939 lines
43 KiB
YAML
939 lines
43 KiB
YAML
---
|
|
|
|
# Some standard permissions to use
|
|
root_0000: { owner: root, group: root, mode: '0000' }
|
|
root_0444: { owner: root, group: root, mode: '0444' }
|
|
root_0600: { owner: root, group: root, mode: '0600' }
|
|
root_0640: { owner: root, group: root, mode: '0640' }
|
|
root_0644: { owner: root, group: root, mode: '0644' }
|
|
root_0700: { owner: root, group: root, mode: '0700' }
|
|
root_4755: { owner: root, group: root, mode: '4755' }
|
|
root_2755: { owner: root, group: root, mode: '2755' }
|
|
|
|
|
|
filesystems:
|
|
# CIS 1.1.2 L2 Ensure separate partition exists for /tmp
|
|
# CIS 1.1.3 L1 Ensure nodev option set on /tmp partition
|
|
# CIS 1.1.4 L1 Ensure nosuid option set on /tmp partition
|
|
# CIS 1.1.5 L1 Ensure noexec option set on /tmp partition
|
|
/tmp:
|
|
options: nodev,nosuid,noexec
|
|
size: 512M
|
|
# CIS 1.1.6 L2 Ensure separate partition exists for /var
|
|
/var:
|
|
size: 2048M
|
|
# CIS 1.1.7 L2 Ensure separate partition exists for /var/tmp
|
|
# CIS 1.1.8 L1 Ensure nodev option set on /var/tmp partition
|
|
# CIS 1.1.9 L1 Ensure nosuid option set on /var/tmp partition
|
|
# CIS 1.1.10 L1 Ensure noexec option set on /var/tmp partition
|
|
/var/tmp:
|
|
options: nodev,nosuid,noexec
|
|
size: 512M
|
|
# CIS 1.1.11 L2 Ensure separate partition exists for /var/log
|
|
/var/log:
|
|
size: 512M
|
|
# CIS 1.1.12 L2 Ensure separate partition exists for /var/log/audit
|
|
/var/log/audit:
|
|
size: 512M
|
|
# CIS 1.1.13 L2 Ensure separate partition exists for /home
|
|
# CIS 1.1.14 L1 Ensure nodev option set on /home partition
|
|
/home:
|
|
size: 2048M
|
|
options: nodev
|
|
# CIS 1.1.15 L1 Ensure nodev option set on /dev/shm partition
|
|
# CIS 1.1.16 L1 Ensure nosuid option set on /dev/shm partition
|
|
# CIS 1.1.17 L1 Ensure noexec option set on /dev/shm partition
|
|
/dev/shm:
|
|
options: nodev,nosuid,noexec
|
|
fstype: tmpfs
|
|
device: tmpfs
|
|
|
|
|
|
|
|
# CIS 1.1.18 L1 Ensure nodev option set on removable media partitions
|
|
# CIS 1.1.19 L1 Ensure nosuid option set on removable media partitions
|
|
# CIS 1.1.20 L1 Ensure noexec option set on removable media partitions
|
|
|
|
# CIS 1.1.21 L1 Ensure sticky bit is set on all world-writable directories
|
|
# CIS 1.2.1 L1 Ensure package manager repositories are configured
|
|
# CIS 1.2.2 L1 Ensure gpgcheck is globally activated
|
|
# CIS 1.2.3 L1 Ensure GPG keys are configured
|
|
# CIS 1.2.4 L1 Ensure Red Hat Subscription Manager connection is configured
|
|
# CIS 1.3.1 L1 Ensure AIDE is installed
|
|
|
|
# CIS 1.7.1.2 L1 Ensure local login warning banner is configured properly - banner text
|
|
profile::ssh::banner_content: |2+
|
|
|
|
Do not logon unless you have read and agree to the following.
|
|
|
|
By continuing to logon you are representing that you are an authorised user
|
|
and you accept and agree that:
|
|
|
|
1. use of Australia Post (AP) computers, systems, software and facilities
|
|
including email and Internet Browsing is subject to policies and guidelines issued
|
|
by Australia Post from time to time;
|
|
|
|
2. the contents of all internal, incoming and outgoing emails are the property of
|
|
Australia Post;
|
|
|
|
3. Australia Post may take disciplinary action under the AP Employee Counselling
|
|
and Disciplinary Process, and/or legal action against anyone failing to comply
|
|
with relevant policy or misusing IT facilities including email and Internet;
|
|
|
|
4. misuse includes use, access or transmission of pornographic photos, animations,
|
|
cartoons, and images (including screensavers), sexually explicit, sexist, racist
|
|
material or material that offends, embarrasses or degrades a person because of
|
|
disability, sex, religion or ethnic background, or unacceptable behaviour or
|
|
harrassment as outlined in the Code of Ethics or Harrassment Policy;
|
|
|
|
5. Australia Post may monitor or audit the use of any of its IT facilities and
|
|
any information stored or passed through these facilities including email and
|
|
Internet browsing details;
|
|
|
|
It is your responsibility to read and comply with the Group Technology Use Policy.
|
|
Should you have any questions about these conditions or the policies detailed here
|
|
please contact your line manager. For all information security related issues
|
|
contact the Information Security Office at secureatpost@auspost.com.au
|
|
|
|
I agree to these terms and conditions.
