Update benchmarks (#22)

* updated main and section1 * updated prelim, section3 and section4 * fix rsyslog * update rsyslog * update section 5 * update readme * update section2 * updated 2.1.6 (block) * updated section2 * small syntax update
florianutz · May 14, 2019 · 2f87cd1 · 2f87cd1
1 parent 43f290e
commit 2f87cd1
Show file tree

Hide file tree

Showing 8 changed files with 174 additions and 205 deletions.
diff --git a/README.md b/README.md
@@ -189,6 +189,15 @@ Example Playbook
     - Ubuntu1804-CIS
 ```
 
+To run the tasks in this repository, first create this file one level above the repository
+(i.e. the playbook .yml and the directory `Ubuntu1804-CIS` should be next to each other),
+then review the file `defaults/main.yml` and disable any rule/section you do not wish to execute.
+
+Assuming you named the file `site.yml`, run it with:
+```bash
+ansible-playbook site.yml
+```
+
 Tags
 ----
 Many tags are available for precise control of what is and is not changed.

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -26,8 +26,6 @@ ubuntu1804cis_rule_1_1_1_3: true
 ubuntu1804cis_rule_1_1_1_4: true
 ubuntu1804cis_rule_1_1_1_5: true
 ubuntu1804cis_rule_1_1_1_6: true
-ubuntu1804cis_rule_1_1_1_7: true
-ubuntu1804cis_rule_1_1_1_8: true
 ubuntu1804cis_rule_1_1_2: true
 ubuntu1804cis_rule_1_1_3: true
 ubuntu1804cis_rule_1_1_4: true
@@ -48,12 +46,8 @@ ubuntu1804cis_rule_1_1_18: true
 ubuntu1804cis_rule_1_1_19: true
 ubuntu1804cis_rule_1_1_20: true
 ubuntu1804cis_rule_1_1_21: true
-ubuntu1804cis_rule_1_1_22: true
 ubuntu1804cis_rule_1_2_1: true
 ubuntu1804cis_rule_1_2_2: true
-ubuntu1804cis_rule_1_2_3: true
-ubuntu1804cis_rule_1_2_4: true
-ubuntu1804cis_rule_1_2_5: true
 ubuntu1804cis_rule_1_3_1: true
 ubuntu1804cis_rule_1_3_2: true
 ubuntu1804cis_rule_1_4_1: true
@@ -86,6 +80,10 @@ ubuntu1804cis_rule_2_1_4: true
 ubuntu1804cis_rule_2_1_5: true
 ubuntu1804cis_rule_2_1_6: true
 ubuntu1804cis_rule_2_1_7: true
+ubuntu1804cis_rule_2_1_8: true
+ubuntu1804cis_rule_2_1_9: true
+ubuntu1804cis_rule_2_1_10: true
+ubuntu1804cis_rule_2_1_11: true
 ubuntu1804cis_rule_2_2_1_1: true
 ubuntu1804cis_rule_2_2_1_2: true
 ubuntu1804cis_rule_2_2_1_3: true
@@ -105,10 +103,6 @@ ubuntu1804cis_rule_2_2_14: true
 ubuntu1804cis_rule_2_2_15: true
 ubuntu1804cis_rule_2_2_16: true
 ubuntu1804cis_rule_2_2_17: true
-ubuntu1804cis_rule_2_2_18: true
-ubuntu1804cis_rule_2_2_19: true
-ubuntu1804cis_rule_2_2_20: true
-ubuntu1804cis_rule_2_2_21: true
 ubuntu1804cis_rule_2_3_1: true
 ubuntu1804cis_rule_2_3_2: true
 ubuntu1804cis_rule_2_3_3: true
@@ -393,7 +387,7 @@ ubuntu1804cis_pwquality:
     value: '-1'
 
 ubuntu1804cis_pass:
-  max_days: 90
+  max_days: 365
   min_days: 7
   warn_age: 7
 

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
@@ -70,6 +70,18 @@
   changed_when: false
   check_mode: false
 
+- name: "PRELIM | Check for openbsd-inetd service"
+  shell: "dpkg -s openbsd-inetd | grep -o 'ok installed'; true"
+  register: openbsd_inetd_service_status
+  changed_when: false
+  check_mode: false
+
+- name: "PRELIM | Check for rsyslog service"
+  shell: "systemctl is-enabled rsyslog; true"
+  register: rsyslog_service_status
+  changed_when: false
+  check_mode: false
+
 - name: "PRELIM | Check for ntpd service"
   shell: "set -o pipefail
       systemctl show {{ ntp_service[ansible_os_family] }} | grep LoadState | cut -d = -f 2"
@@ -299,3 +311,21 @@
   stat:
     path: /boot/grub/grub.cfg
   register: grub_cfg
+
+- name: "PRELIM | Check that system accounts are non-login #1"
+  shell: >
+    egrep -v "^\+" /etc/passwd | awk -F: '($1!="root" && $1!="sync" &&
