lint updates

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
Mark Bolwell 2024-09-05 09:15:31 +01:00
parent 8e3457ee3c
commit c090ca580e
No known key found for this signature in database
GPG Key ID: 997FF7FE93AEB5B9
2 changed files with 145 additions and 148 deletions


@ -677,7 +677,6 @@ ubtu24cis_sysctl_kernel_conf: /etc/sysctl.d/98_cis_kernel.conf
# options = 1, 2 or 3
ubtu24_ptrace_value: 1
## Controls 1.6.x - Warning banners
# The controls 1.6.x set various warning banners and protect the respective files
# by tightening the access rights.
@ -718,20 +717,20 @@ ubtu24cis_time_sync_tool: "systemd-timesyncd"
# The default setting for the `options` is `iburst maxsources 4` -- please refer to the documentation
# of the time synchronization mechanism you are using.
ubtu24cis_time_pool:
- name: time.nist.gov
options: iburst maxsources 4
- name: time.nist.gov
options: iburst maxsources 4
# The following variable represents a list of of time servers used
# for configuring chrony and timesyncd
# Each list item contains two settings, `name` (the domain name of the server) and synchronization `options`.
# The default setting for the `options` is `iburst` -- please refer to the documentation
# of the time synchronization mechanism you are using.
ubtu24cis_time_servers:
- name: time-a-g.nist.gov
options: iburst
- name: time-b-g.nist.gov
options: iburst
- name: time-c-g.nist.gov
options: iburst
- name: time-a-g.nist.gov
options: iburst
- name: time-b-g.nist.gov
options: iburst
- name: time-c-g.nist.gov
options: iburst
##
## Section 3 Control Variables
@ -784,9 +783,9 @@ ubtu24cis_ufw_use_sysctl: true
# If you want to allow outbound traffic on all ports, set the variable to `all`, e.g.,
# `ubtu24cis_ufw_allow_out_ports: "all"`.
ubtu24cis_ufw_allow_out_ports:
- 53
- 80
- 443
- 53
- 80
- 443
## Controls 4.2.x - nftables
# Nftables is not supported in this role. Some tasks have parts of them commented out, this is one example
@ -810,86 +809,86 @@ ubtu24cis_sshd_default_client_alive_count_max: 3
# all Ciphers, KEX and Macs set to FIPS 140
# This will nee dto be adjusted according to your site requirements
ubtu24cis_sshd_default_ciphers:
- aes256-gcm@openssh.com
- aes128-gcm@openssh.com
- aes256-ctr
- aes192-ctr
- aes128-ctr
- aes256-gcm@openssh.com
- aes128-gcm@openssh.com
- aes256-ctr
- aes192-ctr
- aes128-ctr
ubtu24cis_sshd_default_macs:
- hmac-sha1
- hmac-sha2-256
# - hmac-sha2-384 # hashed out seen as bad ssh2 MAC
- hmac-sha2-512
- hmac-sha1
- hmac-sha2-256
# - hmac-sha2-384 # hashed out seen as bad ssh2 MAC
- hmac-sha2-512
ubtu24cis_sshd_default_kex_algorithms:
- ecdh-sha2-nistp256
- ecdh-sha2-nistp384
- ecdh-sha2-nistp521
- diffie-hellman-group-exchange-sha256
- diffie-hellman-group16-sha512
- diffie-hellman-group18-sha512
- diffie-hellman-group14-sha256
- ecdh-sha2-nistp256
- ecdh-sha2-nistp384
- ecdh-sha2-nistp521
- diffie-hellman-group-exchange-sha256
- diffie-hellman-group16-sha512
- diffie-hellman-group18-sha512
- diffie-hellman-group14-sha256
ubtu24cis_sshd:
# This variable is used to control the verbosity of the logging produced by the SSH server.
# The options for setting it are as follows:
# - `QUIET`: Minimal logging;
# - `FATAL`: logs only fatal errors;
# - `ERROR`: logs error messages;
# - `INFO`: logs informational messages in addition to errors;
# - `VERBOSE`: logs a higher level of detail, including login attempts and key exchanges;
# - `DEBUG`: generates very detailed debugging information including sensitive information.
log_level: "{{ ubtu24cis_sshd_default_log_level }}"
# This variable specifies the maximum number of authentication attempts that are
# allowed for a single SSH session.
max_auth_tries: "{{ubtu24cis_sshd_default_max_auth_tries}}"
# This variable specifies the encryption algorithms that can be used for securing
# data transmission.
ciphers: "{{ ubtu24cis_sshd_default_ciphers }}"
# This variable specifies a list of message authentication code algorithms (MACs) that are allowed for verifying
# the integrity of data exchanged.
macs: "{{ ubtu24cis_sshd_default_macs }}"
# This variable is used to state the key exchange algorithms used to establish secure encryption
# keys during the initial connection setup.
kex_algorithms: "{{ ubtu24cis_sshd_default_kex_algorithms }}"
# This variable sets the time interval in seconds between sending "keep-alive"
# messages from the server to the client. These types of messages are intended to
# keep the connection alive and prevent it being terminated due to inactivity.
client_alive_interval: "{{ ubtu24cis_sshd_default_client_alive_interval }}"
# This variable sets the maximum number of unresponsive "keep-alive" messages
# that can be sent from the server to the client before the connection is considered
# inactive and thus, closed.
client_alive_count_max: "{{ ubtu24cis_sshd_default_client_alive_count_max }}"
# This variable specifies the amount of seconds allowed for successful authentication to
# the SSH server.
login_grace_time: "{{ ubtu24cis_sshd_default_login_grace_time }}"
# This variables is used to set the maximum number of open sessions per connection.
max_sessions: "{{ ubtu24cis_sshd_default_max_sessions }}"
# This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH
# access for users whose user name matches one of the patterns. This is done
# by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file.
# If an USER@HOST format will be used, the specified user will be allowed only on that particular host.
# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
# For more info, see https://linux.die.net/man/5/sshd_config
allow_users: ""
# (String) This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access
# for users whose primary group or supplementary group list matches one of the patterns. This is done
# by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file.
# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
# For more info, https://linux.die.net/man/5/sshd_config
allow_groups: ""
# This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access
# for users whose user name matches one of the patterns. This is done
# by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file.
# If an USER@HOST format will be used, the specified user will be restricted only on that particular host.
# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
# For more info, see https://linux.die.net/man/5/sshd_config
deny_users: ""
# This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access
# for users whose primary group or supplementary group list matches one of the patterns. This is done
# by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file.
# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
# For more info, see https://linux.die.net/man/5/sshd_config
deny_groups: ""
# This variable is used to control the verbosity of the logging produced by the SSH server.
# The options for setting it are as follows:
# - `QUIET`: Minimal logging;
# - `FATAL`: logs only fatal errors;
# - `ERROR`: logs error messages;
# - `INFO`: logs informational messages in addition to errors;
# - `VERBOSE`: logs a higher level of detail, including login attempts and key exchanges;
# - `DEBUG`: generates very detailed debugging information including sensitive information.
log_level: "{{ ubtu24cis_sshd_default_log_level }}"
# This variable specifies the maximum number of authentication attempts that are
# allowed for a single SSH session.
max_auth_tries: "{{ubtu24cis_sshd_default_max_auth_tries}}"
# This variable specifies the encryption algorithms that can be used for securing
# data transmission.
ciphers: "{{ ubtu24cis_sshd_default_ciphers }}"
# This variable specifies a list of message authentication code algorithms (MACs) that are allowed for verifying
# the integrity of data exchanged.
macs: "{{ ubtu24cis_sshd_default_macs }}"
# This variable is used to state the key exchange algorithms used to establish secure encryption
# keys during the initial connection setup.
kex_algorithms: "{{ ubtu24cis_sshd_default_kex_algorithms }}"
# This variable sets the time interval in seconds between sending "keep-alive"
# messages from the server to the client. These types of messages are intended to
# keep the connection alive and prevent it being terminated due to inactivity.
client_alive_interval: "{{ ubtu24cis_sshd_default_client_alive_interval }}"
# This variable sets the maximum number of unresponsive "keep-alive" messages
# that can be sent from the server to the client before the connection is considered
# inactive and thus, closed.
client_alive_count_max: "{{ ubtu24cis_sshd_default_client_alive_count_max }}"
# This variable specifies the amount of seconds allowed for successful authentication to
# the SSH server.
login_grace_time: "{{ ubtu24cis_sshd_default_login_grace_time }}"
# This variables is used to set the maximum number of open sessions per connection.
max_sessions: "{{ ubtu24cis_sshd_default_max_sessions }}"
# This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH
# access for users whose user name matches one of the patterns. This is done
# by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file.
# If an USER@HOST format will be used, the specified user will be allowed only on that particular host.
# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
# For more info, see https://linux.die.net/man/5/sshd_config
allow_users: ""
# (String) This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access
# for users whose primary group or supplementary group list matches one of the patterns. This is done
# by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file.
# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
# For more info, https://linux.die.net/man/5/sshd_config
allow_groups: ""
# This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access
# for users whose user name matches one of the patterns. This is done
# by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file.
# If an USER@HOST format will be used, the specified user will be restricted only on that particular host.
# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
# For more info, see https://linux.die.net/man/5/sshd_config
deny_users: ""
# This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access
# for users whose primary group or supplementary group list matches one of the patterns. This is done
# by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file.
# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
# For more info, see https://linux.die.net/man/5/sshd_config
deny_groups: ""
## Control 5.2.1
# This variable represents the name of the sudo package to install
@ -1016,22 +1015,22 @@ ubtu24cis_pamd_pwhistory_remember: 24
## Controls 5.4.1.x - Password settings
ubtu24cis_pass:
## Control 5.4.1.1
# This variable governs after how many days a password expires.
# CIS requires a value of 365 or less.
max_days: 365
## Control 5.4.1.2
# This variable specifies the minimum number of days allowed between changing passwords.
# CIS requires a value of at least 1.
min_days: 1
## Control 5.5.1.3
# This variable governs, how many days before a password expires, the user will be warned.
# CIS requires a value of at least 7.
warn_age: 7
## Control 5.4.1.5
# This variable specifies the number of days of inactivity before an account will be locked.
# CIS requires a value of 45 days or less.
inactive: 45
## Control 5.4.1.1
# This variable governs after how many days a password expires.
# CIS requires a value of 365 or less.
max_days: 365
## Control 5.4.1.2
# This variable specifies the minimum number of days allowed between changing passwords.
# CIS requires a value of at least 1.
min_days: 1
## Control 5.5.1.3
# This variable governs, how many days before a password expires, the user will be warned.
# CIS requires a value of at least 7.
warn_age: 7
## Control 5.4.1.5
# This variable specifies the number of days of inactivity before an account will be locked.
# CIS requires a value of 45 days or less.
inactive: 45
# 5.4.2.6 root umask
ubtu24cis_root_umask: '0027' # 0027 or more restrictive
@ -1119,14 +1118,13 @@ ubtu24cis_allow_auditd_uid_user_exclusions: false
# add a list of uids
ubtu24cis_auditd_uid_exclude:
- 1999
- 1999
# 6.1.3.8
# ubtu24cis_logrotate sets the daily, weekly, monthly, yearly value for the log rotation
# To conform to CIS standards this just needs to comply with your site policy
ubtu24cis_logrotate: "daily"
## Control 6.2.1.4 - Ensure audit_backlog_limit is sufficient
# This variable represents the audit backlog limit, i.e., the maximum number of audit records that the
# system can buffer in memory, if the audit subsystem is unable to process them in real-time.
@ -1190,10 +1188,10 @@ ubtu24cis_config_aide: true
## When Initializing aide this can take longer on some systems
# changing the values enables user to change to thier own requirements
ubtu24cis_aide_init:
# Maximum Time in seconds
async: 45
# Polling Interval in seconds
poll: 0
# Maximum Time in seconds
async: 45
# Polling Interval in seconds
poll: 0
## Control 6.3
# Set how aide is scanned either cron or timer
@ -1204,36 +1202,35 @@ ubtu24cis_aide_scan: cron
# Cron is a time-based job scheduling program in Unix OS, which allows tasks to be scheduled
# and executed automatically at a certain point in time.
ubtu24cis_aide_cron:
# This variable represents the user account under which the cron job for AIDE will run.
cron_user: root
# This variable represents the path to the AIDE crontab file.
cron_file: /etc/cron.d/aide_cron
# This variable represents the actual command or script that the cron job
# will execute for running AIDE.
aide_job: '/usr/bin/aide --config /etc/aide/aide.conf --check'
# These variables define the schedule for the cron job
# This variable governs the minute of the time of day when the AIDE cronjob is run.
# It must be in the range `0-59`.
aide_minute: 0
# This variable governs the hour of the time of day when the AIDE cronjob is run.
# It must be in the range `0-23`.
aide_hour: 5
# This variable governs the day of the month when the AIDE cronjob is run.
# `*` signifies that the job is run on all days; furthermore, specific days
# can be given in the range `1-31`; several days can be concatenated with a comma.
# The specified day(s) can must be in the range `1-31`.
aide_day: '*'
# This variable governs months when the AIDE cronjob is run.
# `*` signifies that the job is run in every month; furthermore, specific months
# can be given in the range `1-12`; several months can be concatenated with commas.
# The specified month(s) can must be in the range `1-12`.
aide_month: '*'
# This variable governs the weekdays, when the AIDE cronjob is run.
# `*` signifies that the job is run on all weekdays; furthermore, specific weekdays
# can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays
# can be concatenated with commas.
aide_weekday: '*'
# This variable represents the user account under which the cron job for AIDE will run.
cron_user: root
# This variable represents the path to the AIDE crontab file.
cron_file: /etc/cron.d/aide_cron
# This variable represents the actual command or script that the cron job
# will execute for running AIDE.
aide_job: '/usr/bin/aide --config /etc/aide/aide.conf --check'
# These variables define the schedule for the cron job
# This variable governs the minute of the time of day when the AIDE cronjob is run.
# It must be in the range `0-59`.
aide_minute: 0
# This variable governs the hour of the time of day when the AIDE cronjob is run.
# It must be in the range `0-23`.
aide_hour: 5
# This variable governs the day of the month when the AIDE cronjob is run.
# `*` signifies that the job is run on all days; furthermore, specific days
# can be given in the range `1-31`; several days can be concatenated with a comma.
# The specified day(s) can must be in the range `1-31`.
aide_day: '*'
# This variable governs months when the AIDE cronjob is run.
# `*` signifies that the job is run in every month; furthermore, specific months
# can be given in the range `1-12`; several months can be concatenated with commas.
# The specified month(s) can must be in the range `1-12`.
aide_month: '*'
# This variable governs the weekdays, when the AIDE cronjob is run.
# `*` signifies that the job is run on all weekdays; furthermore, specific weekdays
# can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays
# can be concatenated with commas.
aide_weekday: '*'
##
## Section 7 Control Variables
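Review bot: The new side of the sshd defaults still lists `hmac-sha1` as the first entry of `ubtu24cis_sshd_default_macs`, directly under the comment claiming "all Ciphers, KEX and Macs set to FIPS 140"; hmac-sha1 is on the CIS benchmark's weak-MAC list for the sshd MACs control, so every host applying these role defaults will advertise a MAC the benchmark says to remove. This commit only re-indents, so the value predates it, but because it lives in the defaults every consumer inherits it silently. Dropping the `- hmac-sha1` line leaves hmac-sha2-256 and hmac-sha2-512, which is consistent with the comment; any site that genuinely needs the legacy MAC should set it as an explicit override rather than receive it by default. While there, the `hmac-sha2-384 # hashed out seen as bad ssh2 MAC` comment would be clearer as `# not implemented by OpenSSH, sshd rejects it` (presumably the reason it was commented out), and "This will nee dto be adjusted" should read "This will need to be adjusted".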


@ -128,15 +128,15 @@
- name: "5.2.7 | PATCH | Ensure access to the su command is restricted"
when:
- ubtu24cis_rule_5_2_7
- ubtu24cis_rule_5_2_7
tags:
- level1-server
- level1-workstation
- patch
- sudo
- rule_5.2.7
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
- level1-server
- level1-workstation
- patch
- sudo
- rule_5.2.7
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
block:
- name: "5.2.7 | PATCH | Ensure access to the su command is restricted | Ensure sugroup exists"
ansible.builtin.group: