diff --git a/defaults/main.yml b/defaults/main.yml
index 1db43cd..c0fdc9c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -677,7 +677,6 @@ ubtu24cis_sysctl_kernel_conf: /etc/sysctl.d/98_cis_kernel.conf
 # options = 1, 2 or 3
 ubtu24_ptrace_value: 1
 
-
 ## Controls 1.6.x - Warning banners
 # The controls 1.6.x set various warning banners and protect the respective files
 # by tightening the access rights.
@@ -718,20 +717,20 @@ ubtu24cis_time_sync_tool: "systemd-timesyncd"
 # The default setting for the `options` is `iburst maxsources 4` -- please refer to the documentation
 # of the time synchronization mechanism you are using.
 ubtu24cis_time_pool:
-    - name: time.nist.gov
-      options: iburst maxsources 4
+  - name: time.nist.gov
+    options: iburst maxsources 4
 # The following variable represents a list of of time servers used
 # for configuring chrony and timesyncd
 # Each list item contains two settings, `name` (the domain name of the server) and synchronization `options`.
 # The default setting for the `options` is `iburst` -- please refer to the documentation
 # of the time synchronization mechanism you are using.
 ubtu24cis_time_servers:
-    - name: time-a-g.nist.gov
-      options: iburst
-    - name: time-b-g.nist.gov
-      options: iburst
-    - name: time-c-g.nist.gov
-      options: iburst
+  - name: time-a-g.nist.gov
+    options: iburst
+  - name: time-b-g.nist.gov
+    options: iburst
+  - name: time-c-g.nist.gov
+    options: iburst
 
 ##
 ## Section 3 Control Variables
@@ -784,9 +783,9 @@ ubtu24cis_ufw_use_sysctl: true
 # If you want to allow outbound traffic on all ports, set the variable to `all`, e.g.,
 # `ubtu24cis_ufw_allow_out_ports: "all"`.
 ubtu24cis_ufw_allow_out_ports:
-    - 53
-    - 80
-    - 443
+  - 53
+  - 80
+  - 443
 
 ## Controls 4.2.x - nftables
 # Nftables is not supported in this role. Some tasks have parts of them commented out, this is one example
@@ -810,86 +809,86 @@ ubtu24cis_sshd_default_client_alive_count_max: 3
 # all Ciphers, KEX and Macs set to FIPS 140
 # This will nee dto be adjusted according to your site requirements
 ubtu24cis_sshd_default_ciphers:
-    - aes256-gcm@openssh.com
-    - aes128-gcm@openssh.com
-    - aes256-ctr
-    - aes192-ctr
-    - aes128-ctr
+  - aes256-gcm@openssh.com
+  - aes128-gcm@openssh.com
+  - aes256-ctr
+  - aes192-ctr
+  - aes128-ctr
 ubtu24cis_sshd_default_macs:
-    - hmac-sha1
-    - hmac-sha2-256
-    # - hmac-sha2-384 # hashed out seen as bad ssh2 MAC
-    - hmac-sha2-512
+  - hmac-sha1
+  - hmac-sha2-256
+  # - hmac-sha2-384 # hashed out seen as bad ssh2 MAC
+  - hmac-sha2-512
 ubtu24cis_sshd_default_kex_algorithms:
-    - ecdh-sha2-nistp256
-    - ecdh-sha2-nistp384
-    - ecdh-sha2-nistp521
-    - diffie-hellman-group-exchange-sha256
-    - diffie-hellman-group16-sha512
-    - diffie-hellman-group18-sha512
-    - diffie-hellman-group14-sha256
+  - ecdh-sha2-nistp256
+  - ecdh-sha2-nistp384
+  - ecdh-sha2-nistp521
+  - diffie-hellman-group-exchange-sha256
+  - diffie-hellman-group16-sha512
+  - diffie-hellman-group18-sha512
+  - diffie-hellman-group14-sha256
 
