Feature update ubuntu 20.04

CHANGELOG.md

@@ -2,6 +2,11 @@
 
 All notable changes to this project will be documented in this file.
 
+## Release 0.9.2
+
+* Updated to Ubuntu 20.04 benchmark version 2.0.1
+* fix for issue #76: umsask setting on Redhat like OSes only if authselect id not enforced
+
 ## Release 0.9.1
 
 * Fix for issue #66

README.md

@@ -55,7 +55,7 @@ The code of this security hardening module is based on the following CIS Benchma
 | CentOS 7     | CIS CentOS Linux 7 Benchmark                                 | 3.1.2   | 08-31-2021 |
 | CentOS 8     | CIS CentOS Linux 8 Benchmark                                 | 2.0.0   | 02-23-2022 |
 | Ubuntu 18.04 | CIS Ubuntu Linux 18.04 LTS Benchmark                         | 2.0.1   | 01-03-2020 |
-| Ubuntu 20.04 | CIS Ubuntu Linux 20.04 LTS Benchmark                         | 1.1.0   | 03-31-2021 |
+| Ubuntu 20.04 | CIS Ubuntu Linux 20.04 LTS Benchmark                         | 2.0.1   | 06-29-2023 |
 | Ubuntu 20.04 | CIS Ubuntu Linux 20.04 LTS STIG Benchmark                    | 1.0.0   | 26.07.2021 |
 | Ubuntu 22.04 | CIS Ubuntu Linux 22.04 LTS Benchmark                         | 1.0.0   | 06-30-2022 |
 | Debian 10    | CIS Debian Linux 10 Benchmark                                | 1.0.0   | 02-13-2020 |

REFERENCE.md

@@ -12,6 +12,7 @@
 * [`cis_security_hardening::auditd_cron`](#cis_security_hardening--auditd_cron): Create a cron job to search privileged commands for auditd
 * [`cis_security_hardening::config`](#cis_security_hardening--config): Configure the module
 * [`cis_security_hardening::reboot`](#cis_security_hardening--reboot): Handle necessary reboot
+* [`cis_security_hardening::rules::automatic_error_reporting`](#cis_security_hardening--rules--automatic_error_reporting): Ensure Automatic Error Reporting is not enabled (Automated)
 * [`cis_security_hardening::rules::dac_on_hardlinks`](#cis_security_hardening--rules--dac_on_hardlinks): Ensure the operating system is configured to enable DAC on hardlinks
 * [`cis_security_hardening::rules::dac_on_symlinks`](#cis_security_hardening--rules--dac_on_symlinks): Ensure the operating system is configured to enable DAC on symlinks
 * [`cis_security_hardening::rules::gdm_lock_delay`](#cis_security_hardening--rules--gdm_lock_delay): Ensure overriding the screensaver lock-delay setting is prevented
@@ -786,6 +787,38 @@ Reboot when necessary after `time_until_reboot` is exeeded
 
 Default value: `$cis_security_hardening::auto_reboot`
 
+### <a name="cis_security_hardening--rules--automatic_error_reporting"></a>`cis_security_hardening::rules::automatic_error_reporting`
+
+The Apport Error Reporting Service automatically generates crash reports for debugging
+
+Rationale:
+Apport collects potentially sensitive data, such as core dumps, stack traces, and log files. They can contain passwords,
+credit card numbers, serial numbers, and other private material.
+
+#### Examples
+
+##### 
+
+```puppet
+class { 'cis_security_hardening::rules::automatic_error_reporting':
+          enforce => true,
+}
+```
+
+#### Parameters
+
+The following parameters are available in the `cis_security_hardening::rules::automatic_error_reporting` class:
+
+* [`enforce`](#-cis_security_hardening--rules--automatic_error_reporting--enforce)
+
+##### <a name="-cis_security_hardening--rules--automatic_error_reporting--enforce"></a>`enforce`
+
+Data type: `Boolean`
+
+Sets rule enforcemt. If set to true, code will be exeuted to bring the system into a comliant state.
+
+Default value: `false`
+
 ### <a name="cis_security_hardening--rules--dac_on_hardlinks"></a>`cis_security_hardening::rules::dac_on_hardlinks`
 
 The operating system must enable kernel parameters to enforce discretionary access control on hardlinks.

data/cis/cis_Ubuntu_20.04_params.yaml

@@ -27,15 +27,24 @@ cis_security_hardening::rules::tmp_filesystem::size: 0
 cis_security_hardening::rules::tmp_noexec::enforce: true
 cis_security_hardening::rules::tmp_nodev::enforce: true
 cis_security_hardening::rules::tmp_nosuid::enforce: true
+cis_security_hardening::rules::var_nodev::enforce: true
+cis_security_hardening::rules::var_nosuid::enforce: true
+cis_security_hardening::rules::var_tmp_noexec::enforce: true
+cis_security_hardening::rules::var_tmp_nodev::enforce: true
+cis_security_hardening::rules::var_tmp_nosuid::enforce: true
+cis_security_hardening::rules::var_log_nodev::enforce: true
+cis_security_hardening::rules::var_log_noexec::enforce: true
+cis_security_hardening::rules::var_log_nosuid::enforce: true
+cis_security_hardening::rules::var_log_audit_nodev::enforce: true
+cis_security_hardening::rules::var_log_audit_noexec::enforce: true
+cis_security_hardening::rules::var_log_audit_nosuid::enforce: true
+cis_security_hardening::rules::home_nodev::enforce: true
+cis_security_hardening::rules::home_nosuid::enforce: true
 cis_security_hardening::rules::dev_shm::enforce: true
 cis_security_hardening::rules::dev_shm::size: 0
 cis_security_hardening::rules::dev_shm_noexec::enforce: true
 cis_security_hardening::rules::dev_shm_nodev::enforce: true
 cis_security_hardening::rules::dev_shm_nosuid::enforce: true
-cis_security_hardening::rules::var_tmp_noexec::enforce: true
-cis_security_hardening::rules::var_tmp_nodev::enforce: true
-cis_security_hardening::rules::var_tmp_nosuid::enforce: true
-cis_security_hardening::rules::home_nodev::enforce: true
 cis_security_hardening::rules::sticky_world_writeable_files::enforce: true
 cis_security_hardening::rules::disable_automount::enforce: true
 cis_security_hardening::rules::disable_usb_storage::enforce: true
@@ -53,8 +62,10 @@ cis_security_hardening::rules::grub_bootloader_config::enforce: true
 cis_security_hardening::rules::single_user_mode::enforce: true
 
 cis_security_hardening::rules::enable_aslr::enforce: true
+cis_security_hardening::rules::ptrace_scope::enforce: true
 cis_security_hardening::rules::disable_prelink::enforce: true
 cis_security_hardening::rules::restrict_core_dumps::enforce: true
+cis_security_hardening::rules::automatic_error_reporting::enforce: true
 cis_security_hardening::rules::limits_maxlogins::enforce: true
 cis_security_hardening::rules::limits_maxlogins::maxlogins: 10
 cis_security_hardening::rules::kdump_service::enforce: true
@@ -147,6 +158,7 @@ cis_security_hardening::rules::rpcbind::enforce: true
 
 cis_security_hardening::rules::disable_ipv6::enforce: true
 cis_security_hardening::rules::disable_wireless::enforce: true
+cis_security_hardening::rules::disable_bluetooth::enforce: true
 
 cis_security_hardening::rules::disable_ip_forwarding::enforce: true
 cis_security_hardening::rules::disable_packet_redirect::enforce: true
@@ -312,6 +324,7 @@ cis_security_hardening::rules::auditd_sudoedit_use::enforce: true
 cis_security_hardening::rules::auditd_chsh_use::enforce: true
 cis_security_hardening::rules::auditd_newgrp_use::enforce: true
 cis_security_hardening::rules::auditd_chcon_use::enforce: true
+cis_security_hardening::rules::auditd_user_emulation::enforce: true
 cis_security_hardening::rules::auditd_apparmor_parser_use::enforce: true
 cis_security_hardening::rules::auditd_setfacl_use::enforce: true
 cis_security_hardening::rules::auditd_chacl_use::enforce: true
@@ -350,6 +363,15 @@ cis_security_hardening::rules::auditd_tools_perms::tools:
   - /sbin/audispd 
   - /sbin/augenrules
 
+cis_security_hardening::rules::aide_audit_integrity::enforce: true
+cis_security_hardening::rules::aide_audit_integrity::tools:
+  /sbin/auditctl: p+i+n+u+g+s+b+acl+xattrs+sha512
+  /sbin/auditd: p+i+n+u+g+s+b+acl+xattrs+sha512
+  /sbin/ausearch: p+i+n+u+g+s+b+acl+xattrs+sha512
+  /sbin/aureport: p+i+n+u+g+s+b+acl+xattrs+sha512
+  /sbin/autrace: p+i+n+u+g+s+b+acl+xattrs+sha512
+  /sbin/augenrules: p+i+n+u+g+s+b+acl+xattrs+sha512
+
 cis_security_hardening::rules::rsyslog_installed::enforce: true
 cis_security_hardening::rules::rsyslog_service::enforce: true
 cis_security_hardening::rules::rsyslog_default_file_perms::enforce: true
@@ -494,6 +516,9 @@ cis_security_hardening::rules::pam_pw_requirements::enforce: true
 cis_security_hardening::rules::pam_pw_requirements::minlen: 14
 cis_security_hardening::rules::pam_pw_requirements::minclass: 4
 cis_security_hardening::rules::pam_pw_requirements::retry: 3
+cis_security_hardening::rules::pam_pw_requirements::difok: 2
+cis_security_hardening::rules::pam_pw_requirements::dictcheck: true
+cis_security_hardening::rules::pam_pw_requirements::maxrepeat: 3
 cis_security_hardening::rules::pam_lockout::enforce: true
 cis_security_hardening::rules::pam_lockout::attempts: 3
 cis_security_hardening::rules::pam_lockout::lockouttime: 300

