forked from ansible-lockdown/RHEL9-CIS
updated controls
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell
parent
19a218390d
commit
f0c4701dbd
23 changed files with 238 additions and 364 deletions
|
|
@ -281,39 +281,36 @@ rhel9cis_rule_6_2_20: {{ rhel9cis_rule_6_2_20 }}
|
|||
rhel9cis_avahi_server: {{ rhel9cis_avahi_server }}
|
||||
rhel9cis_cups_server: {{ rhel9cis_cups_server }}
|
||||
rhel9cis_dhcp_server: {{ rhel9cis_dhcp_server }}
|
||||
rhel9cis_ldap_server: {{ rhel9cis_ldap_server }}
|
||||
rhel9cis_dns_server: {{ rhel9cis_dns_server }}
|
||||
rhel9cis_ftp_server: {{ rhel9cis_ftp_server }}
|
||||
rhel9cis_vsftpd_server: {{ rhel9cis_vsftpd_server }}
|
||||
rhel9cis_tftp_server: {{ rhel9cis_tftp_server }}
|
||||
rhel9cis_httpd_server: {{ rhel9cis_httpd_server }}
|
||||
rhel9cis_nginx_server: {{ rhel9cis_nginx_server }}
|
||||
rhel9cis_dovecot_cyrus_server: {{ rhel9cis_dovecot_cyrus_server }}
|
||||
rhel9cis_samba_server: {{ rhel9cis_samba_server }}
|
||||
rhel9cis_squid_server: {{ rhel9cis_squid_server }}
|
||||
rhel9cis_snmp_server: {{ rhel9cis_snmp_server }}
|
||||
rhel9cis_nis_server: {{ rhel9cis_nis_server }}
|
||||
rhel9cis_telnet_server: {{ rhel9cis_telnet_server }}
|
||||
rhel9cis_is_mail_server: {{ rhel9cis_is_mail_server }}
|
||||
rhel9cis_nfs_server: {{ rhel9cis_nfs_server }}
|
||||
rhel9cis_rpc_server: {{ rhel9cis_rpc_server }}
|
||||
rhel9cis_ntalk_server: {{ rhel9cis_ntalk_server }}
|
||||
rhel9cis_rsyncd_server: {{ rhel9cis_rsyncd_server }}
|
||||
rhel9cis_tftp_server: {{ rhel9cis_tftp_server }}
|
||||
rhel9cis_rsh_server: {{ rhel9cis_rsh_server }}
|
||||
rhel9cis_nis_server: {{ rhel9cis_nis_server }}
|
||||
rhel9cis_snmp_server: {{ rhel9cis_snmp_server }}
|
||||
rhel9cis_squid_server: {{ rhel9cis_squid_server }}
|
||||
rhel9cis_smb_server: {{ rhel9cis_smb_server }}
|
||||
rhel9cis_dovecot_server: {{ rhel9cis_dovecot_server }}
|
||||
rhel9cis_httpd_server: {{ rhel9cis_httpd_server }}
|
||||
rhel9cis_vsftpd_server: {{ rhel9cis_vsftpd_server }}
|
||||
rhel9cis_named_server: {{ rhel9cis_named_server }}
|
||||
rhel9cis_nfs_rpc_server: {{ rhel9cis_nfs_rpc_server }}
|
||||
rhel9cis_is_mail_server: {{ rhel9cis_is_mail_server }}
|
||||
rhel9cis_bind: {{ rhel9cis_bind }}
|
||||
rhel9cis_vsftpd: {{ rhel9cis_vsftpd }}
|
||||
rhel9cis_httpd: {{ rhel9cis_httpd }}
|
||||
rhel9cis_dovecot: {{ rhel9cis_dovecot }}
|
||||
rhel9cis_samba: {{ rhel9cis_samba }}
|
||||
rhel9cis_squid: {{ rhel9cis_squid }}
|
||||
rhel9cis_net_snmp: {{ rhel9cis_net_snmp}}
|
||||
rhel9cis_rsync_server: {{ rhel9cis_rsync_server }}
|
||||
|
||||
|
||||
rhel9cis_allow_autofs: {{ rhel9cis_allow_autofs }}
|
||||
|
||||
# client services
|
||||
rhel9cis_openldap_clients_required: {{ rhel9cis_openldap_clients_required }}
|
||||
rhel9cis_telnet_required: {{ rhel9cis_telnet_required }}
|
||||
rhel9cis_talk_required: {{ rhel9cis_talk_required }}
|
||||
rhel9cis_rsh_required: {{ rhel9cis_rsh_required }}
|
||||
rhel9cis_ypbind_required: {{ rhel9cis_ypbind_required }}
|
||||
rhel9cis_rsh_required: {{ rhel9cis_rsh_required }}
|
||||
rhel9cis_talk_required: {{ rhel9cis_talk_required }}
|
||||
rhel9cis_telnet_required: {{ rhel9cis_telnet_required }}
|
||||
rhel9cis_openldap_clients_required: {{ rhel9cis_openldap_clients_required }}
|
||||
rhel9cis_tftp_client: {{ rhel9cis_tftp_client }}
|
||||
|
||||
|
||||
|
||||
|
||||
# AIDE
|
||||
rhel9cis_config_aide: {{ rhel9cis_config_aide }}
|
||||
|
|
@ -343,14 +340,12 @@ rhel9cis_crypto_policy: {{ rhel9cis_crypto_policy }}
|
|||
rhel9cis_warning_banner: {{ rhel9cis_warning_banner }}
|
||||
# End Banner
|
||||
|
||||
# Set to 'true' if X Windows is needed in your environment
|
||||
rhel9cis_xwindows_required: {{ rhel9cis_xwindows_required }}
|
||||
|