 ubtu24cis_sshd:
-    # This variable is used to control the verbosity of the logging produced by the SSH server.
-    # The options for setting it are as follows:
-    # - `QUIET`: Minimal logging;
-    # - `FATAL`: logs only fatal errors;
-    # - `ERROR`: logs error messages;
-    # - `INFO`: logs informational messages in addition to errors;
-    # - `VERBOSE`: logs a higher level of detail, including login attempts and key exchanges;
-    # - `DEBUG`: generates very detailed debugging information including sensitive information.
-    log_level: "{{ ubtu24cis_sshd_default_log_level }}"
-    # This variable specifies the maximum number of authentication attempts that are
-    # allowed for a single SSH session.
-    max_auth_tries: "{{ubtu24cis_sshd_default_max_auth_tries}}"
-    # This variable specifies the encryption algorithms that can be used for securing
-    # data transmission.
-    ciphers: "{{ ubtu24cis_sshd_default_ciphers }}"
-    # This variable specifies a list of message authentication code algorithms (MACs) that are allowed for verifying
-    # the integrity of data exchanged.
-    macs: "{{ ubtu24cis_sshd_default_macs }}"
-    # This variable is used to state the key exchange algorithms used to establish secure encryption
-    # keys during the initial connection setup.
-    kex_algorithms: "{{ ubtu24cis_sshd_default_kex_algorithms }}"
-    # This variable sets the time interval in seconds between sending "keep-alive"
-    # messages from the server to the client. These types of messages are intended to
-    # keep the connection alive and prevent it being terminated due to inactivity.
-    client_alive_interval: "{{ ubtu24cis_sshd_default_client_alive_interval }}"
-    # This variable sets the maximum number of unresponsive "keep-alive" messages
-    # that can be sent from the server to the client before the connection is considered
-    # inactive and thus, closed.
-    client_alive_count_max: "{{ ubtu24cis_sshd_default_client_alive_count_max }}"
-    # This variable specifies the amount of seconds allowed for successful authentication to
-    # the SSH server.
-    login_grace_time: "{{ ubtu24cis_sshd_default_login_grace_time }}"
-    # This variables is used to set the maximum number of open sessions per connection.
-    max_sessions: "{{ ubtu24cis_sshd_default_max_sessions }}"
-    # This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH
-    # access for users whose user name matches one of the patterns. This is done
-    # by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file.
-    # If an USER@HOST format will be used, the specified user will be allowed only on that particular host.
-    # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
-    # For more info, see https://linux.die.net/man/5/sshd_config
-    allow_users: ""
-    # (String) This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access
-    # for users whose primary group or supplementary group list matches one of the patterns. This is done
-    # by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file.
-    # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
-    # For more info, https://linux.die.net/man/5/sshd_config
-    allow_groups: ""
-    # This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access
-    # for users whose user name matches one of the patterns. This is done
-    # by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file.
-    # If an USER@HOST format will be used, the specified user will be restricted only on that particular host.
-    # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
-    # For more info, see https://linux.die.net/man/5/sshd_config
-    deny_users: ""
-    # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access
-    # for users whose primary group or supplementary group list matches one of the patterns. This is done
-    # by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file.
-    # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
-    # For more info, see https://linux.die.net/man/5/sshd_config
-    deny_groups: ""
+  # This variable is used to control the verbosity of the logging produced by the SSH server.
+  # The options for setting it are as follows:
+  # - `QUIET`: Minimal logging;
+  # - `FATAL`: logs only fatal errors;
+  # - `ERROR`: logs error messages;
+  # - `INFO`: logs informational messages in addition to errors;
+  # - `VERBOSE`: logs a higher level of detail, including login attempts and key exchanges;
+  # - `DEBUG`: generates very detailed debugging information including sensitive information.
+  log_level: "{{ ubtu24cis_sshd_default_log_level }}"
+  # This variable specifies the maximum number of authentication attempts that are
+  # allowed for a single SSH session.
+  max_auth_tries: "{{ubtu24cis_sshd_default_max_auth_tries}}"
+  # This variable specifies the encryption algorithms that can be used for securing
+  # data transmission.
+  ciphers: "{{ ubtu24cis_sshd_default_ciphers }}"
+  # This variable specifies a list of message authentication code algorithms (MACs) that are allowed for verifying
+  # the integrity of data exchanged.
+  macs: "{{ ubtu24cis_sshd_default_macs }}"
+  # This variable is used to state the key exchange algorithms used to establish secure encryption
+  # keys during the initial connection setup.
+  kex_algorithms: "{{ ubtu24cis_sshd_default_kex_algorithms }}"
+  # This variable sets the time interval in seconds between sending "keep-alive"
+  # messages from the server to the client. These types of messages are intended to
+  # keep the connection alive and prevent it being terminated due to inactivity.
+  client_alive_interval: "{{ ubtu24cis_sshd_default_client_alive_interval }}"
+  # This variable sets the maximum number of unresponsive "keep-alive" messages
+  # that can be sent from the server to the client before the connection is considered
+  # inactive and thus, closed.
+  client_alive_count_max: "{{ ubtu24cis_sshd_default_client_alive_count_max }}"
+  # This variable specifies the amount of seconds allowed for successful authentication to
+  # the SSH server.
+  login_grace_time: "{{ ubtu24cis_sshd_default_login_grace_time }}"
+  # This variables is used to set the maximum number of open sessions per connection.
+  max_sessions: "{{ ubtu24cis_sshd_default_max_sessions }}"
+  # This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH
+  # access for users whose user name matches one of the patterns. This is done
+  # by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file.
+  # If an USER@HOST format will be used, the specified user will be allowed only on that particular host.
+  # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
+  # For more info, see https://linux.die.net/man/5/sshd_config
+  allow_users: ""
+  # (String) This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access
+  # for users whose primary group or supplementary group list matches one of the patterns. This is done
+  # by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file.
+  # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
+  # For more info, https://linux.die.net/man/5/sshd_config
+  allow_groups: ""
+  # This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access
+  # for users whose user name matches one of the patterns. This is done
+  # by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file.
+  # If an USER@HOST format will be used, the specified user will be restricted only on that particular host.
+  # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
+  # For more info, see https://linux.die.net/man/5/sshd_config
+  deny_users: ""
+  # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access
+  # for users whose primary group or supplementary group list matches one of the patterns. This is done
+  # by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file.
+  # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
+  # For more info, see https://linux.die.net/man/5/sshd_config
+  deny_groups: ""
 
