florianutz / ubuntu1604-cis Goto Github PK

I can't find any tasks checking the registered vars, and yet these tasks are set to never fail. As far as I can tell these are scored rules that are being allowed to pass unchecked.

root@server-ubuntu-1604:~# ansible-playbook --version
ansible-playbook 2.0.0.2

root@log-server-ubuntu-1604:~# ansible-playbook --check /etc/ansible/roles/florianutz.ubuntu1604-cis/tasks/main.yml
 [WARNING]: provided hosts list is empty, only localhost is available

ERROR! 'fail' is not a valid attribute for a Play

The error appears to have been in '/etc/ansible/roles/florianutz.ubuntu1604-cis/tasks/main.yml': line 3, column 3, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

# tasks file for Ubuntu1604-CIS
- name: Check OS version and family
  ^ here

root@log-server-ubuntu-1604:~# ansible-playbook site.yml
 [WARNING]: provided hosts list is empty, only localhost is available

ERROR! The handlers/main.yml file for role 'florianutz.ubuntu1604-cis' must contain a list of tasks

The error appears to have been in '/etc/ansible/roles/florianutz.ubuntu1604-cis/tasks/main.yml': line 3, column 1, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

# tasks file for Ubuntu1604-CIS
- name: Check OS version and family
^ here

I was able to successfully run this on a machine the other day and on another system with the same configuration it's not failing. I doubt this is an issue with the file, as I have been able to get this to run, but I haven't the foggiest idea why it would suddenly be failing like this. Any ideas?

When running the section5 SSH tasks, the sshd configuration file is not validated. The ssh daemon may not be restarted, because not all tasks contain the notify statement and the error remains silently in the configuration file.

This can cause, that sshd configuration file is misconfigured and ssh daemon will not start after system restart.

This is major issue, since the administrator has to log into the machine via single user mode, serial console or another type of alternative access to fix the misconfigured file. This happened to me today on GCP platform, where the end of the SSH file is by default configured properly, but if another line is added to it, it breaks the syntax.

Example of valid ending of SSH config file:

# Create chrooted directory
Match Group scponly
    ChrootDirectory %h
    passwordAuthentication yes
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

By adding for example line PermitUserEnvironment no, the Match block is not closed with Match all statement and the configuration file is invalid.

# Create chrooted directory
Match Group scponly
    ChrootDirectory %h
    passwordAuthentication yes
    ForceCommand internal-sftp
    AllowTcpForwarding no
PermitUserEnvironment no

Error when running sshd -t:

/etc/ssh/sshd_config line 69: Directive 'PermitUserEnvironment' is not allowed within a Match block.

As remediation I propose:

• There should be SSH validation run sshd -t after tasks or in handler
• If the validation is run on handler, all tasks, that alter sshd config file should notify for daemon restart.

due to the fact long uptimes can rotate out/overfill the dmesg log it's not reliable or accurate to check this biased on dmesg alone

This information can be gotten from the /proc/cpuinfo file that is in ubuntu by default with the following command
grep ^flags /proc/cpuinfo | head -n1 | egrep --color=auto ' (pae|nx) '
-https://wiki.ubuntu.com/Security/CPUFeatures

Currently you have version tags in GitHub, but those versions are not reflected in Ansible Galaxy. It would be very helpful for me if you would set up Galaxy to use those version tags.

The link to the CIS guide doesn't work anymore.

On their current version of this it, the ubuntu 16 guide is hidden behind an email registration here: https://www.cisecurity.org/benchmark/ubuntu_linux/

The page is branded for Ubuntu 18, and has a back link for Ubuntu 14, but if you register, you get an email with a link to a download archive where Ubuntu the Ubuntu 16 PDF is available.

HI Florian ,

1. ansible-galaxy install -p roles -r requirements.yml in this command requirement.yml is missing .

2. ERROR! 'register' is not a valid attribute for a Play

The error appears to have been in '/etc/ansible/Sango/Ubuntu1604-CIS/tasks/prelim.yml': line 2, column 3, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

• name: PRELIM | List users accounts
  ^ here

I am geeting this issue , can you please help me here .

I get this error:

RUNNING HANDLER [Ubuntu1604-CIS : generate new grub config] **************************************************************************************************
fatal: [localhost]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'grub_cfg' is undefined\n\nThe error appears to have been in '/root/smtt/ansible/Ubuntu1604-CIS/handlers/main.yml': line 29, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: generate new grub config\n ^ here\n"}

Also, the command grub2-mkconfig should be renamed to grub-mkconfig:

$ grub2-mkconfig
No command 'grub2-mkconfig' found, did you mean:
Command 'grub-mkconfig' from package 'grub-common' (main)
grub2-mkconfig: command not found

In the playbook task 1.1.1.6 is handling disabling squashfs, in the guide it handles udf, and squashfs is never disabled.

Similarly 1.1.1.8 removes FAT, which is again, not addressed in the CIS guide.

default value for ubuntu1604cis_aide_cron[aide_job] contains a wrong value
there must be /usr/bin/aide --check instead of /usr/sbin/aide --check

the password fails the dictionary check - error loading dictionary

ensure that cracklib-runtime is installed

Are lines 164-173 an incorrect duplicate of 153-162? I'm not sure why line 166 has dest: /etc/audit/audit.rules. Thanks for checking!

When running against a Ubuntu 16.04.4 machine that was upgraded from a clean 16.04.3 installation, 6.2.6 doesn't update secure path with anything. The resulting /etc/sudoers file results in this on line 11:

Defaults        secure_path=""

At this point, Ansible is unable to continue and the connection is broken.

This list syntax produce wrong output to the chrony.conf file (possible other files, that are using FOR loop). To be more precise it loops through the addresses as each letter is a separate string and this results a new row for each of them.
E.g.
server 0 minpoll 8
server . minpoll 8
server p minpoll 8
server o minpoll 8
...
etc.
This seems to occur after this commit.

ERROR: Idempotence test failed because of the following tasks:

• [instance] => Ubuntu1604-CIS : SCORED | 1.1.1.4 | PATCH | Ensure mounting of hfs filesystems is disabled
• [instance] => Ubuntu1604-CIS : SCORED | 1.1.1.5 | PATCH | Ensure mounting of hfsplus filesystems is disabled
• [instance] => Ubuntu1604-CIS : NOTSCORED | 4.3 | PATCH | Ensure logrotate.conf exists