diff --git a/roles/cis/tasks/auth.yml b/roles/cis/tasks/auth.yml
index 350b03c..741136e 100644
--- a/roles/cis/tasks/auth.yml
+++ b/roles/cis/tasks/auth.yml
@@ -5,6 +5,7 @@
 regexp: "^(\\s*)umask\\s+\\d+"
 line: "umask 027"
+# Non-RHEL/non-Debian distros: loop evaluates to [] (intentional skip)
 - name: Prevent Login to Accounts With Empty Password
 ansible.builtin.replace:
 dest: "{{ item }}"
diff --git a/roles/cis/tasks/crypto.yml b/roles/cis/tasks/crypto.yml
index a3d58b1..94d8b9f 100644
--- a/roles/cis/tasks/crypto.yml
+++ b/roles/cis/tasks/crypto.yml
@@ -9,4 +9,4 @@
 ansible.builtin.command: >
 {{ chroot_command }} systemctl mask {{ 'nftables' if system_cfg.features.firewall.toolkit == 'iptables' else 'iptables' }} bluetooth rpcbind
 register: cis_mask_services_result
- changed_when: cis_mask_services_result.rc == 0
+ changed_when: "'Created symlink' in cis_mask_services_result.stderr"
diff --git a/roles/cis/tasks/modules.yml b/roles/cis/tasks/modules.yml
index 21c1485..d2e48b8 100644
--- a/roles/cis/tasks/modules.yml
+++ b/roles/cis/tasks/modules.yml
@@ -10,6 +10,7 @@
 install hfs /bin/false
 install hfsplus /bin/false
 install cramfs /bin/false
+ # Note: disabling squashfs breaks snap (Ubuntu). Remove for snap-dependent hosts.
 install squashfs /bin/false
 install udf /bin/false
 install usb-storage /bin/false
diff --git a/roles/cis/tasks/security_lines.yml b/roles/cis/tasks/security_lines.yml
index 46dd142..8167483 100644
--- a/roles/cis/tasks/security_lines.yml
+++ b/roles/cis/tasks/security_lines.yml
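Review bot: The new comment documents a silent skip, but a hardening control that applies nothing on an unsupported distro leaves no trace in the play output, so a coverage gap looks like success; prefer an explicit `when:` on the task (it then shows as skipped) or an early `ansible.builtin.assert` on the supported-distro condition. The comment should also name the loop variable it refers to, e.g. `# <loop variable>: empty on non-RHEL/non-Debian hosts, so this task is a deliberate no-op there`. It sits at column 0 between two tasks, which reads as belonging to the task below it; that task's loop and the rest of its body continue outside the hunk.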
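Review bot: The new `changed_when` keys off a human-readable message and the stream it is printed on, so idempotency reporting now depends on systemctl's output wording rather than on state; if a systemd release prints `Created symlink` on stdout instead, the task reports unchanged while it did mask units. A cheap hedge is `changed_when: "'Created symlink' in cis_mask_services_result.stderr or 'Created symlink' in cis_mask_services_result.stdout"`, and a comment saying why `rc == 0` was dropped (on the systemd releases I know, `systemctl mask` exits 0 even when the unit is already masked) would keep the next reader from reverting it. A non-zero exit still fails the task through the command module's default, so failure handling is not weakened. The task header is outside the hunk.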
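Review bot: The added comment lives inside the block scalar, so it is shipped into the modprobe.d file on the target rather than read by whoever maintains this role; modprobe.d accepts `#` comments, so it is harmless there, but its instruction ("Remove for snap-dependent hosts") asks operators to edit the role instead of the inventory. If this content is rendered through Jinja (copy/template), gate the line on an inventory variable instead, e.g. `{% if not cis_allow_squashfs | default(false) %}` / `install squashfs /bin/false` / `{% endif %}` (variable name is a placeholder), and move the explanation above the task as a YAML comment. The block scalar and its task start and end outside the hunk.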
@@ -11,7 +11,7 @@
 - { path: /mnt/etc/security/pwquality.conf, content: ocredit = -1 }
 - { path: /mnt/etc/security/pwquality.conf, content: lcredit = -1 }
 - { path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}', content: umask 077 }
- - { path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}', content: export TMOUT=3000 }
+ - { path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}', content: export TMOUT=900 }
 - { path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}', content: Storage=persistent }
 - { path: /mnt/etc/sudoers, content: Defaults logfile="/var/log/sudo.log" }
 - { path: /mnt/etc/pam.d/su, content: auth required pam_wheel.so }
diff --git a/roles/cis/tasks/sshd.yml b/roles/cis/tasks/sshd.yml
index 6bebcc5..11f8ffd 100644
--- a/roles/cis/tasks/sshd.yml
+++ b/roles/cis/tasks/sshd.yml
@@ -21,7 +21,7 @@
 - { option: GSSAPIAuthentication, value: "no" }
 - { option: AllowAgentForwarding, value: "no" }
 - { option: AllowTcpForwarding, value: "no" }
- - { option: ChallengeResponseAuthentication, value: "no" }
+ - { option: KbdInteractiveAuthentication, value: "no" }
 - { option: GatewayPorts, value: "no" }
 - { option: X11Forwarding, value: "no" }
 - { option: PermitUserEnvironment, value: "no" }
@@ -36,7 +36,6 @@
 marker: "# {mark} CIS SSH HARDENING"
 block: |-
 ## CIS Specific
- Protocol 2
 ### Ciphers and keying ###
 RekeyLimit 512M 6h
 KexAlgorithms mlkem768x25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
diff --git a/roles/cis/tasks/sysctl.yml b/roles/cis/tasks/sysctl.yml
index e30cc14..f5d0d8c 100644
--- a/roles/cis/tasks/sysctl.yml
+++ b/roles/cis/tasks/sysctl.yml
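Review bot: `export TMOUT=900` alone can be undone by the user with `unset TMOUT` or a fresh assignment in their own rc files, so the idle timeout is advisory; the CIS wording also makes the variable read-only, which here would be `content: 'readonly TMOUT=900; export TMOUT'`. If the task that consumes this list is a lineinfile without a regexp matching the previous value, hosts hardened with the earlier revision keep `export TMOUT=3000` next to the new line and which one wins depends on their order in the file. The consuming task is outside the hunk.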
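Review bot: Replacing `ChallengeResponseAuthentication` with `KbdInteractiveAuthentication` is only equivalent on OpenSSH 8.7 and later, where the former became an alias of the latter; on older sshd releases (for example the 8.0 shipped with RHEL 8) the two were separate settings and, as far as I recall, `ChallengeResponseAuthentication` left at its default of yes re-enables keyboard-interactive at startup, so the hardening silently regresses there. Keeping both entries is safe on every version, since on new releases both keywords set the same option: `- { option: ChallengeResponseAuthentication, value: "no" }` and `- { option: KbdInteractiveAuthentication, value: "no" }`. The task that writes these options starts outside the hunk.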
@@ -5,9 +5,12 @@
 mode: "0644"
 content: |
 ## CIS Sysctl configurations
+ fs.suid_dumpable=0
+ kernel.dmesg_restrict=1
 kernel.yama.ptrace_scope=1
 kernel.randomize_va_space=2
 # Network
+ # Disable forwarding; override in inventory for routers/containers
 net.ipv4.ip_forward=0
 net.ipv4.tcp_syncookies=1
 net.ipv4.icmp_echo_ignore_broadcasts=1
@@ -24,6 +27,7 @@
 net.ipv4.conf.default.send_redirects=0
 net.ipv4.conf.default.accept_redirects=0
 net.ipv6.conf.all.accept_redirects=0
+ # Disable IPv6; override in inventory if IPv6 is needed
 net.ipv6.conf.all.disable_ipv6=1
 net.ipv6.conf.default.accept_redirects=0
 net.ipv6.conf.default.disable_ipv6=1
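Review bot: Both new comments promise an inventory override (`# Disable forwarding; override in inventory ...` here and `# Disable IPv6; override in inventory ...` in the second hunk at `@@ -24,6 +27,7 @@`), but the values sit in a literal `content: |` block with no variable, so an operator has no override short of editing the role. If this content is rendered by the copy/template module, template the settings, e.g. `net.ipv4.ip_forward={{ cis_ip_forward | default(0) }}` and `net.ipv6.conf.all.disable_ipv6={{ cis_disable_ipv6 | default(1) }}` (placeholder variable names; the `default.disable_ipv6` line needs the same treatment), otherwise reword the comments to say the values are fixed. `fs.suid_dumpable=0` and `kernel.dmesg_restrict=1` are fine as added, and `#` comments are valid inside a sysctl.d file, so the comments can stay in the shipped content. The task that writes this content starts outside the hunk.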