cis-ubuntu-ansible's People

Contributors: awailly, cpliakas, eastokes, fti7, lauraleppert, memelet, mjallday, paskl47, pchaigno

cis-ubuntu-ansible's Issues

12.8 Find Un-owned Files and Directories shell command issue

Hi,

I think I've found an issue in section_12_level1.yml regarding "12.8 Find Un-owned Files and Directories" section.
In the current version shell command is the following:
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls
I think it should be the following:
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls
If you check 12.8 in the official CIS benchmark they also use "-nouser" option.

Regards,
Tamas
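As an added example (my own code, not the role's), here is the same check the two find pipelines above perform, in Python: `-nouser` (CIS 12.8, owner uid absent from passwd) and `-nogroup` (gid absent from group), walking a single filesystem like `-xdev`. The id sets are passed in explicitly so the self-test can simulate a deleted account without needing root.

```python
"""Defender's check for CIS 12.8/12.9: files whose uid or gid no longer has a
passwd/group entry. Such files are silently inherited by the next account
that is created with the same numeric id.
"""
import grp
import os
import pwd
import sys
import tempfile


def known_ids():
    """uids and gids currently defined in the local account databases."""
    return ({p.pw_uid for p in pwd.getpwall()},
            {g.gr_gid for g in grp.getgrall()})


def find_unowned(root, known_uids, known_gids):
    """Walk `root` on one filesystem (find -xdev) and return {path: findings},
    findings being a subset of ["nouser", "nogroup"]. Entries are lstat'ed,
    so a symlink is judged by its own owner, not its target's."""
    findings = {}
    root_dev = os.lstat(root).st_dev

    def same_device(path):
        try:
            return os.lstat(path).st_dev == root_dev
        except OSError:
            return False

    for dirpath, dirnames, filenames in os.walk(root):
        entries = [dirpath] if dirpath == root else []
        entries += [os.path.join(dirpath, n) for n in dirnames + filenames]
        for path in entries:
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished between listing and stat
            problems = [tag for tag, ok in (("nouser", st.st_uid in known_uids),
                                            ("nogroup", st.st_gid in known_gids))
                        if not ok]
            if problems:
                findings[path] = problems
        # do not descend into other mounts (the -xdev part of the pipeline)
        dirnames[:] = [d for d in dirnames if same_device(os.path.join(dirpath, d))]
    return findings


def demo_on_tempdir():
    """Constructed self-test: one scratch tree judged against two id sets."""
    with tempfile.TemporaryDirectory() as tmp:
        sub = os.path.join(tmp, "data")
        os.mkdir(sub)
        target = os.path.join(sub, "index.db")
        with open(target, "w") as fh:
            fh.write("constructed sample\n")
        st = os.lstat(tmp)
        # the tree's real owner and group are known: nothing is reported
        clean = find_unowned(tmp, {st.st_uid}, {st.st_gid})
        # pretend the owning account and group were deleted: every entry is reported
        orphaned = find_unowned(tmp, set(), set())
        return len(clean), orphaned[target], len(orphaned)


if __name__ == "__main__":
    start = sys.argv[1] if len(sys.argv) > 1 else "/"
    uids, gids = known_ids()
    for path, tags in sorted(find_unowned(start, uids, gids).items()):
        print(",".join(tags), path)
```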

Error when SSH server is not installed

When running on an Ubuntu Desktop 14.04.3 LTS without openssh-server installed:

TASK: [cis | 9.3.{4,7,8,9,10} Disable some SSH options (Scored)] ************** 
failed: [127.0.0.1] => (item=X11Forwarding) => {"failed": true, "item": "X11Forwarding", "rc": 257}
msg: Destination /etc/ssh/sshd_config does not exist !
failed: [127.0.0.1] => (item=HostbasedAuthentication) => {"failed": true, "item": "HostbasedAuthentication", "rc": 257}
msg: Destination /etc/ssh/sshd_config does not exist !
failed: [127.0.0.1] => (item=PermitRootLogin) => {"failed": true, "item": "PermitRootLogin", "rc": 257}
msg: Destination /etc/ssh/sshd_config does not exist !
failed: [127.0.0.1] => (item=PermitEmptyPasswords) => {"failed": true, "item": "PermitEmptyPasswords", "rc": 257}
msg: Destination /etc/ssh/sshd_config does not exist !
failed: [127.0.0.1] => (item=PermitUserEnvironment) => {"failed": true, "item": "PermitUserEnvironment", "rc": 257}
msg: Destination /etc/ssh/sshd_config does not exist !

FATAL: all hosts have already failed -- aborting

AppArmor can't start under Ubuntu 14.10

The idempotence test fails under Ubuntu Desktop 14.10 (in a VM). It looks like AppArmor can't start (after at least 3 executions):

TASK: [cis | 4.5 Activate AppArmor (start) (Scored)] ************************** 
changed: [192.168.1.20]

Here's what I get when I try to start AppArmor:

$ sudo service apparmor start 2> /dev/null ; echo $?
apparmor stop/waiting
0

AppArmor can't start under Debian 8

Under Debian 64bit 8.0.0 in a VM:

TASK: [cis | 4.5 Activate AppArmor (start) (Scored)] ************************** 
failed: [127.0.0.1] => {"failed": true}
msg: Job for apparmor.service failed. See 'systemctl status apparmor.service' and 'journalctl -xn' for details.


FATAL: all hosts have already failed -- aborting
$ systemctl status apparmor.service
● apparmor.service - LSB: AppArmor initialization
   Loaded: loaded (/etc/init.d/apparmor)
   Active: failed (Result: exit-code) since Tue 2015-05-19 14:04:11 CEST; 26min ago
  Process: 3296 ExecStart=/etc/init.d/apparmor start (code=exited, status=1/FAILURE)

Could be the same issue as #10.

Add cache_valid_time to 1.1.1

Maybe:

    apt: update_cache=yes cache_valid_time={{apt_cache_valid_time}}

With apt_cache_valid_time: 3600 in defaults/main.yml

As part of our base playbook we already update the cache. Setting a valid time in 1.1.1 would prevent from updating the cache again. I've seen lots of larger playbooks also update the cache, so this should be generally useful.

Duplicate logs in Raspbian

On a Raspbian (release 2015-05-05), after running the playbook once (with use_apparmor = False) and restarting:

  • in /var/log/, syslog, messages, auth.log, kern.log and user.log fill up with several warnings/messages that seem to repeat an infinite number of times.
  • The rsyslog daemon is using 100% of the CPU.

Missing PAM module in Raspbian

After the execution of the Ansible playbook on a Raspbian, my logs fill up with:

May 17 08:43:48 localhost sudo: pam_unix(sudo:session): session closed for user root
May 17 08:43:36 localhost sudo: PAM unable to dlopen(pam_cracklib.so): /lib/security/pam_cracklib.so: cannot open shared object file: No such file or directory
May 17 08:43:36 localhost sudo: PAM adding faulty module: pam_cracklib.so

No update for rsyslog logs location

The location of the logs isn't updated when applying the playbook twice with different settings.

I ran the playbook once with send_rsyslog_remote = True, rebooted and ran it a second time with send_rsyslog_remote = False. As a result rsyslog still tries to send the logs remotely.

Provide variables for all of 7.1

7.1.1 Disable IP Forwarding sets net.ipv4.ip_forward=0. But this pretty much breaks docker. I don't know why I just ran into this today and not many months ago (could be that I have moved running CIS at the end of playbooks):

I would really like to disable a few of the 7.1's. This exclusion really should be configured in the playbook and not left for someone to remember to add --exclude-tags. Using tags for exclusion really does not work since there is no way to set tags programmatically.

My first thought was to change from:

    tags:
      - section7
      - section7.1
      - section7.1.2
      - section7.1.2.1

To

    when: >-
      (section7 | default(true) | bool) and
      (section7_1 | default(true) | bool) and
      (section7_1_2 | default(true) | bool) and
      (section7_1_2_1 | default(true) | bool)

But that is really messy and a huge change. Besides the tags would still be needed.

So I guess what I want to propose is to define variables for the sysctl values with defaults as they are now:

  - name: 7.1.2.1 Disable Send Packet Redirects (Scored)
    sysctl: >
      name=net.ipv4.conf.all.send_redirects
      value="{{ net.ipv4.conf.all.send_redirects }}"
      state=present

But when the value is overridden then the node is not in compliance with CIS. But really this playbook does not actually audit anyway.

I need this change at least for some of these just to get my systems working again. Unless I am mistaken about docker needing

  $ sysctl net.ipv4.conf.all.forwarding=1

(https://docs.docker.com/engine/userguide/networking/default_network/container-communication/)

Thoughts?

Cron config file under Raspbian

Looks like the cron config file isn't at the same place in Raspbian:

TASK: [cis | 9.1.1.2 Enable cron Daemon (Scored)] ***************************** 
failed: [192.168.1.11] => {"failed": true, "rc": 257}
msg: Destination /etc/init/cron.conf does not exist !

FATAL: all hosts have already failed -- aborting

Fails to run on ansible 2.0

This fails to run with ansible 2.0. Error message below:

fatal: [localhost]: FAILED! => {"failed": true, "reason": "ERROR! this task 'debug' has extra params, which is only allowed in the following modules: command, shell, script, include, include_vars, add_host, group_by, set_fact, raw, meta\n\nThe error appears to have been in '/etc/ansible/roles/awailly.cis-ubuntu-ansible/tasks/check_requirements.yml': line 3, column 5, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n - name: Check if OS is Debian-based (we do not support others)\n ^ here\n"}

Move tests in a specific configuration file

@pchaigno suggested that code does not have to know about the testing environment, which is correct. Remove the travis_env variable and create a specific configuration file in tests. Update the .travis.yml to copy the tests/main.yml to default/main.yml in before_install.

Make the tool for 8.3.1 plugable (currently AIDE)

(Thoughts in progress...)

We are currently using OSSEC on all nodes. OSSEC comes with Syscheck, which I think performs the same function as AIDE. Would it be possible to factor out the bit that installs AIDE?

I'm not really sure just how this would work though. At least in our playbooks we run cis first, then ossec after. So file checking won't be installed when cis runs. I could swap the two, but I wanted to run cis as soon as possible.

Escape variable containing quote

This line throws an error when the variable contains a single quote.
I couldn't find how to properly escape it :/

ok: [192.168.1.11] => (item= 36069  228 -rw-r--r--   1 2625     2625       230139 Feb 20  2010 /usr/share/scratch/Projects/Speak\ Up/4\ OneDay.sb) => {
    "item": " 36069  228 -rw-r--r--   1 2625     2625       230139 Feb 20  2010 /usr/share/scratch/Projects/Speak\\ Up/4\\ OneDay.sb",
    "msg": " 36069  228 -rw-r--r--   1 2625     2625       230139 Feb 20  2010 /usr/share/scratch/Projects/Speak\\ Up/4\\ OneDay.sb"
}
fatal: [192.168.1.11] => error parsing argument string 'msg=' 36067  200 -rw-r--r--   1 2625     2625       200851 Feb 20  2010 /usr/share/scratch/Projects/Speak\ Up/5\ E-Cocat'sEarthTips.sb'', try quoting the entire line.

FATAL: all hosts have already failed -- aborting

Error with new parameter in variable

On an Ubuntu Desktop 14.04 in a VM:

TASK: [cis | 8.1.12 Collect Use of Privileged Commands (infos) (Scored)] ****** 
fatal: [192.168.1.20] => A variable inserted a new parameter into the module args. Be sure to quote variables if they contain equal signs (for example: "{{var}}").

FATAL: all hosts have already failed -- aborting

The first output lines from audit_lines_for_find:

-a always,exit -F path=/bin/fusermount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/su -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/umount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/ping6 -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/mount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged

Default grub password

I have a client who ran this on their machine and has since forgotten their root password. This, along with the grub password that is now in place, effectively locks us out of the machine. Is there any way for me to find out what the grub password was set to?

2.17.2 Set Sticky Bit on All World-Writable Directories fails if no files found

If section 2.17 is skipped section 2.17.2 will result in the following error:

TASK: [cis | 2.17.2 Set Sticky Bit on All World-Writable Directories (Scored)] ***
fatal: [10.0.139.156] => with_items expects a list or a set
fatal: [10.0.136.223] => with_items expects a list or a set

This is really a general problem with ansible (at least with 1.9) in that even though a task is skipped its with_items is still evaluated.

13.8.2 Check User Dot File Permissions fails if dot file is a link

eg,

failed: [10.0.192.55] => (item=/home/barry/.zprofile) => {"failed": true, "item": "/home/barry/.zprofile"}
msg: src and dest are required for creating links
failed: [10.0.192.55] => (item=/home/barry/.zshenv) => {"failed": true, "item": "/home/barry/.zshenv"}
msg: src and dest are required for creating links

Missing argument for mount module

When enabling partitioning:
(Ubuntu Desktop 14.04 in a VM)

TASK: [cis | 2.6 Bind Mount the /var/tmp directory to /tmp (Scored)] ********** 
failed: [127.0.0.1] => {"failed": true}
msg: missing required arguments: fstype

FATAL: all hosts have already failed -- aborting

Improve README

Creating this issue to list the different things missing in the README. I'll probably turn this into a pull request once we have a stable list of what the README should include/explain.

  • Link to readthedocs
  • Specific version of Ansible needed (1.9.0.1)
  • How to only perform an audit
  • What OS are supported
  • Option to add to the command line call when a sudo password is required
  • Requirements on the targeted machine (ssh, aptitude, python)
  • How to tune the stable state
  • How to contribute (what contributions are accepted, how to test, etc.), ie. a CONTRIBUTING.md file
  • Mention the license at the bottom of the README?

The problem with tags... (question really)

I certainly have playbooks that need (ok, want) to skip some checks. For example, 12.8 which checks for un-owned files when I am rebuilding an elasticsearch node and reattaching an existing EBS volume. When CIS runs, the elasticsearch user has not been created yet and the elasticsearch role that will set the owner of the data files on the EBS has not run yet. So the gazillion elasticsearch files on the EBS are not yet owned, which generates a gazillion errors.

What I really want to say -- in that specific playbook -- don't run 12.8. But I can't because the only way to turn off bits of CIS is via tags. And tags can only be set on the command line.

So what do others do? Do you just ignore that you get 10k errors when provisioning a new node? Or do you always run the CIS role last in the playbook? (I have considered this, but I want to create a base image with CIS configured since it takes so long.)

AppArmor activation error during second execution

On an Ubuntu 14.04 Desktop in a VM, when running the playbook for the second time:

TASK: [cis | 4.5 Activate AppArmor (Scored)] **********************************
failed: [192.168.1.20] => {"changed": false, "cmd": ["apparmor_status"], "delta": "0:00:00.290396", "end": "2015-05-12 21:43:08.904776", "failed": true, "failed_when_result": true, "rc": 0, "start": "2015-05-12 21:43:08.614380", "stdout_lines": ["apparmor module is loaded.", "26 profiles are loaded.", "26 profiles are in enforce mode.", "   /sbin/dhclient", "   /usr/bin/evince", "   /usr/bin/evince-previewer", "   /usr/bin/evince-previewer//sanitized_helper", "   /usr/bin/evince-thumbnailer", "   /usr/bin/evince-thumbnailer//sanitized_helper", "   /usr/bin/evince//sanitized_helper", "   /usr/lib/NetworkManager/nm-dhcp-client.action", "   /usr/lib/connman/scripts/dhclient-script", "   /usr/lib/cups/backend/cups-pdf", "   /usr/lib/firefox/firefox{,*[^s][^h]}", "   /usr/lib/firefox/firefox{,*[^s][^h]}//browser_java", "   /usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk", "   /usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper", "   /usr/lib/lightdm/lightdm-guest-session", "   /usr/lib/lightdm/lightdm-guest-session//chromium", "   /usr/lib/telepathy/mission-control-5", "   /usr/lib/telepathy/telepathy-*", "   /usr/lib/telepathy/telepathy-*//pxgsettings", "   /usr/lib/telepathy/telepathy-*//sanitized_helper", "   /usr/lib/telepathy/telepathy-ofono", "   /usr/sbin/cups-browsed", "   /usr/sbin/cupsd", "   /usr/sbin/ntpd", "   /usr/sbin/rsyslogd", "   /usr/sbin/tcpdump", "0 profiles are in complain mode.", "9 processes have profiles defined.", "8 processes are in enforce mode.", "   /sbin/dhclient (707) ", "   /usr/lib/telepathy/mission-control-5 (2196) ", "   /usr/sbin/cups-browsed (26564) ", "   /usr/sbin/cupsd (26826) ", "   /usr/sbin/cupsd (26829) ", "   /usr/sbin/cupsd (26830) ", "   /usr/sbin/cupsd (26831) ", "   /usr/sbin/ntpd (21635) ", "0 processes are in complain mode.", "1 processes are unconfined but have a profile defined.", "   /usr/sbin/rsyslogd (10302) "], "warnings": []}
stdout: apparmor module is loaded.
26 profiles are loaded.
26 profiles are in enforce mode.
    /sbin/dhclient
    /usr/bin/evince
    /usr/bin/evince-previewer
    /usr/bin/evince-previewer//sanitized_helper
    /usr/bin/evince-thumbnailer
    /usr/bin/evince-thumbnailer//sanitized_helper
    /usr/bin/evince//sanitized_helper
    /usr/lib/NetworkManager/nm-dhcp-client.action
    /usr/lib/connman/scripts/dhclient-script
    /usr/lib/cups/backend/cups-pdf
    /usr/lib/firefox/firefox{,*[^s][^h]}
    /usr/lib/firefox/firefox{,*[^s][^h]}//browser_java
    /usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk
    /usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper
    /usr/lib/lightdm/lightdm-guest-session
    /usr/lib/lightdm/lightdm-guest-session//chromium
    /usr/lib/telepathy/mission-control-5
    /usr/lib/telepathy/telepathy-*
    /usr/lib/telepathy/telepathy-*//pxgsettings
    /usr/lib/telepathy/telepathy-*//sanitized_helper
    /usr/lib/telepathy/telepathy-ofono
    /usr/sbin/cups-browsed
    /usr/sbin/cupsd
    /usr/sbin/ntpd
    /usr/sbin/rsyslogd
    /usr/sbin/tcpdump
0 profiles are in complain mode.
9 processes have profiles defined.
8 processes are in enforce mode.
    /sbin/dhclient (707)
    /usr/lib/telepathy/mission-control-5 (2196)
    /usr/sbin/cups-browsed (26564)
    /usr/sbin/cupsd (26826)
    /usr/sbin/cupsd (26829)
    /usr/sbin/cupsd (26830)
    /usr/sbin/cupsd (26831)
    /usr/sbin/ntpd (21635)
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
    /usr/sbin/rsyslogd (10302)

FATAL: all hosts have already failed -- aborting

PLAY RECAP ********************************************************************
            to retry, use: --limit @/home/paul/playbook.retry

192.168.1.20               : ok=41   changed=0    unreachable=0 failed=1

question: What might be blocking UDP outbound?

I find that after running the playbook the OSSEC agent on the node can no longer contact the OSSEC server on UDP port 1514.

I'm digging thru all the controls, but if anybody can help me along I would really appreciate it.

2.17.2 can fail if no files are found in 2.17.1

TASK: [cis | 2.17.1 Set Sticky Bit on All World-Writable Directories (preparation) (Scored)] ***
skipping: [x.x.x.x]

TASK: [cis | 2.17.2 Set Sticky Bit on All World-Writable Directories (Scored)] ***
fatal: [x.x.x.x] => with_items expects a list or a set

But I don't see why 2.17.1 was skipped. I certainly had no skip-tags specified.

Check the Operating System

We could check the Operating System (in our case Debian-based) before running the playbook to prevent the user from running it against an unsupported OS.

Test Coverage

Currently code coverage is low because Travis test build is very limited (that's mainly the reason why it's so easy to find bugs :p). Some tasks can't be tested because of Travis limitations but many other tasks could be tested if the Travis VM had more "issues".

For instance, Travis didn't find the issue with quotes (#13) because it simply didn't have any unowned file.

So, maybe there should be some first script to add stuff to be fixed to the VM (as in 6f6c6e8). This would ensure that Travis does run all the commands it can run from the playbook.

Ansible seems a little light on the testing side but maybe there is a way to check the code coverage of a playbook...?

Invalid literal for int() error

On a new Ubuntu 14.04 in a VM:

TASK: [cis | 2.17.2 Set Sticky Bit on All World-Writable Directories (Scored)] *** 
failed: [192.168.1.20] => (item=/var/metrics) => {"details": "invalid literal for int() with base 8: 'a+t'", "failed": true, "gid": 116, "group": "whoopsie", "item": "/var/metrics", "mode": "03777", "owner": "root", "path": "/var/metrics", "size": 4096, "state": "directory", "uid": 0}
msg: mode needs to be something octalish
failed: [192.168.1.20] => (item=/var/crash) => {"details": "invalid literal for int() with base 8: 'a+t'", "failed": true, "gid": 116, "group": "whoopsie", "item": "/var/crash", "mode": "03777", "owner": "root", "path": "/var/crash", "size": 4096, "state": "directory", "uid": 0}
msg: mode needs to be something octalish
failed: [192.168.1.20] => (item=/var/tmp) => {"details": "invalid literal for int() with base 8: 'a+t'", "failed": true, "gid": 0, "group": "root", "item": "/var/tmp", "mode": "01777", "owner": "root", "path": "/var/tmp", "size": 4096, "state": "directory", "uid": 0}
msg: mode needs to be something octalish
failed: [192.168.1.20] => (item=/tmp) => {"details": "invalid literal for int() with base 8: 'a+t'", "failed": true, "gid": 0, "group": "root", "item": "/tmp", "mode": "01777", "owner": "root", "path": "/tmp", "size": 4096, "state": "directory", "uid": 0}
msg: mode needs to be something octalish
failed: [192.168.1.20] => (item=/tmp/.X11-unix) => {"details": "invalid literal for int() with base 8: 'a+t'", "failed": true, "gid": 0, "group": "root", "item": "/tmp/.X11-unix", "mode": "01777", "owner": "root", "path": "/tmp/.X11-unix", "size": 4096, "state": "directory", "uid": 0}
msg: mode needs to be something octalish
failed: [192.168.1.20] => (item=/tmp/.ICE-unix) => {"details": "invalid literal for int() with base 8: 'a+t'", "failed": true, "gid": 0, "group": "root", "item": "/tmp/.ICE-unix", "mode": "01777", "owner": "root", "path": "/tmp/.ICE-unix", "size": 4096, "state": "directory", "uid": 0}
msg: mode needs to be something octalish
failed: [192.168.1.20] => (item=/run/shm) => {"details": "invalid literal for int() with base 8: 'a+t'", "failed": true, "gid": 0, "group": "root", "item": "/run/shm", "mode": "01777", "owner": "root", "path": "/run/shm", "size": 140, "state": "directory", "uid": 0}
msg: mode needs to be something octalish
failed: [192.168.1.20] => (item=/run/lock) => {"details": "invalid literal for int() with base 8: 'a+t'", "failed": true, "gid": 0, "group": "root", "item": "/run/lock", "mode": "01777", "owner": "root", "path": "/run/lock", "size": 80, "state": "directory", "uid": 0}
msg: mode needs to be something octalish
failed: [192.168.1.20] => (item=/run/lock) => {"details": "invalid literal for int() with base 8: 'a+t'", "failed": true, "gid": 0, "group": "root", "item": "/run/lock", "mode": "01777", "owner": "root", "path": "/run/lock", "size": 80, "state": "directory", "uid": 0}
msg: mode needs to be something octalish
failed: [192.168.1.20] => (item=/run/shm) => {"details": "invalid literal for int() with base 8: 'a+t'", "failed": true, "gid": 0, "group": "root", "item": "/run/shm", "mode": "01777", "owner": "root", "path": "/run/shm", "size": 140, "state": "directory", "uid": 0}
msg: mode needs to be something octalish

FATAL: all hosts have already failed -- aborting
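An added example (my own code, not the role's) of the check behind 2.17.1/2.17.2: find world-writable directories on one filesystem that lack the sticky bit, and compute the absolute octal mode (current bits plus S_ISVTX) that the Ansible 1.9 file module accepts in place of the symbolic "a+t" it rejects above. The scratch directories in the self-test are constructed.

```python
"""Defender's check for CIS 2.17: world-writable directories without the sticky
bit. Without S_ISVTX any user can delete or rename other users' files in a
shared directory such as /tmp. The mode returned keeps every existing bit and
adds the sticky bit, so 0777 becomes "1777" and a setgid 2777 becomes "3777".
"""
import os
import stat
import tempfile


def scan_sticky(root):
    """Return {dir: octal_mode_to_apply} for directories under `root` (same
    filesystem only, like find -xdev) that are writable by others but not sticky."""
    offenders = {}
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, _files in os.walk(root):
        try:
            st = os.lstat(dirpath)
        except OSError:
            dirnames[:] = []  # vanished: nothing to descend into
            continue
        if st.st_dev != root_dev:
            dirnames[:] = []  # another mount: do not descend
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            offenders[dirpath] = "%04o" % (mode | stat.S_ISVTX)
    return offenders


def fix_sticky(offenders):
    """Apply the computed modes (what 2.17.2 does); returns the paths changed."""
    changed = []
    for path, octal in offenders.items():
        os.chmod(path, int(octal, 8))
        changed.append(path)
    return changed


def demo_on_tempdir():
    """Constructed self-test with three scratch directories of known modes."""
    with tempfile.TemporaryDirectory() as tmp:
        shared = os.path.join(tmp, "shared")    # 0777: world-writable, not sticky
        spool = os.path.join(tmp, "spool")      # 1777: already compliant
        private = os.path.join(tmp, "private")  # 0755: not world-writable
        for path, mode in ((shared, 0o777), (spool, 0o1777), (private, 0o755)):
            os.mkdir(path)
            os.chmod(path, mode)
        before = scan_sticky(tmp)
        fix_sticky(before)
        after = scan_sticky(tmp)
        return (sorted(os.path.basename(p) for p in before),
                before.get(shared), len(after))


if __name__ == "__main__":
    for path, octal in sorted(scan_sticky("/").items()):
        print(octal, path)
```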

Cannot install via ansible galaxy

I added this to my requirements.yml:

  - src: git@github.com:awailly/cis-ubuntu-ansible.git
    version: 1aabf4353ba2c5c5e6d2bac41b4eaf5ea5cb1edc

and then tried to install via ansible-galaxy install -r requirements.yml -p $(pwd)/roles --force

- cis-ubuntu-ansible was installed successfully
Traceback (most recent call last):
  File "/Users/marshall/.virtualenvs/vg-vault/bin/ansible-galaxy", line 957, in <module>
    main()
  File "/Users/marshall/.virtualenvs/vg-vault/bin/ansible-galaxy", line 951, in main
    fn(args, options, parser)
  File "/Users/marshall/.virtualenvs/vg-vault/bin/ansible-galaxy", line 848, in execute_install
    for dep in role_dependencies:
TypeError: 'NoneType' object is not iterable

I suspect the issue is the empty dependencies here. This should be - dependencies: []

Role fails to run if skipped

When the role is skipped, eg

  - role: cis
    when: some_variable_that_is_false

13.18 fails with

TASK: [cis | 13.18 Check for Presence of User .netrc Files (stat) (Scored)] ***
fatal: [10.0.139.165] => with_items expects a list or a set
fatal: [10.0.136.68] => with_items expects a list or a set
fatal: [10.0.137.117] => with_items expects a list or a set

This may or not be problem with ansible 2.0, but it is with 1.9.x.

To handle this case the two 13.8 with_item values need to be changed to

    with_items: '{{ home_users.stdout_lines | default([]) }}'
    ...
    with_items: '{{ netrc_files.results | default([]) }}'

Why ever skip cis? When adding new nodes to a cluster (eg, a new mesos-slave node) I will run the entire cluster playbook. The new node gets created and provisioned, but all the other nodes run too. Of course with good playbooks that's just a bunch of 'oks'.

But with some types of nodes, for some of the cis tasks that check files or permissions, there are so many files to check that the playbook can take hours to complete. The mesos-slave for example, is running lots of docker containers and other mesos containers and will have a gazillion data files. For these nodes, I set a value in /etc/ansible/facts.d/cis_ubuntu.fact indicating that cis has already run and not to do it again.

PR on the way.

AppArmor not available on Raspbian

Here's what happens with a Raspbian:

TASK: [cis | 4.5 Activate AppArmor (Scored)] ********************************** 
failed: [192.168.1.11] => {"changed": false, "cmd": ["apparmor_status"], "delta": "0:00:00.280982", "end": "2015-05-13 23:39:45.443618", "failed": true, "failed_when_result": true, "rc": 1, "start": "2015-05-13 23:39:45.162636", "stdout_lines": [], "warnings": []}
stderr: AppArmor not available in kernel.

FATAL: all hosts have already failed -- aborting

Good luck fixing this one!

TCP Syncookies support

When I launch the playbook on an Ubuntu 14.04 in Docker:

TASK: [cis-ubuntu-ansible | 7.2.8 Enable TCP SYN Cookies (Scored)] ************ 
failed: [localhost] => {"failed": true}
msg: Failed to reload sysctl: sysctl: setting key "fs.suid_dumpable": Read-only file system
sysctl: setting key "kernel.randomize_va_space": Read-only file system
sysctl: setting key "net.ipv4.ip_forward": Read-only file system
sysctl: setting key "net.ipv4.conf.all.send_redirects": Read-only file system
sysctl: setting key "net.ipv4.conf.default.send_redirects": Read-only file system
sysctl: setting key "net.ipv4.conf.all.accept_source_route": Read-only file system
sysctl: setting key "net.ipv4.conf.default.accept_source_route": Read-only file system
sysctl: setting key "net.ipv4.conf.all.accept_redirects": Read-only file system
sysctl: setting key "net.ipv4.conf.default.accept_redirects": Read-only file system
sysctl: setting key "net.ipv4.conf.all.secure_redirects": Read-only file system
sysctl: setting key "net.ipv4.conf.default.secure_redirects": Read-only file system
sysctl: setting key "net.ipv4.conf.all.log_martians": Read-only file system
sysctl: setting key "net.ipv4.conf.default.log_martians": Read-only file system
sysctl: setting key "net.ipv4.icmp_echo_ignore_broadcasts": Read-only file system
sysctl: setting key "net.ipv4.icmp_ignore_bogus_error_responses": Read-only file system
sysctl: setting key "net.ipv4.conf.all.rp_filter": Read-only file system
sysctl: setting key "net.ipv4.conf.default.rp_filter": Read-only file system
sysctl: cannot stat /proc/sys/net/ipv4/tcp_syncookies: No such file or directory

Looks like there is no TCP syncookies support in the kernel. Is it mandatory for the CIS rules? If it is, we'll probably need to add an option to skip it in Docker. Otherwise, it should detect that the kernel doesn't support it and skip this task automatically...

EDIT: Docker build: https://registry.hub.docker.com/u/pchaigno/cis-ubuntu-ansible/build_id/63371/code/bzpufxc6renmdzgkhyrdy7b/

Auditd denying access to rsyslogd

On an Ubuntu 14.04.02, after running the playbook once and restarting:

  • /var/log/audit/audit.log fills up with type=AVC msg=audit(1434557031.321:238105): apparmor="DENIED" operation="open" profile="/usr/sbin/rsyslogd" name="/run/utmp" pid=1033 comm=72733A6D61696E20513A526567 requested_mask="r" denied_mask="r" fsuid=101 ouid=0 lines.
  • The rsyslog daemon is using 100% of one core.

/cc @paskl47 (who found the bug and left the dirty job of reporting it to the intern... 😜 )

Error when partitioning with tmp not in a separate partition

When partitioning with /tmp in a shared partition, should we leave it like this or should it skip this one?

TASK: [cis | 2.2 - 4 Set nodev, nosuid, noexec option for /tmp Partition (Scored)] *** 
failed: [127.0.0.1] => {"failed": true}
msg: Error mounting /tmp: mount: /tmp is not a block device


FATAL: all hosts have already failed -- aborting

8.2.4.1 creates invalid file list for certain rsyslog configs

I have the config

$ cat /etc/rsyslog.d/30-marathon.conf
if $programname == 'marathon' then {
  action(type="omfile" asyncWriting="on" file="/var/log/marathon.log")
  stop
}

This puts the value file="/var/log/marathon.log" in results, which ends up failing 8.2.4.3 since that is not a simple file name.

I'm a bit of novice when it comes to syslog configs -- I just copied the above from somewhere and made it part of my marathon install role.

Is this a case that should be handled? Or should I have a different form in the config?
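An added example (my own code, not the role's) of extracting log-file paths from an rsyslog config in both syntaxes, so a RainerScript action(type="omfile" ...) yields the path rather than the raw file="..." token that fails 8.2.4.3 in the report above. The sample config is constructed, modelled on the Debian defaults plus the marathon snippet.

```python
"""Extract the files an rsyslog configuration writes to, as input for a CIS
8.2.4.x permission check. Handles the legacy selector form
("kern.* -/var/log/kern.log") and RainerScript action(type="omfile" file="..."),
and ignores remote (@host), pipe (|/dev/...) and :omusrmsg: destinations,
which are not files.
"""
import re

# legacy: selector/filter tokens, whitespace, optional "-" (async write), an absolute path
LEGACY = re.compile(r"^\s*([^#\s].*?)\s+-?(/\S+)\s*$")
# RainerScript actions; the body is searched separately so attribute order does not matter
ACTION = re.compile(r"\baction\s*\(([^)]*)\)", re.IGNORECASE)
TYPE_ATTR = re.compile(r'\btype\s*=\s*"([^"]+)"', re.IGNORECASE)
FILE_ATTR = re.compile(r'\bfile\s*=\s*"([^"]+)"', re.IGNORECASE)

SAMPLE_CONFIG = """\
# constructed sample: Debian-style defaults plus the marathon block
$ModLoad imuxsock
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
kern.*                          -/var/log/kern.log
*.emerg                         :omusrmsg:*
daemon.*;mail.*                 |/dev/xconsole
*.*                             @@loghost.example:514
if $programname == 'marathon' then {
  action(type="omfile" asyncWriting="on" file="/var/log/marathon.log")
  stop
}
"""


def log_files(config_text):
    """Return the sorted, de-duplicated absolute paths written by `config_text`."""
    paths = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0]  # drop trailing comments
        m = LEGACY.match(line)
        if m:
            paths.add(m.group(2))
    # an action may span several lines, so search the whole text, not each line
    for action in ACTION.finditer(config_text):
        body = action.group(1)
        kind, target = TYPE_ATTR.search(body), FILE_ATTR.search(body)
        if kind and kind.group(1).lower() == "omfile" and target:
            paths.add(target.group(1))
    return sorted(paths)


if __name__ == "__main__":
    for path in log_files(SAMPLE_CONFIG):
        print(path)
```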

AppArmor activation error

On a new Ubuntu 14.04 in a VM, it runs okay until:

TASK: [cis | 4.5 Activate AppArmor (enforce) (Scored)] ************************ 
failed: [192.168.1.13] => {"changed": false, "cmd": "aa-enforce /etc/apparmor.d/*", "delta": "0:00:01.333396", "end": "2015-05-02 16:02:57.457397", "failed": true, "failed_when_result": true, "rc": 1, "start": "2015-05-02 16:02:56.124001", "stdout_lines": ["Profile for /etc/apparmor.d/abstractions not found, skipping"], "warnings": []}
stderr: Traceback (most recent call last):
  File "/usr/sbin/aa-enforce", line 30, in <module>
    tool.cmd_enforce()
  File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 153, in cmd_enforce
    apparmor.read_profiles()
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2564, in read_profiles
    read_profile(profile_dir + '/' + file, True)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2590, in read_profile
    profile_data = parse_profile_data(data, file, 0)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 2843, in parse_profile_data
    store_list_var(filelist[file]['lvar'], list_var, value, var_operation)
  File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 3274, in store_list_var
    raise AppArmorException(_('An existing variable redefined: %s') % list_var)
apparmor.common.AppArmorException: 'An existing variable redefined: @{MOZ_LIBDIR}'
stdout: Profile for /etc/apparmor.d/abstractions not found, skipping

FATAL: all hosts have already failed -- aborting

PLAY RECAP ******************************************************************** 
           to retry, use: --limit @/home/paul/playbook.retry

192.168.1.13               : ok=43   changed=0    unreachable=0    failed=1  