||||
# Whether or not to run tasks related to auditing/patching the desktop environment
|
||||
rhel9cis_gui: {{ rhel9cis_gui }}
|
||||
|
||||
# xinetd required
|
||||
rhel9cis_xinetd_required: {{ rhel9cis_xinetd_required }}
|
||||
rhel9cis_xinetd_server: {{ rhel9cis_xinetd_server }}
|
||||
|
||||
# IPv6 required
|
||||
rhel9cis_ipv6_required: {{ rhel9cis_ipv6_required }}
|
||||
|
|
@ -358,10 +353,6 @@ rhel9cis_ipv6_required: {{ rhel9cis_ipv6_required }}
|
|||
# System network parameters (host only OR host and router)
|
||||
rhel9cis_is_router: {{ rhel9cis_is_router }}
|
||||
|
||||
# Time Synchronization
|
||||
rhel9cis_time_synchronization: {{ rhel9cis_time_synchronization }}
|
||||
|
||||
rhel9cis_varlog_location: {{ rhel9cis_varlog_location }}
|
||||
|
||||
rhel9cis_firewall: {{ rhel9cis_firewall }}
|
||||
#rhel9cis_firewall: iptables
|
||||
|
|
@ -373,7 +364,6 @@ rhel9cis_firewall_interface:
|
|||
rhel9cis_firewall_services: {{ rhel9cis_firewall_services }}
|
||||
|
||||
|
||||
|
||||
### Section 4
|
||||
## auditd settings
|
||||
rhel9cis_auditd:
|
||||
|
|
@ -395,45 +385,11 @@ rhel9cis_sshd_access:
|
|||
DenyUser:
|
||||
DenyGroup:
|
||||
|
||||
rhel9cis_ssh_strong_ciphers: Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128- gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
||||
rhel9cis_ssh_weak_ciphers:
|
||||
3des-cbc
|
||||
aes128-cbc
|
||||
aes192-cbc
|
||||
aes256-cbc
|
||||
arcfour
|
||||
arcfour128
|
||||
arcfour256
|
||||
blowfish-cbc
|
||||
cast128-cbc
|
||||
rijndael-cbc@lysator.liu.se
|
||||
|
||||
rhel9cis_ssh_strong_macs: MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2- 512,hmac-sha2-256
|
||||
rhel9cis_ssh_weak_macs:
|
||||
hmac-md5
|
||||
hmac-md5-96
|
||||
hmac-ripemd160
|
||||
hmac-sha1
|
||||
hmac-sha1-96
|
||||
umac-64@openssh.com
|
||||
umac-128@openssh.com
|
||||
hmac-md5-etm@openssh.com
|
||||
hmac-md5-96-etm@openssh.com
|
||||
hmac-ripemd160-etm@openssh.com
|
||||
hmac-sha1-etm@openssh.com
|
||||
hmac-sha1-96-etm@openssh.com
|
||||
umac-64-etm@openssh.com
|
||||
umac-128-etm@openssh.com
|
||||
|
||||
rhel9cis_ssh_strong_kex: KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman- group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
|
||||
rhel9cis_ssh_weak_kex:
|
||||
diffie-hellman-group1-sha1
|
||||
diffie-hellman-group14-sha1
|
||||
diffie-hellman-group-exchange-sha1
|
||||
|
||||
rhel9cis_ssh_aliveinterval: "300"
|
||||
rhel9cis_ssh_countmax: "3"
|
||||
|
||||
rhel9cis_sudolog_location: {{ rhel9cis_sudolog_location }}
|
||||
|
||||
## PAM
|
||||
rhel9cis_pam_password:
|
||||
minlen: {{ rhel9cis_pam_password.minlen }}
|
||||
|
|
|
|||
|
|
@ -1,14 +1,14 @@
|
|||
# This template will set all of the auditd configurations via a handler in the role in one task instead of individually
|
||||
{% if rhel9cis_rule_4_1_3_1 %}
|
||||
-w /etc/sudoers -p wa -k scope
|
||||
-w /etc/sudoers.d/ -p wa -k scope
|
||||
-w /etc/sudoers.d -p wa -k scope
|
||||
{% endif %}
|
||||
{% if rhel9cis_rule_4_1_3_2 %}
|
||||
-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation
|
||||
-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation
|
||||
{% endif %}
|
||||
{% if rhel9cis_rule_4_1_3_3 %}
|
||||
-w {{ rhel9cis_varlog_location }} -p wa -k sudo_log_file
|
||||
-w {{ rhel9cis_sudolog_location }} -p wa -k sudo_log_file
|
||||
{% endif %}
|
||||
{% if rhel9cis_rule_4_1_3_4 %}
|
||||
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
|
||||
|
|
@ -26,14 +26,14 @@
|
|||
{% endif %}
|
||||
{% if rhel9cis_rule_4_1_3_6 %}
|
||||
{% for proc in priv_procs.stdout_lines -%}
|
||||
-a always,exit -F path={{ proc }} -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k privileged
|
||||
