144 lines
3.9 KiB
YAML
144 lines
3.9 KiB
YAML
---
|
|
|
|
- name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set active kernel parameter"
|
|
when: ubtu24cis_rule_1_5_1
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_1.5.1
|
|
- NIST800-53R5_CM-6
|
|
- aslr
|
|
ansible.posix.sysctl:
|
|
name: kernel.randomize_va_space
|
|
value: '2'
|
|
state: present
|
|
sysctl_file: "{{ ubtu24cis_sysctl_kernel_conf }}"
|
|
reload: true
|
|
sysctl_set: true
|
|
ignoreerrors: true
|
|
|
|
- name: "1.5.2 | PATCH | Ensure ptrace_scope is restricted"
|
|
when: ubtu24cis_rule_1_5_2
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_1.5.2
|
|
- NIST800-53R5_CM-6
|
|
- ptrace
|
|
ansible.posix.sysctl:
|
|
name: kernel.yama.ptrace_scope
|
|
value: "{{ ubtu24_ptrace_value }}"
|
|
state: present
|
|
sysctl_file: "{{ ubtu24cis_sysctl_kernel_conf }}"
|
|
reload: true
|
|
sysctl_set: true
|
|
ignoreerrors: true
|
|
|
|
- name: "1.5.3 | PATCH | Ensure core dumps are restricted"
|
|
when: ubtu24cis_rule_1_5_3
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_1.5.3
|
|
- NIST800-53R5_CM-6
|
|
- coredump
|
|
block:
|
|
- name: "1.5.3 | PATCH | Ensure core dumps are restricted | kernel sysctl"
|
|
ansible.posix.sysctl:
|
|
name: fs.suid_dumpable
|
|
value: '0'
|
|
state: present
|
|
sysctl_file: "{{ ubtu24cis_sysctl_kernel_conf }}"
|
|
reload: true
|
|
sysctl_set: true
|
|
ignoreerrors: true
|
|
|
|
- name: "1.5.3 | PATCH | Ensure core dumps are restricted | security limits"
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/security/limits.d/99_zero_core.conf
|
|
regexp: '^\* hard core'
|
|
line: '* hard core 0'
|
|
create: true
|
|
owner: root
|
|
group: root
|
|
mode: 'go-r'
|
|
|
|
- name: "1.5.3 | PATCH | Ensure core dumps are restricted | sysctl.conf"
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/sysctl.conf
|
|
regexp: '^fs.suid_dumpable'
|
|
line: fs.suid_dumpable=0
|
|
owner: root
|
|
group: root
|
|
mode: 'go-r'
|
|
notify: Reload systemctl
|
|
|
|
- name: "1.5.3 | PATCH | Ensure core dumps are restricted | coredump.conf"
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/systemd/coredump.conf
|
|
regexp: "{{ item.regexp }}"
|
|
line: "{{ item.line }}"
|
|
create: true
|
|
owner: root
|
|
group: root
|
|
mode: 'go-r'
|
|
loop:
|
|
- { regexp: '^Storage', line: 'Storage=none' }
|
|
- { regexp: '^ProcessSizeMax', line: 'ProcessSizeMax=0' }
|
|
|
|
- name: "1.5.4 | PATCH | Ensure prelink is not installed"
|
|
when:
|
|
- ubtu24cis_rule_1_5_4
|
|
- "'prelink' in ansible_facts.packages"
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_1.5.4
|
|
- NIST800-53R5_CM-1
|
|
- NIST800-53R5_CM-3
|
|
- NIST800-53R5_CM-6
|
|
- prelink
|
|
block:
|
|
- name: "1.5.4 | PATCH | Ensure prelink is not installed | Restore binaries to normal"
|
|
ansible.builtin.command: prelink -ua
|
|
changed_when: false
|
|
failed_when: false
|
|
|
|
- name: "1.5.4 | PATCH | Ensure prelink is not installed| Remove prelink package"
|
|
ansible.builtin.package:
|
|
name: prelink
|
|
state: absent
|
|
purge: "{{ ubtu24cis_purge_apt }}"
|
|
|
|
- name: "1.5.5 | PATCH | Ensure Automatic Error Reporting is not enabled"
|
|
when: ubtu24cis_rule_1_5_5
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_1.5.5
|
|
- NIST800-53R5_NA
|
|
- apport
|
|
block:
|
|
- name: "1.5.5 | PATCH | Ensure Automatic Error Reporting is not enabled | disable"
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/default/apport
|
|
regexp: ^enabled
|
|
line: enabled=0
|
|
create: true
|
|
owner: root
|
|
group: root
|
|
mode: 'go-r'
|
|
|
|
- name: "1.5.5 | PATCH | Ensure Automatic Error Reporting is not enabled | remove package"
|
|
when:
|
|
- "'apport' in ansible_facts.packages"
|
|
ansible.builtin.package:
|
|
name: apport
|
|
state: absent
|
|
purge: "{{ ubtu24cis_purge_apt }}"
|