radsec / CentOS7-CIS
Ansible CentOS 7 - CIS Benchmark Hardening Script
License: Other
CentOS7-CIS/tasks/section6.yml, line 100 in e1c3814
CentOS7-CIS/tasks/section6.yml, line 114 in e1c3814
Issue -
CIS vulnerability flagged: 6.1.9 is marked as failed
Reason -
The permissions are not correct as per the guidelines
Resolution -
Update the condition
/etc/group- has permission 0644
/etc/gshadow- has permission 0000
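The modes quoted in the issue above, expressed as idempotent Ansible tasks that patch and then audit the two backup files. This is an added example and not the role's own section6.yml; the play name, the passwd_backup_files variable and the root:root ownership are this example's assumptions.

```yaml
# Added example (not code from the CentOS7-CIS role): enforce, then verify,
# the modes the issue gives for /etc/group- and /etc/gshadow-.
- name: "CIS 6.1.9 | Ensure permissions on /etc/group- and /etc/gshadow- are configured"
  hosts: localhost
  become: true
  vars:
    # Modes are quoted strings: an unquoted 0644 is parsed by YAML as the
    # octal integer 420, which is not the mode you meant.
    passwd_backup_files:
      - { path: /etc/group-,   mode: "0644" }
      - { path: /etc/gshadow-, mode: "0000" }
  tasks:
    - name: Stat the backup files (they only exist after a user/group change)
      ansible.builtin.stat:
        path: "{{ item.path }}"
      loop: "{{ passwd_backup_files }}"
      loop_control:
        label: "{{ item.path }}"
      register: backup_stat

    - name: PATCH | Set owner, group and mode on the backup files that exist
      ansible.builtin.file:
        path: "{{ item.item.path }}"
        owner: root
        group: root
        mode: "{{ item.item.mode }}"
      loop: "{{ backup_stat.results }}"
      loop_control:
        label: "{{ item.item.path }}"
      when: item.stat.exists

    - name: AUDIT | Re-read the modes after the change
      ansible.builtin.stat:
        path: "{{ item.path }}"
      loop: "{{ passwd_backup_files }}"
      loop_control:
        label: "{{ item.path }}"
      register: backup_audit

    - name: AUDIT | Fail the play if any existing backup file still deviates
      ansible.builtin.assert:
        that:
          - not item.stat.exists or item.stat.mode == item.item.mode
          - not item.stat.exists or item.stat.pw_name == 'root'
        fail_msg: "{{ item.item.path }} has mode {{ item.stat.mode | default('n/a') }}, expected {{ item.item.mode }}"
        quiet: true
      loop: "{{ backup_audit.results }}"
      loop_control:
        label: "{{ item.item.path }}"
```

The stat/when pair matters because the `-` backup files are created lazily by the shadow utilities; running `file:` unconditionally against a missing path fails the task, while `state: touch` would create an empty backup that never existed on the host.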
https://github.com/radsec/CentOS7-CIS/blob/master/tasks/section2.yml#L395
This throws an ansible execution error.
In my case I added a file instead of a template, with default content in the file:
cat /etc/sysconfig/chronyd
# Command-line options for chronyd
OPTIONS=""
Is your feature request related to a problem? Please describe.
Is it possible to include CIS 3.0 benchmark tests?
Describe the solution you'd like
Implementing CIS 3.0 benchmark.
Describe alternatives you've considered
Enterprise vulnerability scanners like VM Insight
Additional context
Add any other context or screenshots about the feature request here.
Line 55 in a2e8fa8
Ansible version - 2.9.9
Python version = 2.7.5
Issue -
When running the playbook CentOS7-CIS_Benchmark_level1_and_level2.yml, there is execution error.
Reason -
The usage of
register: syslog-ng_installed
in prelim.yml is invalid.
Resolution -
Replace - with _ in the prelim.yml file.
Add workflow/actions to complete ansible-linting
This command has no use related to CIS hardening:
https://github.com/radsec/CentOS7-CIS/blob/master/tasks/section1.yml#L281
- name: "NOTSCORED | 1.1.18 | PATCH | Ensure nodev option set on removable media partitions"
  command: /bin/true
  changed_when: no
  when:
    - centos7cis_level1 is defined and centos7cis_level1
  tags:
    - level1
    - notscored
    - patch
    - rule_1.1.18
I deployed this playbook on my test VM and lost login connectivity; I am not able to fix it.
I had passwordless communication set up between my ansible node and the VM, and only that is still working.
Any suggestion ?
Create workflow/actions to measure CIS compliance
Ansible Version - 2.9.9
ISSUE
centos7cis_default_user_umask changes to 023 instead of 027 when executing (not sure if it is a system-specific issue on my side).
CentOS7-CIS/tasks/section5.yml, line 1228 in e1c3814
CentOS7-CIS/tasks/section5.yml, line 1243 in e1c3814
CentOS7-CIS/tasks/section5.yml, line 1275 in e1c3814
with the error given below:
TASK [CentOS7-CIS : SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive] *********************************************************************
failed: [localhost] (item=profiled_dir.files[0].path) => {"ansible_loop_var": "item", "changed": false, "item": "profiled_dir.files[0].path", "msg": "Destination profiled_dir.files.path does not exist !", "rc": 257}
...ignoring
Workaround for centos7cis_default_user_umask changing to 023: run the ansible playbook with the variable as a command-line argument by adding the argument below,
--extra-vars "centos7cis_default_user_umask=027"
which will override the internal variable value.
Viewpoint
The structure of the profiled_dir.files is an array of dictionaries. Not sure how to get through this one using ansible at the moment.
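The failure quoted above (`item=profiled_dir.files[0].path` arriving as a literal string, so the module looks for a file literally named `profiled_dir.files.path`) is what happens when the loop item is not a Jinja expression. Below is an added example, not the role's section5.yml, of iterating the `find` result as the list of dictionaries it is and reading each entry's `path` key. The play name, the regex and the inclusion of /etc/bashrc and /etc/profile are this example's assumptions; only the variable name centos7cis_default_user_umask comes from the issue.

```yaml
# Added example (not code from the CentOS7-CIS role): rewrite every existing
# "umask NNN" line under /etc/profile.d plus /etc/bashrc and /etc/profile.
- name: "CIS 5.4.4 | Ensure default user umask is 027 or more restrictive"
  hosts: localhost
  become: true
  vars:
    # Quoted so YAML keeps the leading zero instead of parsing an octal int.
    centos7cis_default_user_umask: "027"
  tasks:
    - name: Find shell profile fragments
      ansible.builtin.find:
        paths: /etc/profile.d
        patterns: "*.sh"
      register: profiled_dir

    - name: PATCH | Set the umask in every file that already carries a umask line
      ansible.builtin.replace:
        # profiled_dir.files is a list of dicts; item.path is the file name.
        # The two static files are appended to that list so one task covers all.
        path: "{{ item }}"
        regexp: '^(\s*umask\s+)\d+'
        replace: '\g<1>{{ centos7cis_default_user_umask }}'
      loop: "{{ (profiled_dir.files | map(attribute='path') | list) + ['/etc/bashrc', '/etc/profile'] }}"
      loop_control:
        label: "{{ item }}"

    - name: AUDIT | Collect any umask line that is still less restrictive
      ansible.builtin.shell: >
        grep -En '^\s*umask\s+[0-9]+' /etc/profile.d/*.sh /etc/bashrc /etc/profile
        | grep -Ev 'umask\s+{{ centos7cis_default_user_umask }}\s*$' || true
      register: umask_audit
      changed_when: false

    - name: AUDIT | Report remaining deviations without failing the play
      ansible.builtin.debug:
        msg: "{{ umask_audit.stdout_lines }}"
      when: umask_audit.stdout_lines | length > 0
```

`replace` rewrites every match in a file (CentOS 7's /etc/bashrc has one `umask` per branch of an if/else), whereas `lineinfile` touches only the last match and would leave the other branch at its old value. Files without any umask line are left alone; add a `lineinfile` with `create: true` if a fragment such as /etc/profile.d/umask.sh should be created. The `--extra-vars` workaround in the issue works because extra vars sit at the top of Ansible's variable precedence, above role and play defaults.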
Describe the bug
The variable rhel7cis_level1 is not defined but is used. Hence the execution fails.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
No error should occur.
Error
TASK [CentOS7-CIS : SCORED | 2.2.1.3 | PATCH | Ensure chrony is configured] ********************************************************************************************
fatal: [localhost]: FAILED! => {"msg": "The conditional check 'centos7cis_level1 is defined and rhel7cis_level1' failed. The error was: error while evaluating conditional (centos7cis_level1 is defined and rhel7cis_level1): 'rhel7cis_level1' is undefined\n\nThe error appears to be in '/etc/ansible/roles/CentOS7-CIS/tasks/section2.yml': line 377, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: "SCORED | 2.2.1.3 | PATCH | Ensure chrony is configured"\n ^ here\n"}
Version Used
Ansible 2.9.9
Latest repository.
CentOS7-CIS/tasks/section3.yml, line 304 in a2e8fa8
Issue -
Section 3.4.3 still shows up as a vulnerability.
Reason -
centos7cis_enable_host_deny is not defined and is kept as a condition.
Resolution -
Update - centos7cis_enable_host_deny is defined
to - centos7cis_enable_hosts_deny is defined
https://github.com/radsec/CentOS7-CIS/blob/master/tasks/section2.yml#L433
Issue -
Execution error on 2.2.2, which stops the execution.
Error -
TASK [CentOS7-CIS : SCORED | 2.2.2 | PATCH | Ensure X Window System is not installed] **********************************************************************************
[DEPRECATION WARNING]: Invoking "yum" only once while using a loop via squash_actions is deprecated. Instead of using a loop to supply multiple items and specifying
`name: "{{item}}"`, please use `name: ['xorg-x11*']` and remove the loop. This feature will be removed in version 2.11. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.
fatal: [localhost]: FAILED! => {"msg": "The conditional check 'centos7cis_xwindows_required is defined not centos7cis_xwindows_required' failed. The error was: Unexpected templating type error occurred on ({% if centos7cis_xwindows_required is defined not centos7cis_xwindows_required %} True {% else %} False {% endif %}): test_defined() takes exactly 1 argument (2 given)\n\nThe error appears to be in '/etc/ansible/roles/CentOS7-CIS/tasks/section2.yml': line 427, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: \"SCORED | 2.2.2 | PATCH | Ensure X Window System is not installed\"\n ^ here\n"}
Reason -
The when condition is broken
Resolution -
Update the condition
- centos7cis_xwindows_required is defined not centos7cis_xwindows_required
to
- centos7cis_xwindows_required is defined and not centos7cis_xwindows_required
Add workflow/actions to complete ansible-syntax check
==> amazon-ebs: + ansible-playbook CentOS7-CIS_Benchmark_level1.yml
==> amazon-ebs: [WARNING]: Could not match supplied host pattern, ignoring: all
==> amazon-ebs: [WARNING]: provided hosts list is empty, only localhost is available
==> amazon-ebs: ERROR! the role '\''CentOS7-CIS'\'' was not found in /home/centos/centos_cis/roles:/etc/ansible/roles:/usr/share/ansible/roles:/home/centos/centos_cis
==> amazon-ebs:
==> amazon-ebs: The error appears to have been in '\''/home/centos/centos_cis/CentOS7-CIS_Benchmark_level1.yml'\'': line 11, column 7, but may
==> amazon-ebs: be elsewhere in the file depending on the exact syntax problem.
==> amazon-ebs:
==> amazon-ebs: The offending line appears to be:
==> amazon-ebs:
==> amazon-ebs: # Match role folder name here - CentOS7-CIS
==> amazon-ebs: - role: CentOS7-CIS
==> amazon-ebs: ^ here
==> amazon-ebs: Script exited with non-zero exit status: 1.Allowed exit codes are: [0]
Could be that I'm missing something in using this repository, but there's not much documentation on installation, so I kinda need to ask here :(