data/cis/cis_Ubuntu_20.04_rules.yaml

@@ -14,14 +14,23 @@ cis_security_hardening::benchmark::ubuntu::20:
         - tmp_nodev
         - tmp_nosuid
         - tmp_noexec
-        - dev_shm
-        - dev_shm_nodev
-        - dev_shm_nosuid
-        - dev_shm_noexec
+        - var_nodev
+        - var_nosuid
         - var_tmp_nodev
         - var_tmp_nosuid
         - var_tmp_noexec
+        - var_log_nodev
+        - var_log_noexec
+        - var_log_nosuid
+        - var_log_audit_nodev
+        - var_log_audit_noexec
+        - var_log_audit_nosuid
         - home_nodev
+        - home_nosuid
+        - dev_shm
+        - dev_shm_nodev
+        - dev_shm_nosuid
+        - dev_shm_noexec
         - sticky_world_writeable_files
         - disable_automount
         - disable_usb_storage
@@ -42,8 +51,10 @@ cis_security_hardening::benchmark::ubuntu::20:
     process_hardening:
       level1:
         - enable_aslr
+        - ptrace_scope
         - disable_prelink
         - restrict_core_dumps
+        - automatic_error_reporting
       stig:
         - limits_maxlogins
         - kdump_service
@@ -105,6 +116,8 @@ cis_security_hardening::benchmark::ubuntu::20:
         - ldap_client
         - rpcbind
     unused_network_protocols:
+      level1:
+        - disable_bluetooth
       level2:
         - disable_ipv6
         - disable_wireless
@@ -162,6 +175,8 @@ cis_security_hardening::benchmark::ubuntu::20:
         - ip6tables_outbound_established
         - ip6tables_open_ports
     configure_accounting:
+      level1: 
+        - aide_audit_integrity
       level2:
         - auditd_init
         - auditd_package
@@ -185,6 +200,7 @@ cis_security_hardening::benchmark::ubuntu::20:
         - auditd_scope
         - auditd_actions
         - auditd_modules
+        - auditd_user_emulation
         - auditd_immutable
       stig:
         - auditd_remote

lib/facter/cis_security_hardening/facts_ubuntu.rb

@@ -49,6 +49,25 @@ def facts_ubuntu(os, distid, release)
                      end
   cis_security_hardening[:x11] = x11
 
+  # check for apport
+  apport = {}
+  pkgs = Facter::Core::Execution.exec('dpkg -l | grep apport| awk \'{print $2;}\'')
+  apport['installed'] = if pkgs.nil? || pkgs.empty?
+                          false
+                        else
+                          true
+                        end
+  cis_security_hardening['apport'] = apport
+
+  aide = {}
+  pkgs = Facter::Core::Execution.exec('dpkg -l | grep aide | awk \'{print $2;}\'')
+  aide['installed'] = if pkgs.nil? || pkgs.empty?
+                        false
+                      else
+                        true
+                      end
+  cis_security_hardening['aide'] = aide
+
   # check for xdmcp
   cis_security_hardening['xdcmp'] = File.exist?('/etc/gdm3/custom.conf')
 

manifests/rules/aide_audit_integrity.pp

@@ -42,23 +42,33 @@
         $conffile = '/etc/aide.conf'
       }
       'ubuntu': {
-        if $facts['os']['release']['major'] >= '22' {
-          $conffile = '/etc/aide/aide.conf'
+        $aide = fact('cis_security_hardening.aide.installed') ? {
+          undef   => false,
+          default => fact('cis_security_hardening.aide.installed'),
+        }
+        if $aide {
+          if $facts['os']['release']['major'] >= '20' {
+            $conffile = '/etc/aide/aide.conf'
+          } else {
+            $conffile = '/etc/aide.conf'
+          }
         } else {
-          $conffile = '/etc/aide.conf'
+          $conffile = ''
         }
       }
       default: {
         $conffile = '/etc/aide.conf'
       }
     }
-    $tools.each |$tool, $data| {
-      file_line { "aide tool ${tool}":
-        ensure             => present,
-        append_on_no_match => true,
-        path               => $conffile,
-        line               => "${tool} ${data}",
-        match              => "^${tool}",
+    unless empty($conffile) {
+      $tools.each |$tool, $data| {
+        file_line { "aide tool ${tool}":
+          ensure             => present,
+          append_on_no_match => true,
+          path               => $conffile,
+          line               => "${tool} ${data}",
+          match              => "^${tool}",
+        }
       }
     }
   }