+    $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" &&
+    $7!="/bin/false") {print}'
+  register: system_accounts_non_login_1
+  changed_when: false
+  check_mode: false
+
+
+- name: "PRELIM | Check that system accounts are non-login #2"
+  shell: >
+    for user in `awk -F: '($1!="root" && $3 < 1000) {print $1 }' /etc/passwd`; do
+    passwd -S $user | awk -F ' ' '($2!="L") {print $1}'; done
+  register: system_accounts_non_login_2
+  changed_when: false
+  check_mode: false
diff --git a/tasks/section1.yml b/tasks/section1.yml
@@ -157,98 +157,36 @@
       - filesystems
       - rule_1.1.1.5
 
-- name: "SCORED | 1.1.1.6 | PATCH | Ensure mounting of squashfs filesystems is disabled"
-  lineinfile:
-      dest: /etc/modprobe.d/CIS.conf
-      regexp: "^(#)?install squashfs(\\s|$)"
-      line: "install squashfs /bin/true"
-      state: present
-      create: true
-  when:
-      - ubuntu1804cis_rule_1_1_1_6
-  tags:
-      - level1
-      - scored
-      - patch
-      - squashfs
-      - filesystems
-      - rule_1.1.1.6
-
-- name: "SCORED | 1.1.1.6 | PATCH | Remove squashfs module"
-  modprobe:
-      name: squashfs
-      state: absent
-  when:
-      - ubuntu1804cis_rule_1_1_1_6
-  tags:
-      - level1
-      - scored
-      - patch
-      - squashfs
-      - filesystems
-      - rule_1.1.1.6
-
-- name: "SCORED | 1.1.1.7 | PATCH | Ensure mounting of udf filesystems is disabled"
+- name: "SCORED | 1.1.1.6 | PATCH | Ensure mounting of udf filesystems is disabled"
   lineinfile:
       dest: /etc/modprobe.d/CIS.conf
       regexp: "^(#)?install udf(\\s|$)"
       line: "install udf /bin/true"
       state: present
       create: true
   when:
-      - ubuntu1804cis_rule_1_1_1_7
+      - ubuntu1804cis_rule_1_1_1_6
   tags:
       - level1
       - scored
       - patch
       - udf
       - filesystems
-      - rule_1.1.1.7
+      - rule_1.1.1.6
 
-- name: "SCORED | 1.1.1.7 | PATCH | Remove udf module"
+- name: "SCORED | 1.1.1.6 | PATCH | Remove udf module"
   modprobe:
       name: udf
       state: absent
   when:
-      - ubuntu1804cis_rule_1_1_1_7
+      - ubuntu1804cis_rule_1_1_1_6
   tags:
       - level1
       - scored
       - patch
       - udf
       - filesystems
-      - rule_1.1.1.7
-
-- name: "SCORED | 1.1.1.8 | PATCH | Ensure mounting of FAT filesystems is disabled"
-  lineinfile:
-      dest: /etc/modprobe.d/CIS.conf
-      regexp: "^(#)?install vfat(\\s|$)"
-      line: "install vfat /bin/true"
-      state: present
-      create: true
-  when:
-      - ubuntu1804cis_rule_1_1_1_8
-  tags:
-      - level1
-      - scored
-      - patch
-      - vfat
-      - filesystems
-      - rule_1.1.1.8
-
-- name: "SCORED | 1.1.1.8 | PATCH | Remove FAT module"
-  modprobe:
-      name: vfat
-      state: absent
-  when:
-      - ubuntu1804cis_rule_1_1_1_8
-  tags:
-      - level2
-      - scored
-      - patch
-      - vfat
-      - filesystems
-      - rule_1.1.1.8
+      - rule_1.1.1.6
 
 - name: "SCORED | 1.1.2 | PATCH | Ensure separate partition exists for /tmp | enable and start/restart tmp.mount"
   copy:
@@ -520,16 +458,16 @@
       - rule_1.2.1
 
 
-- name: "NOTSCORED | 1.2.3 | PATCH | Ensure GPG keys are configured"
+- name: "NOTSCORED | 1.2.2 | PATCH | Ensure GPG keys are configured"
   command: /bin/true
   changed_when: false
   when:
-      - ubuntu1804cis_rule_1_2_3
+      - ubuntu1804cis_rule_1_2_2
   tags:
       - level1
       - notscored
       - patch
-      - rule_1.2.3
+      - rule_1.2.2
       - notimplemented
 
 - name: "SCORED | 1.3.1 | PATCH | Ensure AIDE is installed (install nullmailer instead of postfix)"