 ## Control 5.2.1
 # This variable represents the name of the sudo package to install
@@ -1016,22 +1015,22 @@ ubtu24cis_pamd_pwhistory_remember: 24
 
 ## Controls 5.4.1.x - Password settings
 ubtu24cis_pass:
-    ## Control 5.4.1.1
-    # This variable governs after how many days a password expires.
-    # CIS requires a value of 365 or less.
-    max_days: 365
-    ## Control 5.4.1.2
-    # This variable specifies the minimum number of days allowed between changing passwords.
-    # CIS requires a value of at least 1.
-    min_days: 1
-    ## Control 5.5.1.3
-    # This variable governs, how many days before a password expires, the user will be warned.
-    # CIS requires a value of at least 7.
-    warn_age: 7
-    ## Control 5.4.1.5
-    # This variable specifies the number of days of inactivity before an account will be locked.
-    # CIS requires a value of 45 days or less.
-    inactive: 45
+  ## Control 5.4.1.1
+  # This variable governs after how many days a password expires.
+  # CIS requires a value of 365 or less.
+  max_days: 365
+  ## Control 5.4.1.2
+  # This variable specifies the minimum number of days allowed between changing passwords.
+  # CIS requires a value of at least 1.
+  min_days: 1
+  ## Control 5.5.1.3
+  # This variable governs, how many days before a password expires, the user will be warned.
+  # CIS requires a value of at least 7.
+  warn_age: 7
+  ## Control 5.4.1.5
+  # This variable specifies the number of days of inactivity before an account will be locked.
+  # CIS requires a value of 45 days or less.
+  inactive: 45
 
 # 5.4.2.6 root umask
 ubtu24cis_root_umask: '0027' # 0027 or more restrictive
@@ -1119,14 +1118,13 @@ ubtu24cis_allow_auditd_uid_user_exclusions: false
 
 # add a list of uids
 ubtu24cis_auditd_uid_exclude:
-    - 1999
+  - 1999
 
 # 6.1.3.8
 # ubtu24cis_logrotate sets the daily, weekly, monthly, yearly value for the log rotation
 # To conform to CIS standards this just needs to comply with your site policy
 ubtu24cis_logrotate: "daily"
 
-
 ## Control 6.2.1.4 - Ensure audit_backlog_limit is sufficient
 # This variable represents the audit backlog limit, i.e., the maximum number of audit records that the
 # system can buffer in memory, if the audit subsystem is unable to process them in real-time.
@@ -1190,10 +1188,10 @@ ubtu24cis_config_aide: true
 ## When Initializing aide this can take longer on some systems
 # changing the values enables user to change to thier own requirements
 ubtu24cis_aide_init:
-    # Maximum Time in seconds
-    async: 45
-    # Polling Interval in seconds
-    poll: 0
+  # Maximum Time in seconds
+  async: 45
+  # Polling Interval in seconds
+  poll: 0
 
