From addda5895cf45a2dc9a118bc5dd0ccf9b614f85b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 5 Sep 2024 08:17:35 +0100 Subject: [PATCH] initial v1.0.0 
Signed-off-by: Mark Bolwell --- .gitattributes | 6 + .gitignore | 45 ++ CONTRIBUTING.md | 71 +++ Changelog.md | 3 + LICENSE | 21 + README.md | 139 +++++ goss.yml | 96 +++ run_audit.sh | 213 +++++++ section_1/cis_1.1/cis_1.1.1.1.yml | 39 ++ section_1/cis_1.1/cis_1.1.1.2.yml | 39 ++ section_1/cis_1.1/cis_1.1.1.3.yml | 39 ++ section_1/cis_1.1/cis_1.1.1.4.yml | 39 ++ section_1/cis_1.1/cis_1.1.1.5.yml | 39 ++ section_1/cis_1.1/cis_1.1.1.6.yml | 39 ++ section_1/cis_1.1/cis_1.1.1.7.yml | 41 ++ section_1/cis_1.1/cis_1.1.1.8.yml | 39 ++ section_1/cis_1.1/cis_1.1.1.9.yml | 39 ++ section_1/cis_1.1/cis_1.1.2.1.1.yml | 21 + section_1/cis_1.1/cis_1.1.2.1.2_4.yml | 66 ++ section_1/cis_1.1/cis_1.1.2.2.1.yml | 22 + section_1/cis_1.1/cis_1.1.2.2.2_4.yml | 66 ++ section_1/cis_1.1/cis_1.1.2.3.1.yml | 21 + section_1/cis_1.1/cis_1.1.2.3.2_4.yml | 58 ++ section_1/cis_1.1/cis_1.1.2.4.1.yml | 21 + section_1/cis_1.1/cis_1.1.2.4.2_3.yml | 58 ++ section_1/cis_1.1/cis_1.1.2.5.1.yml | 21 + section_1/cis_1.1/cis_1.1.2.5.2_4.yml | 66 ++ section_1/cis_1.1/cis_1.1.2.6.1.yml | 21 + section_1/cis_1.1/cis_1.1.2.6.2_4.yml | 66 ++ section_1/cis_1.1/cis_1.1.2.7.1.yml | 21 + section_1/cis_1.1/cis_1.1.2.7.2_4.yml | 66 ++ section_1/cis_1.2.1/cis_1.2.1.1.yml | 27 + section_1/cis_1.2.1/cis_1.2.1.2.yml | 22 + section_1/cis_1.2.2/cis_1.2.2.1.yml | 25 + section_1/cis_1.3.1/cis_1.3.1.1.yml | 21 + section_1/cis_1.3.1/cis_1.3.1.2.yml | 43 ++ section_1/cis_1.3.1/cis_1.3.1.3.yml | 25 + section_1/cis_1.3.1/cis_1.3.1.4.yml | 25 + section_1/cis_1.4/cis_1.4.1.yml | 24 + section_1/cis_1.4/cis_1.4.2.yml | 27 + section_1/cis_1.5/cis_1.5.1.yml | 40 ++ section_1/cis_1.5/cis_1.5.2.yml | 40 ++ section_1/cis_1.5/cis_1.5.3.yml | 94 +++ section_1/cis_1.5/cis_1.5.4.yml | 23 + section_1/cis_1.5/cis_1.5.5.yml | 36 ++ section_1/cis_1.6/cis_1.6.1.yml | 69 +++ section_1/cis_1.6/cis_1.6.2.yml | 29 + section_1/cis_1.6/cis_1.6.3.yml | 29 + section_1/cis_1.6/cis_1.6.4.yml | 26 + section_1/cis_1.6/cis_1.6.5.yml | 27 + 
section_1/cis_1.6/cis_1.6.6.yml | 27 + section_1/cis_1.7/cis_1.7.1.yml | 22 + section_1/cis_1.7/cis_1.7.10.yml | 25 + section_1/cis_1.7/cis_1.7.2.yml | 32 + section_1/cis_1.7/cis_1.7.3.yml | 31 + section_1/cis_1.7/cis_1.7.4.yml | 27 + section_1/cis_1.7/cis_1.7.5.yml | 26 + section_1/cis_1.7/cis_1.7.6.yml | 32 + section_1/cis_1.7/cis_1.7.7.yml | 31 + section_1/cis_1.7/cis_1.7.8.yml | 31 + section_1/cis_1.7/cis_1.7.9.yml | 30 + section_2/cis_2.1/cis_2.1.1.yml | 50 ++ section_2/cis_2.1/cis_2.1.10.yml | 48 ++ section_2/cis_2.1/cis_2.1.11.yml | 66 ++ section_2/cis_2.1/cis_2.1.12.yml | 69 +++ section_2/cis_2.1/cis_2.1.13.yml | 50 ++ section_2/cis_2.1/cis_2.1.14.yml | 50 ++ section_2/cis_2.1/cis_2.1.15.yml | 48 ++ section_2/cis_2.1/cis_2.1.16.yml | 66 ++ section_2/cis_2.1/cis_2.1.17.yml | 50 ++ section_2/cis_2.1/cis_2.1.18_apache2.yml | 66 ++ section_2/cis_2.1/cis_2.1.18_nginx.yml | 48 ++ section_2/cis_2.1/cis_2.1.19.yml | 48 ++ section_2/cis_2.1/cis_2.1.2.yml | 66 ++ section_2/cis_2.1/cis_2.1.20.yml | 25 + section_2/cis_2.1/cis_2.1.21.yml | 46 ++ section_2/cis_2.1/cis_2.1.22.yml | 25 + section_2/cis_2.1/cis_2.1.3.yml | 66 ++ section_2/cis_2.1/cis_2.1.4.yml | 48 ++ section_2/cis_2.1/cis_2.1.5.yml | 48 ++ section_2/cis_2.1/cis_2.1.6.yml | 48 ++ section_2/cis_2.1/cis_2.1.7.yml | 48 ++ section_2/cis_2.1/cis_2.1.8.yml | 82 +++ section_2/cis_2.1/cis_2.1.9.yml | 50 ++ section_2/cis_2.2/cis_2.2.1.yml | 25 + section_2/cis_2.2/cis_2.2.2.yml | 24 + section_2/cis_2.2/cis_2.2.3.yml | 23 + section_2/cis_2.2/cis_2.2.4.yml | 24 + section_2/cis_2.2/cis_2.2.5.yml | 24 + section_2/cis_2.2/cis_2.2.6.yml | 25 + section_2/cis_2.3/cis_2.3.1.1.yml | 75 +++ section_2/cis_2.3/cis_2.3.2.1.yml | 28 + section_2/cis_2.3/cis_2.3.2.2.yml | 26 + section_2/cis_2.3/cis_2.3.3.1.yml | 49 ++ section_2/cis_2.3/cis_2.3.3.2.yml | 26 + section_2/cis_2.3/cis_2.3.3.3.yml | 24 + section_2/cis_2.4/cis_2.4.1.1.yml | 46 ++ section_2/cis_2.4/cis_2.4.1.2.yml | 26 + section_2/cis_2.4/cis_2.4.1.3_7.yml | 110 ++++ 
section_2/cis_2.4/cis_2.4.1.8.yml | 42 ++ section_2/cis_2.4/cis_2.4.2.1.yml | 41 ++ section_3/cis_3.1/cis_3.1.1.yml | 67 ++ section_3/cis_3.1/cis_3.1.2.yml | 26 + section_3/cis_3.1/cis_3.1.3.yml | 46 ++ section_3/cis_3.2/cis_3.2.1.yml | 45 ++ section_3/cis_3.2/cis_3.2.2.yml | 48 ++ section_3/cis_3.2/cis_3.2.4.yml | 43 ++ section_3/cis_3.2/cis_3.4.3.yml | 46 ++ section_3/cis_3.3/cis_3.3.1.yml | 104 ++++ section_3/cis_3.3/cis_3.3.10.yml | 52 ++ section_3/cis_3.3/cis_3.3.11.yml | 97 +++ section_3/cis_3.3/cis_3.3.2.yml | 96 +++ section_3/cis_3.3/cis_3.3.3.yml | 52 ++ section_3/cis_3.3/cis_3.3.4.yml | 52 ++ section_3/cis_3.3/cis_3.3.5.yml | 96 +++ section_3/cis_3.3/cis_3.3.6.yml | 94 +++ section_3/cis_3.3/cis_3.3.7.yml | 96 +++ section_3/cis_3.3/cis_3.3.8.yml | 94 +++ section_3/cis_3.3/cis_3.3.9.yml | 96 +++ section_3/cis_3.3/ipv6/cis_3.3.5.yml | 96 +++ section_3/cis_3.3/ipv6/cis_3.3.8.yml | 96 +++ section_3/cis_3.3/ipv6/cis_3.3.9.yml | 108 ++++ section_4/cis_4.2/cis_4.2.1.yml | 27 + section_4/cis_4.2/cis_4.2.2.yml | 23 + section_4/cis_4.2/cis_4.2.3.yml | 24 + section_4/cis_4.2/cis_4.2.4.yml | 33 + section_4/cis_4.2/cis_4.2.5.yml | 26 + section_4/cis_4.2/cis_4.2.6.yml | 26 + section_4/cis_4.2/cis_4.2.7.yml | 26 + section_4/cis_4.3/cis_4.3.1.yml | 23 + section_4/cis_4.3/cis_4.3.10.yml | 46 ++ section_4/cis_4.3/cis_4.3.2.yml | 23 + section_4/cis_4.3/cis_4.3.3.yml | 53 ++ section_4/cis_4.3/cis_4.3.4.yml | 27 + section_4/cis_4.3/cis_4.3.5.yml | 25 + section_4/cis_4.3/cis_4.3.6.yml | 27 + section_4/cis_4.3/cis_4.3.7.yml | 27 + section_4/cis_4.3/cis_4.3.8.yml | 27 + section_4/cis_4.3/cis_4.3.9.yml | 25 + section_4/cis_4.4/cis_4.4.1.1.yml | 41 ++ section_4/cis_4.4/cis_4.4.1.2.yml | 24 + section_4/cis_4.4/cis_4.4.1.3.yml | 24 + section_4/cis_4.4/cis_4.4.2.1.yml | 27 + section_4/cis_4.4/cis_4.4.2.2.yml | 27 + section_4/cis_4.4/cis_4.4.2.3.yml | 25 + section_4/cis_4.4/cis_4.4.2.4.yml | 27 + section_4/cis_4.4/cis_4.4.3.1.yml | 27 + section_4/cis_4.4/cis_4.4.3.2.yml | 27 + 
section_4/cis_4.4/cis_4.4.3.3.yml | 27 + section_4/cis_4.4/cis_4.4.3.4.yml | 27 + section_5/cis_5.1/cis_5.1.1.yml | 27 + section_5/cis_5.1/cis_5.1.10.yml | 30 + section_5/cis_5.1/cis_5.1.11.yml | 30 + section_5/cis_5.1/cis_5.1.12.yml | 28 + section_5/cis_5.1/cis_5.1.13.yml | 25 + section_5/cis_5.1/cis_5.1.14.yml | 28 + section_5/cis_5.1/cis_5.1.15.yml | 34 ++ section_5/cis_5.1/cis_5.1.16.yml | 26 + section_5/cis_5.1/cis_5.1.17.yml | 27 + section_5/cis_5.1/cis_5.1.18.yml | 29 + section_5/cis_5.1/cis_5.1.19.yml | 30 + section_5/cis_5.1/cis_5.1.2.yml | 61 ++ section_5/cis_5.1/cis_5.1.20.yml | 26 + section_5/cis_5.1/cis_5.1.21.yml | 30 + section_5/cis_5.1/cis_5.1.22.yml | 30 + section_5/cis_5.1/cis_5.1.3.yml | 61 ++ section_5/cis_5.1/cis_5.1.4.yml | 28 + section_5/cis_5.1/cis_5.1.5.yml | 57 ++ section_5/cis_5.1/cis_5.1.6.yml | 30 + section_5/cis_5.1/cis_5.1.7.yml | 31 + section_5/cis_5.1/cis_5.1.8.yml | 26 + section_5/cis_5.1/cis_5.1.9.yml | 26 + section_5/cis_5.2/cis_5.2.1.yml | 26 + section_5/cis_5.2/cis_5.2.2.yml | 44 ++ section_5/cis_5.2/cis_5.2.3.yml | 27 + section_5/cis_5.2/cis_5.2.4.yml | 28 + section_5/cis_5.2/cis_5.2.5.yml | 28 + section_5/cis_5.2/cis_5.2.6.yml | 26 + section_5/cis_5.2/cis_5.2.7.yml | 42 ++ section_5/cis_5.3.1/cis_5.3.1.1.yml | 27 + section_5/cis_5.3.1/cis_5.3.1.2.yml | 26 + section_5/cis_5.3.1/cis_5.3.1.3.yml | 26 + section_5/cis_5.3.2/cis_5.3.2.1.yml | 79 +++ section_5/cis_5.3.2/cis_5.3.2.2.yml | 42 ++ section_5/cis_5.3.2/cis_5.3.2.3.yml | 24 + section_5/cis_5.3.2/cis_5.3.2.4.yml | 24 + section_5/cis_5.3.3.1/cis_5.3.3.1.1.yml | 43 ++ section_5/cis_5.3.3.1/cis_5.3.3.1.2.yml | 43 ++ section_5/cis_5.3.3.1/cis_5.3.3.1.3.yml | 42 ++ section_5/cis_5.3.3.2/cis_5.3.3.2.1.yml | 45 ++ section_5/cis_5.3.3.2/cis_5.3.3.2.2.yml | 48 ++ section_5/cis_5.3.3.2/cis_5.3.3.2.3.yml | 51 ++ section_5/cis_5.3.3.2/cis_5.3.3.2.4.yml | 48 ++ section_5/cis_5.3.3.2/cis_5.3.3.2.5.yml | 48 ++ section_5/cis_5.3.3.2/cis_5.3.3.2.6.yml | 48 ++ 
section_5/cis_5.3.3.2/cis_5.3.3.2.7.yml | 48 ++ section_5/cis_5.3.3.2/cis_5.3.3.2.8.yml | 28 + section_5/cis_5.3.3.3/cis_5.3.3.3.1.yml | 41 ++ section_5/cis_5.3.3.3/cis_5.3.3.3.2.yml | 41 ++ section_5/cis_5.3.3.3/cis_5.3.3.3.3.yml | 41 ++ section_5/cis_5.3.3.4/cis_5.3.3.4.1.yml | 24 + section_5/cis_5.3.3.4/cis_5.3.3.4.2.yml | 24 + section_5/cis_5.3.3.4/cis_5.3.3.4.3.yml | 24 + section_5/cis_5.3.3.4/cis_5.3.3.4.4.yml | 24 + section_5/cis_5.4.1/cis_5.4.1.1.yml | 56 ++ section_5/cis_5.4.1/cis_5.4.1.2.yml | 46 ++ section_5/cis_5.4.1/cis_5.4.1.3.yml | 45 ++ section_5/cis_5.4.1/cis_5.4.1.4.yml | 24 + section_5/cis_5.4.1/cis_5.4.1.5.yml | 40 ++ section_5/cis_5.4.1/cis_5.4.1.6.yml | 23 + section_5/cis_5.4.2/cis_5.4.2.1.yml | 27 + section_5/cis_5.4.2/cis_5.4.2.2.yml | 27 + section_5/cis_5.4.2/cis_5.4.2.3.yml | 27 + section_5/cis_5.4.2/cis_5.4.2.4.yml | 22 + section_5/cis_5.4.2/cis_5.4.2.5.yml | 28 + section_5/cis_5.4.2/cis_5.4.2.6.yml | 31 + section_5/cis_5.4.2/cis_5.4.2.7.yml | 25 + section_5/cis_5.4.3/cis_5.4.3.1.yml | 28 + section_5/cis_5.4.3/cis_5.4.3.2.yml | 25 + section_5/cis_5.4.3/cis_5.4.3.3.yml | 26 + section_6/cis_6.1.1.x/cis_6.1.1.1.yml | 24 + section_6/cis_6.1.1.x/cis_6.1.1.2.yml | 30 + section_6/cis_6.1.1.x/cis_6.1.1.3.yml | 31 + section_6/cis_6.1.2.x/cis_6.1.2.1.1.yml | 23 + section_6/cis_6.1.2.x/cis_6.1.2.1.2.yml | 30 + section_6/cis_6.1.2.x/cis_6.1.2.1.3.yml | 26 + section_6/cis_6.1.2.x/cis_6.1.2.1.4.yml | 90 +++ section_6/cis_6.1.2.x/cis_6.1.2.2.yml | 33 + section_6/cis_6.1.2.x/cis_6.1.2.3.yml | 30 + section_6/cis_6.1.2.x/cis_6.1.2.4.yml | 28 + section_6/cis_6.1.3.x/cis_6.1.3.1.yml | 23 + section_6/cis_6.1.3.x/cis_6.1.3.2.yml | 24 + section_6/cis_6.1.3.x/cis_6.1.3.3.yml | 30 + section_6/cis_6.1.3.x/cis_6.1.3.4.yml | 29 + section_6/cis_6.1.3.x/cis_6.1.3.5.yml | 37 ++ section_6/cis_6.1.3.x/cis_6.1.3.6.yml | 30 + section_6/cis_6.1.3.x/cis_6.1.3.7.yml | 62 ++ section_6/cis_6.1.3.x/cis_6.1.3.8.yml | 31 + section_6/cis_6.1.4.x/cis_6.1.4.1.yml | 25 + 
section_6/cis_6.2.1/cis_6.2.1.1.yml | 45 ++ section_6/cis_6.2.1/cis_6.2.1.2.yml | 25 + section_6/cis_6.2.1/cis_6.2.1.3.yml | 49 ++ section_6/cis_6.2.1/cis_6.2.1.4.yml | 49 ++ section_6/cis_6.2.2/cis_6.2.2.1.yml | 25 + section_6/cis_6.2.2/cis_6.2.2.2.yml | 25 + section_6/cis_6.2.2/cis_6.2.2.3.yml | 29 + section_6/cis_6.2.2/cis_6.2.2.4.yml | 31 + section_6/cis_6.2.3/cis_6.2.3.1.yml | 45 ++ section_6/cis_6.2.3/cis_6.2.3.10.yml | 45 ++ section_6/cis_6.2.3/cis_6.2.3.11.yml | 47 ++ section_6/cis_6.2.3/cis_6.2.3.12.yml | 45 ++ section_6/cis_6.2.3/cis_6.2.3.13.yml | 47 ++ section_6/cis_6.2.3/cis_6.2.3.14.yml | 49 ++ section_6/cis_6.2.3/cis_6.2.3.15.yml | 47 ++ section_6/cis_6.2.3/cis_6.2.3.16.yml | 47 ++ section_6/cis_6.2.3/cis_6.2.3.17.yml | 47 ++ section_6/cis_6.2.3/cis_6.2.3.18.yml | 47 ++ section_6/cis_6.2.3/cis_6.2.3.19.yml | 45 ++ section_6/cis_6.2.3/cis_6.2.3.2.yml | 45 ++ section_6/cis_6.2.3/cis_6.2.3.20.yml | 29 + section_6/cis_6.2.3/cis_6.2.3.21.yml | 25 + section_6/cis_6.2.3/cis_6.2.3.3.yml | 41 ++ section_6/cis_6.2.3/cis_6.2.3.4.yml | 49 ++ section_6/cis_6.2.3/cis_6.2.3.5.yml | 59 ++ section_6/cis_6.2.3/cis_6.2.3.6.yml | 25 + section_6/cis_6.2.3/cis_6.2.3.7.yml | 49 ++ section_6/cis_6.2.3/cis_6.2.3.8.yml | 57 ++ section_6/cis_6.2.3/cis_6.2.3.9.yml | 55 ++ section_6/cis_6.2.4/cis_6.2.4.1.yml | 25 + section_6/cis_6.2.4/cis_6.2.4.10.yml | 25 + section_6/cis_6.2.4/cis_6.2.4.2.yml | 25 + section_6/cis_6.2.4/cis_6.2.4.3.yml | 43 ++ section_6/cis_6.2.4/cis_6.2.4.4.yml | 25 + section_6/cis_6.2.4/cis_6.2.4.5.yml | 25 + section_6/cis_6.2.4/cis_6.2.4.6.yml | 25 + section_6/cis_6.2.4/cis_6.2.4.7.yml | 25 + section_6/cis_6.2.4/cis_6.2.4.8.yml | 25 + section_6/cis_6.2.4/cis_6.2.4.9.yml | 25 + section_6/cis_6.3.x/cis_6.3.1.yml | 36 ++ section_6/cis_6.3.x/cis_6.3.2.yml | 65 ++ section_6/cis_6.3.x/cis_6.3.3.yml | 30 + section_7/cis_7.1/cis_7.1.1.yml | 32 + section_7/cis_7.1/cis_7.1.10.yml | 29 + section_7/cis_7.1/cis_7.1.11.yml | 28 + section_7/cis_7.1/cis_7.1.12.yml | 31 + 
section_7/cis_7.1/cis_7.1.13.yml | 36 ++ section_7/cis_7.1/cis_7.1.2.yml | 32 + section_7/cis_7.1/cis_7.1.3.yml | 32 + section_7/cis_7.1/cis_7.1.4.yml | 32 + section_7/cis_7.1/cis_7.1.5.yml | 33 + section_7/cis_7.1/cis_7.1.6.yml | 33 + section_7/cis_7.1/cis_7.1.7.yml | 33 + section_7/cis_7.1/cis_7.1.8.yml | 33 + section_7/cis_7.1/cis_7.1.9.yml | 32 + section_7/cis_7.2/cis_7.2.1.yml | 24 + section_7/cis_7.2/cis_7.2.10.yml | 73 +++ section_7/cis_7.2/cis_7.2.2.yml | 24 + section_7/cis_7.2/cis_7.2.3.yml | 31 + section_7/cis_7.2/cis_7.2.4.yml | 25 + section_7/cis_7.2/cis_7.2.5.yml | 28 + section_7/cis_7.2/cis_7.2.6.yml | 28 + section_7/cis_7.2/cis_7.2.7.yml | 28 + section_7/cis_7.2/cis_7.2.8.yml | 28 + section_7/cis_7.2/cis_7.2.9.yml | 64 ++ vars/CIS.yml | 744 +++++++++++++++++++++++ 305 files changed, 12868 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 CONTRIBUTING.md create mode 100644 Changelog.md create mode 100644 LICENSE create mode 100644 README.md create mode 100644 goss.yml create mode 100755 run_audit.sh create mode 100644 section_1/cis_1.1/cis_1.1.1.1.yml create mode 100644 section_1/cis_1.1/cis_1.1.1.2.yml create mode 100644 section_1/cis_1.1/cis_1.1.1.3.yml create mode 100644 section_1/cis_1.1/cis_1.1.1.4.yml create mode 100644 section_1/cis_1.1/cis_1.1.1.5.yml create mode 100644 section_1/cis_1.1/cis_1.1.1.6.yml create mode 100644 section_1/cis_1.1/cis_1.1.1.7.yml create mode 100644 section_1/cis_1.1/cis_1.1.1.8.yml create mode 100644 section_1/cis_1.1/cis_1.1.1.9.yml create mode 100644 section_1/cis_1.1/cis_1.1.2.1.1.yml create mode 100644 section_1/cis_1.1/cis_1.1.2.1.2_4.yml create mode 100644 section_1/cis_1.1/cis_1.1.2.2.1.yml create mode 100644 section_1/cis_1.1/cis_1.1.2.2.2_4.yml create mode 100644 section_1/cis_1.1/cis_1.1.2.3.1.yml create mode 100644 section_1/cis_1.1/cis_1.1.2.3.2_4.yml create mode 100644 section_1/cis_1.1/cis_1.1.2.4.1.yml create mode 100644 
section_1/cis_1.1/cis_1.1.2.4.2_3.yml create mode 100644 section_1/cis_1.1/cis_1.1.2.5.1.yml create mode 100644 section_1/cis_1.1/cis_1.1.2.5.2_4.yml create mode 100644 section_1/cis_1.1/cis_1.1.2.6.1.yml create mode 100644 section_1/cis_1.1/cis_1.1.2.6.2_4.yml create mode 100644 section_1/cis_1.1/cis_1.1.2.7.1.yml create mode 100644 section_1/cis_1.1/cis_1.1.2.7.2_4.yml create mode 100644 section_1/cis_1.2.1/cis_1.2.1.1.yml create mode 100644 section_1/cis_1.2.1/cis_1.2.1.2.yml create mode 100644 section_1/cis_1.2.2/cis_1.2.2.1.yml create mode 100644 section_1/cis_1.3.1/cis_1.3.1.1.yml create mode 100644 section_1/cis_1.3.1/cis_1.3.1.2.yml create mode 100644 section_1/cis_1.3.1/cis_1.3.1.3.yml create mode 100644 section_1/cis_1.3.1/cis_1.3.1.4.yml create mode 100644 section_1/cis_1.4/cis_1.4.1.yml create mode 100644 section_1/cis_1.4/cis_1.4.2.yml create mode 100644 section_1/cis_1.5/cis_1.5.1.yml create mode 100644 section_1/cis_1.5/cis_1.5.2.yml create mode 100644 section_1/cis_1.5/cis_1.5.3.yml create mode 100644 section_1/cis_1.5/cis_1.5.4.yml create mode 100644 section_1/cis_1.5/cis_1.5.5.yml create mode 100644 section_1/cis_1.6/cis_1.6.1.yml create mode 100644 section_1/cis_1.6/cis_1.6.2.yml create mode 100644 section_1/cis_1.6/cis_1.6.3.yml create mode 100644 section_1/cis_1.6/cis_1.6.4.yml create mode 100644 section_1/cis_1.6/cis_1.6.5.yml create mode 100644 section_1/cis_1.6/cis_1.6.6.yml create mode 100644 section_1/cis_1.7/cis_1.7.1.yml create mode 100644 section_1/cis_1.7/cis_1.7.10.yml create mode 100644 section_1/cis_1.7/cis_1.7.2.yml create mode 100644 section_1/cis_1.7/cis_1.7.3.yml create mode 100644 section_1/cis_1.7/cis_1.7.4.yml create mode 100644 section_1/cis_1.7/cis_1.7.5.yml create mode 100644 section_1/cis_1.7/cis_1.7.6.yml create mode 100644 section_1/cis_1.7/cis_1.7.7.yml create mode 100644 section_1/cis_1.7/cis_1.7.8.yml create mode 100644 section_1/cis_1.7/cis_1.7.9.yml create mode 100644 section_2/cis_2.1/cis_2.1.1.yml create mode 
100644 section_2/cis_2.1/cis_2.1.10.yml create mode 100644 section_2/cis_2.1/cis_2.1.11.yml create mode 100644 section_2/cis_2.1/cis_2.1.12.yml create mode 100644 section_2/cis_2.1/cis_2.1.13.yml create mode 100644 section_2/cis_2.1/cis_2.1.14.yml create mode 100644 section_2/cis_2.1/cis_2.1.15.yml create mode 100644 section_2/cis_2.1/cis_2.1.16.yml create mode 100644 section_2/cis_2.1/cis_2.1.17.yml create mode 100644 section_2/cis_2.1/cis_2.1.18_apache2.yml create mode 100644 section_2/cis_2.1/cis_2.1.18_nginx.yml create mode 100644 section_2/cis_2.1/cis_2.1.19.yml create mode 100644 section_2/cis_2.1/cis_2.1.2.yml create mode 100644 section_2/cis_2.1/cis_2.1.20.yml create mode 100644 section_2/cis_2.1/cis_2.1.21.yml create mode 100644 section_2/cis_2.1/cis_2.1.22.yml create mode 100644 section_2/cis_2.1/cis_2.1.3.yml create mode 100644 section_2/cis_2.1/cis_2.1.4.yml create mode 100644 section_2/cis_2.1/cis_2.1.5.yml create mode 100644 section_2/cis_2.1/cis_2.1.6.yml create mode 100644 section_2/cis_2.1/cis_2.1.7.yml create mode 100644 section_2/cis_2.1/cis_2.1.8.yml create mode 100644 section_2/cis_2.1/cis_2.1.9.yml create mode 100644 section_2/cis_2.2/cis_2.2.1.yml create mode 100644 section_2/cis_2.2/cis_2.2.2.yml create mode 100644 section_2/cis_2.2/cis_2.2.3.yml create mode 100644 section_2/cis_2.2/cis_2.2.4.yml create mode 100644 section_2/cis_2.2/cis_2.2.5.yml create mode 100644 section_2/cis_2.2/cis_2.2.6.yml create mode 100644 section_2/cis_2.3/cis_2.3.1.1.yml create mode 100644 section_2/cis_2.3/cis_2.3.2.1.yml create mode 100644 section_2/cis_2.3/cis_2.3.2.2.yml create mode 100644 section_2/cis_2.3/cis_2.3.3.1.yml create mode 100644 section_2/cis_2.3/cis_2.3.3.2.yml create mode 100644 section_2/cis_2.3/cis_2.3.3.3.yml create mode 100644 section_2/cis_2.4/cis_2.4.1.1.yml create mode 100644 section_2/cis_2.4/cis_2.4.1.2.yml create mode 100644 section_2/cis_2.4/cis_2.4.1.3_7.yml create mode 100644 section_2/cis_2.4/cis_2.4.1.8.yml create mode 100644 
section_2/cis_2.4/cis_2.4.2.1.yml create mode 100644 section_3/cis_3.1/cis_3.1.1.yml create mode 100644 section_3/cis_3.1/cis_3.1.2.yml create mode 100644 section_3/cis_3.1/cis_3.1.3.yml create mode 100644 section_3/cis_3.2/cis_3.2.1.yml create mode 100644 section_3/cis_3.2/cis_3.2.2.yml create mode 100644 section_3/cis_3.2/cis_3.2.4.yml create mode 100644 section_3/cis_3.2/cis_3.4.3.yml create mode 100644 section_3/cis_3.3/cis_3.3.1.yml create mode 100644 section_3/cis_3.3/cis_3.3.10.yml create mode 100644 section_3/cis_3.3/cis_3.3.11.yml create mode 100644 section_3/cis_3.3/cis_3.3.2.yml create mode 100644 section_3/cis_3.3/cis_3.3.3.yml create mode 100644 section_3/cis_3.3/cis_3.3.4.yml create mode 100644 section_3/cis_3.3/cis_3.3.5.yml create mode 100644 section_3/cis_3.3/cis_3.3.6.yml create mode 100644 section_3/cis_3.3/cis_3.3.7.yml create mode 100644 section_3/cis_3.3/cis_3.3.8.yml create mode 100644 section_3/cis_3.3/cis_3.3.9.yml create mode 100644 section_3/cis_3.3/ipv6/cis_3.3.5.yml create mode 100644 section_3/cis_3.3/ipv6/cis_3.3.8.yml create mode 100644 section_3/cis_3.3/ipv6/cis_3.3.9.yml create mode 100644 section_4/cis_4.2/cis_4.2.1.yml create mode 100644 section_4/cis_4.2/cis_4.2.2.yml create mode 100644 section_4/cis_4.2/cis_4.2.3.yml create mode 100644 section_4/cis_4.2/cis_4.2.4.yml create mode 100644 section_4/cis_4.2/cis_4.2.5.yml create mode 100644 section_4/cis_4.2/cis_4.2.6.yml create mode 100644 section_4/cis_4.2/cis_4.2.7.yml create mode 100644 section_4/cis_4.3/cis_4.3.1.yml create mode 100644 section_4/cis_4.3/cis_4.3.10.yml create mode 100644 section_4/cis_4.3/cis_4.3.2.yml create mode 100644 section_4/cis_4.3/cis_4.3.3.yml create mode 100644 section_4/cis_4.3/cis_4.3.4.yml create mode 100644 section_4/cis_4.3/cis_4.3.5.yml create mode 100644 section_4/cis_4.3/cis_4.3.6.yml create mode 100644 section_4/cis_4.3/cis_4.3.7.yml create mode 100644 section_4/cis_4.3/cis_4.3.8.yml create mode 100644 section_4/cis_4.3/cis_4.3.9.yml create 
mode 100644 section_4/cis_4.4/cis_4.4.1.1.yml create mode 100644 section_4/cis_4.4/cis_4.4.1.2.yml create mode 100644 section_4/cis_4.4/cis_4.4.1.3.yml create mode 100644 section_4/cis_4.4/cis_4.4.2.1.yml create mode 100644 section_4/cis_4.4/cis_4.4.2.2.yml create mode 100644 section_4/cis_4.4/cis_4.4.2.3.yml create mode 100644 section_4/cis_4.4/cis_4.4.2.4.yml create mode 100644 section_4/cis_4.4/cis_4.4.3.1.yml create mode 100644 section_4/cis_4.4/cis_4.4.3.2.yml create mode 100644 section_4/cis_4.4/cis_4.4.3.3.yml create mode 100644 section_4/cis_4.4/cis_4.4.3.4.yml create mode 100644 section_5/cis_5.1/cis_5.1.1.yml create mode 100644 section_5/cis_5.1/cis_5.1.10.yml create mode 100644 section_5/cis_5.1/cis_5.1.11.yml create mode 100644 section_5/cis_5.1/cis_5.1.12.yml create mode 100644 section_5/cis_5.1/cis_5.1.13.yml create mode 100644 section_5/cis_5.1/cis_5.1.14.yml create mode 100644 section_5/cis_5.1/cis_5.1.15.yml create mode 100644 section_5/cis_5.1/cis_5.1.16.yml create mode 100644 section_5/cis_5.1/cis_5.1.17.yml create mode 100644 section_5/cis_5.1/cis_5.1.18.yml create mode 100644 section_5/cis_5.1/cis_5.1.19.yml create mode 100644 section_5/cis_5.1/cis_5.1.2.yml create mode 100644 section_5/cis_5.1/cis_5.1.20.yml create mode 100644 section_5/cis_5.1/cis_5.1.21.yml create mode 100644 section_5/cis_5.1/cis_5.1.22.yml create mode 100644 section_5/cis_5.1/cis_5.1.3.yml create mode 100644 section_5/cis_5.1/cis_5.1.4.yml create mode 100644 section_5/cis_5.1/cis_5.1.5.yml create mode 100644 section_5/cis_5.1/cis_5.1.6.yml create mode 100644 section_5/cis_5.1/cis_5.1.7.yml create mode 100644 section_5/cis_5.1/cis_5.1.8.yml create mode 100644 section_5/cis_5.1/cis_5.1.9.yml create mode 100644 section_5/cis_5.2/cis_5.2.1.yml create mode 100644 section_5/cis_5.2/cis_5.2.2.yml create mode 100644 section_5/cis_5.2/cis_5.2.3.yml create mode 100644 section_5/cis_5.2/cis_5.2.4.yml create mode 100644 section_5/cis_5.2/cis_5.2.5.yml create mode 100644 
section_5/cis_5.2/cis_5.2.6.yml create mode 100644 section_5/cis_5.2/cis_5.2.7.yml create mode 100644 section_5/cis_5.3.1/cis_5.3.1.1.yml create mode 100644 section_5/cis_5.3.1/cis_5.3.1.2.yml create mode 100644 section_5/cis_5.3.1/cis_5.3.1.3.yml create mode 100644 section_5/cis_5.3.2/cis_5.3.2.1.yml create mode 100644 section_5/cis_5.3.2/cis_5.3.2.2.yml create mode 100644 section_5/cis_5.3.2/cis_5.3.2.3.yml create mode 100644 section_5/cis_5.3.2/cis_5.3.2.4.yml create mode 100644 section_5/cis_5.3.3.1/cis_5.3.3.1.1.yml create mode 100644 section_5/cis_5.3.3.1/cis_5.3.3.1.2.yml create mode 100644 section_5/cis_5.3.3.1/cis_5.3.3.1.3.yml create mode 100644 section_5/cis_5.3.3.2/cis_5.3.3.2.1.yml create mode 100644 section_5/cis_5.3.3.2/cis_5.3.3.2.2.yml create mode 100644 section_5/cis_5.3.3.2/cis_5.3.3.2.3.yml create mode 100644 section_5/cis_5.3.3.2/cis_5.3.3.2.4.yml create mode 100644 section_5/cis_5.3.3.2/cis_5.3.3.2.5.yml create mode 100644 section_5/cis_5.3.3.2/cis_5.3.3.2.6.yml create mode 100644 section_5/cis_5.3.3.2/cis_5.3.3.2.7.yml create mode 100644 section_5/cis_5.3.3.2/cis_5.3.3.2.8.yml create mode 100644 section_5/cis_5.3.3.3/cis_5.3.3.3.1.yml create mode 100644 section_5/cis_5.3.3.3/cis_5.3.3.3.2.yml create mode 100644 section_5/cis_5.3.3.3/cis_5.3.3.3.3.yml create mode 100644 section_5/cis_5.3.3.4/cis_5.3.3.4.1.yml create mode 100644 section_5/cis_5.3.3.4/cis_5.3.3.4.2.yml create mode 100644 section_5/cis_5.3.3.4/cis_5.3.3.4.3.yml create mode 100644 section_5/cis_5.3.3.4/cis_5.3.3.4.4.yml create mode 100644 section_5/cis_5.4.1/cis_5.4.1.1.yml create mode 100644 section_5/cis_5.4.1/cis_5.4.1.2.yml create mode 100644 section_5/cis_5.4.1/cis_5.4.1.3.yml create mode 100644 section_5/cis_5.4.1/cis_5.4.1.4.yml create mode 100644 section_5/cis_5.4.1/cis_5.4.1.5.yml create mode 100644 section_5/cis_5.4.1/cis_5.4.1.6.yml create mode 100644 section_5/cis_5.4.2/cis_5.4.2.1.yml create mode 100644 section_5/cis_5.4.2/cis_5.4.2.2.yml create mode 100644 
section_5/cis_5.4.2/cis_5.4.2.3.yml create mode 100644 section_5/cis_5.4.2/cis_5.4.2.4.yml create mode 100644 section_5/cis_5.4.2/cis_5.4.2.5.yml create mode 100644 section_5/cis_5.4.2/cis_5.4.2.6.yml create mode 100644 section_5/cis_5.4.2/cis_5.4.2.7.yml create mode 100644 section_5/cis_5.4.3/cis_5.4.3.1.yml create mode 100644 section_5/cis_5.4.3/cis_5.4.3.2.yml create mode 100644 section_5/cis_5.4.3/cis_5.4.3.3.yml create mode 100644 section_6/cis_6.1.1.x/cis_6.1.1.1.yml create mode 100644 section_6/cis_6.1.1.x/cis_6.1.1.2.yml create mode 100644 section_6/cis_6.1.1.x/cis_6.1.1.3.yml create mode 100644 section_6/cis_6.1.2.x/cis_6.1.2.1.1.yml create mode 100644 section_6/cis_6.1.2.x/cis_6.1.2.1.2.yml create mode 100644 section_6/cis_6.1.2.x/cis_6.1.2.1.3.yml create mode 100644 section_6/cis_6.1.2.x/cis_6.1.2.1.4.yml create mode 100644 section_6/cis_6.1.2.x/cis_6.1.2.2.yml create mode 100644 section_6/cis_6.1.2.x/cis_6.1.2.3.yml create mode 100644 section_6/cis_6.1.2.x/cis_6.1.2.4.yml create mode 100644 section_6/cis_6.1.3.x/cis_6.1.3.1.yml create mode 100644 section_6/cis_6.1.3.x/cis_6.1.3.2.yml create mode 100644 section_6/cis_6.1.3.x/cis_6.1.3.3.yml create mode 100644 section_6/cis_6.1.3.x/cis_6.1.3.4.yml create mode 100644 section_6/cis_6.1.3.x/cis_6.1.3.5.yml create mode 100644 section_6/cis_6.1.3.x/cis_6.1.3.6.yml create mode 100644 section_6/cis_6.1.3.x/cis_6.1.3.7.yml create mode 100644 section_6/cis_6.1.3.x/cis_6.1.3.8.yml create mode 100644 section_6/cis_6.1.4.x/cis_6.1.4.1.yml create mode 100644 section_6/cis_6.2.1/cis_6.2.1.1.yml create mode 100644 section_6/cis_6.2.1/cis_6.2.1.2.yml create mode 100644 section_6/cis_6.2.1/cis_6.2.1.3.yml create mode 100644 section_6/cis_6.2.1/cis_6.2.1.4.yml create mode 100644 section_6/cis_6.2.2/cis_6.2.2.1.yml create mode 100644 section_6/cis_6.2.2/cis_6.2.2.2.yml create mode 100644 section_6/cis_6.2.2/cis_6.2.2.3.yml create mode 100644 section_6/cis_6.2.2/cis_6.2.2.4.yml create mode 100644 
section_6/cis_6.2.3/cis_6.2.3.1.yml create mode 100644 section_6/cis_6.2.3/cis_6.2.3.10.yml create mode 100644 section_6/cis_6.2.3/cis_6.2.3.11.yml create mode 100644 section_6/cis_6.2.3/cis_6.2.3.12.yml create mode 100644 section_6/cis_6.2.3/cis_6.2.3.13.yml create mode 100644 section_6/cis_6.2.3/cis_6.2.3.14.yml create mode 100644 section_6/cis_6.2.3/cis_6.2.3.15.yml create mode 100644 section_6/cis_6.2.3/cis_6.2.3.16.yml create mode 100644 section_6/cis_6.2.3/cis_6.2.3.17.yml create mode 100644 section_6/cis_6.2.3/cis_6.2.3.18.yml create mode 100644 section_6/cis_6.2.3/cis_6.2.3.19.yml create mode 100644 section_6/cis_6.2.3/cis_6.2.3.2.yml create mode 100644 section_6/cis_6.2.3/cis_6.2.3.20.yml create mode 100644 section_6/cis_6.2.3/cis_6.2.3.21.yml create mode 100644 section_6/cis_6.2.3/cis_6.2.3.3.yml create mode 100644 section_6/cis_6.2.3/cis_6.2.3.4.yml create mode 100644 section_6/cis_6.2.3/cis_6.2.3.5.yml create mode 100644 section_6/cis_6.2.3/cis_6.2.3.6.yml create mode 100644 section_6/cis_6.2.3/cis_6.2.3.7.yml create mode 100644 section_6/cis_6.2.3/cis_6.2.3.8.yml create mode 100644 section_6/cis_6.2.3/cis_6.2.3.9.yml create mode 100644 section_6/cis_6.2.4/cis_6.2.4.1.yml create mode 100644 section_6/cis_6.2.4/cis_6.2.4.10.yml create mode 100644 section_6/cis_6.2.4/cis_6.2.4.2.yml create mode 100644 section_6/cis_6.2.4/cis_6.2.4.3.yml create mode 100644 section_6/cis_6.2.4/cis_6.2.4.4.yml create mode 100644 section_6/cis_6.2.4/cis_6.2.4.5.yml create mode 100644 section_6/cis_6.2.4/cis_6.2.4.6.yml create mode 100644 section_6/cis_6.2.4/cis_6.2.4.7.yml create mode 100644 section_6/cis_6.2.4/cis_6.2.4.8.yml create mode 100644 section_6/cis_6.2.4/cis_6.2.4.9.yml create mode 100644 section_6/cis_6.3.x/cis_6.3.1.yml create mode 100644 section_6/cis_6.3.x/cis_6.3.2.yml create mode 100644 section_6/cis_6.3.x/cis_6.3.3.yml create mode 100644 section_7/cis_7.1/cis_7.1.1.yml create mode 100644 section_7/cis_7.1/cis_7.1.10.yml create mode 100644 
section_7/cis_7.1/cis_7.1.11.yml create mode 100644 section_7/cis_7.1/cis_7.1.12.yml create mode 100644 section_7/cis_7.1/cis_7.1.13.yml create mode 100644 section_7/cis_7.1/cis_7.1.2.yml create mode 100644 section_7/cis_7.1/cis_7.1.3.yml create mode 100644 section_7/cis_7.1/cis_7.1.4.yml create mode 100644 section_7/cis_7.1/cis_7.1.5.yml create mode 100644 section_7/cis_7.1/cis_7.1.6.yml create mode 100644 section_7/cis_7.1/cis_7.1.7.yml create mode 100644 section_7/cis_7.1/cis_7.1.8.yml create mode 100644 section_7/cis_7.1/cis_7.1.9.yml create mode 100644 section_7/cis_7.2/cis_7.2.1.yml create mode 100644 section_7/cis_7.2/cis_7.2.10.yml create mode 100644 section_7/cis_7.2/cis_7.2.2.yml create mode 100644 section_7/cis_7.2/cis_7.2.3.yml create mode 100644 section_7/cis_7.2/cis_7.2.4.yml create mode 100644 section_7/cis_7.2/cis_7.2.5.yml create mode 100644 section_7/cis_7.2/cis_7.2.6.yml create mode 100644 section_7/cis_7.2/cis_7.2.7.yml create mode 100644 section_7/cis_7.2/cis_7.2.8.yml create mode 100644 section_7/cis_7.2/cis_7.2.9.yml create mode 100644 vars/CIS.yml
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..b2daffb
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,6 @@
+# adding github settings to show correct language
+*.sh linguist-detectable=true
+*.yml linguist-detectable=true
+*.ps1 linguist-detectable=true
+*.j2 linguist-detectable=true
+*.md linguist-documentation
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..f889d9f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,45 @@
+.env
+*.log
+*.retry
+.cache
+.vagrant
+tests/*redhat-subscription
+tests/Dockerfile
+*.iso
+*.box
+packer_cache
+delete*
+ignore*
+# VSCode
+.vscode
+
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# DS_Store
+.DS_Store
+._*
+
+# Linux Editors
+*~
+\#*\#
+/.emacs.desktop
+/.emacs.desktop.lock
+.elc
+auto-save-list
+tramp
+.\#*
+*.swp
+*.swo
+rh-creds.env
+travis.env
+
+# Lockdown-specific
+benchparse/
+*xccdf.xml
+*.retry
+
+# GitHub Action/Workflow files
+.github/
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 0000000..c3d4c41
--- /dev/null
+++ b/CONTRIBUTING.md
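Review bot: `*.retry` is listed twice in the new .gitignore, once as the third entry and again under `# Lockdown-specific`; one of the two can be dropped so the list stays easy to audit. `.github/` is also ignored, which means any CI workflow later added to this repository will never be committed; if that is intended, a one-line comment stating why, such as `# workflows are managed outside this repo`, would save the next reader a question.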
@@ -0,0 +1,71 @@
+Contributing to MindPoint Group Projects
+========================================
+
+Rules
+-----
+
+1) All commits must be GPG signed (details in Signing section)
+2) All commits must have Signed-off-by (Signed-off-by: Joan Doe ) in the commit message (details in Signing section)
+3) All work is done in your own branch or own fork
+4) Pull requests
+ a) From within the repo: All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing
+ b) From a forked repo: All pull requests will go into a staging branch within the repo. There are automated checks for signed commits, signoff in commit message, and functional testing when going from staging to devel
+5) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing)
+6) Be open and nice to each other
+
+Workflow
+--------
+
+- Your work is done in your own individual branch. Make sure to to Signed-off and GPG sign all commits you intend to merge
+- All community Pull Requests are into the devel branch. There are automated checks for GPG signed, Signed-off in commits, and functional tests before being approved. If your pull request comes in from outside of our repo, the pull request will go into a staging branch. There is info needed from our repo for our CI/CD testing.
+- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release
+
+Signing your contribution
+-------------------------
+
+We've chosen to use the Developer's Certificate of Origin (DCO) method
+that is employed by the Linux Kernel Project, which provides a simple
+way to contribute to MindPoint Group projects.
+
+The process is to certify the below DCO 1.1 text
+::
+
+ Developer's Certificate of Origin 1.1
+
+ By making a contribution to this project, I certify that:
+
+ (a) The contribution was created in whole or in part by me and I
+ have the right to submit it under the open source license
+ indicated in the file; or
+
+ (b) The contribution is based upon previous work that, to the best
+ of my knowledge, is covered under an appropriate open source
+ license and I have the right under that license to submit that
+ work with modifications, whether created in whole or in part
+ by me, under the same open source license (unless I am
+ permitted to submit under a different license), as indicated
+ in the file; or
+
+ (c) The contribution was provided directly to me by some other
+ person who certified (a), (b) or (c) and I have not modified
+ it.
+
+ (d) I understand and agree that this project and the contribution
+ are public and that a record of the contribution (including all
+ personal information I submit with it, including my sign-off) is
+ maintained indefinitely and may be redistributed consistent with
+ this project or the open source license(s) involved.
+::
+
+Then, when it comes time to submit a contribution, include the
+following text in your contribution commit message:
+
+::
+
+ Signed-off-by: Joan Doe
+
+::
+
+This message can be entered manually, or if you have configured git
+with the correct `user.name` and `user.email`, you can use the `-s`
+option to `git commit` to automatically include the signoff message.
diff --git a/Changelog.md b/Changelog.md
new file mode 100644
index 0000000..fe056b4
--- /dev/null
+++ b/Changelog.md
@@ -0,0 +1,3 @@
+# Changes to Ubuntu24-CIS-Audit
+
+## 0.9 - based upon CIS 1.0.0 - Initial
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..776daab
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2024 MindPoint Group + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/README.md b/README.md new file mode 100644 index 0000000..dedfd9d --- /dev/null +++ b/README.md 
@@ -0,0 +1,139 @@ +# Ubuntu 24.04 Goss config + +## Overview + +### Based on CIS Ubuntu Linux 24.04 LTS Benchmark v1.0.0 [Release](https://downloads.cisecurity.org/#/) + +Set of configuration files and directories to run the first stages of CIS of Ubuntu 24.04 servers + +This is configured in a directory structure level. + +This could do with further testing but sections 1.x should be complete + +Goss is run based on the goss.yml file in the top level directory. This specifies the configuration. + +## variables + +file: vars/cis.yml + +Please refer to the file for all options and their meanings + +CIS listed variable for every control/benchmark can be turned on/off or section + +- other controls +enable_selinux +run_heavy_tasks + +- bespoke options +If a site has specific options e.g. password complexity these can also be set. + +## Requirements + +goss >= 0.4.4 +root privileges + +## Branches + +If running as part of the ansible playbook, this will pull in the relevant branch for the version of benchmark you are remediating. + +- e.g. v1.0.0 will pull in branch benchmark-v1.0.0 + +Devel is normally the latest benchmark version, so maybe different from the version of benchmark you wish to test. +Details will show in the README as to the benchmark for the version it is written for. + +## Usage + +You must have [goss](https://github.com/goss-org/goss/) available to your host you would like to test. + +- Run as root not sudo due to sudo and shared memory access + +Assuming you have already clone this repository you can run goss from where you wish. + +- full check + +```sh +# {{path to your goss binary}} --vars {{ path to the vars file }} -g {{path to your clone of this repo }}/goss.yml --validate + +``` + +example: + +```sh +# /usr/local/bin/goss --vars ../vars/cis.yml -g /home/bolly/rh8_cis_goss/goss.yml validate +......FF....FF................FF...F..FF.............F........................FSSSS.............FS.F.F.F.F.........FFFFF.... 
+ +Failures/Skipped: + +Title: 1.6.1 Ensure core dumps are restricted (Automated)_sysctl +Command: suid_dumpable_2: exit-status: +Expected + : 1 +to equal + : 0 +Command: suid_dumpable_2: stdout: patterns not found: [fs.suid_dumpable = 0] + + +Title: 1.4.2 Ensure filesystem integrity is regularly checked (Automated) +Service: aidecheck: enabled: +Expected + : false +to equal + : true +Service: aidecheck: running: +Expected + : false +to equal + : true + +< ---------cut ------- > + +Title: 1.1.22 Ensure sticky bit is set on all world-writable directories +Command: version: exit-status: +Expected + : 0 +to equal + : 123 + +Total Duration: 5.102s +Count: 124, Failed: 21, Skipped: 5 + +``` + +- running a particular section of tests + +```sh +# /usr/local/bin/goss -g /home/bolly/rh8_cis_goss/section_1/cis_1.1/cis_1.1.22.yml validate +............ + +Total Duration: 0.033s +Count: 12, Failed: 0, Skipped: 0 + +``` + +- changing the output + +```sh +# /usr/local/bin/goss -g /home/bolly/rh8_cis_goss/section_1/cis_1.1/cis_1.1.22.yml validate -f documentation +Title: 1.1.20 Check for removeable media nodev +Command: floppy_nodev: exit-status: matches expectation: [0] +Command: floppy_nodev: stdout: matches expectation: [OK] +< -------cut ------- > +Title: 1.1.20 Check for removeable media noexec +Command: floppy_noexec: exit-status: matches expectation: [0] +Command: floppy_noexec: stdout: matches expectation: [OK] + + +Total Duration: 0.022s +Count: 12, Failed: 0, Skipped: 0 +``` + +## Extra settings + +Ability to add your own requirements is available in several sections + +## further information + +- [goss documentation](https://github.com/goss-org/goss/blob/master/README.md) +- [CIS standards](https://www.cisecurity.org) + +## Feedback required diff --git a/goss.yml b/goss.yml new file mode 100644 index 0000000..ebe9a16 --- /dev/null +++ b/goss.yml 
@@ -0,0 +1,96 @@
+gossfile:
+# Section 1
+ {{ if .Vars.ubtu24cis_section1 }}
+ section_1/*/*.yml: {}
+ {{ end }}
+
+ # Section 2
+ {{ if .Vars.ubtu24cis_section2 }}
+ # Special Services
+ section_2/cis_2.1/*.yml: {}
+ # Client Service
+ section_2/cis_2.2/*.yml: {}
+ # Time services
+ section_2/cis_2.3/*.yml: {}
+ # scheduling services
+ section_2/cis_2.4/*.yml: {}
+ {{ end }}
+
+# Section 3
+ {{ if .Vars.ubtu24cis_section3 }}
+ section_3/cis_3.1/*.yml: {}
+ section_3/cis_3.2/*.yml: {}
+ section_3/cis_3.3/*.yml: {}
+ {{ if .Vars.ubtu24cis_ipv6_required }}
+ section_3/cis_3.3/ipv6/*.yml: {}
+ {{ end }}
+ {{ end }}
+
+# Section 4
+ {{ if .Vars.ubtu24cis_section4 }}
+ # If ufw firewall
+ {{ if eq .Vars.ubtu24cis_firewall_package "ufw" }}
+ section_4/cis_4.2/*.yml: {}
+ {{ end }}
+ # If nftables firewall
+ {{ if eq .Vars.ubtu24cis_firewall_package "nftables" }}
+ section_4/cis_4.3/*.yml: {}
+ {{ end }}
+ # If iptables firewall
+ {{ if eq .Vars.ubtu24cis_firewall_package "iptables" }}
+ section_4/cis_4.4/*.yml: {}
+ {{ end }}
+ {{ end }}
+
+# Section 5
+ {{ if .Vars.ubtu24cis_section5 }}
+ section_5/*/*.yml: {}
+ {{ end }}
+
+# Section 6
+ {{ if .Vars.ubtu24cis_section6 }}
+ # Journald
+ {{ if eq .Vars.ubtu24cis_syslog_service "journald" }}
+ section_6/cis_6.1.1.x/*.yml: {}
+ section_6/cis_6.1.2.x/*.yml: {}
+ {{ end }}
+ # Rsyslog
+ {{ if eq .Vars.ubtu24cis_syslog_service "rsyslog" }}
+ section_6/cis_6.1.3.*/*.yml: {}
+ {{ end }}
+ # logrotate
+ section_6/cis_6.1.4.*/*.yml: {}
+ # Auditd and level 2
+ # Auditd
+ {{ if .Vars.ubtu24cis_level_2 }}
+ {{ if .Vars.ubtu24cis_auditd }}
+ section_6/cis_6.2.*/*.yml: {}
+ {{ end }}
+ {{ end }}
+ # Aide
+ section_6/cis_6.3.*/*.yml: {}
+ {{ end }}
+
+# Section 7
+ {{ if .Vars.ubtu24cis_section7 }}
+ section_7/cis_7.*/*.yml: {}
+ {{ end }}
+
+# Metadata
+command:
+ benchmark_meta:
+ title: Benchmark MetaData
+ exec: echo BenchMark MetaData
+ exit-status: 0
+ meta:
+ host_machine_uuid: {{ .Vars.machine_uuid }}
+ host_epoch: {{
.Vars.epoch }}
+ host_os_locale: {{ .Vars.os_locale }}
+ host_os_release: {{ .Vars.os_release }}
+ host_os_distribution: {{ .Vars.os_distribution }}
+ host_automation_group: {{ .Vars.auto_group }}
+ host_hostname: {{ .Vars.os_hostname }}
+ host_system_type: {{ .Vars.system_type }}
+ benchmark_type: {{ .Vars.benchmark_type }}
+ benchmark_version: {{ .Vars.benchmark_version }}
+ benchmark_os: {{ .Vars.benchmark_os }}
diff --git a/run_audit.sh b/run_audit.sh
new file mode 100755
index 0000000..2e2ab29
--- /dev/null
+++ b/run_audit.sh
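Review bot: The values under `meta:` are templated in unquoted, so after Go templating the YAML parser retypes them: `host_os_release: {{ .Vars.os_release }}` is read as a float (an `os_release` of `24.10` would be recorded as `24.1`), `host_epoch` becomes an int, and any var that expands to nothing (for example `machine_uuid` if neither product_uuid nor dmidecode produced a value in run_audit.sh) becomes `null` rather than an empty string. run_audit.sh passes every one of these as a JSON string, so quoting them here keeps that type through to the report, e.g. `host_os_release: "{{ .Vars.os_release }}"` and `host_machine_uuid: "{{ .Vars.machine_uuid }}"`. The same change applies to each of the other lines in this meta block.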
@@ -0,0 +1,213 @@
+#! /bin/bash
+# script to run audit while populating local host data
+# 13th Sept 2021 - Initial
+# 9th Nov 2021 - Added root user check - more posix compliant for multiple OS types
+# 10 Dec 2021 - Enhanced so more linux OS agnostic, less input required
+# - added vars options for bespoke vars file
+# - Ability to run as script from remediation role increased consistency
+# 17 Dec 2021 - Added system_type variable - default Server will change to workstations with -w switch
+# 02 Mar 2022 - Updated benchmark variable naming
+# 06 Apr 2022 - Added format option in output inline with goss options e.g. json documentation this is for fault finding
+# 03 May 2022 - update for audit variables improvement added by @pavloos - https://github.com/ansible-lockdown/RHEL8-CIS-Audit/pull/29
+# 10 Jun 2022 - added format output for different type - supports json,documentation or rspecish
+# 04 Oct 2022 - Changed default content location to /opt
+# 14 Sep 2023 - Tidyup of code,
+# linting (thanks to @cf-sewe)
+# Oracle included by default if RHEL family
+# benchmark vars moved
+# December 2023 Added goss version and testing
+# April 2024 Updating of OS discovery to work for all supported OSs
+
+# Variables in upper case tend to be able to be adjusted
+# lower case variables are discovered or built from other variables
+
+# Goss benchmark variables (these should not need changing unless new release)
+BENCHMARK=CIS # Benchmark Name aligns to the audit
+BENCHMARK_VER=2.0.0
+BENCHMARK_OS=UBUNTU24
+
+# Goss host Variables
+AUDIT_BIN="${AUDIT_BIN:-/usr/local/bin/goss}" # location of the goss executable
+AUDIT_BIN_MIN_VER="0.4.4"
+AUDIT_FILE="${AUDIT_FILE:-goss.yml}" # the default goss file used by the audit provided by the audit configuration
+AUDIT_CONTENT_LOCATION="${AUDIT_CONTENT_LOCATION:-/opt}" # Location of the audit configuration file as available to the OS
+
+# help output
+Help()
+{
+ # Display Help
+ echo "Script to run the goss audit"
+ echo
+ echo "Syntax:
$0 [-f|-g|-o|-v|-w|-h]"
+ echo "options:"
+ echo "-f optional - change the format output (default value = json)"
+ echo "-g optional - Add a group that the server should be grouped with (default value = ungrouped)"
+ echo "-o optional - file to output audit data"
+ echo "-v optional - relative path to thevars file to load (default e.g. $AUDIT_CONTENT_LOCATION/RHEL7-$BENCHMARK/vars/$BENCHMARK.yml)"
+ echo "-w optional - Sets the system_type to workstation (Default - Server)"
+ echo "-h Print this Help."
+ echo
+}
+
+# Default vars that can be set
+host_system_type=Server
+
+## option statement
+while getopts f:g:o:v::wh option; do
+ case "${option}" in
+ f ) FORMAT=${OPTARG} ;;
+ g ) GROUP=${OPTARG} ;;
+ o ) OUTFILE=${OPTARG} ;;
+ v ) VARS_PATH=${OPTARG} ;;
+ w ) host_system_type=Workstation ;;
+ h ) # display Help
+ Help
+ exit;;
+ ? ) # Invalid option
+ echo "Invalid option: -${OPTARG}."
+ Help
+ exit;;
+ esac
+done
+
+#### Pre-Checks
+
+# check access need to run as root or privileges due to some configuration access
+if [ "$(/usr/bin/id -u)" -ne 0 ]; then
+ echo "Script need to run with root privileges"
+ exit 1
+fi
+
+#### Main Script ####
+
+# Discover OS version aligning with audit
+# Define os_vendor variable
+if [ "$(uname -a | grep -c amzn)" -ge 1 ]; then
+ os_vendor="AMAZON"
+elif [ "$(grep -Ec "rhel|oracle" /etc/os-release)" != 0 ]; then
+ os_vendor="RHEL"
+else
+ os_vendor="$(hostnamectl | grep Oper | cut -d : -f2 | awk '{print toupper($1)}')"
+fi
+
+os_maj_ver="$(grep -w VERSION_ID= /etc/os-release | awk -F\" '{print $2}' | cut -d '.'
-f1)"
+audit_content_version=$os_vendor$os_maj_ver-$BENCHMARK-Audit
+audit_content_dir=$AUDIT_CONTENT_LOCATION/$audit_content_version
+audit_vars=vars/${BENCHMARK}.yml
+
+# Set variable for format output
+if [ -z "$FORMAT" ]; then
+ export format="json"
+else
+ export format=$FORMAT
+fi
+
+# Set variable for autogroup
+if [ -z "$GROUP" ]; then
+ export host_auto_group="ungrouped"
+else
+ export host_auto_group=$GROUP
+fi
+
+# set default variable for varfile_path
+if [ -z "$VARS_PATH" ]; then
+ export varfile_path=$audit_content_dir/$audit_vars
+else
+ # Check -v exists fail if not
+ if [ -f "$VARS_PATH" ]; then
+ export varfile_path=$VARS_PATH
+ else
+ echo "passed option '-v' $VARS_PATH does not exist"
+ exit 1
+ fi
+fi
+
+## System variables captured for metadata
+
+host_machine_uuid="$(if [ -f /sys/class/dmi/id/product_uuid ]; then cat /sys/class/dmi/id/product_uuid; else dmidecode -s system-uuid; fi)"
+host_epoch="$(date +%s)"
+host_os_locale="$(date +%Z)"
+host_os_name="$(grep "^NAME=" /etc/os-release | cut -d '"' -f2 | sed 's/ //' | cut -d' ' -f1)"
+host_os_version="$(grep "^VERSION_ID=" /etc/os-release | cut -d '"' -f2)"
+host_os_hostname="$(hostname)"
+
+## Set variable audit_out
+if [ -z "$OUTFILE" ]; then
+ export audit_out=${AUDIT_CONTENT_LOCATION}/audit_${host_os_hostname}-${BENCHMARK}-${BENCHMARK_OS}_${host_epoch}.$format
+else
+ export audit_out=${OUTFILE}
+fi
+
+## Set the AUDIT json string
+audit_json_vars='{"benchmark_type":"'"$BENCHMARK"'","benchmark_os":"'"$BENCHMARK_OS"'","benchmark_version":"'"$BENCHMARK_VER"'","machine_uuid":"'"$host_machine_uuid"'","epoch":"'"$host_epoch"'","os_locale":"'"$host_os_locale"'","os_release":"'"$host_os_version"'","os_distribution":"'"$host_os_name"'","os_hostname":"'"$host_os_hostname"'","auto_group":"'"$host_auto_group"'","system_type":"'"$host_system_type"'"}'
+
+## Run pre checks
+
+echo
+echo "## Pre-Checks Start"
+echo
+
+export FAILURE=0
+if [ -s "${AUDIT_BIN}" ]; then
+ echo "OK - Audit binary $AUDIT_BIN
is available"
+ goss_installed_version="$($AUDIT_BIN -v | awk '{print $NF}' | cut -dv -f2)"
+ newer_version=$(echo -e "$goss_installed_version\n$AUDIT_BIN_MIN_VER" | sort -V | tail -n 1)
+ if [ "$goss_installed_version" = "$newer_version" ] || [ "$goss_installed_version" = "$AUDIT_BIN_MIN_VER" ]; then
+ echo "OK - Goss is installed and version is ok ($goss_installed_version >= $AUDIT_BIN_MIN_VER)"
+ else
+ echo "WARNING - Goss installed = ${goss_installed_version}, does not met minimum of ${AUDIT_BIN_MIN_VER}"
+ export FAILURE=2
+ fi
+else
+ echo "WARNING - The audit binary is not available at $AUDIT_BIN "
+ export FAILURE=1
+fi
+
+if [ -f "${audit_content_dir}/${AUDIT_FILE}" ]; then
+ echo "OK - ${audit_content_dir}/${AUDIT_FILE} is available"
+else
+ echo "WARNING - the $audit_content_dir/$AUDIT_FILE is not available"; export FAILURE=3
+fi
+
+if [ "${FAILURE}" != 0 ]; then
+ echo "## Pre-checks failed please see output"
+ exit 1
+else
+ echo
+ echo "## Pre-checks Successful"
+ echo
+fi
+
+# format output types
+# json, rspecish = grep -A 4 \"summary\": $audit_out
+# tap junit no output as no summary
+# documentation = tail -2 $audit_out
+
+# defaults
+output_summary="tail -2 $audit_out"
+format_output="-f $format"
+
+if [ "$format" = json ]; then
+ format_output="-f json -o pretty"
+ output_summary='grep -A 4 \"summary\": $audit_out'
+elif [ "$format" = junit ] || [ "$format" = tap ]; then
+ output_summary=""
+fi
+
+## Run commands
+echo "#############"
+echo "Audit Started"
+echo "#############"
+echo
+$AUDIT_BIN -g "$audit_content_dir/$AUDIT_FILE" --vars "$varfile_path" --vars-inline "$audit_json_vars" v $format_output > "$audit_out"
+
+# create screen output
+if [ "$(grep -c $BENCHMARK "$audit_out")" != 0 ] || [ "$format" = junit ] || [ "$format" = tap ]; then
+ eval $output_summary
+ echo "Completed file can be found at $audit_out"
+ echo "###############"
+ echo "Audit Completed"
+ echo "###############"
+else
+ echo -e "Fail: There were issues when running
the audit please investigate $audit_out"
+fi
diff --git a/section_1/cis_1.1/cis_1.1.1.1.yml b/section_1/cis_1.1/cis_1.1.1.1.yml
new file mode 100644
index 0000000..4daf319
--- /dev/null
+++ b/section_1/cis_1.1/cis_1.1.1.1.yml
@@ -0,0 +1,39 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_1_1_1_1 }}
+file:
+ cramfs_disabled:
+ title: 1.1.1.1 | Ensure cramfs kernel module is not available | modprobe
+ path: /etc/modprobe.d/CIS.conf
+ exists: true
+ contents:
+ - '/^install cramfs /bin/(true|false)/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID: 1.1.1.1
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: CM-7
+ cramfs_blacklist:
+ title: 1.1.1.1 | Ensure cramfs kernel module is not available | blacklist
+ path: /etc/modprobe.d/blacklist.conf
+ exists: true
+ contents:
+ - '/^blacklist cramfs/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID: 1.1.1.1
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: CM-7
+ {{ end }}
+{{ end }}
diff --git a/section_1/cis_1.1/cis_1.1.1.2.yml b/section_1/cis_1.1/cis_1.1.1.2.yml
new file mode 100644
index 0000000..9f8206e
--- /dev/null
+++ b/section_1/cis_1.1/cis_1.1.1.2.yml
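Review bot: `BENCHMARK_VER=2.0.0` near the top of the hunk disagrees with the commit title, Changelog.md and README.md in this same commit, which all describe CIS Ubuntu 24.04 benchmark v1.0.0; because the value is folded into `audit_json_vars` and surfaces as `benchmark_version` in every result file, it should read `BENCHMARK_VER=1.0.0`. The `-v` help line still shows the RHEL7 example path `$AUDIT_CONTENT_LOCATION/RHEL7-$BENCHMARK/vars/$BENCHMARK.yml`, which no longer matches the `$os_vendor$os_maj_ver-$BENCHMARK-Audit` directory the script derives; `$AUDIT_CONTENT_LOCATION/$BENCHMARK_OS-$BENCHMARK-Audit/vars/$BENCHMARK.yml` would describe the Ubuntu layout. Near the end, `eval $output_summary` re-parses a string that contains the caller-supplied `-o` path while running as root, so a path with spaces or shell metacharacters is word-split and interpreted; calling the summary command directly, e.g. `grep -A 4 '"summary":' "$audit_out"` for json and `tail -2 "$audit_out"` otherwise, avoids the eval without changing the output.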
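Review bot: Both tests pin the compliant setting to fixed filenames, `/etc/modprobe.d/CIS.conf` and `/etc/modprobe.d/blacklist.conf`, so a host whose `install cramfs /bin/false` or `blacklist cramfs` line lives in any other `/etc/modprobe.d/*.conf` file is reported as failing although it meets the control; cis_1.1.1.2 through cis_1.1.1.9 repeat the same pattern. Nothing in the file checks that the module is not currently loaded, which a "not available" control appears to require as well; a `command:` test inspecting `lsmod` output for `cramfs` would close that gap. If the fixed filenames are a deliberate convention shared with the companion remediation role, a comment above `cramfs_disabled:` stating that (e.g. `# paths match the files written by the remediation role`) would tell readers the narrowing is intentional.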
@@ -0,0 +1,39 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_1_2 }} +file: + freevxfs_disabled: + title: 1.1.1.2 | Ensure freevxfs kernel module is not available | modprobe + path: /etc/modprobe.d/CIS.conf + exists: true + contents: + - '/^install freevxfs /bin/(true|false)/' + meta: + server: 1 + workstation: 1 + CIS_ID: 1.1.1.2 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + freevxfs_blacklist: + title: 1.1.1.2 | Ensure freevxfs kernel module is not available | blacklist + path: /etc/modprobe.d/blacklist.conf + exists: true + contents: + - '/^blacklist freevxfs/' + meta: + server: 1 + workstation: 1 + CIS_ID: 1.1.1.2 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.1.3.yml b/section_1/cis_1.1/cis_1.1.1.3.yml new file mode 100644 index 0000000..24105e6 --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.1.3.yml @@ -0,0 +1,39 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_1_3 }} +file: + hfs_disabled: + title: 1.1.1.3 | Ensure hfs kernel module is not available | modprobe + path: /etc/modprobe.d/CIS.conf + exists: true + contents: + - '/^install hfs /bin/(true|false)/' + meta: + server: 1 + workstation: 1 + CIS_ID: 1.1.1.3 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + hfs_blacklist: + title: 1.1.1.3 | Ensure hfs kernel module is not available | blacklist + path: /etc/modprobe.d/blacklist.conf + exists: true + contents: + - '/^blacklist hfs/' + meta: + server: 1 + workstation: 1 + CIS_ID: 1.1.1.3 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.1.4.yml b/section_1/cis_1.1/cis_1.1.1.4.yml new file mode 100644 index 0000000..972c7df --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.1.4.yml 
@@ -0,0 +1,39 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_1_4 }} +file: + hfsplus_disabled: + title: 1.1.1.4 | Ensure hfsplus kernel module is not available | modprobe + path: /etc/modprobe.d/CIS.conf + exists: true + contents: + - '/^install hfsplus /bin/(true|false)/' + meta: + server: 1 + workstation: 1 + CIS_ID: 1.1.1.4 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + hfsplus_blacklist: + title: 1.1.1.4 | Ensure hfsplus kernel module is not available | blacklist + path: /etc/modprobe.d/blacklist.conf + exists: true + contents: + - '/^blacklist hfsplus/' + meta: + server: 1 + workstation: 1 + CIS_ID: 1.1.1.4 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.1.5.yml b/section_1/cis_1.1/cis_1.1.1.5.yml new file mode 100644 index 0000000..d433a1c --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.1.5.yml @@ -0,0 +1,39 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_1_5 }} +file: + jffs2_disabled: + title: 1.1.1.5 | Ensure jffs2 kernel module is not available | modprobe + path: /etc/modprobe.d/CIS.conf + exists: true + contents: + - '/^install jffs2 /bin/(true|false)/' + meta: + server: 1 + workstation: 1 + CIS_ID: 1.1.1.5 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + jffs2_blacklist: + title: 1.1.1.5 | Ensure jffs2 kernel module is not available | blacklist + path: /etc/modprobe.d/blacklist.conf + exists: true + contents: + - '/^blacklist jffs2/' + meta: + server: 1 + workstation: 1 + CIS_ID: 1.1.1.5 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.1.6.yml b/section_1/cis_1.1/cis_1.1.1.6.yml new file mode 100644 index 0000000..d140c37 --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.1.6.yml 
@@ -0,0 +1,39 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_1_1_1_6 }} +file: + overlayfs_disabled: + title: 1.1.1.6 | Ensure overlayfs kernel module is not available | modprobe + path: /etc/modprobe.d/CIS.conf + exists: true + contents: + - '/^install overlayfs /bin/(true|false)/' + meta: + server: 2 + workstation: 2 + CIS_ID: 1.1.1.6 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + overlayfs_blacklist: + title: 1.1.1.6 | Ensure overlayfs kernel module is not available | blacklist + path: /etc/modprobe.d/blacklist.conf + exists: true + contents: + - '/^blacklist overlayfs/' + meta: + server: 2 + workstation: 2 + CIS_ID: 1.1.1.6 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.1.7.yml b/section_1/cis_1.1/cis_1.1.1.7.yml new file mode 100644 index 0000000..c1d5726 --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.1.7.yml @@ -0,0 +1,41 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if not .Vars.ubtu24cis_squashfs_required }} + {{ if .Vars.ubtu24cis_rule_1_1_1_7 }} +file: + squashfs_disabled: + title: 1.1.1.7 | Ensure squashfs kernel module is not available | modprobe + path: /etc/modprobe.d/CIS.conf + exists: true + contents: + - '/^install squashfs /bin/(true|false)/' + meta: + server: 2 + workstation: 2 + CIS_ID: 1.1.1.7 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + squashfs_blacklist: + title: 1.1.1.7 | Ensure squashfs kernel module is not available | blacklist + path: /etc/modprobe.d/blacklist.conf + exists: true + contents: + - '/^blacklist squashfs/' + meta: + server: 2 + workstation: 2 + CIS_ID: 1.1.1.7 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + {{ end }} + {{ end }} +{{ end }} 
diff --git a/section_1/cis_1.1/cis_1.1.1.8.yml b/section_1/cis_1.1/cis_1.1.1.8.yml new file mode 100644 index 0000000..d8c87c5 --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.1.8.yml @@ -0,0 +1,39 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_1_1_1_8 }} +file: + udf_disabled: + title: 1.1.1.8 | Ensure udf kernel module is not available | modprobe + path: /etc/modprobe.d/CIS.conf + exists: true + contents: + - '/^install udf /bin/(true|false)/' + meta: + server: 2 + workstation: 2 + CIS_ID: 1.1.1.8 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + udf_blacklist: + title: 1.1.1.8 | Ensure udf kernel module is not available | blacklist + path: /etc/modprobe.d/blacklist.conf + exists: true + contents: + - '/^blacklist udf/' + meta: + server: 2 + workstation: 2 + CIS_ID: 1.1.1.8 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.1.9.yml b/section_1/cis_1.1/cis_1.1.1.9.yml new file mode 100644 index 0000000..81af2bc --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.1.9.yml @@ -0,0 +1,39 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_1_9 }} +file: + usb-storage_disabled: + title: 1.1.1.9 | Ensure usb-storage kernel module is not available | modprobe + path: /etc/modprobe.d/CIS.conf + exists: true + contents: + - '/^install usb-storage /bin/(true|false)/' + meta: + server: 1 + workstation: 2 + CIS_ID: 1.1.1.9 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: SI-3 + usb-storage_blacklist: + title: 1.1.1.9 | Ensure usb-storage kernel module is not available | blacklist + path: /etc/modprobe.d/blacklist.conf + exists: true + contents: + - '/^blacklist usb-storage/' + meta: + server: 1 + workstation: 2 + CIS_ID: 1.1.1.9 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: SI-3 + {{ end }} +{{ end }} 
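Review bot: In cis_1.1.1.9.yml the meta block records usb-storage as level 1 for servers but level 2 for workstations (`workstation: 2`), yet the whole file is gated only on `{{ if .Vars.ubtu24cis_level_1 }}`, so a workstation audited at level 1 is reported as failing a control its profile does not require. The gate should also consider the host type; the `system_type` value that run_audit.sh passes with `--vars-inline` looks like the right input, for instance `{{ if or .Vars.ubtu24cis_level_2 (eq .Vars.system_type "Server") }}` in place of the level_1 check, assuming that var name reaches the template unchanged. Every other file in this group has identical server and workstation levels, so only this one is affected.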
diff --git a/section_1/cis_1.1/cis_1.1.2.1.1.yml b/section_1/cis_1.1/cis_1.1.2.1.1.yml new file mode 100644 index 0000000..a5e65ff --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.2.1.1.yml @@ -0,0 +1,21 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_2_1_1 }} +mount: + tmp_mount: + title: 1.1.2.1.1 | Ensure /tmp is a separate partition + mountpoint: /tmp + exists: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.1.1 + CISv8: 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.2.1.2_4.yml b/section_1/cis_1.1/cis_1.1.2.1.2_4.yml new file mode 100644 index 0000000..2fc3c42 --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.2.1.2_4.yml 
@@ -0,0 +1,66 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_2_1_1 }} +mount: + tmp_options: + title: | + 1.1.2.1.2 | Ensure nodev option set on /tmp partition + 1.1.2.1.3 | Ensure nosuid option set on /tmp partition + 1.1.2.1.4 | Ensure noexec option set on /tmp partition + mountpoint: /tmp + exists: true + opts: + {{ if .Vars.ubtu24cis_rule_1_1_2_1_2 }} + - nodev + {{ end }} + {{ if .Vars.ubtu24cis_rule_1_1_2_1_3 }} + - nosuid + {{ end }} + {{ if .Vars.ubtu24cis_rule_1_1_2_1_4 }} + - noexec + {{ end }} + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.1.2 + - 1.1.2.1.3 + - 1.1.2.1.4 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - AC-3 + - MP-2 +file: + tmp_fstab_options: + title: | + 1.1.2.1.2 | Ensure nodev option set on /tmp partition + 1.1.2.1.3 | Ensure nosuid option set on /tmp partition + 1.1.2.1.4 | Ensure noexec option set on /tmp partition + exists: true + path: /etc/fstab + contents: + - '/\s\/tmp.*{{ if .Vars.ubtu24cis_rule_1_1_2_1_2 }}nodev{{ end }}/' + - '/\s\/tmp.*{{ if .Vars.ubtu24cis_rule_1_1_2_1_3 }}nosuid{{ end }}.*/' + - '/\s\/tmp.*{{ if .Vars.ubtu24cis_rule_1_1_2_1_4 }}noexec{{ end }}.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.1.2 + - 1.1.2.1.3 + - 1.1.2.1.4 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.2.2.1.yml b/section_1/cis_1.1/cis_1.1.2.2.1.yml new file mode 100644 index 0000000..1e2e714 --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.2.2.1.yml 
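Review bot: The `tmp_fstab_options` file test requires a `/tmp` entry in `/etc/fstab`, but control 1.1.2.1.1 is, as far as I recall, also satisfied by systemd's `tmp.mount` unit, in which case fstab has no such line and this test fails even though the `tmp_options` mount test above it already verified the live options; gating the fstab check on a vars-file boolean, or accepting the tmp.mount drop-in as an alternative `path`, would avoid the false failure. The patterns also end at `\s\/tmp.*`, whereas cis_1.1.2.4.2_3 and cis_1.1.2.5.2_4 anchor with a trailing `\s` (`\s\/var\s.*`); writing `'/\s\/tmp\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_1_2 }}nodev{{ end }}/'` keeps a mount such as `/tmpdata` from satisfying the check, and the same trailing `\s` is missing in cis_1.1.2.2.2_4 and cis_1.1.2.3.2_4. Note too that when all three `ubtu24cis_rule_1_1_2_1_*` vars are false the `opts:` key renders with no items and each fstab pattern degenerates to `\s\/tmp.*`, so the test passes vacuously.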
@@ -0,0 +1,22 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_2_2_1 }} +mount: + dev_shm_mount: + title: 1.1.2.2.1 | Ensure /dev/shm is a separate partition + mountpoint: /dev/shm + filesystem: tmpfs + exists: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.2.1 + CISv8: 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.2.2.2_4.yml b/section_1/cis_1.1/cis_1.1.2.2.2_4.yml new file mode 100644 index 0000000..dd0fd21 --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.2.2.2_4.yml 
@@ -0,0 +1,66 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_2_2_1 }} +mount: + dev_shm_options: + title: | + 1.1.2.2.2 | Ensure nodev option set on /dev/shm partition + 1.1.2.2.3 | Ensure nosuid option set on /dev/shm partition + 1.1.2.2.4 | Ensure noexec option set on /dev/shm partition + mountpoint: /dev/shm + exists: true + opts: + {{ if .Vars.ubtu24cis_rule_1_1_2_2_2 }} + - nodev + {{ end }} + {{ if .Vars.ubtu24cis_rule_1_1_2_2_3 }} + - nosuid + {{ end }} + {{ if .Vars.ubtu24cis_rule_1_1_2_2_4 }} + - noexec + {{ end }} + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.2.2 + - 1.1.2.2.3 + - 1.1.2.2.4 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - AC-3 + - MP-2 +file: + dev_shm_fstab_options: + title: | + 1.1.2.2.2 | Ensure nodev option set on /dev/shm partition + 1.1.2.2.3 | Ensure nosuid option set on /dev/shm partition + 1.1.2.2.4 | Ensure noexec option set on /dev/shm partition + exists: true + path: /etc/fstab + contents: + - '/\s\/dev\/shm.*{{ if .Vars.ubtu24cis_rule_1_1_2_2_2 }}nodev{{ end }}/' + - '/\s\/dev\/shm.*{{ if .Vars.ubtu24cis_rule_1_1_2_2_3 }}nosuid{{ end }}.*/' + - '/\s\/dev\/shm.*{{ if .Vars.ubtu24cis_rule_1_1_2_2_4 }}noexec{{ end }}.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.2.2 + - 1.1.2.2.3 + - 1.1.2.2.4 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.2.3.1.yml b/section_1/cis_1.1/cis_1.1.2.3.1.yml new file mode 100644 index 0000000..8b62e7a --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.2.3.1.yml 
@@ -0,0 +1,21 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_2_3_1 }} +mount: + home_mount: + title: 1.1.2.3.1 | Ensure separate partition exists for /home + mountpoint: /home + exists: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.3.1 + CISv8: 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.2.3.2_4.yml b/section_1/cis_1.1/cis_1.1.2.3.2_4.yml new file mode 100644 index 0000000..8737809 --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.2.3.2_4.yml @@ -0,0 +1,58 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_2_3_1 }} +mount: + home_options: + title: | + 1.1.2.3.2 | Ensure nodev option set on /home partition + 1.1.2.3.3 | Ensure nosuid option set on /home partition + mountpoint: /home + exists: true + opts: + {{ if .Vars.ubtu24cis_rule_1_1_2_3_2 }} + - nodev + {{ end }} + {{ if .Vars.ubtu24cis_rule_1_1_2_3_3 }} + - nosuid + {{ end }} + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.3.2 + - 1.1.2.3.3 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - AC-3 + - MP-2 +file: + home_fstab_options: + title: | + 1.1.2.3.2 | Ensure nodev option set on /home partition + 1.1.2.3.3 | Ensure nosuid option set on /home partition + exists: true + path: /etc/fstab + contents: + - '/\s\/home.*{{ if .Vars.ubtu24cis_rule_1_1_2_3_2 }}nodev{{ end }}/' + - '/\s\/home.*{{ if .Vars.ubtu24cis_rule_1_1_2_3_3 }}nosuid{{ end }}.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.3.2 + - 1.1.2.3.3 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.2.4.1.yml b/section_1/cis_1.1/cis_1.1.2.4.1.yml new file mode 100644 index 0000000..51556bd --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.2.4.1.yml 
@@ -0,0 +1,21 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_2_4_1 }} +mount: + var_mount: + title: 1.1.2.4.1 | Ensure separate partition exists for /var + mountpoint: /var + exists: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.4.1 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.2.4.2_3.yml b/section_1/cis_1.1/cis_1.1.2.4.2_3.yml new file mode 100644 index 0000000..f5dd3cc --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.2.4.2_3.yml @@ -0,0 +1,58 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_2_4_1 }} +mount: + var_options: + title: | + 1.1.2.4.2 | Ensure nodev option set on /var partition + 1.1.2.4.3 | Ensure nosuid option set on /var partition + mountpoint: '/var' + exists: true + opts: + {{ if .Vars.ubtu24cis_rule_1_1_2_4_2 }} + - nodev + {{ end }} + {{ if .Vars.ubtu24cis_rule_1_1_2_4_3 }} + - nosuid + {{ end }} + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.4.2 + - 1.1.2.4.3 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - AC-3 + - MP-2 +file: + var_fstab_options: + title: | + 1.1.2.4.2 | Ensure nodev option set on /var partition + 1.1.2.4.3 | Ensure nosuid option set on /var partition + exists: true + path: /etc/fstab + contents: + - '/\s\/var\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_4_2 }}nodev{{ end }}/' + - '/\s\/var\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_4_3 }}nosuid{{ end }}.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.4.2 + - 1.1.2.4.3 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.2.5.1.yml b/section_1/cis_1.1/cis_1.1.2.5.1.yml new file mode 100644 index 0000000..7bf219b --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.2.5.1.yml 
@@ -0,0 +1,21 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_1_1_2_5_1 }}
+mount:
+ var_tmp_mount:
+ title: 1.1.2.5.1 | Ensure separate partition exists for /var/tmp
+ mountpoint: /var/tmp
+ exists: true
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 1.1.2.5.1
+ CISv8: 3.3
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R4: CM-7
+ {{ end }}
+{{ end }}
diff --git a/section_1/cis_1.1/cis_1.1.2.5.2_4.yml b/section_1/cis_1.1/cis_1.1.2.5.2_4.yml new file mode 100644
index 0000000..6067e7e
--- /dev/null
+++ b/section_1/cis_1.1/cis_1.1.2.5.2_4.yml
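Review bot: The meta key `NIST800-53R4: CM-7` in `var_tmp_mount` differs from the `NIST800-53R5` key used by every sibling control in this section, so any reporting that groups findings by the R5 mapping will silently drop this control. Change it to `NIST800-53R5: CM-7`. If an R4 mapping was intended as well, add it as a second key rather than replacing R5.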
@@ -0,0 +1,66 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_2_5_1 }} +mount: + var_tmp_options: + title: | + 1.1.2.5.2 | Ensure nodev option set on /var/tmp partition + 1.1.2.5.3 | Ensure nosuid option set on /var/tmp partition + 1.1.2.5.4 | Ensure noexec option set on /var/tmp partition + mountpoint: '/var/tmp' + exists: true + opts: + {{ if .Vars.ubtu24cis_rule_1_1_2_5_2 }} + - nodev + {{ end }} + {{ if .Vars.ubtu24cis_rule_1_1_2_5_3 }} + - nosuid + {{ end }} + {{ if .Vars.ubtu24cis_rule_1_1_2_5_4 }} + - noexec + {{ end }} + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.5.2 + - 1.1.2.5.3 + - 1.1.2.5.4 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - AC-3 + - MP-2 +file: + var_tmp_fstab_options: + title: | + 1.1.2.5.2 | Ensure nodev option set on /var/tmp partition + 1.1.2.5.3 | Ensure nosuid option set on /var/tmp partition + 1.1.2.5.4 | Ensure noexec option set on /var/tmp partition + exists: true + path: /etc/fstab + contents: + - '/\s\/var\/tmp\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_5_2 }}nodev{{ end }}/' + - '/\s\/var\/tmp\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_5_3 }}nosuid{{ end }}.*/' + - '/\s\/var\/tmp\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_5_4 }}noexec{{ end }}.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.5.2 + - 1.1.2.5.3 + - 1.1.2.5.4 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.2.6.1.yml b/section_1/cis_1.1/cis_1.1.2.6.1.yml new file mode 100644 index 0000000..2e29610 --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.2.6.1.yml 
@@ -0,0 +1,21 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_1_1_2_6_1 }}
+mount:
+ var_log_mount:
+ title: 1.1.2.6.1 | Ensure separate partition exists for /var/log
+ mountpoint: /var/log
+ exists: true
+ meta:
+ server: 2
+ workstation: 2
+ CIS_ID:
+ - 1.1.2.6.1
+ CISv8: 3.3
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: CM-7
+ {{ end }}
+{{ end }}
diff --git a/section_1/cis_1.1/cis_1.1.2.6.2_4.yml b/section_1/cis_1.1/cis_1.1.2.6.2_4.yml new file mode 100644
index 0000000..1029cc8
--- /dev/null
+++ b/section_1/cis_1.1/cis_1.1.2.6.2_4.yml
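Review bot: `var_log_mount` is tagged `server: 2` / `workstation: 2` but is rendered under `{{ if .Vars.ubtu24cis_level_1 }}`, so a Level 1 audit run fails every host that legitimately has no separate /var/log partition. If the meta is right, the guard should be `{{ if .Vars.ubtu24cis_level_2 }}`, matching how 1.3.1.4 and 1.7.1 gate their Level 2 checks in this commit; if the guard is right, the meta is wrong. Either way the two must agree for the profile filter to mean anything.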
@@ -0,0 +1,66 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_2_6_1 }} +mount: + var_log_options: + title: | + 1.1.2.6.2 | Ensure nodev option set on /var/log partition + 1.1.2.6.3 | Ensure nosuid option set on /var/log partition + 1.1.2.6.4 | Ensure noexec option set on /var/log partition + mountpoint: '/var/log' + exists: true + opts: + {{ if .Vars.ubtu24cis_rule_1_1_2_6_2 }} + - nodev + {{ end }} + {{ if .Vars.ubtu24cis_rule_1_1_2_6_3 }} + - nosuid + {{ end }} + {{ if .Vars.ubtu24cis_rule_1_1_2_6_4 }} + - noexec + {{ end }} + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.6.2 + - 1.1.2.6.3 + - 1.1.2.6.4 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - AC-3 + - MP-2 +file: + var_log_fstab_options: + title: | + 1.1.2.6.2 | Ensure nodev option set on /var/log partition + 1.1.2.6.3 | Ensure nosuid option set on /var/log partition + 1.1.2.6.4 | Ensure noexec option set on /var/log partition + exists: true + path: /etc/fstab + contents: + - '/\s\/var\/log\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_6_2 }}nodev{{ end }}/' + - '/\s\/var\/log\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_6_3 }}nosuid{{ end }}.*/' + - '/\s\/var\/log\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_6_4 }}noexec{{ end }}.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.6.2 + - 1.1.2.6.3 + - 1.1.2.6.4 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.2.7.1.yml b/section_1/cis_1.1/cis_1.1.2.7.1.yml new file mode 100644 index 0000000..fe0ac17 --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.2.7.1.yml 
@@ -0,0 +1,21 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_1_1_2_7_1 }}
+mount:
+ var_log_audit_mount:
+ title: 1.1.2.7.1 | Ensure separate partition exists for /var/log/audit
+ mountpoint: /var/log/audit
+ exists: true
+ meta:
+ server: 2
+ workstation: 2
+ CIS_ID:
+ - 1.1.2.7.1
+ CISv8: 8.3
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: CM-7
+ {{ end }}
+{{ end }}
diff --git a/section_1/cis_1.1/cis_1.1.2.7.2_4.yml b/section_1/cis_1.1/cis_1.1.2.7.2_4.yml new file mode 100644
index 0000000..2bf61ca
--- /dev/null
+++ b/section_1/cis_1.1/cis_1.1.2.7.2_4.yml
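Review bot: `var_log_audit_mount` carries `server: 2` / `workstation: 2` yet is rendered under `{{ if .Vars.ubtu24cis_level_1 }}`, so a Level 1 profile run reports a failure on every host that has not carved out a separate /var/log/audit partition. Gate it on `ubtu24cis_level_2`, as 1.3.1.4 and 1.7.1 do for their Level 2 checks, or correct the meta if the control is meant to be Level 1. Whichever is right, the guard and the meta should agree.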
@@ -0,0 +1,66 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_1_2_7_1 }} +mount: + var_log_audit_options: + title: | + 1.1.2.7.2 | Ensure nodev option set on /var/log/audit partition + 1.1.2.7.3 | Ensure nosuid option set on /var/log/audit partition + 1.1.2.7.4 | Ensure noexec option set on /var/log/audit partition + mountpoint: '/var/log/audit' + exists: true + opts: + {{ if .Vars.ubtu24cis_rule_1_1_2_7_2 }} + - nodev + {{ end }} + {{ if .Vars.ubtu24cis_rule_1_1_2_7_3 }} + - nosuid + {{ end }} + {{ if .Vars.ubtu24cis_rule_1_1_2_7_4 }} + - noexec + {{ end }} + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.7.2 + - 1.1.2.7.3 + - 1.1.2.7.4 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - AC-3 + - MP-2 +file: + var_log_audit_fstab_options: + title: | + 1.1.2.7.2 | Ensure nodev option set on /var/log/audit partition + 1.1.2.7.3 | Ensure nosuid option set on /var/log/audit partition + 1.1.2.7.4 | Ensure noexec option set on /var/log/audit partition + exists: true + path: /etc/fstab + contents: + - '/\s\/var\/log\/audit\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_7_2 }}nodev{{ end }}/' + - '/\s\/var\/log\/audit\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_7_3 }}nosuid{{ end }}.*/' + - '/\s\/var\/log\/audit\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_7_4 }}noexec{{ end }}.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2.7.2 + - 1.1.2.7.3 + - 1.1.2.7.4 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.2.1/cis_1.2.1.1.yml b/section_1/cis_1.2.1/cis_1.2.1.1.yml new file mode 100644 index 0000000..6203568 --- /dev/null +++ b/section_1/cis_1.2.1/cis_1.2.1.1.yml 
@@ -0,0 +1,27 @@ +--- + +{{ if .Vars.run_heavy_tests }} + {{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_2_1_1 }} +command: + gpg_keys_list: + title: 1.2.1.1 | Ensure GPG keys are configured | Manual + exit-status: 0 + exec: echo "MANUAL - Please check manually for gpg keys" + stdout: + - '!/^MANUAL.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.2.1.1 + CISv8: + - 7.3 + - 7.4 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: SI-2 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_1/cis_1.2.1/cis_1.2.1.2.yml b/section_1/cis_1.2.1/cis_1.2.1.2.yml new file mode 100644 index 0000000..fa37d8a --- /dev/null +++ b/section_1/cis_1.2.1/cis_1.2.1.2.yml @@ -0,0 +1,22 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_2_1_2}} +command: + gpg_configd: + title: 1.2.1.2 | Ensure package manager repositories are configured | Manual + exec: echo "MANUAL - Please check manually that repositories are configured as expected" + exit-status: 0 + stdout: + - '!/^MANUAL.*/' + meta: + server: 1 + workstation: 2 + CIS_ID: 1.2.1.2 + CISv8: 7.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: SI-2 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.2.2/cis_1.2.2.1.yml b/section_1/cis_1.2.2/cis_1.2.2.1.yml new file mode 100644 index 0000000..ea02980 --- /dev/null +++ b/section_1/cis_1.2.2/cis_1.2.2.1.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_2_2_1 }} +command: + check_updates: + title: 1.2.2.1 | Ensure updates, patches, and additional security software are installed + exec: apt update | tail -1 + exit-status: 0 + timeout: {{ .Vars.timeout_ms }} + stdout: + - '!/^[1-9]{0,4}$ packages can be upgraded/' + - '/^All packages are up to date/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.2.2.1 + CISv8: 7.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: SI-2 + {{ end }} +{{ end }} 
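Review bot: `gpg_keys_list` is a manual-reminder test (a constant `echo` deliberately failed by `'!/^MANUAL.*/'`), yet it is wrapped in `{{ if .Vars.run_heavy_tests }}`; nothing about it is heavy, and the effect is that the reminder to review APT signing keys disappears from normal runs. Drop the `run_heavy_tests` guard so it is gated like its sibling 1.2.1.2, or add a comment explaining why it is opted out.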
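Review bot: `check_updates` runs `apt update` from inside an audit, which rewrites `/var/lib/apt/lists`, needs root and network egress, and uses a CLI that apt itself warns is not script-stable — an audit should be read-only. The negative pattern `'!/^[1-9]{0,4}$ packages can be upgraded/'` is also inert: the `$` anchor in the middle cannot be followed by text, so the line it is meant to reject never matches and the test rests entirely on the positive `All packages are up to date` match. Suggest a read-only query such as `exec: apt-get -s upgrade | grep -E '^[0-9]+ upgraded'` with `stdout: - '/^0 upgraded/'`, and delete the broken negative pattern.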
diff --git a/section_1/cis_1.3.1/cis_1.3.1.1.yml b/section_1/cis_1.3.1/cis_1.3.1.1.yml new file mode 100644 index 0000000..ee116d2 --- /dev/null +++ b/section_1/cis_1.3.1/cis_1.3.1.1.yml @@ -0,0 +1,21 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_3_1_1 }} +package: + apparmor: + title: 1.3.1.1 | Ensure AppArmor is installed + installed: true + name: apparmor + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.3.1.1 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: AC-3 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.3.1/cis_1.3.1.2.yml b/section_1/cis_1.3.1/cis_1.3.1.2.yml new file mode 100644 index 0000000..bee2a01 --- /dev/null +++ b/section_1/cis_1.3.1/cis_1.3.1.2.yml @@ -0,0 +1,43 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_3_1_2 }} +file: + apparmor_boot_grub: + title: 1.3.1.2 | Ensure AppArmor is enabled in the bootloader configuration | running grub + path: /boot/grub/grub.cfg + exists: true + contents: + - '/apparmor=1/' + - '/security=apparmor/' + - '!/apparmor=0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.3.1.2 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: AC-3 + grub_app_armor: + title: 1.3.1.2 | Ensure AppArmor is enabled in the bootloader configuration | default grub + exists: true + path: /etc/default/grub + contents: + - '/^GRUB_CMDLINE_LINUX.*apparmor=1/' + - '/^GRUB_CMDLINE_LINUX.*security=apparmor/' + - '!/apparmor=0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.3.1.2 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: AC-3 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.3.1/cis_1.3.1.3.yml b/section_1/cis_1.3.1/cis_1.3.1.3.yml new file mode 100644 index 0000000..8241107 --- /dev/null +++ b/section_1/cis_1.3.1/cis_1.3.1.3.yml 
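Review bot: `apparmor_boot_grub` matches `apparmor=1` and `security=apparmor` anywhere in `/boot/grub/grub.cfg`, so a single menu entry (or a comment) carrying them passes the test even if other `linux` lines boot without AppArmor; the control requires every kernel line to carry both parameters. A `command` test expresses that directly: `exec: grep "^\s*linux" /boot/grub/grub.cfg | grep -v "apparmor=1"` with `stdout: - '!/.*/'`, and the same for `security=apparmor`, fails when any boot entry lacks the flag. The `/etc/default/grub` pattern `^GRUB_CMDLINE_LINUX.*apparmor=1` also accepts `GRUB_CMDLINE_LINUX_DEFAULT`, which is fine but worth a comment, since that variable is, as far as I recall, not applied to recovery entries.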
@@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} +{{ if not .Vars.ubtu24cis_apparmor_disable }} + {{ if .Vars.ubtu24cis_rule_1_3_1_3 }} +command: + apparmor_enf_or_comp: + title: 1.3.1.3 | Ensure all AppArmor Profiles are in enforce or complain mode | profile + exec: LOADED=`apparmor_status | grep 'profiles are loaded' | awk '{print $1}'` && ENFORCE=`apparmor_status | grep 'profiles are in enforce mode.' | awk '{print $1}'` && COMPLAIN=`apparmor_status | grep 'profiles are in complain mode.' | awk '{print $1}'` && if [ $((LOADED + COMPLAIN)) != "$ENFORCE" ]; then echo "Profiles Error";fi + exit-status: 0 + stdout: + - '!/Profiles Error/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.3.1.3 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: AC-3 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_1/cis_1.3.1/cis_1.3.1.4.yml b/section_1/cis_1.3.1/cis_1.3.1.4.yml new file mode 100644 index 0000000..87eb40b --- /dev/null +++ b/section_1/cis_1.3.1/cis_1.3.1.4.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} +{{ if not .Vars.ubtu24cis_apparmor_disable }} + {{ if .Vars.ubtu24cis_rule_1_3_1_4 }} +command: + apparmor_enf_only: + title: 1.3.1.4 | Ensure all AppArmor Profiles are enforcing + exec: if [ `apparmor_status | grep 'profiles are in complain mode.' | awk '{print $1}'` == 0 ]; then echo "Not Enforcing" ;fi + exit-status: 0 + stdout: + - '!/Not Enforcing/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 1.3.1.4 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: AC-3 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_1/cis_1.4/cis_1.4.1.yml b/section_1/cis_1.4/cis_1.4.1.yml new file mode 100644 index 0000000..dd81d5e --- /dev/null +++ b/section_1/cis_1.4/cis_1.4.1.yml 
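Review bot: The arithmetic in `apparmor_enf_or_comp` is inverted: `[ $((LOADED + COMPLAIN)) != "$ENFORCE" ]` compares loaded+complain with enforce, which only holds when nothing is in complain mode, so any host with a complain-mode profile is reported as `Profiles Error`; the intended invariant is loaded == enforce + complain. Change it to `if [ "$LOADED" -ne $((ENFORCE + COMPLAIN)) ]; then echo "Profiles Error"; fi`. Be aware that on 24.04 `apparmor_status` may also report profiles in kill or unconfined mode, in which case even the corrected sum needs those counts added — confirm on a stock host. The control also expects `0 processes are unconfined`, which this test presumably should assert as a second stdout pattern.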
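Review bot: `apparmor_enf_only` has its condition inverted: it echoes `Not Enforcing` when the complain-mode count is 0, which is the compliant state, and stays silent when profiles are in complain mode. The `==` operator is also not POSIX `test`; goss runs `exec` through `sh -c`, which is dash on Ubuntu, so `[ x == 0 ]` is an "unexpected operator" error and the test fails on exit status before the logic is even reached. Suggested: `exec: if [ "$(apparmor_status | grep 'profiles are in complain mode.' | awk '{print $1}')" -ne 0 ]; then echo "Not Enforcing"; fi`.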
@@ -0,0 +1,24 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_4_1 }} +file: + bootloader_password_set: + title: 1.4.1 | Ensure bootloader password is set + path: /etc/grub.d/00_user + exists: true + contents: + - '/set superusers="{{ .Vars.ubtu24cis_grub_user }}"/' + - '/password_pbkdf2 {{ .Vars.ubtu24cis_grub_user }} {{ .Vars.ubtu24cis_bootloader_password_hash }}/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.4.1 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: AC-3 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.4/cis_1.4.2.yml b/section_1/cis_1.4/cis_1.4.2.yml new file mode 100644 index 0000000..0d77bed --- /dev/null +++ b/section_1/cis_1.4/cis_1.4.2.yml @@ -0,0 +1,27 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_4_2 }} +file: + default_grub_perms: + title: 1.4.2 | Ensure access to bootloader if configured + exists: true + path: /boot/grub/grub.cfg + owner: root + group: root + mode: + or: + - "0400" + - "0600" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.4.2 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: AC-3 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.5/cis_1.5.1.yml b/section_1/cis_1.5/cis_1.5.1.yml new file mode 100644 index 0000000..6d7dc0f --- /dev/null +++ b/section_1/cis_1.5/cis_1.5.1.yml 
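Review bot: `bootloader_password_set` only inspects `/etc/grub.d/00_user`, the source script, and never confirms the password reached `/boot/grub/grub.cfg`, which is what GRUB actually evaluates; a host where `update-grub` was never run after editing the script passes. Add a second `file` entry on `/boot/grub/grub.cfg` with `- '/^set superusers/'` and `- '/^password_pbkdf2/'`, which is what the benchmark audit greps for. Hard-coding `00_user` is also brittle — any `/etc/grub.d/*` file is a valid home for these lines — and embedding the expected hash means `ubtu24cis_bootloader_password_hash` must be kept in sync between the audit vars and the host, with its regex metacharacters (`.`) unescaped.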
@@ -0,0 +1,40 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_5_1 }} +kernel-param: + kernel.randomize_va_space: + title: 1.5.1 | Ensure address space layout randomization (ASLR) is enabled | sysctl_live + value: '2' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.5.1 + CISv8: 10.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-6 +command: + aslr_enabled_2: + title: 1.5.1 | Ensure address space layout randomization (ASLR) is enabled | sysctl_configured + exit-status: + or: + - 0 + - 2 + exec: 'grep "^kernel\.randomize_va_space" /etc/sysctl.conf /etc/sysctl.d/* | cut -d ":" -f2' + stdout: + - '/kernel.randomize_va_space(\s|)=(\s|)2/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.5.1 + CISv8: 10.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-6 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.5/cis_1.5.2.yml b/section_1/cis_1.5/cis_1.5.2.yml new file mode 100644 index 0000000..7f80d99 --- /dev/null +++ b/section_1/cis_1.5/cis_1.5.2.yml @@ -0,0 +1,40 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_5_2 }} +kernel-param: + kernel.yama.ptrace_scope: + title: 1.5.2 | Ensure ptrace_scope is restricted | sysctl_live + value: '1' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.5.1 + CISv8: 10.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-6 +command: + ptrace_restrict_2: + title: 1.5.1 | Ensure ptrace_scope is restricted | sysctl_configured + exit-status: + or: + - 0 + - 2 + exec: 'grep "^kernel\.yama.ptrace_scope" /etc/sysctl.conf /etc/sysctl.d/* | cut -d ":" -f2' + stdout: + - '/kernel.yama.ptrace_scope\s*=\s*1/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.5.1 + CISv8: 10.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-6 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.5/cis_1.5.3.yml b/section_1/cis_1.5/cis_1.5.3.yml new file mode 100644 index 0000000..36313bf --- /dev/null 
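Review bot: `aslr_enabled_2` passes as long as one file in `/etc/sysctl.conf` or `/etc/sysctl.d/*` sets `kernel.randomize_va_space = 2`; a second file setting it to 0 or 1 — which wins if it sorts later — goes unnoticed, so the "configured" half of the control can give a false pass that the live `kernel-param` check only covers until the next reboot. Add a negative pattern, `- '!/kernel.randomize_va_space\s*=\s*[01]/'`, and widen the search to the other directories `sysctl --system` reads (`/run/sysctl.d/*.conf`, `/usr/lib/sysctl.d/*.conf`, `/usr/local/lib/sysctl.d/*.conf`). Quoting the glob list in a comment explaining the precedence order would help the next maintainer.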
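Review bot: Both tests in this file carry `CIS_ID: - 1.5.1` and the command's title reads `1.5.1 | Ensure ptrace_scope is restricted`, but this is control 1.5.2 (the file name and the first title agree), so results will be attributed to ASLR in any CIS_ID-keyed report. Change both `CIS_ID` entries and the second title to `1.5.2`. The grep pattern `^kernel\.yama.ptrace_scope` also leaves the second dot unescaped — harmless here, but `^kernel\.yama\.ptrace_scope` is what was meant.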
+++ b/section_1/cis_1.5/cis_1.5.3.yml @@ -0,0 +1,94 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_5_3 }} +command: + core_dumps_limits: + title: 1.5.3 | Ensure core dumps are restricted | security/limits.conf + exit-status: + or: + - 0 + - 2 + exec: 'grep -E "\*.*hard.*core.*0" /etc/security/limits.conf /etc/security/limits.d/*' + stdout: + - '/^\/*.*\shard.*core.*0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.5.3 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + Mitre_Techniques: + - T1005 + - T1005.000 + Mitre_Tactics: TA0007 + Mitre_Mitigations: NA + suid_dumpable_2: + title: 1.5.3 | Ensure core dumps are restricted | sysctl.conf + exit-status: 0 + exec: 'grep "fs\.suid_dumpable" /etc/sysctl.conf /etc/sysctl.d/*' + stdout: + - fs.suid_dumpable=0 + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.5.3 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: CM-6 +kernel-param: + fs.suid_dumpable: + title: 1.5.3 | Ensure core dumps are restricted | kernel_sysctl + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.5.3 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: CM-6 +service: + coredump: + title: 1.5.3 | Ensure core dumps are restricted | coredump service + enabled: false + running: false + skip: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.5.3 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: CM-6 +file: + coredump_restricted_conf: + title: 1.5.3 | Ensure core dumps are restricted | coredump.conf + exists: true + path: /etc/systemd/coredump.conf + contents: + - '/^Storage=none/' + - '/^ProcessSizeMax=0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.5.3 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: CM-6 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.5/cis_1.5.4.yml b/section_1/cis_1.5/cis_1.5.4.yml new file mode 100644 index 0000000..100825d --- /dev/null 
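Review bot: `core_dumps_limits` accepts any `hard core` value containing a zero: both the grep `\*.*hard.*core.*0` and the stdout pattern `core.*0` match `* hard core 10` or `100`, so a host that merely caps dumps passes a control whose intent is zero. Anchor the value: `exec: 'grep -Es "^\s*\*\s+hard\s+core\s+0\s*$" /etc/security/limits.conf /etc/security/limits.d/*'` with `stdout: - '/\*\s+hard\s+core\s+0\s*$/'`. Two further gaps: `service: coredump` is not the systemd unit name (`systemd-coredump.socket`), and goss appears to report an unknown unit as neither enabled nor running, so that test passes vacuously; and `suid_dumpable_2` uses a plain `fs.suid_dumpable=0` substring where 1.5.1 tolerates `key = value` spacing via regex, so a `fs.suid_dumpable = 0` line fails here. `/etc/systemd/coredump.conf.d/*.conf` drop-ins are not consulted either.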
+++ b/section_1/cis_1.5/cis_1.5.4.yml @@ -0,0 +1,23 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_5_4 }} +package: + prelink: + title: 1.5.4 | Ensure prelink is not installed + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.5.4 + CISv8: 3.14 + CISv8_IG1: false + CISv8_IG2: false + CISv8_IG3: true + NIST800-53R5: + - CM-6 + - CM-1 + - CM-3 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.5/cis_1.5.5.yml b/section_1/cis_1.5/cis_1.5.5.yml new file mode 100644 index 0000000..22d97d2 --- /dev/null +++ b/section_1/cis_1.5/cis_1.5.5.yml @@ -0,0 +1,36 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_5_5 }} +package: + apport: + title: 1.5.5 | Ensure Automatic Error Reporting is not enabled | Package + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.5.5 + CISv8: 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true +file: + error_report_apport_disable: + title: 1.5.5 | Ensure Automatic Error Reporting is not enabled | disabled + exists: true + path: /etc/default/apport + contents: + - 'enabled=0' + - '!/enabled=1/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.5.5 + CISv8: 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_1/cis_1.6/cis_1.6.1.yml b/section_1/cis_1.6/cis_1.6.1.yml new file mode 100644 index 0000000..568412c --- /dev/null +++ b/section_1/cis_1.6/cis_1.6.1.yml 
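Review bot: `apport` (`installed: false`) and `error_report_apport_disable` (`/etc/default/apport` with `exists: true` and `enabled=0`) cannot both pass: a host that followed the removal remediation (`apt purge apport`) loses `/etc/default/apport` and fails the file test, while a host that kept the package and set `enabled=0` fails the package test. The control accepts either state; model that with a variable guard, e.g. `{{ if .Vars.ubtu24cis_apport_remove }}` around the package test and `{{ else }}` around the file test. Separately, goss treats the unanchored plain string `'enabled=0'` as a contains match, so a commented `#enabled=0` satisfies it — use `'/^enabled=0/'`.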
@@ -0,0 +1,69 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_6_1 }} +file: + etc_motd_content: + title: 1.6.1 | Ensure message of the day is configured properly | motd file correct + path: /etc/motd + exists: true + contents: + - {{ .Vars.ubtu24cis_warning_banner }} + - '!/(\\v|\\r|\\m|\\s)/' + - '!/\/etc\/os-release/' + - '!/(?i)ubuntu/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.6.1 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: + - CM-6 + - CM-1 + - CM-3 +{{ if .Vars.ubtu24cis_disable_dynamic_motd }} + disable_dyn_motd: + title: 1.6.1 | Ensure message of the day is configured properly | stop dynamic load + path: /etc/pam.d/sshd + exists: true + contents: + - '/#\s*session\s+optional\s+pam_motd.so\s+motd=/run/motd.dynamic/' + - '/#\s*session\s+optional\s+pam_motd.so noupdate/' + - '!/^session\s+optional\s+pam_motd.so noupdate/' + - '!/^session\s+optional\s+pam_motd.so\s+motd=/run/motd.dynamic/' +{{ end }} +{{ if not .Vars.ubtu24cis_disable_dynamic_motd }} +command: + check_motd_files: + title: 1.6.1 | Ensure message of the day is configured properly | dynamic motd files + exec: "grep -Eis \"(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/\"//g'))\" /etc/update-motd.d/*" + exit-status: + or: + - 0 + - 1 + - 2 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.6.1 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + Mitre_Techniques: + - T1082 + - T1082.000 + - T1592 + - T1592.004 + Mitre_Tactics: TA0007 + Mitre_Mitigations: NA + {{ end }} + {{ end }} +{{ end }} diff --git a/section_1/cis_1.6/cis_1.6.2.yml b/section_1/cis_1.6/cis_1.6.2.yml new file mode 100644 index 0000000..9fb2d52 --- /dev/null +++ b/section_1/cis_1.6/cis_1.6.2.yml 
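Review bot: `disable_dyn_motd` is the only test in this section without a `meta:` block, so anything that filters or reports by `CIS_ID` or the `server`/`workstation` level tags will drop or mishandle it; give it the same meta as `etc_motd_content`. The unquoted `- {{ .Vars.ubtu24cis_warning_banner }}` is rendered as a plain YAML scalar, so a banner containing `: `, ` #` or a leading quote breaks the whole file at parse time, and it is then matched as a bare substring — quote it, `- '{{ .Vars.ubtu24cis_warning_banner }}'`. Note also that `exists: true` on `/etc/motd` fails hosts that applied the alternative remediation of deleting the file, which the benchmark text for 1.6.1 permits as I read it; consider gating that test on a variable.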
@@ -0,0 +1,29 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_6_2 }} +command: + local_login_banner: + title: 1.6.2 | Ensure local login warning banner is configured properly + exec: grep -Eis "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/issue + exit-status: + or: + - 0 + - 1 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.6.2 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: + - CM-6 + - CM-1 + - CM-3 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.6/cis_1.6.3.yml b/section_1/cis_1.6/cis_1.6.3.yml new file mode 100644 index 0000000..7ee64c8 --- /dev/null +++ b/section_1/cis_1.6/cis_1.6.3.yml @@ -0,0 +1,29 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_6_3 }} +command: + cremote_login_banner: + title: 1.6.3 | Ensure remote login warning banner is configured properly + exec: grep -Eis "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/issue.net + exit-status: + or: + - 0 + - 1 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.6.3 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: + - CM-6 + - CM-1 + - CM-3 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.6/cis_1.6.4.yml b/section_1/cis_1.6/cis_1.6.4.yml new file mode 100644 index 0000000..cfcef1e --- /dev/null +++ b/section_1/cis_1.6/cis_1.6.4.yml 
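Review bot: `local_login_banner` only proves `/etc/issue` contains none of the `\v \r \m \s` escapes or the OS ID; a zero-length file passes, because grep exits 1 with empty stdout and both are accepted. The control is about an approved warning banner being present, and 1.6.1 already checks the configured `ubtu24cis_warning_banner` text for `/etc/motd`, so add a `file` test on `/etc/issue` with `exists: true` and the banner text as content. As written a wiped `/etc/issue` is reported compliant.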
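Review bot: The test key `cremote_login_banner` looks like a typo for `remote_login_banner`; goss uses the key as the test id in its output, so the misspelling propagates into every report and any allow-list keyed on it. Rename it. Note also that a zero-length `/etc/issue.net` passes, since only forbidden tokens are checked and no banner text is required.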
@@ -0,0 +1,26 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_6_4 }} +exec: + motd_permissions: + title: 1.6.4 | Ensure access to /etc/motd is configured + exec: FILE=/etc/motd && if [ -f $FILE ]; then PERMS=`stat -c '%U %G %a' $FILE`; if [ "$PERMS" != "root root 644" ]; then echo "Permissions Incorrect"; fi; fi + exit-status: 0 + stdout: + - '!/^Permissions Incorrect/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.6.4 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-6 + - CM-1 + - CM-3 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.6/cis_1.6.5.yml b/section_1/cis_1.6/cis_1.6.5.yml new file mode 100644 index 0000000..1d72c2e --- /dev/null +++ b/section_1/cis_1.6/cis_1.6.5.yml @@ -0,0 +1,27 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_6_5 }} +file: + etc_issue_perms: + title: 1.6.5 | Ensure acces to /etc/issue is configured + exists: true + path: /etc/issue + owner: root + group: root + mode: '0644' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.6.5 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-6 + - CM-1 + - CM-3 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.6/cis_1.6.6.yml b/section_1/cis_1.6/cis_1.6.6.yml new file mode 100644 index 0000000..c53fb87 --- /dev/null +++ b/section_1/cis_1.6/cis_1.6.6.yml @@ -0,0 +1,27 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_1_6_6 }} +file: + etc_issue_net_perms: + title: 1.6.6 | Ensure access to /etc/issue.net is configured + path: /etc/issue.net + exists: true + owner: root + group: root + mode: '0644' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.6.6 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-6 + - CM-1 + - CM-3 + {{ end }} +{{ end }} diff --git a/section_1/cis_1.7/cis_1.7.1.yml b/section_1/cis_1.7/cis_1.7.1.yml new file mode 100644 index 0000000..3c34df8 --- /dev/null 
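Review bot: The resource type `exec:` in `motd_permissions` is not a goss resource — the command resource is `command:`, as 1.6.2 and 1.6.3 use — so goss rejects this file when it is included and the whole 1.6.4 check is dead until the key is renamed to `command:`. The comparison is also stricter than the control: `"$PERMS" != "root root 644"` fails a `/etc/motd` at 600 or 640, which the benchmark accepts as "644 or more restrictive". Replace the `if` with a case list, `case "$PERMS" in "root root 644"|"root root 640"|"root root 600"|"root root 444"|"root root 440"|"root root 400") ;; *) echo "Permissions Incorrect";; esac`, keeping the existing `-f` guard so a missing file stays compliant.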
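Review bot: `etc_issue_perms` pins `mode: '0644'` exactly, but the control text is "644 or more restrictive", so a hardened `/etc/issue` at 0600 or 0444 is reported as a failure. Use the `or:` form already used for `/boot/grub/grub.cfg` in 1.4.2, `mode:` / `or:` / `- "0644"` followed by the more restrictive variants. The title also misspells "access".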
+++ b/section_1/cis_1.7/cis_1.7.1.yml @@ -0,0 +1,22 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if not .Vars.ubtu24cis_desktop_required }} + {{ if .Vars.ubtu24cis_rule_1_7_1 }} +package: + gdm3: + title: 1.7.1 | Ensure GNOME Display Manager is removed + installed: false + meta: + server: 2 + workstation: NA + CIS_ID: + - 1.7.1 + CISv8: 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-11 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_1/cis_1.7/cis_1.7.10.yml b/section_1/cis_1.7/cis_1.7.10.yml new file mode 100644 index 0000000..1f2bcbc --- /dev/null +++ b/section_1/cis_1.7/cis_1.7.10.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_desktop_required }} + {{ if .Vars.ubtu24cis_rule_1_7_10 }} +file: + gdm_xdcmp: + title: 1.7.10 | Ensure XDCMP is not enabled + path: /etc/gdm3/custom.conf + exists: true + contents: + - '!/^Enable=true/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.7.10 + CISv8: 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: SI-4 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_1/cis_1.7/cis_1.7.2.yml b/section_1/cis_1.7/cis_1.7.2.yml new file mode 100644 index 0000000..c1af958 --- /dev/null +++ b/section_1/cis_1.7/cis_1.7.2.yml @@ -0,0 +1,32 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_desktop_required }} + {{ if .Vars.ubtu24cis_rule_1_7_2 }} +file: + gdm_banner: + title: 1.7.2 | Ensure GDM login banner is configured + path: /etc/gdm3/greeter.dconf-defaults + exists: true + contents: + - '/^[org/gnome/login-screen]/' + - '/^banner-message-enable=true/' + - '/^banner-message-text='{{ .Vars.ubtu24cis_warning_banner }}'/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.7.2 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} + {{ end }} +{{ end }} 
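Review bot: `gdm_xdcmp` rejects any line starting `Enable=true` in `/etc/gdm3/custom.conf` regardless of section, while `[debug]` in the same file also uses an `Enable=` key, so turning on GDM debug logging fails the XDMCP control; conversely `Enable = true` (with spaces) under `[xdmcp]` slips through. A section-aware command is more reliable: `exec: awk '/^\[xdmcp\]/{f=1;next} /^\[/{f=0} f && tolower($0) ~ /^[[:space:]]*enable[[:space:]]*=[[:space:]]*true/' /etc/gdm3/custom.conf` with `exit-status: 0` and `stdout: - '!/.*/'`.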
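Review bot: The last content line of `gdm_banner`, `'/^banner-message-text='{{ .Vars.ubtu24cis_warning_banner }}'/'`, is not valid YAML: the single-quoted scalar ends at the second `'` and the trailing text makes the file fail to parse, so none of 1.7.2 runs. Write it as one quoted scalar, `- "/^banner-message-text='{{ .Vars.ubtu24cis_warning_banner }}'/"`, bearing in mind the banner is then interpreted as a regex. Also, `'/^[org/gnome/login-screen]/'` is a regex whose brackets form a character class, so it matches any line beginning with one of those characters rather than the section header; escape it as `'/^\[org\/gnome\/login-screen\]/'`.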
diff --git a/section_1/cis_1.7/cis_1.7.3.yml b/section_1/cis_1.7/cis_1.7.3.yml new file mode 100644 index 0000000..4ee46fa --- /dev/null +++ b/section_1/cis_1.7/cis_1.7.3.yml @@ -0,0 +1,31 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_desktop_required }} + {{ if .Vars.ubtu24cis_rule_1_7_3 }} +command: + gdm_disable_user: + title: 1.7.3 | Ensure disable-user-list is enabled + exec: grep -E "^disable-user-list" /etc/gdm3/greeter.dconf-defaults + exit-status: 0 + stdout: + - '/^disable-user-list=true/' + - '!/^disable-user-list=false/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.7.3 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_1/cis_1.7/cis_1.7.4.yml b/section_1/cis_1.7/cis_1.7.4.yml new file mode 100644 index 0000000..399ef33 --- /dev/null +++ b/section_1/cis_1.7/cis_1.7.4.yml @@ -0,0 +1,27 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_desktop_required }} + {{ if .Vars.ubtu24cis_rule_1_7_4 }} +file: + gdm_screensaver: + title: 1.7.4 | Ensure GDM screen locks when the user is idle + path: /etc/dconf/db/local.d/00-screensaver + exists: true + contents: + - '/^[org/gnome/desktop/session]/' + - '/^idle-delay=uint32 (1|[1-9]|[1-7][0-9]{1,2}|900)$/' + - '/^lock-delay=uint32 [0-5]$/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.7.4 + CISv8: 4.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} + {{ end }} +{{ end }} diff --git a/section_1/cis_1.7/cis_1.7.5.yml b/section_1/cis_1.7/cis_1.7.5.yml new file mode 100644 index 0000000..6216638 --- /dev/null +++ b/section_1/cis_1.7/cis_1.7.5.yml 
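Review bot: The `idle-delay` pattern in `gdm_screensaver`, `(1|[1-9]|[1-7][0-9]{1,2}|900)$`, accepts 1–799 and exactly 900 but rejects 800–899, all of which satisfy "900 seconds or less, not 0"; a site using 840 is reported non-compliant. Use `'/^idle-delay=uint32 ([1-9]|[1-9][0-9]|[1-8][0-9]{2}|900)$/'`. The test also requires only the `[org/gnome/desktop/session]` header, yet `lock-delay` lives under `/org/gnome/desktop/screensaver/` (as the lock path in 1.7.5 shows), so a `lock-delay` placed under the session section is silently ignored by dconf while this check passes — require the `[org/gnome/desktop/screensaver]` header too. Both header patterns are unescaped character classes and should read `'/^\[org\/gnome\/desktop\/session\]/'` and `'/^\[org\/gnome\/desktop\/screensaver\]/'`.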
@@ -0,0 +1,26 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_desktop_required }} + {{ if .Vars.ubtu24cis_rule_1_7_5 }} +file: + screensaver_lock_file: + title: 1.7.5 | Ensure GDM screen locks cannot be overridden + path: /etc/dconf/db/local.d/locks/00-screensave_lock + exists: true + contents: + - '^\/org\/gnome\/desktop\/session\/idle-delay/' + - '^/\/org\/gnome\/desktop\/screensaver\/lock-delay/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.7.5 + CISv8: 4.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-11 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_1/cis_1.7/cis_1.7.6.yml b/section_1/cis_1.7/cis_1.7.6.yml new file mode 100644 index 0000000..48ab163 --- /dev/null +++ b/section_1/cis_1.7/cis_1.7.6.yml @@ -0,0 +1,32 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_desktop_required }} + {{ if .Vars.ubtu24cis_rule_1_7_6 }} +file: + gnome_automount_disable: + title: 1.7.6 | Ensure GDM automatic mounting of removable media is disabled + path: /etc/dconf/db/local.d/00-media-automount + exists: true + contents: + - '/^[org/gnome/desktop/media-handling]/' + - '/^automount=false/' + - '/^automount-open=false/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.7.6 + CISv8: 10.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_1/cis_1.7/cis_1.7.7.yml b/section_1/cis_1.7/cis_1.7.7.yml new file mode 100644 index 0000000..82f3dc0 --- /dev/null +++ b/section_1/cis_1.7/cis_1.7.7.yml 
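Review bot: Neither content pattern in `screensaver_lock_file` is a regex as goss sees it: a pattern is only treated as a regex when it starts and ends with `/`, and these begin with `^`, so goss searches for the literal strings `^\/org\/gnome\/desktop\/session\/idle-delay/` and `^/\/org\/…` and the test can never pass on a compliant host. Write them as `- '/^\/org\/gnome\/desktop\/session\/idle-delay$/'` and `- '/^\/org\/gnome\/desktop\/screensaver\/lock-delay$/'`.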
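Review bot: In `gnome_automount_disable` the header pattern `'/^[org/gnome/desktop/media-handling]/'` is a character class, not a literal section header, so it is satisfied by any line beginning with `o`, `g`, `/`, `-` and so on — the `[org/gnome/desktop/media-handling]` header itself is never actually required. Escape it: `'/^\[org\/gnome\/desktop\/media-handling\]/'`.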
@@ -0,0 +1,31 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_desktop_required }} + {{ if .Vars.ubtu24cis_rule_1_7_7 }} +file: + gnome_automount_lock: + title: 1.7.7 | Ensure GDM disabling automatic mounting of removable media is not overridden + path: /etc/dconf/db/local.d/locks/00-automount_lock + exists: true + contents: + - '^/\/org\/gnome\/desktop\/media-handling\/automount/' + - '^/\/org\/gnome\/desktop\/media-handling\/automount-open/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.7.7 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_1/cis_1.7/cis_1.7.8.yml b/section_1/cis_1.7/cis_1.7.8.yml new file mode 100644 index 0000000..38c7ca6 --- /dev/null +++ b/section_1/cis_1.7/cis_1.7.8.yml @@ -0,0 +1,31 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_desktop_required }} + {{ if .Vars.ubtu24cis_rule_1_7_8 }} +file: + gdm_autorun_never: + title: 1.7.8 | Ensure GDM autorun-never is enabled + path: /etc/dconf/db/local.d/00-media-autorun + exists: true + contents: + - '/^[org/gnome/desktop/media-handling]/' + - '/^autrun-never=true/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.7.8 + CISv8: 10.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_1/cis_1.7/cis_1.7.9.yml b/section_1/cis_1.7/cis_1.7.9.yml new file mode 100644 index 0000000..1152cbf --- /dev/null +++ b/section_1/cis_1.7/cis_1.7.9.yml 
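Review bot: Both content patterns in `gnome_automount_lock` begin with `^` rather than `/`, so goss does not treat them as regular expressions and instead searches for the literal strings `^/\/org\/gnome\/desktop\/media-handling\/automount/` and `…\/automount-open/`, which no lock file contains; the test fails on every host. Write them as `- '/^\/org\/gnome\/desktop\/media-handling\/automount$/'` and `- '/^\/org\/gnome\/desktop\/media-handling\/automount-open$/'`.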
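Review bot: `gdm_autorun_never` requires the line `autrun-never=true`; the dconf key is `autorun-never`, so a correctly configured `/etc/dconf/db/local.d/00-media-autorun` fails this test and a file with the misspelled key (which dconf ignores) passes it — the check is inverted relative to the real setting. Fix the pattern to `'/^autorun-never=true/'`. The header pattern `'/^[org/gnome/desktop/media-handling]/'` is also an unescaped character class and should be `'/^\[org\/gnome\/desktop\/media-handling\]/'`.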
@@ -0,0 +1,30 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_desktop_required }} + {{ if .Vars.ubtu24cis_rule_1_7_9 }} +file: + gdm_autorun_lock: + title: 1.7.9 | Ensure GDM autorun-never is not overridden + path: /etc/dconf/db/local.d/locks/00-autorun_lock + exists: true + contents: + - '^/\/org\/gnome\/desktop\/media-handling\/autorun-never/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.7.9 + CISv8: 10.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.1.yml b/section_2/cis_2.1/cis_2.1.1.yml new file mode 100644 index 0000000..b1662c6 --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.1.yml @@ -0,0 +1,50 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_1_1 }} + {{ if not .Vars.ubtu24cis_autofs_services }} + {{ if not .Vars.ubtu24cis_autofs_mask }} +package: + autofs_pkg: + title: 2.1.1 | Ensure autofs services are not in use | pkg removed + name: autofs + installed: false + meta: + server: 1 + workstation: 2 + CIS_ID: + - 2.1.1 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - SI-3 + - MP-7 + {{ end }} + {{ if .Vars.ubtu24cis_autofs_mask }} +file: + autofs_masked: + title: 2.1.1 | Ensure autofs services are not in use | masked + path: /etc/systemd/system/autofs.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 2 + CIS_ID: + - 2.1.1 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - SI-3 + - MP-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.10.yml b/section_2/cis_2.1/cis_2.1.10.yml new file mode 100644 index 0000000..4200b27 --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.10.yml 
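Review bot: The content pattern in `gdm_autorun_lock`, `'^/\/org\/gnome\/desktop\/media-handling\/autorun-never/'`, starts with `^` rather than `/`, so goss does not treat it as a regular expression and searches for that literal string, which no lock file contains; the test cannot pass on a compliant host. Write it as `- '/^\/org\/gnome\/desktop\/media-handling\/autorun-never$/'`.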
@@ -0,0 +1,48 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_1_10 }} + {{ if not .Vars.ubtu24cis_nis_server }} + {{ if not .Vars.ubtu24cis_nis_mask }} +package: + ypserv_pkg: + title: 2.1.10 | Ensure nis server services are not in use | pkg removed + name: ypserv + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.10 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ if .Vars.ubtu24cis_nis_mask }} +file: + ypserv_service_masked: + title: 2.1.10 | Ensure nis server services are not in use | masked + path: /etc/systemd/system/ypserv-server.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.10 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.11.yml b/section_2/cis_2.1/cis_2.1.11.yml new file mode 100644 index 0000000..f9c87a7 --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.11.yml 
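Review bot: The masked path in `ypserv_service_masked` is `/etc/systemd/system/ypserv-server.service`, but as far as I can tell the Ubuntu `ypserv` package ships `ypserv.service` (which is also the unit the benchmark's remediation masks), so `systemctl mask ypserv` would never create the symlink this check looks for and a compliant host fails. Suggest `path: /etc/systemd/system/ypserv.service`; please confirm against the unit list on a 24.04 host with the package installed.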
@@ -0,0 +1,66 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_1_11 }} + {{ if not .Vars.ubtu24cis_print_server }} + {{ if not .Vars.ubtu24cis_print_mask }} +package: + cups_pkg: + title: 2.1.11 | Ensure print server services are not in use | pkg removed + name: cups + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.11 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ if .Vars.ubtu24cis_print_mask }} +file: + cups_service_masked: + title: 2.1.11 | Ensure print server services are not in use | masked + path: /etc/systemd/system/cups.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.11 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + cups_socket_masked: + title: 2.1.11 | Ensure print server services are not in use | masked + path: /etc/systemd/system/cups.socket + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.11 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.12.yml b/section_2/cis_2.1/cis_2.1.12.yml new file mode 100644 index 0000000..4b6c659 --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.12.yml 
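Review bot: `cups_pkg` asserts only that the `cups` package is absent, and on Ubuntu `cups` is, to my recollection, a metapackage while `cupsd` and its units come from `cups-daemon`; `apt remove cups` can leave `cups-daemon` installed and listening, so this resource can pass while a print server is still running. The benchmark's own audit also names only `cups`, so this is a practitioner caveat rather than a benchmark deviation, but a second package resource for `cups-daemon` (or a `service` check that `cups` is not running) would make the removal branch meaningful. The two `_masked` resources also carry identical titles, which makes goss output hard to read when one of them fails.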
@@ -0,0 +1,69 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_1_12 }} + {{ if not .Vars.ubtu24cis_rpc_server }} + {{ if not .Vars.ubtu24cis_rpc_mask }} +package: + rpcbind_pkg: + title: 2.1.12 | Ensure rpcbind services are not in use | pkg removed + name: rpcbind + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.12 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-6 + - CM-7 + {{ end }} + {{ if .Vars.ubtu24cis_rpc_mask }} +file: + rpcbind_service_masked: + title: 2.1.12 | Ensure rpc services are not in use | masked + path: /etc/systemd/system/rpcbind.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.12 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-6 + - CM-7 + rpcbind_socket_masked: + title: 2.1.12 | Ensure rpc services are not in use | masked + path: /etc/systemd/system/rpcbind.socket + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.12 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-6 + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.13.yml b/section_2/cis_2.1/cis_2.1.13.yml new file mode 100644 index 0000000..851ef47 --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.13.yml 
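Review bot: The removal branch of 2.1.12 is gated only on `ubtu24cis_rpc_server`, yet `rpcbind` is a runtime dependency of `nfs-kernel-server`, so a host where `ubtu24cis_nfs_server` is true but `ubtu24cis_rpc_server` is left false is told to remove a package the allowed NFS service needs. Consider gating on both toggles, e.g. `{{ if not (or .Vars.ubtu24cis_rpc_server .Vars.ubtu24cis_nfs_server) }}`, which mirrors the benchmark's note that rpcbind may be required for NFS. Minor: the package title says "rpcbind services" while the masked titles say "rpc services"; pick one.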
@@ -0,0 +1,50 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_1_13 }} + {{ if not .Vars.ubtu24cis_rsync_server }} + {{ if not .Vars.ubtu24cis_rsync_mask }} +package: + rsync_pkg: + title: 2.1.13 | Ensure rsync services are not in use | pkg removed + name: rsync + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.13 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-6 + - CM-7 + {{ end }} + {{ if .Vars.ubtu24cis_rsync_mask }} +file: + rsync_service_masked: + title: 2.1.13 | Ensure rsync services are not in use | masked + path: /etc/systemd/system/rsync.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.13 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-6 + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.14.yml b/section_2/cis_2.1/cis_2.1.14.yml new file mode 100644 index 0000000..b77f880 --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.14.yml 
@@ -0,0 +1,50 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_1_14 }} + {{ if not .Vars.ubtu24cis_samba_server }} + {{ if not .Vars.ubtu24cis_samba_mask }} +package: + samba_pkg: + title: 2.1.14 | Ensure samba file server services are not in use | pkg removed + name: samba + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.14 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-6 + - CM-7 + {{ end }} + {{ if .Vars.ubtu24cis_samba_mask }} +file: + samba_service_masked: + title: 2.1.14 | Ensure samba server services are not in use | masked + path: /etc/systemd/system/smbd.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.14 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-6 + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.15.yml b/section_2/cis_2.1/cis_2.1.15.yml new file mode 100644 index 0000000..03bc1b3 --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.15.yml 
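Review bot: `samba_service_masked` checks only `smbd.service`, but the `samba` package also ships `nmbd.service`, which keeps NetBIOS name service on 137/138 up when only smbd is masked. The benchmark's remediation masks smbd alone, so keeping this as-is is defensible, but if the intent is "samba is not in use" then a second file resource for `/etc/systemd/system/nmbd.service` would reflect that. Please confirm the unit names on a 24.04 host before adding it.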
@@ -0,0 +1,48 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_1_15 }} + {{ if not .Vars.ubtu24cis_snmp_server }} + {{ if not .Vars.ubtu24cis_snmp_mask }} +package: + snmp_pkg: + title: 2.1.15 | Ensure snmp services are not in use | pkg removed + name: snmpd + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.15 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ if .Vars.ubtu24cis_snmp_mask }} +file: + snmp_service_masked: + title: 2.1.15 | Ensure snmp services are not in use | masked + path: /etc/systemd/system/snmpd.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.15 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.16.yml b/section_2/cis_2.1/cis_2.1.16.yml new file mode 100644 index 0000000..8a228a6 --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.16.yml 
@@ -0,0 +1,66 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_1_16 }} + {{ if not .Vars.ubtu24cis_tftp_server }} + {{ if not .Vars.ubtu24cis_tftp_mask }} +package: + tftp_pkg: + title: 2.1.16 | Ensure tftp server services are not in use | pkg removed + name: tftpd-hpa + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.16 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ if .Vars.ubtu24cis_tftp_mask }} +file: + tftp_service_masked: + title: 2.1.16 | Ensure tftp server services are not in use | masked + path: /etc/systemd/system/tftpd-hpa.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.16 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + tftp_socket_masked: + title: 2.1.16 | Ensure tftp server services are not in use | masked + path: /etc/systemd/system/tftp.socket + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.16 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.17.yml b/section_2/cis_2.1/cis_2.1.17.yml new file mode 100644 index 0000000..33ab739 --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.17.yml 
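Review bot: `tftp_socket_masked` looks for `/etc/systemd/system/tftp.socket`, but as far as I know `tftpd-hpa` on Ubuntu ships only `tftpd-hpa.service`; `tftp.socket` is the unit name of the Fedora/RHEL `tftp-server` package. After `systemctl mask tftpd-hpa` that symlink will not exist, so the mask branch fails on a compliant host. Drop the socket resource, or verify the socket unit name on 24.04 before keeping it.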
@@ -0,0 +1,50 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_1_17 }} + {{ if not .Vars.ubtu24cis_squid_server }} + {{ if not .Vars.ubtu24cis_squid_mask }} +package: + squid_pkg: + title: 2.1.17 | Ensure web proxy server services are not in use | pkg removed + name: squid + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.17 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-6 + - CM-7 + {{ end }} + {{ if .Vars.ubtu24cis_squid_mask }} +file: + squid_service_masked: + title: 2.1.17 | Ensure web proxy server services are not in use | masked + path: /etc/systemd/system/squid.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.17 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-6 + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.18_apache2.yml b/section_2/cis_2.1/cis_2.1.18_apache2.yml new file mode 100644 index 0000000..2c0d1c2 --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.18_apache2.yml 
@@ -0,0 +1,66 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_1_18 }} + {{ if not .Vars.ubtu24cis_apache2_server }} + {{ if not .Vars.ubtu24cis_apache2_mask }} +package: + apache2_pkg: + title: 2.1.18 | Ensure web server services are not in use | pkg removed + name: apache2 + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.18 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ if .Vars.ubtu24cis_apache2_mask }} +file: + apache2_service_masked: + title: 2.1.18 | Ensure web server services are not in use | masked + path: /etc/systemd/system/apache2.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.18 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + apache2_socket_masked: + title: 2.1.18 | Ensure web server services are not in use | masked + path: /etc/systemd/system/apache2.socket + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.18 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.18_nginx.yml b/section_2/cis_2.1/cis_2.1.18_nginx.yml new file mode 100644 index 0000000..943d5c2 --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.18_nginx.yml 
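Review bot: `apache2_socket_masked` expects `/etc/systemd/system/apache2.socket`, but to my knowledge the Ubuntu `apache2` package provides no socket unit, so there is nothing to mask and the symlink is never created; the mask branch then always reports a failure. Remove that resource (leaving `apache2_service_masked`), or confirm a socket unit actually exists on 24.04.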
@@ -0,0 +1,48 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_1_18 }} + {{ if not .Vars.ubtu24cis_nginx_server }} + {{ if not .Vars.ubtu24cis_nginx_mask }} +package: + nginx_pkg: + title: 2.1.18 | Ensure web server services are not in use | pkg removed + name: nginx + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.18 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ if .Vars.ubtu24cis_nginx_mask }} +file: + nginx_service_masked: + title: 2.1.18 | Ensure web server services are not in use | masked + path: /etc/systemd/system/nginx.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.18 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.19.yml b/section_2/cis_2.1/cis_2.1.19.yml new file mode 100644 index 0000000..85b7127 --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.19.yml 
@@ -0,0 +1,48 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_1_19 }} + {{ if not .Vars.ubtu24cis_xinetd_server }} + {{ if not .Vars.ubtu24cis_xinetd_mask }} +package: + xinetd_pkg: + title: 2.1.19 | Ensure xinetd services are not in use | pkg removed + name: xinetd + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.19 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ if .Vars.ubtu24cis_xinetd_mask }} +file: + xinetd_service_masked: + title: 2.1.19 | Ensure xinetd services are not in use | masked + path: /etc/systemd/system/xinetd.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.19 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.2.yml b/section_2/cis_2.1/cis_2.1.2.yml new file mode 100644 index 0000000..0aacb59 --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.2.yml 
@@ -0,0 +1,66 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_1_2 }} + {{ if not .Vars.ubtu24cis_avahi_server }} + {{ if not .Vars.ubtu24cis_avahi_mask }} +package: + avahi_pkg: + title: 2.1.2 | Ensure avahi daemon services are not in use | pkg removed + name: avahi + installed: false + meta: + server: 1 + workstation: 2 + CIS_ID: + - 2.1.2 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - SI-4 + {{ end }} + {{ if .Vars.ubtu24cis_avahi_mask }} +file: + avahi_socket_masked: + title: 2.1.2 | Ensure avahi daemon services are not in use | masked + path: /etc/systemd/system/avahi-daemon.socket + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 2 + CIS_ID: + - 2.1.2 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - SI-4 + avahi_service_masked: + title: 2.1.2 | Ensure avahi daemon services are not in use | masked + path: /etc/systemd/system/avahi-daemon.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 2 + CIS_ID: + - 2.1.2 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - SI-4 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.20.yml b/section_2/cis_2.1/cis_2.1.20.yml new file mode 100644 index 0000000..e34ef59 --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.20.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_1_20 }} + {{ if not .Vars.ubtu24cis_xwindow_server }} +package: + xwindow_pkg: + title: 2.1.20 | Ensure X window server services are not in use | pkg removed + name: xserver-common + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.20 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-11 + {{ end }} + {{ end }} +{{ end }} 
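Review bot: `avahi_pkg` uses `name: avahi`, but the Ubuntu package is `avahi-daemon` (there is no `avahi` package), so `installed: false` is trivially true on every host, including ones running the daemon — a silent false negative in the removal branch. The mask resources below already use `avahi-daemon.service`/`avahi-daemon.socket`, so `name: avahi-daemon` is consistent with them and with the benchmark's `dpkg-query -s avahi-daemon` audit.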
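Review bot: The 2.1.20 check gates only on `ubtu24cis_xwindow_server`, while the GDM checks in 1.7.x gate on `ubtu24cis_desktop_required`; a desktop host with GDM needs `xserver-common` (GDM's Xorg/Xwayland stack depends on it, as I understand the dependency chain), so with `desktop_required` true and `xwindow_server` false this resource demands the removal of a package the 1.7 checks assume is present. Consider `{{ if not (or .Vars.ubtu24cis_xwindow_server .Vars.ubtu24cis_desktop_required) }}` so the two toggles cannot contradict each other.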
diff --git a/section_2/cis_2.1/cis_2.1.21.yml b/section_2/cis_2.1/cis_2.1.21.yml new file mode 100644 index 0000000..7cae73d --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.21.yml @@ -0,0 +1,46 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_is_mail_server }} + {{ if .Vars.ubtu24cis_rule_2_1_21 }} +command: + mta_listening_port25: + title: 2.1.21 Ensure mail transfer agent is configured for local-only mode + exit-status: 1 + exec: 'ss -lntu | grep -E ":25\s" | grep -E -v "\s(127.0.0.1|\[?::1\]?):25\s"' + stdout: ['!/./'] + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.21 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 +file: + /etc/postfix/main.conf: + title: 2.1.21 | Ensure mail transfer agent is configured for local-only mode + exists: true + contents: + - '/^inet_interfaces\s*=\s*loopback-only/' + - '!/^inet_interfaces\s*=\s*all/' + - '!/^(?i)inet_interfaces\s*=\s*ipv4/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.21 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.22.yml b/section_2/cis_2.1/cis_2.1.22.yml new file mode 100644 index 0000000..3285bff --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.22.yml @@ -0,0 +1,25 @@ +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_1_22 }} +command: + manual_listening_ports: + title: 2.1.22 | Ensure only approved services are listening on a network interface | Manual Check required + exit-status: + or: + - 0 + - 1 + exec: echo "Manual!! - Please check only approved services are listening" + stdout: ['!/./'] + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.22 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.3.yml b/section_2/cis_2.1/cis_2.1.3.yml new file mode 100644 index 0000000..01af9c0 
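Review bot: The file resource in 2.1.21 points at `/etc/postfix/main.conf`, but Postfix's main configuration is `/etc/postfix/main.cf`; with `exists: true` this check fails on every host regardless of `inet_interfaces`. The gate `{{ if .Vars.ubtu24cis_is_mail_server }}` also reads as inverted if the variable means "this host is a mail server": the local-only check would then run exactly on the hosts that must listen externally and be skipped everywhere else — if it means "an MTA is installed", a name like `ubtu24cis_mta_installed` would avoid that reading. Minor: the command title lacks the ` | ` separator used by every other title in the set.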
--- /dev/null +++ b/section_2/cis_2.1/cis_2.1.3.yml @@ -0,0 +1,66 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_1_3 }} + {{ if not .Vars.ubtu24cis_dhcp_server }} + {{ if not .Vars.ubtu24cis_dhcp_mask }} +package: + dhcp_pkg: + title: 2.1.3 | Ensure dhcp server services are not in use | pkg removed + name: isc-dhcp-server + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.3 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ if .Vars.ubtu24cis_dhcp_mask }} +file: + dhcp_service_masked: + title: 2.1.3 | Ensure dhcp server services are not in use | masked + path: /etc/systemd/system/isc-dhcp-server.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.3 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + dhcp6_service_masked: + title: 2.1.3 | Ensure dhcp server services are not in use | masked + path: /etc/systemd/system/isc-dhcp-server6.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.3 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.4.yml b/section_2/cis_2.1/cis_2.1.4.yml new file mode 100644 index 0000000..927e6ae --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.4.yml 
@@ -0,0 +1,48 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_1_4 }} + {{ if not .Vars.ubtu24cis_dns_server }} + {{ if not .Vars.ubtu24cis_dns_mask }} +package: + dns_pkg: + title: 2.1.4 | Ensure dns server services are not in use | pkg removed + name: bind9 + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.4 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ if .Vars.ubtu24cis_dns_mask }} +file: + dns_service_masked: + title: 2.1.4 | Ensure dns server services are not in use | masked + path: /etc/systemd/system/bind9.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.4 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.5.yml b/section_2/cis_2.1/cis_2.1.5.yml new file mode 100644 index 0000000..2d53305 --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.5.yml 
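Review bot: `dns_service_masked` checks `/etc/systemd/system/bind9.service`, but on recent Ubuntu the real unit shipped by `bind9` is `named.service` with `bind9.service` as an alias, and the benchmark's remediation masks `named.service`; a host hardened that way has `/etc/systemd/system/named.service -> /dev/null` and fails this check, while masking only the alias may not prevent `named.service` from starting. Suggest `path: /etc/systemd/system/named.service`, after confirming the unit layout on 24.04.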
@@ -0,0 +1,48 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_1_5 }} + {{ if not .Vars.ubtu24cis_dnsmasq_server }} + {{ if not .Vars.ubtu24cis_dnsmasq_mask }} +package: + dnsmasq_pkg: + title: 2.1.5 | Ensure dnsmasq server services are not in use | pkg removed + name: dnsmasq + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.5 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ if .Vars.ubtu24cis_dnsmasq_mask }} +file: + dnsmasq_service_masked: + title: 2.1.5 | Ensure dnsmasq server services are not in use | masked + path: /etc/systemd/system/dnsmasq.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.5 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.6.yml b/section_2/cis_2.1/cis_2.1.6.yml new file mode 100644 index 0000000..595f22a --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.6.yml 
@@ -0,0 +1,48 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_1_6 }} + {{ if not .Vars.ubtu24cis_ftp_server }} + {{ if not .Vars.ubtu24cis_ftp_mask }} +package: + ftp_pkg: + title: 2.1.6 | Ensure ftp server services are not in use | pkg removed + name: vsftp + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.6 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ if .Vars.ubtu24cis_ftp_mask }} +file: + ftp_service_masked: + title: 2.1.6 | Ensure ftp server services are not in use | masked + path: /etc/systemd/system/vsftpd.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.6 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.7.yml b/section_2/cis_2.1/cis_2.1.7.yml new file mode 100644 index 0000000..24af33c --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.7.yml @@ -0,0 +1,48 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_1_7 }} + {{ if not .Vars.ubtu24cis_ldap_server }} + {{ if not .Vars.ubtu24cis_ldap_mask }} +package: + ldap_pkg: + title: 2.1.7 | Ensure ldap server services are not in use | pkg removed + name: slapd + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.7 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ if .Vars.ubtu24cis_ldap_mask }} +file: + ldap_service_masked: + title: 2.1.7 | Ensure ldap server services are not in use | masked + path: /etc/systemd/system/slapd.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.7 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} 
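Review bot: `ftp_pkg` in 2.1.6 uses `name: vsftp`, but the Ubuntu package is `vsftpd`; a non-existent package name makes `installed: false` pass unconditionally, so a host running vsftpd is reported compliant in the removal branch. The mask resource below already references `vsftpd.service`, so `name: vsftpd` is the consistent fix.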
diff --git a/section_2/cis_2.1/cis_2.1.8.yml b/section_2/cis_2.1/cis_2.1.8.yml new file mode 100644 index 0000000..cffab98 --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.8.yml @@ -0,0 +1,82 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_1_8 }} + {{ if not .Vars.ubtu24cis_message_server }} + {{ if not .Vars.ubtu24cis_message_mask }} +package: + dovecot_imapd_pkg: + title: 2.1.8 | Ensure message access server services are not in use | pkg removed + name: dovecot-imapd + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.8 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + dovecot_pop3d_pkg: + title: 2.1.8 | Ensure message access server services are not in use | pkg removed + name: dovecot-pop3d + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.8 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ if .Vars.ubtu24cis_message_mask }} +file: + dovecot_service_masked: + title: 2.1.8 | Ensure message access server services are not in use | masked + path: /etc/systemd/system/dovecot.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.8 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + dovecot_socket_masked: + title: 2.1.8 | Ensure message access server services are not in use | masked + path: /etc/systemd/system/dovecot.socket + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.8 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.9.yml b/section_2/cis_2.1/cis_2.1.9.yml new file mode 100644 index 0000000..58b0ace --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.9.yml 
@@ -0,0 +1,50 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_1_9 }} + {{ if not .Vars.ubtu24cis_nfs_server }} + {{ if not .Vars.ubtu24cis_nfs_mask }} +package: + nfs_pkg: + title: 2.1.9 | Ensure network file system services are not in use | pkg removed + name: nfs-kernel-server + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.9 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-6 + - CM-7 + {{ end }} + {{ if .Vars.ubtu24cis_nfs_mask }} +file: + nfs_service_masked: + title: 2.1.9 | Ensure network file system services are not in use | masked + path: /etc/systemd/system/nfs-server.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.9 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-6 + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.1.yml b/section_2/cis_2.2/cis_2.2.1.yml new file mode 100644 index 0000000..2e262f6 --- /dev/null +++ b/section_2/cis_2.2/cis_2.2.1.yml @@ -0,0 +1,25 @@ +--- + +{{ if not .Vars.ubtu24cis_nis_client_required }} + {{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_2_1 }} +package: + nis_client: + title: 2.2.1 | Ensure NIS Client is not installed + installed: false + name: nis + meta: + server: 1 + workstation: 1 + CIS_ID: 2.2.1 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - CM-11 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.2.yml b/section_2/cis_2.2/cis_2.2.2.yml new file mode 100644 index 0000000..fc06aec --- /dev/null +++ b/section_2/cis_2.2/cis_2.2.2.yml 
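Review bot: `CIS_ID` is written as a scalar (`CIS_ID: 2.2.1`) in the 2.2.1 resource, whereas every 2.1.x resource in this commit writes it as a list (`CIS_ID:` / `- 2.1.9`); anything that post-processes goss `meta` (the `run_audit.sh` summariser in this commit, or a downstream parser) will see two different types for the same field. Use the list form here and in the other 2.2.x/2.3.x resources so the metadata shape is uniform.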
@@ -0,0 +1,24 @@ +--- + +{{ if not .Vars.ubtu24cis_rsh_client }} + {{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_2_2 }} +package: + rsh-client: + title: 2.2.2 | Ensure rsh client is not installed + name: rsh-client + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: 2.2.2 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.3.yml b/section_2/cis_2.2/cis_2.2.3.yml new file mode 100644 index 0000000..2a6f80a --- /dev/null +++ b/section_2/cis_2.2/cis_2.2.3.yml @@ -0,0 +1,23 @@ +--- + +{{ if not .Vars.ubtu24cis_talk_client }} + {{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_2_3 }} +package: + talk: + title: 2.2.3 | Ensure talk client is not installed + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: 2.2.3 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.4.yml b/section_2/cis_2.2/cis_2.2.4.yml new file mode 100644 index 0000000..d6c24d8 --- /dev/null +++ b/section_2/cis_2.2/cis_2.2.4.yml @@ -0,0 +1,24 @@ +--- + +{{ if not .Vars.ubtu24cis_telnet_required }} + {{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_2_4 }} +package: + telnet: + title: 2.2.4 | Ensure telnet client is not installed + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: 2.2.4 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - CM-11 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.5.yml b/section_2/cis_2.2/cis_2.2.5.yml new file mode 100644 index 0000000..10507a9 --- /dev/null +++ b/section_2/cis_2.2/cis_2.2.5.yml 
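Review bot: The 2.2.4 resource checks only the `telnet` package, and on 24.04 `telnet` is, as I understand it, a transitional package that depends on `inetutils-telnet`; removing `telnet` alone can leave the client binary installed, and the 24.04 benchmark audits both names. Add a second package resource with `name: inetutils-telnet` and `installed: false` under the same gates; please verify the package relationship on a 24.04 host.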
@@ -0,0 +1,24 @@ +--- + +{{ if not .Vars.ubtu24cis_ldap_clients_required }} + {{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_2_5 }} +package: + ldap-utils: + title: 2.2.5 | Ensure LDAP client is not installed + installed: false + name: ldap-utils + meta: + server: 1 + workstation: 1 + CIS_ID: 2.2.5 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.6.yml b/section_2/cis_2.2/cis_2.2.6.yml new file mode 100644 index 0000000..3cce36c --- /dev/null +++ b/section_2/cis_2.2/cis_2.2.6.yml @@ -0,0 +1,25 @@ +--- + +{{ if not .Vars.ubtu24cis_ftp_client }} + {{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_2_6 }} +package: + ftp_client: + title: 2.2.6 | Ensure ftp client is not installed + installed: false + name: ftp + meta: + server: 1 + workstation: 1 + CIS_ID: 2.2.6 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - CM-11 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.3/cis_2.3.1.1.yml b/section_2/cis_2.3/cis_2.3.1.1.yml new file mode 100644 index 0000000..6b91037 --- /dev/null +++ b/section_2/cis_2.3/cis_2.3.1.1.yml 
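Review bot: `ftp_client` in 2.2.6 checks only the `ftp` package; on 24.04 the actual client appears to be provided by `tnftp`, with `ftp` as a dependency/transitional package, so removing `ftp` alone can leave a working FTP client behind. Add a sibling package resource with `name: tnftp` and `installed: false` under the same gates, after confirming the package split on a 24.04 host.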
@@ -0,0 +1,75 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_3_1_1 }} +package: + {{ .Vars.ubtu24cis_time_sync_tool }}: + title: 2.3.1.1 | Ensure a single time synchronization daemon is in use + installed: true + meta: + server: 1 + workstation: 1 + CIS_ID: 2.3.1.1 + CISv8: + - 8.4 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - AU-12 + {{ if eq .Vars.ubtu24cis_time_sync_tool "systemd-timesyncd" }} + ntp: + title: 2.3.1.1 | Ensure time synchronization is in use | ntp service + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: 2.3.1.1 + CISv8: + - 8.4 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - AU-12 + chrony: + title: 2.3.1.1 | Ensure time synchronization is in use | chrony service + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: 2.3.1.1 + CISv8: + - 8.4 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - AU-12 + {{ end }} + {{ if ne .Vars.ubtu24cis_time_sync_tool "systemd-timesyncd" }} +file: + timesync_masked: + title: 2.3.1.1 | Ensure time synchronization is in use | systemd-timesyncd masked + path: /etc/systemd/system/systemd-timesyncd.service + filetype: symlink + linked-to: /dev/null + exists: true + meta: + server: 1 + workstation: 1 + CIS_ID: 2.3.1.1 + CISv8: + - 8.4 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - AU-12 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.3/cis_2.3.2.1.yml b/section_2/cis_2.3/cis_2.3.2.1.yml new file mode 100644 index 0000000..5b3cdae --- /dev/null +++ b/section_2/cis_2.3/cis_2.3.2.1.yml 
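Review bot: When `ubtu24cis_time_sync_tool` is `chrony`, nothing in 2.3.1.1 asserts that `ntp` is absent — the `ntp`/`chrony` removal resources sit only inside the `eq ... "systemd-timesyncd"` branch, so a host running both chrony and ntpd passes a check titled "a single time synchronization daemon". Add a `{{ if eq .Vars.ubtu24cis_time_sync_tool "chrony" }}` branch with an `ntp` package resource set to `installed: false`. Note also that on 24.04 the NTP daemon ships as `ntpsec` (with `ntp` as a transitional name, to my recollection), so both names are worth checking in either branch.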
@@ -0,0 +1,28 @@ +--- + +{{ if eq .Vars.ubtu24cis_time_sync_tool "systemd-timesyncd" }} + {{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_3_2_1 }} +file: + timesynd_timeservers: + title: 2.3.2.1 | Ensure systemd-timesyncd configured with authorized timeserver + path: /etc/systemd/timesyncd.conf.d/50-timesyncd.conf + exists: true + contents: + - '/^NTP={{ .Vars.ubtu24cis_time_pool_name }}/' + - '/^FallbackNTP={{- range .Vars.ubtu24cis_time_servers }}{{ .name }} {{ end }}/' + meta: + server: 1 + workstation: 1 + CIS_ID: 2.3.2.1 + CISv8: + - 8.4 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-7 + - AU-8 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.3/cis_2.3.2.2.yml b/section_2/cis_2.3/cis_2.3.2.2.yml new file mode 100644 index 0000000..626b51e --- /dev/null +++ b/section_2/cis_2.3/cis_2.3.2.2.yml @@ -0,0 +1,26 @@ +--- + +{{ if eq .Vars.ubtu24cis_time_sync_tool "systemd-timesyncd" }} + {{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_3_2_2 }} +service: + timesyncd: + title: 2.3.2.2 | Ensure systemd-timesyncd is enabled and running + enabled: true + running: true + name: systemd-timesyncd + meta: + server: 1 + workstation: 1 + CIS_ID: 2.3.2.2 + CISv8: + - 8.4 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-7 + - AU-8 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.3/cis_2.3.3.1.yml b/section_2/cis_2.3/cis_2.3.3.1.yml new file mode 100644 index 0000000..fbef77d --- /dev/null +++ b/section_2/cis_2.3/cis_2.3.3.1.yml 
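Review bot: The `FallbackNTP=` pattern in 2.3.2.1 is built by `{{ .name }} {{ end }}`, which emits a space after every server including the last, so the rendered regex is `^FallbackNTP=a b ` and only matches a conf line with a trailing space. Unless the companion role writes the line exactly that way, the check fails on a correctly configured host; a separator-between-items form avoids the dependency: `'/^FallbackNTP={{- range $i, $s := .Vars.ubtu24cis_time_servers }}{{ if $i }} {{ end }}{{ $s.name }}{{ end }}$/'`. The `NTP=` entry is unanchored at the end, which is fine for a pool name but means a longer value would also match.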
@@ -0,0 +1,49 @@ +--- + +{{ if eq .Vars.ubtu24cis_time_sync_tool "chrony" }} + {{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_3_3_1 }} +file: + chrony_pool: + title: 2.3.3.1 | Ensure chrony is configured with authorized timeserver | timeserver pool + path: /etc/chrony/sources.d/pool.source + exists: true + contents: + {{- range .Vars.ubtu24cis_time_pool }} + - '/^pool {{ .name }} {{ .options }}/' + {{ end }} + meta: + server: 1 + workstation: 1 + CIS_ID: 2.3.3.1 + CISv8: + - 8.4 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - AU-12 + chrony_timeservers: + title: 2.3.3.1 | Ensure chrony is configured with authorized timeserver | timeserver servers + path: /etc/chrony/sources.d/server.source + exists: true + contents: + {{- range .Vars.ubtu24cis_time_servers }} + - '/^server {{ .name }} {{ .options }}/' + {{ end }} + meta: + server: 1 + workstation: 1 + CIS_ID: 2.3.3.1 + CISv8: + - 8.4 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - AU-12 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.3/cis_2.3.3.2.yml b/section_2/cis_2.3/cis_2.3.3.2.yml new file mode 100644 index 0000000..143e150 --- /dev/null +++ b/section_2/cis_2.3/cis_2.3.3.2.yml @@ -0,0 +1,26 @@ +--- + +{{ if eq .Vars.ubtu24cis_time_sync_tool "chrony" }} + {{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_1_2_2 }} +file: + chrony_user: + title: 2.3.3.2 | Ensure chrony is running as user _chrony + path: /etc/chrony/chrony.conf + exists: true + contents: + - '/^user _chrony/' + meta: + server: 1 + workstation: 1 + CIS_ID: 2.3.3.2 + CISv8: + - 8.4 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-8 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.3/cis_2.3.3.3.yml b/section_2/cis_2.3/cis_2.3.3.3.yml new file mode 100644 index 0000000..664e184 --- /dev/null +++ b/section_2/cis_2.3/cis_2.3.3.3.yml 
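Review bot: Both entries only prove the expected `pool`/`server` lines are present; nothing rejects additional, unauthorized sources in `/etc/chrony/chrony.conf`, `/etc/chrony/conf.d/` or other files under `sources.d/`, which is what "configured with authorized timeserver" is meant to catch. A `command:` entry along the lines of `exec: grep -Ers '^\s*(server|pool|peer)\s' /etc/chrony/chrony.conf /etc/chrony/conf.d /etc/chrony/sources.d` with negated stdout patterns for anything outside the authorized lists would cover that. Also, if `ubtu24cis_time_servers` is empty, `contents:` renders as a bare key while `exists: true` still demands `server.source`, so pool-only deployments fail; guard that entry with `{{ if .Vars.ubtu24cis_time_servers }}`.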
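Review bot: This file is gated on `ubtu24cis_rule_2_1_2_2` although it implements rule 2.3.3.2, so toggling `ubtu24cis_rule_2_3_3_2` has no effect and the check follows whatever rule 2.1.2.2 is set to; change the guard to `{{ if .Vars.ubtu24cis_rule_2_3_3_2 }}`. The pattern `/^user _chrony/` also accepts any value that merely starts with `_chrony`; `'/^user\s+_chrony\s*$/'` is exact. On Ubuntu the `user` directive may, as far as I recall, also be set from `/etc/chrony/conf.d/`, which this check does not read.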
@@ -0,0 +1,24 @@ +--- + +{{ if eq .Vars.ubtu24cis_time_sync_tool "chrony" }} + {{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_3_3_3 }} +service: + chronyd: + title: 2.3.3.3 | Ensure chrony is enabled and running + enabled: true + running: true + meta: + server: 1 + workstation: 1 + CIS_ID: 2.3.3.3 + CISv8: + - 8.4 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-8 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_2/cis_2.4/cis_2.4.1.1.yml b/section_2/cis_2.4/cis_2.4.1.1.yml new file mode 100644 index 0000000..11ef222 --- /dev/null +++ b/section_2/cis_2.4/cis_2.4.1.1.yml @@ -0,0 +1,46 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_4_1_1 }} +package: + cron: + title: 2.4.1.1 | Ensure cron daemon is enabled and active | pkg + installed: true + name: cron + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.4.1.1 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 +service: + cron: + title: 2.4.1.1 | Ensure cron daemon is enabled and running | service + running: true + enabled: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.4.1.1 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_2/cis_2.4/cis_2.4.1.2.yml b/section_2/cis_2.4/cis_2.4.1.2.yml new file mode 100644 index 0000000..53e2d4b --- /dev/null +++ b/section_2/cis_2.4/cis_2.4.1.2.yml @@ -0,0 +1,26 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_4_1_2 }} +file: + crontab_perms: + title: 2.4.1.2 | Ensure permissions on /etc/crontab are configured + path: /etc/crontab + exists: true + owner: root + group: root + mode: "0600" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.4.1.2 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} 
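Review bot: The service is looked up as `chronyd`, but the Ubuntu chrony package installs `chrony.service`, with `chronyd` only as an alias to my recollection, so `systemctl is-enabled chronyd` can report `alias` or `not-found` rather than `enabled` and the check fails on a correctly configured host. Use `chrony` as the unit, or keep the key and add `name: chrony` the way the systemd-timesyncd check in this commit uses `name: systemd-timesyncd`.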
diff --git a/section_2/cis_2.4/cis_2.4.1.3_7.yml b/section_2/cis_2.4/cis_2.4.1.3_7.yml new file mode 100644 index 0000000..d93809e --- /dev/null +++ b/section_2/cis_2.4/cis_2.4.1.3_7.yml 
@@ -0,0 +1,110 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_4_1_3 }} +file: + cron_hourly_perms: + title: 2.4.1.3 | Ensure permissions on /etc/cron.hourly are configured + path: /etc/cron.hourly + exists: true + owner: root + group: root + mode: "0700" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.4.1.3 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} + {{ if .Vars.ubtu24cis_rule_2_4_1_4 }} + cron_daily_perms: + title: 2.4.1.4 | Ensure permissions on /etc/cron.daily are configured + path: /etc/cron.daily + exists: true + owner: root + group: root + mode: "0700" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.4.1.4 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} + {{ if .Vars.ubtu24cis_rule_2_4_1_5 }} + cron_weekly_perms: + title: 2.4.1.5 | Ensure permissions on /etc/cron.weekly are configured + path: /etc/cron.weekly + exists: true + owner: root + group: root + mode: "0700" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.4.1.5 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} + {{ if .Vars.ubtu24cis_rule_2_4_1_6 }} + cron_monthly_perms: + title: 2.4.1.6 | Ensure permissions on /etc/cron.monthly are configured + path: /etc/cron.monthly + exists: true + owner: root + group: root + mode: "0700" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.4.1.6 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} + {{ if .Vars.ubtu24cis_rule_2_4_1_7 }} + cron_d_perms: + title: 2.4.1.7 | Ensure permissions on /etc/cron.d are configured + path: /etc/cron.d + exists: true + owner: root + group: root + mode: "0700" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.4.1.7 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ 
end }} diff --git a/section_2/cis_2.4/cis_2.4.1.8.yml b/section_2/cis_2.4/cis_2.4.1.8.yml new file mode 100644 index 0000000..6b20236 --- /dev/null +++ b/section_2/cis_2.4/cis_2.4.1.8.yml @@ -0,0 +1,42 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_4_1_8 }} +file: + cron_deny_absent: + title: 2.4.1.8 | Ensure cron is restricted to authorized users + path: /etc/cron.deny + exists: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.4.1.8 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + /etc/cron.allow: + title: 2.4.1.8 | Ensure cron is restricted to authorized users + exists: true + owner: root + group: root + mode: "0640" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.4.1.8 + - 2.4.1.8 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_2/cis_2.4/cis_2.4.2.1.yml b/section_2/cis_2.4/cis_2.4.2.1.yml new file mode 100644 index 0000000..cf2445c --- /dev/null +++ b/section_2/cis_2.4/cis_2.4.2.1.yml @@ -0,0 +1,41 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_2_4_2_1 }} +file: + at_deny_absent: + title: 2.4.2.1 | Ensure at is restricted to authorized users + path: /etc/at.deny + exists: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.4.2.1 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + /etc/at.allow: + title: 2.4.2.1 | Ensure at is restricted to authorized users + exists: true + owner: root + group: root + mode: "0640" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.4.2.1 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_3/cis_3.1/cis_3.1.1.yml b/section_3/cis_3.1/cis_3.1.1.yml new file mode 100644 index 0000000..e7eaed3 --- /dev/null +++ b/section_3/cis_3.1/cis_3.1.1.yml 
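Review bot: The top-level `file:` key is emitted only inside `{{ if .Vars.ubtu24cis_rule_2_4_1_3 }}`, so disabling rule 2.4.1.3 while leaving 2.4.1.4–2.4.1.7 enabled renders `cron_daily_perms:` and the following entries indented under nothing, which goss rejects as invalid YAML. Move `file:` up so it sits directly under `{{ if .Vars.ubtu24cis_level_1 }}` and wrap only the `cron_hourly_perms` entry in the rule guard. Note also that goss `mode:` is an exact comparison, so a directory at `0500` — stricter than the benchmark's "0700 or more restrictive" — is reported as a failure; if that is intended it should be stated in the titles.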
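Review bot: `CIS_ID` for the `/etc/cron.allow` entry lists `2.4.1.8` twice; drop the duplicate so downstream reporting does not double-count the rule. That entry also relies on the mapping key as the path while every other file check in this commit sets `path:` explicitly — adding `path: /etc/cron.allow` under a descriptive key keeps the files uniform. Goss `mode: "0640"` is an exact match, so a `0600` allow file, which the benchmark accepts as "more restrictive", fails here.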
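Review bot: Nothing here is conditioned on `at` being installed, yet the benchmark only requires `/etc/at.allow` when it is, so a host without the `at` package — which I believe is not installed by default on Ubuntu — fails this rule for lacking a file it has no use for. Gate the two entries on the package being present (a variable in the style of `ubtu24cis_bluetooth_service`, or a `command:` that runs `dpkg-query -s at` before testing the files) so the check is skipped when `at` is absent. As with 2.4.1.8, `mode: "0640"` is an exact match rather than "or more restrictive".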
@@ -0,0 +1,67 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if not .Vars.ubtu24cis_ipv6_required }} + {{ if .Vars.ubtu24cis_rule_3_1_1 }} + {{ if eq .Vars.ubtu24cis_ipv6_disable "grub" }} +command: + grub_ipv6: + title: 3.1.1 | Ensure IPv6 status is identified | via grub boot + exec: grep -i "^[^#]\s.*ipv6" /boot/grub/grub.cfg + exit-status: 0 + stdout: + - '/^\s*linux.*ipv6.disable=1/' + - '!/ipv6.disable=0/' + meta: + server: 2 + workstation: 2 + CIS_ID: 3.1.1 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + ipv6_etc_default_grub: + title: 3.1.1 | Ensure IPv6 status is identified | default grub + exec: grep -i "GRUB_CMDLINE_LINUX=.*ipv6" /etc/default/grub + exit-status: 0 + stdout: + - '/^GRUB_CMDLINE_LINUX=.*ipv6.disable=1/' + - '!/ipv6.disable=0/' + meta: + server: 2 + workstation: 2 + CIS_ID: 3.1.1 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ if eq .Vars.ubtu24cis_ipv6_disable "sysctl" }} + file: + ipv6_disabled: + title: 3.1.1 | Ensure IPv6 status is identified | sysctl all disable + path: /proc/sys/net/ipv6/conf/all/disable_ipv6 + exists: true + contents: + - '/^1/' + meta: + server: 2 + workstation: 2 + CIS_ID: 3.3.1 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_3/cis_3.1/cis_3.1.2.yml b/section_3/cis_3.1/cis_3.1.2.yml new file mode 100644 index 0000000..5764ccb --- /dev/null +++ b/section_3/cis_3.1/cis_3.1.2.yml 
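Review bot: The grub grep `^[^#]\s.*ipv6` anchors whitespace at column two, so it only hits lines indented by two tabs (submenu entries) and misses a primary `\tlinux` line, failing hosts that have the setting in place; `grep -Ei '^\s*linux.*ipv6' /boot/grub/grub.cfg` matches what the stdout pattern expects. In the sysctl branch only `net.ipv6.conf.all.disable_ipv6` is read — add a matching entry for `/proc/sys/net/ipv6/conf/default/disable_ipv6`, since the benchmark requires both. That same entry carries `CIS_ID: 3.3.1`, which should be `3.1.1`.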
@@ -0,0 +1,26 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_3_1_2 }} +command: + wireless_disabled: + title: 3.1.2 | Ensure wireless interfaces are disabled | MANUAL + exit-status: 0 + exec: "if [ $(find /sys/class/net/*/ -type d -name wireless) ]; then echo MANUAL; else echo OK; fi" + stdout: + - '/^OK/' + - '!/^MANUAL/' + meta: + server: 1 + workstation: 2 + CIS_ID: + - 3.1.2 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} +{{ end }} diff --git a/section_3/cis_3.1/cis_3.1.3.yml b/section_3/cis_3.1/cis_3.1.3.yml new file mode 100644 index 0000000..e7f0a16 --- /dev/null +++ b/section_3/cis_3.1/cis_3.1.3.yml @@ -0,0 +1,46 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_3_1_3 }} + {{ if not .Vars.ubtu24cis_bluetooth_service }} + {{ if not .Vars.ubtu24cis_bluetooth_mask }} +package: + bluetooth_pkg: + title: 3.1.3 | Ensure bluetooth services are not in use | pkg removed + name: bluez + installed: false + meta: + server: 1 + workstation: 2 + CIS_ID: + - 3.1.3 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + {{ end }} + {{ if .Vars.ubtu24cis_bluetooth_mask }} +file: + bluetooth_service_masked: + title: 3.1.3 | Ensure bluetooth services are not in use | masked + path: /etc/systemd/system/bluetooth.service + exists: true + filetype: symlink + linked-to: /dev/null + meta: + server: 1 + workstation: 2 + CIS_ID: + - 3.1.3 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: CM-7 + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_3/cis_3.2/cis_3.2.1.yml b/section_3/cis_3.2/cis_3.2.1.yml new file mode 100644 index 0000000..6968d06 --- /dev/null +++ b/section_3/cis_3.2/cis_3.2.1.yml 
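Review bot: `if [ $(find ...) ]` is unquoted, so with two or more wireless interfaces the test becomes `[ /path/a /path/b ]`, `[` exits 2 with "binary operator expected", and the command produces neither OK nor MANUAL. Use `if [ -n "$(find /sys/class/net/*/ -type d -name wireless 2>/dev/null)" ]; then echo MANUAL; else echo OK; fi`. The `!/^MANUAL/` assertion is redundant once `/^OK/` is required and can be dropped.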
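Review bot: In the mask branch only the `/dev/null` symlink is verified; a unit that was masked while already running stays active until it is stopped, so the benchmark's "not active" condition is never checked. Add a `service:` entry such as `bluetooth:` with `running: false` next to the symlink check. The package branch covers only `bluez`, which is fine, but the two branches never both run, so a host with bluez removed and a stale mask symlink is reported under whichever variable is set rather than on its actual state.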
@@ -0,0 +1,45 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_3_2_1 }} +command: + modprobe_dccp: + title: 3.2.1 | Ensure dccp kernel module is not available | DCCP config + exit-status: 0 + exec: 'modprobe -n -v dccp' + stdout: + - '/install /bin/(true|false)/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 3.2.1 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - SI-4 + lsmod_dccp: + title: 3.2.1 | Ensure dccp kernel module is not available | running dccp + exit-status: 1 + exec: lsmod | grep -i dccp + stdout: + - '!/^.*/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 3.2.1 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - SI-4 + {{ end }} +{{ end }} diff --git a/section_3/cis_3.2/cis_3.2.2.yml b/section_3/cis_3.2/cis_3.2.2.yml new file mode 100644 index 0000000..f2738ea --- /dev/null +++ b/section_3/cis_3.2/cis_3.2.2.yml @@ -0,0 +1,48 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_3_2_2 }} +command: + modprobe_TIPC: + title: 3.2.2 | Ensure tipc kernel module is not available | tipc config + exit-status: + or: + - 0 + - 1 + exec: 'modprobe -n -v tipc' + stdout: + - '/install /bin/(true|false)/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 3.2.2 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - SI-4 + lsmod_TIPC: + title: 3.2.2 | Ensure tipc kernel module is not available | running tipc + exit-status: 1 + exec: lsmod | grep -i tipc + stdout: + - '!/^.*/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 3.2.2 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - SI-4 + {{ end }} +{{ end }} diff --git a/section_3/cis_3.2/cis_3.2.4.yml b/section_3/cis_3.2/cis_3.2.4.yml new file mode 100644 index 0000000..048c307 --- /dev/null +++ b/section_3/cis_3.2/cis_3.2.4.yml 
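Review bot: The `modprobe -n -v dccp` check accepts an `install /bin/true` line but never looks for `blacklist dccp`, which the benchmark audit requires as well, so a module that is stubbed but not blacklisted passes. Add a `command:` that greps `/etc/modprobe.d/*.conf` for `'/^\s*blacklist\s+dccp\b/'`. Also, on a kernel that does not ship dccp at all, `modprobe -n -v` exits 1 with nothing on stdout and the rule fails even though the module is unavailable; consider a prior `find /lib/modules/$(uname -r) -name 'dccp*'` guard and treating "not present" as compliant, which I believe the benchmark does.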
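Review bot: Exit status `0` or `1` is accepted here, unlike `modprobe_dccp` in the same commit which insists on `0`, but the relaxation changes nothing: when modprobe exits 1 because tipc is not found, stdout is empty and the `install /bin/(true|false)` pattern still fails. Either make all four module checks uniform, or model "module not present in this kernel" as compliant by checking `/lib/modules/$(uname -r)` first and only then requiring the install line. A `blacklist tipc` assertion is missing here as in the dccp check.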
@@ -0,0 +1,43 @@ +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_3_2_4 }} +command: + modprobe_sctp: + title: 3.2.4 | Ensure sctp kernel module is not available | sctp config + exit-status: 0 + exec: 'modprobe -n -v sctp' + stdout: + - '/install /bin/(true|false)/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 3.2.4 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - SI-4 + lsmod_sctp: + title: 3.2.4 | Ensure sctp kernel module is not available | running sctp + exit-status: 1 + exec: lsmod | grep -i sctp + stdout: + - '!/^.*/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 3.2.4 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - SI-4 + {{ end }} +{{ end }} diff --git a/section_3/cis_3.2/cis_3.4.3.yml b/section_3/cis_3.2/cis_3.4.3.yml new file mode 100644 index 0000000..c6d9970 --- /dev/null +++ b/section_3/cis_3.2/cis_3.4.3.yml @@ -0,0 +1,46 @@ +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_3_2_3 }} +command: + modprobe_RDS: + title: 3.2.3 | Ensure rds kernel module is not available | rds config + exit-status: + or: + - 0 + - 1 + exec: 'modprobe -n -v rds' + stdout: + - '/install /bin/(true|false)/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 3.2.3 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - SI-4 + lsmod_RDS: + title: 3.2.3 | Ensure rds kernel module is not available | running rds + exit-status: 1 + exec: lsmod | grep -i rds + stdout: + - '!/^.*/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 3.2.3 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + - SI-4 + {{ end }} +{{ end }} diff --git a/section_3/cis_3.3/cis_3.3.1.yml b/section_3/cis_3.3/cis_3.3.1.yml new file mode 100644 index 0000000..98fd482 --- /dev/null +++ b/section_3/cis_3.3/cis_3.3.1.yml 
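Review bot: The rds check lives in `section_3/cis_3.2/cis_3.4.3.yml` while its guard, titles and `CIS_ID` all say 3.2.3; if the audit runner selects or orders files by name this file is misplaced, and reviewers will look for `cis_3.2.3.yml`. Rename it to `section_3/cis_3.2/cis_3.2.3.yml`. It also omits the leading `---` document marker that most files in this commit start with, and like the other module checks it never asserts a `blacklist rds` line.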
@@ -0,0 +1,104 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if not .Vars.ubtu24cis_is_router }} + {{ if .Vars.ubtu24cis_rule_3_3_1 }} +kernel-param: + net.ipv4.ip_forward: + title: 3.3.1 | Ensure IP forwarding is disabled | IPv4 + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.1 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ if .Vars.ubtu24cis_ipv6_required }} + net.ipv6.conf.all.forwarding: + title: 3.3.1 | Ensure IP forwarding is disabled | IPv6 + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.1 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +command: + ipv4_ip_forward: + title: 3.3.1 | Ensure IP forwarding is disabled | IPv4 config + exec: grep -E "^\s*net\.ipv4\.ip_forward" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf + exit-status: + or: + - 0 + - 1 + - 2 + stdout: + - '/^.*:net.ipv4.ip_forward\s*=\s*0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.1 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ if .Vars.ubtu24cis_ipv6_required }} + ipv6_ip_forward: + title: 3.3.1 | Ensure IP forwarding is disabled | IPv6 config + exec: grep -E "^\s*net\.ipv6\.conf\.all\.forwarding" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf + exit-status: + or: + - 0 + - 1 + - 2 + stdout: + - '/^.*:net.ipv6.conf.all.forwarding\s*=\s*0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.1 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} + {{ end }} + {{ end }} +{{ end }} 
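Review bot: The config greps pass when any searched file carries `ip_forward = 0`, even if a later-precedence drop-in sets it to 1 — only the runtime `kernel-param` catches that, and the config check then reports a wrong file as compliant. Add a negative pattern such as `- '!/net\.ipv4\.ip_forward\s*=\s*1/'` to each stdout list. The search also omits `/etc/ufw/sysctl.conf`, which as far as I recall ufw applies on start and the benchmark audit includes, and the `net/ipv4/ip_forward` slash form that sysctl accepts is not matched by `net\.ipv4\.ip_forward`.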
diff --git a/section_3/cis_3.3/cis_3.3.10.yml b/section_3/cis_3.3/cis_3.3.10.yml new file mode 100644 index 0000000..1774ef0 --- /dev/null +++ b/section_3/cis_3.3/cis_3.3.10.yml @@ -0,0 +1,52 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_3_3_10 }} +kernel-param: + net.ipv4.tcp_syncookies: + title: 3.3.10 | Ensure TCP SYN Cookies is enabled | ipv4 syncookies + value: '1' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.10 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 +command: + ipv4_tcp_syncookies: + title: 3.3.10 | Ensure TCP SYN Cookies is enabled | ipv4 syncookies conf + exec: grep "net\.ipv4\.tcp_syncookies" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/^\/etc\/sysctl.*:net.ipv4.tcp_syncookies\s*=\s*1/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.10 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_3/cis_3.3/cis_3.3.11.yml b/section_3/cis_3.3/cis_3.3.11.yml new file mode 100644 index 0000000..6beb69d --- /dev/null +++ b/section_3/cis_3.3/cis_3.3.11.yml 
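Review bot: This rule greps only `/etc/sysctl.conf` and `/etc/sysctl.d/*`, whereas `cis_3.3.1.yml` in the same commit also reads `/usr/lib/sysctl.d/*.conf` and `/run/sysctl.d/*.conf`, all of which `sysctl --system` loads, and the stdout anchor `^\/etc\/sysctl.*:` would reject a hit from those directories anyway. Bring it into line with `exec: grep -E "^\s*net\.ipv4\.tcp_syncookies" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf` and a stdout pattern starting `^.*:`. Unanchored `\s*1` also matches `= 10`; `\s*1\s*$` pins the value.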
@@ -0,0 +1,97 @@ +--- +{{ if .Vars.ubtu24cis_ipv6_required }} +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_3_3_11 }} +kernel-param: + net.ipv6.conf.all.accept_ra: + title: 3.3.11 | Ensure ipv6 router advertisements are not accepted | all accept + value: '1' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.11 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + net.ipv6.conf.default.accept_ra: + title: 3.3.11 | Ensure ipv6 router advertisements are not accepted | default accept + value: '1' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.11 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 +command: + ipv6_all_accept_ra: + title: 3.3.11 | Ensure ipv6 router advertisements are not acceptedd | all accept + exec: grep "net\.ipv6\conf\.all\.accept_ra" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/^\/etc\/sysctl.*:net.ipv6.conf.all.accept_ra\s*=\s*0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.11 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + ipv6_all_default_ra: + title: 3.3.11 | Ensure ipv6 router advertisements are not acceptedd | all accept + exec: grep "net\.ipv6\conf\.default\.accept_ra" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/^\/etc\/sysctl.*:net.ipv6.conf.default.accept_ra\s*=\s*0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.11 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} +{{ end }} diff --git a/section_3/cis_3.3/cis_3.3.2.yml b/section_3/cis_3.3/cis_3.3.2.yml new file mode 100644 index 0000000..189367e --- /dev/null +++ b/section_3/cis_3.3/cis_3.3.2.yml 
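Review bot: Both `kernel-param` entries require `accept_ra` to be `'1'`, which is the opposite of the rule title — router advertisements accepted — and contradicts the config greps below that expect `= 0`; set `value: '0'` for `net.ipv6.conf.all.accept_ra` and `net.ipv6.conf.default.accept_ra`. The two grep patterns are also broken: `net\.ipv6\conf\.all\.accept_ra` has `\c` where `\.c` was meant, so the dot after `ipv6` is missing and the expression never matches a real sysctl line, making both config checks fail unconditionally. The titles spell "acceptedd", and the second command is labelled "all accept" although it covers `default`.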
@@ -0,0 +1,96 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_3_3_2 }} +kernel-param: + net.ipv4.conf.all.send_redirects: + title: 3.3.2 | Ensure packet redirect sending is disabled | all send_redirect + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.2 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + net.ipv4.conf.default.send_redirects: + title: 3.3.2 | Ensure packet redirect sending is disabled | default send_redirects + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.2 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 +command: + ipv4_disable_all_redirect: + title: 3.3.2 | Ensure packet redirect sending is disabled | all send_redirect config + exec: grep -E "^\s*net\.ipv4\.conf\.all\.send_redirects" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/.*:net.ipv4.conf.all.send_redirects\s*=\s*0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.2 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + ipv4_disable_def_redirect: + title: 3.3.2 | Ensure packet redirect sending is disabled | default send_redirect config + exec: grep -E "^\s*net\.ipv4\.conf\.default\.send_redirects" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/.*:net.ipv4.conf.default.send_redirects=0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.2 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_3/cis_3.3/cis_3.3.3.yml b/section_3/cis_3.3/cis_3.3.3.yml new file mode 100644 index 0000000..5038f92 --- /dev/null +++ b/section_3/cis_3.3/cis_3.3.3.yml 
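Review bot: The `ipv4_disable_def_redirect` stdout pattern is `send_redirects=0` with no `\s*` around `=`, unlike its sibling `ipv4_disable_all_redirect`, so the conventional `net.ipv4.conf.default.send_redirects = 0` line fails the check. Change it to `'/.*:net.ipv4.conf.default.send_redirects\s*=\s*0/'`.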
@@ -0,0 +1,52 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_3_3_3 }} +kernel-param: + net.ipv4.icmp_ignore_bogus_error_responses: + title: 3.3.3 | Ensure bogus ICMP responses are ignored | ignore bogus icmp + value: '1' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.3 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 +command: + ipv4_ignore_bogus: + title: 3.3.3 | Ensure bogus ICMP responses are ignored | ignore bogus icmp conf + exec: grep "net.ipv4.icmp_ignore_bogus_error_responses" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/^\/etc\/sysctl.*:net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.3 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_3/cis_3.3/cis_3.3.4.yml b/section_3/cis_3.3/cis_3.3.4.yml new file mode 100644 index 0000000..94e9cbb --- /dev/null +++ b/section_3/cis_3.3/cis_3.3.4.yml 
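Review bot: The grep pattern `net.ipv4.icmp_ignore_bogus_error_responses` is the only one in this series with unescaped dots and no `^\s*` anchor; it still works because the stdout regex insists on `:net.ipv4...` directly after the filename, but it is inconsistent with 3.3.4–3.3.9. Use `exec: grep -E "^\s*net\.ipv4\.icmp_ignore_bogus_error_responses" /etc/sysctl.conf /etc/sysctl.d/*` for parity.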
@@ -0,0 +1,52 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_3_3_4 }} +kernel-param: + net.ipv4.icmp_echo_ignore_broadcasts: + title: 3.3.4 | Ensure broadcast ICMP requests are ignored | ipv4 ignore broadcast icmp + value: '1' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.4 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 +command: + ipv4_ignore_icmp_broadcast: + title: 3.3.4 | Ensure broadcast ICMP requests are ignored | ipv4 ignore broadcast icmp conf + exec: grep "net\.ipv4\.icmp_echo_ignore_broadcasts" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/^\/etc\/sysctl.*:net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.4 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_3/cis_3.3/cis_3.3.5.yml b/section_3/cis_3.3/cis_3.3.5.yml new file mode 100644 index 0000000..390a66d --- /dev/null +++ b/section_3/cis_3.3/cis_3.3.5.yml 
@@ -0,0 +1,96 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_3_3_5 }} +kernel-param: + net.ipv4.conf.all.accept_redirects: + title: 3.3.5 | Ensure ICMP redirects are not accepted | ipv4 all icmp redirects + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.5 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + net.ipv4.conf.default.accept_redirects: + title: 3.3.5 | Ensure ICMP redirects are not accepted | ipv4 default icmp redirects + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.5 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 +command: + ipv4_all_icmp_redirects: + title: 3.3.5 | Ensure ICMP redirects are not accepted | ipv4 all icmp redirects conf + exec: grep "net\.ipv4\.conf\.all\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/^\/etc\/sysctl.*:net.ipv4.conf.all.accept_redirects\s*=\s*0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.5 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + ipv4_def_icmp_redirects: + title: 3.3.5 | Ensure ICMP redirects are not accepted | ipv4 def icmp redirects conf + exec: grep "net\.ipv4\.conf\.default\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/^\/etc\/sysctl.*:net.ipv4.conf.default.accept_redirects\s*=\s*0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.5 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_3/cis_3.3/cis_3.3.6.yml b/section_3/cis_3.3/cis_3.3.6.yml new file mode 100644 index 0000000..5aab92d --- /dev/null +++ b/section_3/cis_3.3/cis_3.3.6.yml 
@@ -0,0 +1,94 @@ +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_3_3_6 }} +kernel-param: + net.ipv4.conf.all.secure_redirects: + title: 3.3.6 | Ensure secure ICMP redirects are not accepted | ipv4 all sec redirects + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.6 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + net.ipv4.conf.default.secure_redirects: + title: 3.3.6 | Ensure secure ICMP redirects are not accepted | ipv4 def sec redirects + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.2.6 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 +command: + ipv4_all_sec_redirects: + title: 3.3.6 | Ensure secure ICMP redirects are not accepted | ipv4 all sec redirects conf + exec: grep "net\.ipv4\.conf\.all\.secure_redirects" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/^\/etc\/sysctl.*:net.ipv4.conf.all.secure_redirects\s*=\s*0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.6 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + ipv4_def_sec_redirects: + title: 3.3.6 | Ensure secure ICMP redirects are not accepted | ipv4 all def redirects conf + exec: grep "net\.ipv4\.conf\.default\.secure_redirects" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/^\/etc\/sysctl.*:net.ipv4.conf.default.secure_redirects\s*=\s*0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.6 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_3/cis_3.3/cis_3.3.7.yml b/section_3/cis_3.3/cis_3.3.7.yml new file mode 100644 index 0000000..1cc592d --- /dev/null +++ b/section_3/cis_3.3/cis_3.3.7.yml 
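Review bot: The `net.ipv4.conf.default.secure_redirects` entry carries `CIS_ID: - 3.2.6`, which belongs to the kernel-module section; it should read `3.3.6` like the other three entries so the two halves of this control are not reported under different rules. The file also lacks the `---` document marker the rest of the commit starts with, and the last title says "ipv4 all def redirects conf" where "ipv4 default sec redirects conf" is meant.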
@@ -0,0 +1,96 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_3_3_7 }} +kernel-param: + net.ipv4.conf.all.rp_filter: + title: 3.3.7 | Ensure Reverse Path Filtering is enabled | ipv4 all rp_filter + value: '1' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.7 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + net.ipv4.conf.default.rp_filter: + title: 3.3.7 | Ensure Reverse Path Filtering is enabled | ipv4 default rp_filter + value: '1' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.7 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 +command: + ipv4_all_rp_filter: + title: 3.3.7 | Ensure Reverse Path Filtering is enabled | ipv4 all rp_filter conf + exec: grep "net\.ipv4\.conf\.all\.rp_filter" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/^\/etc\/sysctl.*:net.ipv4.conf.all.rp_filter\s*=\s*1/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.7 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + ipv4_def_rp_filter: + title: 3.3.7 | Ensure Reverse Path Filtering is enabled | ipv4 def rp_filter conf + exec: grep "net\.ipv4\.conf\.default\.rp_filter" /etc/sysctl.conf /etc/sysctl.d/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/^\/etc\/sysctl.*:net.ipv4.conf.default.rp_filter\s*=\s*1/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.3.7 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_3/cis_3.3/cis_3.3.8.yml b/section_3/cis_3.3/cis_3.3.8.yml new file mode 100644 index 0000000..00e023a --- /dev/null +++ b/section_3/cis_3.3/cis_3.3.8.yml 
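Review bot: These config greps pass as soon as any file contains `rp_filter = 1`, although Ubuntu's stock `/etc/sysctl.d/10-network-security.conf` sets, as far as I recall, both keys to `2`, so whether `1` is the effective value depends on which drop-in sorts last. The benchmark audit resolves this by taking the last matching line in load order; a closer goss equivalent is `exec: grep -Esh "^\s*net\.ipv4\.conf\.all\.rp_filter" /etc/sysctl.d/*.conf /etc/sysctl.conf | tail -n 1` with stdout `'/=\s*1\s*$/'`, and likewise for `default`. Otherwise the config check can disagree with the `kernel-param` entries above it on the same host.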
@@ -0,0 +1,94 @@
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_3_3_8 }}
+kernel-param:
+ net.ipv4.conf.all.accept_source_route:
+ title: 3.3.8 | Ensure source routed packets are not accepted | IPv4 all source routed
+ value: '0'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 3.3.1
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+ net.ipv4.conf.default.accept_source_route:
+ title: 3.3.8 | Ensure source routed packets are not accepted | IPv4 default source routed
+ value: '0'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 3.3.8
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+command:
+ ipv4_all_source_route:
+ title: 3.3.8 | Ensure source routed packets are not accepted | IPv4 all source routed conf
+ exec: grep "net\.ipv4\.conf\.all\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/*
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '/^\/etc\/sysctl.*:net.ipv4.conf.all.accept_source_route\s*=\s*0/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 3.3.8
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+ ipv4_def_source_route:
+ title: 3.3.8 | Ensure source routed packets are not accepted | IPv4 default source routed conf
+ exec: grep "net\.ipv4\.conf\.default\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/*
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '/^\/etc\/sysctl.*:net.ipv4.conf.default.accept_source_route\s*=\s*0/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 3.3.8
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_3/cis_3.3/cis_3.3.9.yml b/section_3/cis_3.3/cis_3.3.9.yml
new file mode 100644
index 0000000..aba186d
--- /dev/null
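Review bot: The CIS_ID under `net.ipv4.conf.all.accept_source_route` is `- 3.3.1`, the number of a different control; the other three entries in the hunk say `- 3.3.8`, so this one should read `- 3.3.8` too. The file also lacks the `---` document start that the neighbouring files have.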
+++ b/section_3/cis_3.3/cis_3.3.9.yml
@@ -0,0 +1,96 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_3_3_9 }}
+kernel-param:
+ net.ipv4.conf.all.log_martians:
+ title: 3.3.9 | Ensure suspicious packets are logged | ipv4 all martians
+ value: '1'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 3.3.9
+ CISv8:
+ - 8.5
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+ net.ipv4.conf.default.log_martians:
+ title: 3.3.9 | Ensure suspicious packets are logged | ipv4 default martians
+ value: '1'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 3.3.9
+ CISv8:
+ - 8.5
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+command:
+ ipv4_all_martians:
+ title: 3.3.9 | Ensure suspicious packets are logged | ipv4 all martians conf
+ exec: grep "net\.ipv4\.conf\.all\.log_martians" /etc/sysctl.conf /etc/sysctl.d/*
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '/^\/etc\/sysctl.*:net.ipv4.conf.all.log_martians\s*=\s*1/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 3.3.9
+ CISv8:
+ - 8.5
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+ ipv4_def_martians:
+ title: 3.3.9 | Ensure suspicious packets are logged | ipv4 default martians conf
+ exec: grep "net\.ipv4\.conf\.default\.log_martians" /etc/sysctl.conf /etc/sysctl.d/*
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '/^\/etc\/sysctl.*:net.ipv4.conf.default.log_martians\s*=\s*1/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 3.3.9
+ CISv8:
+ - 8.5
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_3/cis_3.3/ipv6/cis_3.3.5.yml b/section_3/cis_3.3/ipv6/cis_3.3.5.yml
new file mode 100644
index 0000000..1c02549
--- /dev/null
+++ b/section_3/cis_3.3/ipv6/cis_3.3.5.yml
@@ -0,0 +1,96 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_3_3_5 }}
+kernel-param:
+ net.ipv6.conf.all.accept_redirects:
+ title: 3.3.5 | Ensure ICMP redirects are not accepted | ipv6 all icmp redirects
+ value: '0'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 3.3.5
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+ net.ipv6.conf.default.accept_redirects:
+ title: 3.3.5 | Ensure ICMP redirects are not accepted | ipv6 default icmp redirects
+ value: '0'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 3.3.5
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+command:
+ ipv6_all_icmp_redirects:
+ title: 3.3.5 | Ensure ICMP redirects are not accepted | ipv6 all icmp redirects conf
+ exec: grep "net\.ipv6\.conf\.all\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/*
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '/^net.ipv6.conf.all.accept_redirects(\s|)=(\s|)0/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 3.3.5
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+ ipv6_def_icmp_redirects:
+ title: 3.3.5 | Ensure ICMP redirects are not accepted | ipv6 def icmp redirects conf
+ exec: grep "net\.ipv6\.conf\.default\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/*
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '/^net.ipv6.conf.default.accept_redirects(\s|)=(\s|)0/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 3.3.5
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_3/cis_3.3/ipv6/cis_3.3.8.yml b/section_3/cis_3.3/ipv6/cis_3.3.8.yml
new file mode 100644
index 0000000..b74af71
--- /dev/null
+++ b/section_3/cis_3.3/ipv6/cis_3.3.8.yml
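Review bot: Both stdout patterns in the command checks are anchored as `/^net.ipv6.conf....accept_redirects.../`, but the exec passes grep more than one file (`/etc/sysctl.conf /etc/sysctl.d/*`), so every output line carries a `filename:` prefix and `^net` can never match; the two conf checks will fail even on a compliant host. The IPv4 files in this commit already use the prefix-aware form, so align with them: `- '/^\/etc\/sysctl.*:net.ipv6.conf.all.accept_redirects\s*=\s*0/'` and the equivalent for the `default` key. The ipv6 cis_3.3.8.yml and cis_3.3.9.yml hunks have the same anchoring problem.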
@@ -0,0 +1,96 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_3_3_8 }}
+kernel-param:
+ net.ipv6.conf.all.accept_source_route:
+ title: 3.3.8 | Ensure source routed packets are not accepted | IPv6 all source routed
+ value: '0'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 3.3.8
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+ net.ipv6.conf.default.accept_source_route:
+ title: 3.3.8 | Ensure source routed packets are not accepted | IPv6 default source routed
+ value: '0'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 3.3.8
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+command:
+ ipv6_all_source_route:
+ title: 3.3.8 | Ensure source routed packets are not accepted | IPv6 all source routed conf
+ exec: grep "net\.ipv6\.conf\.all\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/*
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '/^net.ipv6.conf.all.accept_source_route= 0/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 3.3.8
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+ ipv6_def_source_route:
+ title: 3.3.8 | Ensure source routed packets are not accepted | IPv6 default source routed conf
+ exec: grep "net\.ipv6\.conf\.default\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/*
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '/^net.ipv6.conf.default.accept_source_route(\s|)=(\s|)0/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 3.3.8
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_3/cis_3.3/ipv6/cis_3.3.9.yml b/section_3/cis_3.3/ipv6/cis_3.3.9.yml
new file mode 100644
index 0000000..5a7bb6f
--- /dev/null
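Review bot: The `ipv6_all_source_route` stdout pattern `/^net.ipv6.conf.all.accept_source_route= 0/` demands no whitespace before `=` and exactly one space after it, while its sibling `ipv6_def_source_route` accepts `(\s|)=(\s|)0`; the usual `key = 0` spelling would pass the second check and fail the first. Use the same tolerant spacing in both, `\s*=\s*0`, on top of the `filename:` prefix fix that all the ipv6 conf checks need.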
+++ b/section_3/cis_3.3/ipv6/cis_3.3.9.yml 
@@ -0,0 +1,108 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_3_3_9 }}
+kernel-param:
+ net.ipv6.conf.all.accept_ra:
+ title: 3.3.9 | Ensure IPv6 router advertisements are not accepted | ipv6 all router adverts
+ value: '0'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 3.3.9
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ Mitre_Techniques:
+ - T1557
+ - T1557.001
+ Mitre_Tactics:
+ - TA0006
+ - TA0040
+ Mitre_Mitigations:
+ - M1030
+ - M1042
+ net.ipv6.conf.default.accept_ra:
+ title: 3.3.9 | Ensure IPv6 router advertisements are not accepted | ipv6 def router adverts
+ value: '0'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 3.3.9
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ Mitre_Techniques:
+ - T1557
+ - T1557.001
+ Mitre_Tactics:
+ - TA0006
+ - TA0040
+ Mitre_Mitigations:
+ - M1030
+ - M1042
+command:
+ ipv6_all_rtr_adverts:
+ title: 3.3.9 | Ensure IPv6 router advertisements are not accepted | ipv6 all router adverts conf
+ exec: grep "net\.ipv6\.conf\.all\.accept_ra" /etc/sysctl.conf /etc/sysctl.d/*
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '/^net.ipv6.conf.all.accept_ra = 0/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 3.3.9
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ Mitre_Techniques:
+ - T1557
+ - T1557.001
+ Mitre_Tactics:
+ - TA0006
+ - TA0040
+ Mitre_Mitigations:
+ - M1030
+ - M1042
+ ipv6_def_rtr_adverts:
+ title: 3.3.9 | Ensure IPv6 router advertisements are not accepted | ipv6 default router adverts conf
+ exec: grep "net\.ipv6\.conf\.default\.accept_ra" /etc/sysctl.conf /etc/sysctl.d/*
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '/^net.ipv6.conf.default.accept_ra(\s|)=(\s|)0/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 3.3.9
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ Mitre_Techniques:
+ - T1557
+ - T1557.001
+ Mitre_Tactics:
+ - TA0006
+ - TA0040
+ Mitre_Mitigations:
+ - M1030
+ - M1042
+ {{ end }}
+{{ end }}
diff --git a/section_4/cis_4.2/cis_4.2.1.yml b/section_4/cis_4.2/cis_4.2.1.yml
new file mode 100644
index 0000000..b0c0b6f
--- /dev/null
+++ b/section_4/cis_4.2/cis_4.2.1.yml
@@ -0,0 +1,27 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_4_2_1 }}
+package:
+ ufw:
+ title: 4.2.1 | Ensure ufw is installed
+ installed: true
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 4.2.1
+ CISv8:
+ - 4.4
+ - 4.5
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_4/cis_4.2/cis_4.2.2.yml b/section_4/cis_4.2/cis_4.2.2.yml
new file mode 100644
index 0000000..d36a8aa
--- /dev/null
+++ b/section_4/cis_4.2/cis_4.2.2.yml
@@ -0,0 +1,23 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_4_2_2 }}
+package:
+ iptables-persistent:
+ title: 4.2.2 | Ensure iptables-persistent is not installed with ufw
+ installed: false
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 4.2.2
+ CISv8:
+ - 4.4
+ - 4.5
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - SC-7
+ {{ end }}
+{{ end }}
diff --git a/section_4/cis_4.2/cis_4.2.3.yml b/section_4/cis_4.2/cis_4.2.3.yml
new file mode 100644
index 0000000..01612c6
--- /dev/null
+++ b/section_4/cis_4.2/cis_4.2.3.yml
@@ -0,0 +1,24 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_4_2_3 }}
+service:
+ ufw:
+ title: 4.2.3 | Ensure ufw service is enabled
+ running: true
+ enabled: true
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 4.2.3
+ CISv8:
+ - 4.4
+ - 4.5
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - SC-7
+ {{ end }}
+{{ end }}
diff --git a/section_4/cis_4.2/cis_4.2.4.yml b/section_4/cis_4.2/cis_4.2.4.yml
new file mode 100644
index 0000000..b6dbaa8
--- /dev/null
+++ b/section_4/cis_4.2/cis_4.2.4.yml
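Review bot: The `ipv6_all_rtr_adverts` stdout pattern `/^net.ipv6.conf.all.accept_ra = 0/` only matches one space on each side of `=`, whereas `ipv6_def_rtr_adverts` accepts `(\s|)=(\s|)0`; `accept_ra=0` would pass one check and fail the other, so both should use `\s*=\s*0` (and both still need the `filename:` prefix noted on the ipv6 3.3.5 hunk). This hunk also tags its four entries with `Mitre_*` keys where every other file in the commit carries `NIST800-53R5`; if the report tooling groups by that key these results will be missing from it, so consider keeping the NIST mapping alongside the Mitre keys.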
@@ -0,0 +1,33 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_4_2_4 }}
+command:
+ ufw_loopback:
+ title: 4.2.4 | Ensure ufw loopback traffic is configured
+ exec: ufw status verbose
+ exit-status: 0
+ stdout:
+ - '/^Anywhere on lo\s+ ALLOW IN\s+ Anywhere/'
+ - '/^Anywhere\s+DENY IN\s+127.0.0.0\/8/'
+ - '/^Anywhere\s+ ALLOW OUT\s+ Anywhere on lo/'
+ {{ if .Vars.ubtu24cis_ipv6_required}}
+ - '/^Anywhere \(v6\) on lo\s+ALLOW IN\s+Anywhere \(v6\)/'
+ - '/^Anywhere \(v6\)\s+DENY IN\s+::1/'
+ - '/^Anywhere \(v6\)\s+ALLOW OUT\s+Anywhere \(v6\) on lo/'
+ {{ end }}
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 4.2.4
+ CISv8:
+ - 4.4
+ - 4.5
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - SC-7
+ {{ end }}
+{{ end }}
diff --git a/section_4/cis_4.2/cis_4.2.5.yml b/section_4/cis_4.2/cis_4.2.5.yml
new file mode 100644
index 0000000..bac29b0
--- /dev/null
+++ b/section_4/cis_4.2/cis_4.2.5.yml
@@ -0,0 +1,26 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_4_2_5 }}
+command:
+ ufw_outbound:
+ title: 4.2.5 | Ensure ufw outbound connections are configured | Manual
+ exec: echo "Manual - Please confirm firewall outbound Policies match site policies"
+ exit-status: 0
+ stdout:
+ - '!/^Manual/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 4.2.5
+ CISv8:
+ - 4.4
+ - 4.5
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - SC-7
+ {{ end }}
+{{ end }}
diff --git a/section_4/cis_4.2/cis_4.2.6.yml b/section_4/cis_4.2/cis_4.2.6.yml
new file mode 100644
index 0000000..af52120
--- /dev/null
+++ b/section_4/cis_4.2/cis_4.2.6.yml
@@ -0,0 +1,26 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_4_2_6 }}
+command:
+ ufw_open_ports:
+ title: 4.2.6 | Ensure ufw firewall rules exist for all open ports | Manual
+ exec: echo "Manual - Please confirm firewall rules exist for open ports match site policies"
+ exit-status: 0
+ stdout:
+ - '!/^Manual/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 4.2.6
+ CISv8:
+ - 4.4
+ - 4.5
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - SC-7
+ {{ end }}
+{{ end }}
diff --git a/section_4/cis_4.2/cis_4.2.7.yml b/section_4/cis_4.2/cis_4.2.7.yml
new file mode 100644
index 0000000..b4d2f3d
--- /dev/null
+++ b/section_4/cis_4.2/cis_4.2.7.yml
@@ -0,0 +1,26 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_4_2_7 }}
+command:
+ ufw_def_deny:
+ title: 4.2.7 | Ensure ufw default deny firewall policy
+ exec: 'ufw status verbose | grep Default:'
+ exit-status: 0
+ stdout:
+ - '/^Default: deny \(incoming\), deny \(outgoing\), disabled \(routed\)/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 4.2.7
+ CISv8:
+ - 4.4
+ - 4.5
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - SC-7
+ {{ end }}
+{{ end }}
diff --git a/section_4/cis_4.3/cis_4.3.1.yml b/section_4/cis_4.3/cis_4.3.1.yml
new file mode 100644
index 0000000..27f763a
--- /dev/null
+++ b/section_4/cis_4.3/cis_4.3.1.yml
@@ -0,0 +1,23 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_4_3_1 }}
+package:
+ nftables:
+ title: 4.3.1 | Ensure nftables is installed
+ installed: true
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 4.3.1
+ CISv8:
+ - 4.4
+ - 4.5
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - SC-7
+ {{ end }}
+{{ end }}
diff --git a/section_4/cis_4.3/cis_4.3.10.yml b/section_4/cis_4.3/cis_4.3.10.yml
new file mode 100644
index 0000000..c34d4bf
--- /dev/null
+++ b/section_4/cis_4.3/cis_4.3.10.yml
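Review bot: The `ufw_def_deny` stdout pattern in cis_4.2.7.yml accepts only `deny (incoming), deny (outgoing), disabled (routed)`; as far as I recall, the benchmark's audit text for this control also accepts `reject` for each direction and `deny` for routed, so a site running those settings would be failed by this check. A pattern such as `'/^Default: (deny|reject) \(incoming\), (deny|reject) \(outgoing\), (deny|reject|disabled) \(routed\)/'` would cover what the benchmark allows; worth confirming against the benchmark wording before widening it.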
@@ -0,0 +1,46 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_4_3_10 }}
+file:
+ nftable_perm:
+ title: 4.3.10 | Ensure nftables rules are permanent | conf file exists
+ path: /etc/nftables.conf
+ exists: true
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 4.3.10
+ CISv8:
+ - 4.4
+ - 4.5
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CA-9
+ - SC-7
+command:
+ nft_rules:
+ title: 4.3.10 | Ensure nftables rules are permanent | conf file exists
+ exec: echo "Manual - Please review nfttables configuration and matches site policy"
+ exit-status: 0
+ stdout:
+ - '!/.*/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 4.3.10
+ CISv8:
+ - 4.4
+ - 4.5
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CA-9
+ - SC-7
+ {{ end }}
+{{ end }}
diff --git a/section_4/cis_4.3/cis_4.3.2.yml b/section_4/cis_4.3/cis_4.3.2.yml
new file mode 100644
index 0000000..300b7c3
--- /dev/null
+++ b/section_4/cis_4.3/cis_4.3.2.yml
@@ -0,0 +1,23 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_4_3_2 }}
+package:
+ ufw:
+ title: 4.3.2 | Ensure ufw is uninstalled or disabled with nftables
+ installed: false
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 4.3.2
+ CISv8:
+ - 4.4
+ - 4.5
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - SC-7
+ {{ end }}
+{{ end }}
diff --git a/section_4/cis_4.3/cis_4.3.3.yml b/section_4/cis_4.3/cis_4.3.3.yml
new file mode 100644
index 0000000..a0e2bd5
--- /dev/null
+++ b/section_4/cis_4.3/cis_4.3.3.yml
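Review bot: Both entries in the cis_4.3.10.yml hunk carry the title `4.3.10 | Ensure nftables rules are permanent | conf file exists`, but the second is the manual-review prompt rather than an existence check, so the report will show two identically named results; the command entry should be titled along the lines of `4.3.10 | Ensure nftables rules are permanent | Manual`, matching the other manual checks in section 4.3. The echo text also misspells `nfttables` (here and in the 4.3.4–4.3.8 prompts), and this entry negates `/.*/` where every other manual prompt negates `/^Manual/`; the outcome is the same, but one form should be used throughout.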
@@ -0,0 +1,53 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_4_3_3 }}
+command:
+ iptables_flushed:
+ title: 4.3.3 | Ensure iptables are flushed with nftables | iptable IPv4 flushed
+ exec: iptables -L
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '!/^.*/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 4.3.3
+ CISv8:
+ - 4.4
+ - 4.5
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CA-9
+ - SC-7
+ ip6tables_flushed:
+ title: 4.3.3 | Ensure iptables are flushed with nftables | iptable IPv4 flushed
+ exec: ip6tables -L
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '!/^.*/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 4.3.3
+ CISv8:
+ - 4.4
+ - 4.5
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - SC-7
+ - CA-9
+ {{ end }}
+{{ end }}
diff --git a/section_4/cis_4.3/cis_4.3.4.yml b/section_4/cis_4.3/cis_4.3.4.yml
new file mode 100644
index 0000000..f7d0e85
--- /dev/null
+++ b/section_4/cis_4.3/cis_4.3.4.yml
@@ -0,0 +1,27 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_4_3_4 }}
+command:
+ nft_tables:
+ title: 4.3.4 | Ensure a nftables table exists | Manual
+ exec: echo "Manual - Please confirm nfttables table exists and matched site policy"
+ exit-status: 0
+ stdout:
+ - '!/^Manual/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 4.3.4
+ CISv8:
+ - 4.4
+ - 4.5
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CA-9
+ - SC-7
+ {{ end }}
+{{ end }}
diff --git a/section_4/cis_4.3/cis_4.3.5.yml b/section_4/cis_4.3/cis_4.3.5.yml
new file mode 100644
index 0000000..30e7b7e
--- /dev/null
+++ b/section_4/cis_4.3/cis_4.3.5.yml
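Review bot: `iptables -L` prints the built-in chain headers (`Chain INPUT (policy ACCEPT)` plus a column line) even when no rules are loaded, so the negated `'!/^.*/'` pattern in cis_4.3.3.yml fails on any output and neither entry can pass on a compliant host. Listing in rule-spec form and rejecting only rule lines is reliable: `exec: iptables -S` with `- '!/^-A /'`, and likewise `ip6tables -S` for the second entry. The second entry's title also still reads `iptable IPv4 flushed` although it runs `ip6tables`.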
@@ -0,0 +1,25 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_4_3_5 }}
+command:
+ nft_chains:
+ title: 4.3.5 | Ensure nftables base chains exist
+ exec: echo "Manual - Please confirm nfttables base chain exists and matched site policy"
+ exit-status: 0
+ stdout:
+ - '!/^Manual/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 4.3.5
+ CISv8:
+ - 4.4
+ - 4.5
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: NA
+ {{ end }}
+{{ end }}
diff --git a/section_4/cis_4.3/cis_4.3.6.yml b/section_4/cis_4.3/cis_4.3.6.yml
new file mode 100644
index 0000000..43ba05c
--- /dev/null
+++ b/section_4/cis_4.3/cis_4.3.6.yml
@@ -0,0 +1,27 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_4_3_6 }}
+command:
+ nft_loopback:
+ title: 4.3.6 | Ensure nftables loopback traffic is configured | Manual
+ exec: echo "Manual - Please confirm nfttables loopback traffic configured and matched site policy"
+ exit-status: 0
+ stdout:
+ - '!/^Manual/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 4.3.6
+ CISv8:
+ - 4.4
+ - 4.5
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CA-9
+ - SC-7
+ {{ end }}
+{{ end }}
diff --git a/section_4/cis_4.3/cis_4.3.7.yml b/section_4/cis_4.3/cis_4.3.7.yml
new file mode 100644
index 0000000..f0e1875
--- /dev/null
+++ b/section_4/cis_4.3/cis_4.3.7.yml
@@ -0,0 +1,27 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_4_3_7 }}
+command:
+ nft_conns:
+ title: 4.3.7 | Ensure nftables outbound and established connections are configured | Manual
+ exec: echo "Manual - Please confirm nfttables connections are configured and matched site policy"
+ exit-status: 0
+ stdout:
+ - '!/^Manual/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 4.3.7
+ CISv8:
+ - 4.4
+ - 4.5
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CA-9
+ - SC-7
+ {{ end }}
+{{ end }}
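Review bot: `NIST800-53R5: NA` in cis_4.3.5.yml is a plain scalar where every other file in the commit gives this key a list; a consumer that iterates the value will either break or treat the two letters as items. Write an empty list, `NIST800-53R5: []`, or omit the key when no mapping applies. This is also the only manual-review entry in section 4.3 whose title lacks the `| Manual` suffix.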
diff --git a/section_4/cis_4.3/cis_4.3.8.yml b/section_4/cis_4.3/cis_4.3.8.yml
new file mode 100644
index 0000000..a28a00e
--- /dev/null
+++ b/section_4/cis_4.3/cis_4.3.8.yml
@@ -0,0 +1,27 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_4_3_8 }}
+command:
+ nft_def_deny:
+ title: 4.3.8 | Ensure nftables default deny firewall policy | Manual
+ exec: echo "Manual - Please confirm nfttables default denies are configured and matched site policy"
+ exit-status: 0
+ stdout:
+ - '!/^Manual/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 4.3.8
+ CISv8:
+ - 4.4
+ - 4.5
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CA-9
+ - SC-7
+ {{ end }}
+{{ end }}
diff --git a/section_4/cis_4.3/cis_4.3.9.yml b/section_4/cis_4.3/cis_4.3.9.yml
new file mode 100644
index 0000000..d12d4ff
--- /dev/null
+++ b/section_4/cis_4.3/cis_4.3.9.yml
@@ -0,0 +1,25 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_4_3_9 }}
+service:
+ nftables:
+ title: 4.3.9 | Ensure nftables service is enabled
+ running: true
+ enabled: true
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 4.3.9
+ CISv8:
+ - 4.4
+ - 4.5
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CA-9
+ - SC-7
+ {{ end }}
+{{ end }}
diff --git a/section_4/cis_4.4/cis_4.4.1.1.yml b/section_4/cis_4.4/cis_4.4.1.1.yml
new file mode 100644
index 0000000..92994d5
--- /dev/null
+++ b/section_4/cis_4.4/cis_4.4.1.1.yml
@@ -0,0 +1,41 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_4_4_1_1 }}
+package:
+ iptables:
+ title: 4.4.1.1 | Ensure iptables packages are installed | iptables pkg
+ installed: true
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 4.4.1.1
+ CISv8:
+ - 4.4
+ - 4.5
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CA-9
+ - SC-7
+ iptables-persistent:
+ title: 4.4.1.1 | Ensure iptables packages are installed | iptables-persistent pkg
+ installed: true
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 4.4.1.1
+ CISv8:
+ - 4.4
+ - 4.5
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CA-9
+ - SC-7
+ {{ end }}
+{{ end }}
diff --git a/section_4/cis_4.4/cis_4.4.1.2.yml b/section_4/cis_4.4/cis_4.4.1.2.yml
new file mode 100644
index 0000000..d7ac7b3
--- /dev/null
+++ b/section_4/cis_4.4/cis_4.4.1.2.yml
@@ -0,0 +1,24 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_4_4_1_2 }}
+package:
+ nftables:
+ title: 4.4.1.2 | Ensure nftables is not installed with iptables
+ installed: false
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 4.4.1.2
+ CISv8:
+ - 4.4
+ - 4.5
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CA-9
+ - SC-7
+ {{ end }}
+{{ end }}
diff --git a/section_4/cis_4.4/cis_4.4.1.3.yml b/section_4/cis_4.4/cis_4.4.1.3.yml
new file mode 100644
index 0000000..49cbdfa
--- /dev/null
+++ b/section_4/cis_4.4/cis_4.4.1.3.yml
@@ -0,0 +1,24 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_4_3_1_3 }}
+package:
+ ufw:
+ title: 4.3.1.3 | Ensure ufw is not in use with iptables
+ installed: false
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 4.3.1.3
+ CISv8:
+ - 4.4
+ - 4.5
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CA-9
+ - SC-7
+ {{ end }}
+{{ end }}
diff --git a/section_4/cis_4.4/cis_4.4.2.1.yml b/section_4/cis_4.4/cis_4.4.2.1.yml
new file mode 100644
index 0000000..14ec0ca
--- /dev/null
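Review bot: The gate variable, title and CIS_ID in cis_4.4.1.3.yml all use 4.3.1.3 numbering (`{{ if .Vars.ubtu24cis_rule_4_3_1_3 }}`, `title: 4.3.1.3 | ...`, `- 4.3.1.3`) while the file name and the rules around it are 4.4.x. If the vars file defines `ubtu24cis_rule_4_4_1_3` as the other rules suggest, this template condition is never true and the check is silently skipped; if it does run, the result is filed under the wrong control. The same 4.3.x numbering appears in every cis_4.4.2.x and cis_4.4.3.x hunk that follows.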
+++ b/section_4/cis_4.4/cis_4.4.2.1.yml
@@ -0,0 +1,27 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_4_3_2_1 }}
+command:
+ ipt_def_deny:
+ title: 4.3.2.1 | Ensure iptables default deny firewall policy | Manual
+ exec: echo "Manual - Please confirm iptables default denies are configured and matched site policy"
+ exit-status: 0
+ stdout:
+ - '!/^Manual/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 4.3.2.1
+ CISv8:
+ - 4.4
+ - 4.5
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CA-9
+ - SC-7
+ {{ end }}
+{{ end }}
diff --git a/section_4/cis_4.4/cis_4.4.2.2.yml b/section_4/cis_4.4/cis_4.4.2.2.yml
new file mode 100644
index 0000000..d4c6af5
--- /dev/null
+++ b/section_4/cis_4.4/cis_4.4.2.2.yml
@@ -0,0 +1,27 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_4_3_2_2 }}
+command:
+ ipt_loopback:
+ title: 4.3.2.2 | Ensure iptables loopback traffic is configured | Manual
+ exec: echo "Manual - Please confirm iptables loopback connections are configured and matched site policy"
+ exit-status: 0
+ stdout:
+ - '!/^Manual/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 4.3.2.2
+ CISv8:
+ - 4.4
+ - 4.5
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CA-9
+ - SC-7
+ {{ end }}
+{{ end }}
diff --git a/section_4/cis_4.4/cis_4.4.2.3.yml b/section_4/cis_4.4/cis_4.4.2.3.yml
new file mode 100644
index 0000000..40f1e42
--- /dev/null
+++ b/section_4/cis_4.4/cis_4.4.2.3.yml
@@ -0,0 +1,25 @@
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_4_3_2_3 }}
+command:
+ ipt_conns_config:
+ title: 4.3.2.3 | Ensure iptables outbound and established connections are configured | Manual
+ exec: echo "Manual - Please confirm iptables outbound and connections are configured and matched site policy"
+ exit-status: 0
+ stdout:
+ - '!/^Manual/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 4.3.2.3
+ CISv8:
+ - 4.4
+ - 4.5
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CA-9
+ - SC-7
+ {{ end }}
+{{ end }}
diff --git a/section_4/cis_4.4/cis_4.4.2.4.yml b/section_4/cis_4.4/cis_4.4.2.4.yml
new file mode 100644
index 0000000..9e23f61
--- /dev/null
+++ b/section_4/cis_4.4/cis_4.4.2.4.yml
@@ -0,0 +1,27 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_4_3_2_4 }}
+command:
+ ipt_open_ports:
+ title: 4.3.2.4 | Ensure iptables firewall rules exist for all open ports
+ exec: echo "Manual - Please confirm iptables rules for open ports configured and matched site policy"
+ exit-status: 0
+ stdout:
+ - '!/^Manual/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 4.3.2.4
+ CISv8:
+ - 4.4
+ - 4.5
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CA-9
+ - SC-7
+ {{ end }}
+{{ end }}
diff --git a/section_4/cis_4.4/cis_4.4.3.1.yml b/section_4/cis_4.4/cis_4.4.3.1.yml
new file mode 100644
index 0000000..e91ee10
--- /dev/null
+++ b/section_4/cis_4.4/cis_4.4.3.1.yml
@@ -0,0 +1,27 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_4_3_3_1 }}
+command:
+ ipt6_def_deny:
+ title: 4.3.3.1 | Ensure ip6tables default deny firewall policy | Manual
+ exec: echo "Manual - Please confirm ip6tables default denies are configured and matched site policy"
+ exit-status: 0
+ stdout:
+ - '!/^Manual/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 4.3.3.1
+ CISv8:
+ - 4.4
+ - 4.5
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CA-9
+ - SC-7
+ {{ end }}
+{{ end }}
diff --git a/section_4/cis_4.4/cis_4.4.3.2.yml b/section_4/cis_4.4/cis_4.4.3.2.yml
new file mode 100644
index 0000000..398875c
--- /dev/null
+++ b/section_4/cis_4.4/cis_4.4.3.2.yml
@@ -0,0 +1,27 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_4_3_3_2 }}
+command:
+ ipt6_loopback:
+ title: 4.3.3.2 | Ensure ip6tables loopback traffic is configured | Manual
+ exec: echo "Manual - Please confirm ip6tables loopback connections are configured and matched site policy"
+ exit-status: 0
+ stdout:
+ - '!/^Manual/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 4.3.3.2
+ CISv8:
+ - 4.4
+ - 4.5
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CA-9
+ - SC-7
+ {{ end }}
+{{ end }}
diff --git a/section_4/cis_4.4/cis_4.4.3.3.yml b/section_4/cis_4.4/cis_4.4.3.3.yml
new file mode 100644
index 0000000..5da09a4
--- /dev/null
+++ b/section_4/cis_4.4/cis_4.4.3.3.yml
@@ -0,0 +1,27 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_4_3_3_3 }}
+command:
+ ipt6_conns_config:
+ title: 4.3.3.3 | Ensure ip6tables outbound and established connections are configured | Manual
+ exec: echo "Manual - Please confirm ip6tables outbound and connections are configured and matched site policy"
+ exit-status: 0
+ stdout:
+ - '!/^Manual/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 4.3.3.3
+ CISv8:
+ - 4.4
+ - 4.5
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CA-9
+ - SC-7
+ {{ end }}
+{{ end }}
diff --git a/section_4/cis_4.4/cis_4.4.3.4.yml b/section_4/cis_4.4/cis_4.4.3.4.yml
new file mode 100644
index 0000000..6c5dc30
--- /dev/null
+++ b/section_4/cis_4.4/cis_4.4.3.4.yml
@@ -0,0 +1,27 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_4_3_3_4 }}
+command:
+ ipt6_open_ports:
+ title: 4.3.3.4 | Ensure ip6tables firewall rules exist for all open ports | Manual
+ exec: echo "Manual - Please confirm ip6tables rules for open ports configured and matched site policy"
+ exit-status: 0
+ stdout:
+ - '!/^Manual/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 4.3.3.4
+ CISv8:
+ - 4.4
+ - 4.5
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CA-9
+ - SC-7
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.1/cis_5.1.1.yml b/section_5/cis_5.1/cis_5.1.1.yml
new file mode 100644
index 0000000..599b24f
--- /dev/null
+++ b/section_5/cis_5.1/cis_5.1.1.yml
@@ -0,0 +1,27 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_1_1 }}
+file:
+ sshd_config_perms:
+ title: 5.1.1 | Ensure permissions on /etc/ssh/sshd_config are configured
+ path: /etc/ssh/sshd_config
+ exists: true
+ mode: "0600"
+ owner: root
+ group: root
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.1.1
+ CISv8:
+ - 3.3
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - AC-3
+ - MP-2
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.1/cis_5.1.10.yml b/section_5/cis_5.1/cis_5.1.10.yml
new file mode 100644
index 0000000..cfd4a72
--- /dev/null
+++ b/section_5/cis_5.1/cis_5.1.10.yml
@@ -0,0 +1,30 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_1_10 }}
+file:
+ ssh_hostbased_auth:
+ title: 5.1.10 | Ensure SSH HostbasedAuthentication is disabled
+ path: /etc/ssh/sshd_config
+ exists: true
+ contents:
+ - '/^(?i)HostbasedAuthentication no/'
+ - '!/^(?i)HostbasedAuthentication yes/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.1.10
+ CISv8:
+ - 4.1
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.1/cis_5.1.11.yml b/section_5/cis_5.1/cis_5.1.11.yml
new file mode 100644
index 0000000..ab66ab9
--- /dev/null
+++ b/section_5/cis_5.1/cis_5.1.11.yml
@@ -0,0 +1,30 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_1_11 }}
+file:
+ ssh_rhosts:
+ title: 5.1.11 | Ensure sshd IgnoreRhosts is enabled
+ path: /etc/ssh/sshd_config
+ exists: true
+ contents:
+ - '/^(?i)Ignorerhosts yes/'
+ - '!/^(?i)Ignorerhosts no/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.1.11
+ CISv8:
+ - 4.1
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.1/cis_5.1.12.yml b/section_5/cis_5.1/cis_5.1.12.yml
new file mode 100644
index 0000000..1166766
--- /dev/null
+++ b/section_5/cis_5.1/cis_5.1.12.yml
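Review bot: The `contents` patterns in cis_5.1.10.yml test only `/etc/ssh/sshd_config`, but the Ubuntu-shipped file begins with `Include /etc/ssh/sshd_config.d/*.conf` and sshd keeps the first value it reads for each keyword, so a drop-in that sets `HostbasedAuthentication yes` takes effect while this check still passes on the `no` in the main file. Checking the effective configuration avoids that: a `command` entry with `exec: sshd -T` and stdout `- '/^hostbasedauthentication no$/'`. The same limitation applies to the 5.1.11, 5.1.12 and 5.1.14–5.1.16 file checks that follow.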
@@ -0,0 +1,28 @@ +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_1_12 }} +file: + sshd_KEX: + title: 5.1.12 | Ensure sshd Kex algorithms is configured + path: /etc/ssh/sshd_config + exists: true + contents: + {{ range .Vars.ubtu24cis_ssh_strong_kex }} + - '/^KexAlgorithms.*{{ . }}/' + {{ end }} + {{ range .Vars.ubtu24cis_ssh_weak_kex }} + - '!/^KexAlgorithms.*!{{ . }}/' + {{ end }} + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.12 + CISv8: + - 3.10 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - SC-8 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.13.yml b/section_5/cis_5.1/cis_5.1.13.yml new file mode 100644 index 0000000..75bceb9 --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.13.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_1_13 }} +file: + ssh_logingrace: + title: 5.1.21 | Ensure sshd LoginGraceTime is configured + path: /etc/ssh/sshd_config + exists: true + contents: + - '/^(?i)LoginGraceTime ([1-9]|[1-5][0-9]|60)$/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.13 + CISv8: + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-6 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.14.yml b/section_5/cis_5.1/cis_5.1.14.yml new file mode 100644 index 0000000..c8da9c8 --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.14.yml @@ -0,0 +1,28 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_1_14 }} +file: + ssh_loglevel: + title: 5.1.14 | Ensure sshd LogLevel is configured + path: /etc/ssh/sshd_config + exists: true + contents: + - '/LogLevel (VERBOSE|INFO)/' + - '!/^LogLevel DEBUG/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.14 + CISv8: + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - AU-12 + - SI-5 + {{ end }} +{{ end }} 
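Review bot: The weak-KEX pattern in `sshd_KEX`, `'!/^KexAlgorithms.*!{{ . }}/'`, carries a stray `!` before the algorithm name, so the regex only matches a literal `!` inside the directive and a weak algorithm on the KexAlgorithms line is never flagged; the sibling 5.1.6 and 5.1.15 tests use `'!/^Ciphers.*{{ . }}/'` and `'!/(?i)^MACs.*{{ . }}/'`. It should read `- '!/^KexAlgorithms.*{{ . }}/'`. This file (and 5.1.17) is also missing the leading `---` document marker that every other file in the set has.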
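Review bot: The title in `ssh_logingrace` reads `5.1.21 | Ensure sshd LoginGraceTime is configured` while the filename and `CIS_ID` say 5.1.13, so the finding will be misattributed in the report; change it to `title: 5.1.13 | Ensure sshd LoginGraceTime is configured`.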
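Review bot: Both `ssh_loglevel` patterns are unanchored, so the commented `#LogLevel INFO` line present in the default sshd_config satisfies `'/LogLevel (VERBOSE|INFO)/'` and the test passes on a host where the directive is not active. Anchor them the way the neighbouring tests do: `'/^(?i)LogLevel (VERBOSE|INFO)$/'` and `'!/^(?i)LogLevel DEBUG/'`.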
diff --git a/section_5/cis_5.1/cis_5.1.15.yml b/section_5/cis_5.1/cis_5.1.15.yml new file mode 100644 index 0000000..513f4b9 --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.15.yml @@ -0,0 +1,34 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_1_15 }} +file: + sshd_MACS: + title: 5.1.15 | Ensure only strong MACs are used + path: /etc/ssh/sshd_config + exists: true + contents: + {{ range .Vars.ubtu24cis_ssh_strong_macs }} + - '/(?i)^MACs.*{{ . }}/' + {{ end }} + {{ range .Vars.ubtu24cis_ssh_weak_macs }} + - '!/(?i)^MACs.*{{ . }}/' + {{ end }} + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.15 + CISv8: + - 3.10 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.16.yml b/section_5/cis_5.1/cis_5.1.16.yml new file mode 100644 index 0000000..e90adf9 --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.16.yml @@ -0,0 +1,26 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_1_16 }} +file: + sshd_authtries: + title: 5.1.16 | Ensure sshd MaxAuthTries is configured + path: /etc/ssh/sshd_config + exists: true + contents: + - '/(?i)maxauthtries [1-4]/' + - '!/(?i)maxauthtries ([5-9]|[1-9]{2,})/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.16 + CISv8: + - 8.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.17.yml b/section_5/cis_5.1/cis_5.1.17.yml new file mode 100644 index 0000000..d1e8acd --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.17.yml 
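Review bot: Neither `sshd_authtries` pattern is anchored at either end, so `MaxAuthTries 10` passes (`[1-4]` matches the leading 1 and `[1-9]{2,}` cannot match a value containing 0), while the commented default `#MaxAuthTries 6` in the shipped file trips the negative pattern and fails a host that never set the directive. Suggest `'/^(?i)MaxAuthTries [1-4]$/'` and `'!/^(?i)MaxAuthTries ([5-9]|[1-9][0-9]+)$/'`.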
@@ -0,0 +1,27 @@ +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_1_17 }} +file: + ssh_maxsessions: + title: 5.1.17 | Ensure SSH MaxSessions is limited + path: /etc/ssh/sshd_config + exists: true + contents: + - '/^(?i)MaxSessions ([2-9]|10)/' + - '!/^MaxSessions (1|1[1-9]|[2-9][0-9]|[1-9]{3,})/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.17 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.18.yml b/section_5/cis_5.1/cis_5.1.18.yml new file mode 100644 index 0000000..4f73456 --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.18.yml @@ -0,0 +1,29 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_1_18 }} +file: + ssh_maxstartups: + title: 5.1.18 | Ensure SSH MaxStartups is configured + path: /etc/ssh/sshd_config + exists: true + contents: + - 'MaxStartups 10:30:60' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.18 + CISv8: + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.19.yml b/section_5/cis_5.1/cis_5.1.19.yml new file mode 100644 index 0000000..a8c86c1 --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.19.yml @@ -0,0 +1,30 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_1_19 }} +file: + ssh_empty_passwd: + title: 5.1.19 | Ensure SSH PermitEmptyPasswords is configured + path: /etc/ssh/sshd_config + exists: true + contents: + - '/^(?i)PermitEmptyPasswords no/' + - '!/^(?i)PermitEmptyPasswords yes/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.19 + CISv8: + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} 
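Review bot: The negative pattern in `ssh_maxsessions`, `'!/^MaxSessions (1|1[1-9]|[2-9][0-9]|[1-9]{3,})/'`, has no end anchor, so its `1` alternative matches the recommended `MaxSessions 10` and a compliant host fails; the positive pattern likewise accepts `MaxSessions 20` through `[2-9]`. Anchor both: `'/^(?i)MaxSessions ([2-9]|10)$/'` and `'!/^(?i)MaxSessions (1|1[1-9]|[2-9][0-9]|[1-9][0-9]{2,})$/'`. The negative also lacks the `(?i)` the positive uses, so a lower-case directive escapes it.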
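Review bot: `'MaxStartups 10:30:60'` in `ssh_maxstartups` is a plain substring match, so the commented `#MaxStartups 10:30:60` line in the default sshd_config satisfies it and the test passes whether or not the directive is active. Use an anchored regex, `'/^(?i)MaxStartups 10:30:60$/'`. The same substring problem affects 5.1.9's `'GSSAPIAuthentication no'`, whose commented default form is also present in the shipped file.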
diff --git a/section_5/cis_5.1/cis_5.1.2.yml b/section_5/cis_5.1/cis_5.1.2.yml new file mode 100644 index 0000000..7f3fdc1 --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.2.yml @@ -0,0 +1,61 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_1_2 }} +command: + /etc/ssh/ssh_host_prv_key_user: + title: 5.1.2 | Ensure permissions on SSH private host key files are configured | user + exec: "userkeys=$(sudo find /etc/ssh/ -name *_key -type f ! -user root ); echo $userkeys" + exit-status: 0 + stdout: ['!/./'] + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.3 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + /etc/ssh/ssh_host_prv_key_group: + title: 5.1.2 | Ensure permissions on SSH private host key files are configured | group + exec: "groupkeys=$(sudo find /etc/ssh/ -name *_key -type f ! -group root ); echo $groupkeys" + exit-status: 0 + stdout: ['!/./'] + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.2 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + /etc/ssh/ssh_host_prv_key_perms: + title: 5.1.2 | Ensure permissions on SSH private host key files are configured | perms + exec: "keyperms=$(sudo find /etc/ssh/ -name *_key -type f -perm /137 ); echo $keyperms" + exit-status: 0 + stdout: ['!/./'] + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.2 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.20.yml b/section_5/cis_5.1/cis_5.1.20.yml new file mode 100644 index 0000000..4087900 --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.20.yml 
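Review bot: The `-name *_key` globs in all three exec strings are unquoted inside the shell command, so if the directory goss runs from holds a matching name the shell expands the pattern before find sees it; write them as `-name '*_key'`. The first test's meta carries `CIS_ID: - 5.1.3` although the file and title are 5.1.2. `echo $userkeys` is only there to flatten the output; `find ... -print` on its own gives the same `'!/./'` decision with less quoting.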
@@ -0,0 +1,26 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_1_20 }} +file: + ssh_permit_root: + title: 5.1.20 | Ensure SSH PermitRootLogin is configured + path: /etc/ssh/sshd_config + exists: true + contents: + - '/^(?i)PermitRootLogin no/' + - '!/^(?i)PermitRootLogin yes/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.20 + CISv8: + - 5.4 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-6 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.21.yml b/section_5/cis_5.1/cis_5.1.21.yml new file mode 100644 index 0000000..6ae4073 --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.21.yml @@ -0,0 +1,30 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_1_21 }} +file: + ssh_userenv: + title: 5.1.21 | Ensure SSH PermitUserEnvironment is disabled + path: /etc/ssh/sshd_config + exists: true + contents: + - '/^(?i)PermitUserEnvironment no/' + - '!/^(?i)PermitUserEnvironment yes/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.21 + CISv8: + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.22.yml b/section_5/cis_5.1/cis_5.1.22.yml new file mode 100644 index 0000000..c684b5c --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.22.yml @@ -0,0 +1,30 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_1_22 }} +file: + ssh_usepam: + title: 5.1.22 | Ensure SSH PAM is enabled + path: /etc/ssh/sshd_config + exists: true + contents: + - 'UsePAM yes' + - '!/^UsePAM no/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.22 + CISv8: + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.3.yml b/section_5/cis_5.1/cis_5.1.3.yml new file mode 100644 index 0000000..69b888d --- /dev/null 
+++ b/section_5/cis_5.1/cis_5.1.3.yml @@ -0,0 +1,61 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_1_3 }} +command: + /etc/ssh/ssh_host_pub_key_user: + title: 5.1.3 | Ensure permissions on SSH pub host key files are configured | user + exec: "userkeys=$(sudo find /etc/ssh/ -name *_key.pub -type f ! -user root ); echo $userkeys" + exit-status: 0 + stdout: ['!/./'] + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.3 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + /etc/ssh/ssh_host_pub_key_group: + title: 5.1.3 | Ensure permissions on SSH private host key files are configured | group + exec: "groupkeys=$(sudo find /etc/ssh/ -name *_key.pub -type f ! -group root ); echo $groupkeys" + exit-status: 0 + stdout: ['!/./'] + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.3 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + /etc/ssh/ssh_host_pub_key_perms: + title: 5.1.3 | Ensure permissions on SSH private host key files are configured | perms + exec: "keysperm=$(sudo find /etc/ssh/ -name *_key.pub -type f -perm /137 ); echo $keyperms" + exit-status: 0 + stdout: ['!/./'] + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.3 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.4.yml b/section_5/cis_5.1/cis_5.1.4.yml new file mode 100644 index 0000000..a233b15 --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.4.yml 
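Review bot: In `/etc/ssh/ssh_host_pub_key_perms` the variable is assigned as `keysperm` but echoed as `$keyperms`, so stdout is always empty and the permissions test can never fail. Once that is fixed, `-perm /137` also tests the other-read bit and would flag the 0644 mode expected for public keys; `-perm /133` matches that expectation. The titles of the group and perms tests still say "private host key files", and the `*_key.pub` globs are unquoted as in 5.1.2.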
@@ -0,0 +1,28 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_1_4 }} +file: + sshd_access_limited: + title: 5.1.4 | Ensure SSH access is configured + path: /etc/ssh/sshd_config + exists: true + contents: + {{ range .Vars.ubtu24cis_sshd_access }} + - {{ . }} + {{ end }} + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.4 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.5.yml b/section_5/cis_5.1/cis_5.1.5.yml new file mode 100644 index 0000000..f691d73 --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.5.yml @@ -0,0 +1,57 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_1_5 }} +file: + ssh_banner: + title: 5.1.5 | Ensure sshd banner is configured | sshd_default + path: /etc/ssh/sshd_config + exists: true + contents: + - 'Banner /etc/issue.net' + - '!/^Banner none/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.5 + CISv8: + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 +command: + ssh_configd_banner: + title: 5.1.5 | Ensure SSH warning banner configured | conf.d banner settings + exec: grep -Eis '^\s*Banner\s+"?none\b'/etc/ssh/sshd_config.d/*.conf + exit-status: + or: + - 0 + - 1 + - 2 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.5 + CISv8: + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.6.yml b/section_5/cis_5.1/cis_5.1.6.yml new file mode 100644 index 0000000..59f85a9 --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.6.yml 
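Review bot: The exec in `ssh_configd_banner` has no space between the closing quote of the pattern and the path, `'^\s*Banner\s+"?none\b'/etc/ssh/sshd_config.d/*.conf`, so the shell passes a single argument, grep treats `...none\b/etc/ssh/sshd_config.d/*.conf` as the pattern and reads stdin; with no input it exits 1, which the `or:` list accepts, and the drop-ins are never inspected. Insert the space: `exec: grep -Eis '^\s*Banner\s+"?none\b' /etc/ssh/sshd_config.d/*.conf`. In 5.1.4, `- {{ . }}` is emitted unquoted into the `contents` list, so a value starting with `/` or containing `: ` or ` #` breaks the rendered YAML; `- '{{ . }}'` is safer.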
@@ -0,0 +1,30 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_1_6 }} +file: + sshd_ciphers: + title: 5.1.6 | Ensure only strong Ciphers are used + path: /etc/ssh/sshd_config + exists: true + contents: + {{ range .Vars.ubtu24cis_ssh_strong_ciphers }} + - '/^Ciphers.*{{ . }}/' + {{ end }} + {{ range .Vars.ubtu24cis_ssh_weak_ciphers }} + - '!/^Ciphers.*{{ . }}/' + {{ end }} + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.6 + CISv8: + - 3.10 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - SC-8 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.7.yml b/section_5/cis_5.1/cis_5.1.7.yml new file mode 100644 index 0000000..bbff7b3 --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.7.yml @@ -0,0 +1,31 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_1_7 }} +file: + sshd_clientalive: + title: 5.1.7 | Ensure sshd ClientAloveInterval and CLientAliveCountMax are configured + path: /etc/ssh/sshd_config + exists: true + contents: + - 'ClientAliveInterval {{ .Vars.ubtu24cis_ssh_aliveinterval }}' + - 'ClientAliveCountMax {{ .Vars.ubtu24cis_ssh_countmax }}' + - '/ClientAliveInterval ([1-9]|[1-2][0-9][0-9]|300)/' + - '/ClientAliveCountMax [0-3]/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.7 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.8.yml b/section_5/cis_5.1/cis_5.1.8.yml new file mode 100644 index 0000000..dcd1ffa --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.8.yml 
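Review bot: The range patterns in `sshd_clientalive` are unanchored, so `'/ClientAliveInterval ([1-9]|[1-2][0-9][0-9]|300)/'` accepts any interval that starts with a non-zero digit (e.g. `ClientAliveInterval 9000`), and `'/ClientAliveCountMax [0-3]/'` is satisfied by the commented `#ClientAliveCountMax 3` default and by a CountMax of 0, which stops sshd from ever dropping an unresponsive session. Anchor them, `'/^(?i)ClientAliveInterval ([1-9]|[1-9][0-9]|[1-2][0-9][0-9]|300)$/'` and `'/^(?i)ClientAliveCountMax [1-3]$/'`, assuming the intended floor for CountMax is 1 as the control's wording suggests. The title also misspells `ClientAloveInterval` and `CLientAliveCountMax`.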
@@ -0,0 +1,26 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_5_1_8 }} +file: + sshd_disableforwarding: + title: 5.1.8 | Ensure sshd DisableForwarding is enabled + path: /etc/ssh/sshd_config + exists: true + contents: + - 'DisableForwarding yes' + - '!/^DisableForwarding no/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 5.1.8 + CISv8: + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.9.yml b/section_5/cis_5.1/cis_5.1.9.yml new file mode 100644 index 0000000..bc50682 --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.9.yml @@ -0,0 +1,26 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_5_1_9 }} +file: + sshd_gssapiauth: + title: 5.1.9 | Ensure sshd GSSAPIAuthentication is disabled + path: /etc/ssh/sshd_config + exists: true + contents: + - 'GSSAPIAuthentication no' + - '!/^GSSAPIAuthentication yes/' + meta: + server: 2 + workstation: 1 + CIS_ID: + - 5.1.9 + CISv8: + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-7 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.2/cis_5.2.1.yml b/section_5/cis_5.2/cis_5.2.1.yml new file mode 100644 index 0000000..0d5c0f4 --- /dev/null +++ b/section_5/cis_5.2/cis_5.2.1.yml @@ -0,0 +1,26 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_2_1 }} +package: + sudo: + title: 5.2.1 | Ensure sudo is installed + installed: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.2.1 + CISv8: + - 5.4 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.2/cis_5.2.2.yml b/section_5/cis_5.2/cis_5.2.2.yml new file mode 100644 index 0000000..f45b0ba --- /dev/null +++ b/section_5/cis_5.2/cis_5.2.2.yml 
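Review bot: `'GSSAPIAuthentication no'` in `sshd_gssapiauth` is a substring match satisfied by the commented `#GSSAPIAuthentication no` line in the default sshd_config, so the test passes regardless of whether the directive is active; use `'/^(?i)GSSAPIAuthentication no$/'` as 5.1.10 does for its directive. The file is gated on `ubtu24cis_level_2` and sets `server: 2` but `workstation: 1`, which disagrees with the neighbouring 5.1.8 (`2`/`2`); one of the two looks like a typo.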
@@ -0,0 +1,44 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_2_2 }} +file: + sudoers_use_pty: + title: 5.2.2 | Ensure sudo commands use pty | Config + path: /etc/sudoers + exists: true + contents: + - '/^Defaults.*\suse_pty/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.2.2 + CISv8: + - 5.4 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-6 +command: + pty_sudoers_d: + title: 5.2.2 | Ensure sudo commands use pty | sudoers.d + exec: "ls -1 /etc/sudoers.d/* > /dev/null 2>&1; if [ '$?' = '0' ]; then grep -c '^Defaults\\s*use_pty' /etc/sudoers.d/*; else echo 99;fi" + exit-status: 0 + stdout: + - '/[0-99]/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.2.2 + CISv8: + - 5.4 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-6 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.2/cis_5.2.3.yml b/section_5/cis_5.2/cis_5.2.3.yml new file mode 100644 index 0000000..c4793d9 --- /dev/null +++ b/section_5/cis_5.2/cis_5.2.3.yml @@ -0,0 +1,27 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_2_3 }} +command: + log_sudoers_d: + title: 5.2.3 | Ensure sudo log file exists | sudoers.d + exec: "grep -Ec '^Defaults logfile=/var/log/*.log' /etc/sudoers /etc/sudoers.d/.*/" + exit-status: + lt: 3 + stdout: + - '/[1:99]/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.2.3 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - AU-12 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.2/cis_5.2.4.yml b/section_5/cis_5.2/cis_5.2.4.yml new file mode 100644 index 0000000..f04f089 --- /dev/null +++ b/section_5/cis_5.2/cis_5.2.4.yml 
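Review bot: In `pty_sudoers_d` the exit status is compared as `[ '$?' = '0' ]` inside single quotes, so `$?` is never expanded, the branch always runs `echo 99`, and the `'/[0-99]/'` pattern is a character class matched by any digit, so the test cannot fail. If the intent is that `use_pty` may live in either location, a single command expresses it: `exec: "grep -Eqs '^Defaults\\s+use_pty' /etc/sudoers /etc/sudoers.d/*"` with `exit-status: 0`. In 5.2.3 the path `/etc/sudoers.d/.*/` expands to the `.` and `..` entries rather than the drop-in files, `'/[1:99]/'` is likewise a character class matched by every `file:count` line including `:0`, and `lt: 3` admits grep's error exit 2, so that test also passes with no logfile configured; `grep -Eqs '^Defaults\s+logfile=' /etc/sudoers /etc/sudoers.d/*` with `exit-status: 0` asserts the control.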
@@ -0,0 +1,28 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_5_2_4 }} +command: + nopasswd_sudoers_d: + title: 5.2.4 | Ensure users must provide password for privilege escalation + exec: grep -R NOPASSWD /etc/sudoers /etc/sudoers.d/* | grep -v '.*\:#' + exit-status: + or: + - 0 + - 1 + stdout: + - '!/.*/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 5.2.4 + CISv8: + - 5.4 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-6 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.2/cis_5.2.5.yml b/section_5/cis_5.2/cis_5.2.5.yml new file mode 100644 index 0000000..a1a55f1 --- /dev/null +++ b/section_5/cis_5.2/cis_5.2.5.yml @@ -0,0 +1,28 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_2_5 }} +command: + authenticate_sudoers: + title: 5.2.5 | Ensure re-authentication for privilege escalation is not disabled globally + exec: 'grep -r "^[^#].*\!authenticate" /etc/sudoers*' + exit-status: + or: + - 0 + - 1 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.2.5 + CISv8: + - 5.4 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-6 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.2/cis_5.2.6.yml b/section_5/cis_5.2/cis_5.2.6.yml new file mode 100644 index 0000000..e008184 --- /dev/null +++ b/section_5/cis_5.2/cis_5.2.6.yml @@ -0,0 +1,26 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_2_6 }} +command: + sudo_timeout: + title: 5.2.6 | Ensure sudo authentication timeout is configured correctly + exec: grep -rP "timestamp_timeout=\K[0-9]*" /etc/sudoers* + exit-status: 0 + stdout: + - '!/timestamp_timeout=(-1|1[6-9]|[2-9][0-9]|[1-9][0-9]{2,})/' + - '/timestamp_timeout=([5-9]|1[0-5])/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.2.6 + CISv8: + - 5.4 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-6 + {{ end }} +{{ end }} 
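Review bot: The comment filter in `nopasswd_sudoers_d`, `grep -v '.*\:#'`, only drops lines where `#` immediately follows the filename colon, so an indented comment such as `  # ... NOPASSWD` in a drop-in is still reported as a finding; `grep -Ev ':\s*#'` covers both forms. The pipeline's exit status is that of the trailing `grep -v`, which is why both 0 and 1 have to be accepted; `grep -REv` over the files in one invocation would keep a single status to check.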
diff --git a/section_5/cis_5.2/cis_5.2.7.yml b/section_5/cis_5.2/cis_5.2.7.yml new file mode 100644 index 0000000..cc7e086 --- /dev/null +++ b/section_5/cis_5.2/cis_5.2.7.yml @@ -0,0 +1,42 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_2_7 }} +file: + su_conf: + title: 5.2.7 | Ensure access to the su command is restricted + path: /etc/pam.d/su + exists: true + contents: + - '/^auth\s+required\s+pam_wheel.so use_uid group={{ .Vars.ubtu24cis_sugroup }}/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.2.7 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-6 +command: + sugroup_etc_group: + title: 5.2.7 | Ensure access to the su command is restricted + exec: grep {{ .Vars.ubtu24cis_sugroup }} /etc/group | awk -F':' '{print $NF}' + exit-status: 0 + stdout: + - '!/^[a-zA-Z]/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.2.7 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-6 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.1/cis_5.3.1.1.yml b/section_5/cis_5.3.1/cis_5.3.1.1.yml new file mode 100644 index 0000000..aab5a33 --- /dev/null +++ b/section_5/cis_5.3.1/cis_5.3.1.1.yml @@ -0,0 +1,27 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_3_1_1 }} +package: + libpam-runtime: + title: 5.3.1.1 | Ensure latest version of pam is installed + installed: true + versions: + not: + - '1.4.0-11ubuntu2.1' + - '1.4.0-11ubuntu2.2' + - '1.4.0-11ubuntu2.3' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.1.1 + CISv8: + - 5.4 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} +{{ end }} + diff --git a/section_5/cis_5.3.1/cis_5.3.1.2.yml b/section_5/cis_5.3.1/cis_5.3.1.2.yml new file mode 100644 index 0000000..d162e6c --- /dev/null +++ b/section_5/cis_5.3.1/cis_5.3.1.2.yml 
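Review bot: `sugroup_etc_group` greps `{{ .Vars.ubtu24cis_sugroup }}` unanchored against /etc/group, so any group whose name merely contains the configured value, or whose member list does, is printed as well, and the templated value is spliced into the shell line unquoted. Anchor it to the group-name field: `exec: grep -E '^{{ .Vars.ubtu24cis_sugroup }}:' /etc/group | awk -F':' '{print $NF}'`. `CISv8: 3.3` is a bare float here while every other file in the set gives a list, which reporting code that iterates the value may not tolerate, and the `pam_wheel.so` regex leaves the dot unescaped.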
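Review bot: The `versions: not:` list in `libpam-runtime` excludes `1.4.0-11ubuntu2.1` to `2.3`, which as far as I can tell are the 22.04 (jammy) revisions; the 24.04 target ships 1.5.3-based libpam packages, so the exclusion never matches and the test collapses to `installed: true`, no longer expressing "latest version". A blocklist cannot express "latest" in any case; either replace it with the noble revisions the benchmark actually calls out or drop the `versions` stanza and document that only presence is checked. The same carried-over list appears in 5.3.1.2 and 5.3.1.3.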
@@ -0,0 +1,26 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_3_1_2 }} +package: + libpam-modules: + title: 5.3.1.2 | Ensure latest version of libpam-modules is installed + installed: true + versions: + not: + - '1.4.0-11ubuntu2.1' + - '1.4.0-11ubuntu2.2' + - '1.4.0-11ubuntu2.3' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.1.2 + CISv8: + - 5.4 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.1/cis_5.3.1.3.yml b/section_5/cis_5.3.1/cis_5.3.1.3.yml new file mode 100644 index 0000000..67e6eb3 --- /dev/null +++ b/section_5/cis_5.3.1/cis_5.3.1.3.yml @@ -0,0 +1,26 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_3_1_3 }} +package: + libpam-pwquality: + title: 5.3.1.3 | Ensure latest version of libpam-pwquality is installed + installed: true + versions: + not: + - '1.4.0-11ubuntu2.1' + - '1.4.0-11ubuntu2.2' + - '1.4.0-11ubuntu2.3' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.1.3 + CISv8: + - 5.4 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.2/cis_5.3.2.1.yml b/section_5/cis_5.3.2/cis_5.3.2.1.yml new file mode 100644 index 0000000..14423f4 --- /dev/null +++ b/section_5/cis_5.3.2/cis_5.3.2.1.yml 
@@ -0,0 +1,79 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_3_2_1 }} +file: + pam_unix_enabled_common_act: + title: 5.3.2.1 | Ensure pam_unix module is enabled + path: /etc/pam.d/common-account + exists: true + contents: + - '/^account\s*\[success=\d new_authtok_reqd=done default=ignore\]\s*pam_unix.so/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.2.1 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - IA-5 + pam_unix_enabled_common_session: + title: 5.3.2.1 | Ensure pam_unix module is enabled + path: /etc/pam.d/common-session + exists: true + contents: + - '/^\s*session\s*required\s+pam_unix.so/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.2.1 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - IA-5 + pam_unix_enabled_common_auth: + title: 5.3.2.1 | Ensure pam_unix module is enabled + path: /etc/pam.d/common-auth + exists: true + contents: + - '/^\s*auth\s+\[success=\d default=.*\]\s+pam_unix.so/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.2.1 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - IA-5 + pam_unix_enabled_common_password: + title: 5.3.2.1 | Ensure pam_unix module is enabled + path: /etc/pam.d/common-password + exists: true + contents: + - '/^\s*password\s+\[success=\d default=.*\]\s+pam_unix.so/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.2.1 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.2/cis_5.3.2.2.yml b/section_5/cis_5.3.2/cis_5.3.2.2.yml new file mode 100644 index 0000000..e1ea732 --- /dev/null +++ b/section_5/cis_5.3.2/cis_5.3.2.2.yml 
@@ -0,0 +1,42 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_3_2_2 }} +file: + pam_faillock_enabled_common_act: + title: 5.3.2.2 | Ensure pam_faillock module is enabled + path: /etc/pam.d/common-account + exists: true + contents: + - '/^\s*account\s+(requisite|required)\s+pam_faillock.so/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.2.2 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + pam_faillock_enabled_common_auth: + title: 5.3.2.2 | Ensure pam_faillock module is enabled + path: /etc/pam.d/common-auth + exists: true + contents: + - '/^\s*auth\s+(requisite|required)\s+pam_faillock.so\s+preauth/' + - '/^auth\s*\[default=die\]\s+pam_faillock.so\s+authfail/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.2.2 + CISv8: + - 6.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.2/cis_5.3.2.3.yml b/section_5/cis_5.3.2/cis_5.3.2.3.yml new file mode 100644 index 0000000..7778c99 --- /dev/null +++ b/section_5/cis_5.3.2/cis_5.3.2.3.yml @@ -0,0 +1,24 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_3_2_3 }} +file: + pam_pwquality_enabled_common_passwd: + title: 5.3.2.3 | Ensure pam_pwquality module is enabled + path: /etc/pam.d/common-password + exists: true + contents: + - '/^\s*password\s+(required|requisite)\s+pam_pwquality.so/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.2.3 + CISv8: + - 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.2/cis_5.3.2.4.yml b/section_5/cis_5.3.2/cis_5.3.2.4.yml new file mode 100644 index 0000000..4b39d19 --- /dev/null +++ b/section_5/cis_5.3.2/cis_5.3.2.4.yml 
@@ -0,0 +1,24 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_3_2_4 }} +file: + pam_pwhistory_enabled_common_passwd: + title: 5.3.2.4 | Ensure pam_pwhistory module is enabled + path: /etc/pam.d/common-password + exists: true + contents: + - '/^\s*password\s+(required|requisite)\s+pam_pwhistory.so/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.2.4 + CISv8: + - 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.3.1/cis_5.3.3.1.1.yml b/section_5/cis_5.3.3.1/cis_5.3.3.1.1.yml new file mode 100644 index 0000000..be19786 --- /dev/null +++ b/section_5/cis_5.3.3.1/cis_5.3.3.1.1.yml @@ -0,0 +1,43 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_3_3_1_1 }} +file: + faillock_attempts_deny: + title: 5.3.3.1.1 | Ensure password failed attempts lockout is configured + path: /etc/security/faillock.conf + exists: true + contents: + - '/^deny\s*=\s*[1-5]$/' + - '!/^deny\s*=\s*([5-9]|[0-9]{2,})/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.1.1 + CISv8: + - 6.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA +command: + faillock_attempts_deny_removed: + title: 5.3.3.1.1 | Ensure password failed attempts lockout is configured + exec: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?deny\b' /usr/share/pam-configs/* + exit-status: 1 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.1.1 + CISv8: + - 6.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.3.1/cis_5.3.3.1.2.yml b/section_5/cis_5.3.3.1/cis_5.3.3.1.2.yml new file mode 100644 index 0000000..b58460f --- /dev/null +++ b/section_5/cis_5.3.3.1/cis_5.3.3.1.2.yml 
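Review bot: The two `faillock_attempts_deny` patterns overlap at 5: `'/^deny\s*=\s*[1-5]$/'` accepts `deny = 5` while `'!/^deny\s*=\s*([5-9]|[0-9]{2,})/'` rejects it, so the recommended maximum fails the check. Change the negative to `'!/^deny\s*=\s*([6-9]|[1-9][0-9]+)/'`, or drop it, since the anchored positive pattern already decides the outcome.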
@@ -0,0 +1,43 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_3_3_1_2 }} +file: + faillock_unlock_time: + title: 5.3.3.1.2 | Ensure password unlock time is configured + path: /etc/security/faillock.conf + exists: true + contents: + - '/^unlock_time\s*=\s*([1-9]|[1-9][0-9]|[1-8][0-9]{1,2}|900)$/' + - '!/^unlock_time\s*=\s*(90[1-9]|9[1-9][0-9]|[1-9][0-9][0-9]{2,})/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.1.2 + CISv8: + - 6.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA +command: + faillock_unlock_time_removed: + title: 5.3.3.1.2 | Ensure password unlock time is configured + exec: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?unlock_time\b' /usr/share/pam-configs/* + exit-status: 1 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.1.2 + CISv8: + - 6.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.3.1/cis_5.3.3.1.3.yml b/section_5/cis_5.3.3.1/cis_5.3.3.1.3.yml new file mode 100644 index 0000000..14d3d2c --- /dev/null +++ b/section_5/cis_5.3.3.1/cis_5.3.3.1.3.yml 
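Review bot: `faillock_unlock_time` accepts `unlock_time` values from 1 to 900 and rejects anything above 900, which reads as the inverse of the control: the benchmark wording for this item asks for 0 (manual unlock) or 900 seconds or more, and a short unlock window undoes the lockout asserted in 5.3.3.1.1. If that reading is right, the patterns become `'/^unlock_time\s*=\s*(0|9[0-9]{2}|[1-9][0-9]{3,})$/'` and `'!/^unlock_time\s*=\s*([1-9]|[1-9][0-9]|[1-8][0-9]{2})$/'`; confirm against the benchmark text before changing.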
@@ -0,0 +1,42 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_5_3_3_1_3 }} +file: + faillock_even_root: + title: 5.3.3.1.3 | Ensure password unlock time is configured + path: /etc/security/faillock.conf + exists: true + contents: + - '/^(even_deny_root|root_unlock_time\s*=\s*([6-9][0-9]|[1-3][0-9]{2,2}))/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 5.3.3.1.3 + CISv8: + - 6.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA +command: + faillock_even_root_removed: + title: 5.3.3.1.3 | Ensure password unlock time is configured + exec: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?(even_deny_root|root_unlock_time)' /usr/share/pam-configs/* + exit-status: 1 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.1.3 + CISv8: + - 6.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.3.2/cis_5.3.3.2.1.yml b/section_5/cis_5.3.3.2/cis_5.3.3.2.1.yml new file mode 100644 index 0000000..16d23fa --- /dev/null +++ b/section_5/cis_5.3.3.2/cis_5.3.3.2.1.yml 
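Review bot: Both titles in this file repeat 5.3.3.1.2's "Ensure password unlock time is configured" although the patterns test `even_deny_root` / `root_unlock_time`; a title naming the root-lockout control keeps the report readable. The accepted range `([6-9][0-9]|[1-3][0-9]{2,2})` caps `root_unlock_time` at 399 seconds even though a longer root unlock window is stricter, not weaker; `([6-9][0-9]|[1-9][0-9]{2,})` drops the cap. The second test's `server: 1` / `workstation: 1` also contradicts the `ubtu24cis_level_2` gate and the first test's `2`/`2`.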
@@ -0,0 +1,45 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_3_3_2_1 }} +command: + password_character_changed: + title: 5.3.3.2.1 | Ensure password number of changed characters is configured + exec: grep -Psi -- '^\h*difok\h*=\h*([2-9]|[1-9][0-9]+)\b' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf + exit-status: + or: + - 0 + - 1 + stdout: + - '/.*\:difok\s*=\s*[2-9]/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.2.1 + CISv8: + - 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 +file: + passwd_change_not_pamd: + title: 5.3.3.2.1 | Ensure password number of changed characters is configured + path: /etc/pam.d/common-password + exists: true + contents: + - '!/^\s+password\s+(requisite|required|sufficient)\s+pam_pwquality\.so\s+([^#\n\r]+\s+)?difok\s*=\s*([0-1])\b/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.2.1 + CISv8: + - 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.3.2/cis_5.3.3.2.2.yml b/section_5/cis_5.3.3.2/cis_5.3.3.2.2.yml new file mode 100644 index 0000000..ef60f3d --- /dev/null +++ b/section_5/cis_5.3.3.2/cis_5.3.3.2.2.yml 
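Review bot: The negative regex in `passwd_change_not_pamd` begins with `^\s+`, which requires at least one leading space, so a `password requisite pam_pwquality.so ... difok=1` line at column 0, the usual layout of common-password, is not matched and the override the test exists to catch is missed; use `^\s*` as the command tests in 5.3.3.2.2 to 5.3.3.2.4 do with `^\h*`. In `password_character_changed`, when /etc/security/pwquality.conf.d holds no `.conf` file the unexpanded glob makes grep exit 2, which the `or:` list does not include; the sibling pwquality checks share that edge.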
@@ -0,0 +1,48 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_3_3_2_2 }} +command: + password_minlen: + title: 5.3.3.2.2 | Ensure minimum password length is configured + exec: grep -Psi -- '^\h*minlen\h*=\h*(1[4-9]|[2-9][0-9]|[1-9][0-9]{2,})\b' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf + exit-status: + or: + - 0 + - 1 + stdout: + - '/.*\:minlen\s*=\s*(1[4-9]|[2-4][0-9])/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.2.2 + CISv8: + - 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + password_minlen_not_pamd: + title: 5.3.3.2.2 | Ensure minimum password length is configured + exec: grep -Psi -- '^\h*password\h+(requisite|required|sufficient)\h+pam_pwquality\.so\h+([^#\n\r]+\h+)?minlen\h*=\h*([0-9]|1[0-3])\b' /etc/pam.d/system-auth /etc/pam.d/common-password + exit-status: + or: + - 0 + - 1 + - 2 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.2.2 + CISv8: + - 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.3.2/cis_5.3.3.2.3.yml b/section_5/cis_5.3.3.2/cis_5.3.3.2.3.yml new file mode 100644 index 0000000..a81ec81 --- /dev/null +++ b/section_5/cis_5.3.3.2/cis_5.3.3.2.3.yml 
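Review bot: `password_minlen_not_pamd` greps `/etc/pam.d/system-auth`, a RHEL-family file that does not exist on Ubuntu, which is presumably why exit 2 had to be tolerated; dropping that path lets the `or:` list shrink to 0 and 1 and stops masking a genuine read error on common-password. The stdout pattern in `password_minlen`, `(1[4-9]|[2-4][0-9])`, also rejects a `minlen` of 50 or more although the exec already accepts it; `(1[4-9]|[2-9][0-9]|[1-9][0-9]{2,})` keeps the two in step.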
@@ -0,0 +1,51 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_3_3_2_3 }} +command: + password_complex: + title: 5.3.3.2.3 | Ensure password complexity is configured + exec: grep -Psi -- '^\h*(minclass|[dulo]credit)\b' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf + exit-status: + or: + - 0 + - 1 + stdout: + - '/.*\:minclass\s*=\s*([1-9]|[1-9][0-9])/' + - '/.*\:ucredit\s*=\s*(0|-\d)/' + - '/.*\:lcredit\s*=\s*(0|-\d)/' + - '/.*\:dcredit\s*=\s*(0|-\d)/' + - '/.*\:ocredit\s*=\s*(0|-\d)/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.2.3 + CISv8: + - 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + password_complex_not_pamd: + title: 5.3.3.2.3 | Ensure password complexity is configured + exec: grep -Psi -- '^\h*password\h+(requisite|required|sufficient)\h+pam_pwquality\.so\h+([^#\n\r]+\h+)?(minclass=\d*|[dulo]credit=-?\d*)\b' /etc/pam.d/common-password + exit-status: + or: + - 0 + - 1 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.2.3 + CISv8: + - 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.3.2/cis_5.3.3.2.4.yml b/section_5/cis_5.3.3.2/cis_5.3.3.2.4.yml new file mode 100644 index 0000000..afe3a08 --- /dev/null +++ b/section_5/cis_5.3.3.2/cis_5.3.3.2.4.yml 
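Review bot: All five stdout patterns on `password_complex` must match, so a host that configures only `minclass` (no `*credit` lines) or only the four credit values fails even though either form is a complete complexity policy on its own; goss has no OR between stdout patterns, so the two forms need to be separate checks or the grep narrowed to one of them. The first pattern also accepts `minclass = 1`, which demands a single character class and therefore imposes no complexity at all. The lower bound should be whatever 5.3.3.2.3 mandates, e.g. `([3-9]|[1-9][0-9])` if three classes is the requirement.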
@@ -0,0 +1,48 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_3_3_2_4 }} +command: + password_consecutive_characters: + title: 5.3.3.2.4 | Ensure password same consecutive characters is configured + exec: grep -Psi -- '^\h*maxrepeat\h*=\h*[1-3]\b' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf + exit-status: + or: + - 0 + - 1 + stdout: + - '/.*\:maxrepeat\s*=\s*[1-3]/' + - '!/.*\:maxrepeat\s*=\s*0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.2.4 + CISv8: + - 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + consecutive_characters_not_pamd: + title: 5.3.3.2.4 | Ensure password same consecutive characters is configured + exec: grep -Psi -- '^\h*password\h+(requisite|required|sufficient)\h+pam_pwquality\.so\h+([^#\n\r]+\h+)?maxrepeat\h*=\h*(0|[4-9]|[1-9][0-9]+)\b' /etc/pam.d/common-password + exit-status: + or: + - 0 + - 1 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.2.4 + CISv8: + - 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.3.2/cis_5.3.3.2.5.yml b/section_5/cis_5.3.3.2/cis_5.3.3.2.5.yml new file mode 100644 index 0000000..6743598 --- /dev/null +++ b/section_5/cis_5.3.3.2/cis_5.3.3.2.5.yml 
@@ -0,0 +1,48 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_3_3_2_5 }} +command: + password_maxseq: + title: 5.3.3.2.5 | Ensure password maximum sequential characters is configured + exec: grep -Psi -- '^\h*maxsequence\h*=\h*[1-3]\b' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf + exit-status: + or: + - 0 + - 1 + stdout: + - '/.*\:maxsequence\s*=\s*[1-3]/' + - '!/.*\:maxsequence\s*=\s*0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.2.5 + CISv8: + - 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + maxseq_not_pamd: + title: 5.3.3.2.5 | Ensure password maximum sequential characters is configured + exec: grep -Psi -- '^\h*password\h+(requisite|required|sufficient)\h+pam_pwquality\.so\h+([^#\n\r]+\h+)?maxsequence\h*=\h*(0|[4-9]|[1-9][0-9]+)\b' /etc/pam.d/common-password + exit-status: + or: + - 0 + - 1 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.2.5 + CISv8: + - 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.3.2/cis_5.3.3.2.6.yml b/section_5/cis_5.3.3.2/cis_5.3.3.2.6.yml new file mode 100644 index 0000000..676bb7b --- /dev/null +++ b/section_5/cis_5.3.3.2/cis_5.3.3.2.6.yml 
@@ -0,0 +1,48 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_3_3_2_6 }}
+command:
+ password_dictchk:
+ title: 5.3.3.2.6 | Ensure password maximum sequential characters is configured
+ exec: grep -Psi -- '^\h*dictcheck\s*=' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '/.*\:dictcheck\s*=\s*1/'
+ - '!/.*\:dictcheck\s*=\s*0/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.3.3.2.6
+ CISv8:
+ - 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: IA-5
+ dictchk_not_pamd:
+ title: 5.3.3.2.6 | Ensure password maximum sequential characters is configured
+ exec: grep -Psi -- '^\h*password\h+(requisite|required|sufficient)\h+pam_pwquality\.so\h+([^#\n\r]+\h+)?dictcheck\h*=\h*0\b' /etc/pam.d/common-password
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '!/.*/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.3.3.2.6
+ CISv8:
+ - 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.3.3.2/cis_5.3.3.2.7.yml b/section_5/cis_5.3.3.2/cis_5.3.3.2.7.yml
new file mode 100644
index 0000000..71fb965
--- /dev/null
+++ b/section_5/cis_5.3.3.2/cis_5.3.3.2.7.yml
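Review bot: Both `title` values in this file say "Ensure password maximum sequential characters is configured", which is the 5.3.3.2.5 wording, while the checks inspect `dictcheck`, so the report shows two identically named results for different controls. `title: 5.3.3.2.6 | Ensure password dictionary check is enabled` on both `password_dictchk` and `dictchk_not_pamd` fixes the labelling.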
@@ -0,0 +1,48 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_3_3_2_7 }} +command: + password_quality_enforce: + title: 5.3.3.2.7 | Ensure password quality checking is enforced + exec: grep -Psi -- '^\h*enforcing\s*=\s*' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf + exit-status: + or: + - 0 + - 1 + stdout: + - '/.*\:enforcing\s*=\s*1/' + - '!/.*\:enforcing\s*=\s*0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.2.7 + CISv8: + - 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + quality_enforce_not_pamd: + title: 5.3.3.2.7 | Ensure password quality checking is enforced + exec: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwquality\.so\h+([^#\n\r]+\h+)?enforcing=0\b' /etc/pam.d/common-password + exit-status: + or: + - 0 + - 1 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.2.7 + CISv8: + - 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.3.2/cis_5.3.3.2.8.yml b/section_5/cis_5.3.3.2/cis_5.3.3.2.8.yml new file mode 100644 index 0000000..884f297 --- /dev/null +++ b/section_5/cis_5.3.3.2/cis_5.3.3.2.8.yml @@ -0,0 +1,28 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_3_3_2_8 }} +command: + password_quality_enforce_root: + title: 5.3.3.2.8 | Ensure password quality checking is enforced + exec: grep -Psi -- '^\s*enforce_for_root\b' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf + exit-status: + or: + - 0 + - 1 + stdout: + - '/.*\:enforce_for_root/' + - '!/.*\:#\s*enforce_for_root\s*=\s*0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.2.7 + CISv8: + - 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.3.3/cis_5.3.3.3.1.yml b/section_5/cis_5.3.3.3/cis_5.3.3.3.1.yml new file mode 100644 index 0000000..c72e507 --- /dev/null 
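Review bot: The `quality_enforce_not_pamd` regex ends in `enforcing=0\b` with no whitespace allowance around `=`, unlike every sibling `*_not_pamd` check in this series which uses `\h*=\h*`, so `enforcing = 0` on the pam_pwquality line in common-password is not detected. Changing that fragment to `enforcing\h*=\h*0\b` aligns it with the rest of the 5.3.3.2.x checks.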
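Review bot: `CIS_ID` in cis_5.3.3.2.8.yml is `5.3.3.2.7` and the title repeats the 5.3.3.2.7 wording, so this result is reported under the wrong control; it needs `- 5.3.3.2.8` and `title: 5.3.3.2.8 | Ensure password quality is enforced for the root user`. The negative pattern `'!/.*\:#\s*enforce_for_root\s*=\s*0/'` can never match because the grep pattern `^\s*enforce_for_root\b` already excludes any line beginning with `#`, so it is dead and can be dropped.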
+++ b/section_5/cis_5.3.3.3/cis_5.3.3.3.1.yml @@ -0,0 +1,41 @@ +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_3_3_3_1 }} +file: + pwhistory_remember_common_passwd: + title: 5.3.3.3.1 | Ensure password history remember is configured | common-password + path: /etc/pam.d/common-password + exists: true + contents: + - '/^\s*password\s*(requisite|required)\s*pam_pwhistory.so.*remember\s*=\s*(2[4-9]|[3-9][0-9])/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.3.1 + CISv8: 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 +command: + pwhistory_remember_pam_configs: + title: 5.3.3.3.1 | Ensure password history remember is configured | pam_configs + exec: for file in `awk '/Password-Type:/{ f = 1;next } /-Type:/{ f = 0 } f {if (/pam_pwhistory\.so/) print FILENAME}' /usr/share/pam-configs/*`; do grep pam_pwhistory $file | grep -v remember; done + exit-status: + or: + - 0 + - 1 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.3.1 + CISv8: 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.3.3/cis_5.3.3.3.2.yml b/section_5/cis_5.3.3.3/cis_5.3.3.3.2.yml new file mode 100644 index 0000000..9b772e4 --- /dev/null +++ b/section_5/cis_5.3.3.3/cis_5.3.3.3.2.yml 
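Review bot: `pwhistory_remember_pam_configs` decides compliance with `grep -v remember`, a bare substring filter, so a pam_pwhistory line that is commented out but mentions `remember` is accepted, as is one whose value is below the 24 the common-password half of this control requires; the two halves therefore enforce different things. Filtering out comments and matching the value, `do grep -P '^\s*[^#\s].*pam_pwhistory\.so' "$file" | grep -Pv '\bremember\s*=\s*(2[4-9]|[3-9][0-9])\b'; done`, makes them consistent and also quotes `$file`. The same construct appears in 5.3.3.3.2 and 5.3.3.3.3 in the next two hunks.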
@@ -0,0 +1,41 @@ +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_3_3_3_2 }} +file: + pwhistory_enforce_for_root: + title: 5.3.3.3.2 | Ensure password history is enforced for the root user | common-password + path: /etc/pam.d/common-password + exists: true + contents: + - '/^\s*password\s*(requisite|required)\s*pam_pwhistory.so.*enforce_for_root/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.3.2 + CISv8: 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 +command: + pwhistory_enforce_for_root_pam_configs: + title: 5.3.3.3.2 | Ensure password history is enforced for the root user | pam_configs + exec: for file in `awk '/Password-Type:/{ f = 1;next } /-Type:/{ f = 0 } f {if (/pam_pwhistory\.so/) print FILENAME}' /usr/share/pam-configs/*`; do grep pam_pwhistory $file | grep -v enforce_for_root; done + exit-status: + or: + - 0 + - 1 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.3.2 + CISv8: 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.3.3/cis_5.3.3.3.3.yml b/section_5/cis_5.3.3.3/cis_5.3.3.3.3.yml new file mode 100644 index 0000000..a811970 --- /dev/null +++ b/section_5/cis_5.3.3.3/cis_5.3.3.3.3.yml 
@@ -0,0 +1,41 @@
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_3_3_3_2 }}
+file:
+ pwhistory_use_authtok:
+ title: 5.3.3.3.2 | Ensure pam_pwhistory includes use_authtok | common-password
+ path: /etc/pam.d/common-password
+ exists: true
+ contents:
+ - '/^\s*password\s*(requisite|required)\s*pam_pwhistory.so.*use_authtok/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.3.3.3.2
+ CISv8: 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: IA-5
+command:
+ pwhistory_use_authtok_pam_configs:
+ title: 5.3.3.3.2 | Ensure pam_pwhistory includes use_authtok | pam_configs
+ exec: for file in `awk '/Password-Type:/{ f = 1;next } /-Type:/{ f = 0 } f {if (/pam_pwhistory\.so/) print FILENAME}' /usr/share/pam-configs/*`; do grep pam_pwhistory $file | grep -v use_authtok; done
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '!/.*/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.3.3.3.2
+ CISv8: 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.3.3.4/cis_5.3.3.4.1.yml b/section_5/cis_5.3.3.4/cis_5.3.3.4.1.yml
new file mode 100644
index 0000000..765a2f2
--- /dev/null
+++ b/section_5/cis_5.3.3.4/cis_5.3.3.4.1.yml
@@ -0,0 +1,24 @@
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_3_3_4_1 }}
+command:
+ pam_unix_nullok_pam_configs:
+ title: 5.3.3.4.1 | Ensure pam_unix does not include nullok
+ exec: grep -PH -- '^\h*^\h*[^#\n\r]+\h+pam_unix\.so\b' /etc/pam.d/common-{password,auth,account,session,session-noninteractive} /usr/share/pam-configs/* | grep -P -- '\bnullok\b'
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '!/.*/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.3.3.4.1
+ CISv8: 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.3.3.4/cis_5.3.3.4.2.yml b/section_5/cis_5.3.3.4/cis_5.3.3.4.2.yml
new file mode 100644
index 0000000..1d88bc0
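Review bot: cis_5.3.3.3.3.yml is gated on `{{ if .Vars.ubtu24cis_rule_5_3_3_3_2 }}` and both titles and both `CIS_ID` entries say `5.3.3.3.2`, so the use_authtok check cannot be toggled independently of 5.3.3.3.2 and its results are attributed to that control. The gate should read `ubtu24cis_rule_5_3_3_3_3` (assuming the vars file defines it alongside the other rule toggles) and the titles and IDs should say `5.3.3.3.3`.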
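Review bot: The exec in `pam_unix_nullok_pam_configs` relies on brace expansion (`/etc/pam.d/common-{password,auth,account,session,session-noninteractive}`); if goss hands the command to `sh -c` and `sh` is dash, as on Ubuntu, the braces are not expanded, grep reports the literal path as missing and exits 2, which is outside the allowed 0/1 and fails the check on every host. Listing the five files explicitly removes the dependency on the shell. The pattern also repeats its anchor (`^\h*^\h*`), harmless but worth trimming to `^\h*`; cis_5.3.3.4.2.yml in the next hunk has both issues.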
--- /dev/null +++ b/section_5/cis_5.3.3.4/cis_5.3.3.4.2.yml @@ -0,0 +1,24 @@ +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_3_3_4_2 }} +command: + pam_unix_remember_pam_configs: + title: 5.3.3.4.2 | Ensure pam_unix does not include remember + exec: grep -PH -- '^\h*^\h*[^#\n\r]+\h+pam_unix\.so\b' /etc/pam.d/common-{password,auth,account,session,session-noninteractive} /usr/share/pam-configs/* | grep -P -- '\bremember\b' + exit-status: + or: + - 0 + - 1 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.4.2 + CISv8: 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.3.4/cis_5.3.3.4.3.yml b/section_5/cis_5.3.3.4/cis_5.3.3.4.3.yml new file mode 100644 index 0000000..94b362a --- /dev/null +++ b/section_5/cis_5.3.3.4/cis_5.3.3.4.3.yml @@ -0,0 +1,24 @@ +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_3_3_4_3 }} +command: + pam_unix_strong_password_pam_configs: + title: 5.3.3.4.3 | Ensure pam_unix includes a strong password hashing algorithm + exec: grep -PH -- '^\h*password\h+([^#\n\r]+)\h+pam_unix\.so\h+([^#\n\r]+\h+)?(sha512|yescrypt)\b' /etc/pam.d/common-password /usr/share/pam-configs/* + exit-status: + or: + - 0 + - 1 + stdout: + - '/.*:password\s+([^#\n\r]+)\s+pam_unix\.so.*(yescrypt|sha512)/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.4.3 + CISv8: 3.11 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3.3.4/cis_5.3.3.4.4.yml b/section_5/cis_5.3.3.4/cis_5.3.3.4.4.yml new file mode 100644 index 0000000..5e6f318 --- /dev/null +++ b/section_5/cis_5.3.3.4/cis_5.3.3.4.4.yml 
@@ -0,0 +1,24 @@ +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_3_3_4_4 }} +command: + pam_unix_use_authtok_pam_configs: + title: 5.3.3.4.4 | Ensure pam_unix includes a use_authtok + exec: grep -PH -- '^\s*password\s+([^#\n\r]+)\s+pam_unix\.so\s+([^#\n\r]+\s+)?use_authtok\b' /etc/pam.d/common-password + exit-status: + or: + - 0 + - 1 + stdout: + - '/.*:password\s+([^#\n\r]+)\s+pam_unix\.so.*use_authtok/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3.4.4 + CISv8: 3.11 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.4.1/cis_5.4.1.1.yml b/section_5/cis_5.4.1/cis_5.4.1.1.yml new file mode 100644 index 0000000..d8180fd --- /dev/null +++ b/section_5/cis_5.4.1/cis_5.4.1.1.yml @@ -0,0 +1,56 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_4_1_1 }} +file: + login_defs_PASS_MAX_DAYS: + title: 5.4.1.1 | Ensure password expiration is configured | logins.def + path: /etc/login.defs + exists: true + contents: + - '/^PASS_MAX_DAYS\s*{{ .Vars.ubtu24cis_pass.max_days }}/' + - '!/^PASS_MAX_DAYS\s*(36[6-9]|[4-9][0-9][0-9]|[1-9][0-9]{3,})/' + - '!/^PASS_MAX_DAYS\s*-1/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.4.1.1 + CISv8: 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 +command: + users_max_pw_expire: + title: 5.4.1.1 | Ensure password expiration is 365 days or less | user_check + exec: "awk -F: '(/^[^:]+:[^!*]/) {print $5}' /etc/shadow" + exit-status: + or: + - 0 + - 1 + stdout: + - '/^(36[0-5]|3[0-5][0-9]|[1-2][0-9][0-9]|[0-9][0-9]|[1-9])$/' + - '!/^(36[6-9]|3[7-9][0-9]|[4-9][0-9]{2,})$/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.4.1.1 + CISv8: 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} 
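Review bot: In `users_max_pw_expire`, an account whose fifth shadow field is empty (no maximum age set) prints an empty line, which neither the positive range pattern nor the `!/^(36[6-9]|...)$/` pattern flags, so an unlimited expiry goes unreported as long as some other user is in range. Printing a sentinel, e.g. `exec: "awk -F: '(/^[^:]+:[^!*]/) {print ($5 == \"\" ? \"unset\" : $5)}' /etc/shadow"` together with `- '!/^unset$/'`, makes those accounts visible. The file check compares against the templated `{{ .Vars.ubtu24cis_pass.max_days }}` while this check hard-codes 365, so the two halves diverge whenever the variable is set lower.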
diff --git a/section_5/cis_5.4.1/cis_5.4.1.2.yml b/section_5/cis_5.4.1/cis_5.4.1.2.yml
new file mode 100644
index 0000000..f2c5760
--- /dev/null
+++ b/section_5/cis_5.4.1/cis_5.4.1.2.yml
@@ -0,0 +1,46 @@
+---
+
+{{ if .Vars.ubtu24cis_level_2 }}
+ {{ if .Vars.ubtu24cis_rule_5_4_1_2 }}
+file:
+ login_defs_PASS_MIN_DAYS:
+ title: 5.4.1.2 | Ensure minimum password age is configured
+ path: /etc/login.defs
+ exists: true
+ contents:
+ - '/^PASS_MIN_DAYS\s{{ .Vars.ubtu24cis_pass.min_days }}/'
+ - '/^PASS_MIN_DAYS\s([1-9]|[1-9][0-9]{2,})/'
+ - '!/^PASS_MIN_DAYS\s*(-[1-9]|0)/'
+ meta:
+ server: 2
+ workstation: 2
+ CIS_ID:
+ - 5.4.1.2
+ CISv8: 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: NA
+command:
+ users_min_pw_expire:
+ title: 5.4.1.1 | Ensure minimum password age is configured | user_check
+ exec: "awk -F: '(/^[^:]+:[^!*]/) {print $4}' /etc/shadow"
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '/^([1-9]|[1-9][0-9]{2,})$/'
+ - '!/^0/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.4.1.1
+ CISv8: 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.4.1/cis_5.4.1.3.yml b/section_5/cis_5.4.1/cis_5.4.1.3.yml
new file mode 100644
index 0000000..9030d8f
--- /dev/null
+++ b/section_5/cis_5.4.1/cis_5.4.1.3.yml
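Review bot: `'/^PASS_MIN_DAYS\s([1-9]|[1-9][0-9]{2,})/'` and the `users_min_pw_expire` pattern `'/^([1-9]|[1-9][0-9]{2,})$/'` both skip two-digit values, so a minimum age of 10–99 days (e.g. `PASS_MIN_DAYS 14`) fails both checks; `[1-9][0-9]*` is the alternation intended in each. The second check is also labelled `5.4.1.1` in its title and `CIS_ID` and carries `server: 1` while the file check in the same document is level 2, and its `NIST800-53R5:` is left empty (parsed as null) where the siblings write `NA`.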
@@ -0,0 +1,45 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_4_1_3 }} +file: + login_def_PASS_WARN_AGE: + title: 5.4.1.3 | Ensure password expiration warning days is configured | logins.def + path: /etc/login.defs + exists: true + contents: + - '/^PASS_WARN_AGE\s*{{ .Vars.ubtu24cis_pass.warn_age }}/' + - '!/^PASS_WARN_AGE\s*[1-6]/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.4.1.3 + CISv8: 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA +command: + user_expire_warn: + title: 5.4.1.3 | Ensure password expiration warning days is configured | user_warning + exec: "awk -F: '(/^[^:]+:[^!*]/) {print $6}' /etc/shadow" + exit-status: + or: + - 0 + - 1 + stdout: + - '/^([7-9]|[1-3][0-9])$/' + - '!/^([0-6]|-1)$/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.4.1.3 + CISv8: 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} +{{ end }} diff --git a/section_5/cis_5.4.1/cis_5.4.1.4.yml b/section_5/cis_5.4.1/cis_5.4.1.4.yml new file mode 100644 index 0000000..ab17230 --- /dev/null +++ b/section_5/cis_5.4.1/cis_5.4.1.4.yml @@ -0,0 +1,24 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_4_1_4 }} +file: + yescrypt_login_defs: + title: 5.4.1.4 | Ensure password hashing algorithm is up to date with the latest standards | common password + path: /etc/login.defs + exists: true + contents: + - '/^ENCRYPT_METHOD (YESCRYPT|SHA512)/' + - '!/^ENCRYPT_METHOD (md5|bigcrypt|sha256|blowfish)/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.4.1.4 + CISv8: 3.11 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.4.1/cis_5.4.1.5.yml b/section_5/cis_5.4.1/cis_5.4.1.5.yml new file mode 100644 index 0000000..cbd2bb0 --- /dev/null +++ b/section_5/cis_5.4.1/cis_5.4.1.5.yml 
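Review bot: The negative pattern `'!/^PASS_WARN_AGE\s*[1-6]/'` has no right-hand boundary, so `PASS_WARN_AGE 14` or `60` is rejected along with the genuinely short values, while `0` is not rejected at all; `'!/^PASS_WARN_AGE\s*[0-6]\s*$/'` expresses the intent. The per-user pattern `'/^([7-9]|[1-3][0-9])$/'` caps accepted values at 39, which looks accidental; if any value of 7 or more is acceptable, `'/^([7-9]|[1-9][0-9]+)$/'` matches the login.defs side.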
@@ -0,0 +1,40 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_4_1_5 }}
+command:
+ inactive_passwd:
+ title: 5.4.1.5 | Ensure inactive password lock is configured | password
+ exec: useradd -D | grep INACTIVE
+ exit-status: 0
+ stdout:
+ - '/^INACTIVE=([1-9]|[1-3][0-9]|4[0-5])$/'
+ - '!/INACTIVE=(-1|4[6-9]|[5-9][0-9]{1,})/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.4.1.5
+ CISv8: 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: NA
+ inactive_users:
+ title: 5.4.1.5 | Ensure inactive password lock is configured | users
+ exec: "cat /etc/shadow | grep -v '!*' | awk -F':' '{ if ($7 > 45 ){ print $1 } }'"
+ stdout:
+ - '!/.*/'
+ exit-status: 0
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.4.1.5
+ CISv8: 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: NA
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.4.1/cis_5.4.1.6.yml b/section_5/cis_5.4.1/cis_5.4.1.6.yml
new file mode 100644
index 0000000..f5369e5
--- /dev/null
+++ b/section_5/cis_5.4.1/cis_5.4.1.6.yml
@@ -0,0 +1,23 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_4_1_6 }}
+command:
+ passwd_chg_past:
+ title: 5.4.1.6 | Ensure all users last password change date is in the past
+ exec: 'for usr in `cut -d: -f1 /etc/shadow`; do [ "$(date --date="$(chage --list $usr | grep "^Last password change" | cut -d: -f2)" +%s)" -gt "$(date "+%s")" ] && echo "Failed" ; done'
+ exit-status: 1
+ stdout:
+ - '!/Failed/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.4.1.6
+ CISv8: 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: NA
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.4.2/cis_5.4.2.1.yml b/section_5/cis_5.4.2/cis_5.4.2.1.yml
new file mode 100644
index 0000000..88613d2
--- /dev/null
+++ b/section_5/cis_5.4.2/cis_5.4.2.1.yml
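Review bot: In `inactive_users`, `grep -v '!*'` removes every line of /etc/shadow — `!*` matches zero or more `!`, i.e. the empty string, so every line matches and `-v` discards all of them — and the awk never sees any input, so the check passes on every host. Use the filter the sibling checks already apply: `exec: "awk -F: '(/^[^:]+:[^!*]/) { if ($7 > 45) print $1 }' /etc/shadow"`. An empty seventh field (no inactivity period set) still passes because `$7 > 45` is false for it, so if unset should also fail, add `|| $7 == \"\"` to the condition.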
@@ -0,0 +1,27 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_4_2_1 }} +command: + root_only_uid_0: + title: 5.4.2.1 | Ensure root is the only UID 0 account + exec: "awk -F: '($3 == 0) { print $1 }' /etc/passwd" + exit-status: 0 + stdout: ['root'] + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.4.2.1 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.4.2/cis_5.4.2.2.yml b/section_5/cis_5.4.2/cis_5.4.2.2.yml new file mode 100644 index 0000000..5d09abd --- /dev/null +++ b/section_5/cis_5.4.2/cis_5.4.2.2.yml @@ -0,0 +1,27 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_4_2_2 }} +command: + root_only_gid_0: + title: 5.4.2.2 | Ensure root is the only GID 0 account + exec: "awk -F: '($1 !~ /^(sync|shutdown|halt|operator)/ && $4=='0') {print $1\":\"$4}' /etc/passwd" + exit-status: 0 + stdout: ['root:0'] + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.4.2.2 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.4.2/cis_5.4.2.3.yml b/section_5/cis_5.4.2/cis_5.4.2.3.yml new file mode 100644 index 0000000..449abbd --- /dev/null +++ b/section_5/cis_5.4.2/cis_5.4.2.3.yml @@ -0,0 +1,27 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_4_2_3 }} +command: + group_root_only_0: + title: 5.4.2.3 | Ensure group root is the only GID 0 group + exec: "awk -F: '$3=='0'{print $1\":\"$3}' /etc/group" + exit-status: 0 + stdout: ['root:0'] + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.4.2.3 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.4.2/cis_5.4.2.4.yml b/section_5/cis_5.4.2/cis_5.4.2.4.yml new file mode 100644 index 0000000..ba4559c 
--- /dev/null
+++ b/section_5/cis_5.4.2/cis_5.4.2.4.yml
@@ -0,0 +1,22 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_4_2_4 }}
+command:
+ root_passwd_set:
+ title: 5.4.2.4 | Ensure root password is set
+ exec: "passwd -S root | awk '$2 ~ /^P/ {print \"OK Password\"}'"
+ exit-status: 0
+ stdout: ['OK Password']
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.4.2.4
+ CISv8: 3.3
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: NA
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.4.2/cis_5.4.2.5.yml b/section_5/cis_5.4.2/cis_5.4.2.5.yml
new file mode 100644
index 0000000..fa73ed5
--- /dev/null
+++ b/section_5/cis_5.4.2/cis_5.4.2.5.yml
@@ -0,0 +1,28 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_4_2_5 }}
+command:
+ root_path_check:
+ title: 5.4.2.5 | Ensure root path Integrity
+ exec: "/bin/bash --login -c 'env | grep ^PATH=' | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'"
+ exit-status: 0
+ stdout:
+ - '!/\\./'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.4.2.5
+ CISv8: NA
+ CISv8_IG1: NA
+ CISv8_IG2: NA
+ CISv8_IG3: NA
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_5/cis_5.4.2/cis_5.4.2.6.yml b/section_5/cis_5.4.2/cis_5.4.2.6.yml
new file mode 100644
index 0000000..4788e85
--- /dev/null
+++ b/section_5/cis_5.4.2/cis_5.4.2.6.yml
@@ -0,0 +1,31 @@
+---
+
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_5_4_2_6 }}
+command:
+ root_umask_bash_profile:
+ title: 5.4.2.6 | Ensure root user umask is configured
+ exec: grep -i umask /root/.bash_profile /root/bashrc
+ exit-status:
+ or:
+ - 0
+ - 1
+ - 2
+ stdout:
+ - '/umask 00(2|7)7/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 5.4.2.6
+ CISv8: 3.3
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - AC-3
+ - MP-2
+ {{ end }}
+{{ end }}
+
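Review bot: The stdout pattern `'!/\\./'` is a single-quoted scalar, so the regex goss receives is `\\.` — a literal backslash followed by any character — which no PATH entry contains; a bare `.` entry, the thing this control exists to catch, therefore passes. `'!/^\.$/'` matches only a line that is exactly `.`; since the sed pipeline collapses only the first `::` and strips a trailing colon, adding `'!/^$/'` also catches an empty entry elsewhere in the list.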
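Review bot: `grep -i umask /root/.bash_profile /root/bashrc` reads `/root/bashrc`, which is almost certainly meant to be `/root/.bashrc`; because exit status 2 is tolerated, the missing file is silently ignored and a umask set only in `.bashrc` is never seen. With the path corrected the `- 2` can go so real read errors surface. The pattern `'/umask 00(2|7)7/'` also accepts only the four-digit spelling; `'/(?i)umask\s+0{1,2}[27]7\b/'` admits `umask 027` as well, which is the form the 5.4.3.3 default-umask check looks for.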
diff --git a/section_5/cis_5.4.2/cis_5.4.2.7.yml b/section_5/cis_5.4.2/cis_5.4.2.7.yml new file mode 100644 index 0000000..3ee8644 --- /dev/null +++ b/section_5/cis_5.4.2/cis_5.4.2.7.yml @@ -0,0 +1,25 @@ +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_4_2_7 }} +command: + secure_system_accts: + title: 5.4.2.7 | Ensure system accounts do not have a valid login shell + exec: "awk -F: '$3<1000' /etc/passwd | grep -Ev 'root|sync|halt|shutdown|nfsnobody|/sbin/nologin|/bin/false'" + exit-status: 1 + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.4.2.7 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-2(5) + - AC-3 + - AC-11 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.4.3/cis_5.4.3.1.yml b/section_5/cis_5.4.3/cis_5.4.3.1.yml new file mode 100644 index 0000000..3b7a4f9 --- /dev/null +++ b/section_5/cis_5.4.3/cis_5.4.3.1.yml @@ -0,0 +1,28 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_5_4_3_1 }} +file: + nologin_not_in_shells: + title: 5.4.3.1 | Ensure nologin is not listed in /etc/shells + exists: true + path: /etc/shells + contents: + - '!/.*nologin/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 5.4.3.1 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + {{ end }} +{{ end }} diff --git a/section_5/cis_5.4.3/cis_5.4.3.2.yml b/section_5/cis_5.4.3/cis_5.4.3.2.yml new file mode 100644 index 0000000..8df1f5b --- /dev/null +++ b/section_5/cis_5.4.3/cis_5.4.3.2.yml 
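Review bot: The exclusion list in `secure_system_accts` is unanchored, so `grep -Ev 'root|sync|halt|shutdown|nfsnobody|/sbin/nologin|/bin/false'` exempts any passwd line that merely contains `root` (a user named `chroot`, or a home directory under a path containing the word), not just the root account. Anchoring the names and shells, `grep -Ev '^(root|sync|halt|shutdown|nfsnobody):|/sbin/nologin$|/bin/false$'`, keeps the exemption to the intended accounts.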
@@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_4_3_2 }} +command: + check_timeout: + title: 5.4.3.2 | Ensure default user shell timeout is configured + exec: 'grep TMOUT /etc/profile.d/*.sh /etc/profile /etc/profile.d/*.sh| cut -d ":" -f2' + exit-status: 0 + stdout: + - '/^(readonly |)TMOUT/' + - '/TMOUT=([1-8][0-9]{0,2}|900)$/' + - '/export TMOUT/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.4.3.2 + CISv8: 4.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} +{{ end }} diff --git a/section_5/cis_5.4.3/cis_5.4.3.3.yml b/section_5/cis_5.4.3/cis_5.4.3.3.yml new file mode 100644 index 0000000..ad14a88 --- /dev/null +++ b/section_5/cis_5.4.3/cis_5.4.3.3.yml @@ -0,0 +1,26 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_5_4_3_3 }} +command: + umask_profile_scripts: + title: 5.4.3.3 | Ensure default user umask is configured + exec: 'grep -i "^\s*umask" /etc/profile /etc/profile.d/*.sh /etc/login.defs | cut -d ":" -f 2' + exit-status: 0 + stdout: + - '/(?i)umask\s+0[2-7][7]/' + - '!/(?i)umask\s+[7][0-1][0-6]/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.4.3.3 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1.1.x/cis_6.1.1.1.yml b/section_6/cis_6.1.1.x/cis_6.1.1.1.yml new file mode 100644 index 0000000..f431fbd --- /dev/null +++ b/section_6/cis_6.1.1.x/cis_6.1.1.1.yml @@ -0,0 +1,24 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_6_2_1_1 }} +service: + systemd-journald: + title: 6.2.1.1 | Ensure journald service is enabled and active + running: true + enabled: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.2.1.1 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-7 + - AU-12 + {{ end }} +{{ end }} 
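Review bot: The positive pattern `'/(?i)umask\s+0[2-7][7]/'` in `umask_profile_scripts` accepts only a three-digit `0X7` value, so a four-digit `umask 0027` — the form the root-umask check in 5.4.2.6 requires — fails here; `'/(?i)umask\s+0{1,2}[2-7]7\b/'` accepts both spellings. The negative pattern `'!/(?i)umask\s+[7][0-1][0-6]/'` (values 700–716) looks like a mistyped `0[0-1][0-6]`; as written it never matters because the positive pattern already rejects those values, but it should be corrected or removed so the intent is readable.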
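Review bot: cis_6.1.1.1.yml under section_6/cis_6.1.1.x is gated on `ubtu24cis_rule_6_2_1_1` and labelled `6.2.1.1` in its title and `CIS_ID`, while every sibling in the directory uses 6.1.1.x; if the vars file defines `ubtu24cis_rule_6_1_1_1` like the others, this journald check is never enabled, and when it is enabled its result lands under a different control. The gate, title and CIS_ID should all say 6.1.1.1.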
diff --git a/section_6/cis_6.1.1.x/cis_6.1.1.2.yml b/section_6/cis_6.1.1.x/cis_6.1.1.2.yml new file mode 100644 index 0000000..ba4ebe3 --- /dev/null +++ b/section_6/cis_6.1.1.x/cis_6.1.1.2.yml @@ -0,0 +1,30 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_6_1_1_2 }} +command: + /etc/tmpfiles.d/systemd.conf: + title: 6.2.1.1.2 | Ensure journald log file access is configured | Manual Check Required + exec: echo "Manual - Please check journald default permissions" + exit-status: 0 + stdout: + - '!/^Manual/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.1.2 + CISv8: + - 3.3 + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - AU-2 + - AU-12 + - MP-2 + - SI-5 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1.1.x/cis_6.1.1.3.yml b/section_6/cis_6.1.1.x/cis_6.1.1.3.yml new file mode 100644 index 0000000..7644cab --- /dev/null +++ b/section_6/cis_6.1.1.x/cis_6.1.1.3.yml @@ -0,0 +1,31 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_6_1_1_3 }} +command: + log_rotate_journald_conf: + title: 6.1.1.3 | Ensure journald log file rotation is configured + exec: grep -Ei "max|keep" /etc/systemd/journald.conf /etc/systemd/journald.conf.d/*.conf + exit-status: 0 + stdout: + - '/.*\:SystemMaxUse=/' + - '/.*\:SystemKeepFree=/' + - '/.*\:RuntimeMaxUse=/' + - '/.*\:RuntimeKeepFree=/' + - '/.*\:MaxFileSec=/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.1.3 + CISv8: + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-7 + - AU-12 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1.2.x/cis_6.1.2.1.1.yml b/section_6/cis_6.1.2.x/cis_6.1.2.1.1.yml new file mode 100644 index 0000000..bd0cfa3 --- /dev/null +++ b/section_6/cis_6.1.2.x/cis_6.1.2.1.1.yml 
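Review bot: The title in cis_6.1.1.2.yml reads `6.2.1.1.2` while `CIS_ID` says `6.1.1.2`, and the check is keyed by a file path (`/etc/tmpfiles.d/systemd.conf`) under `command:`, which reads oddly in the report. Since `exec` echoes a line beginning with "Manual" and `stdout` forbids `^Manual`, the check fails unconditionally; if that is the intended way to surface a manual item, say so in a comment above the key (`# deliberately failing: journald file permissions must be reviewed by hand`) and rename the key to something like `journald_log_permissions_manual`.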
@@ -0,0 +1,23 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_6_1_2_1_1 }}
+ {{ if not .Vars.ubtu24cis_is_syslog_server }}
+package:
+ systemd-journal-remote:
+ title: 6.1.2.1.1 | Ensure systemd-journal-remote is installed
+ installed: true
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 6.1.2.1.1
+ CISv8: 8.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - AU-4
+ {{ end }}
+ {{ end }}
+{{ end }}
diff --git a/section_6/cis_6.1.2.x/cis_6.1.2.1.2.yml b/section_6/cis_6.1.2.x/cis_6.1.2.1.2.yml
new file mode 100644
index 0000000..2a4e8ea
--- /dev/null
+++ b/section_6/cis_6.1.2.x/cis_6.1.2.1.2.yml
@@ -0,0 +1,30 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_6_1_2_1_2 }}
+ {{ if not .Vars.ubtu24cis_is_syslog_server }}
+file:
+ journal_remote_configured:
+ title: 6.1.2.1.2 | Ensure systemd-journal-upload authentication is configured
+ path: /etc/systemd/journal-upload.conf
+ exists: true
+ contents:
+ - '/^URL=/'
+ - '/ServerKeyFile=.*.pem'
+ - '/ServerCertificateFile=.*.pem'
+ - '/TrustedCertificateFile=.*.pem'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 6.1.2.1.2
+ CISv8: 8.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - AU-2
+ - AU-12
+ {{ end }}
+ {{ end }}
+{{ end }}
diff --git a/section_6/cis_6.1.2.x/cis_6.1.2.1.3.yml b/section_6/cis_6.1.2.x/cis_6.1.2.1.3.yml
new file mode 100644
index 0000000..73b34ec
--- /dev/null
+++ b/section_6/cis_6.1.2.x/cis_6.1.2.1.3.yml
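Review bot: The three `contents` entries `'/ServerKeyFile=.*.pem'`, `'/ServerCertificateFile=.*.pem'` and `'/TrustedCertificateFile=.*.pem'` in `journal_remote_configured` lack the closing `/`, so goss treats them as literal substrings rather than regexes, and since no line of journal-upload.conf contains a leading slash followed by that text the check fails on every host. Closing the delimiter and escaping the dot, `'/^ServerKeyFile=.*\.pem/'` and likewise for the other two, restores the intended match.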
@@ -0,0 +1,26 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_6_1_2_1_3 }} + {{ if not .Vars.ubtu24cis_is_syslog_server }} +service: + systemd-journal-upload.service: + title: 6.1.2.1.3 | Ensure systemd-journal-upload is enabled and active + name: systemd-journal-upload.service + running: true + enabled: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.2.1.3 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-12 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1.2.x/cis_6.1.2.1.4.yml b/section_6/cis_6.1.2.x/cis_6.1.2.1.4.yml new file mode 100644 index 0000000..d1a1a5c --- /dev/null +++ b/section_6/cis_6.1.2.x/cis_6.1.2.1.4.yml 
@@ -0,0 +1,90 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_6_1_2_1_4 }} + {{ if not .Vars.ubtu24cis_is_syslog_server }} +service: + systemd-journal-remote.service: + title: 6.1.2.1.4 | Ensure systemd-journal-remote service is not in use | service + running: false + # enabled: false # managed by socket so seen as indirect although not enabled - goss issue + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.2.1.4 + CISv8: + - 4.8 + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-7 + - AU-12 + systemd-journal-remote.socket: + title: 6.1.2.1.4 | Ensure systemd-journal-remote service is not in use | socket + running: false + enabled: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.2.1.4 + CISv8: + - 4.8 + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-7 + - AU-12 +command: + journald_service_masked: + title: 6.1.2.1.4 | Ensure systemd-journal-remote service is not in use | service masked + exec: systemctl is-enabled systemd-journal-remote.socket + exit-status: 1 + stdout: + - '/^masked/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.2.1.4 + CISv8: + - 4.8 + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-7 + - AU-12 + journald_socket_masked: + title: 6.1.2.1.4 | Ensure systemd-journal-remote service is not in use | socket masked + exec: systemctl is-enabled systemd-journal-remote.socket + exit-status: 1 + stdout: + - '/^masked/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.2.1.4 + CISv8: + - 4.8 + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-7 + - AU-12 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1.2.x/cis_6.1.2.2.yml b/section_6/cis_6.1.2.x/cis_6.1.2.2.yml new file mode 100644 index 0000000..7be25c9 --- /dev/null +++ b/section_6/cis_6.1.2.x/cis_6.1.2.2.yml 
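Review bot: `journald_service_masked` runs `systemctl is-enabled systemd-journal-remote.socket`, the same command as `journald_socket_masked`, so the service unit's masked state is never checked and the two tests are duplicates. The title says "service masked", so the exec should read `exec: systemctl is-enabled systemd-journal-remote.service`. The `exit-status: 1` / `'/^masked/'` pair already matches what `is-enabled` reports for a masked unit, so only the unit name needs to change.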
@@ -0,0 +1,33 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_6_1_2_2 }} +command: + forward_journald_disabled: + title: 6.1.2.2 | Ensure journald ForwardToSyslog is disabled + exec: grep -i forwardtosyslog /etc/systemd/journald.conf /etc/systemd/journald.conf.d/*.conf + exit-status: + or: + - 0 + - 1 + stdout: + - '/.*\:ForwardToSyslog\s*=\s*no/' + - '!/.*\:ForwardToSyslog\s*=\s*yes/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.2.2 + CISv8: + - 8.2 + - 8.9 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-6 + - AU-7 + - AU-12 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1.2.x/cis_6.1.2.3.yml b/section_6/cis_6.1.2.x/cis_6.1.2.3.yml new file mode 100644 index 0000000..07cdcd6 --- /dev/null +++ b/section_6/cis_6.1.2.x/cis_6.1.2.3.yml @@ -0,0 +1,30 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_6_1_2_3 }} +command: + compress_journald_conf: + title: 6.1.2.3 | Ensure journald is configured to compress large log files + exec: grep -i Compress= /etc/systemd/journald.conf /etc/systemd/journald.conf.d/*.conf + exit-status: + or: + - 0 + - 1 + stdout: + - '/.*\:Compress\s*=\s*yes/' + - '!/.*\:Compress\s*=\s*[Nn][Oo]/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.2.3 + CISv8: + - 8.2 + - 8.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-4 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1.2.x/cis_6.1.2.4.yml b/section_6/cis_6.1.2.x/cis_6.1.2.4.yml new file mode 100644 index 0000000..cddce14 --- /dev/null +++ b/section_6/cis_6.1.2.x/cis_6.1.2.4.yml 
@@ -0,0 +1,28 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_6_1_2_4 }} +command: + storage_journald_conf: + title: 6.1.2.4 | Ensure journald Storage is configured + exec: grep -i Storage= /etc/systemd/journald.conf /etc/systemd/journald.conf.d/*.conf + exit-status: + or: + - 0 + - 1 + stdout: + - '/.*\:Storage=persistent/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.2.4 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - AU-12 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1.3.x/cis_6.1.3.1.yml b/section_6/cis_6.1.3.x/cis_6.1.3.1.yml new file mode 100644 index 0000000..d19403f --- /dev/null +++ b/section_6/cis_6.1.3.x/cis_6.1.3.1.yml @@ -0,0 +1,23 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_6_1_3_1 }} +package: + rsyslog: + title: 6.1.3.1 | Ensure rsyslog is installed + installed: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.3.1 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-3 + - AU-12 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1.3.x/cis_6.1.3.2.yml b/section_6/cis_6.1.3.x/cis_6.1.3.2.yml new file mode 100644 index 0000000..8e1cd76 --- /dev/null +++ b/section_6/cis_6.1.3.x/cis_6.1.3.2.yml @@ -0,0 +1,24 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_6_1_3_2 }} +service: + rsyslog: + title: 6.1.3.2 | Ensure rsyslog service is enabled and active + running: true + enabled: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.3.2 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-3 + - AU-12 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1.3.x/cis_6.1.3.3.yml b/section_6/cis_6.1.3.x/cis_6.1.3.3.yml new file mode 100644 index 0000000..e68e594 --- /dev/null +++ b/section_6/cis_6.1.3.x/cis_6.1.3.3.yml 
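Review bot: Both the grep pattern `Storage=` and the stdout regex `'/.*\:Storage=persistent/'` reject whitespace around `=`, which systemd's config parser accepts as far as I know, so `Storage = persistent` is reported as non-compliant; the sibling checks 6.1.2.2 and 6.1.2.3 use `\s*=\s*` on the goss side. Using the key-only grep that 6.1.2.2 uses plus a tolerant regex, `exec: grep -i Storage /etc/systemd/journald.conf /etc/systemd/journald.conf.d/*.conf` and `- '/.*\:Storage\s*=\s*persistent/'`, makes this file consistent with its neighbours.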
@@ -0,0 +1,30 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_6_1_3_3 }} +command: + forward_journald_conf: + title: 6.1.3.3 | Ensure journald is not configured to send logs to rsyslog + exec: grep -i forward /etc/systemd/journald.conf /etc/systemd/journald.conf.d/ + exit-status: 0 + stdout: + - '!/^\.*:ForwardToSyslog/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.3.3 + CISv8: + - 8.2 + - 8.9 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - AU-2 + - AU-4 + - AU-12 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1.3.x/cis_6.1.3.4.yml b/section_6/cis_6.1.3.x/cis_6.1.3.4.yml new file mode 100644 index 0000000..496bbc7 --- /dev/null +++ b/section_6/cis_6.1.3.x/cis_6.1.3.4.yml @@ -0,0 +1,29 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_6_1_3_4 }} +command: + perms_rsyslog_d: + title: 6.1.3.4 | Ensure rsyslog default file permissions configured + exec: 'grep -s ^\$FileCreateMode /etc/rsyslog.conf /etc/rsyslog.d/*.conf | cut -f2 -d:' + exit-status: 0 + stdout: + - '/\$FileCreateMode 06[0-4]0/' + - '!/\$FileCreateMode 06[6-7][0-7]/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.3.4 + CISv8: + - 3.3 + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - AC-6 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1.3.x/cis_6.1.3.5.yml b/section_6/cis_6.1.3.x/cis_6.1.3.5.yml new file mode 100644 index 0000000..b80f754 --- /dev/null +++ b/section_6/cis_6.1.3.x/cis_6.1.3.5.yml 
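Review bot: The negated pattern `'!/^\.*:ForwardToSyslog/'` cannot match grep's output: `^\.*` means literal dots at the start of the line, but every output line starts with the file path (`/etc/systemd/journald.conf:...`), so the negation is vacuously true and a `ForwardToSyslog=yes` line passes the check. Presumably `'!/^.*:ForwardToSyslog\s*=\s*yes/'` was intended (negating an unqualified `ForwardToSyslog` would also reject the compliant `=no`). Separately, the second path `/etc/systemd/journald.conf.d/` is a directory handed to grep without `-r`, which GNU grep reports as an error and can turn the exit status into 2 against the expected `exit-status: 0`; use `/etc/systemd/journald.conf.d/*.conf` as the 6.1.2.x checks do.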
@@ -0,0 +1,37 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_6_1_3_5 }} +file: + /etc/rsyslog.conf: + title: 6.1.3.5 | Ensure logging is configured + exists: true + contents: + - '/^\*.emerg\s+:omusrmsg:\*/' + - '/auth,authpriv.\*\s+/var/log/secure/' + - '/^mail.\*\s+-/var/log/mail/' + - '/^mail.info\s+-/var/log/mail.info/' + - '/^mail.err\s+/var/log/mail.err/' + - '/^cron.\*\s+/var/log/cron/' + - '/^*.=warning;\*.=err\s+-/var/log/warn/' + - '/^*.crit\s+/var/log/warn/' + - '/^*.*;mail.none;news.none\s+/var/log/messages/' + - '/^local0,local1.\*\s+-/var/log/localmessages/' + - '/^local2,local3.\*\s+-/var/log/localmessages/' + - '/^local4,local5.\*\s+-/var/log/localmessages/' + - '/^local6,local7.\*\s+-/var/log/localmessages/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.3.5 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-7 + - AU-12 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1.3.x/cis_6.1.3.6.yml b/section_6/cis_6.1.3.x/cis_6.1.3.6.yml new file mode 100644 index 0000000..417db5b --- /dev/null +++ b/section_6/cis_6.1.3.x/cis_6.1.3.6.yml @@ -0,0 +1,30 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_6_1_3_6 }} + {{ if not .Vars.ubtu24cis_remote_log_server }} +command: + remote_syslog: + title: 6.1.3.6 | Ensure rsyslog is configured to send logs to a remote host + exec: 'grep -E "action.*omfwd.*target" /etc/rsyslog.conf /etc/rsyslog.d/*.conf' + exit-status: + or: + - 0 + - 2 + stdout: + - '*.* action(type="omfwd" target="{{ .Vars.ubtu24cis_remote_log_host }}" port="{{ .Vars.ubtu24cis_remote_log_port }}"' + - protocol="{{ .Vars.ubtu24cis_remote_log_protocol }}" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.3.6 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-6 + {{ end }} + {{ end }} +{{ end }} 
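Review bot: In `'/^*.=warning;\*.=err\s+-/var/log/warn/'`, `'/^*.crit\s+/var/log/warn/'` and `'/^*.*;mail.none;news.none\s+/var/log/messages/'` the first `*` is unescaped while the later ones are `\*`; Go's regexp either treats `^*` as a repeated anchor or rejects it, but either way it does not match a literal `*`, so these three patterns do not test what the other ten do. `^\*` in each is the fix. It is also worth confirming that the remediation really writes these lines into `/etc/rsyslog.conf`: the patterns name `/var/log/secure` and `/var/log/warn`, whereas Ubuntu's stock rules live in `/etc/rsyslog.d/50-default.conf` and use names like `/var/log/auth.log`, so a host that is compliant via the distribution defaults would likely fail this check as written.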
diff --git a/section_6/cis_6.1.3.x/cis_6.1.3.7.yml b/section_6/cis_6.1.3.x/cis_6.1.3.7.yml new file mode 100644 index 0000000..57c5f52 --- /dev/null +++ b/section_6/cis_6.1.3.x/cis_6.1.3.7.yml @@ -0,0 +1,62 @@ + +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_6_1_3_7 }} + {{ if not .Vars.ubtu24cis_remote_log_server }} +command: + local_syslog_module: + title: 6.1.3.7 | Ensure rsyslog is not configured to recieve logs from a remote client | module + exec: grep "imtcp" /etc/rsyslog.conf /etc/rsyslog.d/*.conf | grep -Ev ":#|port=" + exit-status: + or: + - 0 + - 1 + - 2 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.3.7 + CISv8: + - 4.8 + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-7 + - AU-12 + - CM-6 + local_syslog_input: + title: 6.1.3.7 | Ensure rsyslog is not configured to recieve logs from a remote client | server/port + exec: grep -E "imtcp\" port|InputTCPServerRun" /etc/rsyslog.conf /etc/rsyslog.d/*.conf | grep -v ":#" + exit-status: + or: + - 0 + - 1 + - 2 + stdout: + - '!/.*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.3.7 + CISv8: + - 4.8 + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-7 + - AU-12 + - CM-6 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1.3.x/cis_6.1.3.8.yml b/section_6/cis_6.1.3.x/cis_6.1.3.8.yml new file mode 100644 index 0000000..8d89db0 --- /dev/null +++ b/section_6/cis_6.1.3.x/cis_6.1.3.8.yml 
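Review bot: Both titles spell "receive" as "recieve" (`6.1.3.7 | Ensure rsyslog is not configured to recieve logs from a remote client | module`); the title is what appears in the audit report, so it is worth fixing before v1.0.0 ships. This file also opens with an empty line before `---` (as does 6.1.3.8), unlike every other file in the commit; cosmetic, but yamllint's `document-start` rule will flag it.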
@@ -0,0 +1,31 @@ + +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_6_1_3_8 }} +command: + rsyslog_logrotate: + title: 6.1.3.8 | Ensure rsyslog logrotate is configured + exec: grep -A9 "rsyslog/*.log" /etc/logrotate.conf /etc/logrotate.d/* + exit-status: + or: + - 0 + - 1 + - 2 + stdout: + - '/.*: rotate/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.3.8 + CISv8: + - 4.8 + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-8 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1.4.x/cis_6.1.4.1.yml b/section_6/cis_6.1.4.x/cis_6.1.4.1.yml new file mode 100644 index 0000000..fb1ed63 --- /dev/null +++ b/section_6/cis_6.1.4.x/cis_6.1.4.1.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_6_1_4_1 }} +command: + logfile_configured: + title: 6.1.4.1 | Ensure access to all logfiles has been configured + exec: | + find /var/log/ -type f \( -name 'lastlog' -o -name 'wtmp' -o -name 'btmp' \) -perm /g+x,o+wx -exec ls -l "{}" + ; find /var/log/ -type f \( -name 'secure' -o -name 'auth*' -o -name 'syslog' -o -name 'messages' \) -perm /u+x,g+wx,o+rwx -exec ls -l "{}" +; find /var/log/ -type f \( -name 'SSSD' -o -name 'sssd' -o -name 'gdm*' \) -perm /ug+x,o+rwx -exec ls -l "{}" + + exit-status: 0 + stdout: ['!/./'] + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.4.1 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.1/cis_6.2.1.1.yml b/section_6/cis_6.2.1/cis_6.2.1.1.yml new file mode 100644 index 0000000..164785c --- /dev/null +++ b/section_6/cis_6.2.1/cis_6.2.1.1.yml 
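Review bot: The stdout match `'/.*: rotate/'` is unlikely to ever succeed: with `-A9`, grep prefixes context lines with `filename-` (a dash), not `filename:`, so the `rotate` line that follows the match is printed as `/etc/logrotate.d/<file>-<whitespace>rotate N` and only a line that itself matched the search would carry the `:` separator. `'/[:-]\s*rotate/'` accepts both forms. Also, `"rsyslog/*.log"` is a BRE in which `/*` means zero or more slashes, so it is not the literal glob it looks like; `-F`, or escaping the star as `"rsyslog/\*.log"`, makes the intent explicit.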
@@ -0,0 +1,45 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_1_1 }} +package: + audit_packages: + title: 6.2.1.1 | Ensure auditd packages are installed | auditd pkg + installed: true + name: auditd + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.1.1 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-3 + - AU-12 + - SI-5 + audispd-plugins: + title: 6.2.1.1 | Ensure auditd is installed | audispd-plugins pkg + name: audispd-plugins + installed: true + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.1.1 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-3 + - AU-12 + - SI-5 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.1/cis_6.2.1.2.yml b/section_6/cis_6.2.1/cis_6.2.1.2.yml new file mode 100644 index 0000000..de73cce --- /dev/null +++ b/section_6/cis_6.2.1/cis_6.2.1.2.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_1_2 }} +service: + auditd: + title: 6.2.1.2 | Ensure auditd service is enabled and active + enabled: true + running: true + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.1.2 + CISv8: + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-12 + - SI-5 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.1/cis_6.2.1.3.yml b/section_6/cis_6.2.1/cis_6.2.1.3.yml new file mode 100644 index 0000000..4004095 --- /dev/null +++ b/section_6/cis_6.2.1/cis_6.2.1.3.yml 
@@ -0,0 +1,49 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_1_3 }} +command: + auditd_grub: + title: 6.2.1.3 | Ensure auditing for processes that start prior to auditd is enabled | bootloader file + exec: grep "^\s*linux" /boot/grub/grub.cfg | grep -Evc "audit=1" + exit-status: 1 + stdout: + - '0' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.1.3 + CISv8: + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-3 + - AU-12 +file: + grub_audit_start: + title: 6.2.1.3 | Ensure auditing for processes that start prior to auditd is enabled | default grub + path: /etc/default/grub + exists: true + contents: + - '/^GRUB_CMDLINE_LINUX=.*audit=1/' + - '!/audit=0/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.1.3 + CISv8: + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-3 + - AU-12 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.1/cis_6.2.1.4.yml b/section_6/cis_6.2.1/cis_6.2.1.4.yml new file mode 100644 index 0000000..6aa9a6e --- /dev/null +++ b/section_6/cis_6.2.1/cis_6.2.1.4.yml 
@@ -0,0 +1,49 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_1_4 }} +command: + auditd_grub_backlog: + title: 6.2.1.4 | Ensure audit_backlog_limit is sufficient | bootloader file + exec: grep "^\s*linux" /boot/grub/grub.cfg | grep -Evc "audit_backlog_limit=" + exit-status: 1 + stdout: + - '0' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.1.4 + CISv8: + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-3 + - AU-12 +file: + grub_audit_backlog: + title: 6.2.1.4 | Ensure audit_backlog_limit is sufficient | default grub + path: /etc/default/grub + exists: true + contents: + - '/GRUB_CMDLINE_LINUX=".*audit_backlog_limit={{ .Vars.ubtu24cis_auditd.auditd_backlog_limit }}/' + - '/audit_backlog_limit=(819[2-9]|8[2-9]{2,}|9[0-9]{3,}|[1-9]{5,})/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.1.4 + CISv8: + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-3 + - AU-12 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.2/cis_6.2.2.1.yml b/section_6/cis_6.2.2/cis_6.2.2.1.yml new file mode 100644 index 0000000..2ce72c9 --- /dev/null +++ b/section_6/cis_6.2.2/cis_6.2.2.1.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_2_1 }} +command: + auditd_max_log_file: + title: 6.2.2.1 | Ensure audit log storage size is configured + exec: grep -E "^max_log_file" /etc/audit/auditd.conf + exit-status: 0 + stdout: + - '/max_log_file = [1-9][0-9]{1,2}/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.2.1 + CISv8: + - 8.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-8 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.2/cis_6.2.2.2.yml b/section_6/cis_6.2.2/cis_6.2.2.2.yml new file mode 100644 index 0000000..98b1a69 --- /dev/null +++ b/section_6/cis_6.2.2/cis_6.2.2.2.yml 
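Review bot: The range regex `'/audit_backlog_limit=(819[2-9]|8[2-9]{2,}|9[0-9]{3,}|[1-9]{5,})/'` does not express "8192 or greater": `8[2-9]{2,}` also matches three-digit values such as `822`, and `[1-9]{5,}` rejects any five-or-more-digit value containing a zero, so `audit_backlog_limit=10000` or `=20480` fails the check. `'/audit_backlog_limit=(819[2-9]|8[2-9][0-9]{2}|9[0-9]{3}|[1-9][0-9]{4,})/'` covers 8192–8199, 8200–8999, 9000–9999 and 10000 upward. Since the preceding pattern already pins the value to `ubtu24cis_auditd.auditd_backlog_limit`, this second pattern is only a sanity floor and should be either correct or dropped.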
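Review bot: `'/max_log_file = [1-9][0-9]{1,2}/'` requires a two- or three-digit value, so a single-digit setting such as `max_log_file = 8` fails the check, and nothing ties the accepted size to a site value the way `max_log_file_action` is pinned to `ubtu24cis_auditd.max_log_file_action` in 6.2.2.2. If the intent is "any positive size is configured", `'/^max_log_file\s*=\s*[1-9][0-9]*$/'` does it; if the intent is a site-specific size, template it as 6.2.2.2 does.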
@@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_2_2 }} +command: + auditd_max_log_action: + title: 6.2.2.2 | Ensure audit logs are not automatically deleted + exec: grep -E "^max_log_file_action" /etc/audit/auditd.conf + exit-status: 0 + stdout: + - 'max_log_file_action = {{ .Vars.ubtu24cis_auditd.max_log_file_action }}' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.2.2 + CISv8: + - 8.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-8 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.2/cis_6.2.2.3.yml b/section_6/cis_6.2.2/cis_6.2.2.3.yml new file mode 100644 index 0000000..2d770b4 --- /dev/null +++ b/section_6/cis_6.2.2/cis_6.2.2.3.yml @@ -0,0 +1,29 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_2_3 }} +file: + auditd_space_actions: + title: 6.2.2.3 | Ensure system is disabled when audit logs are full + path: /etc/audit/auditd.conf + exists: true + contents: + - '/disk_full_action\s*=\s*(halt|single)/' + - '/disk_error_action\s*=\s*(syslog|single|halt)/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.2.3 + CISv8: + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-8 + - AU-12 + - SI-5 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.2/cis_6.2.2.4.yml b/section_6/cis_6.2.2/cis_6.2.2.4.yml new file mode 100644 index 0000000..11d4fec --- /dev/null +++ b/section_6/cis_6.2.2/cis_6.2.2.4.yml 
@@ -0,0 +1,31 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_2_4 }} +command: + auditd_space_actions: + title: 6.2.2.4 | Ensure system warns when audit logs are low on space + exec: grep -E "action" /etc/audit/auditd.conf + exit-status: 0 + stdout: + - '/space_left_action\s*=\s*{{ .Vars.ubtu24cis_auditd.space_left_action }}/' + - '/space_left_action\s*=\s*(email|exec|single|halt)/' + - '/^admin_space_left_action\s*=\s*{{ .Vars.ubtu24cis_auditd.admin_space_left_action }}/' + - '/^admin_space_left_action\s*=\s*(single|halt)/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.2.4 + CISv8: + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-8 + - AU-12 + - SI-5 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.1.yml b/section_6/cis_6.2.3/cis_6.2.3.1.yml new file mode 100644 index 0000000..8bd729a --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.1.yml @@ -0,0 +1,45 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_1 }} +command: + auditd_admin_scope_cnf: + title: 6.2.3.1 | Ensure changes to system administration scope (sudoers) is collected | Config + exec: grep scope /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '-w /etc/sudoers -p wa -k scope' + - '-w /etc/sudoers.d -p wa -k scope' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.1 + CISv8: + - 8.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + auditd_admin_scope_live: + title: 6.2.3.1 | Ensure changes to system administration scope (sudoers) is collected | Live + exec: auditctl -l | grep scope + exit-status: 0 + stdout: + - '-w /etc/sudoers -p wa -k scope' + - '-w /etc/sudoers.d -p wa -k scope' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.1 + CISv8: + - 8.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} 
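Review bot: The first two stdout patterns are unanchored (`'/space_left_action\s*=\s*.../'`) while the `admin_space_left_action` ones carry `^`; because `space_left_action` is a suffix of `admin_space_left_action`, both unanchored patterns can be satisfied by the admin line alone, so a host with `space_left_action = SUSPEND` can still pass. Anchoring them, `- '/^space_left_action\s*=\s*{{ .Vars.ubtu24cis_auditd.space_left_action }}/'` and `- '/^space_left_action\s*=\s*(email|exec|single|halt)/'`, makes each line test its own key.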
diff --git a/section_6/cis_6.2.3/cis_6.2.3.10.yml b/section_6/cis_6.2.3/cis_6.2.3.10.yml new file mode 100644 index 0000000..bd53687 --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.10.yml @@ -0,0 +1,45 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_10 }} +command: + auditd_mounts_cnf: + title: 6.2.3.10 | Ensure successful file system mounts are collected | Config + exec: grep mounts /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '/-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=(unset|4294967295|-1) -k mounts/' + - '/-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=(unset|4294967295|-1) -k mounts/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.10 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-6 + auditd_mounts_live: + title: 6.2.3.10 | Ensure successful file system mounts are collected | Live + exec: auditctl -l | grep mounts + exit-status: 0 + stdout: + - '/-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=mounts/' + - '/-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=mounts/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.10 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-6 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.11.yml b/section_6/cis_6.2.3/cis_6.2.3.11.yml new file mode 100644 index 0000000..dc0826b --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.11.yml 
@@ -0,0 +1,47 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_11 }} +command: + auditd_sessions_cnf: + title: 6.2.3.11 | Ensure session initiation information is collected | Config + exec: "grep -E '(session|logins)' /etc/audit/rules.d/*.rules" + exit-status: 0 + stdout: + - '-w /var/run/utmp -p wa -k session' + - '-w /var/log/wtmp -p wa -k session' + - '-w /var/log/btmp -p wa -k session' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.11 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + auditd_session_live: + title: 6.2.3.11 | Ensure session initiation information is collected | Live + exec: "auditctl -l | grep -E '(session|logins)'" + exit-status: 0 + stdout: + - '-w /var/run/utmp -p wa -k session' + - '-w /var/log/wtmp -p wa -k session' + - '-w /var/log/btmp -p wa -k session' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.11 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.12.yml b/section_6/cis_6.2.3/cis_6.2.3.12.yml new file mode 100644 index 0000000..0f80450 --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.12.yml 
@@ -0,0 +1,45 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_12 }} +command: + auditd_logins_cnf: + title: 6.2.3.12 | Ensure login and logout events are collected | Config + exec: grep -R --include="*.rules" logins /etc/audit/rules.d/ + exit-status: 0 + stdout: + - '/.*\:-w /var/run/faillock -p wa -k logins/' + - '/.*\:-w /var/log/lastlog -p wa -k logins/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.12 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + auditd_logins_live: + title: 6.2.3.12 | Ensure login and logout events are collected | Live + exec: auditctl -l | grep logins + exit-status: 0 + stdout: + - '-w /var/run/faillock -p wa -k logins' + - '-w /var/log/lastlog -p wa -k logins' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.12 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.13.yml b/section_6/cis_6.2.3/cis_6.2.3.13.yml new file mode 100644 index 0000000..6ff2c2f --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.13.yml 
@@ -0,0 +1,47 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_13 }} +command: + auditd_delete_cnf: + title: 6.2.3.13 | Ensure file deletion events by users are collected | Conf + exec: grep delete /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '/-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=(unset|4294967295|-1) -k delete/' + - '/-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=(unset|4294967295|-1) -k delete/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.13 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-12 + - SC-7 + auditd_delete_live: + title: 6.2.3.13 | Ensure file deletion events by users are collected | Live + exec: auditctl -l | grep delete + exit-status: 0 + stdout: + - '/-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=delete/' + - '/-a always,exit -F arch=b32 -S unlink,rename,unlinkat,renameat -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=delete/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.13 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-12 + - SC-7 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.14.yml b/section_6/cis_6.2.3/cis_6.2.3.14.yml new file mode 100644 index 0000000..3553544 --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.14.yml 
@@ -0,0 +1,49 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if not .Vars.ubtu24cis_apparmor_disable }} +command: + {{ if .Vars.ubtu24cis_rule_6_2_3_14 }} + auditd_MAC_cnf: + title: 6.2.3.14 | Ensure events that modify the system's Mandatory Access Controls are collected | Config + exec: grep MAC-policy /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '-w /etc/apparmor/ -p wa -k MAC-policy' + - '-w /etc/apparmor.d/ -p wa -k MAC-policy' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.14 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - CM-6 + auditd_MAC_live: + title: 6.2.6 | Ensure events that modify the system's Mandatory Access Controls are collected | Live + exec: auditctl -l | grep MAC-policy + exit-status: 0 + stdout: + - '-w /etc/apparmor -p wa -k MAC-policy' + - '-w /etc/apparmor.d -p wa -k MAC-policy' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.14 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - CM-6 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.15.yml b/section_6/cis_6.2.3/cis_6.2.3.15.yml new file mode 100644 index 0000000..c254bc1 --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.15.yml 
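Review bot: The `auditd_MAC_live` title reads `6.2.6 | Ensure events that modify ...` while its `CIS_ID` and the sibling `auditd_MAC_cnf` say 6.2.3.14; it should be `title: 6.2.3.14 | Ensure events that modify the system's Mandatory Access Controls are collected | Live`. This file also nests `{{ if .Vars.ubtu24cis_rule_6_2_3_14 }}` under the `command:` key rather than around it as every other file in the commit does, so with the rule disabled the rendered document contains an empty `command:` mapping; presumably harmless for goss, but moving the conditional above `command:` keeps the files uniform.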
@@ -0,0 +1,47 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_15 }} +command: + chcon_module_cnf: + title: 6.2.3.15 | Ensure successful and unsuccessful attempts to use the chcon command are recorded | Config + exec: grep chcon /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '/-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=(unset|4294967295|-1) -k perm_chng/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.15 + CISv8: + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-12 + - SI-5 + chcon_module_live: + title: 6.2.3.15 | Ensure successful and unsuccessful attempts to use the chcon command are recorded | Live + exec: auditctl -l | grep chcon + exit-status: 0 + stdout: + - '/-a always,exit -S all -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=perm_chng/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.15 + CISv8: + - 8.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-12 + - SI-5 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.16.yml b/section_6/cis_6.2.3/cis_6.2.3.16.yml new file mode 100644 index 0000000..8fe4eb6 --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.16.yml 
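Review bot: The Config and Live halves of the same rule disagree in `meta`: `chcon_module_cnf` has `CISv8:` / `- 8.2` while `chcon_module_live` has `CISv8:` / `- 8.5`, and the same split appears in 6.2.3.16, 6.2.3.17 and 6.2.3.18. One control maps to one CIS v8 safeguard, so both entries should carry the same value; the rest of 6.2.3.x uses 8.5 for auditd rule checks, which suggests the 8.2 entries are the ones to change — confirm against the benchmark mapping.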
@@ -0,0 +1,47 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_16 }} +command: + setfacl_module_cnf: + title: 6.2.3.16 | Ensure successful and unsuccessful attempts to use the setfacl command are recorded | Config + exec: grep setfacl /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '/-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=(unset|4294967295|-1) -k perm_chng/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.16 + CISv8: + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-12 + - SI-5 + setfacl_module_live: + title: 6.2.3.16 | Ensure successful and unsuccessful attempts to use the setfacl command are recorded | Live + exec: auditctl -l | grep setfacl + exit-status: 0 + stdout: + - '/-a always,exit -S all -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=perm_chng/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.16 + CISv8: + - 8.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-12 + - SI-5 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.17.yml b/section_6/cis_6.2.3/cis_6.2.3.17.yml new file mode 100644 index 0000000..dbf6cb3 --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.17.yml 
@@ -0,0 +1,47 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_17 }} +command: + chacl_module_cnf: + title: 6.2.3.17 | Ensure successful and unsuccessful attempts to use the chacl command are recorded | Config + exec: grep chacl /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '/-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=(unset|4294967295|-1) -k perm_chng/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.17 + CISv8: + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-12 + - SI-5 + chacl_module_live: + title: 6.2.3.17 | Ensure successful and unsuccessful attempts to use the chacl command are recorded | Live + exec: auditctl -l | grep chacl + exit-status: 0 + stdout: + - '/-a always,exit -S all -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=perm_chng/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.17 + CISv8: + - 8.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-12 + - SI-5 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.18.yml b/section_6/cis_6.2.3/cis_6.2.3.18.yml new file mode 100644 index 0000000..e19d66d --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.18.yml 
@@ -0,0 +1,47 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_18 }} +command: + usermod_module_cnf: + title: 6.2.3.18 | Ensure successful and unsuccessful attempts to use the usermod command are recorded | Config + exec: grep usermod /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '/-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=(unset|4294967295|-1) -k usermod/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.18 + CISv8: + - 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-12 + - SI-5 + usermod_module_live: + title: 6.2.3.18 | Ensure successful and unsuccessful attempts to use the usermod command are recorded | Live + exec: auditctl -l | grep usermod + exit-status: 0 + stdout: + - '/-a always,exit -S all -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=usermod/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.18 + CISv8: + - 8.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-2 + - AU-12 + - SI-5 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.19.yml b/section_6/cis_6.2.3/cis_6.2.3.19.yml new file mode 100644 index 0000000..e90b6e5 --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.19.yml 
@@ -0,0 +1,45 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_19 }} +command: + auditd_module_cnf: + title: 6.2.3.19 | Ensure kernel module loading and unloading is collected | Config + exec: grep kernel_module /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '/-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=1000 -F auid!=(unset|4294967295|-1) -k kernel_modules/' + - '/-a always,exit -F path=\/usr\/bin\/kmod -F perm=x -F auid>=1000 -F auid!=(unset|4294967295|-1) -k kernel_modules/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.19 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - CM-6 + auditd_admin_module_live: + title: 6.2.3.19 | Ensure kernel module loading and unloading is collected | Live + exec: auditctl -l | grep kernel_module + exit-status: 0 + stdout: + - '/-a always,exit -F arch=b64 -S create_module,init_module,delete_module,query_module,finit_module -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=kernel_modules/' + - '/-a always,exit -S all -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=kernel_modules/' + meta: + server: 2 + workstation: 2 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - CM-6 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.2.yml b/section_6/cis_6.2.3/cis_6.2.3.2.yml new file mode 100644 index 0000000..50149dd --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.2.yml 
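Review bot: The Live check's `meta` block is missing the `CIS_ID` entry that every other check in this series carries, and its key `auditd_admin_module_live` does not pair with `auditd_module_cnf` above it, which reads like a copy-paste from another rule; if the report groups results by CIS_ID this check will be orphaned. Suggest `auditd_module_live:` as the key and adding `CIS_ID:` / `- 6.2.3.19` under its `meta:`, exactly as the Config check does. The two regexes also escape the kmod path differently (`\/usr\/bin\/kmod` in Config, bare `/usr/bin/kmod` in Live); both compile under goss, but one convention is easier to grep for later.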
@@ -0,0 +1,45 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_2 }} +command: + auditd_sudo_actions: + title: 6.2.3.2 | Ensure actions as another user are always logged | Config + exec: grep user_emulation /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '/.*:-a always,exit -F arch=b64 -C euid!=uid -F auid!=(unset|4294967295|-1) -S execve -k user_emulation/' + - '/.*:-a always,exit -F arch=b32 -C euid!=uid -F auid!=(unset|4294967295|-1) -S execve -k user_emulation/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.2 + CISv8: + - 8.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + auditd_sudo_actions_live: + title: 6.2.3.2 | Ensure actions as another user are always logged | Live + exec: auditctl -l | grep user_emulation + exit-status: 0 + stdout: + - '/-a always,exit -F arch=b64 -S execve -C uid!=euid -F auid!=(unset|4294967295|-1) -F key=user_emulation/' + - '/-a always,exit -F arch=b32 -S execve -C uid!=euid -F auid!=(unset|4294967295|-1) -F key=user_emulation/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.2 + CISv8: + - 8.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.20.yml b/section_6/cis_6.2.3/cis_6.2.3.20.yml new file mode 100644 index 0000000..20ef5f6 --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.20.yml @@ -0,0 +1,29 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_20 }} +command: + auditd_immutable: + title: 6.2.3.20 | Ensure the audit configuration is immutable + exec: 'grep "-e 2" /etc/audit/rules.d/*.rules | cut -d ":" -f2' + exit-status: 0 + stdout: + - '-e 2' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.20 + CISv8: + - 3.3 + - 8.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - AU-3 + - AU-12 + - MP-2 + {{ end }} +{{ end }} 
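Review bot: The two Config patterns begin with `.*:`, which requires grep's `filename:` prefix, but `grep user_emulation /etc/audit/rules.d/*.rules` only emits that prefix when the glob expands to more than one file; a host with a single consolidated rules file has the correct rule and still fails this check because the rule line contains no colon. The pattern is unanchored anyway, so the prefix adds nothing — drop it, e.g. `- '/-a always,exit -F arch=b64 -C euid!=uid -F auid!=(unset|4294967295|-1) -S execve -k user_emulation/'` and the same for `arch=b32`, or add `-h` to the grep and keep the patterns. That also brings this file in line with 6.2.3.17/6.2.3.18, whose Config patterns carry no prefix.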
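Review bot: `grep "-e 2" …` passes grep the single argument `-e 2`, which getopt reads as the `-e` option with the pattern ` 2` (space, digit), so the quoting does not protect the leading dash and any rule line containing ` 2` is selected; in particular a commented-out `#-e 2` line survives `cut -d ":" -f2` and still contains the literal `-e 2`, so a host whose immutability flag is commented out passes. Anchor the match and stop grep from parsing it as an option: `exec: grep -E '^\s*-e\s+2\s*$' /etc/audit/rules.d/*.rules | cut -d ":" -f2`. The check also cannot tell whether the line is the final one in the last-loaded rules file, which is what makes `-e 2` effective; that is awkward to express in goss, so a comment such as `# only checks presence of -e 2; it must be the last line of the last rules file to take effect` would set expectations for the reader.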
diff --git a/section_6/cis_6.2.3/cis_6.2.3.21.yml b/section_6/cis_6.2.3/cis_6.2.3.21.yml
new file mode 100644
index 0000000..4e64c02
--- /dev/null
+++ b/section_6/cis_6.2.3/cis_6.2.3.21.yml
@@ -0,0 +1,25 @@
+---
+
+{{ if .Vars.ubtu24cis_level_2 }}
+ {{ if .Vars.ubtu24cis_rule_6_2_3_21 }}
+command:
+ auditd_config_match:
+ title: 6.2.3.21 | Ensure the audit configuration is immutable
+ exec: augenrules --check
+ exit-status: 0
+ stdout:
+ - '/.*: No change/'
+ meta:
+ server: 2
+ workstation: 2
+ CIS_ID:
+ - 6.2.3.21
+ CISv8:
+ - 8.5
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - AU-3
+ {{ end }}
+{{ end }}
diff --git a/section_6/cis_6.2.3/cis_6.2.3.3.yml b/section_6/cis_6.2.3/cis_6.2.3.3.yml
new file mode 100644
index 0000000..23bdb96
--- /dev/null
+++ b/section_6/cis_6.2.3/cis_6.2.3.3.yml
@@ -0,0 +1,41 @@
+---
+
+{{ if .Vars.ubtu24cis_level_2 }}
+ {{ if .Vars.ubtu24cis_rule_6_2_3_3 }}
+command:
+ auditd_sudolog_chg:
+ title: 6.2.3.3 | Ensure events that modify the sudo log file are collected | Config
+ exec: grep sudo_log_file /etc/audit/rules.d/*.rules
+ exit-status: 0
+ stdout:
+ - '-w /var/log/sudo.log -p wa -k sudo_log_file'
+ meta:
+ server: 2
+ workstation: 2
+ CIS_ID:
+ - 6.2.3.3
+ CISv8:
+ - 8.5
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: NA
+ auditd_sudolog_chg_live:
+ title: 6.2.3.3 | Ensure events that modify the sudo log file are collected | Live
+ exec: auditctl -l | grep sudo_log_file
+ exit-status: 0
+ stdout:
+ - '-w /var/log/sudo.log -p wa -k sudo_log_file'
+ meta:
+ server: 2
+ workstation: 2
+ CIS_ID:
+ - 6.2.3.3
+ CISv8:
+ - 8.5
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5: NA
+ {{ end }}
+{{ end }}
diff --git a/section_6/cis_6.2.3/cis_6.2.3.4.yml b/section_6/cis_6.2.3/cis_6.2.3.4.yml
new file mode 100644
index 0000000..62e6eb6
--- /dev/null
+++ b/section_6/cis_6.2.3/cis_6.2.3.4.yml
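Review bot: The title `6.2.3.21 | Ensure the audit configuration is immutable` is the wording of 6.2.3.20 in this same commit, while the check itself runs `augenrules --check` and expects `: No change`, i.e. it verifies that the loaded rules match the on-disk rules; the report will show two rules with the same title and different meaning. Retitle it to what it tests, along the lines of `title: 6.2.3.21 | Ensure the running and on disk configuration is the same` (adjust to the benchmark's exact wording). Note that `augenrules --check` reports the difference on stdout rather than through its exit code, so the `stdout` pattern is the only thing enforcing this — worth a short comment so nobody later "simplifies" it to an exit-status check.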
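Review bot: Both checks hard-code `-w /var/log/sudo.log`, but the watch the benchmark asks for is on whatever path sudoers actually sets via `Defaults logfile=`, so a host that logs sudo elsewhere can carry the correct watch and fail here, or watch a file sudo never writes and pass. If the remediation side of this project pins the sudo log path in a variable, reuse it here, e.g. `- '-w {{ .Vars.ubtu24cis_sudo_log_file }} -p wa -k sudo_log_file'` — I cannot see the vars file, so treat that name as a placeholder to confirm. Separately, `NIST800-53R5: NA` is a scalar where the sibling files use a list; mixed types under the same meta key complicate any reporting that iterates it.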
@@ -0,0 +1,49 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_4 }} +command: + auditd_time_cnf: + title: 6.2.3.4 | Ensure events that modify date and time information are collected | Config + exec: grep time-change /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change' + - '-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change' + - '-w /etc/localtime -p wa -k time-change' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.4 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - CM-6 + auditd_time_live: + title: 6.2.3.4 | Ensure events that modify date and time information are collected | Live + exec: auditctl -l | grep time-change + exit-status: 0 + stdout: + - '-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -F key=time-change' + - '-a always,exit -F arch=b32 -S settimeofday,adjtimex,clock_settime -F key=time-change' + - '-w /etc/localtime -p wa -k time-change' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.4 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - CM-6 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.5.yml b/section_6/cis_6.2.3/cis_6.2.3.5.yml new file mode 100644 index 0000000..63455fd --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.5.yml 
@@ -0,0 +1,59 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_5 }} +command: + auditd_locale_cnf: + title: 6.2.3.5 | Ensure events that modify the system's network environment are collected | Config + exec: grep system-locale /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale' + - '-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale' + - '-w /etc/issue -p wa -k system-locale' + - '-w /etc/issue.net -p wa -k system-locale' + - '-w /etc/hosts -p wa -k system-locale' + - '-w /etc/networks -p wa -k system-locale' + - '-w /etc/network -p wa -k system-locale' + - '-w /etc/netplan -p wa -k system-locale' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.5 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - CM-6 + auditd_locale_live: + title: 6.2.3.5 | Ensure events that modify the system's network environment are collected | Live + exec: auditctl -l | grep system-locale + exit-status: 0 + stdout: + - '-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale' + - '-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale' + - '-w /etc/issue -p wa -k system-locale' + - '-w /etc/issue.net -p wa -k system-locale' + - '-w /etc/hosts -p wa -k system-locale' + - '-w /etc/networks -p wa -k system-locale' + - '-w /etc/network -p wa -k system-locale' + - '-w /etc/netplan -p wa -k system-locale' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.5 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - CM-6 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.6.yml b/section_6/cis_6.2.3/cis_6.2.3.6.yml new file mode 100644 index 0000000..eb5cf79 --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.6.yml 
@@ -0,0 +1,25 @@
+---
+
+{{ if .Vars.ubtu24cis_level_2 }}
+ {{ if .Vars.ubtu24cis_rule_6_2_3_6 }}
+command:
+ auditd_priv_cmds_cnf:
+ title: 6.2.3.6 | Ensure use of privileged commands is collected | Config
+ exec: grep delete /etc/audit/rules.d/*.rules
+ exit-status: 0
+ stdout:
+ meta:
+ server: 2
+ workstation: 2
+ CIS_ID:
+ - 6.2.3.6
+ CISv8:
+ - 8.5
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - AU-3
+ - AU-3(1)
+ {{ end }}
+{{ end }}
diff --git a/section_6/cis_6.2.3/cis_6.2.3.7.yml b/section_6/cis_6.2.3/cis_6.2.3.7.yml
new file mode 100644
index 0000000..cd520fa
--- /dev/null
+++ b/section_6/cis_6.2.3/cis_6.2.3.7.yml
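Review bot: This check asserts nothing about privileged commands: `stdout:` is empty so only `exit-status: 0` is evaluated, and `grep delete` is satisfied by the `delete_module` syscall rule that 6.2.3.19 installs under `kernel_modules`, so a host with no privileged-command rules at all passes. At minimum grep for the key the benchmark remediation uses and require the rule shape, e.g. `exec: grep privileged /etc/audit/rules.d/*.rules` with `stdout: ['/-a always,exit -F path=\S+ -F perm=x -F auid>=1000 -F auid!=(unset|4294967295|-1) -k privileged/']`. A faithful audit would enumerate setuid/setgid binaries on local filesystems and expect one rule per path; if that is out of scope for goss, a comment saying this check is presence-only would be honest. There is also no `| Live` counterpart here, unlike every neighbouring 6.2.3.x rule.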
@@ -0,0 +1,49 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_7 }} +command: + auditd_access_cnf: + title: 6.2.3.7 | Ensure unsuccessful unauthorized file access attempts are collected | Conf + exec: sh -c "grep auid /etc/audit/rules.d/*.rules" + exit-status: 0 + stdout: + - '/-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=(unset|4294967295|-1) -k access/' + - '/-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=(unset|4294967295|-1) -k access/' + - '/-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=(unset|4294967295|-1) -k access/' + - '/-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=(unset|4294967295|-1) -k access/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.7 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + auditd_access_live: + title: 6.2.3.7 |Ensure unsuccessful unauthorized file access attempts are collected | Live + exec: auditctl -l | grep access + exit-status: 0 + stdout: + - '/-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat -F exit=-EACCES -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=access/' + - '/-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat -F exit=-EACCES -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=access/' + - '/-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat -F exit=-EPERM -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=access/' + - '/-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat -F exit=-EPERM -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=access/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.7 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} 
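Review bot: `sh -c "grep auid /etc/audit/rules.d/*.rules"` selects every rule that carries an auid filter (chacl, usermod, perm_mod, kernel_modules, …), not just the `access` rules, so the Config check is matching against far more output than its title suggests; `grep access`, as the Live check already does, keeps the two halves symmetric. The Live patterns pin the syscall order that `auditctl -l` prints, which follows syscall number — the b64 (`open,truncate,ftruncate,creat,openat`) and b32 orders given here are the x86 ones, and `open`/`creat` do not exist on aarch64 at all, so if these files are meant to run on arm64 images the expected lines will need an arch-specific variant (I can't tell the target set from this diff). The titles `| Conf` and `|Ensure` look like typos for `| Config` and `| Ensure`.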
diff --git a/section_6/cis_6.2.3/cis_6.2.3.8.yml b/section_6/cis_6.2.3/cis_6.2.3.8.yml new file mode 100644 index 0000000..138e88d --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.8.yml @@ -0,0 +1,57 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_8 }} +command: + auditd_identity_cnf: + title: 6.2.3.8 | Ensure events that modify user/group information are collected | Config + exec: grep identity /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '-w /etc/group -p wa -k identity' + - '-w /etc/passwd -p wa -k identity' + - '-w /etc/gshadow -p wa -k identity' + - '-w /etc/shadow -p wa -k identity' + - '-w /etc/nsswitch.conf -p wa -k identity' + - '-w /etc/pam.conf -p wa -k identity' + - '-w /etc/pam.d -p wa -k identity' + - '-w /etc/security/opasswd -p wa -k identity' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.8 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + auditd_identity_live: + title: 6.2.3.8 | Ensure events that modify user/group information are collected | Live + exec: auditctl -l | grep identity + exit-status: 0 + stdout: + - '-w /etc/group -p wa -k identity' + - '-w /etc/passwd -p wa -k identity' + - '-w /etc/gshadow -p wa -k identity' + - '-w /etc/nsswitch.conf -p wa -k identity' + - '-w /etc/pam.conf -p wa -k identity' + - '-w /etc/pam.d -p wa -k identity' + - '-w /etc/shadow -p wa -k identity' + - '-w /etc/security/opasswd -p wa -k identity' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.8 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.3/cis_6.2.3.9.yml b/section_6/cis_6.2.3/cis_6.2.3.9.yml new file mode 100644 index 0000000..7c103bd --- /dev/null +++ b/section_6/cis_6.2.3/cis_6.2.3.9.yml 
@@ -0,0 +1,55 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_3_9 }} +command: + auditd_perms_cnf: + title: 6.2.3.9 | Ensure discretionary access control permission modification events are collected | Config + exec: grep perm_mod /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '/-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=(unset|4294967295|-1) -k perm_mod/' + - '/-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=(unset|4294967295|-1) -k perm_mod/' + - '/-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=(unset|4294967295|-1) -k perm_mod/' + - '/-a always,exit -F arch=b32 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=(unset|4294967295|-1) -k perm_mod/' + - '/-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=(unset|4294967295|-1) -k perm_mod/' + - '/-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=(unset|4294967295|-1) -k perm_mod/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.9 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - CM-6 + auditd_perms_live: + title: 6.2.3.9 | Ensure discretionary access control permission modification events are collected | Live + exec: auditctl -l | grep perm_mod + exit-status: 0 + stdout: + - '/-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=perm_mod/' + - '/-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=perm_mod/' + - '/-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=perm_mod/' + - '/-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=perm_mod/' + - '/-a always,exit -F 
arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=perm_mod/' + - '/-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=(unset|4294967295|-1) -F key=perm_mod/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.3.9 + CISv8: + - 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + - CM-6 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.4/cis_6.2.4.1.yml b/section_6/cis_6.2.4/cis_6.2.4.1.yml new file mode 100644 index 0000000..7a15730 --- /dev/null +++ b/section_6/cis_6.2.4/cis_6.2.4.1.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_4_1 }} +command: + audit_logfile_perms: + title: 6.2.4.1 | Ensure audit log files mode is configured + exec: for file in `grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'`; do stat -Lc "%n_%a" $file; done + exit-status: 0 + stdout: + - '/.*_6(0|4)0$/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.4.1 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.4/cis_6.2.4.10.yml b/section_6/cis_6.2.4/cis_6.2.4.10.yml new file mode 100644 index 0000000..f5e5fbf --- /dev/null +++ b/section_6/cis_6.2.4/cis_6.2.4.10.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_4_10 }} +command: + audit_tools_group: + title: 6.2.4.10 | Ensure audit tools group owner is configured + exec: stat -c "%n_%G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules + exit-status: 0 + stdout: + - '/.*_root$/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.4.10 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} 
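Review bot: The loop stats only the file named by `log_file`, so rotated logs that auditd leaves beside it (`audit.log.1` and so on, per `num_logs`) are never examined and a loosened rotated log passes 6.2.4.1. Goss also satisfies a positive `stdout` pattern when any one line matches, so once several files are listed the `'/.*_6(0|4)0$/'` pattern would pass as long as a single file is 600/640; the robust form lists offenders and requires silence: `exec: find "$(dirname "$(awk -F= '/^\s*log_file/ {print $2}' /etc/audit/auditd.conf | xargs)")" -type f -perm /0137` with `stdout: ['!/./']`.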
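Review bot: `stat -c "%n_%G"` prints six lines and `'/.*_root$/'` is satisfied as soon as one of them ends in `_root`, so five audit tools could be group-owned by something else and 6.2.4.10 still passes. Either list only offenders and require empty output — `exec: find /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules ! -group root` with `stdout: ['!/./']` — or, more idiomatically for goss, use one `file:` resource per tool with `group: root`, the way the section_7 files in this commit check `/etc/passwd` and friends.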
diff --git a/section_6/cis_6.2.4/cis_6.2.4.2.yml b/section_6/cis_6.2.4/cis_6.2.4.2.yml new file mode 100644 index 0000000..220f41f --- /dev/null +++ b/section_6/cis_6.2.4/cis_6.2.4.2.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_4_2 }} +command: + audit_logfile_owner: + title: 6.2.4.2 | Ensure audit log files owner is configured + exec: for file in `grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'`; do stat -Lc "%n_%U" $file; done + exit-status: 0 + stdout: + - '/.*_root$/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.4.2 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.4/cis_6.2.4.3.yml b/section_6/cis_6.2.4/cis_6.2.4.3.yml new file mode 100644 index 0000000..cffaf7e --- /dev/null +++ b/section_6/cis_6.2.4/cis_6.2.4.3.yml @@ -0,0 +1,43 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_4_3 }} +command: + audit_logfile_group_setting: + title: 6.2.4.3 | Ensure audit log files group owner is configured + exec: grep log_group /etc/audit/audit* | awk '{ print $NF }' + exit-status: 0 + stdout: + - '/^(adm|root)$/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.4.3 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + audit_logfile_group: + title: 6.2.4.3 | Ensure only authorized groups are assigned ownership of audit log files + exec: for file in `grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'`; do stat -Lc " %n_%G" $file; done + exit-status: 0 + stdout: + - '/.*_(adm|root)$/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.4.3 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.4/cis_6.2.4.4.yml b/section_6/cis_6.2.4/cis_6.2.4.4.yml new file mode 100644 index 0000000..97ddece --- /dev/null 
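Review bot: `grep log_group /etc/audit/audit*` is unanchored and spans every file matching the glob (including `audit.rules`), so a commented-out `#log_group = adm` line in `auditd.conf` produces `adm` after `awk '{ print $NF }'` and satisfies `'/^(adm|root)$/'` even though auditd is using its compiled-in default. Anchor it to an active setting in the file that actually carries it: `exec: grep -E '^[[:space:]]*log_group' /etc/audit/auditd.conf | awk '{ print $NF }'`. The second check (`audit_logfile_group`) only looks at the current `log_file`, not rotated logs in the same directory, which is the same gap as 6.2.4.1.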
+++ b/section_6/cis_6.2.4/cis_6.2.4.4.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_4_4 }} +command: + audit_logfile_dir_perms: + title: 6.2.4.4 | Ensure the audit log file directory mode is configured + exec: for dir in `dirname \`grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'\``; do stat -Lc " %n_%a" $dir; done + exit-status: 0 + stdout: + - '/.*_7(0|5)0$/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.4.4 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.4/cis_6.2.4.5.yml b/section_6/cis_6.2.4/cis_6.2.4.5.yml new file mode 100644 index 0000000..13ed1f4 --- /dev/null +++ b/section_6/cis_6.2.4/cis_6.2.4.5.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_4_5 }} +command: + audit_conf_perms: + title: 6.2.4.5 | Ensure audit configuration files mode is configured + exec: for file in `find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \)`; do stat -Lc " %n_%a" $file; done + exit-status: 0 + stdout: + - '/.*_6(0|4)0$/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.4.5 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.4/cis_6.2.4.6.yml b/section_6/cis_6.2.4/cis_6.2.4.6.yml new file mode 100644 index 0000000..7f8c8a8 --- /dev/null +++ b/section_6/cis_6.2.4/cis_6.2.4.6.yml 
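Review bot: The `find … | stat` loop emits one line per `.conf`/`.rules` file under `/etc/audit/`, and goss treats the positive pattern `'/.*_6(0|4)0$/'` as "some line matches", so one correctly-moded file masks any number of world-readable rules files. Invert it so only offenders are printed and require silence: `exec: find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \) -perm /0137` with `stdout: ['!/./']`; that also matches the benchmark's own audit and accepts any mode at least as restrictive as 640 rather than exactly 600/640.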
@@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_4_6 }} +command: + audit_conf_owner: + title: 6.2.4.6 | Ensure audit configuration files owner is configured + exec: for file in `find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \)`; do stat -Lc " %n_%U" $file; done + exit-status: 0 + stdout: + - '/.*_root$/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.4.6 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.4/cis_6.2.4.7.yml b/section_6/cis_6.2.4/cis_6.2.4.7.yml new file mode 100644 index 0000000..4916c8d --- /dev/null +++ b/section_6/cis_6.2.4/cis_6.2.4.7.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_4_7 }} +command: + audit_conf_group: + title: 6.2.4.7 | Ensure audit configuration files group owner is configured + exec: for file in `find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \)`; do stat -Lc " %n_%U" $file; done + exit-status: 0 + stdout: + - '/.*_root$/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.4.7 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.2.4/cis_6.2.4.8.yml b/section_6/cis_6.2.4/cis_6.2.4.8.yml new file mode 100644 index 0000000..2d9e0ae --- /dev/null +++ b/section_6/cis_6.2.4/cis_6.2.4.8.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_4_8 }} +command: + audit_tools_perms: + title: 6.2.4.8 | Ensure audit tools mode is configured + exec: stat -c "%n_%a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules + exit-status: 0 + stdout: + - '/.*_7(0|5)(0|5)$/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.4.8 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} 
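Review bot: As with the mode check, `'/.*_root$/'` here is satisfied by a single root-owned line out of the many that the `find … | stat` loop prints, so a rules file owned by an unprivileged user passes 6.2.4.6 as long as `auditd.conf` is still root's. Print only the offenders and require nothing back: `exec: find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \) ! -user root` with `stdout: ['!/./']`.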
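Review bot: `stat -Lc " %n_%U"` in `audit_conf_group` prints the user owner, not the group, so 6.2.4.7 is a second copy of the owner check in 6.2.4.6 and the group owner of the audit configuration is never verified; `%G` is the group format. Given goss accepts a positive pattern when any one line matches, the safer form is again offender-only: `exec: find /etc/audit/ -type f \( -name '*.conf' -o -name '*.rules' \) ! -group root` with `stdout: ['!/./']`, which fixes both issues at once.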
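Review bot: Six tool paths are stat'ed and the positive pattern `'/.*_7(0|5)(0|5)$/'` passes as soon as one of them matches, so five of the audit binaries could be group- or world-writable and 6.2.4.8 would still report a pass. The allowlist is also narrower than "755 or more restrictive" (0711 or 0750 with no other-execute would fail). Both are fixed by listing offenders the way the benchmark does: `exec: find /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules -perm /0022` with `stdout: ['!/./']`, or by one goss `file:` resource per tool as section_7 does for `/etc/passwd`.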
diff --git a/section_6/cis_6.2.4/cis_6.2.4.9.yml b/section_6/cis_6.2.4/cis_6.2.4.9.yml new file mode 100644 index 0000000..7d121c0 --- /dev/null +++ b/section_6/cis_6.2.4/cis_6.2.4.9.yml @@ -0,0 +1,25 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_rule_6_2_4_9 }} +command: + audit_tools_owner: + title: 6.2.4.9 | Ensure audit tools owner is configured + exec: stat -c "%n_%U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules + exit-status: 0 + stdout: + - '/.*_root$/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.2.4.9 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AU-3 + {{ end }} +{{ end }} diff --git a/section_6/cis_6.3.x/cis_6.3.1.yml b/section_6/cis_6.3.x/cis_6.3.1.yml new file mode 100644 index 0000000..8dbd738 --- /dev/null +++ b/section_6/cis_6.3.x/cis_6.3.1.yml @@ -0,0 +1,36 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_config_aide }} + {{ if .Vars.ubtu24cis_rule_6_3_1 }} +package: + aide: + title: 6.3.1 | Ensure AIDE is installed | aide pkg + installed: true + meta: + server: 1 + workstation: 1 + CIS_ID: 6.3.1 + CISv8: 3.14 + CISv8_IG1: false + CISv8_IG2: false + CISv8_IG3: true + NIST800-53R5: + - AU-2 + aide-common: + title: 6.3.1 | Ensure AIDE is installed | aide-common pkg + installed: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.3.1 + CISv8: 3.14 + CISv8_IG1: false + CISv8_IG2: false + CISv8_IG3: true + NIST800-53R5: + - AU-2 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_6/cis_6.3.x/cis_6.3.2.yml b/section_6/cis_6.3.x/cis_6.3.2.yml new file mode 100644 index 0000000..d9d3000 --- /dev/null +++ b/section_6/cis_6.3.x/cis_6.3.2.yml 
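Review bot: Under the `aide` package `CIS_ID: 6.3.1` is a plain scalar, while the `aide-common` entry directly below (and every other check in this commit) writes it as a list, so a consumer iterating `meta.CIS_ID` gets a string for one entry and a list for the other. Make it `CIS_ID:` / `- 6.3.1` to match. Same remark for `CISv8: 3.14` in both entries versus the list form (`CISv8:` / `- 8.5`) used in the 6.2.x files; pick one shape across the repo.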
@@ -0,0 +1,65 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_config_aide }} + {{ if .Vars.ubtu24cis_rule_6_3_2 }} + {{ if eq .Vars.ubtu24cis_aide_scan "cron" }} +command: + aide_cron: + title: 6.3.2 | Ensure filesystem integrity is regularly checked | aide cron + exit-status: + or: + - 0 + - 2 + exec: "grep -rs aide /etc/cron.* /etc/crontab /var/spool/cron/*" + stdout: + - '!/^#/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.3.2 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} +service: + {{ if eq .Vars.ubtu24cis_aide_scan "timer" }} + aidecheck: + title: 6.3.2 | Ensure filesystem integrity is regularly checked | aidecheck service + name: aidecheck.service + enabled: true + running: true + skip: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.3.2 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + aidecheck.timer: + title: 6.3.2 | Ensure filesystem integrity is regularly checked | aidecheck timer + name: aidecheck.timer + enabled: true + running: true + skip: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.3.2 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: NA + {{ end }} + {{ end }} + {{ end }} +{{ end }} diff --git a/section_6/cis_6.3.x/cis_6.3.3.yml b/section_6/cis_6.3.x/cis_6.3.3.yml new file mode 100644 index 0000000..092044c --- /dev/null +++ b/section_6/cis_6.3.x/cis_6.3.3.yml 
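Review bot: The `'!/^#/'` guard can never fire: `grep -rs` prefixes every hit with `filename:`, so a commented-out `#… aide …` entry in a cron file satisfies this check as if it were an active schedule. Drop the prefix with `-h` and require an uncommented hit in the pipeline itself: `exec: "grep -rsh aide /etc/cron.* /etc/crontab /var/spool/cron/* | grep -Ev '^[[:space:]]*#'"` with `exit-status: 0` only — the `or: [0, 2]` is then no longer needed, and today it also lets a grep error with zero matches pass. For the timer branch, note that `service:` is emitted whenever the rule is enabled even when `ubtu24cis_aide_scan` is `cron`, leaving an empty `service:` key; harmless for goss as far as I can see, but it would be cleaner inside the `{{ if eq … "timer" }}` guard.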
@@ -0,0 +1,30 @@ +--- + +{{ if .Vars.ubtu24cis_level_2 }} + {{ if .Vars.ubtu24cis_config_aide }} + {{ if .Vars.ubtu24cis_rule_6_3_3 }} +command: + audit_tools_crypto: + title: 6.3.3 | Ensure cryptographic mechanisms are used to protect the integrity of audit tools + exec: grep -P -- '(\/sbin\/(audit|au)\H*\b)' /etc/aide/aide.conf + exit-status: 0 + stdout: + - '/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512' + - '/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512' + - '/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512' + - '/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512' + - '/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512' + - '/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.3.3 + CISv8: NA + CISv8_IG1: NA + CISv8_IG2: NA + CISv8_IG3: NA + NIST800-53R5: NA + {{ end }} + {{ end }} +{{ end }} diff --git a/section_7/cis_7.1/cis_7.1.1.yml b/section_7/cis_7.1/cis_7.1.1.yml new file mode 100644 index 0000000..7392aa8 --- /dev/null +++ b/section_7/cis_7.1/cis_7.1.1.yml @@ -0,0 +1,32 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_7_1_1 }} +file: + passwd_perms: + title: 7.1.1 | Ensure permissions on /etc/passwd are configured + path: /etc/passwd + exists: true + owner: root + group: root + mode: + or: + - "0644" + - "0640" + - "0604" + - "0600" + - "0400" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.1.1 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_7/cis_7.1/cis_7.1.10.yml b/section_7/cis_7.1/cis_7.1.10.yml new file mode 100644 index 0000000..065c2c9 --- /dev/null +++ b/section_7/cis_7.1/cis_7.1.10.yml 
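Review bot: The grep looks only at `/etc/aide/aide.conf`, but the Debian/Ubuntu `aide-common` package assembles its configuration from drop-ins under `/etc/aide/aide.conf.d/`, which is where a remediation would normally place these six rules; a host configured that way fails 6.3.3 even though AIDE is protecting the tools. Extend the search and tolerate a missing directory: `exec: grep -Ps -- '(\/sbin\/(audit|au)\H*\b)' /etc/aide/aide.conf /etc/aide/aide.conf.d/*`. With several files grep adds a `filename:` prefix, which the plain-string `stdout` entries tolerate since goss matches them as substrings; I'd add a comment noting that these are literal, not regex, matches so the exact attribute string (`p+i+n+u+g+s+b+acl+xattrs+sha512`) is required.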
@@ -0,0 +1,29 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.ubtu24cis_rule_7_1_10 }} +file: + etc_security_opasswd_perms: + title: 7.1.10 | Ensure permissions on /etc/security/opasswd are configured + path: /etc/security/opasswd + exists: true + owner: root + group: root + mode: + or: + - "0600" + - "0400" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.1.10 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} +{{ end }} diff --git a/section_7/cis_7.1/cis_7.1.11.yml b/section_7/cis_7.1/cis_7.1.11.yml new file mode 100644 index 0000000..307434d --- /dev/null +++ b/section_7/cis_7.1/cis_7.1.11.yml @@ -0,0 +1,28 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.run_heavy_tests }} + {{ if .Vars.ubtu24cis_rule_7_1_11 }} +command: + world_writable: + title: 7.1.11 | Ensure world writable files and directories are secured + exec: "df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -o -type d \\( -perm -0002 -a ! -perm -1000 \\)" + exit-status: 0 + timeout: {{ .Vars.timeout_ms }} + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.1.11 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_7/cis_7.1/cis_7.1.12.yml b/section_7/cis_7.1/cis_7.1.12.yml new file mode 100644 index 0000000..ac408d8 --- /dev/null +++ b/section_7/cis_7.1/cis_7.1.12.yml 
@@ -0,0 +1,31 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.run_heavy_tests }} + {{ if .Vars.ubtu24cis_rule_7_1_12 }} +command: + unowned_dirs: + title: 7.1.12 | Ensure no files or directories without an owner and a group exist + exec: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -o -nogroup | grep -v journal-upload" + exit-status: + or: + - 0 + - 1 + timeout: {{ .Vars.timeout_ms }} + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.1.12 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - AC-3 + - MP-2 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_7/cis_7.1/cis_7.1.13.yml b/section_7/cis_7.1/cis_7.1.13.yml new file mode 100644 index 0000000..e3f60bc --- /dev/null +++ b/section_7/cis_7.1/cis_7.1.13.yml @@ -0,0 +1,36 @@ +--- + +{{ if .Vars.ubtu24cis_level_1 }} + {{ if .Vars.run_heavy_tests }} + {{ if .Vars.ubtu24cis_rule_7_1_13 }} +command: + audit_sgid: + title: 7.1.13 | Ensure SUID and SGID files are reviewed | Manual + exec: "df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -02000 -o -perm -04000" + timeout: {{ .Vars.timeout_ms }} + exit-status: + or: + - 0 + - 1 + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 7.1.13 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + NIST800-53R5: + - CM-1 + - CM-2 + - CM-6 + - CM-7 + - IA-5 + - AC-3 + - MP-2 + {{ end }} + {{ end }} +{{ end }} diff --git a/section_7/cis_7.1/cis_7.1.2.yml b/section_7/cis_7.1/cis_7.1.2.yml new file mode 100644 index 0000000..b517667 --- /dev/null +++ b/section_7/cis_7.1/cis_7.1.2.yml 
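Review bot: `stdout: ['!/./']` turns a check titled `| Manual` into a hard failure on every stock host, because a default Ubuntu install ships setuid binaries (`sudo`, `passwd`, `su`, …) that this `find` will list; the benchmark asks that SUID/SGID files be reviewed, not that none exist. Either mark the check `skip: true` so the listing is reported without failing the run, or drop the `stdout` assertion and keep only `exit-status`, with a comment such as `# informational: review the listed files against an approved baseline`. Also, `-type f -perm -02000 -o -perm -04000` binds as `(-type f -perm -02000) -o (-perm -04000)`, so the setuid branch is not restricted to regular files; `-type f \\( -perm -02000 -o -perm -04000 \\)` keeps the intent.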
@@ -0,0 +1,32 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_7_1_2 }}
+file:
+ passwd-_perms:
+ title: 7.1.2 | Ensure permissions on /etc/passwd- are configured
+ path: /etc/passwd
+ exists: true
+ owner: root
+ group: root
+ mode:
+ or:
+ - "0644"
+ - "0640"
+ - "0604"
+ - "0600"
+ - "0400"
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 7.1.2
+ CISv8: 3.3
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - AC-3
+ - MP-2
+ {{ end }}
+{{ end }}
diff --git a/section_7/cis_7.1/cis_7.1.3.yml b/section_7/cis_7.1/cis_7.1.3.yml
new file mode 100644
index 0000000..e8eafce
--- /dev/null
+++ b/section_7/cis_7.1/cis_7.1.3.yml
@@ -0,0 +1,32 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_7_1_3 }}
+file:
+ group_perms:
+ title: 7.1.3 | Ensure permissions on /etc/group are configured
+ path: /etc/group
+ exists: true
+ owner: root
+ group: root
+ mode:
+ or:
+ - "0644"
+ - "0640"
+ - "0604"
+ - "0600"
+ - "0400"
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 7.1.3
+ CISv8: 3.3
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - AC-3
+ - MP-2
+ {{ end }}
+{{ end }}
diff --git a/section_7/cis_7.1/cis_7.1.4.yml b/section_7/cis_7.1/cis_7.1.4.yml
new file mode 100644
index 0000000..84ff248
--- /dev/null
+++ b/section_7/cis_7.1/cis_7.1.4.yml
@@ -0,0 +1,32 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_7_1_4 }}
+file:
+ group-_perms:
+ title: 7.1.4 | Ensure permissions on /etc/group- are configured
+ path: /etc/group-
+ exists: true
+ owner: root
+ group: root
+ mode:
+ or:
+ - "0644"
+ - "0640"
+ - "0604"
+ - "0600"
+ - "0400"
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 7.1.4
+ CISv8: 3.3
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - AC-3
+ - MP-2
+ {{ end }}
+{{ end }}
diff --git a/section_7/cis_7.1/cis_7.1.5.yml b/section_7/cis_7.1/cis_7.1.5.yml
new file mode 100644
index 0000000..d02a27d
--- /dev/null
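Review bot: The `path` in the 7.1.2 hunk is `/etc/passwd`, while the title, the resource key `passwd-_perms` and the rule number all refer to the backup file `/etc/passwd-`; as written this re-checks the live file (presumably already covered by 7.1.1) and the backup is never audited. Change the line to `path: /etc/passwd-`, matching how 7.1.4 in the same commit points at `/etc/group-`.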
+++ b/section_7/cis_7.1/cis_7.1.5.yml
@@ -0,0 +1,33 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_7_1_5 }}
+file:
+ shadow_perms:
+ title: 7.1.5 | Ensure permissions on /etc/shadow are configured
+ path: /etc/shadow
+ exists: true
+ owner: root
+ group:
+ or:
+ - root
+ - shadow
+ mode:
+ or:
+ - "0640"
+ - "0600"
+ - "0400"
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 7.1.5
+ CISv8: 3.3
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - AC-3
+ - MP-2
+ {{ end }}
+{{ end }}
diff --git a/section_7/cis_7.1/cis_7.1.6.yml b/section_7/cis_7.1/cis_7.1.6.yml
new file mode 100644
index 0000000..46b0c01
--- /dev/null
+++ b/section_7/cis_7.1/cis_7.1.6.yml
@@ -0,0 +1,33 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_7_1_6 }}
+file:
+ shadow-_perms:
+ title: 7.1.6 | Ensure permissions on /etc/shadow- are configured
+ path: /etc/shadow-
+ exists: true
+ owner: root
+ group:
+ or:
+ - root
+ - shadow
+ mode:
+ or:
+ - "0640"
+ - "0600"
+ - "0400"
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 7.1.6
+ CISv8: 3.3
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - AC-3
+ - MP-2
+ {{ end }}
+{{ end }}
diff --git a/section_7/cis_7.1/cis_7.1.7.yml b/section_7/cis_7.1/cis_7.1.7.yml
new file mode 100644
index 0000000..959d021
--- /dev/null
+++ b/section_7/cis_7.1/cis_7.1.7.yml
@@ -0,0 +1,33 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_7_1_7 }}
+file:
+ gshadow_perms:
+ title: 7.1.7 | Ensure permissions on /etc/gshadow are configured
+ path: /etc/gshadow
+ exists: true
+ owner: root
+ group:
+ or:
+ - root
+ - shadow
+ mode:
+ or:
+ - "0640"
+ - "0600"
+ - "0400"
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 7.1.7
+ CISv8: 3.3
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - AC-3
+ - MP-2
+ {{ end }}
+{{ end }}
diff --git a/section_7/cis_7.1/cis_7.1.8.yml b/section_7/cis_7.1/cis_7.1.8.yml
new file mode 100644
index 0000000..b832558
--- /dev/null
+++ b/section_7/cis_7.1/cis_7.1.8.yml
@@ -0,0 +1,33 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_7_1_8 }}
+file:
+ gshadow-_perms:
+ title: 7.1.8 | Ensure permissions on /etc/gshadow- are configured
+ path: /etc/gshadow-
+ exists: true
+ owner: root
+ group:
+ or:
+ - root
+ - shadow
+ mode:
+ or:
+ - "0640"
+ - "0600"
+ - "0400"
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 7.1.8
+ CISv8: 3.3
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - AC-3
+ - MP-2
+ {{ end }}
+{{ end }}
diff --git a/section_7/cis_7.1/cis_7.1.9.yml b/section_7/cis_7.1/cis_7.1.9.yml
new file mode 100644
index 0000000..7c5fe4e
--- /dev/null
+++ b/section_7/cis_7.1/cis_7.1.9.yml
@@ -0,0 +1,32 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_7_1_9 }}
+file:
+ etc_shells_perms:
+ title: 7.1.9 | Ensure permissions on /etc/shells are configured
+ path: /etc/shells
+ exists: true
+ owner: root
+ group: root
+ mode:
+ or:
+ - "0644"
+ - "0640"
+ - "0604"
+ - "0600"
+ - "0400"
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 7.1.9
+ CISv8: 3.3
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - AC-3
+ - MP-2
+ {{ end }}
+{{ end }}
diff --git a/section_7/cis_7.2/cis_7.2.1.yml b/section_7/cis_7.2/cis_7.2.1.yml
new file mode 100644
index 0000000..6ce81d6
--- /dev/null
+++ b/section_7/cis_7.2/cis_7.2.1.yml
@@ -0,0 +1,24 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_7_2_1 }}
+file:
+ shadowed_passwds:
+ title: 7.2.1 | Ensure accounts in /etc/passwd use shadowed passwords
+ path: /etc/passwd
+ exists: true
+ contents:
+ - '/^.*:x:/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 7.2.1
+ CISv8: 3.11
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - IA-5
+ {{ end }}
+{{ end }}
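Review bot: The `contents` assertion `'/^.*:x:/'` in the 7.2.1 hunk passes as soon as one line of `/etc/passwd` has `x` in the password field, so a single account carrying a hash or an empty field alongside the normal accounts is not detected. The check needs the negated form that fails on any second field that is not exactly `x`, e.g. `- '!/^[^:]+:([^x:][^:]*)?:/'`, which matches both an empty field and one that does not start with `x`.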
diff --git a/section_7/cis_7.2/cis_7.2.10.yml b/section_7/cis_7.2/cis_7.2.10.yml
new file mode 100644
index 0000000..74128ab
--- /dev/null
+++ b/section_7/cis_7.2/cis_7.2.10.yml
@@ -0,0 +1,73 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_7_2_10 }}
+command:
+ bad_dot_files:
+ title: 7.2.10 | Ensure local interactive user dot files access is configured | bad dot files
+ exec: 'find /home/ -name "\.forward" -o -name "\.netrc" -o -name "\.rhosts"'
+ exit-status: 0
+ stdout:
+ - '!/./'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 7.2.10
+ CISv8: 3.3
+ CISv8_IG1: True
+ CISv8_IG2: True
+ CISv8_IG3: True
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+ dot_file_perms:
+ title: 7.2.10 | Ensure local interactive user dot files access is configured | dot files permissions
+ exec: 'find /home/ -name "\.*" -perm /g+w,o+w | grep -v .bash_history'
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '!/./'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 7.2.10
+ CISv8: 3.3
+ CISv8_IG1: True
+ CISv8_IG2: True
+ CISv8_IG3: True
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+ dot_file_bash_history:
+ title: 7.2.10 | Ensure local interactive user dot files access is configured | bash_history files permissions
+ exec: 'find /home/ -name "\.bash_history" -perm /go+rwx'
+ exit-status: 0
+ stdout:
+ - '!/./'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 7.2.10
+ CISv8: 3.3
+ CISv8_IG1: True
+ CISv8_IG2: True
+ CISv8_IG3: True
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_7/cis_7.2/cis_7.2.2.yml b/section_7/cis_7.2/cis_7.2.2.yml
new file mode 100644
index 0000000..53ef4d2
--- /dev/null
+++ b/section_7/cis_7.2/cis_7.2.2.yml
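Review bot: All three `exec` lines in the 7.2.10 hunk walk a hard-coded `/home/`, so interactive users whose home directory lives elsewhere (including `/root`) are never examined, while non-user directories under `/home` are; as far as I recall the benchmark's own audit enumerates interactive users from `/etc/passwd`. Consider deriving the directory list from the sixth passwd field instead of the fixed prefix. Also `CISv8_IG1: True` (and IG2/IG3) uses a capitalised boolean where every other file in this commit writes `true`; yamllint's truthy rule flags it, so `CISv8_IG1: true`.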
@@ -0,0 +1,24 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_7_2_2 }}
+file:
+ passwd_fields_not_empty_shadow:
+ title: 7.2.2 | Ensure password fields are not empty
+ path: /etc/shadow
+ exists: true
+ contents:
+ - '!/^*.[a-z]::/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 7.2.2
+ CISv8: 5.2
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_7/cis_7.2/cis_7.2.3.yml b/section_7/cis_7.2/cis_7.2.3.yml
new file mode 100644
index 0000000..056c23b
--- /dev/null
+++ b/section_7/cis_7.2/cis_7.2.3.yml
@@ -0,0 +1,31 @@
+---
+
+{{ if .Vars.ubtu24cis_rule_7_2_3 }}
+ {{ if .Vars.ubtu24cis_level_1 }}
+command:
+ passwd_group_exist:
+ title: 7.2.3 | Ensure all groups in /etc/passwd exist in /etc/group
+ exec: "awk -F: '{print $4}' /etc/passwd |sort -u > /tmp/uid && awk -F: '{print $3}' /etc/group| sort -u> /tmp/gid && comm -23 /tmp/uid /tmp/gid && rm -f /tmp/uid /tmp/gid"
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '!/.*/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 7.2.3
+ CISv8: 3.3
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_7/cis_7.2/cis_7.2.4.yml b/section_7/cis_7.2/cis_7.2.4.yml
new file mode 100644
index 0000000..eadcbc4
--- /dev/null
+++ b/section_7/cis_7.2/cis_7.2.4.yml
@@ -0,0 +1,25 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_7_2_4 }}
+file:
+ shadow_group_empty:
+ title: 7.2.4 | Ensure shadow group is empty
+ path: /etc/group
+ exists: true
+ contents:
+ - '/^shadow:x:\d{2,}:$/'
+ - '!/^shadow:x:\d{2,}:./'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 7.2.4
+ CISv8: 3.3
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ NIST800-53R5:
+ - IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_7/cis_7.2/cis_7.2.5.yml b/section_7/cis_7.2/cis_7.2.5.yml
new file mode 100644
index 0000000..3cd1bc0
--- /dev/null
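Review bot: The regex `'!/^*.[a-z]::/'` in the 7.2.2 hunk only catches an empty password field when the account name ends in a lowercase letter; a name ending in a digit, underscore or dash (`svc1::`) slips through, and the leading `^*` is a dubious construct whose handling differs between regex engines. The direct test for an empty second field is `- '!/^[^:]+::/'`.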
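Review bot: The `exec` in the 7.2.3 hunk writes to the fixed names `/tmp/uid` and `/tmp/gid`; the audit runs as root in a world-writable directory, so a pre-existing file or symlink at those paths is followed and overwritten, and the comparison reads back whatever sits there. The temporary files are unnecessary, since one awk pass performs the join: `exec: "awk -F: 'NR==FNR {g[$3]; next} !($4 in g) {print $1 \" references missing group \" $4}' /etc/group /etc/passwd"`, after which `exit-status` can be a plain `0`. The `if` nesting in this file (rule switch outside the level switch) is also the reverse of every sibling; not a functional difference, but worth aligning.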
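Review bot: The 7.2.4 hunk only inspects `/etc/group`: the two `contents` patterns confirm the `shadow` line has no member list, but an account whose primary GID in `/etc/passwd` is the shadow group's GID also gains that group's access and is not caught here. If I read the benchmark's audit correctly, a companion `command` check that looks up the shadow GID and greps `/etc/passwd` for it as fourth field would close that gap.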
+++ b/section_7/cis_7.2/cis_7.2.5.yml
@@ -0,0 +1,28 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_7_2_5 }}
+command:
+ no_dup_uid:
+ title: 7.2.5 | Ensure no duplicate UIDs exist
+ exec: "cat /etc/passwd | cut -d: -f3 | uniq -d"
+ exit-status: 0
+ stdout:
+ - '!/./'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 7.2.5
+ CISv8: NA
+ CISv8_IG1: NA
+ CISv8_IG2: NA
+ CISv8_IG3: NA
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_7/cis_7.2/cis_7.2.6.yml b/section_7/cis_7.2/cis_7.2.6.yml
new file mode 100644
index 0000000..3af78ac
--- /dev/null
+++ b/section_7/cis_7.2/cis_7.2.6.yml
@@ -0,0 +1,28 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_7_2_6 }}
+command:
+ no_dup_gid:
+ title: 7.2.6 | Ensure no duplicate GIDs exist
+ exec: "cat /etc/group | cut -d: -f3 | uniq -d"
+ exit-status: 0
+ stdout:
+ - '!/./'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 7.2.6
+ CISv8: NA
+ CISv8_IG1: NA
+ CISv8_IG2: NA
+ CISv8_IG3: NA
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_7/cis_7.2/cis_7.2.7.yml b/section_7/cis_7.2/cis_7.2.7.yml
new file mode 100644
index 0000000..41eb888
--- /dev/null
+++ b/section_7/cis_7.2/cis_7.2.7.yml
@@ -0,0 +1,28 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_7_2_7 }}
+command:
+ no_dup_username:
+ title: 7.2.7 | Ensure no duplicate user names exist
+ exec: "cat /etc/passwd | cut -d: -f1 | uniq -d"
+ exit-status: 0
+ stdout:
+ - '!/./'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 7.2.7
+ CISv8: NA
+ CISv8_IG1: NA
+ CISv8_IG2: NA
+ CISv8_IG3: NA
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_7/cis_7.2/cis_7.2.8.yml b/section_7/cis_7.2/cis_7.2.8.yml
new file mode 100644
index 0000000..e4ef614
--- /dev/null
+++ b/section_7/cis_7.2/cis_7.2.8.yml
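Review bot: `cut -d: -f3 | uniq -d` in the 7.2.5 hunk only reports duplicates that are adjacent in `/etc/passwd`, because `uniq` compares consecutive lines; two accounts sharing a UID that are separated by other entries are missed, so the control can pass on a non-compliant file. Insert a sort: `exec: "cut -d: -f3 /etc/passwd | sort | uniq -d"`. The same pattern appears in 7.2.6 and 7.2.7 on this line and in 7.2.8 in the next hunk and needs the same fix; `cat file | cut` can be collapsed to `cut ... file` at the same time.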
@@ -0,0 +1,28 @@
+---
+
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_7_2_8 }}
+command:
+ no_dup_groupname:
+ title: 7.2.8 | Ensure no duplicate group names exist
+ exec: "cat /etc/group | cut -d: -f1 | uniq -d"
+ exit-status: 0
+ stdout:
+ - '!/./'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 7.2.8
+ CISv8: NA
+ CISv8_IG1: NA
+ CISv8_IG2: NA
+ CISv8_IG3: NA
+ NIST800-53R5:
+ - CM-1
+ - CM-2
+ - CM-6
+ - CM-7
+ - IA-5
+ {{ end }}
+{{ end }}
diff --git a/section_7/cis_7.2/cis_7.2.9.yml b/section_7/cis_7.2/cis_7.2.9.yml
new file mode 100644
index 0000000..4449720
--- /dev/null
+++ b/section_7/cis_7.2/cis_7.2.9.yml
@@ -0,0 +1,64 @@
+{{ if .Vars.ubtu24cis_level_1 }}
+ {{ if .Vars.ubtu24cis_rule_7_2_9 }}
+command:
+ home_dirs_exist:
+ title: 7.2.9 | Ensure local interactive user home directories are configured | Directories exist
+ exec: for i in `cat /etc/passwd | grep -Ev "halt|sync|shutdown|nfsnobody|nologin|false" | cut -d ':' -f6`; do if [ ! -d $i ]; then echo "homedir missing $i"; fi; done
+ exit-status:
+ or:
+ - 0
+ - 1
+ - 2
+ stdout:
+ - '!/./'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 7.2.9
+ CISv8: 3.3
+ CISv8_IG1: True
+ CISv8_IG2: True
+ CISv8_IG3: True
+ NIST800-53R5: NA
+ home_dirs_ownership:
+ title: 7.2.9 | Ensure local interactive user home directories are configured | Directory ownership
+ exec: "getent passwd {1000..60000} | awk -F: '{ print $1 \" \" $7 }' | while read user dir; do if [ $user != 'ftpd' ]; then owner=$(stat -L -c \"%U\" \"$dir\"); if [ \"$owner\" != \"$user\" ]; then echo \"home dir for $user owned by $owner\"; fi; fi; done"
+ exit-status:
+ or:
+ - 0
+ - 1
+ - 2
+ stdout:
+ - '!/./'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 7.2.9
+ CISv8: 3.3
+ CISv8_IG1: True
+ CISv8_IG2: True
+ CISv8_IG3: True
+ NIST800-53R5: NA
+ home_dirs_permissions:
+ title: 7.2.9 | Ensure local interactive user home directories are configured | Directory permissions
+ exec: export def_home=`grep "^HOME=" /etc/default/useradd |cut -d= -f2` && for i in `ls $def_home`; do stat -c "%a %n" $def_home/$i | grep -Ev "7[0-5]0|syslog"; done
+ exit-status:
+ or:
+ - 0
+ - 1
+ stdout:
+ - '!/.*/'
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 7.2.9
+ CISv8: 3.3
+ CISv8_IG1: True
+ CISv8_IG2: True
+ CISv8_IG3: True
+ NIST800-53R5: NA
+ {{ end }}
+{{ end }}
diff --git a/vars/CIS.yml b/vars/CIS.yml
new file mode 100644
index 0000000..20126ec
--- /dev/null
+++ b/vars/CIS.yml
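Review bot: `home_dirs_ownership` relies on `getent passwd {1000..60000}`, a bash brace expansion; goss runs `exec` through `sh -c`, which on Ubuntu is dash and does not expand braces, so getent receives the literal string, exits 2 (accepted by the `or: 0/1/2` list), prints nothing, and the check passes vacuously. Even where the expansion does happen, `awk -F: '{ print $1 \" \" $7 }'` emits the login shell (field 7) rather than the home directory (field 6), so every user would then be flagged. Replace the front of the pipeline with `getent passwd | awk -F: '$3 >= 1000 && $3 < 60000 { print $1, $6 }' | while read user dir; do ...` and drop `2` from the accepted exit statuses so a getent failure surfaces. In `home_dirs_permissions`, `grep -Ev "7[0-5]0|syslog"` also accepts 720 and 730, which grant group write; `7[0145]0` is the set that is 750 or more restrictive. This file also lacks the leading `---` and uses `True` where every sibling writes `true`.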
@@ -0,0 +1,744 @@ +--- + +## metadata for Audit benchmark +benchmark_version: '2.0.0' + + +# timeout for each command to run where set - default = 10seconds/10000ms +timeout_ms: 120000 + +ubtu24cis_section1: true +ubtu24cis_section2: true +ubtu24cis_section3: true +ubtu24cis_section4: true +ubtu24cis_section5: true +ubtu24cis_section6: true +ubtu24cis_section7: true + +ubtu24cis_level_1: true +ubtu24cis_level_2: true + + +# to enable rules that may have IO impact on a system e.g. full filesystem scans or CPU heavy +run_heavy_tests: true + +# True is BIOS based system else set to false +ubtu24cis_legacy_boot: true + +## +## Rule-specific switches +## +## Use the switches below to disable specific rules independently of the chosen profile +## + +## Section 1 Fixes +# Section 1 is Initial setup (FileSystem Configuration, Configure Software Updates, Filesystem Integrity Checking, Secure Boot Settings, +# Additional Process Hardening, Mandatory Access Control, Command Line Warning Banners, and GNOME Display Manager) + +# 1.1 Filesystems +# 1.1.1 Configure Filesystem Kernel Modules +ubtu24cis_rule_1_1_1_1: true +ubtu24cis_rule_1_1_1_2: true +ubtu24cis_rule_1_1_1_3: true +ubtu24cis_rule_1_1_1_4: true +ubtu24cis_rule_1_1_1_5: true +ubtu24cis_rule_1_1_1_6: true +ubtu24cis_rule_1_1_1_7: true +ubtu24cis_rule_1_1_1_8: true +ubtu24cis_rule_1_1_1_9: true +ubtu24cis_rule_1_1_1_10: true + +# 1.1.2 Configure Filesystem Partitions +# /tmp +ubtu24cis_rule_1_1_2_1_1: true +ubtu24cis_rule_1_1_2_1_2: true +ubtu24cis_rule_1_1_2_1_3: true +ubtu24cis_rule_1_1_2_1_4: true + +# /dev/shm +ubtu24cis_rule_1_1_2_2_1: true +ubtu24cis_rule_1_1_2_2_2: true +ubtu24cis_rule_1_1_2_2_3: true +ubtu24cis_rule_1_1_2_2_4: true + +# /home +ubtu24cis_rule_1_1_2_3_1: true +ubtu24cis_rule_1_1_2_3_2: true +ubtu24cis_rule_1_1_2_3_3: true + +# /var +ubtu24cis_rule_1_1_2_4_1: true +ubtu24cis_rule_1_1_2_4_2: true +ubtu24cis_rule_1_1_2_4_3: true + +# /var/tmp +ubtu24cis_rule_1_1_2_5_1: true 
+ubtu24cis_rule_1_1_2_5_2: true +ubtu24cis_rule_1_1_2_5_3: true +ubtu24cis_rule_1_1_2_5_4: true + +# /var/log +ubtu24cis_rule_1_1_2_6_1: true +ubtu24cis_rule_1_1_2_6_2: true +ubtu24cis_rule_1_1_2_6_3: true +ubtu24cis_rule_1_1_2_6_4: true + +# /var/log/audit +ubtu24cis_rule_1_1_2_7_1: true +ubtu24cis_rule_1_1_2_7_2: true +ubtu24cis_rule_1_1_2_7_3: true +ubtu24cis_rule_1_1_2_7_4: true + +# 1.2 Package mgmt +# 1.2.1 Configure Package repositories +ubtu24cis_rule_1_2_1_1: true +ubtu24cis_rule_1_2_1_2: true +# 1.2.2 Configure Package updates +ubtu24cis_rule_1_2_2_1: true + +# 1.3 Mandatory Access Control +## 1.3.1 Configure AppArmor +ubtu24cis_rule_1_3_1_1: true +ubtu24cis_rule_1_3_1_2: true +ubtu24cis_rule_1_3_1_3: true +ubtu24cis_rule_1_3_1_4: true + +# 1.4 Configure Bootloader +ubtu24cis_rule_1_4_1: true +ubtu24cis_rule_1_4_2: true + +# 1.5 Configure additional Process Hardening +ubtu24cis_rule_1_5_1: true +ubtu24cis_rule_1_5_2: true +ubtu24cis_rule_1_5_3: true +ubtu24cis_rule_1_5_4: true +ubtu24cis_rule_1_5_5: true + +# 1.6 Configure Command Line Warning Banners +ubtu24cis_rule_1_6_1: true +ubtu24cis_rule_1_6_2: true +ubtu24cis_rule_1_6_3: true +ubtu24cis_rule_1_6_4: true +ubtu24cis_rule_1_6_5: true +ubtu24cis_rule_1_6_6: true + +# 1.7 Configure GNOME Display Manager +ubtu24cis_rule_1_7_1: true +ubtu24cis_rule_1_7_2: true +ubtu24cis_rule_1_7_3: true +ubtu24cis_rule_1_7_4: true +ubtu24cis_rule_1_7_5: true +ubtu24cis_rule_1_7_6: true +ubtu24cis_rule_1_7_7: true +ubtu24cis_rule_1_7_8: true +ubtu24cis_rule_1_7_9: true +ubtu24cis_rule_1_7_10: true + +## Section 2 Fixes +# Section 2 is Services (Special Purpose Services, and service clients) + +# 2.1 Configure Server Services +ubtu24cis_rule_2_1_1: true +ubtu24cis_rule_2_1_2: true +ubtu24cis_rule_2_1_3: true +ubtu24cis_rule_2_1_4: true +ubtu24cis_rule_2_1_5: true +ubtu24cis_rule_2_1_6: true +ubtu24cis_rule_2_1_7: true +ubtu24cis_rule_2_1_8: true +ubtu24cis_rule_2_1_9: true +ubtu24cis_rule_2_1_10: true 
+ubtu24cis_rule_2_1_11: true +ubtu24cis_rule_2_1_12: true +ubtu24cis_rule_2_1_13: true +ubtu24cis_rule_2_1_14: true +ubtu24cis_rule_2_1_15: true +ubtu24cis_rule_2_1_16: true +ubtu24cis_rule_2_1_17: true +ubtu24cis_rule_2_1_18: true +ubtu24cis_rule_2_1_19: true +ubtu24cis_rule_2_1_20: true +ubtu24cis_rule_2_1_21: true +ubtu24cis_rule_2_1_22: true + +# 2.2 Configure client services +ubtu24cis_rule_2_2_1: true +ubtu24cis_rule_2_2_2: true +ubtu24cis_rule_2_2_3: true +ubtu24cis_rule_2_2_4: true +ubtu24cis_rule_2_2_5: true +ubtu24cis_rule_2_2_6: true + +# Ensure time synchronization is in use +ubtu24cis_rule_2_3_1_1: true +# Configure systemd-timesyncd +ubtu24cis_rule_2_3_2_1: true +ubtu24cis_rule_2_3_2_2: true +# Configure Chrony +ubtu24cis_rule_2_3_3_1: true +ubtu24cis_rule_2_3_3_2: true +ubtu24cis_rule_2_3_3_3: true + +# 2.4 Job Schedulers +# 2.4.1 Configure Cron +ubtu24cis_rule_2_4_1_1: true +ubtu24cis_rule_2_4_1_2: true +ubtu24cis_rule_2_4_1_3: true +ubtu24cis_rule_2_4_1_4: true +ubtu24cis_rule_2_4_1_5: true +ubtu24cis_rule_2_4_1_6: true +ubtu24cis_rule_2_4_1_7: true +ubtu24cis_rule_2_4_1_8: true +# Configure At +ubtu24cis_rule_2_4_2_1: true + +## Section 3 Network Configuration +# 3.1 Configure Network Devices +ubtu24cis_rule_3_1_1: true +ubtu24cis_rule_3_1_2: true +ubtu24cis_rule_3_1_3: true +# 3.2 Configure Network Kernel Modules (Host Only) +ubtu24cis_rule_3_2_1: true +ubtu24cis_rule_3_2_2: true +ubtu24cis_rule_3_2_3: true +ubtu24cis_rule_3_2_4: true +# 3.3 Configure Network Kernel Parameters (Host and Router) +ubtu24cis_rule_3_3_1: true +ubtu24cis_rule_3_3_2: true +ubtu24cis_rule_3_3_3: true +ubtu24cis_rule_3_3_4: true +ubtu24cis_rule_3_3_5: true +ubtu24cis_rule_3_3_6: true +ubtu24cis_rule_3_3_7: true +ubtu24cis_rule_3_3_8: true +ubtu24cis_rule_3_3_9: true +ubtu24cis_rule_3_3_10: true +ubtu24cis_rule_3_3_11: true + +## Section 4 Host Based Firewall + +# 4.1 single firewall +ubtu24cis_rule_4_1_1: true + +# 4.2 Configure UncomplicatedFirewall 
+ubtu24cis_rule_4_2_1: true +ubtu24cis_rule_4_2_2: true +ubtu24cis_rule_4_2_3: true +ubtu24cis_rule_4_2_4: true +ubtu24cis_rule_4_2_5: true +ubtu24cis_rule_4_2_6: true +ubtu24cis_rule_4_2_7: true +# 4.3 Configure nftables +ubtu24cis_rule_4_3_1: true +ubtu24cis_rule_4_3_2: true +ubtu24cis_rule_4_3_3: true +ubtu24cis_rule_4_3_4: true +ubtu24cis_rule_4_3_5: true +ubtu24cis_rule_4_3_6: true +ubtu24cis_rule_4_3_7: true +ubtu24cis_rule_4_3_8: true +ubtu24cis_rule_4_3_9: true +ubtu24cis_rule_4_3_10: true + +# 4.4.1 Configure iptables software +ubtu24cis_rule_4_4_1_1: true +ubtu24cis_rule_4_4_1_2: true +ubtu24cis_rule_4_4_1_3: true + +# 4.4.2 Configure IPv4 iptables +ubtu24cis_rule_4_4_2_1: true +ubtu24cis_rule_4_4_2_2: true +ubtu24cis_rule_4_4_2_3: true +ubtu24cis_rule_4_4_2_4: true +# 4.4.3 Configure IPv6 iptables +ubtu24cis_rule_4_4_3_1: true +ubtu24cis_rule_4_4_3_2: true +ubtu24cis_rule_4_4_3_3: true +ubtu24cis_rule_4_4_3_4: true + +## Section 5 Access Control +# 5.1 Configure SSH Server +ubtu24cis_rule_5_1_1: true +ubtu24cis_rule_5_1_2: true +ubtu24cis_rule_5_1_3: true +ubtu24cis_rule_5_1_4: true +ubtu24cis_rule_5_1_5: true +ubtu24cis_rule_5_1_6: true +ubtu24cis_rule_5_1_7: true +ubtu24cis_rule_5_1_8: true +ubtu24cis_rule_5_1_9: true +ubtu24cis_rule_5_1_10: true +ubtu24cis_rule_5_1_11: true +ubtu24cis_rule_5_1_12: true +ubtu24cis_rule_5_1_13: true +ubtu24cis_rule_5_1_14: true +ubtu24cis_rule_5_1_15: true +ubtu24cis_rule_5_1_16: true +ubtu24cis_rule_5_1_17: true +ubtu24cis_rule_5_1_18: true +ubtu24cis_rule_5_1_19: true +ubtu24cis_rule_5_1_20: true +ubtu24cis_rule_5_1_21: true +ubtu24cis_rule_5_1_22: true +# 5.2 Configure privilege escalation +ubtu24cis_rule_5_2_1: true +ubtu24cis_rule_5_2_2: true +ubtu24cis_rule_5_2_3: true +ubtu24cis_rule_5_2_4: true +ubtu24cis_rule_5_2_5: true +ubtu24cis_rule_5_2_6: true +ubtu24cis_rule_5_2_7: true +# 5.3.1 Configure PAM software packages +ubtu24cis_rule_5_3_1_1: true +ubtu24cis_rule_5_3_1_2: true +ubtu24cis_rule_5_3_1_3: true +# 
5.3.2 Configure pam-auth-update profiles +ubtu24cis_rule_5_3_2_1: true +ubtu24cis_rule_5_3_2_2: true +ubtu24cis_rule_5_3_2_3: true +ubtu24cis_rule_5_3_2_4: true +# 5.3.3.1 Configure pam_faillock module +ubtu24cis_rule_5_3_3_1_1: true +ubtu24cis_rule_5_3_3_1_2: true +ubtu24cis_rule_5_3_3_1_3: true +# 5.3.3.2 Configure pam_quality module +ubtu24cis_rule_5_3_3_2_1: true +ubtu24cis_rule_5_3_3_2_2: true +ubtu24cis_rule_5_3_3_2_3: true +ubtu24cis_rule_5_3_3_2_4: true +ubtu24cis_rule_5_3_3_2_5: true +ubtu24cis_rule_5_3_3_2_6: true +ubtu24cis_rule_5_3_3_2_7: true +ubtu24cis_rule_5_3_3_2_8: true +# 5.3.3.3 Configure pam_history module +# This are added as part of 5.3.2.4 using jinja2 template +ubtu24cis_rule_5_3_3_3_1: true +ubtu24cis_rule_5_3_3_3_2: true +ubtu24cis_rule_5_3_3_3_3: true +# 5.3.3.4 Configure pam_unix module +ubtu24cis_rule_5_3_3_4_1: true +ubtu24cis_rule_5_3_3_4_2: true +ubtu24cis_rule_5_3_3_4_3: true +ubtu24cis_rule_5_3_3_4_4: true +# 5.4 User Accounts and Environment +# 5.4.1 Configure shadow password suite parameters +ubtu24cis_rule_5_4_1_1: true +ubtu24cis_rule_5_4_1_2: true +ubtu24cis_rule_5_4_1_3: true +ubtu24cis_rule_5_4_1_4: true +ubtu24cis_rule_5_4_1_5: true +ubtu24cis_rule_5_4_1_6: true +# 5.4.2 Configure root and system accounts and environment +ubtu24cis_rule_5_4_2_1: true +ubtu24cis_rule_5_4_2_2: true +ubtu24cis_rule_5_4_2_3: true +ubtu24cis_rule_5_4_2_4: true +ubtu24cis_rule_5_4_2_5: true +ubtu24cis_rule_5_4_2_6: true +ubtu24cis_rule_5_4_2_7: true +ubtu24cis_rule_5_4_2_8: true +# 5.4.2 Configure user default environment +ubtu24cis_rule_5_4_3_1: true +ubtu24cis_rule_5_4_3_2: true +ubtu24cis_rule_5_4_3_3: true + +## Section 6 + +# 6.2.1.x Configure systemd-journald service +ubtu24cis_rule_6_1_1_1: true +ubtu24cis_rule_6_1_1_2: true +ubtu24cis_rule_6_1_1_3: true +ubtu24cis_rule_6_1_1_4: true +# 6.1.2.1 Configure journald +ubtu24cis_rule_6_1_2_1_1: true +ubtu24cis_rule_6_1_2_1_2: true +ubtu24cis_rule_6_1_2_1_3: true +ubtu24cis_rule_6_1_2_1_4: true 
+ubtu24cis_rule_6_1_2_2: true +ubtu24cis_rule_6_1_2_3: true +ubtu24cis_rule_6_1_2_4: true +# 6.1.3 Configure rsyslog +ubtu24cis_rule_6_1_3_1: true +ubtu24cis_rule_6_1_3_2: true +ubtu24cis_rule_6_1_3_3: true +ubtu24cis_rule_6_1_3_4: true +ubtu24cis_rule_6_1_3_5: true +ubtu24cis_rule_6_1_3_6: true +ubtu24cis_rule_6_1_3_7: true +# 6.1.3.8 logrotate +ubtu24cis_rule_6_1_3_8: true +# 6.1.4.1 configure logfiles +ubtu24cis_rule_6_1_4_1: true +# 6.2.1 Configure auditd services +ubtu24cis_rule_6_2_1_1: true +ubtu24cis_rule_6_2_1_2: true +ubtu24cis_rule_6_2_1_3: true +ubtu24cis_rule_6_2_1_4: true +# 6.2.2 Configure auditd data retention +ubtu24cis_rule_6_2_2_1: true +ubtu24cis_rule_6_2_2_2: true +ubtu24cis_rule_6_2_2_3: true +ubtu24cis_rule_6_2_2_4: true +# 6.2.3 Configure auditd rules +ubtu24cis_rule_6_2_3_1: true +ubtu24cis_rule_6_2_3_2: true +ubtu24cis_rule_6_2_3_3: true +ubtu24cis_rule_6_2_3_4: true +ubtu24cis_rule_6_2_3_5: true +ubtu24cis_rule_6_2_3_6: true +ubtu24cis_rule_6_2_3_7: true +ubtu24cis_rule_6_2_3_8: true +ubtu24cis_rule_6_2_3_9: true +ubtu24cis_rule_6_2_3_10: true +ubtu24cis_rule_6_2_3_11: true +ubtu24cis_rule_6_2_3_12: true +ubtu24cis_rule_6_2_3_13: true +ubtu24cis_rule_6_2_3_14: true +ubtu24cis_rule_6_2_3_15: true +ubtu24cis_rule_6_2_3_16: true +ubtu24cis_rule_6_2_3_17: true +ubtu24cis_rule_6_2_3_18: true +ubtu24cis_rule_6_2_3_19: true +ubtu24cis_rule_6_2_3_20: true +ubtu24cis_rule_6_2_3_21: true +# 6.2.4 Configure audit file access +ubtu24cis_rule_6_2_4_1: true +ubtu24cis_rule_6_2_4_2: true +ubtu24cis_rule_6_2_4_3: true +ubtu24cis_rule_6_2_4_4: true +ubtu24cis_rule_6_2_4_5: true +ubtu24cis_rule_6_2_4_6: true +ubtu24cis_rule_6_2_4_7: true +ubtu24cis_rule_6_2_4_8: true +ubtu24cis_rule_6_2_4_9: true +ubtu24cis_rule_6_2_4_10: true +# 6.3 Configure Filesystem Integrity Checking +ubtu24cis_rule_6_3_1: true +ubtu24cis_rule_6_3_2: true +ubtu24cis_rule_6_3_3: true + +## Section 7 +# 7.1 System File Permissions +ubtu24cis_rule_7_1_1: true +ubtu24cis_rule_7_1_2: true 
+ubtu24cis_rule_7_1_3: true +ubtu24cis_rule_7_1_4: true +ubtu24cis_rule_7_1_5: true +ubtu24cis_rule_7_1_6: true +ubtu24cis_rule_7_1_7: true +ubtu24cis_rule_7_1_8: true +ubtu24cis_rule_7_1_9: true +ubtu24cis_rule_7_1_10: true +ubtu24cis_rule_7_1_11: true +ubtu24cis_rule_7_1_12: true +ubtu24cis_rule_7_1_13: true +# 7.2 Local User and Group Settings +ubtu24cis_rule_7_2_1: true +ubtu24cis_rule_7_2_2: true +ubtu24cis_rule_7_2_3: true +ubtu24cis_rule_7_2_4: true +ubtu24cis_rule_7_2_5: true +ubtu24cis_rule_7_2_6: true +ubtu24cis_rule_7_2_7: true +ubtu24cis_rule_7_2_8: true +ubtu24cis_rule_7_2_9: true +ubtu24cis_rule_7_2_10: true + +## System functionality configuration variables +## +## There are certain functionalities of a system +## that may require either to skip certain CIS rules +## or install certain packages. +## Set the respective variable to `true` in order to +## enable a certain functionality on the system + +# This variable governs whether specific CIS rules +# concerned with acceptance and routing of packages +# are skipped. +ubtu24cis_is_router: false + +## IPv4 requirement toggle +# This variable governs whether ipv4 is enabled or disabled. +ubtu24cis_ipv4_required: true + +## IPv6 requirement toggle +# This variable governs whether ipv6 is enabled or disabled. +ubtu24cis_ipv6_required: false + +## Desktop requirement toggle +# This variable governs, whether CIS rules regarding GDM +# and X-Windows are carried out. +ubtu24cis_desktop_required: false + +## Section 1 + +# If system uses squahshfs e.gf. 
snap package manager set true +ubtu24cis_squashfs_required: true + +## Controls 1.3.1.3 and 1.3.1.4 Ensure all AppArmor Profiles are in enforce (1.3.1.3/4) or complain (1.3.1.3) mode + +# This variable disables the implementation of rules 1.3.1.3 and 1.3.1.4 +# regarding enforcing profiles or putting them in complain mode +ubtu24cis_apparmor_disable: false + +## Controls 1.4.x - Boot password +# +# THIS VARIABLE SHOULD BE CHANGED AND INCORPORATED INTO VAULT +# THIS VALUE IS WHAT THE ROOT PW WILL BECOME!!!!!!!! +# HAVING THAT PW EXPOSED IN RAW TEXT IS NOT SECURE!!!! +ubtu24cis_grub_user: root +ubtu24cis_bootloader_password_hash: "grub.pbkdf2.sha512.changethispassword" # pragma: allowlist secret + +## Controls 1.5.x + +## Controls 1.6.x - Warning banners +# The controls 1.6.x set various warning banners and protect the respective files +# by tightening the access rights. + +# This variable specifies the warning banner displayed to the user +# after local login, remote login, and as motd (message of the day) +# Noe that the banner text must not contain the below items in order to be +# compliant with CIS: \m, \r, \s, \v or references to the OS platform +ubtu24cis_warning_banner: | + Authorized uses only. All activity may be monitored and reported. + +# This variable governs, whether dynamic motd is disabled (as required by control 1.7.1) +ubtu24cis_disable_dynamic_motd: true + +## Controls 1.7.x - Settings for GDM +# This variable specifies the GNOME configuration database file to which configurations are written. +# (See https://help.gnome.org/admin/system-admin-guide/stable/dconf-keyfiles.html.en) +# The default database is `local`. +ubtu24cis_dconf_db_name: local + +## +# Section 2 +## + +## +## Service configuration variables. +## +## Set the respective variable to true to keep the service. 
+## otherwise the service is stopped and disabled
+##
+# Service configuration
+# Options are
+# true to leave installed if exists not changes take place
+# false - this removes the package
+# mask - if a dependancy for product so cannot be removed
+# Server Services
+ubtu24cis_autofs_services: false
+ubtu24cis_autofs_mask: false
+ubtu24cis_avahi_server: false
+ubtu24cis_avahi_mask: false
+ubtu24cis_dhcp_server: false
+ubtu24cis_dhcp_mask: false
+ubtu24cis_dns_server: false
+ubtu24cis_dns_mask: false
+ubtu24cis_dnsmasq_server: false
+ubtu24cis_dnsmasq_mask: false
+ubtu24cis_ftp_server: false
+ubtu24cis_ftp_mask: false
+ubtu24cis_ldap_server: false
+ubtu24cis_ldap_mask: false
+ubtu24cis_message_server: false # This is for messaging dovecot and dovecot-pop3
+ubtu24cis_message_mask: false
+ubtu24cis_nfs_server: true
+ubtu24cis_nfs_mask: true
+ubtu24cis_nis_server: true # set to mask if nis client required
+ubtu24cis_nis_mask: false
+ubtu24cis_print_server: false # replaces cups
+ubtu24cis_print_mask: false
+ubtu24cis_rpc_server: true
+ubtu24cis_rpc_mask: true
+ubtu24cis_rsync_server: false
+ubtu24cis_rsync_mask: false
+ubtu24cis_samba_server: false
+ubtu24cis_samba_mask: false
+ubtu24cis_snmp_server: false
+ubtu24cis_snmp_mask: false
+ubtu24cis_telnet_server: false
+ubtu24cis_telnet_mask: false
+ubtu24cis_tftp_server: false
+ubtu24cis_tftp_mask: false
+ubtu24cis_squid_server: false
+ubtu24cis_squid_mask: false
+ubtu24cis_apache2_server: false
+ubtu24cis_apache2_mask: false
+ubtu24cis_nginx_server: false
+ubtu24cis_nginx_mask: false
+ubtu24cis_xinetd_server: false
+ubtu24cis_xinetd_mask: false
+ubtu24cis_xwindow_server: false # will remove mask not an option
+ubtu24cis_is_mail_server: false
+
+# Client Services
+ubtu24cis_nis_client_required: false # Same package as NIS server
+ubtu24cis_rsh_client: false
+ubtu24cis_talk_client: false
+ubtu24cis_telnet_required: false
+ubtu24cis_ldap_clients_required: false
+ubtu24cis_ftp_client: false
+
+## Control 2.3.1.1
+# This variable choses the tool used for time synchronization
+# The two options are `chrony`and `systemd-timesyncd`.
+ubtu24cis_time_sync_tool: "systemd-timesyncd"
+
+## Controls 2.3.x - Configure time pools & servers for chrony and timesyncd
+# The following variable represents a list of of time server pools used
+# for configuring chrony and timesyncd.
+# Each list item contains two settings, `name` (the domain name of the pool) and synchronization `options`.
+# The default setting for the `options` is `iburst maxsources 4` -- please refer to the documentation
+# of the time synchronization mechanism you are using.
+ubtu24cis_time_pool_name: time.nist.gov
+
+# The following variable represents a list of of time servers used
+# for configuring chrony and timesyncd
+# Each list item contains two settings, `name` (the domain name of the server) and synchronization `options`.
+# The default setting for the `options` is `iburst` -- please refer to the documentation
+# of the time synchronization mechanism you are using.
+ubtu24cis_time_servers:
+- name: time-a-g.nist.gov
+ options: iburst
+- name: time-b-g.nist.gov
+ options: iburst
+- name: time-c-g.nist.gov
+ options: iburst
+
+# Section 3
+## Control 3.1.1 - Ensure system is checked to determine if IPv6 is enabled
+# This variable governs the mechanism of how the disabling of IPV6 is carried out.
+# Its possible values are `grub` and `sysctl`.
+ubtu24cis_ipv6_disable: grub
+
+## Control 3.1.3 - Ensure bluetooth Services are not in use
+# This control managed how the bluetooth service is managaed
+# Options are
+# true to leave installed if exists not changes take place
+# false - this removes the package
+# mask - if a dependancy for product so cannot be removed
+ubtu24cis_bluetooth_service: false
+ubtu24cis_bluetooth_mask: false
+
+## Control 3.3.x - Networking configuration
+# This variable contains the path to the file in which, sysctl saves its configurations.
+# Its default value is `/etc/sysctl.conf`.
+ubtu24cis_sysctl_network_conf: /etc/sysctl.conf
+
+#
+### Section 4
+#
+## Controls 4.1.x, 4.2.x, and 4.3.x - Firewall configuration
+# This variable represents the toggle for which firewall package is used.
+# The options that have an effect on the system are `ufw` and `iptables`.
+# The option `nftables` is also possible, but will only result in a message,
+# that `nftables` has been chosen; all settings have to be carried out manually.
+# Any other value, e.g. `none` will skip all firewall-related controls.
+ubtu24cis_firewall_package: "ufw"
+
+## auditd settings
+ubtu24cis_auditd:
+ space_left_action: email
+ action_mail_acct: root
+ admin_space_left_action: halt
+ max_log_file_action: keep_logs
+ auditd_backlog_limit: 8192
+
+## syslog
+# Set which syslog service
+# journald or rsyslog
+ubtu24cis_syslog_service: 'journald'
+ubtu24cis_is_syslog_server: false
+
+### Section 5
+# Note the following to understand precedence and layout
+ubtu24cis_sshd_access:
+ - AllowUser
+ - AllowGroup
+ - DenyUser
+ - DenyGroup
+
+ubtu24cis_ssh_strong_ciphers:
+ - aes256-gcm@openssh.com
+ - aes128-gcm@openssh.com
+ - aes256-ctr
+ - aes192-ctr
+ - aes128-ctr
+ubtu24cis_ssh_weak_ciphers:
+ - 3des-cbc
+ - aes128-cbc
+ - aes192-cbc
+ - aes256-cbc
+ - arcfour
+ - chacha20-poly1305@openssh.com
+ - arcfour128
+ - arcfour256
+ - blowfish-cbc
+ - cast128-cbc
+ - rijndael-cbc@lysator.liu.se
+
+ubtu24cis_ssh_strong_macs:
+ - HMAC-SHA1
+ - hmac-sha2-256
+ - hmac-sha2-512
+ubtu24cis_ssh_weak_macs:
+ - hmac-md5
+ - hmac-md5-96
+ - hmac-ripemd160
+ - hmac-sha1-96
+ - umac-64@openssh.com
+ - umac-128@openssh.com
+ - hmac-md5-etm@openssh.com
+ - hmac-md5-96-etm@openssh.com
+ - hmac-ripemd160-etm@openssh.com
+ - hmac-sha1-etm@openssh.com
+ - hmac-sha1-96-etm@openssh.com
+ - umac-64-etm@openssh.com
+ - umac-128-etm@openssh.com
+ - hmac-sha2-512-etm@openssh.com
+ - hmac-sha2-256-etm@openssh.com
+
+ubtu24cis_ssh_strong_kex:
+ - ecdh-sha2-nistp256
+ - ecdh-sha2-nistp521
+ - diffie-hellman-group-exchange-sha256
+ - diffie-hellman-group14-sha256
+ - diffie-hellman-group16-sha512
+ - diffie-hellman-group18-sha512
+ubtu24cis_ssh_weak_kex:
+ - diffie-hellman-group1-sha1
+ - diffie-hellman-group14-sha1
+ - diffie-hellman-group-exchange-sha1
+
+ubtu24cis_ssh_aliveinterval: 300
+ubtu24cis_ssh_countmax: 3
+## PAM
+ubtu24cis_pam_password:
+ minlen: "14"
+ minclass: "4"
+
+ubtu24cis_pam_passwd_retry: "3"
+
+# choose one of below
+ubtu24cis_pwhistory_so: "14"
+ubtu24cis_passwd_remember: "5"
+
+# logins.def password settings
+ubtu24cis_pass:
+ max_days: "365"
+ min_days: "1"
+ warn_age: "7"
+
+# set sugroup if differs from wheel
+ubtu24cis_sugroup: nosugroup
+
+# var log location variable
+ubtu24cis_varlog_location: "/var/log/sudo.log"
+
+# Section 6
+ubtu24cis_config_aide: true
+
+# 6.1.2
+# aide setup via - cron, timer
+ubtu24cis_aide_scan: cron
