---

## Switching on/off specific baseline sections
# These variables govern whether the tasks of a particular section are to be executed when running the role.
# E.g: If you want to execute the tasks of Section 1 you should set the "_section1" variable
# to "true". If you do not want the tasks from that section to get executed you simply set the variable to "false".
ubtu24cis_section1: true
ubtu24cis_section2: true
ubtu24cis_section3: true
ubtu24cis_section4: true
ubtu24cis_section5: true
ubtu24cis_section6: true
ubtu24cis_section7: true

## Reboot system before audit
# The system is rebooted before the audit only when this is set to false; a reboot can give better audit results
skip_reboot: true

## Benchmark name and profiles used by auditing control role
# The audit variable found at the base
benchmark: UBUNTU24-CIS
benchmark_version: v1.0.0

# Used for audit
ubtu24cis_level_1: true
ubtu24cis_level_2: true

## Possibly disruptive tasks
# This variable governs whether tasks of a potentially disruptive nature on your system
# (e.g., removing .forward and .netrc files for interactive users) are carried out.
# If you set this variable to "true", the role will carry out such tasks; if you set it to
# "false", these tasks will be skipped.
ubtu24cis_disruption_high: true

## Unrestricted boot
# Setting this variable to false enables the system to
# boot *without* querying for the bootloader password.
ubtu24cis_ask_passwd_to_boot: false

## Usage on containerized images
# The role discovers dynamically (in tasks/main.yml) whether it
# is executed on a container image and sets the variable
# system_is_container to true. Otherwise, the default value
# 'false' is left unchanged.
container_vars_file: is_container.yml

## Root user used
# Root by default is not used unless set up by the user
# The role will only run certain commands if set to true
# This allows the ability to skip tasks that may cause an issue
ubtu24cis_uses_root: false
###
### Settings for associated Audit role using Goss
###

###########################################
### Goss is required on the remote host ###
### vars/auditd.yml for other settings ###

# Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system)
setup_audit: false

# enable audits to run - this runs the audit and gets the latest content
run_audit: false
# Run heavy tests - some tests can have more impact on a system; enabling these can have greater impact on a system
audit_run_heavy_tests: true

## Only run Audit do not remediate
audit_only: false
### As part of audit_only ###
# This will enable files to be copied back to control node in audit_only mode
fetch_audit_files: false
# Path to copy the files to; will create dir structure in audit_only mode
# NOTE(review): placeholder value -- replace with a real control-node path before setting fetch_audit_files to true
audit_capture_files_dir: /some/location to copy to on control node
#############################

# How to retrieve audit binary
# Options are copy or download - detailed settings at the bottom of this file
# you will need access to either github or the file already downloaded
# NOTE(review): with `download` the goss binary is fetched over the network; confirm how its integrity
# is verified (those settings are not in this part of the file) before enabling setup_audit
get_audit_binary_method: download

## if get_audit_binary_method - copy the following needs to be updated for your environment
## it is expected that it will be copied from somewhere accessible to the control node
## e.g copy from ansible control node to remote host
audit_bin_copy_location: /some/accessible/path

# how to get audit files onto host options
# options are git/copy/archive/get_url other e.g. if you wish to run from already downloaded conf
audit_content: git

# If using either archive, copy, get_url:
## Note will work with .tar files - zip will require extra configuration
### If using get_url this is expecting github url in tar.gz format e.g.
### https://github.com/ansible-lockdown/UBUNTU24-CIS-Audit/archive/refs/heads/benchmark-v1.0.0.tar.gz
audit_conf_source: "some path or url to copy from"

# Destination for the audit content to be placed on managed node
# note may not need full path e.g. /opt with the directory being the {{ benchmark }}-Audit directory
audit_conf_dest: "/opt"

# Where the audit logs are stored
audit_log_dir: '/opt'

### Goss Settings ##
####### END ########
## Running in EC2 pipeline
# Skip events for EC2 instance testing pipeline.
# This variable is set to true for automated tests
# carried out for this role by the role maintainers.
system_is_ec2: false

##
## Rule-specific switches
##
## Use the switches below to disable specific rules independently of the chosen profile
##
## Section 1 Fixes
# Section 1 is Initial setup (FileSystem Configuration, Configure Software Updates, Filesystem Integrity Checking, Secure Boot Settings,
# Additional Process Hardening, Mandatory Access Control, Command Line Warning Banners, and GNOME Display Manager)

# 1.1 Filesystems
# 1.1.1 Configure Filesystem Kernel Modules
ubtu24cis_rule_1_1_1_1: true
ubtu24cis_rule_1_1_1_2: true
ubtu24cis_rule_1_1_1_3: true
ubtu24cis_rule_1_1_1_4: true
ubtu24cis_rule_1_1_1_5: true
ubtu24cis_rule_1_1_1_6: true
ubtu24cis_rule_1_1_1_7: true
ubtu24cis_rule_1_1_1_8: true
ubtu24cis_rule_1_1_1_9: true
ubtu24cis_rule_1_1_1_10: true

# 1.1.2 Configure Filesystem Partitions
# /tmp
ubtu24cis_rule_1_1_2_1_1: true
ubtu24cis_rule_1_1_2_1_2: true
ubtu24cis_rule_1_1_2_1_3: true
ubtu24cis_rule_1_1_2_1_4: true

# /dev/shm
ubtu24cis_rule_1_1_2_2_1: true
ubtu24cis_rule_1_1_2_2_2: true
ubtu24cis_rule_1_1_2_2_3: true
ubtu24cis_rule_1_1_2_2_4: true

# /home
ubtu24cis_rule_1_1_2_3_1: true
ubtu24cis_rule_1_1_2_3_2: true
ubtu24cis_rule_1_1_2_3_3: true

# /var
ubtu24cis_rule_1_1_2_4_1: true
ubtu24cis_rule_1_1_2_4_2: true
ubtu24cis_rule_1_1_2_4_3: true

# /var/tmp
ubtu24cis_rule_1_1_2_5_1: true
ubtu24cis_rule_1_1_2_5_2: true
ubtu24cis_rule_1_1_2_5_3: true
ubtu24cis_rule_1_1_2_5_4: true

# /var/log
ubtu24cis_rule_1_1_2_6_1: true
ubtu24cis_rule_1_1_2_6_2: true
ubtu24cis_rule_1_1_2_6_3: true
ubtu24cis_rule_1_1_2_6_4: true

# /var/log/audit
ubtu24cis_rule_1_1_2_7_1: true
ubtu24cis_rule_1_1_2_7_2: true
ubtu24cis_rule_1_1_2_7_3: true
ubtu24cis_rule_1_1_2_7_4: true

# 1.2 Package mgmt
# 1.2.1 Configure Package repositories
ubtu24cis_rule_1_2_1_1: true
ubtu24cis_rule_1_2_1_2: true
# 1.2.2 Configure Package updates
ubtu24cis_rule_1_2_2_1: true

# 1.3 Mandatory Access Control
## 1.3.1 Configure AppArmor
ubtu24cis_rule_1_3_1_1: true
ubtu24cis_rule_1_3_1_2: true
ubtu24cis_rule_1_3_1_3: true
ubtu24cis_rule_1_3_1_4: true

# 1.4 Configure Bootloader
ubtu24cis_rule_1_4_1: true
ubtu24cis_rule_1_4_2: true

# 1.5 Configure additional Process Hardening
ubtu24cis_rule_1_5_1: true
ubtu24cis_rule_1_5_2: true
ubtu24cis_rule_1_5_3: true
ubtu24cis_rule_1_5_4: true
ubtu24cis_rule_1_5_5: true

# 1.6 Configure Command Line Warning Banners
ubtu24cis_rule_1_6_1: true
ubtu24cis_rule_1_6_2: true
ubtu24cis_rule_1_6_3: true
ubtu24cis_rule_1_6_4: true
ubtu24cis_rule_1_6_5: true
ubtu24cis_rule_1_6_6: true

# 1.7 Configure GNOME Display Manager
ubtu24cis_rule_1_7_1: true
ubtu24cis_rule_1_7_2: true
ubtu24cis_rule_1_7_3: true
ubtu24cis_rule_1_7_4: true
ubtu24cis_rule_1_7_5: true
ubtu24cis_rule_1_7_6: true
ubtu24cis_rule_1_7_7: true
ubtu24cis_rule_1_7_8: true
ubtu24cis_rule_1_7_9: true
ubtu24cis_rule_1_7_10: true
## Section 2 Fixes
# Section 2 is Services (Special Purpose Services, and service clients)

# 2.1 Configure Server Services
ubtu24cis_rule_2_1_1: true
ubtu24cis_rule_2_1_2: true
ubtu24cis_rule_2_1_3: true
ubtu24cis_rule_2_1_4: true
ubtu24cis_rule_2_1_5: true
ubtu24cis_rule_2_1_6: true
ubtu24cis_rule_2_1_7: true
ubtu24cis_rule_2_1_8: true
ubtu24cis_rule_2_1_9: true
ubtu24cis_rule_2_1_10: true
ubtu24cis_rule_2_1_11: true
ubtu24cis_rule_2_1_12: true
ubtu24cis_rule_2_1_13: true
ubtu24cis_rule_2_1_14: true
ubtu24cis_rule_2_1_15: true
ubtu24cis_rule_2_1_16: true
ubtu24cis_rule_2_1_17: true
ubtu24cis_rule_2_1_18: true
ubtu24cis_rule_2_1_19: true
ubtu24cis_rule_2_1_20: true
ubtu24cis_rule_2_1_21: true
ubtu24cis_rule_2_1_22: true

# 2.2 Configure client services
ubtu24cis_rule_2_2_1: true
ubtu24cis_rule_2_2_2: true
ubtu24cis_rule_2_2_3: true
ubtu24cis_rule_2_2_4: true
ubtu24cis_rule_2_2_5: true
ubtu24cis_rule_2_2_6: true

# 2.3 Time synchronization
# 2.3.1.1 Ensure time synchronization is in use
ubtu24cis_rule_2_3_1_1: true
# 2.3.2 Configure systemd-timesyncd
ubtu24cis_rule_2_3_2_1: true
ubtu24cis_rule_2_3_2_2: true
# 2.3.3 Configure Chrony
ubtu24cis_rule_2_3_3_1: true
ubtu24cis_rule_2_3_3_2: true
ubtu24cis_rule_2_3_3_3: true

# 2.4 Job Schedulers
# 2.4.1 Configure Cron
ubtu24cis_rule_2_4_1_1: true
ubtu24cis_rule_2_4_1_2: true
ubtu24cis_rule_2_4_1_3: true
ubtu24cis_rule_2_4_1_4: true
ubtu24cis_rule_2_4_1_5: true
ubtu24cis_rule_2_4_1_6: true
ubtu24cis_rule_2_4_1_7: true
ubtu24cis_rule_2_4_1_8: true
# 2.4.2 Configure At
ubtu24cis_rule_2_4_2_1: true
## Section 3 Network Configuration
# 3.1 Configure Network Devices
ubtu24cis_rule_3_1_1: true
ubtu24cis_rule_3_1_2: true
ubtu24cis_rule_3_1_3: true
# 3.2 Configure Network Kernel Modules (Host Only)
ubtu24cis_rule_3_2_1: true
ubtu24cis_rule_3_2_2: true
ubtu24cis_rule_3_2_3: true
ubtu24cis_rule_3_2_4: true
# 3.3 Configure Network Kernel Parameters (Host and Router)
ubtu24cis_rule_3_3_1: true
ubtu24cis_rule_3_3_2: true
ubtu24cis_rule_3_3_3: true
ubtu24cis_rule_3_3_4: true
ubtu24cis_rule_3_3_5: true
ubtu24cis_rule_3_3_6: true
ubtu24cis_rule_3_3_7: true
ubtu24cis_rule_3_3_8: true
ubtu24cis_rule_3_3_9: true
ubtu24cis_rule_3_3_10: true
ubtu24cis_rule_3_3_11: true
## Section 4 Host Based Firewall

# 4.1 single firewall
ubtu24cis_rule_4_1_1: true

# 4.2 Configure UncomplicatedFirewall
ubtu24cis_rule_4_2_1: true
ubtu24cis_rule_4_2_2: true
ubtu24cis_rule_4_2_3: true
ubtu24cis_rule_4_2_4: true
ubtu24cis_rule_4_2_5: true
ubtu24cis_rule_4_2_6: true
ubtu24cis_rule_4_2_7: true
# 4.3 Configure nftables
ubtu24cis_rule_4_3_1: true
ubtu24cis_rule_4_3_2: true
ubtu24cis_rule_4_3_3: true
ubtu24cis_rule_4_3_4: true
ubtu24cis_rule_4_3_5: true
ubtu24cis_rule_4_3_6: true
ubtu24cis_rule_4_3_7: true
ubtu24cis_rule_4_3_8: true
ubtu24cis_rule_4_3_9: true
ubtu24cis_rule_4_3_10: true

# 4.4.1 Configure iptables software
ubtu24cis_rule_4_4_1_1: true
ubtu24cis_rule_4_4_1_2: true
ubtu24cis_rule_4_4_1_3: true

# 4.4.2 Configure IPv4 iptables
ubtu24cis_rule_4_4_2_1: true
ubtu24cis_rule_4_4_2_2: true
ubtu24cis_rule_4_4_2_3: true
ubtu24cis_rule_4_4_2_4: true
# 4.4.3 Configure IPv6 iptables
ubtu24cis_rule_4_4_3_1: true
ubtu24cis_rule_4_4_3_2: true
ubtu24cis_rule_4_4_3_3: true
ubtu24cis_rule_4_4_3_4: true
## Section 5 Access Control
# 5.1 Configure SSH Server
ubtu24cis_rule_5_1_1: true
ubtu24cis_rule_5_1_2: true
ubtu24cis_rule_5_1_3: true
ubtu24cis_rule_5_1_4: true
ubtu24cis_rule_5_1_5: true
ubtu24cis_rule_5_1_6: true
ubtu24cis_rule_5_1_7: true
ubtu24cis_rule_5_1_8: true
ubtu24cis_rule_5_1_9: true
ubtu24cis_rule_5_1_10: true
ubtu24cis_rule_5_1_11: true
ubtu24cis_rule_5_1_12: true
ubtu24cis_rule_5_1_13: true
ubtu24cis_rule_5_1_14: true
ubtu24cis_rule_5_1_15: true
ubtu24cis_rule_5_1_16: true
ubtu24cis_rule_5_1_17: true
ubtu24cis_rule_5_1_18: true
ubtu24cis_rule_5_1_19: true
ubtu24cis_rule_5_1_20: true
ubtu24cis_rule_5_1_21: true
ubtu24cis_rule_5_1_22: true
# 5.2 Configure privilege escalation
ubtu24cis_rule_5_2_1: true
ubtu24cis_rule_5_2_2: true
ubtu24cis_rule_5_2_3: true
ubtu24cis_rule_5_2_4: true
ubtu24cis_rule_5_2_5: true
ubtu24cis_rule_5_2_6: true
ubtu24cis_rule_5_2_7: true
# 5.3.1 Configure PAM software packages
ubtu24cis_rule_5_3_1_1: true
ubtu24cis_rule_5_3_1_2: true
ubtu24cis_rule_5_3_1_3: true
# 5.3.2 Configure pam-auth-update profiles
ubtu24cis_rule_5_3_2_1: true
ubtu24cis_rule_5_3_2_2: true
ubtu24cis_rule_5_3_2_3: true
ubtu24cis_rule_5_3_2_4: true
# 5.3.3.1 Configure pam_faillock module
ubtu24cis_rule_5_3_3_1_1: true
ubtu24cis_rule_5_3_3_1_2: true
ubtu24cis_rule_5_3_3_1_3: true
# 5.3.3.2 Configure pam_quality module
ubtu24cis_rule_5_3_3_2_1: true
ubtu24cis_rule_5_3_3_2_2: true
ubtu24cis_rule_5_3_3_2_3: true
ubtu24cis_rule_5_3_3_2_4: true
ubtu24cis_rule_5_3_3_2_5: true
ubtu24cis_rule_5_3_3_2_6: true
ubtu24cis_rule_5_3_3_2_7: true
ubtu24cis_rule_5_3_3_2_8: true
# 5.3.3.3 Configure pam_history module
# These are added as part of 5.3.2.4 using a jinja2 template
ubtu24cis_rule_5_3_3_3_1: true
ubtu24cis_rule_5_3_3_3_2: true
ubtu24cis_rule_5_3_3_3_3: true
# 5.3.3.4 Configure pam_unix module
ubtu24cis_rule_5_3_3_4_1: true
ubtu24cis_rule_5_3_3_4_2: true
ubtu24cis_rule_5_3_3_4_3: true
ubtu24cis_rule_5_3_3_4_4: true
# 5.4 User Accounts and Environment
# 5.4.1 Configure shadow password suite parameters
ubtu24cis_rule_5_4_1_1: true
ubtu24cis_rule_5_4_1_2: true
ubtu24cis_rule_5_4_1_3: true
ubtu24cis_rule_5_4_1_4: true
ubtu24cis_rule_5_4_1_5: true
ubtu24cis_rule_5_4_1_6: true
# 5.4.2 Configure root and system accounts and environment
ubtu24cis_rule_5_4_2_1: true
ubtu24cis_rule_5_4_2_2: true
ubtu24cis_rule_5_4_2_3: true
ubtu24cis_rule_5_4_2_4: true
ubtu24cis_rule_5_4_2_5: true
ubtu24cis_rule_5_4_2_6: true
ubtu24cis_rule_5_4_2_7: true
ubtu24cis_rule_5_4_2_8: true
# 5.4.3 Configure user default environment
ubtu24cis_rule_5_4_3_1: true
ubtu24cis_rule_5_4_3_2: true
ubtu24cis_rule_5_4_3_3: true
## Section 6 Logging and Auditing

# 6.1.1.x Configure systemd-journald service
ubtu24cis_rule_6_1_1_1: true
ubtu24cis_rule_6_1_1_2: true
ubtu24cis_rule_6_1_1_3: true
ubtu24cis_rule_6_1_1_4: true
# 6.1.2.1 Configure journald
ubtu24cis_rule_6_1_2_1_1: true
ubtu24cis_rule_6_1_2_1_2: true
ubtu24cis_rule_6_1_2_1_3: true
ubtu24cis_rule_6_1_2_1_4: true
ubtu24cis_rule_6_1_2_2: true
ubtu24cis_rule_6_1_2_3: true
ubtu24cis_rule_6_1_2_4: true
# 6.1.3 Configure rsyslog
ubtu24cis_rule_6_1_3_1: true
ubtu24cis_rule_6_1_3_2: true
ubtu24cis_rule_6_1_3_3: true
ubtu24cis_rule_6_1_3_4: true
ubtu24cis_rule_6_1_3_5: true
ubtu24cis_rule_6_1_3_6: true
ubtu24cis_rule_6_1_3_7: true
# 6.1.3.8 logrotate
ubtu24cis_rule_6_1_3_8: true
# 6.1.4.1 configure logfiles
ubtu24cis_rule_6_1_4_1: true
# 6.2.1 Configure auditd services
ubtu24cis_rule_6_2_1_1: true
ubtu24cis_rule_6_2_1_2: true
ubtu24cis_rule_6_2_1_3: true
ubtu24cis_rule_6_2_1_4: true
# 6.2.2 Configure auditd data retention
ubtu24cis_rule_6_2_2_1: true
ubtu24cis_rule_6_2_2_2: true
ubtu24cis_rule_6_2_2_3: true
ubtu24cis_rule_6_2_2_4: true
# 6.2.3 Configure auditd rules
ubtu24cis_rule_6_2_3_1: true
ubtu24cis_rule_6_2_3_2: true
ubtu24cis_rule_6_2_3_3: true
ubtu24cis_rule_6_2_3_4: true
ubtu24cis_rule_6_2_3_5: true
ubtu24cis_rule_6_2_3_6: true
ubtu24cis_rule_6_2_3_7: true
ubtu24cis_rule_6_2_3_8: true
ubtu24cis_rule_6_2_3_9: true
ubtu24cis_rule_6_2_3_10: true
ubtu24cis_rule_6_2_3_11: true
ubtu24cis_rule_6_2_3_12: true
ubtu24cis_rule_6_2_3_13: true
ubtu24cis_rule_6_2_3_14: true
ubtu24cis_rule_6_2_3_15: true
ubtu24cis_rule_6_2_3_16: true
ubtu24cis_rule_6_2_3_17: true
ubtu24cis_rule_6_2_3_18: true
ubtu24cis_rule_6_2_3_19: true
ubtu24cis_rule_6_2_3_20: true
ubtu24cis_rule_6_2_3_21: true
# 6.2.4 Configure audit file access
ubtu24cis_rule_6_2_4_1: true
ubtu24cis_rule_6_2_4_2: true
ubtu24cis_rule_6_2_4_3: true
ubtu24cis_rule_6_2_4_4: true
ubtu24cis_rule_6_2_4_5: true
ubtu24cis_rule_6_2_4_6: true
ubtu24cis_rule_6_2_4_7: true
ubtu24cis_rule_6_2_4_8: true
ubtu24cis_rule_6_2_4_9: true
ubtu24cis_rule_6_2_4_10: true
# 6.3 Configure Filesystem Integrity Checking
ubtu24cis_rule_6_3_1: true
ubtu24cis_rule_6_3_2: true
ubtu24cis_rule_6_3_3: true
## Section 7 System Maintenance
# 7.1 System File Permissions
ubtu24cis_rule_7_1_1: true
ubtu24cis_rule_7_1_2: true
ubtu24cis_rule_7_1_3: true
ubtu24cis_rule_7_1_4: true
ubtu24cis_rule_7_1_5: true
ubtu24cis_rule_7_1_6: true
ubtu24cis_rule_7_1_7: true
ubtu24cis_rule_7_1_8: true
ubtu24cis_rule_7_1_9: true
ubtu24cis_rule_7_1_10: true
ubtu24cis_rule_7_1_11: true
ubtu24cis_rule_7_1_12: true
ubtu24cis_rule_7_1_13: true
# 7.2 Local User and Group Settings
ubtu24cis_rule_7_2_1: true
ubtu24cis_rule_7_2_2: true
ubtu24cis_rule_7_2_3: true
ubtu24cis_rule_7_2_4: true
ubtu24cis_rule_7_2_5: true
ubtu24cis_rule_7_2_6: true
ubtu24cis_rule_7_2_7: true
ubtu24cis_rule_7_2_8: true
ubtu24cis_rule_7_2_9: true
ubtu24cis_rule_7_2_10: true
##
## Service configuration variables.
##
## Set the respective variable to true to keep the service,
## otherwise the service is stopped and disabled.
##
# Service configuration
# Options are
# true - leave installed if it exists; no changes take place
# false - this removes the package
# mask - if a dependency for a product so cannot be removed
# NOTE(review): the options above describe one three-valued setting, but each service below has a
# separate `_server`/`_services` boolean and a `_mask` boolean; confirm against the section 2.1 tasks
# which combination is honoured, in particular where both are true (nfs, rpc).
# Server Services
ubtu24cis_autofs_services: false
ubtu24cis_autofs_mask: false
ubtu24cis_avahi_server: false
ubtu24cis_avahi_mask: false
ubtu24cis_dhcp_server: false
ubtu24cis_dhcp_mask: false
ubtu24cis_dns_server: false
ubtu24cis_dns_mask: false
ubtu24cis_dnsmasq_server: false
ubtu24cis_dnsmasq_mask: false
ubtu24cis_ftp_server: false
ubtu24cis_ftp_mask: false
ubtu24cis_ldap_server: false
ubtu24cis_ldap_mask: false
ubtu24cis_message_server: false  # This is for messaging: dovecot and cyrus-imap
ubtu24cis_message_mask: false
ubtu24cis_nfs_server: true
ubtu24cis_nfs_mask: true
# NOTE(review): `true` leaves the NIS server package in place (see Options above); with
# ubtu24cis_nis_client_required set to false below, check whether `false` (remove) is the intended default
ubtu24cis_nis_server: true  # set to mask if nis client required
ubtu24cis_nis_mask: false
ubtu24cis_print_server: false  # replaces cups
ubtu24cis_print_mask: false
ubtu24cis_rpc_server: true
ubtu24cis_rpc_mask: true
ubtu24cis_rsync_server: false
ubtu24cis_rsync_mask: false
ubtu24cis_samba_server: false
ubtu24cis_samba_mask: false
ubtu24cis_snmp_server: false
ubtu24cis_snmp_mask: false
ubtu24cis_telnet_server: false
ubtu24cis_telnet_mask: false
ubtu24cis_tftp_server: false
ubtu24cis_tftp_mask: false
ubtu24cis_squid_server: false
ubtu24cis_squid_mask: false
ubtu24cis_apache2_server: false
ubtu24cis_apache2_mask: false
ubtu24cis_nginx_server: false
ubtu24cis_nginx_mask: false
ubtu24cis_xinetd_server: false
ubtu24cis_xinetd_mask: false
ubtu24cis_xwindow_server: false  # will be removed; mask is not an option
ubtu24cis_is_mail_server: false

# Client Services
ubtu24cis_nis_client_required: false  # Same package as NIS server
ubtu24cis_rsh_client: false
ubtu24cis_talk_client: false
ubtu24cis_telnet_required: false
ubtu24cis_ldap_clients_required: false
ubtu24cis_ftp_client: false
## System functionality configuration variables
##
## There are certain functionalities of a system
## that may require either skipping certain CIS rules
## or installing certain packages.
## Set the respective variable to `true` in order to
## enable a certain functionality on the system

# This variable governs whether specific CIS rules
# concerned with acceptance and routing of packets
# are skipped.
ubtu24cis_is_router: false

## IPv4 requirement toggle
# This variable governs whether ipv4 is enabled or disabled.
ubtu24cis_ipv4_required: true

## IPv6 requirement toggle
# This variable governs whether ipv6 is enabled or disabled.
ubtu24cis_ipv6_required: false

## Desktop requirement toggle
# This variable governs whether CIS rules regarding GDM
# and X-Windows are carried out.
ubtu24cis_desktop_required: false

## Purge apt packages
# This will allow the purging of any packages that are marked to be removed
# This will also purge any packages not removed via this playbook
ubtu24cis_purge_apt: false
##
## Section 1 Control Variables
##

## tmp mount type
# This variable determines to which mount type
# the tmp mount type will be set if it cannot be
# correctly discovered, i.e. it forces the tmp_mnt type
# when discovery fails.
# Possible values are `tmp_systemd` or `fstab`.
expected_tmp_mnt: fstab

## Controls 1.3.1.x - apparmor
# AppArmor security policies define what system resources applications can access and their privileges.
# This automatically limits the damage that the software can do to files accessible by the calling user.
# The following variables are related to the set of rules from section 1.3.1.x

## Controls 1.3.1.3 and 1.3.1.4 Ensure all AppArmor Profiles are in enforce (1.3.1.3/4) or complain (1.3.1.3) mode

# This variable disables the implementation of rules 1.3.1.3 and 1.3.1.4
# regarding enforcing profiles or putting them in complain mode
ubtu24cis_apparmor_disable: false

# This variable specifies whether enforce mode or complain mode is set in Control 1.3.1.3.
# Possible values are `enforce` and `complain`.
# ATTENTION: if Control 1.3.1.4 is run (e.g., when running level 2 rules), it OVERRIDES control 1.3.1.3
# and sets `enforce` mode, no matter what this variable's value is.
ubtu24cis_apparmor_mode: complain

## Controls 1.4.x - Boot password
#
# THIS VARIABLE SHOULD BE CHANGED AND INCORPORATED INTO VAULT
# THIS VALUE IS WHAT THE PW OF THE GRUB USER (ubtu24cis_grub_user, `root` below) WILL BECOME!!!!!!!!
# HAVING THAT PW EXPOSED IN RAW TEXT IS NOT SECURE!!!!
ubtu24cis_grub_user: root
ubtu24cis_set_grub_user_pass: false
# NOTE(review): the hash below is a published hash of a known value ("changeme"), so it gives no
# protection on its own; generate a fresh hash and supply it from vault before enabling ubtu24cis_set_grub_user_pass
ubtu24cis_grub_user_passwd: '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6'  # Set to changeme
ubtu24cis_grub_user_file: /etc/grub.d/00_user
# Same caveat: this is a placeholder; replace it with a real hash from vault before setting ubtu24cis_set_boot_pass to true
ubtu24cis_bootloader_password_hash: "grub.pbkdf2.sha512.changethispassword"  # pragma: allowlist secret
ubtu24cis_set_boot_pass: false

ubtu24cis_grub_file: /boot/grub/grub.cfg

## Controls 1.5.x
# Ability to set the file in which the kernel sysctl changes are placed
ubtu24cis_sysctl_kernel_conf: /etc/sysctl.d/98_cis_kernel.conf

# 1.5.2 Ability to choose ptrace value
# options = 1, 2 or 3
ubtu24_ptrace_value: 1

## Controls 1.6.x - Warning banners
# The controls 1.6.x set various warning banners and protect the respective files
# by tightening the access rights.

# This variable specifies the warning banner displayed to the user
# after local login, remote login, and as motd (message of the day)
# Note that the banner text must not contain the below items in order to be
# compliant with CIS: \m, \r, \s, \v or references to the OS platform
ubtu24cis_warning_banner: |
  Authorized uses only. All activity may be monitored and reported.

# This variable governs whether dynamic motd is disabled (as required by control 1.7.1)
ubtu24cis_disable_dynamic_motd: true

## Controls 1.7.x - Settings for GDM
# This variable specifies the GNOME configuration database file to which configurations are written.
# (See https://help.gnome.org/admin/system-admin-guide/stable/dconf-keyfiles.html.en)
# The default database is `local`.
ubtu24cis_dconf_db_name: local
# This variable governs the number of seconds of inactivity before the screen goes blank.
ubtu24cis_screensaver_idle_delay: 900
# This variable governs the number of seconds the screen remains blank before it is locked.
ubtu24cis_screensaver_lock_delay: 5
##
## Section 2 Control Variables
##

## Control 2.3.1.1
# This variable chooses the tool used for time synchronization
# The two options are `chrony` and `systemd-timesyncd`.
ubtu24cis_time_sync_tool: "systemd-timesyncd"

## Controls 2.3.x - Configure time pools & servers for chrony and timesyncd
# The following variable represents a list of time server pools used
# for configuring chrony and timesyncd.
# Each list item contains two settings, `name` (the domain name of the pool) and synchronization `options`.
# The default setting for the `options` is `iburst maxsources 4` -- please refer to the documentation
# of the time synchronization mechanism you are using.
ubtu24cis_time_pool:
  - name: time.nist.gov
    options: iburst maxsources 4
# The following variable represents a list of time servers used
# for configuring chrony and timesyncd
# Each list item contains two settings, `name` (the domain name of the server) and synchronization `options`.
# The default setting for the `options` is `iburst` -- please refer to the documentation
# of the time synchronization mechanism you are using.
ubtu24cis_time_servers:
  - name: time-a-g.nist.gov
    options: iburst
  - name: time-b-g.nist.gov
    options: iburst
  - name: time-c-g.nist.gov
    options: iburst
##
## Section 3 Control Variables
##

## Control 3.1.1 - Ensure system is checked to determine if IPv6 is enabled
# This variable governs the mechanism of how the disabling of IPV6 is carried out.
# Its possible values are `grub` and `sysctl`.
ubtu24cis_ipv6_disable: grub

## Control 3.1.2 - Ensure wireless interfaces are disabled
# This variable is used for a preliminary task regarding the installation of Network Manager
# If it is set to `true`, Network Manager is installed during the "prelim" section of
# the role. If set to `false`, Network Manager is not installed. Bear in mind that without
# it, ensuring that wireless interfaces are disabled will not be possible!
ubtu24cis_install_network_manager: true

## Control 3.1.3 - Ensure bluetooth Services are not in use
# This control manages how the bluetooth service is handled
# Options are
# true - leave installed if it exists; no changes take place
# false - this removes the package
# mask - if a dependency for a product so cannot be removed
ubtu24cis_bluetooth_service: false
ubtu24cis_bluetooth_mask: false

## Control 3.3.x - Networking configuration
# This variable contains the path to the file in which sysctl saves its configurations.
# Its default value is `/etc/sysctl.conf`.
ubtu24cis_sysctl_network_conf: /etc/sysctl.conf
##
## Section 4 Control Variables
##

## Controls 4.1.x, 4.2.x, and 4.3.x - Firewall configuration
# This variable represents the toggle for which firewall package is used.
# The options that have an effect on the system are `ufw` and `iptables`.
# The option `nftables` is also possible, but will only result in a message
# that `nftables` has been chosen; all settings have to be carried out manually.
# Any other value, e.g. `none`, will skip all firewall-related controls.
ubtu24cis_firewall_package: "ufw"

# This variable is used in a preliminary task that forces the UFW firewall to use /etc/sysctl.conf
# settings. If set to "true" the task will get done in the prelim section of the role.
ubtu24cis_ufw_use_sysctl: true

## Control 4.2.5 - Ensure ufw outbound connections are configured
# The value of this variable represents the ports for the firewall to allow outbound traffic from.
# If you want to allow outbound traffic on all ports, set the variable to `all`, e.g.,
# `ubtu24cis_ufw_allow_out_ports: "all"`.
ubtu24cis_ufw_allow_out_ports:
  - 53
  - 80
  - 443

## Controls 4.3.x - nftables
# Nftables is not supported in this role. Some tasks have parts of them commented out; this is one example
# of such a task.
# "ubtu24cis_nftables_table_name" is the name of the table in nftables you want to create.
# The default nftables table name is "inet filter". This variable name will be the one all
# nftables configs are applied to.
# ubtu24cis_nftables_table_name: "inet filter"
##
## Section 5 Control Variables
##
## Controls 5.1.x -- various sshd settings
ubtu24cis_sshd_default_log_level: "INFO"
ubtu24cis_sshd_default_max_auth_tries: 4
ubtu24cis_sshd_default_max_sessions: 8
ubtu24cis_sshd_default_login_grace_time: 60
ubtu24cis_sshd_default_client_alive_interval: 300
ubtu24cis_sshd_default_client_alive_count_max: 3
# Removed chacha20-poly1305 due to CVE-2023-48795
# all Ciphers, KEX and Macs set to FIPS 140
# This will need to be adjusted according to your site requirements
ubtu24cis_sshd_default_ciphers:
  - aes256-gcm@openssh.com
  - aes128-gcm@openssh.com
  - aes256-ctr
  - aes192-ctr
  - aes128-ctr
# NOTE(review): hmac-sha1 is a legacy MAC; keep it only while a client in your estate still
# needs it, otherwise drop it and rely on the sha2 entries
ubtu24cis_sshd_default_macs:
  - hmac-sha1
  - hmac-sha2-256
  # - hmac-sha2-384  # left out; as far as OpenSSH's MAC list goes there is no hmac-sha2-384 (only sha2-256/sha2-512), so it would not be usable anyway
  - hmac-sha2-512
ubtu24cis_sshd_default_kex_algorithms:
  - ecdh-sha2-nistp256
  - ecdh-sha2-nistp384
  - ecdh-sha2-nistp521
  - diffie-hellman-group-exchange-sha256
  - diffie-hellman-group16-sha512
  - diffie-hellman-group18-sha512
  - diffie-hellman-group14-sha256

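ubtu24cis_sshd:
  # Verbosity of the logging produced by the SSH server (sshd `LogLevel`).
  # The options for setting it are as follows:
  # - `QUIET`: Minimal logging;
  # - `FATAL`: logs only fatal errors;
  # - `ERROR`: logs error messages;
  # - `INFO`: logs informational messages in addition to errors;
  # - `VERBOSE`: logs a higher level of detail, including login attempts and key exchanges;
  # - `DEBUG`: generates very detailed debugging information including sensitive information.
  # CIS expects `INFO` or `VERBOSE`; `DEBUG` should not be used on a production host
  # because of the sensitive material it writes to the log.
  log_level: "{{ ubtu24cis_sshd_default_log_level }}"

  # Maximum number of authentication attempts allowed for a single SSH session
  # (sshd `MaxAuthTries`).
  max_auth_tries: "{{ ubtu24cis_sshd_default_max_auth_tries }}"

  # Encryption algorithms permitted for securing data transmission (sshd `Ciphers`).
  ciphers: "{{ ubtu24cis_sshd_default_ciphers }}"

  # Message authentication code algorithms (MACs) permitted for verifying the
  # integrity of data exchanged (sshd `MACs`).
  macs: "{{ ubtu24cis_sshd_default_macs }}"

  # Key exchange algorithms used to establish secure encryption keys during the
  # initial connection setup (sshd `KexAlgorithms`).
  kex_algorithms: "{{ ubtu24cis_sshd_default_kex_algorithms }}"

  # Interval in seconds between "keep-alive" messages sent from the server to the
  # client. These messages keep the connection alive and prevent it from being
  # terminated due to inactivity.
  client_alive_interval: "{{ ubtu24cis_sshd_default_client_alive_interval }}"

  # Maximum number of unanswered "keep-alive" messages the server sends before the
  # connection is considered inactive and is closed.
  client_alive_count_max: "{{ ubtu24cis_sshd_default_client_alive_count_max }}"

  # Seconds allowed for a successful authentication to the SSH server.
  login_grace_time: "{{ ubtu24cis_sshd_default_login_grace_time }}"

  # Maximum number of open sessions per connection.
  max_sessions: "{{ ubtu24cis_sshd_default_max_sessions }}"

  # The allow/deny directives are processed in the order DenyUsers, AllowUsers,
  # DenyGroups, AllowGroups. Once an allow list is set, sshd refuses every account
  # that does not match it, so make sure the administrative and automation accounts
  # used to reach the host are covered before enabling one. How an empty value is
  # treated is decided by the role's tasks, not in this file.
  # For more info, see https://linux.die.net/man/5/sshd_config

  # Space-separated USER name patterns that are granted SSH access, written to the
  # `AllowUsers` option in `/etc/ssh/sshd_config`. In the USER@HOST form the user
  # is allowed only from that particular host.
  allow_users: ""

  # (String) Space-separated GROUP name patterns that are granted SSH access for users
  # whose primary group or supplementary group list matches, written to the
  # `AllowGroups` option in `/etc/ssh/sshd_config`.
  allow_groups: ""

  # Space-separated USER name patterns that are refused SSH access, written to the
  # `DenyUsers` option in `/etc/ssh/sshd_config`. In the USER@HOST form the user
  # is refused only from that particular host.
  deny_users: ""

  # Space-separated GROUP name patterns that are refused SSH access for users whose
  # primary group or supplementary group list matches, written to the `DenyGroups`
  # option in `/etc/ssh/sshd_config`.
  deny_groups: ""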
|
|
|
|
## Control 5.2.1
|
|
# This variable represents the name of the sudo package to install
|
|
# CIS recommends `sudo` or, if LDAP functionality is required, `sudo-ldap`.
|
|
ubtu24cis_sudo_package: "sudo"
|
|
|
|
## Control 5.2.3
|
|
# This variable defines the path and file name of the sudo log file.
|
|
ubtu24cis_sudo_logfile: "/var/log/sudo.log"
|
|
|
|
## control 5.2.4 sudoers NOPASSWD
|
|
# NOPASSWD entries for the users listed here are left intact. Every entry keeps passwordless sudo, so restrict the list to accounts that genuinely need it (the defaults are VM/cloud provisioning accounts).
|
|
ubtu24cis_sudoers_exclude_nopasswd_list:
|
|
- ec2-user
|
|
- vagrant
|
|
|
|
## Control 5.2.6
|
|
# This variable sets the duration (in minutes) during which a user's authentication credentials
|
|
# are cached after successfully authenticating using "sudo". This allows the user to execute
|
|
# multiple commands with elevated privileges without needing to re-enter their password for each
|
|
# command within the specified time period. CIS requires a value of at most 15 minutes.
|
|
ubtu24cis_sudo_timestamp_timeout: 15
|
|
## Control 5.2.7
|
|
# This variable determines the group of users that are allowed to use the su command.
|
|
# It names the group whose members are permitted to run the "su" command.
|
|
# CIS requires that such a group be created (named according to site policy) and be kept empty.
|
|
ubtu24cis_sugroup: nosugroup
|
|
|
|
## 5.3.2.x
|
|
# Path to find templates and where to put file for pam-auth
|
|
ubtu24cis_pam_confd_dir: 'usr/share/pam-configs/'
|
|
### Note: controls also managed with disruption high due to the nature of pam changes
|
|
# The `create` toggles below create the file with the given name, replacing any existing file of that name.
|
|
|
|
# Controls 5.3.2.1 - pam_unix
|
|
# Name of file
|
|
ubtu24cis_pam_pwunix_file: 'pam_unix'
|
|
# Should NOT be enabled if a custom config that enables pam_faillock is in use (the created file would replace it).
|
|
ubtu24cis_pam_create_pamunix_file: false
|
|
# Allow pam-auth-update --enable ubtu24cis_pam_pwunix_file to run
|
|
ubtu24cis_pam_auth_unix: true
|
|
|
|
# 5.3.2.2 - pam_faillock
|
|
# Name of files
|
|
ubtu24cis_pam_faillock_file: 'faillock'
|
|
ubtu24cis_pam_faillock_notify_file: 'faillock_notify'
|
|
# Allow pam-auth-update --enable ubtu24cis_pam_faillock_file
|
|
# and
|
|
# Allow pam-auth-update --enable ubtu24cis_pam_faillock_notify_file
|
|
ubtu24cis_pam_auth_faillock: true
|
|
# Allow new file to be created or overwrite existing with same name
|
|
ubtu24cis_pam_create_faillock_files: true
|
|
|
|
# 5.3.2.3 - pam_pwquality
|
|
# Name of files
|
|
ubtu24cis_pam_pwquality_file: 'pwquality'
|
|
# Allow new file to be created or overwrite existing with same name
|
|
ubtu24cis_pam_create_pwquality_files: true
|
|
# Allow pam-auth-update --enable ubtu24cis_pam_pwquality_file
|
|
ubtu24cis_pam_auth_pwquality: true
|
|
|
|
# 5.3.2.4 - pam_pwhistory
|
|
# Name of file
|
|
ubtu24cis_pam_pwhistory_file: 'pwhistory'
|
|
# Allow new file to be created or overwrite existing with same name
|
|
# filepath also affects controls 5.3.3.3.1, 5.3.3.3.2, 5.3.3.3.3
|
|
ubtu24cis_pam_create_pwhistory_files: true
|
|
# Allow pam-auth-update --enable ubtu24cis_pam_pwhistory_file
|
|
ubtu24cis_pam_auth_pwhistory: true
|
|
|
|
# 5.3.3.1.1 - faillock_deny
|
|
ubtu24cis_faillock_deny: 3
|
|
|
|
# 5.3.3.1.2 - faillock unlock time
|
|
ubtu24cis_faillock_unlock_time: 900
|
|
|
|
# 5.3.3.1.3 - lock root
|
|
# Either `even_deny_root` or `root_unlock_time` may be used here.
|
|
ubtu24cis_pamroot_lock_option: even_deny_root
|
|
ubtu24cis_pamroot_lock_string: even_deny_root
|
|
|
|
# 5.3.3.2.1 - password difok
|
|
ubtu24cis_passwd_difok_file: etc/security/pwquality.conf.d/50-pwdifok.conf # pragma: allowlist secret
|
|
ubtu24cis_passwd_difok_value: 2
|
|
|
|
# 5.3.3.2.2 - password minlength
|
|
ubtu24cis_passwd_minlen_file: etc/security/pwquality.conf.d/50-pwlength.conf # pragma: allowlist secret
|
|
ubtu24cis_passwd_minlen_value: 14
|
|
|
|
# 5.3.3.2.3 - password complex
|
|
ubtu24cis_passwd_complex_file: etc/security/pwquality.conf.d/50-pwcomplexity.conf # pragma: allowlist secret
|
|
ubtu24cis_passwd_minclass: 3
|
|
ubtu24cis_passwd_dcredit: -1
|
|
ubtu24cis_passwd_ucredit: -2
|
|
ubtu24cis_passwd_ocredit: 0
|
|
ubtu24cis_passwd_lcredit: -2
|
|
|
|
# 5.3.3.2.4 - password maxrepeat
|
|
ubtu24cis_passwd_maxrepeat_file: etc/security/pwquality.conf.d/50-pwrepeat.conf # pragma: allowlist secret
|
|
ubtu24cis_passwd_maxrepeat_value: 3
|
|
|
|
# 5.3.3.2.5 - password maxsequence
|
|
ubtu24cis_passwd_maxsequence_file: etc/security/pwquality.conf.d/50-pwmaxsequence.conf # pragma: allowlist secret
|
|
ubtu24cis_passwd_maxsequence_value: 3
|
|
|
|
# 5.3.3.2.6 - password dictcheck
|
|
ubtu24cis_passwd_dictcheck_file: etc/security/pwquality.conf.d/50-pwdictcheck.conf # pragma: allowlist secret
|
|
ubtu24cis_passwd_dictcheck_value: 1
|
|
|
|
# 5.3.3.2.7 - password quality enforce
|
|
ubtu24cis_passwd_quality_enforce_file: etc/security/pwquality.conf.d/50-pwquality_enforce.conf # pragma: allowlist secret
|
|
ubtu24cis_passwd_quality_enforce_value: 1
|
|
|
|
# 5.3.3.2.8 - password quality enforce for root included with 5.3.3.2.7
|
|
ubtu24cis_passwd_quality_enforce_root_file: etc/security/pwquality.conf.d/50-pwroot.conf # pragma: allowlist secret
|
|
ubtu24cis_passwd_quality_enforce_root_value: enforce_for_root # pragma: allowlist secret
|
|
|
|
## 5.3.3.3 Configure pam_pwhistory module
|
|
# Uses value for ubtu24cis_pam_pwhistory_file in 5.3.2.4
|
|
# Control 5.3.3.3.1
|
|
# This variable represents the number of password change cycles, after which
|
|
# a user can re-use a password. CIS requires a value of 24 or more.
|
|
ubtu24cis_pamd_pwhistory_remember: 24
|
|
|
|
## Controls 5.4.1.x - Password settings
|
|
ubtu24cis_pass:
|
|
## Control 5.4.1.1
|
|
# This variable governs after how many days a password expires.
|
|
# CIS requires a value of 365 or less.
|
|
max_days: 365
|
|
## Control 5.4.1.2
|
|
# This variable specifies the minimum number of days allowed between changing passwords.
|
|
# CIS requires a value of at least 1.
|
|
min_days: 1
|
|
## Control 5.5.1.3 (this number does not follow the sibling 5.4.1.x controls; verify it against the benchmark)
|
|
# This variable governs, how many days before a password expires, the user will be warned.
|
|
# CIS requires a value of at least 7.
|
|
warn_age: 7
|
|
## Control 5.4.1.5
|
|
# This variable specifies the number of days of inactivity before an account will be locked.
|
|
# CIS requires a value of 45 days or less.
|
|
inactive: 45
|
|
|
|
# 5.4.2.6 root umask
|
|
ubtu24cis_root_umask: '0027' # 0027 or more restrictive
|
|
## Control 5.4.4
|
|
# ubtu24cis_passwd_hash_algo is the hashing algorithm used
|
|
ubtu24cis_passwd_hash_algo: yescrypt # pragma: allowlist secret
|
|
# Set pam as well as login defs if PAM is required
|
|
ubtu24cis_passwd_setpam_hash_algo: false
|
|
|
|
## Control 5.4.3 - Default user mask
|
|
# The following variable specifies the "umask" to set in the `/etc/bash.bashrc` and `/etc/profile`.
|
|
# The value needs to be `027` or more restrictive to comply with CIS standards
|
|
ubtu24cis_bash_umask: '027'
|
|
|
|
## Control 5.4.3.2 - Configuring user shell timeout
|
|
# This dictionary is related to ensuring the rule about user shell timeout
|
|
# This variable represents the number of seconds an interactive shell may stay idle
# before it is terminated (the `TMOUT` value).
|
|
# CIS requires a value of at most 900 seconds.
|
|
ubtu24cis_shell_session_timeout: 900
|
|
# This variable specifies the path of the timeout setting file.
|
|
# (TMOUT setting can be set in multiple files, but only one is required for the
|
|
# rule to pass. Options are:
|
|
# - a file in `/etc/profile.d/` ending in `.sh`,
|
|
# - `/etc/profile`, or
|
|
# - `/etc/bash.bashrc`.
|
|
ubtu24cis_shell_session_file: /etc/profile.d/tmout.sh
|
|
|
|
##
|
|
## Section 6 Control Variables
|
|
##
|
|
|
|
# Set which syslog service
|
|
# journald or rsyslog
|
|
ubtu24cis_syslog_service: 'journald'
|
|
|
|
## Controls 6.1.1.x journald
|
|
|
|
# This variable specifies the address of the remote log host where logs are sent. The default is an example value; override it with your site's log host before use.
|
|
ubtu24cis_remote_log_server: 192.168.2.100
|
|
# This variable expresses whether the system is used as a log server or not.
|
|
# If set to `true`, controls that interfere with log server functionality or
|
|
# require that own system logs be sent to some other log server are skipped.
|
|
ubtu24cis_system_is_log_server: false
|
|
|
|
## Controls 6.1.1.2.x & 6.1.1.x journald
|
|
# This variable specifies the path to the private key file used for the journal
# upload connection. NOTE(review): the journal-upload options are read by
# systemd-journal-upload on the sending host, so this appears to be the sender's
# own key rather than the remote server's — confirm against journal-upload.conf(5).
# It is left empty below; note that a bare `key:` parses as YAML null, not as an
# empty string, so check how the role's template renders a null value.
|
|
ubtu24cis_journal_upload_serverkeyfile:
|
|
# This variable specifies the path to the public certificate file of the remote journal
|
|
# server. This certificate is used to verify the authenticity of the remote server.
|
|
ubtu24cis_journal_servercertificatefile:
|
|
# This variable specifies the path to a file containing one or more public certificates
|
|
# of certificate authorities (CAs) that the client trusts. These trusted certificates are used
|
|
# to validate the authenticity of the remote server's certificate.
|
|
ubtu24cis_journal_trustedcertificatefile:
|
|
|
|
# 6.1.1.1.3
|
|
# These variables specify how much disk space the journal may use up at most.
|
|
# Specify values in bytes or use K, M, G, T, P, E as units for the specified sizes.
|
|
# See https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information.
|
|
# ATTENTION: when you set a value, remove the leading `#` from the keyword below; otherwise the directive is written out commented and has no effect.
|
|
ubtu24cis_journald_systemmaxuse: "#SystemMaxUse="
|
|
ubtu24cis_journald_systemkeepfree: "#SystemKeepFree="
|
|
ubtu24cis_journald_runtimemaxuse: "#RuntimeMaxUse="
|
|
ubtu24cis_journald_runtimekeepfree: "#RuntimeKeepFree="
|
|
# This variable specifies the maximum time to store entries in a single journal
|
|
# file before rotating to the next one. Set to 0 to turn off this feature.
|
|
# The given value is interpreted as seconds, unless suffixed with the units
|
|
# `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds.
|
|
# ATTENTION: when you set a value, remove the leading `#` from the keyword below; otherwise the directive is written out commented and has no effect.
|
|
ubtu24cis_journald_maxfilesec: "#MaxFileSec="
|
|
|
|
## Controls 6.2.3.x - Audit template
|
|
# This variable is set to true by tasks 6.2.3.1 to 6.2.3.20. As a result, the
|
|
# audit settings are overwritten with the role's template. In order to exclude
|
|
# specific rules, you must set the variable of form `ubtu24cis_rule_4_1_3_x` above
# to `false`. (The rule prefix cited here does not match this section's 6.2.3.x
# numbering; check the rule toggles above for the exact variable names.)
|
|
update_audit_template: false
|
|
|
|
## Advanced option found in auditd post
|
|
## UIDs whose actions are excluded from auditd logging. Every exclusion is an audit blind spot, so leave this disabled unless a documented exception requires it.
|
|
ubtu24cis_allow_auditd_uid_user_exclusions: false
|
|
|
|
# add a list of uids
|
|
ubtu24cis_auditd_uid_exclude:
|
|
- 1999
|
|
|
|
# 6.1.3.8
|
|
# ubtu24cis_logrotate sets the daily, weekly, monthly, yearly value for the log rotation
|
|
# To conform to CIS standards this just needs to comply with your site policy
|
|
ubtu24cis_logrotate: "daily"
|
|
|
|
## Control 6.2.1.4 - Ensure audit_backlog_limit is sufficient
|
|
# This variable represents the audit backlog limit, i.e., the maximum number of audit records that the
|
|
# system can buffer in memory, if the audit subsystem is unable to process them in real-time.
|
|
# Buffering in memory is useful in situations, where the audit system is overwhelmed
|
|
# with incoming audit events, and needs to temporarily store them until they can be processed.
|
|
# This variable should be set to a sufficient value. The CIS baseline recommends at least `8192` as value.
|
|
ubtu24cis_audit_back_log_limit: 8192
|
|
|
|
## Controls 6.2.2.x - What to do when log files fill up
|
|
## Control 6.2.2.1 - Ensure audit log storage size is configured
|
|
# This variable specifies the maximum size in MB that an audit log file can reach
|
|
# before it is archived or deleted to make space for the new audit data.
|
|
# This should be set based on your site's policy. CIS does not provide a specific value.
|
|
ubtu24cis_max_log_file_size: 10
|
|
|
|
## Control 6.2.3.2
|
|
# This variable determines what action the audit system should take when the maximum
|
|
# size of a log file is reached.
|
|
# The options for setting this variable are as follows:
|
|
# - `ignore`: the system does nothing when the size of a log file is full;
|
|
# - `syslog`: a message is sent to the system log indicating the problem;
|
|
# - `suspend`: the system suspends recording audit events until the log file is cleared or rotated;
|
|
# - `rotate`: the log file is rotated (archived) and a new empty log file is created;
|
|
# - `keep_logs`: the system attempts to keep as many logs as possible without violating disk space constraints.
|
|
# CIS prescribes the value `keep_logs`.
|
|
ubtu24cis_auditd_max_log_file_action: keep_logs
|
|
|
|
## Control 6.2.3.3
|
|
# This variable determines how the system should act in case of issues with disk
|
|
# The disk_full_action parameter tells the system what action to take when no free space is available on the partition that holds the audit log files.
|
|
# Valid values are ignore, syslog, rotate, exec, suspend, single, and halt.
|
|
#
|
|
# The disk_error_action parameter tells the system what action to take when an error is detected on the partition that holds the audit log files.
|
|
# Valid values are ignore, syslog, exec, suspend, single, and halt.
|
|
#
|
|
# CIS prescribes
|
|
# disk_full_action parameter:
|
|
# Set to halt - the auditd daemon will shut down the system when the disk partition containing the audit logs becomes full. This trades availability for audit completeness: the host stops rather than running unaudited, so size and monitor the audit partition accordingly.
|
|
# Set to single - the auditd daemon will put the computer system in single user mode when the disk partition containing the audit logs becomes full.
|
|
#
|
|
# disk_error_action parameter:
|
|
# Set to halt - the auditd daemon will shutdown the system when an error is detected on the partition that holds the audit log files.
|
|
# Set to single - the auditd daemon will put the computer system in single user mode when an error is detected on the partition that holds the audit log files.
|
|
# Set to syslog - the auditd daemon will issue no more than 5 consecutive warnings to syslog when an error is detected on the partition that holds the audit log files.
|
|
ubtu24cis_auditd_disk_full_action: halt
|
|
ubtu24cis_auditd_disk_error_action: syslog
|
|
|
|
# Control 6.2.2.4
|
|
# What to do when space left is low. `email` relies on auditd's `action_mail_acct` and a working local mailer; without both, no notification is delivered.
|
|
ubtu24cis_auditd_space_left_action: email
|
|
ubtu24cis_auditd_admin_space_left_action: halt
|
|
|
|
## Control 6.2.x - allow aide to be configured
|
|
# AIDE is a file integrity checking tool, similar in nature to Tripwire.
|
|
# While it cannot prevent intrusions, it can detect unauthorized changes
|
|
# to configuration files by alerting when the files are changed. Review
|
|
# the AIDE quick start guide and AIDE documentation before proceeding.
|
|
# By setting this variable to `true`, all of the settings related to AIDE will be applied!
|
|
ubtu24cis_config_aide: true
|
|
|
|
## When Initializing aide this can take longer on some systems
|
|
# Changing the values lets you adapt them to your own requirements. Ansible kills an async job that runs longer than `async`, so raise it if `aide --init` needs more time on your systems.
|
|
ubtu24cis_aide_init:
|
|
# Maximum Time in seconds
|
|
async: 45
|
|
# Polling Interval in seconds
|
|
poll: 0
|
|
|
|
## Control 6.3
|
|
# Set how aide is scanned either cron or timer
|
|
ubtu24cis_aide_scan: cron
|
|
# These are the crontab settings for periodical checking of the filesystem's integrity using AIDE.
|
|
# The sub-settings of this variable provide the parameters required to configure
|
|
# the cron job on the target system.
|
|
# Cron is a time-based job scheduling program in Unix OS, which allows tasks to be scheduled
|
|
# and executed automatically at a certain point in time.
|
|
ubtu24cis_aide_cron:
|
|
# This variable represents the user account under which the cron job for AIDE will run.
|
|
cron_user: root
|
|
# This variable represents the path to the AIDE crontab file.
|
|
cron_file: /etc/cron.d/aide_cron
|
|
# This variable represents the actual command or script that the cron job
|
|
# will execute for running AIDE.
|
|
aide_job: '/usr/bin/aide --config /etc/aide/aide.conf --check'
|
|
# These variables define the schedule for the cron job
|
|
# This variable governs the minute of the time of day when the AIDE cronjob is run.
|
|
# It must be in the range `0-59`.
|
|
aide_minute: 0
|
|
# This variable governs the hour of the time of day when the AIDE cronjob is run.
|
|
# It must be in the range `0-23`.
|
|
aide_hour: 5
|
|
# This variable governs the day of the month when the AIDE cronjob is run.
|
|
# `*` signifies that the job is run on all days; furthermore, specific days
|
|
# can be given in the range `1-31`; several days can be concatenated with a comma.
|
|
# The specified day(s) must be in the range `1-31`.
|
|
aide_day: '*'
|
|
# This variable governs months when the AIDE cronjob is run.
|
|
# `*` signifies that the job is run in every month; furthermore, specific months
|
|
# can be given in the range `1-12`; several months can be concatenated with commas.
|
|
# The specified month(s) must be in the range `1-12`.
|
|
aide_month: '*'
|
|
# This variable governs the weekdays, when the AIDE cronjob is run.
|
|
# `*` signifies that the job is run on all weekdays; furthermore, specific weekdays
|
|
# can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays
|
|
# can be concatenated with commas.
|
|
aide_weekday: '*'
|
|
|
|
##
|
|
## Section 7 Control Variables
|
|
##
|
|
|
|
## Controls 6.2.11 & 6.2.12
|
|
# The minimum and maximum UIDs to be used when enforcing
|
|
# and checking controls 6.2.11 and 6.2.12 can either be
|
|
# discovered automatically via login.defs or set manually
|
|
# in this file
|
|
# If min/max UIDs are to be discovered automatically,
|
|
# set this variable to `true`, otherwise to `false`.
|
|
discover_int_uid: false
|
|
# This variable sets the minimum number from which to search for UID
|
|
# Note that the value will be dynamically overwritten if variable `discover_int_uid` has
|
|
# been set to `true`.
|
|
min_int_uid: 1000
|
|
|
|
# This variable sets the maximum number at which the search stops for UID
|
|
# Note that the value will be dynamically overwritten if variable `discover_int_uid` has
|
|
# been set to `true`.
|
|
max_int_uid: 65533
|
|
|
|
## Control 6.1.9
|
|
# The following variable is a toggle for enabling/disabling the automated
|
|
# removal of world-writable permissions from all files.
|
|
# Possible values are `true` and `false`.
|
|
ubtu24cis_no_world_write_adjust: true
|
|
|
|
## Control 6.2.7
|
|
# This variable is a toggle for enabling/disabling the automated modification of
|
|
# permissions on dot files.
|
|
# Possible values are `true` and `false`.
|
|
ubtu24cis_dotperm_ansiblemanaged: true
|
|
|
|
## Section 7
|
|
|
|
# 7.1.12 Ensure no files or directories without an owner and a group exist
|
|
ubtu24cis_exclude_unowned_search_path: (! -path "/run/user/*" -a ! -path "/proc/*" -a ! -path "*/containerd/*" -a ! -path "*/kubelet/pods/*" -a ! -path "*/kubelet/plugins/*" -a ! -path "/sys/fs/cgroup/memory/*" -a ! -path "/var/*/private/*")
|
|
|
|
# Control 7.1.12
|
|
# The value of this variable specifies the owner that will be set for unowned files and directories.
|
|
ubtu24cis_unowned_owner: root
|
|
ubtu24cis_ungrouped_group: root
|
|
# This variable is a toggle for enabling/disabling the automated
|
|
# setting of an owner (specified in variable `ubtu24cis_unowned_owner`)
|
|
# for all unowned files and directories.
|
|
# Possible values are `true` and `false`.
|
|
ubtu24cis_ownership_adjust: true
|
|
|
|
## Control 7.1.13
|
|
# This variable is a toggle for enabling/disabling the automated removal
|
|
# of the SUID bit from all files on all mounts (the variable name suggests the same toggle covers SGID; confirm in the task).
|
|
# Possible values are `true` and `false`.
|
|
ubtu24cis_suid_sgid_adjust: false
|