initial v1.0.0

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
Mark Bolwell 2024-09-05 08:17:35 +01:00
commit addda5895c
No known key found for this signature in database
GPG Key ID: 997FF7FE93AEB5B9
305 changed files with 12868 additions and 0 deletions

.gitattributes vendored Normal file (6 lines added)

@ -0,0 +1,6 @@
# adding github settings to show correct language
*.sh linguist-detectable=true
*.yml linguist-detectable=true
*.ps1 linguist-detectable=true
*.j2 linguist-detectable=true
*.md linguist-documentation
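Review bot: nothing blocking here; `linguist-detectable=true` for `.sh`, `.yml`, `.ps1` and `.j2` plus `linguist-documentation` for `.md` is consistent with wanting the goss YAML and shell counted as the repository language rather than the README.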

.gitignore vendored Normal file (45 lines added)

@ -0,0 +1,45 @@
.env
*.log
*.retry
.cache
.vagrant
tests/*redhat-subscription
tests/Dockerfile
*.iso
*.box
packer_cache
delete*
ignore*
# VSCode
.vscode
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class
# DS_Store
.DS_Store
._*
# Linux Editors
*~
\#*\#
/.emacs.desktop
/.emacs.desktop.lock
.elc
auto-save-list
tramp
.\#*
*.swp
*.swo
rh-creds.env
travis.env
# Lockdown-specific
benchparse/
*xccdf.xml
*.retry
# GitHub Action/Workflow files
.github/
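Review bot: `*.retry` appears twice (once near the top of the file and again under `# Lockdown-specific`); drop one. Worth confirming that ignoring `.github/` is intended: CONTRIBUTING.md in this same commit describes automated signed-commit, sign-off and functional checks on pull requests, and any workflow definitions placed under `.github/` in this repository would never be committed.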

CONTRIBUTING.md Normal file (71 lines added)

@ -0,0 +1,71 @@
Contributing to MindPoint Group Projects
========================================
Rules
-----
1) All commits must be GPG signed (details in Signing section)
2) All commits must have Signed-off-by (Signed-off-by: Joan Doe <joan.doe@email.com>) in the commit message (details in Signing section)
3) All work is done in your own branch or own fork
4) Pull requests
a) From within the repo: All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing
b) From a forked repo: All pull requests will go into a staging branch within the repo. There are automated checks for signed commits, signoff in commit message, and functional testing when going from staging to devel
5) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing)
6) Be open and nice to each other
Workflow
--------
- Your work is done in your own individual branch. Make sure to to Signed-off and GPG sign all commits you intend to merge
- All community Pull Requests are into the devel branch. There are automated checks for GPG signed, Signed-off in commits, and functional tests before being approved. If your pull request comes in from outside of our repo, the pull request will go into a staging branch. There is info needed from our repo for our CI/CD testing.
- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release
Signing your contribution
-------------------------
We've chosen to use the Developer's Certificate of Origin (DCO) method
that is employed by the Linux Kernel Project, which provides a simple
way to contribute to MindPoint Group projects.
The process is to certify the below DCO 1.1 text
::
Developer's Certificate of Origin 1.1
By making a contribution to this project, I certify that:
(a) The contribution was created in whole or in part by me and I
have the right to submit it under the open source license
indicated in the file; or
(b) The contribution is based upon previous work that, to the best
of my knowledge, is covered under an appropriate open source
license and I have the right under that license to submit that
work with modifications, whether created in whole or in part
by me, under the same open source license (unless I am
permitted to submit under a different license), as indicated
in the file; or
(c) The contribution was provided directly to me by some other
person who certified (a), (b) or (c) and I have not modified
it.
(d) I understand and agree that this project and the contribution
are public and that a record of the contribution (including all
personal information I submit with it, including my sign-off) is
maintained indefinitely and may be redistributed consistent with
this project or the open source license(s) involved.
::
Then, when it comes time to submit a contribution, include the
following text in your contribution commit message:
::
Signed-off-by: Joan Doe <joan.doe@email.com>
::
This message can be entered manually, or if you have configured git
with the correct `user.name` and `user.email`, you can use the `-s`
option to `git commit` to automatically include the signoff message.
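Review bot: rule 4a and rule 5 state the same thing (pull requests go into devel with the same automated checks) and rule 5 ends with a stray `)`; fold 5 into 4 or drop it. Under Workflow, "Make sure to to Signed-off" has a doubled "to"; suggest "Make sure to sign off and GPG sign all commits". The `::` markers in the Signing section are reStructuredText literal-block syntax and do not render in a `.md` file; put the DCO text and the `Signed-off-by: Joan Doe <joan.doe@email.com>` line in fenced code blocks instead.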

Changelog.md Normal file (3 lines added)

@ -0,0 +1,3 @@
# Changes to Ubuntu24-CIS-Audit
## 0.9 - based upon CIS 1.0.0 - Initial
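Review bot: the entry is labelled 0.9 while the commit is titled `initial v1.0.0` and the README heading refers to the CIS benchmark v1.0.0; say explicitly which number is the audit content version and which is the benchmark version so the two are not confused in later entries.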

LICENSE Normal file (21 lines added)

@ -0,0 +1,21 @@
MIT License
Copyright (c) 2024 MindPoint Group
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

README.md Normal file (139 lines added)

@ -0,0 +1,139 @@
# Ubuntu 24.04 Goss config
## Overview
### Based on CIS Ubuntu Linux 24.04 LTS Benchmark v1.0.0 [Release](https://downloads.cisecurity.org/#/)
Set of configuration files and directories to run the first stages of CIS of Ubuntu 24.04 servers
This is configured in a directory structure level.
This could do with further testing but sections 1.x should be complete
Goss is run based on the goss.yml file in the top level directory. This specifies the configuration.
## variables
file: vars/cis.yml
Please refer to the file for all options and their meanings
CIS listed variable for every control/benchmark can be turned on/off or section
- other controls
enable_selinux
run_heavy_tasks
- bespoke options
If a site has specific options e.g. password complexity these can also be set.
## Requirements
goss >= 0.4.4
root privileges
## Branches
If running as part of the ansible playbook, this will pull in the relevant branch for the version of benchmark you are remediating.
- e.g. v1.0.0 will pull in branch benchmark-v1.0.0
Devel is normally the latest benchmark version, so maybe different from the version of benchmark you wish to test.
Details will show in the README as to the benchmark for the version it is written for.
## Usage
You must have [goss](https://github.com/goss-org/goss/) available to your host you would like to test.
- Run as root not sudo due to sudo and shared memory access
Assuming you have already clone this repository you can run goss from where you wish.
- full check
```sh
# {{path to your goss binary}} --vars {{ path to the vars file }} -g {{path to your clone of this repo }}/goss.yml --validate
```
example:
```sh
# /usr/local/bin/goss --vars ../vars/cis.yml -g /home/bolly/rh8_cis_goss/goss.yml validate
......FF....FF................FF...F..FF.............F........................FSSSS.............FS.F.F.F.F.........FFFFF....
Failures/Skipped:
Title: 1.6.1 Ensure core dumps are restricted (Automated)_sysctl
Command: suid_dumpable_2: exit-status:
Expected
<int>: 1
to equal
<int>: 0
Command: suid_dumpable_2: stdout: patterns not found: [fs.suid_dumpable = 0]
Title: 1.4.2 Ensure filesystem integrity is regularly checked (Automated)
Service: aidecheck: enabled:
Expected
<bool>: false
to equal
<bool>: true
Service: aidecheck: running:
Expected
<bool>: false
to equal
<bool>: true
< ---------cut ------- >
Title: 1.1.22 Ensure sticky bit is set on all world-writable directories
Command: version: exit-status:
Expected
<int>: 0
to equal
<int>: 123
Total Duration: 5.102s
Count: 124, Failed: 21, Skipped: 5
```
- running a particular section of tests
```sh
# /usr/local/bin/goss -g /home/bolly/rh8_cis_goss/section_1/cis_1.1/cis_1.1.22.yml validate
............
Total Duration: 0.033s
Count: 12, Failed: 0, Skipped: 0
```
- changing the output
```sh
# /usr/local/bin/goss -g /home/bolly/rh8_cis_goss/section_1/cis_1.1/cis_1.1.22.yml validate -f documentation
Title: 1.1.20 Check for removeable media nodev
Command: floppy_nodev: exit-status: matches expectation: [0]
Command: floppy_nodev: stdout: matches expectation: [OK]
< -------cut ------- >
Title: 1.1.20 Check for removeable media noexec
Command: floppy_noexec: exit-status: matches expectation: [0]
Command: floppy_noexec: stdout: matches expectation: [OK]
Total Duration: 0.022s
Count: 12, Failed: 0, Skipped: 0
```
## Extra settings
Ability to add your own requirements is available in several sections
## further information
- [goss documentation](https://github.com/goss-org/goss/blob/master/README.md)
- [CIS standards](https://www.cisecurity.org)
## Feedback required
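Review bot: the "full check" template passes `--validate`, but goss takes `validate` (alias `v`) as a subcommand, which is what the example invocations further down correctly use; drop the leading dashes. The examples and their output are carried over from the RHEL 8 repository (`rh8_cis_goss`, `section_1/cis_1.1/cis_1.1.22.yml`, titles such as `1.1.22 Ensure sticky bit is set on all world-writable directories` and `1.4.2 ... aidecheck`) and do not match this repo, where section 1 files are named `cis_1.1.1.1.yml` and so on and goss.yml loads `section_1/*/*.yml`; `enable_selinux` under variables looks carried over as well, since the Ubuntu benchmark covers AppArmor. Minor: "already clone this repository" should be "already cloned", "so maybe different" should be "so may be different", and the `## Feedback required` heading has no body.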

goss.yml Normal file (96 lines added)

@ -0,0 +1,96 @@
gossfile:
# Section 1
{{ if .Vars.ubtu24cis_section1 }}
section_1/*/*.yml: {}
{{ end }}
# Section 2
{{ if .Vars.ubtu24cis_section2 }}
# Special Services
section_2/cis_2.1/*.yml: {}
# Client Service
section_2/cis_2.2/*.yml: {}
# Time services
section_2/cis_2.3/*.yml: {}
# scheduling services
section_2/cis_2.4/*.yml: {}
{{ end }}
# Section 3
{{ if .Vars.ubtu24cis_section3 }}
section_3/cis_3.1/*.yml: {}
section_3/cis_3.2/*.yml: {}
section_3/cis_3.3/*.yml: {}
{{ if .Vars.ubtu24cis_ipv6_required }}
section_3/cis_3.3/ipv6/*.yml: {}
{{ end }}
{{ end }}
# Section 4
{{ if .Vars.ubtu24cis_section4 }}
# If ufw firewall
{{ if eq .Vars.ubtu24cis_firewall_package "ufw" }}
section_4/cis_4.2/*.yml: {}
{{ end }}
# If nftables firewall
{{ if eq .Vars.ubtu24cis_firewall_package "nftables" }}
section_4/cis_4.3/*.yml: {}
{{ end }}
# If iptables firewall
{{ if eq .Vars.ubtu24cis_firewall_package "iptables" }}
section_4/cis_4.4/*.yml: {}
{{ end }}
{{ end }}
# Section 5
{{ if .Vars.ubtu24cis_section5 }}
section_5/*/*.yml: {}
{{ end }}
# Section 6
{{ if .Vars.ubtu24cis_section6 }}
# Journald
{{ if eq .Vars.ubtu24cis_syslog_service "journald" }}
section_6/cis_6.1.1.x/*.yml: {}
section_6/cis_6.1.2.x/*.yml: {}
{{ end }}
# Rsyslog
{{ if eq .Vars.ubtu24cis_syslog_service "rsyslog" }}
section_6/cis_6.1.3.*/*.yml: {}
{{ end }}
# logrotate
section_6/cis_6.1.4.*/*.yml: {}
# Auditd and level 2
# Auditd
{{ if .Vars.ubtu24cis_level_2 }}
{{ if .Vars.ubtu24cis_auditd }}
section_6/cis_6.2.*/*.yml: {}
{{ end }}
{{ end }}
# Aide
section_6/cis_6.3.*/*.yml: {}
{{ end }}
# Section 7
{{ if .Vars.ubtu24cis_section7 }}
section_7/cis_7.*/*.yml: {}
{{ end }}
# Metadata
command:
benchmark_meta:
title: Benchmark MetaData
exec: echo BenchMark MetaData
exit-status: 0
meta:
host_machine_uuid: {{ .Vars.machine_uuid }}
host_epoch: {{ .Vars.epoch }}
host_os_locale: {{ .Vars.os_locale }}
host_os_release: {{ .Vars.os_release }}
host_os_distribution: {{ .Vars.os_distribution }}
host_automation_group: {{ .Vars.auto_group }}
host_hostname: {{ .Vars.os_hostname }}
host_system_type: {{ .Vars.system_type }}
benchmark_type: {{ .Vars.benchmark_type }}
benchmark_version: {{ .Vars.benchmark_version }}
benchmark_os: {{ .Vars.benchmark_os }}
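Review bot: the Section 6 includes mix literal directory names (`section_6/cis_6.1.1.x/*.yml`, `section_6/cis_6.1.2.x/*.yml`) with globs (`cis_6.1.3.*`, `cis_6.1.4.*`, `cis_6.2.*`, `cis_6.3.*`); unless the journald directories really carry a trailing `.x`, those two entries match nothing and the journald checks drop out of the run without any failure being reported, so use one convention. It is also worth checking that every `.Vars.*` key referenced here (`ubtu24cis_section1` through `ubtu24cis_section7`, `ubtu24cis_ipv6_required`, `ubtu24cis_firewall_package`, `ubtu24cis_syslog_service`, `ubtu24cis_level_2`, `ubtu24cis_auditd`) exists in the vars file with exactly this spelling, since a misspelled key in an `if` just leaves that section out rather than failing loudly.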

run_audit.sh Executable file (213 lines added)

@ -0,0 +1,213 @@
#! /bin/bash
# script to run audit while populating local host data
# 13th Sept 2021 - Initial
# 9th Nov 2021 - Added root user check - more posix compliant for multiple OS types
# 10 Dec 2021 - Enhanced so more linux OS agnostic, less input required
# - added vars options for bespoke vars file
# - Ability to run as script from remediation role increased consistency
# 17 Dec 2021 - Added system_type variable - default Server will change to workstations with -w switch
# 02 Mar 2022 - Updated benchmark variable naming
# 06 Apr 2022 - Added format option in output inline with goss options e.g. json documentation this is for fault finding
# 03 May 2022 - update for audit variables improvement added by @pavloos - https://github.com/ansible-lockdown/RHEL8-CIS-Audit/pull/29
# 10 Jun 2022 - added format output for different type - supports json,documentation or rspecish
# 04 Oct 2022 - Changed default content location to /opt
# 14 Sep 2023 - Tidyup of code,
# linting (thanks to @cf-sewe)
# Oracle included by default if RHEL family
# benchmark vars moved
# December 2023 Added goss version and testing
# April 2024 Updating of OS discovery to work for all supported OSs
# Variables in upper case tend to be able to be adjusted
# lower case variables are discovered or built from other variables
# Goss benchmark variables (these should not need changing unless new release)
BENCHMARK=CIS # Benchmark Name aligns to the audit
BENCHMARK_VER=2.0.0
BENCHMARK_OS=UBUNTU24
# Goss host Variables
AUDIT_BIN="${AUDIT_BIN:-/usr/local/bin/goss}" # location of the goss executable
AUDIT_BIN_MIN_VER="0.4.4"
AUDIT_FILE="${AUDIT_FILE:-goss.yml}" # the default goss file used by the audit provided by the audit configuration
AUDIT_CONTENT_LOCATION="${AUDIT_CONTENT_LOCATION:-/opt}" # Location of the audit configuration file as available to the OS
# help output
Help()
{
# Display Help
echo "Script to run the goss audit"
echo
echo "Syntax: $0 [-f|-g|-o|-v|-w|-h]"
echo "options:"
echo "-f optional - change the format output (default value = json)"
echo "-g optional - Add a group that the server should be grouped with (default value = ungrouped)"
echo "-o optional - file to output audit data"
echo "-v optional - relative path to thevars file to load (default e.g. $AUDIT_CONTENT_LOCATION/RHEL7-$BENCHMARK/vars/$BENCHMARK.yml)"
echo "-w optional - Sets the system_type to workstation (Default - Server)"
echo "-h Print this Help."
echo
}
# Default vars that can be set
host_system_type=Server
## option statement
while getopts f:g:o:v::wh option; do
case "${option}" in
f ) FORMAT=${OPTARG} ;;
g ) GROUP=${OPTARG} ;;
o ) OUTFILE=${OPTARG} ;;
v ) VARS_PATH=${OPTARG} ;;
w ) host_system_type=Workstation ;;
h ) # display Help
Help
exit;;
? ) # Invalid option
echo "Invalid option: -${OPTARG}."
Help
exit;;
esac
done
#### Pre-Checks
# check access need to run as root or privileges due to some configuration access
if [ "$(/usr/bin/id -u)" -ne 0 ]; then
echo "Script need to run with root privileges"
exit 1
fi
#### Main Script ####
# Discover OS version aligning with audit
# Define os_vendor variable
if [ "$(uname -a | grep -c amzn)" -ge 1 ]; then
os_vendor="AMAZON"
elif [ "$(grep -Ec "rhel|oracle" /etc/os-release)" != 0 ]; then
os_vendor="RHEL"
else
os_vendor="$(hostnamectl | grep Oper | cut -d : -f2 | awk '{print toupper($1)}')"
fi
os_maj_ver="$(grep -w VERSION_ID= /etc/os-release | awk -F\" '{print $2}' | cut -d '.' -f1)"
audit_content_version=$os_vendor$os_maj_ver-$BENCHMARK-Audit
audit_content_dir=$AUDIT_CONTENT_LOCATION/$audit_content_version
audit_vars=vars/${BENCHMARK}.yml
# Set variable for format output
if [ -z "$FORMAT" ]; then
export format="json"
else
export format=$FORMAT
fi
# Set variable for autogroup
if [ -z "$GROUP" ]; then
export host_auto_group="ungrouped"
else
export host_auto_group=$GROUP
fi
# set default variable for varfile_path
if [ -z "$VARS_PATH" ]; then
export varfile_path=$audit_content_dir/$audit_vars
else
# Check -v exists fail if not
if [ -f "$VARS_PATH" ]; then
export varfile_path=$VARS_PATH
else
echo "passed option '-v' $VARS_PATH does not exist"
exit 1
fi
fi
## System variables captured for metadata
host_machine_uuid="$(if [ -f /sys/class/dmi/id/product_uuid ]; then cat /sys/class/dmi/id/product_uuid; else dmidecode -s system-uuid; fi)"
host_epoch="$(date +%s)"
host_os_locale="$(date +%Z)"
host_os_name="$(grep "^NAME=" /etc/os-release | cut -d '"' -f2 | sed 's/ //' | cut -d' ' -f1)"
host_os_version="$(grep "^VERSION_ID=" /etc/os-release | cut -d '"' -f2)"
host_os_hostname="$(hostname)"
## Set variable audit_out
if [ -z "$OUTFILE" ]; then
export audit_out=${AUDIT_CONTENT_LOCATION}/audit_${host_os_hostname}-${BENCHMARK}-${BENCHMARK_OS}_${host_epoch}.$format
else
export audit_out=${OUTFILE}
fi
## Set the AUDIT json string
audit_json_vars='{"benchmark_type":"'"$BENCHMARK"'","benchmark_os":"'"$BENCHMARK_OS"'","benchmark_version":"'"$BENCHMARK_VER"'","machine_uuid":"'"$host_machine_uuid"'","epoch":"'"$host_epoch"'","os_locale":"'"$host_os_locale"'","os_release":"'"$host_os_version"'","os_distribution":"'"$host_os_name"'","os_hostname":"'"$host_os_hostname"'","auto_group":"'"$host_auto_group"'","system_type":"'"$host_system_type"'"}'
## Run pre checks
echo
echo "## Pre-Checks Start"
echo
export FAILURE=0
if [ -s "${AUDIT_BIN}" ]; then
echo "OK - Audit binary $AUDIT_BIN is available"
goss_installed_version="$($AUDIT_BIN -v | awk '{print $NF}' | cut -dv -f2)"
newer_version=$(echo -e "$goss_installed_version\n$AUDIT_BIN_MIN_VER" | sort -V | tail -n 1)
if [ "$goss_installed_version" = "$newer_version" ] || [ "$goss_installed_version" = "$AUDIT_BIN_MIN_VER" ]; then
echo "OK - Goss is installed and version is ok ($goss_installed_version >= $AUDIT_BIN_MIN_VER)"
else
echo "WARNING - Goss installed = ${goss_installed_version}, does not met minimum of ${AUDIT_BIN_MIN_VER}"
export FAILURE=2
fi
else
echo "WARNING - The audit binary is not available at $AUDIT_BIN "
export FAILURE=1
fi
if [ -f "${audit_content_dir}/${AUDIT_FILE}" ]; then
echo "OK - ${audit_content_dir}/${AUDIT_FILE} is available"
else
echo "WARNING - the $audit_content_dir/$AUDIT_FILE is not available"; export FAILURE=3
fi
if [ "${FAILURE}" != 0 ]; then
echo "## Pre-checks failed please see output"
exit 1
else
echo
echo "## Pre-checks Successful"
echo
fi
# format output types
# json, rspecish = grep -A 4 \"summary\": $audit_out
# tap junit no output as no summary
# documentation = tail -2 $audit_out
# defaults
output_summary="tail -2 $audit_out"
format_output="-f $format"
if [ "$format" = json ]; then
format_output="-f json -o pretty"
output_summary='grep -A 4 \"summary\": $audit_out'
elif [ "$format" = junit ] || [ "$format" = tap ]; then
output_summary=""
fi
## Run commands
echo "#############"
echo "Audit Started"
echo "#############"
echo
$AUDIT_BIN -g "$audit_content_dir/$AUDIT_FILE" --vars "$varfile_path" --vars-inline "$audit_json_vars" v $format_output > "$audit_out"
# create screen output
if [ "$(grep -c $BENCHMARK "$audit_out")" != 0 ] || [ "$format" = junit ] || [ "$format" = tap ]; then
eval $output_summary
echo "Completed file can be found at $audit_out"
echo "###############"
echo "Audit Completed"
echo "###############"
else
echo -e "Fail: There were issues when running the audit please investigate $audit_out"
fi
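Review bot: `eval $output_summary` near the end executes a string that embeds `$audit_out`, which comes straight from the `-o` argument, so an output path containing shell metacharacters is interpreted as shell code rather than a file name; run the summary command directly with the variable quoted, e.g. `grep -A 4 '"summary":' "$audit_out"` for json and `tail -2 "$audit_out"` otherwise, and drop the `eval`. Two inconsistencies with the rest of the commit: `BENCHMARK_VER=2.0.0` while the README and Changelog describe CIS Ubuntu 24.04 benchmark v1.0.0, and `audit_vars=vars/${BENCHMARK}.yml` expands to `vars/CIS.yml` whereas the README documents `vars/cis.yml`, so on a case-sensitive filesystem the default `--vars` path will not resolve unless the file is actually named in upper case. Also stale or sloppy: the `-v` help text example `$AUDIT_CONTENT_LOCATION/RHEL7-$BENCHMARK/vars/$BENCHMARK.yml`, and `v::` in the getopts string, which is not bash getopts syntax for an optional argument and should be `v:` like the other argument-taking options.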


@ -0,0 +1,39 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_1_1 }}
file:
cramfs_disabled:
title: 1.1.1.1 | Ensure cramfs kernel module is not available | modprobe
path: /etc/modprobe.d/CIS.conf
exists: true
contents:
- '/^install cramfs /bin/(true|false)/'
meta:
server: 1
workstation: 1
CIS_ID: 1.1.1.1
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
cramfs_blacklist:
title: 1.1.1.1 | Ensure cramfs kernel module is not available | blacklist
path: /etc/modprobe.d/blacklist.conf
exists: true
contents:
- '/^blacklist cramfs/'
meta:
server: 1
workstation: 1
CIS_ID: 1.1.1.1
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
{{ end }}
{{ end }}
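Review bot: both checks hardcode one specific file (`/etc/modprobe.d/CIS.conf` and `/etc/modprobe.d/blacklist.conf`), so a host that carries the same `install cramfs /bin/false` and `blacklist cramfs` directives in a differently named file under `/etc/modprobe.d/` is reported non-compliant, while a host whose files contain the lines but still has the module loaded is reported compliant because nothing here looks at the running kernel. Consider a `command` check with `lsmod` or `modprobe --showconfig` alongside the file checks, or at least document that the remediation role's file names are assumed. The same pattern applies to the 1.1.1.2 through 1.1.1.9 files in this commit.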


@ -0,0 +1,39 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_1_2 }}
file:
freevxfs_disabled:
title: 1.1.1.2 | Ensure freevxfs kernel module is not available | modprobe
path: /etc/modprobe.d/CIS.conf
exists: true
contents:
- '/^install freevxfs /bin/(true|false)/'
meta:
server: 1
workstation: 1
CIS_ID: 1.1.1.2
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
freevxfs_blacklist:
title: 1.1.1.2 | Ensure freevxfs kernel module is not available | blacklist
path: /etc/modprobe.d/blacklist.conf
exists: true
contents:
- '/^blacklist freevxfs/'
meta:
server: 1
workstation: 1
CIS_ID: 1.1.1.2
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
{{ end }}
{{ end }}


@ -0,0 +1,39 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_1_3 }}
file:
hfs_disabled:
title: 1.1.1.3 | Ensure hfs kernel module is not available | modprobe
path: /etc/modprobe.d/CIS.conf
exists: true
contents:
- '/^install hfs /bin/(true|false)/'
meta:
server: 1
workstation: 1
CIS_ID: 1.1.1.3
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
hfs_blacklist:
title: 1.1.1.3 | Ensure hfs kernel module is not available | blacklist
path: /etc/modprobe.d/blacklist.conf
exists: true
contents:
- '/^blacklist hfs/'
meta:
server: 1
workstation: 1
CIS_ID: 1.1.1.3
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
{{ end }}
{{ end }}


@ -0,0 +1,39 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_1_4 }}
file:
hfsplus_disabled:
title: 1.1.1.4 | Ensure hfsplus kernel module is not available | modprobe
path: /etc/modprobe.d/CIS.conf
exists: true
contents:
- '/^install hfsplus /bin/(true|false)/'
meta:
server: 1
workstation: 1
CIS_ID: 1.1.1.4
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
hfsplus_blacklist:
title: 1.1.1.4 | Ensure hfsplus kernel module is not available | blacklist
path: /etc/modprobe.d/blacklist.conf
exists: true
contents:
- '/^blacklist hfsplus/'
meta:
server: 1
workstation: 1
CIS_ID: 1.1.1.4
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
{{ end }}
{{ end }}


@ -0,0 +1,39 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_1_5 }}
file:
jffs2_disabled:
title: 1.1.1.5 | Ensure jffs2 kernel module is not available | modprobe
path: /etc/modprobe.d/CIS.conf
exists: true
contents:
- '/^install jffs2 /bin/(true|false)/'
meta:
server: 1
workstation: 1
CIS_ID: 1.1.1.5
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
jffs2_blacklist:
title: 1.1.1.5 | Ensure jffs2 kernel module is not available | blacklist
path: /etc/modprobe.d/blacklist.conf
exists: true
contents:
- '/^blacklist jffs2/'
meta:
server: 1
workstation: 1
CIS_ID: 1.1.1.5
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
{{ end }}
{{ end }}


@ -0,0 +1,39 @@
---
{{ if .Vars.ubtu24cis_level_2 }}
{{ if .Vars.ubtu24cis_rule_1_1_1_6 }}
file:
overlayfs_disabled:
title: 1.1.1.6 | Ensure overlayfs kernel module is not available | modprobe
path: /etc/modprobe.d/CIS.conf
exists: true
contents:
- '/^install overlayfs /bin/(true|false)/'
meta:
server: 2
workstation: 2
CIS_ID: 1.1.1.6
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
overlayfs_blacklist:
title: 1.1.1.6 | Ensure overlayfs kernel module is not available | blacklist
path: /etc/modprobe.d/blacklist.conf
exists: true
contents:
- '/^blacklist overlayfs/'
meta:
server: 2
workstation: 2
CIS_ID: 1.1.1.6
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
{{ end }}
{{ end }}
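Review bot: unlike the 1.1.1.7 squashfs file, which is guarded by `ubtu24cis_squashfs_required`, this overlayfs check has no `_required` escape hatch even though container runtimes on Ubuntu hosts commonly depend on overlayfs; if the vars file offers a corresponding override, gate this file on it the same way, otherwise consider adding one so that hosts that legitimately need the module can be exempted without turning off rule 1.1.1.6 entirely.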


@ -0,0 +1,41 @@
---
{{ if .Vars.ubtu24cis_level_2 }}
{{ if not .Vars.ubtu24cis_squashfs_required }}
{{ if .Vars.ubtu24cis_rule_1_1_1_7 }}
file:
squashfs_disabled:
title: 1.1.1.7 | Ensure squashfs kernel module is not available | modprobe
path: /etc/modprobe.d/CIS.conf
exists: true
contents:
- '/^install squashfs /bin/(true|false)/'
meta:
server: 2
workstation: 2
CIS_ID: 1.1.1.7
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
squashfs_blacklist:
title: 1.1.1.7 | Ensure squashfs kernel module is not available | blacklist
path: /etc/modprobe.d/blacklist.conf
exists: true
contents:
- '/^blacklist squashfs/'
meta:
server: 2
workstation: 2
CIS_ID: 1.1.1.7
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
{{ end }}
{{ end }}
{{ end }}


@ -0,0 +1,39 @@
---
{{ if .Vars.ubtu24cis_level_2 }}
{{ if .Vars.ubtu24cis_rule_1_1_1_8 }}
file:
udf_disabled:
title: 1.1.1.8 | Ensure udf kernel module is not available | modprobe
path: /etc/modprobe.d/CIS.conf
exists: true
contents:
- '/^install udf /bin/(true|false)/'
meta:
server: 2
workstation: 2
CIS_ID: 1.1.1.8
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
udf_blacklist:
title: 1.1.1.8 | Ensure udf kernel module is not available | blacklist
path: /etc/modprobe.d/blacklist.conf
exists: true
contents:
- '/^blacklist udf/'
meta:
server: 2
workstation: 2
CIS_ID: 1.1.1.8
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
{{ end }}
{{ end }}


@ -0,0 +1,39 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_1_9 }}
file:
usb-storage_disabled:
title: 1.1.1.9 | Ensure usb-storage kernel module is not available | modprobe
path: /etc/modprobe.d/CIS.conf
exists: true
contents:
- '/^install usb-storage /bin/(true|false)/'
meta:
server: 1
workstation: 2
CIS_ID: 1.1.1.9
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: SI-3
usb-storage_blacklist:
title: 1.1.1.9 | Ensure usb-storage kernel module is not available | blacklist
path: /etc/modprobe.d/blacklist.conf
exists: true
contents:
- '/^blacklist usb-storage/'
meta:
server: 1
workstation: 2
CIS_ID: 1.1.1.9
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: SI-3
{{ end }}
{{ end }}


@ -0,0 +1,21 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_1_1 }}
mount:
tmp_mount:
title: 1.1.2.1.1 | Ensure /tmp is a separate partition
mountpoint: /tmp
exists: true
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.1.1
CISv8: 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
{{ end }}
{{ end }}
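Review bot: the meta block shape differs from the 1.1.1.x files: here `CIS_ID` is a list and `CISv8` is a scalar (`4.8`), while there `CIS_ID` is a scalar and `CISv8` is a list (`- 4.8`). Anything that parses the meta fields (the Ansible role, report generators) has to cope with both shapes; pick one and use it across the section.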


@ -0,0 +1,66 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_1_1 }}
mount:
tmp_options:
title: |
1.1.2.1.2 | Ensure nodev option set on /tmp partition
1.1.2.1.3 | Ensure nosuid option set on /tmp partition
1.1.2.1.4 | Ensure noexec option set on /tmp partition
mountpoint: /tmp
exists: true
opts:
{{ if .Vars.ubtu24cis_rule_1_1_2_1_2 }}
- nodev
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_1_3 }}
- nosuid
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_1_4 }}
- noexec
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.1.2
- 1.1.2.1.3
- 1.1.2.1.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
tmp_fstab_options:
title: |
1.1.2.1.2 | Ensure nodev option set on /tmp partition
1.1.2.1.3 | Ensure nosuid option set on /tmp partition
1.1.2.1.4 | Ensure noexec option set on /tmp partition
exists: true
path: /etc/fstab
contents:
- '/\s\/tmp.*{{ if .Vars.ubtu24cis_rule_1_1_2_1_2 }}nodev{{ end }}/'
- '/\s\/tmp.*{{ if .Vars.ubtu24cis_rule_1_1_2_1_3 }}nosuid{{ end }}.*/'
- '/\s\/tmp.*{{ if .Vars.ubtu24cis_rule_1_1_2_1_4 }}noexec{{ end }}.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.1.2
- 1.1.2.1.3
- 1.1.2.1.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}
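Review bot: the whole file is gated on `ubtu24cis_rule_1_1_2_1_1` (the separate-partition rule) rather than on the option rules it implements, so disabling 1.1.2.1.1 while leaving 1.1.2.1.2 to 1.1.2.1.4 enabled silently skips the nodev/nosuid/noexec checks. The fstab patterns use `\s\/tmp.*`, which also matches any mount point that merely begins with `/tmp`; the /var file later in this commit uses `\/var\s`, so use `\s\/tmp\s.*` here for the same reason. Finally, the `file` check only reads `/etc/fstab`, so a /tmp provided by a systemd `tmp.mount` unit with the correct options passes the `mount` check but fails this one. The first two points apply equally to the /dev/shm and /home option files that follow.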


@ -0,0 +1,22 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_2_1 }}
mount:
dev_shm_mount:
title: 1.1.2.2.1 | Ensure /dev/shm is a separate partition
mountpoint: /dev/shm
filesystem: tmpfs
exists: true
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.2.1
CISv8: 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
{{ end }}
{{ end }}


@ -0,0 +1,66 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_2_1 }}
mount:
dev_shm_options:
title: |
1.1.2.2.2 | Ensure nodev option set on /dev/shm partition
1.1.2.2.3 | Ensure nosuid option set on /dev/shm partition
1.1.2.2.4 | Ensure noexec option set on /dev/shm partition
mountpoint: /dev/shm
exists: true
opts:
{{ if .Vars.ubtu24cis_rule_1_1_2_2_2 }}
- nodev
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_2_3 }}
- nosuid
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_2_4 }}
- noexec
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.2.2
- 1.1.2.2.3
- 1.1.2.2.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
dev_shm_fstab_options:
title: |
1.1.2.2.2 | Ensure nodev option set on /dev/shm partition
1.1.2.2.3 | Ensure nosuid option set on /dev/shm partition
1.1.2.2.4 | Ensure noexec option set on /dev/shm partition
exists: true
path: /etc/fstab
contents:
- '/\s\/dev\/shm.*{{ if .Vars.ubtu24cis_rule_1_1_2_2_2 }}nodev{{ end }}/'
- '/\s\/dev\/shm.*{{ if .Vars.ubtu24cis_rule_1_1_2_2_3 }}nosuid{{ end }}.*/'
- '/\s\/dev\/shm.*{{ if .Vars.ubtu24cis_rule_1_1_2_2_4 }}noexec{{ end }}.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.2.2
- 1.1.2.2.3
- 1.1.2.2.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}


@ -0,0 +1,21 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_3_1 }}
mount:
home_mount:
title: 1.1.2.3.1 | Ensure separate partition exists for /home
mountpoint: /home
exists: true
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.3.1
CISv8: 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
{{ end }}
{{ end }}


@ -0,0 +1,58 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_3_1 }}
mount:
home_options:
title: |
1.1.2.3.2 | Ensure nodev option set on /home partition
1.1.2.3.3 | Ensure nosuid option set on /home partition
mountpoint: /home
exists: true
opts:
{{ if .Vars.ubtu24cis_rule_1_1_2_3_2 }}
- nodev
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_3_3 }}
- nosuid
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.3.2
- 1.1.2.3.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
home_fstab_options:
title: |
1.1.2.3.2 | Ensure nodev option set on /home partition
1.1.2.3.3 | Ensure nosuid option set on /home partition
exists: true
path: /etc/fstab
contents:
- '/\s\/home.*{{ if .Vars.ubtu24cis_rule_1_1_2_3_2 }}nodev{{ end }}/'
- '/\s\/home.*{{ if .Vars.ubtu24cis_rule_1_1_2_3_3 }}nosuid{{ end }}.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.3.2
- 1.1.2.3.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}


@ -0,0 +1,21 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_4_1 }}
mount:
var_mount:
title: 1.1.2.4.1 | Ensure separate partition exists for /var
mountpoint: /var
exists: true
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.4.1
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
{{ end }}
{{ end }}


@ -0,0 +1,58 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_4_1 }}
mount:
var_options:
title: |
1.1.2.4.2 | Ensure nodev option set on /var partition
1.1.2.4.3 | Ensure nosuid option set on /var partition
mountpoint: '/var'
exists: true
opts:
{{ if .Vars.ubtu24cis_rule_1_1_2_4_2 }}
- nodev
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_4_3 }}
- nosuid
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.4.2
- 1.1.2.4.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_fstab_options:
title: |
1.1.2.4.2 | Ensure nodev option set on /var partition
1.1.2.4.3 | Ensure nosuid option set on /var partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_4_2 }}nodev{{ end }}/'
- '/\s\/var\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_4_3 }}nosuid{{ end }}.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.4.2
- 1.1.2.4.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}


@ -0,0 +1,21 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_5_1 }}
mount:
var_tmp_mount:
title: 1.1.2.5.1 | Ensure separate partition exists for /var/tmp
mountpoint: /var/tmp
exists: true
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.5.1
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R4: CM-7
{{ end }}
{{ end }}
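Review bot: the compliance key on the last meta line is `NIST800-53R4: CM-7`, while every other test in this commit uses `NIST800-53R5`; tooling that groups results by that key will silently drop 1.1.2.5.1, so rename it to `NIST800-53R5: CM-7`.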

View File

@ -0,0 +1,66 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_5_1 }}
mount:
var_tmp_options:
title: |
1.1.2.5.2 | Ensure nodev option set on /var/tmp partition
1.1.2.5.3 | Ensure nosuid option set on /var/tmp partition
1.1.2.5.4 | Ensure noexec option set on /var/tmp partition
mountpoint: '/var/tmp'
exists: true
opts:
{{ if .Vars.ubtu24cis_rule_1_1_2_5_2 }}
- nodev
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_5_3 }}
- nosuid
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_5_4 }}
- noexec
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.5.2
- 1.1.2.5.3
- 1.1.2.5.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_tmp_fstab_options:
title: |
1.1.2.5.2 | Ensure nodev option set on /var/tmp partition
1.1.2.5.3 | Ensure nosuid option set on /var/tmp partition
1.1.2.5.4 | Ensure noexec option set on /var/tmp partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\/tmp\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_5_2 }}nodev{{ end }}/'
- '/\s\/var\/tmp\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_5_3 }}nosuid{{ end }}.*/'
- '/\s\/var\/tmp\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_5_4 }}noexec{{ end }}.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.5.2
- 1.1.2.5.3
- 1.1.2.5.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

View File

@ -0,0 +1,21 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_6_1 }}
mount:
var_log_mount:
title: 1.1.2.6.1 | Ensure separate partition exists for /var/log
mountpoint: /var/log
exists: true
meta:
server: 2
workstation: 2
CIS_ID:
- 1.1.2.6.1
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
{{ end }}
{{ end }}
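Review bot: `var_log_mount` is wrapped in `{{ if .Vars.ubtu24cis_level_1 }}` but its meta declares `server: 2` and `workstation: 2`; the other Level 2 tests in this commit (1.3.1.4, 1.7.1) gate on `ubtu24cis_level_2`, so either the gate or the meta is wrong. If the control is Level 2, change the outer conditional to `{{ if .Vars.ubtu24cis_level_2 }}` so Level 1 runs do not fail on a missing `/var/log` partition.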

View File

@ -0,0 +1,66 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_6_1 }}
mount:
var_log_options:
title: |
1.1.2.6.2 | Ensure nodev option set on /var/log partition
1.1.2.6.3 | Ensure nosuid option set on /var/log partition
1.1.2.6.4 | Ensure noexec option set on /var/log partition
mountpoint: '/var/log'
exists: true
opts:
{{ if .Vars.ubtu24cis_rule_1_1_2_6_2 }}
- nodev
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_6_3 }}
- nosuid
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_6_4 }}
- noexec
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.6.2
- 1.1.2.6.3
- 1.1.2.6.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_log_fstab_options:
title: |
1.1.2.6.2 | Ensure nodev option set on /var/log partition
1.1.2.6.3 | Ensure nosuid option set on /var/log partition
1.1.2.6.4 | Ensure noexec option set on /var/log partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\/log\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_6_2 }}nodev{{ end }}/'
- '/\s\/var\/log\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_6_3 }}nosuid{{ end }}.*/'
- '/\s\/var\/log\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_6_4 }}noexec{{ end }}.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.6.2
- 1.1.2.6.3
- 1.1.2.6.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

View File

@ -0,0 +1,21 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_7_1 }}
mount:
var_log_audit_mount:
title: 1.1.2.7.1 | Ensure separate partition exists for /var/log/audit
mountpoint: /var/log/audit
exists: true
meta:
server: 2
workstation: 2
CIS_ID:
- 1.1.2.7.1
CISv8: 8.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-7
{{ end }}
{{ end }}
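Review bot: same mismatch as 1.1.2.6.1: `var_log_audit_mount` is gated on `ubtu24cis_level_1` while its meta says `server: 2` / `workstation: 2`. Align the conditional with the declared level (`{{ if .Vars.ubtu24cis_level_2 }}` if the meta is right) so the profile selection and the reported level agree.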

View File

@ -0,0 +1,66 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_7_1 }}
mount:
var_log_audit_options:
title: |
1.1.2.7.2 | Ensure nodev option set on /var/log/audit partition
1.1.2.7.3 | Ensure nosuid option set on /var/log/audit partition
1.1.2.7.4 | Ensure noexec option set on /var/log/audit partition
mountpoint: '/var/log/audit'
exists: true
opts:
{{ if .Vars.ubtu24cis_rule_1_1_2_7_2 }}
- nodev
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_7_3 }}
- nosuid
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_7_4 }}
- noexec
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.7.2
- 1.1.2.7.3
- 1.1.2.7.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_log_audit_fstab_options:
title: |
1.1.2.7.2 | Ensure nodev option set on /var/log/audit partition
1.1.2.7.3 | Ensure nosuid option set on /var/log/audit partition
1.1.2.7.4 | Ensure noexec option set on /var/log/audit partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\/log\/audit\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_7_2 }}nodev{{ end }}/'
- '/\s\/var\/log\/audit\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_7_3 }}nosuid{{ end }}.*/'
- '/\s\/var\/log\/audit\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_7_4 }}noexec{{ end }}.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.7.2
- 1.1.2.7.3
- 1.1.2.7.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

View File

@ -0,0 +1,27 @@
---
{{ if .Vars.run_heavy_tests }}
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_2_1_1 }}
command:
gpg_keys_list:
title: 1.2.1.1 | Ensure GPG keys are configured | Manual
exit-status: 0
exec: echo "MANUAL - Please check manually for gpg keys"
stdout:
- '!/^MANUAL.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.2.1.1
CISv8:
- 7.3
- 7.4
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: SI-2
{{ end }}
{{ end }}
{{ end }}
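Review bot: `gpg_keys_list` is gated on `run_heavy_tests`, yet it only runs `echo` and its `'!/^MANUAL.*/'` stdout match fails unconditionally (the echoed text always starts with `MANUAL`), which is evidently the way manual controls are surfaced here. The sibling manual check 1.2.1.2 has the same shape without that gate, so either drop the `run_heavy_tests` wrapper here or add it there so manual checks are reported consistently.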

View File

@ -0,0 +1,22 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_2_1_2}}
command:
gpg_configd:
title: 1.2.1.2 | Ensure package manager repositories are configured | Manual
exec: echo "MANUAL - Please check manually that repositories are configured as expected"
exit-status: 0
stdout:
- '!/^MANUAL.*/'
meta:
server: 1
workstation: 2
CIS_ID: 1.2.1.2
CISv8: 7.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: SI-2
{{ end }}
{{ end }}

View File

@ -0,0 +1,25 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_2_2_1 }}
command:
check_updates:
title: 1.2.2.1 | Ensure updates, patches, and additional security software are installed
exec: apt update | tail -1
exit-status: 0
timeout: {{ .Vars.timeout_ms }}
stdout:
- '!/^[1-9]{0,4}$ packages can be upgraded/'
- '/^All packages are up to date/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.2.2.1
CISv8: 7.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: SI-2
{{ end }}
{{ end }}
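Review bot: the first stdout pattern in `check_updates`, `'!/^[1-9]{0,4}$ packages can be upgraded/'`, can never match because `$` asserts end-of-line before the literal ` packages`, and `[1-9]` excludes any count containing a zero (`10 packages`); the negated check is therefore a no-op and only the `All packages are up to date` line enforces anything. Use `'!/^[0-9]+ packages can be upgraded/'`. Separately, `apt update` rewrites the package index under `/var/lib/apt/lists` and needs network access and root, which is a lot of side effect for an audit; `apt-get -s upgrade` or `apt list --upgradable` reports the same state read-only, with the `timeout` kept.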

View File

@ -0,0 +1,21 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_3_1_1 }}
package:
apparmor:
title: 1.3.1.1 | Ensure AppArmor is installed
installed: true
name: apparmor
meta:
server: 1
workstation: 1
CIS_ID:
- 1.3.1.1
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: AC-3
{{ end }}
{{ end }}

View File

@ -0,0 +1,43 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_3_1_2 }}
file:
apparmor_boot_grub:
title: 1.3.1.2 | Ensure AppArmor is enabled in the bootloader configuration | running grub
path: /boot/grub/grub.cfg
exists: true
contents:
- '/apparmor=1/'
- '/security=apparmor/'
- '!/apparmor=0/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.3.1.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: AC-3
grub_app_armor:
title: 1.3.1.2 | Ensure AppArmor is enabled in the bootloader configuration | default grub
exists: true
path: /etc/default/grub
contents:
- '/^GRUB_CMDLINE_LINUX.*apparmor=1/'
- '/^GRUB_CMDLINE_LINUX.*security=apparmor/'
- '!/apparmor=0/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.3.1.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: AC-3
{{ end }}
{{ end }}

View File

@ -0,0 +1,25 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if not .Vars.ubtu24cis_apparmor_disable }}
{{ if .Vars.ubtu24cis_rule_1_3_1_3 }}
command:
apparmor_enf_or_comp:
title: 1.3.1.3 | Ensure all AppArmor Profiles are in enforce or complain mode | profile
exec: LOADED=`apparmor_status | grep 'profiles are loaded' | awk '{print $1}'` && ENFORCE=`apparmor_status | grep 'profiles are in enforce mode.' | awk '{print $1}'` && COMPLAIN=`apparmor_status | grep 'profiles are in complain mode.' | awk '{print $1}'` && if [ $((LOADED + COMPLAIN)) != "$ENFORCE" ]; then echo "Profiles Error";fi
exit-status: 0
stdout:
- '!/Profiles Error/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.3.1.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: AC-3
{{ end }}
{{ end }}
{{ end }}
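Review bot: the arithmetic in `apparmor_enf_or_comp` is inverted: `if [ $((LOADED + COMPLAIN)) != "$ENFORCE" ]` prints "Profiles Error" whenever any profile is in complain mode, because loaded equals enforce plus complain, so loaded plus complain can only equal enforce when complain is zero. The intended test is `if [ $((ENFORCE + COMPLAIN)) -ne "$LOADED" ]`; using `-ne` rather than `!=` also makes an empty count (grep matched nothing) error out instead of passing as a string comparison.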

View File

@ -0,0 +1,25 @@
---
{{ if .Vars.ubtu24cis_level_2 }}
{{ if not .Vars.ubtu24cis_apparmor_disable }}
{{ if .Vars.ubtu24cis_rule_1_3_1_4 }}
command:
apparmor_enf_only:
title: 1.3.1.4 | Ensure all AppArmor Profiles are enforcing
exec: if [ `apparmor_status | grep 'profiles are in complain mode.' | awk '{print $1}'` == 0 ]; then echo "Not Enforcing" ;fi
exit-status: 0
stdout:
- '!/Not Enforcing/'
meta:
server: 2
workstation: 2
CIS_ID:
- 1.3.1.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: AC-3
{{ end }}
{{ end }}
{{ end }}
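Review bot: the condition in `apparmor_enf_only` is backwards: `[ ... == 0 ]` prints "Not Enforcing" when the complain-mode count is zero, which is the compliant state, so compliant hosts fail and hosts with complain-mode profiles pass; it should test `-ne 0`. Use `-ne` rather than `==` regardless, since `==` is not a POSIX `test` operator and goss runs `exec` through `sh -c`, which on Ubuntu is dash and rejects it with "unexpected operator".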

View File

@ -0,0 +1,24 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_4_1 }}
file:
bootloader_password_set:
title: 1.4.1 | Ensure bootloader password is set
path: /etc/grub.d/00_user
exists: true
contents:
- '/set superusers="{{ .Vars.ubtu24cis_grub_user }}"/'
- '/password_pbkdf2 {{ .Vars.ubtu24cis_grub_user }} {{ .Vars.ubtu24cis_bootloader_password_hash }}/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.4.1
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: AC-3
{{ end }}
{{ end }}

View File

@ -0,0 +1,27 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_4_2 }}
file:
default_grub_perms:
title: 1.4.2 | Ensure access to bootloader if configured
exists: true
path: /boot/grub/grub.cfg
owner: root
group: root
mode:
or:
- "0400"
- "0600"
meta:
server: 1
workstation: 1
CIS_ID:
- 1.4.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: AC-3
{{ end }}
{{ end }}
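Review bot: the title `1.4.2 | Ensure access to bootloader if configured` reads as a typo for "is configured"; fix it so report output matches the benchmark wording.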

View File

@ -0,0 +1,40 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_5_1 }}
kernel-param:
kernel.randomize_va_space:
title: 1.5.1 | Ensure address space layout randomization (ASLR) is enabled | sysctl_live
value: '2'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.5.1
CISv8: 10.5
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-6
command:
aslr_enabled_2:
title: 1.5.1 | Ensure address space layout randomization (ASLR) is enabled | sysctl_configured
exit-status:
or:
- 0
- 2
exec: 'grep "^kernel\.randomize_va_space" /etc/sysctl.conf /etc/sysctl.d/* | cut -d ":" -f2'
stdout:
- '/kernel.randomize_va_space(\s|)=(\s|)2/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.5.1
CISv8: 10.5
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-6
{{ end }}
{{ end }}

View File

@ -0,0 +1,40 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_5_2 }}
kernel-param:
kernel.yama.ptrace_scope:
title: 1.5.2 | Ensure ptrace_scope is restricted | sysctl_live
value: '1'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.5.1
CISv8: 10.5
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-6
command:
ptrace_restrict_2:
title: 1.5.1 | Ensure ptrace_scope is restricted | sysctl_configured
exit-status:
or:
- 0
- 2
exec: 'grep "^kernel\.yama.ptrace_scope" /etc/sysctl.conf /etc/sysctl.d/* | cut -d ":" -f2'
stdout:
- '/kernel.yama.ptrace_scope\s*=\s*1/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.5.1
CISv8: 10.5
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-6
{{ end }}
{{ end }}
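Review bot: the meta and second title carry copy-paste IDs from 1.5.1: both `CIS_ID` lists say `- 1.5.1` and `ptrace_restrict_2` is titled `1.5.1 | Ensure ptrace_scope is restricted | sysctl_configured`, so results for this control are reported under the ASLR ID; change all three to `1.5.2`.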

View File

@ -0,0 +1,94 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_5_3 }}
command:
core_dumps_limits:
title: 1.5.3 | Ensure core dumps are restricted | security/limits.conf
exit-status:
or:
- 0
- 2
exec: 'grep -E "\*.*hard.*core.*0" /etc/security/limits.conf /etc/security/limits.d/*'
stdout:
- '/^\/*.*\shard.*core.*0/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.5.3
CISv8: NA
CISv8_IG1: NA
CISv8_IG2: NA
CISv8_IG3: NA
Mitre_Techniques:
- T1005
- T1005.000
Mitre_Tactics: TA0007
Mitre_Mitigations: NA
suid_dumpable_2:
title: 1.5.3 | Ensure core dumps are restricted | sysctl.conf
exit-status: 0
exec: 'grep "fs\.suid_dumpable" /etc/sysctl.conf /etc/sysctl.d/*'
stdout:
- fs.suid_dumpable=0
meta:
server: 1
workstation: 1
CIS_ID:
- 1.5.3
CISv8: NA
CISv8_IG1: NA
CISv8_IG2: NA
CISv8_IG3: NA
NIST800-53R5: CM-6
kernel-param:
fs.suid_dumpable:
title: 1.5.3 | Ensure core dumps are restricted | kernel_sysctl
value: '0'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.5.3
CISv8: NA
CISv8_IG1: NA
CISv8_IG2: NA
CISv8_IG3: NA
NIST800-53R5: CM-6
service:
coredump:
title: 1.5.3 | Ensure core dumps are restricted | coredump service
enabled: false
running: false
skip: false
meta:
server: 1
workstation: 1
CIS_ID:
- 1.5.3
CISv8: NA
CISv8_IG1: NA
CISv8_IG2: NA
CISv8_IG3: NA
NIST800-53R5: CM-6
file:
coredump_restricted_conf:
title: 1.5.3 | Ensure core dumps are restricted | coredump.conf
exists: true
path: /etc/systemd/coredump.conf
contents:
- '/^Storage=none/'
- '/^ProcessSizeMax=0/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.5.3
CISv8: NA
CISv8_IG1: NA
CISv8_IG2: NA
CISv8_IG3: NA
NIST800-53R5: CM-6
{{ end }}
{{ end }}
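Review bot: two matchers in this hunk do not enforce what the titles claim. `core_dumps_limits` greps `"\*.*hard.*core.*0"`, which also matches `* hard core 1000`, so a non-zero limit passes; use `"^\*\s+hard\s+core\s+0\s*$"` and mirror it in the stdout pattern. Conversely `suid_dumpable_2` expects the plain string `fs.suid_dumpable=0`, a substring match that misses the spaced form `fs.suid_dumpable = 0` which the ASLR check tolerates with `(\s|)=(\s|)`; use `'/fs\.suid_dumpable\s*=\s*0/'`.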

View File

@ -0,0 +1,23 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_5_4 }}
package:
prelink:
title: 1.5.4 | Ensure prelink is not installed
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 1.5.4
CISv8: 3.14
CISv8_IG1: false
CISv8_IG2: false
CISv8_IG3: true
NIST800-53R5:
- CM-6
- CM-1
- CM-3
{{ end }}
{{ end }}

View File

@ -0,0 +1,36 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_5_5 }}
package:
apport:
title: 1.5.5 | Ensure Automatic Error Reporting is not enabled | Package
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 1.5.5
CISv8: 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
file:
error_report_apport_disable:
title: 1.5.5 | Ensure Automatic Error Reporting is not enabled | disabled
exists: true
path: /etc/default/apport
contents:
- 'enabled=0'
- '!/enabled=1/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.5.5
CISv8: 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ end }}
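Review bot: the two checks cannot both pass on a clean host: `apport` requires the package to be absent, while `error_report_apport_disable` requires `/etc/default/apport` to exist with `enabled=0`, and that file is shipped by the package (it survives a remove but not a purge). Gate the file check on a variable, or use `exists: false` when package removal is the chosen path, so a purged system is not reported as non-compliant. The meta here also lacks the `NIST800-53R5` key the other tests carry.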

View File

@ -0,0 +1,69 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_6_1 }}
file:
etc_motd_content:
title: 1.6.1 | Ensure message of the day is configured properly | motd file correct
path: /etc/motd
exists: true
contents:
- {{ .Vars.ubtu24cis_warning_banner }}
- '!/(\\v|\\r|\\m|\\s)/'
- '!/\/etc\/os-release/'
- '!/(?i)ubuntu/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.6.1
CISv8: NA
CISv8_IG1: NA
CISv8_IG2: NA
CISv8_IG3: NA
NIST800-53R5:
- CM-6
- CM-1
- CM-3
{{ if .Vars.ubtu24cis_disable_dynamic_motd }}
disable_dyn_motd:
title: 1.6.1 | Ensure message of the day is configured properly | stop dynamic load
path: /etc/pam.d/sshd
exists: true
contents:
- '/#\s*session\s+optional\s+pam_motd.so\s+motd=/run/motd.dynamic/'
- '/#\s*session\s+optional\s+pam_motd.so noupdate/'
- '!/^session\s+optional\s+pam_motd.so noupdate/'
- '!/^session\s+optional\s+pam_motd.so\s+motd=/run/motd.dynamic/'
{{ end }}
{{ if not .Vars.ubtu24cis_disable_dynamic_motd }}
command:
check_motd_files:
title: 1.6.1 | Ensure message of the day is configured properly | dynamic motd files
exec: "grep -Eis \"(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/\"//g'))\" /etc/update-motd.d/*"
exit-status:
or:
- 0
- 1
- 2
stdout:
- '!/.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.6.1
CISv8: NA
CISv8_IG1: NA
CISv8_IG2: NA
CISv8_IG3: NA
Mitre_Techniques:
- T1082
- T1082.000
- T1592
- T1592.004
Mitre_Tactics: TA0007
Mitre_Mitigations: NA
{{ end }}
{{ end }}
{{ end }}
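Review bot: the double-quoted `exec` in `check_motd_files` is not valid YAML: inside `"..."` YAML processes backslash escapes, and `\\\s` and `\\\m` leave `\s` and `\m`, which are not recognised escape sequences, so the file fails to parse (and `\\\v` / `\\\r` would become a real vertical tab / carriage return instead of the literal `\v` / `\r` grep is meant to find). Write it as a plain scalar like the 1.6.2 and 1.6.3 checks (`exec: grep -Eis "(\\\v|\\\r|\\\m|\\\s|$(...))" /etc/update-motd.d/*`). The unquoted `- {{ .Vars.ubtu24cis_warning_banner }}` item in `etc_motd_content` also breaks the YAML if the banner contains `: ` or `#`; quote it.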

View File

@ -0,0 +1,29 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_6_2 }}
command:
local_login_banner:
title: 1.6.2 | Ensure local login warning banner is configured properly
exec: grep -Eis "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/issue
exit-status:
or:
- 0
- 1
stdout:
- '!/.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.6.2
CISv8: NA
CISv8_IG1: NA
CISv8_IG2: NA
CISv8_IG3: NA
NIST800-53R5:
- CM-6
- CM-1
- CM-3
{{ end }}
{{ end }}

View File

@ -0,0 +1,29 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_6_3 }}
command:
cremote_login_banner:
title: 1.6.3 | Ensure remote login warning banner is configured properly
exec: grep -Eis "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/issue.net
exit-status:
or:
- 0
- 1
stdout:
- '!/.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.6.3
CISv8: NA
CISv8_IG1: NA
CISv8_IG2: NA
CISv8_IG3: NA
NIST800-53R5:
- CM-6
- CM-1
- CM-3
{{ end }}
{{ end }}
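Review bot: the resource key `cremote_login_banner` has a stray leading `c`; rename it to `remote_login_banner` so it lines up with `local_login_banner` in 1.6.2 and reads correctly in report output.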

View File

@ -0,0 +1,26 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_6_4 }}
exec:
motd_permissions:
title: 1.6.4 | Ensure access to /etc/motd is configured
exec: FILE=/etc/motd && if [ -f $FILE ]; then PERMS=`stat -c '%U %G %a' $FILE`; if [ "$PERMS" != "root root 644" ]; then echo "Permissions Incorrect"; fi; fi
exit-status: 0
stdout:
- '!/^Permissions Incorrect/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.6.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-6
- CM-1
- CM-3
{{ end }}
{{ end }}
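Review bot: `exec:` is not a goss resource type, so `motd_permissions` is never evaluated (unknown top-level keys are at best ignored); the block belongs under `command:` like every other shell check in this commit. The check could also be expressed declaratively as a `file:` resource with `owner`, `group` and `mode`, as 1.6.5 and 1.6.6 do, if a missing `/etc/motd` is acceptable to report separately.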

View File

@ -0,0 +1,27 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_6_5 }}
file:
etc_issue_perms:
title: 1.6.5 | Ensure acces to /etc/issue is configured
exists: true
path: /etc/issue
owner: root
group: root
mode: '0644'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.6.5
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-6
- CM-1
- CM-3
{{ end }}
{{ end }}
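Review bot: typo in the title, `Ensure acces to /etc/issue is configured`; should be `access`.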

View File

@ -0,0 +1,27 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_6_6 }}
file:
etc_issue_net_perms:
title: 1.6.6 | Ensure access to /etc/issue.net is configured
path: /etc/issue.net
exists: true
owner: root
group: root
mode: '0644'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.6.6
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-6
- CM-1
- CM-3
{{ end }}
{{ end }}

View File

@ -0,0 +1,22 @@
---
{{ if .Vars.ubtu24cis_level_2 }}
{{ if not .Vars.ubtu24cis_desktop_required }}
{{ if .Vars.ubtu24cis_rule_1_7_1 }}
package:
gdm3:
title: 1.7.1 | Ensure GNOME Display Manager is removed
installed: false
meta:
server: 2
workstation: NA
CIS_ID:
- 1.7.1
CISv8: 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-11
{{ end }}
{{ end }}
{{ end }}

View File

@ -0,0 +1,25 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_desktop_required }}
{{ if .Vars.ubtu24cis_rule_1_7_10 }}
file:
gdm_xdcmp:
title: 1.7.10 | Ensure XDCMP is not enabled
path: /etc/gdm3/custom.conf
exists: true
contents:
- '!/^Enable=true/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.7.10
CISv8: 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: SI-4
{{ end }}
{{ end }}
{{ end }}
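Review bot: `XDCMP` in the title and the key `gdm_xdcmp` transpose XDMCP; rename both so the control is searchable by its proper name.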

View File

@ -0,0 +1,32 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_desktop_required }}
{{ if .Vars.ubtu24cis_rule_1_7_2 }}
file:
gdm_banner:
title: 1.7.2 | Ensure GDM login banner is configured
path: /etc/gdm3/greeter.dconf-defaults
exists: true
contents:
- '/^[org/gnome/login-screen]/'
- '/^banner-message-enable=true/'
- '/^banner-message-text='{{ .Vars.ubtu24cis_warning_banner }}'/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.7.2
CISv8: NA
CISv8_IG1: NA
CISv8_IG2: NA
CISv8_IG3: NA
NIST800-53R5:
- CM-1
- CM-2
- CM-6
- CM-7
- IA-5
{{ end }}
{{ end }}
{{ end }}
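Review bot: two patterns in `gdm_banner` do not work as written. `'/^[org/gnome/login-screen]/'` is a regex, so the square brackets form a character class and it matches any line beginning with one of `o r g n m e l i s c / -` rather than the literal section header; escape it as `'/^\[org\/gnome\/login-screen\]/'`. And `'/^banner-message-text='{{ .Vars.ubtu24cis_warning_banner }}'/'` places bare `'` characters inside a single-quoted YAML scalar, which ends the scalar early and fails to parse; doubling them (`''`) fixes the YAML, but the banner text is then interpreted as a regex, so any `.`, `(` or `*` in it changes the match. The same character-class mistake recurs in 1.7.4, 1.7.6 and 1.7.8.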

View File

@ -0,0 +1,31 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_desktop_required }}
{{ if .Vars.ubtu24cis_rule_1_7_3 }}
command:
gdm_disable_user:
title: 1.7.3 | Ensure disable-user-list is enabled
exec: grep -E "^disable-user-list" /etc/gdm3/greeter.dconf-defaults
exit-status: 0
stdout:
- '/^disable-user-list=true/'
- '!/^disable-user-list=false/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.7.3
CISv8: NA
CISv8_IG1: NA
CISv8_IG2: NA
CISv8_IG3: NA
NIST800-53R5:
- CM-1
- CM-2
- CM-6
- CM-7
- IA-5
{{ end }}
{{ end }}
{{ end }}

View File

@ -0,0 +1,27 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_desktop_required }}
{{ if .Vars.ubtu24cis_rule_1_7_4 }}
file:
gdm_screensaver:
title: 1.7.4 | Ensure GDM screen locks when the user is idle
path: /etc/dconf/db/local.d/00-screensaver
exists: true
contents:
- '/^[org/gnome/desktop/session]/'
- '/^idle-delay=uint32 (1|[1-9]|[1-7][0-9]{1,2}|900)$/'
- '/^lock-delay=uint32 [0-5]$/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.7.4
CISv8: 4.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: NA
{{ end }}
{{ end }}
{{ end }}
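Review bot: `'/^[org/gnome/desktop/session]/'` is a character class, not the literal header (escape as `'/^\[org\/gnome\/desktop\/session\]/'`), and the idle-delay alternation `(1|[1-9]|[1-7][0-9]{1,2}|900)` accepts 1 to 79, 100 to 799 and 900 but rejects 80 to 99 and 800 to 899, all of which are within the 900-second limit; `([1-9]|[1-9][0-9]|[1-8][0-9]{2}|900)` covers 1 to 900 exactly.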

View File

@ -0,0 +1,26 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_desktop_required }}
{{ if .Vars.ubtu24cis_rule_1_7_5 }}
file:
screensaver_lock_file:
title: 1.7.5 | Ensure GDM screen locks cannot be overridden
path: /etc/dconf/db/local.d/locks/00-screensave_lock
exists: true
contents:
- '^\/org\/gnome\/desktop\/session\/idle-delay/'
- '^/\/org\/gnome\/desktop\/screensaver\/lock-delay/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.7.5
CISv8: 4.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5: CM-11
{{ end }}
{{ end }}
{{ end }}
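Review bot: neither `contents` entry in `screensaver_lock_file` is treated as a regex: goss only takes a string as a pattern when it starts and ends with `/`, and `'^\/org\/gnome\/desktop\/session\/idle-delay/'` begins with `^` (the second with `^/`), so both are compared as literal substrings containing `^` and escaped slashes, which never appear in the locks file, and the test can never pass. Write them as `'/^\/org\/gnome\/desktop\/session\/idle-delay/'` and `'/^\/org\/gnome\/desktop\/screensaver\/lock-delay/'`. The 1.7.7 and 1.7.9 lock checks have the same defect.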

View File

@ -0,0 +1,32 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_desktop_required }}
{{ if .Vars.ubtu24cis_rule_1_7_6 }}
file:
gnome_automount_disable:
title: 1.7.6 | Ensure GDM automatic mounting of removable media is disabled
path: /etc/dconf/db/local.d/00-media-automount
exists: true
contents:
- '/^[org/gnome/desktop/media-handling]/'
- '/^automount=false/'
- '/^automount-open=false/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.7.6
CISv8: 10.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-1
- CM-2
- CM-6
- CM-7
- IA-5
{{ end }}
{{ end }}
{{ end }}
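Review bot: `'/^[org/gnome/desktop/media-handling]/'` in `gnome_automount_disable` is a character class rather than the literal `[org/gnome/desktop/media-handling]` header; escape the brackets and slashes (`'/^\[org\/gnome\/desktop\/media-handling\]/'`) so the section check means something.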

View File

@ -0,0 +1,31 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_desktop_required }}
{{ if .Vars.ubtu24cis_rule_1_7_7 }}
file:
gnome_automount_lock:
title: 1.7.7 | Ensure GDM disabling automatic mounting of removable media is not overridden
path: /etc/dconf/db/local.d/locks/00-automount_lock
exists: true
contents:
- '^/\/org\/gnome\/desktop\/media-handling\/automount/'
- '^/\/org\/gnome\/desktop\/media-handling\/automount-open/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.7.7
CISv8: NA
CISv8_IG1: NA
CISv8_IG2: NA
CISv8_IG3: NA
NIST800-53R5:
- CM-1
- CM-2
- CM-6
- CM-7
- IA-5
{{ end }}
{{ end }}
{{ end }}
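Review bot: both `contents` entries in `gnome_automount_lock` start with `^/` instead of `/^`, so goss compares them as literal strings rather than regexes and the test cannot pass; use `'/^\/org\/gnome\/desktop\/media-handling\/automount/'` and `'/^\/org\/gnome\/desktop\/media-handling\/automount-open/'`.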

View File

@ -0,0 +1,31 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_desktop_required }}
{{ if .Vars.ubtu24cis_rule_1_7_8 }}
file:
gdm_autorun_never:
title: 1.7.8 | Ensure GDM autorun-never is enabled
path: /etc/dconf/db/local.d/00-media-autorun
exists: true
contents:
- '/^[org/gnome/desktop/media-handling]/'
- '/^autrun-never=true/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.7.8
CISv8: 10.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-1
- CM-2
- CM-6
- CM-7
- IA-5
{{ end }}
{{ end }}
{{ end }}
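Review bot: `'/^autrun-never=true/'` misspells the dconf key, so a correctly configured `autorun-never=true` line never matches and `gdm_autorun_never` cannot pass; fix to `'/^autorun-never=true/'`. The header pattern `'/^[org/gnome/desktop/media-handling]/'` also needs its brackets escaped, since an unescaped `[...]` is a character class.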

View File

@ -0,0 +1,30 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_desktop_required }}
{{ if .Vars.ubtu24cis_rule_1_7_9 }}
file:
gdm_autorun_lock:
title: 1.7.9 | Ensure GDM autorun-never is not overridden
path: /etc/dconf/db/local.d/locks/00-autorun_lock
exists: true
contents:
- '^/\/org\/gnome\/desktop\/media-handling\/autorun-never/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.7.9
CISv8: 10.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-1
- CM-2
- CM-6
- CM-7
- IA-5
{{ end }}
{{ end }}
{{ end }}
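Review bot: `'^/\/org\/gnome\/desktop\/media-handling\/autorun-never/'` in `gdm_autorun_lock` begins with `^/` rather than `/^`, so it is matched as a literal substring and never succeeds; write it as `'/^\/org\/gnome\/desktop\/media-handling\/autorun-never/'`.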

View File

@ -0,0 +1,50 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_1_1 }}
{{ if not .Vars.ubtu24cis_autofs_services }}
{{ if not .Vars.ubtu24cis_autofs_mask }}
package:
autofs_pkg:
title: 2.1.1 | Ensure autofs services are not in use | pkg removed
name: autofs
installed: false
meta:
server: 1
workstation: 2
CIS_ID:
- 2.1.1
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- SI-3
- MP-7
{{ end }}
{{ if .Vars.ubtu24cis_autofs_mask }}
file:
autofs_masked:
title: 2.1.1 | Ensure autofs services are not in use | masked
path: /etc/systemd/system/autofs.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 2
CIS_ID:
- 2.1.1
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- SI-3
- MP-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}

View File

@ -0,0 +1,48 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_1_10 }}
{{ if not .Vars.ubtu24cis_nis_server }}
{{ if not .Vars.ubtu24cis_nis_mask }}
package:
ypserv_pkg:
title: 2.1.10 | Ensure nis server services are not in use | pkg removed
name: ypserv
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.10
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ if .Vars.ubtu24cis_nis_mask }}
file:
ypserv_service_masked:
title: 2.1.10 | Ensure nis server services are not in use | masked
path: /etc/systemd/system/ypserv-server.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.10
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}
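Review bot: the unit masked in `ypserv_service_masked` is `ypserv-server.service`, which does not follow the `ypserv` package name used in `ypserv_pkg`; confirm this is the unit the package actually ships before relying on the symlink check, because `systemctl mask` happily creates the `/dev/null` link for a name that has no unit behind it, and this test would then pass without the real service being disabled.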

View File

@ -0,0 +1,66 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_1_11 }}
{{ if not .Vars.ubtu24cis_print_server }}
{{ if not .Vars.ubtu24cis_print_mask }}
package:
cups_pkg:
title: 2.1.11 | Ensure print server services are not in use | pkg removed
name: cups
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.11
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ if .Vars.ubtu24cis_print_mask }}
file:
cups_service_masked:
title: 2.1.11 | Ensure print server services are not in use | masked
path: /etc/systemd/system/cups.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.11
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
cups_socket_masked:
title: 2.1.11 | Ensure print server services are not in use | masked
path: /etc/systemd/system/cups.socket
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.11
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}

View File

@ -0,0 +1,69 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_1_12 }}
{{ if not .Vars.ubtu24cis_rpc_server }}
{{ if not .Vars.ubtu24cis_rpc_mask }}
package:
rpcbind_pkg:
title: 2.1.12 | Ensure rpcbind services are not in use | pkg removed
name: rpcbind
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.12
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-6
- CM-7
{{ end }}
{{ if .Vars.ubtu24cis_rpc_mask }}
file:
rpcbind_service_masked:
title: 2.1.12 | Ensure rpc services are not in use | masked
path: /etc/systemd/system/rpcbind.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.12
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-6
- CM-7
rpcbind_socket_masked:
title: 2.1.12 | Ensure rpc services are not in use | masked
path: /etc/systemd/system/rpcbind.socket
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.12
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-6
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}

View File

@ -0,0 +1,50 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_1_13 }}
{{ if not .Vars.ubtu24cis_rsync_server }}
{{ if not .Vars.ubtu24cis_rsync_mask }}
package:
rsync_pkg:
title: 2.1.13 | Ensure rsync services are not in use | pkg removed
name: rsync
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.13
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-6
- CM-7
{{ end }}
{{ if .Vars.ubtu24cis_rsync_mask }}
file:
rsync_service_masked:
title: 2.1.13 | Ensure rsync services are not in use | masked
path: /etc/systemd/system/rsync.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.13
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-6
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}

View File

@ -0,0 +1,50 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_1_14 }}
{{ if not .Vars.ubtu24cis_samba_server }}
{{ if not .Vars.ubtu24cis_samba_mask }}
package:
samba_pkg:
title: 2.1.14 | Ensure samba file server services are not in use | pkg removed
name: samba
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.14
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-6
- CM-7
{{ end }}
{{ if .Vars.ubtu24cis_samba_mask }}
file:
samba_service_masked:
title: 2.1.14 | Ensure samba server services are not in use | masked
path: /etc/systemd/system/smbd.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.14
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-6
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}

View File

@ -0,0 +1,48 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_1_15 }}
{{ if not .Vars.ubtu24cis_snmp_server }}
{{ if not .Vars.ubtu24cis_snmp_mask }}
package:
snmp_pkg:
title: 2.1.15 | Ensure snmp services are not in use | pkg removed
name: snmpd
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.15
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ if .Vars.ubtu24cis_snmp_mask }}
file:
snmp_service_masked:
title: 2.1.15 | Ensure snmp services are not in use | masked
path: /etc/systemd/system/snmpd.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.15
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}

View File

@ -0,0 +1,66 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_1_16 }}
{{ if not .Vars.ubtu24cis_tftp_server }}
{{ if not .Vars.ubtu24cis_tftp_mask }}
package:
tftp_pkg:
title: 2.1.16 | Ensure tftp server services are not in use | pkg removed
name: tftpd-hpa
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.16
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ if .Vars.ubtu24cis_tftp_mask }}
file:
tftp_service_masked:
title: 2.1.16 | Ensure tftp server services are not in use | masked
path: /etc/systemd/system/tftpd-hpa.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.16
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
tftp_socket_masked:
title: 2.1.16 | Ensure tftp server services are not in use | masked
path: /etc/systemd/system/tftp.socket
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.16
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}

View File

@ -0,0 +1,50 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_1_17 }}
{{ if not .Vars.ubtu24cis_squid_server }}
{{ if not .Vars.ubtu24cis_squid_mask }}
package:
squid_pkg:
title: 2.1.17 | Ensure web proxy server services are not in use | pkg removed
name: squid
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.17
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-6
- CM-7
{{ end }}
{{ if .Vars.ubtu24cis_squid_mask }}
file:
squid_service_masked:
title: 2.1.17 | Ensure web proxy server services are not in use | masked
path: /etc/systemd/system/squid.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.17
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-6
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}

@ -0,0 +1,66 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_1_18 }}
{{ if not .Vars.ubtu24cis_apache2_server }}
{{ if not .Vars.ubtu24cis_apache2_mask }}
package:
apache2_pkg:
title: 2.1.18 | Ensure web server services are not in use | pkg removed
name: apache2
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.18
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ if .Vars.ubtu24cis_apache2_mask }}
file:
apache2_service_masked:
title: 2.1.18 | Ensure web server services are not in use | masked
path: /etc/systemd/system/apache2.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.18
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
apache2_socket_masked:
title: 2.1.18 | Ensure web server services are not in use | masked
path: /etc/systemd/system/apache2.socket
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.18
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}

@ -0,0 +1,48 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_1_18 }}
{{ if not .Vars.ubtu24cis_nginx_server }}
{{ if not .Vars.ubtu24cis_nginx_mask }}
package:
nginx_pkg:
title: 2.1.18 | Ensure web server services are not in use | pkg removed
name: nginx
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.18
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ if .Vars.ubtu24cis_nginx_mask }}
file:
nginx_service_masked:
title: 2.1.18 | Ensure web server services are not in use | masked
path: /etc/systemd/system/nginx.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.18
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}

@ -0,0 +1,48 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_1_19 }}
{{ if not .Vars.ubtu24cis_xinetd_server }}
{{ if not .Vars.ubtu24cis_xinetd_mask }}
package:
xinetd_pkg:
title: 2.1.19 | Ensure xinetd services are not in use | pkg removed
name: xinetd
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.19
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ if .Vars.ubtu24cis_xinetd_mask }}
file:
xinetd_service_masked:
title: 2.1.19 | Ensure xinetd services are not in use | masked
path: /etc/systemd/system/xinetd.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.19
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}

@ -0,0 +1,66 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_1_2 }}
{{ if not .Vars.ubtu24cis_avahi_server }}
{{ if not .Vars.ubtu24cis_avahi_mask }}
package:
avahi_pkg:
title: 2.1.2 | Ensure avahi daemon services are not in use | pkg removed
name: avahi
installed: false
meta:
server: 1
workstation: 2
CIS_ID:
- 2.1.2
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- SI-4
{{ end }}
{{ if .Vars.ubtu24cis_avahi_mask }}
file:
avahi_socket_masked:
title: 2.1.2 | Ensure avahi daemon services are not in use | masked
path: /etc/systemd/system/avahi-daemon.socket
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 2
CIS_ID:
- 2.1.2
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- SI-4
avahi_service_masked:
title: 2.1.2 | Ensure avahi daemon services are not in use | masked
path: /etc/systemd/system/avahi-daemon.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 2
CIS_ID:
- 2.1.2
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- SI-4
{{ end }}
{{ end }}
{{ end }}
{{ end }}
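
Review bot: avahi_pkg checks `name: avahi`, but the units masked further down are avahi-daemon.socket and avahi-daemon.service, and the Ubuntu package that provides them is avahi-daemon. A package check against a name that does not exist in the archive always reports not installed, so this rule passes on a host that still has avahi-daemon installed; change the name to avahi-daemon. The meta also records `workstation: 2` while the whole file is gated only on ubtu24cis_level_1, so a level-1 workstation run evaluates a level-2 control; gate on the profile as well if the meta is meant to be authoritative.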

@ -0,0 +1,25 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_1_20 }}
{{ if not .Vars.ubtu24cis_xwindow_server }}
package:
xwindow_pkg:
title: 2.1.20 | Ensure X window server services are not in use | pkg removed
name: xserver-common
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.20
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-11
{{ end }}
{{ end }}
{{ end }}

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_is_mail_server }}
{{ if .Vars.ubtu24cis_rule_2_1_21 }}
command:
mta_listening_port25:
title: 2.1.21 Ensure mail transfer agent is configured for local-only mode
exit-status: 1
exec: 'ss -lntu | grep -E ":25\s" | grep -E -v "\s(127.0.0.1|\[?::1\]?):25\s"'
stdout: ['!/./']
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.21
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
file:
/etc/postfix/main.conf:
title: 2.1.21 | Ensure mail transfer agent is configured for local-only mode
exists: true
contents:
- '/^inet_interfaces\s*=\s*loopback-only/'
- '!/^inet_interfaces\s*=\s*all/'
- '!/^(?i)inet_interfaces\s*=\s*ipv4/'
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.21
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ end }}
{{ end }}
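
Review bot: the file resource key `/etc/postfix/main.conf:` is not Postfix's configuration file; Postfix reads /etc/postfix/main.cf, so with `exists: true` this check fails on every host that has Postfix correctly set to loopback-only. Rename the key to /etc/postfix/main.cf. Minor: the command title `2.1.21 Ensure mail transfer agent is configured for local-only mode` is missing the ` | ` separator every other title uses. Also, the whole file is gated on `.Vars.ubtu24cis_is_mail_server`; if that variable means the host is a mail server that must accept remote mail, the loopback-only assertions are wired the wrong way round, so a short comment on the variable's meaning would help the next reader.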

@ -0,0 +1,25 @@
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_1_22 }}
command:
manual_listening_ports:
title: 2.1.22 | Ensure only approved services are listening on a network interface | Manual Check required
exit-status:
or:
- 0
- 1
exec: echo "Manual!! - Please check only approved services are listening"
stdout: ['!/./']
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.22
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ end }}
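
Review bot: the stdout assertion `['!/./']` requires empty output, but the exec line unconditionally echoes `Manual!! - Please check only approved services are listening`, so this check fails on every run regardless of exit status. If a deliberate always-fail is how manual controls are surfaced in this project, a comment saying so would stop the next reader from treating it as a bug; otherwise match the echoed message instead. This is also the only file in the set that omits the leading `---` document marker.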

@ -0,0 +1,66 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_1_3 }}
{{ if not .Vars.ubtu24cis_dhcp_server }}
{{ if not .Vars.ubtu24cis_dhcp_mask }}
package:
dhcp_pkg:
title: 2.1.3 | Ensure dhcp server services are not in use | pkg removed
name: isc-dhcp-server
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.3
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ if .Vars.ubtu24cis_dhcp_mask }}
file:
dhcp_service_masked:
title: 2.1.3 | Ensure dhcp server services are not in use | masked
path: /etc/systemd/system/isc-dhcp-server.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.3
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
dhcp6_service_masked:
title: 2.1.3 | Ensure dhcp server services are not in use | masked
path: /etc/systemd/system/isc-dhcp-server6.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.3
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}

@ -0,0 +1,48 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_1_4 }}
{{ if not .Vars.ubtu24cis_dns_server }}
{{ if not .Vars.ubtu24cis_dns_mask }}
package:
dns_pkg:
title: 2.1.4 | Ensure dns server services are not in use | pkg removed
name: bind9
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.4
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ if .Vars.ubtu24cis_dns_mask }}
file:
dns_service_masked:
title: 2.1.4 | Ensure dns server services are not in use | masked
path: /etc/systemd/system/bind9.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.4
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}

@ -0,0 +1,48 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_1_5 }}
{{ if not .Vars.ubtu24cis_dnsmasq_server }}
{{ if not .Vars.ubtu24cis_dnsmasq_mask }}
package:
dnsmasq_pkg:
title: 2.1.5 | Ensure dnsmasq server services are not in use | pkg removed
name: dnsmasq
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.5
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ if .Vars.ubtu24cis_dnsmasq_mask }}
file:
dnsmasq_service_masked:
title: 2.1.5 | Ensure dnsmasq server services are not in use | masked
path: /etc/systemd/system/dnsmasq.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.5
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}

@ -0,0 +1,48 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_1_6 }}
{{ if not .Vars.ubtu24cis_ftp_server }}
{{ if not .Vars.ubtu24cis_ftp_mask }}
package:
ftp_pkg:
title: 2.1.6 | Ensure ftp server services are not in use | pkg removed
name: vsftp
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.6
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ if .Vars.ubtu24cis_ftp_mask }}
file:
ftp_service_masked:
title: 2.1.6 | Ensure ftp server services are not in use | masked
path: /etc/systemd/system/vsftpd.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.6
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}
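
Review bot: ftp_pkg checks `name: vsftp`, which is not the Ubuntu package name; the server package is vsftpd, as the masked unit vsftpd.service in ftp_service_masked reflects. Because a package name that was never installable always reads as not installed, this check passes on a host that still has vsftpd present; change the name to vsftpd.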

@ -0,0 +1,48 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_1_7 }}
{{ if not .Vars.ubtu24cis_ldap_server }}
{{ if not .Vars.ubtu24cis_ldap_mask }}
package:
ldap_pkg:
title: 2.1.7 | Ensure ldap server services are not in use | pkg removed
name: slapd
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.7
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ if .Vars.ubtu24cis_ldap_mask }}
file:
ldap_service_masked:
title: 2.1.7 | Ensure ldap server services are not in use | masked
path: /etc/systemd/system/slapd.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.7
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}

@ -0,0 +1,82 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_1_8 }}
{{ if not .Vars.ubtu24cis_message_server }}
{{ if not .Vars.ubtu24cis_message_mask }}
package:
dovecot_imapd_pkg:
title: 2.1.8 | Ensure message access server services are not in use | pkg removed
name: dovecot-imapd
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.8
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
dovecot_pop3d_pkg:
title: 2.1.8 | Ensure message access server services are not in use | pkg removed
name: dovecot-pop3d
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.8
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ if .Vars.ubtu24cis_message_mask }}
file:
dovecot_service_masked:
title: 2.1.8 | Ensure message access server services are not in use | masked
path: /etc/systemd/system/dovecot.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.8
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
dovecot_socket_masked:
title: 2.1.8 | Ensure message access server services are not in use | masked
path: /etc/systemd/system/dovecot.socket
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.8
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}

@ -0,0 +1,50 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_1_9 }}
{{ if not .Vars.ubtu24cis_nfs_server }}
{{ if not .Vars.ubtu24cis_nfs_mask }}
package:
nfs_pkg:
title: 2.1.9 | Ensure network file system services are not in use | pkg removed
name: nfs-kernel-server
installed: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.9
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-6
- CM-7
{{ end }}
{{ if .Vars.ubtu24cis_nfs_mask }}
file:
nfs_service_masked:
title: 2.1.9 | Ensure network file system services are not in use | masked
path: /etc/systemd/system/nfs-server.service
exists: true
filetype: symlink
linked-to: /dev/null
meta:
server: 1
workstation: 1
CIS_ID:
- 2.1.9
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-6
- CM-7
{{ end }}
{{ end }}
{{ end }}
{{ end }}

@ -0,0 +1,25 @@
---
{{ if not .Vars.ubtu24cis_nis_client_required }}
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_2_1 }}
package:
nis_client:
title: 2.2.1 | Ensure NIS Client is not installed
installed: false
name: nis
meta:
server: 1
workstation: 1
CIS_ID: 2.2.1
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- CM-11
{{ end }}
{{ end }}
{{ end }}
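
Review bot: `CIS_ID: 2.2.1` is a scalar here, whereas the 2.1.x files express it as a list (`CIS_ID:` followed by `- 2.1.9`), and the same scalar form recurs in the 2.2.x and 2.3.x files that follow. Anything that aggregates the meta blocks has to handle both shapes, so pick one (the list form keeps multi-ID resources possible) and apply it across the set.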

@ -0,0 +1,24 @@
---
{{ if not .Vars.ubtu24cis_rsh_client }}
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_2_2 }}
package:
rsh-client:
title: 2.2.2 | Ensure rsh client is not installed
name: rsh-client
installed: false
meta:
server: 1
workstation: 1
CIS_ID: 2.2.2
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ end }}
{{ end }}

@ -0,0 +1,23 @@
---
{{ if not .Vars.ubtu24cis_talk_client }}
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_2_3 }}
package:
talk:
title: 2.2.3 | Ensure talk client is not installed
installed: false
meta:
server: 1
workstation: 1
CIS_ID: 2.2.3
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ end }}
{{ end }}

@ -0,0 +1,24 @@
---
{{ if not .Vars.ubtu24cis_telnet_required }}
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_2_4 }}
package:
telnet:
title: 2.2.4 | Ensure telnet client is not installed
installed: false
meta:
server: 1
workstation: 1
CIS_ID: 2.2.4
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- CM-11
{{ end }}
{{ end }}
{{ end }}

@ -0,0 +1,24 @@
---
{{ if not .Vars.ubtu24cis_ldap_clients_required }}
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_2_5 }}
package:
ldap-utils:
title: 2.2.5 | Ensure LDAP client is not installed
installed: false
name: ldap-utils
meta:
server: 1
workstation: 1
CIS_ID: 2.2.5
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
{{ end }}
{{ end }}
{{ end }}

@ -0,0 +1,25 @@
---
{{ if not .Vars.ubtu24cis_ftp_client }}
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_2_6 }}
package:
ftp_client:
title: 2.2.6 | Ensure ftp client is not installed
installed: false
name: ftp
meta:
server: 1
workstation: 1
CIS_ID: 2.2.6
CISv8:
- 4.8
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- CM-11
{{ end }}
{{ end }}
{{ end }}

@ -0,0 +1,75 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_3_1_1 }}
package:
{{ .Vars.ubtu24cis_time_sync_tool }}:
title: 2.3.1.1 | Ensure a single time synchronization daemon is in use
installed: true
meta:
server: 1
workstation: 1
CIS_ID: 2.3.1.1
CISv8:
- 8.4
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- AU-3
- AU-12
{{ if eq .Vars.ubtu24cis_time_sync_tool "systemd-timesyncd" }}
ntp:
title: 2.3.1.1 | Ensure time synchronization is in use | ntp service
installed: false
meta:
server: 1
workstation: 1
CIS_ID: 2.3.1.1
CISv8:
- 8.4
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- AU-3
- AU-12
chrony:
title: 2.3.1.1 | Ensure time synchronization is in use | chrony service
installed: false
meta:
server: 1
workstation: 1
CIS_ID: 2.3.1.1
CISv8:
- 8.4
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- AU-3
- AU-12
{{ end }}
{{ if ne .Vars.ubtu24cis_time_sync_tool "systemd-timesyncd" }}
file:
timesync_masked:
title: 2.3.1.1 | Ensure time synchronization is in use | systemd-timesyncd masked
path: /etc/systemd/system/systemd-timesyncd.service
filetype: symlink
linked-to: /dev/null
exists: true
meta:
server: 1
workstation: 1
CIS_ID: 2.3.1.1
CISv8:
- 8.4
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- AU-3
- AU-12
{{ end }}
{{ end }}
{{ end }}
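
Review bot: the `installed: false` checks for ntp and chrony only render when ubtu24cis_time_sync_tool is systemd-timesyncd, so when chrony is selected nothing asserts that ntp is absent (and vice versa), which is the point of a single-daemon control. Render each of the other packages as `installed: false` whenever it differs from the selected tool, e.g. wrap the chrony entry in `{{ if ne .Vars.ubtu24cis_time_sync_tool "chrony" }}` and the ntp entry likewise, instead of tying both to the timesyncd branch. Also note that `{{ .Vars.ubtu24cis_time_sync_tool }}:` is used directly as the package key with no `name:` field, so the variable must hold the exact package name.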

@ -0,0 +1,28 @@
---
{{ if eq .Vars.ubtu24cis_time_sync_tool "systemd-timesyncd" }}
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_3_2_1 }}
file:
timesynd_timeservers:
title: 2.3.2.1 | Ensure systemd-timesyncd configured with authorized timeserver
path: /etc/systemd/timesyncd.conf.d/50-timesyncd.conf
exists: true
contents:
- '/^NTP={{ .Vars.ubtu24cis_time_pool_name }}/'
- '/^FallbackNTP={{- range .Vars.ubtu24cis_time_servers }}{{ .name }} {{ end }}/'
meta:
server: 1
workstation: 1
CIS_ID: 2.3.2.1
CISv8:
- 8.4
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- AU-7
- AU-8
{{ end }}
{{ end }}
{{ end }}
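
Review bot: the FallbackNTP pattern `'/^FallbackNTP={{- range .Vars.ubtu24cis_time_servers }}{{ .name }} {{ end }}/'` emits a space after every server, including the last, so the rendered regex ends in a trailing space and only matches if the line in the file also ends in one; a line written as `FallbackNTP=a b` will not match. Join the names with a separator that is not emitted after the final element. Hostnames are also dropped into the regex unescaped, so dots match any character; acceptable here but worth a comment. Separately, this file reads ubtu24cis_time_pool_name while the chrony file iterates ubtu24cis_time_pool entries with .name; aligning the two variables avoids two conventions for the same data.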

@ -0,0 +1,26 @@
---
{{ if eq .Vars.ubtu24cis_time_sync_tool "systemd-timesyncd" }}
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_3_2_2 }}
service:
timesyncd:
title: 2.3.2.2 | Ensure systemd-timesyncd is enabled and running
enabled: true
running: true
name: systemd-timesyncd
meta:
server: 1
workstation: 1
CIS_ID: 2.3.2.2
CISv8:
- 8.4
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- AU-7
- AU-8
{{ end }}
{{ end }}
{{ end }}

@ -0,0 +1,49 @@
---
{{ if eq .Vars.ubtu24cis_time_sync_tool "chrony" }}
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_3_3_1 }}
file:
chrony_pool:
title: 2.3.3.1 | Ensure chrony is configured with authorized timeserver | timeserver pool
path: /etc/chrony/sources.d/pool.source
exists: true
contents:
{{- range .Vars.ubtu24cis_time_pool }}
- '/^pool {{ .name }} {{ .options }}/'
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID: 2.3.3.1
CISv8:
- 8.4
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- AU-3
- AU-12
chrony_timeservers:
title: 2.3.3.1 | Ensure chrony is configured with authorized timeserver | timeserver servers
path: /etc/chrony/sources.d/server.source
exists: true
contents:
{{- range .Vars.ubtu24cis_time_servers }}
- '/^server {{ .name }} {{ .options }}/'
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID: 2.3.3.1
CISv8:
- 8.4
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- AU-3
- AU-12
{{ end }}
{{ end }}
{{ end }}
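
Review bot: the paths /etc/chrony/sources.d/pool.source and /etc/chrony/sources.d/server.source use a `.source` suffix, but chrony's sourcedir directive only loads files ending in `.sources`; a file with this name satisfies the check while chronyd ignores it, so the check passes on a host with no working time sources. Confirm the filename the remediation writes and use the `.sources` suffix here. The generated patterns `'/^pool {{ .name }} {{ .options }}/'` also end with a trailing space whenever .options is empty, and the `{{ end }}` without a trim marker leaves whitespace-only lines inside the contents list (harmless to YAML, but `{{- end }}` keeps the rendered file clean).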

@ -0,0 +1,26 @@
---
{{ if eq .Vars.ubtu24cis_time_sync_tool "chrony" }}
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_1_2_2 }}
file:
chrony_user:
title: 2.3.3.2 | Ensure chrony is running as user _chrony
path: /etc/chrony/chrony.conf
exists: true
contents:
- '/^user _chrony/'
meta:
server: 1
workstation: 1
CIS_ID: 2.3.3.2
CISv8:
- 8.4
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- AU-8
{{ end }}
{{ end }}
{{ end }}
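
Review bot: the rule gate `{{ if .Vars.ubtu24cis_rule_2_1_2_2 }}` references rule 2.1.2.2, but this file implements 2.3.3.2 (see the title and CIS_ID); it should be `{{ if .Vars.ubtu24cis_rule_2_3_3_2 }}`, otherwise toggling the 2.3.3.2 variable has no effect and the check's presence depends on an unrelated, possibly undefined, variable. Also, the control is about the user chronyd runs as; `/^user _chrony/` in chrony.conf is only a proxy, the Ubuntu package already defaults to _chrony without that line, and a drop-in under /etc/chrony/conf.d would not be seen by a contents check on chrony.conf alone. Consider checking the running process's user instead of, or in addition to, the config line.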

@ -0,0 +1,24 @@
---
{{ if eq .Vars.ubtu24cis_time_sync_tool "chrony" }}
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_3_3_3 }}
service:
chronyd:
title: 2.3.3.3 | Ensure chrony is enabled and running
enabled: true
running: true
meta:
server: 1
workstation: 1
CIS_ID: 2.3.3.3
CISv8:
- 8.4
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- AU-8
{{ end }}
{{ end }}
{{ end }}
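
Review bot: the service key `chronyd:` has no `name:` field, so goss queries a unit called chronyd; on Ubuntu the package installs chrony.service and chronyd is only an alias of it. Either add `name: chrony` or verify on a 24.04 host that `systemctl is-enabled chronyd` reports the state goss expects rather than `alias`.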

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_4_1_1 }}
package:
cron:
title: 2.4.1.1 | Ensure cron daemon is enabled and active | pkg
installed: true
name: cron
meta:
server: 1
workstation: 1
CIS_ID:
- 2.4.1.1
CISv8: NA
CISv8_IG1: NA
CISv8_IG2: NA
CISv8_IG3: NA
NIST800-53R5:
- CM-1
- CM-2
- CM-6
- CM-7
- IA-5
service:
cron:
title: 2.4.1.1 | Ensure cron daemon is enabled and running | service
running: true
enabled: true
meta:
server: 1
workstation: 1
CIS_ID:
- 2.4.1.1
CISv8: NA
CISv8_IG1: NA
CISv8_IG2: NA
CISv8_IG3: NA
NIST800-53R5:
- CM-1
- CM-2
- CM-6
- CM-7
- IA-5
{{ end }}
{{ end }}
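
Review bot: `CISv8: NA` and `CISv8_IG1: NA` (with the IG2/IG3 siblings) change the type of these meta fields from list and boolean to string, and the 2.4.1.2 onward files use the bare scalar `CISv8: 3.3`, which YAML loads as a float rather than the `- 4.8` list form used in section 2.1. Consumers of the meta block end up with three shapes for one field; settling on the list-of-strings form (quoted `- "3.3"`) across the set avoids that.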

@ -0,0 +1,26 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_4_1_2 }}
file:
crontab_perms:
title: 2.4.1.2 | Ensure permissions on /etc/crontab are configured
path: /etc/crontab
exists: true
owner: root
group: root
mode: "0600"
meta:
server: 1
workstation: 1
CIS_ID:
- 2.4.1.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- AC-3
- MP-2
{{ end }}
{{ end }}

@ -0,0 +1,110 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_4_1_3 }}
file:
cron_hourly_perms:
title: 2.4.1.3 | Ensure permissions on /etc/cron.hourly are configured
path: /etc/cron.hourly
exists: true
owner: root
group: root
mode: "0700"
meta:
server: 1
workstation: 1
CIS_ID:
- 2.4.1.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- AC-3
- MP-2
{{ end }}
{{ if .Vars.ubtu24cis_rule_2_4_1_4 }}
cron_daily_perms:
title: 2.4.1.4 | Ensure permissions on /etc/cron.daily are configured
path: /etc/cron.daily
exists: true
owner: root
group: root
mode: "0700"
meta:
server: 1
workstation: 1
CIS_ID:
- 2.4.1.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- AC-3
- MP-2
{{ end }}
{{ if .Vars.ubtu24cis_rule_2_4_1_5 }}
cron_weekly_perms:
title: 2.4.1.5 | Ensure permissions on /etc/cron.weekly are configured
path: /etc/cron.weekly
exists: true
owner: root
group: root
mode: "0700"
meta:
server: 1
workstation: 1
CIS_ID:
- 2.4.1.5
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- AC-3
- MP-2
{{ end }}
{{ if .Vars.ubtu24cis_rule_2_4_1_6 }}
cron_monthly_perms:
title: 2.4.1.6 | Ensure permissions on /etc/cron.monthly are configured
path: /etc/cron.monthly
exists: true
owner: root
group: root
mode: "0700"
meta:
server: 1
workstation: 1
CIS_ID:
- 2.4.1.6
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- AC-3
- MP-2
{{ end }}
{{ if .Vars.ubtu24cis_rule_2_4_1_7 }}
cron_d_perms:
title: 2.4.1.7 | Ensure permissions on /etc/cron.d are configured
path: /etc/cron.d
exists: true
owner: root
group: root
mode: "0700"
meta:
server: 1
workstation: 1
CIS_ID:
- 2.4.1.7
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- AC-3
- MP-2
{{ end }}
{{ end }}
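
Review bot: the `file:` key is emitted only inside `{{ if .Vars.ubtu24cis_rule_2_4_1_3 }}`, which is closed before the 2.4.1.4 to 2.4.1.7 blocks; if 2.4.1.3 is disabled while any later rule stays enabled, the rendered document has cron_daily_perms and its siblings indented under no resource type and goss rejects the file. Move `file:` above the first rule conditional (inside the level-1 guard) so every rule in this file can be toggled independently.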

@ -0,0 +1,42 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_4_1_8 }}
file:
cron_deny_absent:
title: 2.4.1.8 | Ensure cron is restricted to authorized users
path: /etc/cron.deny
exists: false
meta:
server: 1
workstation: 1
CIS_ID:
- 2.4.1.8
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- AC-3
- MP-2
/etc/cron.allow:
title: 2.4.1.8 | Ensure cron is restricted to authorized users
exists: true
owner: root
group: root
mode: "0640"
meta:
server: 1
workstation: 1
CIS_ID:
- 2.4.1.8
- 2.4.1.8
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- AC-3
- MP-2
{{ end }}
{{ end }}
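
Review bot: the CIS_ID list under /etc/cron.allow contains `- 2.4.1.8` twice; drop the duplicate. The two resources also use different key conventions (a named key plus `path:` for cron_deny_absent, the path itself as the key for /etc/cron.allow); the rest of the set uses the named-key form, so aligning on it keeps the output consistent.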
