CIS + inital

2026-01-26 21:22:41 -05:00
parent 5b6e1567f9
commit 28db1d2104
65 changed files with 4555 additions and 2 deletions
@@ -0,0 +1,128 @@
+---
+# System Hardening Role - Default Variables
+
+# SSH Configuration
+ssh_port: 22
+ssh_permit_root_login: "no"
+ssh_password_authentication: "no"
+ssh_pubkey_authentication: "yes"
+ssh_challenge_response_auth: "no"
+ssh_x11_forwarding: "no"
+ssh_max_auth_tries: 3
+ssh_client_alive_interval: 300
+ssh_client_alive_count_max: 2
+ssh_allowed_users: []  # List of users allowed to SSH
+ssh_listen_address: "0.0.0.0"
+
+# Strong SSH ciphers and algorithms
+ssh_ciphers:
+  - "chacha20-poly1305@openssh.com"
+  - "aes256-gcm@openssh.com"
+  - "aes128-gcm@openssh.com"
+ssh_macs:
+  - "hmac-sha2-512-etm@openssh.com"
+  - "hmac-sha2-256-etm@openssh.com"
+ssh_kex_algorithms:
+  - "curve25519-sha256"
+  - "curve25519-sha256@libssh.org"
+  - "diffie-hellman-group-exchange-sha256"
+
+# System packages
+hardening_install_packages:
+  - ufw
+  - fail2ban
+  - unattended-upgrades
+  - apt-listchanges
+  - auditd
+  - aide
+  - rkhunter
+  - lynis
+
+hardening_remove_packages:
+  - telnet
+  - rsh-client
+  - rsh-redone-client
+
+# Automatic security updates
+unattended_upgrades_enabled: true
+unattended_upgrades_auto_reboot: false
+unattended_upgrades_auto_reboot_time: "03:00"
+
+# Fail2ban configuration
+fail2ban_enabled: true
+fail2ban_bantime: 3600
+fail2ban_findtime: 600
+fail2ban_maxretry: 5
+fail2ban_destemail: "root@localhost"
+
+# Sysctl hardening
+sysctl_config:
+  # IP Forwarding (required for VPN)
+  net.ipv4.ip_forward: 1
+  
+  # Disable IPv6 (optional, set to 0 to enable)
+  net.ipv6.conf.all.disable_ipv6: 1
+  net.ipv6.conf.default.disable_ipv6: 1
+  
+  # Protect against SYN flood attacks
+  net.ipv4.tcp_syncookies: 1
+  net.ipv4.tcp_syn_retries: 2
+  net.ipv4.tcp_synack_retries: 2
+  net.ipv4.tcp_max_syn_backlog: 4096
+  
+  # Protect against IP spoofing
+  net.ipv4.conf.all.rp_filter: 1
+  net.ipv4.conf.default.rp_filter: 1
+  
+  # Ignore ICMP redirects
+  net.ipv4.conf.all.accept_redirects: 0
+  net.ipv4.conf.default.accept_redirects: 0
+  net.ipv4.conf.all.secure_redirects: 0
+  net.ipv4.conf.default.secure_redirects: 0
+  
+  # Do not send ICMP redirects
+  net.ipv4.conf.all.send_redirects: 0
+  net.ipv4.conf.default.send_redirects: 0
+  
+  # Ignore ICMP ping requests
+  net.ipv4.icmp_echo_ignore_all: 0
+  net.ipv4.icmp_echo_ignore_broadcasts: 1
+  
+  # Ignore bogus ICMP error responses
+  net.ipv4.icmp_ignore_bogus_error_responses: 1
+  
+  # Log martian packets
+  net.ipv4.conf.all.log_martians: 1
+  net.ipv4.conf.default.log_martians: 1
+  
+  # Disable source packet routing
+  net.ipv4.conf.all.accept_source_route: 0
+  net.ipv4.conf.default.accept_source_route: 0
+  
+  # Increase system file descriptor limit
+  fs.file-max: 65535
+  
+  # Protect against time-wait assassination
+  net.ipv4.tcp_rfc1337: 1
+  
+  # Kernel hardening
+  kernel.dmesg_restrict: 1
+  kernel.kptr_restrict: 2
+  kernel.yama.ptrace_scope: 1
+
+# Auditd configuration
+auditd_enabled: true
+auditd_rules:
+  - "-w /etc/passwd -p wa -k identity"
+  - "-w /etc/group -p wa -k identity"
+  - "-w /etc/shadow -p wa -k identity"
