Update section 4 and regular expression of 1.6.4 (#76)

* Change handler of /boot/grub/grub.cfg permissions to 0400 according to CIS benchmarks 1.5.1. * Update 1.6.4, to integrate systemd-coredump and set hard core to 0. * Update 1.8.1.3 tag from notscored to scored. * Update handler for 1.6.4 to include daemon_reload, enabled and update to correct daemon name. * Remove trailing whitespace. * 6.1.2-9 order was changed. Changed permission of /etc/passwd- and /etc/shadow- to 0600 according to CIS. * Update section 4 to include journald * Fix regular expression for hard core 0 in 1.6.4 * Fix regular expressions for section 4.2.2.1, 4.2.2.2, 4.2.2.3 * Fix trailing whitespace * 5.1.8 had twice at.allow.j2, one of them changed to cron.allow.j2. * 4.1.2.1 is now scored. Co-authored-by: Jim Klapwijk <jim.klapwijk@sue.nl>
florianutz · Jul 8, 2020 · 50ba7bb · 50ba7bb
1 parent 918ee30
commit 50ba7bb
Show file tree

Hide file tree

Showing 5 changed files with 57 additions and 81 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -194,18 +194,16 @@ ubuntu1804cis_rule_4_1_15: true
 ubuntu1804cis_rule_4_1_16: true
 ubuntu1804cis_rule_4_1_17: true
 ubuntu1804cis_rule_4_1_18: true
-ubuntu1804cis_rule_4_2_3: true
 ubuntu1804cis_rule_4_2_1_1: true
 ubuntu1804cis_rule_4_2_1_2: true
 ubuntu1804cis_rule_4_2_1_3: true
 ubuntu1804cis_rule_4_2_1_4: true
 ubuntu1804cis_rule_4_2_1_5: true
+ubuntu1804cis_rule_4_2_1_6: true
 ubuntu1804cis_rule_4_2_2_1: true
 ubuntu1804cis_rule_4_2_2_2: true
 ubuntu1804cis_rule_4_2_2_3: true
-ubuntu1804cis_rule_4_2_2_4: true
-ubuntu1804cis_rule_4_2_2_5: true
-ubuntu1804cis_rule_4_2_4: true
+ubuntu1804cis_rule_4_2_3: true
 ubuntu1804cis_rule_4_3: true
 
 # Section 5 rules

diff --git a/handlers/main.yml b/handlers/main.yml
@@ -107,3 +107,9 @@
       daemon_reload: true
       enabled: true
       state: restarted
+
+- name: restart journald
+  become: true
+  service:
+      name: systemd-journald
+      state: restarted
diff --git a/tasks/section1.yml b/tasks/section1.yml
@@ -910,10 +910,11 @@
 - name: "SCORED | 1.6.4 | PATCH | Ensure hard core 0 is set"
   lineinfile:
     dest: /etc/security/limits.conf
-    line: '* hard core 0'
-    regexp: '(^#\s*?\*\s+hard\s+core\s+[0-9]+)'
+    line: '*                hard    core            0'
+    regexp: '(^#)?\*\s+hard\s+core\s+[0-9]+'
     state: present
     create: true
+    insertbefore: "# End of file"
   notify: restart systemd-coredump
   when:
       - ubuntu1804cis_rule_1_6_4

diff --git a/tasks/section4.yml b/tasks/section4.yml
@@ -65,7 +65,7 @@
       - auditd
       - rule_4.1.1.4
 
-- name: "NOTSCORED | 4.1.2.1 | PATCH | Ensure audit log storage size is configured"
+- name: "SCORED | 4.1.2.1 | PATCH | Ensure audit log storage size is configured"
   lineinfile:
       dest: /etc/audit/auditd.conf
       regexp: "^max_log_file( |=)"
@@ -78,7 +78,7 @@
       - restart auditd
   tags:
       - level2
-      - notscored
+      - scored
       - patch
       - auditd
       - rule_4.1.2.1
@@ -431,66 +431,54 @@
       - auditd
       - rule_4.1.18
 
