From 8c22ec6c0697f2bc32eca9bcf0cc6818904ccff7 Mon Sep 17 00:00:00 2001 From: Chandan Date: Fri, 29 Jun 2018 16:35:30 -0500 Subject: [PATCH 01/20] adding support for 2017.12 and Candidate --- meta/main.yml | 2 ++ vars/main.yml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/meta/main.yml b/meta/main.yml index ad0f691d..68a45eca 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -13,5 +13,7 @@ galaxy_info: - "2016.09" - "2017.03" - "2017.09" + - "2017.12" + - "Candidate" galaxy_tags: ['CIS','Linux','Amazon','hardening','benchmark','PCIDSS','compliance'] dependencies: [] diff --git a/vars/main.yml b/vars/main.yml index 52c7f47f..da13b1fc 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -7,6 +7,8 @@ cis_target_os_versions: - "2016.09" - "2017.03" - "2017.09" + - "2017.12" + - "Candidate" cis_modprobe_conf_filename: "/etc/modprobe.d/CIS.conf" cis_aide_database_filename: "/var/lib/aide/aide.db.gz" From 6d9d825640c1ce32f4e6a51531eecdf8cc34ee43 Mon Sep 17 00:00:00 2001 From: Chandan Date: Tue, 3 Jul 2018 10:33:01 -0500 Subject: [PATCH 02/20] removing exceptions --- .travis.yml | 19 +++++++++++++++++++ Makefile | 14 +++++++++++++- tests/container.yml | 3 ++- 3 files changed, 34 insertions(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index 897ded17..8723558a 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,5 +1,13 @@ # Standards: 0.11 --- +branches: + only: + - master + - build + +group: stable +dist: amazonlinux + language: python python: "2.7" @@ -12,6 +20,17 @@ addons: packages: - python-pip +env: + - ANSIBLE_INSTALL_VERSION=2.2.3 + - ANSIBLE_INSTALL_VERSION=2.3.3 + - ANSIBLE_INSTALL_VERSION=2.4.5 + - ANSIBLE_INSTALL_VERSION=2.5.5 + - ANSIBLE_INSTALL_VERSION=2.6.0 + +# Make sure we have the latest package list +before_install: + - sudo apt-get update + install: # Install ansible - pip install ansible ansible-review diff --git a/Makefile b/Makefile index 9d5424cb..70b7ba86 100644 --- a/Makefile +++ b/Makefile 
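Review bot: `dist: amazonlinux` in the first .travis.yml hunk of patch 02 names a build image Travis does not document — the `dist` key selects an Ubuntu release (`trusty`, `xenial`, …), and the surrounding file still installs packages with `apt`, so the job is configured for Ubuntu regardless of this key; either drop it or set a supported release and add a comment such as `# Amazon Linux itself is exercised via the Docker container in tests/container.yml`. The new `env` matrix defines `ANSIBLE_INSTALL_VERSION`, but the `install` step in the second hunk still runs `pip install ansible ansible-review`, so every matrix entry installs the same latest release and the matrix tests nothing until a later patch in this series pins the version. Patch 03 reverts both hunks and patch 06 re-applies them unchanged, so the same points apply there.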
@@ -5,7 +5,7 @@ symlink-role: @mkdir -p tests/roles @rsync -a . tests/roles/anthcourtney.cis-amazon-linux --exclude 'tests/' --exclude '.git' -test: symlink-role syntax test-ansible-2.0.2 test-ansible-2.1.3 test-ansible-2.2 +test: symlink-role syntax test-ansible-2.4.5 test-ansible-2.5.5 test-ansible-2.0.2: cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=2.0.2" @@ -16,6 +16,18 @@ test-ansible-2.1.3: test-ansible-2.2: cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=2.2" +test-ansible-2.3.3: + cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=2.3.3" + +test-ansible-2.4.5: + cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=2.4.5" + +test-ansible-2.5.5: + cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=2.5.5" + +test-ansible-2.6: + cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=2.6" + syntax: cd tests && ansible-playbook --syntax-check -i localhost, $(ANSIBLE_TEST_PLAYBOOK_FILE) diff --git a/tests/container.yml b/tests/container.yml index da1a2258..0c73295d 100644 --- a/tests/container.yml +++ b/tests/container.yml @@ -33,7 +33,8 @@ - name: Test playbook within docker container docker_container: - command: "/sbin/my_init -- ansible-playbook -i localhost, --e \"cis_level_1_exclusions=['3.2.8','5.3.4']\" playbook.yml" + #command: "/sbin/my_init -- ansible-playbook -i localhost, --e \"cis_level_1_exclusions=['3.2.8','5.3.4']\" playbook.yml" + command: "/sbin/my_init -- ansible-playbook -i localhost playbook.yml" detach: false image: "{{ docker_image_name }}" name: "{{ docker_container_name }}" From 6e6afe3b9482199531e31880be577388f688c36d Mon Sep 17 00:00:00 2001 
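Review bot: The `test` target in the first Makefile hunk now runs only `test-ansible-2.4.5` and `test-ansible-2.5.5`, while the second hunk adds `test-ansible-2.3.3` and `test-ansible-2.6` targets that nothing invokes and leaves the old 2.0.2/2.1.3/2.2 targets in place; the `.travis.yml` matrix in this same patch covers 2.2.3 through 2.6.0, so `make test` and CI disagree on what is supported. Either wire the new targets in, `test: symlink-role syntax test-ansible-2.3.3 test-ansible-2.4.5 test-ansible-2.5.5 test-ansible-2.6`, or delete the unreferenced ones. Patch 03 reverts these hunks and patch 05 re-applies them unchanged.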
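Review bot: The new `command` line in tests/container.yml drops the trailing comma from `-i localhost,`, so `ansible-playbook` now reads `localhost` as the path of an inventory file rather than as an inline host list; the Makefile targets in this same patch keep the `-i localhost,` form, and whether the bare form errors out or silently falls back to the implicit localhost depends on the Ansible version in the matrix. Keep the comma: `command: "/sbin/my_init -- ansible-playbook -i localhost, playbook.yml"`. The commented-out previous `command` is dead configuration; if the exclusion syntax is worth keeping, a one-line comment such as `# exclusions can be passed with --e "cis_level_1_exclusions=['<id>', ...]"` says the same without a stale copy of the command. Patch 03 reverts this hunk and patch 04 re-applies it unchanged.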
From: Chandan Date: Tue, 3 Jul 2018 10:33:59 -0500 Subject: [PATCH 03/20] Revert "removing exceptions" This reverts commit 6d9d825640c1ce32f4e6a51531eecdf8cc34ee43. --- .travis.yml | 19 ------------------- Makefile | 14 +------------- tests/container.yml | 3 +-- 3 files changed, 2 insertions(+), 34 deletions(-) diff --git a/.travis.yml b/.travis.yml index 8723558a..897ded17 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,13 +1,5 @@ # Standards: 0.11 --- -branches: - only: - - master - - build - -group: stable -dist: amazonlinux - language: python python: "2.7" @@ -20,17 +12,6 @@ addons: packages: - python-pip -env: - - ANSIBLE_INSTALL_VERSION=2.2.3 - - ANSIBLE_INSTALL_VERSION=2.3.3 - - ANSIBLE_INSTALL_VERSION=2.4.5 - - ANSIBLE_INSTALL_VERSION=2.5.5 - - ANSIBLE_INSTALL_VERSION=2.6.0 - -# Make sure we have the latest package list -before_install: - - sudo apt-get update - install: # Install ansible - pip install ansible ansible-review diff --git a/Makefile b/Makefile index 70b7ba86..9d5424cb 100644 --- a/Makefile +++ b/Makefile @@ -5,7 +5,7 @@ symlink-role: @mkdir -p tests/roles @rsync -a . tests/roles/anthcourtney.cis-amazon-linux --exclude 'tests/' --exclude '.git' -test: symlink-role syntax test-ansible-2.4.5 test-ansible-2.5.5 +test: symlink-role syntax test-ansible-2.0.2 test-ansible-2.1.3 test-ansible-2.2 test-ansible-2.0.2: cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=2.0.2" 
@@ -16,18 +16,6 @@ test-ansible-2.1.3: test-ansible-2.2: cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=2.2" -test-ansible-2.3.3: - cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=2.3.3" - -test-ansible-2.4.5: - cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=2.4.5" - -test-ansible-2.5.5: - cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=2.5.5" - -test-ansible-2.6: - cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=2.6" - syntax: cd tests && ansible-playbook --syntax-check -i localhost, $(ANSIBLE_TEST_PLAYBOOK_FILE) diff --git a/tests/container.yml b/tests/container.yml index 0c73295d..da1a2258 100644 --- a/tests/container.yml +++ b/tests/container.yml @@ -33,8 +33,7 @@ - name: Test playbook within docker container docker_container: - #command: "/sbin/my_init -- ansible-playbook -i localhost, --e \"cis_level_1_exclusions=['3.2.8','5.3.4']\" playbook.yml" - command: "/sbin/my_init -- ansible-playbook -i localhost playbook.yml" + command: "/sbin/my_init -- ansible-playbook -i localhost, --e \"cis_level_1_exclusions=['3.2.8','5.3.4']\" playbook.yml" detach: false image: "{{ docker_image_name }}" name: "{{ docker_container_name }}" From 648b89bf2c53c9a57e025c44ea36cfaed81a0e6a Mon Sep 17 00:00:00 2001 From: Chandan Date: Tue, 3 Jul 2018 10:34:41 -0500 Subject: [PATCH 04/20] removing exceptions --- tests/container.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/container.yml b/tests/container.yml index da1a2258..0c73295d 100644 --- a/tests/container.yml +++ b/tests/container.yml 
@@ -33,7 +33,8 @@ - name: Test playbook within docker container docker_container: - command: "/sbin/my_init -- ansible-playbook -i localhost, --e \"cis_level_1_exclusions=['3.2.8','5.3.4']\" playbook.yml" + #command: "/sbin/my_init -- ansible-playbook -i localhost, --e \"cis_level_1_exclusions=['3.2.8','5.3.4']\" playbook.yml" + command: "/sbin/my_init -- ansible-playbook -i localhost playbook.yml" detach: false image: "{{ docker_image_name }}" name: "{{ docker_container_name }}" From 6e2cee6f553bbcd9b43db710e28fe7ce898ecec9 Mon Sep 17 00:00:00 2001 From: Chandan Date: Tue, 3 Jul 2018 10:35:08 -0500 Subject: [PATCH 05/20] adding tests for anisble supported versions --- Makefile | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 9d5424cb..70b7ba86 100644 --- a/Makefile +++ b/Makefile @@ -5,7 +5,7 @@ symlink-role: @mkdir -p tests/roles @rsync -a . tests/roles/anthcourtney.cis-amazon-linux --exclude 'tests/' --exclude '.git' -test: symlink-role syntax test-ansible-2.0.2 test-ansible-2.1.3 test-ansible-2.2 +test: symlink-role syntax test-ansible-2.4.5 test-ansible-2.5.5 test-ansible-2.0.2: cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=2.0.2" 
@@ -16,6 +16,18 @@ test-ansible-2.1.3: test-ansible-2.2: cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=2.2" +test-ansible-2.3.3: + cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=2.3.3" + +test-ansible-2.4.5: + cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=2.4.5" + +test-ansible-2.5.5: + cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=2.5.5" + +test-ansible-2.6: + cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=2.6" + syntax: cd tests && ansible-playbook --syntax-check -i localhost, $(ANSIBLE_TEST_PLAYBOOK_FILE) From 78335ccc29737a9614545f7083963a36224d1b09 Mon Sep 17 00:00:00 2001 From: Chandan Date: Tue, 3 Jul 2018 10:35:44 -0500 Subject: [PATCH 06/20] adding amazonlinux docker image and supported ansible versions --- .travis.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/.travis.yml b/.travis.yml index 897ded17..8723558a 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,5 +1,13 @@ # Standards: 0.11 --- +branches: + only: + - master + - build + +group: stable +dist: amazonlinux + language: python python: "2.7" @@ -12,6 +20,17 @@ addons: packages: - python-pip +env: + - ANSIBLE_INSTALL_VERSION=2.2.3 + - ANSIBLE_INSTALL_VERSION=2.3.3 + - ANSIBLE_INSTALL_VERSION=2.4.5 + - ANSIBLE_INSTALL_VERSION=2.5.5 + - ANSIBLE_INSTALL_VERSION=2.6.0 + +# Make sure we have the latest package list +before_install: + - sudo apt-get update + install: # Install ansible - pip install ansible ansible-review From 9b75db7b47b6fc557320e4a3a7653c66875ce156 Mon Sep 17 00:00:00 2001 From: i_virus Date: Tue, 4 Sep 2018 11:53:22 -0500 Subject: [PATCH 07/20] invalid rule error in L1 5.3.2 --- tasks/level-1/5.3.2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/tasks/level-1/5.3.2.yml b/tasks/level-1/5.3.2.yml index 9a378902..2cdb37ae 100644 --- a/tasks/level-1/5.3.2.yml +++ b/tasks/level-1/5.3.2.yml @@ -70,7 +70,7 @@ type: auth control: sufficient module_path: pam_unix.so - new_control: [success=1 default=bad] + new_control: '[success=1 default=bad]' module_arguments: '' state: updated tags: From 4323de06f4016534a1dd953f8b047b8fbd14b63c Mon Sep 17 00:00:00 2001 From: i_virus Date: Tue, 4 Sep 2018 13:54:45 -0500 Subject: [PATCH 08/20] Updating role name --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 70b7ba86..67d11757 100644 --- a/Makefile +++ b/Makefile @@ -3,7 +3,7 @@ ANSIBLE_CONTAINER_PLAYBOOK_FILE = container.yml symlink-role: @mkdir -p tests/roles - @rsync -a . tests/roles/anthcourtney.cis-amazon-linux --exclude 'tests/' --exclude '.git' + @rsync -a . tests/roles/ansible-role-cis-amazon-linux --exclude 'tests/' --exclude '.git' test: symlink-role syntax test-ansible-2.4.5 test-ansible-2.5.5 From 32ef7a2143abf5e35e42e08d8772aca03a309819 Mon Sep 17 00:00:00 2001 From: i_virus Date: Tue, 4 Sep 2018 14:14:16 -0500 Subject: [PATCH 09/20] minor cosmetic change and OS upgrade --- .travis.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/.travis.yml b/.travis.yml index 8723558a..ba3d2dbc 100644 --- a/.travis.yml +++ b/.travis.yml @@ -11,10 +11,11 @@ dist: amazonlinux language: python python: "2.7" -# Use the new container infrastructure +# Use the new container infrastructure instead of legacy VM based +# https://docs.travis-ci.com/user/reference/overview/#sudo-enabled sudo: false -# Install ansible +# Install python-pip addons: apt: packages: 
@@ -27,12 +28,12 @@ env: - ANSIBLE_INSTALL_VERSION=2.5.5 - ANSIBLE_INSTALL_VERSION=2.6.0 -# Make sure we have the latest package list +# Make sure we have the latest package list and OS before_install: - - sudo apt-get update + - sudo apt update & sudo apt upgrade install: - # Install ansible + # Install ansible and ansible-review - pip install ansible ansible-review # Check ansible version From 6b3aee4a9e67cccecaa2485b6e623c1819a9bb0d Mon Sep 17 00:00:00 2001 From: i_virus Date: Wed, 12 Sep 2018 13:12:51 -0500 Subject: [PATCH 10/20] removing apt upgrade removing apt upgrade as it is causing Travis build issues --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index ba3d2dbc..663417f4 100644 --- a/.travis.yml +++ b/.travis.yml @@ -30,7 +30,7 @@ env: # Make sure we have the latest package list and OS before_install: - - sudo apt update & sudo apt upgrade + - sudo apt update install: # Install ansible and ansible-review From 87f1328b67f8c140242859f9df458ca90affabe9 Mon Sep 17 00:00:00 2001 From: chandanchowdhury Date: Tue, 23 Oct 2018 15:16:17 -0500 Subject: [PATCH 11/20] always_run removed from ansible, changing to check_mode --- tasks/level-1/1.5.2.yml | 2 +- tasks/level-1/1.6.1.6.yml | 2 +- tasks/level-1/5.4.1.1.yml | 2 +- tasks/level-1/5.4.1.2.yml | 2 +- tasks/level-1/5.4.1.3.yml | 2 +- tasks/level-1/5.4.1.4.yml | 2 +- tasks/level-1/5.4.2.yml | 2 +- tasks/level-1/5.4.3.yml | 2 +- tasks/level-1/6.2.1.yml | 2 +- tasks/level-1/6.2.10.yml | 2 +- tasks/level-1/6.2.11.yml | 2 +- tasks/level-1/6.2.12.yml | 2 +- tasks/level-1/6.2.13.yml | 2 +- tasks/level-1/6.2.14.yml | 2 +- tasks/level-1/6.2.15.yml | 2 +- tasks/level-1/6.2.16.yml | 2 +- tasks/level-1/6.2.17.yml | 2 +- tasks/level-1/6.2.18.yml | 2 +- tasks/level-1/6.2.19.yml | 2 +- 19 files changed, 19 insertions(+), 19 deletions(-) diff --git a/tasks/level-1/1.5.2.yml b/tasks/level-1/1.5.2.yml index 3628d6eb..3b367478 100644 --- a/tasks/level-1/1.5.2.yml 
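Review bot: The `# Make sure we have the latest package list and OS` comment above `before_install` is now stale — this hunk removes the `apt upgrade` step, so only the package list is refreshed; change it to `# Make sure we have the latest package list`. The remaining `sudo apt update` line is otherwise fine for this hunk's purpose.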
+++ b/tasks/level-1/1.5.2.yml @@ -6,7 +6,7 @@ - name: 1.5.2 - Check if XD/NX support is enabled shell: "dmesg | grep NX" register: dmesg_1_5_2 - always_run: yes + check_mode: no changed_when: False ignore_errors: true tags: diff --git a/tasks/level-1/1.6.1.6.yml b/tasks/level-1/1.6.1.6.yml index d16470c0..f5644bc5 100644 --- a/tasks/level-1/1.6.1.6.yml +++ b/tasks/level-1/1.6.1.6.yml @@ -5,7 +5,7 @@ - name: 1.6.1.6 Ensure no unconfined daemons exist (Scored) script: "{{ role_path }}/files/audit_1.6.1.6.sh" - always_run: yes + check_mode: no changed_when: False register: audit_1_6_1_6 tags: diff --git a/tasks/level-1/5.4.1.1.yml b/tasks/level-1/5.4.1.1.yml index 50ee1d40..e3555468 100644 --- a/tasks/level-1/5.4.1.1.yml +++ b/tasks/level-1/5.4.1.1.yml @@ -6,7 +6,7 @@ - name: 5.4.1.1 - Obtain a list of user accounts shell: "egrep ^[^:]+:[^\\!*] /etc/shadow | cut -d: -f1" register: egrep_5_4_1_1 - always_run: yes + check_mode: no changed_when: False tags: - level-1 diff --git a/tasks/level-1/5.4.1.2.yml b/tasks/level-1/5.4.1.2.yml index 9ac19095..588f92bf 100644 --- a/tasks/level-1/5.4.1.2.yml +++ b/tasks/level-1/5.4.1.2.yml @@ -6,7 +6,7 @@ - name: 5.4.1.2 - Obtain a list of user accounts shell: "egrep ^[^:]+:[^\\!*] /etc/shadow | cut -d: -f1" register: egrep_5_4_1_2 - always_run: yes + check_mode: no changed_when: False tags: - level-1 diff --git a/tasks/level-1/5.4.1.3.yml b/tasks/level-1/5.4.1.3.yml index cefd4b6f..49f5dc85 100644 --- a/tasks/level-1/5.4.1.3.yml +++ b/tasks/level-1/5.4.1.3.yml @@ -6,7 +6,7 @@ - name: 5.4.1.3 - Obtain a list of user accounts shell: "egrep ^[^:]+:[^\\!*] /etc/shadow | cut -d: -f1" register: egrep_5_4_1_3 - always_run: yes + check_mode: no changed_when: False tags: - level-1 diff --git a/tasks/level-1/5.4.1.4.yml b/tasks/level-1/5.4.1.4.yml index b24b7f68..9dca96ad 100644 --- a/tasks/level-1/5.4.1.4.yml +++ b/tasks/level-1/5.4.1.4.yml 
@@ -6,7 +6,7 @@ - name: 5.4.1.4 - Obtain a list of user accounts shell: "egrep ^[^:]+:[^\\!*] /etc/shadow | cut -d: -f1" register: egrep_5_4_1_4 - always_run: yes + check_mode: no changed_when: False tags: - level-1 diff --git a/tasks/level-1/5.4.2.yml b/tasks/level-1/5.4.2.yml index bcdae490..b7d3da05 100644 --- a/tasks/level-1/5.4.2.yml +++ b/tasks/level-1/5.4.2.yml @@ -6,7 +6,7 @@ - name: 5.4.2 - Retrieve system accounts shell: "awk -F: '($3 < 500) {print $1 }' /etc/passwd | grep -v ^#" register: audit_5_4_2 - always_run: yes + check_mode: no changed_when: False tags: - level-1 diff --git a/tasks/level-1/5.4.3.yml b/tasks/level-1/5.4.3.yml index 0a260bc0..4399c261 100644 --- a/tasks/level-1/5.4.3.yml +++ b/tasks/level-1/5.4.3.yml @@ -6,7 +6,7 @@ - name: 5.4.3 - Check the GID of the root group shell: "cat /etc/passwd | awk -F: '($3 == 0) { print $1 }'" register: cat_5_4_3 - always_run: yes + check_mode: no changed_when: False tags: - level-1 diff --git a/tasks/level-1/6.2.1.yml b/tasks/level-1/6.2.1.yml index 4a81a41e..b27dd8f0 100644 --- a/tasks/level-1/6.2.1.yml +++ b/tasks/level-1/6.2.1.yml @@ -6,7 +6,7 @@ - name: 6.2.1 - Identify any accounts without passwords shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) { print $1 }'" register: accounts_6_2_1 - always_run: yes + check_mode: no changed_when: False tags: - level-1 diff --git a/tasks/level-1/6.2.10.yml b/tasks/level-1/6.2.10.yml index 2b209e85..3048ca2a 100644 --- a/tasks/level-1/6.2.10.yml +++ b/tasks/level-1/6.2.10.yml @@ -5,7 +5,7 @@ - name: 6.2.10 - Audit users' dot files permissions script: "{{ role_path }}/files/audit_6.2.10.sh" - always_run: yes + check_mode: no changed_when: False register: audit_6_2_10 tags: diff --git a/tasks/level-1/6.2.11.yml b/tasks/level-1/6.2.11.yml index 2797b45e..877ba3a4 100644 --- a/tasks/level-1/6.2.11.yml +++ b/tasks/level-1/6.2.11.yml 
@@ -5,7 +5,7 @@ - name: 6.2.11 - Audit users' forward files script: "{{ role_path }}/files/audit_6.2.11.sh" - always_run: yes + check_mode: no changed_when: False register: audit_6_2_11 tags: diff --git a/tasks/level-1/6.2.12.yml b/tasks/level-1/6.2.12.yml index 41125f6b..149a48df 100644 --- a/tasks/level-1/6.2.12.yml +++ b/tasks/level-1/6.2.12.yml @@ -5,7 +5,7 @@ - name: 6.2.12 - Audit users'.netrc files script: "{{ role_path }}/files/audit_6.2.12.sh" - always_run: yes + check_mode: no changed_when: False register: audit_6_2_12 tags: diff --git a/tasks/level-1/6.2.13.yml b/tasks/level-1/6.2.13.yml index 99adcc45..1008df8d 100644 --- a/tasks/level-1/6.2.13.yml +++ b/tasks/level-1/6.2.13.yml @@ -5,7 +5,7 @@ - name: 6.2.13 - Audit users'.netrc permissions script: "{{ role_path }}/files/audit_6.2.13.sh" - always_run: yes + check_mode: no changed_when: False register: audit_6_2_13 tags: diff --git a/tasks/level-1/6.2.14.yml b/tasks/level-1/6.2.14.yml index fc66cba3..185a511c 100644 --- a/tasks/level-1/6.2.14.yml +++ b/tasks/level-1/6.2.14.yml @@ -5,7 +5,7 @@ - name: 6.2.14 - Audit users'.rhosts files script: "{{ role_path }}/files/audit_6.2.14.sh" - always_run: yes + check_mode: no changed_when: False register: audit_6_2_14 tags: diff --git a/tasks/level-1/6.2.15.yml b/tasks/level-1/6.2.15.yml index 0c154835..26aff840 100644 --- a/tasks/level-1/6.2.15.yml +++ b/tasks/level-1/6.2.15.yml @@ -5,7 +5,7 @@ - name: 6.2.15 - Audit existence of groups listed in /etc/passwd against /etc/group script: "{{ role_path }}/files/audit_6.2.15.sh" - always_run: yes + check_mode: no changed_when: False register: audit_6_2_15 tags: diff --git a/tasks/level-1/6.2.16.yml b/tasks/level-1/6.2.16.yml index 30cffc4a..7822047f 100644 --- a/tasks/level-1/6.2.16.yml +++ b/tasks/level-1/6.2.16.yml @@ -5,7 +5,7 @@ - name: 6.2.16 - Check if duplicate UIDs exist script: "{{ role_path }}/files/audit_6.2.16.sh" - always_run: yes + check_mode: no changed_when: False register: audit_6_2_16 tags: 
diff --git a/tasks/level-1/6.2.17.yml b/tasks/level-1/6.2.17.yml index be7d1cc9..a0328469 100644 --- a/tasks/level-1/6.2.17.yml +++ b/tasks/level-1/6.2.17.yml @@ -5,7 +5,7 @@ - name: 6.2.17 - Check if duplicate GIDs exist script: "{{ role_path }}/files/audit_6.2.17.sh" - always_run: yes + check_mode: no changed_when: False register: audit_6_2_17 tags: diff --git a/tasks/level-1/6.2.18.yml b/tasks/level-1/6.2.18.yml index 9d8f048b..c449e9b6 100644 --- a/tasks/level-1/6.2.18.yml +++ b/tasks/level-1/6.2.18.yml @@ -5,7 +5,7 @@ - name: 6.2.18 - Check if duplicate user names exist script: "{{ role_path }}/files/audit_6.2.18.sh" - always_run: yes + check_mode: no changed_when: False register: audit_6_2_18 tags: diff --git a/tasks/level-1/6.2.19.yml b/tasks/level-1/6.2.19.yml index 0d180d1d..a61696be 100644 --- a/tasks/level-1/6.2.19.yml +++ b/tasks/level-1/6.2.19.yml @@ -5,7 +5,7 @@ - name: 6.2.19 - Check if duplicate group names exist script: "{{ role_path }}/files/audit_6.2.19.sh" - always_run: yes + check_mode: no changed_when: False register: audit_6_2_19 tags: From 8f59f70ed7e6bd245b851a94d5a3a587321040f7 Mon Sep 17 00:00:00 2001 From: chandanchowdhury Date: Tue, 23 Oct 2018 15:55:36 -0500 Subject: [PATCH 12/20] always_run removed from ansible, changing to check_mode --- tasks/level-1/6.2.5.yml | 2 +- tasks/level-1/6.2.6.yml | 2 +- tasks/level-1/6.2.7.yml | 2 +- tasks/level-1/6.2.8.yml | 2 +- tasks/level-1/6.2.9.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/tasks/level-1/6.2.5.yml b/tasks/level-1/6.2.5.yml index 1e947736..f6dba491 100644 --- a/tasks/level-1/6.2.5.yml +++ b/tasks/level-1/6.2.5.yml @@ -5,7 +5,7 @@ - name: 6.2.5 - Ensure root is the only UID 0 account shell: "cat /etc/passwd | awk -F: '($3 == 0) { print $1 }'" - always_run: yes + check_mode: no changed_when: False register: cat_6_2_5 tags: diff --git a/tasks/level-1/6.2.6.yml b/tasks/level-1/6.2.6.yml index 89280277..ef644834 100644 --- a/tasks/level-1/6.2.6.yml 
+++ b/tasks/level-1/6.2.6.yml @@ -5,7 +5,7 @@ - name: 6.2.6 - Audit root PATH Integrity script: "{{ role_path }}/files/audit_6.2.6.sh" - always_run: yes + check_mode: no changed_when: False register: audit_6_2_6 tags: diff --git a/tasks/level-1/6.2.7.yml b/tasks/level-1/6.2.7.yml index 8fe4461f..712afe2f 100644 --- a/tasks/level-1/6.2.7.yml +++ b/tasks/level-1/6.2.7.yml @@ -5,7 +5,7 @@ - name: 6.2.7 - Audit existence of users' home directories script: "{{ role_path }}/files/audit_6.2.7.sh" - always_run: yes + check_mode: no changed_when: False register: audit_6_2_7 tags: diff --git a/tasks/level-1/6.2.8.yml b/tasks/level-1/6.2.8.yml index 66ab7302..64f1ae9f 100644 --- a/tasks/level-1/6.2.8.yml +++ b/tasks/level-1/6.2.8.yml @@ -5,7 +5,7 @@ - name: 6.2.8 - Audit users' home directories permissions script: "{{ role_path }}/files/audit_6.2.8.sh" - always_run: yes + check_mode: no changed_when: False register: audit_6_2_8 tags: diff --git a/tasks/level-1/6.2.9.yml b/tasks/level-1/6.2.9.yml index 971d97ef..5f14db86 100644 --- a/tasks/level-1/6.2.9.yml +++ b/tasks/level-1/6.2.9.yml @@ -5,7 +5,7 @@ - name: 6.2.9 - Audit ownership of users' home directories script: "{{ role_path }}/files/audit_6.2.9.sh" - always_run: yes + check_mode: no changed_when: False register: audit_6_2_9 tags: From 387c773d75a2510dd37dfe0c2b70dc6ac7846f57 Mon Sep 17 00:00:00 2001 From: chandanchowdhury Date: Tue, 23 Oct 2018 15:55:56 -0500 Subject: [PATCH 13/20] adding ansible 2.7 --- .travis.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 663417f4..0c9babf5 100644 --- a/.travis.yml +++ b/.travis.yml @@ -13,7 +13,8 @@ python: "2.7" # Use the new container infrastructure instead of legacy VM based # https://docs.travis-ci.com/user/reference/overview/#sudo-enabled -sudo: false +#sudo: false +sudo: required # Install python-pip addons: 
@@ -27,6 +28,7 @@ env: - ANSIBLE_INSTALL_VERSION=2.4.5 - ANSIBLE_INSTALL_VERSION=2.5.5 - ANSIBLE_INSTALL_VERSION=2.6.0 + - ANSIBLE_INSTALL_VERSION=2.7.0 # Make sure we have the latest package list and OS before_install: From 86cf12f9fd0a3696d082602aa22d98f8b472b2bb Mon Sep 17 00:00:00 2001 From: chandanchowdhury Date: Tue, 23 Oct 2018 16:04:07 -0500 Subject: [PATCH 14/20] install specific version of ansible --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 0c9babf5..26586fd0 100644 --- a/.travis.yml +++ b/.travis.yml @@ -36,7 +36,7 @@ before_install: install: # Install ansible and ansible-review - - pip install ansible ansible-review + - pip install ansible=$ANSIBLE_INSTALL_VERSION ansible-review # Check ansible version - ansible --version From 9bf6d17e31de5262327d7f23de561e42d12ab9a1 Mon Sep 17 00:00:00 2001 From: chandanchowdhury Date: Tue, 23 Oct 2018 16:06:09 -0500 Subject: [PATCH 15/20] install specific version of ansible --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 26586fd0..23d970ff 100644 --- a/.travis.yml +++ b/.travis.yml @@ -36,7 +36,7 @@ before_install: install: # Install ansible and ansible-review - - pip install ansible=$ANSIBLE_INSTALL_VERSION ansible-review + - pip install ansible==$ANSIBLE_INSTALL_VERSION ansible-review # Check ansible version - ansible --version From 0fabd71fc5075dad3621a53bbdbd219624ab3d2c Mon Sep 17 00:00:00 2001 From: chandanchowdhury Date: Tue, 23 Oct 2018 16:20:38 -0500 Subject: [PATCH 16/20] reverting to new container infra on travis --- .travis.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index 23d970ff..9d9ec1ed 100644 --- a/.travis.yml +++ b/.travis.yml 
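Review bot: `pip install ansible==$ANSIBLE_INSTALL_VERSION ansible-review` in the patch 15 hunk pins Ansible but leaves `ansible-review` floating, so each build pulls whatever its latest release is, and its own dependency on Ansible may pull in a different version than the matrix asked for; pin it the same way, `- pip install ansible==$ANSIBLE_INSTALL_VERSION ansible-review==<pinned version>`, so the matrix entry alone determines what is installed. The `# Check ansible version` step that follows then confirms the pinned version rather than whatever pip resolved. Patch 14 introduced the single-`=` form that this hunk corrects.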
@@ -13,8 +13,7 @@ python: "2.7" # Use the new container infrastructure instead of legacy VM based # https://docs.travis-ci.com/user/reference/overview/#sudo-enabled -#sudo: false -sudo: required +sudo: false # Install python-pip addons: From 4db578cff66bd28ecbfe68f40d45262c8ea4c040 Mon Sep 17 00:00:00 2001 From: chandanchowdhury Date: Thu, 25 Oct 2018 18:27:09 -0500 Subject: [PATCH 17/20] adding 4.1.3 --- tasks/level-2.yml | 2 ++ tasks/level-2/4.1.3.yml | 26 ++++++++++++++++++++++++++ 2 files changed, 28 insertions(+) create mode 100644 tasks/level-2/4.1.3.yml diff --git a/tasks/level-2.yml b/tasks/level-2.yml index 44669377..107fbabb 100644 --- a/tasks/level-2.yml +++ b/tasks/level-2.yml @@ -29,6 +29,8 @@ when: "'4.1.1.3' not in cis_level_2_exclusions" - include: "level-2/4.1.2.yml" when: "'4.1.2' not in cis_level_2_exclusions" +- include: "level-2/4.1.3.yml" + when: "'4.1.3' not in cis_level_2_exclusions" - include: "level-2/4.1.4.yml" when: "'4.1.4' not in cis_level_2_exclusions" - include: "level-2/4.1.5.yml" diff --git a/tasks/level-2/4.1.3.yml b/tasks/level-2/4.1.3.yml new file mode 100644 index 00000000..92933db7 --- /dev/null +++ b/tasks/level-2/4.1.3.yml @@ -0,0 +1,26 @@ +# Standards: 0.11 +--- + +# 4.1.3 Ensure auditing for processes that start prior to auditd is enabled + +- name: 4.1.3 Ensure auditing for processes that start prior to auditd is enabled + shell: "grep '^\\s*kernel*audit=1' {{ cis_grub_bootloader_filename }}" + register: cis_4_1_3 + ignore_errors: true + tags: + - "4.1.3" + - level-2 + - section-4 + - scored + +- name: 4.1.3 Inform user to make the required change + debug: + msg: + - "*** ACTION REQUIRED ***" + - "Edit /boot/grub/menu.lst to include audit=1 on all kernel lines." + when: cis_4_1_3.rc > 0 + tags: + - "4.1.3" + - level-2 + - section-4 + - scored \ No newline at end of file From a5b3c5e75b7954375ef61d4b111aedcee1be5d13 Mon Sep 17 00:00:00 2001 
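Review bot: Restoring `sudo: false` in the patch 16 hunk selects Travis's container-based environment, where `sudo` is not available, yet the file's `before_install` step (outside this hunk; see the patch 10 hunk) still runs `sudo apt update`, which I would expect to fail on that infrastructure. Since the packages this job needs are already declared under `addons: apt: packages`, the `before_install` step can be dropped, or the comment above `sudo:` should state why the job needs the sudo-enabled VM instead. Patch 13 had switched this to `sudo: required`, so the series has been oscillating on this setting without the `apt` step being reconciled.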
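Review bot: The grep pattern in the new `tasks/level-2/4.1.3.yml`, `'^\\s*kernel*audit=1'`, does not express what the task name promises: `l*` is a quantifier on the letter `l`, so the pattern only matches when `kerne`, optional `l`s and `audit=1` are adjacent, and a real `kernel /boot/vmlinuz... audit=1` line never matches, leaving `rc` non-zero and the ACTION REQUIRED message shown on every run. The intended pattern is `'^\\s*kernel.*audit=1'`. The task also lacks the `check_mode: no` and `changed_when: False` that the audit tasks in patches 11 and 12 carry, so it reports changed on every run and is skipped in check mode, after which `when: cis_4_1_3.rc > 0` fails on an undefined variable. The debug message hard-codes `/boot/grub/menu.lst` while the check reads `{{ cis_grub_bootloader_filename }}`; use the variable in the message so the two cannot diverge.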
From: i_virus Date: Sat, 17 Nov 2018 16:02:54 -0600 Subject: [PATCH 18/20] 5.4.4 change default umask to 027 --- tasks/level-1/5.4.4.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/level-1/5.4.4.yml b/tasks/level-1/5.4.4.yml index 4a1378be..db377051 100644 --- a/tasks/level-1/5.4.4.yml +++ b/tasks/level-1/5.4.4.yml @@ -5,7 +5,7 @@ - name: 5.4.4 - Ensure default user umask is 027 or more restrictive lineinfile: - regexp: "^umask\\s+" + regexp: "\\s*umask\\s+022" line: "umask {{ cis_umask_default }}" dest: "{{ item }}" with_items: "{{ cis_umask_shell_files }}" From f0306c49c4673a819dadb4188a2b68f593e2d3f3 Mon Sep 17 00:00:00 2001 From: i_virus Date: Sat, 17 Nov 2018 17:17:41 -0600 Subject: [PATCH 19/20] 5.4.4 use sed instead of lineinfile --- tasks/level-1/5.4.4.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/tasks/level-1/5.4.4.yml b/tasks/level-1/5.4.4.yml index db377051..dbd06319 100644 --- a/tasks/level-1/5.4.4.yml +++ b/tasks/level-1/5.4.4.yml @@ -4,10 +4,7 @@ # 5.4.4 Ensure default user umask is 027 or more restrictive - name: 5.4.4 - Ensure default user umask is 027 or more restrictive - lineinfile: - regexp: "\\s*umask\\s+022" - line: "umask {{ cis_umask_default }}" - dest: "{{ item }}" + shell: sed -i -e "s/umask 022/umask {{ cis_umask_default }}/g" {{ item }} with_items: "{{ cis_umask_shell_files }}" tags: - level-1 From b2f7b6a9d693ec4ced5418c3863385320ce02c69 Mon Sep 17 00:00:00 2001 From: i_virus Date: Sun, 18 Nov 2018 00:12:26 -0600 Subject: [PATCH 20/20] adding Vagrantfile --- tests/Vagrantfile | 45 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 tests/Vagrantfile diff --git a/tests/Vagrantfile b/tests/Vagrantfile new file mode 100644 index 00000000..3134e6ac --- /dev/null +++ b/tests/Vagrantfile 
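Review bot: Replacing `lineinfile` with `shell: sed -i -e "s/umask 022/umask {{ cis_umask_default }}/g" {{ item }}` in the patch 19 hunk loses idempotence and reporting — the task has no `changed_when`, so every run reports changed and Ansible can no longer say whether anything was edited; `{{ item }}` is also unquoted in the shell line. It only rewrites the literal `umask 022`, so a more permissive value on another line (Amazon Linux's `/etc/bashrc` commonly carries a `umask 002` branch for non-system users — verify on the target) is left in place, which is exactly the condition 5.4.4 is meant to fix. The `replace` module covers the same edit without a shell and stays idempotent: `replace: { dest: "{{ item }}", regexp: '^(\s*umask\s+)0[0-2][0-9]', replace: '\g<1>{{ cis_umask_default }}' }`. Patch 18 narrowed the `lineinfile` regexp to `022` in the same line; that change is superseded by this one.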
@@ -0,0 +1,45 @@ +##### +# +# 1. First boot run "vagrant up" to download OS image and initial provisioning. +# 2. It will fail to mount as OS need reboot. So run "vagrant reload --provision" to reboot the OS and force provisioning again. +# 3. Run "vagrant ssh" to login to the system. +# 4. Run below commands to install ansible and run tasks +# a) pip install --upgrade --user setuptools ansible ansible-review +# b) cd /home/vagrant/ansible-role-cis-amazon-linux/tests && ansible-playbook -i localhost, playbook.yml +# +# Manual mount command: sudo mount -t vboxsf -o uid=500,gid=500 vagrant /vagrant + + +Vagrant.configure("2") do |config| + #config.vm.provider "vmware_fusion" + #config.vm.provider "virtualbox" + + config.vm.box = "mvbcoding/awslinux" + + # config.vm.network :forwarded_port, guest: 22, host: 10022, auto_correct: true + + config.vm.synced_folder "../", "/home/vagrant/ansible-role-cis-amazon-linux", create: true, group: "vagrant", owner: "vagrant" + + config.vm.provider "virtualbox" do |v| + v.name = "AWSLinux" + v.cpus = 2 + v.memory = 2048 + # Limit host CPU usage to 50% max + v.customize ["modifyvm", :id, "--cpuexecutioncap", "50"] + end + + config.vm.provision "shell", inline: <<-SCRIPT + echo I am provisioning... + whoami + + # make sure OS is up to date + sudo yum update -y + + # install pip and other required dependencies + sudo yum install python-pip libffi-devel -y + + # upgrade pip + sudo pip install --upgrade pip + SCRIPT + +end \ No newline at end of file
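Review bot: `config.vm.box = "mvbcoding/awslinux"` pulls a third-party box from Vagrant Cloud with no version constraint, so the test VM's base image is an unpinned external dependency that can change underneath the tests; add `config.vm.box_version = "<pinned box version>"` next to it so runs are reproducible and an image change is a deliberate, reviewed edit. In the provisioning script, `sudo pip install --upgrade pip` overwrites the `python-pip` that the preceding `yum install` just installed with a copy outside the package manager's control, which commonly leaves `pip` in an inconsistent state on RPM-based systems — verify on this box; the header comment already suggests `pip install --upgrade --user ...` for the vagrant user, and the same `--user` form here avoids touching the system copy. The file also ends without a trailing newline.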