From 98296ed34b87fd52c08159c208855182e038e55a Mon Sep 17 00:00:00 2001
From: ptyang
Date: Tue, 24 May 2022 11:17:10 +0800
Subject: [PATCH 01/11] Ensure PAM Enforces Password Requirements - Minimum Different Categories;
---
 tasks/section_5_Access_Authentication_and_Authorization.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tasks/section_5_Access_Authentication_and_Authorization.yaml b/tasks/section_5_Access_Authentication_and_Authorization.yaml
index 177e0cb..01bbfa3 100644
--- a/tasks/section_5_Access_Authentication_and_Authorization.yaml
+++ b/tasks/section_5_Access_Authentication_and_Authorization.yaml
@@ -523,7 +523,7 @@
 state: present
 create: yes
 dest: /etc/security/pwquality.conf
-regexp: "^{{ item.key }}"
+regexp: "^#?\\s*{{ item.key }}"
 line: "{{ item.key }} = {{ item.value }}"
 with_items:
 - { key: "minlen", value: "14" }
@@ -531,6 +531,7 @@
 - { key: "ucredit", value: "-1" }
 - { key: "ocredit", value: "-1" }
 - { key: "lcredit", value: "-1" }
+ - { key: "minclass", value: "4" }
 tags:
 - section5
 - level_1_server
From ffff5069aef4021bda1f769bbcbae778abbfc553 Mon Sep 17 00:00:00 2001
From: ptyang
Date: Tue, 24 May 2022 13:41:42 +0800
Subject: [PATCH 02/11] customize configuration
---
 defaults/main.yml | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index c48f307..66b3969 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
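Review bot: The new regexp `^#?\\s*{{ item.key }}` has no terminator after the key, so `lineinfile` can match any line that merely begins with the key name; anchoring on the assignment, `regexp: "^#?\\s*{{ item.key }}\\s*="`, keeps the match to the intended setting. Because the pattern now also matches commented-out copies of the key, and `lineinfile` replaces only the last matching line, a commented copy sitting below an active line would be rewritten while the active line keeps its old value; the effective pwquality values should be checked after the run rather than assumed. The task definition begins outside the hunk.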
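Review bot: `minclass = 4` is added next to `ucredit`, `ocredit` and `lcredit` at `-1` (and presumably a `dcredit` entry above the hunk), which already demand one character from each class, so the new entry restates the policy rather than tightening it. That is harmless, but a comment such as `# minclass duplicates the four *credit = -1 entries; kept so the class requirement is explicit` would stop a maintainer from assuming one of them can be dropped without effect.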
@@ -99,7 +99,14 @@ enable_firewall: yes
 UFWEnable: yes # Running both ufw and the services included in the iptables-persistent package may lead to conflict
 ## 3.5.1.6 Ensure firewall rules exist for all open ports | defined ports
 firewall_list_of_ports_to_allow:
- - { rule: "allow", port: "8080", proto: "tcp" }
+ - { rule: "allow", port: "22", proto: "tcp" }
+ - { rule: "allow", port: "80", proto: "tcp" }
+ - { rule: "allow", port: "81", proto: "tcp" }
+ - { rule: "allow", port: "443", proto: "tcp" }
+ - { rule: "allow", port: "1880", proto: "tcp" }
+ - { rule: "allow", port: "1883", proto: "tcp" }
+ - { rule: "allow", port: "8883", proto: "tcp" }
+ - { rule: "allow", port: "5432", proto: "tcp" }
 ## 3.5.1.6 Ensure firewall rules exist for all open ports | keep_alived
 firewall_allow_keep_alive: no
@@ -124,14 +131,14 @@ grub_backlog_limit: 8192

 # Section 5 settings
 ## 5.1.8 Ensure cron is restricted to authorized users
-allowd_hosts: "ALL: 0.0.0.0/0.0.0.0, 192.168.2.0/255.255.255.0"
+allowd_hosts: "ALL: 0.0.0.0/0.0.0.0, 10.2.0.0/255.255.0.0"
 ## 5.2.13 Ensure only strong MAC algorithms are used
 ssh_MACs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256"
 ## 5.2.14 Ensure only strong Key Exchange algorithms are used
 ssh_key_algorithms: "curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
-ssh_ciphers: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+ssh_ciphers: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
 ## 5.2.17 Ensure SSH access is limited
-allowed_users: ubuntu root #Put None or list of users space between each user
+allowed_users: adminuser #Put None or list of users space between each user
 allowed_groups: None
 deny_users: None
 deny_groups: None
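Review bot: The eight new `allow` rules carry no source restriction, and two of them expose services that are normally not reachable from arbitrary hosts: 5432 (PostgreSQL) and 1883 (MQTT without TLS). If the role's firewall task accepts a source field, limiting those two to the management or application subnet is preferable to a blanket allow; if it does not, a comment such as `# 5432/1883 reachable from any source by design — see <ticket>` records the decision. These are also deployment-specific values placed in the role's `defaults/main.yml`; keeping them in inventory `group_vars` would leave the role reusable.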
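Review bot: The new `ssh_ciphers` value adds `aes128-cbc`, `3des-cbc`, `aes192-cbc` and `aes256-cbc`, the CBC-mode and 3DES ciphers the section 5.2 controls are meant to exclude, whereas the removed line limited sshd to GCM, ChaCha20 and CTR; a later patch in this series restores a GCM/CTR list. The `allowd_hosts` change swaps the subnet but keeps `ALL: 0.0.0.0/0.0.0.0` ahead of it, which already matches every client if this value feeds `/etc/hosts.allow` as the name suggests, so the `10.2.0.0/255.255.0.0` entry restricts nothing; drop the first entry if limiting access is the intent.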
@@ -148,7 +155,7 @@ pass_warn_age: 7
 pass_min_days: 1
 ## 5.4.1.1 Ensure password expiration is 365 days or less
 list_of_os_users:
- - ubuntu
+ - adminuser
 ## 5.4.1.4 Ensure inactive password lock is 30 days or less
 ##Note: A value of -1 would disable this setting
 account_inactive: 30
From afad53fa7cfbcd5ce08d927a52eafca807a983ad Mon Sep 17 00:00:00 2001
From: ptyang
Date: Tue, 24 May 2022 20:19:39 +0800
Subject: [PATCH 03/11] The man page sshd_config(5) contains a list of supported ciphers. The rule is parametrized to use the following ciphers: aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr.
---
 defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 66b3969..0778fa4 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -136,7 +136,7 @@ allowd_hosts: "ALL: 0.0.0.0/0.0.0.0, 10.2.0.0/255.255.0.0"
 ssh_MACs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256"
 ## 5.2.14 Ensure only strong Key Exchange algorithms are used
 ssh_key_algorithms: "curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
-ssh_ciphers: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
+ssh_ciphers: aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 ## 5.2.17 Ensure SSH access is limited
 allowed_users: adminuser #Put None or list of users space between each user
 allowed_groups: None
From c03734a9db026b96c9df1220779bf4381afcbb76 Mon Sep 17 00:00:00 2001
From: ptyang
Date: Tue, 24 May 2022 21:05:40 +0800
Subject: [PATCH 04/11] I do not want to put CIS hardening in project folder.
---
 defaults/main.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
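Review bot: The restored `ssh_ciphers` list drops `chacha20-poly1305@openssh.com`, which the pre-series default included; that is a legitimate choice but nothing in the file says so, and a one-line comment above the key, `# chacha20-poly1305 intentionally omitted; GCM/CTR only`, would keep it from being read as an oversight. The value is also the only one of the three SSH algorithm lists left unquoted; `ssh_ciphers: "aes256-gcm@openssh.com,..."` would match `ssh_MACs` and `ssh_key_algorithms`.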
diff --git a/defaults/main.yml b/defaults/main.yml
index 0778fa4..24c37fd 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -22,13 +22,13 @@ set_root_password: yes
 root_password: r00tP4ssw0rd
 ## 1.7.1 Ensure permissions on /etc/motd are configured: allow for custom motd template (if the file doesn't exist, the
 ## default template in files/templates/motd.j2 will be used)
-custom_motd_file_path: "{{ inventory_dir }}/custom_templates/motd_custom.txt"
+# custom_motd_file_path: "{{ inventory_dir }}/custom_templates/motd_custom.txt"
 ## 1.7.2 Ensure permissions on /etc/issue are configured: allow for custom issue template (if the file doesn't exist, the
 ## default template in files/templates/issue.j2 will be used)
-custom_issue_file_path: "{{ inventory_dir }}/custom_templates/issue_custom.txt"
+# custom_issue_file_path: "{{ inventory_dir }}/custom_templates/issue_custom.txt"
 ## 1.7.3 Ensure permissions on /etc/issue.net are configured: allow for custom issue.net template (if the file doesn't exist, the
 ## default template in files/templates/issue.net.j2 will be used)
-custom_issue_net_file_path: "{{ inventory_dir }}/custom_templates/issue_net_custom.txt"
+# custom_issue_net_file_path: "{{ inventory_dir }}/custom_templates/issue_net_custom.txt"

 # Section 2 Settings
 ##Setting for systemd-timesyncd
From c7f3f698edf6a9aca29283dd2fa2b74d12cc4beb Mon Sep 17 00:00:00 2001
From: ptyang
Date: Tue, 24 May 2022 21:17:20 +0800
Subject: [PATCH 05/11] change location for my own project
---
 defaults/main.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 24c37fd..a363e6b 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
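Review bot: Commenting out `custom_motd_file_path`, `custom_issue_file_path` and `custom_issue_net_file_path` leaves the variables undefined rather than disabled; whether the 1.7.x tasks tolerate that depends on how they reference them, which is not visible here — a bare `{{ custom_motd_file_path }}` without an `is defined` guard would fail the play at that task. Giving each variable an explicit value the tasks treat as "use the bundled template" would state the intent more clearly than a commented-out line. Later patches in this series re-enable the three keys pointing one directory above `inventory_dir`.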
@@ -22,13 +22,13 @@ set_root_password: yes
 root_password: r00tP4ssw0rd
 ## 1.7.1 Ensure permissions on /etc/motd are configured: allow for custom motd template (if the file doesn't exist, the
 ## default template in files/templates/motd.j2 will be used)
-# custom_motd_file_path: "{{ inventory_dir }}/custom_templates/motd_custom.txt"
+custom_motd_file_path: "{{ inventory_dir }}/../custom_templates/motd_custom.txt"
 ## 1.7.2 Ensure permissions on /etc/issue are configured: allow for custom issue template (if the file doesn't exist, the
 ## default template in files/templates/issue.j2 will be used)
-# custom_issue_file_path: "{{ inventory_dir }}/custom_templates/issue_custom.txt"
+custom_issue_file_path: "../{{ inventory_dir }}/../custom_templates/issue_custom.txt"
 ## 1.7.3 Ensure permissions on /etc/issue.net are configured: allow for custom issue.net template (if the file doesn't exist, the
 ## default template in files/templates/issue.net.j2 will be used)
-# custom_issue_net_file_path: "{{ inventory_dir }}/custom_templates/issue_net_custom.txt"
+custom_issue_net_file_path: "../{{ inventory_dir }}/../custom_templates/issue_net_custom.txt"

 # Section 2 Settings
 ##Setting for systemd-timesyncd
From 1ae37aa091ca1dacf45b8884fa5ee26ac970c847 Mon Sep 17 00:00:00 2001
From: ptyang
Date: Tue, 24 May 2022 21:28:03 +0800
Subject: [PATCH 06/11] fix path error
---
 defaults/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index a363e6b..eba47d8 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
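Review bot: The two `../{{ inventory_dir }}/../custom_templates/...` values prepend `../` to a directory that is normally absolute, which does not resolve to the intended location and is inconsistent with the `custom_motd_file_path` line in the same hunk; the next patch in the series corrects both. Even in the corrected form, `{{ inventory_dir }}/..` ties the role to the layout of the directory above the inventory, so a comment such as `# custom templates are expected next to, not inside, the inventory directory` would help whoever relocates the project.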
@@ -25,10 +25,10 @@ root_password: r00tP4ssw0rd
 custom_motd_file_path: "{{ inventory_dir }}/../custom_templates/motd_custom.txt"
 ## 1.7.2 Ensure permissions on /etc/issue are configured: allow for custom issue template (if the file doesn't exist, the
 ## default template in files/templates/issue.j2 will be used)
-custom_issue_file_path: "../{{ inventory_dir }}/../custom_templates/issue_custom.txt"
+custom_issue_file_path: "{{ inventory_dir }}/../custom_templates/issue_custom.txt"
 ## 1.7.3 Ensure permissions on /etc/issue.net are configured: allow for custom issue.net template (if the file doesn't exist, the
 ## default template in files/templates/issue.net.j2 will be used)
-custom_issue_net_file_path: "../{{ inventory_dir }}/../custom_templates/issue_net_custom.txt"
+custom_issue_net_file_path: "{{ inventory_dir }}/../custom_templates/issue_net_custom.txt"

 # Section 2 Settings
 ##Setting for systemd-timesyncd
From 1be241a2f7caafef3452c7916af69291d37960af Mon Sep 17 00:00:00 2001
From: ptyang
Date: Tue, 24 May 2022 23:00:25 +0800
Subject: [PATCH 07/11] ignore_errors value should be boolean true
---
 tasks/section_1_Initial_Setup.yaml | 2 +-
 ...tion_5_Access_Authentication_and_Authorization.yaml | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/tasks/section_1_Initial_Setup.yaml b/tasks/section_1_Initial_Setup.yaml
index 872a2ae..3fd62f7 100644
--- a/tasks/section_1_Initial_Setup.yaml
+++ b/tasks/section_1_Initial_Setup.yaml
@@ -567,7 +567,7 @@
 lineinfile:
 dest: /etc/sudoers
 state: present
-regexp: "^Defaults logfile.*"
+regexp: "^#?\\s*Defaults logfile.*"
 line: 'Defaults logfile="/var/log/sudo.log"'
 validate: "visudo -cf %s"
 tags:
diff --git a/tasks/section_5_Access_Authentication_and_Authorization.yaml b/tasks/section_5_Access_Authentication_and_Authorization.yaml
index 01bbfa3..269044c 100644
--- a/tasks/section_5_Access_Authentication_and_Authorization.yaml
+++ b/tasks/section_5_Access_Authentication_and_Authorization.yaml
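Review bot: The widened `regexp: "^#?\\s*Defaults logfile.*"` lets `lineinfile` match a commented-out `Defaults logfile` line as well; because `lineinfile` edits only the last match, a commented copy placed after an active one would be rewritten while the active line keeps its value, so the resulting `/etc/sudoers` should be inspected rather than assumed correct. `validate: "visudo -cf %s"` still protects against a syntactically broken file, which is good. This sudoers change is unrelated to the commit subject (`ignore_errors` booleans) and would be easier to review as its own commit; the task definition begins outside the hunk.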
@@ -96,7 +96,7 @@
 file:
 path: /etc/cron.deny
 state: absent
- ignore_errors: yes
+ ignore_errors: true
 - stat:
 path: /etc/cron.allow
 register: cfile
@@ -119,7 +119,7 @@
 file:
 path: /etc/at.deny
 state: absent
- ignore_errors: yes
+ ignore_errors: true
 - stat:
 path: /etc/at.allow
 register: cfile
@@ -635,7 +635,7 @@
 - name: 5.5.1.3 Ensure password expiration warning days is 7 or more | chage --warndays
 command: "chage --warndays {{ pass_warn_age }} {{ item }}"
 with_items: "{{ list_of_os_users }}"
- ignore_errors: yes
+ ignore_errors: true
 tags:
 - section5
 - level_1_server
@@ -651,7 +651,7 @@
 - name: 5.5.1.4 Ensure inactive password lock is 30 days or less | useradd
 command: "chage --inactive {{ account_inactive }} {{ item }}"
 with_items: "{{ list_of_os_users }}"
- ignore_errors: yes
+ ignore_errors: true
 tags:
 - section5
 - level_1_server
@@ -801,7 +801,7 @@
 copy:
 dest: "{{ outputfiles }}/5.6"
 content: "{{ securetty }}"
- ignore_errors: yes
+ ignore_errors: true
 tags:
 - section5
 - level_1_server
From 487c4effdcdf9e2c567f31ea0a7413e0fd1d1f98 Mon Sep 17 00:00:00 2001
From: ptyang
Date: Tue, 24 May 2022 23:03:46 +0800
Subject: [PATCH 08/11] ignore_errors: true replace yes
---
 tasks/section_1_Initial_Setup.yaml | 14 +++++++-------
 tasks/section_2_Services.yaml | 2 +-
 tasks/section_4_Logging_and_Auditing.yaml | 2 +-
 3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/tasks/section_1_Initial_Setup.yaml b/tasks/section_1_Initial_Setup.yaml
index 3fd62f7..9eb0006 100644
--- a/tasks/section_1_Initial_Setup.yaml
+++ b/tasks/section_1_Initial_Setup.yaml
@@ -214,7 +214,7 @@
 modprobe:
 name: vfat
 state: absent
- ignore_errors: yes
+ ignore_errors: true
 when: disable_fat
 tags:
 - section1
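Review bot: `file: state: absent` does not fail when `/etc/cron.deny` is already missing, so `ignore_errors: true` on this task (and on the matching `/etc/at.deny` task in the `-119` hunk) buys nothing and would only hide a real failure such as a permission error; since the line is being rewritten anyway, dropping the key is the cleaner fix. For the `chage` tasks in the `-635` and `-651` hunks, where a failure can be legitimate (a listed user missing), `register` plus an explicit later check, or a `failed_when` that names the tolerated condition, keeps the outcome visible instead of suppressing it.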
@@ -420,7 +420,7 @@
 shell: |
 df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null
 register: worldWriteableList
- ignore_errors: yes
+ ignore_errors: true
 - name: 1.1.22 Ensure sticky bit is set on all world-writable directories | fix
 script: 1_1_22.sh
 when: worldWriteableList.stdout_lines |length > 0
@@ -443,7 +443,7 @@
 service:
 name: autofs
 enabled: false
- ignore_errors: yes
+ ignore_errors: true
 - name: 1.1.23 Disable Automounting | package remove
 apt:
 name: autofs
@@ -793,7 +793,7 @@
 shell: |
 dmesg | grep -E "NX|XD" | grep " active"
 register: xdnx
- ignore_errors: yes
+ ignore_errors: true
 - name: 1.5.1 Ensure XD/NX support is enabled
 debug:
 msg: |
@@ -802,7 +802,7 @@
 If necessary configure your bootloader to load the new kernel and reboot the system.
 You may need to enable NX or XD support in your bios.
 {{ xdnx.stdout_lines }}
- ignore_errors: yes
+ ignore_errors: true
 tags:
 - section1
 - level_1_server
@@ -829,7 +829,7 @@
 block:
 - name: 1.5.3 Ensure prelink is not installed
 command: prelink -ua
- ignore_errors: yes
+ ignore_errors: true
 - name: 1.5.3 Ensure prelink is not installed
 apt:
 name: prelink
@@ -1080,7 +1080,7 @@
 - name: 1.9 Ensure updates, patches, and additional security software are installed
 apt:
 upgrade: dist
- ignore_errors: yes
+ ignore_errors: true
 tags:
 - section1
 - level_1_server
diff --git a/tasks/section_2_Services.yaml b/tasks/section_2_Services.yaml
index 50af7c5..57cabe3 100644
--- a/tasks/section_2_Services.yaml
+++ b/tasks/section_2_Services.yaml
@@ -376,7 +376,7 @@
 apt:
 name: rsync
 state: absent
- ignore_errors: yes
+ ignore_errors: true
 when: remove_rsyncservice
 tags:
 - section2
diff --git a/tasks/section_4_Logging_and_Auditing.yaml b/tasks/section_4_Logging_and_Auditing.yaml
index 15400b9..6f5a4b2 100644
--- a/tasks/section_4_Logging_and_Auditing.yaml
+++ b/tasks/section_4_Logging_and_Auditing.yaml
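Review bot: In the `-1080` hunk `ignore_errors: true` remains on the `apt: upgrade: dist` task for control 1.9, so a failed upgrade is reported as a successful hardening run; since the series is already rewriting these lines, this is the place to drop the key, or to `register` the result and fail explicitly once the rest of the section has run. In the `-802` hunk the same key sits on a `debug` task, which cannot fail, so it can simply be removed. The remaining `yes` → `true` changes in this file are fine as a canonicalisation.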
@@ -326,7 +326,7 @@
 notify:
 - audit rules load
 - auditd restart
- ignore_errors: yes
+ ignore_errors: true
 tags:
 - section4
 - level_2_server
From ba7d6a20e761c5627fe1cbf05a59aa216e4e2588 Mon Sep 17 00:00:00 2001
From: ptyang
Date: Tue, 24 May 2022 23:19:55 +0800
Subject: [PATCH 09/11] change root_password
---
 defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index eba47d8..6106b49 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -19,7 +19,7 @@ set_bootloader_credentials: no
 bootloader_credentials: { user: "root", password: "b00tl04derPwd" }
 # 1.4.3 Ensure authentication required for single user mode
 set_root_password: yes
-root_password: r00tP4ssw0rd
+root_password: SingTel5G@SingTel5G
 ## 1.7.1 Ensure permissions on /etc/motd are configured: allow for custom motd template (if the file doesn't exist, the
 ## default template in files/templates/motd.j2 will be used)
 custom_motd_file_path: "{{ inventory_dir }}/../custom_templates/motd_custom.txt"
From 7387bd4dca344b5db3b5251f7f54311730d5e53a Mon Sep 17 00:00:00 2001
From: ptyang
Date: Tue, 24 May 2022 23:38:13 +0800
Subject: [PATCH 10/11] package_ufw_removed
---
 defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 6106b49..2538e19 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -96,7 +96,7 @@ remove_RPC: yes
 disable_wifi: no
 IPv6_is_enabled: no
 enable_firewall: yes
-UFWEnable: yes # Running both ufw and the services included in the iptables-persistent package may lead to conflict
+UFWEnable: no # Running both ufw and the services included in the iptables-persistent package may lead to conflict
 ## 3.5.1.6 Ensure firewall rules exist for all open ports | defined ports
 firewall_list_of_ports_to_allow:
 - { rule: "allow", port: "22", proto: "tcp" }
From 7481543647368b9e4c30c655fcb11ae599fe01a0 Mon Sep 17 00:00:00 2001
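Review bot: `root_password` is now a literal, production-looking credential committed to `defaults/main.yml`; even after it is changed again the value stays recoverable from Git history, so it should be treated as exposed and rotated on any host it was applied to. Supply it from Ansible Vault or a lookup and leave only a placeholder in defaults, e.g. `root_password: "{{ lookup('env', 'ROOT_PASSWORD_VAR') }}"` with the variable name chosen for the project. The same applies to the `bootloader_credentials` password on the context line above, which this patch leaves in clear text.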
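Review bot: `UFWEnable: no` while `enable_firewall: yes` stays set means the `firewall_list_of_ports_to_allow` entries below are enforced only if the role's non-ufw backend (the inline comment mentions `iptables-persistent`) consumes them; that path is not visible here, so confirm the port list is still applied after this change, otherwise the host is left with no host firewall. Patches 07 and 08 of this series standardise on `true`/`false`, so `UFWEnable: false` would be consistent with them, and the subject `package_ufw_removed` does not describe the toggle this hunk actually changes.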
From: ptyang
Date: Wed, 25 May 2022 07:02:29 +0800
Subject: [PATCH 11/11] change localhost to loopback-only
---
 tasks/section_2_Services.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/section_2_Services.yaml b/tasks/section_2_Services.yaml
index 57cabe3..dd886a4 100644
--- a/tasks/section_2_Services.yaml
+++ b/tasks/section_2_Services.yaml
@@ -363,7 +363,7 @@
 lineinfile:
 dest: /etc/postfix/main.cf
 regexp: "^(#)?inet_interfaces"
- line: "inet_interfaces = localhost"
+ line: "inet_interfaces = loopback-only"
 when: postfix.stat.exists
 tags:
 - section2
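Review bot: `inet_interfaces = loopback-only` is written to `/etc/postfix/main.cf`, but nothing in the hunk reloads Postfix, so a running daemon keeps its previous listeners until it is restarted; if the task has no `notify` above the visible lines, add one pointing at the role's Postfix restart handler. The unchanged `regexp: "^(#)?inet_interfaces"` does not allow whitespace after `#`, so a `# inet_interfaces` comment is left in place and the new line appended — acceptable, but worth a short comment on the task. The task definition begins outside the hunk.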