml
new file mode 100644
index 0000000..b1662c6
--- /dev/null
+++ b/section_2/cis_2.1/cis_2.1.1.yml
@@ -0,0 +1,50 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_2_1_1 }}
+ {{ if not .Vars.ubtu24cis_autofs_services }}
+ {{ if not .Vars.ubtu24cis_autofs_mask }}
+package:
+ autofs_pkg:
+ title: 2.1.1 | Ensure autofs services are not in use | pkg removed
+ name: autofs
+ installed: false
+ meta:
+ server: 1
+ workstation: 2
+ CIS_ID:
+ - 2.1.1
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - SI-3
+ - MP-7
+ {{ end }}
+ {{ if .Vars.ubtu24cis_autofs_mask }}
+file:
+ autofs_masked:
+ title: 2.1.1 | Ensure autofs services are not in use | masked
+ path: /etc/systemd/system/autofs.service
+ exists: true
+ filetype: symlink
+ linked-to: /dev/null
+ meta:
+ server: 1
+ workstation: 2
+ CIS_ID:
+ - 2.1.1
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - SI-3
+ - MP-7
+ {{ end }}
+ {{ end }}
+ {{ end }}
+{{ end }}
diff --git a/section_2/cis_2.1/cis_2.1.10.yml b/section_2/cis_2.1/cis_2.1.10.yml
new file mode 100644
index 0000000..4200b27
--- /dev/null
+++ b/section_2/cis_2.1/cis_2.1.10.yml
@@ -0,0 +1,48 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_2_1_10 }}
+ {{ if not .Vars.ubtu24cis_nis_server }}
+ {{ if not .Vars.ubtu24cis_nis_mask }}
+package:
+ ypserv_pkg:
+ title: 2.1.10 | Ensure nis server services are not in use | pkg removed
+ name: ypserv
+ installed: false
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.10
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+ {{ end }}
+ {{ if .Vars.ubtu24cis_nis_mask }}
+file:
+ ypserv_service_masked:
+ title: 2.1.10 | Ensure nis server services are not in use | masked
+ path: /etc/systemd/system/ypserv-server.service
+ exists: true
+ filetype: symlink
+ linked-to: /dev/null
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.10
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+ {{ end }}
+ {{ end }}
+ {{ end }}
+{{ end }}
diff --git a/section_2/cis_2.1/cis_2.1.11.yml b/section_2/cis_2.1/cis_2.1.11.yml
new file mode 100644
index 0000000..f9c87a7
--- /dev/null
+++ b/section_2/cis_2.1/cis_2.1.11.yml
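Review bot: The masked-unit path in cis_2.1.10.yml is `/etc/systemd/system/ypserv-server.service`, but the unit the ypserv package ships and the benchmark remediation masks is, as far as I know, `ypserv.service`; a host masked per the remediation has no `ypserv-server.service` link and this check fails. The `_pkg` entry in the same file uses `name: ypserv`, so the service path is the outlier — confirm the unit name on a 24.04 image and change `path` to `/etc/systemd/system/ypserv.service`.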
@@ -0,0 +1,66 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_2_1_11 }}
+ {{ if not .Vars.ubtu24cis_print_server }}
+ {{ if not .Vars.ubtu24cis_print_mask }}
+package:
+ cups_pkg:
+ title: 2.1.11 | Ensure print server services are not in use | pkg removed
+ name: cups
+ installed: false
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.11
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+ {{ end }}
+ {{ if .Vars.ubtu24cis_print_mask }}
+file:
+ cups_service_masked:
+ title: 2.1.11 | Ensure print server services are not in use | masked
+ path: /etc/systemd/system/cups.service
+ exists: true
+ filetype: symlink
+ linked-to: /dev/null
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.11
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+ cups_socket_masked:
+ title: 2.1.11 | Ensure print server services are not in use | masked
+ path: /etc/systemd/system/cups.socket
+ exists: true
+ filetype: symlink
+ linked-to: /dev/null
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.11
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+ {{ end }}
+ {{ end }}
+ {{ end }}
+{{ end }}
diff --git a/section_2/cis_2.1/cis_2.1.12.yml b/section_2/cis_2.1/cis_2.1.12.yml
new file mode 100644
index 0000000..4b6c659
--- /dev/null
+++ b/section_2/cis_2.1/cis_2.1.12.yml
@@ -0,0 +1,69 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_2_1_12 }}
+ {{ if not .Vars.ubtu24cis_rpc_server }}
+ {{ if not .Vars.ubtu24cis_rpc_mask }}
+package:
+ rpcbind_pkg:
+ title: 2.1.12 | Ensure rpcbind services are not in use | pkg removed
+ name: rpcbind
+ installed: false
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.12
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-6
+ - CM-7
+ {{ end }}
+ {{ if .Vars.ubtu24cis_rpc_mask }}
+file:
+ rpcbind_service_masked:
+ title: 2.1.12 | Ensure rpc services are not in use | masked
+ path: /etc/systemd/system/rpcbind.service
+ exists: true
+ filetype: symlink
+ linked-to: /dev/null
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.12
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-6
+ - CM-7
+ rpcbind_socket_masked:
+ title: 2.1.12 | Ensure rpc services are not in use | masked
+ path: /etc/systemd/system/rpcbind.socket
+ exists: true
+ filetype: symlink
+ linked-to: /dev/null
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.12
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-6
+ - CM-7
+ {{ end }}
+ {{ end }}
+ {{ end }}
+{{ end }}
diff --git a/section_2/cis_2.1/cis_2.1.13.yml b/section_2/cis_2.1/cis_2.1.13.yml
new file mode 100644
index 0000000..851ef47
--- /dev/null
+++ b/section_2/cis_2.1/cis_2.1.13.yml
@@ -0,0 +1,50 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_2_1_13 }}
+ {{ if not .Vars.ubtu24cis_rsync_server }}
+ {{ if not .Vars.ubtu24cis_rsync_mask }}
+package:
+ rsync_pkg:
+ title: 2.1.13 | Ensure rsync services are not in use | pkg removed
+ name: rsync
+ installed: false
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.13
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-6
+ - CM-7
+ {{ end }}
+ {{ if .Vars.ubtu24cis_rsync_mask }}
+file:
+ rsync_service_masked:
+ title: 2.1.13 | Ensure rsync services are not in use | masked
+ path: /etc/systemd/system/rsync.service
+ exists: true
+ filetype: symlink
+ linked-to: /dev/null
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.13
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-6
+ - CM-7
+ {{ end }}
+ {{ end }}
+ {{ end }}
+{{ end }}
diff --git a/section_2/cis_2.1/cis_2.1.14.yml b/section_2/cis_2.1/cis_2.1.14.yml
new file mode 100644
index 0000000..b77f880
--- /dev/null
+++ b/section_2/cis_2.1/cis_2.1.14.yml
@@ -0,0 +1,50 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_2_1_14 }}
+ {{ if not .Vars.ubtu24cis_samba_server }}
+ {{ if not .Vars.ubtu24cis_samba_mask }}
+package:
+ samba_pkg:
+ title: 2.1.14 | Ensure samba file server services are not in use | pkg removed
+ name: samba
+ installed: false
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.14
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-6
+ - CM-7
+ {{ end }}
+ {{ if .Vars.ubtu24cis_samba_mask }}
+file:
+ samba_service_masked:
+ title: 2.1.14 | Ensure samba server services are not in use | masked
+ path: /etc/systemd/system/smbd.service
+ exists: true
+ filetype: symlink
+ linked-to: /dev/null
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.14
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-6
+ - CM-7
+ {{ end }}
+ {{ end }}
+ {{ end }}
+{{ end }}
diff --git a/section_2/cis_2.1/cis_2.1.15.yml b/section_2/cis_2.1/cis_2.1.15.yml
new file mode 100644
index 0000000..03bc1b3
--- /dev/null
+++ b/section_2/cis_2.1/cis_2.1.15.yml
@@ -0,0 +1,48 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_2_1_15 }}
+ {{ if not .Vars.ubtu24cis_snmp_server }}
+ {{ if not .Vars.ubtu24cis_snmp_mask }}
+package:
+ snmp_pkg:
+ title: 2.1.15 | Ensure snmp services are not in use | pkg removed
+ name: snmpd
+ installed: false
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.15
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+ {{ end }}
+ {{ if .Vars.ubtu24cis_snmp_mask }}
+file:
+ snmp_service_masked:
+ title: 2.1.15 | Ensure snmp services are not in use | masked
+ path: /etc/systemd/system/snmpd.service
+ exists: true
+ filetype: symlink
+ linked-to: /dev/null
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.15
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+ {{ end }}
+ {{ end }}
+ {{ end }}
+{{ end }}
diff --git a/section_2/cis_2.1/cis_2.1.16.yml b/section_2/cis_2.1/cis_2.1.16.yml
new file mode 100644
index 0000000..8a228a6
--- /dev/null
+++ b/section_2/cis_2.1/cis_2.1.16.yml
@@ -0,0 +1,66 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_2_1_16 }}
+ {{ if not .Vars.ubtu24cis_tftp_server }}
+ {{ if not .Vars.ubtu24cis_tftp_mask }}
+package:
+ tftp_pkg:
+ title: 2.1.16 | Ensure tftp server services are not in use | pkg removed
+ name: tftpd-hpa
+ installed: false
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.16
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+ {{ end }}
+ {{ if .Vars.ubtu24cis_tftp_mask }}
+file:
+ tftp_service_masked:
+ title: 2.1.16 | Ensure tftp server services are not in use | masked
+ path: /etc/systemd/system/tftpd-hpa.service
+ exists: true
+ filetype: symlink
+ linked-to: /dev/null
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.16
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+ tftp_socket_masked:
+ title: 2.1.16 | Ensure tftp server services are not in use | masked
+ path: /etc/systemd/system/tftp.socket
+ exists: true
+ filetype: symlink
+ linked-to: /dev/null
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.16
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+ {{ end }}
+ {{ end }}
+ {{ end }}
+{{ end }}
diff --git a/section_2/cis_2.1/cis_2.1.17.yml b/section_2/cis_2.1/cis_2.1.17.yml
new file mode 100644
index 0000000..33ab739
--- /dev/null
+++ b/section_2/cis_2.1/cis_2.1.17.yml
@@ -0,0 +1,50 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_2_1_17 }}
+ {{ if not .Vars.ubtu24cis_squid_server }}
+ {{ if not .Vars.ubtu24cis_squid_mask }}
+package:
+ squid_pkg:
+ title: 2.1.17 | Ensure web proxy server services are not in use | pkg removed
+ name: squid
+ installed: false
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.17
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-6
+ - CM-7
+ {{ end }}
+ {{ if .Vars.ubtu24cis_squid_mask }}
+file:
+ squid_service_masked:
+ title: 2.1.17 | Ensure web proxy server services are not in use | masked
+ path: /etc/systemd/system/squid.service
+ exists: true
+ filetype: symlink
+ linked-to: /dev/null
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.17
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-6
+ - CM-7
+ {{ end }}
+ {{ end }}
+ {{ end }}
+{{ end }}
diff --git a/section_2/cis_2.1/cis_2.1.18_apache2.yml b/section_2/cis_2.1/cis_2.1.18_apache2.yml
new file mode 100644
index 0000000..2c0d1c2
--- /dev/null
+++ b/section_2/cis_2.1/cis_2.1.18_apache2.yml
@@ -0,0 +1,66 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_2_1_18 }}
+ {{ if not .Vars.ubtu24cis_apache2_server }}
+ {{ if not .Vars.ubtu24cis_apache2_mask }}
+package:
+ apache2_pkg:
+ title: 2.1.18 | Ensure web server services are not in use | pkg removed
+ name: apache2
+ installed: false
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.18
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+ {{ end }}
+ {{ if .Vars.ubtu24cis_apache2_mask }}
+file:
+ apache2_service_masked:
+ title: 2.1.18 | Ensure web server services are not in use | masked
+ path: /etc/systemd/system/apache2.service
+ exists: true
+ filetype: symlink
+ linked-to: /dev/null
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.18
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+ apache2_socket_masked:
+ title: 2.1.18 | Ensure web server services are not in use | masked
+ path: /etc/systemd/system/apache2.socket
+ exists: true
+ filetype: symlink
+ linked-to: /dev/null
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.18
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+ {{ end }}
+ {{ end }}
+ {{ end }}
+{{ end }}
diff --git a/section_2/cis_2.1/cis_2.1.18_nginx.yml b/section_2/cis_2.1/cis_2.1.18_nginx.yml
new file mode 100644
index 0000000..943d5c2
--- /dev/null
+++ b/section_2/cis_2.1/cis_2.1.18_nginx.yml
@@ -0,0 +1,48 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_2_1_18 }}
+ {{ if not .Vars.ubtu24cis_nginx_server }}
+ {{ if not .Vars.ubtu24cis_nginx_mask }}
+package:
+ nginx_pkg:
+ title: 2.1.18 | Ensure web server services are not in use | pkg removed
+ name: nginx
+ installed: false
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.18
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+ {{ end }}
+ {{ if .Vars.ubtu24cis_nginx_mask }}
+file:
+ nginx_service_masked:
+ title: 2.1.18 | Ensure web server services are not in use | masked
+ path: /etc/systemd/system/nginx.service
+ exists: true
+ filetype: symlink
+ linked-to: /dev/null
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.18
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+ {{ end }}
+ {{ end }}
+ {{ end }}
+{{ end }}
diff --git a/section_2/cis_2.1/cis_2.1.19.yml b/section_2/cis_2.1/cis_2.1.19.yml
new file mode 100644
index 0000000..85b7127
--- /dev/null
+++ b/section_2/cis_2.1/cis_2.1.19.yml
@@ -0,0 +1,48 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_2_1_19 }}
+ {{ if not .Vars.ubtu24cis_xinetd_server }}
+ {{ if not .Vars.ubtu24cis_xinetd_mask }}
+package:
+ xinetd_pkg:
+ title: 2.1.19 | Ensure xinetd services are not in use | pkg removed
+ name: xinetd
+ installed: false
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.19
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+ {{ end }}
+ {{ if .Vars.ubtu24cis_xinetd_mask }}
+file:
+ xinetd_service_masked:
+ title: 2.1.19 | Ensure xinetd services are not in use | masked
+ path: /etc/systemd/system/xinetd.service
+ exists: true
+ filetype: symlink
+ linked-to: /dev/null
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.19
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+ {{ end }}
+ {{ end }}
+ {{ end }}
+{{ end }}
diff --git a/section_2/cis_2.1/cis_2.1.2.yml b/section_2/cis_2.1/cis_2.1.2.yml
new file mode 100644
index 0000000..0aacb59
--- /dev/null
+++ b/section_2/cis_2.1/cis_2.1.2.yml
@@ -0,0 +1,66 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_2_1_2 }}
+ {{ if not .Vars.ubtu24cis_avahi_server }}
+ {{ if not .Vars.ubtu24cis_avahi_mask }}
+package:
+ avahi_pkg:
+ title: 2.1.2 | Ensure avahi daemon services are not in use | pkg removed
+ name: avahi
+ installed: false
+ meta:
+ server: 1
+ workstation: 2
+ CIS_ID:
+ - 2.1.2
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - SI-4
+ {{ end }}
+ {{ if .Vars.ubtu24cis_avahi_mask }}
+file:
+ avahi_socket_masked:
+ title: 2.1.2 | Ensure avahi daemon services are not in use | masked
+ path: /etc/systemd/system/avahi-daemon.socket
+ exists: true
+ filetype: symlink
+ linked-to: /dev/null
+ meta:
+ server: 1
+ workstation: 2
+ CIS_ID:
+ - 2.1.2
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - SI-4
+ avahi_service_masked:
+ title: 2.1.2 | Ensure avahi daemon services are not in use | masked
+ path: /etc/systemd/system/avahi-daemon.service
+ exists: true
+ filetype: symlink
+ linked-to: /dev/null
+ meta:
+ server: 1
+ workstation: 2
+ CIS_ID:
+ - 2.1.2
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - SI-4
+ {{ end }}
+ {{ end }}
+ {{ end }}
+{{ end }}
diff --git a/section_2/cis_2.1/cis_2.1.20.yml b/section_2/cis_2.1/cis_2.1.20.yml
new file mode 100644
index 0000000..e34ef59
--- /dev/null
+++ b/section_2/cis_2.1/cis_2.1.20.yml
@@ -0,0 +1,25 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_2_1_20 }}
+ {{ if not .Vars.ubtu24cis_xwindow_server }}
+package:
+ xwindow_pkg:
+ title: 2.1.20 | Ensure X window server services are not in use | pkg removed
+ name: xserver-common
+ installed: false
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.20
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-11
+ {{ end }}
+ {{ end }}
+{{ end }}
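Review bot: `name: avahi` in cis_2.1.2.yml is not the Debian/Ubuntu package name; the daemon is packaged as `avahi-daemon`, which is the name the two unit paths in the same file already use, so `installed: false` is evaluated against a package that never exists and passes even when avahi-daemon is installed. Change it to `name: avahi-daemon`.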
diff --git a/section_2/cis_2.1/cis_2.1.21.yml b/section_2/cis_2.1/cis_2.1.21.yml
new file mode 100644
index 0000000..7cae73d
--- /dev/null
+++ b/section_2/cis_2.1/cis_2.1.21.yml
@@ -0,0 +1,46 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_is_mail_server }}
+ {{ if .Vars.ubtu24cis_rule_2_1_21 }}
+command:
+ mta_listening_port25:
+ title: 2.1.21 Ensure mail transfer agent is configured for local-only mode
+ exit-status: 1
+ exec: 'ss -lntu | grep -E ":25\s" | grep -E -v "\s(127.0.0.1|\[?::1\]?):25\s"'
+ stdout: ['!/./']
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.21
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+file:
+ /etc/postfix/main.conf:
+ title: 2.1.21 | Ensure mail transfer agent is configured for local-only mode
+ exists: true
+ contents:
+ - '/^inet_interfaces\s*=\s*loopback-only/'
+ - '!/^inet_interfaces\s*=\s*all/'
+ - '!/^(?i)inet_interfaces\s*=\s*ipv4/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.21
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+ {{ end }}
+ {{ end }}
+{{ end }}
diff --git a/section_2/cis_2.1/cis_2.1.22.yml b/section_2/cis_2.1/cis_2.1.22.yml
new file mode 100644
index 0000000..3285bff
--- /dev/null
+++ b/section_2/cis_2.1/cis_2.1.22.yml
@@ -0,0 +1,25 @@
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_2_1_22 }}
+command:
+ manual_listening_ports:
+ title: 2.1.22 | Ensure only approved services are listening on a network interface | Manual Check required
+ exit-status:
+ or:
+ - 0
+ - 1
+ exec: echo "Manual!! - Please check only approved services are listening"
+ stdout: ['!/./']
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.22
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+ {{ end }}
+{{ end }}
diff --git a/section_2/cis_2.1/cis_2.1.3.yml b/section_2/cis_2.1/cis_2.1.3.yml
new file mode 100644
index 0000000..01af9c0
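Review bot: Postfix reads `/etc/postfix/main.cf`, not `/etc/postfix/main.conf`, so the `exists: true` file check in cis_2.1.21.yml fails on every host regardless of how `inet_interfaces` is set; the resource key should be `/etc/postfix/main.cf:`. The whole file is guarded by `{{ if .Vars.ubtu24cis_is_mail_server }}`, which reads as running the local-only check only on hosts that are mail servers — if the variable means "an MTA is installed" the name is misleading, and if it means "this host serves mail" the condition is inverted, so confirm against the defaults file. The command title `2.1.21 Ensure ...` also lacks the ` | ` separator used by every other title in the commit.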
--- /dev/null
+++ b/section_2/cis_2.1/cis_2.1.3.yml
@@ -0,0 +1,66 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_2_1_3 }}
+ {{ if not .Vars.ubtu24cis_dhcp_server }}
+ {{ if not .Vars.ubtu24cis_dhcp_mask }}
+package:
+ dhcp_pkg:
+ title: 2.1.3 | Ensure dhcp server services are not in use | pkg removed
+ name: isc-dhcp-server
+ installed: false
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.3
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+ {{ end }}
+ {{ if .Vars.ubtu24cis_dhcp_mask }}
+file:
+ dhcp_service_masked:
+ title: 2.1.3 | Ensure dhcp server services are not in use | masked
+ path: /etc/systemd/system/isc-dhcp-server.service
+ exists: true
+ filetype: symlink
+ linked-to: /dev/null
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.3
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+ dhcp6_service_masked:
+ title: 2.1.3 | Ensure dhcp server services are not in use | masked
+ path: /etc/systemd/system/isc-dhcp-server6.service
+ exists: true
+ filetype: symlink
+ linked-to: /dev/null
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.3
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+ {{ end }}
+ {{ end }}
+ {{ end }}
+{{ end }}
diff --git a/section_2/cis_2.1/cis_2.1.4.yml b/section_2/cis_2.1/cis_2.1.4.yml
new file mode 100644
index 0000000..927e6ae
--- /dev/null
+++ b/section_2/cis_2.1/cis_2.1.4.yml
@@ -0,0 +1,48 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_2_1_4 }}
+ {{ if not .Vars.ubtu24cis_dns_server }}
+ {{ if not .Vars.ubtu24cis_dns_mask }}
+package:
+ dns_pkg:
+ title: 2.1.4 | Ensure dns server services are not in use | pkg removed
+ name: bind9
+ installed: false
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.4
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+ {{ end }}
+ {{ if .Vars.ubtu24cis_dns_mask }}
+file:
+ dns_service_masked:
+ title: 2.1.4 | Ensure dns server services are not in use | masked
+ path: /etc/systemd/system/bind9.service
+ exists: true
+ filetype: symlink
+ linked-to: /dev/null
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.4
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+ {{ end }}
+ {{ end }}
+ {{ end }}
+{{ end }}
diff --git a/section_2/cis_2.1/cis_2.1.5.yml b/section_2/cis_2.1/cis_2.1.5.yml
new file mode 100644
index 0000000..2d53305
--- /dev/null
+++ b/section_2/cis_2.1/cis_2.1.5.yml
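Review bot: cis_2.1.4.yml expects the mask link at `/etc/systemd/system/bind9.service`, but on Ubuntu 24.04 the bind9 package's unit is, as far as I know, `named.service` with `bind9.service` only an alias, and the benchmark remediation masks `named.service`; a host masked that way has `named.service -> /dev/null` and this check fails. Confirm which link `systemctl mask` produces on a 24.04 image and point `path` at it, or list both names as separate `file` entries the way cis_2.1.3.yml lists two units.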
@@ -0,0 +1,48 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_2_1_5 }}
+ {{ if not .Vars.ubtu24cis_dnsmasq_server }}
+ {{ if not .Vars.ubtu24cis_dnsmasq_mask }}
+package:
+ dnsmasq_pkg:
+ title: 2.1.5 | Ensure dnsmasq server services are not in use | pkg removed
+ name: dnsmasq
+ installed: false
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.5
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+ {{ end }}
+ {{ if .Vars.ubtu24cis_dnsmasq_mask }}
+file:
+ dnsmasq_service_masked:
+ title: 2.1.5 | Ensure dnsmasq server services are not in use | masked
+ path: /etc/systemd/system/dnsmasq.service
+ exists: true
+ filetype: symlink
+ linked-to: /dev/null
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.5
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+ {{ end }}
+ {{ end }}
+ {{ end }}
+{{ end }}
diff --git a/section_2/cis_2.1/cis_2.1.6.yml b/section_2/cis_2.1/cis_2.1.6.yml
new file mode 100644
index 0000000..595f22a
--- /dev/null
+++ b/section_2/cis_2.1/cis_2.1.6.yml
@@ -0,0 +1,48 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_2_1_6 }}
+ {{ if not .Vars.ubtu24cis_ftp_server }}
+ {{ if not .Vars.ubtu24cis_ftp_mask }}
+package:
+ ftp_pkg:
+ title: 2.1.6 | Ensure ftp server services are not in use | pkg removed
+ name: vsftp
+ installed: false
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.6
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+ {{ end }}
+ {{ if .Vars.ubtu24cis_ftp_mask }}
+file:
+ ftp_service_masked:
+ title: 2.1.6 | Ensure ftp server services are not in use | masked
+ path: /etc/systemd/system/vsftpd.service
+ exists: true
+ filetype: symlink
+ linked-to: /dev/null
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.6
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+ {{ end }}
+ {{ end }}
+ {{ end }}
+{{ end }}
diff --git a/section_2/cis_2.1/cis_2.1.7.yml b/section_2/cis_2.1/cis_2.1.7.yml
new file mode 100644
index 0000000..24af33c
--- /dev/null
+++ b/section_2/cis_2.1/cis_2.1.7.yml
@@ -0,0 +1,48 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_2_1_7 }}
+ {{ if not .Vars.ubtu24cis_ldap_server }}
+ {{ if not .Vars.ubtu24cis_ldap_mask }}
+package:
+ ldap_pkg:
+ title: 2.1.7 | Ensure ldap server services are not in use | pkg removed
+ name: slapd
+ installed: false
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.7
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+ {{ end }}
+ {{ if .Vars.ubtu24cis_ldap_mask }}
+file:
+ ldap_service_masked:
+ title: 2.1.7 | Ensure ldap server services are not in use | masked
+ path: /etc/systemd/system/slapd.service
+ exists: true
+ filetype: symlink
+ linked-to: /dev/null
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.7
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+ {{ end }}
+ {{ end }}
+ {{ end }}
+{{ end }}
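Review bot: `name: vsftp` in cis_2.1.6.yml does not match the daemon that the masked unit in the same file refers to (`vsftpd.service`); the package is `vsftpd`, so `installed: false` is evaluated against a name that never exists and passes with vsftpd installed. Change it to `name: vsftpd`.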
diff --git a/section_2/cis_2.1/cis_2.1.8.yml b/section_2/cis_2.1/cis_2.1.8.yml
new file mode 100644
index 0000000..cffab98
--- /dev/null
+++ b/section_2/cis_2.1/cis_2.1.8.yml
@@ -0,0 +1,82 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_2_1_8 }}
+ {{ if not .Vars.ubtu24cis_message_server }}
+ {{ if not .Vars.ubtu24cis_message_mask }}
+package:
+ dovecot_imapd_pkg:
+ title: 2.1.8 | Ensure message access server services are not in use | pkg removed
+ name: dovecot-imapd
+ installed: false
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.8
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+ dovecot_pop3d_pkg:
+ title: 2.1.8 | Ensure message access server services are not in use | pkg removed
+ name: dovecot-pop3d
+ installed: false
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.8
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+ {{ end }}
+ {{ if .Vars.ubtu24cis_message_mask }}
+file:
+ dovecot_service_masked:
+ title: 2.1.8 | Ensure message access server services are not in use | masked
+ path: /etc/systemd/system/dovecot.service
+ exists: true
+ filetype: symlink
+ linked-to: /dev/null
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.8
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+ dovecot_socket_masked:
+ title: 2.1.8 | Ensure message access server services are not in use | masked
+ path: /etc/systemd/system/dovecot.socket
+ exists: true
+ filetype: symlink
+ linked-to: /dev/null
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.8
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+ {{ end }}
+ {{ end }}
+ {{ end }}
+{{ end }}
diff --git a/section_2/cis_2.1/cis_2.1.9.yml b/section_2/cis_2.1/cis_2.1.9.yml
new file mode 100644
index 0000000..58b0ace
--- /dev/null
+++ b/section_2/cis_2.1/cis_2.1.9.yml
@@ -0,0 +1,50 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_2_1_9 }}
+ {{ if not .Vars.ubtu24cis_nfs_server }}
+ {{ if not .Vars.ubtu24cis_nfs_mask }}
+package:
+ nfs_pkg:
+ title: 2.1.9 | Ensure network file system services are not in use | pkg removed
+ name: nfs-kernel-server
+ installed: false
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.9
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-6
+ - CM-7
+ {{ end }}
+ {{ if .Vars.ubtu24cis_nfs_mask }}
+file:
+ nfs_service_masked:
+ title: 2.1.9 | Ensure network file system services are not in use | masked
+ path: /etc/systemd/system/nfs-server.service
+ exists: true
+ filetype: symlink
+ linked-to: /dev/null
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 2.1.9
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-6
+ - CM-7
+ {{ end }}
+ {{ end }}
+ {{ end }}
+{{ end }}
diff --git a/section_2/cis_2.2/cis_2.2.1.yml b/section_2/cis_2.2/cis_2.2.1.yml
new file mode 100644
index 0000000..2e262f6
--- /dev/null
+++ b/section_2/cis_2.2/cis_2.2.1.yml
@@ -0,0 +1,25 @@
+---
+
+{{ if not .Vars.ubtu24cis_nis_client_required }}
+ {{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_2_2_1 }}
+package:
+ nis_client:
+ title: 2.2.1 | Ensure NIS Client is not installed
+ installed: false
+ name: nis
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID: 2.2.1
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-7
+ - CM-11
+ {{ end }}
+ {{ end }}
+{{ end }}
diff --git a/section_2/cis_2.2/cis_2.2.2.yml b/section_2/cis_2.2/cis_2.2.2.yml
new file mode 100644
index 0000000..fc06aec
--- /dev/null
+++ b/section_2/cis_2.2/cis_2.2.2.yml
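Review bot: `CIS_ID: 2.2.1` in cis_2.2.1.yml is a bare scalar, while every section_1 and section_2.1 file in this commit writes `CIS_ID` as a list (`- 2.1.9` in the hunk just above), so anything that consumes the `meta` block and iterates that field sees a string here and a list elsewhere. cis_2.2.2.yml through cis_2.2.6.yml use the same scalar form. Write it as `CIS_ID:` followed by `- 2.2.1` on the next line for consistency.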
@@ -0,0 +1,24 @@ +--- + +{{ if not .Vars.ubtu24cis_rsh_client }} + {{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_2_2 }} +package: + rsh-client: + title: 2.2.2 | Ensure rsh client is not installed + name: rsh-client + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: 2.2.2 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.3.yml b/section_2/cis_2.2/cis_2.2.3.yml new file mode 100644 index 0000000..2a6f80a --- /dev/null +++ b/section_2/cis_2.2/cis_2.2.3.yml @@ -0,0 +1,23 @@ +--- + +{{ if not .Vars.ubtu24cis_talk_client }} + {{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_2_3 }} +package: + talk: + title: 2.2.3 | Ensure talk client is not installed + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: 2.2.3 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.4.yml b/section_2/cis_2.2/cis_2.2.4.yml new file mode 100644 index 0000000..d6c24d8 --- /dev/null +++ b/section_2/cis_2.2/cis_2.2.4.yml @@ -0,0 +1,24 @@ +--- + +{{ if not .Vars.ubtu24cis_telnet_required }} + {{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_2_4 }} +package: + telnet: + title: 2.2.4 | Ensure telnet client is not installed + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: 2.2.4 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - CM-11 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.5.yml b/section_2/cis_2.2/cis_2.2.5.yml new file mode 100644 index 0000000..10507a9 --- /dev/null +++ b/section_2/cis_2.2/cis_2.2.5.yml 
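Review bot: The `talk` package check omits the explicit `name:` field and relies on the map key being used as the package name, whereas the neighbouring `rsh-client` and `ldap-utils` checks spell it out. That works in goss, but it makes the key load-bearing, so a later rename of the key would silently change which package is audited. Add `name: talk` for symmetry with the other 2.2.x checks.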
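Review bot: The 2.2.4 check asserts only that the `telnet` package is absent; on Ubuntu 24.04 I believe the client binary is shipped by `inetutils-telnet`, with `telnet` reduced to a transitional package, so a host with only `inetutils-telnet` installed would pass this audit while still having a telnet client. Please confirm against the 24.04 package set and, if so, add a second entry `inetutils-telnet: { installed: false }` under the same guards.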
@@ -0,0 +1,24 @@ +--- + +{{ if not .Vars.ubtu24cis_ldap_clients_required }} + {{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_2_5 }} +package: + ldap-utils: + title: 2.2.5 | Ensure LDAP client is not installed + installed: false + name: ldap-utils + meta: + server: 1 + workstation: 1 + CIS_ID: 2.2.5 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.6.yml b/section_2/cis_2.2/cis_2.2.6.yml new file mode 100644 index 0000000..3cce36c --- /dev/null +++ b/section_2/cis_2.2/cis_2.2.6.yml @@ -0,0 +1,25 @@ +--- + +{{ if not .Vars.ubtu24cis_ftp_client }} + {{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_2_6 }} +package: + ftp_client: + title: 2.2.6 | Ensure ftp client is not installed + installed: false + name: ftp + meta: + server: 1 + workstation: 1 + CIS_ID: 2.2.6 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - CM-11 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.3/cis_2.3.1.1.yml b/section_2/cis_2.3/cis_2.3.1.1.yml new file mode 100644 index 0000000..6b91037 --- /dev/null +++ b/section_2/cis_2.3/cis_2.3.1.1.yml 
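Review bot: The 2.2.6 check looks only for the `ftp` package; on recent Ubuntu releases the actual client is provided by `tnftp`, with `ftp` as a thin transitional package, so removing `ftp` alone can leave a working ftp client behind and this audit would still pass. Worth verifying for 24.04 and adding `tnftp: { installed: false }` alongside the existing entry if that is the case.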
@@ -0,0 +1,75 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_3_1_1 }} +package: + {{ .Vars.ubtu24cis_time_sync_tool }}: + title: 2.3.1.1 | Ensure a single time synchronization daemon is in use + installed: true + meta: + server: 1 + workstation: 1 + CIS_ID: 2.3.1.1 + CISv8: + - 8.4 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - AU-12 + {{ if eq .Vars.ubtu24cis_time_sync_tool "systemd-timesyncd" }} + ntp: + title: 2.3.1.1 | Ensure time synchronization is in use | ntp service + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: 2.3.1.1 + CISv8: + - 8.4 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - AU-12 + chrony: + title: 2.3.1.1 | Ensure time synchronization is in use | chrony service + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: 2.3.1.1 + CISv8: + - 8.4 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - AU-12 + {{ end }} + {{ if ne .Vars.ubtu24cis_time_sync_tool "systemd-timesyncd" }} +file: + timesync_masked: + title: 2.3.1.1 | Ensure time synchronization is in use | systemd-timesyncd masked + path: /etc/systemd/system/systemd-timesyncd.service + filetype: symlink + linked-to: /dev/null + exists: true + meta: + server: 1 + workstation: 1 + CIS_ID: 2.3.1.1 + CISv8: + - 8.4 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - AU-12 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.3/cis_2.3.2.1.yml b/section_2/cis_2.3/cis_2.3.2.1.yml new file mode 100644 index 0000000..5b3cdae --- /dev/null +++ b/section_2/cis_2.3/cis_2.3.2.1.yml 
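Review bot: When `ubtu24cis_time_sync_tool` is `chrony`, the hunk checks that chrony is installed and that `systemd-timesyncd` is masked, but it never asserts that `ntp` (or its successor package) is absent, whereas the timesyncd branch does check both `ntp` and `chrony`. The "single time synchronization daemon" control is therefore only half-audited on chrony hosts; add `ntp: { installed: false }` (and whichever ntp package 24.04 actually ships) inside the `ne ... "systemd-timesyncd"` branch. Note also that the variable is interpolated directly as the package key, so an unexpected value becomes an `installed: true` check on an arbitrary package name rather than a template error.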
@@ -0,0 +1,28 @@ +--- + +{{ if eq .Vars.ubtu24cis_time_sync_tool "systemd-timesyncd" }} + {{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_3_2_1 }} +file: + timesynd_timeservers: + title: 2.3.2.1 | Ensure systemd-timesyncd configured with authorized timeserver + path: /etc/systemd/timesyncd.conf.d/50-timesyncd.conf + exists: true + contents: + - '/^NTP={{ .Vars.ubtu24cis_time_pool_name }}/' + - '/^FallbackNTP={{- range .Vars.ubtu24cis_time_servers }}{{ .name }} {{ end }}/' + meta: + server: 1 + workstation: 1 + CIS_ID: 2.3.2.1 + CISv8: + - 8.4 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-7 + - AU-8 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.3/cis_2.3.2.2.yml b/section_2/cis_2.3/cis_2.3.2.2.yml new file mode 100644 index 0000000..626b51e --- /dev/null +++ b/section_2/cis_2.3/cis_2.3.2.2.yml @@ -0,0 +1,26 @@ +--- + +{{ if eq .Vars.ubtu24cis_time_sync_tool "systemd-timesyncd" }} + {{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_3_2_2 }} +service: + timesyncd: + title: 2.3.2.2 | Ensure systemd-timesyncd is enabled and running + enabled: true + running: true + name: systemd-timesyncd + meta: + server: 1 + workstation: 1 + CIS_ID: 2.3.2.2 + CISv8: + - 8.4 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-7 + - AU-8 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.3/cis_2.3.3.1.yml b/section_2/cis_2.3/cis_2.3.3.1.yml new file mode 100644 index 0000000..fbef77d --- /dev/null +++ b/section_2/cis_2.3/cis_2.3.3.1.yml 
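Review bot: The `FallbackNTP` pattern is built by `{{ range ... }}{{ .name }} {{ end }}`, which emits a trailing space after the last server, so the regex only matches if the config line also ends in whitespace; a file written as `FallbackNTP=a.example b.example` with no trailing space will fail the check. Build the list with an index-aware loop, e.g. `{{ range $i, $s := .Vars.ubtu24cis_time_servers }}{{ if $i }} {{ end }}{{ $s.name }}{{ end }}`, or anchor with `(\s|$)`. Both patterns also drop hostnames into the regex unescaped, so `.` matches any character; acceptable for an audit, but worth a comment.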
@@ -0,0 +1,49 @@ +--- + +{{ if eq .Vars.ubtu24cis_time_sync_tool "chrony" }} + {{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_3_3_1 }} +file: + chrony_pool: + title: 2.3.3.1 | Ensure chrony is configured with authorized timeserver | timeserver pool + path: /etc/chrony/sources.d/pool.source + exists: true + contents: + {{- range .Vars.ubtu24cis_time_pool }} + - '/^pool {{ .name }} {{ .options }}/' + {{ end }} + meta: + server: 1 + workstation: 1 + CIS_ID: 2.3.3.1 + CISv8: + - 8.4 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - AU-12 + chrony_timeservers: + title: 2.3.3.1 | Ensure chrony is configured with authorized timeserver | timeserver servers + path: /etc/chrony/sources.d/server.source + exists: true + contents: + {{- range .Vars.ubtu24cis_time_servers }} + - '/^server {{ .name }} {{ .options }}/' + {{ end }} + meta: + server: 1 + workstation: 1 + CIS_ID: 2.3.3.1 + CISv8: + - 8.4 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - AU-12 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.3/cis_2.3.3.2.yml b/section_2/cis_2.3/cis_2.3.3.2.yml new file mode 100644 index 0000000..143e150 --- /dev/null +++ b/section_2/cis_2.3/cis_2.3.3.2.yml @@ -0,0 +1,26 @@ +--- + +{{ if eq .Vars.ubtu24cis_time_sync_tool "chrony" }} + {{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_1_2_2 }} +file: + chrony_user: + title: 2.3.3.2 | Ensure chrony is running as user _chrony + path: /etc/chrony/chrony.conf + exists: true + contents: + - '/^user _chrony/' + meta: + server: 1 + workstation: 1 + CIS_ID: 2.3.3.2 + CISv8: + - 8.4 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-8 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.3/cis_2.3.3.3.yml b/section_2/cis_2.3/cis_2.3.3.3.yml new file mode 100644 index 0000000..664e184 --- /dev/null +++ b/section_2/cis_2.3/cis_2.3.3.3.yml 
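Review bot: The `contents:` lists for `chrony_pool` and `chrony_timeservers` are generated entirely from `ubtu24cis_time_pool` and `ubtu24cis_time_servers`; if either variable is empty the list renders empty and the check degrades to "file exists" with no time source asserted. Guard the entry with `{{ if .Vars.ubtu24cis_time_pool }}` or add a fixed `'/^(pool|server) /'` line so an empty source list fails rather than passes. `{{ .options }}` is also interpolated unescaped into a regex, so option strings containing regex metacharacters will change the match.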
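Review bot: The 2.3.3.2 check is gated on `{{ if .Vars.ubtu24cis_rule_2_1_2_2 }}`, which looks like a copy-paste of a different rule's variable; unless that variable happens to be defined and true, the `chrony_user` check is silently dropped from the rendered goss file and the control is never audited. It should read `{{ if .Vars.ubtu24cis_rule_2_3_3_2 }}`. The check also only inspects `/etc/chrony/chrony.conf` for `user _chrony`; a `command:` or `process` check that the running chronyd is owned by `_chrony` would catch a daemon started with different options.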
@@ -0,0 +1,24 @@ +--- + +{{ if eq .Vars.ubtu24cis_time_sync_tool "chrony" }} + {{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_3_3_3 }} +service: + chronyd: + title: 2.3.3.3 | Ensure chrony is enabled and running + enabled: true + running: true + meta: + server: 1 + workstation: 1 + CIS_ID: 2.3.3.3 + CISv8: + - 8.4 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-8 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.4/cis_2.4.1.1.yml b/section_2/cis_2.4/cis_2.4.1.1.yml new file mode 100644 index 0000000..11ef222 --- /dev/null +++ b/section_2/cis_2.4/cis_2.4.1.1.yml @@ -0,0 +1,46 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_4_1_1 }} +package: + cron: + title: 2.4.1.1 | Ensure cron daemon is enabled and active | pkg + installed: true + name: cron + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.4.1.1 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 +service: + cron: + title: 2.4.1.1 | Ensure cron daemon is enabled and running | service + running: true + enabled: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.4.1.1 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_2/cis_2.4/cis_2.4.1.2.yml b/section_2/cis_2.4/cis_2.4.1.2.yml new file mode 100644 index 0000000..53e2d4b --- /dev/null +++ b/section_2/cis_2.4/cis_2.4.1.2.yml @@ -0,0 +1,26 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_4_1_2 }} +file: + crontab_perms: + title: 2.4.1.2 | Ensure permissions on /etc/crontab are configured + path: /etc/crontab + exists: true + owner: root + group: root + mode: "0600" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.4.1.2 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} 
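Review bot: The 2.3.3.3 service check uses the name `chronyd`, but on Ubuntu the unit shipped by the chrony package is `chrony.service`, with `chronyd` only an `Alias=`; I believe `systemctl is-enabled chronyd` reports `alias` rather than `enabled`, so whether goss treats that as enabled depends on how it interprets the exit status. Using `name: chrony` (or a `chrony:` key) removes the ambiguity and matches the package name already used in 2.3.1.1.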
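Review bot: The `crontab_perms` check pins `mode: "0600"` exactly, but the benchmark text for 2.4.1.2 is "0600 or more restrictive", so a hardened host with `/etc/crontab` at 0400 would be reported as failing. Goss's `mode` matcher is an equality test, so either document that the role always writes 0600 or switch to a `command:` using `stat -c '%a'` with a regex such as `'/^[046]00$/'`. The same exact-mode pattern is used for the cron directories and allow files elsewhere in this commit.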
diff --git a/section_2/cis_2.4/cis_2.4.1.3_7.yml b/section_2/cis_2.4/cis_2.4.1.3_7.yml new file mode 100644 index 0000000..d93809e --- /dev/null +++ b/section_2/cis_2.4/cis_2.4.1.3_7.yml 
@@ -0,0 +1,110 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_4_1_3 }} +file: + cron_hourly_perms: + title: 2.4.1.3 | Ensure permissions on /etc/cron.hourly are configured + path: /etc/cron.hourly + exists: true + owner: root + group: root + mode: "0700" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.4.1.3 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} + {{ if .Vars.ubtu24cis_rule_2_4_1_4 }} + cron_daily_perms: + title: 2.4.1.4 | Ensure permissions on /etc/cron.daily are configured + path: /etc/cron.daily + exists: true + owner: root + group: root + mode: "0700" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.4.1.4 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} + {{ if .Vars.ubtu24cis_rule_2_4_1_5 }} + cron_weekly_perms: + title: 2.4.1.5 | Ensure permissions on /etc/cron.weekly are configured + path: /etc/cron.weekly + exists: true + owner: root + group: root + mode: "0700" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.4.1.5 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} + {{ if .Vars.ubtu24cis_rule_2_4_1_6 }} + cron_monthly_perms: + title: 2.4.1.6 | Ensure permissions on /etc/cron.monthly are configured + path: /etc/cron.monthly + exists: true + owner: root + group: root + mode: "0700" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.4.1.6 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} + {{ if .Vars.ubtu24cis_rule_2_4_1_7 }} + cron_d_perms: + title: 2.4.1.7 | Ensure permissions on /etc/cron.d are configured + path: /etc/cron.d + exists: true + owner: root + group: root + mode: "0700" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.4.1.7 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ 
end }} diff --git a/section_2/cis_2.4/cis_2.4.1.8.yml b/section_2/cis_2.4/cis_2.4.1.8.yml new file mode 100644 index 0000000..6b20236 --- /dev/null +++ b/section_2/cis_2.4/cis_2.4.1.8.yml @@ -0,0 +1,42 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_4_1_8 }} +file: + cron_deny_absent: + title: 2.4.1.8 | Ensure cron is restricted to authorized users + path: /etc/cron.deny + exists: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.4.1.8 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + /etc/cron.allow: + title: 2.4.1.8 | Ensure cron is restricted to authorized users + exists: true + owner: root + group: root + mode: "0640" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.4.1.8 + - 2.4.1.8 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_2/cis_2.4/cis_2.4.2.1.yml b/section_2/cis_2.4/cis_2.4.2.1.yml new file mode 100644 index 0000000..cf2445c --- /dev/null +++ b/section_2/cis_2.4/cis_2.4.2.1.yml @@ -0,0 +1,41 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_4_2_1 }} +file: + at_deny_absent: + title: 2.4.2.1 | Ensure at is restricted to authorized users + path: /etc/at.deny + exists: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.4.2.1 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + /etc/at.allow: + title: 2.4.2.1 | Ensure at is restricted to authorized users + exists: true + owner: root + group: root + mode: "0640" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.4.2.1 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_3/cis_3.1/cis_3.1.1.yml b/section_3/cis_3.1/cis_3.1.1.yml new file mode 100644 index 0000000..e7eaed3 --- /dev/null +++ b/section_3/cis_3.1/cis_3.1.1.yml 
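Review bot: The `file:` key that parents all five directory checks is emitted inside `{{ if .Vars.ubtu24cis_rule_2_4_1_3 }}`, so if a site disables rule 2.4.1.3 but leaves 2.4.1.4-2.4.1.7 enabled, the rendered YAML contains `cron_daily_perms:` and friends with no `file:` parent and goss will reject the file. Move `file:` above the first rule guard, i.e. emit `file:` right after the `ubtu24cis_level_1` check and keep only the individual entries conditional. This hunk spans two physical lines here; its final `{{ end }}` is at the start of the next line.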
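Review bot: The `/etc/cron.allow` entry lists `2.4.1.8` twice under `CIS_ID`, which is a copy-paste slip; drop the duplicate line. It also pins `group: root` and `mode: "0640"` exactly, whereas my recollection is that the Ubuntu benchmark accepts group `root` or `crontab` and "0640 or more restrictive" for this file, so a host set up per the benchmark's own remediation could fail here; please confirm against the 24.04 benchmark text before pinning.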
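Review bot: The `/etc/at.allow` check requires the file to exist with 0640 root:root, but it is not gated on the `at` package being installed; the benchmark treats 2.4.2.1 as not applicable when `at` is absent, so every host without `at` will fail this audit. Wrap the entry in a template guard on an `at`-installed variable, or make the `exists: true` assertion conditional. As with cron.allow, the group the benchmark accepts may include `daemon` rather than only `root`, which is worth confirming.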
@@ -0,0 +1,67 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if not .Vars.ubtu24cis_ipv6_required }} + {{ if .Vars.ubtu24cis_rule_3_1_1 }} + {{ if eq .Vars.ubtu24cis_ipv6_disable "grub" }} +command: + grub_ipv6: + title: 3.1.1 | Ensure IPv6 status is identified | via grub boot + exec: grep -i "^[^#]\s.*ipv6" /boot/grub/grub.cfg + exit-status: 0 + stdout: + - '/^\s*linux.*ipv6.disable=1/' + - '!/ipv6.disable=0/' + meta: + server: 2 + workstation: 2 + CIS_ID: 3.1.1 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + ipv6_etc_default_grub: + title: 3.1.1 | Ensure IPv6 status is identified | default grub + exec: grep -i "GRUB_CMDLINE_LINUX=.*ipv6" /etc/default/grub + exit-status: 0 + stdout: + - '/^GRUB_CMDLINE_LINUX=.*ipv6.disable=1/' + - '!/ipv6.disable=0/' + meta: + server: 2 + workstation: 2 + CIS_ID: 3.1.1 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ if eq .Vars.ubtu24cis_ipv6_disable "sysctl" }} + file: + ipv6_disabled: + title: 3.1.1 | Ensure IPv6 status is identified | sysctl all disable + path: /proc/sys/net/ipv6/conf/all/disable_ipv6 + exists: true + contents: + - '/^1/' + meta: + server: 2 + workstation: 2 + CIS_ID: 3.3.1 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_3/cis_3.1/cis_3.1.2.yml b/section_3/cis_3.1/cis_3.1.2.yml new file mode 100644 index 0000000..5764ccb --- /dev/null +++ b/section_3/cis_3.1/cis_3.1.2.yml 
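Review bot: The `grub_ipv6` exec pattern `^[^#]\s.*ipv6` requires the second character of the line to be whitespace, but grub.cfg kernel lines look like `\tlinux /boot/vmlinuz ... ipv6.disable=1`, where the second character is `l`; only doubly-indented submenu entries would match, so the check depends on grub layout rather than on the kernel command line. `grep -E "^\s*linux.*ipv6"` is the more reliable shape. In the sysctl branch the meta says `CIS_ID: 3.3.1` (should be 3.1.1) and only `conf/all/disable_ipv6` is read; the benchmark also expects `conf/default/disable_ipv6 = 1`, so a second `file:` entry for `/proc/sys/net/ipv6/conf/default/disable_ipv6` is needed.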
@@ -0,0 +1,26 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_3_1_2 }} +command: + wireless_disabled: + title: 3.1.2 | Ensure wireless interfaces are disabled | MANUAL + exit-status: 0 + exec: "if [ $(find /sys/class/net/*/ -type d -name wireless) ]; then echo MANUAL; else echo OK; fi" + stdout: + - '/^OK/' + - '!/^MANUAL/' + meta: + server: 1 + workstation: 2 + CIS_ID: + - 3.1.2 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} +{{ end }} diff --git a/section_3/cis_3.1/cis_3.1.3.yml b/section_3/cis_3.1/cis_3.1.3.yml new file mode 100644 index 0000000..e7f0a16 --- /dev/null +++ b/section_3/cis_3.1/cis_3.1.3.yml @@ -0,0 +1,46 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_3_1_3 }} + {{ if not .Vars.ubtu24cis_bluetooth_service }} + {{ if not .Vars.ubtu24cis_bluetooth_mask }} +package: + bluetooth_pkg: + title: 3.1.3 | Ensure bluetooth services are not in use | pkg removed + name: bluez + installed: false + meta: + server: 1 + workstation: 2 + CIS_ID: + - 3.1.3 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + {{ end }} + {{ if .Vars.ubtu24cis_bluetooth_mask }} +file: + bluetooth_service_masked: + title: 3.1.3 | Ensure bluetooth services are not in use | masked + path: /etc/systemd/system/bluetooth.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 2 + CIS_ID: + - 3.1.3 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_3/cis_3.2/cis_3.2.1.yml b/section_3/cis_3.2/cis_3.2.1.yml new file mode 100644 index 0000000..6968d06 --- /dev/null +++ b/section_3/cis_3.2/cis_3.2.1.yml 
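Review bot: The `wireless_disabled` exec wraps an unquoted command substitution in `[ ... ]`, so with two or more wireless interfaces `[` receives several words and exits 2 with "too many arguments" instead of printing MANUAL; the check still fails, but for the wrong reason and with an unhelpful message. Use `if [ -n "$(find /sys/class/net/*/ -type d -name wireless)" ]`. Note that this only detects the presence of a wireless device, not whether it is disabled (module blacklisted, radio off), which the benchmark allows, so the MANUAL label in the title is apt but the `!/^MANUAL/` matcher makes it a hard failure.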
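Review bot: As with the dovecot and nfs mask branches, `bluetooth_service_masked` only checks the /dev/null symlink and never asserts the daemon is stopped, so a masked-but-still-running bluetoothd passes. Add `service: { bluetooth: { running: false } }` under the same `ubtu24cis_bluetooth_mask` guard. The `NIST800-53R5: CM-7` here is a scalar while other files use a list; pick one form.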
@@ -0,0 +1,45 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_3_2_1 }} +command: + modprobe_dccp: + title: 3.2.1 | Ensure dccp kernel module is not available | DCCP config + exit-status: 0 + exec: 'modprobe -n -v dccp' + stdout: + - '/install /bin/(true|false)/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 3.2.1 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - SI-4 + lsmod_dccp: + title: 3.2.1 | Ensure dccp kernel module is not available | running dccp + exit-status: 1 + exec: lsmod | grep -i dccp + stdout: + - '!/^.*/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 3.2.1 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - SI-4 + {{ end }} +{{ end }} diff --git a/section_3/cis_3.2/cis_3.2.2.yml b/section_3/cis_3.2/cis_3.2.2.yml new file mode 100644 index 0000000..f2738ea --- /dev/null +++ b/section_3/cis_3.2/cis_3.2.2.yml @@ -0,0 +1,48 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_3_2_2 }} +command: + modprobe_TIPC: + title: 3.2.2 | Ensure tipc kernel module is not available | tipc config + exit-status: + or: + - 0 + - 1 + exec: 'modprobe -n -v tipc' + stdout: + - '/install /bin/(true|false)/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 3.2.2 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - SI-4 + lsmod_TIPC: + title: 3.2.2 | Ensure tipc kernel module is not available | running tipc + exit-status: 1 + exec: lsmod | grep -i tipc + stdout: + - '!/^.*/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 3.2.2 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - SI-4 + {{ end }} +{{ end }} diff --git a/section_3/cis_3.2/cis_3.2.4.yml b/section_3/cis_3.2/cis_3.2.4.yml new file mode 100644 index 0000000..048c307 --- /dev/null +++ b/section_3/cis_3.2/cis_3.2.4.yml 
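Review bot: `modprobe_dccp` requires `exit-status: 0`, while the sibling tipc and rds checks in this commit accept 0 or 1; on a kernel that does not ship the dccp module at all, `modprobe -n -v dccp` exits non-zero and this check fails even though the control is satisfied. Align the three files, and consider adding the benchmark's second audit item, a `grep -r "^blacklist\s+dccp" /etc/modprobe.d/` check, since an `install /bin/false` line alone does not stop the module being loaded as a dependency.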
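Review bot: Allowing `exit-status` 0 or 1 for `modprobe_TIPC` does not achieve what it appears to: when modprobe exits 1 because the module is absent, stdout is empty and the required `/install /bin/(true|false)/` matcher still fails, so the check cannot pass on a kernel without tipc. If the intent is "not loadable, for whatever reason", the stdout matcher needs the same latitude, or replace both with a single exec such as `modprobe -n -v tipc 2>&1 | grep -Eq "install /bin/(true|false)|not found" && echo OK` and match on `OK`.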
@@ -0,0 +1,43 @@ +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_3_2_4 }} +command: + modprobe_sctp: + title: 3.2.4 | Ensure sctp kernel module is not available | sctp config + exit-status: 0 + exec: 'modprobe -n -v sctp' + stdout: + - '/install /bin/(true|false)/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 3.2.4 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - SI-4 + lsmod_sctp: + title: 3.2.4 | Ensure sctp kernel module is not available | running sctp + exit-status: 1 + exec: lsmod | grep -i sctp + stdout: + - '!/^.*/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 3.2.4 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - SI-4 + {{ end }} +{{ end }} diff --git a/section_3/cis_3.2/cis_3.4.3.yml b/section_3/cis_3.2/cis_3.4.3.yml new file mode 100644 index 0000000..c6d9970 --- /dev/null +++ b/section_3/cis_3.2/cis_3.4.3.yml @@ -0,0 +1,46 @@ +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_3_2_3 }} +command: + modprobe_RDS: + title: 3.2.3 | Ensure rds kernel module is not available | rds config + exit-status: + or: + - 0 + - 1 + exec: 'modprobe -n -v rds' + stdout: + - '/install /bin/(true|false)/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 3.2.3 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - SI-4 + lsmod_RDS: + title: 3.2.3 | Ensure rds kernel module is not available | running rds + exit-status: 1 + exec: lsmod | grep -i rds + stdout: + - '!/^.*/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 3.2.3 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - SI-4 + {{ end }} +{{ end }} diff --git a/section_3/cis_3.3/cis_3.3.1.yml b/section_3/cis_3.3/cis_3.3.1.yml new file mode 100644 index 0000000..98fd482 --- /dev/null +++ b/section_3/cis_3.3/cis_3.3.1.yml 
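Review bot: `modprobe_sctp` has the same strict `exit-status: 0` as the dccp check and the same gap as tipc (an absent module yields no `install` line on stdout), so the file cannot distinguish "disabled" from "never existed" and will fail on the latter. Whatever convention is chosen for 3.2.1 should be applied here too; a `blacklist sctp` grep against /etc/modprobe.d/ would also match the benchmark audit more closely. This file also lacks the leading `---` the other section files carry.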
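Review bot: The file is added as `section_3/cis_3.2/cis_3.4.3.yml` but its contents audit rule 3.2.3 (rds) and are gated on `ubtu24cis_rule_3_2_3`; any tooling or reviewer selecting checks by filename will look for 3.2.3 and not find it, or mistake this for a 3.4.3 check. Rename to `cis_3.2.3.yml`. The `or: [0, 1]` exit status plus a mandatory `/install /bin/(true|false)/` stdout match has the same limitation noted for tipc, and the file is missing the leading `---`.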
@@ -0,0 +1,104 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if not .Vars.ubtu24cis_is_router }} + {{ if .Vars.ubtu24cis_rule_3_3_1 }} +kernel-param: + net.ipv4.ip_forward: + title: 3.3.1 | Ensure IP forwarding is disabled | IPv4 + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.1 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ if .Vars.ubtu24cis_ipv6_required }} + net.ipv6.conf.all.forwarding: + title: 3.3.1 | Ensure IP forwarding is disabled | IPv6 + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.1 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +command: + ipv4_ip_forward: + title: 3.3.1 | Ensure IP forwarding is disabled | IPv4 config + exec: grep -E "^\s*net\.ipv4\.ip_forward" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf + exit-status: + or: + - 0 + - 1 + - 2 + stdout: + - '/^.*:net.ipv4.ip_forward\s*=\s*0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.1 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ if .Vars.ubtu24cis_ipv6_required }} + ipv6_ip_forward: + title: 3.3.1 | Ensure IP forwarding is disabled | IPv6 config + exec: grep -E "^\s*net\.ipv6\.conf\.all\.forwarding" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf + exit-status: + or: + - 0 + - 1 + - 2 + stdout: + - '/^.*:net.ipv6.conf.all.forwarding\s*=\s*0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.1 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} + {{ end }} + {{ end }} +{{ end }} 
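Review bot: The `ipv4_ip_forward` and `ipv6_ip_forward` config checks pass as soon as any file contains `= 0`, but `sysctl --system` applies files in sorted order with last-wins semantics and `/etc/sysctl.conf` last, so a later drop-in (or sysctl.conf itself) setting `= 1` would survive a reboot while this audit stays green. Add a negative matcher next to the positive one, e.g. `- '!/:net\.ipv4\.ip_forward\s*=\s*1/'` (and the ipv6 equivalent), so a conflicting persisted value is reported. Searching `/usr/lib/sysctl.d` and `/run/sysctl.d` here is good; the other 3.3.x files only search `/etc`, which is worth unifying.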
diff --git a/section_3/cis_3.3/cis_3.3.10.yml b/section_3/cis_3.3/cis_3.3.10.yml new file mode 100644 index 0000000..1774ef0 --- /dev/null +++ b/section_3/cis_3.3/cis_3.3.10.yml @@ -0,0 +1,52 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_3_3_10 }} +kernel-param: + net.ipv4.tcp_syncookies: + title: 3.3.10 | Ensure TCP SYN Cookies is enabled | ipv4 syncookies + value: '1' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.10 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 +command: + ipv4_tcp_syncookies: + title: 3.3.10 | Ensure TCP SYN Cookies is enabled | ipv4 syncookies conf + exec: grep "net\.ipv4\.tcp_syncookies" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/^\/etc\/sysctl.*:net.ipv4.tcp_syncookies\s*=\s*1/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.10 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_3/cis_3.3/cis_3.3.11.yml b/section_3/cis_3.3/cis_3.3.11.yml new file mode 100644 index 0000000..6beb69d --- /dev/null +++ b/section_3/cis_3.3/cis_3.3.11.yml 
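Review bot: `ipv4_tcp_syncookies` greps only `/etc/sysctl.conf /etc/sysctl.d/*`, while 3.3.1 in the same commit also covers `/usr/lib/sysctl.d` and `/run/sysctl.d`; a packaged drop-in that disables syncookies in `/usr/lib/sysctl.d` is invisible here, and the stdout anchor `^\/etc\/sysctl` would hide it even if the path were added. The grep is also unanchored, so a commented-out line keeps the exit status at 0 and the only signal is the stdout regex. Suggest `grep -E "^\s*net\.ipv4\.tcp_syncookies"` over the same four locations as 3.3.1 and a `'!/=\s*0/'` negative matcher.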
@@ -0,0 +1,97 @@ +--- +{{ if .Vars.ubtu24cis_ipv6_required }} +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_3_3_11 }} +kernel-param: + net.ipv6.conf.all.accept_ra: + title: 3.3.11 | Ensure ipv6 router advertisements are not accepted | all accept + value: '1' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.11 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + net.ipv6.conf.default.accept_ra: + title: 3.3.11 | Ensure ipv6 router advertisements are not accepted | default accept + value: '1' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.11 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 +command: + ipv6_all_accept_ra: + title: 3.3.11 | Ensure ipv6 router advertisements are not acceptedd | all accept + exec: grep "net\.ipv6\conf\.all\.accept_ra" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/^\/etc\/sysctl.*:net.ipv6.conf.all.accept_ra\s*=\s*0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.11 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + ipv6_all_default_ra: + title: 3.3.11 | Ensure ipv6 router advertisements are not acceptedd | all accept + exec: grep "net\.ipv6\conf\.default\.accept_ra" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/^\/etc\/sysctl.*:net.ipv6.conf.default.accept_ra\s*=\s*0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.11 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} +{{ end }} diff --git a/section_3/cis_3.3/cis_3.3.2.yml b/section_3/cis_3.3/cis_3.3.2.yml new file mode 100644 index 0000000..189367e --- /dev/null +++ b/section_3/cis_3.3/cis_3.3.2.yml 
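Review bot: Both `kernel-param` entries assert `value: '1'` for `net.ipv6.conf.all.accept_ra` and `net.ipv6.conf.default.accept_ra`, which is the opposite of the control ("router advertisements are not accepted") and contradicts the two command checks below that require `= 0`; on a correctly hardened host the runtime half fails and on an unhardened one it passes. Change both to `value: '0'`. The grep patterns `net\.ipv6\conf\.all\.accept_ra` are also missing the `\.` before `conf` (`\c` is a stray escape), so they will not match a real line; use `net\.ipv6\.conf\.all\.accept_ra` and fix the "acceptedd" / "all accept" titles on the default check.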
@@ -0,0 +1,96 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_3_3_2 }} +kernel-param: + net.ipv4.conf.all.send_redirects: + title: 3.3.2 | Ensure packet redirect sending is disabled | all send_redirect + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.2 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + net.ipv4.conf.default.send_redirects: + title: 3.3.2 | Ensure packet redirect sending is disabled | default send_redirects + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.2 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 +command: + ipv4_disable_all_redirect: + title: 3.3.2 | Ensure packet redirect sending is disabled | all send_redirect config + exec: grep -E "^\s*net\.ipv4\.conf\.all\.send_redirects" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/.*:net.ipv4.conf.all.send_redirects\s*=\s*0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.2 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + ipv4_disable_def_redirect: + title: 3.3.2 | Ensure packet redirect sending is disabled | default send_redirect config + exec: grep -E "^\s*net\.ipv4\.conf\.default\.send_redirects" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/.*:net.ipv4.conf.default.send_redirects=0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.2 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_3/cis_3.3/cis_3.3.3.yml b/section_3/cis_3.3/cis_3.3.3.yml new file mode 100644 index 0000000..5038f92 --- /dev/null +++ b/section_3/cis_3.3/cis_3.3.3.yml 
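Review bot: The stdout pattern for `ipv4_disable_def_redirect` is `net.ipv4.conf.default.send_redirects=0` with no `\s*` around the `=`, unlike its `all` sibling just above, so a config written in the usual `key = 0` form fails the default check while passing the all check. Make it `'/.*:net.ipv4.conf.default.send_redirects\s*=\s*0/'`. Both checks would also benefit from the negative `'!/=\s*1/'` matcher so a later-sorted drop-in re-enabling redirects is caught.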
@@ -0,0 +1,52 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_3_3_3 }} +kernel-param: + net.ipv4.icmp_ignore_bogus_error_responses: + title: 3.3.3 | Ensure bogus ICMP responses are ignored | ignore bogus icmp + value: '1' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.3 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 +command: + ipv4_ignore_bogus: + title: 3.3.3 | Ensure bogus ICMP responses are ignored | ignore bogus icmp conf + exec: grep "net.ipv4.icmp_ignore_bogus_error_responses" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/^\/etc\/sysctl.*:net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.3 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_3/cis_3.3/cis_3.3.4.yml b/section_3/cis_3.3/cis_3.3.4.yml new file mode 100644 index 0000000..94e9cbb --- /dev/null +++ b/section_3/cis_3.3/cis_3.3.4.yml 
@@ -0,0 +1,52 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_3_3_4 }} +kernel-param: + net.ipv4.icmp_echo_ignore_broadcasts: + title: 3.3.4 | Ensure broadcast ICMP requests are ignored | ipv4 ignore broadcast icmp + value: '1' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.4 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 +command: + ipv4_ignore_icmp_broadcast: + title: 3.3.4 | Ensure broadcast ICMP requests are ignored | ipv4 ignore broadcast icmp conf + exec: grep "net\.ipv4\.icmp_echo_ignore_broadcasts" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/^\/etc\/sysctl.*:net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.4 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_3/cis_3.3/cis_3.3.5.yml b/section_3/cis_3.3/cis_3.3.5.yml new file mode 100644 index 0000000..390a66d --- /dev/null +++ b/section_3/cis_3.3/cis_3.3.5.yml 
@@ -0,0 +1,96 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_3_3_5 }} +kernel-param: + net.ipv4.conf.all.accept_redirects: + title: 3.3.5 | Ensure ICMP redirects are not accepted | ipv4 all icmp redirects + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.5 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + net.ipv4.conf.default.accept_redirects: + title: 3.3.5 | Ensure ICMP redirects are not accepted | ipv4 default icmp redirects + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.5 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 +command: + ipv4_all_icmp_redirects: + title: 3.3.5 | Ensure ICMP redirects are not accepted | ipv4 all icmp redirects conf + exec: grep "net\.ipv4\.conf\.all\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/^\/etc\/sysctl.*:net.ipv4.conf.all.accept_redirects\s*=\s*0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.5 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + ipv4_def_icmp_redirects: + title: 3.3.5 | Ensure ICMP redirects are not accepted | ipv4 def icmp redirects conf + exec: grep "net\.ipv4\.conf\.default\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/^\/etc\/sysctl.*:net.ipv4.conf.default.accept_redirects\s*=\s*0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.5 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_3/cis_3.3/cis_3.3.6.yml b/section_3/cis_3.3/cis_3.3.6.yml new file mode 100644 index 0000000..5aab92d --- /dev/null +++ b/section_3/cis_3.3/cis_3.3.6.yml 
@@ -0,0 +1,94 @@ +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_3_3_6 }} +kernel-param: + net.ipv4.conf.all.secure_redirects: + title: 3.3.6 | Ensure secure ICMP redirects are not accepted | ipv4 all sec redirects + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.6 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + net.ipv4.conf.default.secure_redirects: + title: 3.3.6 | Ensure secure ICMP redirects are not accepted | ipv4 def sec redirects + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.2.6 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 +command: + ipv4_all_sec_redirects: + title: 3.3.6 | Ensure secure ICMP redirects are not accepted | ipv4 all sec redirects conf + exec: grep "net\.ipv4\.conf\.all\.secure_redirects" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/^\/etc\/sysctl.*:net.ipv4.conf.all.secure_redirects\s*=\s*0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.6 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + ipv4_def_sec_redirects: + title: 3.3.6 | Ensure secure ICMP redirects are not accepted | ipv4 all def redirects conf + exec: grep "net\.ipv4\.conf\.default\.secure_redirects" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/^\/etc\/sysctl.*:net.ipv4.conf.default.secure_redirects\s*=\s*0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.6 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_3/cis_3.3/cis_3.3.7.yml b/section_3/cis_3.3/cis_3.3.7.yml new file mode 100644 index 0000000..1cc592d --- /dev/null +++ b/section_3/cis_3.3/cis_3.3.7.yml 
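Review bot: The `net.ipv4.conf.default.secure_redirects` entry carries `CIS_ID: - 3.2.6` while the title, the rule variable and the other three entries in this file say 3.3.6, so any report that groups results by CIS_ID files this one under the wrong recommendation; change it to `- 3.3.6`. The `ipv4_def_sec_redirects` title reads `ipv4 all def redirects conf`, where the sibling naming would be `ipv4 def sec redirects conf`. This file also begins directly with `{{ if` and omits the `---` document marker the neighbouring section_3 files start with.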
@@ -0,0 +1,96 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_3_3_7 }} +kernel-param: + net.ipv4.conf.all.rp_filter: + title: 3.3.7 | Ensure Reverse Path Filtering is enabled | ipv4 all rp_filter + value: '1' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.7 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + net.ipv4.conf.default.rp_filter: + title: 3.3.7 | Ensure Reverse Path Filtering is enabled | ipv4 default rp_filter + value: '1' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.7 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 +command: + ipv4_all_rp_filter: + title: 3.3.7 | Ensure Reverse Path Filtering is enabled | ipv4 all rp_filter conf + exec: grep "net\.ipv4\.conf\.all\.rp_filter" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/^\/etc\/sysctl.*:net.ipv4.conf.all.rp_filter\s*=\s*1/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.7 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + ipv4_def_rp_filter: + title: 3.3.7 | Ensure Reverse Path Filtering is enabled | ipv4 def rp_filter conf + exec: grep "net\.ipv4\.conf\.default\.rp_filter" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/^\/etc\/sysctl.*:net.ipv4.conf.default.rp_filter\s*=\s*1/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.7 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_3/cis_3.3/cis_3.3.8.yml b/section_3/cis_3.3/cis_3.3.8.yml new file mode 100644 index 0000000..00e023a --- /dev/null +++ b/section_3/cis_3.3/cis_3.3.8.yml 
@@ -0,0 +1,94 @@ +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_3_3_8 }} +kernel-param: + net.ipv4.conf.all.accept_source_route: + title: 3.3.8 | Ensure source routed packets are not accepted | IPv4 all source routed + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.1 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + net.ipv4.conf.default.accept_source_route: + title: 3.3.8 | Ensure source routed packets are not accepted | IPv4 default source routed + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.8 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 +command: + ipv4_all_source_route: + title: 3.3.8 | Ensure source routed packets are not accepted | IPv4 all source routed conf + exec: grep "net\.ipv4\.conf\.all\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/^\/etc\/sysctl.*:net.ipv4.conf.all.accept_source_route\s*=\s*0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.8 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + ipv4_def_source_route: + title: 3.3.8 | Ensure source routed packets are not accepted | IPv4 default source routed conf + exec: grep "net\.ipv4\.conf\.default\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/^\/etc\/sysctl.*:net.ipv4.conf.default.accept_source_route\s*=\s*0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.8 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_3/cis_3.3/cis_3.3.9.yml b/section_3/cis_3.3/cis_3.3.9.yml new file mode 100644 index 0000000..aba186d --- /dev/null 
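Review bot: `CIS_ID: - 3.3.1` under `net.ipv4.conf.all.accept_source_route` is wrong: the title, the gate variable and the other three entries in this file all say 3.3.8, and 3.3.1 is the ID of a different section-3.3 control, so this result would be attributed to the wrong recommendation in any CIS_ID-based report. Change it to `- 3.3.8`. The file also lacks the leading `---` marker used by the other section_3 files.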
+++ b/section_3/cis_3.3/cis_3.3.9.yml @@ -0,0 +1,96 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_3_3_9 }} +kernel-param: + net.ipv4.conf.all.log_martians: + title: 3.3.9 | Ensure suspicious packets are logged | ipv4 all martians + value: '1' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.9 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + net.ipv4.conf.default.log_martians: + title: 3.3.9 | Ensure suspicious packets are logged | ipv4 default martians + value: '1' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.9 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 +command: + ipv4_all_martians: + title: 3.3.9 | Ensure suspicious packets are logged | ipv4 all martians conf + exec: grep "net\.ipv4\.conf\.all\.log_martians" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/^\/etc\/sysctl.*:net.ipv4.conf.all.log_martians\s*=\s*1/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.9 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + ipv4_def_martians: + title: 3.3.9 | Ensure suspicious packets are logged | ipv4 default martians conf + exec: grep "net\.ipv4\.conf\.default\.log_martians" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/^\/etc\/sysctl.*:net.ipv4.conf.default.log_martians\s*=\s*1/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.9 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_3/cis_3.3/ipv6/cis_3.3.5.yml b/section_3/cis_3.3/ipv6/cis_3.3.5.yml new file mode 100644 index 0000000..1c02549 --- /dev/null +++ b/section_3/cis_3.3/ipv6/cis_3.3.5.yml 
@@ -0,0 +1,96 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_3_3_5 }} +kernel-param: + net.ipv6.conf.all.accept_redirects: + title: 3.3.5 | Ensure ICMP redirects are not accepted | ipv6 all icmp redirects + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.5 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + net.ipv6.conf.default.accept_redirects: + title: 3.3.5 | Ensure ICMP redirects are not accepted | ipv6 default icmp redirects + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.5 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 +command: + ipv6_all_icmp_redirects: + title: 3.3.5 | Ensure ICMP redirects are not accepted | ipv6 all icmp redirects conf + exec: grep "net\.ipv6\.conf\.all\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/^net.ipv6.conf.all.accept_redirects(\s|)=(\s|)0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.5 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + ipv6_def_icmp_redirects: + title: 3.3.5 | Ensure ICMP redirects are not accepted | ipv6 def icmp redirects conf + exec: grep "net\.ipv6\.conf\.default\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/^net.ipv6.conf.default.accept_redirects(\s|)=(\s|)0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.5 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_3/cis_3.3/ipv6/cis_3.3.8.yml b/section_3/cis_3.3/ipv6/cis_3.3.8.yml new file mode 100644 index 0000000..b74af71 --- /dev/null +++ b/section_3/cis_3.3/ipv6/cis_3.3.8.yml 
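Review bot: Both conf checks in this file can never pass: `grep` is run over two paths (`/etc/sysctl.conf /etc/sysctl.d/*`), so every output line is prefixed with `filename:`, yet the stdout patterns are anchored as `^net.ipv6.conf.all.accept_redirects...` and `^net.ipv6.conf.default.accept_redirects...`. The ipv4 counterpart in cis_3.3.5.yml uses the right shape; use it here too, `'/^\/etc\/sysctl.*:net.ipv6.conf.all.accept_redirects\s*=\s*0/'` and `'/^\/etc\/sysctl.*:net.ipv6.conf.default.accept_redirects\s*=\s*0/'`. `(\s|)` is just `\s?` and rejects a value written with two spaces around `=`; `\s*` matches the ipv4 files and the kernel's own tolerance.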
@@ -0,0 +1,96 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_3_3_8 }} +kernel-param: + net.ipv6.conf.all.accept_source_route: + title: 3.3.8 | Ensure source routed packets are not accepted | IPv6 all source routed + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.8 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + net.ipv6.conf.default.accept_source_route: + title: 3.3.8 | Ensure source routed packets are not accepted | IPv6 default source routed + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.8 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 +command: + ipv6_all_source_route: + title: 3.3.8 | Ensure source routed packets are not accepted | IPv6 all source routed conf + exec: grep "net\.ipv6\.conf\.all\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/^net.ipv6.conf.all.accept_source_route= 0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.8 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + ipv6_def_source_route: + title: 3.3.8 | Ensure source routed packets are not accepted | IPv6 default source routed conf + exec: grep "net\.ipv6\.conf\.default\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/^net.ipv6.conf.default.accept_source_route(\s|)=(\s|)0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.8 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_3/cis_3.3/ipv6/cis_3.3.9.yml b/section_3/cis_3.3/ipv6/cis_3.3.9.yml new file mode 100644 index 0000000..5a7bb6f --- /dev/null 
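Review bot: The `ipv6_all_source_route` pattern `'/^net.ipv6.conf.all.accept_source_route= 0/'` cannot match grep output that carries a `filename:` prefix (the exec greps two paths), and it additionally demands the exact spelling `= 0` with no space before `=`, so a file written as `net.ipv6.conf.all.accept_source_route = 0` is reported as a failure. `ipv6_def_source_route` has the prefix problem too. Bring both in line with the ipv4 file: `'/^\/etc\/sysctl.*:net.ipv6.conf.all.accept_source_route\s*=\s*0/'` and `'/^\/etc\/sysctl.*:net.ipv6.conf.default.accept_source_route\s*=\s*0/'`.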
+++ b/section_3/cis_3.3/ipv6/cis_3.3.9.yml 
@@ -0,0 +1,108 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_3_3_9 }} +kernel-param: + net.ipv6.conf.all.accept_ra: + title: 3.3.9 | Ensure IPv6 router advertisements are not accepted | ipv6 all router adverts + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.9 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + Mitre_Techniques: + - T1557 + - T1557.001 + Mitre_Tactics: + - TA0006 + - TA0040 + Mitre_Mitigations: + - M1030 + - M1042 + net.ipv6.conf.default.accept_ra: + title: 3.3.9 | Ensure IPv6 router advertisements are not accepted | ipv6 def router adverts + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.9 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + Mitre_Techniques: + - T1557 + - T1557.001 + Mitre_Tactics: + - TA0006 + - TA0040 + Mitre_Mitigations: + - M1030 + - M1042 +command: + ipv6_all_rtr_adverts: + title: 3.3.9 | Ensure IPv6 router advertisements are not accepted | ipv6 all router adverts conf + exec: grep "net\.ipv6\.conf\.all\.accept_ra" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/^net.ipv6.conf.all.accept_ra = 0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.9 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + Mitre_Techniques: + - T1557 + - T1557.001 + Mitre_Tactics: + - TA0006 + - TA0040 + Mitre_Mitigations: + - M1030 + - M1042 + ipv6_def_rtr_adverts: + title: 3.3.9 | Ensure IPv6 router advertisements are not accepted | ipv6 default router adverts conf + exec: grep "net\.ipv6\.conf\.default\.accept_ra" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/^net.ipv6.conf.default.accept_ra(\s|)=(\s|)0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.9 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + Mitre_Techniques: + - T1557 + - T1557.001 + Mitre_Tactics: + - TA0006 + - TA0040 + Mitre_Mitigations: + - M1030 + 
- M1042 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.2/cis_4.2.1.yml b/section_4/cis_4.2/cis_4.2.1.yml new file mode 100644 index 0000000..b0c0b6f --- /dev/null +++ b/section_4/cis_4.2/cis_4.2.1.yml @@ -0,0 +1,27 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_4_2_1 }} +package: + ufw: + title: 4.2.1 | Ensure ufw is installed + installed: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.2.1 + CISv8: + - 4.4 + - 4.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.2/cis_4.2.2.yml b/section_4/cis_4.2/cis_4.2.2.yml new file mode 100644 index 0000000..d36a8aa --- /dev/null +++ b/section_4/cis_4.2/cis_4.2.2.yml @@ -0,0 +1,23 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_4_2_2 }} +package: + iptables-persistent: + title: 4.2.2 | Ensure iptables-persistent is not installed with ufw + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.2.2 + CISv8: + - 4.4 + - 4.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - SC-7 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.2/cis_4.2.3.yml b/section_4/cis_4.2/cis_4.2.3.yml new file mode 100644 index 0000000..01612c6 --- /dev/null +++ b/section_4/cis_4.2/cis_4.2.3.yml @@ -0,0 +1,24 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_4_2_3 }} +service: + ufw: + title: 4.2.3 | Ensure ufw service is enabled + running: true + enabled: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.2.3 + CISv8: + - 4.4 + - 4.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - SC-7 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.2/cis_4.2.4.yml b/section_4/cis_4.2/cis_4.2.4.yml new file mode 100644 index 0000000..b6dbaa8 --- /dev/null +++ b/section_4/cis_4.2/cis_4.2.4.yml 
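Review bot: This file reuses `ubtu24cis_rule_3_3_9` and `CIS_ID: - 3.3.9` for the IPv6 router-advertisement check, but 3.3.9 is already `Ensure suspicious packets are logged` in section_3/cis_3.3/cis_3.3.9.yml, so turning log_martians off silently disables this check too and two different controls collide under one ID; as far as I recall the 24.04 benchmark lists router advertisements as its own recommendation (3.3.11), which is what the gate variable, title and CIS_ID should use — please verify against the benchmark text. Independently, the stdout patterns `'/^net.ipv6.conf.all.accept_ra = 0/'` and `'/^net.ipv6.conf.default.accept_ra(\s|)=(\s|)0/'` are anchored at the start of the line while the grep output is prefixed with the file name, so both conf checks fail on every host; use the ipv4 form `'/^\/etc\/sysctl.*:net.ipv6.conf.all.accept_ra\s*=\s*0/'` (and `default` likewise). This is also the only 3.3.x file carrying Mitre_* metadata instead of a NIST800-53R5 list, which consumers of the meta block will not expect.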
@@ -0,0 +1,33 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_4_2_4 }} +command: + ufw_loopback: + title: 4.2.4 | Ensure ufw loopback traffic is configured + exec: ufw status verbose + exit-status: 0 + stdout: + - '/^Anywhere on lo\s+ ALLOW IN\s+ Anywhere/' + - '/^Anywhere\s+DENY IN\s+127.0.0.0\/8/' + - '/^Anywhere\s+ ALLOW OUT\s+ Anywhere on lo/' + {{ if .Vars.ubtu24cis_ipv6_required}} + - '/^Anywhere \(v6\) on lo\s+ALLOW IN\s+Anywhere \(v6\)/' + - '/^Anywhere \(v6\)\s+DENY IN\s+::1/' + - '/^Anywhere \(v6\)\s+ALLOW OUT\s+Anywhere \(v6\) on lo/' + {{ end }} + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.2.4 + CISv8: + - 4.4 + - 4.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - SC-7 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.2/cis_4.2.5.yml b/section_4/cis_4.2/cis_4.2.5.yml new file mode 100644 index 0000000..bac29b0 --- /dev/null +++ b/section_4/cis_4.2/cis_4.2.5.yml @@ -0,0 +1,26 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_4_2_5 }} +command: + ufw_outbound: + title: 4.2.5 | Ensure ufw outbound connections are configured | Manual + exec: echo "Manual - Please confirm firewall outbound Policies match site policies" + exit-status: 0 + stdout: + - '!/^Manual/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.2.5 + CISv8: + - 4.4 + - 4.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - SC-7 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.2/cis_4.2.6.yml b/section_4/cis_4.2/cis_4.2.6.yml new file mode 100644 index 0000000..af52120 --- /dev/null +++ b/section_4/cis_4.2/cis_4.2.6.yml 
@@ -0,0 +1,26 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_4_2_6 }} +command: + ufw_open_ports: + title: 4.2.6 | Ensure ufw firewall rules exist for all open ports | Manual + exec: echo "Manual - Please confirm firewall rules exist for open ports match site policies" + exit-status: 0 + stdout: + - '!/^Manual/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.2.6 + CISv8: + - 4.4 + - 4.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - SC-7 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.2/cis_4.2.7.yml b/section_4/cis_4.2/cis_4.2.7.yml new file mode 100644 index 0000000..b4d2f3d --- /dev/null +++ b/section_4/cis_4.2/cis_4.2.7.yml @@ -0,0 +1,26 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_4_2_7 }} +command: + ufw_def_deny: + title: 4.2.7 | Ensure ufw default deny firewall policy + exec: 'ufw status verbose | grep Default:' + exit-status: 0 + stdout: + - '/^Default: deny \(incoming\), deny \(outgoing\), disabled \(routed\)/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.2.7 + CISv8: + - 4.4 + - 4.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - SC-7 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.3/cis_4.3.1.yml b/section_4/cis_4.3/cis_4.3.1.yml new file mode 100644 index 0000000..27f763a --- /dev/null +++ b/section_4/cis_4.3/cis_4.3.1.yml @@ -0,0 +1,23 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_4_3_1 }} +package: + nftables: + title: 4.3.1 | Ensure nftables is installed + installed: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.3.1 + CISv8: + - 4.4 + - 4.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - SC-7 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.3/cis_4.3.10.yml b/section_4/cis_4.3/cis_4.3.10.yml new file mode 100644 index 0000000..c34d4bf --- /dev/null +++ b/section_4/cis_4.3/cis_4.3.10.yml 
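Review bot: The `ufw_def_deny` pattern `'/^Default: deny \(incoming\), deny \(outgoing\), disabled \(routed\)/'` accepts exactly one spelling of a compliant policy; my reading of the benchmark's 4.2.7 audit is that `reject` is acceptable for incoming and outgoing and that `deny`/`reject` as well as `disabled` are acceptable for routed, so a host configured with `ufw default reject incoming` would be flagged non-compliant. `'/^Default: (deny|reject) \(incoming\), (deny|reject) \(outgoing\), (disabled|deny|reject) \(routed\)/'` keeps the check strict while matching that wording — please confirm against the benchmark before widening it. `ufw status verbose` needs root, so with `exit-status: 0` an unprivileged goss run fails outright rather than misreporting, which is the right failure mode but worth a comment.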
@@ -0,0 +1,46 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_4_3_10 }} +file: + nftable_perm: + title: 4.3.10 | Ensure nftables rules are permanent | conf file exists + path: /etc/nftables.conf + exists: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.3.10 + CISv8: + - 4.4 + - 4.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CA-9 + - SC-7 +command: + nft_rules: + title: 4.3.10 | Ensure nftables rules are permanent | conf file exists + exec: echo "Manual - Please review nfttables configuration and matches site policy" + exit-status: 0 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.3.10 + CISv8: + - 4.4 + - 4.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CA-9 + - SC-7 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.3/cis_4.3.2.yml b/section_4/cis_4.3/cis_4.3.2.yml new file mode 100644 index 0000000..300b7c3 --- /dev/null +++ b/section_4/cis_4.3/cis_4.3.2.yml @@ -0,0 +1,23 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_4_3_2 }} +package: + ufw: + title: 4.3.2 | Ensure ufw is uninstalled or disabled with nftables + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.3.2 + CISv8: + - 4.4 + - 4.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - SC-7 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.3/cis_4.3.3.yml b/section_4/cis_4.3/cis_4.3.3.yml new file mode 100644 index 0000000..a0e2bd5 --- /dev/null +++ b/section_4/cis_4.3/cis_4.3.3.yml 
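Review bot: The `nft_rules` manual check uses `stdout: - '!/.*/'`, which differs from the `'!/^Manual/'` convention the other echo-based manual checks in section_4 use; both force a failure, but `!/.*/` also fails on an empty line and reads like a mistake rather than an intentional manual marker. Its title repeats `conf file exists` from the `file` check above it instead of ending in `| Manual`, so the report shows two identically named 4.3.10 results. The echoed text says `nfttables` (double t); the same typo recurs in the 4.3.4–4.3.8 messages.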
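Review bot: The 4.3.2 title promises ufw may be `uninstalled or disabled with nftables`, but `package: ufw: installed: false` only accepts the uninstalled state, so a host that keeps the package and has run `ufw disable` is reported as failing. If the looser reading is intended, a `command` check asserting `ufw status` prints `Status: inactive` is needed alongside or instead of the package check; if the stricter reading is intended, drop `or disabled` from the title so the report does not describe an alternative it does not test.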
@@ -0,0 +1,53 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_4_3_3 }} +command: + iptables_flushed: + title: 4.3.3 | Ensure iptables are flushed with nftables | iptable IPv4 flushed + exec: iptables -L + exit-status: + or: + - 0 + - 1 + stdout: + - '!/^.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.3.3 + CISv8: + - 4.4 + - 4.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CA-9 + - SC-7 + ip6tables_flushed: + title: 4.3.3 | Ensure iptables are flushed with nftables | iptable IPv4 flushed + exec: ip6tables -L + exit-status: + or: + - 0 + - 1 + stdout: + - '!/^.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.3.3 + CISv8: + - 4.4 + - 4.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - SC-7 + - CA-9 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.3/cis_4.3.4.yml b/section_4/cis_4.3/cis_4.3.4.yml new file mode 100644 index 0000000..f7d0e85 --- /dev/null +++ b/section_4/cis_4.3/cis_4.3.4.yml @@ -0,0 +1,27 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_4_3_4 }} +command: + nft_tables: + title: 4.3.4 | Ensure a nftables table exists | Manual + exec: echo "Manual - Please confirm nfttables table exists and matched site policy" + exit-status: 0 + stdout: + - '!/^Manual/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.3.4 + CISv8: + - 4.4 + - 4.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CA-9 + - SC-7 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.3/cis_4.3.5.yml b/section_4/cis_4.3/cis_4.3.5.yml new file mode 100644 index 0000000..30e7b7e --- /dev/null +++ b/section_4/cis_4.3/cis_4.3.5.yml 
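Review bot: `stdout: - '!/^.*/'` asserts that `iptables -L` prints nothing, but the command always emits the `Chain INPUT (policy ACCEPT)` headers and the `target prot opt source destination` column line even when every chain is empty, so `iptables_flushed` and `ip6tables_flushed` fail on a correctly flushed host. Filter the headers in the exec and assert on what is left, e.g. `exec: iptables -L 2>/dev/null | grep -Ev '^(Chain |target +prot|$)'` with `stdout: - '!/./'` (exit-status 0 or 1 as now), and the same for ip6tables. The second entry's title says `iptable IPv4 flushed` for the ip6tables check and should read IPv6. If iptables is not installed on an nftables host the exec exits 127, which is outside `or: [0, 1]` and fails the check; adding 127 or guarding with `command -v iptables` would make the nftables profile pass cleanly. On 24.04 the iptables binary is the nft-backed variant and I believe listing can create the legacy `filter` table in nftables as a side effect, so it is worth confirming an audit run leaves nothing behind.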
@@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_4_3_5 }} +command: + nft_chains: + title: 4.3.5 | Ensure nftables base chains exist + exec: echo "Manual - Please confirm nfttables base chain exists and matched site policy" + exit-status: 0 + stdout: + - '!/^Manual/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.3.5 + CISv8: + - 4.4 + - 4.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} +{{ end }} diff --git a/section_4/cis_4.3/cis_4.3.6.yml b/section_4/cis_4.3/cis_4.3.6.yml new file mode 100644 index 0000000..43ba05c --- /dev/null +++ b/section_4/cis_4.3/cis_4.3.6.yml @@ -0,0 +1,27 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_4_3_6 }} +command: + nft_loopback: + title: 4.3.6 | Ensure nftables loopback traffic is configured | Manual + exec: echo "Manual - Please confirm nfttables loopback traffic configured and matched site policy" + exit-status: 0 + stdout: + - '!/^Manual/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.3.6 + CISv8: + - 4.4 + - 4.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CA-9 + - SC-7 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.3/cis_4.3.7.yml b/section_4/cis_4.3/cis_4.3.7.yml new file mode 100644 index 0000000..f0e1875 --- /dev/null +++ b/section_4/cis_4.3/cis_4.3.7.yml @@ -0,0 +1,27 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_4_3_7 }} +command: + nft_conns: + title: 4.3.7 | Ensure nftables outbound and established connections are configured | Manual + exec: echo "Manual - Please confirm nfttables connections are configured and matched site policy" + exit-status: 0 + stdout: + - '!/^Manual/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.3.7 + CISv8: + - 4.4 + - 4.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CA-9 + - SC-7 + {{ end }} +{{ end }} 
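Review bot: `NIST800-53R5: NA` under `nft_chains` is a scalar where every other check in section_4 carries a list (`- CA-9`, `- SC-7`), so a consumer that iterates the meta mappings will trip on this entry; the 4.3.4 and 4.3.6 files either side of it map the same control family, so `NIST800-53R5:` followed by `- CA-9` and `- SC-7` is the consistent choice, or an empty list if no mapping is intended. The title is also missing the `| Manual` suffix the other echo-based checks carry, so it will not be recognisable as a manual item in the report.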
diff --git a/section_4/cis_4.3/cis_4.3.8.yml b/section_4/cis_4.3/cis_4.3.8.yml new file mode 100644 index 0000000..a28a00e --- /dev/null +++ b/section_4/cis_4.3/cis_4.3.8.yml @@ -0,0 +1,27 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_4_3_8 }} +command: + nft_def_deny: + title: 4.3.8 | Ensure nftables default deny firewall policy | Manual + exec: echo "Manual - Please confirm nfttables default denies are configured and matched site policy" + exit-status: 0 + stdout: + - '!/^Manual/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.3.8 + CISv8: + - 4.4 + - 4.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CA-9 + - SC-7 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.3/cis_4.3.9.yml b/section_4/cis_4.3/cis_4.3.9.yml new file mode 100644 index 0000000..d12d4ff --- /dev/null +++ b/section_4/cis_4.3/cis_4.3.9.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_4_3_9 }} +service: + nftables: + title: 4.3.9 | Ensure nftables service is enabled + running: true + enabled: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.3.9 + CISv8: + - 4.4 + - 4.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CA-9 + - SC-7 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.4/cis_4.4.1.1.yml b/section_4/cis_4.4/cis_4.4.1.1.yml new file mode 100644 index 0000000..92994d5 --- /dev/null +++ b/section_4/cis_4.4/cis_4.4.1.1.yml 
@@ -0,0 +1,41 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_4_4_1_1 }} +package: + iptables: + title: 4.4.1.1 | Ensure iptables packages are installed | iptables pkg + installed: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.4.1.1 + CISv8: + - 4.4 + - 4.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CA-9 + - SC-7 + iptables-persistent: + title: 4.4.1.1 | Ensure iptables packages are installed | iptables-persistent pkg + installed: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.4.1.1 + CISv8: + - 4.4 + - 4.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CA-9 + - SC-7 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.4/cis_4.4.1.2.yml b/section_4/cis_4.4/cis_4.4.1.2.yml new file mode 100644 index 0000000..d7ac7b3 --- /dev/null +++ b/section_4/cis_4.4/cis_4.4.1.2.yml @@ -0,0 +1,24 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_4_4_1_2 }} +package: + nftables: + title: 4.4.1.2 | Ensure nftables is not installed with iptables + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.4.1.2 + CISv8: + - 4.4 + - 4.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CA-9 + - SC-7 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.4/cis_4.4.1.3.yml b/section_4/cis_4.4/cis_4.4.1.3.yml new file mode 100644 index 0000000..49cbdfa --- /dev/null +++ b/section_4/cis_4.4/cis_4.4.1.3.yml @@ -0,0 +1,24 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_4_3_1_3 }} +package: + ufw: + title: 4.3.1.3 | Ensure ufw is not in use with iptables + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.3.1.3 + CISv8: + - 4.4 + - 4.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CA-9 + - SC-7 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.4/cis_4.4.2.1.yml b/section_4/cis_4.4/cis_4.4.2.1.yml new file mode 100644 index 0000000..14ec0ca --- /dev/null 
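Review bot: The file is section_4/cis_4.4/cis_4.4.1.3.yml, but the template gates on `.Vars.ubtu24cis_rule_4_3_1_3` and labels the check `4.3.1.3` in both the title and `CIS_ID`; that variable name does not follow the `ubtu24cis_rule_<id>` pattern every other file uses, so unless a `4_3_1_3` variable is defined elsewhere this check is never rendered, and if it were it would be filed under an ID belonging to the nftables section. Change the three occurrences to `ubtu24cis_rule_4_4_1_3`, `4.4.1.3 | Ensure ufw is not in use with iptables` and `- 4.4.1.3`. The same 4.3.x.y-for-4.4.x.y slip appears in every cis_4.4.2.* and cis_4.4.3.* file in this commit.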
+++ b/section_4/cis_4.4/cis_4.4.2.1.yml @@ -0,0 +1,27 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_4_3_2_1 }} +command: + ipt_def_deny: + title: 4.3.2.1 | Ensure iptables default deny firewall policy | Manual + exec: echo "Manual - Please confirm iptables default denies are configured and matched site policy" + exit-status: 0 + stdout: + - '!/^Manual/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.3.2.1 + CISv8: + - 4.4 + - 4.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CA-9 + - SC-7 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.4/cis_4.4.2.2.yml b/section_4/cis_4.4/cis_4.4.2.2.yml new file mode 100644 index 0000000..d4c6af5 --- /dev/null +++ b/section_4/cis_4.4/cis_4.4.2.2.yml @@ -0,0 +1,27 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_4_3_2_2 }} +command: + ipt_loopback: + title: 4.3.2.2 | Ensure iptables loopback traffic is configured | Manual + exec: echo "Manual - Please confirm iptables loopback connections are configured and matched site policy" + exit-status: 0 + stdout: + - '!/^Manual/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.3.2.2 + CISv8: + - 4.4 + - 4.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CA-9 + - SC-7 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.4/cis_4.4.2.3.yml b/section_4/cis_4.4/cis_4.4.2.3.yml new file mode 100644 index 0000000..40f1e42 --- /dev/null +++ b/section_4/cis_4.4/cis_4.4.2.3.yml 
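Review bot: cis_4.4.2.1.yml gates on `.Vars.ubtu24cis_rule_4_3_2_1` and reports itself as `4.3.2.1` in the title and `CIS_ID`, which disagrees with its own path and with the `ubtu24cis_rule_<id>` naming used elsewhere, so the check is most likely never rendered and would otherwise land under an nftables-section ID. Use `ubtu24cis_rule_4_4_2_1`, `4.4.2.1 | Ensure iptables default deny firewall policy | Manual` and `- 4.4.2.1`.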
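Review bot: cis_4.4.2.2.yml has the same numbering slip: `.Vars.ubtu24cis_rule_4_3_2_2`, title `4.3.2.2 | ...` and `CIS_ID: - 4.3.2.2` do not match the file's 4.4.2.2 path, so the gate variable is unlikely to exist and the result would be misfiled. Use `ubtu24cis_rule_4_4_2_2`, `4.4.2.2 | Ensure iptables loopback traffic is configured | Manual` and `- 4.4.2.2`.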
@@ -0,0 +1,25 @@ +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_4_3_2_3 }} +command: + ipt_conns_config: + title: 4.3.2.3 | Ensure iptables outbound and established connections are configured | Manual + exec: echo "Manual - Please confirm iptables outbound and connections are configured and matched site policy" + exit-status: 0 + stdout: + - '!/^Manual/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.3.2.3 + CISv8: + - 4.4 + - 4.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CA-9 + - SC-7 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.4/cis_4.4.2.4.yml b/section_4/cis_4.4/cis_4.4.2.4.yml new file mode 100644 index 0000000..9e23f61 --- /dev/null +++ b/section_4/cis_4.4/cis_4.4.2.4.yml @@ -0,0 +1,27 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_4_3_2_4 }} +command: + ipt_open_ports: + title: 4.3.2.4 | Ensure iptables firewall rules exist for all open ports + exec: echo "Manual - Please confirm iptables rules for open ports configured and matched site policy" + exit-status: 0 + stdout: + - '!/^Manual/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.3.2.4 + CISv8: + - 4.4 + - 4.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CA-9 + - SC-7 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.4/cis_4.4.3.1.yml b/section_4/cis_4.4/cis_4.4.3.1.yml new file mode 100644 index 0000000..e91ee10 --- /dev/null +++ b/section_4/cis_4.4/cis_4.4.3.1.yml 
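Review bot: cis_4.4.2.3.yml gates on `.Vars.ubtu24cis_rule_4_3_2_3` and labels itself `4.3.2.3` in title and `CIS_ID`, contradicting its 4.4.2.3 path, so the check is most likely never rendered; use `ubtu24cis_rule_4_4_2_3`, `4.4.2.3 | Ensure iptables outbound and established connections are configured | Manual` and `- 4.4.2.3`. This file also starts directly with `{{ if` and omits the `---` document marker the rest of section_4 begins with.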
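Review bot: cis_4.4.2.4.yml carries the same mismatch: `.Vars.ubtu24cis_rule_4_3_2_4`, title `4.3.2.4 | ...` and `CIS_ID: - 4.3.2.4` against a 4.4.2.4 path, so the gate variable is unlikely to be defined and the result would be misfiled; use `ubtu24cis_rule_4_4_2_4`, `4.4.2.4 | Ensure iptables firewall rules exist for all open ports | Manual` and `- 4.4.2.4`. The title is also the only one among the echo-based iptables checks without the `| Manual` suffix.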
@@ -0,0 +1,27 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_4_3_3_1 }} +command: + ipt6_def_deny: + title: 4.3.3.1 | Ensure ip6tables default deny firewall policy | Manual + exec: echo "Manual - Please confirm ip6tables default denies are configured and matched site policy" + exit-status: 0 + stdout: + - '!/^Manual/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.3.3.1 + CISv8: + - 4.4 + - 4.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CA-9 + - SC-7 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.4/cis_4.4.3.2.yml b/section_4/cis_4.4/cis_4.4.3.2.yml new file mode 100644 index 0000000..398875c --- /dev/null +++ b/section_4/cis_4.4/cis_4.4.3.2.yml @@ -0,0 +1,27 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_4_3_3_2 }} +command: + ipt6_loopback: + title: 4.3.3.2 | Ensure ip6tables loopback traffic is configured | Manual + exec: echo "Manual - Please confirm ip6tables loopback connections are configured and matched site policy" + exit-status: 0 + stdout: + - '!/^Manual/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.3.3.2 + CISv8: + - 4.4 + - 4.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CA-9 + - SC-7 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.4/cis_4.4.3.3.yml b/section_4/cis_4.4/cis_4.4.3.3.yml new file mode 100644 index 0000000..5da09a4 --- /dev/null +++ b/section_4/cis_4.4/cis_4.4.3.3.yml 
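Review bot: cis_4.4.3.1.yml gates on `.Vars.ubtu24cis_rule_4_3_3_1` and labels itself `4.3.3.1` in title and `CIS_ID`, contradicting its 4.4.3.1 path; the gate variable is unlikely to exist under that name, so the check is most likely never rendered. Use `ubtu24cis_rule_4_4_3_1`, `4.4.3.1 | Ensure ip6tables default deny firewall policy | Manual` and `- 4.4.3.1`.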
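Review bot: cis_4.4.3.2.yml has the same slip: `.Vars.ubtu24cis_rule_4_3_3_2`, title `4.3.3.2 | ...` and `CIS_ID: - 4.3.3.2` do not match the 4.4.3.2 path. Use `ubtu24cis_rule_4_4_3_2`, `4.4.3.2 | Ensure ip6tables loopback traffic is configured | Manual` and `- 4.4.3.2`.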
@@ -0,0 +1,27 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_4_3_3_3 }} +command: + ipt6_conns_config: + title: 4.3.3.3 | Ensure ip6tables outbound and established connections are configured | Manual + exec: echo "Manual - Please confirm ip6tables outbound and connections are configured and matched site policy" + exit-status: 0 + stdout: + - '!/^Manual/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.3.3.3 + CISv8: + - 4.4 + - 4.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CA-9 + - SC-7 + {{ end }} +{{ end }} diff --git a/section_4/cis_4.4/cis_4.4.3.4.yml b/section_4/cis_4.4/cis_4.4.3.4.yml new file mode 100644 index 0000000..6c5dc30 --- /dev/null +++ b/section_4/cis_4.4/cis_4.4.3.4.yml @@ -0,0 +1,27 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_4_3_3_4 }} +command: + ipt6_open_ports: + title: 4.3.3.4 | Ensure ip6tables firewall rules exist for all open ports | Manual + exec: echo "Manual - Please confirm ip6tables rules for open ports configured and matched site policy" + exit-status: 0 + stdout: + - '!/^Manual/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.3.3.4 + CISv8: + - 4.4 + - 4.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CA-9 + - SC-7 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.1.yml b/section_5/cis_5.1/cis_5.1.1.yml new file mode 100644 index 0000000..599b24f --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.1.yml @@ -0,0 +1,27 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_1_1 }} +file: + sshd_config_perms: + title: 5.1.1 | Ensure permissions on /etc/ssh/sshd_config are configured + path: /etc/ssh/sshd_config + exists: true + mode: "0600" + owner: root + group: root + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.1 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} 
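Review bot: cis_5.1.1.yml checks mode, owner and group on /etc/ssh/sshd_config only; the drop-in files under /etc/ssh/sshd_config.d/ are part of the effective sshd configuration (cis_5.1.5.yml later in this commit already greps them) and presumably carry the same 0600 root:root expectation — confirm against the benchmark text. If they do, a second `command:` stanza that lists drop-ins failing any of the three conditions and asserts empty output with the `['!/./']` form used by the host-key checks would close the gap.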
diff --git a/section_5/cis_5.1/cis_5.1.10.yml b/section_5/cis_5.1/cis_5.1.10.yml new file mode 100644 index 0000000..cfd4a72 --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.10.yml @@ -0,0 +1,30 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_1_10 }} +file: + ssh_hostbased_auth: + title: 5.1.10 | Ensure SSH HostbasedAuthentication is disabled + path: /etc/ssh/sshd_config + exists: true + contents: + - '/^(?i)HostbasedAuthentication no/' + - '!/^(?i)HostbasedAuthentication yes/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.10 + CISv8: + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.11.yml b/section_5/cis_5.1/cis_5.1.11.yml new file mode 100644 index 0000000..ab66ab9 --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.11.yml @@ -0,0 +1,30 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_1_11 }} +file: + ssh_rhosts: + title: 5.1.11 | Ensure sshd IgnoreRhosts is enabled + path: /etc/ssh/sshd_config + exists: true + contents: + - '/^(?i)Ignorerhosts yes/' + - '!/^(?i)Ignorerhosts no/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.11 + CISv8: + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.12.yml b/section_5/cis_5.1/cis_5.1.12.yml new file mode 100644 index 0000000..1166766 --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.12.yml 
@@ -0,0 +1,28 @@
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_1_12 }}
+file:
+ sshd_KEX:
+ title: 5.1.12 | Ensure sshd Kex algorithms is configured
+ path: /etc/ssh/sshd_config
+ exists: true
+ contents:
+ {{ range .Vars.ubtu24cis_ssh_strong_kex }}
+ - '/^KexAlgorithms.*{{ . }}/'
+ {{ end }}
+ {{ range .Vars.ubtu24cis_ssh_weak_kex }}
+ - '!/^KexAlgorithms.*!{{ . }}/'
+ {{ end }}
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.1.12
+ CISv8:
+ - 3.10
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - SC-8
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.1/cis_5.1.13.yml b/section_5/cis_5.1/cis_5.1.13.yml
new file mode 100644
index 0000000..75bceb9
--- /dev/null
+++ b/section_5/cis_5.1/cis_5.1.13.yml
@@ -0,0 +1,25 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_1_13 }}
+file:
+ ssh_logingrace:
+ title: 5.1.21 | Ensure sshd LoginGraceTime is configured
+ path: /etc/ssh/sshd_config
+ exists: true
+ contents:
+ - '/^(?i)LoginGraceTime ([1-9]|[1-5][0-9]|60)$/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.1.13
+ CISv8:
+ - 4.1
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-6
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.1/cis_5.1.14.yml b/section_5/cis_5.1/cis_5.1.14.yml
new file mode 100644
index 0000000..c8da9c8
--- /dev/null
+++ b/section_5/cis_5.1/cis_5.1.14.yml
@@ -0,0 +1,28 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_1_14 }}
+file:
+ ssh_loglevel:
+ title: 5.1.14 | Ensure sshd LogLevel is configured
+ path: /etc/ssh/sshd_config
+ exists: true
+ contents:
+ - '/LogLevel (VERBOSE|INFO)/'
+ - '!/^LogLevel DEBUG/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.1.14
+ CISv8:
+ - 8.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - AU-3
+ - AU-12
+ - SI-5
+ {{ end }}
+{{ end }}
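Review bot: In cis_5.1.12.yml the weak-KEX exclusion `- '!/^KexAlgorithms.*!{{ . }}/'` carries a stray `!` inside the regex, so it only matches when a literal `!` precedes the algorithm name and a weak KEX listed in KexAlgorithms is never flagged; it should read `- '!/^KexAlgorithms.*{{ . }}/'`, matching the cipher and MAC checks elsewhere in this commit. In cis_5.1.13.yml the title says `5.1.21` while the CIS_ID is 5.1.13. In cis_5.1.14.yml `'/LogLevel (VERBOSE|INFO)/'` is unanchored, so a commented-out `#LogLevel INFO` line satisfies it; `- '/^(?i)LogLevel (VERBOSE|INFO)/'` keeps it in step with the negative pattern beneath it.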
diff --git a/section_5/cis_5.1/cis_5.1.15.yml b/section_5/cis_5.1/cis_5.1.15.yml new file mode 100644 index 0000000..513f4b9 --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.15.yml @@ -0,0 +1,34 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_1_15 }} +file: + sshd_MACS: + title: 5.1.15 | Ensure only strong MACs are used + path: /etc/ssh/sshd_config + exists: true + contents: + {{ range .Vars.ubtu24cis_ssh_strong_macs }} + - '/(?i)^MACs.*{{ . }}/' + {{ end }} + {{ range .Vars.ubtu24cis_ssh_weak_macs }} + - '!/(?i)^MACs.*{{ . }}/' + {{ end }} + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.15 + CISv8: + - 3.10 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.16.yml b/section_5/cis_5.1/cis_5.1.16.yml new file mode 100644 index 0000000..e90adf9 --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.16.yml @@ -0,0 +1,26 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_1_16 }} +file: + sshd_authtries: + title: 5.1.16 | Ensure sshd MaxAuthTries is configured + path: /etc/ssh/sshd_config + exists: true + contents: + - '/(?i)maxauthtries [1-4]/' + - '!/(?i)maxauthtries ([5-9]|[1-9]{2,})/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.16 + CISv8: + - 8.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.17.yml b/section_5/cis_5.1/cis_5.1.17.yml new file mode 100644 index 0000000..d1e8acd --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.17.yml 
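Review bot: `'/(?i)maxauthtries [1-4]/'` in cis_5.1.16.yml is neither start- nor end-anchored, so `MaxAuthTries 10` or `40` passes on the leading digit and a commented `#MaxAuthTries 4` also satisfies it, while the negative pattern's `[1-9]{2,}` never matches values containing a 0. Anchoring fixes both: `- '/^(?i)MaxAuthTries [1-4]$/'` and `- '!/^(?i)MaxAuthTries ([5-9]|[1-9][0-9]+)$/'`.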
@@ -0,0 +1,27 @@ +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_1_17 }} +file: + ssh_maxsessions: + title: 5.1.17 | Ensure SSH MaxSessions is limited + path: /etc/ssh/sshd_config + exists: true + contents: + - '/^(?i)MaxSessions ([2-9]|10)/' + - '!/^MaxSessions (1|1[1-9]|[2-9][0-9]|[1-9]{3,})/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.17 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.18.yml b/section_5/cis_5.1/cis_5.1.18.yml new file mode 100644 index 0000000..4f73456 --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.18.yml @@ -0,0 +1,29 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_1_18 }} +file: + ssh_maxstartups: + title: 5.1.18 | Ensure SSH MaxStartups is configured + path: /etc/ssh/sshd_config + exists: true + contents: + - 'MaxStartups 10:30:60' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.18 + CISv8: + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.19.yml b/section_5/cis_5.1/cis_5.1.19.yml new file mode 100644 index 0000000..a8c86c1 --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.19.yml @@ -0,0 +1,30 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_1_19 }} +file: + ssh_empty_passwd: + title: 5.1.19 | Ensure SSH PermitEmptyPasswords is configured + path: /etc/ssh/sshd_config + exists: true + contents: + - '/^(?i)PermitEmptyPasswords no/' + - '!/^(?i)PermitEmptyPasswords yes/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.19 + CISv8: + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} 
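Review bot: In cis_5.1.17.yml the negative pattern `'!/^MaxSessions (1|1[1-9]|[2-9][0-9]|[1-9]{3,})/'` has no end anchor, so its `1` alternative also matches `MaxSessions 10` and the maximum the positive line deliberately allows can never pass; `- '!/^(?i)MaxSessions (1|1[1-9]|[2-9][0-9]|[1-9][0-9]{2,})$/'` rejects only 1 and values above 10. The positive pattern has the mirror problem (`MaxSessions 20` matches through `2`) and needs a `$` as well. In cis_5.1.18.yml `- 'MaxStartups 10:30:60'` is a plain substring match that a commented `#MaxStartups 10:30:60` satisfies; the bare strings in 5.1.22, 5.1.8 and 5.1.9 later in this commit share that weakness and would be safer in the anchored `/^.../` form the surrounding negatives use.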
diff --git a/section_5/cis_5.1/cis_5.1.2.yml b/section_5/cis_5.1/cis_5.1.2.yml
new file mode 100644
index 0000000..7f3fdc1
--- /dev/null
+++ b/section_5/cis_5.1/cis_5.1.2.yml
@@ -0,0 +1,61 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_1_2 }}
+command:
+ /etc/ssh/ssh_host_prv_key_user:
+ title: 5.1.2 | Ensure permissions on SSH private host key files are configured | user
+ exec: "userkeys=$(sudo find /etc/ssh/ -name *_key -type f ! -user root ); echo $userkeys"
+ exit-status: 0
+ stdout: ['!/./']
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.1.3
+ CISv8:
+ - 3.3
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - AC-3
+ - MP-2
+ /etc/ssh/ssh_host_prv_key_group:
+ title: 5.1.2 | Ensure permissions on SSH private host key files are configured | group
+ exec: "groupkeys=$(sudo find /etc/ssh/ -name *_key -type f ! -group root ); echo $groupkeys"
+ exit-status: 0
+ stdout: ['!/./']
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.1.2
+ CISv8:
+ - 3.3
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - AC-3
+ - MP-2
+ /etc/ssh/ssh_host_prv_key_perms:
+ title: 5.1.2 | Ensure permissions on SSH private host key files are configured | perms
+ exec: "keyperms=$(sudo find /etc/ssh/ -name *_key -type f -perm /137 ); echo $keyperms"
+ exit-status: 0
+ stdout: ['!/./']
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.1.2
+ CISv8:
+ - 3.3
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - AC-3
+ - MP-2
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.1/cis_5.1.20.yml b/section_5/cis_5.1/cis_5.1.20.yml
new file mode 100644
index 0000000..4087900
--- /dev/null
+++ b/section_5/cis_5.1/cis_5.1.20.yml
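Review bot: All three exec lines in cis_5.1.2.yml pass `-name *_key` unquoted, so the shell expands the glob against the working directory before find runs; if anything there matches, find receives a different pattern (or several) and the check silently scans for the wrong names. Quote it in each stanza: `-name '*_key'`. The first stanza's CIS_ID also reads `5.1.3` where the other two correctly say 5.1.2.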
@@ -0,0 +1,26 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_1_20 }} +file: + ssh_permit_root: + title: 5.1.20 | Ensure SSH PermitRootLogin is configured + path: /etc/ssh/sshd_config + exists: true + contents: + - '/^(?i)PermitRootLogin no/' + - '!/^(?i)PermitRootLogin yes/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.20 + CISv8: + - 5.4 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-6 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.21.yml b/section_5/cis_5.1/cis_5.1.21.yml new file mode 100644 index 0000000..6ae4073 --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.21.yml @@ -0,0 +1,30 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_1_21 }} +file: + ssh_userenv: + title: 5.1.21 | Ensure SSH PermitUserEnvironment is disabled + path: /etc/ssh/sshd_config + exists: true + contents: + - '/^(?i)PermitUserEnvironment no/' + - '!/^(?i)PermitUserEnvironment yes/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.21 + CISv8: + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.22.yml b/section_5/cis_5.1/cis_5.1.22.yml new file mode 100644 index 0000000..c684b5c --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.22.yml @@ -0,0 +1,30 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_1_22 }} +file: + ssh_usepam: + title: 5.1.22 | Ensure SSH PAM is enabled + path: /etc/ssh/sshd_config + exists: true + contents: + - 'UsePAM yes' + - '!/^UsePAM no/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.22 + CISv8: + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.3.yml b/section_5/cis_5.1/cis_5.1.3.yml new file mode 100644 index 0000000..69b888d --- /dev/null 
+++ b/section_5/cis_5.1/cis_5.1.3.yml
@@ -0,0 +1,61 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_1_3 }}
+command:
+ /etc/ssh/ssh_host_pub_key_user:
+ title: 5.1.3 | Ensure permissions on SSH pub host key files are configured | user
+ exec: "userkeys=$(sudo find /etc/ssh/ -name *_key.pub -type f ! -user root ); echo $userkeys"
+ exit-status: 0
+ stdout: ['!/./']
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.1.3
+ CISv8:
+ - 3.3
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - AC-3
+ - MP-2
+ /etc/ssh/ssh_host_pub_key_group:
+ title: 5.1.3 | Ensure permissions on SSH private host key files are configured | group
+ exec: "groupkeys=$(sudo find /etc/ssh/ -name *_key.pub -type f ! -group root ); echo $groupkeys"
+ exit-status: 0
+ stdout: ['!/./']
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.1.3
+ CISv8:
+ - 3.3
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - AC-3
+ - MP-2
+ /etc/ssh/ssh_host_pub_key_perms:
+ title: 5.1.3 | Ensure permissions on SSH private host key files are configured | perms
+ exec: "keysperm=$(sudo find /etc/ssh/ -name *_key.pub -type f -perm /137 ); echo $keyperms"
+ exit-status: 0
+ stdout: ['!/./']
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.1.3
+ CISv8:
+ - 3.3
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - AC-3
+ - MP-2
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.1/cis_5.1.4.yml b/section_5/cis_5.1/cis_5.1.4.yml
new file mode 100644
index 0000000..a233b15
--- /dev/null
+++ b/section_5/cis_5.1/cis_5.1.4.yml
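Review bot: In the `perms` stanza of cis_5.1.3.yml the exec assigns `keysperm=$(...)` but echoes `$keyperms`, so the output is always empty and the `['!/./']` assertion passes whatever mode the public keys have; the line should be `exec: "keyperms=$(sudo find /etc/ssh/ -name '*_key.pub' -type f -perm /137 ); echo $keyperms"`. Once that is fixed, note that `-perm /137` includes the other-read bit, so every 0644 public key would be reported; for public keys the benchmark's mask is, to my recollection, `/133` (0644 or stricter) — confirm before changing it. The `group` and `perms` titles say "private host key" although this file covers the public keys, and `-name *_key.pub` is unquoted in all three stanzas, as in cis_5.1.2.yml.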
@@ -0,0 +1,28 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_1_4 }}
+file:
+ sshd_access_limited:
+ title: 5.1.4 | Ensure SSH access is configured
+ path: /etc/ssh/sshd_config
+ exists: true
+ contents:
+ {{ range .Vars.ubtu24cis_sshd_access }}
+ - {{ . }}
+ {{ end }}
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.1.4
+ CISv8:
+ - 3.3
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - AC-3
+ - MP-2
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.1/cis_5.1.5.yml b/section_5/cis_5.1/cis_5.1.5.yml
new file mode 100644
index 0000000..f691d73
--- /dev/null
+++ b/section_5/cis_5.1/cis_5.1.5.yml
@@ -0,0 +1,57 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_1_5 }}
+file:
+ ssh_banner:
+ title: 5.1.5 | Ensure sshd banner is configured | sshd_default
+ path: /etc/ssh/sshd_config
+ exists: true
+ contents:
+ - 'Banner /etc/issue.net'
+ - '!/^Banner none/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.1.5
+ CISv8:
+ - 4.1
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+command:
+ ssh_configd_banner:
+ title: 5.1.5 | Ensure SSH warning banner configured | conf.d banner settings
+ exec: grep -Eis '^\s*Banner\s+"?none\b'/etc/ssh/sshd_config.d/*.conf
+ exit-status:
+ or:
+ - 0
+ - 1
+ - 2
+ stdout:
+ - '!/.*/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.1.5
+ CISv8:
+ - 4.1
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.1/cis_5.1.6.yml b/section_5/cis_5.1/cis_5.1.6.yml
new file mode 100644
index 0000000..59f85a9
--- /dev/null
+++ b/section_5/cis_5.1/cis_5.1.6.yml
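Review bot: In the `ssh_configd_banner` exec of cis_5.1.5.yml there is no space between the pattern's closing quote and the path (`'^\s*Banner\s+"?none\b'/etc/ssh/sshd_config.d/*.conf`), so the shell hands grep one word that is the pattern with the path appended and no file operand; grep then reads whatever stdin goss gives it, presumably exits 1 or 2 — both accepted by the `or` list — with empty output, and the drop-ins are never inspected. It should be `exec: grep -Eis '^\s*Banner\s+"?none\b' /etc/ssh/sshd_config.d/*.conf`. In cis_5.1.4.yml each `ubtu24cis_sshd_access` entry is rendered as `- {{ . }}` without quotes, so a negated pattern beginning with `!` would be read by YAML as a tag rather than a string; `- '{{ . }}'` avoids that.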
@@ -0,0 +1,30 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_1_6 }} +file: + sshd_ciphers: + title: 5.1.6 | Ensure only strong Ciphers are used + path: /etc/ssh/sshd_config + exists: true + contents: + {{ range .Vars.ubtu24cis_ssh_strong_ciphers }} + - '/^Ciphers.*{{ . }}/' + {{ end }} + {{ range .Vars.ubtu24cis_ssh_weak_ciphers }} + - '!/^Ciphers.*{{ . }}/' + {{ end }} + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.6 + CISv8: + - 3.10 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - SC-8 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.7.yml b/section_5/cis_5.1/cis_5.1.7.yml new file mode 100644 index 0000000..bbff7b3 --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.7.yml @@ -0,0 +1,31 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_1_7 }} +file: + sshd_clientalive: + title: 5.1.7 | Ensure sshd ClientAloveInterval and CLientAliveCountMax are configured + path: /etc/ssh/sshd_config + exists: true + contents: + - 'ClientAliveInterval {{ .Vars.ubtu24cis_ssh_aliveinterval }}' + - 'ClientAliveCountMax {{ .Vars.ubtu24cis_ssh_countmax }}' + - '/ClientAliveInterval ([1-9]|[1-2][0-9][0-9]|300)/' + - '/ClientAliveCountMax [0-3]/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.7 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.8.yml b/section_5/cis_5.1/cis_5.1.8.yml new file mode 100644 index 0000000..dcd1ffa --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.8.yml 
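Review bot: The title in cis_5.1.7.yml misspells both directives (`ClientAloveInterval`, `CLientAliveCountMax`) and that text is what ends up in reports; it should be `title: 5.1.7 | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured`. The range pattern `'/ClientAliveInterval ([1-9]|[1-2][0-9][0-9]|300)/'` omits two-digit values and only accepts e.g. 15 because it is unanchored and `[1-9]` matches the first digit, which equally lets 301 and above through; `- '/^ClientAliveInterval ([1-9]|[1-9][0-9]|[1-2][0-9][0-9]|300)$/'` states the intended 1–300 range explicitly. `'/ClientAliveCountMax [0-3]/'` admits 0, which in sshd disables the keepalive disconnect entirely — confirm that the benchmark really allows it.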
@@ -0,0 +1,26 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_5_1_8 }} +file: + sshd_disableforwarding: + title: 5.1.8 | Ensure sshd DisableForwarding is enabled + path: /etc/ssh/sshd_config + exists: true + contents: + - 'DisableForwarding yes' + - '!/^DisableForwarding no/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 5.1.8 + CISv8: + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.9.yml b/section_5/cis_5.1/cis_5.1.9.yml new file mode 100644 index 0000000..bc50682 --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.9.yml @@ -0,0 +1,26 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_5_1_9 }} +file: + sshd_gssapiauth: + title: 5.1.9 | Ensure sshd GSSAPIAuthentication is disabled + path: /etc/ssh/sshd_config + exists: true + contents: + - 'GSSAPIAuthentication no' + - '!/^GSSAPIAuthentication yes/' + meta: + server: 2 + workstation: 1 + CIS_ID: + - 5.1.9 + CISv8: + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.2/cis_5.2.1.yml b/section_5/cis_5.2/cis_5.2.1.yml new file mode 100644 index 0000000..0d5c0f4 --- /dev/null +++ b/section_5/cis_5.2/cis_5.2.1.yml @@ -0,0 +1,26 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_2_1 }} +package: + sudo: + title: 5.2.1 | Ensure sudo is installed + installed: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.2.1 + CISv8: + - 5.4 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.2/cis_5.2.2.yml b/section_5/cis_5.2/cis_5.2.2.yml new file mode 100644 index 0000000..f45b0ba --- /dev/null +++ b/section_5/cis_5.2/cis_5.2.2.yml 
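Review bot: cis_5.1.9.yml is gated on `{{ if .Vars.ubtu24cis_level_2 }}` and marks `server: 2` but `workstation: 1`; if the benchmark scores this as Level 1 for workstations the gate hides the check on Level 1 workstation runs, and if not the meta value is wrong — either way the two should agree, as they do (2/2) in cis_5.1.8.yml just above.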
@@ -0,0 +1,44 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_2_2 }}
+file:
+ sudoers_use_pty:
+ title: 5.2.2 | Ensure sudo commands use pty | Config
+ path: /etc/sudoers
+ exists: true
+ contents:
+ - '/^Defaults.*\suse_pty/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.2.2
+ CISv8:
+ - 5.4
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - AC-6
+command:
+ pty_sudoers_d:
+ title: 5.2.2 | Ensure sudo commands use pty | sudoers.d
+ exec: "ls -1 /etc/sudoers.d/* > /dev/null 2>&1; if [ '$?' = '0' ]; then grep -c '^Defaults\\s*use_pty' /etc/sudoers.d/*; else echo 99;fi"
+ exit-status: 0
+ stdout:
+ - '/[0-99]/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.2.2
+ CISv8:
+ - 5.4
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - AC-6
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.2/cis_5.2.3.yml b/section_5/cis_5.2/cis_5.2.3.yml
new file mode 100644
index 0000000..c4793d9
--- /dev/null
+++ b/section_5/cis_5.2/cis_5.2.3.yml
@@ -0,0 +1,27 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_2_3 }}
+command:
+ log_sudoers_d:
+ title: 5.2.3 | Ensure sudo log file exists | sudoers.d
+ exec: "grep -Ec '^Defaults logfile=/var/log/*.log' /etc/sudoers /etc/sudoers.d/.*/"
+ exit-status:
+ lt: 3
+ stdout:
+ - '/[1:99]/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.2.3
+ CISv8:
+ - 8.5
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - AU-3
+ - AU-12
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.2/cis_5.2.4.yml b/section_5/cis_5.2/cis_5.2.4.yml
new file mode 100644
index 0000000..f04f089
--- /dev/null
+++ b/section_5/cis_5.2/cis_5.2.4.yml
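Review bot: In `pty_sudoers_d` (cis_5.2.2.yml) the test `[ '$?' = '0' ]` compares the literal string `$?` because it is single-quoted, so the else branch always runs, `99` is always printed, and `/[0-99]/` (a character class, not a range) always matches — the sudoers.d files are never inspected. Use `if [ "$?" = "0" ]` (or simply `if ls -1 /etc/sudoers.d/* >/dev/null 2>&1; then`) together with an assertion that actually requires a hit, bearing in mind that `grep -c` exits 1 when no file matches, which `exit-status: 0` would then reject. In `log_sudoers_d` (cis_5.2.3.yml) the ERE `^Defaults logfile=/var/log/*.log` reads `/*` as zero-or-more slashes and `.log` as any character followed by `log`, so the usual `Defaults logfile=/var/log/sudo.log` does not match it; something like `'^Defaults\s+logfile="?/var/log/[^" ]*\.log'` is needed. Its second operand `/etc/sudoers.d/.*/` expands to dot-directories rather than the drop-in files and should be `/etc/sudoers.d/*`, and `/[1:99]/` is again a character class.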
@@ -0,0 +1,28 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_5_2_4 }} +command: + nopasswd_sudoers_d: + title: 5.2.4 | Ensure users must provide password for privilege escalation + exec: grep -R NOPASSWD /etc/sudoers /etc/sudoers.d/* | grep -v '.*\:#' + exit-status: + or: + - 0 + - 1 + stdout: + - '!/.*/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 5.2.4 + CISv8: + - 5.4 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-6 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.2/cis_5.2.5.yml b/section_5/cis_5.2/cis_5.2.5.yml new file mode 100644 index 0000000..a1a55f1 --- /dev/null +++ b/section_5/cis_5.2/cis_5.2.5.yml @@ -0,0 +1,28 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_2_5 }} +command: + authenticate_sudoers: + title: 5.2.5 | Ensure re-authentication for privilege escalation is not disabled globally + exec: 'grep -r "^[^#].*\!authenticate" /etc/sudoers*' + exit-status: + or: + - 0 + - 1 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.2.5 + CISv8: + - 5.4 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-6 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.2/cis_5.2.6.yml b/section_5/cis_5.2/cis_5.2.6.yml new file mode 100644 index 0000000..e008184 --- /dev/null +++ b/section_5/cis_5.2/cis_5.2.6.yml @@ -0,0 +1,26 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_2_6 }} +command: + sudo_timeout: + title: 5.2.6 | Ensure sudo authentication timeout is configured correctly + exec: grep -rP "timestamp_timeout=\K[0-9]*" /etc/sudoers* + exit-status: 0 + stdout: + - '!/timestamp_timeout=(-1|1[6-9]|[2-9][0-9]|[1-9][0-9]{2,})/' + - '/timestamp_timeout=([5-9]|1[0-5])/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.2.6 + CISv8: + - 5.4 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-6 + {{ end }} +{{ end }} 
diff --git a/section_5/cis_5.2/cis_5.2.7.yml b/section_5/cis_5.2/cis_5.2.7.yml new file mode 100644 index 0000000..cc7e086 --- /dev/null +++ b/section_5/cis_5.2/cis_5.2.7.yml @@ -0,0 +1,42 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_2_7 }} +file: + su_conf: + title: 5.2.7 | Ensure access to the su command is restricted + path: /etc/pam.d/su + exists: true + contents: + - '/^auth\s+required\s+pam_wheel.so use_uid group={{ .Vars.ubtu24cis_sugroup }}/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.2.7 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-6 +command: + sugroup_etc_group: + title: 5.2.7 | Ensure access to the su command is restricted + exec: grep {{ .Vars.ubtu24cis_sugroup }} /etc/group | awk -F':' '{print $NF}' + exit-status: 0 + stdout: + - '!/^[a-zA-Z]/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.2.7 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-6 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.1/cis_5.3.1.1.yml b/section_5/cis_5.3.1/cis_5.3.1.1.yml new file mode 100644 index 0000000..aab5a33 --- /dev/null +++ b/section_5/cis_5.3.1/cis_5.3.1.1.yml @@ -0,0 +1,27 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_3_1_1 }} +package: + libpam-runtime: + title: 5.3.1.1 | Ensure latest version of pam is installed + installed: true + versions: + not: + - '1.4.0-11ubuntu2.1' + - '1.4.0-11ubuntu2.2' + - '1.4.0-11ubuntu2.3' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.1.1 + CISv8: + - 5.4 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} +{{ end }} + diff --git a/section_5/cis_5.3.1/cis_5.3.1.2.yml b/section_5/cis_5.3.1/cis_5.3.1.2.yml new file mode 100644 index 0000000..d162e6c --- /dev/null +++ b/section_5/cis_5.3.1/cis_5.3.1.2.yml 
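Review bot: `grep {{ .Vars.ubtu24cis_sugroup }} /etc/group` in cis_5.2.7.yml is unanchored, so any group whose name or member list contains the configured name as a substring is printed too, and one of those lines having members makes the `!/^[a-zA-Z]/` assertion fail for the wrong group (or, if printed last, masks a real member). Anchor it to the name field: `exec: grep '^{{ .Vars.ubtu24cis_sugroup }}:' /etc/group | awk -F':' '{print $NF}'`. The scalar `CISv8: 3.3` in both stanzas differs from the list form every other file in this commit uses, which a consumer of the meta block may not expect.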
@@ -0,0 +1,26 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_3_1_2 }} +package: + libpam-modules: + title: 5.3.1.2 | Ensure latest version of libpam-modules is installed + installed: true + versions: + not: + - '1.4.0-11ubuntu2.1' + - '1.4.0-11ubuntu2.2' + - '1.4.0-11ubuntu2.3' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.1.2 + CISv8: + - 5.4 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.1/cis_5.3.1.3.yml b/section_5/cis_5.3.1/cis_5.3.1.3.yml new file mode 100644 index 0000000..67e6eb3 --- /dev/null +++ b/section_5/cis_5.3.1/cis_5.3.1.3.yml @@ -0,0 +1,26 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_3_1_3 }} +package: + libpam-pwquality: + title: 5.3.1.3 | Ensure latest version of libpam-pwquality is installed + installed: true + versions: + not: + - '1.4.0-11ubuntu2.1' + - '1.4.0-11ubuntu2.2' + - '1.4.0-11ubuntu2.3' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.1.3 + CISv8: + - 5.4 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.2/cis_5.3.2.1.yml b/section_5/cis_5.3.2/cis_5.3.2.1.yml new file mode 100644 index 0000000..14423f4 --- /dev/null +++ b/section_5/cis_5.3.2/cis_5.3.2.1.yml 
@@ -0,0 +1,79 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_3_2_1 }} +file: + pam_unix_enabled_common_act: + title: 5.3.2.1 | Ensure pam_unix module is enabled + path: /etc/pam.d/common-account + exists: true + contents: + - '/^account\s*\[success=\d new_authtok_reqd=done default=ignore\]\s*pam_unix.so/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.2.1 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - IA-5 + pam_unix_enabled_common_session: + title: 5.3.2.1 | Ensure pam_unix module is enabled + path: /etc/pam.d/common-session + exists: true + contents: + - '/^\s*session\s*required\s+pam_unix.so/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.2.1 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - IA-5 + pam_unix_enabled_common_auth: + title: 5.3.2.1 | Ensure pam_unix module is enabled + path: /etc/pam.d/common-auth + exists: true + contents: + - '/^\s*auth\s+\[success=\d default=.*\]\s+pam_unix.so/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.2.1 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - IA-5 + pam_unix_enabled_common_password: + title: 5.3.2.1 | Ensure pam_unix module is enabled + path: /etc/pam.d/common-password + exists: true + contents: + - '/^\s*password\s+\[success=\d default=.*\]\s+pam_unix.so/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.2.1 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.2/cis_5.3.2.2.yml b/section_5/cis_5.3.2/cis_5.3.2.2.yml new file mode 100644 index 0000000..e1ea732 --- /dev/null +++ b/section_5/cis_5.3.2/cis_5.3.2.2.yml 
@@ -0,0 +1,42 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_3_2_2 }} +file: + pam_faillock_enabled_common_act: + title: 5.3.2.2 | Ensure pam_faillock module is enabled + path: /etc/pam.d/common-account + exists: true + contents: + - '/^\s*account\s+(requisite|required)\s+pam_faillock.so/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.2.2 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + pam_faillock_enabled_common_auth: + title: 5.3.2.2 | Ensure pam_faillock module is enabled + path: /etc/pam.d/common-auth + exists: true + contents: + - '/^\s*auth\s+(requisite|required)\s+pam_faillock.so\s+preauth/' + - '/^auth\s*\[default=die\]\s+pam_faillock.so\s+authfail/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.2.2 + CISv8: + - 6.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.2/cis_5.3.2.3.yml b/section_5/cis_5.3.2/cis_5.3.2.3.yml new file mode 100644 index 0000000..7778c99 --- /dev/null +++ b/section_5/cis_5.3.2/cis_5.3.2.3.yml @@ -0,0 +1,24 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_3_2_3 }} +file: + pam_pwquality_enabled_common_passwd: + title: 5.3.2.3 | Ensure pam_pwquality module is enabled + path: /etc/pam.d/common-password + exists: true + contents: + - '/^\s*password\s+(required|requisite)\s+pam_pwquality.so/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.2.3 + CISv8: + - 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.2/cis_5.3.2.4.yml b/section_5/cis_5.3.2/cis_5.3.2.4.yml new file mode 100644 index 0000000..4b39d19 --- /dev/null +++ b/section_5/cis_5.3.2/cis_5.3.2.4.yml 
@@ -0,0 +1,24 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_3_2_4 }}
+file:
+ pam_pwhistory_enabled_common_passwd:
+ title: 5.3.2.4 | Ensure pam_pwhistory module is enabled
+ path: /etc/pam.d/common-password
+ exists: true
+ contents:
+ - '/^\s*password\s+(required|requisite)\s+pam_pwhistory.so/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.3.2.4
+ CISv8:
+ - 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: NA
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.3.3.1/cis_5.3.3.1.1.yml b/section_5/cis_5.3.3.1/cis_5.3.3.1.1.yml
new file mode 100644
index 0000000..be19786
--- /dev/null
+++ b/section_5/cis_5.3.3.1/cis_5.3.3.1.1.yml
@@ -0,0 +1,43 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_3_3_1_1 }}
+file:
+ faillock_attempts_deny:
+ title: 5.3.3.1.1 | Ensure password failed attempts lockout is configured
+ path: /etc/security/faillock.conf
+ exists: true
+ contents:
+ - '/^deny\s*=\s*[1-5]$/'
+ - '!/^deny\s*=\s*([5-9]|[0-9]{2,})/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.3.3.1.1
+ CISv8:
+ - 6.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: NA
+command:
+ faillock_attempts_deny_removed:
+ title: 5.3.3.1.1 | Ensure password failed attempts lockout is configured
+ exec: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?deny\b' /usr/share/pam-configs/*
+ exit-status: 1
+ stdout:
+ - '!/.*/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.3.3.1.1
+ CISv8:
+ - 6.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: NA
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.3.3.1/cis_5.3.3.1.2.yml b/section_5/cis_5.3.3.1/cis_5.3.3.1.2.yml
new file mode 100644
index 0000000..b58460f
--- /dev/null
+++ b/section_5/cis_5.3.3.1/cis_5.3.3.1.2.yml
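Review bot: In the file stanza of cis_5.3.3.1.1.yml the positive and negative patterns overlap on 5: `'/^deny\s*=\s*[1-5]$/'` accepts `deny = 5` while `'!/^deny\s*=\s*([5-9]|[0-9]{2,})/'` rejects it, so the largest value the check is meant to allow can never pass. Change the negative line to `- '!/^deny\s*=\s*([6-9]|[0-9]{2,})/'`. In the command stanza `exit-status: 1` is right for "grep found nothing", but if /usr/share/pam-configs/ is missing or unreadable grep returns 2 and the check errors rather than fails; a short comment stating that this is the intended outcome would help.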
@@ -0,0 +1,43 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_3_3_1_2 }} +file: + faillock_unlock_time: + title: 5.3.3.1.2 | Ensure password unlock time is configured + path: /etc/security/faillock.conf + exists: true + contents: + - '/^unlock_time\s*=\s*([1-9]|[1-9][0-9]|[1-8][0-9]{1,2}|900)$/' + - '!/^unlock_time\s*=\s*(90[1-9]|9[1-9][0-9]|[1-9][0-9][0-9]{2,})/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.1.2 + CISv8: + - 6.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA +command: + faillock_unlock_time_removed: + title: 5.3.3.1.2 | Ensure password unlock time is configured + exec: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?unlock_time\b' /usr/share/pam-configs/* + exit-status: 1 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.1.2 + CISv8: + - 6.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.3.1/cis_5.3.3.1.3.yml b/section_5/cis_5.3.3.1/cis_5.3.3.1.3.yml new file mode 100644 index 0000000..14d3d2c --- /dev/null +++ b/section_5/cis_5.3.3.1/cis_5.3.3.1.3.yml 
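Review bot: The unlock_time patterns in cis_5.3.3.1.2.yml accept 1–900 and reject everything above 900 (`'!/^unlock_time\s*=\s*(90[1-9]|9[1-9][0-9]|[1-9][0-9][0-9]{2,})/'`); my recollection of the benchmark is that unlock_time must be 0 or at least 900, which is the opposite direction and also excludes the 0 value here — please confirm against the benchmark text before this ships. If that reading is right, the positive line becomes `- '/^unlock_time\s*=\s*(0|9[0-9]{2}|[1-9][0-9]{3,})$/'` and the negative one should reject 1–899 instead.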
@@ -0,0 +1,42 @@
+---
+
+{{ if .Vars.ubtu24cis_level_2 }}
+ {{ if .Vars.ubtu24cis_rule_5_3_3_1_3 }}
+file:
+ faillock_even_root:
+ title: 5.3.3.1.3 | Ensure password unlock time is configured
+ path: /etc/security/faillock.conf
+ exists: true
+ contents:
+ - '/^(even_deny_root|root_unlock_time\s*=\s*([6-9][0-9]|[1-3][0-9]{2,2}))/'
+ meta:
+ server: 2
+ workstation: 2
+ CIS_ID:
+ - 5.3.3.1.3
+ CISv8:
+ - 6.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: NA
+command:
+ faillock_even_root_removed:
+ title: 5.3.3.1.3 | Ensure password unlock time is configured
+ exec: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?(even_deny_root|root_unlock_time)' /usr/share/pam-configs/*
+ exit-status: 1
+ stdout:
+ - '!/.*/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.3.3.1.3
+ CISv8:
+ - 6.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: NA
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.3.3.2/cis_5.3.3.2.1.yml b/section_5/cis_5.3.3.2/cis_5.3.3.2.1.yml
new file mode 100644
index 0000000..16d23fa
--- /dev/null
+++ b/section_5/cis_5.3.3.2/cis_5.3.3.2.1.yml
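Review bot: Both titles in cis_5.3.3.1.3.yml are copied from 5.3.3.1.2 (`Ensure password unlock time is configured`) although the patterns check `even_deny_root`/`root_unlock_time`, i.e. whether the root account is included in the lockout; rename them so reports say what was tested. The positive pattern `root_unlock_time\s*=\s*([6-9][0-9]|[1-3][0-9]{2,2})` only accepts 60–399, so a stricter `root_unlock_time = 900` fails the check; `([6-9][0-9]|[1-9][0-9]{2,})` accepts 60 and above. The `meta.server`/`meta.workstation` values also disagree between the file test (2) and the command test (1) although both sit under the `ubtu24cis_level_2` gate.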
@@ -0,0 +1,45 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_3_3_2_1 }}
+command:
+ password_character_changed:
+ title: 5.3.3.2.1 | Ensure password number of changed characters is configured
+ exec: grep -Psi -- '^\h*difok\h*=\h*([2-9]|[1-9][0-9]+)\b' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '/.*\:difok\s*=\s*[2-9]/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.3.3.2.1
+ CISv8:
+ - 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: IA-5
+file:
+ passwd_change_not_pamd:
+ title: 5.3.3.2.1 | Ensure password number of changed characters is configured
+ path: /etc/pam.d/common-password
+ exists: true
+ contents:
+ - '!/^\s+password\s+(requisite|required|sufficient)\s+pam_pwquality\.so\s+([^#\n\r]+\s+)?difok\s*=\s*([0-1])\b/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.3.3.2.1
+ CISv8:
+ - 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.3.3.2/cis_5.3.3.2.2.yml b/section_5/cis_5.3.3.2/cis_5.3.3.2.2.yml
new file mode 100644
index 0000000..ef60f3d
--- /dev/null
+++ b/section_5/cis_5.3.3.2/cis_5.3.3.2.2.yml
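Review bot: The negative pattern on `passwd_change_not_pamd` starts with `^\s+password`, which requires at least one leading whitespace character; PAM lines in `/etc/pam.d/common-password` start at column 0, so a `difok=1` set directly on the PAM line is never flagged. Use `^\s*password` as the sibling files in this series do (`^\h*password` in 5.3.3.2.2–5.3.3.2.7). The `stdout` pattern `difok\s*=\s*[2-9]` also disagrees with the exec regex, which accepts two-digit values: `difok = 10` is printed by grep and then fails the stdout match; `difok\s*=\s*([2-9]|[1-9][0-9]+)` keeps the two in step.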
@@ -0,0 +1,48 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_3_3_2_2 }}
+command:
+ password_minlen:
+ title: 5.3.3.2.2 | Ensure minimum password length is configured
+ exec: grep -Psi -- '^\h*minlen\h*=\h*(1[4-9]|[2-9][0-9]|[1-9][0-9]{2,})\b' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '/.*\:minlen\s*=\s*(1[4-9]|[2-4][0-9])/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.3.3.2.2
+ CISv8:
+ - 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: IA-5
+ password_minlen_not_pamd:
+ title: 5.3.3.2.2 | Ensure minimum password length is configured
+ exec: grep -Psi -- '^\h*password\h+(requisite|required|sufficient)\h+pam_pwquality\.so\h+([^#\n\r]+\h+)?minlen\h*=\h*([0-9]|1[0-3])\b' /etc/pam.d/system-auth /etc/pam.d/common-password
+ exit-status:
+ or:
+ - 0
+ - 1
+ - 2
+ stdout:
+ - '!/.*/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.3.3.2.2
+ CISv8:
+ - 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.3.3.2/cis_5.3.3.2.3.yml b/section_5/cis_5.3.3.2/cis_5.3.3.2.3.yml
new file mode 100644
index 0000000..a81ec81
--- /dev/null
+++ b/section_5/cis_5.3.3.2/cis_5.3.3.2.3.yml
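Review bot: The stdout pattern `minlen\s*=\s*(1[4-9]|[2-4][0-9])` caps the accepted value at 49 although the exec regex accepts anything from 14 upward, so `minlen = 64` is printed by grep and then fails the stdout match; `(1[4-9]|[2-9][0-9]|[1-9][0-9]{2,})` keeps both in step. `/etc/pam.d/system-auth` in `password_minlen_not_pamd` is a RHEL-family path that does not exist on Ubuntu, which is presumably why exit code 2 is whitelisted; dropping that path and the `- 2` entry keeps the check honest, because an unexpected grep error would then surface instead of being accepted.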
@@ -0,0 +1,51 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_3_3_2_3 }}
+command:
+ password_complex:
+ title: 5.3.3.2.3 | Ensure password complexity is configured
+ exec: grep -Psi -- '^\h*(minclass|[dulo]credit)\b' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '/.*\:minclass\s*=\s*([1-9]|[1-9][0-9])/'
+ - '/.*\:ucredit\s*=\s*(0|-\d)/'
+ - '/.*\:lcredit\s*=\s*(0|-\d)/'
+ - '/.*\:dcredit\s*=\s*(0|-\d)/'
+ - '/.*\:ocredit\s*=\s*(0|-\d)/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.3.3.2.3
+ CISv8:
+ - 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: IA-5
+ password_complex_not_pamd:
+ title: 5.3.3.2.3 | Ensure password complexity is configured
+ exec: grep -Psi -- '^\h*password\h+(requisite|required|sufficient)\h+pam_pwquality\.so\h+([^#\n\r]+\h+)?(minclass=\d*|[dulo]credit=-?\d*)\b' /etc/pam.d/common-password
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '!/.*/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.3.3.2.3
+ CISv8:
+ - 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.3.3.2/cis_5.3.3.2.4.yml b/section_5/cis_5.3.3.2/cis_5.3.3.2.4.yml
new file mode 100644
index 0000000..afe3a08
--- /dev/null
+++ b/section_5/cis_5.3.3.2/cis_5.3.3.2.4.yml
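Review bot: Every `stdout` pattern has to match, so `password_complex` only passes when `minclass` and all four `[dulo]credit` keys are set at once; a host configured with `minclass = 4` alone, or with only the four credit values, fails although either form is a valid way to satisfy the rule. If the OR cannot be expressed in `stdout`, move it into the exec (one grep for `minclass` OR a grep that counts the four credit lines) and assert on a single combined output, or split the two forms into separate tests gated by a variable. The credit patterns `(0|-\d)` also accept `0`, which does not enforce that character class at all.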
@@ -0,0 +1,48 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_3_3_2_4 }}
+command:
+ password_consecutive_characters:
+ title: 5.3.3.2.4 | Ensure password same consecutive characters is configured
+ exec: grep -Psi -- '^\h*maxrepeat\h*=\h*[1-3]\b' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '/.*\:maxrepeat\s*=\s*[1-3]/'
+ - '!/.*\:maxrepeat\s*=\s*0/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.3.3.2.4
+ CISv8:
+ - 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: IA-5
+ consecutive_characters_not_pamd:
+ title: 5.3.3.2.4 | Ensure password same consecutive characters is configured
+ exec: grep -Psi -- '^\h*password\h+(requisite|required|sufficient)\h+pam_pwquality\.so\h+([^#\n\r]+\h+)?maxrepeat\h*=\h*(0|[4-9]|[1-9][0-9]+)\b' /etc/pam.d/common-password
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '!/.*/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.3.3.2.4
+ CISv8:
+ - 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.3.3.2/cis_5.3.3.2.5.yml b/section_5/cis_5.3.3.2/cis_5.3.3.2.5.yml
new file mode 100644
index 0000000..6743598
--- /dev/null
+++ b/section_5/cis_5.3.3.2/cis_5.3.3.2.5.yml
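Review bot: The negative pattern `'!/.*\:maxrepeat\s*=\s*0/'` can never match, because the exec regex `maxrepeat\h*=\h*[1-3]\b` only prints lines whose value is 1–3; a `maxrepeat = 0` (disabled) line is simply not printed and the test then fails only through the positive pattern. The same dead pattern appears for `maxsequence` in cis_5.3.3.2.5.yml. Either widen the exec to `'^\h*maxrepeat\h*='` so the negative pattern does real work, or drop it so the file does not advertise a check that is not being performed.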
@@ -0,0 +1,48 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_3_3_2_5 }}
+command:
+ password_maxseq:
+ title: 5.3.3.2.5 | Ensure password maximum sequential characters is configured
+ exec: grep -Psi -- '^\h*maxsequence\h*=\h*[1-3]\b' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '/.*\:maxsequence\s*=\s*[1-3]/'
+ - '!/.*\:maxsequence\s*=\s*0/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.3.3.2.5
+ CISv8:
+ - 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: IA-5
+ maxseq_not_pamd:
+ title: 5.3.3.2.5 | Ensure password maximum sequential characters is configured
+ exec: grep -Psi -- '^\h*password\h+(requisite|required|sufficient)\h+pam_pwquality\.so\h+([^#\n\r]+\h+)?maxsequence\h*=\h*(0|[4-9]|[1-9][0-9]+)\b' /etc/pam.d/common-password
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '!/.*/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.3.3.2.5
+ CISv8:
+ - 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.3.3.2/cis_5.3.3.2.6.yml b/section_5/cis_5.3.3.2/cis_5.3.3.2.6.yml
new file mode 100644
index 0000000..676bb7b
--- /dev/null
+++ b/section_5/cis_5.3.3.2/cis_5.3.3.2.6.yml
@@ -0,0 +1,48 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_3_3_2_6 }}
+command:
+ password_dictchk:
+ title: 5.3.3.2.6 | Ensure password maximum sequential characters is configured
+ exec: grep -Psi -- '^\h*dictcheck\s*=' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '/.*\:dictcheck\s*=\s*1/'
+ - '!/.*\:dictcheck\s*=\s*0/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.3.3.2.6
+ CISv8:
+ - 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: IA-5
+ dictchk_not_pamd:
+ title: 5.3.3.2.6 | Ensure password maximum sequential characters is configured
+ exec: grep -Psi -- '^\h*password\h+(requisite|required|sufficient)\h+pam_pwquality\.so\h+([^#\n\r]+\h+)?dictcheck\h*=\h*0\b' /etc/pam.d/common-password
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '!/.*/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.3.3.2.6
+ CISv8:
+ - 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.3.3.2/cis_5.3.3.2.7.yml b/section_5/cis_5.3.3.2/cis_5.3.3.2.7.yml
new file mode 100644
index 0000000..71fb965
--- /dev/null
+++ b/section_5/cis_5.3.3.2/cis_5.3.3.2.7.yml
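Review bot: Both titles in cis_5.3.3.2.6.yml read `Ensure password maximum sequential characters is configured`, copied from 5.3.3.2.5, while the tests check `dictcheck`; a report reader would not see that the dictionary check is what failed. Rename both to `5.3.3.2.6 | Ensure password dictionary check is enabled`. The exec regex `'^\h*dictcheck\s*='` mixes `\h` and `\s`, which is harmless but differs from the `\h*` used consistently in the neighbouring files.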
@@ -0,0 +1,48 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_3_3_2_7 }}
+command:
+ password_quality_enforce:
+ title: 5.3.3.2.7 | Ensure password quality checking is enforced
+ exec: grep -Psi -- '^\h*enforcing\s*=\s*' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '/.*\:enforcing\s*=\s*1/'
+ - '!/.*\:enforcing\s*=\s*0/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.3.3.2.7
+ CISv8:
+ - 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: IA-5
+ quality_enforce_not_pamd:
+ title: 5.3.3.2.7 | Ensure password quality checking is enforced
+ exec: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwquality\.so\h+([^#\n\r]+\h+)?enforcing=0\b' /etc/pam.d/common-password
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '!/.*/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.3.3.2.7
+ CISv8:
+ - 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.3.3.2/cis_5.3.3.2.8.yml b/section_5/cis_5.3.3.2/cis_5.3.3.2.8.yml
new file mode 100644
index 0000000..884f297
--- /dev/null
+++ b/section_5/cis_5.3.3.2/cis_5.3.3.2.8.yml
@@ -0,0 +1,28 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_3_3_2_8 }}
+command:
+ password_quality_enforce_root:
+ title: 5.3.3.2.8 | Ensure password quality checking is enforced
+ exec: grep -Psi -- '^\s*enforce_for_root\b' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '/.*\:enforce_for_root/'
+ - '!/.*\:#\s*enforce_for_root\s*=\s*0/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.3.3.2.7
+ CISv8:
+ - 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.3.3.3/cis_5.3.3.3.1.yml b/section_5/cis_5.3.3.3/cis_5.3.3.3.1.yml
new file mode 100644
index 0000000..c72e507
--- /dev/null
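Review bot: `password_quality_enforce_root` in cis_5.3.3.2.8.yml carries `CIS_ID: 5.3.3.2.7` and the 5.3.3.2.7 title although the file, the gating variable and the regex are for 5.3.3.2.8 (`enforce_for_root`); anything keyed on CIS_ID will attribute this result to the wrong rule. Change the id to `5.3.3.2.8` and the title to something like `5.3.3.2.8 | Ensure password quality is enforced for the root user`. The negative pattern `'!/.*\:#\s*enforce_for_root\s*=\s*0/'` is dead: the exec regex is anchored `^\s*enforce_for_root`, so a commented-out line is never printed, and `enforce_for_root` is a bare keyword in pwquality.conf rather than a `key = value` setting.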
+++ b/section_5/cis_5.3.3.3/cis_5.3.3.3.1.yml
@@ -0,0 +1,41 @@
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_3_3_3_1 }}
+file:
+ pwhistory_remember_common_passwd:
+ title: 5.3.3.3.1 | Ensure password history remember is configured | common-password
+ path: /etc/pam.d/common-password
+ exists: true
+ contents:
+ - '/^\s*password\s*(requisite|required)\s*pam_pwhistory.so.*remember\s*=\s*(2[4-9]|[3-9][0-9])/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.3.3.3.1
+ CISv8: 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: IA-5
+command:
+ pwhistory_remember_pam_configs:
+ title: 5.3.3.3.1 | Ensure password history remember is configured | pam_configs
+ exec: for file in `awk '/Password-Type:/{ f = 1;next } /-Type:/{ f = 0 } f {if (/pam_pwhistory\.so/) print FILENAME}' /usr/share/pam-configs/*`; do grep pam_pwhistory $file | grep -v remember; done
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '!/.*/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.3.3.3.1
+ CISv8: 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.3.3.3/cis_5.3.3.3.2.yml b/section_5/cis_5.3.3.3/cis_5.3.3.3.2.yml
new file mode 100644
index 0000000..9b772e4
--- /dev/null
+++ b/section_5/cis_5.3.3.3/cis_5.3.3.3.2.yml
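Review bot: The file pattern `remember\s*=\s*(2[4-9]|[3-9][0-9])` only accepts 24–99, so `remember = 100` fails although it exceeds the minimum; `(2[4-9]|[3-9][0-9]|[1-9][0-9]{2,})` accepts 24 and above. The `\s*` separators between `password`, `(requisite|required)` and `pam_pwhistory.so` allow zero whitespace and the `.` is unescaped; `\s+` and `pam_pwhistory\.so` describe the actual PAM syntax and match what 5.3.2.4 already does with `\s+`. In the exec, `$file` is unquoted and the loop uses backticks; `"$file"` and `$(...)` are the safer spellings, and the same exec shape recurs in cis_5.3.3.3.2.yml and cis_5.3.3.3.3.yml. `CISv8: 5.2` is a scalar here while the 5.3.3.1.x and 5.3.3.2.x files give it as a list, so consumers of `meta` will see two shapes for the same key.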
@@ -0,0 +1,41 @@
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_3_3_3_2 }}
+file:
+ pwhistory_enforce_for_root:
+ title: 5.3.3.3.2 | Ensure password history is enforced for the root user | common-password
+ path: /etc/pam.d/common-password
+ exists: true
+ contents:
+ - '/^\s*password\s*(requisite|required)\s*pam_pwhistory.so.*enforce_for_root/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.3.3.3.2
+ CISv8: 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: IA-5
+command:
+ pwhistory_enforce_for_root_pam_configs:
+ title: 5.3.3.3.2 | Ensure password history is enforced for the root user | pam_configs
+ exec: for file in `awk '/Password-Type:/{ f = 1;next } /-Type:/{ f = 0 } f {if (/pam_pwhistory\.so/) print FILENAME}' /usr/share/pam-configs/*`; do grep pam_pwhistory $file | grep -v enforce_for_root; done
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '!/.*/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.3.3.3.2
+ CISv8: 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.3.3.3/cis_5.3.3.3.3.yml b/section_5/cis_5.3.3.3/cis_5.3.3.3.3.yml
new file mode 100644
index 0000000..a811970
--- /dev/null
+++ b/section_5/cis_5.3.3.3/cis_5.3.3.3.3.yml
@@ -0,0 +1,41 @@
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_3_3_3_2 }}
+file:
+ pwhistory_use_authtok:
+ title: 5.3.3.3.2 | Ensure pam_pwhistory includes use_authtok | common-password
+ path: /etc/pam.d/common-password
+ exists: true
+ contents:
+ - '/^\s*password\s*(requisite|required)\s*pam_pwhistory.so.*use_authtok/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.3.3.3.2
+ CISv8: 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: IA-5
+command:
+ pwhistory_use_authtok_pam_configs:
+ title: 5.3.3.3.2 | Ensure pam_pwhistory includes use_authtok | pam_configs
+ exec: for file in `awk '/Password-Type:/{ f = 1;next } /-Type:/{ f = 0 } f {if (/pam_pwhistory\.so/) print FILENAME}' /usr/share/pam-configs/*`; do grep pam_pwhistory $file | grep -v use_authtok; done
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '!/.*/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.3.3.3.2
+ CISv8: 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.3.3.4/cis_5.3.3.4.1.yml b/section_5/cis_5.3.3.4/cis_5.3.3.4.1.yml
new file mode 100644
index 0000000..765a2f2
--- /dev/null
+++ b/section_5/cis_5.3.3.4/cis_5.3.3.4.1.yml
@@ -0,0 +1,24 @@
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_3_3_4_1 }}
+command:
+ pam_unix_nullok_pam_configs:
+ title: 5.3.3.4.1 | Ensure pam_unix does not include nullok
+ exec: grep -PH -- '^\h*^\h*[^#\n\r]+\h+pam_unix\.so\b' /etc/pam.d/common-{password,auth,account,session,session-noninteractive} /usr/share/pam-configs/* | grep -P -- '\bnullok\b'
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '!/.*/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.3.3.4.1
+ CISv8: 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.3.3.4/cis_5.3.3.4.2.yml b/section_5/cis_5.3.3.4/cis_5.3.3.4.2.yml
new file mode 100644
index 0000000..1d88bc0
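Review bot: cis_5.3.3.3.3.yml is gated by `ubtu24cis_rule_5_3_3_3_2` and its titles and CIS_ID all say 5.3.3.3.2, although the path is 5.3.3.3.3 and the test checks `use_authtok`; as written the rule cannot be switched independently of 5.3.3.3.2 and its result is reported under that rule's id. Change the gate to `{{ if .Vars.ubtu24cis_rule_5_3_3_3_3 }}`, both titles to `5.3.3.3.3 | Ensure pam_pwhistory includes use_authtok | ...`, and both `CIS_ID` entries to `5.3.3.3.3`.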
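Review bot: The exec in cis_5.3.3.4.1.yml relies on brace expansion (`/etc/pam.d/common-{password,auth,account,session,session-noninteractive}`); if goss hands `exec` to `/bin/sh` — dash on Ubuntu, which does not expand braces — grep receives that literal path, reports it on stderr, and only `/usr/share/pam-configs/*` is actually searched. Because the pipeline's exit status is the second grep's, that failure is invisible and the test passes with an empty stdout. Spell the five files out or use `/etc/pam.d/common-*`; cis_5.3.3.4.2.yml has the same construct. The regex also doubles its anchor (`^\h*^\h*`), which is harmless but reads as a paste error.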
--- /dev/null
+++ b/section_5/cis_5.3.3.4/cis_5.3.3.4.2.yml
@@ -0,0 +1,24 @@
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_3_3_4_2 }}
+command:
+ pam_unix_remember_pam_configs:
+ title: 5.3.3.4.2 | Ensure pam_unix does not include remember
+ exec: grep -PH -- '^\h*^\h*[^#\n\r]+\h+pam_unix\.so\b' /etc/pam.d/common-{password,auth,account,session,session-noninteractive} /usr/share/pam-configs/* | grep -P -- '\bremember\b'
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '!/.*/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.3.3.4.2
+ CISv8: 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: NA
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.3.3.4/cis_5.3.3.4.3.yml b/section_5/cis_5.3.3.4/cis_5.3.3.4.3.yml
new file mode 100644
index 0000000..94b362a
--- /dev/null
+++ b/section_5/cis_5.3.3.4/cis_5.3.3.4.3.yml
@@ -0,0 +1,24 @@
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_3_3_4_3 }}
+command:
+ pam_unix_strong_password_pam_configs:
+ title: 5.3.3.4.3 | Ensure pam_unix includes a strong password hashing algorithm
+ exec: grep -PH -- '^\h*password\h+([^#\n\r]+)\h+pam_unix\.so\h+([^#\n\r]+\h+)?(sha512|yescrypt)\b' /etc/pam.d/common-password /usr/share/pam-configs/*
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '/.*:password\s+([^#\n\r]+)\s+pam_unix\.so.*(yescrypt|sha512)/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.3.3.4.3
+ CISv8: 3.11
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: NA
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.3.3.4/cis_5.3.3.4.4.yml b/section_5/cis_5.3.3.4/cis_5.3.3.4.4.yml
new file mode 100644
index 0000000..5e6f318
--- /dev/null
+++ b/section_5/cis_5.3.3.4/cis_5.3.3.4.4.yml
@@ -0,0 +1,24 @@
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_3_3_4_4 }}
+command:
+ pam_unix_use_authtok_pam_configs:
+ title: 5.3.3.4.4 | Ensure pam_unix includes a use_authtok
+ exec: grep -PH -- '^\s*password\s+([^#\n\r]+)\s+pam_unix\.so\s+([^#\n\r]+\s+)?use_authtok\b' /etc/pam.d/common-password
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '/.*:password\s+([^#\n\r]+)\s+pam_unix\.so.*use_authtok/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.3.3.4.4
+ CISv8: 3.11
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.4.1/cis_5.4.1.1.yml b/section_5/cis_5.4.1/cis_5.4.1.1.yml
new file mode 100644
index 0000000..d8180fd
--- /dev/null
+++ b/section_5/cis_5.4.1/cis_5.4.1.1.yml
@@ -0,0 +1,56 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_4_1_1 }}
+file:
+ login_defs_PASS_MAX_DAYS:
+ title: 5.4.1.1 | Ensure password expiration is configured | logins.def
+ path: /etc/login.defs
+ exists: true
+ contents:
+ - '/^PASS_MAX_DAYS\s*{{ .Vars.ubtu24cis_pass.max_days }}/'
+ - '!/^PASS_MAX_DAYS\s*(36[6-9]|[4-9][0-9][0-9]|[1-9][0-9]{3,})/'
+ - '!/^PASS_MAX_DAYS\s*-1/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.4.1.1
+ CISv8: 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+command:
+ users_max_pw_expire:
+ title: 5.4.1.1 | Ensure password expiration is 365 days or less | user_check
+ exec: "awk -F: '(/^[^:]+:[^!*]/) {print $5}' /etc/shadow"
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '/^(36[0-5]|3[0-5][0-9]|[1-2][0-9][0-9]|[0-9][0-9]|[1-9])$/'
+ - '!/^(36[6-9]|3[7-9][0-9]|[4-9][0-9]{2,})$/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.4.1.1
+ CISv8: 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+ {{ end }}
+{{ end }}
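Review bot: The negative pattern on `login_defs_PASS_MAX_DAYS`, `(36[6-9]|[4-9][0-9][0-9]|[1-9][0-9]{3,})`, has a gap at 370–399, and the user-level negative `(36[6-9]|3[7-9][0-9]|[4-9][0-9]{2,})` has a gap at 1000–3999, so those values pass the respective test. `(36[6-9]|3[7-9][0-9]|[4-9][0-9]{2}|[1-9][0-9]{3,})` covers everything above 365 and can be used in both places. The positive pattern `'/^PASS_MAX_DAYS\s*{{ .Vars.ubtu24cis_pass.max_days }}/'` is unanchored on the right, so with `max_days` set to 36 it would also accept 365; appending `\b` (or `$`) closes that.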
diff --git a/section_5/cis_5.4.1/cis_5.4.1.2.yml b/section_5/cis_5.4.1/cis_5.4.1.2.yml
new file mode 100644
index 0000000..f2c5760
--- /dev/null
+++ b/section_5/cis_5.4.1/cis_5.4.1.2.yml
@@ -0,0 +1,46 @@
+---
+
+{{ if .Vars.ubtu24cis_level_2 }}
+ {{ if .Vars.ubtu24cis_rule_5_4_1_2 }}
+file:
+ login_defs_PASS_MIN_DAYS:
+ title: 5.4.1.2 | Ensure minimum password age is configured
+ path: /etc/login.defs
+ exists: true
+ contents:
+ - '/^PASS_MIN_DAYS\s{{ .Vars.ubtu24cis_pass.min_days }}/'
+ - '/^PASS_MIN_DAYS\s([1-9]|[1-9][0-9]{2,})/'
+ - '!/^PASS_MIN_DAYS\s*(-[1-9]|0)/'
+ meta:
+ server: 2
+ workstation: 2
+ CIS_ID:
+ - 5.4.1.2
+ CISv8: 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: NA
+command:
+ users_min_pw_expire:
+ title: 5.4.1.1 | Ensure minimum password age is configured | user_check
+ exec: "awk -F: '(/^[^:]+:[^!*]/) {print $4}' /etc/shadow"
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '/^([1-9]|[1-9][0-9]{2,})$/'
+ - '!/^0/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.4.1.1
+ CISv8: 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.4.1/cis_5.4.1.3.yml b/section_5/cis_5.4.1/cis_5.4.1.3.yml
new file mode 100644
index 0000000..9030d8f
--- /dev/null
+++ b/section_5/cis_5.4.1/cis_5.4.1.3.yml
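Review bot: `users_min_pw_expire` has title `5.4.1.1 | ...` and `CIS_ID: 5.4.1.1`, copied from the previous file, so its result is reported against the password-expiration rule instead of 5.4.1.2; it also says `server: 1`/`workstation: 1` under a `ubtu24cis_level_2` gate while the file test in the same document says 2, and `NIST800-53R5:` is left empty (a YAML null) where the rest of the series writes `NA`. The user-level positive `'/^([1-9]|[1-9][0-9]{2,})$/'` skips two-digit values, so a user with a 10-day minimum age fails; `'/^[1-9][0-9]*$/'` accepts 1 and above and already implies the `'!/^0/'` pattern.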
@@ -0,0 +1,45 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_4_1_3 }}
+file:
+ login_def_PASS_WARN_AGE:
+ title: 5.4.1.3 | Ensure password expiration warning days is configured | logins.def
+ path: /etc/login.defs
+ exists: true
+ contents:
+ - '/^PASS_WARN_AGE\s*{{ .Vars.ubtu24cis_pass.warn_age }}/'
+ - '!/^PASS_WARN_AGE\s*[1-6]/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.4.1.3
+ CISv8: 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: NA
+command:
+ user_expire_warn:
+ title: 5.4.1.3 | Ensure password expiration warning days is configured | user_warning
+ exec: "awk -F: '(/^[^:]+:[^!*]/) {print $6}' /etc/shadow"
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '/^([7-9]|[1-3][0-9])$/'
+ - '!/^([0-6]|-1)$/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.4.1.3
+ CISv8: 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: NA
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.4.1/cis_5.4.1.4.yml b/section_5/cis_5.4.1/cis_5.4.1.4.yml
new file mode 100644
index 0000000..ab17230
--- /dev/null
+++ b/section_5/cis_5.4.1/cis_5.4.1.4.yml
@@ -0,0 +1,24 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_4_1_4 }}
+file:
+ yescrypt_login_defs:
+ title: 5.4.1.4 | Ensure password hashing algorithm is up to date with the latest standards | common password
+ path: /etc/login.defs
+ exists: true
+ contents:
+ - '/^ENCRYPT_METHOD (YESCRYPT|SHA512)/'
+ - '!/^ENCRYPT_METHOD (md5|bigcrypt|sha256|blowfish)/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.4.1.4
+ CISv8: 3.11
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.4.1/cis_5.4.1.5.yml b/section_5/cis_5.4.1/cis_5.4.1.5.yml
new file mode 100644
index 0000000..cbd2bb0
--- /dev/null
+++ b/section_5/cis_5.4.1/cis_5.4.1.5.yml
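Review bot: The negative pattern `'!/^PASS_WARN_AGE\s*[1-6]/'` is unanchored on the right, so `PASS_WARN_AGE 10` through `69` are rejected although they exceed the 7-day minimum, while `PASS_WARN_AGE 0` is not rejected at all; `'!/^PASS_WARN_AGE\s+[0-6]$/'` expresses the intent. The user-level positive `'/^([7-9]|[1-3][0-9])$/'` stops at 39, so a user with a 45-day warning fails; `'/^([7-9]|[1-9][0-9]+)$/'` accepts 7 and above.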
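Review bot: In cis_5.4.1.4.yml the negative pattern `'!/^ENCRYPT_METHOD (md5|bigcrypt|sha256|blowfish)/'` is lowercase while the positive pattern on the line above matches the uppercase spelling `YESCRYPT|SHA512` that `login.defs` conventionally uses, so a weak method written as `ENCRYPT_METHOD MD5` or `SHA256` is never rejected; it only fails the check indirectly if no compliant line exists. Use a case-insensitive match as 5.4.3.3 does: `'!/(?i)^ENCRYPT_METHOD\s+(md5|bigcrypt|sha256|blowfish)/'`. The title's `| common password` suffix belongs to a PAM check, not to `/etc/login.defs`.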
@@ -0,0 +1,40 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_4_1_5 }}
+command:
+ inactive_passwd:
+ title: 5.4.1.5 | Ensure inactive password lock is configured | password
+ exec: useradd -D | grep INACTIVE
+ exit-status: 0
+ stdout:
+ - '/^INACTIVE=([1-9]|[1-3][0-9]|4[0-5])$/'
+ - '!/INACTIVE=(-1|4[6-9]|[5-9][0-9]{1,})/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.4.1.5
+ CISv8: 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: NA
+ inactive_users:
+ title: 5.4.1.5 | Ensure inactive password lock is configured | users
+ exec: "cat /etc/shadow | grep -v '!*' | awk -F':' '{ if ($7 > 45 ){ print $1 } }'"
+ stdout:
+ - '!/.*/'
+ exit-status: 0
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.4.1.5
+ CISv8: 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: NA
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.4.1/cis_5.4.1.6.yml b/section_5/cis_5.4.1/cis_5.4.1.6.yml
new file mode 100644
index 0000000..f5369e5
--- /dev/null
+++ b/section_5/cis_5.4.1/cis_5.4.1.6.yml
@@ -0,0 +1,23 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_4_1_6 }}
+command:
+ passwd_chg_past:
+ title: 5.4.1.6 | Ensure all users last password change date is in the past
+ exec: 'for usr in `cut -d: -f1 /etc/shadow`; do [ "$(date --date="$(chage --list $usr | grep "^Last password change" | cut -d: -f2)" +%s)" -gt "$(date "+%s")" ] && echo "Failed" ; done'
+ exit-status: 1
+ stdout:
+ - '!/Failed/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.4.1.6
+ CISv8: 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: NA
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.4.2/cis_5.4.2.1.yml b/section_5/cis_5.4.2/cis_5.4.2.1.yml
new file mode 100644
index 0000000..88613d2
--- /dev/null
+++ b/section_5/cis_5.4.2/cis_5.4.2.1.yml
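Review bot: `inactive_users` can never report anything: `grep -v '!*'` uses the basic regex `!*`, which matches zero or more `!` and therefore matches every line, so `grep -v` emits nothing, awk sees empty input, and the test passes vacuously (the pipeline's exit status is awk's 0). The intent is to skip locked accounts by their password field, which one awk does: `exec: "awk -F: '($2 !~ /^[!*]/ && $7 > 45) {print $1}' /etc/shadow"`. The `45` is hard-coded here while 5.4.1.1–5.4.1.3 template their thresholds from `.Vars.ubtu24cis_pass`; templating it keeps the two tests in this file from disagreeing with the `useradd -D` threshold.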
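Review bot: `passwd_chg_past` in cis_5.4.1.6.yml asserts `exit-status: 1`, which only holds when the last `[ ... ]` in the loop is false; for an account whose `chage --list` reports `Last password change : never`, `date --date=` gets text it cannot parse, the `[` comparison receives an empty operand and returns 2, and the check errors out on that account rather than on a future date. Comparing the shadow field directly avoids the `chage`/`date` parsing: `exec: "awk -F: -v today=$(( $(date +%s) / 86400 )) '$3 > today {print $1}' /etc/shadow"` with `exit-status: 0` and `stdout: ['!/./']`. The backticks and the unquoted `$usr` in the current loop are the other things a reviewer would change.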
@@ -0,0 +1,27 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_4_2_1 }}
+command:
+ root_only_uid_0:
+ title: 5.4.2.1 | Ensure root is the only UID 0 account
+ exec: "awk -F: '($3 == 0) { print $1 }' /etc/passwd"
+ exit-status: 0
+ stdout: ['root']
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.4.2.1
+ CISv8: NA
+ CISv8_IG1: NA
+ CISv8_IG2: NA
+ CISv8_IG3: NA
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.4.2/cis_5.4.2.2.yml b/section_5/cis_5.4.2/cis_5.4.2.2.yml
new file mode 100644
index 0000000..5d09abd
--- /dev/null
+++ b/section_5/cis_5.4.2/cis_5.4.2.2.yml
@@ -0,0 +1,27 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_4_2_2 }}
+command:
+ root_only_gid_0:
+ title: 5.4.2.2 | Ensure root is the only GID 0 account
+ exec: "awk -F: '($1 !~ /^(sync|shutdown|halt|operator)/ && $4=='0') {print $1\":\"$4}' /etc/passwd"
+ exit-status: 0
+ stdout: ['root:0']
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.4.2.2
+ CISv8: NA
+ CISv8_IG1: NA
+ CISv8_IG2: NA
+ CISv8_IG3: NA
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.4.2/cis_5.4.2.3.yml b/section_5/cis_5.4.2/cis_5.4.2.3.yml
new file mode 100644
index 0000000..449abbd
--- /dev/null
+++ b/section_5/cis_5.4.2/cis_5.4.2.3.yml
@@ -0,0 +1,27 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_4_2_3 }}
+command:
+ group_root_only_0:
+ title: 5.4.2.3 | Ensure group root is the only GID 0 group
+ exec: "awk -F: '$3=='0'{print $1\":\"$3}' /etc/group"
+ exit-status: 0
+ stdout: ['root:0']
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.4.2.3
+ CISv8: NA
+ CISv8_IG1: NA
+ CISv8_IG2: NA
+ CISv8_IG3: NA
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.4.2/cis_5.4.2.4.yml b/section_5/cis_5.4.2/cis_5.4.2.4.yml
new file mode 100644
index 0000000..ba4559c
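Review bot: `stdout: ['root']` is a substring match, so a second UID 0 account produces an extra output line that nothing rejects and `root_only_uid_0` still passes; the same holds for `['root:0']` in cis_5.4.2.2.yml and cis_5.4.2.3.yml. Print only the offenders and assert that nothing comes out: `exec: "awk -F: '($3 == 0 && $1 != \"root\") { print $1 }' /etc/passwd"` with `stdout: ['!/./']`, and the analogous `$4 == 0 && $1 != "root"` / `$3 == 0 && $1 != "root"` filters for the two GID tests. With that shape a compliant host yields an empty stdout and any extra account is reported by name.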
--- /dev/null
+++ b/section_5/cis_5.4.2/cis_5.4.2.4.yml
@@ -0,0 +1,22 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_4_2_4 }}
+command:
+ root_passwd_set:
+ title: 5.4.2.4 | Ensure root password is set
+ exec: "passwd -S root | awk '$2 ~ /^P/ {print \"OK Password\"}'"
+ exit-status: 0
+ stdout: ['OK Password']
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.4.2.4
+ CISv8: 3.3
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: NA
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.4.2/cis_5.4.2.5.yml b/section_5/cis_5.4.2/cis_5.4.2.5.yml
new file mode 100644
index 0000000..fa73ed5
--- /dev/null
+++ b/section_5/cis_5.4.2/cis_5.4.2.5.yml
@@ -0,0 +1,28 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_4_2_5 }}
+command:
+ root_path_check:
+ title: 5.4.2.5 | Ensure root path Integrity
+ exec: "/bin/bash --login -c 'env | grep ^PATH=' | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'"
+ exit-status: 0
+ stdout:
+ - '!/\\./'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.4.2.5
+ CISv8: NA
+ CISv8_IG1: NA
+ CISv8_IG2: NA
+ CISv8_IG3: NA
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.4.2/cis_5.4.2.6.yml b/section_5/cis_5.4.2/cis_5.4.2.6.yml
new file mode 100644
index 0000000..4788e85
--- /dev/null
+++ b/section_5/cis_5.4.2/cis_5.4.2.6.yml
@@ -0,0 +1,31 @@
+---
+
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_4_2_6 }}
+command:
+ root_umask_bash_profile:
+ title: 5.4.2.6 | Ensure root user umask is configured
+ exec: grep -i umask /root/.bash_profile /root/bashrc
+ exit-status:
+ or:
+ - 0
+ - 1
+ - 2
+ stdout:
+ - '/umask 00(2|7)7/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.4.2.6
+ CISv8: 3.3
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - AC-3
+ - MP-2
+ {{ end }}
+{{ end }}
+
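Review bot: The stdout pattern `'!/\\./'` in cis_5.4.2.5.yml is a single-quoted YAML scalar, so the regex goss compiles is `\\.` — a literal backslash followed by any character — and a `.` entry in root's PATH is never rejected. `'!/^\.$/'` rejects a bare-dot entry. The `sed -e 's/::/:/' -e 's/:$//'` normalisation also hides the empty entries (`::` and a trailing `:`) that are equivalent to `.`; dropping those two expressions and adding `'!/^$/'` lets the test catch them as well.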
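Review bot: `grep -i umask /root/.bash_profile /root/bashrc` in cis_5.4.2.6.yml names `/root/bashrc` without the leading dot; root's file is `/root/.bashrc`, so a umask set there is not seen and the whitelisted exit code 2 is what grep returns for the missing path. The stdout pattern `'/umask 00(2|7)7/'` also only matches the four-digit spelling, so `umask 027` fails; `'/(?i)umask\s+0{1,2}[27]7/'` accepts both forms, in the style of 5.4.3.3.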
diff --git a/section_5/cis_5.4.2/cis_5.4.2.7.yml b/section_5/cis_5.4.2/cis_5.4.2.7.yml
new file mode 100644
index 0000000..3ee8644
--- /dev/null
+++ b/section_5/cis_5.4.2/cis_5.4.2.7.yml
@@ -0,0 +1,25 @@
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_4_2_7 }}
+command:
+ secure_system_accts:
+ title: 5.4.2.7 | Ensure system accounts do not have a valid login shell
+ exec: "awk -F: '$3<1000' /etc/passwd | grep -Ev 'root|sync|halt|shutdown|nfsnobody|/sbin/nologin|/bin/false'"
+ exit-status: 1
+ stdout:
+ - '!/./'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.4.2.7
+ CISv8: 3.3
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - AC-2(5)
+ - AC-3
+ - AC-11
+ - MP-2
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.4.3/cis_5.4.3.1.yml b/section_5/cis_5.4.3/cis_5.4.3.1.yml
new file mode 100644
index 0000000..3b7a4f9
--- /dev/null
+++ b/section_5/cis_5.4.3/cis_5.4.3.1.yml
@@ -0,0 +1,28 @@
+---
+
+{{ if .Vars.ubtu24cis_level_2 }}
+ {{ if .Vars.ubtu24cis_rule_5_4_3_1 }}
+file:
+ nologin_not_in_shells:
+ title: 5.4.3.1 | Ensure nologin is not listed in /etc/shells
+ exists: true
+ path: /etc/shells
+ contents:
+ - '!/.*nologin/'
+ meta:
+ server: 2
+ workstation: 2
+ CIS_ID:
+ - 5.4.3.1
+ CISv8: NA
+ CISv8_IG1: NA
+ CISv8_IG2: NA
+ CISv8_IG3: NA
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.4.3/cis_5.4.3.2.yml b/section_5/cis_5.4.3/cis_5.4.3.2.yml
new file mode 100644
index 0000000..8df1f5b
--- /dev/null
+++ b/section_5/cis_5.4.3/cis_5.4.3.2.yml
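Review bot: The exclusion `grep -Ev 'root|sync|halt|shutdown|nfsnobody|/sbin/nologin|/bin/false'` is unanchored and runs against the whole passwd line, so any system account whose name, GECOS or home directory contains one of those words (for example an account named `chroot`) is exempted and its login shell is never examined. Anchoring the names to the first field and the shells to the end of the line limits the exemption to the intended accounts: `grep -Ev '^(root|sync|halt|shutdown|nfsnobody):|/sbin/nologin$|/bin/false$'`. `$3<1000` also hard-codes the system/user UID boundary; reading `UID_MIN` from `/etc/login.defs` avoids that assumption.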
@@ -0,0 +1,25 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_4_3_2 }}
+command:
+ check_timeout:
+ title: 5.4.3.2 | Ensure default user shell timeout is configured
+ exec: 'grep TMOUT /etc/profile.d/*.sh /etc/profile /etc/profile.d/*.sh| cut -d ":" -f2'
+ exit-status: 0
+ stdout:
+ - '/^(readonly |)TMOUT/'
+ - '/TMOUT=([1-8][0-9]{0,2}|900)$/'
+ - '/export TMOUT/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.4.3.2
+ CISv8: 4.3
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: NA
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.4.3/cis_5.4.3.3.yml b/section_5/cis_5.4.3/cis_5.4.3.3.yml
new file mode 100644
index 0000000..ad14a88
--- /dev/null
+++ b/section_5/cis_5.4.3/cis_5.4.3.3.yml
@@ -0,0 +1,26 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_4_3_3 }}
+command:
+ umask_profile_scripts:
+ title: 5.4.3.3 | Ensure default user umask is configured
+ exec: 'grep -i "^\s*umask" /etc/profile /etc/profile.d/*.sh /etc/login.defs | cut -d ":" -f 2'
+ exit-status: 0
+ stdout:
+ - '/(?i)umask\s+0[2-7][7]/'
+ - '!/(?i)umask\s+[7][0-1][0-6]/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.4.3.3
+ CISv8: 3.3
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - AC-3
+ - MP-2
+ {{ end }}
+{{ end }}
diff --git a/section_6/cis_6.1.1.x/cis_6.1.1.1.yml b/section_6/cis_6.1.1.x/cis_6.1.1.1.yml
new file mode 100644
index 0000000..f431fbd
--- /dev/null
+++ b/section_6/cis_6.1.1.x/cis_6.1.1.1.yml
@@ -0,0 +1,24 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_6_2_1_1 }}
+service:
+ systemd-journald:
+ title: 6.2.1.1 | Ensure journald service is enabled and active
+ running: true
+ enabled: true
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 6.2.1.1
+ CISv8: 8.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - AU-2
+ - AU-7
+ - AU-12
+ {{ end }}
+{{ end }}
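Review bot: In cis_5.4.3.3.yml the negative pattern `'!/(?i)umask\s+[7][0-1][0-6]/'` rejects values such as `umask 700`–`716`, which are not what the rule is about, while the common non-compliant values `umask 022` and `umask 002` are not rejected by anything — they only fail to satisfy the positive pattern, and only if no compliant line exists anywhere in the searched files. A pattern that rejects anything more permissive than 027 in the group or other digit does the intended job, e.g. `'!/(?i)umask\s+0?[0-7]([0-1][0-7]|[0-7][0-6])\b/'`. The positive `0[2-7][7]` also misses the four-digit `umask 0027` spelling; `0{1,2}[2-7]7` covers both. The exec in cis_5.4.3.2.yml lists `/etc/profile.d/*.sh` twice, which is harmless but looks like a paste slip.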
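Review bot: cis_6.1.1.1.yml lives under `section_6/cis_6.1.1.x/` but is gated by `ubtu24cis_rule_6_2_1_1`, and its title and `CIS_ID` say `6.2.1.1`, so the toggle a user would expect for this file (`ubtu24cis_rule_6_1_1_1`) has no effect and the result is reported under a different rule number. Align the variable, the title and the CIS_ID with the path — `{{ if .Vars.ubtu24cis_rule_6_1_1_1 }}`, `6.1.1.1 | Ensure journald service is enabled and active`, `- 6.1.1.1` — or move the file, whichever numbering is intended.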
diff --git a/section_6/cis_6.1.1.x/cis_6.1.1.2.yml b/section_6/cis_6.1.1.x/cis_6.1.1.2.yml
new file mode 100644
index 0000000..ba4ebe3
--- /dev/null
+++ b/section_6/cis_6.1.1.x/cis_6.1.1.2.yml
@@ -0,0 +1,30 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_6_1_1_2 }}
+command:
+ /etc/tmpfiles.d/systemd.conf:
+ title: 6.2.1.1.2 | Ensure journald log file access is configured | Manual Check Required
+ exec: echo "Manual - Please check journald default permissions"
+ exit-status: 0
+ stdout:
+ - '!/^Manual/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 6.1.1.2
+ CISv8:
+ - 3.3
+ - 8.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - AC-3
+ - AU-2
+ - AU-12
+ - MP-2
+ - SI-5
+ {{ end }}
+{{ end }}
diff --git a/section_6/cis_6.1.1.x/cis_6.1.1.3.yml b/section_6/cis_6.1.1.x/cis_6.1.1.3.yml
new file mode 100644
index 0000000..7644cab
--- /dev/null
+++ b/section_6/cis_6.1.1.x/cis_6.1.1.3.yml
@@ -0,0 +1,31 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_6_1_1_3 }}
+command:
+ log_rotate_journald_conf:
+ title: 6.1.1.3 | Ensure journald log file rotation is configured
+ exec: grep -Ei "max|keep" /etc/systemd/journald.conf /etc/systemd/journald.conf.d/*.conf
+ exit-status: 0
+ stdout:
+ - '/.*\:SystemMaxUse=/'
+ - '/.*\:SystemKeepFree=/'
+ - '/.*\:RuntimeMaxUse=/'
+ - '/.*\:RuntimeKeepFree=/'
+ - '/.*\:MaxFileSec=/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 6.1.1.3
+ CISv8:
+ - 8.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - AU-2
+ - AU-7
+ - AU-12
+ {{ end }}
+{{ end }}
diff --git a/section_6/cis_6.1.2.x/cis_6.1.2.1.1.yml b/section_6/cis_6.1.2.x/cis_6.1.2.1.1.yml
new file mode 100644
index 0000000..bd0cfa3
--- /dev/null
+++ b/section_6/cis_6.1.2.x/cis_6.1.2.1.1.yml
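Review bot: The test in cis_6.1.1.2.yml is named with a path (`/etc/tmpfiles.d/systemd.conf`) under `command:`, its title says `6.2.1.1.2` while `CIS_ID` says `6.1.1.2`, and the exec unconditionally echoes a line starting with `Manual` that `'!/^Manual/'` rejects, so the test fails on every host. If a permanent failure is the chosen way to surface a manual step, say so in the title (`| Manual check - always reports a failure`) and give the test a descriptive name such as `journald_log_access_manual`; otherwise assert on the actual state, e.g. a `file:` resource with `mode:` on `/var/log/journal`, so the result carries information. The `/.*\:...=/` patterns in cis_6.1.1.3.yml also match commented-out `#SystemMaxUse=` lines, which journald ships by default; anchoring the key after the filename separator (`/:\s*SystemMaxUse=/`) avoids a false pass.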
@@ -0,0 +1,23 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_6_1_2_1_1 }} + {{ if not .Vars.ubtu24cis_is_syslog_server }} +package: + systemd-journal-remote: + title: 6.1.2.1.1 | Ensure systemd-journal-remote is installed + installed: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.2.1.1 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-4 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1.2.x/cis_6.1.2.1.2.yml b/section_6/cis_6.1.2.x/cis_6.1.2.1.2.yml new file mode 100644 index 0000000..2a4e8ea --- /dev/null +++ b/section_6/cis_6.1.2.x/cis_6.1.2.1.2.yml @@ -0,0 +1,30 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_6_1_2_1_2 }} + {{ if not .Vars.ubtu24cis_is_syslog_server }} +file: + journal_remote_configured: + title: 6.1.2.1.2 | Ensure systemd-journal-upload authentication is configured + path: /etc/systemd/journal-upload.conf + exists: true + contents: + - '/^URL=/' + - '/ServerKeyFile=.*.pem' + - '/ServerCertificateFile=.*.pem' + - '/TrustedCertificateFile=.*.pem' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.2.1.2 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-12 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1.2.x/cis_6.1.2.1.3.yml b/section_6/cis_6.1.2.x/cis_6.1.2.1.3.yml new file mode 100644 index 0000000..73b34ec --- /dev/null +++ b/section_6/cis_6.1.2.x/cis_6.1.2.1.3.yml 
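Review bot: Three of the four `contents` entries in cis_6.1.2.1.2.yml open with `/` but never close it (`'/ServerKeyFile=.*.pem'`, `'/ServerCertificateFile=.*.pem'`, `'/TrustedCertificateFile=.*.pem'`), so goss treats them as literal substrings rather than regular expressions and looks for the text `/ServerKeyFile=.*.pem` in the file, which will not be present; the check cannot pass on a correctly configured host. They should be terminated like the first entry, e.g. `- '/^ServerKeyFile=.*\.pem/'`, with the dot escaped so `.pem` is matched literally. A `^` anchor also keeps a commented-out `#ServerKeyFile=` line from satisfying the check.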
@@ -0,0 +1,26 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_6_1_2_1_3 }} + {{ if not .Vars.ubtu24cis_is_syslog_server }} +service: + systemd-journal-upload.service: + title: 6.1.2.1.3 | Ensure systemd-journal-upload is enabled and active + name: systemd-journal-upload.service + running: true + enabled: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.2.1.3 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-12 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1.2.x/cis_6.1.2.1.4.yml b/section_6/cis_6.1.2.x/cis_6.1.2.1.4.yml new file mode 100644 index 0000000..d1a1a5c --- /dev/null +++ b/section_6/cis_6.1.2.x/cis_6.1.2.1.4.yml 
@@ -0,0 +1,90 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_6_1_2_1_4 }} + {{ if not .Vars.ubtu24cis_is_syslog_server }} +service: + systemd-journal-remote.service: + title: 6.1.2.1.4 | Ensure systemd-journal-remote service is not in use | service + running: false + # enabled: false # managed by socket so seen as indirect although not enabled - goss issue + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.2.1.4 + CISv8: + - 4.8 + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-7 + - AU-12 + systemd-journal-remote.socket: + title: 6.1.2.1.4 | Ensure systemd-journal-remote service is not in use | socket + running: false + enabled: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.2.1.4 + CISv8: + - 4.8 + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-7 + - AU-12 +command: + journald_service_masked: + title: 6.1.2.1.4 | Ensure systemd-journal-remote service is not in use | service masked + exec: systemctl is-enabled systemd-journal-remote.socket + exit-status: 1 + stdout: + - '/^masked/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.2.1.4 + CISv8: + - 4.8 + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-7 + - AU-12 + journald_socket_masked: + title: 6.1.2.1.4 | Ensure systemd-journal-remote service is not in use | socket masked + exec: systemctl is-enabled systemd-journal-remote.socket + exit-status: 1 + stdout: + - '/^masked/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.2.1.4 + CISv8: + - 4.8 + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-7 + - AU-12 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1.2.x/cis_6.1.2.2.yml b/section_6/cis_6.1.2.x/cis_6.1.2.2.yml new file mode 100644 index 0000000..7be25c9 --- /dev/null +++ b/section_6/cis_6.1.2.x/cis_6.1.2.2.yml 
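Review bot: In cis_6.1.2.1.4.yml the `journald_service_masked` entry runs `systemctl is-enabled systemd-journal-remote.socket`, identical to `journald_socket_masked` below it, so the service unit's masked state is never inspected and the two commands duplicate one another. The service entry should read `exec: systemctl is-enabled systemd-journal-remote.service`. The YAML comment on the `enabled:` line of the service block explains a goss limitation and is useful; consider the same comment on the command entries so the reason for two separate masked checks is recorded.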
@@ -0,0 +1,33 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_6_1_2_2 }} +command: + forward_journald_disabled: + title: 6.1.2.2 | Ensure journald ForwardToSyslog is disabled + exec: grep -i forwardtosyslog /etc/systemd/journald.conf /etc/systemd/journald.conf.d/*.conf + exit-status: + or: + - 0 + - 1 + stdout: + - '/.*\:ForwardToSyslog\s*=\s*no/' + - '!/.*\:ForwardToSyslog\s*=\s*yes/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.2.2 + CISv8: + - 8.2 + - 8.9 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-6 + - AU-7 + - AU-12 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1.2.x/cis_6.1.2.3.yml b/section_6/cis_6.1.2.x/cis_6.1.2.3.yml new file mode 100644 index 0000000..07cdcd6 --- /dev/null +++ b/section_6/cis_6.1.2.x/cis_6.1.2.3.yml @@ -0,0 +1,30 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_6_1_2_3 }} +command: + compress_journald_conf: + title: 6.1.2.3 | Ensure journald is configured to compress large log files + exec: grep -i Compress= /etc/systemd/journald.conf /etc/systemd/journald.conf.d/*.conf + exit-status: + or: + - 0 + - 1 + stdout: + - '/.*\:Compress\s*=\s*yes/' + - '!/.*\:Compress\s*=\s*[Nn][Oo]/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.2.3 + CISv8: + - 8.2 + - 8.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-4 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1.2.x/cis_6.1.2.4.yml b/section_6/cis_6.1.2.x/cis_6.1.2.4.yml new file mode 100644 index 0000000..cddce14 --- /dev/null +++ b/section_6/cis_6.1.2.x/cis_6.1.2.4.yml 
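Review bot: In cis_6.1.2.2.yml the `exit-status` accepts `1` (grep found nothing) but the `stdout` list requires a positive match on `ForwardToSyslog\s*=\s*no`, so the `1` branch can never lead to a pass and is dead; the same combination appears in cis_6.1.2.3.yml (`Compress\s*=\s*yes`) and cis_6.1.2.4.yml (`Storage=persistent`). Either the positive pattern is the intended contract, in which case `exit-status: 0` states it honestly, or an absent setting is acceptable because the default is already `no`, in which case only the negative `'!/.*\:ForwardToSyslog\s*=\s*yes/'` should remain. A one-line comment recording which reading is intended would help whoever maintains these three files.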
@@ -0,0 +1,28 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_6_1_2_4 }} +command: + storage_journald_conf: + title: 6.1.2.4 | Ensure journald Storage is configured + exec: grep -i Storage= /etc/systemd/journald.conf /etc/systemd/journald.conf.d/*.conf + exit-status: + or: + - 0 + - 1 + stdout: + - '/.*\:Storage=persistent/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.2.4 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - AU-12 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1.3.x/cis_6.1.3.1.yml b/section_6/cis_6.1.3.x/cis_6.1.3.1.yml new file mode 100644 index 0000000..d19403f --- /dev/null +++ b/section_6/cis_6.1.3.x/cis_6.1.3.1.yml @@ -0,0 +1,23 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_6_1_3_1 }} +package: + rsyslog: + title: 6.1.3.1 | Ensure rsyslog is installed + installed: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.3.1 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-3 + - AU-12 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1.3.x/cis_6.1.3.2.yml b/section_6/cis_6.1.3.x/cis_6.1.3.2.yml new file mode 100644 index 0000000..8e1cd76 --- /dev/null +++ b/section_6/cis_6.1.3.x/cis_6.1.3.2.yml @@ -0,0 +1,24 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_6_1_3_2 }} +service: + rsyslog: + title: 6.1.3.2 | Ensure rsyslog service is enabled and active + running: true + enabled: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.3.2 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-3 + - AU-12 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1.3.x/cis_6.1.3.3.yml b/section_6/cis_6.1.3.x/cis_6.1.3.3.yml new file mode 100644 index 0000000..e68e594 --- /dev/null +++ b/section_6/cis_6.1.3.x/cis_6.1.3.3.yml 
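Review bot: The stdout pattern in cis_6.1.2.4.yml, `'/.*\:Storage=persistent/'`, tolerates no whitespace around `=`, whereas the neighbouring journald checks (6.1.2.2, 6.1.2.3) use `\s*=\s*`; a `Storage = persistent` line, which journald accepts, would fail only this check. `- '/.*\:Storage\s*=\s*persistent/'` brings it in line with the others.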
@@ -0,0 +1,30 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_6_1_3_3 }} +command: + forward_journald_conf: + title: 6.1.3.3 | Ensure journald is not configured to send logs to rsyslog + exec: grep -i forward /etc/systemd/journald.conf /etc/systemd/journald.conf.d/ + exit-status: 0 + stdout: + - '!/^\.*:ForwardToSyslog/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.3.3 + CISv8: + - 8.2 + - 8.9 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - AU-2 + - AU-4 + - AU-12 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1.3.x/cis_6.1.3.4.yml b/section_6/cis_6.1.3.x/cis_6.1.3.4.yml new file mode 100644 index 0000000..496bbc7 --- /dev/null +++ b/section_6/cis_6.1.3.x/cis_6.1.3.4.yml @@ -0,0 +1,29 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_6_1_3_4 }} +command: + perms_rsyslog_d: + title: 6.1.3.4 | Ensure rsyslog default file permissions configured + exec: 'grep -s ^\$FileCreateMode /etc/rsyslog.conf /etc/rsyslog.d/*.conf | cut -f2 -d:' + exit-status: 0 + stdout: + - '/\$FileCreateMode 06[0-4]0/' + - '!/\$FileCreateMode 06[6-7][0-7]/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.3.4 + CISv8: + - 3.3 + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - AC-6 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1.3.x/cis_6.1.3.5.yml b/section_6/cis_6.1.3.x/cis_6.1.3.5.yml new file mode 100644 index 0000000..b80f754 --- /dev/null +++ b/section_6/cis_6.1.3.x/cis_6.1.3.5.yml 
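Review bot: The negative pattern in cis_6.1.3.3.yml, `'!/^\.*:ForwardToSyslog/'`, matches only lines that begin with optional literal dots followed by a colon, which grep's `path:line` output never produces, so the negation always holds and a `ForwardToSyslog=yes` setting is not detected. The `exec` also passes `/etc/systemd/journald.conf.d/` as a bare directory without `-r` or a `*.conf` glob, which grep reports as an error. A closer reading of the rule is `exec: grep -i forwardtosyslog /etc/systemd/journald.conf /etc/systemd/journald.conf.d/*.conf` with `- '!/:ForwardToSyslog\s*=\s*yes/'` (and exit status handling as in the other journald checks); note this then overlaps almost entirely with cis_6.1.2.2.yml, so one of the two may be redundant.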
@@ -0,0 +1,37 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_6_1_3_5 }} +file: + /etc/rsyslog.conf: + title: 6.1.3.5 | Ensure logging is configured + exists: true + contents: + - '/^\*.emerg\s+:omusrmsg:\*/' + - '/auth,authpriv.\*\s+/var/log/secure/' + - '/^mail.\*\s+-/var/log/mail/' + - '/^mail.info\s+-/var/log/mail.info/' + - '/^mail.err\s+/var/log/mail.err/' + - '/^cron.\*\s+/var/log/cron/' + - '/^*.=warning;\*.=err\s+-/var/log/warn/' + - '/^*.crit\s+/var/log/warn/' + - '/^*.*;mail.none;news.none\s+/var/log/messages/' + - '/^local0,local1.\*\s+-/var/log/localmessages/' + - '/^local2,local3.\*\s+-/var/log/localmessages/' + - '/^local4,local5.\*\s+-/var/log/localmessages/' + - '/^local6,local7.\*\s+-/var/log/localmessages/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.3.5 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-7 + - AU-12 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1.3.x/cis_6.1.3.6.yml b/section_6/cis_6.1.3.x/cis_6.1.3.6.yml new file mode 100644 index 0000000..417db5b --- /dev/null +++ b/section_6/cis_6.1.3.x/cis_6.1.3.6.yml @@ -0,0 +1,30 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_6_1_3_6 }} + {{ if not .Vars.ubtu24cis_remote_log_server }} +command: + remote_syslog: + title: 6.1.3.6 | Ensure rsyslog is configured to send logs to a remote host + exec: 'grep -E "action.*omfwd.*target" /etc/rsyslog.conf /etc/rsyslog.d/*.conf' + exit-status: + or: + - 0 + - 2 + stdout: + - '*.* action(type="omfwd" target="{{ .Vars.ubtu24cis_remote_log_host }}" port="{{ .Vars.ubtu24cis_remote_log_port }}"' + - protocol="{{ .Vars.ubtu24cis_remote_log_protocol }}" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.3.6 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-6 + {{ end }} + {{ end }} +{{ end }} 
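Review bot: Three `contents` entries in cis_6.1.3.5.yml start the regex with `^*` (`'/^*.=warning;...'`, `'/^*.crit...'`, `'/^*.*;mail.none...'`); Go's RE2 engine, which goss uses, rejects a quantifier with no preceding atom, so these entries produce a compile error rather than a pass or fail. The leading star needs escaping as in the first entry: `- '/^\*.=warning;\*.=err\s+-\/var\/log\/warn/'`, and likewise `^\*.crit` and `^\*.\*;mail.none`. The targets (`/var/log/secure`, `/var/log/messages`, `/var/log/warn`) are not the stock Ubuntu rsyslog layout, so it is worth confirming they match what the remediation actually writes.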
diff --git a/section_6/cis_6.1.3.x/cis_6.1.3.7.yml b/section_6/cis_6.1.3.x/cis_6.1.3.7.yml new file mode 100644 index 0000000..57c5f52 --- /dev/null +++ b/section_6/cis_6.1.3.x/cis_6.1.3.7.yml @@ -0,0 +1,62 @@ + +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_6_1_3_7 }} + {{ if not .Vars.ubtu24cis_remote_log_server }} +command: + local_syslog_module: + title: 6.1.3.7 | Ensure rsyslog is not configured to recieve logs from a remote client | module + exec: grep "imtcp" /etc/rsyslog.conf /etc/rsyslog.d/*.conf | grep -Ev ":#|port=" + exit-status: + or: + - 0 + - 1 + - 2 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.3.7 + CISv8: + - 4.8 + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-7 + - AU-12 + - CM-6 + local_syslog_input: + title: 6.1.3.7 | Ensure rsyslog is not configured to recieve logs from a remote client | server/port + exec: grep -E "imtcp\" port|InputTCPServerRun" /etc/rsyslog.conf /etc/rsyslog.d/*.conf | grep -v ":#" + exit-status: + or: + - 0 + - 1 + - 2 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.3.7 + CISv8: + - 4.8 + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-7 + - AU-12 + - CM-6 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1.3.x/cis_6.1.3.8.yml b/section_6/cis_6.1.3.x/cis_6.1.3.8.yml new file mode 100644 index 0000000..8d89db0 --- /dev/null +++ b/section_6/cis_6.1.3.x/cis_6.1.3.8.yml 
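Review bot: Both titles in cis_6.1.3.7.yml misspell "receive" as "recieve", and this text is what the goss report shows to the operator; `title: 6.1.3.7 | Ensure rsyslog is not configured to receive logs from a remote client | module` (and `| server/port` for the second). This file and cis_6.1.3.8.yml also begin with a blank line before `---`, unlike every other file in the commit; harmless, but inconsistent.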
@@ -0,0 +1,31 @@ + +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_6_1_3_8 }} +command: + rsyslog_logrotate: + title: 6.1.3.8 | Ensure rsyslog logrotate is configured + exec: grep -A9 "rsyslog/*.log" /etc/logrotate.conf /etc/logrotate.d/* + exit-status: + or: + - 0 + - 1 + - 2 + stdout: + - '/.*: rotate/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.3.8 + CISv8: + - 4.8 + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-8 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1.4.x/cis_6.1.4.1.yml b/section_6/cis_6.1.4.x/cis_6.1.4.1.yml new file mode 100644 index 0000000..fb1ed63 --- /dev/null +++ b/section_6/cis_6.1.4.x/cis_6.1.4.1.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_6_1_4_1 }} +command: + logfile_configured: + title: 6.1.4.1 | Ensure access to all logfiles has been configured + exec: | + find /var/log/ -type f \( -name 'lastlog' -o -name 'wtmp' -o -name 'btmp' \) -perm /g+x,o+wx -exec ls -l "{}" + ; find /var/log/ -type f \( -name 'secure' -o -name 'auth*' -o -name 'syslog' -o -name 'messages' \) -perm /u+x,g+wx,o+rwx -exec ls -l "{}" +; find /var/log/ -type f \( -name 'SSSD' -o -name 'sssd' -o -name 'gdm*' \) -perm /ug+x,o+rwx -exec ls -l "{}" + + exit-status: 0 + stdout: ['!/./'] + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.4.1 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.1/cis_6.2.1.1.yml b/section_6/cis_6.2.1/cis_6.2.1.1.yml new file mode 100644 index 0000000..164785c --- /dev/null +++ b/section_6/cis_6.2.1/cis_6.2.1.1.yml 
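Review bot: The stdout pattern in cis_6.1.3.8.yml, `'/.*: rotate/'`, expects a colon before `rotate`, but with `-A9` grep prints context lines using `file-` as the separator and reserves `file:` for the matching line, so `rotate` inside the stanza will appear as `/etc/logrotate.d/rsyslog-<tab>rotate` and never satisfy the pattern. `- '/[-:]\s*rotate/'` accepts either separator and the tab that logrotate files typically use. The search expression `"rsyslog/*.log"` is also a basic regex in which `/*` means zero or more slashes, so it matches more loosely than the literal path it appears to describe; hedging, it may be worth checking the actual Ubuntu `/etc/logrotate.d/rsyslog` contents against it.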
@@ -0,0 +1,45 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_1_1 }} +package: + audit_packages: + title: 6.2.1.1 | Ensure auditd packages are installed | auditd pkg + installed: true + name: auditd + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.1.1 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-3 + - AU-12 + - SI-5 + audispd-plugins: + title: 6.2.1.1 | Ensure auditd is installed | audispd-plugins pkg + name: audispd-plugins + installed: true + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.1.1 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-3 + - AU-12 + - SI-5 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.1/cis_6.2.1.2.yml b/section_6/cis_6.2.1/cis_6.2.1.2.yml new file mode 100644 index 0000000..de73cce --- /dev/null +++ b/section_6/cis_6.2.1/cis_6.2.1.2.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_1_2 }} +service: + auditd: + title: 6.2.1.2 | Ensure auditd service is enabled and active + enabled: true + running: true + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.1.2 + CISv8: + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-12 + - SI-5 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.1/cis_6.2.1.3.yml b/section_6/cis_6.2.1/cis_6.2.1.3.yml new file mode 100644 index 0000000..4004095 --- /dev/null +++ b/section_6/cis_6.2.1/cis_6.2.1.3.yml 
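Review bot: The two package entries in cis_6.2.1.1.yml carry different base titles for the same rule, `Ensure auditd packages are installed | auditd pkg` and `Ensure auditd is installed | audispd-plugins pkg`; the second should read `title: 6.2.1.1 | Ensure auditd packages are installed | audispd-plugins pkg` so the report groups them. The keys `audit_packages` and `audispd-plugins` are also mixed in style (one descriptive, one the package name) where `name:` already carries the package.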
@@ -0,0 +1,49 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_1_3 }} +command: + auditd_grub: + title: 6.2.1.3 | Ensure auditing for processes that start prior to auditd is enabled | bootloader file + exec: grep "^\s*linux" /boot/grub/grub.cfg | grep -Evc "audit=1" + exit-status: 1 + stdout: + - '0' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.1.3 + CISv8: + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-3 + - AU-12 +file: + grub_audit_start: + title: 6.2.1.3 | Ensure auditing for processes that start prior to auditd is enabled | default grub + path: /etc/default/grub + exists: true + contents: + - '/^GRUB_CMDLINE_LINUX=.*audit=1/' + - '!/audit=0/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.1.3 + CISv8: + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-3 + - AU-12 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.1/cis_6.2.1.4.yml b/section_6/cis_6.2.1/cis_6.2.1.4.yml new file mode 100644 index 0000000..6aa9a6e --- /dev/null +++ b/section_6/cis_6.2.1/cis_6.2.1.4.yml 
@@ -0,0 +1,49 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_1_4 }} +command: + auditd_grub_backlog: + title: 6.2.1.4 | Ensure audit_backlog_limit is sufficient | bootloader file + exec: grep "^\s*linux" /boot/grub/grub.cfg | grep -Evc "audit_backlog_limit=" + exit-status: 1 + stdout: + - '0' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.1.4 + CISv8: + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-3 + - AU-12 +file: + grub_audit_backlog: + title: 6.2.1.4 | Ensure audit_backlog_limit is sufficient | default grub + path: /etc/default/grub + exists: true + contents: + - '/GRUB_CMDLINE_LINUX=".*audit_backlog_limit={{ .Vars.ubtu24cis_auditd.auditd_backlog_limit }}/' + - '/audit_backlog_limit=(819[2-9]|8[2-9]{2,}|9[0-9]{3,}|[1-9]{5,})/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.1.4 + CISv8: + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-3 + - AU-12 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.2/cis_6.2.2.1.yml b/section_6/cis_6.2.2/cis_6.2.2.1.yml new file mode 100644 index 0000000..2ce72c9 --- /dev/null +++ b/section_6/cis_6.2.2/cis_6.2.2.1.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_2_1 }} +command: + auditd_max_log_file: + title: 6.2.2.1 | Ensure audit log storage size is configured + exec: grep -E "^max_log_file" /etc/audit/auditd.conf + exit-status: 0 + stdout: + - '/max_log_file = [1-9][0-9]{1,2}/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.2.1 + CISv8: + - 8.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-8 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.2/cis_6.2.2.2.yml b/section_6/cis_6.2.2/cis_6.2.2.2.yml new file mode 100644 index 0000000..98b1a69 --- /dev/null +++ b/section_6/cis_6.2.2/cis_6.2.2.2.yml 
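Review bot: The second `contents` regex in cis_6.2.1.4.yml, `audit_backlog_limit=(819[2-9]|8[2-9]{2,}|9[0-9]{3,}|[1-9]{5,})`, is meant to accept any value of 8192 or more but rejects common settings: `8[2-9]{2,}` and `[1-9]{5,}` forbid any `0` digit, so 8200, 8300, 10000 and 20000 all fail while 16384 passes. A digit-count form does what the comment intends: `- '/audit_backlog_limit=(819[2-9]|8[2-9][0-9]{2}|9[0-9]{3}|[1-9][0-9]{4,})(\s|$)/'`. The first pattern already pins the value to `ubtu24cis_auditd.auditd_backlog_limit`, so if the variable is validated elsewhere the range pattern may be redundant.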
@@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_2_2 }} +command: + auditd_max_log_action: + title: 6.2.2.2 | Ensure audit logs are not automatically deleted + exec: grep -E "^max_log_file_action" /etc/audit/auditd.conf + exit-status: 0 + stdout: + - 'max_log_file_action = {{ .Vars.ubtu24cis_auditd.max_log_file_action }}' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.2.2 + CISv8: + - 8.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-8 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.2/cis_6.2.2.3.yml b/section_6/cis_6.2.2/cis_6.2.2.3.yml new file mode 100644 index 0000000..2d770b4 --- /dev/null +++ b/section_6/cis_6.2.2/cis_6.2.2.3.yml @@ -0,0 +1,29 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_2_3 }} +file: + auditd_space_actions: + title: 6.2.2.3 | Ensure system is disabled when audit logs are full + path: /etc/audit/auditd.conf + exists: true + contents: + - '/disk_full_action\s*=\s*(halt|single)/' + - '/disk_error_action\s*=\s*(syslog|single|halt)/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.2.3 + CISv8: + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-8 + - AU-12 + - SI-5 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.2/cis_6.2.2.4.yml b/section_6/cis_6.2.2/cis_6.2.2.4.yml new file mode 100644 index 0000000..11d4fec --- /dev/null +++ b/section_6/cis_6.2.2/cis_6.2.2.4.yml 
@@ -0,0 +1,31 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_2_4 }} +command: + auditd_space_actions: + title: 6.2.2.4 | Ensure system warns when audit logs are low on space + exec: grep -E "action" /etc/audit/auditd.conf + exit-status: 0 + stdout: + - '/space_left_action\s*=\s*{{ .Vars.ubtu24cis_auditd.space_left_action }}/' + - '/space_left_action\s*=\s*(email|exec|single|halt)/' + - '/^admin_space_left_action\s*=\s*{{ .Vars.ubtu24cis_auditd.admin_space_left_action }}/' + - '/^admin_space_left_action\s*=\s*(single|halt)/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.2.4 + CISv8: + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-8 + - AU-12 + - SI-5 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.1.yml b/section_6/cis_6.2.3/cis_6.2.3.1.yml new file mode 100644 index 0000000..8bd729a --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.1.yml @@ -0,0 +1,45 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_1 }} +command: + auditd_admin_scope_cnf: + title: 6.2.3.1 | Ensure changes to system administration scope (sudoers) is collected | Config + exec: grep scope /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '-w /etc/sudoers -p wa -k scope' + - '-w /etc/sudoers.d -p wa -k scope' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.1 + CISv8: + - 8.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + auditd_admin_scope_live: + title: 6.2.3.1 | Ensure changes to system administration scope (sudoers) is collected | Live + exec: auditctl -l | grep scope + exit-status: 0 + stdout: + - '-w /etc/sudoers -p wa -k scope' + - '-w /etc/sudoers.d -p wa -k scope' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.1 + CISv8: + - 8.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} 
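Review bot: In cis_6.2.2.4.yml the first two stdout patterns are unanchored while the last two use `^`, so `space_left_action\s*=\s*(email|exec|single|halt)` is also satisfied by the `admin_space_left_action = halt` line that the same grep returns; a host with `space_left_action = syslog` would still pass that pattern. Anchor both as the admin ones are: `- '/^space_left_action\s*=\s*{{ .Vars.ubtu24cis_auditd.space_left_action }}/'` and `- '/^space_left_action\s*=\s*(email|exec|single|halt)/'`.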
diff --git a/section_6/cis_6.2.3/cis_6.2.3.10.yml b/section_6/cis_6.2.3/cis_6.2.3.10.yml new file mode 100644 index 0000000..bd53687 --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.10.yml @@ -0,0 +1,45 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_10 }} +command: + auditd_mounts_cnf: + title: 6.2.3.10 | Ensure successful file system mounts are collected | Config + exec: grep mounts /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '/-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=(unset|4294967295|-1) -k mounts/' + - '/-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=(unset|4294967295|-1) -k mounts/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.10 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-6 + auditd_mounts_live: + title: 6.2.3.10 | Ensure successful file system mounts are collected | Live + exec: auditctl -l | grep mounts + exit-status: 0 + stdout: + - '/-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=mounts/' + - '/-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=mounts/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.10 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-6 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.11.yml b/section_6/cis_6.2.3/cis_6.2.3.11.yml new file mode 100644 index 0000000..dc0826b --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.11.yml 
@@ -0,0 +1,47 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_11 }} +command: + auditd_sessions_cnf: + title: 6.2.3.11 | Ensure session initiation information is collected | Config + exec: "grep -E '(session|logins)' /etc/audit/rules.d/*.rules" + exit-status: 0 + stdout: + - '-w /var/run/utmp -p wa -k session' + - '-w /var/log/wtmp -p wa -k session' + - '-w /var/log/btmp -p wa -k session' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.11 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + auditd_session_live: + title: 6.2.3.11 | Ensure session initiation information is collected | Live + exec: "auditctl -l | grep -E '(session|logins)'" + exit-status: 0 + stdout: + - '-w /var/run/utmp -p wa -k session' + - '-w /var/log/wtmp -p wa -k session' + - '-w /var/log/btmp -p wa -k session' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.11 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.12.yml b/section_6/cis_6.2.3/cis_6.2.3.12.yml new file mode 100644 index 0000000..0f80450 --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.12.yml 
@@ -0,0 +1,45 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_12 }} +command: + auditd_logins_cnf: + title: 6.2.3.12 | Ensure login and logout events are collected | Config + exec: grep -R --include="*.rules" logins /etc/audit/rules.d/ + exit-status: 0 + stdout: + - '/.*\:-w /var/run/faillock -p wa -k logins/' + - '/.*\:-w /var/log/lastlog -p wa -k logins/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.12 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + auditd_logins_live: + title: 6.2.3.12 | Ensure login and logout events are collected | Live + exec: auditctl -l | grep logins + exit-status: 0 + stdout: + - '-w /var/run/faillock -p wa -k logins' + - '-w /var/log/lastlog -p wa -k logins' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.12 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.13.yml b/section_6/cis_6.2.3/cis_6.2.3.13.yml new file mode 100644 index 0000000..6ff2c2f --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.13.yml 
@@ -0,0 +1,47 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_13 }} +command: + auditd_delete_cnf: + title: 6.2.3.13 | Ensure file deletion events by users are collected | Conf + exec: grep delete /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '/-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=(unset|4294967295|-1) -k delete/' + - '/-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=(unset|4294967295|-1) -k delete/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.13 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-12 + - SC-7 + auditd_delete_live: + title: 6.2.3.13 | Ensure file deletion events by users are collected | Live + exec: auditctl -l | grep delete + exit-status: 0 + stdout: + - '/-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=delete/' + - '/-a always,exit -F arch=b32 -S unlink,rename,unlinkat,renameat -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=delete/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.13 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-12 + - SC-7 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.14.yml b/section_6/cis_6.2.3/cis_6.2.3.14.yml new file mode 100644 index 0000000..3553544 --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.14.yml 
@@ -0,0 +1,49 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if not .Vars.ubtu24cis_apparmor_disable }} +command: + {{ if .Vars.ubtu24cis_rule_6_2_3_14 }} + auditd_MAC_cnf: + title: 6.2.3.14 | Ensure events that modify the system's Mandatory Access Controls are collected | Config + exec: grep MAC-policy /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '-w /etc/apparmor/ -p wa -k MAC-policy' + - '-w /etc/apparmor.d/ -p wa -k MAC-policy' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.14 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - CM-6 + auditd_MAC_live: + title: 6.2.6 | Ensure events that modify the system's Mandatory Access Controls are collected | Live + exec: auditctl -l | grep MAC-policy + exit-status: 0 + stdout: + - '-w /etc/apparmor -p wa -k MAC-policy' + - '-w /etc/apparmor.d -p wa -k MAC-policy' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.14 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - CM-6 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.15.yml b/section_6/cis_6.2.3/cis_6.2.3.15.yml new file mode 100644 index 0000000..c254bc1 --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.15.yml 
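Review bot: cis_6.2.3.14.yml places `{{ if .Vars.ubtu24cis_rule_6_2_3_14 }}` after the `command:` key instead of around it, so when the rule is disabled the file still renders a `command:` mapping with no entries; every other file in this commit wraps the top-level key, and moving the `{{ if }}` one line up restores that shape. The `auditd_MAC_live` title also reads `6.2.6 | ...`, which does not match its `CIS_ID` of 6.2.3.14; `title: 6.2.3.14 | Ensure events that modify the system's Mandatory Access Controls are collected | Live`. The config patterns use trailing slashes (`/etc/apparmor/`) while the live ones do not, which is presumably deliberate given how `auditctl -l` prints watches, but a short comment would save the next reader the same question.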
@@ -0,0 +1,47 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_15 }} +command: + chcon_module_cnf: + title: 6.2.3.15 | Ensure successful and unsuccessful attempts to use the chcon command are recorded | Config + exec: grep chcon /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '/-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=(unset|4294967295|-1) -k perm_chng/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.15 + CISv8: + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-12 + - SI-5 + chcon_module_live: + title: 6.2.3.15 | Ensure successful and unsuccessful attempts to use the chcon command are recorded | Live + exec: auditctl -l | grep chcon + exit-status: 0 + stdout: + - '/-a always,exit -S all -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=perm_chng/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.15 + CISv8: + - 8.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-12 + - SI-5 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.16.yml b/section_6/cis_6.2.3/cis_6.2.3.16.yml new file mode 100644 index 0000000..8fe4eb6 --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.16.yml 
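Review bot: The `Config` and `Live` entries in cis_6.2.3.15.yml disagree on `CISv8` (`8.2` versus `8.5`) for the same rule, and the pair in cis_6.2.3.16.yml, cis_6.2.3.17.yml and cis_6.2.3.18.yml repeat the split; the metadata for one recommendation should be identical across its sub-checks. The other 6.2.3.x audit rules in this commit use `- 8.5`, so that is the likely correct value for the `Config` entries. The naming `chcon_module_cnf`/`chcon_module_live` borrows the `_module` suffix from the kernel-module rule although chcon is a command, not a module; a name such as `auditd_chcon_cnf` would fit the siblings.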
@@ -0,0 +1,47 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_16 }} +command: + setfacl_module_cnf: + title: 6.2.3.16 | Ensure successful and unsuccessful attempts to use the setfacl command are recorded | Config + exec: grep setfacl /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '/-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=(unset|4294967295|-1) -k perm_chng/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.16 + CISv8: + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-12 + - SI-5 + setfacl_module_live: + title: 6.2.3.16 | Ensure successful and unsuccessful attempts to use the setfacl command are recorded | Live + exec: auditctl -l | grep setfacl + exit-status: 0 + stdout: + - '/-a always,exit -S all -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=perm_chng/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.16 + CISv8: + - 8.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-12 + - SI-5 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.17.yml b/section_6/cis_6.2.3/cis_6.2.3.17.yml new file mode 100644 index 0000000..dbf6cb3 --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.17.yml 
@@ -0,0 +1,47 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_17 }} +command: + chacl_module_cnf: + title: 6.2.3.17 | Ensure successful and unsuccessful attempts to use the chacl command are recorded | Config + exec: grep chacl /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '/-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=(unset|4294967295|-1) -k perm_chng/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.17 + CISv8: + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-12 + - SI-5 + chacl_module_live: + title: 6.2.3.17 | Ensure successful and unsuccessful attempts to use the chacl command are recorded | Live + exec: auditctl -l | grep chacl + exit-status: 0 + stdout: + - '/-a always,exit -S all -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=perm_chng/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.17 + CISv8: + - 8.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-12 + - SI-5 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.18.yml b/section_6/cis_6.2.3/cis_6.2.3.18.yml new file mode 100644 index 0000000..e19d66d --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.18.yml 
@@ -0,0 +1,47 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_18 }} +command: + usermod_module_cnf: + title: 6.2.3.18 | Ensure successful and unsuccessful attempts to use the usermod command are recorded | Config + exec: grep usermod /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '/-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=(unset|4294967295|-1) -k usermod/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.18 + CISv8: + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-12 + - SI-5 + usermod_module_live: + title: 6.2.3.18 | Ensure successful and unsuccessful attempts to use the usermod command are recorded | Live + exec: auditctl -l | grep usermod + exit-status: 0 + stdout: + - '/-a always,exit -S all -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=usermod/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.18 + CISv8: + - 8.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-12 + - SI-5 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.19.yml b/section_6/cis_6.2.3/cis_6.2.3.19.yml new file mode 100644 index 0000000..e90b6e5 --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.19.yml 
@@ -0,0 +1,45 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_19 }} +command: + auditd_module_cnf: + title: 6.2.3.19 | Ensure kernel module loading and unloading is collected | Config + exec: grep kernel_module /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '/-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=1000 -F auid!=(unset|4294967295|-1) -k kernel_modules/' + - '/-a always,exit -F path=\/usr\/bin\/kmod -F perm=x -F auid>=1000 -F auid!=(unset|4294967295|-1) -k kernel_modules/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.19 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - CM-6 + auditd_admin_module_live: + title: 6.2.3.19 | Ensure kernel module loading and unloading is collected | Live + exec: auditctl -l | grep kernel_module + exit-status: 0 + stdout: + - '/-a always,exit -F arch=b64 -S create_module,init_module,delete_module,query_module,finit_module -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=kernel_modules/' + - '/-a always,exit -S all -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=kernel_modules/' + meta: + server: 2 + workstation: 2 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - CM-6 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.2.yml b/section_6/cis_6.2.3/cis_6.2.3.2.yml new file mode 100644 index 0000000..50149dd --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.2.yml 
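Review bot: The `meta` block of `auditd_admin_module_live` has no `CIS_ID`, which every other test in this commit carries and which any report built on the meta fields will key on; add `CIS_ID:` / `- 6.2.3.19` after `workstation: 2`. The test name also breaks the `<name>_cnf` / `<name>_live` pairing used by the sibling files (the config half here is `auditd_module_cnf`), so `auditd_module_live` would be the consistent choice. The config-side regex escapes the slashes in `path=\/usr\/bin\/kmod` while the live regex leaves them bare; both are valid Go regexes, but one form across the pair is easier to maintain.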
@@ -0,0 +1,45 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_2 }} +command: + auditd_sudo_actions: + title: 6.2.3.2 | Ensure actions as another user are always logged | Config + exec: grep user_emulation /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '/.*:-a always,exit -F arch=b64 -C euid!=uid -F auid!=(unset|4294967295|-1) -S execve -k user_emulation/' + - '/.*:-a always,exit -F arch=b32 -C euid!=uid -F auid!=(unset|4294967295|-1) -S execve -k user_emulation/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.2 + CISv8: + - 8.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + auditd_sudo_actions_live: + title: 6.2.3.2 | Ensure actions as another user are always logged | Live + exec: auditctl -l | grep user_emulation + exit-status: 0 + stdout: + - '/-a always,exit -F arch=b64 -S execve -C uid!=euid -F auid!=(unset|4294967295|-1) -F key=user_emulation/' + - '/-a always,exit -F arch=b32 -S execve -C uid!=euid -F auid!=(unset|4294967295|-1) -F key=user_emulation/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.2 + CISv8: + - 8.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.20.yml b/section_6/cis_6.2.3/cis_6.2.3.20.yml new file mode 100644 index 0000000..20ef5f6 --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.20.yml @@ -0,0 +1,29 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_20 }} +command: + auditd_immutable: + title: 6.2.3.20 | Ensure the audit configuration is immutable + exec: 'grep "-e 2" /etc/audit/rules.d/*.rules | cut -d ":" -f2' + exit-status: 0 + stdout: + - '-e 2' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.20 + CISv8: + - 3.3 + - 8.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - AU-3 + - AU-12 + - MP-2 + {{ end }} +{{ end }} 
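Review bot: In `auditd_immutable`, `grep "-e 2" ...` passes grep the single argument `-e 2`, which option parsing reads as `-e` with the pattern ` 2` (a space followed by 2) rather than a search for the literal text `-e 2`; the check passes today only because the intended line happens to contain that substring, and any other rule line containing ` 2` would satisfy the exit-status check as well. Terminate option parsing and anchor the pattern: `exec: grep -h -- '^-e 2$' /etc/audit/rules.d/*.rules` (`-h` drops the filename prefix, so the `cut` is no longer needed). This rule also has only a config-side test; the `Live` counterpart the sibling files provide would be `auditctl -s` reporting `enabled 2`, which is what actually proves the running configuration is locked.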
diff --git a/section_6/cis_6.2.3/cis_6.2.3.21.yml b/section_6/cis_6.2.3/cis_6.2.3.21.yml new file mode 100644 index 0000000..4e64c02 --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.21.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_21 }} +command: + auditd_config_match: + title: 6.2.3.21 | Ensure the audit configuration is immutable + exec: augenrules --check + exit-status: 0 + stdout: + - '/.*: No change/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.21 + CISv8: + - 8.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.3.yml b/section_6/cis_6.2.3/cis_6.2.3.3.yml new file mode 100644 index 0000000..23bdb96 --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.3.yml @@ -0,0 +1,41 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_3 }} +command: + auditd_sudolog_chg: + title: 6.2.3.3 | Ensure events that modify the sudo log file are collected | Config + exec: grep sudo_log_file /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '-w /var/log/sudo.log -p wa -k sudo_log_file' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.3 + CISv8: + - 8.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + auditd_sudolog_chg_live: + title: 6.2.3.3 | Ensure events that modify the sudo log file are collected | Live + exec: auditctl -l | grep sudo_log_file + exit-status: 0 + stdout: + - '-w /var/log/sudo.log -p wa -k sudo_log_file' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.3 + CISv8: + - 8.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.4.yml b/section_6/cis_6.2.3/cis_6.2.3.4.yml new file mode 100644 index 0000000..62e6eb6 --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.4.yml 
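Review bot: The title of `auditd_config_match` is copied from 6.2.3.20 (`Ensure the audit configuration is immutable`), but the test runs `augenrules --check`, which as far as I can tell compares the merged `rules.d` content with the on-disk `audit.rules`, so the title misdescribes what is asserted and any report keyed on titles will show two rules with the same name. Change it to `title: 6.2.3.21 | Ensure the running and on disk configuration is the same`. If a comparison against the rules the kernel has loaded is what is intended, that is a separate `auditctl -l` check and should be stated in a comment above `exec:`.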
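Review bot: `auditd_sudolog_chg` and `auditd_sudolog_chg_live` hard-code `/var/log/sudo.log` in the expected watch line, whereas the benchmark derives the path from the `logfile` setting in sudoers, so a host whose sudoers points the log elsewhere can have a correct rule and still fail both tests. Either record the assumption in a comment above `exec:` (`# assumes the sudo log is /var/log/sudo.log; adjust if sudoers sets logfile=`) or feed the path in from `.Vars` like the other tunables. `NIST800-53R5: NA` is also the only scalar value for that key among the auditd tests in this commit; fine if intentional, but confirm the consumer of `meta` accepts both a list and a string.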
@@ -0,0 +1,49 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_4 }} +command: + auditd_time_cnf: + title: 6.2.3.4 | Ensure events that modify date and time information are collected | Config + exec: grep time-change /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change' + - '-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change' + - '-w /etc/localtime -p wa -k time-change' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.4 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - CM-6 + auditd_time_live: + title: 6.2.3.4 | Ensure events that modify date and time information are collected | Live + exec: auditctl -l | grep time-change + exit-status: 0 + stdout: + - '-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -F key=time-change' + - '-a always,exit -F arch=b32 -S settimeofday,adjtimex,clock_settime -F key=time-change' + - '-w /etc/localtime -p wa -k time-change' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.4 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - CM-6 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.5.yml b/section_6/cis_6.2.3/cis_6.2.3.5.yml new file mode 100644 index 0000000..63455fd --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.5.yml 
@@ -0,0 +1,59 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_5 }} +command: + auditd_locale_cnf: + title: 6.2.3.5 | Ensure events that modify the system's network environment are collected | Config + exec: grep system-locale /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale' + - '-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale' + - '-w /etc/issue -p wa -k system-locale' + - '-w /etc/issue.net -p wa -k system-locale' + - '-w /etc/hosts -p wa -k system-locale' + - '-w /etc/networks -p wa -k system-locale' + - '-w /etc/network -p wa -k system-locale' + - '-w /etc/netplan -p wa -k system-locale' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.5 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - CM-6 + auditd_locale_live: + title: 6.2.3.5 | Ensure events that modify the system's network environment are collected | Live + exec: auditctl -l | grep system-locale + exit-status: 0 + stdout: + - '-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale' + - '-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale' + - '-w /etc/issue -p wa -k system-locale' + - '-w /etc/issue.net -p wa -k system-locale' + - '-w /etc/hosts -p wa -k system-locale' + - '-w /etc/networks -p wa -k system-locale' + - '-w /etc/network -p wa -k system-locale' + - '-w /etc/netplan -p wa -k system-locale' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.5 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - CM-6 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.6.yml b/section_6/cis_6.2.3/cis_6.2.3.6.yml new file mode 100644 index 0000000..eb5cf79 --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.6.yml 
@@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_6 }} +command: + auditd_priv_cmds_cnf: + title: 6.2.3.6 | Ensure use of privileged commands is collected | Config + exec: grep delete /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.6 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - AU-3(1) + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.7.yml b/section_6/cis_6.2.3/cis_6.2.3.7.yml new file mode 100644 index 0000000..cd520fa --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.7.yml 
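Review bot: `auditd_priv_cmds_cnf` greps the rules for the word `delete` and leaves `stdout:` empty, so it passes whenever any line in `rules.d` contains `delete` (the `delete_module` rule from 6.2.3.19 is enough) and never inspects a privileged-command rule at all. Target the key this rule uses and require at least one `perm=x` rule, e.g. `exec: grep -h -- '-k privileged' /etc/audit/rules.d/*.rules` with `stdout:` / `- '/-a always,exit -F path=\S+ -F perm=x -F auid>=1000 -F auid!=(unset|4294967295|-1) -k privileged/'` (assuming the role uses the benchmark's `privileged` key — confirm). A complete check would compare the rules against the setuid/setgid binaries found on each mounted filesystem, which is what the benchmark's audit does; that scan is heavy and belongs behind `run_heavy_tests` like the section 7 filesystem checks.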
@@ -0,0 +1,49 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_7 }} +command: + auditd_access_cnf: + title: 6.2.3.7 | Ensure unsuccessful unauthorized file access attempts are collected | Conf + exec: sh -c "grep auid /etc/audit/rules.d/*.rules" + exit-status: 0 + stdout: + - '/-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=(unset|4294967295|-1) -k access/' + - '/-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=(unset|4294967295|-1) -k access/' + - '/-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=(unset|4294967295|-1) -k access/' + - '/-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=(unset|4294967295|-1) -k access/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.7 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + auditd_access_live: + title: 6.2.3.7 |Ensure unsuccessful unauthorized file access attempts are collected | Live + exec: auditctl -l | grep access + exit-status: 0 + stdout: + - '/-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat -F exit=-EACCES -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=access/' + - '/-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat -F exit=-EACCES -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=access/' + - '/-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat -F exit=-EPERM -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=access/' + - '/-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat -F exit=-EPERM -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=access/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.7 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} 
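Review bot: `auditd_access_cnf` runs `grep auid` over `rules.d`, which matches nearly every rule in the directory rather than the `access` rules this test is about, so the `exit-status: 0` check proves nothing and the four regexes are searched through unrelated output; `exec: grep access /etc/audit/rules.d/*.rules` is the form the sibling files use, and the `sh -c` wrapper is not needed. Two title typos in the same hunk: `| Conf` on the config test should be `| Config`, and `6.2.3.7 |Ensure` on the live test is missing the space after the pipe, which will break any report that splits titles on ` | `.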
diff --git a/section_6/cis_6.2.3/cis_6.2.3.8.yml b/section_6/cis_6.2.3/cis_6.2.3.8.yml new file mode 100644 index 0000000..138e88d --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.8.yml @@ -0,0 +1,57 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_8 }} +command: + auditd_identity_cnf: + title: 6.2.3.8 | Ensure events that modify user/group information are collected | Config + exec: grep identity /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '-w /etc/group -p wa -k identity' + - '-w /etc/passwd -p wa -k identity' + - '-w /etc/gshadow -p wa -k identity' + - '-w /etc/shadow -p wa -k identity' + - '-w /etc/nsswitch.conf -p wa -k identity' + - '-w /etc/pam.conf -p wa -k identity' + - '-w /etc/pam.d -p wa -k identity' + - '-w /etc/security/opasswd -p wa -k identity' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.8 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + auditd_identity_live: + title: 6.2.3.8 | Ensure events that modify user/group information are collected | Live + exec: auditctl -l | grep identity + exit-status: 0 + stdout: + - '-w /etc/group -p wa -k identity' + - '-w /etc/passwd -p wa -k identity' + - '-w /etc/gshadow -p wa -k identity' + - '-w /etc/nsswitch.conf -p wa -k identity' + - '-w /etc/pam.conf -p wa -k identity' + - '-w /etc/pam.d -p wa -k identity' + - '-w /etc/shadow -p wa -k identity' + - '-w /etc/security/opasswd -p wa -k identity' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.8 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.9.yml b/section_6/cis_6.2.3/cis_6.2.3.9.yml new file mode 100644 index 0000000..7c103bd --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.9.yml 
@@ -0,0 +1,55 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_9 }} +command: + auditd_perms_cnf: + title: 6.2.3.9 | Ensure discretionary access control permission modification events are collected | Config + exec: grep perm_mod /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '/-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=(unset|4294967295|-1) -k perm_mod/' + - '/-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=(unset|4294967295|-1) -k perm_mod/' + - '/-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=(unset|4294967295|-1) -k perm_mod/' + - '/-a always,exit -F arch=b32 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=(unset|4294967295|-1) -k perm_mod/' + - '/-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=(unset|4294967295|-1) -k perm_mod/' + - '/-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=(unset|4294967295|-1) -k perm_mod/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.9 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - CM-6 + auditd_perms_live: + title: 6.2.3.9 | Ensure discretionary access control permission modification events are collected | Live + exec: auditctl -l | grep perm_mod + exit-status: 0 + stdout: + - '/-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=perm_mod/' + - '/-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=perm_mod/' + - '/-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=perm_mod/' + - '/-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=perm_mod/' + - '/-a always,exit -F 
arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=perm_mod/' + - '/-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=perm_mod/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.9 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - CM-6 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.4/cis_6.2.4.1.yml b/section_6/cis_6.2.4/cis_6.2.4.1.yml new file mode 100644 index 0000000..7a15730 --- /dev/null +++ b/section_6/cis_6.2.4/cis_6.2.4.1.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_4_1 }} +command: + audit_logfile_perms: + title: 6.2.4.1 | Ensure audit log files mode is configured + exec: for file in `grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'`; do stat -Lc "%n_%a" $file; done + exit-status: 0 + stdout: + - '/.*_6(0|4)0$/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.4.1 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.4/cis_6.2.4.10.yml b/section_6/cis_6.2.4/cis_6.2.4.10.yml new file mode 100644 index 0000000..f5e5fbf --- /dev/null +++ b/section_6/cis_6.2.4/cis_6.2.4.10.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_4_10 }} +command: + audit_tools_group: + title: 6.2.4.10 | Ensure audit tools group owner is configured + exec: stat -c "%n_%G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules + exit-status: 0 + stdout: + - '/.*_root$/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.4.10 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} 
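Review bot: `audit_logfile_perms` stats only the file named by `log_file`, but the benchmark applies 6.2.4.1 (and 6.2.4.2 / the second test of 6.2.4.3 for owner and group) to every file in the audit log directory, so rotated logs such as `audit.log.1` that have drifted to a wider mode are never examined. The regex `/.*_6(0|4)0$/` also rejects modes that are more restrictive than 0640 and therefore compliant (0600 passes, 0400 and 0440 fail); 6.2.4.5 repeats the same regex for the config files. A directory-wide check that prints only offenders, in the style 7.1.11 already uses, is `exec: find "$(dirname "$(awk -F= '/^\s*log_file/ {print $2}' /etc/audit/auditd.conf | xargs)")" -type f -perm /0137` with `stdout:` / `- '!/./'`.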
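Review bot: `audit_tools_group` prints one `name_group` line per tool, but as far as I can tell a goss `stdout` pattern is satisfied as soon as any one line matches it, so this test passes when a single one of the six tools is group-owned by root even if the other five are not; the same applies to the multi-line output of 6.2.4.5, 6.2.4.6, 6.2.4.7, 6.2.4.8 and 6.2.4.9. The robust form used elsewhere in this commit (7.1.11) is to print only offenders and assert empty output: `exec: stat -c "%n_%G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules | grep -v '_root$'` with `exit-status:` / `or: [0, 1]` and `stdout:` / `- '!/./'`. If the matcher in fact requires every line to match, a one-line comment above `stdout:` saying so would spare the next reader the same investigation.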
diff --git a/section_6/cis_6.2.4/cis_6.2.4.2.yml b/section_6/cis_6.2.4/cis_6.2.4.2.yml new file mode 100644 index 0000000..220f41f --- /dev/null +++ b/section_6/cis_6.2.4/cis_6.2.4.2.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_4_2 }} +command: + audit_logfile_owner: + title: 6.2.4.2 | Ensure audit log files owner is configured + exec: for file in `grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'`; do stat -Lc "%n_%U" $file; done + exit-status: 0 + stdout: + - '/.*_root$/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.4.2 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.4/cis_6.2.4.3.yml b/section_6/cis_6.2.4/cis_6.2.4.3.yml new file mode 100644 index 0000000..cffaf7e --- /dev/null +++ b/section_6/cis_6.2.4/cis_6.2.4.3.yml @@ -0,0 +1,43 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_4_3 }} +command: + audit_logfile_group_setting: + title: 6.2.4.3 | Ensure audit log files group owner is configured + exec: grep log_group /etc/audit/audit* | awk '{ print $NF }' + exit-status: 0 + stdout: + - '/^(adm|root)$/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.4.3 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + audit_logfile_group: + title: 6.2.4.3 | Ensure only authorized groups are assigned ownership of audit log files + exec: for file in `grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'`; do stat -Lc " %n_%G" $file; done + exit-status: 0 + stdout: + - '/.*_(adm|root)$/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.4.3 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.4/cis_6.2.4.4.yml b/section_6/cis_6.2.4/cis_6.2.4.4.yml new file mode 100644 index 0000000..97ddece --- /dev/null 
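Review bot: `audit_logfile_group_setting` greps `log_group` across `/etc/audit/audit*`, so a commented-out `# log_group = ...` line, or any other file the glob picks up, is enough to satisfy `/^(adm|root)$/` even when the active setting says something else. Restrict it to the live line of the file that defines it: `exec: grep -E '^\s*log_group\s*=' /etc/audit/auditd.conf | awk '{ print $NF }'`. The second test in the hunk formats `stat` with a leading space (`" %n_%G"`) while 6.2.4.1 and 6.2.4.2 do not; harmless for the regex, but the inconsistency looks unintentional.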
+++ b/section_6/cis_6.2.4/cis_6.2.4.4.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_4_4 }} +command: + audit_logfile_dir_perms: + title: 6.2.4.4 | Ensure the audit log file directory mode is configured + exec: for dir in `dirname \`grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'\``; do stat -Lc " %n_%a" $dir; done + exit-status: 0 + stdout: + - '/.*_7(0|5)0$/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.4.4 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.4/cis_6.2.4.5.yml b/section_6/cis_6.2.4/cis_6.2.4.5.yml new file mode 100644 index 0000000..13ed1f4 --- /dev/null +++ b/section_6/cis_6.2.4/cis_6.2.4.5.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_4_5 }} +command: + audit_conf_perms: + title: 6.2.4.5 | Ensure audit configuration files mode is configured + exec: for file in `find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \)`; do stat -Lc " %n_%a" $file; done + exit-status: 0 + stdout: + - '/.*_6(0|4)0$/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.4.5 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.4/cis_6.2.4.6.yml b/section_6/cis_6.2.4/cis_6.2.4.6.yml new file mode 100644 index 0000000..7f8c8a8 --- /dev/null +++ b/section_6/cis_6.2.4/cis_6.2.4.6.yml 
@@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_4_6 }} +command: + audit_conf_owner: + title: 6.2.4.6 | Ensure audit configuration files owner is configured + exec: for file in `find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \)`; do stat -Lc " %n_%U" $file; done + exit-status: 0 + stdout: + - '/.*_root$/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.4.6 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.4/cis_6.2.4.7.yml b/section_6/cis_6.2.4/cis_6.2.4.7.yml new file mode 100644 index 0000000..4916c8d --- /dev/null +++ b/section_6/cis_6.2.4/cis_6.2.4.7.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_4_7 }} +command: + audit_conf_group: + title: 6.2.4.7 | Ensure audit configuration files group owner is configured + exec: for file in `find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \)`; do stat -Lc " %n_%U" $file; done + exit-status: 0 + stdout: + - '/.*_root$/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.4.7 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.4/cis_6.2.4.8.yml b/section_6/cis_6.2.4/cis_6.2.4.8.yml new file mode 100644 index 0000000..2d9e0ae --- /dev/null +++ b/section_6/cis_6.2.4/cis_6.2.4.8.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_4_8 }} +command: + audit_tools_perms: + title: 6.2.4.8 | Ensure audit tools mode is configured + exec: stat -c "%n_%a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules + exit-status: 0 + stdout: + - '/.*_7(0|5)(0|5)$/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.4.8 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} 
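Review bot: `audit_conf_group` is titled `Ensure audit configuration files group owner is configured`, but its `stat` format is `%U` (owner name), copied from 6.2.4.6, so the test never looks at the group and passes for a root-owned file with any group. Change the format in the loop body to `stat -Lc " %n_%G" $file`; 6.2.4.10 in this commit uses `%G` for the equivalent check on the audit tools and is the model to follow.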
diff --git a/section_6/cis_6.2.4/cis_6.2.4.9.yml b/section_6/cis_6.2.4/cis_6.2.4.9.yml new file mode 100644 index 0000000..7d121c0 --- /dev/null +++ b/section_6/cis_6.2.4/cis_6.2.4.9.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_4_9 }} +command: + audit_tools_owner: + title: 6.2.4.9 | Ensure audit tools owner is configured + exec: stat -c "%n_%U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules + exit-status: 0 + stdout: + - '/.*_root$/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.4.9 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.3.x/cis_6.3.1.yml b/section_6/cis_6.3.x/cis_6.3.1.yml new file mode 100644 index 0000000..8dbd738 --- /dev/null +++ b/section_6/cis_6.3.x/cis_6.3.1.yml @@ -0,0 +1,36 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_config_aide }} + {{ if .Vars.ubtu24cis_rule_6_3_1 }} +package: + aide: + title: 6.3.1 | Ensure AIDE is installed | aide pkg + installed: true + meta: + server: 1 + workstation: 1 + CIS_ID: 6.3.1 + CISv8: 3.14 + CISv8_IG1: false + CISv8_IG2: false + CISv8_IG3: true + NIST800-53R5: + - AU-2 + aide-common: + title: 6.3.1 | Ensure AIDE is installed | aide-common pkg + installed: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.3.1 + CISv8: 3.14 + CISv8_IG1: false + CISv8_IG2: false + CISv8_IG3: true + NIST800-53R5: + - AU-2 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_6/cis_6.3.x/cis_6.3.2.yml b/section_6/cis_6.3.x/cis_6.3.2.yml new file mode 100644 index 0000000..d9d3000 --- /dev/null +++ b/section_6/cis_6.3.x/cis_6.3.2.yml 
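Review bot: In the `aide` package test, `CIS_ID: 6.3.1` is a scalar, while the `aide-common` entry beneath it and every other test in this commit write it as a list (`CIS_ID:` / `- 6.3.1`); a consumer of `meta` that iterates the list will get a string here and a one-element list there. Make the first entry `CIS_ID:` followed by `- 6.3.1` to match. `CISv8: 3.14` is a scalar in both entries and throughout section 7 whereas the auditd files write `CISv8:` as a list, so the same choice of shape is worth settling for the whole repo.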
@@ -0,0 +1,65 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_config_aide }} + {{ if .Vars.ubtu24cis_rule_6_3_2 }} + {{ if eq .Vars.ubtu24cis_aide_scan "cron" }} +command: + aide_cron: + title: 6.3.2 | Ensure filesystem integrity is regularly checked | aide cron + exit-status: + or: + - 0 + - 2 + exec: "grep -rs aide /etc/cron.* /etc/crontab /var/spool/cron/*" + stdout: + - '!/^#/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.3.2 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} +service: + {{ if eq .Vars.ubtu24cis_aide_scan "timer" }} + aidecheck: + title: 6.3.2 | Ensure filesystem integrity is regularly checked | aidecheck service + name: aidecheck.service + enabled: true + running: true + skip: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.3.2 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + aidecheck.timer: + title: 6.3.2 | Ensure filesystem integrity is regularly checked | aidecheck timer + name: aidecheck.timer + enabled: true + running: true + skip: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.3.2 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_6/cis_6.3.x/cis_6.3.3.yml b/section_6/cis_6.3.x/cis_6.3.3.yml new file mode 100644 index 0000000..092044c --- /dev/null +++ b/section_6/cis_6.3.x/cis_6.3.3.yml 
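Review bot: The `service:` key sits outside the `{{ if eq .Vars.ubtu24cis_aide_scan "timer" }}` guard, so when the scan method is `cron` the rendered file ends with a bare `service:` holding no entries — at best a `service: null` section that goss ignores; moving `service:` inside the timer branch keeps the output clean in both modes. The cron branch also accepts `exit-status` 2 together with `stdout: - '!/^#/'`, and that combination is satisfied by empty output: `grep -rs` exits 2 when one of the globbed paths is missing even if nothing matched, so a host with no aide cron entry at all can pass. Add a positive match alongside the negation, e.g. `- '/aide/'` under `stdout:`, so the test requires an uncommented aide line to exist.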
@@ -0,0 +1,30 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_config_aide }} + {{ if .Vars.ubtu24cis_rule_6_3_3 }} +command: + audit_tools_crypto: + title: 6.3.3 | Ensure cryptographic mechanisms are used to protect the integrity of audit tools + exec: grep -P -- '(\/sbin\/(audit|au)\H*\b)' /etc/aide/aide.conf + exit-status: 0 + stdout: + - '/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512' + - '/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512' + - '/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512' + - '/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512' + - '/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512' + - '/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.3.3 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: NA + {{ end }} + {{ end }} +{{ end }} diff --git a/section_7/cis_7.1/cis_7.1.1.yml b/section_7/cis_7.1/cis_7.1.1.yml new file mode 100644 index 0000000..7392aa8 --- /dev/null +++ b/section_7/cis_7.1/cis_7.1.1.yml @@ -0,0 +1,32 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_7_1_1 }} +file: + passwd_perms: + title: 7.1.1 | Ensure permissions on /etc/passwd are configured + path: /etc/passwd + exists: true + owner: root + group: root + mode: + or: + - "0644" + - "0640" + - "0604" + - "0600" + - "0400" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.1.1 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_7/cis_7.1/cis_7.1.10.yml b/section_7/cis_7.1/cis_7.1.10.yml new file mode 100644 index 0000000..065c2c9 --- /dev/null +++ b/section_7/cis_7.1/cis_7.1.10.yml 
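Review bot: `passwd_perms` enumerates `0644`, `0640`, `0604`, `0600`, `0400` under `mode: or:`, but the benchmark's requirement is 0644 or more restrictive, and modes such as `"0444"`, `"0440"` and `"0404"` (owner write bit removed) satisfy that and are rejected here; the same five-value list is repeated in 7.1.2, 7.1.3 and 7.1.4. Since `mode` is compared as a string, the practical fix is to extend the list, or to move the check to a `command` with `stat -c %a` and a regex such as `/^[46][04][04]$/`. A one-line comment above `mode:` recording which policy the list encodes would also help whoever has to regenerate it.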
@@ -0,0 +1,29 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_7_1_10 }} +file: + etc_security_opasswd_perms: + title: 7.1.10 | Ensure permissions on /etc/security/opasswd are configured + path: /etc/security/opasswd + exists: true + owner: root + group: root + mode: + or: + - "0600" + - "0400" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.1.10 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_7/cis_7.1/cis_7.1.11.yml b/section_7/cis_7.1/cis_7.1.11.yml new file mode 100644 index 0000000..307434d --- /dev/null +++ b/section_7/cis_7.1/cis_7.1.11.yml @@ -0,0 +1,28 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.run_heavy_tests }} + {{ if .Vars.ubtu24cis_rule_7_1_11 }} +command: + world_writable: + title: 7.1.11 | Ensure world writable files and directories are secured + exec: "df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -o -type d \\( -perm -0002 -a ! -perm -1000 \\)" + exit-status: 0 + timeout: {{ .Vars.timeout_ms }} + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.1.11 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_7/cis_7.1/cis_7.1.12.yml b/section_7/cis_7.1/cis_7.1.12.yml new file mode 100644 index 0000000..ac408d8 --- /dev/null +++ b/section_7/cis_7.1/cis_7.1.12.yml 
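Review bot: `etc_security_opasswd_perms` asserts `exists: true`, but as far as I know `/etc/security/opasswd` is created lazily by the PAM password-history modules on first use rather than shipped by the distribution, so a freshly built host that has not yet changed a password fails this test for a reason unrelated to permissions. Confirm whether the role creates the file; if it does not, the benchmark's wording is "if the file exists" and the resource should be skipped when it is absent (a `{{ if }}` on a variable the role sets, or `skip: true`). The `0600`/`0400` mode list itself matches the other shadow-style files in the section.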
@@ -0,0 +1,31 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.run_heavy_tests }} + {{ if .Vars.ubtu24cis_rule_7_1_12 }} +command: + unowned_dirs: + title: 7.1.12 | Ensure no files or directories without an owner and a group exist + exec: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -o -nogroup | grep -v journal-upload" + exit-status: + or: + - 0 + - 1 + timeout: {{ .Vars.timeout_ms }} + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.1.12 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_7/cis_7.1/cis_7.1.13.yml b/section_7/cis_7.1/cis_7.1.13.yml new file mode 100644 index 0000000..e3f60bc --- /dev/null +++ b/section_7/cis_7.1/cis_7.1.13.yml @@ -0,0 +1,36 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.run_heavy_tests }} + {{ if .Vars.ubtu24cis_rule_7_1_13 }} +command: + audit_sgid: + title: 7.1.13 | Ensure SUID and SGID files are reviewed | Manual + exec: "df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -02000 -o -perm -04000" + timeout: {{ .Vars.timeout_ms }} + exit-status: + or: + - 0 + - 1 + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.1.13 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + - AC-3 + - MP-2 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_7/cis_7.1/cis_7.1.2.yml b/section_7/cis_7.1/cis_7.1.2.yml new file mode 100644 index 0000000..b517667 --- /dev/null +++ b/section_7/cis_7.1/cis_7.1.2.yml 
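Review bot: `unowned_dirs` writes the awk program as `awk {'if (NR!=1) print $6'}` with the quotes inside the braces; it works only because the shell strips them and leaves one word, and it differs from the `awk '{if (NR!=1) print $6}'` spelling used by 7.1.11 and 7.1.13 in this commit. Use the conventional form so the three scans read the same. The `grep -v journal-upload` exclusion deserves a comment above `exec:` stating why those paths are exempt, since a reader cannot tell from the test whether it is a known false positive or a gap.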
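Review bot: `audit_sgid` asserts `stdout: - '!/./'`, i.e. that the SUID/SGID scan prints nothing, but base-system binaries such as `/usr/bin/sudo`, `/usr/bin/passwd` and `/usr/bin/su` are setuid by design, so this test fails on every Ubuntu host — and the title already concedes the control is a `Manual` review. Either mark it `skip: true` with a comment that the output is for review (`# 7.1.13 is a manual control: the list is reported, not asserted`), or filter the find output through `grep -vFf` against an allow-list file shipped by the role so that only unexpected entries are reported. The `find` expression also lacks grouping: in `-type f -perm -02000 -o -perm -04000` the `-type f` binds only to the first branch, so `-type f \( -perm -02000 -o -perm -04000 \)` is the intended form.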
@@ -0,0 +1,32 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_7_1_2 }} +file: + passwd-_perms: + title: 7.1.2 | Ensure permissions on /etc/passwd- are configured + path: /etc/passwd + exists: true + owner: root + group: root + mode: + or: + - "0644" + - "0640" + - "0604" + - "0600" + - "0400" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.1.2 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_7/cis_7.1/cis_7.1.3.yml b/section_7/cis_7.1/cis_7.1.3.yml new file mode 100644 index 0000000..e8eafce --- /dev/null +++ b/section_7/cis_7.1/cis_7.1.3.yml @@ -0,0 +1,32 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_7_1_3 }} +file: + group_perms: + title: 7.1.3 | Ensure permissions on /etc/group are configured + path: /etc/group + exists: true + owner: root + group: root + mode: + or: + - "0644" + - "0640" + - "0604" + - "0600" + - "0400" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.1.3 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_7/cis_7.1/cis_7.1.4.yml b/section_7/cis_7.1/cis_7.1.4.yml new file mode 100644 index 0000000..84ff248 --- /dev/null +++ b/section_7/cis_7.1/cis_7.1.4.yml @@ -0,0 +1,32 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_7_1_4 }} +file: + group-_perms: + title: 7.1.4 | Ensure permissions on /etc/group- are configured + path: /etc/group- + exists: true + owner: root + group: root + mode: + or: + - "0644" + - "0640" + - "0604" + - "0600" + - "0400" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.1.4 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_7/cis_7.1/cis_7.1.5.yml b/section_7/cis_7.1/cis_7.1.5.yml new file mode 100644 index 0000000..d02a27d --- /dev/null 
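Review bot: The 7.1.2 check points at the wrong file: the title and the key `passwd-_perms` are about /etc/passwd-, but the `path:` line reads `/etc/passwd`, so the backup file's permissions are never examined and 7.1.2 merely repeats 7.1.1. The fix is the one line `path: /etc/passwd-`, matching how 7.1.4, 7.1.6 and 7.1.8 reference their backup files. Once corrected, `exists: true` will fail on a host where the backup has not yet been created by a passwd edit; I believe the benchmark treats these backup files as "if present", so consider dropping that line as well.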
+++ b/section_7/cis_7.1/cis_7.1.5.yml @@ -0,0 +1,33 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_7_1_5 }} +file: + shadow_perms: + title: 7.1.5 | Ensure permissions on /etc/shadow are configured + path: /etc/shadow + exists: true + owner: root + group: + or: + - root + - shadow + mode: + or: + - "0640" + - "0600" + - "0400" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.1.5 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_7/cis_7.1/cis_7.1.6.yml b/section_7/cis_7.1/cis_7.1.6.yml new file mode 100644 index 0000000..46b0c01 --- /dev/null +++ b/section_7/cis_7.1/cis_7.1.6.yml @@ -0,0 +1,33 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_7_1_6 }} +file: + shadow-_perms: + title: 7.1.6 | Ensure permissions on /etc/shadow- are configured + path: /etc/shadow- + exists: true + owner: root + group: + or: + - root + - shadow + mode: + or: + - "0640" + - "0600" + - "0400" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.1.6 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_7/cis_7.1/cis_7.1.7.yml b/section_7/cis_7.1/cis_7.1.7.yml new file mode 100644 index 0000000..959d021 --- /dev/null +++ b/section_7/cis_7.1/cis_7.1.7.yml @@ -0,0 +1,33 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_7_1_7 }} +file: + gshadow_perms: + title: 7.1.7 | Ensure permissions on /etc/gshadow are configured + path: /etc/gshadow + exists: true + owner: root + group: + or: + - root + - shadow + mode: + or: + - "0640" + - "0600" + - "0400" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.1.7 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} 
diff --git a/section_7/cis_7.1/cis_7.1.8.yml b/section_7/cis_7.1/cis_7.1.8.yml new file mode 100644 index 0000000..b832558 --- /dev/null +++ b/section_7/cis_7.1/cis_7.1.8.yml @@ -0,0 +1,33 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_7_1_8 }} +file: + gshadow-_perms: + title: 7.1.8 | Ensure permissions on /etc/gshadow- are configured + path: /etc/gshadow- + exists: true + owner: root + group: + or: + - root + - shadow + mode: + or: + - "0640" + - "0600" + - "0400" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.1.8 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_7/cis_7.1/cis_7.1.9.yml b/section_7/cis_7.1/cis_7.1.9.yml new file mode 100644 index 0000000..7c5fe4e --- /dev/null +++ b/section_7/cis_7.1/cis_7.1.9.yml @@ -0,0 +1,32 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_7_1_9 }} +file: + etc_shells_perms: + title: 7.1.9 | Ensure permissions on /etc/shells are configured + path: /etc/shells + exists: true + owner: root + group: root + mode: + or: + - "0644" + - "0640" + - "0604" + - "0600" + - "0400" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.1.9 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_7/cis_7.2/cis_7.2.1.yml b/section_7/cis_7.2/cis_7.2.1.yml new file mode 100644 index 0000000..6ce81d6 --- /dev/null +++ b/section_7/cis_7.2/cis_7.2.1.yml @@ -0,0 +1,24 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_7_2_1 }} +file: + shadowed_passwds: + title: 7.2.1 | Ensure accounts in /etc/passwd use shadowed passwords + path: /etc/passwd + exists: true + contents: + - '/^.*:x:/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.2.1 + CISv8: 3.11 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - IA-5 + {{ end }} +{{ end }} 
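Review bot: The `contents: - '/^.*:x:/'` pattern in the 7.2.1 check only proves that at least one line of /etc/passwd has `x` in the password field; a goss contents match passes as soon as any line matches, so an account carrying a hash or an empty second field still passes. The control needs the inverse assertion — no line whose second field is anything other than `x` — which is clearest as a command check mirroring the benchmark's own audit: `exec: "awk -F: '($2 != \"x\") { print $1 }' /etc/passwd"` with `exit-status: 0` and `stdout: - '!/./'`. If the file-based form is kept, tighten it to a negative pattern such as `- '!/^[^:]*:([^x:][^:]*|x[^:]+|):/'`, which flags an empty, non-`x`, or `x`-prefixed second field.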
diff --git a/section_7/cis_7.2/cis_7.2.10.yml b/section_7/cis_7.2/cis_7.2.10.yml new file mode 100644 index 0000000..74128ab --- /dev/null +++ b/section_7/cis_7.2/cis_7.2.10.yml @@ -0,0 +1,73 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_7_2_10 }} +command: + bad_dot_files: + title: 7.2.10 | Ensure local interactive user dot files access is configured | bad dot files + exec: 'find /home/ -name "\.forward" -o -name "\.netrc" -o -name "\.rhosts"' + exit-status: 0 + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.2.10 + CISv8: 3.3 + CISv8_IG1: True + CISv8_IG2: True + CISv8_IG3: True + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + dot_file_perms: + title: 7.2.10 | Ensure local interactive user dot files access is configured | dot files permissions + exec: 'find /home/ -name "\.*" -perm /g+w,o+w | grep -v .bash_history' + exit-status: + or: + - 0 + - 1 + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.2.10 + CISv8: 3.3 + CISv8_IG1: True + CISv8_IG2: True + CISv8_IG3: True + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + dot_file_bash_history: + title: 7.2.10 | Ensure local interactive user dot files access is configured | bash_history files permissions + exec: 'find /home/ -name "\.bash_history" -perm /go+rwx' + exit-status: 0 + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.2.10 + CISv8: 3.3 + CISv8_IG1: True + CISv8_IG2: True + CISv8_IG3: True + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_7/cis_7.2/cis_7.2.2.yml b/section_7/cis_7.2/cis_7.2.2.yml new file mode 100644 index 0000000..53ef4d2 --- /dev/null +++ b/section_7/cis_7.2/cis_7.2.2.yml 
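Review bot: All three 7.2.10 sub-checks hard-code `/home/` as the search root, so dot files of interactive users whose home directory was created elsewhere are never examined, while non-account directories under /home are. Deriving the directory list from /etc/passwd, as the 7.2.9 check does, keeps the scope tied to the accounts the control is about, e.g. `awk -F: '($3 >= 1000 && $7 !~ /nologin|false/) { print $6 }' /etc/passwd | xargs -I '{}' find '{}' -maxdepth 1 -name '.*' -perm /g+w,o+w` (quoting adjusted to the YAML string style used here). Two smaller points in the permissions sub-check: `grep -v .bash_history` is an unanchored substring match whose dot is a regex wildcard, and `-name "\.*"` also matches dot-directories such as .ssh and .cache, so add `-type f` if only files are intended.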
@@ -0,0 +1,24 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_7_2_2 }} +file: + passwd_fields_not_empty_shadow: + title: 7.2.2 | Ensure password fields are not empty + path: /etc/shadow + exists: true + contents: + - '!/^*.[a-z]::/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.2.2 + CISv8: 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - IA-5 + {{ end }} +{{ end }} diff --git a/section_7/cis_7.2/cis_7.2.3.yml b/section_7/cis_7.2/cis_7.2.3.yml new file mode 100644 index 0000000..056c23b --- /dev/null +++ b/section_7/cis_7.2/cis_7.2.3.yml @@ -0,0 +1,31 @@ +--- + +{{ if .Vars.ubtu24cis_rule_7_2_3 }} + {{ if .Vars.ubtu24cis_level_1 }} +command: + passwd_group_exist: + title: 7.2.3 | Ensure all groups in /etc/passwd exist in /etc/group + exec: "awk -F: '{print $4}' /etc/passwd |sort -u > /tmp/uid && awk -F: '{print $3}' /etc/group| sort -u> /tmp/gid && comm -23 /tmp/uid /tmp/gid && rm -f /tmp/uid /tmp/gid" + exit-status: + or: + - 0 + - 1 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.2.3 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_7/cis_7.2/cis_7.2.4.yml b/section_7/cis_7.2/cis_7.2.4.yml new file mode 100644 index 0000000..eadcbc4 --- /dev/null +++ b/section_7/cis_7.2/cis_7.2.4.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_7_2_4 }} +file: + shadow_group_empty: + title: 7.2.4 | Ensure shadow group is empty + path: /etc/group + exists: true + contents: + - '/^shadow:x:\d{2,}:$/' + - '!/^shadow:x:\d{2,}:./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.2.4 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - IA-5 + {{ end }} +{{ end }} diff --git a/section_7/cis_7.2/cis_7.2.5.yml b/section_7/cis_7.2/cis_7.2.5.yml new file mode 100644 index 0000000..3cd1bc0 --- /dev/null 
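Review bot: The pattern `'!/^*.[a-z]::/'` in the 7.2.2 check is malformed: `^*` is a repetition with no operand, which I believe Go's RE2 engine rejects outright, and even read leniently it would only flag account names ending in a lowercase letter, missing names like `user1` or `svc_db`. The intent — no /etc/shadow line whose second field is empty — is `- '!/^[^:]+::/'`, which covers any account name. A command form that also reports which account is affected, `awk -F: '($2 == \"\") { print $1 }' /etc/shadow` with `stdout: - '!/./'`, is what the benchmark's own audit uses and is easier to triage.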
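Review bot: The 7.2.3 command writes its intermediate lists to fixed, predictable names in the world-writable /tmp (`/tmp/uid`, `/tmp/gid`), which an audit running as root should avoid: a pre-planted file or symlink at those paths can be clobbered or followed (Ubuntu's default fs.protected_symlinks narrows but does not remove this), and a leftover from an earlier aborted run is silently compared. No temp file is needed; a single awk pass does the join and keeps the exit status meaningful: `exec: "awk -F: 'NR==FNR { g[$3]; next } !($4 in g) { print $1 \": \" $4 }' /etc/group /etc/passwd"` with `exit-status: 0`. As a naming nit, the lists hold GIDs, not UIDs, so `/tmp/uid` misleads if a temp file is ever retained.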
+++ b/section_7/cis_7.2/cis_7.2.5.yml @@ -0,0 +1,28 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_7_2_5 }} +command: + no_dup_uid: + title: 7.2.5 | Ensure no duplicate UIDs exist + exec: "cat /etc/passwd | cut -d: -f3 | uniq -d" + exit-status: 0 + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.2.5 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_7/cis_7.2/cis_7.2.6.yml b/section_7/cis_7.2/cis_7.2.6.yml new file mode 100644 index 0000000..3af78ac --- /dev/null +++ b/section_7/cis_7.2/cis_7.2.6.yml @@ -0,0 +1,28 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_7_2_6 }} +command: + no_dup_gid: + title: 7.2.6 | Ensure no duplicate GIDs exist + exec: "cat /etc/group | cut -d: -f3 | uniq -d" + exit-status: 0 + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.2.6 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_7/cis_7.2/cis_7.2.7.yml b/section_7/cis_7.2/cis_7.2.7.yml new file mode 100644 index 0000000..41eb888 --- /dev/null +++ b/section_7/cis_7.2/cis_7.2.7.yml @@ -0,0 +1,28 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_7_2_7 }} +command: + no_dup_username: + title: 7.2.7 | Ensure no duplicate user names exist + exec: "cat /etc/passwd | cut -d: -f1 | uniq -d" + exit-status: 0 + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.2.7 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_7/cis_7.2/cis_7.2.8.yml b/section_7/cis_7.2/cis_7.2.8.yml new file mode 100644 index 0000000..e4ef614 --- /dev/null +++ b/section_7/cis_7.2/cis_7.2.8.yml 
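Review bot: `cut -d: -f3 | uniq -d` in the 7.2.5 check only reports duplicates on adjacent lines, because uniq compares each line with its predecessor; a UID reused by an account appended later in /etc/passwd is missed. Insert a sort and drop the needless cat: `exec: "cut -d: -f3 /etc/passwd | sort | uniq -d"`. The 7.2.6 and 7.2.7 checks in this commit have the same shape and need the same `sort`.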
@@ -0,0 +1,28 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_7_2_8 }} +command: + no_dup_groupname: + title: 7.2.8 | Ensure no duplicate group names exist + exec: "cat /etc/group | cut -d: -f1 | uniq -d" + exit-status: 0 + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.2.8 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_7/cis_7.2/cis_7.2.9.yml b/section_7/cis_7.2/cis_7.2.9.yml new file mode 100644 index 0000000..4449720 --- /dev/null +++ b/section_7/cis_7.2/cis_7.2.9.yml 
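Review bot: `uniq -d` without a preceding `sort` in the 7.2.8 check only catches duplicate group names on adjacent lines of /etc/group; a duplicate appended later in the file goes unreported. Use `exec: "cut -d: -f1 /etc/group | sort | uniq -d"`; piping `cat` into `cut` adds nothing.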
@@ -0,0 +1,64 @@ +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_7_2_9 }} +command: + home_dirs_exist: + title: 7.2.9 | Ensure local interactive user home directories are configured | Directories exist + exec: for i in `cat /etc/passwd | grep -Ev "halt|sync|shutdown|nfsnobody|nologin|false" | cut -d ':' -f6`; do if [ ! -d $i ]; then echo "homedir missing $i"; fi; done + exit-status: + or: + - 0 + - 1 + - 2 + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.2.9 + CISv8: 3.3 + CISv8_IG1: True + CISv8_IG2: True + CISv8_IG3: True + NIST800-53R5: NA + home_dirs_ownership: + title: 7.2.9 | Ensure local interactive user home directories are configured | Directory ownership + exec: "getent passwd {1000..60000} | awk -F: '{ print $1 \" \" $7 }' | while read user dir; do if [ $user != 'ftpd' ]; then owner=$(stat -L -c \"%U\" \"$dir\"); if [ \"$owner\" != \"$user\" ]; then echo \"home dir for $user owned by $owner\"; fi; fi; done" + exit-status: + or: + - 0 + - 1 + - 2 + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.2.9 + CISv8: 3.3 + CISv8_IG1: True + CISv8_IG2: True + CISv8_IG3: True + NIST800-53R5: NA + home_dirs_permissions: + title: 7.2.9 | Ensure local interactive user home directories are configured | Directory permissions + exec: export def_home=`grep "^HOME=" /etc/default/useradd |cut -d= -f2` && for i in `ls $def_home`; do stat -c "%a %n" $def_home/$i | grep -Ev "7[0-5]0|syslog"; done + exit-status: + or: + - 0 + - 1 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.2.9 + CISv8: 3.3 + CISv8_IG1: True + CISv8_IG2: True + CISv8_IG3: True + NIST800-53R5: NA + {{ end }} +{{ end }} diff --git a/vars/CIS.yml b/vars/CIS.yml new file mode 100644 index 0000000..20126ec --- /dev/null +++ b/vars/CIS.yml 
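Review bot: The `home_dirs_ownership` sub-check reads the wrong passwd field: `print $1 " " $7` yields the login shell, not the home directory (`$6`), so `stat` runs against /bin/bash and the like and every user is reported as having a root-owned home. Independently, `getent passwd {1000..60000}` relies on bash brace expansion; if goss's default `sh -c` runner is in use (dash on Ubuntu), the literal string reaches getent, which exits 2 — a status the `or: [0, 1, 2]` list accepts — and the check passes having examined no users. A portable line that fixes both: `exec: "awk -F: '($3 >= 1000 && $3 <= 60000 && $1 != \"ftpd\") { print $1 \" \" $6 }' /etc/passwd | while read user dir; do owner=$(stat -L -c %U \"$dir\" 2>/dev/null); [ \"$owner\" = \"$user\" ] || echo \"home dir for $user owned by $owner\"; done"`, with `exit-status: 0` so a failing lookup no longer counts as a pass. The `home_dirs_exist` loop has the same bash-vs-sh fragility in its unquoted `$i` if a home path ever contains whitespace.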
@@ -0,0 +1,744 @@ +--- + +## metadata for Audit benchmark +benchmark_version: '2.0.0' + + +# timeout for each command to run where set - default = 10seconds/10000ms +timeout_ms: 120000 + +ubtu24cis_section1: true +ubtu24cis_section2: true +ubtu24cis_section3: true +ubtu24cis_section4: true +ubtu24cis_section5: true +ubtu24cis_section6: true +ubtu24cis_section7: true + +ubtu24cis_level_1: true +ubtu24cis_level_2: true + + +# to enable rules that may have IO impact on a system e.g. full filesystem scans or CPU heavy +run_heavy_tests: true + +# True is BIOS based system else set to false +ubtu24cis_legacy_boot: true + +## +## Rule-specific switches +## +## Use the switches below to disable specific rules independently of the chosen profile +## + +## Section 1 Fixes +# Section 1 is Initial setup (FileSystem Configuration, Configure Software Updates, Filesystem Integrity Checking, Secure Boot Settings, +# Additional Process Hardening, Mandatory Access Control, Command Line Warning Banners, and GNOME Display Manager) + +# 1.1 Filesystems +# 1.1.1 Configure Filesystem Kernel Modules +ubtu24cis_rule_1_1_1_1: true +ubtu24cis_rule_1_1_1_2: true +ubtu24cis_rule_1_1_1_3: true +ubtu24cis_rule_1_1_1_4: true +ubtu24cis_rule_1_1_1_5: true +ubtu24cis_rule_1_1_1_6: true +ubtu24cis_rule_1_1_1_7: true +ubtu24cis_rule_1_1_1_8: true +ubtu24cis_rule_1_1_1_9: true +ubtu24cis_rule_1_1_1_10: true + +# 1.1.2 Configure Filesystem Partitions +# /tmp +ubtu24cis_rule_1_1_2_1_1: true +ubtu24cis_rule_1_1_2_1_2: true +ubtu24cis_rule_1_1_2_1_3: true +ubtu24cis_rule_1_1_2_1_4: true + +# /dev/shm +ubtu24cis_rule_1_1_2_2_1: true +ubtu24cis_rule_1_1_2_2_2: true +ubtu24cis_rule_1_1_2_2_3: true +ubtu24cis_rule_1_1_2_2_4: true + +# /home +ubtu24cis_rule_1_1_2_3_1: true +ubtu24cis_rule_1_1_2_3_2: true +ubtu24cis_rule_1_1_2_3_3: true + +# /var +ubtu24cis_rule_1_1_2_4_1: true +ubtu24cis_rule_1_1_2_4_2: true +ubtu24cis_rule_1_1_2_4_3: true + +# /var/tmp +ubtu24cis_rule_1_1_2_5_1: true 
+ubtu24cis_rule_1_1_2_5_2: true +ubtu24cis_rule_1_1_2_5_3: true +ubtu24cis_rule_1_1_2_5_4: true + +# /var/log +ubtu24cis_rule_1_1_2_6_1: true +ubtu24cis_rule_1_1_2_6_2: true +ubtu24cis_rule_1_1_2_6_3: true +ubtu24cis_rule_1_1_2_6_4: true + +# /var/log/audit +ubtu24cis_rule_1_1_2_7_1: true +ubtu24cis_rule_1_1_2_7_2: true +ubtu24cis_rule_1_1_2_7_3: true +ubtu24cis_rule_1_1_2_7_4: true + +# 1.2 Package mgmt +# 1.2.1 Configure Package repositories +ubtu24cis_rule_1_2_1_1: true +ubtu24cis_rule_1_2_1_2: true +# 1.2.2 Configure Package updates +ubtu24cis_rule_1_2_2_1: true + +# 1.3 Mandatory Access Control +## 1.3.1 Configure AppArmor +ubtu24cis_rule_1_3_1_1: true +ubtu24cis_rule_1_3_1_2: true +ubtu24cis_rule_1_3_1_3: true +ubtu24cis_rule_1_3_1_4: true + +# 1.4 Configure Bootloader +ubtu24cis_rule_1_4_1: true +ubtu24cis_rule_1_4_2: true + +# 1.5 Configure additional Process Hardening +ubtu24cis_rule_1_5_1: true +ubtu24cis_rule_1_5_2: true +ubtu24cis_rule_1_5_3: true +ubtu24cis_rule_1_5_4: true +ubtu24cis_rule_1_5_5: true + +# 1.6 Configure Command Line Warning Banners +ubtu24cis_rule_1_6_1: true +ubtu24cis_rule_1_6_2: true +ubtu24cis_rule_1_6_3: true +ubtu24cis_rule_1_6_4: true +ubtu24cis_rule_1_6_5: true +ubtu24cis_rule_1_6_6: true + +# 1.7 Configure GNOME Display Manager +ubtu24cis_rule_1_7_1: true +ubtu24cis_rule_1_7_2: true +ubtu24cis_rule_1_7_3: true +ubtu24cis_rule_1_7_4: true +ubtu24cis_rule_1_7_5: true +ubtu24cis_rule_1_7_6: true +ubtu24cis_rule_1_7_7: true +ubtu24cis_rule_1_7_8: true +ubtu24cis_rule_1_7_9: true +ubtu24cis_rule_1_7_10: true + +## Section 2 Fixes +# Section 2 is Services (Special Purpose Services, and service clients) + +# 2.1 Configure Server Services +ubtu24cis_rule_2_1_1: true +ubtu24cis_rule_2_1_2: true +ubtu24cis_rule_2_1_3: true +ubtu24cis_rule_2_1_4: true +ubtu24cis_rule_2_1_5: true +ubtu24cis_rule_2_1_6: true +ubtu24cis_rule_2_1_7: true +ubtu24cis_rule_2_1_8: true +ubtu24cis_rule_2_1_9: true +ubtu24cis_rule_2_1_10: true 
+ubtu24cis_rule_2_1_11: true +ubtu24cis_rule_2_1_12: true +ubtu24cis_rule_2_1_13: true +ubtu24cis_rule_2_1_14: true +ubtu24cis_rule_2_1_15: true +ubtu24cis_rule_2_1_16: true +ubtu24cis_rule_2_1_17: true +ubtu24cis_rule_2_1_18: true +ubtu24cis_rule_2_1_19: true +ubtu24cis_rule_2_1_20: true +ubtu24cis_rule_2_1_21: true +ubtu24cis_rule_2_1_22: true + +# 2.2 Configure client services +ubtu24cis_rule_2_2_1: true +ubtu24cis_rule_2_2_2: true +ubtu24cis_rule_2_2_3: true +ubtu24cis_rule_2_2_4: true +ubtu24cis_rule_2_2_5: true +ubtu24cis_rule_2_2_6: true + +# Ensure time synchronization is in use +ubtu24cis_rule_2_3_1_1: true +# Configure systemd-timesyncd +ubtu24cis_rule_2_3_2_1: true +ubtu24cis_rule_2_3_2_2: true +# Configure Chrony +ubtu24cis_rule_2_3_3_1: true +ubtu24cis_rule_2_3_3_2: true +ubtu24cis_rule_2_3_3_3: true + +# 2.4 Job Schedulers +# 2.4.1 Configure Cron +ubtu24cis_rule_2_4_1_1: true +ubtu24cis_rule_2_4_1_2: true +ubtu24cis_rule_2_4_1_3: true +ubtu24cis_rule_2_4_1_4: true +ubtu24cis_rule_2_4_1_5: true +ubtu24cis_rule_2_4_1_6: true +ubtu24cis_rule_2_4_1_7: true +ubtu24cis_rule_2_4_1_8: true +# Configure At +ubtu24cis_rule_2_4_2_1: true + +## Section 3 Network Configuration +# 3.1 Configure Network Devices +ubtu24cis_rule_3_1_1: true +ubtu24cis_rule_3_1_2: true +ubtu24cis_rule_3_1_3: true +# 3.2 Configure Network Kernel Modules (Host Only) +ubtu24cis_rule_3_2_1: true +ubtu24cis_rule_3_2_2: true +ubtu24cis_rule_3_2_3: true +ubtu24cis_rule_3_2_4: true +# 3.3 Configure Network Kernel Parameters (Host and Router) +ubtu24cis_rule_3_3_1: true +ubtu24cis_rule_3_3_2: true +ubtu24cis_rule_3_3_3: true +ubtu24cis_rule_3_3_4: true +ubtu24cis_rule_3_3_5: true +ubtu24cis_rule_3_3_6: true +ubtu24cis_rule_3_3_7: true +ubtu24cis_rule_3_3_8: true +ubtu24cis_rule_3_3_9: true +ubtu24cis_rule_3_3_10: true +ubtu24cis_rule_3_3_11: true + +## Section 4 Host Based Firewall + +# 4.1 single firewall +ubtu24cis_rule_4_1_1: true + +# 4.2 Configure UncomplicatedFirewall 
+ubtu24cis_rule_4_2_1: true +ubtu24cis_rule_4_2_2: true +ubtu24cis_rule_4_2_3: true +ubtu24cis_rule_4_2_4: true +ubtu24cis_rule_4_2_5: true +ubtu24cis_rule_4_2_6: true +ubtu24cis_rule_4_2_7: true +# 4.3 Configure nftables +ubtu24cis_rule_4_3_1: true +ubtu24cis_rule_4_3_2: true +ubtu24cis_rule_4_3_3: true +ubtu24cis_rule_4_3_4: true +ubtu24cis_rule_4_3_5: true +ubtu24cis_rule_4_3_6: true +ubtu24cis_rule_4_3_7: true +ubtu24cis_rule_4_3_8: true +ubtu24cis_rule_4_3_9: true +ubtu24cis_rule_4_3_10: true + +# 4.4.1 Configure iptables software +ubtu24cis_rule_4_4_1_1: true +ubtu24cis_rule_4_4_1_2: true +ubtu24cis_rule_4_4_1_3: true + +# 4.4.2 Configure IPv4 iptables +ubtu24cis_rule_4_4_2_1: true +ubtu24cis_rule_4_4_2_2: true +ubtu24cis_rule_4_4_2_3: true +ubtu24cis_rule_4_4_2_4: true +# 4.4.3 Configure IPv6 iptables +ubtu24cis_rule_4_4_3_1: true +ubtu24cis_rule_4_4_3_2: true +ubtu24cis_rule_4_4_3_3: true +ubtu24cis_rule_4_4_3_4: true + +## Section 5 Access Control +# 5.1 Configure SSH Server +ubtu24cis_rule_5_1_1: true +ubtu24cis_rule_5_1_2: true +ubtu24cis_rule_5_1_3: true +ubtu24cis_rule_5_1_4: true +ubtu24cis_rule_5_1_5: true +ubtu24cis_rule_5_1_6: true +ubtu24cis_rule_5_1_7: true +ubtu24cis_rule_5_1_8: true +ubtu24cis_rule_5_1_9: true +ubtu24cis_rule_5_1_10: true +ubtu24cis_rule_5_1_11: true +ubtu24cis_rule_5_1_12: true +ubtu24cis_rule_5_1_13: true +ubtu24cis_rule_5_1_14: true +ubtu24cis_rule_5_1_15: true +ubtu24cis_rule_5_1_16: true +ubtu24cis_rule_5_1_17: true +ubtu24cis_rule_5_1_18: true +ubtu24cis_rule_5_1_19: true +ubtu24cis_rule_5_1_20: true +ubtu24cis_rule_5_1_21: true +ubtu24cis_rule_5_1_22: true +# 5.2 Configure privilege escalation +ubtu24cis_rule_5_2_1: true +ubtu24cis_rule_5_2_2: true +ubtu24cis_rule_5_2_3: true +ubtu24cis_rule_5_2_4: true +ubtu24cis_rule_5_2_5: true +ubtu24cis_rule_5_2_6: true +ubtu24cis_rule_5_2_7: true +# 5.3.1 Configure PAM software packages +ubtu24cis_rule_5_3_1_1: true +ubtu24cis_rule_5_3_1_2: true +ubtu24cis_rule_5_3_1_3: true +# 
5.3.2 Configure pam-auth-update profiles +ubtu24cis_rule_5_3_2_1: true +ubtu24cis_rule_5_3_2_2: true +ubtu24cis_rule_5_3_2_3: true +ubtu24cis_rule_5_3_2_4: true +# 5.3.3.1 Configure pam_faillock module +ubtu24cis_rule_5_3_3_1_1: true +ubtu24cis_rule_5_3_3_1_2: true +ubtu24cis_rule_5_3_3_1_3: true +# 5.3.3.2 Configure pam_quality module +ubtu24cis_rule_5_3_3_2_1: true +ubtu24cis_rule_5_3_3_2_2: true +ubtu24cis_rule_5_3_3_2_3: true +ubtu24cis_rule_5_3_3_2_4: true +ubtu24cis_rule_5_3_3_2_5: true +ubtu24cis_rule_5_3_3_2_6: true +ubtu24cis_rule_5_3_3_2_7: true +ubtu24cis_rule_5_3_3_2_8: true +# 5.3.3.3 Configure pam_history module +# This are added as part of 5.3.2.4 using jinja2 template +ubtu24cis_rule_5_3_3_3_1: true +ubtu24cis_rule_5_3_3_3_2: true +ubtu24cis_rule_5_3_3_3_3: true +# 5.3.3.4 Configure pam_unix module +ubtu24cis_rule_5_3_3_4_1: true +ubtu24cis_rule_5_3_3_4_2: true +ubtu24cis_rule_5_3_3_4_3: true +ubtu24cis_rule_5_3_3_4_4: true +# 5.4 User Accounts and Environment +# 5.4.1 Configure shadow password suite parameters +ubtu24cis_rule_5_4_1_1: true +ubtu24cis_rule_5_4_1_2: true +ubtu24cis_rule_5_4_1_3: true +ubtu24cis_rule_5_4_1_4: true +ubtu24cis_rule_5_4_1_5: true +ubtu24cis_rule_5_4_1_6: true +# 5.4.2 Configure root and system accounts and environment +ubtu24cis_rule_5_4_2_1: true +ubtu24cis_rule_5_4_2_2: true +ubtu24cis_rule_5_4_2_3: true +ubtu24cis_rule_5_4_2_4: true +ubtu24cis_rule_5_4_2_5: true +ubtu24cis_rule_5_4_2_6: true +ubtu24cis_rule_5_4_2_7: true +ubtu24cis_rule_5_4_2_8: true +# 5.4.2 Configure user default environment +ubtu24cis_rule_5_4_3_1: true +ubtu24cis_rule_5_4_3_2: true +ubtu24cis_rule_5_4_3_3: true + +## Section 6 + +# 6.2.1.x Configure systemd-journald service +ubtu24cis_rule_6_1_1_1: true +ubtu24cis_rule_6_1_1_2: true +ubtu24cis_rule_6_1_1_3: true +ubtu24cis_rule_6_1_1_4: true +# 6.1.2.1 Configure journald +ubtu24cis_rule_6_1_2_1_1: true +ubtu24cis_rule_6_1_2_1_2: true +ubtu24cis_rule_6_1_2_1_3: true +ubtu24cis_rule_6_1_2_1_4: true 
+ubtu24cis_rule_6_1_2_2: true +ubtu24cis_rule_6_1_2_3: true +ubtu24cis_rule_6_1_2_4: true +# 6.1.3 Configure rsyslog +ubtu24cis_rule_6_1_3_1: true +ubtu24cis_rule_6_1_3_2: true +ubtu24cis_rule_6_1_3_3: true +ubtu24cis_rule_6_1_3_4: true +ubtu24cis_rule_6_1_3_5: true +ubtu24cis_rule_6_1_3_6: true +ubtu24cis_rule_6_1_3_7: true +# 6.1.3.8 logrotate +ubtu24cis_rule_6_1_3_8: true +# 6.1.4.1 configure logfiles +ubtu24cis_rule_6_1_4_1: true +# 6.2.1 Configure auditd services +ubtu24cis_rule_6_2_1_1: true +ubtu24cis_rule_6_2_1_2: true +ubtu24cis_rule_6_2_1_3: true +ubtu24cis_rule_6_2_1_4: true +# 6.2.2 Configure auditd data retention +ubtu24cis_rule_6_2_2_1: true +ubtu24cis_rule_6_2_2_2: true +ubtu24cis_rule_6_2_2_3: true +ubtu24cis_rule_6_2_2_4: true +# 6.2.3 Configure auditd rules +ubtu24cis_rule_6_2_3_1: true +ubtu24cis_rule_6_2_3_2: true +ubtu24cis_rule_6_2_3_3: true +ubtu24cis_rule_6_2_3_4: true +ubtu24cis_rule_6_2_3_5: true +ubtu24cis_rule_6_2_3_6: true +ubtu24cis_rule_6_2_3_7: true +ubtu24cis_rule_6_2_3_8: true +ubtu24cis_rule_6_2_3_9: true +ubtu24cis_rule_6_2_3_10: true +ubtu24cis_rule_6_2_3_11: true +ubtu24cis_rule_6_2_3_12: true +ubtu24cis_rule_6_2_3_13: true +ubtu24cis_rule_6_2_3_14: true +ubtu24cis_rule_6_2_3_15: true +ubtu24cis_rule_6_2_3_16: true +ubtu24cis_rule_6_2_3_17: true +ubtu24cis_rule_6_2_3_18: true +ubtu24cis_rule_6_2_3_19: true +ubtu24cis_rule_6_2_3_20: true +ubtu24cis_rule_6_2_3_21: true +# 6.2.4 Configure audit file access +ubtu24cis_rule_6_2_4_1: true +ubtu24cis_rule_6_2_4_2: true +ubtu24cis_rule_6_2_4_3: true +ubtu24cis_rule_6_2_4_4: true +ubtu24cis_rule_6_2_4_5: true +ubtu24cis_rule_6_2_4_6: true +ubtu24cis_rule_6_2_4_7: true +ubtu24cis_rule_6_2_4_8: true +ubtu24cis_rule_6_2_4_9: true +ubtu24cis_rule_6_2_4_10: true +# 6.3 Configure Filesystem Integrity Checking +ubtu24cis_rule_6_3_1: true +ubtu24cis_rule_6_3_2: true +ubtu24cis_rule_6_3_3: true + +## Section 7 +# 7.1 System File Permissions +ubtu24cis_rule_7_1_1: true +ubtu24cis_rule_7_1_2: true 
+ubtu24cis_rule_7_1_3: true +ubtu24cis_rule_7_1_4: true +ubtu24cis_rule_7_1_5: true +ubtu24cis_rule_7_1_6: true +ubtu24cis_rule_7_1_7: true +ubtu24cis_rule_7_1_8: true +ubtu24cis_rule_7_1_9: true +ubtu24cis_rule_7_1_10: true +ubtu24cis_rule_7_1_11: true +ubtu24cis_rule_7_1_12: true +ubtu24cis_rule_7_1_13: true +# 7.2 Local User and Group Settings +ubtu24cis_rule_7_2_1: true +ubtu24cis_rule_7_2_2: true +ubtu24cis_rule_7_2_3: true +ubtu24cis_rule_7_2_4: true +ubtu24cis_rule_7_2_5: true +ubtu24cis_rule_7_2_6: true +ubtu24cis_rule_7_2_7: true +ubtu24cis_rule_7_2_8: true +ubtu24cis_rule_7_2_9: true +ubtu24cis_rule_7_2_10: true + +## System functionality configuration variables +## +## There are certain functionalities of a system +## that may require either to skip certain CIS rules +## or install certain packages. +## Set the respective variable to `true` in order to +## enable a certain functionality on the system + +# This variable governs whether specific CIS rules +# concerned with acceptance and routing of packages +# are skipped. +ubtu24cis_is_router: false + +## IPv4 requirement toggle +# This variable governs whether ipv4 is enabled or disabled. +ubtu24cis_ipv4_required: true + +## IPv6 requirement toggle +# This variable governs whether ipv6 is enabled or disabled. +ubtu24cis_ipv6_required: false + +## Desktop requirement toggle +# This variable governs, whether CIS rules regarding GDM +# and X-Windows are carried out. +ubtu24cis_desktop_required: false + +## Section 1 + +# If system uses squahshfs e.gf. 
snap package manager set true +ubtu24cis_squashfs_required: true + +## Controls 1.3.1.3 and 1.3.1.4 Ensure all AppArmor Profiles are in enforce (1.3.1.3/4) or complain (1.3.1.3) mode + +# This variable disables the implementation of rules 1.3.1.3 and 1.3.1.4 +# regarding enforcing profiles or putting them in complain mode +ubtu24cis_apparmor_disable: false + +## Controls 1.4.x - Boot password +# +# THIS VARIABLE SHOULD BE CHANGED AND INCORPORATED INTO VAULT +# THIS VALUE IS WHAT THE ROOT PW WILL BECOME!!!!!!!! +# HAVING THAT PW EXPOSED IN RAW TEXT IS NOT SECURE!!!! +ubtu24cis_grub_user: root +ubtu24cis_bootloader_password_hash: "grub.pbkdf2.sha512.changethispassword" # pragma: allowlist secret + +## Controls 1.5.x + +## Controls 1.6.x - Warning banners +# The controls 1.6.x set various warning banners and protect the respective files +# by tightening the access rights. + +# This variable specifies the warning banner displayed to the user +# after local login, remote login, and as motd (message of the day) +# Noe that the banner text must not contain the below items in order to be +# compliant with CIS: \m, \r, \s, \v or references to the OS platform +ubtu24cis_warning_banner: | + Authorized uses only. All activity may be monitored and reported. + +# This variable governs, whether dynamic motd is disabled (as required by control 1.7.1) +ubtu24cis_disable_dynamic_motd: true + +## Controls 1.7.x - Settings for GDM +# This variable specifies the GNOME configuration database file to which configurations are written. +# (See https://help.gnome.org/admin/system-admin-guide/stable/dconf-keyfiles.html.en) +# The default database is `local`. +ubtu24cis_dconf_db_name: local + +## +# Section 2 +## + +## +## Service configuration variables. +## +## Set the respective variable to true to keep the service. 
+## otherwise the service is stopped and disabled
+##
+# Service configuration
+# Options are
+# true to leave installed if exists not changes take place
+# false - this removes the package
+# mask - if a dependancy for product so cannot be removed
+# Server Services
+ubtu24cis_autofs_services: false
+ubtu24cis_autofs_mask: false
+ubtu24cis_avahi_server: false
+ubtu24cis_avahi_mask: false
+ubtu24cis_dhcp_server: false
+ubtu24cis_dhcp_mask: false
+ubtu24cis_dns_server: false
+ubtu24cis_dns_mask: false
+ubtu24cis_dnsmasq_server: false
+ubtu24cis_dnsmasq_mask: false
+ubtu24cis_ftp_server: false
+ubtu24cis_ftp_mask: false
+ubtu24cis_ldap_server: false
+ubtu24cis_ldap_mask: false
+ubtu24cis_message_server: false # This is for messaging dovecot and dovecot-pop3
+ubtu24cis_message_mask: false
+ubtu24cis_nfs_server: true
+ubtu24cis_nfs_mask: true
+ubtu24cis_nis_server: true # set to mask if nis client required
+ubtu24cis_nis_mask: false
+ubtu24cis_print_server: false # replaces cups
+ubtu24cis_print_mask: false
+ubtu24cis_rpc_server: true
+ubtu24cis_rpc_mask: true
+ubtu24cis_rsync_server: false
+ubtu24cis_rsync_mask: false
+ubtu24cis_samba_server: false
+ubtu24cis_samba_mask: false
+ubtu24cis_snmp_server: false
+ubtu24cis_snmp_mask: false
+ubtu24cis_telnet_server: false
+ubtu24cis_telnet_mask: false
+ubtu24cis_tftp_server: false
+ubtu24cis_tftp_mask: false
+ubtu24cis_squid_server: false
+ubtu24cis_squid_mask: false
+ubtu24cis_apache2_server: false
+ubtu24cis_apache2_mask: false
+ubtu24cis_nginx_server: false
+ubtu24cis_nginx_mask: false
+ubtu24cis_xinetd_server: false
+ubtu24cis_xinetd_mask: false
+ubtu24cis_xwindow_server: false # will remove mask not an option
+ubtu24cis_is_mail_server: false
+
+# Client Services
+ubtu24cis_nis_client_required: false # Same package as NIS server
+ubtu24cis_rsh_client: false
+ubtu24cis_talk_client: false
+ubtu24cis_telnet_required: false
+ubtu24cis_ldap_clients_required: false
+ubtu24cis_ftp_client: false
+
+## Control 2.3.1.1
+# This variable choses the tool used for time synchronization
+# The two options are `chrony`and `systemd-timesyncd`.
+ubtu24cis_time_sync_tool: "systemd-timesyncd"
+
+## Controls 2.3.x - Configure time pools & servers for chrony and timesyncd
+# The following variable represents a list of of time server pools used
+# for configuring chrony and timesyncd.
+# Each list item contains two settings, `name` (the domain name of the pool) and synchronization `options`.
+# The default setting for the `options` is `iburst maxsources 4` -- please refer to the documentation
+# of the time synchronization mechanism you are using.
+ubtu24cis_time_pool_name: time.nist.gov
+
+# The following variable represents a list of of time servers used
+# for configuring chrony and timesyncd
+# Each list item contains two settings, `name` (the domain name of the server) and synchronization `options`.
+# The default setting for the `options` is `iburst` -- please refer to the documentation
+# of the time synchronization mechanism you are using.
+ubtu24cis_time_servers:
+- name: time-a-g.nist.gov
+ options: iburst
+- name: time-b-g.nist.gov
+ options: iburst
+- name: time-c-g.nist.gov
+ options: iburst
+
+# Section 3
+## Control 3.1.1 - Ensure system is checked to determine if IPv6 is enabled
+# This variable governs the mechanism of how the disabling of IPV6 is carried out.
+# Its possible values are `grub` and `sysctl`.
+ubtu24cis_ipv6_disable: grub
+
+## Control 3.1.3 - Ensure bluetooth Services are not in use
+# This control managed how the bluetooth service is managaed
+# Options are
+# true to leave installed if exists not changes take place
+# false - this removes the package
+# mask - if a dependancy for product so cannot be removed
+ubtu24cis_bluetooth_service: false
+ubtu24cis_bluetooth_mask: false
+
+## Control 3.3.x - Networking configuration
+# This variable contains the path to the file in which, sysctl saves its configurations.
+# Its default value is `/etc/sysctl.conf`.
+ubtu24cis_sysctl_network_conf: /etc/sysctl.conf
+
+#
+### Section 4
+#
+## Controls 4.1.x, 4.2.x, and 4.3.x - Firewall configuration
+# This variable represents the toggle for which firewall package is used.
+# The options that have an effect on the system are `ufw` and `iptables`.
+# The option `nftables` is also possible, but will only result in a message,
+# that `nftables` has been chosen; all settings have to be carried out manually.
+# Any other value, e.g. `none` will skip all firewall-related controls.
+ubtu24cis_firewall_package: "ufw"
+
+## auditd settings
+ubtu24cis_auditd:
+ space_left_action: email
+ action_mail_acct: root
+ admin_space_left_action: halt
+ max_log_file_action: keep_logs
+ auditd_backlog_limit: 8192
+
+## syslog
+# Set which syslog service
+# journald or rsyslog
+ubtu24cis_syslog_service: 'journald'
+ubtu24cis_is_syslog_server: false
+
+### Section 5
+# Note the following to understand precedence and layout
+ubtu24cis_sshd_access:
+ - AllowUser
+ - AllowGroup
+ - DenyUser
+ - DenyGroup
+
+ubtu24cis_ssh_strong_ciphers:
+ - aes256-gcm@openssh.com
+ - aes128-gcm@openssh.com
+ - aes256-ctr
+ - aes192-ctr
+ - aes128-ctr
+ubtu24cis_ssh_weak_ciphers:
+ - 3des-cbc
+ - aes128-cbc
+ - aes192-cbc
+ - aes256-cbc
+ - arcfour
+ - chacha20-poly1305@openssh.com
+ - arcfour128
+ - arcfour256
+ - blowfish-cbc
+ - cast128-cbc
+ - rijndael-cbc@lysator.liu.se
+
+ubtu24cis_ssh_strong_macs:
+ - HMAC-SHA1
+ - hmac-sha2-256
+ - hmac-sha2-512
+ubtu24cis_ssh_weak_macs:
+ - hmac-md5
+ - hmac-md5-96
+ - hmac-ripemd160
+ - hmac-sha1-96
+ - umac-64@openssh.com
+ - umac-128@openssh.com
+ - hmac-md5-etm@openssh.com
+ - hmac-md5-96-etm@openssh.com
+ - hmac-ripemd160-etm@openssh.com
+ - hmac-sha1-etm@openssh.com
+ - hmac-sha1-96-etm@openssh.com
+ - umac-64-etm@openssh.com
+ - umac-128-etm@openssh.com
+ - hmac-sha2-512-etm@openssh.com
+ - hmac-sha2-256-etm@openssh.com
+
+ubtu24cis_ssh_strong_kex:
+ - ecdh-sha2-nistp256
+ - ecdh-sha2-nistp521
+ - diffie-hellman-group-exchange-sha256
+ - diffie-hellman-group14-sha256
+ - diffie-hellman-group16-sha512
+ - diffie-hellman-group18-sha512
+ubtu24cis_ssh_weak_kex:
+ - diffie-hellman-group1-sha1
+ - diffie-hellman-group14-sha1
+ - diffie-hellman-group-exchange-sha1
+
+ubtu24cis_ssh_aliveinterval: 300
+ubtu24cis_ssh_countmax: 3
+## PAM
+ubtu24cis_pam_password:
+ minlen: "14"
+ minclass: "4"
+
+ubtu24cis_pam_passwd_retry: "3"
+
+# choose one of below
+ubtu24cis_pwhistory_so: "14"
+ubtu24cis_passwd_remember: "5"
+
+# logins.def password settings
+ubtu24cis_pass:
+ max_days: "365"
+ min_days: "1"
+ warn_age: "7"
+
+# set sugroup if differs from wheel
+ubtu24cis_sugroup: nosugroup
+
+# var log location variable
+ubtu24cis_varlog_location: "/var/log/sudo.log"
+
+# Section 6
+ubtu24cis_config_aide: true
+
+# 6.1.2
+# aide setup via - cron, timer
+ubtu24cis_aide_scan: cron
