Initial Commit

Author: dennisotugo

.gitignore

@@ -0,0 +1,8 @@
+**/*.retry
+**/*.swp
+**/*.vagrant
+**/*.pyc
+**/*.output
+tests/tmp
+tests/roles
+.idea

ansible.cfg

@@ -0,0 +1,2 @@
+[defaults]
+roles_path = ../

defaults/main.yml

@@ -0,0 +1,117 @@
+# Standards: 0.11
+---
+
+###############################################
+# Values which modify the behaviour of the role
+###############################################
+
+cis_apply_level_1_profile: true    # Whether Level 1 of the benchmark should be applied
+cis_apply_level_2_profile: true   # Whether Level 2 of the benchmark should be applied
+
+cis_level_1_exclusions: []         # A list of Level 1 recommendations to exclude (i.e. ['1.1.1.1'])
+cis_level_2_exclusions: []         # A list of Level 2 recommendations to exclude
+
+# Whether to fail when remediation items are found for recommendations which can't be automatically fixed.
+# If false, a debug message will be generated instead, with the preface *** ACTION REQUIRED ***..
+fail_on_manual_remediation_actions: false  # True or false.
+
+###############################################
+# Check specific values which can be overridden
+###############################################
+
+# 1.3.1
+cis_aide_database_filename: "/var/lib/aide/aide.db.gz"
+cis_aide_src_database_filename: "/var/lib/aide/aide.db.new.gz"
+
+# 1.3.2
+cis_aide_cron_user: "root"
+cis_aide_cron_job: "/usr/sbin/aide --check"
+cis_aide_cron_minute: 0
+cis_aide_cron_hour: 5
+cis_aide_cron_dow: "*" # Day of week
+cis_aide_cron_dom: "*" # Day of month
+cis_aide_cron_month: "*"
+
+# 1.7.1.2
+cis_local_login_warning_banner: "Authorized uses only. All activity may be monitored and reported.\n"
+# 1.7.1.3
+cis_remote_login_warning_banner: "Authorized uses only. All activity may be monitored and reported.\n"
+
+# 2.1.1.1
+# You should only enable either ntp or chrony, but not both.
+cis_enable_ntp: true # Set to true if ntp should be enabled/configured.
+cis_enable_chrony: false # Set to true if chrony should be enabled/configured.
+
+# 3.3.2
+cis_hosts_allow_all_ips: "127.0.0.1"
+
+# 4.2.3
+# You should only enable either rsyslog or syslog-ng, but not both.
+cis_enable_rsyslog: true # Set to true if rsyslog should be enabled/configured.
+cis_enable_syslog_ng: false # Set to true if syslog_ng should be enabled/configured.
+
+# 4.2.1.4
+cis_rsyslog_remote_loghost_address: "loghost.example.com" # Can be a hostname or IP address. If no forwarding should occur, exclude this check.
+
+# 4.2.1.5
+cis_rsyslog_accept_remote_messages: false # Set to true if the host should accept remote syslog messages.
+
+# 4.2.2.3
+cis_syslog_ng_file_perms: "0640"
+
+# 5.2.7
+cis_sshd_max_auth_tries: 4
+
+# 5.2.13
+cis_sshd_ciphers: "chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com"
+
+# 5.2.14
+cis_sshd_macs: "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512"
+
+# 5.2.15
+cis_sshd_kexs: "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256"
+
+# 5.2.16
+cis_sshd_client_alive_interval: 300
+cis_sshd_client_alive_count_max: 0
+
+# 5.2.17
+cis_sshd_login_grace_time: 60
+
+# 5.2.18
+cis_sshd_allow_users: "" # A comma-delimited list of users to allow ssh access to
+cis_sshd_allow_groups: "" # A comma-delimited list of groups ot allow ssh access to
+cis_sshd_deny_users: "" # A comma-delimited list of users to deny ssh access for
+cis_sshd_deny_groups: "" # A comma-delimited list of groups to deny ssh access for
+
+# 5.2.19
+cis_sshd_banner: "/etc/issue.net"
+
+# 5.3.1
+cis_pwquality_minlen: "14" # Minimum number of characters required for passwords
+cis_pwquality_dcredit: "-1" # At least one digit must be provided
+cis_pwquality_ucredit: "-1" # At least one uppercase character must be provided
+cis_pwquality_ocredit: "-1" # At least one special character must be provided
+cis_pwquality_lcredit: "-1" # At least one lowercase character must be provided
+
+# 5.4.1
+cis_pass_max_days: 90
+cis_pass_min_days: 7
+cis_pass_warn_age: 7
+cis_pass_inactive_lock: 30
+
+# 5.4.2
+cis_skip_lock_users:
+  - root
+  - halt
+  - shutdown
+  - sync
+
+# 5.4.4
+cis_umask_default: "027"
+cis_umask_shell_files:
+- /etc/bashrc
+- /etc/profile
+
+# 5.5
+cis_wheel_group_members: "root"

facts/all_mounts.py

@@ -0,0 +1,75 @@
+#!/usr/bin/python
+
+##
+# all_mounts.fact
+# This is a custom fact that will gather all
+# mounts into a fact, ansible_mounts will only
+# get mounts that are tied to a physical device
+# that will leave out many mounts
+##
+
+import os
+import json
+
+##
+# get_file_content
+# gets the content of a file
+# path - the path to the file
+# default - the default return
+# strip - strip out whitespace
+##
+def get_file_content(path, default=None, strip=True):
+    data = default
+    if os.path.exists(path) and os.access(path, os.R_OK):
+        try:
+            try:
+                datafile = open(path)
+                data = datafile.read()
+                if strip:
+                    data = data.strip()
+                if len(data) == 0:
+                    data = default
+            finally:
+                datafile.close()
+        except:
+            pass
+    return data
+
+##
+# get_mtab_entries
+# gets the mtab entries to use
+##
+def get_mtab_entries():
+
+    mtab_file = '/etc/mtab'
+    if not os.path.exists(mtab_file):
+        mtab_file = '/proc/mounts'
+
+    mtab = get_file_content(mtab_file, '')
+    mtab_entries = []
+    for line in mtab.splitlines():
+        fields = line.split()
+        if len(fields) < 4:
+            continue
+        mtab_entries.append(fields)
+    return mtab_entries
+
+## Main ##
+
+mtab_entries = get_mtab_entries()
+
+mounts = []
+
+for fields in mtab_entries:
+    device, mount, fstype, options = fields[0], fields[1], fields[2], fields[3]
+
+    mount_info = {
+        'mount': mount,
+        'device': device,
+        'fstype': fstype,
+        'options': options
+    }
+
+    mounts.append(mount_info)
+
+print json.dumps(mounts)

files/audit_1.6.1.6.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+out=$(ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{
+print $NF }')
+if [[ $out ]]; then
+  echo "Investigate the unconfined daemons found during the audit action"
+  echo $out
+fi

files/audit_6.2.10.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+for dir in `cat /etc/passwd | egrep -v '^(root|sync|halt|shutdown):' | awk -F: '($7 != "/sbin/nologin") { print $6 }'`; do
+  for file in $dir/.[A-Za-z0-9]*; do
+    if [ ! -h "$file" -a -f "$file" ]; then
+      fileperm=`ls -ld $file | cut -f1 -d" "`
+
+      if [ `echo $fileperm | cut -c6 ` != "-" ]; then
+        echo "Group Write permission set on file $file"
+      fi
+      if [ `echo $fileperm | cut -c9 ` != "-" ]; then
+        echo "Other Write permission set on file $file"
+      fi
+    fi
+  done
+done

files/audit_6.2.11.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+for dir in `cat /etc/passwd |\
+  awk -F: '{ print $6 }'`; do
+  if [ ! -h "$dir/.forward" -a -f "$dir/.forward" ]; then
+    echo ".forward file $dir/.forward exists"
+  fi
+done

files/audit_6.2.12.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+for dir in `cat /etc/passwd |\
+  awk -F: '{ print $6 }'`; do
+  if [ ! -h "$dir/.netrc" -a -f "$dir/.netrc" ]; then
+    echo ".netrc file $dir/.netrc exists"
+  fi
+done

files/audit_6.2.13.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+for dir in `cat /etc/passwd | egrep -v '(root|sync|halt|shutdown)' | awk -F: '($7 != "/sbin/nologin") { print $6 }'`; do
+  for file in $dir/.netrc; do
+    if [ ! -h "$file" -a -f "$file" ]; then
+      fileperm=`ls -ld $file | cut -f1 -d" "`
+      if [ `echo $fileperm | cut -c5 ` != "-" ]; then
+        echo "Group Read set on $file"
+      fi
+      if [ `echo $fileperm | cut -c6 ` != "-" ]; then
+        echo "Group Write set on $file"
+      fi
+      if [ `echo $fileperm | cut -c7 ` != "-" ]; then
+        echo "Group Execute set on $file"
+      fi
+      if [ `echo $fileperm | cut -c8 ` != "-" ]; then
+        echo "Other Read set on $file"
+      fi
+      if [ `echo $fileperm | cut -c9 ` != "-" ]; then
+        echo "Other Write set on $file"
+      fi
+      if [ `echo $fileperm | cut -c10 ` != "-" ]; then
+        echo "Other Execute set on $file"
+      fi
+    fi
+  done
+done

files/audit_6.2.14.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+for dir in `cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7 != "/sbin/nologin") { print $6 }'`; do
+  for file in $dir/.rhosts; do
+    if [ ! -h "$file" -a -f "$file" ]; then
+      echo ".rhosts file in $dir"
+    fi
+  done
+done