major / cis-rhel-ansible Goto Github PK

TASK: [cis | 2.1.12 Disable chargen-dgram (disable xinetd service)] ***********
failed: [localhost] => {"failed": true}
msg: cannot find 'service' binary or init script for service, possible typo in service name?, aborting

You've created an amazing playbook. Thank you so much.

It might be beneficial to follow Ansible's "best" practices for directory layout as suggested here http://docs.ansible.com/playbooks_best_practices.html#directory-layout . At minimum I'd put cis under roles/

Everything runs well except 1.5.1, in my case. I'm running this on AWS Linux.

TASK: [cis | 1.5.1 Set User/Group Owner on /etc/grub.conf] ********************
failed: [localhost] => {"failed": true}
msg: src and dest are required for creating links

I changed:

•  path=/boot/grub/grub.conf
  

•  path=/etc/grub.conf
  

I'm hitting an error on 1.5.1. Looks like ansible can't manage permissions of a symlink without src and dest explicitly set? We can't hardcode src and dest due to #7 .

TASK: [cis | 1.5.1 Set User/Group Owner on /etc/grub.conf] ******************** 
failed: [ec2-54-165-14-20.compute-1.amazonaws.com] => {"failed": true}
msg: src and dest are required for creating links
failed: [ec2-54-218-63-216.us-west-2.compute.amazonaws.com] => {"failed": true}
msg: src and dest are required for creating links

FATAL: all hosts have already failed -- aborting

Any ideas on how to proceed?

I noted this:

ok: [localhost] => {
"msg": "*** To do later"

}

Is there a todo list of sorts; or would you welcome grep ing for the above "*** To do" and attacking in order? ;-)

Any idea when these might be ready? My team and I would be happy to help.

The logrotate config file at https://github.com/major/cis-rhel-ansible/blob/master/roles/cis/files/etc/logrotate.d/syslog appears to have been truncated at some point

CIS recommends using aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz', but in your playbook you are doing

action: shell /usr/sbin/aide --init &&
    mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
    creates=/var/lib/aide/aide.db.gz

Just wondering why the deviation from their suggestion.

Also in the same section they suggest disabling pre-linking, as it can interfere with aide. I do not see anywhere in your plays where that is being addressed. Are you disabling prelinking during kickstart?

It would be really useful if the role would be possible to run in check mode only (no action would be performed on the remote host). This would allow to find out what's not compliant and select tasks which should be applied or which should be skipped if the user is using different role to manage certain resources (e.g. ntp, yum, ssh, ...).

For the below sections one can check for ansible_os_family to take the appropriate action(s):

• name: 1.2.1 Configure connection to the RHN RPM repositories
  debug: msg="Check RHN repository setup manually. Doesn't apply to CentOS."
• name: 1.2.2 Verify Red Hat GPG key is installed
  debug: msg="Check Red Hat GPG key manually. Doesn't apply to CentOS."

[root@testvm1 cis-rhel-ansible]# ansible-playbook -i hosts -C playbook.yml
ERROR! A playbook must be a list of plays, got a <class 'ansible.parsing.yaml.objects.AnsibleMapping'> instead

The error appears to be in '/etc/ansible/cis-rhel-ansible/playbook.yml': line 18, column 3, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

hosts: all
^ here

[root@testvm1 cis-rhel-ansible]# ansible-playbook playbook.yml -i hosts --list-tags
ERROR! 'accelerate' is not a valid attribute for a Play

The error appears to be in '/etc/ansible/cis-rhel-ansible/playbook.yml': line 18, column 3, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

• hosts: all
  ^ here

You should consider creating branch names that are in the below format, since version numbers for the benchmark may change.

CIS_Red_Hat Enterprise_Linux_6_Benchmark v1.3.0

which matches the benchmark pdf files:

https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.3.0.pdf

section 6.2.1 in https://github.com/major/cis-rhel-ansible/blob/master/tasks/section_06.yml has

• name: 6.2.1 Set SSH Protocol to 2
  notify: Reload sshd

Returns:

ERROR: change handler (Reload sshd) is not defined

How does one resolve this?

