Merge pull request #18 from jvleminc/master

(chore) [COTEF1901-104] Reorganized variables per chapter.
alivx · Jan 8, 2021 · a278a3e · a278a3e
2 parents 905ede7 + 7c75c47
commit a278a3e
Show file tree

Hide file tree

Showing 2 changed files with 127 additions and 87 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -1,6 +1,7 @@
 ---
-# defaults file for Auto-CIS-Ubuntu-Linux-20.04-LTS-Remediation
-#Section 1
+# Defaults file for Auto-CIS-Ubuntu-Linux-20.04-LTS-Remediation
+
+# Section 1
 disable_cramfs: yes
 disable_freevxfs: yes
 disable_jffs2: yes
@@ -9,65 +10,15 @@ disable_hfsplus: yes
 disable_udf: yes
 disable_fat: yes
 temp_dir_size: 1G
-# Section 6
-withoutOwnerFileDirOwner: root
-withoutGroupFilesDirGroup: root
-outputfiles: /home/ali/ #Output dir of some command
-disable_autofs: true
-disable_usb: true
-install_apparmor: true
-#Section 5
-#5.1.8 Ensure cron is restricted to authorized users
-allowd_hosts: "ALL: 0.0.0.0/0.0.0.0, 192.168.2.0/255.255.255.0"
-# 5.2.13 Ensure only strong MAC algorithms are used
-ssh_MACs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256"
-# 5.2.14 Ensure only strong Key Exchange algorithms are used
-ssh_key_algorithms: "curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
-# 5.2.17 Ensure SSH access is limited
-allowed_users: ali saleh baker root #Put None or list of users space between each user
-allowed_groups: None
-deny_users: None
-deny_groups: None
-## 5.2.21 Ensure SSH MaxStartups is configured
-ssh_max_startups: "10:30:100"
-# 5.2.22 Ensure SSH MaxSessions is limited
-ssh_max_sessions: 10
-# 5.4.1.1 Ensure password expiration is 365 days or less
-pass_expire_in_days: 300
-pass_warn_age: 7
-pass_min_days: 1
-# 5.4.1.1 Ensure password expiration is 365 days or less
-list_of_os_users:
-  - ali
-#5.4.1.4 Ensure inactive password lock is 30 days or less
-#Note: A value of -1 would disable this setting
-account_inactive: 30
-# 5.4.5 Ensure default user shell timeout is 900 seconds or less
-shell_timeout_sec: 900
-#Section 4 Settings
-#Ensure rsyslog is configured to send logs to a remote log host
-remoteSyslog:
-  enable: false
-  host: 192.168.2.100
-  port: 514
-  protocol: tcp
-logrotate_policy: "daily"
-# Section 4 | auditd config
-architecture: "x86_64"
-admin_space_left_action: halt
-max_log_file_action: keep_logs
-max_log_file: 10
-backlog_limit: "8192"
-space_left_action: email
-action_mail_acct: root
-grub_backlog_limit: 8192
-#Section 3 Setting
-disable_wifi: False
-IPv6_is_enabled: Yes
-enable_firewall: yes
-list_of_ports_to_allow:
-  - { rule: "allow", port: "8080", proto: "tcp" }
-#Section 2 Settings
+## 1.5.1 Ensure bootloader password is set (using grub): default is no
+set_bootloader_credentials: no
+### Update the default bootloader user and password
+bootloader_credentials: { user: "root", password: "b00tl04derPwd" }
+# 1.5.3 Ensure authentication required for single user mode
+set_root_password: yes
+root_password: r00tP4ssw0rd
+
+# Section 2 Settings
 time_synchronization_package_name: ntp
 time_synchronization_servers:
   - uri: "time1.google.com"
@@ -102,3 +53,65 @@ remove_talkclient: yes
 remove_telnetclient: yes
 remove_LDAPclient: yes
 remove_RPC: yes
+
+# Section 3 Settings
+disable_wifi: False
+IPv6_is_enabled: Yes
+enable_firewall: yes
+list_of_ports_to_allow:
+  - { rule: "allow", port: "8080", proto: "tcp" }
+
+# Section 4 Settings
+## Ensure rsyslog is configured to send logs to a remote log host
+remoteSyslog:
+  enable: false
+  host: 192.168.2.100
+  port: 514
+  protocol: tcp
+logrotate_policy: "daily"
+## auditd config
+architecture: "x86_64"
+admin_space_left_action: halt
+max_log_file_action: keep_logs
+max_log_file: 10
+backlog_limit: "8192"
+space_left_action: email
+action_mail_acct: root
+grub_backlog_limit: 8192
+
+#Section 5
+## 5.1.8 Ensure cron is restricted to authorized users
+allowd_hosts: "ALL: 0.0.0.0/0.0.0.0, 192.168.2.0/255.255.255.0"
+## 5.2.13 Ensure only strong MAC algorithms are used
+ssh_MACs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256"
+## 5.2.14 Ensure only strong Key Exchange algorithms are used
+ssh_key_algorithms: "curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
+## 5.2.17 Ensure SSH access is limited
+allowed_users: ali saleh baker root #Put None or list of users space between each user
+allowed_groups: None
+deny_users: None
+deny_groups: None
+## 5.2.21 Ensure SSH MaxStartups is configured
+ssh_max_startups: "10:30:100"
+## 5.2.22 Ensure SSH MaxSessions is limited
+ssh_max_sessions: 10
+## 5.4.1.1 Ensure password expiration is 365 days or less
+pass_expire_in_days: 300
+pass_warn_age: 7
+pass_min_days: 1
+## 5.4.1.1 Ensure password expiration is 365 days or less
+list_of_os_users:
+  - ali
+## 5.4.1.4 Ensure inactive password lock is 30 days or less
+##Note: A value of -1 would disable this setting
+account_inactive: 30
