From cfcccbf5121106b3f9398ec4e080465501fa140d Mon Sep 17 00:00:00 2001
From: Sandwich
Date: Tue, 21 Jan 2025 19:55:36 +0100
Subject: [PATCH] CIS Adjustments
---
 main.yml | 3 +-
 roles/bootstrap/vars/packages.yml | 8 ++--
 roles/cis/tasks/main.yml | 73 ++++++++++++++++++++++++------
 roles/configuration/tasks/main.yml | 9 +---
 4 files changed, 66 insertions(+), 27 deletions(-)
diff --git a/main.yml b/main.yml
index ee40ee4..73a339f 100644
--- a/main.yml
+++ b/main.yml
@@ -81,7 +81,7 @@ tasks:
 - name: Set final SSH Credentials
- when: hypervisor == 'vmware' and vmware_ssh | bool
+ when: hypervisor != 'vmware' or (hypervisor == 'vmware' and vmware_ssh | bool)
 ansible.builtin.set_fact:
 ansible_user: "{{ user_name }}"
 ansible_password: "{{ user_password }}"
@@ -91,3 +91,4 @@
 - name: Check if VM is back and running
 ansible.builtin.wait_for_connection:
 timeout: 300
+
diff --git a/roles/bootstrap/vars/packages.yml b/roles/bootstrap/vars/packages.yml
index 89d29f5..8b5874d 100644
--- a/roles/bootstrap/vars/packages.yml
+++ b/roles/bootstrap/vars/packages.yml
@@ -16,7 +16,6 @@ almalinux:
 - open-vm-tools
 - ppp
 - shim
- - telnet
 - tmux
 - vim
 - wget
@@ -188,7 +187,6 @@ fedora:
 - ppp
 - ripgrep
 - shim
- - telnet
 - tmux
 - vim-default-editor
 - wget
@@ -200,6 +198,8 @@ rhel8:
 - bind-utils
 - dhcp-client
 - efibootmgr
+ - glibc-langpack-de
+ - glibc-langpack-en
 - grub2
 - grub2-efi-x64
 - lrzsz
@@ -209,7 +209,6 @@ rhel8:
 - open-vm-tools
 - python
 - shim
- - telnet
 - tmux
 - vim
 - zstd
@@ -218,6 +217,8 @@ rhel9:
 - bind-utils
 - dhcp-client
 - efibootmgr
+ - glibc-langpack-de
+ - glibc-langpack-en
 - grub2
 - grub2-efi
 - lrzsz
@@ -227,7 +228,6 @@ rhel9:
 - open-vm-tools
 - python
 - shim
- - telnet
 - tmux
 - vim
 - zram-generator
diff --git a/roles/cis/tasks/main.yml b/roles/cis/tasks/main.yml
index 8e29b28..efb6b35 100644
--- a/roles/cis/tasks/main.yml
+++ b/roles/cis/tasks/main.yml
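Review bot: The new `when:` on the Set final SSH Credentials task is logically redundant: `hypervisor != 'vmware' or (hypervisor == 'vmware' and vmware_ssh | bool)` reduces to `when: hypervisor != 'vmware' or vmware_ssh | bool`, which also reads as the intent (non-VMware hosts always, VMware hosts only when `vmware_ssh` is set). The same task places `ansible_password` into facts without a visible `no_log: true`; unless the play sets it elsewhere, the value can surface in verbose output, so consider adding `no_log: true` to the task. The enclosing play starts outside the hunk.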
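Review bot: telnet is dropped from the almalinux, fedora, rhel8 and rhel9 lists (the -16, -188, -209 and -227 hunks), but if packages.yml also carries lists for the other distributions the cis role targets (`rocky` appears in that role's `when:` list) those still install it; check them so the removal is consistent across the file. The glibc-langpack additions in the -200 and -218 hunks are unrelated to the CIS subject line and would be easier to trace as a separate commit.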
@@ -7,18 +7,19 @@
 mode: '0644'
 content: |
 CIS LVL 3 Restrictions
- install freevxfs /bin/true
- install jffs2 /bin/true
- install hfs /bin/true
- install hfsplus /bin/true
- install squashfs /bin/true
- install udf /bin/true
- install usb-storage /bin/true
+ install freevxfs /bin/false
+ install jffs2 /bin/false
+ install hfs /bin/false
+ install hfsplus /bin/false
+ install cramfs /bin/false
+ install squashfs /bin/false
+ install udf /bin/false
+ install usb-storage /bin/false
- install dccp /bin/true
- install sctp /bin/true
- install rds /bin/true
- install tipc /bin/true
+ install dccp /bin/false
+ install sctp /bin/false
+ install rds /bin/false
+ install tipc /bin/false
 - name: Create USB Rules
 ansible.builtin.copy:
@@ -43,11 +44,20 @@
 mode: '0644'
 content: |
 ## CIS Sysctl configurations
+ kernel.yama.ptrace_scope=1
+ kernel.randomize_va_space=2
+
+ # Network
+ net.ipv4.ip_forward=0
+ net.ipv4.tcp_syncookies=1
+ net.ipv4.icmp_echo_ignore_broadcasts=1
+ net.ipv4.icmp_ignore_bogus_error_responses=1
 net.ipv4.conf.all.log_martians = 1
 net.ipv4.conf.all.rp_filter = 1
 net.ipv4.conf.all.secure_redirects = 0
 net.ipv4.conf.all.send_redirects = 0
 net.ipv4.conf.all.accept_redirects = 0
+ net.ipv4.conf.all.accept_source_route=0
 net.ipv4.conf.default.log_martians = 1
 net.ipv4.conf.default.rp_filter = 1
 net.ipv4.conf.default.secure_redirects = 0
@@ -59,6 +69,7 @@
 net.ipv6.conf.default.disable_ipv6 = 1
 net.ipv6.conf.lo.disable_ipv6 = 1
+
 # - name: Adjust login.defs
 # replace:
 # path: /mnt/etc/login.defs
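Review bot: The `install <module> /bin/false` lines only intercept a load request that reaches modprobe by name; the CIS kernel-module items also check for a matching `blacklist <module>` line per module (e.g. `blacklist cramfs`), which stops the module's own aliases from resolving during hardware autoload, so add one for each module listed here. The header line `CIS LVL 3 Restrictions` in the same `content:` block has no leading `#`; modprobe treats any non-comment line in a modprobe.d file as a directive and will warn about a bad line, so it should read `# CIS LVL 3 Restrictions`. The task's `path:` is outside the hunk, so I cannot confirm which modprobe.d file this is written to.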
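Review bot: The added sysctl lines use `key=value` while the existing ones use `key = value`; both parse, but the block is easier to scan if the new lines follow the file's `key = value` form. `net.ipv4.conf.all.accept_source_route=0` is added without its `net.ipv4.conf.default.accept_source_route = 0` counterpart; the `default.*` stretch continues past the hunk, so add it there if it is not already present. `kernel.yama.ptrace_scope=1` only has an effect where the Yama LSM is built into the target kernel, which I cannot verify from here.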
@@ -69,6 +80,31 @@
 # - { regexp: '^PASS_MIN_DAYS.*', replace: 'PASS_MIN_DAYS 7' }
 # - { regexp: '^UMASK.*', replace: 'UMASK 027' }
+ - name: Ensure the Default UMASK is Set Correctly
+ ansible.builtin.lineinfile:
+ path: "/mnt/etc/profile"
+ regexp: "^(\\s*)umask\\s+\\d+"
+ line: "umask 027"
+
+ - name: Prevent Login to Accounts With Empty Password
+ ansible.builtin.replace:
+ dest: "{{ item }}"
+ regexp: "nullok"
+ loop:
+ - /mnt/etc/pam.d/system-auth
+ - /mnt/etc/pam.d/password-auth
+
+ - name: Configure System Cryptography Policy
+ when: os in ["almalinux", "fedora", "rhel8", "rhel9", "rocky"]
+ ansible.builtin.command:
+ arch-chroot /mnt /usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1
+
+ - name: Mask Systemd Services
+ ansible.builtin.command: >
+ arch-chroot /mnt systemctl mask nftables bluetooth rpcbind
+ changed_when: result.rc == 0
+ register: result
+
 - name: Ensure files exist
 ansible.builtin.file:
 path: "{{ item }}"
@@ -80,6 +116,15 @@
 - /mnt/etc/hosts.allow
 - /mnt/etc/hosts.deny
+ - name: Ensure files do not exist
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: touch
+ mode: "0600"
+ loop:
+ - /mnt/etc/at.deny
+ - /mnt/etc/cron.deny
+
 - name: Add Security related lines into config files
 ansible.builtin.lineinfile:
 path: "{{ item.path }}"
@@ -155,7 +200,7 @@
 - { option: X11Forwarding, value: "no" }
 - { option: PermitUserEnvironment, value: "no" }
 - { option: ClientAliveInterval, value: "300" }
- - { option: ClientAliveCountMax, value: "0" }
+ - { option: ClientAliveCountMax, value: "1" }
 - { option: PermitTunnel, value: "no" }
 - { option: Banner, value: /etc/issue.net }
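Review bot: The UMASK task will not do what its name says: `ansible.builtin.lineinfile` rewrites only the last line matching `regexp`, and /etc/profile on these distributions typically carries two indented `umask` lines (one per branch of the UID test), so one keeps its old value and the rewritten one loses its indentation; `ansible.builtin.replace` with `regexp: '^(\s*)umask\s+\d+'` and `replace: '\1umask 027'` rewrites every occurrence and keeps the indent. The nullok task edits /mnt/etc/pam.d/system-auth and password-auth directly; on RHEL-family targets those files are authselect-managed, so the edit may be reported as a modified profile or overwritten, and `authselect enable-feature without-nullok` is the supported route—worth checking against the target. Both `ansible.builtin.command` tasks report changed on every run: the crypto-policy task has no `changed_when`, and `changed_when: result.rc == 0` on the mask task is true whenever the command succeeds; key it on the output instead (for `systemctl mask`, a `Created symlink` line in stderr typically signals an actual change). `dest:` on the replace task is the legacy alias; `path:` is the canonical parameter.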
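Review bot: The new task is named `Ensure files do not exist` but uses `state: touch`, which creates /mnt/etc/at.deny and /mnt/etc/cron.deny; the name and the action contradict each other. The CIS cron/at items call for the `.deny` files to be removed and for `at.allow`/`cron.allow` to exist with mode 0600 owned by root, so either this task should become `state: absent` for the `.deny` paths with a sibling touch task for the `.allow` files, or its name and paths should change to match what it actually does. `state: touch` also reports changed on every run; if the intent is an idempotent create, add `modification_time: preserve` and `access_time: preserve`.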
@@ -169,9 +214,9 @@
 ### Ciphers and keying ###
 RekeyLimit 512M 6h
- KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+ KexAlgorithms -diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
- MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
+ MACs -hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-sha1-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,umac-64-etm@openssh.com
 ###########################
 AllowStreamLocalForwarding no
diff --git a/roles/configuration/tasks/main.yml b/roles/configuration/tasks/main.yml
index 6e38b94..cdcc1d2 100644
--- a/roles/configuration/tasks/main.yml
+++ b/roles/configuration/tasks/main.yml
@@ -39,7 +39,7 @@
 - "# TempFS"
 - tmpfs /tmp tmpfs defaults,nosuid,nodev,noexec 0 0
 - tmpfs /var/tmp tmpfs defaults,nosuid,nodev,noexec 0 0
- - tmpfs /dev/shm tmpfs defaults,noexec 0 0
+ - tmpfs /dev/shm tmpfs defaults,nosuid,nodev,noexec 0 0
 - name: Set local timezone
 ansible.builtin.command: "{{ item }}"
@@ -213,13 +213,6 @@
 fs-type = swap
 mode: '0644'
- - name: Copy FirstRun Script
- when: os | lower != "archlinux"
- ansible.builtin.template:
- src: firstrun.sh.j2
- dest: /mnt/root/firstrun.sh
- mode: "0755"
-
 - name: Copy Custom Shell config
 ansible.builtin.template:
 src: custom.sh.j2
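Review bot: The new `MACs -…` deny-list still leaves `hmac-sha1`, `hmac-sha1-etm@openssh.com`, `umac-128@openssh.com` and `umac-128-etm@openssh.com` enabled; as far as I recall the CIS weak-MAC list names all four, so the explicit allow-list being removed here was closer to the benchmark than this subtraction, and the same concern applies to the `KexAlgorithms -…` line. The `-` form also tracks whatever the installed OpenSSH build enables by default, so the effective set drifts between versions. On RHEL-family hosts the crypto-policies drop-in included from sshd_config.d sets Ciphers, MACs and KexAlgorithms before this file is read, and sshd keeps the first value it obtains, so these lines may have no effect there; the `DEFAULT:NO-SHA1` policy set in the cis role is what actually removes SHA-1 on those hosts—verify the result with `sshd -T` in the chroot. The file this block is written into is named outside the hunk.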