--- - name: Configurationg System for CIS conformity block: - name: Disable Kernel Modules ansible.builtin.copy: dest: /mnt/etc/modprobe.d/cis.conf mode: '0644' content: | CIS LVL 3 Restrictions install freevxfs /bin/true install jffs2 /bin/true install hfs /bin/true install hfsplus /bin/true install squashfs /bin/true install udf /bin/true install usb-storage /bin/true install dccp /bin/true install sctp /bin/true install rds /bin/true install tipc /bin/true - name: Create USB Rules ansible.builtin.copy: dest: /mnt/etc/udev/rules.d/10-cis_usb_devices.sh mode: '0644' content: | By default, disable all. ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0" Enable hub devices. ACTION=="add", ATTR{bDeviceClass}=="09", TEST=="authorized", ATTR{authorized}="1" Enables keyboard devices ACTION=="add", ATTR{product}=="*[Kk]eyboard*", TEST=="authorized", ATTR{authorized}="1" PS2-USB converter ACTION=="add", ATTR{product}=="*Thinnet TM*", TEST=="authorized", ATTR{authorized}="1" - name: Create a consolidated sysctl configuration file ansible.builtin.copy: dest: /mnt/etc/sysctl.d/10-cis.conf mode: '0644' content: | ## CIS Sysctl configurations net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.log_martians = 1 net.ipv4.conf.default.rp_filter = 1 net.ipv4.conf.default.secure_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.accept_redirects = 0 net.ipv6.conf.default.disable_ipv6 = 1 net.ipv6.conf.lo.disable_ipv6 = 1 # - name: Adjust login.defs # replace: # path: /mnt/etc/login.defs # regexp: "{{ item.regexp }}" # replace: "{{ item.replace }}" # loop: # - { regexp: '^PASS_MAX_DAYS.*', replace: 'PASS_MAX_DAYS 90' } # - { regexp: '^PASS_MIN_DAYS.*', replace: 'PASS_MIN_DAYS 7' } # - { regexp: '^UMASK.*', replace: 'UMASK 027' } - name: Ensure files exist ansible.builtin.file: path: "{{ item }}" state: touch mode: "0600" loop: - /mnt/etc/at.allow - /mnt/etc/cron.allow - /mnt/etc/hosts.allow - /mnt/etc/hosts.deny - name: Add Security related lines into config files ansible.builtin.lineinfile: path: "{{ item.path }}" line: "{{ item.content }}" loop: - { path: /mnt/etc/security/limits.conf, content: "* hard core 0" } - { path: /mnt/etc/security/pwquality.conf, content: minlen = 14 } - { path: /mnt/etc/security/pwquality.conf, content: dcredit = -1 } - { path: /mnt/etc/security/pwquality.conf, content: ucredit = -1 } - { path: /mnt/etc/security/pwquality.conf, content: ocredit = -1 } - { path: /mnt/etc/security/pwquality.conf, content: lcredit = -1 } - { path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rhel8", "rhel9", "rocky"] else "bash.bashrc" }}', content: umask 077 } - { path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rhel8", "rhel9", "rocky"] else "bash.bashrc" }}', content: export TMOUT=3000 } - { path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}', content: Storage=persistent } - { path: /mnt/etc/sudoers, content: Defaults logfile="/var/log/sudo.log" } - { path: /mnt/etc/pam.d/su, content: auth required pam_wheel.so } - { path: '/mnt/etc/{{ "pam.d/common-auth" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth" }}', content: auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900 } - { path: '/mnt/etc/{{ "pam.d/common-account" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth" }}', content: account required pam_faillock.so } - { path: '/mnt/etc/pam.d/{{ "common-password" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "passwd" }}', content: "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5" } - { path: /mnt/etc/hosts.deny, content: "ALL: ALL" } - { path: /mnt/etc/hosts.allow, content: "sshd: ALL" } - name: Set permissions for various files and directories ansible.builtin.file: path: "{{ item.path }}" owner: "{{ item.owner | default(omit) }}" group: "{{ item.group | default(omit) }}" mode: "{{ item.mode }}" loop: > {{ [ { "path": "/mnt/etc/ssh/sshd_config", "mode": "0600" }, { "path": "/mnt/etc/cron.hourly", "mode": "0700" }, { "path": "/mnt/etc/cron.daily", "mode": "0700" }, { "path": "/mnt/etc/cron.weekly", "mode": "0700" }, { "path": "/mnt/etc/cron.monthly", "mode": "0700" }, { "path": "/mnt/etc/cron.d", "mode": "0700" }, { "path": "/mnt/etc/crontab", "mode": "0600" }, { "path": "/mnt/etc/logrotate.conf", "mode": "0644" }, { "path": "/mnt/usr/sbin/pppd", "mode": "0754" } if os not in ["rhel8", "rhel9"] else None, { "path": "/mnt/usr/bin/" + ("fusermount3" if os in ["almalinux", "archlinux", "debian12", "fedora", "rhel9", "rocky"] else "fusermount"), "mode": "755" }, { "path": "/mnt/usr/bin/" + ("write.ul" if os == "debian11" else "write"), "mode": "755" } ] | reject("none") }} - name: Adjust SSHD config ansible.builtin.lineinfile: path: /mnt/etc/ssh/sshd_config regexp: ^\s*#?{{ item.option }}\s+.*$ line: "{{ item.option }} {{ item.value }}" with_items: - { option: LogLevel, value: VERBOSE } - { option: LoginGraceTime, value: "60" } - { option: PermitRootLogin, value: "no" } - { option: StrictModes, value: "yes" } - { option: MaxAuthTries, value: "4" } - { option: MaxSessions, value: "10" } - { option: MaxStartups, value: 10:30:60 } - { option: PubkeyAuthentication, value: "yes" } - { option: HostbasedAuthentication, value: "no" } - { option: IgnoreRhosts, value: "yes" } - { option: PasswordAuthentication, value: "no" } - { option: PermitEmptyPasswords, value: "no" } - { option: KerberosAuthentication, value: "no" } - { option: GSSAPIAuthentication, value: "no" } - { option: AllowAgentForwarding, value: "no" } - { option: AllowTcpForwarding, value: "no" } - { option: ChallengeResponseAuthentication, value: "no" } - { option: GatewayPorts, value: "no" } - { option: X11Forwarding, value: "no" } - { option: PermitUserEnvironment, value: "no" } - { option: ClientAliveInterval, value: "300" } - { option: ClientAliveCountMax, value: "0" } - { option: PermitTunnel, value: "no" } - { option: Banner, value: /etc/issue.net } - name: Append CIS Specific configurations to sshd_config ansible.builtin.lineinfile: path: /mnt/etc/ssh/sshd_config line: |2- ## CIS Specific Protocol 2 ### Ciphers and keying ### RekeyLimit 512M 6h KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 ########################### AllowStreamLocalForwarding no PermitUserRC no AllowUsers * AllowGroups * DenyUsers nobody DenyGroups nobody