Merge pull request #2 from pbokeefe1027/master

100% coverage of all Level 1 CIS Benchmark controls. Assumes AWS CW Agent is installed.

Author: dennisotugo

README.md

@@ -106,6 +106,12 @@ A more advanced example, which includes modifications to the default values used
   roles:
     - ansible-role-cis-amazon-linux-2.cis-amazon-linux
 
+  environment:
+      http_proxy:  http://yourproxy.yourorg.com:8080
+      https_proxy: http://yourproxy.yourorg.com:8080
+#if you have VPC endpoints defined, add them on the noproxy line below to use them
+#don't forget to noproxy the metadata service if you define proxies at 169.254.169.254
+      no_proxy:    169.254.169.254
 ```
 
 Note that the use of ```become: yes``` is required as 99% of tasks require privileged access to execute.

facts/all_mounts.py

@@ -72,4 +72,4 @@ def get_mtab_entries():
 
     mounts.append(mount_info)
 
-print json.dumps(mounts)
+print (json.dumps(mounts))

files/00-firewall.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+iptables -F

files/cloud-init-log-permissions.service

@@ -0,0 +1,17 @@
+# /etc/systemd/system/cloud-init-log-permissions.service 
+[Unit]
+Description=Correct cloud-init's logfile permissions
+
+# We want to start *AFTER* cloud-init has opened its log files:
+After=cloud-init.service
+
+# We want to restart any time cloud-init is restarted (requires RemainAfterExit below):
+PartOf=cloud-init.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/bin/chmod u=rw,g=r,o= /var/log/cloud-init.log /var/log/cloud-init-output.log
+
+[Install]
+WantedBy=multi-user.target

files/cloudwatch.conf

@@ -0,0 +1,12 @@
+# in support of 4.2.4 - least privilege logs
+# Paul O'Keefe - paul@megabelle.net
+
+f /opt/aws/amazon-cloudwatch-agent/logs/state/_opt_aws_amazon-cloudwatch-agent_logs_amazon-cloudwatch-agent.log 0640 - - -
+f /opt/aws/amazon-cloudwatch-agent/logs/state/_var_log_audit_audit.log 0640 - - -
+f /opt/aws/amazon-cloudwatch-agent/logs/state/_var_log_cron 0640 - - -
+f /opt/aws/amazon-cloudwatch-agent/logs/state/_var_log_maillog 0640 - - -
+f /opt/aws/amazon-cloudwatch-agent/logs/state/_var_log_messages 0640 - - -
+d /opt/aws/amazon-cloudwatch-agent/logs/state 0640 - - -
+d /opt/aws/amazon-cloudwatch-agent/logs 0740 - - -
+d /opt/aws/amazon-cloudwatch-agent/cwagent-otel-collector/logs 0740 - - -
+d /var/log/amazon 0740 - - -

files/copy_system_auth.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+cd /etc/pam.d
+mv system-auth system-auth-local
+ln -s system-auth-local system-auth
+

files/etc_iptables

@@ -0,0 +1,20 @@
+# Generated by Ansible
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [1:285]
+-A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
+-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
+-A INPUT -p udp --dport 68 -m state --state NEW -j ACCEPT
+-A INPUT -p udp --dport 323 -m state --state NEW -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -s 127.0.0.0/8 -j DROP
+-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
+COMMIT
+# end of file

files/ssm.conf

@@ -0,0 +1,13 @@
+# in support of 4.2.4 - least privilege logs
+# Paul O'Keefe - paul@megabelle.net
+
+d /var/log/amazon/ssm 0740 - - -
+f /var/log/amazon/ssm/amazon-ssm-agent.log 640 - - -
+f /var/log/amazon/ssm/AmazonSSMAgent-update.txt 640 - - -
+f /var/log/amazon/ssm/errors.log 640 - - -
+f /var/log/amazon/amazon-cloudwatch-agent/state/_var_log_secure 640 - - -