-#4.2.4 is here due to dependencies to 4.2.1.x
-- name: "SCORED | 4.2.3 | PATCH | Ensure rsyslog or syslog-ng is installed"
+- name: "SCORED | 4.2.1.1 | PATCH | Ensure rsyslog or is installed"
   apt:
-      name: "{{ ubuntu1804cis_syslog }}"
+      name: rsyslog
       state: present
       install_recommends: false
   when:
-      - ubuntu1804cis_rule_4_2_3
+      - ubuntu1804cis_rule_4_2_1_1
+      - ubuntu1804cis_syslog == "rsyslog"
   tags:
       - level1
       - scored
       - patch
       - syslog
-      - rule_4.2.3
+      - rule_4.2.1.1
 
-- name: "SCORED | 4.2.1.1 | PATCH | Ensure rsyslog Service is enabled"
+- name: "SCORED | 4.2.1.2 | PATCH | Ensure rsyslog Service is enabled"
   service:
       name: rsyslog
       enabled: yes
   changed_when: false
   when:
-      - ubuntu1804cis_rule_4_2_1_1
+      - ubuntu1804cis_rule_4_2_1_2
       - ubuntu1804cis_syslog == "rsyslog"
   tags:
       - level1
       - scored
       - patch
       - syslog
-      - rule_4.2.1.1
+      - rule_4.2.1.2
 
-- name: "NOTSCORED | 4.2.1.2 | PATCH | Ensure logging is configured"
+- name: "NOTSCORED | 4.2.1.3 | PATCH | Ensure logging is configured"
   command: /bin/true
   changed_when: false
   when:
-      - ubuntu1804cis_rule_4_2_1_2
+      - ubuntu1804cis_rule_4_2_1_3
   tags:
       - level1
       - notscored
       - patch
       - syslog
-      - rule_4.2.1.2
+      - rule_4.2.1.3
       - notimplemented
 
-- name: "SCORED | 4.2.1.3 | PATCH | Ensure rsyslog default file permissions configured"
+- name: "SCORED | 4.2.1.4 | PATCH | Ensure rsyslog default file permissions configured"
   lineinfile:
       dest: /etc/rsyslog.conf
       regexp: '^\$FileCreateMode'
       line: '$FileCreateMode 0640'
-  when:
-      - ubuntu1804cis_rule_4_2_1_3
-  tags:
-      - level1
-      - scored
-      - patch
-      - syslog
-      - rule_4.2.1.3
-
-- name: "SCORED | 4.2.1.4 | PATCH | Ensure rsyslog is configured to send logs to a remote log host"
-  command: /bin/true
-  changed_when: false
   when:
       - ubuntu1804cis_rule_4_2_1_4
   tags:
@@ -499,111 +487,94 @@
       - patch
       - syslog
       - rule_4.2.1.4
-      - notimplemented
 
-- name: "NOTSCORED | 4.2.1.5 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts."
+- name: "SCORED | 4.2.1.5 | PATCH | Ensure rsyslog is configured to send logs to a remote log host"
   command: /bin/true
   changed_when: false
   when:
       - ubuntu1804cis_rule_4_2_1_5
   tags:
       - level1
-      - notscored
+      - scored
       - patch
       - syslog
       - rule_4.2.1.5
       - notimplemented
 
-- name: "NOTSCORED | 4.2.1.5 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts."
+- name: "NOTSCORED | 4.2.1.6 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts."
   command: /bin/true
   changed_when: false
   when:
-      - ubuntu1804cis_rule_4_2_1_5
+      - ubuntu1804cis_rule_4_2_1_6
   tags:
       - level1
       - notscored
       - patch
       - syslog
-      - rule_4.2.1.5
+      - rule_4.2.1.6
       - notimplemented
 
