- Hi, I'm @florianutz
- I'm interested in automation and secure operation
florianutz / ubuntu1604-cis
Ubuntu CIS Hardening Ansible Role
License: MIT License
I can't find any tasks checking the registered vars, and yet these tasks are set to never fail. As far as I can tell these are scored rules that are being allowed to pass unchecked.
Ubuntu1604-CIS/tasks/section1.yml, lines 313 to 339 in 8b12f24
Ubuntu1604-CIS/tasks/section1.yml, lines 363 to 403 in 8b12f24
root@server-ubuntu-1604:~# ansible-playbook --version
ansible-playbook 2.0.0.2
root@log-server-ubuntu-1604:~# ansible-playbook --check /etc/ansible/roles/florianutz.ubuntu1604-cis/tasks/main.yml
[WARNING]: provided hosts list is empty, only localhost is available
ERROR! 'fail' is not a valid attribute for a Play
The error appears to have been in '/etc/ansible/roles/florianutz.ubuntu1604-cis/tasks/main.yml': line 3, column 3, but may
be elsewhere in the file depending on the exact syntax problem.
The offending line appears to be:
# tasks file for Ubuntu1604-CIS
- name: Check OS version and family
^ here
root@log-server-ubuntu-1604:~# ansible-playbook site.yml
[WARNING]: provided hosts list is empty, only localhost is available
ERROR! The handlers/main.yml file for role 'florianutz.ubuntu1604-cis' must contain a list of tasks
The error appears to have been in '/etc/ansible/roles/florianutz.ubuntu1604-cis/tasks/main.yml': line 3, column 1, but may
be elsewhere in the file depending on the exact syntax problem.
The offending line appears to be:
# tasks file for Ubuntu1604-CIS
- name: Check OS version and family
^ here
I was able to successfully run this on a machine the other day and on another system with the same configuration it's not failing. I doubt this is an issue with the file, as I have been able to get this to run, but I haven't the foggiest idea why it would suddenly be failing like this. Any ideas?
Ubuntu1604-CIS/defaults/main.yml, line 165 in 8b12f24
When running the section5 SSH tasks, the sshd configuration file is not validated. The ssh daemon may not be restarted, because not all tasks contain the notify statement, and the error remains silently in the configuration file.
This can cause the sshd configuration file to be misconfigured, and the ssh daemon will not start after a system restart.
This is a major issue, since the administrator has to log into the machine via single user mode, serial console or another type of alternative access to fix the misconfigured file. This happened to me today on the GCP platform, where the end of the SSH file is by default configured properly, but if another line is added to it, it breaks the syntax.
Example of valid ending of SSH config file:
# Create chrooted directory
Match Group scponly
ChrootDirectory %h
passwordAuthentication yes
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
By adding, for example, the line PermitUserEnvironment no, the Match block is not closed with a Match all statement and the configuration file is invalid.
# Create chrooted directory
Match Group scponly
ChrootDirectory %h
passwordAuthentication yes
ForceCommand internal-sftp
AllowTcpForwarding no
PermitUserEnvironment no
Error when running sshd -t:
/etc/ssh/sshd_config line 69: Directive 'PermitUserEnvironment' is not allowed within a Match block.
As remediation I propose running sshd -t after the tasks or in a handler.
Due to the fact that long uptimes can rotate out/overfill the dmesg log, it's not reliable or accurate to check this based on dmesg alone.
This information can be obtained from the /proc/cpuinfo file, which is present in Ubuntu by default, with the following command:
grep ^flags /proc/cpuinfo | head -n1 | egrep --color=auto ' (pae|nx) '
- https://wiki.ubuntu.com/Security/CPUFeatures
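The three reports above (registered results that are never checked, sshd_config edits that are never validated, and the NX check that relies on dmesg) all come down to the same two Ansible patterns: validate a file before it is written, and actually fail on a registered result. The playbook below is an added example and not the role's own code; it assumes an Ubuntu 16.04 target, sshd_config at /etc/ssh/sshd_config, an OpenSSH service named "ssh", and Ansible 2.5 or newer (for lineinfile's firstmatch). The task names are illustrative, not the role's rule numbers.

```yaml
# Added example (not the role's own code). Assumptions: Ubuntu 16.04 target,
# sshd_config at /etc/ssh/sshd_config, OpenSSH service named "ssh",
# Ansible >= 2.5 (lineinfile firstmatch). Task names are illustrative.
- hosts: localhost
  connection: local
  become: true
  gather_facts: false
  vars:
    sshd_config_path: /etc/ssh/sshd_config   # assumed path

  handlers:
    - name: restart sshd
      service:
        name: ssh
        state: restarted

  tasks:
    # Every write to sshd_config is syntax-checked first: lineinfile renders
    # the result to a temp file, substitutes its path for %s, and only moves it
    # into place when 'sshd -t -f' exits 0. A global directive that would land
    # inside an unclosed "Match Group scponly" block therefore fails the task
    # instead of silently leaving a config sshd cannot load on the next boot.
    - name: Ensure PermitUserEnvironment is disabled (validated write)
      lineinfile:
        path: "{{ sshd_config_path }}"
        regexp: '^\s*#?\s*PermitUserEnvironment\b'
        line: 'PermitUserEnvironment no'
        insertbefore: '^\s*Match\b'   # keep global directives above any Match block
        firstmatch: true
        validate: 'sshd -t -f %s'
      notify: restart sshd

    # Whole-file check at the end, so a bad line left by an earlier task that
    # has no validate: still fails the run before a reboot would lock everyone out.
    - name: Verify sshd configuration parses
      command: sshd -t
      changed_when: false

    # A registered result that is actually checked. /proc/cpuinfo is read
    # instead of dmesg, which long uptimes can rotate out.
    - name: Read CPU flags
      shell: grep -m1 '^flags' /proc/cpuinfo
      register: cpu_flags
      changed_when: false
      check_mode: false

    - name: "Scored rule: fail when NX is not advertised by the CPU"
      assert:
        that:
          - "'nx' in cpu_flags.stdout.split()"
        fail_msg: "NX (execute-disable) not present in CPU flags"
```

The assert task is the part the first report asks for: a scored rule that registers a result and then does nothing with it passes every time, whereas an assert (or a failed_when on the registered task) turns the rule into a real check. The lineinfile validate: applies to any file with a syntax checker, for example visudo -cf %s for sudoers edits.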
Currently you have version tags in GitHub, but those versions are not reflected in Ansible Galaxy. It would be very helpful for me if you would set up Galaxy to use those version tags.
The link to the CIS guide doesn't work anymore.
In their current version, the Ubuntu 16 guide is hidden behind an email registration here: https://www.cisecurity.org/benchmark/ubuntu_linux/
The page is branded for Ubuntu 18 and has a back link for Ubuntu 14, but if you register, you get an email with a link to a download archive where the Ubuntu 16 PDF is available.
Hi Florian,
ansible-galaxy install -p roles -r requirements.yml: in this command, requirements.yml is missing.
ERROR! 'register' is not a valid attribute for a Play
The error appears to have been in '/etc/ansible/Sango/Ubuntu1604-CIS/tasks/prelim.yml': line 2, column 3, but may
be elsewhere in the file depending on the exact syntax problem.
The offending line appears to be:
I am getting this issue, can you please help me here.
I get this error:
RUNNING HANDLER [Ubuntu1604-CIS : generate new grub config] **************************************************************************************************
fatal: [localhost]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'grub_cfg' is undefined\n\nThe error appears to have been in '/root/smtt/ansible/Ubuntu1604-CIS/handlers/main.yml': line 29, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: generate new grub config\n ^ here\n"}
Also, the command grub2-mkconfig should be renamed to grub-mkconfig:
$ grub2-mkconfig
No command 'grub2-mkconfig' found, did you mean:
Command 'grub-mkconfig' from package 'grub-common' (main)
grub2-mkconfig: command not found
In the playbook task 1.1.1.6 is handling disabling squashfs, in the guide it handles udf, and squashfs is never disabled.
Similarly 1.1.1.8 removes FAT, which is again, not addressed in the CIS guide.
The default value for ubuntu1604cis_aide_cron[aide_job] contains a wrong value: it must be /usr/bin/aide --check instead of /usr/sbin/aide --check.
The password fails the dictionary check (error loading dictionary); ensure that cracklib-runtime is installed.
Ubuntu1604-CIS/tasks/section4.yml, line 166 in c6daa60
Are lines 164-173 an incorrect duplicate of 153-162? I'm not sure why line 166 has dest: /etc/audit/audit.rules. Thanks for checking!
When running against a Ubuntu 16.04.4 machine that was upgraded from a clean 16.04.3 installation, 6.2.6 doesn't update secure path with anything. The resulting /etc/sudoers file results in this on line 11:
Defaults secure_path=""
At this point, Ansible is unable to continue and the connection is broken.
This list syntax produces wrong output in the chrony.conf file (possibly other files that use a for loop). To be more precise, it loops through the addresses as if each letter were a separate string, and this results in a new row for each of them.
E.g.
server 0 minpoll 8
server . minpoll 8
server p minpoll 8
server o minpoll 8
...
etc.
This seems to occur after this commit.
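The letter-per-row output above is what a Jinja for loop produces when the variable it iterates is a string rather than a list, because a string is itself iterable character by character. The playbook below is an added example, not the role's template or defaults; the variable names chrony_servers, chrony_servers_wrong and chrony_conf_path are illustrative assumptions, and the scratch path is chosen so nothing under /etc is touched.

```yaml
# Added example (not the role's own code). Variable names and the scratch
# output path are assumptions made for this illustration.
- hosts: localhost
  connection: local
  gather_facts: false
  vars:
    # Wrong shape: a single string. A Jinja for loop walks it character by
    # character, producing "server 0 minpoll 8", "server . minpoll 8", ...
    chrony_servers_wrong: "0.pool.ntp.org"
    # Right shape: a YAML list, one item per server line.
    chrony_servers:
      - 0.pool.ntp.org
      - 1.pool.ntp.org
    chrony_conf_path: /tmp/chrony.conf.example   # assumed scratch path

  tasks:
    # Catch the bug before anything is written. A string passes an "is
    # iterable" test, so the type has to be checked explicitly.
    - name: Ensure the server variable is a list, not a string
      assert:
        that:
          - chrony_servers is not string
          - chrony_servers | length > 0
        fail_msg: "chrony_servers must be a YAML list of hostnames or IPs"

    # Renders one "server <host> minpoll 8" line per list item.
    - name: Render chrony.conf from the list
      copy:
        dest: "{{ chrony_conf_path }}"
        content: |
          {% for server in chrony_servers %}
          server {{ server }} minpoll 8
          {% endfor %}

    # Shows the failure mode in memory only: the list filter applied to the
    # string yields ['0', '.', 'p', 'o', ...], exactly the sequence the broken
    # loop iterates over.
    - name: Show what iterating the string variable would produce
      debug:
        msg: "{{ chrony_servers_wrong | list }}"
```

The assert task is the general guard: any role variable that a template loops over should be checked with is not string in a prelim task, so a defaults change from list to string (the kind of change the commit mentioned above introduced) fails loudly instead of writing a malformed time-synchronisation config.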
ERROR: Idempotence test failed because of the following tasks: