2024-07-11 22:20:45 +02:00
---
2024-03-19 23:02:50 +01:00
- name : Configurationg System for CIS conformity
block :
- name : Disable Kernel Modules
2024-07-11 22:20:45 +02:00
ansible.builtin.copy :
2024-03-19 23:02:50 +01:00
dest : /mnt/etc/modprobe.d/cis.conf
content : |
CIS LVL 3 Restrictions
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install squashfs /bin/true
install udf /bin/true
install usb-storage /bin/true
install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
- name : Create USB Rules
2024-07-11 22:20:45 +02:00
ansible.builtin.copy :
2024-03-19 23:02:50 +01:00
dest : /mnt/etc/udev/rules.d/10-cis_usb_devices.sh
content : |
By default, disable all.
ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"
Enable hub devices.
ACTION=="add", ATTR{bDeviceClass}=="09", TEST=="authorized", ATTR{authorized}="1"
Enables keyboard devices
ACTION=="add", ATTR{product}=="*[Kk]eyboard*", TEST=="authorized", ATTR{authorized}="1"
PS2-USB converter
ACTION=="add", ATTR{product}=="*Thinnet TM*", TEST=="authorized", ATTR{authorized}="1"
- name : Create a consolidated sysctl configuration file
2024-07-11 22:20:45 +02:00
ansible.builtin.copy :
2024-03-19 23:02:50 +01:00
dest : /mnt/etc/sysctl.d/10-cis.conf
content : |
## CIS Sysctl configurations
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
# - name: Adjust login.defs
# replace:
# path: /mnt/etc/login.defs
# regexp: "{{ item.regexp }}"
# replace: "{{ item.replace }}"
# loop:
# - { regexp: '^PASS_MAX_DAYS.*', replace: 'PASS_MAX_DAYS 90' }
# - { regexp: '^PASS_MIN_DAYS.*', replace: 'PASS_MIN_DAYS 7' }
# - { regexp: '^UMASK.*', replace: 'UMASK 027' }
2024-04-17 14:09:32 +02:00
- name : Ensure files exist
2024-07-11 22:20:45 +02:00
ansible.builtin.file :
2024-03-19 23:02:50 +01:00
path : "{{ item }}"
state : touch
2024-07-11 22:20:45 +02:00
mode : "0600"
2024-03-19 23:02:50 +01:00
loop :
- /mnt/etc/at.allow
- /mnt/etc/cron.allow
2024-04-17 14:09:32 +02:00
- /mnt/etc/hosts.allow
- /mnt/etc/hosts.deny
2024-03-19 23:02:50 +01:00
- name : Add Security related lines into config files
2024-07-11 22:20:45 +02:00
ansible.builtin.lineinfile :
2024-03-19 23:02:50 +01:00
path : "{{ item.path }}"
line : "{{ item.content }}"
loop :
2024-07-11 22:20:45 +02:00
- { path: /mnt/etc/security/limits.conf, content : "* hard core 0" }
- { path: /mnt/etc/security/pwquality.conf, content : minlen = 14 }
- { path: /mnt/etc/security/pwquality.conf, content : dcredit = -1 }
- { path: /mnt/etc/security/pwquality.conf, content : ucredit = -1 }
- { path: /mnt/etc/security/pwquality.conf, content : ocredit = -1 }
- { path: /mnt/etc/security/pwquality.conf, content : lcredit = -1 }
- { path : '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rocky"] else "bash.bashrc" }}' , content : umask 077 }
- { path : '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rocky"] else "bash.bashrc" }}' , content : export TMOUT=3000 }
- { path : '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}' , content : Storage=persistent }
- { path: /mnt/etc/sudoers, content : Defaults logfile="/var/log/sudo.log" }
- { path: /mnt/etc/pam.d/su, content : auth required pam_wheel.so }
- path : /mnt/etc/{{ "pam.d/common-auth" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth"
}}
content : auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900
- path : /mnt/etc/{{ "pam.d/common-account" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth" if os == "fedora" else