|
|
|
|
profile::file_ops::files:
|
|
# CIS 1.4.1 L1 Ensure permissions on bootloader config are configured - grub.cfg
|
|
/boot/grub2/grub.cfg: "%{alias('root_0640')}"
|
|
# CIS 1.4.1 L1 Ensure permissions on bootloader config are configured - user.cfg
|
|
/boot/grub2/user.cfg: "%{alias('root_0640')}"
|
|
# CIS 1.7.1.1 L1 Ensure message of the day is configured properly - banner text
|
|
# CIS 1.7.1.4 L1 Ensure permissions on /etc/motd are configured
|
|
/etc/motd:
|
|
content: ''
|
|
mode: '0644'
|
|
owner: root
|
|
group: root
|
|
# CIS 1.7.1.5 L1 Ensure permissions on /etc/issue are configured - already covered by SSH module
|
|
#/etc/issue:
|
|
#content: "%{hiera('profile::ssh::banner_content')}"
|
|
#mode: 644
|
|
#owner: root
|
|
#group: root
|
|
# CIS 1.7.1.3 L1 Ensure remote login warning banner is configured properly - banner text
|
|
# CIS 1.7.1.6 L1 Ensure permissions on /etc/issue.net are configured - already covered by SSH module
|
|
#/etc/issue.net:
|
|
#content: "%{hiera('profile::ssh::banner_content')}"
|
|
#mode: 644
|
|
#owner: root
|
|
#group: root
|
|
# CIS 3.4.2 L1 Ensure /etc/hosts.allow is configured
|
|
# CIS 3.4.4 L1 Ensure permissions on /etc/hosts.allow are configured
|
|
/etc/hosts.allow:
|
|
content: |
|
|
# File managed by Puppet
|
|
'ALL: 10.0.0.0/255.0.0.0'
|
|
mode: '0644'
|
|
owner: root
|
|
group: root
|
|
# CIS 3.4.3 L1 Ensure /etc/hosts.deny is configured
|
|
# CIS 3.4.5 L1 Ensure permissions on /etc/hosts.deny are configured
|
|
/etc/hosts.deny:
|
|
content: |
|
|
# File managed by Puppet
|
|
'ALL: ALL'
|
|
mode: '0644'
|
|
owner: root
|
|
group: root
|
|
/etc/modprobe.d/CIS.conf:
|
|
content: |
|
|
# File managed by Puppet
|
|
# CIS 1.1.1.1 L1 Ensure mounting of cramfs filesystems is disabled - modprobe
|
|
install cramfs /bin/true
|
|
# CIS 1.1.1.2 L1 Ensure mounting of freevxfs filesystems is disabled - lsmod
|
|
install freevxfs /bin/true
|
|
# CIS 1.1.1.3 L1 Ensure mounting of jffs2 filesystems is disabled - modprobe
|
|
install jffs2 /bin/true
|
|
# CIS 1.1.1.4 L1 Ensure mounting of hfs filesystems is disabled - modprobe
|
|
install hfs /bin/true
|
|
# CIS 1.1.1.5 L1 Ensure mounting of hfsplus filesystems is disabled - lsmod
|
|
install hfsplus /bin/true
|
|
# CIS 1.1.1.6 L1 Ensure mounting of squashfs filesystems is disabled - modprobe
|
|
install squashfs /bin/true
|
|
# CIS 1.1.1.7 L1 Ensure mounting of udf filesystems is disabled - lsmod
|
|
install udf /bin/true
|
|
# CIS 1.1.1.8 L2 Ensure mounting of FAT filesystems is disabled
|
|
install vfat /bin/true
|
|
|
|
# CIS 3.5.1 L1 Ensure DCCP is disabled
|
|
install dccp /bin/true
|
|
# CIS 3.5.2 L1 Ensure SCTP is disabled
|
|
install sctp /bin/true
|
|
# CIS 3.5.3 L1 Ensure RDS is disabled
|
|
install rds /bin/true
|
|
# CIS 3.5.4 L1 Ensure TIPC is disabled
|
|
install tipc /bin/true
|
|
mode: '0644'
|
|
owner: root
|
|
group: root
|
|
# CIS 5.1.2 L1 Ensure permissions on /etc/crontab are configured
|
|
/etc/crontab: "%{alias('root_0600')}"
|
|
# CIS 5.1.8 L1 Ensure at/cron is restricted to authorized users - cron.allow
|
|
/etc/cron.allow: "%{alias('root_0600')}"
|
|
# CIS 5.1.8 L1 Ensure at/cron is restricted to authorized users - cron.deny
|
|
/etc/cron.deny:
|
|
ensure: absent
|
|
# CIS 5.1.8 L1 Ensure at/cron is restricted to authorized users - at.allow
|
|
/etc/at.allow: "%{alias('root_0600')}"
|
|
# CIS 5.1.8 L1 Ensure at/cron is restricted to authorized users - at.deny
|
|
/etc/at.deny:
|
|
ensure: absent
|
|
/etc/security/pwquality.conf:
|
|
content: |
|
|
# File managed by Puppet
|
|
difok = 5
|
|
# CIS 5.3.1 L1 Ensure password creation requirements are configured - minlen
|
|
minlen = 9
|
|
# CIS 5.3.1 L1 Ensure password creation requirements are configured - dcredit
|
|
dcredit = -1
|
|
# CIS 5.3.1 L1 Ensure password creation requirements are configured - ucredit
|
|
ucredit = -1
|
|
# CIS 5.3.1 L1 Ensure password creation requirements are configured - lcredit
|
|
lcredit = -1
|
|
# CIS 5.3.1 L1 Ensure password creation requirements are configured - ocredit
|
|
ocredit = -1
|
|
# minclass = 0
|
|
# maxrepeat = 0
|
|
# maxclassrepeat = 0
|
|
# gecoscheck = 0
|
|
# dictpath =
|
|
mode: '0644'
|
|
owner: root
|
|
group: root
|
|
# CIS 5.4.4 L1 Ensure default user umask is 027 or more restrictive - /etc/profile /etc/profile.d/*.sh
|
|
/etc/profile.d/umask.sh:
|
|
content: "umask 0027\n"
|
|
/etc/profile.d/umask.csh:
|
|
content: "umask 0027\n"
|
|
# CIS 5.4.5 L2 Ensure default user shell timeout is 900 seconds or less - /etc/profile
|
|
/etc/profile.d/autologout.sh:
|
|
content: "export TMOUT=36000\n"
|
|
/etc/profile.d/tmout.csh:
|
|
content: "TMOUT=36000\n"
|
|
# CIS 6.1.2 L1 Ensure permissions on /etc/passwd are configured
|
|
/etc/passwd: "%{alias('root_0644')}"
|
|
# CIS 6.1.3 L1 Ensure permissions on /etc/shadow are configured
|
|
/etc/shadow: "%{alias('root_0000')}"
|
|
# CIS 6.1.4 L1 Ensure permissions on /etc/group are configured
|
|
/etc/group: "%{alias('root_0644')}"
|
|
# CIS 6.1.5 L1 Ensure permissions on /etc/gshadow are configured
|
|
/etc/gshadow: "%{alias('root_0000')}"
|
|
# CIS 6.1.6 L1 Ensure permissions on /etc/passwd- are configured
|
|
/etc/passwd-: "%{alias('root_0644')}"
|
|
# CIS 6.1.7 L1 Ensure permissions on /etc/shadow- are configured
|
|
/etc/shadow-: "%{alias('root_0000')}"
|
|
# CIS 6.1.8 L1 Ensure permissions on /etc/group- are configured
|
|
/etc/group-: "%{alias('root_0644')}"
|
|
# CIS 6.1.9 L1 Ensure permissions on /etc/gshadow- are configured
|
|
/etc/gshadow-: "%{alias('root_0000')}"
|
|
# CIS 2.2.1.2 L1 Ensure ntp is configured - restrict -4 - not using NTP
|
|
# CIS 2.2.1.2 L1 Ensure ntp is configured - restrict -6 - not using NTP
|
|
