From 71f0b4a7cd0d1b025816b437f5de99f974055f40 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 25 Aug 2020 14:08:29 -0400 Subject: [PATCH] added 2.2.1.1 through 2.2.1.4 Signed-off-by: George Nalen --- defaults/main.yml | 30 ++++++-- files/etc/apparmor.d/usr.bin.ssh | 10 +++ tasks/prelim.yml | 8 +- tasks/section1.yml | 30 +++++++- tasks/section2.yml | 125 ++++++++++++++++++++++++++++++- templates/chrony.conf.j2 | 91 ++++++++++++++++++++++ templates/ntp.conf.j2 | 68 +++++++++++++++++ 7 files changed, 352 insertions(+), 10 deletions(-) create mode 100644 files/etc/apparmor.d/usr.bin.ssh create mode 100644 templates/chrony.conf.j2 create mode 100644 templates/ntp.conf.j2 diff --git a/defaults/main.yml b/defaults/main.yml index 6b2bf26..0169d53 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -91,10 +91,10 @@ ubtu18cis_rule_1_6_1: true ubtu18cis_rule_1_6_2: true ubtu18cis_rule_1_6_3: true ubtu18cis_rule_1_6_4: true -ubtu18cis_rule_1_7_1_1: true -ubtu18cis_rule_1_7_1_2: true -ubtu18cis_rule_1_7_1_3: true -ubtu18cis_rule_1_7_1_4: true +ubtu18cis_rule_1_7_1_1: false +ubtu18cis_rule_1_7_1_2: false +ubtu18cis_rule_1_7_1_3: false +ubtu18cis_rule_1_7_1_4: false ubtu18cis_rule_1_8_1_1: true ubtu18cis_rule_1_8_1_2: true ubtu18cis_rule_1_8_1_3: true @@ -108,7 +108,10 @@ ubtu18cis_rule_1_9: true # Section 2 is Services (inetd, special purpose, and service clients) ubtu18cis_rule_2_1_1: true ubtu18cis_rule_2_1_2: true -ubtu18cis_rule_2_2_1: true +ubtu18cis_rule_2_2_1_1: true +ubtu18cis_rule_2_2_1_2: true +ubtu18cis_rule_2_2_1_3: true +ubtu18cis_rule_2_2_1_4: true ubtu18cis_rule_2_2_2: true ubtu18cis_rule_2_2_3: true ubtu18cis_rule_2_2_4: true 
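Review bot: The four `ubtu18cis_rule_1_7_1_*` defaults flip from `true` to `false`, which switches the AppArmor controls off for every consumer of the role, and neither the commit subject (which names only 2.2.1.1–2.2.1.4) nor defaults/main.yml says why. The reason appears to be the note in tasks/section1.yml that the installed profiles block ssh; that belongs next to the variables so a user knows what they are opting back into. I would add above the four lines a comment such as `# 1.7.1.x (AppArmor) default to false: the bundled profiles can block ssh (see tasks/section1.yml); enable after reviewing the profiles`.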
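Review bot: Replacing `ubtu18cis_rule_2_2_1` with `ubtu18cis_rule_2_2_1_1` … `_2_2_1_4` drops a variable that existing inventories may override, and nothing in the hunk keeps the old name working or documents the rename, so an old override becomes a silent no-op. A one-line comment in the Section 2 block, e.g. `# 2.2.1 was split into 2.2.1.1-2.2.1.4; ubtu18cis_rule_2_2_1 is no longer read`, would make that visible. 2.2.1.3 and 2.2.1.4 are both `true` here but are mutually exclusive in tasks/section2.yml via `ubtu18cis_time_sync_tool`; that relationship is worth noting beside the variables.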
@@ -191,3 +194,20 @@ ubtu18cis_root_pw: "Password1" # \m, \r, \s, \v or references to the OS platform ubtu18cis_warning_banner: | Authorized uses only. All activity may be monitored and reported. + +# Section 2 Control Variables +# Control 2.2.1.1 +# ubtu18cis_time_sync_tool is the tool in which to synchronize time +# The two options are chrony or ntp +ubtu18cis_time_sync_tool: "chrony" + +# Control 2.2.1.3 +# ubtu18cis_chrony_server_options is the server options for chrony +ubtu18cis_chrony_server_options: "minpoll 8" +ubtu18cis_time_synchronization_servers: + - 0.pool.ntp.org + - 1.pool.ntp.org + - 2.pool.ntp.org + - 3.pool.ntp.org +# ubtu18cis_chrony_user will be the user to run chrony +ubtu18cis_chrony_user: "chrony" \ No newline at end of file diff --git a/files/etc/apparmor.d/usr.bin.ssh b/files/etc/apparmor.d/usr.bin.ssh new file mode 100644 index 0000000..380a218 --- /dev/null +++ b/files/etc/apparmor.d/usr.bin.ssh @@ -0,0 +1,10 @@ +# Last Modified: Mon Aug 24 20:03:44 2020 +#include + +/usr/bin/ssh { + #include + + /lib/x86_64-linux-gnu/ld-*.so mr, + /usr/bin/ssh mr, + +} \ No newline at end of file diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 872d72c..ba0a772 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -13,4 +13,10 @@ changed_when: no check_mode: no tags: - - skip_ansible_lint \ No newline at end of file + - skip_ansible_lint + +- name: "PRELIM | Run apt update" + apt: + update_cache: yes + when: + - ubtu18cis_rule_1_4_1 \ No newline at end of file diff --git a/tasks/section1.yml b/tasks/section1.yml index 17d5e93..70828e3 100644 --- a/tasks/section1.yml +++ b/tasks/section1.yml 
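Review bot: `ubtu18cis_chrony_user` is declared here with the comment "will be the user to run chrony", but tasks/section2.yml hard-codes `chrony` in both the `user:` task and `DAEMON_OPTS="-u chrony"`, so changing this variable has no effect. Either wire it through (`name: "{{ ubtu18cis_chrony_user }}"` and `line: 'DAEMON_OPTS="-u {{ ubtu18cis_chrony_user }}"'`) or drop it. The comment `# The two options are chrony or ntp` should also say that the value is passed straight to `apt` as a package name in 2.2.1.1, which is why only those two values are valid. The file now ends without a trailing newline.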
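Review bot: The new profile `files/etc/apparmor.d/usr.bin.ssh` is not referenced by any live task in this commit — the `copy:` task in tasks/section1.yml is commented out — so it ships as dead content, and in the form shown both `#include` lines carry no target (the usual `<tunables/global>` and `<abstractions/base>` may have been lost in rendering; if they are really absent, apparmor_parser will reject the file). The profile grants only `mr` on the binary and the loader with no network or key-file rules, which matches the author's own note that it blocks ssh. Suggest either leaving the file out until a working profile exists or heading it with `# NOT installed by the role yet (see 1.7.1.1 in tasks/section1.yml); incomplete profile, review with aa-logprof before enforcing`.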
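Review bot: The new `PRELIM | Run apt update` task is gated on `ubtu18cis_rule_1_4_1` only, yet this commit adds package installs in 2.2.1.1 (`{{ ubtu18cis_time_sync_tool }}`) and 1.7.1.1 (`apparmor-profiles`) that also need a fresh index; with 1.4.1 disabled those installs run against a stale cache. Either widen the condition, e.g. `when: ubtu18cis_rule_1_4_1 or ubtu18cis_rule_1_7_1_1 or ubtu18cis_rule_2_2_1_1`, or set `update_cache: true` on the install tasks themselves. Prefer `update_cache: true` over `yes`, and a `cache_valid_time` value keeps repeated runs from hitting the mirror every time.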
@@ -823,10 +823,34 @@ - rule_1.6.4 - coredump +# --------------- +# --------------- +# install apparmor blocks ssh. I can aa-genprof or aa-autodep from the command line to fix it but +# doing it in the role doesn't help. +# --------------- +# --------------- - name: "SCORED | 1.7.1.1 | PATCH | Ensure AppArmor is installed" - apt: - name: ['apparmor', 'apparmor-utils'] - state: present + block: + - name: "SCORED | 1.7.1.1 | PATCH | Ensure AppArmor is installed | Install AppArmor" + apt: + name: ['apparmor', 'apparmor-utils', 'apparmor-profiles'] + state: present + + # - name: "SCORED | 1.7.1.1 | PATCH | Ensure AppArmor is installed | Configure SSH" + # copy: + # src: etc/apparmor.d/usr.bin.ssh + # dest: /etc/apparmor.d/usr.bin.ssh + # owner: root + # group: root + # mode: 0600 + + # - name: test + # command: aa-autodep ssh + + # - name: "SCORED | 1.7.1.1 | PATCH | Ensure AppArmor is installed | Reload service" + # service: + # name: apparmor + # state: reloaded when: - ubtu18cis_rule_1_7_1_1 tags: diff --git a/tasks/section2.yml b/tasks/section2.yml index da6518b..76953b6 100644 --- a/tasks/section2.yml +++ b/tasks/section2.yml 
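Review bot: The 1.7.1.1 `block:` now carries three commented-out tasks and a first-person debugging note (`# install apparmor blocks ssh. I can aa-genprof ...`) that should not land in the role; keep a single `# TODO: ssh profile (aa-autodep/aa-logprof) not yet usable from the role` line if the work is to be resumed and drop the rest. The live change — adding `apparmor-profiles` to the package list — goes beyond what the control name states, and by the author's own comment it is what breaks ssh, so it is unclear the package belongs in the list; if it stays, say so in the task name or a comment. With `ubtu18cis_rule_1_7_1_1` now defaulting to `false` in defaults/main.yml, none of this block runs out of the box. The task's `when:` and `tags:` continue outside the hunk.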
@@ -25,4 +25,127 @@ - scored - patch - rule_2.1.2 - - openbsd-inetd \ No newline at end of file + - openbsd-inetd + +- name: "SCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use" + apt: + name: "{{ ubtu18cis_time_sync_tool }}" + state: present + when: + - ubtu18cis_rule_2_2_1_1 + tags: + - level1-server + - level1-workstation + - scored + - patch + - rule_2.2.1.1 + - chrony + +- name: "NOTSCORED | 2.2.1.2 | PATCH | Ensure systemd-timesyncd is configured" + block: + - name: "NOTSCORED | 2.2.1.2 | PATCH | Ensure systemd-timesyncd is configured | Set configuration for systemd-timesyncd" + lineinfile: + path: /etc/systemd/timesyncd.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" + with_items: + - { regexp: '^\[Time\]', line: '[Time]', insertafter: EOF } + - { regexp: '^#NTP|^NTP', line: 'NTP=0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org', insertafter: '\[Time\]' } + - { regexp: '^#FallbackNTP|^FallbackNTP', line: 'FallbackNTP=ntp.ubuntu.com 3.ubuntu.pool.ntp.org', insertafter: '\[Time\]' } + - { regexp: '^#RootDistanceMaxSec|^RootDistanceMaxSec', line: 'RootDistanceMaxSec=1', insertafter: '\[Time\]'} + + - name: "NOTSCORED | 2.2.1.2 | PATCH | Ensure systemd-timesyncd is configured | Start and enable the systemd-timesyncd service" + service: + name: systemd-timesyncd.service + state: started + enabled: yes + + - name: "NOTSCORED | 2.2.1.2 | PATCH | Ensure systemd-timesyncd is configured | Set timedatectl to ntp" + command: timedatectl set-ntp true + when: + - ubtu18cis_rule_2_2_1_2 + tags: + - level1-server + - level1-workstation + - notscored + - patch + - rule_2.2.1.2 + - systemd-timesyncd + +- name: "SCORED | 2.2.1.3 | PATCH | Ensure chrony is configured" + block: + - name: "SCORED | 2.2.1.3 | AUDIT | Ensure chrony is configured | Check for chrony user" + shell: grep chrony /etc/passwd + changed_when: false + failed_when: false + register: ubtu18cis_2_2_1_3_chrony_user_status + + - 
name: "SCORED | 2.2.1.3 | PATCH | Ensure chrony is configured | Set chrony.conf file" + template: + src: chrony.conf.j2 + dest: /etc/chrony/chrony.conf + owner: root + group: root + mode: 0644 + + - name: "SCORED | 2.2.1.3 | PATCH | Ensure chrony is configured | Create chrony user" + user: + name: chrony + shell: /usr/sbin/nologin + system: true + when: ubtu18cis_2_2_1_3_chrony_user_status.stdout != "" + + - name: "SCORED | 2.2.1.3 | PATCH | Ensure chrony is configured | Set option to use chrony user" + lineinfile: + path: /etc/default/chrony + regexp: '^DAEMON_OPTS' + line: 'DAEMON_OPTS="-u chrony"' + when: "'chrony' not in ubtu18cis_2_2_1_3_chronyd_ps_user.stdout" + when: + - ubtu18cis_rule_2_2_1_3 + - ubtu18cis_time_sync_tool == "chrony" + tags: + - level1-server + - level1-workstation + - scored + - patch + - rule_2.2.1.3 + - chrony + +- name: "SCORED | 2.2.1.4 | PATCH | Ensure ntp is configured" + block: + - name: "SCORED | 2.2.1.4 | PATCH | Ensure ntp is configured | Set ntp.conf settings" + template: + src: ntp.conf.j2 + dest: /etc/ntp.conf + owner: root + group: root + mode: 0644 + + - name: "SCORED | 2.2.1.4 | PATCH | Ensure ntp is configured | Modify sysconfig/ntpd" + lineinfile: + path: /etc/sysconfig/ntpd + regexp: "{{ item.regexp }}" + line: "{{ item. line }}" + with_items: + - { regexp: '^OPTIONS', line: 'OPTIONS="-u ntp:ntp"'} + - { regexp: '^NTPD_OPTIONS', line: 'NTPD_OPTIONS="-u ntp:ntp"' } + + - name: "SCORED | 2.2.1.4 | PATCH | Ensure ntp is configured | Modify /etc/init.d/npt" + lineinfile: + path: /etc/init.d/ntp + regexp: '^RUNAUSER' + line: 'RUNAUSER=npt' + when: + - ubtu18cis_rule_2_2_1_4 + - ubtu18cis_time_sync_tool == "ntp" + tags: + - level1-server + - level1-workstation + - scored + - patch + - rule_2.2.1.4 + - ntp + +# - name: "SCORED | 2.2.2|" \ No newline at end of file diff --git a/templates/chrony.conf.j2 b/templates/chrony.conf.j2 new file mode 100644 index 0000000..348ec9d --- /dev/null +++ b/templates/chrony.conf.j2 
@@ -0,0 +1,91 @@ +# Welcome to the chrony configuration file. See chrony.conf(5) for more +# information about usuable directives. + +# This will use (up to): +# - 4 sources from ntp.ubuntu.com which some are ipv6 enabled +# - 2 sources from 2.ubuntu.pool.ntp.org which is ipv6 enabled as well +# - 1 source from [01].ubuntu.pool.ntp.org each (ipv4 only atm) +# This means by default, up to 6 dual-stack and up to 2 additional IPv4-only +# sources will be used. +# At the same time it retains some protection against one of the entries being +# down (compare to just using one of the lines). See (LP: #1754358) for the +# discussion. +# +# About using servers from the NTP Pool Project in general see (LP: #104525). +# Approved by Ubuntu Technical Board on 2011-02-08. +# See http://www.pool.ntp.org/join.html for more information. + +{% for server in ubtu18cis_time_synchronization_servers -%} +server {{ server }} {{ ubtu18cis_chrony_server_options }} +{% endfor %} + +# This directive specify the location of the file containing ID/key pairs for +# NTP authentication. +keyfile /etc/chrony/chrony.keys + +# Set runtime command key. Note that if you change the key (not the +# password) to anything other than 1 you will need to edit +# /etc/ppp/ip-up.d/chrony, /etc/ppp/ip-down.d/chrony, /etc/init.d/chrony +# and /etc/cron.weekly/chrony as these scripts use it to get the password. + +#commandkey 1 + +# This directive specify the file into which chronyd will store the rate +# information. +driftfile /var/lib/chrony/chrony.drift + +# Uncomment the following line to turn logging on. +#log tracking measurements statistics + +# Log files location. +logdir /var/log/chrony + +# Stop bad estimates upsetting machine clock. +maxupdateskew 100.0 + +# This directive enables kernel synchronisation (every 11 minutes) of the +# real-time clock. Note that it can’t be used along with the 'rtcfile' directive. +rtcsync + +# Dump measurements when daemon exits. 
+dumponexit + +# Specify directory for dumping measurements. + +dumpdir /var/lib/chrony + +# Let computer be a server when it is unsynchronised. + +local stratum 10 + +# Allow computers on the unrouted nets to use the server. + +#allow 10/8 +#allow 192.168/16 +#allow 172.16/12 + +# This directive forces `chronyd' to send a message to syslog if it +# makes a system clock adjustment larger than a threshold value in seconds. + +logchange 0.5 + +# This directive defines an email address to which mail should be sent +# if chronyd applies a correction exceeding a particular threshold to the +# system clock. + +# mailonchange root@localhost 0.5 + +# This directive tells chrony to regulate the real-time clock and tells it +# Where to store related data. It may not work on some newer motherboards +# that use the HPET real-time clock. It requires enhanced real-time +# support in the kernel. I've commented it out because with certain +# combinations of motherboard and kernel it is reported to cause lockups. + +# rtcfile /var/lib/chrony/chrony.rtc + +# If the last line of this file reads 'rtconutc' chrony will assume that +# the CMOS clock is on UTC (GMT). If it reads '# rtconutc' or is absent +# chrony will assume local time. The line (if any) was written by the +# chrony postinst based on what it found in /etc/default/rcS. You may +# change it if necessary. +rtconutc diff --git a/templates/ntp.conf.j2 b/templates/ntp.conf.j2 new file mode 100644 index 0000000..fd5eafe --- /dev/null +++ b/templates/ntp.conf.j2 
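Review bot: The header of `templates/chrony.conf.j2` (`# This will use (up to): # - 4 sources from ntp.ubuntu.com ...`) describes Ubuntu's stock pool lines, but the rendered `server` lines come from `ubtu18cis_time_synchronization_servers` and ntp.ubuntu.com is not used at all, so the comment misdescribes the file; replace it with a one-line note that the `server` lines are rendered from that variable with `ubtu18cis_chrony_server_options` appended. `local stratum 10` lets chronyd present itself as a time source while unsynchronised — inert while every `allow` line is commented out, but worth a comment since a later `allow` turns this host into a stratum-10 server for its subnet. The default options (`minpoll 8`) carry no `iburst` and the file has no `makestep`, so initial synchronisation after boot is likely to be slow; that tradeoff deserves a comment above the loop.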
@@ -0,0 +1,68 @@ +# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help + +driftfile /var/lib/ntp/ntp.drift + +# Leap seconds definition provided by tzdata +leapfile /usr/share/zoneinfo/leap-seconds.list + +# Enable this if you want statistics to be logged. +#statsdir /var/log/ntpstats/ + +statistics loopstats peerstats clockstats +filegen loopstats file loopstats type day enable +filegen peerstats file peerstats type day enable +filegen clockstats file clockstats type day enable + +# Specify one or more NTP servers. + +# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board +# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for +# more information. +{% for server in ubtu18cis_time_synchronization_servers -%} +server {{ server }} {{ ubtu18cis_ntp_server_options }} +{% endfor %} + +# Use Ubuntu's ntp server as a fallback. +pool ntp.ubuntu.com + +# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for +# details. The web page +# might also be helpful. +# +# Note that "restrict" applies to both servers and clients, so a configuration +# that might be intended to block requests from certain clients could also end +# up blocking replies from your own upstream servers. + +# By default, exchange time with everybody, but don't allow configuration. +restrict -4 default kod notrap nomodify nopeer noquery +restrict -6 default kod notrap nomodify nopeer noquery + +# Local users may interrogate the ntp server more closely. +restrict 127.0.0.1 +restrict ::1 + +# Needed for adding pool entries +restrict source notrap nomodify noquery + +# Clients from this (example!) subnet have unlimited access, but only if +# cryptographically authenticated. +#restrict 192.168.123.0 mask 255.255.255.0 notrust + + +# If you want to provide time to your local subnet, change the next line. +# (Again, the address is an example only.) 
+#broadcast 192.168.123.255 + +# If you want to listen to time broadcasts on your local subnet, de-comment the +# next lines. Please do this only if you trust everybody on the network! +#disable auth +#broadcastclient + +#Changes recquired to use pps synchonisation as explained in documentation: +#http://www.ntp.org/ntpfaq/NTP-s-config-adv.htm#AEN3918 + +#server 127.127.8.1 mode 135 prefer # Meinberg GPS167 with PPS +#fudge 127.127.8.1 time1 0.0042 # relative to PPS for my hardware + +#server 127.127.22.1 # ATOM(PPS) +#fudge 127.127.22.1 flag3 1 # enable PPS API \ No newline at end of file
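Review bot: `server {{ server }} {{ ubtu18cis_ntp_server_options }}` references a variable that defaults/main.yml in this commit never defines (only `ubtu18cis_chrony_server_options` is added), so the `ntp` branch of 2.2.1.4 fails at template time; define it beside the chrony option or render `{{ ubtu18cis_ntp_server_options | default('') }}` so the template degrades to a plain `server` line. `pool ntp.ubuntu.com` stays as a fixed fallback regardless of the configured list, so hosts on an internal-only network will still try to reach an external pool; consider templating it from the same variable or gating it. The file also lacks a trailing newline.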