+f /var/log/lastlog 640 - - -
+f /var/log/btmp 640 - - -
+f /var/log/sa/sa15 640 - - -
+f /var/log/amazon/ssm/patch-configuration/patch-states-configuration.json 640 - - -
+f /var/log/amazon/ssm/patch-configuration/patch-inventory-from-last-operation.json 640 - - -

tasks/level-1/3.5.1.1.yml

@@ -1,17 +1,40 @@
 # Standards: 0.11
+
 ---
 
 # 3.5.1.1 Ensure default deny firewall policy
+# do this in a more cloudy way through cloud-init scripts
+- name: 3.5.1.1 - Ensure default deny firewall policy(DROP INPUT)
+  copy:
+      dest: /var/lib/cloud/scripts/per-once/00-firewall.sh
+      src: "{{ role_path }}/files/00-firewall.sh"
+  tags:
+    - level-1
+    - section-3
+    - "3.5.1.1"
+    - scored
+
+# 3.5.1.1 Ensure default deny firewall policy
+# do this in a more cloudy way through cloud-init scripts
+- name: 3.5.1.1 - Ensure default deny firewall policy(DROP INPUT)
+  copy:
+      dest: /var/lib/cloud/scripts/per-once/00-firewall.sh
+      content:
+        iptables -P INPUT DROP
+        iptables -P OUTPUT DROP
+        iptables -P FORWARD DROP
+  tags:
+    - level-1
+    - section-3
+    - "3.5.1.1"
+    - scored
 
+# make the file executable
 - name: 3.5.1.1 - Ensure default deny firewall policy(DROP INPUT)
-  iptables:
-    chain: "{{item}}"
-    policy: DROP
-  become: yes
-  with_items:
-    - INPUT
-    - FORWARD
-    - OUTPUT
+  file:
+      path: /var/lib/cloud/scripts/per-once/00-firewall.sh
+      mode: u=rwx,g=r,o=r
+      state: touch
   tags:
     - level-1
     - section-3

tasks/level-1/3.5.1.2.yml

@@ -2,39 +2,53 @@
 ---
 
 # 3.5.1.2 Ensure loopback traffic is configured
-
+# use cloud init way to do this
 - name: 3.5.1.2 - Ensure loopback traffic is configured(-i lo)
-  iptables:
-    chain: INPUT
-    in_interface: "lo"
-    jump: ACCEPT
-  become: yes
+  lineinfile:
+      path: /var/lib/cloud/scripts/per-once/00-firewall.sh
+      line: iptables -A INPUT -i lo -j ACCEPT
+      insertafter: EOF
   tags:
     - level-1
     - section-3
-    - "3.5.1.2"
+    - "3.5.1.1"
     - scored
 
-- name: 3.5.1.2 - Ensure loopback traffic is configured(-o lo)
-  iptables:
-    chain: OUTPUT
-    out_interface: "lo"
-    jump: ACCEPT
-  become: yes
+# 3.5.1.2 Ensure loopback traffic is configured
+# use cloud init way to do this
+- name: 3.5.1.2 - Ensure loopback traffic is configured(-i lo)
+  lineinfile:
+      path: /var/lib/cloud/scripts/per-once/00-firewall.sh
+      line: iptables -A OUTPUT -o lo -j ACCEPT
+      insertafter: EOF
   tags:
     - level-1
     - section-3
-    - "3.5.1.2"
+    - "3.5.1.1"
     - scored
 
-- name: 3.5.1.2 - Ensure loopback traffic is configured(-i 127.0.0.1/8)
-  iptables:
-    chain: INPUT
-    source: 127.0.0.0/8
-    jump: DROP
-  become: yes
+# 3.5.1.2 Ensure loopback traffic is configured
+# use cloud init way to do this
+- name: 3.5.1.2 - Ensure loopback traffic is configured(-i lo)
+  lineinfile:
+      path: /var/lib/cloud/scripts/per-once/00-firewall.sh
+      line: iptables -A INPUT -s 127.0.0.0/8 -j DROP
+      insertafter: EOF
   tags:
     - level-1
     - section-3
-    - "3.5.1.2"
+    - "3.5.1.1"
     - scored
+      
+# make the file executable
+- name: 3.5.1.1 - Ensure default deny firewall policy(DROP INPUT)
+  file:
+      path: /var/lib/cloud/scripts/per-once/00-firewall.sh
+      mode: u=rwx,g=r,o=r
+      state: touch
+  tags:
+    - level-1
+    - section-3
+    - "3.5.1.1"
+    - scored
+