added 2.2.1.1 through 2.2.1.4

Signed-off-by: George Nalen <[email protected]>
ansible-lockdown · Aug 25, 2020 · 71f0b4a · 71f0b4a
1 parent 44d5f18
commit 71f0b4a
Show file tree

Hide file tree

Showing 7 changed files with 352 additions and 10 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -91,10 +91,10 @@ ubtu18cis_rule_1_6_1: true
 ubtu18cis_rule_1_6_2: true
 ubtu18cis_rule_1_6_3: true
 ubtu18cis_rule_1_6_4: true
-ubtu18cis_rule_1_7_1_1: true
-ubtu18cis_rule_1_7_1_2: true
-ubtu18cis_rule_1_7_1_3: true
-ubtu18cis_rule_1_7_1_4: true
+ubtu18cis_rule_1_7_1_1: false
+ubtu18cis_rule_1_7_1_2: false
+ubtu18cis_rule_1_7_1_3: false
+ubtu18cis_rule_1_7_1_4: false
 ubtu18cis_rule_1_8_1_1: true
 ubtu18cis_rule_1_8_1_2: true
 ubtu18cis_rule_1_8_1_3: true
@@ -108,7 +108,10 @@ ubtu18cis_rule_1_9: true
 # Section 2 is Services (inetd, special purpose, and service clients)
 ubtu18cis_rule_2_1_1: true
 ubtu18cis_rule_2_1_2: true
-ubtu18cis_rule_2_2_1: true
+ubtu18cis_rule_2_2_1_1: true
+ubtu18cis_rule_2_2_1_2: true
+ubtu18cis_rule_2_2_1_3: true
+ubtu18cis_rule_2_2_1_4: true
 ubtu18cis_rule_2_2_2: true
 ubtu18cis_rule_2_2_3: true
 ubtu18cis_rule_2_2_4: true
@@ -191,3 +194,20 @@ ubtu18cis_root_pw: "Password1"
 # \m, \r, \s, \v or references to the OS platform
 ubtu18cis_warning_banner: |
         Authorized uses only. All activity may be monitored and reported.
+
+# Section 2 Control Variables
+# Control 2.2.1.1
+# ubtu18cis_time_sync_tool is the tool in which to synchronize time
+# The two options are chrony or ntp
+ubtu18cis_time_sync_tool: "chrony"
+
+# Control 2.2.1.3
+# ubtu18cis_chrony_server_options is the server options for chrony
+ubtu18cis_chrony_server_options: "minpoll 8"
+ubtu18cis_time_synchronization_servers:
+    - 0.pool.ntp.org
+    - 1.pool.ntp.org
+    - 2.pool.ntp.org
+    - 3.pool.ntp.org
+# ubtu18cis_chrony_user will be the user to run chrony
+ubtu18cis_chrony_user: "chrony"
diff --git a/files/etc/apparmor.d/usr.bin.ssh b/files/etc/apparmor.d/usr.bin.ssh
@@ -0,0 +1,10 @@
+# Last Modified: Mon Aug 24 20:03:44 2020
+#include <tunables/global>
+
+/usr/bin/ssh {
+  #include <abstractions/base>
+
+  /lib/x86_64-linux-gnu/ld-*.so mr,
+  /usr/bin/ssh mr,
+
+}
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
@@ -13,4 +13,10 @@
   changed_when: no
   check_mode: no
   tags:
-      - skip_ansible_lint
+      - skip_ansible_lint
+
+- name: "PRELIM | Run apt update"
+  apt:
+      update_cache: yes
+  when:
+      - ubtu18cis_rule_1_4_1
diff --git a/tasks/section1.yml b/tasks/section1.yml
@@ -823,10 +823,34 @@
       - rule_1.6.4
       - coredump
 
+# ---------------
+# ---------------
+# install apparmor blocks ssh. I can aa-genprof or aa-autodep from the command line to fix it but
+# doing it in the role doesn't help. 
+# ---------------
+# ---------------
 - name: "SCORED | 1.7.1.1 | PATCH | Ensure AppArmor is installed"
-  apt:
-      name: ['apparmor', 'apparmor-utils']
-      state: present
+  block:
+      - name: "SCORED | 1.7.1.1 | PATCH | Ensure AppArmor is installed | Install AppArmor"
+        apt:
+            name: ['apparmor', 'apparmor-utils', 'apparmor-profiles']
+            state: present
+
+      # - name: "SCORED | 1.7.1.1 | PATCH | Ensure AppArmor is installed | Configure SSH"
+      #   copy:
+      #       src: etc/apparmor.d/usr.bin.ssh
+      #       dest: /etc/apparmor.d/usr.bin.ssh
+      #       owner: root
+      #       group: root
+      #       mode: 0600
+
+      # - name: test
+      #   command: aa-autodep ssh
+
+      # - name: "SCORED | 1.7.1.1 | PATCH | Ensure AppArmor is installed | Reload service"
+      #   service:
+      #       name: apparmor
+      #       state: reloaded
   when:
       - ubtu18cis_rule_1_7_1_1
   tags:

diff --git a/tasks/section2.yml b/tasks/section2.yml
@@ -25,4 +25,127 @@
       - scored
       - patch
       - rule_2.1.2
-      - openbsd-inetd
+      - openbsd-inetd
+
+- name: "SCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use"
+  apt:
+      name: "{{ ubtu18cis_time_sync_tool }}"
+      state: present
+  when:
+      - ubtu18cis_rule_2_2_1_1
+  tags:
+      - level1-server
+      - level1-workstation
+      - scored
+      - patch
+      - rule_2.2.1.1
+      - chrony
+
+- name: "NOTSCORED | 2.2.1.2 | PATCH | Ensure systemd-timesyncd is configured"
+  block:
+      - name: "NOTSCORED | 2.2.1.2 | PATCH | Ensure systemd-timesyncd is configured | Set configuration for systemd-timesyncd"
+        lineinfile:
+            path: /etc/systemd/timesyncd.conf
+            regexp: "{{ item.regexp }}"
+            line: "{{ item.line }}"
+            insertafter: "{{ item.insertafter }}"
+        with_items:
+            - { regexp: '^\[Time\]', line: '[Time]', insertafter: EOF }
+            - { regexp: '^#NTP|^NTP', line: 'NTP=0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org', insertafter: '\[Time\]' }
+            - { regexp: '^#FallbackNTP|^FallbackNTP', line: 'FallbackNTP=ntp.ubuntu.com 3.ubuntu.pool.ntp.org', insertafter: '\[Time\]' }
+            - { regexp: '^#RootDistanceMaxSec|^RootDistanceMaxSec', line: 'RootDistanceMaxSec=1', insertafter: '\[Time\]'}
+
+      - name: "NOTSCORED | 2.2.1.2 | PATCH | Ensure systemd-timesyncd is configured | Start and enable the systemd-timesyncd service"
+        service:
+            name: systemd-timesyncd.service
+            state: started
+            enabled: yes
+
+      - name: "NOTSCORED | 2.2.1.2 | PATCH | Ensure systemd-timesyncd is configured | Set timedatectl to ntp"
+        command: timedatectl set-ntp true
+  when:
+      - ubtu18cis_rule_2_2_1_2
+  tags:
+      - level1-server
+      - level1-workstation
+      - notscored
+      - patch
+      - rule_2.2.1.2
+      - systemd-timesyncd
+
+- name: "SCORED | 2.2.1.3 | PATCH | Ensure chrony is configured"
+  block:
+      - name: "SCORED | 2.2.1.3 | AUDIT | Ensure chrony is configured | Check for chrony user"
+        shell: grep chrony /etc/passwd
+        changed_when: false
+        failed_when: false
+        register: ubtu18cis_2_2_1_3_chrony_user_status
+
+      - name: "SCORED | 2.2.1.3 | PATCH | Ensure chrony is configured | Set chrony.conf file"
+        template:
+            src: chrony.conf.j2
+            dest: /etc/chrony/chrony.conf
+            owner: root
+            group: root
+            mode: 0644
+
+      - name: "SCORED | 2.2.1.3 | PATCH | Ensure chrony is configured | Create chrony user"
+        user:
+            name: chrony
+            shell: /usr/sbin/nologin
+            system: true
+        when: ubtu18cis_2_2_1_3_chrony_user_status.stdout != ""
+
+      - name: "SCORED | 2.2.1.3 | PATCH | Ensure chrony is configured | Set option to use chrony user"
+        lineinfile:
+            path: /etc/default/chrony
+            regexp: '^DAEMON_OPTS'
+            line: 'DAEMON_OPTS="-u chrony"'
+        when: "'chrony' not in ubtu18cis_2_2_1_3_chronyd_ps_user.stdout"
+  when:
+      - ubtu18cis_rule_2_2_1_3
+      - ubtu18cis_time_sync_tool == "chrony"
+  tags:
+      - level1-server
+      - level1-workstation
+      - scored
+      - patch
+      - rule_2.2.1.3
+      - chrony
+
+- name: "SCORED | 2.2.1.4 | PATCH | Ensure ntp is configured"
+  block:
+      - name: "SCORED | 2.2.1.4 | PATCH | Ensure ntp is configured | Set ntp.conf settings"
+        template:
+            src: ntp.conf.j2
+            dest: /etc/ntp.conf
+            owner: root
+            group: root
+            mode: 0644
+
+      - name: "SCORED | 2.2.1.4 | PATCH | Ensure ntp is configured | Modify sysconfig/ntpd"
+        lineinfile:
+            path: /etc/sysconfig/ntpd
+            regexp: "{{ item.regexp }}"
+            line: "{{ item. line }}"
+        with_items:
+            - { regexp: '^OPTIONS', line: 'OPTIONS="-u ntp:ntp"'}
+            - { regexp: '^NTPD_OPTIONS', line: 'NTPD_OPTIONS="-u ntp:ntp"' }
+
+      - name: "SCORED | 2.2.1.4 | PATCH | Ensure ntp is configured | Modify /etc/init.d/npt"
+        lineinfile:
+            path: /etc/init.d/ntp
+            regexp: '^RUNAUSER'
+            line: 'RUNAUSER=npt'
+  when:
+      - ubtu18cis_rule_2_2_1_4
+      - ubtu18cis_time_sync_tool == "ntp"
+  tags:
+      - level1-server
+      - level1-workstation
+      - scored
+      - patch
+      - rule_2.2.1.4
+      - ntp
+
+# - name: "SCORED | 2.2.2|"
diff --git a/templates/chrony.conf.j2 b/templates/chrony.conf.j2
@@ -0,0 +1,91 @@
+# Welcome to the chrony configuration file. See chrony.conf(5) for more
+# information about usuable directives.
+
+# This will use (up to):
+# - 4 sources from ntp.ubuntu.com which some are ipv6 enabled
+# - 2 sources from 2.ubuntu.pool.ntp.org which is ipv6 enabled as well
+# - 1 source from [01].ubuntu.pool.ntp.org each (ipv4 only atm)
+# This means by default, up to 6 dual-stack and up to 2 additional IPv4-only
+# sources will be used.
+# At the same time it retains some protection against one of the entries being
+# down (compare to just using one of the lines). See (LP: #1754358) for the
+# discussion.
+#
+# About using servers from the NTP Pool Project in general see (LP: #104525).
+# Approved by Ubuntu Technical Board on 2011-02-08.
+# See http://www.pool.ntp.org/join.html for more information.
+
+{% for server in ubtu18cis_time_synchronization_servers -%}
+server {{ server }} {{ ubtu18cis_chrony_server_options }}
+{% endfor %}
+
+# This directive specify the location of the file containing ID/key pairs for
+# NTP authentication.
+keyfile /etc/chrony/chrony.keys
+
+# Set runtime command key.  Note that if you change the key (not the
+# password) to anything other than 1 you will need to edit
+# /etc/ppp/ip-up.d/chrony, /etc/ppp/ip-down.d/chrony, /etc/init.d/chrony
+# and /etc/cron.weekly/chrony as these scripts use it to get the password.
+
+#commandkey 1
+
+# This directive specify the file into which chronyd will store the rate
+# information.
+driftfile /var/lib/chrony/chrony.drift
+
+# Uncomment the following line to turn logging on.
+#log tracking measurements statistics
+
+# Log files location.
+logdir /var/log/chrony
+
+# Stop bad estimates upsetting machine clock.
+maxupdateskew 100.0
+
+# This directive enables kernel synchronisation (every 11 minutes) of the
+# real-time clock. Note that it can’t be used along with the 'rtcfile' directive.
+rtcsync
+
+# Dump measurements when daemon exits.
+dumponexit
+
+# Specify directory for dumping measurements.
+
+dumpdir /var/lib/chrony
+
+# Let computer be a server when it is unsynchronised.
+
+local stratum 10
+
+# Allow computers on the unrouted nets to use the server.
+
+#allow 10/8
+#allow 192.168/16
+#allow 172.16/12
+
+# This directive forces `chronyd' to send a message to syslog if it
+# makes a system clock adjustment larger than a threshold value in seconds.
+
+logchange 0.5
+
+# This directive defines an email address to which mail should be sent
+# if chronyd applies a correction exceeding a particular threshold to the
+# system clock.
+
+# mailonchange root@localhost 0.5
+
+# This directive tells chrony to regulate the real-time clock and tells it
+# Where to store related data.  It may not work on some newer motherboards
+# that use the HPET real-time clock.  It requires enhanced real-time
+# support in the kernel.  I've commented it out because with certain
+# combinations of motherboard and kernel it is reported to cause lockups.
+
+# rtcfile /var/lib/chrony/chrony.rtc
+
+# If the last line of this file reads 'rtconutc' chrony will assume that
+# the CMOS clock is on UTC (GMT).  If it reads '# rtconutc' or is absent
+# chrony will assume local time.  The line (if any) was written by the
+# chrony postinst based on what it found in /etc/default/rcS.  You may
+# change it if necessary.
+rtconutc