"pam.d/system-auth" }}
content : account required pam_faillock.so
- path : /mnt/etc/pam.d/{{ "common-password" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "passwd" }}
content : password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5
- { path: /mnt/etc/hosts.deny, content : "ALL: ALL" }
- { path: /mnt/etc/hosts.allow, content : "sshd: ALL" }
2024-03-19 23:02:50 +01:00
- name : Set permissions for various files and directories
2024-07-11 22:20:45 +02:00
ansible.builtin.file :
2024-03-19 23:02:50 +01:00
path : "{{ item.path }}"
owner : "{{ item.owner | default(omit) }}"
group : "{{ item.group | default(omit) }}"
mode : "{{ item.mode }}"
loop :
2024-07-11 22:20:45 +02:00
- { path: /mnt/etc/ssh/sshd_config, mode : "0600" }
- { path: /mnt/etc/cron.hourly, mode : "0700" }
- { path: /mnt/etc/cron.daily, mode : "0700" }
- { path: /mnt/etc/cron.weekly, mode : "0700" }
- { path: /mnt/etc/cron.monthly, mode : "0700" }
- { path: /mnt/etc/cron.d, mode : "0700" }
- { path: /mnt/etc/crontab, mode : "0600" }
- { path: /mnt/etc/logrotate.conf, mode : "0644" }
- { path: /mnt/usr/sbin/pppd, mode : "754" }
- { path : '/mnt/usr/bin/{{ "fusermount3" if os in ["archlinux", "debian12", "fedora"] else "fusermount" }}' , mode : "755" }
- { path : '/mnt/usr/bin/{{ "write.ul" if os == "debian11" else "write" }}' , mode : "755" }
2024-03-19 23:02:50 +01:00
- name : Adjust SSHD config
2024-07-11 22:20:45 +02:00
ansible.builtin.lineinfile :
2024-03-19 23:02:50 +01:00
path : /mnt/etc/ssh/sshd_config
2024-07-11 22:20:45 +02:00
regexp : ^\s*#?{{ item.option }}\s+.*$
line : "{{ item.option }} {{ item.value }}"
2024-03-19 23:02:50 +01:00
with_items :
2024-07-11 22:20:45 +02:00
- { option: LogLevel, value : VERBOSE }
- { option: LoginGraceTime, value : "60" }
- { option: PermitRootLogin, value : "no" }
- { option: StrictModes, value : "yes" }
- { option: MaxAuthTries, value : "4" }
- { option: MaxSessions, value : "10" }
- { option: MaxStartups, value : 10 : 30 : 60 }
- { option: PubkeyAuthentication, value : "yes" }
- { option: HostbasedAuthentication, value : "no" }
- { option: IgnoreRhosts, value : "yes" }
- { option: PasswordAuthentication, value : "no" }
- { option: PermitEmptyPasswords, value : "no" }
- { option: KerberosAuthentication, value : "no" }
- { option: GSSAPIAuthentication, value : "no" }
- { option: GSSAPIKeyExchange, value : "no" }
- { option: AllowAgentForwarding, value : "no" }
- { option: AllowTcpForwarding, value : "no" }
- { option: ChallengeResponseAuthentication, value : "no" }
- { option: GatewayPorts, value : "no" }
- { option: X11Forwarding, value : "no" }
- { option: PermitUserEnvironment, value : "no" }
- { option: ClientAliveInterval, value : "300" }
- { option: ClientAliveCountMax, value : "0" }
- { option: PermitTunnel, value : "no" }
- { option: Banner, value : /etc/issue.net }
2024-03-19 23:02:50 +01:00
- name : Append CIS Specific configurations to sshd_config
2024-07-11 22:20:45 +02:00
ansible.builtin.lineinfile :
2024-03-19 23:02:50 +01:00
path : /mnt/etc/ssh/sshd_config
2024-07-11 22:20:45 +02:00
line : |2-
2024-03-19 23:02:50 +01:00
## CIS Specific
Protocol 2
### Ciphers and keying ###
RekeyLimit 512M 6h
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
###########################
AllowStreamLocalForwarding no
PermitUserRC no
AllowUsers svcansible
AllowGroups *
DenyUsers nobody
2024-07-11 22:20:45 +02:00
DenyGroups nobody