+  - "-w /etc/sudoers -p wa -k actions"
+  - "-w /var/log/auth.log -p wa -k auth"
+  - "-w /var/log/faillog -p wa -k logins"
+  - "-w /etc/ssh/sshd_config -p wa -k sshd"
+
+# Timezone
+system_timezone: "UTC"
+
+# Hostname
+system_hostname: ""  # Leave empty to keep current hostname
@@ -0,0 +1,19 @@
+---
+# CIS-Specific Variables for System Hardening
+
+# AppArmor (CIS 1.3.x)
+apparmor_enabled: true
+apparmor_enforce_all: true
+
+# Auditd (CIS 4.1.x)
+auditd_enabled: true
+auditd_max_log_file: 8  # MB
+
+# Network (CIS 3.x)
+disable_ipv6: true  # Set to false if IPv6 is needed
+
+# Core dumps (CIS 1.5.1)
+disable_core_dumps: true
+
+# Uncommon protocols (CIS 3.3.x)
+disable_uncommon_protocols: true
@@ -0,0 +1,16 @@
+---
+# System Hardening Role - Handlers
+
+- name: restart sshd
+  ansible.builtin.systemd:
+    name: sshd
+    state: restarted
+
+- name: restart fail2ban
+  ansible.builtin.systemd:
+    name: fail2ban
+    state: restarted
+
+- name: restart auditd
+  ansible.builtin.command: service auditd restart
+  # Note: auditd requires special restart command
@@ -0,0 +1,25 @@
+---
+galaxy_info:
+  role_name: system_hardening
+  author: Security Infrastructure Team
+  description: Comprehensive Ubuntu 24.04 server hardening following security best practices
+  company: Your Organization
+  license: MIT
+  min_ansible_version: "2.15"
+  platforms:
+    - name: Ubuntu
+      versions:
+        - noble  # 24.04
+        - jammy  # 22.04
+  galaxy_tags:
+    - security
+    - hardening
+    - ssh
+    - firewall
+    - ubuntu
+
+dependencies: []
+
+collections:
+  - community.general
+  - ansible.posix
@@ -0,0 +1,42 @@
+---
+# AppArmor Configuration (CIS 1.3.x)
+
+- name: Install AppArmor packages (CIS 1.3.1)
+  ansible.builtin.apt:
+    name:
+      - apparmor
+      - apparmor-utils
+    state: present
+    update_cache: yes
+
+- name: Enable AppArmor service (CIS 1.3.2)
+  ansible.builtin.service:
+    name: apparmor
+    state: started
+    enabled: yes
+
+- name: Check AppArmor status
+  ansible.builtin.command: aa-status --json
+  register: apparmor_status
+  changed_when: false
+  failed_when: false
+
+- name: Parse AppArmor status
+  ansible.builtin.set_fact:
+    apparmor_json: "{{ apparmor_status.stdout | from_json }}"
+  when: apparmor_status.rc == 0
+
+- name: Set all AppArmor profiles to enforce mode (CIS 1.3.3)
+  ansible.builtin.command: aa-enforce /etc/apparmor.d/*
+  register: apparmor_enforce
+  changed_when: "'Setting' in apparmor_enforce.stdout"
+  failed_when: false
+  when: apparmor_enforce_all | default(true)
+
+- name: Display AppArmor status
+  ansible.builtin.debug:
+    msg:
+      - "AppArmor status: {{ apparmor_json.apparmor if apparmor_json is defined else 'unknown' }}"
+      - "Profiles loaded: {{ apparmor_json.profiles | length if apparmor_json is defined and apparmor_json.profiles is defined else 0 }}"
+      - "Profiles in enforce mode: {{ apparmor_json.profiles | selectattr('mode', 'equalto', 'enforce') | list | length if apparmor_json is defined and apparmor_json.profiles is defined else 0 }}"
+  when: apparmor_json is defined
@@ -0,0 +1,57 @@
+---
+# Auditd Configuration Tasks (CIS 4.1.x)
+
