CIS + inital
This commit is contained in:
@@ -0,0 +1,4 @@
|
||||
APT::Periodic::Update-Package-Lists "1";
|
||||
APT::Periodic::Unattended-Upgrade "1";
|
||||
APT::Periodic::Download-Upgradeable-Packages "1";
|
||||
APT::Periodic::AutocleanInterval "7";
|
||||
@@ -0,0 +1,22 @@
|
||||
Unattended-Upgrade::Allowed-Origins {
|
||||
"${distro_id}:${distro_codename}";
|
||||
"${distro_id}:${distro_codename}-security";
|
||||
"${distro_id}ESMApps:${distro_codename}-apps-security";
|
||||
"${distro_id}ESM:${distro_codename}-infra-security";
|
||||
};
|
||||
|
||||
Unattended-Upgrade::Package-Blacklist {
|
||||
};
|
||||
|
||||
Unattended-Upgrade::DevRelease "false";
|
||||
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
|
||||
Unattended-Upgrade::MinimalSteps "true";
|
||||
Unattended-Upgrade::InstallOnShutdown "false";
|
||||
Unattended-Upgrade::Mail "{{ fail2ban_destemail }}";
|
||||
Unattended-Upgrade::MailReport "on-change";
|
||||
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
|
||||
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
|
||||
Unattended-Upgrade::Remove-Unused-Dependencies "true";
|
||||
Unattended-Upgrade::Automatic-Reboot "{{ unattended_upgrades_auto_reboot | lower }}";
|
||||
Unattended-Upgrade::Automatic-Reboot-Time "{{ unattended_upgrades_auto_reboot_time }}";
|
||||
Unattended-Upgrade::SyslogEnable "true";
|
||||
@@ -0,0 +1,86 @@
|
||||
# CIS-Compliant Audit Rules for Ubuntu 24.04
|
||||
# Generated by Ansible - Do not edit manually
|
||||
|
||||
# Remove any existing rules
|
||||
-D
|
||||
|
||||
# Buffer Size
|
||||
-b 8192
|
||||
|
||||
# Failure Mode (0=silent 1=printk 2=panic)
|
||||
-f 1
|
||||
|
||||
# CIS 4.1.6 - Audit time changes
|
||||
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
|
||||
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
|
||||
-a always,exit -F arch=b64 -S clock_settime -k time-change
|
||||
-a always,exit -F arch=b32 -S clock_settime -k time-change
|
||||
-w /etc/localtime -p wa -k time-change
|
||||
|
||||
# CIS 4.1.7 - Audit user/group changes
|
||||
-w /etc/group -p wa -k identity
|
||||
-w /etc/passwd -p wa -k identity
|
||||
-w /etc/gshadow -p wa -k identity
|
||||
-w /etc/shadow -p wa -k identity
|
||||
-w /etc/security/opasswd -p wa -k identity
|
||||
|
||||
# CIS 4.1.8 - Audit network environment
|
||||
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
|
||||
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
|
||||
-w /etc/issue -p wa -k system-locale
|
||||
-w /etc/issue.net -p wa -k system-locale
|
||||
-w /etc/hosts -p wa -k system-locale
|
||||
-w /etc/network -p wa -k system-locale
|
||||
|
||||
# CIS 4.1.9 - Audit AppArmor changes
|
||||
-w /etc/apparmor/ -p wa -k MAC-policy
|
||||
-w /etc/apparmor.d/ -p wa -k MAC-policy
|
||||
|
||||
# CIS 4.1.10 - Audit login/logout events
|
||||
-w /var/log/faillog -p wa -k logins
|
||||
-w /var/log/lastlog -p wa -k logins
|
||||
-w /var/log/tallylog -p wa -k logins
|
||||
|
||||
# CIS 4.1.11 - Audit session initiation
|
||||
-w /var/run/utmp -p wa -k session
|
||||
-w /var/log/wtmp -p wa -k logins
|
||||
-w /var/log/btmp -p wa -k logins
|
||||
|
||||
# CIS 4.1.12 - Audit permission changes
|
||||
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
|
||||
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
|
||||
