Merge pull request #18 from ansible-lockdown/Feb25_updates

Feb25 updates
uk-bolly 2025-02-21 15:32:43 +00:00 committed by GitHub
commit f7b759396e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
9 changed files with 22 additions and 371 deletions

3
.gitignore vendored

@ -43,3 +43,6 @@ benchparse/
# GitHub Action/Workflow files # GitHub Action/Workflow files
.github/ .github/
# Precommit
.ansible/


@ -240,6 +240,8 @@
when: ('"No change" not in discovered_augenrules_check.stdout') or prelim_auditd_immutable_check.rc == 1 when: ('"No change" not in discovered_augenrules_check.stdout') or prelim_auditd_immutable_check.rc == 1
ansible.builtin.command: augenrules --load ansible.builtin.command: augenrules --load
changed_when: true changed_when: true
failed_when: discovered_augenrule_load.rc not in [ 0, 1 ]
register: discovered_augenrule_load
- name: Audit_immutable_fact - name: Audit_immutable_fact
when: when:
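Review bot: The new `failed_when` at L27 accepts exit status 1 from `augenrules --load` without recording why, so a rules file that fails to load leaves the play green while the audit configuration is silently not in effect. The `when` on L24 already tolerates the immutable-mode case through `prelim_auditd_immutable_check.rc == 1`, which is presumably why rc 1 is allowed here; if so, tie the exception to that condition rather than to the status code alone, `failed_when: discovered_augenrule_load.rc != 0 and prelim_auditd_immutable_check.rc != 1`, and add `# rc 1 is expected only while auditd is immutable; rules then apply at next boot` above it (the prelim task that defines that fact is outside this diff, so confirm its rc semantics). Note that `changed_when: true` on L26 also reports a change on the tolerated-failure path. The task's `name` line is above the hunk.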


@ -9,6 +9,14 @@
- rule_1.2.2.1 - rule_1.2.2.1
- NIST800-53R5_SI-2 - NIST800-53R5_SI-2
- patch - patch
ansible.builtin.package: block:
name: "*" - name: "1.2.2.1 | PATCH | Ensure updates, patches, and additional security software are installedi | Update"
state: latest ansible.builtin.package:
name: "*"
state: latest
register: discovered_pkg_updates
# Resetting connection as ssh stops if patched reset connection kickstarts it
- name: "1.2.2.1 | PATCH | Ensure updates, patches, and additional security software are installed | reset ansible connection if ssh updated"
when: "'openssh-server' in discovered_pkg_updates.stdout"
ansible.builtin.meta: reset_connection
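Review bot: The reset-connection condition on L46 dereferences `discovered_pkg_updates.stdout` unconditionally, but `ansible.builtin.package` (apt on this platform) only returns `stdout` when it actually performed work, so on an already up-to-date host or in check mode this task may fail with an undefined attribute instead of skipping. Guard it with `when: "'openssh-server' in (discovered_pkg_updates.stdout | default(''))"`. There is also a typo in the new task name on L39: `installedi` should be `installed`. The enclosing block's `name` and `when` are above the hunk.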


@ -18,7 +18,7 @@
dest: "{{ ubtu24cis_grub_user_file }}" dest: "{{ ubtu24cis_grub_user_file }}"
owner: root owner: root
group: root group: root
mode: 'go-w' mode: '0755'
notify: Grub update notify: Grub update
- name: "1.4.1 | PATCH | Ensure bootloader password is set | allow unrestricted boot" - name: "1.4.1 | PATCH | Ensure bootloader password is set | allow unrestricted boot"
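Review bot: The mode change at L55 makes `ubtu24cis_grub_user_file` world-readable with `'0755'`, whereas the previous `'go-w'` only stripped write bits and left read permissions as they were. Since this task belongs to 1.4.1 (bootloader password), the file presumably carries the GRUB superuser password hash, and an `/etc/grub.d/` script only needs to be executable by root for `update-grub`, so `mode: '0700'` keeps the executable bit without exposing the hash to unprivileged local users. If this file does not hold the hash, confirm that and add a comment stating why world-read is acceptable. The task's `name` and `src` lines are above the hunk.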


@ -48,365 +48,3 @@
ansible.builtin.package: ansible.builtin.package:
name: ufw name: ufw
state: absent state: absent
- name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy"
when:
- ubtu24cis_rule_4_4_1_1
- ubtu24cis_ipv4_required
- not system_is_ec2
tags:
- level1-server
- level1-workstation
- patch
- rule_4.4.1.1
- iptables
block:
- name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed in"
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
destination_port: 22
jump: ACCEPT
ctstate: 'NEW,ESTABLISHED'
notify: Iptables persistent
- name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed out"
ansible.builtin.iptables:
chain: OUTPUT
protocol: tcp
source_port: 22
jump: ACCEPT
ctstate: 'NEW,ESTABLISHED'
notify: Iptables persistent
- name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy | Enable apt traffic"
ansible.builtin.iptables:
chain: INPUT
ctstate: 'ESTABLISHED'
jump: ACCEPT
notify: Iptables persistent
- name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy | Set drop items"
ansible.builtin.iptables:
policy: DROP
chain: "{{ item }}"
notify: Iptables persistent
with_items:
- INPUT
- FORWARD
- OUTPUT
- name: "4.4.1.2 | PATCH | Ensure iptables loopback traffic is configured"
when:
- ubtu24cis_rule_4_4_1_2
- ubtu24cis_firewall_package == "iptables"
- ubtu24cis_ipv4_required
tags:
- level1-server
- level1-workstation
- patch
- rule_4.4.1.2
- iptables
block:
- name: "4.4.1.2 | PATCH | Ensure iptables loopback traffic is configured | INPUT loopback ACCEPT"
ansible.builtin.iptables:
action: append
chain: INPUT
in_interface: lo
jump: ACCEPT
notify: Iptables persistent
- name: "4.4.1.2 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT"
ansible.builtin.iptables:
action: append
chain: OUTPUT
out_interface: lo
jump: ACCEPT
notify: Iptables persistent
- name: "4.4.1.2 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT"
ansible.builtin.iptables:
action: append
chain: INPUT
source: 127.0.0.0/8
jump: DROP
notify: Iptables persistent
- name: "4.4.1.3 | PATCH | Ensure iptables outbound and established connections are configured"
when:
- ubtu24cis_rule_4_4_1_3
- ubtu24cis_firewall_package == "iptables"
- ubtu24cis_ipv4_required
tags:
- level1-server
- level1-workstation
- patch
- rule_4.4.1.3
- iptables
ansible.builtin.iptables:
action: append
chain: '{{ item.chain }}'
protocol: '{{ item.protocol }}'
match: state
ctstate: '{{ item.ctstate }}'
jump: ACCEPT
notify: Iptables persistent
with_items:
- { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' }
- { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' }
- { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' }
- { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' }
- { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' }
- { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' }
- name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports"
when:
- ubtu24cis_rule_4_4_1_4
- ubtu24cis_firewall_package == "iptables"
- ubtu24cis_ipv4_required
tags:
- level1-server
- level1-workstation
- audit
- rule_4.4.1.4
- iptables
vars:
warn_control_id: '4.4.1.4'
block:
- name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of open ports"
ansible.builtin.command: ss -4tuln
changed_when: false
failed_when: false
check_mode: false
register: discovered_open_ports
- name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules"
ansible.builtin.command: iptables -L INPUT -v -n
changed_when: false
failed_when: false
check_mode: false
register: discovered_current_rules
- name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Warn about settings"
ansible.builtin.debug:
msg:
- "Warning!! Below is the list the open ports and current rules"
- "Please create a rule for any open port that does not have a current rule"
- "Open Ports:"
- "{{ discovered_open_ports.stdout_lines }}"
- "Current Rules:"
- "{{ discovered_current_rules.stdout_lines }}"
- name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Set warning count"
ansible.builtin.import_tasks:
file: warning_facts.yml
# ---------------
# ---------------
# This is not a control however using the iptables module only writes to memery
# if a reboot occurs that means changes can revert. This task will make the
# above iptables settings permanent
# ---------------
# ---------------
# - name: "Make IPTables persistent | Not a control"
# block:
# - name: "Make IPTables persistent | Install iptables-persistent"
# ansible.builtin.package:
# name: iptables-persistent
# state: present
# - name: "Make IPTables persistent | Save to persistent files"
# ansible.builtin.shell: bash -c "iptables-save > /etc/iptables/rules.v4"
# changed_when: discovered_iptables_save.rc == 0
# failed_when: discovered_iptables_save.rc > 0
# register: discovered_iptables_save
# when:
# - ubtu24cis_firewall_package == "iptables"
# - ubtu24cis_save_iptables_cis_rules
# - ubtu24cis_rule_4_4_1_1 or
# ubtu24cis_rule_4_4_1_2 or
# ubtu24cis_rule_4_4_1_3 or
# ubtu24cis_rule_4_4_1_4
- name: "4.4.1.1 | PATCH | Ensure ip6tables default deny firewall policy"
when:
- ubtu24cis_rule_4_4_1_1
- ubtu24cis_ipv6_required
tags:
- level1-server
- level1-workstation
- patch
- rule_4.4.1.1
- ip6tables
block:
- name: "4.4.1.1 | PATCH | Ensure ip6tables default deny firewall policy | Configure SSH to be allowed out"
ansible.builtin.iptables:
chain: OUTPUT
protocol: tcp
source_port: 22
jump: ACCEPT
ctstate: 'NEW,ESTABLISHED'
ip_version: ipv6
notify: Ip6tables persistent
- name: "4.4.1.1 | PATCH | Ensure ip6tables default deny firewall policy | Enable apt traffic"
ansible.builtin.iptables:
chain: INPUT
ctstate: 'ESTABLISHED'
jump: ACCEPT
ip_version: ipv6
notify: Ip6tables persistent
- name: "4.4.1.1 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items"
ansible.builtin.iptables:
policy: DROP
chain: "{{ item }}"
ip_version: ipv6
notify: Ip6tables persistent
loop:
- INPUT
- FORWARD
- OUTPUT
- name: "4.4.1.2 | PATCH | Ensure ip6tables loopback traffic is configured"
when:
- ubtu24cis_rule_4_4_1_2
- ubtu24cis_firewall_package == "iptables"
- ubtu24cis_ipv6_required
- not ubtu24cis_ipv4_required
tags:
- level1-server
- level1-workstation
- patch
- rule_4.4.1.2
- ip6tables
block:
- name: "4.4.1.2 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback ACCEPT"
ansible.builtin.iptables:
action: append
chain: INPUT
in_interface: lo
jump: ACCEPT
ip_version: ipv6
notify: Ip6tables persistent
- name: "4.4.1.2 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT loopback ACCEPT"
ansible.builtin.iptables:
action: append
chain: OUTPUT
out_interface: lo
jump: ACCEPT
ip_version: ipv6
notify: Ip6tables persistent
- name: "4.4.1.2 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback drop"
ansible.builtin.iptables:
action: append
chain: INPUT
source: ::1
jump: DROP
ip_version: ipv6
notify: Ip6tables persistent
- name: "4.4.1.3 | PATCH | Ensure ip6tables outbound and established connections are configured"
when:
- ubtu24cis_rule_4_4_1_3
- ubtu24cis_firewall_package == "iptables"
- ubtu24cis_ipv6_required
- not ubtu24cis_ipv4_required
tags:
- level1-server
- level1-workstation
- patch
- rule_4.4.1.3
- ip6tables
ansible.builtin.iptables:
action: append
chain: '{{ item.chain }}'
protocol: '{{ item.protocol }}'
match: state
ctstate: '{{ item.ctstate }}'
jump: ACCEPT
ip_version: ipv6
notify: Ip6tables persistent
loop:
- { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' }
- { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' }
- { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' }
- { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' }
- { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' }
- { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' }
- name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports"
when:
- ubtu24cis_rule_4_4_1_4
- ubtu24cis_firewall_package == "iptables"
- ubtu24cis_ipv6_required
- not ubtu24cis_ipv4_required
tags:
- level1-server
- level1-workstation
- audit
- rule_4.4.1.4
- ip6tables
vars:
warn_control_id: '4.4.1.4'
block:
- name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of open ports"
ansible.builtin.command: ss -6tuln
changed_when: false
failed_when: false
check_mode: false
register: discovered_open_ports
- name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of rules"
ansible.builtin.command: ip6tables -L INPUT -v -n
changed_when: false
failed_when: false
check_mode: false
register: discovered_current_rules
- name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Warn about settings"
ansible.builtin.debug:
msg:
- "Warning!! Below is the list the open ports and current rules"
- "Please create a rule for any open port that does not have a current rule"
- "Open Ports:"
- "{{ discovered_open_ports.stdout_lines }}"
- "Current Rules:"
- "{{ discovered_current_rules.stdout_lines }}"
- name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Set warning count"
ansible.builtin.import_tasks:
file: warning_facts.yml
# ---------------
# ---------------
# This is not a control however using the ip6tables module only writes to memery
# if a reboot occurs that means changes can revert. This task will make the
# above ip6tables settings permanent
# ---------------
# ---------------
# via handler
# - name: "Make IP6Tables persistent | Not a control"
# block:
# - name: "Make IP6Tables persistent | Install iptables-persistent"
# ansible.builtin.package:
# name: iptables-persistent
# state: present
# when: "'iptables-persistent' not in ansible_facts.packages"
# - name: "Make IP6Tables persistent | Save to persistent files"
# ansible.builtin.shell: bash -c "ip6tables-save > /etc/iptables/rules.v6"
# changed_when: discovered_ip6tables_save.rc == 0
# failed_when: discovered_ip6tables_save.rc > 0
# register: discovered_ip6tables_save
# when:
# - ubtu24cis_firewall_package == "iptables"
# - ubtu24cis_ipv6_required
# - not ubtu24cis_ipv4_required
# - ubtu24cis_save_iptables_cis_rules
# - ubtu24cis_rule_4_4_1_1 or
# ubtu24cis_rule_4_4_1_2 or
# ubtu24cis_rule_4_4_1_3 or
# ubtu24cis_rule_4_4_1_4


@ -15,7 +15,7 @@
file: cis_4.3.x.yml file: cis_4.3.x.yml
- name: "SECTION | 4.4.1.x | Configure iptables software" - name: "SECTION | 4.4.1.x | Configure iptables software"
when: ubtu24cis_firewall_package == "nftables" when: ubtu24cis_firewall_package == "iptables"
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: cis_4.4.1.x.yml file: cis_4.4.1.x.yml
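Review bot: Flipping the `when` at L406 to `"iptables"` makes `cis_4.4.1.x.yml` run for iptables hosts, but in this same commit that file loses every task after the ufw removal (the 4.4.1.1–4.4.1.4 default-deny, loopback, established-connection and open-port tasks), so as far as this diff shows a host with `ubtu24cis_firewall_package == "iptables"` now has ufw purged and no packet-filter policy applied at all. Either reinstate the default-deny tasks in a file this import still reaches, or record the decision next to the import, e.g. `# cis_4.4.1.x.yml now only removes ufw; iptables policy tasks were dropped - confirm intended`. The surrounding section tasks are outside the hunk.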


@ -187,7 +187,7 @@
- NIST800-53R5_CM-6 - NIST800-53R5_CM-6
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
- NIST800-53R5_IA-5 - NIST800-53R5_IA-5
- sshdd - sshd
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config path: /etc/ssh/sshd_config
regexp: "{{ item.regexp }}" regexp: "{{ item.regexp }}"


@ -30,7 +30,7 @@
- NIST800-53R5_AU-3 - NIST800-53R5_AU-3
- NIST800-53R5_AU-12 - NIST800-53R5_AU-12
- auditd - auditd
ansible.builtin.service: ansible.builtin.systemd_service:
name: auditd name: auditd
state: started state: started
enabled: true enabled: true
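Review bot: `ansible.builtin.systemd_service` at L427 is, to my knowledge, the module name introduced in ansible-core 2.15 (earlier releases resolve only `ansible.builtin.systemd`), so this task will fail to resolve on older controllers unless the role's `meta/main.yml` `min_ansible_version` already requires 2.15 or newer. Confirm that requirement, or keep `ansible.builtin.systemd: name: auditd` which resolves on both. The task's `name` and `when` lines are above the hunk.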


@ -309,7 +309,7 @@
warn_control_id: '7.2.10' warn_control_id: '7.2.10'
block: block:
- name: "7.2.10 | AUDIT | Ensure local interactive user dot files access is configured | Check for files" - name: "7.2.10 | AUDIT | Ensure local interactive user dot files access is configured | Check for files"
ansible.builtin.shell: find /home/ -name "\.*" -perm /g+w,o+w ansible.builtin.shell: find /home/ /root/ -name "\.*" -type f -perm /u+x,g+wx,o+wx
changed_when: false changed_when: false
failed_when: discovered_homedir_dot_files.rc not in [ 0, 1 ] failed_when: discovered_homedir_dot_files.rc not in [ 0, 1 ]
check_mode: false check_mode: false
@ -336,5 +336,5 @@
- ubtu24cis_dotperm_ansiblemanaged - ubtu24cis_dotperm_ansiblemanaged
ansible.builtin.file: ansible.builtin.file:
path: '{{ item }}' path: '{{ item }}'
mode: 'go-w' mode: 'u-x,go-wx'
with_items: "{{ discovered_homedir_dot_files.stdout_lines }}" with_items: "{{ discovered_homedir_dot_files.stdout_lines }}"
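Review bot: The new `find` at L438 has no `-maxdepth`, so combined with the added `-perm /u+x` it walks every subdirectory of `/home/` and `/root/`, and the remediation at L446 then strips the user execute bit from any dot-named regular file anywhere in those trees (for example dot-prefixed scripts under `~/.local` or inside checked-out repositories), not only the login dot files this control targets. If top-level dot files are the intent, bound the search: `ansible.builtin.shell: find /home/ /root/ -maxdepth 2 -name "\.*" -type f -perm /u+x,g+wx,o+wx`. Separately, a file matched only on `g+w` or `o+w` still receives `u-x` from the single symbolic mode `'u-x,go-wx'`, which may remove a deliberate execute bit; consider applying the writable and executable fixes as two tasks. The block's `name` and `when` are above the first hunk.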