 ## Control 6.3
 # Set how aide is scanned either cron or timer
@@ -1204,36 +1202,35 @@ ubtu24cis_aide_scan: cron
 # Cron is a time-based job scheduling program in Unix OS, which allows tasks to be scheduled
 # and executed automatically at a certain point in time.
 ubtu24cis_aide_cron:
-    # This variable represents the user account under which the cron job for AIDE will run.
-    cron_user: root
-    # This variable represents the path to the AIDE crontab file.
-    cron_file: /etc/cron.d/aide_cron
-    # This variable represents the actual command or script that the cron job
-    # will execute for running AIDE.
-    aide_job: '/usr/bin/aide --config /etc/aide/aide.conf --check'
-    # These variables define the schedule for the cron job
-    # This variable governs the minute of the time of day when the AIDE cronjob is run.
-    # It must be in the range `0-59`.
-    aide_minute: 0
-    # This variable governs the hour of the time of day when the AIDE cronjob is run.
-    # It must be in the range `0-23`.
-    aide_hour: 5
-    # This variable governs the day of the month when the AIDE cronjob is run.
-    # `*` signifies that the job is run on all days; furthermore, specific days
-    # can be given in the range `1-31`; several days can be concatenated with a comma.
-    # The specified day(s) can must be in the range `1-31`.
-    aide_day: '*'
-    # This variable governs months when the AIDE cronjob is run.
-    # `*` signifies that the job is run in every month; furthermore, specific months
-    # can be given in the range `1-12`; several months can be concatenated with commas.
-    # The specified month(s) can must be in the range `1-12`.
-    aide_month: '*'
-    # This variable governs the weekdays, when the AIDE cronjob is run.
-    # `*` signifies that the job is run on all weekdays; furthermore, specific weekdays
-    # can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays
-    # can be concatenated with commas.
-    aide_weekday: '*'
-
+  # This variable represents the user account under which the cron job for AIDE will run.
+  cron_user: root
+  # This variable represents the path to the AIDE crontab file.
+  cron_file: /etc/cron.d/aide_cron
+  # This variable represents the actual command or script that the cron job
+  # will execute for running AIDE.
+  aide_job: '/usr/bin/aide --config /etc/aide/aide.conf --check'
+  # These variables define the schedule for the cron job
+  # This variable governs the minute of the time of day when the AIDE cronjob is run.
+  # It must be in the range `0-59`.
+  aide_minute: 0
+  # This variable governs the hour of the time of day when the AIDE cronjob is run.
+  # It must be in the range `0-23`.
+  aide_hour: 5
+  # This variable governs the day of the month when the AIDE cronjob is run.
+  # `*` signifies that the job is run on all days; furthermore, specific days
+  # can be given in the range `1-31`; several days can be concatenated with a comma.
+  # The specified day(s) can must be in the range `1-31`.
+  aide_day: '*'
+  # This variable governs months when the AIDE cronjob is run.
+  # `*` signifies that the job is run in every month; furthermore, specific months
+  # can be given in the range `1-12`; several months can be concatenated with commas.
+  # The specified month(s) can must be in the range `1-12`.
+  aide_month: '*'
+  # This variable governs the weekdays, when the AIDE cronjob is run.
+  # `*` signifies that the job is run on all weekdays; furthermore, specific weekdays
+  # can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays
+  # can be concatenated with commas.
+  aide_weekday: '*'
 
 ##
 ## Section 7 Control Variables
diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml
index 05bfaa1..6b150e3 100644
--- a/tasks/section_5/cis_5.2.x.yml
+++ b/tasks/section_5/cis_5.2.x.yml
@@ -128,15 +128,15 @@
 
 - name: "5.2.7 | PATCH | Ensure access to the su command is restricted"
   when:
-      - ubtu24cis_rule_5_2_7
+    - ubtu24cis_rule_5_2_7
   tags:
-      - level1-server
-      - level1-workstation
-      - patch
-      - sudo
-      - rule_5.2.7
-      - NIST800-53R5_AC-3
-      - NIST800-53R5_MP-2
+    - level1-server
+    - level1-workstation
+    - patch
+    - sudo
+    - rule_5.2.7
+    - NIST800-53R5_AC-3
+    - NIST800-53R5_MP-2
   block:
     - name: "5.2.7 | PATCH | Ensure access to the su command is restricted | Ensure sugroup exists"
       ansible.builtin.group: