安全审计>> ansible-role-cis>> 返回
项目作者: robertdebock

项目描述 :
Apply and/or check recommendations from the CIS benchmarks.
高级语言:
项目地址: git://github.com/robertdebock/ansible-role-cis.git
创建时间: 2020-07-26T19:45:35Z
项目社区:https://github.com/robertdebock/ansible-role-cis
开源协议:Apache License 2.0
下载


Ansible role cis

Apply and/or check recommendations from the CIS benchmarks.

GitHub GitLab Downloads Version
github gitlab downloads Version

Example Playbook

This example is taken from molecule/default/converge.yml and is tested on each push, pull request and release.

  1. ---
  2. - name: Converge
  3.   hosts: all
  4.   become: true
  5.   gather_facts: true
  7.   vars_files:
  8.     - defaults.yml
  10.   roles:
  11.     - role: robertdebock.cis

The machine needs to be prepared. In CI this is done using molecule/default/prepare.yml:

  1. ---
  2. - name: Prepare
  3.   hosts: all
  4.   become: true
  5.   gather_facts: false
  7.   roles:
  8.     - role: robertdebock.bootstrap
  9.     - role: robertdebock.cron
  10.     - role: robertdebock.update

Also see a full explanation and example on how to use these roles.

Role Variables

The default values for the variables are set in defaults/main.yml:

  1. ---
  2. # defaults file for cis
  4. # The CIS guidelines determines many settings of a system. The values used in
  5. # this file will make a system compliant to the CIS specifications.
  6. # There are many reasons why you do not want to adhere to one or more specific
  7. # rules. You can overwrite values in you group_vars, host_vars, inventory or
  8. # playbook.
  10. # 1.1.1.1 Ensure mounting of cramfs filesystems is disabled (Scored)
  11. cis_cramfs_disabled: true
  13. # 1.1.1.2 Ensure mounting of vFAT filesystems is limited (Not Scored)
  14. cis_vfat_disabled: true
  16. # 1.1.1.3 Ensure mounting of squashfs filesystems is disabled (Scored)
  17. cis_squashfs_disabled: true
  19. # 1.1.1.4 Ensure mounting of udf filesystems is disabled (Scored)
  20. cis_udf_disabled: true
  22. # 1.1.2 Ensure /tmp is configured (Scored)
  23. cis_tmp_configured: true
  25. # 1.1.3 Ensure nodev option set on /tmp partition (Scored)
  26. cis_tmp_nodev: true
  28. # 1.1.4 Ensure nosuid option set on /tmp partition (Scored)
  29. cis_tmp_nosuid: true
  31. # 1.1.5 Ensure noexec option set on /tmp partition (Scored)
  32. cis_tmp_noexec: true
  34. # 1.1.6 Ensure separate partition exists for /var (Scored)
  35. cis_var_partition: true
  37. # 1.1.7 Ensure separate partition exists for /var/tmp (Scored)
  38. cis_var_tmp_partition: true
  40. # 1.1.8 Ensure nodev option set on /var/tmp partition (Scored)
  41. cis_var_tmp_nodev: true
  43. # 1.1.9 Ensure nosuid option set on /var/tmp partition (Scored)
  44. cis_var_tmp_nosuid: true
  46. # 1.1.10 Ensure noexec option set on /var/tmp partition (Scored)
  47. cis_var_tmp_noexec: true
  49. # 1.1.11 Ensure separate partition exists for /var/log (Scored)
  50. cis_var_log_partition: true
  52. # 1.1.12 Ensure separate partition exists for /var/log/audit (Scored)
  53. cis_var_log_audit_partition: true
  55. # 1.1.13 Ensure separate partition exists for /home (Scored)
  56. cis_home_partition: true
  58. # 1.1.14 Ensure nodev option set on /home partition (Scored)
  59. cis_home_nodev: true
  61. # 1.1.15 Ensure nodev option set on /dev/shm partition (Scored)
  62. cis_dev_shm_nodev: true
  64. # 1.1.16 Ensure nosuid option set on /dev/shm partition (Scored)
  65. cis_dev_shm_nosuid: true
  67. # 1.1.17 Ensure noexec option set on /dev/shm partition (Scored)
  68. cis_dev_shm_noexec: true
  70. # 1.1.18 Ensure nodev option set on removable media partitions (Not Scored)
  71. cis_removable_media_nodev: true
  73. # 1.1.19 Ensure nosuid option set on removable media partitions (Not Scored)
  74. cis_removable_media_nosuid: true
  76. # 1.1.20 Ensure noexec option set on removable media partitions (Not Scored)
  77. cis_removable_media_noexec: true
  79. # 1.1.21 Ensure sticky bit is set on all world-writable directories (Scored)
  80. cis_fix_sticky_bit: true
  82. # 1.1.22 Disable Automounting
  83. cis_disable_automount: true
  85. # 1.1.23 Disable USB Storage (Scored)
  86. cis_usb_storage_disabled: true
  88. # 1.2.1 Ensure GPG keys are configured (Not Scored)
  89. cis_gpg_keys_configured: true
  91. # 1.2.2 Ensure gpgcheck is globally activated (Scored)
  92. cis_gpgcheck_enabled: true
  94. # 1.2.3 Ensure package manager repositories are configured (Not Scored)
  95. cis_repositories_configured: true
  97. # 1.3.1 Ensure sudo is installed (Scored)
  98. cis_sudo_installed: true
  100. # 1.3.2 Ensure sudo commands use pty (Scored)
  101. cis_sudo_use_pty: true
  103. # 1.3.3 Ensure sudo log file exists (Scored)
  104. cis_sudo_logfile: true
  106. # 1.4.1 Ensure AIDE is installed (Scored)
  107. cis_aide_installed: true
  109. # 1.4.2 Ensure filesystem integrity is regularly checked (Scored)
  110. cis_filesystem_integrity_checked: true
  112. # 1.5.1 Ensure permissions on bootloader config are configured (Scored)
  113. cis_permissions_bootloader: true
  115. # 1.5.2 Ensure bootloader password is set (Scored)
  116. cis_bootloader_password_set: true
  117. cis_bootloader_password: changeme
  119. # 1.5.3 Ensure authentication required for single user mode (Scored)
  120. cis_authentication_single_user_mode: true
  122. # 1.6.1 Ensure core dumps are restricted (Scored)
  123. cis_core_dumps_restricted: true
  125. # 1.6.2 Ensure address space layout randomization (ASLR) is enabled (Scored)
  126. cis_aslr_enabled: true
  128. # 1.7.1.1 Ensure SELinux is installed (Scored)
  129. cis_selinux_installed: true
  131. # 1.7.1.2 Ensure SELinux is not disabled in bootloader configuration (Scored)
  132. cis_selinux_not_disabled: true
  134. # 1.7.1.3 Ensure SELinux policy is configured (Scored)
  135. cis_selinux_policy_configured: true
  136. cis_selinux_policy: targeted
  138. # 1.7.1.4 Ensure the SELinux state is enforcing (Scored)
  139. cis_selinux_state_enforcing: true
  141. # 1.7.1.5 Ensure no unconfined services exist (Scored)
  142. cis_no_unconfined_services: true
  144. # 1.7.1.6 Ensure SETroubleshoot is not installed (Scored)
  145. cis_setroubleshoot_not_installed: true
  147. # 1.7.1.7 Ensure the MCS Translation Service (mcstrans) is not installed (Scored)
  148. cis_mcs_translation_service_not_installed: true
  150. # 1.8.1.1 Ensure message of the day is configured properly (Scored)
  151. cis_message_of_the_day_configured: true
  152. cis_message_of_the_day: |
  153.   UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
  154.   You must have explicit, authorized permission to access or configure this device. Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties. All activities performed on this device are logged and monitored.
  156. # 1.8.1.2 Ensure local login warning banner is configured properly (Scored)
  157. cis_local_login_banner_configured: true
  159. # 1.8.1.3 Ensure remote login warning banner is configured properly (Scored)
  160. cis_remote_login_banner_configured: true
  162. # 1.8.1.4 Ensure permissions on /etc/motd are configured (Scored)
  163. cis_permissions_etc_motd: true
  165. # 1.8.1.5 Ensure permissions on /etc/issue are configured (Scored)
  166. cis_permissions_etc_issue: true
  168. # 1.8.1.6 Ensure permissions on /etc/issue.net are configured (Scored)
  169. cis_permissions_etc_issue_net: true
  171. # 1.8.2 Ensure GDM login banner is configured (Scored)
  172. cis_gdm_login_banner_configured: true
  174. # 1.9 Ensure updates, patches, and additional security software are installed (Not Scored)
  175. cis_updates_installed: true
  177. # 1.10 Ensure system-wide crypto policy is not legacy (Scored)
  178. cis_crypto_policy_not_legacy: true
  179. cis_crypto_policy: FIPS
  181. # 1.11 Ensure system-wide crypto policy is FUTURE or FIPS (Scored)
  182. cis_ensure_crypto_policy: true
  184. # 2.1.1 Ensure xinetd is not installed (Scored)
  185. cis_xinet_not_installed: true
  187. # 2.2.1.1 Ensure time synchronization is in use (Not Scored)
  188. cis_time_synchronization: true
  190. # 2.2.1.2 Ensure chrony is configured (Scored)
  191. cis_chrony_configured: true
  192. cis_chrony_servers: []
  193. cis_chrony_pools:
  194.   - name: "2.fedora.pool.ntp.org"
  195.     options: iburst
  197. # 2.2.2 Ensure X Window System is not installed (Scored)
  198. cis_x_windows_system_not_installed: true
  200. # 2.2.3 Ensure rsync service is not enabled (Scored)
  201. cis_rsync_service_not_enabled: true
  203. # 2.2.4 Ensure Avahi Server is not enabled (Scored)
  204. cis_avahi_server_not_enabled: true
  206. # 2.2.5 Ensure SNMP Server is not enabled (Scored)
  207. cis_snmp_server_not_enabled: true
  209. # 2.2.6 Ensure HTTP Proxy Server is not enabled (Scored)
  210. cis_http_proxy_server_not_enabled: true
  212. # 2.2.7 Ensure Samba is not enabled (Scored)
  213. cis_samba_server_not_enabled: true
  215. # 2.2.8 Ensure IMAP and POP3 server is not enabled (Scored)
  216. cis_imap_and_pop3_server_not_enabled: true
  218. # 2.2.9 Ensure HTTP server is not enabled (Scored)
  219. cis_http_server_not_enabled: true
  221. # 2.2.10 Ensure FTP Server is not enabled (Scored)
  222. cis_ftp_server_not_enabled: true