+- name: Ensure auditd is installed (CIS 4.1.1)
+  ansible.builtin.apt:
+    name:
+      - auditd
+      - audispd-plugins
+    state: present
+
+- name: Configure auditd max log file size (CIS 4.1.3)
+  ansible.builtin.lineinfile:
+    path: /etc/audit/auditd.conf
+    regexp: '^max_log_file\s*='
+    line: "max_log_file = {{ auditd_max_log_file }}"
+    state: present
+
+- name: Configure auditd log retention (CIS 4.1.4)
+  ansible.builtin.lineinfile:
+    path: /etc/audit/auditd.conf
+    regexp: '^max_log_file_action\s*='
+    line: "max_log_file_action = keep_logs"
+    state: present
+
+- name: Configure auditd space left action (CIS 4.1.5)
+  ansible.builtin.lineinfile:
+    path: /etc/audit/auditd.conf
+    regexp: '^space_left_action\s*='
+    line: "space_left_action = email"
+    state: present
+
+- name: Configure auditd admin space left action
+  ansible.builtin.lineinfile:
+    path: /etc/audit/auditd.conf
+    regexp: '^admin_space_left_action\s*='
+    line: "admin_space_left_action = halt"
+    state: present
+
+- name: Deploy CIS-compliant audit rules
+  ansible.builtin.template:
+    src: audit.rules.j2
+    dest: /etc/audit/rules.d/cis.rules
+    owner: root
+    group: root
+    mode: '0640'
+  notify: restart auditd
+
+- name: Load audit rules
+  ansible.builtin.command: augenrules --load
+  changed_when: false
+  failed_when: false
+
+- name: Ensure auditd is started and enabled (CIS 4.1.2)
+  ansible.builtin.systemd:
+    name: auditd
+    state: started
+    enabled: yes
@@ -0,0 +1,39 @@
+---
+# Restrict Core Dumps (CIS 1.5.1)
+
+- name: Disable core dumps via limits.conf
+  ansible.builtin.lineinfile:
+    path: /etc/security/limits.conf
+    line: "* hard core 0"
+    create: yes
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Disable core dumps via sysctl (already done in sysctl_cis.yml)
+  ansible.posix.sysctl:
+    name: fs.suid_dumpable
+    value: '0'
+    state: present
+    sysctl_set: yes
+    reload: yes
+
+- name: Disable coredump in systemd
+  ansible.builtin.lineinfile:
+    path: /etc/systemd/coredump.conf
+    regexp: '^Storage='
+    line: "Storage=none"
+    create: yes
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Disable coredump processing
+  ansible.builtin.lineinfile:
+    path: /etc/systemd/coredump.conf
+    regexp: '^ProcessSizeMax='
+    line: "ProcessSizeMax=0"
+    create: yes
+    owner: root
+    group: root
+    mode: '0644'
@@ -0,0 +1,49 @@
+---
+# Disable Uncommon Network Protocols (CIS 3.3.x)
+
+- name: Disable DCCP protocol (CIS 3.3.1)
+  ansible.builtin.lineinfile:
+    path: /etc/modprobe.d/cis.conf
+    line: "install dccp /bin/true"
+    create: yes
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Disable SCTP protocol (CIS 3.3.2)
+  ansible.builtin.lineinfile:
+    path: /etc/modprobe.d/cis.conf
+    line: "install sctp /bin/true"
+    create: yes
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Disable RDS protocol (CIS 3.3.3)
+  ansible.builtin.lineinfile:
+    path: /etc/modprobe.d/cis.conf
+    line: "install rds /bin/true"
+    create: yes
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Disable TIPC protocol (CIS 3.3.4)
+  ansible.builtin.lineinfile:
+    path: /etc/modprobe.d/cis.conf
+    line: "install tipc /bin/true"
+    create: yes
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Unload uncommon protocols if loaded
+  community.general.modprobe:
+    name: "{{ item }}"
+    state: absent
+  loop:
+    - dccp
+    - sctp
+    - rds
+    - tipc
+  failed_when: false
@@ -0,0 +1,22 @@
+---
+# Fail2ban Configuration Tasks
+
+- name: Ensure fail2ban is installed
+  ansible.builtin.apt:
+    name: fail2ban
+    state: present
+
+- name: Configure fail2ban
+  ansible.builtin.template:
+    src: fail2ban.local.j2
+    dest: /etc/fail2ban/jail.local
+    owner: root
+    group: root
+    mode: '0644'
+  notify: restart fail2ban
+
+- name: Ensure fail2ban is started and enabled
+  ansible.builtin.systemd:
+    name: fail2ban
+    state: started
+    enabled: yes
@@ -0,0 +1,121 @@
+---
+# System Hardening Role - Main Tasks
+
+- name: Set timezone
+  community.general.timezone:
+    name: "{{ system_timezone }}"
+  when: system_timezone is defined and system_timezone != ""
+
+- name: Set hostname
+  ansible.builtin.hostname:
+    name: "{{ system_hostname }}"
+  when: system_hostname is defined and system_hostname != ""
+
+- name: Update apt cache
+  ansible.builtin.apt:
+    update_cache: yes
+    cache_valid_time: 3600
+
+- name: Upgrade all packages
+  ansible.builtin.apt:
+    upgrade: dist
+    autoremove: yes
+    autoclean: yes
+
+- name: Install security packages
+  ansible.builtin.apt:
+    name: "{{ hardening_install_packages }}"
+    state: present
+
+- name: Remove insecure packages
+  ansible.builtin.apt:
+    name: "{{ hardening_remove_packages }}"
+    state: absent
+    purge: yes
+
+- name: Configure SSH hardening
+  ansible.builtin.include_tasks: ssh.yml
+
+- name: Configure sysctl parameters (basic)
+  ansible.builtin.include_tasks: sysctl.yml
+
+- name: Configure CIS-compliant sysctl parameters
+  ansible.builtin.include_tasks: sysctl_cis.yml
+
+- name: Configure AppArmor (CIS 1.3.x)
+  ansible.builtin.include_tasks: apparmor.yml
+  when: apparmor_enabled | default(true)
+
+- name: Configure fail2ban
+  ansible.builtin.include_tasks: fail2ban.yml
+  when: fail2ban_enabled | bool
+
+- name: Configure auditd (CIS 4.1.x)
+  ansible.builtin.include_tasks: audit.yml
+  when: auditd_enabled | bool
+
+- name: Configure unattended upgrades
+  ansible.builtin.include_tasks: unattended_upgrades.yml
+  when: unattended_upgrades_enabled | bool
+
+- name: Disable uncommon network protocols (CIS 3.3.x)
+  ansible.builtin.include_tasks: disable_protocols.yml
+
+- name: Configure core dumps restriction (CIS 1.5.1)
+  ansible.builtin.include_tasks: core_dumps.yml
+
+- name: Disable unnecessary services
+  ansible.builtin.systemd:
+    name: "{{ item }}"
+    state: stopped
+    enabled: no
+  loop:
+    - avahi-daemon
+    - cups
+    - isc-dhcp-server
+    - isc-dhcp-server6
+    - rpcbind
+    - rsync
+    - snmpd
+  failed_when: false  # Don't fail if service doesn't exist
+
+- name: Set secure file permissions (CIS 6.1.x)
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    mode: "{{ item.mode }}"
+  loop:
+    - { path: '/etc/passwd', mode: '0644' }
+    - { path: '/etc/shadow', mode: '0600' }