Hi,

Entry section_01_level1.yml

Exec-shield is no longer available through sysctl on RedHat 7.
https://access.redhat.com/solutions/974563

Could you please remove it.

Regards,

John

PLAY [all] *********************************************************************

TASK [setup] *******************************************************************
[DEPRECATION WARNING]: Accelerated mode is deprecated. Consider using SSH with ControlPersist and pipelining enabled instead.
This feature will be removed in a future release.
Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: accelerate is kept for backwards compatibility but usage is discouraged. The module documentation details page may explain more about this rationale..
This feature will be removed in a future release. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
fatal: [localhost]: FAILED! => {"failed": true, "msg": "Failed to connect to localhost on the accelerated port 5099"}
to retry, use: --limit @/home/ec2-user/cis-rhel-ansible/playbook.retry

PLAY RECAP *********************************************************************
localhost : ok=0 changed=0 unreachable=0 failed=1

So I added that line to the ansible.cfg file and ran it again but now I get:

ansible-playbook -i hosts -C playbook.yml

PLAY [all] *********************************************************************

TASK [setup] *******************************************************************
fatal: [localhost]: FAILED! => {"failed": true, "msg": "Failed to connect to localhost on the accelerated port 5099"}
to retry, use: --limit @/home/ec2-user/cis-rhel-ansible/playbook.retry

PLAY RECAP *********************************************************************
localhost : ok=0 changed=0 unreachable=0 failed=1

I'am running:

ansible --version
ansible 2.2.1.0
config file = /home/ec2-user/cis-rhel-ansible/ansible.cfg
configured module search path = Default w/o overrides

I'm not sure how to do this, but it would be very beneficial to have the number of Scored successes and Not Scored successes, and their "grades". In other words, something like this:

Scored: 101/121 [83.47%]
Not Scored: 33/41 [80.40%]
Total: 134/162 [82.70%]

How can this be done?

BTW, I think it may be beneficial to have Scored & notScored tags.

the fiel or symlink /etc/grub.conf not exist !
il have /etc/grub2.cfg

TASK [cis : 1.5.1 Set User/Group Owner on /etc/grub.conf (Scored)] *************
fatal: [localhost]: FAILED! => {"changed": false, "failed": true, "msg": "file (/etc/grub.conf) is absent, cannot continue", "path": "/etc/grub.conf", "state": "absent"}
        to retry, use: --limit @webservers.retry

here my OS :

# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)

In order to make this project compatible with Ansible Galaxy, the repository must have the role content in the root of the repository. This means that the roles/cis/* must be in in the root of the repository. Then this role can be made available in the Ansible Galaxy and people can use it via ansible-galaxy command.

do you mind if I do a pull request?

ansible, security, security-tools, security-audit, security-hardening, hardening, cis-benchmark, assessment, compliance, gdpr, hipaa, cis, forensics

I suggest that you put the caveat messages directly in the tasks so there is no ambiguity (https://github.com/major/cis-rhel-ansible/blob/master/NOTES.md), and this way user doesn't think something is wrong. It also gets logged.

Where I work the "grade" from running a CIS Benchmark is very important, so I need a clear method of capturing the pass, fail of each named task, and provide a final grade per run.

One should be able to run sections, levels, scored, not scored independently of each other. I suspect that this would only work if each named task is in it's own file and then logically aggregated into sections, levels, scored, etc.

There a few changes that should be made for full ansible 2.0 compatibility.

• Remove bare variables within with_ loops
• Replace sudo/sudo_user with become/become_user directives

Porting guide: https://docs.ansible.com/ansible/porting_guide_2.0.html

The benchmark was updated and has a new structure. Please update the role to this standard.

I initially built the role to be relative to the project root (e.g. files, tasks, etc. are top level directories) so it can be easily included in a larger ansible project. This allows the cis-rhel-ansible repository to be added as a git submodule in a 'roles' directory of a parent project. Any interest in moving back to this strategy?

For now I've symlinked things around so the parent project finds the role in the expected location. This is acceptable long term if you have a strong bias towards the current structure.