# CIS 2.2.1.2 L1 Ensure ntp is configured - server - not using NTP
|
|
# CIS 2.2.1.3 L1 Ensure chrony is configured - NTP server - set elsewhere in hiera
|
|
# CIS 2.2.1.3 L1 Ensure chrony is configured - OPTIONS
|
|
/etc/sysconfig/chronyd:
|
|
content: |
|
|
# File managed by Puppet
|
|
OPTIONS='-u chrony'
|
|
# CIS 4.1.1.1 L2 Ensure audit log storage size is configured
|
|
# CIS 4.1.1.2 L2 Ensure system is disabled when audit logs are full - 'space_left_action = email'
|
|
# CIS 4.1.1.2 L2 Ensure system is disabled when audit logs are full - 'action_mail_acct = root'
|
|
# CIS 4.1.1.2 L2 Ensure system is disabled when audit logs are full - 'admin_space_left_action = halt'
|
|
# CIS 4.1.1.3 L2 Ensure audit logs are not automatically deleted
|
|
# CIS 4.1.2 L2 Ensure auditd service is enabled
|
|
# CIS 4.1.3 L2 Ensure auditing for processes that start prior to auditd is enabled
|
|
# CIS 4.1.4 L2 Ensure events that modify date and time information are collected - auditctl adjtimex (32-bit)
|
|
# CIS 4.1.4 L2 Ensure events that modify date and time information are collected - adjtimex (32-bit)
|
|
# CIS 4.1.4 L2 Ensure events that modify date and time information are collected - auditctl clock_settime (32-bit)
|
|
# CIS 4.1.4 L2 Ensure events that modify date and time information are collected - clock_settime (32-bit)
|
|
# CIS 4.1.4 L2 Ensure events that modify date and time information are collected - auditctl /etc/localtime
|
|
# CIS 4.1.4 L2 Ensure events that modify date and time information are collected - /etc/localtime
|
|
# CIS 4.1.4 L2 Ensure events that modify date and time information are collected - auditctl adjtimex (64-bit)
|
|
# CIS 4.1.4 L2 Ensure events that modify date and time information are collected - auditctl clock_settime (64-bit)
|
|
# CIS 4.1.4 L2 Ensure events that modify date and time information are collected - adjtimex (64-bit)
|
|
# CIS 4.1.4 L2 Ensure events that modify date and time information are collected - clock_settime (64-bit)
|
|
# CIS 4.1.5 L2 Ensure events that modify user/group information are collected - '/etc/group'
|
|
# CIS 4.1.5 L2 Ensure events that modify user/group information are collected - auditctl '/etc/group'
|
|
# CIS 4.1.5 L2 Ensure events that modify user/group information are collected - '/etc/passwd'
|
|
# CIS 4.1.5 L2 Ensure events that modify user/group information are collected - auditctl '/etc/passwd'
|
|
# CIS 4.1.5 L2 Ensure events that modify user/group information are collected - '/etc/gshadow'
|
|
# CIS 4.1.5 L2 Ensure events that modify user/group information are collected - auditctl '/etc/gshadow'
|
|
# CIS 4.1.5 L2 Ensure events that modify user/group information are collected - '/etc/shadow'
|
|
# CIS 4.1.5 L2 Ensure events that modify user/group information are collected - auditctl '/etc/shadow'
|
|
# CIS 4.1.5 L2 Ensure events that modify user/group information are collected - '/etc/security/opasswd'
|
|
# CIS 4.1.5 L2 Ensure events that modify user/group information are collected - auditctl '/etc/security/opasswd'
|
|
# CIS 4.1.6 L2 Ensure events that modify the system's network environment are collected - sethostname (32-bit)
|
|
# CIS 4.1.6 L2 Ensure events that modify the system's network environment are collected - auditctl sethostname (32-bit)
|
|
# CIS 4.1.6 L2 Ensure events that modify the system's network environment are collected - issue
|
|
# CIS 4.1.6 L2 Ensure events that modify the system's network environment are collected - auditctl issue
|
|
# CIS 4.1.6 L2 Ensure events that modify the system's network environment are collected - issue.net
|
|
# CIS 4.1.6 L2 Ensure events that modify the system's network environment are collected - auditctl issue.net
|
|
# CIS 4.1.6 L2 Ensure events that modify the system's network environment are collected - /etc/hosts
|
|
# CIS 4.1.6 L2 Ensure events that modify the system's network environment are collected - auditctl hosts
|
|
# CIS 4.1.6 L2 Ensure events that modify the system's network environment are collected - /etc/sysconfig/network
|
|
# CIS 4.1.6 L2 Ensure events that modify the system's network environment are collected - auditctl network
|
|
# CIS 4.1.6 L2 Ensure events that modify the system's network environment are collected - /etc/sysconfig/network-scripts
|
|
# CIS 4.1.6 L2 Ensure events that modify the system's network environment are collected - auditctl network-scripts
|
|
# CIS 4.1.6 L2 Ensure events that modify the system's network environment are collected - sethostname (64-bit)
|
|
# CIS 4.1.6 L2 Ensure events that modify the system's network environment are collected - auditctl sethostname (64-bit)
|
|
# CIS 4.1.7 L2 Ensure events that modify the system's Mandatory Access Controls are collected - /etc/selinux/
|
|
# CIS 4.1.7 L2 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/selinux/
|
|
# CIS 4.1.7 L2 Ensure events that modify the system's Mandatory Access Controls are collected - /usr/share/selinux/
|
|
# CIS 4.1.7 L2 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /usr/share/selinux/
|
|
# CIS 4.1.8 L2 Ensure login and logout events are collected - /var/log/lastlog
|
|
# CIS 4.1.8 L2 Ensure login and logout events are collected - auditctl /var/log/lastlog
|
|
# CIS 4.1.8 L2 Ensure login and logout events are collected - /var/run/faillock/
|
|
# CIS 4.1.8 L2 Ensure login and logout events are collected - auditctl /var/run/faillock/
|
|
# CIS 4.1.9 L2 Ensure session initiation information is collected - utmp
|
|
# CIS 4.1.9 L2 Ensure session initiation information is collected - auditctl utmp
|
|
# CIS 4.1.9 L2 Ensure session initiation information is collected - wtmp
|
|
# CIS 4.1.9 L2 Ensure session initiation information is collected - auditctl wtmp
|
|
# CIS 4.1.9 L2 Ensure session initiation information is collected - btmp
|
|
# CIS 4.1.9 L2 Ensure session initiation information is collected - auditctl btmp
|
|
# CIS 4.1.10 L2 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat
|
|
# CIS 4.1.10 L2 Ensure discretionary access control permission modification events are collected - auditctl chmod/fchmod/fchmodat
|
|
# CIS 4.1.10 L2 Ensure discretionary access control permission modification events are collected - chown/fchown/fchownat/lchown
|
|
# CIS 4.1.10 L2 Ensure discretionary access control permission modification events are collected - auditctl chown/fchown/fchownat/lchown
|
|
# CIS 4.1.10 L2 Ensure discretionary access control permission modification events are collected - setxattr/lsetxattr/fsetxattr/removexattr
|
|
# CIS 4.1.10 L2 Ensure discretionary access control permission modification events are collected - auditctl setxattr/lsetxattr/fsetxattr/removexattr
|
|
# CIS 4.1.10 L2 Ensure discretionary access control permission modification events are collected - chmod/fchmod/fchmodat (64-bit)
|
|
# CIS 4.1.10 L2 Ensure discretionary access control permission modification events are collected - auditctl chmod/fchmod/fchmodat (64-bit)
|
|
# CIS 4.1.10 L2 Ensure discretionary access control permission modification events are collected - chown/fchown/fchownat/lchown (64-bit)
|
|
# CIS 4.1.10 L2 Ensure discretionary access control permission modification events are collected - auditctl chown/fchown/fchownat/lchown (64-bit)
|
|
# CIS 4.1.10 L2 Ensure discretionary access control permission modification events are collected - xattr (64-bit)
|
|
# CIS 4.1.10 L2 Ensure discretionary access control permission modification events are collected - auditctl xattr (64-bit)
|
|
# CIS 4.1.11 L2 Ensure unsuccessful unauthorized file access attempts are collected - EACCES
|
|
# CIS 4.1.11 L2 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EACCES
|
|
# CIS 4.1.11 L2 Ensure unsuccessful unauthorized file access attempts are collected - EPERM
|
|
# CIS 4.1.11 L2 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EPERM
|
|
# CIS 4.1.11 L2 Ensure unsuccessful unauthorized file access attempts are collected - EACCES (64-bit)
|
|
# CIS 4.1.11 L2 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EACCES (64-bit)
|
|
# CIS 4.1.11 L2 Ensure unsuccessful unauthorized file access attempts are collected - EPERM (64-bit)
|
|
# CIS 4.1.11 L2 Ensure unsuccessful unauthorized file access attempts are collected - auditctl EPERM (64-bit)
|
|
# CIS 4.1.12 L2 Ensure use of privileged commands is collected
|
|
# CIS 4.1.13 L2 Ensure successful file system mounts are collected
|
|
# CIS 4.1.13 L2 Ensure successful file system mounts are collected - auditctl
|
|
# CIS 4.1.13 L2 Ensure successful file system mounts are collected - b64
|
|
# CIS 4.1.13 L2 Ensure successful file system mounts are collected - auditctl (64-bit)
|
|
# CIS 4.1.14 L2 Ensure file deletion events by users are collected
|
|
# CIS 4.1.14 L2 Ensure file deletion events by users are collected - auditctl
|
|
# CIS 4.1.14 L2 Ensure file deletion events by users are collected - b64
|
|
# CIS 4.1.14 L2 Ensure file deletion events by users are collected - auditctl (64-bit)
|
|
# CIS 4.1.15 L2 Ensure changes to system administration scope (sudoers) is collected - sudoers
|
|
# CIS 4.1.15 L2 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers
|
|
# CIS 4.1.15 L2 Ensure changes to system administration scope (sudoers) is collected - sudoers.d
|
|
# CIS 4.1.15 L2 Ensure changes to system administration scope (sudoers) is collected - auditctl sudoers.d
|
|
# CIS 4.1.16 L2 Ensure system administrator actions (sudolog) are collected
|
|
# CIS 4.1.16 L2 Ensure system administrator actions (sudolog) are collected - auditctl
|
|
# CIS 4.1.17 L2 Ensure kernel module loading and unloading is collected - insmod
|
|
# CIS 4.1.17 L2 Ensure kernel module loading and unloading is collected - auditctl insmod
|
|
# CIS 4.1.17 L2 Ensure kernel module loading and unloading is collected - rmmod
|
|
# CIS 4.1.17 L2 Ensure kernel module loading and unloading is collected - auditctl rmmod
|
|
# CIS 4.1.17 L2 Ensure kernel module loading and unloading is collected - modprobe
|
|
# CIS 4.1.17 L2 Ensure kernel module loading and unloading is collected - auditctl modprobe
|
|
# CIS 4.1.17 L2 Ensure kernel module loading and unloading is collected - init_module/delete_module
|
|
# CIS 4.1.17 L2 Ensure kernel module loading and unloading is collected - auditctl init_module/delete_module
|
|
# CIS 4.1.17 L2 Ensure kernel module loading and unloading is collected - init_module/delete_module
|
|
# CIS 4.1.17 L2 Ensure kernel module loading and unloading is collected - auditctl init_module/delete_module
|
|
# CIS 4.1.18 L2 Ensure the audit configuration is immutable
|
|
/etc/audit/auditd.conf:
|
|
content: |
|
|
# File managed by Puppet
|
|
#
|
|
# This file controls the configuration of the audit daemon
|
|
#
|
|
local_events = yes
|
|
write_logs = yes
|
|
log_file = /var/log/audit/audit.log
|
|
log_group = root
|
|
log_format = RAW
|
|
flush = INCREMENTAL_ASYNC
|
|
freq = 50
|
|
max_log_file = 8
|
|
num_logs = 5
|
|
priority_boost = 4
|
|
disp_qos = lossy
|
|
dispatcher = /sbin/audispd
|
|
name_format = NONE
|
|
##name = mydomain
|
|
max_log_file_action = ROTATE
|
|
space_left = 75
|
|
space_left_action = SYSLOG
|
|
verify_email = yes
|
|
action_mail_acct = root
|
|
admin_space_left = 50
|
|
admin_space_left_action = SUSPEND
|
|
disk_full_action = SUSPEND
|
|
disk_error_action = SUSPEND
|
|
use_libwrap = yes
|
|
##tcp_listen_port = 60
|
|
tcp_listen_queue = 5
|
|
tcp_max_per_addr = 1
|
|
##tcp_client_ports = 1024-65535
|
|
tcp_client_max_idle = 0
|
|
enable_krb5 = no
|