+    - { path: '/etc/group', mode: '0644' }
+    - { path: '/etc/gshadow', mode: '0600' }
+    - { path: '/etc/ssh/sshd_config', mode: '0600' }
+
+- name: Create security banners (CIS 1.4.x)
+  ansible.builtin.copy:
+    dest: "{{ item }}"
+    content: |
+      **************************************************************************
+      *                                                                        *
+      *  WARNING: Unauthorized access to this system is forbidden and will    *
+      *  be prosecuted by law. By accessing this system, you agree that your  *
+      *  actions may be monitored if unauthorized usage is suspected.         *
+      *                                                                        *
+      **************************************************************************
+    mode: '0644'
+  loop:
+    - /etc/issue
+    - /etc/issue.net
+    - /etc/motd
+
+- name: Display hardening summary
+  ansible.builtin.debug:
+    msg:
+      - "========================================="
+      - "System Hardening Complete"
+      - "========================================="
+      - "CIS Level 1 controls applied"
+      - "AppArmor: {{ 'ENABLED' if apparmor_enabled | default(true) else 'DISABLED' }}"
+      - "Auditd: {{ 'ENABLED' if auditd_enabled else 'DISABLED' }}"
+      - "Fail2ban: {{ 'ENABLED' if fail2ban_enabled else 'DISABLED' }}"
+      - "Unattended upgrades: {{ 'ENABLED' if unattended_upgrades_enabled else 'DISABLED' }}"
+      - "========================================="
@@ -0,0 +1,53 @@
+---
+# SSH Hardening Tasks
+
+- name: Backup original sshd_config
+  ansible.builtin.copy:
+    src: /etc/ssh/sshd_config
+    dest: /etc/ssh/sshd_config.backup
+    remote_src: yes
+    force: no
+
+- name: Configure SSH daemon
+  ansible.builtin.template:
+    src: sshd_config.j2
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: '0600'
+    validate: '/usr/sbin/sshd -t -f %s'
+  notify: restart sshd
+
+- name: Ensure SSH directory exists for root
+  ansible.builtin.file:
+    path: /root/.ssh
+    state: directory
+    owner: root
+    group: root
+    mode: '0700'
+
+- name: Generate strong SSH host keys
+  ansible.builtin.command: ssh-keygen -A
+  args:
+    creates: /etc/ssh/ssh_host_ed25519_key
+
+- name: Remove weak SSH host keys
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - /etc/ssh/ssh_host_dsa_key
+    - /etc/ssh/ssh_host_dsa_key.pub
+    - /etc/ssh/ssh_host_ecdsa_key
+    - /etc/ssh/ssh_host_ecdsa_key.pub
+
+- name: Set permissions on SSH host keys
+  ansible.builtin.file:
+    path: "{{ item }}"
+    owner: root
+    group: root
+    mode: '0600'
+  loop:
+    - /etc/ssh/ssh_host_rsa_key
+    - /etc/ssh/ssh_host_ed25519_key
+  when: ansible_facts['os_family'] == "Debian"
@@ -0,0 +1,12 @@
+---
+# Sysctl Hardening Tasks
+
+- name: Apply sysctl hardening parameters
+  ansible.posix.sysctl:
+    name: "{{ item.key }}"
+    value: "{{ item.value }}"
+    state: present
+    sysctl_set: yes
+    reload: yes
+  loop: "{{ sysctl_config | dict2items }}"
+  when: sysctl_config is defined
@@ -0,0 +1,157 @@
+---
+# CIS-Compliant Sysctl Parameters
+
+# CIS 3.1.1 - Disable IP forwarding (unless VPN server needs it)