manifests/rules/auditd_access.pp

@@ -60,6 +60,19 @@
           $content_rule4 = "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=${uid} -F auid!=${auid} -k access" #lint:ignore:140chars
         }
       }
+      'ubuntu': {
+        if $facts['os']['release']['major'] >= '20' {
+          $content_rule1 = "-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=${uid} -F auid!=${auid} -k access" #lint:ignore:140chars
+          $content_rule2 = "-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=${uid} -F auid!=${auid} -k access" #lint:ignore:140chars
+          $content_rule3 = "-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=${uid} -F auid!=${auid} -k access" #lint:ignore:140chars
+          $content_rule4 = "-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=${uid} -F auid!=${auid} -k access"  #lint:ignore:140chars
+        } else {
+          $content_rule1 = "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=${uid} -F auid!=${auid} -k access" #lint:ignore:140chars
+          $content_rule2 = "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=${uid} -F auid!=${auid} -k access" #lint:ignore:140chars
+          $content_rule3 = "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=${uid} -F auid!=${auid} -k access" #lint:ignore:140chars
+          $content_rule4 = "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=${uid} -F auid!=${auid} -k access" #lint:ignore:140chars
+        }
+      }
       default: {
         $content_rule1 = "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=${uid} -F auid!=${auid} -k access" #lint:ignore:140chars
         $content_rule2 = "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=${uid} -F auid!=${auid} -k access" #lint:ignore:140chars

manifests/rules/auditd_actions.pp

@@ -54,7 +54,7 @@
         }
       }
       'ubuntu': {
-        if $facts['os']['release']['major'] >= '22' {
+        if $facts['os']['release']['major'] >= '20' {
           concat::fragment { 'watch admin actions rule 1':
             order   => 21,
             target  => $cis_security_hardening::rules::auditd_init::rules_file,

manifests/rules/auditd_kernel_modules.pp

@@ -35,6 +35,7 @@
       'rocky'     => 'unset',
       'almalinux' => 'unset',
       'debian'    => 'unset',
+      'ubuntu'    => 'unset',
       default     => '4294967295',
     }
     $uid = fact('cis_security_hardening.auditd.uid_min') ? {

manifests/rules/automatic_error_reporting.pp

@@ -0,0 +1,33 @@
+# @summary
+#    Ensure Automatic Error Reporting is not enabled (Automated)
+#
+# The Apport Error Reporting Service automatically generates crash reports for debugging
+#
+# Rationale:
+# Apport collects potentially sensitive data, such as core dumps, stack traces, and log files. They can contain passwords, 
+# credit card numbers, serial numbers, and other private material.
+#
+# @param enforce
+#    Sets rule enforcemt. If set to true, code will be exeuted to bring the system into a comliant state.
+#
+#
+# @example
+#   class { 'cis_security_hardening::rules::automatic_error_reporting':   
+#             enforce => true,
+#   }
+#
+class cis_security_hardening::rules::automatic_error_reporting (
+  Boolean $enforce = false,
+) {
+  $apport = fact('cis_security_hardening.apport.installed')
+  if $enforce and $apport {
+    $ensure = $facts['os']['family'].downcase() ? {
+      'suse'  => 'absent',
+      default => 'purged',
+    }
+
+    ensure_packages(['apport'], {
+        ensure => $ensure,
+    })
+  }
+}

manifests/rules/cramfs.pp

@@ -53,7 +53,7 @@
         }
       }
       'ubuntu': {
-        if $facts['os']['release']['major'] >= '22' {
+        if $facts['os']['release']['major'] >= '20' {
           kmod::install { 'cramfs':
             command => '/bin/false',
           }

manifests/rules/disable_bluetooth.pp

@@ -34,8 +34,15 @@
   Boolean $enforce = false,
 ) {
   if $enforce {
-    kmod::install { 'bluetooth':
-      command => '/bin/true',
+    if $facts['os']['name'].downcase() == 'ubuntu' and $facts['os']['release']['major'] >= '20' {
+      service { 'bluetooth.service':
+        ensure => 'stopped',
+        enable => false,
+      }
+    } else {
+      kmod::install { 'bluetooth':
+        command => '/bin/true',
+      }
     }
   }
 }

manifests/rules/disable_dccp.pp

@@ -26,7 +26,7 @@
     if ($facts['os']['name'].downcase() == 'debian' and
     $facts['os']['release']['major'] > '10') or
     ($facts['os']['name'].downcase() == 'ubuntu' and
-    $facts['os']['release']['major'] >= '22') {
+    $facts['os']['release']['major'] >= '20') {
       $command = '/bin/false'
       kmod::blacklist { 'dccp': }
     } else {