|
krb5_principal = auditd
|
|
##krb5_key_file = /etc/audit/audit.key
|
|
distribute_network = no
|
|
|
|
|
|
profile::file_ops::directories:
|
|
# CIS 5.1.3 L1 Ensure permissions on /etc/cron.hourly are configured
|
|
/etc/cron.hourly: "%{alias('root_0700')}"
|
|
# CIS 5.1.4 L1 Ensure permissions on /etc/cron.daily are configured
|
|
/etc/cron.daily: "%{alias('root_0700')}"
|
|
# CIS 5.1.5 L1 Ensure permissions on /etc/cron.weekly are configured
|
|
/etc/cron.weekly: "%{alias('root_0700')}"
|
|
# CIS 5.1.6 L1 Ensure permissions on /etc/cron.monthly are configured
|
|
/etc/cron.monthly: "%{alias('root_0700')}"
|
|
# CIS 5.1.7 L1 Ensure permissions on /etc/cron.d are configured
|
|
/etc/cron.d: "%{alias('root_0700')}"
|
|
|
|
# CIS 5.3.1 L1 Ensure password creation requirements are configured - password-auth try_first_pass
|
|
# CIS 5.3.1 L1 Ensure password creation requirements are configured - system-auth try_first_pass
|
|
# CIS 5.3.1 L1 Ensure password creation requirements are configured - password-auth retry=3
|
|
# CIS 5.3.1 L1 Ensure password creation requirements are configured - system-auth retry=3
|
|
central_auth::pam::dfok: 5
|
|
central_auth::pam::minlen: 9
|
|
central_auth::pam::dcredit: -1
|
|
central_auth::pam::ucredit: -1
|
|
central_auth::pam::ocredit: -1
|
|
central_auth::pam::lcredit: -1
|
|
|
|
|
|
# CIS 1.4.2 L1 Ensure bootloader password is set
|
|
# CIS 1.4.3 L1 Ensure authentication required for single user mode - rescue.service
|
|
# CIS 1.4.3 L1 Ensure authentication required for single user mode - emergency.service
|
|
|
|
# CIS 1.5.1 L1 Ensure core dumps are restricted - limits.conf limits.d
|
|
security::limits::limits_hash:
|
|
"*/hard/core":
|
|
value: '0'
|
|
# CIS 1.5.1 L1 Ensure core dumps are restricted - sysctl
|
|
# CIS 1.5.1 L1 Ensure core dumps are restricted - sysctl.conf sysctl.d
|
|
profile::kernel::sysctl:
|
|
fs.suid_dumpable: 0
|
|
# CIS 1.5.3 L1 Ensure address space layout randomization (ASLR) is enabled - sysctl
|
|
# CIS 1.5.3 L1 Ensure address space layout randomization (ASLR) is enabled - sysctl.conf sysctl.d
|
|
kernel.randomize_va_space: 2
|
|
# CIS 3.1.1 L1 Ensure IP forwarding is disabled - sysctl
|
|
# CIS 3.1.1 L1 Ensure IP forwarding is disabled - sysctlc.conf sysctl.d
|
|
net.ipv4.ip_forward: 0
|
|
# CIS 3.1.2 L1 Ensure packet redirect sending is disabled - 'net.ipv4.conf.all.send_redirects = 0'
|
|
# CIS 3.1.2 L1 Ensure packet redirect sending is disabled - 'net.ipv4.conf.default.send_redirects = 0'
|
|
net.ipv4.conf.all.send_redirects: 0
|
|
net.ipv4.conf.default.send_redirects: 0
|
|
# CIS 3.2.1 L1 Ensure source routed packets are not accepted - 'net.ipv4.conf.default.accept_source_route = 0'
|
|
# CIS 3.2.1 L1 Ensure source routed packets are not accepted - 'net.ipv4.conf.all.accept_source_route = 0'
|
|
net.ipv4.conf.all.accept_source_route: 0
|
|
net.ipv4.conf.default.accept_source_route: 0
|
|
# CIS 3.2.2 L1 Ensure ICMP redirects are not accepted - 'net.ipv4.conf.all.accept_redirects = 0'
|
|
# CIS 3.2.2 L1 Ensure ICMP redirects are not accepted - 'net.ipv4.conf.default.accept_redirects = 0'
|
|
net.ipv4.conf.all.accept_redirects: 0
|
|
net.ipv4.conf.default.accept_redirects: 0
|
|
# CIS 3.2.3 L1 Ensure secure ICMP redirects are not accepted - 'net.ipv4.conf.default.secure_redirects = 0'
|
|
# CIS 3.2.3 L1 Ensure secure ICMP redirects are not accepted - 'net.ipv4.conf.all.secure_redirects = 0'
|
|
net.ipv4.conf.all.secure_redirects: 0
|
|
net.ipv4.conf.default.secure_redirects: 0
|
|
# CIS 3.2.4 L1 Ensure suspicious packets are logged - 'net.ipv4.conf.all.log_martians = 1'
|
|
# CIS 3.2.4 L1 Ensure suspicious packets are logged - 'net.ipv4.conf.default.log_martians = 1'
|
|
net.ipv4.conf.all.log_martians: 1
|
|
net.ipv4.conf.default.log_martians: 1
|
|
# CIS 3.2.5 L1 Ensure broadcast ICMP requests are ignored - sysctl
|
|
# CIS 3.2.5 L1 Ensure broadcast ICMP requests are ignored - sysctl.conf sysctl.d
|
|
net.ipv4.icmp_echo_ignore_broadcasts: 1
|
|
# CIS 3.2.6 L1 Ensure bogus ICMP responses are ignored - sysctl
|
|
# CIS 3.2.6 L1 Ensure bogus ICMP responses are ignored - sysctl.conf sysctl.d
|
|
net.ipv4.icmp_ignore_bogus_error_responses: 1
|
|
# CIS 3.2.7 L1 Ensure Reverse Path Filtering is enabled - 'net.ipv4.conf.default.rp_filter = 1'
|
|
# CIS 3.2.7 L1 Ensure Reverse Path Filtering is enabled - 'net.ipv4.conf.all.rp_filter = 1'
|
|
net.ipv4.conf.all.rp_filter: 1
|
|
net.ipv4.conf.default.rp_filter: 1
|
|
# CIS 3.2.8 L1 Ensure TCP SYN Cookies is enabled - sysctl
|
|
# CIS 3.2.8 L1 Ensure TCP SYN Cookies is enabled - sysctl.conf sysctl.d
|
|
net.ipv4.tcp_syncookies: 1
|
|
# CIS 3.3.1 L1 Ensure IPv6 router advertisements are not accepted - 'net.ipv6.conf.all.accept_ra = 0'
|
|
# CIS 3.3.1 L1 Ensure IPv6 router advertisements are not accepted - 'net.ipv6.conf.default.accept_ra = 0'
|
|
# CIS 3.3.1 L1 Ensure IPv6 router advertisements are not accepted - files 'net.ipv6.conf.all.accept_ra = 0'
|
|
# CIS 3.3.1 L1 Ensure IPv6 router advertisements are not accepted - files 'net.ipv6.conf.default.accept_ra = 0'
|
|
net.ipv6.conf.all.accept_ra: 0
|
|
net.ipv6.conf.default.accept_ra: 0
|
|
# CIS 3.3.2 L1 Ensure IPv6 redirects are not accepted - 'net.ipv6.conf.default.accept_redirects = 0'
|
|
# CIS 3.3.2 L1 Ensure IPv6 redirects are not accepted - 'net.ipv6.conf.all.accept_redirects = 0'
|
|
# CIS 3.3.2 L1 Ensure IPv6 redirects are not accepted - files 'net.ipv6.conf.default.accept_redirects = 0'
|
|
# CIS 3.3.2 L1 Ensure IPv6 redirects are not accepted - files 'net.ipv6.conf.all.accept_redirects = 0'
|
|
net.ipv6.conf.all.accept_redirects: 0
|
|
net.ipv6.conf.default.accept_redirects: 0
|
|
|
|
# CIS 1.5.2 L1 Ensure XD/NX support is enabled (32 bit only)
|