+- name: Disable IPv4 forwarding
+  ansible.posix.sysctl:
+    name: net.ipv4.ip_forward
+    value: '1'  # Enabled for VPN server
+    state: present
+    sysctl_set: yes
+    reload: yes
+
+# CIS 3.1.2 - Disable packet redirect sending
+- name: Disable send packet redirects
+  ansible.posix.sysctl:
+    name: "{{ item }}"
+    value: '0'
+    state: present
+    sysctl_set: yes
+    reload: yes
+  loop:
+    - net.ipv4.conf.all.send_redirects
+    - net.ipv4.conf.default.send_redirects
+
+# CIS 3.2.1 - Do not accept source routed packets
+- name: Disable source routed packets
+  ansible.posix.sysctl:
+    name: "{{ item }}"
+    value: '0'
+    state: present
+    sysctl_set: yes
+    reload: yes
+  loop:
+    - net.ipv4.conf.all.accept_source_route
+    - net.ipv4.conf.default.accept_source_route
+    - net.ipv6.conf.all.accept_source_route
+    - net.ipv6.conf.default.accept_source_route
+
+# CIS 3.2.2 - Do not accept ICMP redirects
+- name: Disable ICMP redirects
+  ansible.posix.sysctl:
+    name: "{{ item }}"
+    value: '0'
+    state: present
+    sysctl_set: yes
+    reload: yes
+  loop:
+    - net.ipv4.conf.all.accept_redirects
+    - net.ipv4.conf.default.accept_redirects
+    - net.ipv6.conf.all.accept_redirects
+    - net.ipv6.conf.default.accept_redirects
+
+# CIS 3.2.3 - Do not accept secure ICMP redirects
+- name: Disable secure ICMP redirects
+  ansible.posix.sysctl:
+    name: "{{ item }}"
+    value: '0'
+    state: present
+    sysctl_set: yes
+    reload: yes
+  loop:
+    - net.ipv4.conf.all.secure_redirects
+    - net.ipv4.conf.default.secure_redirects
+
+# CIS 3.2.4 - Log suspicious packets
+- name: Enable suspicious packet logging
+  ansible.posix.sysctl:
+    name: "{{ item }}"
+    value: '1'
+    state: present
+    sysctl_set: yes
+    reload: yes
+  loop:
+    - net.ipv4.conf.all.log_martians
+    - net.ipv4.conf.default.log_martians
+
+# CIS 3.2.5 - Ignore broadcast ICMP requests
+- name: Ignore ICMP broadcast requests
+  ansible.posix.sysctl:
+    name: net.ipv4.icmp_echo_ignore_broadcasts
+    value: '1'
+    state: present
+    sysctl_set: yes
+    reload: yes
+
+# CIS 3.2.6 - Ignore bogus ICMP responses
+- name: Ignore bogus ICMP error responses
+  ansible.posix.sysctl:
+    name: net.ipv4.icmp_ignore_bogus_error_responses
+    value: '1'
+    state: present
+    sysctl_set: yes
+    reload: yes
+
+# CIS 3.2.7 - Enable reverse path filtering
+- name: Enable reverse path filtering
+  ansible.posix.sysctl:
+    name: "{{ item }}"
+    value: '1'
+    state: present
+    sysctl_set: yes
+    reload: yes
+  loop:
+    - net.ipv4.conf.all.rp_filter
+    - net.ipv4.conf.default.rp_filter
+
+# CIS 3.2.8 - Enable TCP SYN cookies
+- name: Enable TCP SYN cookies
+  ansible.posix.sysctl:
+    name: net.ipv4.tcp_syncookies
+    value: '1'
+    state: present
+    sysctl_set: yes
+    reload: yes
+
+# CIS 3.2.9 - Do not accept IPv6 router advertisements
+- name: Disable IPv6 router advertisements
+  ansible.posix.sysctl:
+    name: "{{ item }}"
+    value: '0'
+    state: present
+    sysctl_set: yes
+    reload: yes
+  loop:
+    - net.ipv6.conf.all.accept_ra
+    - net.ipv6.conf.default.accept_ra
+
+# Additional hardening