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
|
||||
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
|
||||
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
|
||||
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
|
||||
|
||||
# CIS 4.1.13 - Audit unsuccessful file access attempts
|
||||
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
|
||||
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
|
||||
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
|
||||
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
|
||||
|
||||
# CIS 4.1.14 - Audit file deletion events
|
||||
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
|
||||
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
|
||||
|
||||
# CIS 4.1.15 - Audit sudoers changes
|
||||
-w /etc/sudoers -p wa -k scope
|
||||
-w /etc/sudoers.d/ -p wa -k scope
|
||||
|
||||
# CIS 4.1.16 - Audit sudo usage
|
||||
-w /var/log/sudo.log -p wa -k actions
|
||||
|
||||
# CIS 4.1.17 - Audit kernel module loading/unloading
|
||||
-w /sbin/insmod -p x -k modules
|
||||
-w /sbin/rmmod -p x -k modules
|
||||
-w /sbin/modprobe -p x -k modules
|
||||
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
|
||||
|
||||
# Additional security-relevant events
|
||||
-w /etc/ssh/sshd_config -p wa -k sshd
|
||||
-w /etc/pam.d/ -p wa -k pam
|
||||
-w /etc/security/ -p wa -k security
|
||||
|
||||
# Make configuration immutable
|
||||
-e 2
|
||||
@@ -0,0 +1,14 @@
|
||||
[DEFAULT]
|
||||
bantime = {{ fail2ban_bantime }}
|
||||
findtime = {{ fail2ban_findtime }}
|
||||
maxretry = {{ fail2ban_maxretry }}
|
||||
destemail = {{ fail2ban_destemail }}
|
||||
sendername = Fail2Ban
|
||||
action = %(action_mwl)s
|
||||
|
||||
[sshd]
|
||||
enabled = true
|
||||
port = {{ ssh_port }}
|
||||
filter = sshd
|
||||
logpath = /var/log/auth.log
|
||||
maxretry = {{ fail2ban_maxretry }}
|
||||
@@ -0,0 +1,44 @@
|
||||
# Hardened SSH Configuration
|
||||
# Generated by Ansible - Do not edit manually
|
||||
|
||||
# Network
|
||||
Port {{ ssh_port }}
|
||||
AddressFamily inet
|
||||
ListenAddress {{ ssh_listen_address }}
|
||||
|
||||
# Authentication
|
||||
PermitRootLogin {{ ssh_permit_root_login }}
|
||||
PubkeyAuthentication {{ ssh_pubkey_authentication }}
|
||||
PasswordAuthentication {{ ssh_password_authentication }}
|
||||
ChallengeResponseAuthentication {{ ssh_challenge_response_auth }}
|
||||
UsePAM yes
|
||||
MaxAuthTries {{ ssh_max_auth_tries }}
|
||||
|
||||
{% if ssh_allowed_users | length > 0 %}
|
||||
AllowUsers {{ ssh_allowed_users | join(' ') }}
|
||||
{% endif %}
|
||||
|
||||
# Cryptography
|
||||
Ciphers {{ ssh_ciphers | join(',') }}
|
||||
MACs {{ ssh_macs | join(',') }}
|
||||
KexAlgorithms {{ ssh_kex_algorithms | join(',') }}
|
||||
|
||||
# Features
|
||||
X11Forwarding {{ ssh_x11_forwarding }}
|
||||
PrintMotd no
|
||||
PrintLastLog yes
|
||||
TCPKeepAlive yes
|
||||
PermitUserEnvironment no
|
||||
Compression no
|
||||
ClientAliveInterval {{ ssh_client_alive_interval }}
|
||||
ClientAliveCountMax {{ ssh_client_alive_count_max }}
|
||||
UseDNS no
|
||||
PermitTunnel no
|
||||
Banner /etc/issue.net
|
||||
|
||||
# Subsystems
|
||||
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
|
||||
|
||||
# Logging
|
||||
SyslogFacility AUTH
|
||||
LogLevel VERBOSE
|
||||
Reference in New Issue
Block a user