|
# CIS 1.8 L1 Ensure updates, patches, and additional security software are installed
|
|
|
|
# CIS 2.2.15 L1 Ensure mail transfer agent is configured for local-only mode
|
|
networking::mailclient::inet_interfaces: 'localhost'
|
|
|
|
packages::remove:
|
|
RedHat:
|
|
# CIS 1.1.22 L1 Disable Automounting
|
|
- autofs
|
|
# CIS 1.5.4 L1 Ensure prelink is disabled
|
|
- prelink
|
|
# CIS 1.6.1.4 L2 Ensure SETroubleshoot is not installed
|
|
- setroubleshoot
|
|
# CIS 1.6.1.5 L2 Ensure the MCS Translation Service (mcstrans) is not installed
|
|
- mcstrans
|
|
# CIS 1.7.2 L1 Ensure GDM login banner is configured - user-db
|
|
# CIS 1.7.2 L1 Ensure GDM login banner is configured - system-db
|
|
# CIS 1.7.2 L1 Ensure GDM login banner is configured - file-db
|
|
# CIS 1.7.2 L1 Ensure GDM login banner is configured - banner message enabled
|
|
# CIS 1.7.2 L1 Ensure GDM login banner is configured - banner message text
|
|
- gdm
|
|
# CIS 2.1.1 L1 Ensure chargen services are not enabled - dgram
|
|
# CIS 2.1.1 L1 Ensure chargen services are not enabled - stream
|
|
# CIS 2.1.2 L1 Ensure daytime services are not enabled - dgram
|
|
# CIS 2.1.2 L1 Ensure daytime services are not enabled - stream
|
|
# CIS 2.1.3 L1 Ensure discard services are not enabled - dgram
|
|
# CIS 2.1.3 L1 Ensure discard services are not enabled - stream
|
|
# CIS 2.1.4 L1 Ensure echo services are not enabled - dgram
|
|
# CIS 2.1.4 L1 Ensure echo services are not enabled - stream
|
|
# CIS 2.1.5 L1 Ensure time services are not enabled - dgram
|
|
# CIS 2.1.5 L1 Ensure time services are not enabled - stream
|
|
# CIS 2.1.7 L1 Ensure xinetd is not enabled
|
|
- xinetd
|
|
# CIS 2.1.6 L1 Ensure tftp server is not enabled
|
|
# CIS 2.2.20 L1 Ensure tftp server is not enabled
|
|
- tftp-server
|
|
# CIS 2.2.2 L1 Ensure X Window System is not installed
|
|
# CIS 2.2.3 L1 Ensure Avahi Server is not enabled
|
|
- avahi
|
|
# CIS 2.2.4 L1 Ensure CUPS is not enabled
|
|
- cups
|
|
# CIS 2.2.5 L1 Ensure DHCP Server is not enabled
|
|
- dhcp
|
|
- dnsmasq
|
|
# CIS 2.2.6 L1 Ensure LDAP server is not enabled
|
|
- openldap-servers
|
|
# CIS 2.2.7 L1 Ensure NFS and RPC are not enabled - nfs
|
|
# CIS 2.2.7 L1 Ensure NFS and RPC are not enabled - nfs-server
|
|
# CIS 2.2.7 L1 Ensure NFS and RPC are not enabled - rpcbind
|
|
# CIS 2.2.8 L1 Ensure DNS Server is not enabled
|
|
- bind
|
|
- pdns
|
|
# CIS 2.2.9 L1 Ensure FTP Server is not enabled
|
|
- vsftpd
|
|
- pure-ftpd
|
|
- perl-ftpd
|
|
- proftpd
|
|
# CIS 2.2.10 L1 Ensure HTTP server is not enabled
|
|
- caddy
|
|
- httpd
|
|
- lighttpd
|
|
- nginx
|
|
- nginx14-nginx
|
|
- nginx16-nginx
|
|
- nodejs-ws
|
|
- xbean
|
|
- rubygem-thin
|
|
# CIS 2.2.11 L1 Ensure IMAP and POP3 server is not enabled
|
|
- dovecot
|
|
- cyrus-imapd
|
|
# CIS 2.2.12 L1 Ensure Samba is not enabled
|
|
- samba
|
|
- samba-dc
|
|
# CIS 2.2.13 L1 Ensure HTTP Proxy Server is not enabled
|
|
- squid
|
|
# CIS 2.2.14 L1 Ensure SNMP Server is not enabled
|
|
- net-snmp
|
|
# CIS 2.2.16 L1 Ensure NIS Server is not enabled
|
|
# CIS 2.3.1 L1 Ensure NIS Client is not installed
|
|
- ypserv
|
|
- ypbind
|
|
# CIS 2.2.17 L1 Ensure rsh server is not enabled - rexec
|
|
# CIS 2.2.17 L1 Ensure rsh server is not enabled - rlogin
|
|
# CIS 2.2.17 L1 Ensure rsh server is not enabled - rsh
|
|
# CIS 2.3.2 L1 Ensure rsh client is not installed
|
|
- rsh-server
|
|
- rsh
|
|
# CIS 2.2.18 L1 Ensure talk server is not enabled
|
|
# CIS 2.3.3 L1 Ensure talk client is not installed
|
|
- ntalk
|
|
- talk
|
|
# CIS 2.2.19 L1 Ensure telnet server is not enabled
|
|
- telnet-server
|
|
profile::services:
|
|
# CIS 1.2.5 L2 Disable the rhnsd Daemon
|
|
rhnsd:
|
|
ensure: stopped
|
|
enable: false
|
|
# CIS 2.2.21 L1 Ensure rsync service is not enabled
|
|
rsyncd:
|
|
ensure: stopped
|
|
enable: false
|
|
# CIS 5.1.1 L1 Ensure cron daemon is enabled
|
|
crond:
|
|
ensure: running
|
|
enable: true
|
|
|
|
# CIS 2.3.4 L1 Ensure telnet client is not installed - disputed
|
|
# CIS 2.3.5 L1 Ensure LDAP client is not installed - disputed
|
|
|
|
packages::add:
|
|
RedHat:
|
|
# CIS 3.4.1 L1 Ensure TCP Wrappers is installed
|
|
- tcp_wrappers
|
|
# CIS 1.6.2 L2 Ensure SELinux is installed
|
|
- libselinux
|
|
|
|
# CIS 3.6.1 L1 Ensure iptables is installed
|
|
profile::firewall::enable: true
|
|
profile::firewall::chains:
|
|
# CIS 3.6.2 L1 Ensure default deny firewall policy - Chain INPUT
|
|
INPUT:filter:IPv4:
|
|
policy: drop
|
|
INPUT:filter:IPv6:
|
|
policy: drop
|
|
# CIS 3.6.2 L1 Ensure default deny firewall policy - Chain FORWARD
|
|
FORWARD:filter:IPv4:
|
|
policy: drop
|
|
FORWARD:filter:IPv6:
|
|
policy: drop
|
|
# CIS 3.6.2 L1 Ensure default deny firewall policy - Chain OUTPUT
|
|
OUTPUT:filter:IPv4:
|
|
policy: drop
|
|
OUTPUT:filter:IPv6:
|
|
policy: drop
|
|
# CIS 3.6.3 L1 Ensure loopback traffic is configured
|
|
# Configured in code
|
|
# CIS 3.6.4 L1 Ensure outbound and established connections are configured
|
|
# Configured in code
|
|
# CIS 3.6.5 L1 Ensure firewall rules exist for all open ports
|
|
profile::firewall::inbound:
|
|
'101 DHCP Server':
|
|
sport: 67
|
|
proto: udp
|
|
'110 SSH Access':
|
|
dport: 22
|
|
'161 NetBackup Server':
|
|
dport: [ 1556, 13724 ]
|
|
profile::firewall::outbound:
|
|
'101 DHCP Client':
|
|
sport: 68
|
|
proto: udp
|
|
'120 SSH Access':
|
|
sport: 22
|
|
'130 Puppet Server Access':
|
|
dport: [8140,8142]
|
|
destination: 10.5.162.0/24
|
|
'102 Network Time Protocol':
|
|
dport: 123
|
|
proto: udp
|
|
'103 Name Resolution TCP':
|
|
dport: 53
|
|
proto: tcp
|
|
'103 Name Resolution UDP':
|
|
dport: 53
|
|
proto: udp
|
|
'104 AD Authentication TCP':
|
|
dport: [ 88, 389, 445, 464, 3268 ]
|
|
'104 AD Authentication UDP':
