From 5e68fdfd83e9048577817abd03ffbc9ebf20b09e Mon Sep 17 00:00:00 2001
From: MVladislav
Date: Sat, 7 Sep 2024 18:00:18 +0200
Subject: [PATCH] refactor: improve variables and comments

---
 README.md | 99 ++++++++++++++++++--------------
 defaults/main.yml | 12 ++--
 molecule/ubuntu2404/converge.yml | 3 +-
 tasks/section1.yml | 12 ++--
 tasks/section5.yml | 4 +-
 5 files changed, 70 insertions(+), 60 deletions(-)

diff --git a/README.md b/README.md
index f159e17..eb30956 100644
--- a/README.md
+++ b/README.md
@@ -4,15 +4,16 @@
 [![Ansible Molecule Test](https://github.com/MVladislav/ansible-cis-ubuntu-2404/actions/workflows/ci.yml/badge.svg)](https://github.com/MVladislav/ansible-cis-ubuntu-2404/actions/workflows/ci.yml)
 - [CIS - Ubuntu 24.04](#cis---ubuntu-2404)
+ - [Disclaimer](#disclaimer)
 - [Notes](#notes)
 - [Requirements](#requirements)
 - [Role Variables](#role-variables)
- - [run only setup per section](#run-only-setup-per-section)
- - [variables not included in CIS as additional extend](#variables-not-included-in-cis-as-additional-extend)
- - [variables which are recommended by CIS, but disable in this role by default](#variables-which-are-recommended-by-cis-but-disable-in-this-role-by-default)
- - [variable special usable between server and client](#variable-special-usable-between-server-and-client)
- - [variables to check and set for own purpose](#variables-to-check-and-set-for-own-purpose)
- - [variable rules implemented, but only print information for manual check](#variable-rules-implemented-but-only-print-information-for-manual-check)
+ - [Run only setup per section](#run-only-setup-per-section)
+ - [Variables not included in CIS as additional extend](#variables-not-included-in-cis-as-additional-extend)
+ - [Variables which are recommended by CIS, but disable in this role by default](#variables-which-are-recommended-by-cis-but-disable-in-this-role-by-default)
+ - [Variable for special usage between server and client](#variable-for-special-usage-between-server-and-client)
+ - [Variables to check and set for own purpose](#variables-to-check-and-set-for-own-purpose)
+ - [Variable rules implemented, but only print information for manual check](#variable-rules-implemented-but-only-print-information-for-manual-check)
 - [Dependencies](#dependencies)
 - [Example Playbook](#example-playbook)
 - [Definitions](#definitions)
@@ -23,19 +24,26 @@
 ---
-Configure Ubuntu 24.04 to be CIS compliant.
+This Ansible role is designed to configure **Ubuntu 24.04** to **comply** with the **CIS Ubuntu Linux Benchmark v1.0.0**. \
+It automates the application of hardening recommendations to enhance system security. \
+While this role can help mitigate common security risks, it is essential to tailor the configurations to your specific environment.
+
+Based on **[CIS Ubuntu Linux 24.04 LTS Benchmark v1.0.0](https://downloads.cisecurity.org/#/)**.
 Tested with:
 - Ubuntu 24.04
-This role **will make changes to the system** that could break things. \
-This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted.
+## Disclaimer
+
+This role makes **significant changes to your system** that **could break functionality**. \
+This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted. \
+While based on industry-standard security guidelines (CIS), it is recommended to review these changes, especially when applied to existing systems.
 This role was **developed against a clean install** of the Operating System. \
-If you are **implementing to an existing system** please **review** this role for any **site specific changes** that are needed.
+If you are **implementing to an existing system** please **review thoroughly** this role for any **site specific changes** before applying them to production systems.
-Based on **[CIS Ubuntu Linux 24.04 LTS Benchmark v1.0.0](https://downloads.cisecurity.org/#/)**.
+Strongly advise testing in a staging environment before applying in production.
 ## Notes
@@ -52,30 +60,30 @@ Based on **[CIS Ubuntu Linux 24.04 LTS Benchmark v1.0.0](https://downloads.cisec
 ## Requirements
-You should **carefully read** through the tasks
-to **make sure these changes will not break your systems**
-before running this playbook.
+Before using this role, ensure that your system meets the following requirements:
+
+- Python >= 3.11
+- Ansible >= 2.16
+- SSH access to the target machine.
-To start working in this Role you just need to **install** **Python** and **Ansible**:
+Install required tools and libraries:
 ```sh
 $sudo apt install python3 python3-pip sshpass
-# if python >= 3.11 used, add also '--break-system-packages'
-$python3 -m pip install ansible ansible-lint yamllint
+$python3 -m pip install ansible ansible-lint yamllint --break-system-packages
 ```
 For run **tests** with **molecule**, you need also to **install**:
 ```sh
-# if python >= 3.11 used, add also '--break-system-packages'
-$python3 -m pip install molecule molecule-plugins[docker]
+$python3 -m pip install molecule molecule-plugins[docker] --break-system-packages
 ```
 ## Role Variables
-### run only setup per section
+### Run only setup per section
-> _default all section are active and will performed_
+> _Default all section are active and will performed_
 ```yaml
 cis_ubuntu2404_section1: true
@@ -87,27 +95,32 @@ cis_ubuntu2404_section6: true
 cis_ubuntu2404_section7: true
 ```
-### variables not included in CIS as additional extend
+### Variables not included in CIS as additional extend
 ```yaml
-# additional configs for remove all comments in /etc/ssh/sshd_config
+# Extend the default sshd_config hardening to remove unnecessary comments and empty lines.
+# 'true' by default.
 cis_ubuntu2404_rule_5_1_0: true
-# additional configs for ssh which not defined set by CIS
+# Extend the default sshd_config hardening, which not defined within CIS,
+# by include more configuration based on https://infosec.mozilla.org/guidelines/openssh.html.
+# 'true' by default.
 cis_ubuntu2404_rule_5_1_23: true
-# the rules 'cis_ubuntu2404_rule_5_1_19', 'cis_ubuntu2404_rule_5_1_20', 'cis_ubuntu2404_rule_5_1_23'
-# disable ssh login by password, to avoid block login when no public key was added this rule is extended
-# it is 'false' by default
+# Avoid SSH login lockout by specifying the user and public key for SSH access.
+# Lockout will happen when 'cis_ubuntu2404_rule_5_1_19', 'cis_ubuntu2404_rule_5_1_20' and 'cis_ubuntu2404_rule_5_1_23' are used.
+# Ensure that a valid SSH public key is provided, or set this rule to false.
+# 'false' by default, when 'cis_ubuntu2404_rule_5_1_24_ssh_pub_key' not defined.
 cis_ubuntu2404_rule_5_1_24: true
 cis_ubuntu2404_rule_5_1_24_ssh_user: "{{ ansible_user }}"
 cis_ubuntu2404_rule_5_1_24_ssh_pub_key: ""
-# set auditd log_file as needed to be save in other configs
+# Set for auditd inside auditd.conf the key for 'log_file' to be save in upcoming configurations
+# 'true' by default.
 cis_ubuntu2404_rule_6_2_4_0: true
 ```
-### variables which are recommended by CIS, but disable in this role by default
+### Variables which are recommended by CIS, but disable in this role by default
 > _change default configured values, to be CIS recommended if needed_
@@ -117,24 +130,23 @@ cis_ubuntu2404_rule_6_2_4_0: true
 cis_ubuntu2404_rule_1_3_1_4: false
 # Ensure bootloader password is set
-cis_ubuntu2404_rule_1_4_1: false
 cis_ubuntu2404_set_boot_pass: false
 cis_ubuntu2404_disable_boot_pass: true
-# active journal send logs to a remote log host
+# Active journal send logs to a remote log host
 # do not forget set related variables 'cis_ubuntu2404_set_journal_upload_*'
 cis_ubuntu2404_set_journal_upload: false
 cis_ubuntu2404_set_journal_upload_url:
-# active rsyslog upload to remote log collection
+# Active rsyslog upload to remote log collection
 # do not forget set related variables 'cis_ubuntu2404_set_rsyslog_remote_*'
 cis_ubuntu2404_set_rsyslog_remote: false
 cis_ubuntu2404_set_rsyslog_remote_target:
 ```
-### variable special usable between server and client
+### Variable for special usage between server and client
-> _check services which will removed or disabled,
+> _Check services which will removed or disabled,
 > which maybe needed, for example especial for client usage_
 ```yaml
@@ -163,7 +175,7 @@ cis_ubuntu2404_install_aide: true
 cis_ubuntu2404_config_aide: true
 ```
-### variables to check and set for own purpose
+### Variables to check and set for own purpose
 ```yaml
 # choose time synchronization (cis_ubuntu2404_rule_2_3_1_1)
@@ -232,7 +244,7 @@ cis_ubuntu2404_journald_runtime_keep_free: 512M
 cis_ubuntu2404_journald_max_file_sec: 1month
 ```
-### variable rules implemented, but only print information for manual check
+### Variable rules implemented, but only print information for manual check
 ```yaml
 # SECTION1 | 1.2.1.1 | Ensure GPG keys are configured
@@ -262,11 +274,11 @@ cis_ubuntu2404_rule_7_2_8: true ## Dependencies -Developed and testes with Ansible 2.14.4 +Developed and testes with Ansible 2.16 ## Example Playbook -example usage you can find also [here](https://github.com/MVladislav/ansible-env-setup). +Example usage can be found also [here](https://github.com/MVladislav/ansible-env-setup). ```yaml - name: CIS | install on clients @@ -291,9 +303,8 @@ example usage you can find also [here](https://github.com/MVladislav/ansible-env cis_ubuntu2404_rule_1_3_1_3: true # AppArmor complain mode cis_ubuntu2404_rule_1_3_1_4: false # AppArmor enforce mode # ------------------------- - cis_ubuntu2404_rule_1_4_1: false # bootloader password (disabled) cis_ubuntu2404_set_boot_pass: false # bootloader password (disabled) - cis_ubuntu2404_disable_boot_pass: true # bootloader password (disabled) + cis_ubuntu2404_disable_boot_pass: true # bootloader password (disabled with cis_ubuntu2404_set_boot_pass) # ------------------------- cis_ubuntu2404_rule_3_1_3: false # bluetooth service cis_ubuntu2404_rule_3_1_3_remove: false # bluetooth service @@ -376,11 +387,11 @@ For more specific description see the **CIS pdf** file on **page 18**. | Key | Count | | :--------------------------------------------------- | :---- | -| 🟢 Implemented | 268 | +| 🟢 Implemented | 280 | | 🟡 Partly Implemented or print info for manual check | 13 | | 🔴 Not Implemented | 20 | -| Total | 301 | -| Coverage (Implemented/Partly vs Total) | 93.35 | +| Total | 313 | +| Coverage (Implemented/Partly vs Total) | 93.61 | | ID | CIS Benchmark Recommendation Set | Yes | Y/N | No | | :-------- | :----------------------------------------------------------------------------------------------- | :-: | :-: | :-: | @@ -779,4 +790,4 @@ MIT ## Resources - -- +- diff --git a/defaults/main.yml b/defaults/main.yml index 4b298ba..598c165 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -38,11 +38,11 @@ cis_ubuntu2404_rule_1_1_2_2: true # /dev/shm
 # cis_ubuntu2404_rule_1_1_2_2_2: true # NOTE: implicit in 'cis_ubuntu2404_rule_1_1_2_2'
 # cis_ubuntu2404_rule_1_1_2_2_3: true # NOTE: implicit in 'cis_ubuntu2404_rule_1_1_2_2'
 # cis_ubuntu2404_rule_1_1_2_2_4: true # NOTE: implicit in 'cis_ubuntu2404_rule_1_1_2_2'
-# cis_ubuntu2404_rule_1_1_2_3: false # NOTE: not implemented, separate partition not created
-# cis_ubuntu2404_rule_1_1_2_4: false # NOTE: not implemented, separate partition not created
-# cis_ubuntu2404_rule_1_1_2_5: false # NOTE: not implemented, separate partition not created
-# cis_ubuntu2404_rule_1_1_2_6: false # NOTE: not implemented, separate partition not created
-# cis_ubuntu2404_rule_1_1_2_7: false # NOTE: not implemented, separate partition not created
+# cis_ubuntu2404_rule_1_1_2_3: true # NOTE: not implemented, separate partition not created
+# cis_ubuntu2404_rule_1_1_2_4: true # NOTE: not implemented, separate partition not created
+# cis_ubuntu2404_rule_1_1_2_5: true # NOTE: not implemented, separate partition not created
+# cis_ubuntu2404_rule_1_1_2_6: true # NOTE: not implemented, separate partition not created
+# cis_ubuntu2404_rule_1_1_2_7: true # NOTE: not implemented, separate partition not created
 cis_ubuntu2404_rule_1_2_1_1: true
 cis_ubuntu2404_rule_1_2_1_2: true
 cis_ubuntu2404_rule_1_2_2_1: true
@@ -50,7 +50,7 @@ cis_ubuntu2404_rule_1_3_1_1: true
 cis_ubuntu2404_rule_1_3_1_2: true
 cis_ubuntu2404_rule_1_3_1_3: true # NOTE: will run to have all in complain-mode, for enforce use 'cis_ubuntu2404_rule_1_3_1_4'
 cis_ubuntu2404_rule_1_3_1_4: false # NOTE: disabled
-cis_ubuntu2404_rule_1_4_1: false # NOTE: depends also on 'cis_ubuntu2404_set_boot_pass' and 'cis_ubuntu2404_disable_boot_pass'
+cis_ubuntu2404_rule_1_4_1: true # NOTE: depends also on 'cis_ubuntu2404_set_boot_pass' and 'cis_ubuntu2404_disable_boot_pass'
 cis_ubuntu2404_rule_1_4_2: true
 cis_ubuntu2404_rule_1_5_1: true
 cis_ubuntu2404_rule_1_5_2: true
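Review bot: The five commented-out `cis_ubuntu2404_rule_1_1_2_3` … `cis_ubuntu2404_rule_1_1_2_7` entries now show `true` while their trailing note still says "not implemented, separate partition not created", so anyone who uncomments one of them will expect the separate-partition hardening to be applied when nothing in the role implements it. Because these lines are comments the flip has no runtime effect, but the documented value and the note should agree. Either keep them at `false`, or make the note carry the information, e.g. `# NOTE: not implemented (no separate partition is created by this role); uncommenting has no effect`.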
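Review bot: Setting `cis_ubuntu2404_rule_1_4_1: true` does not by itself turn on the bootloader-password tasks, because the 1.4.1 block in tasks/section1.yml (touched later in this same patch) is also gated on `cis_ubuntu2404_set_boot_pass`, which the README hunk in this commit still lists as `false` by default. The trailing NOTE should say so, otherwise a reader of the defaults will assume a GRUB password is now configured out of the box: `cis_ubuntu2404_rule_1_4_1: true # NOTE: only applied when 'cis_ubuntu2404_set_boot_pass' is true; see also 'cis_ubuntu2404_disable_boot_pass'`. It is also worth confirming that the `disable password for system boot` sub-task behaves as intended when this rule is on but no password is configured, since that combination is now the default.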
diff --git a/molecule/ubuntu2404/converge.yml b/molecule/ubuntu2404/converge.yml
index 4059ed9..57f00ba 100644
--- a/molecule/ubuntu2404/converge.yml
+++ b/molecule/ubuntu2404/converge.yml
@@ -18,9 +18,8 @@
 cis_ubuntu2404_rule_1_3_1_3: true # AppArmor complain mode
 cis_ubuntu2404_rule_1_3_1_4: true # AppArmor enforce mode
 # -------------------------
- cis_ubuntu2404_rule_1_4_1: false # bootloader password (disabled)
 cis_ubuntu2404_set_boot_pass: false # bootloader password (disabled)
- cis_ubuntu2404_disable_boot_pass: true # bootloader password (disabled)
+ cis_ubuntu2404_disable_boot_pass: true # bootloader password (disabled with cis_ubuntu2404_set_boot_pass)
 # -------------------------
 cis_ubuntu2404_rule_3_1_3: true # bluetooth service
 cis_ubuntu2404_rule_3_1_3_remove: true # bluetooth service
diff --git a/tasks/section1.yml b/tasks/section1.yml
index e7be2ec..521e37c 100644
--- a/tasks/section1.yml
+++ b/tasks/section1.yml
@@ -652,8 +652,8 @@

 - name: "SECTION1 | 1.4.1 | Ensure bootloader password is set"
 when:
- - cis_ubuntu2404_set_boot_pass
 - cis_ubuntu2404_rule_1_4_1
+ - cis_ubuntu2404_set_boot_pass
 tags:
 - rule_1_4
 - server_l1
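Review bot: Dropping `cis_ubuntu2404_rule_1_4_1: false` from the molecule vars while keeping `cis_ubuntu2404_set_boot_pass: false` leaves the 1.4.1 block skipped during converge (its `when:` in tasks/section1.yml requires both flags), so the grub-mkpasswd-pbkdf2 and /etc/grub.d/00_password tasks remain unexercised by CI. If the intent is that GRUB cannot be tested inside the container, a comment should record that rather than the generic "(disabled)", e.g. `cis_ubuntu2404_set_boot_pass: false # bootloader password: intentionally skipped in molecule (GRUB not exercised in the container)`. Otherwise a scenario that sets it to `true` would at least syntax-check the password-generation path before it reaches real hosts.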
@@ -669,22 +669,22 @@
 PASSWORD='{{ cis_ubuntu2404_bootloader_password }}'
 fi
 echo -e "$PASSWORD\n$PASSWORD" | grub-mkpasswd-pbkdf2 --iteration-count=600000 --salt=64 | awk '/grub.pbkdf/{print$NF}'
- register: cis_grub_bootloader_password
+ register: cis_ubuntu2404_grub_bootloader_password
 args:
 executable: "{{ cis_ubuntu2404_shell_executable }}"
 changed_when: false
 - name: "SECTION1 | 1.4.1 | Ensure bootloader password is set | generate config"
 ansible.builtin.copy:
 dest: /etc/grub.d/00_password
- content: "cat << EOF\nexec tail -n +2 $0\nset superusers=\"root\"\npassword_pbkdf2 root {{ cis_grub_bootloader_password.stdout }}\nEOF"
+ content: "cat << EOF\nexec tail -n +2 $0\nset superusers=\"root\"\npassword_pbkdf2 root {{ cis_ubuntu2404_grub_bootloader_password.stdout }}\nEOF"
 owner: "{{ cis_ubuntu2404_section1_owner_default }}"
 group: "{{ cis_ubuntu2404_section1_group_default }}"
 mode: "{{ cis_ubuntu2404_section1_mode_etc_grub_d }}"
 notify: Generate new grub config
 when:
- - cis_grub_bootloader_password is defined
- - cis_grub_bootloader_password.stdout is defined
- - cis_grub_bootloader_password.stdout | length > 0
+ - cis_ubuntu2404_grub_bootloader_password is defined
+ - cis_ubuntu2404_grub_bootloader_password.stdout is defined
+ - cis_ubuntu2404_grub_bootloader_password.stdout | length > 0
 - name: "SECTION1 | 1.4.1 | Ensure bootloader password is set | disable password for system boot"
 ansible.builtin.replace:
 path: /etc/grub.d/10_linux
diff --git a/tasks/section5.yml b/tasks/section5.yml
index ec1ac6d..64b93ee 100644
--- a/tasks/section5.yml
+++ b/tasks/section5.yml
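Review bot: The shell task now registered as `cis_ubuntu2404_grub_bootloader_password` renders `cis_ubuntu2404_bootloader_password` in clear text into its command (`PASSWORD='{{ cis_ubuntu2404_bootloader_password }}'`) and carries `changed_when: false` but, in the part of the task visible here, no `no_log: true`; with `-v`/`-vvv` or a logging callback the plaintext password therefore appears in the task arguments and the derived hash in the registered result. Add `no_log: true` to this task and to the `generate config` copy task, whose rendered `content:` embeds the hash, so neither reaches Ansible output or log files. Separately, `echo -e "$PASSWORD\n$PASSWORD"` interprets backslash sequences contained in the password before it reaches grub-mkpasswd-pbkdf2; `printf '%s\n%s\n' "$PASSWORD" "$PASSWORD"` passes it verbatim. The shell task begins before this hunk, so the `if` that the visible `fi` closes and the task's other options are not shown.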
@@ -3,10 +3,10 @@
 # ------------------------------------------------------------------------------
-- name: "SECTION5 | 5.1.0 | Ensure on /etc/ssh/sshd_config comments are removed"
+- name: "SECTION5 | 5.1.0 | Ensure on /etc/ssh/sshd_config comments and empty lines are removed"
 ansible.builtin.lineinfile:
 dest: /etc/ssh/sshd_config
- regexp: "^#"
+ regexp: "^#|^$"
 state: absent
 when:
 - cis_ubuntu2404_rule_5_1_0
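Review bot: The new `regexp: "^#|^$"` only matches lines that are completely empty or have `#` in column 0, so whitespace-only lines and indented comments survive and the task name's promise of removing comments and empty lines is met only partly; `regexp: '^\s*(#.*)?$'` covers both cases. Since `state: absent` deletes matching lines from /etc/ssh/sshd_config irreversibly, adding `backup: true` to the lineinfile call keeps the pre-hardening file available for review on existing systems. The README hunk in this commit documents 5.1.0 as a role extension rather than a CIS recommendation; a short comment above the task saying the same would help operators decide whether to keep it enabled.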