-a always,exit -F path={{ proc }} -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k privileged
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if rhel9cis_rule_4_1_3_7 %}
|
||||
-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access
|
||||
-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access
|
||||
-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel9cis_int_gid }} -F auid!=-4294967295 -F key=access
|
||||
-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access
|
||||
-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=unset -F key=access
|
||||
-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=unset -F key=access
|
||||
-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=-unset -F key=access
|
||||
-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=unset -F key=access
|
||||
{% endif %}
|
||||
{% if rhel9cis_rule_4_1_3_8 %}
|
||||
-w /etc/group -p wa -k identity
|
||||
|
|
@ -43,16 +43,16 @@
|
|||
-w /etc/security/opasswd -p wa -k identity
|
||||
{% endif %}
|
||||
{% if rhel9cis_rule_4_1_3_9 %}
|
||||
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod
|
||||
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod
|
||||
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod
|
||||
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod
|
||||
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod
|
||||
-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=perm_mod
|
||||
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
|
||||
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
|
||||
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
|
||||
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
|
||||
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
|
||||
-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
|
||||
{% endif %}
|
||||
{% if rhel9cis_rule_4_1_3_10 %}
|
||||
-a always,exit -F arch=b32 -S mount -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k mounts
|
||||
-a always,exit -F arch=b64 -S mount -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k mounts
|
||||
-a always,exit -F arch=b32 -S mount -F auid>={{ min_int_uid }} -F auid!=unset -k mounts
|
||||
-a always,exit -F arch=b64 -S mount -F auid>={{ min_int_uid }} -F auid!=unset -k mounts
|
||||
{% endif %}
|
||||
{% if rhel9cis_rule_4_1_3_11 %}
|
||||
-w /var/run/utmp -p wa -k session
|
||||
|
|
@ -64,29 +64,30 @@
|
|||
-w /var/run/faillock -p wa -k logins
|
||||
{% endif %}
|
||||
{% if rhel9cis_rule_4_1_3_13 %}
|
||||
-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=delete
|
||||
-a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=delete
|
||||
-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>={{ min_int_uid }} -F auid!=unset -F key=delete
|
||||
-a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>={{ min_int_uid }} -F auid!=unset -F key=delete
|
||||
{% endif %}
|
||||
{% if rhel9cis_rule_4_1_3_14 %}
|
||||
-w /etc/selinux/ -p wa -k MAC-policy
|
||||
-w /usr/share/selinux/ -p wa -k MAC-policy
|
||||
-w /etc/selinux -p wa -k MAC-policy
|
||||
-w /usr/share/selinux -p wa -k MAC-policy
|
||||
{% endif %}
|
||||
{% if rhel9cis_rule_4_1_3_15 %}
|
||||
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_chng
|
||||
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k perm_chng
|
||||
{% endif %}
|
||||
{% if rhel9cis_rule_4_1_3_16 %}
|
||||
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_chng
|
||||
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k perm_chng
|
||||
{% endif %}
|
||||
{% if rhel9cis_rule_4_1_3_17 %}
|
||||
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k priv_cmd
|
||||
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k priv_cmd
|
||||
{% endif %}
|
||||
{% if rhel9cis_rule_4_1_3_18 %}
|
||||