|
|
dport: [ 88, 137, 389 ]
|
|
proto: udp
|
|
'140 RightLink Agent':
|
|
# From here: https://docs.rightscale.com/faq/Firewall_Configuration_Ruleset.html
|
|
dport: 443
|
|
destination:
|
|
- 54.225.248.128/27
|
|
- 54.244.88.96/27
|
|
- 54.86.63.128/26
|
|
- 54.187.254.128/26
|
|
- 54.246.247.16/28
|
|
- 54.248.220.128/28
|
|
- 54.255.255.208/28
|
|
- 52.65.255.224/28
|
|
'141 AWS Instance Data':
|
|
dport: 80
|
|
destination: 169.254.169.254/32
|
|
'145 Sumo Logic Monitoring':
|
|
# Unfortunately SUMO runs on AWS randomly, so we need to open up access to the whole of AWS EC2 for our region ap-southeast-2
|
|
# https://help.sumologic.com/APIs/General-API-Information/Sumo-Logic-Endpoints-and-Firewall-Security
|
|
dport: 443
|
|
destination:
|
|
- 13.210.0.0/15
|
|
- 13.236.0.0/14
|
|
- 13.54.0.0/15
|
|
- 15.193.3.0/24
|
|
- 3.104.0.0/14
|
|
- 3.24.0.0/14
|
|
- 52.62.0.0/15
|
|
- 52.64.0.0/17
|
|
- 52.64.128.0/17
|
|
- 52.65.0.0/16
|
|
- 52.94.248.64/28
|
|
- 52.95.241.0/24
|
|
- 52.95.255.16/28
|
|
- 54.153.128.0/17
|
|
- 54.206.0.0/16
|
|
- 54.252.0.0/16
|
|
- 54.253.0.0/16
|
|
- 54.66.0.0/16
|
|
- 54.79.0.0/16
|
|
- 99.77.144.0/24
|
|
# Currently some sumo installations are trying to hit the US AWS site us-east-1, hopefully we can delete these after getting the
|
|
# sumo agent to just point to AU
|
|
- 100.24.0.0/13
|
|
- 107.20.0.0/14
|
|
- 15.193.6.0/24
|
|
- 162.250.236.0/24
|
|
- 162.250.237.0/24
|
|
- 162.250.238.0/23
|
|
- 174.129.0.0/16
|
|
- 18.204.0.0/14
|
|
- 18.208.0.0/13
|
|
- 18.232.0.0/14
|
|
- 184.72.128.0/17
|
|
- 184.72.64.0/18
|
|
- 184.73.0.0/16
|
|
- 204.236.192.0/18
|
|
- 208.86.88.0/23
|
|
- 216.182.224.0/21
|
|
- 216.182.232.0/22
|
|
- 216.182.238.0/23
|
|
- 23.20.0.0/14
|
|
- 3.208.0.0/12
|
|
- 3.224.0.0/12
|
|
- 3.80.0.0/12
|
|
- 34.192.0.0/12
|
|
- 34.224.0.0/12
|
|
- 35.153.0.0/16
|
|
- 35.168.0.0/13
|
|
- 44.192.0.0/11
|
|
- 50.16.0.0/15
|
|
- 50.19.0.0/16
|
|
- 52.0.0.0/15
|
|
- 52.2.0.0/15
|
|
- 52.20.0.0/14
|
|
- 52.200.0.0/13
|
|
- 52.4.0.0/14
|
|
- 52.44.0.0/15
|
|
- 52.54.0.0/15
|
|
- 52.70.0.0/15
|
|
- 52.72.0.0/15
|
|
- 52.86.0.0/15
|
|
- 52.90.0.0/15
|
|
- 52.94.201.0/26
|
|
- 52.94.248.0/28
|
|
- 52.95.245.0/24
|
|
- 52.95.255.80/28
|
|
- 54.144.0.0/14
|
|
- 54.152.0.0/16
|
|
- 54.156.0.0/14
|
|
- 54.160.0.0/13
|
|
- 54.172.0.0/15
|
|
- 54.174.0.0/15
|
|
- 54.196.0.0/15
|
|
- 54.198.0.0/16
|
|
- 54.204.0.0/15
|
|
- 54.208.0.0/15
|
|
- 54.210.0.0/15
|
|
- 54.221.0.0/16
|
|
- 54.224.0.0/15
|
|
- 54.226.0.0/15
|
|
- 54.234.0.0/15
|
|
- 54.236.0.0/15
|
|
- 54.242.0.0/15
|
|
- 54.80.0.0/13
|
|
- 54.88.0.0/14
|
|
- 54.92.128.0/17
|
|
- 67.202.0.0/18
|
|
- 72.44.32.0/19
|
|
- 75.101.128.0/17
|
|
- 99.77.128.0/24
|
|
- 99.77.129.0/24
|
|
- 99.77.191.0/24
|
|
- 99.77.254.0/24
|
|
'150 Telegraf Monitoring':
|
|
dport: 80
|
|
destination: [ 10.212.82.107/32, 10.212.85.6/32 ]
|
|
'160 YUM Server':
|
|
dport: [ 80, 443 ]
|
|
destination: "%{::yum_server}"
|
|
'161 NetBackup Server':
|
|
dport: [ 1556, 13724 ]
|
|
'162 Mail Server':
|
|
dport: 25
|
|
destination: "%{hiera('networking::mailclient::relayhost')}"
|
|
'163 Log Server':
|
|
dport: [ 5514, 6514 ]
|
|
destination:
|
|
- "%{hiera('profile::nxlog_client::logserver1')}"
|
|
- "%{hiera('profile::nxlog_client::logserver2')}"
|
|
# CIS 3.7 L1 Ensure wireless interfaces are disabled
|
|
|
|
|
|
# CIS 4.2.1.1 L1 Ensure rsyslog Service is enabled
|
|
# CIS 4.2.1.3 L1 Ensure rsyslog default file permissions configured
|
|
# CIS 4.2.1.4 L1 Ensure rsyslog is configured to send logs to a remote log host
|
|
# CIS 4.2.1.5 L1 Ensure remote rsyslog messages are only accepted on designated log hosts. - imtcp.so
|
|
# CIS 4.2.1.5 L1 Ensure remote rsyslog messages are only accepted on designated log hosts. - InputTCPServerRun 514
|
|
# CIS 4.2.2.1 L1 Ensure syslog-ng service is enabled
|
|
# CIS 4.2.2.3 L1 Ensure syslog-ng default file permissions configured
|
|
# CIS 4.2.2.4 L1 Ensure syslog-ng is configured to send logs to a remote log host - destination logserver
|
|
# CIS 4.2.2.4 L1 Ensure syslog-ng is configured to send logs to a remote log host - log src
|
|
# CIS 4.2.2.5 L1 Ensure remote syslog-ng messages are only accepted on designated log hosts
|
|
# CIS 4.2.4 L1 Ensure permissions on all logfiles are configured
|
|
|
|
|
|
# CIS 5.2.1 L1 Ensure permissions on /etc/ssh/sshd_config are configured
|
|
# Set to 600 by SSH server module
|
|
profile::ssh::options_hash:
|
|
# CIS 5.2.2 L1 Ensure SSH Protocol is set to 2
|
|
Protocol: '2'
|
|
# CIS 5.2.3 L1 Ensure SSH LogLevel is set to INFO
|
|
LogLevel: INFO
|
|
# CIS 5.2.4 L1 Ensure SSH X11 forwarding is disabled
|
|
X11Forwarding: no
|
|
# CIS 5.2.5 L1 Ensure SSH MaxAuthTries is set to 4 or less
|
|
MaxAuthTries: '4'
|
|
# CIS 5.2.6 L1 Ensure SSH IgnoreRhosts is enabled
|
|
IgnoreRhosts: yes
|
|
# CIS 5.2.7 L1 Ensure SSH HostbasedAuthentication is disabled
|
|
HostbasedAuthentication: no
|
|
# CIS 5.2.8 L1 Ensure SSH root login is disabled
|
|
PermitRootLogin: no
|
|
# CIS 5.2.9 L1 Ensure SSH PermitEmptyPasswords is disabled
|
|
PermitEmptyPasswords: no
|
|
# CIS 5.2.10 L1 Ensure SSH PermitUserEnvironment is disabled
|
|
PermitUserEnvironment: no
|
|
# CIS 5.2.11 L1 Ensure only approved MAC algorithms are used
|
|
MACs: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
|
|
# CIS 5.2.12 L1 Ensure SSH Idle Timeout Interval is configured - ClientAliveInterval - setting to an hour to balance productivity
|
|
ClientAliveInterval: '3600'
|
|
# CIS 5.2.12 L1 Ensure SSH Idle Timeout Interval is configured - ClientAliveCountMax
|
|
ClientAliveCountMax: '0'
|
|
# CIS 5.2.13 L1 Ensure SSH LoginGraceTime is set to one minute or less
|
|
LoginGraceTime: 60
|
|
# CIS 5.2.15 L1 Ensure SSH warning banner is configured
|
