Feature update ubuntu 20.04 (#77)
* updated Ubuntu 20.04 rules

* added fix for issue #76

* updated REFERENCE
tom-krieger authored Jan 28, 2024
1 parent 8ef55c4 commit a7f2c45
Showing 53 changed files with 545 additions and 146 deletions.
5 changes: 5 additions & 0 deletions CHANGELOG.md
Expand Up @@ -2,6 +2,11 @@

All notable changes to this project will be documented in this file.

## Release 0.9.2

* Updated to Ubuntu 20.04 benchmark version 2.0.1
* fix for issue #76: umsask setting on Redhat like OSes only if authselect id not enforced

## Release 0.9.1

* Fix for issue #66
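Review bot: the new 0.9.2 entry `* fix for issue #76: umsask setting on Redhat like OSes only if authselect id not enforced` has two typos that will ship in the release notes: `umsask` should be `umask` and `id not enforced` should be `is not enforced`. Suggest `* fix for issue #76: umask setting on RedHat-like OSes only if authselect is not enforced`.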
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -55,7 +55,7 @@ The code of this security hardening module is based on the following CIS Benchma
| CentOS 7 | CIS CentOS Linux 7 Benchmark | 3.1.2 | 08-31-2021 |
| CentOS 8 | CIS CentOS Linux 8 Benchmark | 2.0.0 | 02-23-2022 |
| Ubuntu 18.04 | CIS Ubuntu Linux 18.04 LTS Benchmark | 2.0.1 | 01-03-2020 |
| Ubuntu 20.04 | CIS Ubuntu Linux 20.04 LTS Benchmark | 1.1.0 | 03-31-2021 |
| Ubuntu 20.04 | CIS Ubuntu Linux 20.04 LTS Benchmark | 2.0.1 | 06-29-2023 |
| Ubuntu 20.04 | CIS Ubuntu Linux 20.04 LTS STIG Benchmark | 1.0.0 | 26.07.2021 |
| Ubuntu 22.04 | CIS Ubuntu Linux 22.04 LTS Benchmark | 1.0.0 | 06-30-2022 |
| Debian 10 | CIS Debian Linux 10 Benchmark | 1.0.0 | 02-13-2020 |
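Review bot: the updated Ubuntu 20.04 row uses the table's MM-DD-YYYY style (`06-29-2023`), but the neighbouring `CIS Ubuntu Linux 20.04 LTS STIG Benchmark` row still reads `26.07.2021` in DD.MM.YYYY. Since this block is being touched anyway, changing that cell to `07-26-2021` keeps the benchmark table consistent.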
33 changes: 33 additions & 0 deletions REFERENCE.md
Expand Up @@ -12,6 +12,7 @@
* [`cis_security_hardening::auditd_cron`](#cis_security_hardening--auditd_cron): Create a cron job to search privileged commands for auditd
* [`cis_security_hardening::config`](#cis_security_hardening--config): Configure the module
* [`cis_security_hardening::reboot`](#cis_security_hardening--reboot): Handle necessary reboot
* [`cis_security_hardening::rules::automatic_error_reporting`](#cis_security_hardening--rules--automatic_error_reporting): Ensure Automatic Error Reporting is not enabled (Automated)
* [`cis_security_hardening::rules::dac_on_hardlinks`](#cis_security_hardening--rules--dac_on_hardlinks): Ensure the operating system is configured to enable DAC on hardlinks
* [`cis_security_hardening::rules::dac_on_symlinks`](#cis_security_hardening--rules--dac_on_symlinks): Ensure the operating system is configured to enable DAC on symlinks
* [`cis_security_hardening::rules::gdm_lock_delay`](#cis_security_hardening--rules--gdm_lock_delay): Ensure overriding the screensaver lock-delay setting is prevented
Expand Down Expand Up @@ -786,6 +787,38 @@ Reboot when necessary after `time_until_reboot` is exeeded

Default value: `$cis_security_hardening::auto_reboot`

### <a name="cis_security_hardening--rules--automatic_error_reporting"></a>`cis_security_hardening::rules::automatic_error_reporting`

The Apport Error Reporting Service automatically generates crash reports for debugging

Rationale:
Apport collects potentially sensitive data, such as core dumps, stack traces, and log files. They can contain passwords,
credit card numbers, serial numbers, and other private material.

#### Examples

#####

```puppet
class { 'cis_security_hardening::rules::automatic_error_reporting':
enforce => true,
}
```

#### Parameters

The following parameters are available in the `cis_security_hardening::rules::automatic_error_reporting` class:

* [`enforce`](#-cis_security_hardening--rules--automatic_error_reporting--enforce)

##### <a name="-cis_security_hardening--rules--automatic_error_reporting--enforce"></a>`enforce`

Data type: `Boolean`

Sets rule enforcemt. If set to true, code will be exeuted to bring the system into a comliant state.

Default value: `false`

### <a name="cis_security_hardening--rules--dac_on_hardlinks"></a>`cis_security_hardening::rules::dac_on_hardlinks`

The operating system must enable kernel parameters to enforce discretionary access control on hardlinks.
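Review bot: the parameter text `Sets rule enforcemt. If set to true, code will be exeuted to bring the system into a comliant state.` carries three typos (`enforcement`, `executed`, `compliant`), and the bare `#####` under `#### Examples` is an empty heading. REFERENCE.md is generated by puppet-strings, so the fix belongs in the `@param enforce` block of `manifests/rules/automatic_error_reporting.pp`, followed by regenerating the file; the empty heading most likely comes from the untitled `@example` tag and disappears once it is given a title, e.g. `# @example Purge apport`.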
33 changes: 29 additions & 4 deletions data/cis/cis_Ubuntu_20.04_params.yaml
Expand Up @@ -27,15 +27,24 @@ cis_security_hardening::rules::tmp_filesystem::size: 0
cis_security_hardening::rules::tmp_noexec::enforce: true
cis_security_hardening::rules::tmp_nodev::enforce: true
cis_security_hardening::rules::tmp_nosuid::enforce: true
cis_security_hardening::rules::var_nodev::enforce: true
cis_security_hardening::rules::var_nosuid::enforce: true
cis_security_hardening::rules::var_tmp_noexec::enforce: true
cis_security_hardening::rules::var_tmp_nodev::enforce: true
cis_security_hardening::rules::var_tmp_nosuid::enforce: true
cis_security_hardening::rules::var_log_nodev::enforce: true
cis_security_hardening::rules::var_log_noexec::enforce: true
cis_security_hardening::rules::var_log_nosuid::enforce: true
cis_security_hardening::rules::var_log_audit_nodev::enforce: true
cis_security_hardening::rules::var_log_audit_noexec::enforce: true
cis_security_hardening::rules::var_log_audit_nosuid::enforce: true
cis_security_hardening::rules::home_nodev::enforce: true
cis_security_hardening::rules::home_nosuid::enforce: true
cis_security_hardening::rules::dev_shm::enforce: true
cis_security_hardening::rules::dev_shm::size: 0
cis_security_hardening::rules::dev_shm_noexec::enforce: true
cis_security_hardening::rules::dev_shm_nodev::enforce: true
cis_security_hardening::rules::dev_shm_nosuid::enforce: true
cis_security_hardening::rules::var_tmp_noexec::enforce: true
cis_security_hardening::rules::var_tmp_nodev::enforce: true
cis_security_hardening::rules::var_tmp_nosuid::enforce: true
cis_security_hardening::rules::home_nodev::enforce: true
cis_security_hardening::rules::sticky_world_writeable_files::enforce: true
cis_security_hardening::rules::disable_automount::enforce: true
cis_security_hardening::rules::disable_usb_storage::enforce: true
Expand All @@ -53,8 +62,10 @@ cis_security_hardening::rules::grub_bootloader_config::enforce: true
cis_security_hardening::rules::single_user_mode::enforce: true

cis_security_hardening::rules::enable_aslr::enforce: true
cis_security_hardening::rules::ptrace_scope::enforce: true
cis_security_hardening::rules::disable_prelink::enforce: true
cis_security_hardening::rules::restrict_core_dumps::enforce: true
cis_security_hardening::rules::automatic_error_reporting::enforce: true
cis_security_hardening::rules::limits_maxlogins::enforce: true
cis_security_hardening::rules::limits_maxlogins::maxlogins: 10
cis_security_hardening::rules::kdump_service::enforce: true
Expand Down Expand Up @@ -147,6 +158,7 @@ cis_security_hardening::rules::rpcbind::enforce: true

cis_security_hardening::rules::disable_ipv6::enforce: true
cis_security_hardening::rules::disable_wireless::enforce: true
cis_security_hardening::rules::disable_bluetooth::enforce: true

cis_security_hardening::rules::disable_ip_forwarding::enforce: true
cis_security_hardening::rules::disable_packet_redirect::enforce: true
Expand Down Expand Up @@ -312,6 +324,7 @@ cis_security_hardening::rules::auditd_sudoedit_use::enforce: true
cis_security_hardening::rules::auditd_chsh_use::enforce: true
cis_security_hardening::rules::auditd_newgrp_use::enforce: true
cis_security_hardening::rules::auditd_chcon_use::enforce: true
cis_security_hardening::rules::auditd_user_emulation::enforce: true
cis_security_hardening::rules::auditd_apparmor_parser_use::enforce: true
cis_security_hardening::rules::auditd_setfacl_use::enforce: true
cis_security_hardening::rules::auditd_chacl_use::enforce: true
Expand Down Expand Up @@ -350,6 +363,15 @@ cis_security_hardening::rules::auditd_tools_perms::tools:
- /sbin/audispd
- /sbin/augenrules

cis_security_hardening::rules::aide_audit_integrity::enforce: true
cis_security_hardening::rules::aide_audit_integrity::tools:
/sbin/auditctl: p+i+n+u+g+s+b+acl+xattrs+sha512
/sbin/auditd: p+i+n+u+g+s+b+acl+xattrs+sha512
/sbin/ausearch: p+i+n+u+g+s+b+acl+xattrs+sha512
/sbin/aureport: p+i+n+u+g+s+b+acl+xattrs+sha512
/sbin/autrace: p+i+n+u+g+s+b+acl+xattrs+sha512
/sbin/augenrules: p+i+n+u+g+s+b+acl+xattrs+sha512

cis_security_hardening::rules::rsyslog_installed::enforce: true
cis_security_hardening::rules::rsyslog_service::enforce: true
cis_security_hardening::rules::rsyslog_default_file_perms::enforce: true
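Review bot: the `aide_audit_integrity::tools` keys are all `/sbin/...` paths. Fresh Ubuntu 20.04 installs are merged-/usr, where `/sbin` is a symlink to `/usr/sbin`, and AIDE records symlinks rather than following them, so a rule keyed on `/sbin/auditctl` may never cover the real binary. Worth confirming on a 20.04 node with `aide --check` (Ubuntu ships `aide.wrapper` for this) that all six tools show up in the database, and adding the `/usr/sbin/...` entries if they do not. The `auditd_tools_perms::tools` context list above also still names `/sbin/audispd`, which is not present as a separate binary on auditd 3.x.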
Expand Down Expand Up @@ -494,6 +516,9 @@ cis_security_hardening::rules::pam_pw_requirements::enforce: true
cis_security_hardening::rules::pam_pw_requirements::minlen: 14
cis_security_hardening::rules::pam_pw_requirements::minclass: 4
cis_security_hardening::rules::pam_pw_requirements::retry: 3
cis_security_hardening::rules::pam_pw_requirements::difok: 2
cis_security_hardening::rules::pam_pw_requirements::dictcheck: true
cis_security_hardening::rules::pam_pw_requirements::maxrepeat: 3
cis_security_hardening::rules::pam_lockout::enforce: true
cis_security_hardening::rules::pam_lockout::attempts: 3
cis_security_hardening::rules::pam_lockout::lockouttime: 300
24 changes: 20 additions & 4 deletions data/cis/cis_Ubuntu_20.04_rules.yaml
Expand Up @@ -14,14 +14,23 @@ cis_security_hardening::benchmark::ubuntu::20:
- tmp_nodev
- tmp_nosuid
- tmp_noexec
- dev_shm
- dev_shm_nodev
- dev_shm_nosuid
- dev_shm_noexec
- var_nodev
- var_nosuid
- var_tmp_nodev
- var_tmp_nosuid
- var_tmp_noexec
- var_log_nodev
- var_log_noexec
- var_log_nosuid
- var_log_audit_nodev
- var_log_audit_noexec
- var_log_audit_nosuid
- home_nodev
- home_nosuid
- dev_shm
- dev_shm_nodev
- dev_shm_nosuid
- dev_shm_noexec
- sticky_world_writeable_files
- disable_automount
- disable_usb_storage
Expand All @@ -42,8 +51,10 @@ cis_security_hardening::benchmark::ubuntu::20:
process_hardening:
level1:
- enable_aslr
- ptrace_scope
- disable_prelink
- restrict_core_dumps
- automatic_error_reporting
stig:
- limits_maxlogins
- kdump_service
Expand Down Expand Up @@ -105,6 +116,8 @@ cis_security_hardening::benchmark::ubuntu::20:
- ldap_client
- rpcbind
unused_network_protocols:
level1:
- disable_bluetooth
level2:
- disable_ipv6
- disable_wireless
Expand Down Expand Up @@ -162,6 +175,8 @@ cis_security_hardening::benchmark::ubuntu::20:
- ip6tables_outbound_established
- ip6tables_open_ports
configure_accounting:
level1:
- aide_audit_integrity
level2:
- auditd_init
- auditd_package
Expand All @@ -185,6 +200,7 @@ cis_security_hardening::benchmark::ubuntu::20:
- auditd_scope
- auditd_actions
- auditd_modules
- auditd_user_emulation
- auditd_immutable
stig:
- auditd_remote
19 changes: 19 additions & 0 deletions lib/facter/cis_security_hardening/facts_ubuntu.rb
Expand Up @@ -49,6 +49,25 @@ def facts_ubuntu(os, distid, release)
end
cis_security_hardening[:x11] = x11

# check for apport
apport = {}
pkgs = Facter::Core::Execution.exec('dpkg -l | grep apport| awk \'{print $2;}\'')
apport['installed'] = if pkgs.nil? || pkgs.empty?
false
else
true
end
cis_security_hardening['apport'] = apport

aide = {}
pkgs = Facter::Core::Execution.exec('dpkg -l | grep aide | awk \'{print $2;}\'')
aide['installed'] = if pkgs.nil? || pkgs.empty?
false
else
true
end
cis_security_hardening['aide'] = aide

# check for xdmcp
cis_security_hardening['xdcmp'] = File.exist?('/etc/gdm3/custom.conf')

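Review bot: `dpkg -l | grep apport | awk '{print $2;}'` (and the `grep aide` twin) is a substring match over the whole `dpkg -l` line, so it fires on related packages such as `python3-apport` or `aide-common`, on any package whose description contains the word, and on `rc` rows of packages that were removed but not purged; each of those makes `installed` true although the package itself is absent, and the manifests then act on a false premise every run. A status query on the exact package is more precise, e.g. `Facter::Core::Execution.execute("dpkg-query -W -f='${Status}' apport 2>/dev/null", on_fail: '')` followed by `.include?('install ok installed')`. Minor: the aide block lacks the `# check for ...` comment the apport block has, and both blocks reuse `pkgs`, which is fine but reads better as `apport_pkgs` / `aide_pkgs`.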
30 changes: 20 additions & 10 deletions manifests/rules/aide_audit_integrity.pp
Expand Up @@ -42,23 +42,33 @@
$conffile = '/etc/aide.conf'
}
'ubuntu': {
if $facts['os']['release']['major'] >= '22' {
$conffile = '/etc/aide/aide.conf'
$aide = fact('cis_security_hardening.aide.installed') ? {
undef => false,
default => fact('cis_security_hardening.aide.installed'),
}
if $aide {
if $facts['os']['release']['major'] >= '20' {
$conffile = '/etc/aide/aide.conf'
} else {
$conffile = '/etc/aide.conf'
}
} else {
$conffile = '/etc/aide.conf'
$conffile = ''
}
}
default: {
$conffile = '/etc/aide.conf'
}
}
$tools.each |$tool, $data| {
file_line { "aide tool ${tool}":
ensure => present,
append_on_no_match => true,
path => $conffile,
line => "${tool} ${data}",
match => "^${tool}",
unless empty($conffile) {
$tools.each |$tool, $data| {
file_line { "aide tool ${tool}":
ensure => present,
append_on_no_match => true,
path => $conffile,
line => "${tool} ${data}",
match => "^${tool}",
}
}
}
}
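Review bot: `$facts['os']['release']['major'] >= '20'` compares two strings, so the test is lexicographic, not numeric; it happens to hold for the two-digit Ubuntu majors in use, but `Integer($facts['os']['release']['major']) >= 20` states the intent and avoids a surprise on any other width. Separately, when the `aide.installed` fact is false the class sets `$conffile = ''` and the `unless empty($conffile)` guard silently skips every `file_line`, so a node without AIDE reports a clean run while the control is not applied; a `warning()` in that branch, or a dependency on the rule that installs AIDE, would make the gap visible in reports. The selector on `fact('cis_security_hardening.aide.installed')` evaluates the fact twice and can collapse to `$aide = fact('cis_security_hardening.aide.installed') == true`.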
13 changes: 13 additions & 0 deletions manifests/rules/auditd_access.pp
Expand Up @@ -60,6 +60,19 @@
$content_rule4 = "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=${uid} -F auid!=${auid} -k access" #lint:ignore:140chars
}
}
'ubuntu': {
if $facts['os']['release']['major'] >= '20' {
$content_rule1 = "-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=${uid} -F auid!=${auid} -k access" #lint:ignore:140chars
$content_rule2 = "-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=${uid} -F auid!=${auid} -k access" #lint:ignore:140chars
$content_rule3 = "-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=${uid} -F auid!=${auid} -k access" #lint:ignore:140chars
$content_rule4 = "-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=${uid} -F auid!=${auid} -k access" #lint:ignore:140chars
} else {
$content_rule1 = "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=${uid} -F auid!=${auid} -k access" #lint:ignore:140chars
$content_rule2 = "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=${uid} -F auid!=${auid} -k access" #lint:ignore:140chars
$content_rule3 = "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=${uid} -F auid!=${auid} -k access" #lint:ignore:140chars
$content_rule4 = "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=${uid} -F auid!=${auid} -k access" #lint:ignore:140chars
}
}
default: {
$content_rule1 = "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=${uid} -F auid!=${auid} -k access" #lint:ignore:140chars
$content_rule2 = "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=${uid} -F auid!=${auid} -k access" #lint:ignore:140chars
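Review bot: the `else` arm of the new `'ubuntu'` branch (major below 20) repeats the four `-S creat -S open -S openat ...` rules of the `default:` arm verbatim, so there are now three copies of the legacy strings in this file. Hoisting them into variables defined before the `case` and referencing those from both arms removes the duplication and keeps the two copies from drifting apart. The `>= '20'` test is again a string comparison; see the note on `aide_audit_integrity.pp`.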
2 changes: 1 addition & 1 deletion manifests/rules/auditd_actions.pp
Expand Up @@ -54,7 +54,7 @@
}
}
'ubuntu': {
if $facts['os']['release']['major'] >= '22' {
if $facts['os']['release']['major'] >= '20' {
concat::fragment { 'watch admin actions rule 1':
order => 21,
target => $cis_security_hardening::rules::auditd_init::rules_file,
1 change: 1 addition & 0 deletions manifests/rules/auditd_kernel_modules.pp
Expand Up @@ -35,6 +35,7 @@
'rocky' => 'unset',
'almalinux' => 'unset',
'debian' => 'unset',
'ubuntu' => 'unset',
default => '4294967295',
}
$uid = fact('cis_security_hardening.auditd.uid_min') ? {
33 changes: 33 additions & 0 deletions manifests/rules/automatic_error_reporting.pp
@@ -0,0 +1,33 @@
# @summary
# Ensure Automatic Error Reporting is not enabled (Automated)
#
# The Apport Error Reporting Service automatically generates crash reports for debugging
#
# Rationale:
# Apport collects potentially sensitive data, such as core dumps, stack traces, and log files. They can contain passwords,
# credit card numbers, serial numbers, and other private material.
#
# @param enforce
# Sets rule enforcemt. If set to true, code will be exeuted to bring the system into a comliant state.
#
#
# @example
# class { 'cis_security_hardening::rules::automatic_error_reporting':
# enforce => true,
# }
#
class cis_security_hardening::rules::automatic_error_reporting (
Boolean $enforce = false,
) {
$apport = fact('cis_security_hardening.apport.installed')
if $enforce and $apport {
$ensure = $facts['os']['family'].downcase() ? {
'suse' => 'absent',
default => 'purged',
}

ensure_packages(['apport'], {
ensure => $ensure,
})
}
}
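Review bot: `$ensure` selects `'absent'` for `suse`, but the `cis_security_hardening.apport.installed` fact is only produced by `facts_ubuntu.rb`, so on any non-Ubuntu node `$apport` is undef and the `if` never enters; the `suse` arm is unreachable and the selector can become a plain `ensure => purged`. The `@param enforce` text has three typos (`enforcemt`, `exeuted`, `comliant`) that are copied into REFERENCE.md, and the `@example` tag has no title, which yields the empty `#####` heading there. Since `purged` also deletes `/etc/default/apport`, a one-line note in the `@summary` that the package is removed rather than only disabled would help operators who rely on apport for crash reports.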
2 changes: 1 addition & 1 deletion manifests/rules/cramfs.pp
Expand Up @@ -53,7 +53,7 @@
}
}
'ubuntu': {
if $facts['os']['release']['major'] >= '22' {
if $facts['os']['release']['major'] >= '20' {
kmod::install { 'cramfs':
command => '/bin/false',
}
11 changes: 9 additions & 2 deletions manifests/rules/disable_bluetooth.pp
Expand Up @@ -34,8 +34,15 @@
Boolean $enforce = false,
) {
if $enforce {
kmod::install { 'bluetooth':
command => '/bin/true',
if $facts['os']['name'].downcase() == 'ubuntu' and $facts['os']['release']['major'] >= '20' {
service { 'bluetooth.service':
ensure => 'stopped',
enable => false,
}
} else {
kmod::install { 'bluetooth':
command => '/bin/true',
}
}
}
}
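Review bot: the Ubuntu >= 20 arm only stops and disables `bluetooth.service`, whereas the other arm blocks the `bluetooth` kernel module outright; on Ubuntu the module stays loadable and anything that re-enables the unit brings the stack back. If the service-level control is intended, `enable => 'mask'` (supported by the `service` type on systemd) is stronger than `enable => false` because it also blocks manual and dependency-triggered starts; otherwise keep the `kmod::install` resource alongside the `service` resource. `>= '20'` is once more a string comparison on the release major.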
2 changes: 1 addition & 1 deletion manifests/rules/disable_dccp.pp
Expand Up @@ -26,7 +26,7 @@
if ($facts['os']['name'].downcase() == 'debian' and
$facts['os']['release']['major'] > '10') or
($facts['os']['name'].downcase() == 'ubuntu' and
$facts['os']['release']['major'] >= '22') {
$facts['os']['release']['major'] >= '20') {
$command = '/bin/false'
kmod::blacklist { 'dccp': }
} else {