+- name: Disable IPv6 (if not used)
+  ansible.posix.sysctl:
+    name: "{{ item }}"
+    value: '1'
+    state: present
+    sysctl_set: yes
+    reload: yes
+  loop:
+    - net.ipv6.conf.all.disable_ipv6
+    - net.ipv6.conf.default.disable_ipv6
+  when: disable_ipv6 | default(false)
+
+# CIS 1.5.2 - Enable ASLR
+- name: Enable address space layout randomization
+  ansible.posix.sysctl:
+    name: kernel.randomize_va_space
+    value: '2'
+    state: present
+    sysctl_set: yes
+    reload: yes
+
+# CIS 1.5.1 - Restrict core dumps
+- name: Restrict core dumps
+  ansible.posix.sysctl:
+    name: fs.suid_dumpable
+    value: '0'
+    state: present
+    sysctl_set: yes
+    reload: yes
@@ -0,0 +1,25 @@
+---
+# Unattended Upgrades Configuration Tasks
+
+- name: Ensure unattended-upgrades is installed
+  ansible.builtin.apt:
+    name:
+      - unattended-upgrades
+      - apt-listchanges
+    state: present
+
+- name: Configure unattended-upgrades
+  ansible.builtin.template:
+    src: 50unattended-upgrades.j2
+    dest: /etc/apt/apt.conf.d/50unattended-upgrades
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Enable automatic updates
+  ansible.builtin.template:
+    src: 20auto-upgrades.j2
+    dest: /etc/apt/apt.conf.d/20auto-upgrades
+    owner: root
+    group: root
+    mode: '0644'
@@ -0,0 +1,4 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "7";
@@ -0,0 +1,22 @@
+Unattended-Upgrade::Allowed-Origins {
+    "${distro_id}:${distro_codename}";
+    "${distro_id}:${distro_codename}-security";
+    "${distro_id}ESMApps:${distro_codename}-apps-security";
+    "${distro_id}ESM:${distro_codename}-infra-security";
+};
+
+Unattended-Upgrade::Package-Blacklist {
+};
+
+Unattended-Upgrade::DevRelease "false";
+Unattended-Upgrade::AutoFixInterruptedDpkg "true";
+Unattended-Upgrade::MinimalSteps "true";
+Unattended-Upgrade::InstallOnShutdown "false";
+Unattended-Upgrade::Mail "{{ fail2ban_destemail }}";
+Unattended-Upgrade::MailReport "on-change";
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
+Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+Unattended-Upgrade::Automatic-Reboot "{{ unattended_upgrades_auto_reboot | lower }}";
+Unattended-Upgrade::Automatic-Reboot-Time "{{ unattended_upgrades_auto_reboot_time }}";
+Unattended-Upgrade::SyslogEnable "true";
@@ -0,0 +1,86 @@
+# CIS-Compliant Audit Rules for Ubuntu 24.04
+# Generated by Ansible - Do not edit manually
+
+# Remove any existing rules
+-D
+
+# Buffer Size
+-b 8192
+
+# Failure Mode (0=silent 1=printk 2=panic)
+-f 1
+
+# CIS 4.1.6 - Audit time changes
+-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
+-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
+-a always,exit -F arch=b64 -S clock_settime -k time-change
+-a always,exit -F arch=b32 -S clock_settime -k time-change
+-w /etc/localtime -p wa -k time-change
+
+# CIS 4.1.7 - Audit user/group changes
+-w /etc/group -p wa -k identity
+-w /etc/passwd -p wa -k identity
+-w /etc/gshadow -p wa -k identity
+-w /etc/shadow -p wa -k identity
+-w /etc/security/opasswd -p wa -k identity
+
+# CIS 4.1.8 - Audit network environment
+-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
+-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