|
Banner: /etc/issue
|
|
# CIS 5.2.14 L1 Ensure SSH access is limited
|
|
profile::ssh::allowed_groups:
|
|
- gg_linux_admins
|
|
|
|
# CIS 5.3.2 L1 Ensure lockout for failed password attempts is configured - system-auth 'auth required pam_faillock.so'
|
|
# CIS 5.3.2 L1 Ensure lockout for failed password attempts is configured - system-auth 'auth [success=1 default=bad] pam_unix.so'
|
|
# CIS 5.3.2 L1 Ensure lockout for failed password attempts is configured - system-auth 'auth [default=die] pam_faillock.so'
|
|
# CIS 5.3.2 L1 Ensure lockout for failed password attempts is configured - system-auth 'auth sufficient pam_faillock.so'
|
|
# CIS 5.3.2 L1 Ensure lockout for failed password attempts is configured - password-auth 'auth required pam_faillock.so'
|
|
# CIS 5.3.2 L1 Ensure lockout for failed password attempts is configured - password-auth 'auth [success=1 default=bad] pam_unix.so'
|
|
# CIS 5.3.2 L1 Ensure lockout for failed password attempts is configured - password-auth 'auth [default=die] pam_faillock.so'
|
|
# CIS 5.3.2 L1 Ensure lockout for failed password attempts is configured - password-auth 'auth sufficient pam_faillock.so'
|
|
|
|
# CIS 5.3.3 L1 Ensure password reuse is limited - system-auth
|
|
# CIS 5.3.3 L1 Ensure password reuse is limited - password-auth
|
|
|
|
# CIS 5.3.4 L1 Ensure password hashing algorithm is SHA-512 - system-auth
|
|
# CIS 5.3.4 L1 Ensure password hashing algorithm is SHA-512 - password-auth
|
|
# Set via the central_auth module
|
|
|
|
# CIS 5.4.1.1 L1 Ensure password expiration is 365 days or less
|
|
# CIS 5.4.1.2 L1 Ensure minimum days between password changes is 7 or more
|
|
# CIS 5.4.1.3 L1 Ensure password expiration warning days is 7 or more
|
|
# CIS 5.4.1.4 L1 Ensure inactive password lock is 30 days or less
|
|
# CIS 5.4.1.5 L1 Ensure all users last password change date is in the past
|
|
|
|
# CIS 5.4.2 L1 Ensure system accounts are non-login
|
|
|
|
local_users::add::users:
|
|
root:
|
|
uid: 0
|
|
# CIS 5.4.3 L1 Ensure default group for the root account is GID 0
|
|
gid: 0
|
|
# CIS 5.6 L1 Ensure access to the su command is restricted - wheel group contains root
|
|
groups: [ wheel ]
|
|
|
|
profile::file_ops::file_lines:
|
|
/etc/bashrc:
|
|
# CIS 5.4.5 L2 Ensure default user shell timeout is 900 seconds or less - /etc/bashrc - setting to an hour to balance productivity
|
|
- line : 'TMOUT=3600'
|
|
match : 'TMOUT='
|
|
# CIS 5.4.4 L1 Ensure default user umask is 027 or more restrictive - /etc/bashrc
|
|
- line : ' umask 027'
|
|
match : ' umask 0\d\d'
|
|
multiple : true
|
|
# CIS 5.6 L1 Ensure access to the su command is restricted - pam_wheel.so
|
|
/etc/pam.d/su:
|
|
line : 'auth required pam_wheel.so use_uid'
|
|
match : '#auth required pam_wheel.so use_uid'
|
|
# CIS 3.3.3 L1 Ensure IPv6 is disabled
|
|
/etc/default/grub:
|
|
line: GRUB_CMDLINE_LINUX='ipv6.disable=1'
|
|
match: GRUB_CMDLINE_LINUX
|
|
# CIS 6.2.2 L1 Ensure no legacy '+' entries exist in /etc/passwd
|
|
/etc/passwd:
|
|
ensure: absent
|
|
line: '+'
|
|
# CIS 6.2.3 L1 Ensure no legacy '+' entries exist in /etc/shadow
|
|
/etc/shadow:
|
|
ensure: absent
|
|
line: '+'
|
|
# CIS 6.2.4 L1 Ensure no legacy '+' entries exist in /etc/group
|
|
/etc/group:
|
|
ensure: absent
|
|
line: '+'
|
|
|
|
# CIS 5.5 L1 Ensure root login is restricted to system console - TBD
|
|
# CIS 6.1.10 L1 Ensure no world writable files exist
|
|
# CIS 6.1.11 L1 Ensure no unowned files or directories exist
|
|
# CIS 6.1.12 L1 Ensure no ungrouped files or directories exist
|
|
# CIS 6.1.13 L1 Audit SUID executables
|
|
# CIS 6.1.14 L1 Audit SGID executables
|
|
# CIS 6.2.1 L1 Ensure password fields are not empty
|
|
|
|
# CIS 6.2.5 L1 Ensure root is the only UID 0 account
|
|
# CIS 6.2.6 L1 Ensure root PATH Integrity
|
|
# CIS 6.2.7 L1 Ensure all users' home directories exist
|
|
# CIS 6.2.8 L1 Ensure users' home directories permissions are 750 or more restrictive
|
|
# CIS 6.2.9 L1 Ensure users own their home directories
|
|
# CIS 6.2.10 L1 Ensure users' dot files are not group or world writable
|
|
# CIS 6.2.11 L1 Ensure no users have .forward files
|
|
# CIS 6.2.12 L1 Ensure no users have .netrc files
|
|
# CIS 6.2.13 L1 Ensure users' .netrc Files are not group or world accessible
|
|
# CIS 6.2.14 L1 Ensure no users have .rhosts files
|
|
# CIS 6.2.15 L1 Ensure all groups in /etc/passwd exist in /etc/group
|
|
# CIS 6.2.16 L1 Ensure no duplicate UIDs exist
|
|
# CIS 6.2.17 L1 Ensure no duplicate GIDs exist
|
|
# CIS 6.2.18 L1 Ensure no duplicate user names exist
|
|
# CIS 6.2.19 L1 Ensure no duplicate group names exist
|
|
|
|
# CIS 1.6.1.1 L2 Ensure SELinux is not disabled in bootloader configuration - selinux = 0
|
|
# CIS 1.6.1.1 L2 Ensure SELinux is not disabled in bootloader configuration - enforcing = 0
|
|
|
|
profile::file_ops::templates:
|
|
# CIS 1.6.1.2 L2 Ensure the SELinux state is enforcing
|
|
# CIS 1.6.1.3 L2 Ensure SELinux policy is configured
|
|
/etc/selinux/config:
|
|
data:
|
|
setting: permissive
|
|
type: targeted
|
|
owner: root
|
|
group: root
|
|
mode: '0644'
|
|
content: |
|
|
# This file controls the state of SELinux on the system.
|
|
# SELINUX= can take one of these three values:
|
|
# enforcing - SELinux security policy is enforced.
|
|
# permissive - SELinux prints warnings instead of enforcing.
|
|
# disabled - No SELinux policy is loaded.
|
|
SELINUX=<%= $setting %>
|
|
# SELINUXTYPE= can take one of these two values:
|
|
# targeted - Targeted processes are protected,
|
|
# mls - Multi Level Security protection.
|
|
SELINUXTYPE=<%= $type %>
|
|
|
|
# CIS 1.6.1.6 L2 Ensure no unconfined daemons exist
|
|
|
|
# CIS 6.1.1 L2 Audit system file permissions
|