-- name: "SCORED | 4.2.2.1 | PATCH | Ensure syslog-ng service is enabled"
-  command: /bin/true
+- name: "SCORED | 4.2.2.1 | PATCH | Ensure journald is configured to send logs to rsyslog"
+  lineinfile:
+    dest: /etc/systemd/journald.conf
+    regexp: "(#)?ForwardToSyslog=(yes|no)"
+    line: ForwardToSyslog=yes
   changed_when: false
   when:
       - ubuntu1804cis_rule_4_2_2_1
+  notify:
+    - restart journald
   tags:
       - level1
       - scored
       - patch
       - syslog
       - rule_4.2.2.1
-      - notimplemented
 
-- name: "NOTSCORED | 4.2.2.2 | PATCH | Ensure logging is configured"
-  command: /bin/true
-  changed_when: false
+- name: "SCORED | 4.2.2.2 | PATCH | Ensure journald is configured to compress large log files"
+  lineinfile:
+    dest: /etc/systemd/journald.conf
+    regexp: "(#)?Compress=(yes|no)"
+    line: Compress=yes
   when:
       - ubuntu1804cis_rule_4_2_2_2
+  notify:
+    - restart journald
   tags:
       - level1
-      - notscored
+      - scored
       - patch
       - syslog
       - rule_4.2.2.2
-      - notimplemented
 
-- name: "SCORED | 4.2.2.3 | PATCH | Ensure syslog-ng default file permissions configured"
-  command: /bin/true
-  changed_when: false
+- name: "SCORED | 4.2.2.3 | PATCH | Ensure journald is configured to write logfiles to persistent disk"
+  lineinfile:
+    dest: /etc/systemd/journald.conf
+    regexp: "(#)?Storage=(auto|persistent)"
+    line: Storage=persistent
   when:
       - ubuntu1804cis_rule_4_2_2_3
+  notify:
+    - restart journald
   tags:
       - level1
       - scored
       - patch
       - syslog
       - rule_4.2.2.3
-      - notimplemented
 
-- name: "NOTSCORED | 4.2.2.4 | PATCH | Ensure syslog-ng is configured to send logs to a remote log host"
-  command: /bin/true
-  changed_when: false
-  when:
-      - ubuntu1804cis_rule_4_2_2_4
-  tags:
-      - level1
-      - notscored
-      - patch
-      - syslog
-      - rule_4.2.2.4
-      - notimplemented
-
-- name: "NOTSCORED | 4.2.2.5 | PATCH | Ensure remote syslog-ng messages are only accepted on designated log hosts"
-  command: /bin/true
-  changed_when: false
-  when:
-      - ubuntu1804cis_rule_4_2_2_5
-  tags:
-      - level1
-      - notscored
-      - patch
-      - syslog
-      - rule_4.2.2.5
-      - notimplemented
-
-- name: "SCORED | 4.2.4 | PATCH | Ensure permissions on all logfiles are configured"
+- name: "SCORED | 4.2.3 | PATCH | Ensure permissions on all logfiles are configured"
   command: find /var/log -type f -exec chmod g-wx,o-rwx {} +
   changed_when: false
   failed_when: false
   when:
-      - ubuntu1804cis_rule_4_2_4
+      - ubuntu1804cis_rule_4_2_3
   tags:
       - level1
       - scored
       - patch
       - syslog
-      - rule_4.2.4
+      - rule_4.2.3
 
 - name: "NOTSCORED | 4.3 | PATCH | Ensure logrotate is configured"
   block:

diff --git a/tasks/section5.yml b/tasks/section5.yml
@@ -129,8 +129,8 @@
 
       - name: "SCORED | 5.1.8 | PATCH | Ensure cron is restricted to authorized users"
         template:
-          src: at.allow.j2
-          dest: /etc/at.allow
+          src: cron.allow.j2
+          dest: /etc/cron.allow
           owner: root
           group: root
           mode: 0600