
radsec / centos7-cis


Ansible CentOS 7 - CIS Benchmark Hardening Script

License: Other

Python 8.25% Shell 91.75%
cis centos7cis cis-benchmark system-hardening centos7-cis ansible ansible-playbook ansible-role ansible-roles ansible-playbooks

centos7-cis's People

Contributors: iam-decoder, radsec


centos7-cis's Issues

Support for CIS 3.0 benchmark

Is your feature request related to a problem? Please describe.
Is it possible to include CIS 3.0 benchmark tests?

Describe the solution you'd like
Implementing CIS 3.0 benchmark.

Describe alternatives you've considered
Enterprise vulnerability scanners like VM Insight


5.4.4 fails due to wrong umask and error

Ansible Version - 2.9.9

ISSUE

  1. The umask variable centos7cis_default_user_umask changes to 023 instead of 027 when executing. (Not sure if it is a system-specific issue on my side.)

line: 'umask {{ centos7cis_default_user_umask }}'

line: 'umask {{ centos7cis_default_user_umask }}'

  2. The profiled_dir.files.path fails:
    with_items: profiled_dir.files.path

with the error given below:

TASK [CentOS7-CIS : SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive] *********************************************************************
failed: [localhost] (item=profiled_dir.files[0].path) => {"ansible_loop_var": "item", "changed": false, "item": "profiled_dir.files[0].path", "msg": "Destination profiled_dir.files.path does not exist !", "rc": 257}
...ignoring

Workaround for centos7cis_default_user_umask changing to 023: run the Ansible playbook with the variable as a command-line argument by adding the argument below,
--extra-vars "centos7cis_default_user_umask=027"
which will overpower the internal variable value.

Viewpoint
The structure of the profiled_dir.files is an array of dictionaries. Not sure how to get through this one using ansible at the moment.
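A stand-alone check for the 5.4.4 requirement this issue is about, written here as an added example in Python (it is not code from the CentOS7-CIS role): it reads the `umask` line from each profile file, treats the last uncommented numeric value as the effective one, and reports whether it is 027 or more restrictive. The file contents, including the 023 value the reporter observed, are constructed sample input, and the function names are the example's own.

```python
import re
from typing import Dict, Optional

# CIS 5.4.4 baseline: the default umask must be 027 or more restrictive, i.e.
# every permission bit that 027 removes must also be removed.
CIS_BASELINE_UMASK = 0o027

# Matches an uncommented numeric umask line such as "umask 027" or "umask 0027".
UMASK_RE = re.compile(r"^\s*umask\s+([0-7]{3,4})\b")


def parse_umask(profile_text: str) -> Optional[int]:
    """Return the last effective numeric umask in a shell profile, or None.
    A later 'umask' line overrides an earlier one when the file is sourced, so
    the last uncommented match wins. Symbolic forms (u=rwx,g=rx,o=) are skipped."""
    found = None
    for raw_line in profile_text.splitlines():
        code = raw_line.split("#", 1)[0]  # drop trailing shell comments
        match = UMASK_RE.match(code)
        if match:
            found = int(match.group(1), 8)
    return found


def is_at_least_as_restrictive(umask: int, baseline: int = CIS_BASELINE_UMASK) -> bool:
    """True when every bit cleared by the baseline is also cleared by umask."""
    return umask & baseline == baseline


def audit_profiles(profiles: Dict[str, str]) -> Dict[str, str]:
    """Classify each profile file as 'ok', 'too permissive (NNN)' or 'missing'."""
    results = {}
    for path, text in profiles.items():
        umask = parse_umask(text)
        if umask is None:
            results[path] = "missing"
        elif is_at_least_as_restrictive(umask):
            results[path] = "ok"
        else:
            results[path] = f"too permissive ({umask:03o})"
    return results


# Constructed sample contents standing in for /etc/bashrc and /etc/profile.d/*.sh.
SAMPLE_PROFILES = {
    "/etc/bashrc": "# system-wide bashrc\numask 022\numask 027\n",
    "/etc/profile.d/example.sh": "umask 023  # the value the reporter saw\n",
    "/etc/profile.d/vte.sh": "export VTE_VERSION=5202\n",
}
```

Note that 023 fails the check even though it is numerically close to 027: it still grants read access to other users, which 027 removes.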

Missing "and" condition breaks the execution

https://github.com/radsec/CentOS7-CIS/blob/master/tasks/section2.yml#L433

Issue -
Execution error on 2.2.2 that stops the execution.

Error -

TASK [CentOS7-CIS : SCORED | 2.2.2 | PATCH | Ensure X Window System is not installed] **********************************************************************************
[DEPRECATION WARNING]: Invoking "yum" only once while using a loop via squash_actions is deprecated. Instead of using a loop to supply multiple items and specifying
`name: "{{item}}"`, please use `name: ['xorg-x11*']` and remove the loop. This feature will be removed in version 2.11. Deprecation warnings can be disabled by setting
 deprecation_warnings=False in ansible.cfg.
fatal: [localhost]: FAILED! => {"msg": "The conditional check 'centos7cis_xwindows_required is defined not centos7cis_xwindows_required' failed. The error was: Unexpected templating type error occurred on ({% if centos7cis_xwindows_required is defined not centos7cis_xwindows_required %} True {% else %} False {% endif %}): test_defined() takes exactly 1 argument (2 given)\n\nThe error appears to be in '/etc/ansible/roles/CentOS7-CIS/tasks/section2.yml': line 427, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: \"SCORED | 2.2.2 | PATCH | Ensure X Window System is not installed\"\n  ^ here\n"}

Reason -
The when condition is broken

Resolution -
Update the condition
- centos7cis_xwindows_required is defined not centos7cis_xwindows_required

to
- centos7cis_xwindows_required is defined and not centos7cis_xwindows_required

Role Missing

==> amazon-ebs: + ansible-playbook CentOS7-CIS_Benchmark_level1.yml
==> amazon-ebs:  [WARNING]: Could not match supplied host pattern, ignoring: all
==> amazon-ebs:  [WARNING]: provided hosts list is empty, only localhost is available
==> amazon-ebs: ERROR! the role '\''CentOS7-CIS'\'' was not found in /home/centos/centos_cis/roles:/etc/ansible/roles:/usr/share/ansible/roles:/home/centos/centos_cis
==> amazon-ebs:
==> amazon-ebs: The error appears to have been in '\''/home/centos/centos_cis/CentOS7-CIS_Benchmark_level1.yml'\'': line 11, column 7, but may
==> amazon-ebs: be elsewhere in the file depending on the exact syntax problem.
==> amazon-ebs:
==> amazon-ebs: The offending line appears to be:
==> amazon-ebs:
==> amazon-ebs: # Match role folder name here - CentOS7-CIS
==> amazon-ebs:     - role: CentOS7-CIS
==> amazon-ebs:       ^ here
==> amazon-ebs: Script exited with non-zero exit status: 1.Allowed exit codes are: [0]

Could be that I'm missing something in using this repository, but there's not much documentation on installation, so I kind of need to ask here :(

Variable is not defined rhel7cis_level1 causes execution failure

Describe the bug
The variable rhel7cis_level1 is not defined but is used. Hence the execution fails.

To Reproduce
Steps to reproduce the behavior:

  1. Run the script.

Expected behavior
No error should occur.

Error
TASK [CentOS7-CIS : SCORED | 2.2.1.3 | PATCH | Ensure chrony is configured] ********************************************************************************************
fatal: [localhost]: FAILED! => {"msg": "The conditional check 'centos7cis_level1 is defined and rhel7cis_level1' failed. The error was: error while evaluating conditional (centos7cis_level1 is defined and rhel7cis_level1): 'rhel7cis_level1' is undefined\n\nThe error appears to be in '/etc/ansible/roles/CentOS7-CIS/tasks/section2.yml': line 377, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: "SCORED | 2.2.1.3 | PATCH | Ensure chrony is configured"\n ^ here\n"}

Version Used
Ansible 2.9.9
Latest repository.

Not able to login after applying playbook

I deployed this playbook on my test VM and lost login connectivity; I am not able to fix it.
I had password-less communication set up between my Ansible node and the VM, and only that is still working.

Any suggestions?