  224. # 2.2.11 Ensure DNS Server is not enabled (Scored)
  225. cis_dns_server_not_enabled: true
  227. # 2.2.12 Ensure NFS is not enabled (Scored)
  228. cis_nfs_server_not_enabled: true
  230. # 2.2.13 Ensure RPC is not enabled (Scored)
  231. cis_rpc_not_enabled: true
  233. # 2.2.14 Ensure LDAP server is not enabled (Scored)
  234. cis_ldap_server_not_enabled: true
  236. # 2.2.15 Ensure DHCP Server is not enabled (Scored)
  237. cis_dhcp_server_not_enabled: true
  239. # 2.2.16 Ensure CUPS is not enabled (Scored)
  240. cis_cups_not_enabled: true
  242. # 2.2.17 Ensure NIS Server is not enabled (Scored)
  243. cis_nis_server_not_enabled: true
  245. # 2.2.18 Ensure mail transfer agent is configured for local-only mode (Scored)
  246. cis_mta_local_only_mode: true
  248. # 2.3.1 Ensure NIS Client is not installed (Scored)
  249. cis_nis_client_not_installed: true
  251. # 2.3.2 Ensure telnet client is not installed (Scored)
  252. cis_telnet_client_not_installed: true
  254. # 2.3.3 Ensure LDAP client is not installed (Scored)
  255. cis_ldap_client_not_installed: true
  257. # 3.1.1 Ensure IP forwarding is disabled (Scored)
  258. cis_ip_forwarding_disabled: true
  260. # 3.1.2 Ensure packet redirect sending is disabled (Scored)
  261. cis_packet_redirect_sending_disabled: true
  263. # 3.2.1 Ensure source routed packets are not accepted (Scored)
  264. cis_source_routed_packets_not_accepted: true
  266. # 3.2.2 Ensure ICMP redirects are not accepted (Scored)
  267. cis_icmp_redirects_not_accepted: true
  269. # 3.2.3 Ensure secure ICMP redirects are not accepted (Scored)
  270. cis_secure_icmp_redirects_not_accepted: true
  272. # 3.2.4 Ensure suspicious packets are logged (Scored)
  273. cis_suspicious_packets_logged: true
  275. # 3.2.5 Ensure broadcast ICMP requests are ignored (Scored)
  276. cis_broadcast_icmp_requests_ignored: true
  278. # 3.2.6 Ensure bogus ICMP responses are ignored (Scored)
  279. cis_bogus_icmp_responses_ignored: true
  281. # 3.2.7 Ensure Reverse Path Filtering is enabled (Scored)
  282. cis_reverse_path_filtering: true
  284. # 3.2.8 Ensure TCP SYN Cookies is enabled (Scored)
  285. cis_tcp_syn_cookies_enabled: true
  287. # 3.2.9 Ensure IPv6 router advertisements are not accepted (Scored)
  288. cis_ipv6_router_advertisements_not_accepted: true
  290. # 3.3.1 Ensure DCCP is disabled (Scored)
  291. cis_dccp_disabled: true
  293. # 3.3.2 Ensure SCTP is disabled (Scored)
  294. cis_sctp_disabled: true
  296. # 3.3.3 Ensure RDS is disabled (Scored)
  297. cis_rds_disabled: true
  299. # 3.3.4 Ensure TIPC is disabled (Scored)
  300. cis_tipc_disabled: true
  302. # 3.4.1.1 Ensure a Firewall package is installed (Scored)
  303. cis_firewall_package_installed: true
  304. cis_firewall_package: firewalld
  306. # 3.4.2.1 Ensure firewalld service is enabled and running (Scored)
  307. cis_firewalld_enabled_and_running: true
  309. # 3.4.2.2 Ensure nftables is not enabled (Scored)
  310. cis_nftables_not_enabled: true
  312. # 3.4.2.3 Ensure default zone is set (Scored)
  313. cis_default_zone_set: true
  314. cis_default_zone: public
  316. # 3.4.2.4 Ensure network interfaces are assigned to appropriate zone (Not Scored)
  317. cis_firewalld_network_interface_assigned_zones: true
  318. cis_firewalld_zone_interface_mapping:
  319.   - zone: public
  320.     interface: eth0
  322. # 3.4.2.5 Ensure unnecessary services and ports are not accepted (Not Scored)
  323. cis_unnecessary_services_ports_not_accepted: true
  324. cis_unnecessary_services:
  325.   - cockpit
  326. cis_unnecessary_ports:
  327.   - 12345/tcp
  329. # 3.4.2.6 Ensure iptables is not enabled (Scored)
  330. cis_iptables_not_enabled: true
  332. # 3.4.3 Configure nftables
  333. # This section and all the subsection under 3.4.3 is skipped because section
  334. # 3.4.2 (Configure firewalld) and this section 3.4.3 (Configure nftables) are
  335. # mutually exclusive and firewalld is the default, which uses nft as a backend.
  337. # 3.4.4 Configure iptables
  338. # This section and all the subsection under 3.4.4 is skipped because section
  339. # 3.4.2 (Configure firewalld) and this section 3.4.4 (Configure iptables) are
  340. # mutually exclusive and firewalld is the default, which uses nft as a backend.
  342. # 3.5 Ensure wireless interfaces are disabled (Scored)
  343. cis_wireless_interface_disabled: true
  345. # 3.6 Disable IPv6 (Not Scored)
  346. cis_disable_ipv6: true
  348. # 4.1.1.1 Ensure auditd is installed (Scored)
  349. cis_auditd_installed: true
  351. # 4.1.1.2 Ensure auditd service is enabled (Scored)
  352. cis_auditd_service_enabled: true
  354. # 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled (Scored)
  355. cis_auditing_processes_prior_start: true
  357. # 4.1.1.4 Ensure audit_backlog_limit is sufficient (Scored)
  358. cis_audit_backlog_limit_sufficient: true
  360. # 4.1.2.1 Ensure audit log storage size is configured (Scored)
  361. cis_audit_log_storage_size_configured: true
  362. cis_audit_log_storage_size: 128
  364. # 4.1.2.2 Ensure audit logs are not automatically deleted (Scored)
  365. cis_audit_logs_no_automatically_deleted: true
  367. # 4.1.2.3 Ensure system is disabled when audit logs are full (Scored)
  368. cis_system_disabled_audit_logs_full: true
  370. # 4.1.3 Ensure changes to system administration scope (sudoers) is collected (Scored)
  371. cis_changed_to_system_administrator_scope_collected: true
  373. # 4.1.4 Ensure login and logout events are collected (Scored)
  374. cis_login_and_login_events_collected: true
  376. # 4.1.5 Ensure session initiation information is collected (Scored)
  377. cis_session_initiation_information_collected: true
  379. # 4.1.6 Ensure events that modify date and time information are collected (Scored)
  380. cis_events_modify_time_and_date_collected: true
  382. # 4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected (Scored)
  383. cis_events_modifying_mac_collected: true
  385. # 4.1.8 Ensure events that modify the system's network environment are collected (Scored)
  386. cis_events_modifying_systems_network_collected: true
  388. # 4.1.9 Ensure discretionary access control permission modification events are collected (Scored)
  389. cis_dac_permission_modification_collected: true
  391. # 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected (Scored)
  392. cis_unsuccessful_files_access_collected: true
  394. # 4.1.11 Ensure events that modify user/group information are collected (Scored)
  395. cis_events_modifying_user_group_collected: true
  397. # 4.1.12 Ensure successful file system mounts are collected (Scored)
  398. cis_successful_mounts_collected: true
  400. # 4.1.13 Ensure use of privileged commands is collected (Scored)
  401. cis_privileged_commands_collected: true
  402. # A list of partitions that will be checked. Extend this with all partitions
  403. # that could contain executables.
  404. cis_privileged_commands_collected_partitions:
  405.   - /
  407. # 4.1.14 Ensure file deletion events by users are collected (Scored)
  408. cis_file_deletion_users_collected: true
  410. # 4.1.15 Ensure kernel module loading and unloading is collected (Scored)
  411. cis_kernel_module_loading_unloading_collected: true
  413. # 4.1.16 Ensure system administrator actions (sudolog) are collected (Scored)
  414. cis_system_administrator_actions_collected: true
  416. # 4.1.17 Ensure the audit configuration is immutable (Scored)
  417. cis_audit_configuration_immutable: true
  419. # 4.2.1.1 Ensure rsyslog is installed (Scored)
  420. cis_syslog_installed: true
  422. # 4.2.1.2 Ensure rsyslog Service is enabled (Scored)
  423. cis_rsyslog_enabled: true
  425. # 4.2.1.3 Ensure rsyslog default file permissions configured (Scored)
  426. cis_rsyslog_file_permissions_configured: true
  428. # 4.2.1.4 Ensure logging is configured (Not Scored)
  429. cis_logging_configured: true
  431. cis_logging_site_policy:
  432.   - rule: |-
  433.       '*.emerg'
  434.     destination: |-
  435.       ':omusrmsg:*'
  436.   - rule: 'auth,authpriv.*'
  437.     destination: '/var/log/secure'
  438.   - rule: |-
  439.       'mail.*'
  440.     destination: '-/var/log/mail'
  441.   - rule: 'mail.info'
  442.     destination: '-/var/log/mail.info'
  443.   - rule: 'mail.warning'
  444.     destination: '-/var/log/mail.warn'
  445.   - rule: 'mail.err'
  446.     destination: '/var/log/mail.err'
  447.   - rule: 'news.crit'
  448.     destination: '-/var/log/news/news.crit'
  449.   - rule: 'news.err'
  450.     destination: '-/var/log/news/news.err'
  451.   - rule: 'news.notice'
  452.     destination: '-/var/log/news/news.notice'
  453.   - rule: |-
  454.       '*.=warning;*.=err'
  455.     destination: '-/var/log/warn'
  456.   - rule: |-
  457.       '*.crit'
  458.     destination: '/var/log/warn'
  459.   - rule: |-
  460.       '*.*;mail.none;news.none'
  461.     destination: '-/var/log/messages'
  462.   - rule: |-
  463.       'local0,local1.*'
  464.     destination: '-/var/log/localmessages'
  465.   - rule: 'local2,local3.*'
  466.     destination: '-/var/log/localmessages'
  467.   - rule: |-
  468.       'local4,local5.*'
  469.     destination: '-/var/log/localmessages'
  470.   - rule: |-
  471.       'local6,local7.*'
  472.     destination: '-/var/log/localmessages'
  474. # 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host (Scored)
  475. cis_rsyslog_configured_remote_log_host: true
  477. # 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host (Scored)
  478. cis_rsyslog_site_policy_host: loghost.example.com
  480. # 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts. (Not Scored)
  481. # This item is not implemented because it would need to run on another host.
  483. # 4.2.2.1 Ensure journald is configured to send logs to rsyslog (Scored)
  484. cis_journald_send_to_rsyslog: true
  486. # 4.2.2.2 Ensure journald is configured to compress large log files (Scored)
  487. cis_journald_compless_log_files: true
  489. # 4.2.2.3 Ensure journald is configured to write logfiles to persistent disk (Scored)
  490. cis_journald_write_logfiles_to_disk: true
  492. # 4.2.3 Ensure permissions on all logfiles are configured (Scored)
  493. cis_permissions_on_logfiles: true
  495. # 4.3 Ensure logrotate is configured (Not Scored)
  496. cis_logrotate_configured: true
  497. cis_logrotate_policy:
  498.   - name: dnf
  500. # 5.1.1 Ensure cron daemon is enabled (Scored)
  501. cis_cron_enabled: true
  503. # 5.1.2 Ensure permissions on /etc/crontab are configured (Scored)
  504. cis_cron_permissions_configured: true
  506. # 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored)
  507. cis_cron_hourly_permissions_configured: true
  509. # 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored)
  510. cis_cron_daily_permissions_configured: true
  512. # 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored)
  513. cis_cron_weekly_permissions_configured: true
  515. # 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored)
  516. cis_cron_monthly_permissions_configured: true
  518. # 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored)
  519. cis_cron_d_permissions_configured: true

Requirements

State of used roles

The following roles are used to prepare a system. You can prepare your system in another way.

Requirement GitHub GitLab
robertdebock.bootstrap Build Status GitHub Build Status GitLab
robertdebock.cron Build Status GitHub Build Status GitLab
robertdebock.update Build Status GitHub Build Status GitLab

Context

This role is a part of many compatible roles. Have a look at the documentation of these roles for further information.

Here is an overview of related roles:
dependencies

Compatibility

This role has been tested on these container images:

container tags
EL 9

The minimum version of Ansible required is 2.12, tests have been done to:

  • The previous version.
  • The current version.
  • The development version.

If you find issues, please register them in GitHub.

License

Apache-2.0.

Author Information

robertdebock

Please consider sponsoring me.