+## 5.4.5 Ensure default user shell timeout is 900 seconds or less
+shell_timeout_sec: 900
+
+# Section 6
+withoutOwnerFileDirOwner: root
+withoutGroupFilesDirGroup: root
+outputfiles: /home/ali/ #Output dir of some command
+disable_autofs: true
+disable_usb: true
+install_apparmor: true
diff --git a/tasks/section_1_Initial_Setup.yaml b/tasks/section_1_Initial_Setup.yaml
@@ -594,26 +594,52 @@
 # Note: This recommendation is designed around the grub bootloader, if LILO or another
 # bootloader is in use in your environment enact equivalent settings. Replace
 # /boot/grub/grub.cfg with the appropriate grub configuration file for your environment.
-- name: 1.5.1 Ensure bootloader password is set | DIY
-  debug:
-    msg: |
-      Create an encrypted password with grub-mkpasswd-pbkdf2 :
-      # grub-mkpasswd-pbkdf2
-      Enter password: <password>
-      Reenter password: <password>
-      PBKDF2 hash of your password is <encrypted-password>
-      Add the following into a custom /etc/grub.d configuration file:
-      cat <<EOF
-      set superusers="<username>"
-      password_pbkdf2 <username> <encrypted-password>
-      EOF
-      More info: https://help.ubuntu.com/community/Grub2/Passwords
+- name: 1.5.1 Ensure bootloader password is set
+  block:
+    - name: 1.5.1 Ensure bootloader password is set - step 1 - check if it isn't already set up
+      shell: /bin/grep -e "^[\s]*password" /boot/grub/grub.cfg | /usr/bin/awk '{print} END {if (NR == 0) print "continue" ; else print "stop"}'
+      register: result
+      ignore_errors: true
+
+    - name: 1.5.1 Ensure bootloader password is set - step 2 - create bootloader password hash
+      # bash -c must be used in this strange way or mysterious errors are thrown
+      shell: /bin/bash -c "echo -e '{{ bootloader_credentials.password }}\n{{ bootloader_credentials.password }}' | grub-mkpasswd-pbkdf2" | /bin/grep 'hash of your password' | /usr/bin/awk '{print $7}'
+      register: password
+      when:
+        - result.stdout == "continue"
+        - bootloader_credentials.user
+        - bootloader_credentials.password
+
+    - name: 1.5.1 Ensure bootloader password is set - step 3 - create custom grub configuration file
+      blockinfile:
+        dest: /etc/grub.d/99_custom
+        create: yes
+        mode: 0700
+        block: |
+          #!/bin/sh
+          cat <<EOF
+          set superusers='{{ bootloader_credentials.user }}'
+          password_pbkdf2 {{ bootloader_credentials.user }} {{ password.stdout }}
+          EOF
+        state: present
+      when:
+        - result.stdout == "continue"
+        - bootloader_credentials.user
+        - bootloader_credentials.password
+
+    - name: 1.5.1 Ensure bootloader password is set - step 4 - update grub
+      shell: update-grub
+      when:
+        - result.stdout == "continue"
+        - bootloader_credentials.user
+        - bootloader_credentials.password
+  when: set_bootloader_credentials
   tags:
     - section1
     - level_1_server
     - level_1_workstation
     - 1.5.1
-    - diy
+
 # 1.5.2 Ensure permissions on bootloader config are configured
 # The grub configuration file contains information on boot settings and passwords for
 # unlocking boot options. The grub configuration is usually grub.cfg stored in /boot/grub/ .
@@ -634,22 +660,23 @@
 # 1.5.3 Ensure authentication required for single user mode
 # Single user mode is used for recovery when the system detects an issue during boot or by
 # manual selection from the bootloader.
-- name: 1.5.3 Ensure authentication required for single user mode | DYI
-  debug:
-    msg: |
-      Audit:
-      Perform the following to determine if a password is set for the root user:
-      # grep ^root:[*\!]: /etc/shadow
-      No results should be returned.
-      Remediation:
-      Run the following command and follow the prompts to set a password for the root user:
-      # passwd root
+- name: 1.5.3 Ensure authentication required for single user mode
+  block:
+    - name: 1.5.3 Ensure authentication required for single user mode - check if a root password already exists
+      shell: /bin/grep -e "^root:[\*]:" /etc/shadow | /usr/bin/awk 'END {if (NR != 0) print "continue" ; else print "stop"}'
+      register: result
+      ignore_errors: true
+
+    - name: 1.5.3 Ensure authentication required for single user mode - create a root password
+      # bash must be used or mysterious errors are thrown
+      shell: /bin/bash -c "echo -e '{{ root_password }}\n{{ root_password }}' | passwd root"
+      when: result.stdout == "continue"
+  when: set_root_password and root_password
   tags:
     - section1
     - level_1_server
     - level_1_workstation
     - 1.5.3
-    - diy
 # 1.6 Additional Process Hardening
 # 1.6.1 Ensure XD/NX support is enabled
 # Recent processors in the x86 family support the ability to prevent code execution on a per