+-w /etc/issue -p wa -k system-locale
+-w /etc/issue.net -p wa -k system-locale
+-w /etc/hosts -p wa -k system-locale
+-w /etc/network -p wa -k system-locale
+
+# CIS 4.1.9 - Audit AppArmor changes
+-w /etc/apparmor/ -p wa -k MAC-policy
+-w /etc/apparmor.d/ -p wa -k MAC-policy
+
+# CIS 4.1.10 - Audit login/logout events
+-w /var/log/faillog -p wa -k logins
+-w /var/log/lastlog -p wa -k logins
+-w /var/log/tallylog -p wa -k logins
+
+# CIS 4.1.11 - Audit session initiation
+-w /var/run/utmp -p wa -k session
+-w /var/log/wtmp -p wa -k logins
+-w /var/log/btmp -p wa -k logins
+
+# CIS 4.1.12 - Audit permission changes
+-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
+
+# CIS 4.1.13 - Audit unsuccessful file access attempts
+-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
+-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
+-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
+-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
+
+# CIS 4.1.14 - Audit file deletion events
+-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
+-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
+
+# CIS 4.1.15 - Audit sudoers changes
+-w /etc/sudoers -p wa -k scope
+-w /etc/sudoers.d/ -p wa -k scope
+
+# CIS 4.1.16 - Audit sudo usage
+-w /var/log/sudo.log -p wa -k actions
+
+# CIS 4.1.17 - Audit kernel module loading/unloading
+-w /sbin/insmod -p x -k modules
+-w /sbin/rmmod -p x -k modules
+-w /sbin/modprobe -p x -k modules
+-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
+
+# Additional security-relevant events
+-w /etc/ssh/sshd_config -p wa -k sshd
+-w /etc/pam.d/ -p wa -k pam
+-w /etc/security/ -p wa -k security
+
+# Make configuration immutable
+-e 2
@@ -0,0 +1,14 @@
+[DEFAULT]
+bantime = {{ fail2ban_bantime }}
+findtime = {{ fail2ban_findtime }}
+maxretry = {{ fail2ban_maxretry }}
+destemail = {{ fail2ban_destemail }}
+sendername = Fail2Ban
+action = %(action_mwl)s
+
+[sshd]
+enabled = true
+port = {{ ssh_port }}
+filter = sshd
+logpath = /var/log/auth.log
+maxretry = {{ fail2ban_maxretry }}
@@ -0,0 +1,44 @@
+# Hardened SSH Configuration
+# Generated by Ansible - Do not edit manually
+
+# Network
+Port {{ ssh_port }}
+AddressFamily inet
+ListenAddress {{ ssh_listen_address }}
+
+# Authentication
+PermitRootLogin {{ ssh_permit_root_login }}
+PubkeyAuthentication {{ ssh_pubkey_authentication }}
+PasswordAuthentication {{ ssh_password_authentication }}
+ChallengeResponseAuthentication {{ ssh_challenge_response_auth }}
+UsePAM yes
+MaxAuthTries {{ ssh_max_auth_tries }}
+
+{% if ssh_allowed_users | length > 0 %}
+AllowUsers {{ ssh_allowed_users | join(' ') }}
+{% endif %}
+
+# Cryptography
+Ciphers {{ ssh_ciphers | join(',') }}
+MACs {{ ssh_macs | join(',') }}
+KexAlgorithms {{ ssh_kex_algorithms | join(',') }}
+
+# Features
+X11Forwarding {{ ssh_x11_forwarding }}
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+PermitUserEnvironment no
+Compression no
+ClientAliveInterval {{ ssh_client_alive_interval }}
+ClientAliveCountMax {{ ssh_client_alive_count_max }}
+UseDNS no
+PermitTunnel no
+Banner /etc/issue.net
+
+# Subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
+
+# Logging
+SyslogFacility AUTH
+LogLevel VERBOSE