diff --git a/Makefile b/Makefile
index 067711c3..a9b486a6 100644
--- a/Makefile
+++ b/Makefile
@@ -3,7 +3,7 @@ ANSIBLE_CONTAINER_PLAYBOOK_FILE = container.yml
 symlink-role:
 @mkdir -p tests/roles
- @rsync -a . tests/roles/anthcourtney.cis-amazon-linux --exclude 'tests/' --exclude '.git'
+ @rsync -a . tests/roles/ansible-role-cis-amazon-linux --exclude 'tests/' --exclude '.git'
 test: symlink-role syntax test-ansible
@@ -19,6 +19,18 @@ test-ansible-2.7:
 test-ansible-travis:
 cd tests && ansible-playbook -i localhost, $(ANSIBLE_TEST_PLAYBOOK_FILE)
+test-ansible-2.3.3:
+ cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=2.3.3"
+
+test-ansible-2.4.5:
+ cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=2.4.5"
+
+test-ansible-2.5.5:
+ cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=2.5.5"
+
+test-ansible-2.6:
+ cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=2.6"
+
 syntax:
 cd tests && ansible-playbook --syntax-check -i localhost, $(ANSIBLE_TEST_PLAYBOOK_FILE)
diff --git a/tasks/level-1/5.4.4.yml b/tasks/level-1/5.4.4.yml
index 4a1378be..dbd06319 100644
--- a/tasks/level-1/5.4.4.yml
+++ b/tasks/level-1/5.4.4.yml
@@ -4,10 +4,7 @@
 # 5.4.4 Ensure default user umask is 027 or more restrictive
 - name: 5.4.4 - Ensure default user umask is 027 or more restrictive
- lineinfile:
- regexp: "^umask\\s+"
- line: "umask {{ cis_umask_default }}"
- dest: "{{ item }}"
+ shell: sed -i -e "s/umask 022/umask {{ cis_umask_default }}/g" {{ item }}
 with_items: "{{ cis_umask_shell_files }}"
 tags:
 - level-1
diff --git a/tasks/level-2.yml b/tasks/level-2.yml
index 44669377..107fbabb 100644
--- a/tasks/level-2.yml
+++ b/tasks/level-2.yml
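Review bot: The four new `test-ansible-2.x` targets are copy-pasted except for the version string, and none of them is declared `.PHONY` in this hunk, so a stray file named e.g. `test-ansible-2.6` in the checkout would make that target silently "up to date" (a `.PHONY` list may exist elsewhere in the Makefile; none is visible here). A single pattern rule keeps the recipe in one place: `test-ansible-%:` followed by the recipe `cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=$*"`, plus `.PHONY: test-ansible-2.3.3 test-ansible-2.4.5 test-ansible-2.5.5 test-ansible-2.6`; the explicit `test-ansible-travis` and `test-ansible-2.7` rules still take precedence over the pattern, so their behaviour is unchanged. `--e` is also not a documented ansible-playbook flag — it presumably works only through long-option prefix abbreviation — and `-e` is the spelling the docs use.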
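Review bot: The replacement `sed` rewrites only lines that literally read `umask 022`, so any other existing value — e.g. the `umask 002` branch that RHEL-style `/etc/bashrc` and `/etc/profile` typically carry for UID > 199 — is left in place and the control is not enforced, whereas the removed `lineinfile` regexp `^umask\s+` matched any value. The `shell` task is additionally never idempotent (it reports `changed` on every run), does nothing in check mode, and interpolates `cis_umask_default` and each `cis_umask_shell_files` path unquoted into a shell command line. The `replace` module handles indented lines and arbitrary current values without spawning a shell and stays idempotent; note that, unlike the old `lineinfile`, neither it nor the `sed` adds a `umask` line to a file that has none, so a `lineinfile` follow-up may still be wanted for that case.
```yaml
- name: 5.4.4 - Ensure default user umask is 027 or more restrictive
  replace:
    dest: "{{ item }}"
    regexp: '^(\s*umask\s+)\d+'
    replace: '\g<1>{{ cis_umask_default }}'
  with_items: "{{ cis_umask_shell_files }}"
  # … unchanged: tags …
```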
@@ -29,6 +29,8 @@
 when: "'4.1.1.3' not in cis_level_2_exclusions"
 - include: "level-2/4.1.2.yml"
 when: "'4.1.2' not in cis_level_2_exclusions"
+- include: "level-2/4.1.3.yml"
+ when: "'4.1.3' not in cis_level_2_exclusions"
 - include: "level-2/4.1.4.yml"
 when: "'4.1.4' not in cis_level_2_exclusions"
 - include: "level-2/4.1.5.yml"
diff --git a/tasks/level-2/4.1.3.yml b/tasks/level-2/4.1.3.yml
new file mode 100644
index 00000000..92933db7
--- /dev/null
+++ b/tasks/level-2/4.1.3.yml
@@ -0,0 +1,26 @@
+# Standards: 0.11
+---
+
+# 4.1.3 Ensure auditing for processes that start prior to auditd is enabled
+
+- name: 4.1.3 Ensure auditing for processes that start prior to auditd is enabled
+ shell: "grep '^\\s*kernel*audit=1' {{ cis_grub_bootloader_filename }}"
+ register: cis_4_1_3
+ ignore_errors: true
+ tags:
+ - "4.1.3"
+ - level-2
+ - section-4
+ - scored
+
+- name: 4.1.3 Inform user to make the required change
+ debug:
+ msg:
+ - "*** ACTION REQUIRED ***"
+ - "Edit /boot/grub/menu.lst to include audit=1 on all kernel lines."
+ when: cis_4_1_3.rc > 0
+ tags:
+ - "4.1.3"
+ - level-2
+ - section-4
+ - scored
\ No newline at end of file
diff --git a/tests/Vagrantfile b/tests/Vagrantfile
new file mode 100644
index 00000000..3134e6ac
--- /dev/null
+++ b/tests/Vagrantfile
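Review bot: The grep pattern `'^\\s*kernel*audit=1'` in the first task cannot match a real grub kernel line: the `*` is a regex quantifier on the preceding `l`, so the pattern demands `kernel` (or `kerne`) immediately followed by `audit=1` with nothing in between, and the check will flag every host as non-compliant. Even with the presumably intended `kernel.*audit=1`, an exit code of 0 would only prove that some kernel line carries `audit=1`, while the benchmark and the message on the second task require all of them. Inverting the test expresses the requirement directly, and `failed_when`/`changed_when` are better than `ignore_errors: true` for an audit-only step so it shows neither as a failure nor as a change; also, the debug message hardcodes `/boot/grub/menu.lst` where the check uses `{{ cis_grub_bootloader_filename }}`. Note that without `pipefail` a missing bootloader file makes the pipeline exit 1 and read as compliant, so consider guarding with a `stat` first.
```yaml
- name: 4.1.3 Ensure auditing for processes that start prior to auditd is enabled
  shell: "grep '^\\s*kernel' {{ cis_grub_bootloader_filename }} | grep -v 'audit=1'"
  register: cis_4_1_3
  failed_when: false
  changed_when: false
  # … unchanged: tags …

- name: 4.1.3 Inform user to make the required change
  # … unchanged: debug/msg …
  when: cis_4_1_3.rc == 0
```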
@@ -0,0 +1,45 @@
+#####
+ #
+ # 1. First boot run "vagrant up" to download OS image and initial provisioning.
+ # 2. It will fail to mount as OS need reboot. So run "vagrant reload --provision" to reboot the OS and force provisioning again.
+ # 3. Run "vagrant ssh" to login to the system.
+ # 4. Run below commands to install ansible and run tasks
+ # a) pip install --upgrade --user setuptools ansible ansible-review
+ # b) cd /home/vagrant/ansible-role-cis-amazon-linux/tests && ansible-playbook -i localhost, playbook.yml
+ #
+ # Manual mount command: sudo mount -t vboxsf -o uid=500,gid=500 vagrant /vagrant
+
+
+Vagrant.configure("2") do |config|
+ #config.vm.provider "vmware_fusion"
+ #config.vm.provider "virtualbox"
+
+ config.vm.box = "mvbcoding/awslinux"
+
+ # config.vm.network :forwarded_port, guest: 22, host: 10022, auto_correct: true
+
+ config.vm.synced_folder "../", "/home/vagrant/ansible-role-cis-amazon-linux", create: true, group: "vagrant", owner: "vagrant"
+
+ config.vm.provider "virtualbox" do |v|
+ v.name = "AWSLinux"
+ v.cpus = 2
+ v.memory = 2048
+ # Limit host CPU usage to 50% max
+ v.customize ["modifyvm", :id, "--cpuexecutioncap", "50"]
+ end
+
+ config.vm.provision "shell", inline: <<-SCRIPT
+ echo I am provisioning...
+ whoami
+
+ # make sure OS is up to date
+ sudo yum update -y
+
+ # install pip and other required dependencies
+ sudo yum install python-pip libffi-devel -y
+
+ # upgrade pip
+ sudo pip install --upgrade pip
+ SCRIPT
+
+end
\ No newline at end of file
diff --git a/tests/container.yml b/tests/container.yml
index da1a2258..0c73295d 100644
--- a/tests/container.yml
+++ b/tests/container.yml
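Review bot: `config.vm.box = "mvbcoding/awslinux"` pulls an unpinned third-party community box, so each fresh `vagrant up` fetches whatever the newest upload is and trusts only whatever checksum the Vagrant Cloud catalog happens to carry; for the test bed of a hardening role it is worth pinning with `config.vm.box_version = "<version>"` and, where the publisher supplies one, `config.vm.box_download_checksum` / `config.vm.box_download_checksum_type`. The provisioner likewise runs `sudo pip install --upgrade pip`, overwriting the distro-managed pip system-wide with an unpinned PyPI release, and step 4a in the header installs `ansible` unpinned even though the Makefile in this same change tests specific versions (2.3.3–2.6); pinning `ansible==<version>` there keeps a Vagrant run comparable to CI. The commented-out `config.vm.provider` and `config.vm.network` lines are dead config and could be dropped.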
@@ -33,7 +33,8 @@
 - name: Test playbook within docker container
 docker_container:
- command: "/sbin/my_init -- ansible-playbook -i localhost, --e \"cis_level_1_exclusions=['3.2.8','5.3.4']\" playbook.yml"
+ #command: "/sbin/my_init -- ansible-playbook -i localhost, --e \"cis_level_1_exclusions=['3.2.8','5.3.4']\" playbook.yml"
+ command: "/sbin/my_init -- ansible-playbook -i localhost playbook.yml"
 detach: false
 image: "{{ docker_image_name }}"
 name: "{{ docker_container_name }}"
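Review bot: The new `command:` drops the trailing comma from `-i localhost,`, which changes its meaning: `localhost,` is an inline host list, whereas `localhost` is an inventory path that, unless a file of that name exists in the container's working directory, Ansible either rejects outright or warns about and replaces with the implicit localhost depending on the version under test — so whether the play still targets anything hinges on the playbook's `hosts:` line, which is outside this hunk. Every other invocation in this change (the Makefile targets) keeps the comma, so this looks accidental: `command: "/sbin/my_init -- ansible-playbook -i localhost, playbook.yml"`. The previous command is left behind as a commented-out line; if dropping the `3.2.8`/`5.3.4` exclusions from the container run is intentional, say so in the commit message and delete the comment rather than keep dead config.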