- name: Configurationg System for CIS conformity block: - name: Disable Kernel Modules copy: dest: /mnt/etc/modprobe.d/cis.conf content: | CIS LVL 3 Restrictions install freevxfs /bin/true install jffs2 /bin/true install hfs /bin/true install hfsplus /bin/true install squashfs /bin/true install udf /bin/true install usb-storage /bin/true install dccp /bin/true install sctp /bin/true install rds /bin/true install tipc /bin/true - name: Create USB Rules copy: dest: /mnt/etc/udev/rules.d/10-cis_usb_devices.sh content: | By default, disable all. ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0" Enable hub devices. ACTION=="add", ATTR{bDeviceClass}=="09", TEST=="authorized", ATTR{authorized}="1" Enables keyboard devices ACTION=="add", ATTR{product}=="*[Kk]eyboard*", TEST=="authorized", ATTR{authorized}="1" PS2-USB converter ACTION=="add", ATTR{product}=="*Thinnet TM*", TEST=="authorized", ATTR{authorized}="1" - name: Create a consolidated sysctl configuration file copy: dest: /mnt/etc/sysctl.d/10-cis.conf content: | ## CIS Sysctl configurations net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.log_martians = 1 net.ipv4.conf.default.rp_filter = 1 net.ipv4.conf.default.secure_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.accept_redirects = 0 net.ipv6.conf.default.disable_ipv6 = 1 net.ipv6.conf.lo.disable_ipv6 = 1 # - name: Adjust login.defs # replace: # path: /mnt/etc/login.defs # regexp: "{{ item.regexp }}" # replace: "{{ item.replace }}" # loop: # - { regexp: '^PASS_MAX_DAYS.*', replace: 'PASS_MAX_DAYS 90' } # - { regexp: '^PASS_MIN_DAYS.*', replace: 'PASS_MIN_DAYS 7' } # - { regexp: '^UMASK.*', replace: 'UMASK 027' } - name: Ensure files exist file: path: "{{ item }}" state: touch mode: '0600' loop: - /mnt/etc/at.allow - /mnt/etc/cron.allow - /mnt/etc/hosts.allow - /mnt/etc/hosts.deny - name: Add Security related lines into config files lineinfile: path: "{{ item.path }}" line: "{{ item.content }}" loop: - { path: '/mnt/etc/security/limits.conf', content: '* hard core 0' } - { path: '/mnt/etc/security/pwquality.conf', content: 'minlen = 14' } - { path: '/mnt/etc/security/pwquality.conf', content: 'dcredit = -1' } - { path: '/mnt/etc/security/pwquality.conf', content: 'ucredit = -1' } - { path: '/mnt/etc/security/pwquality.conf', content: 'ocredit = -1' } - { path: '/mnt/etc/security/pwquality.conf', content: 'lcredit = -1' } - { path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rocky"] else "bash.bashrc" }}', content: 'umask 077' } - { path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rocky"] else "bash.bashrc" }}', content: 'export TMOUT=3000' } - { path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}', content: 'Storage=persistent' } - { path: '/mnt/etc/sudoers', content: 'Defaults logfile="/var/log/sudo.log"' } - { path: '/mnt/etc/pam.d/su', content: 'auth required pam_wheel.so' } - { path: '/mnt/etc/{{ "pam.d/common-auth" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth" }}', content: 'auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900' } - { path: '/mnt/etc/{{ "pam.d/common-account" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth" }}', content: 'account required pam_faillock.so' } - { path: '/mnt/etc/pam.d/{{ "common-password" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "passwd" }}', content: 'password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5' } - { path: '/mnt/etc/hosts.deny', content: 'ALL: ALL' } - { path: '/mnt/etc/hosts.allow', content: 'sshd: ALL' } - name: Set permissions for various files and directories file: path: "{{ item.path }}" owner: "{{ item.owner | default(omit) }}" group: "{{ item.group | default(omit) }}" mode: "{{ item.mode }}" loop: - { path: '/mnt/etc/ssh/sshd_config', mode: '0600' } - { path: '/mnt/etc/cron.hourly', mode: '0700' } - { path: '/mnt/etc/cron.daily', mode: '0700' } - { path: '/mnt/etc/cron.weekly', mode: '0700' } - { path: '/mnt/etc/cron.monthly', mode: '0700' } - { path: '/mnt/etc/cron.d', mode: '0700' } - { path: '/mnt/etc/crontab', mode: '0600' } - { path: '/mnt/etc/logrotate.conf', mode: '0644' } - { path: '/mnt/usr/sbin/pppd', mode: '754' } - { path: '/mnt/usr/bin/{{ "fusermount3" if os in ["archlinux", "debian12", "fedora"] else "fusermount" }}', mode: '755' } - { path: '/mnt/usr/bin/{{ "write.ul" if os == "debian11" else "write" }}', mode: '755' } - name: Adjust SSHD config lineinfile: path: /mnt/etc/ssh/sshd_config regexp: '^\s*#?{{ item.option }}\s+.*$' line: '{{ item.option }} {{ item.value }}' with_items: - {option: 'LogLevel', value: 'VERBOSE'} - {option: 'LoginGraceTime', value: '60'} - {option: 'PermitRootLogin', value: 'no'} - {option: 'StrictModes', value: 'yes'} - {option: 'MaxAuthTries', value: '4'} - {option: 'MaxSessions', value: '10'} - {option: 'MaxStartups', value: '10:30:60'} - {option: 'PubkeyAuthentication', value: 'yes'} - {option: 'HostbasedAuthentication', value: 'no'} - {option: 'IgnoreRhosts', value: 'yes'} - {option: 'PasswordAuthentication', value: 'no'} - {option: 'PermitEmptyPasswords', value: 'no'} - {option: 'KerberosAuthentication', value: 'no'} - {option: 'GSSAPIAuthentication', value: 'no'} - {option: 'GSSAPIKeyExchange', value: 'no'} - {option: 'AllowAgentForwarding', value: 'no'} - {option: 'AllowTcpForwarding', value: 'no'} - {option: 'ChallengeResponseAuthentication', value: 'no'} - {option: 'GatewayPorts', value: 'no'} - {option: 'X11Forwarding', value: 'no'} - {option: 'PermitUserEnvironment', value: 'no'} - {option: 'ClientAliveInterval', value: '300'} - {option: 'ClientAliveCountMax', value: '0'} - {option: 'PermitTunnel', value: 'no'} - {option: 'Banner', value: '/etc/issue.net'} - name: Append CIS Specific configurations to sshd_config lineinfile: path: /mnt/etc/ssh/sshd_config line: | ## CIS Specific Protocol 2 ### Ciphers and keying ### RekeyLimit 512M 6h KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 ########################### AllowStreamLocalForwarding no PermitUserRC no AllowUsers svcansible AllowGroups * DenyUsers nobody DenyGroups nobody