diff --git a/defaults/main.yml b/defaults/main.yml
index 4f4c643..9093df1 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -194,18 +194,16 @@ ubuntu1804cis_rule_4_1_15: true
 ubuntu1804cis_rule_4_1_16: true
 ubuntu1804cis_rule_4_1_17: true
 ubuntu1804cis_rule_4_1_18: true
-ubuntu1804cis_rule_4_2_3: true
 ubuntu1804cis_rule_4_2_1_1: true
 ubuntu1804cis_rule_4_2_1_2: true
 ubuntu1804cis_rule_4_2_1_3: true
 ubuntu1804cis_rule_4_2_1_4: true
 ubuntu1804cis_rule_4_2_1_5: true
+ubuntu1804cis_rule_4_2_1_6: true
 ubuntu1804cis_rule_4_2_2_1: true
 ubuntu1804cis_rule_4_2_2_2: true
 ubuntu1804cis_rule_4_2_2_3: true
-ubuntu1804cis_rule_4_2_2_4: true
-ubuntu1804cis_rule_4_2_2_5: true
-ubuntu1804cis_rule_4_2_4: true
+ubuntu1804cis_rule_4_2_3: true
 ubuntu1804cis_rule_4_3: true

 # Section 5 rules
diff --git a/handlers/main.yml b/handlers/main.yml
index 4de177a..0bf2109 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -107,3 +107,9 @@
 daemon_reload: true
 enabled: true
 state: restarted
+
+- name: restart journald
+ become: true
+ service:
+ name: systemd-journald
+ state: restarted
diff --git a/tasks/section1.yml b/tasks/section1.yml
index 13cc3bd..fc57a57 100644
--- a/tasks/section1.yml
+++ b/tasks/section1.yml
@@ -910,10 +910,11 @@
 - name: "SCORED | 1.6.4 | PATCH | Ensure hard core 0 is set"
 lineinfile:
 dest: /etc/security/limits.conf
- line: '* hard core 0'
- regexp: '(^#\s*?\*\s+hard\s+core\s+[0-9]+)'
+ line: '* hard core 0'
+ regexp: '(^#)?\*\s+hard\s+core\s+[0-9]+'
 state: present
 create: true
+ insertbefore: "# End of file"
 notify: restart systemd-coredump
 when:
 - ubuntu1804cis_rule_1_6_4
diff --git a/tasks/section4.yml b/tasks/section4.yml
index 1cc69cf..91e232a 100644
--- a/tasks/section4.yml
+++ b/tasks/section4.yml
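Review bot: Reusing the existing variable names for different controls silently changes what an inventory override does: `ubuntu1804cis_rule_4_2_3` gated the rsyslog/syslog-ng installation task and now gates the log-file permissions task, and `ubuntu1804cis_rule_4_2_2_1` to `_3` gated syslog-ng tasks and now gate the journald tasks (the matching task changes are in the tasks/section4.yml hunks). A short comment next to these keys recording the renumbering would warn operators who pinned any of them to false, e.g. `# 4.2.x keys follow the renumbered benchmark section: 4.2.2.x are journald controls, 4.2.3 is log-file permissions`. Nothing in the hunk tells a reader that the meaning of an unchanged key has moved.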
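Review bot: The new `restart journald` handler is written with the `service` module, while the handler directly above it appears to use the `systemd` module (it sets `daemon_reload`, an option only `systemd` accepts); for consistency within the file, `systemd:` with the same `name: systemd-journald` and `state: restarted` would read like its neighbour. The preceding handler's `name` line is outside the hunk, so its module is inferred from the visible option keys.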
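Review bot: With `^` moved inside the optional group, the new regexp `(^#)?\*\s+hard\s+core\s+[0-9]+` is unanchored whenever the group does not participate, so `\*\s+hard\s+core` can match anywhere in a line; that unanchored branch is also what makes a commented line with whitespace after the `#` match, which is presumably the intended case. Anchoring both forms explicitly, `regexp: '^#?\s*\*\s+hard\s+core\s+[0-9]+'`, keeps that behaviour while ruling out mid-line matches. The `line:` change appears to be whitespace-only in the collapsed hunk. `insertbefore: "# End of file"` falls back to appending at end of file when no line matches, so it is safe on a limits.conf that lacks that marker comment.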
@@ -65,7 +65,7 @@
 - auditd
 - rule_4.1.1.4

-- name: "NOTSCORED | 4.1.2.1 | PATCH | Ensure audit log storage size is configured"
+- name: "SCORED | 4.1.2.1 | PATCH | Ensure audit log storage size is configured"
 lineinfile:
 dest: /etc/audit/auditd.conf
 regexp: "^max_log_file( |=)"
@@ -78,7 +78,7 @@
 - restart auditd
 tags:
 - level2
- - notscored
+ - scored
 - patch
 - auditd
 - rule_4.1.2.1
@@ -431,66 +431,54 @@
 - auditd
 - rule_4.1.18

-#4.2.4 is here due to dependencies to 4.2.1.x
-- name: "SCORED | 4.2.3 | PATCH | Ensure rsyslog or syslog-ng is installed"
+- name: "SCORED | 4.2.1.1 | PATCH | Ensure rsyslog or is installed"
 apt:
- name: "{{ ubuntu1804cis_syslog }}"
+ name: rsyslog
 state: present
 install_recommends: false
 when:
- - ubuntu1804cis_rule_4_2_3
+ - ubuntu1804cis_rule_4_2_1_1
+ - ubuntu1804cis_syslog == "rsyslog"
 tags:
 - level1
 - scored
 - patch
 - syslog
- - rule_4.2.3
+ - rule_4.2.1.1

-- name: "SCORED | 4.2.1.1 | PATCH | Ensure rsyslog Service is enabled"
+- name: "SCORED | 4.2.1.2 | PATCH | Ensure rsyslog Service is enabled"
 service:
 name: rsyslog
 enabled: yes
 changed_when: false
 when:
- - ubuntu1804cis_rule_4_2_1_1
+ - ubuntu1804cis_rule_4_2_1_2
 - ubuntu1804cis_syslog == "rsyslog"
 tags:
 - level1
 - scored
 - patch
 - syslog
- - rule_4.2.1.1
+ - rule_4.2.1.2

-- name: "NOTSCORED | 4.2.1.2 | PATCH | Ensure logging is configured"
+- name: "NOTSCORED | 4.2.1.3 | PATCH | Ensure logging is configured"
 command: /bin/true
 changed_when: false
 when:
- - ubuntu1804cis_rule_4_2_1_2
+ - ubuntu1804cis_rule_4_2_1_3
 tags:
 - level1
 - notscored
 - patch
 - syslog
- - rule_4.2.1.2
+ - rule_4.2.1.3
 - notimplemented

-- name: "SCORED | 4.2.1.3 | PATCH | Ensure rsyslog default file permissions configured"
+- name: "SCORED | 4.2.1.4 | PATCH | Ensure rsyslog default file permissions configured"
 lineinfile:
 dest: /etc/rsyslog.conf
 regexp: '^\$FileCreateMode'
 line: '$FileCreateMode 0640'
- when:
- - ubuntu1804cis_rule_4_2_1_3
- tags:
- - level1
- - scored
- - patch
- - syslog
- - rule_4.2.1.3
-
-- name: "SCORED | 4.2.1.4 | PATCH | Ensure rsyslog is configured to send logs to a remote log host"
- command: /bin/true
- changed_when: false
 when:
 - ubuntu1804cis_rule_4_2_1_4
 tags:
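Review bot: The renamed 4.2.1.1 task title reads `Ensure rsyslog or is installed`, which is missing a word; since the package is now hard-coded to rsyslog, `- name: "SCORED | 4.2.1.1 | PATCH | Ensure rsyslog is installed"` fits. The task is also gated on `ubuntu1804cis_syslog == "rsyslog"`, whereas the removed task expanded `{{ ubuntu1804cis_syslog }}` into the package name, so a host with that variable set to anything else now gets no syslog package installed at all and every 4.2.1.x task skips; if syslog-ng is no longer supported, that should be stated where the variable is defined, which this diff does not show. The 4.2.1.4 task's `tags:` list continues outside the hunk.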
@@ -499,111 +487,94 @@
 - patch
 - syslog
 - rule_4.2.1.4
- - notimplemented

-- name: "NOTSCORED | 4.2.1.5 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts."
+- name: "SCORED | 4.2.1.5 | PATCH | Ensure rsyslog is configured to send logs to a remote log host"
 command: /bin/true
 changed_when: false
 when:
 - ubuntu1804cis_rule_4_2_1_5
 tags:
 - level1
- - notscored
+ - scored
 - patch
 - syslog
 - rule_4.2.1.5
 - notimplemented

-- name: "NOTSCORED | 4.2.1.5 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts."
+- name: "NOTSCORED | 4.2.1.6 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts."
 command: /bin/true
 changed_when: false
 when:
- - ubuntu1804cis_rule_4_2_1_5
+ - ubuntu1804cis_rule_4_2_1_6
 tags:
 - level1
 - notscored
 - patch
 - syslog
- - rule_4.2.1.5
+ - rule_4.2.1.6
 - notimplemented

-- name: "SCORED | 4.2.2.1 | PATCH | Ensure syslog-ng service is enabled"
- command: /bin/true
+- name: "SCORED | 4.2.2.1 | PATCH | Ensure journald is configured to send logs to rsyslog"
+ lineinfile:
+ dest: /etc/systemd/journald.conf
+ regexp: "(#)?ForwardToSyslog=(yes|no)"
+ line: ForwardToSyslog=yes
 changed_when: false
 when:
 - ubuntu1804cis_rule_4_2_2_1
+ notify:
+ - restart journald
 tags:
 - level1
 - scored
 - patch
 - syslog
 - rule_4.2.2.1
- - notimplemented

-- name: "NOTSCORED | 4.2.2.2 | PATCH | Ensure logging is configured"
- command: /bin/true
- changed_when: false
+- name: "SCORED | 4.2.2.2 | PATCH | Ensure journald is configured to compress large log files"
+ lineinfile:
+ dest: /etc/systemd/journald.conf
+ regexp: "(#)?Compress=(yes|no)"
+ line: Compress=yes
 when:
 - ubuntu1804cis_rule_4_2_2_2
+ notify:
+ - restart journald
 tags:
 - level1
- - notscored
+ - scored
 - patch
 - syslog
 - rule_4.2.2.2
- - notimplemented

-- name: "SCORED | 4.2.2.3 | PATCH | Ensure syslog-ng default file permissions configured"
- command: /bin/true
- changed_when: false
+- name: "SCORED | 4.2.2.3 | PATCH | Ensure journald is configured to write logfiles to persistent disk"
+ lineinfile:
+ dest: /etc/systemd/journald.conf
+ regexp: "(#)?Storage=(auto|persistent)"
+ line: Storage=persistent
 when:
 - ubuntu1804cis_rule_4_2_2_3
+ notify:
+ - restart journald
 tags:
 - level1
 - scored
 - patch
 - syslog
 - rule_4.2.2.3
- - notimplemented

-- name: "NOTSCORED | 4.2.2.4 | PATCH | Ensure syslog-ng is configured to send logs to a remote log host"
- command: /bin/true
- changed_when: false
- when:
- - ubuntu1804cis_rule_4_2_2_4
- tags:
- - level1
- - notscored
- - patch
- - syslog
- - rule_4.2.2.4
- - notimplemented
-
-- name: "NOTSCORED | 4.2.2.5 | PATCH | Ensure remote syslog-ng messages are only accepted on designated log hosts"
- command: /bin/true
- changed_when: false
- when:
- - ubuntu1804cis_rule_4_2_2_5
- tags:
- - level1
- - notscored
- - patch
- - syslog
- - rule_4.2.2.5
- - notimplemented
-
-- name: "SCORED | 4.2.4 | PATCH | Ensure permissions on all logfiles are configured"
+- name: "SCORED | 4.2.3 | PATCH | Ensure permissions on all logfiles are configured"
 command: find /var/log -type f -exec chmod g-wx,o-rwx {} +
 changed_when: false
 failed_when: false
 when:
- - ubuntu1804cis_rule_4_2_4
+ - ubuntu1804cis_rule_4_2_3
 tags:
 - level1
 - scored
 - patch
 - syslog
- - rule_4.2.4
+ - rule_4.2.3

 - name: "NOTSCORED | 4.3 | PATCH | Ensure logrotate is configured"
 block:
diff --git a/tasks/section5.yml b/tasks/section5.yml
index cf8c7ec..bb1b7d6 100644
--- a/tasks/section5.yml
+++ b/tasks/section5.yml
@@ -129,8 +129,8 @@
 - name: "SCORED | 5.1.8 | PATCH | Ensure cron is restricted to authorized users"
 template:
- src: at.allow.j2
- dest: /etc/at.allow
+ src: cron.allow.j2
+ dest: /etc/cron.allow
 owner: root
 group: root
 mode: 0600
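Review bot: In the rewritten 4.2.2.1 task, `changed_when: false` is carried over from the old `/bin/true` stub; it forces the task to report ok, so the newly added `notify: restart journald` can never fire for that task and an edited journald.conf is not applied until something else restarts journald — drop that line, as the 4.2.2.2 and 4.2.2.3 tasks already do. The three journald regexps only match when the current value is one of the listed words, so a host with `Storage=volatile` (the non-compliant case) or another accepted boolean spelling such as `ForwardToSyslog=true` gets a second, conflicting assignment appended instead of the existing line being replaced; matching the key regardless of value, `regexp: '^#?\s*Storage='` (and likewise `'^#?\s*ForwardToSyslog='`, `'^#?\s*Compress='`), avoids that and also anchors the match, which `(#)?...` does not. The `block:` of the 4.3 task continues outside the hunk.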