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k usermod
|
||||
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k usermod
|
||||
{% endif %}
|
||||
{% if rhel9cis_rule_4_1_3_19 %}
|
||||
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k kernel_modules
|
||||
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k kernel_modules
|
||||
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>={{ min_int_uid }} -F auid!=unset -k kernel_modules
|
||||
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k kernel_modules
|
||||
{% endif %}
|
||||
{% if rhel9cis_rule_4_1_3_20 %}
|
||||
-e 2
|
||||
|
||||
{% endif %}
|
||||
|
|
|
|||
|
|
@ -1,11 +0,0 @@
|
|||
#
|
||||
# hosts.allow This file contains access rules which are used to
|
||||
# allow or deny connections to network services that
|
||||
# either use the tcp_wrappers library or that have been
|
||||
# started through a tcp_wrappers-enabled xinetd.
|
||||
#
|
||||
# See 'man 5 hosts_options' and 'man 5 hosts_access'
|
||||
# for information on rule syntax.
|
||||
# See 'man tcpd' for information on tcp_wrappers
|
||||
#
|
||||
ALL: {% for iprange in rhel9cis_host_allow -%}{{ iprange }}{% if not loop.last %}, {% endif %}{% endfor %}
|
||||
|
|
@ -1,59 +0,0 @@
|
|||
# For more information about this file, see the man pages
|
||||
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
|
||||
|
||||
driftfile /var/lib/ntp/drift
|
||||
|
||||
# Permit time synchronization with our time source, but do not
|
||||
# permit the source to query or modify the service on this system.
|
||||
#restrict default nomodify notrap nopeer noquery
|
||||
restrict -4 default kod nomodify notrap nopeer noquery
|
||||
restrict -6 default kod nomodify notrap nopeer noquery
|
||||
|
||||
# Permit all access over the loopback interface. This could
|
||||
# be tightened as well, but to do so would effect some of
|
||||
# the administrative functions.
|
||||
restrict 127.0.0.1
|
||||
restrict ::1
|
||||
|
||||
# Hosts on local network are less restricted.
|
||||
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
|
||||
|
||||
# Use public servers from the pool.ntp.org project.
|
||||
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
|
||||
{% for server in rhel9cis_time_synchronization_servers -%}
|
||||
server {{ server }} {{ rhel9cis_ntp_server_options }}
|
||||
{% endfor %}
|
||||
|
||||
#broadcast 192.168.1.255 autokey # broadcast server
|
||||
#broadcastclient # broadcast client
|
||||
#broadcast 224.0.1.1 autokey # multicast server
|
||||
#multicastclient 224.0.1.1 # multicast client
|
||||
#manycastserver 239.255.254.254 # manycast server
|
||||
#manycastclient 239.255.254.254 autokey # manycast client
|
||||
|
||||
# Enable public key cryptography.
|
||||
#crypto
|
||||
|
||||
includefile /etc/ntp/crypto/pw
|
||||
|
||||
# Key file containing the keys and key identifiers used when operating
|
||||
# with symmetric key cryptography.
|
||||
keys /etc/ntp/keys
|
||||
|
||||
# Specify the key identifiers which are trusted.
|
||||
#trustedkey 4 8 42
|
||||
|
||||
# Specify the key identifier to use with the ntpdc utility.
|
||||
#requestkey 8
|
||||
|
||||
# Specify the key identifier to use with the ntpq utility.
|
||||
#controlkey 8
|
||||
|
||||
# Enable writing of statistics records.
|
||||
#statistics clockstats cryptostats loopstats peerstats
|
||||
|
||||
# Disable the monitoring facility to prevent amplification attacks using ntpdc
|
||||
# monlist command when default restrict does not include the noquery flag. See
|
||||
# CVE-2013-5211 for more details.
|
||||
# Note: Monitoring will not be disabled with the limited restriction flag.
|
||||
disable monitor
|
||||
Loading…
Add table
Add a link
Reference in a new issue