HarryHarcourt.Ansible-RHEL7-CIS-Benchmarks

Harry Harcourt's Ansible Role for RHEL7 CIS Benchmarks

This project credits Anth Courtney for creating the original framework found here: GitHub Link.

This version has been adapted for Red Hat Enterprise Linux 7.x (tested on 7.1 through 7.7) and CentOS 7 (tested on 7.4 through 7.7; CentOS releases below 7.4 may have SSH issues).

Much of the implementation is idempotent, and improvements are ongoing.

This setup allows you to enable and configure certain services.

You can find the CIS RHEL Linux Benchmark here: CIS Benchmark Document.

The role has been tested with Red Hat Linux versions 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, and 7.7 using standard AWS AMIs, as well as with CentOS 7.4.

Why Use This Role?

If you need to comply with well-known security standards such as PCI DSS, APRA or ISO 27001, you must be able to demonstrate that documented security controls have been applied to every in-scope system.

If you're using Red Hat Linux, this role helps address part of that compliance challenge.

Important Note

Before applying this role to any server, familiarise yourself with the CIS Benchmark (or whichever benchmark you are targeting) and understand how its settings will affect the system.

Review the standard and the role's default settings, decide which items to exclude before the first run, and make sure you have console or other out-of-band access to the host in case a setting cuts off SSH.

Some items you might want to exclude or adjust include:

  • Items 3.4.2 and 3.4.3, which configure TCP Wrappers (/etc/hosts.allow and /etc/hosts.deny) and by default restrict access to the host, SSH included, to the local machine only.

Example Playbook

Here's a simple playbook that uses this role:

---
- hosts: localhost
  connection: local
  gather_facts: true
  become: yes

  roles:
    - Ansible-RHEL7-CIS-Benchmarks 

A more advanced example, which modifies some default values and excludes unnecessary items for a fictional environment, looks like this:

---
- hosts: localhost
  connection: local
  gather_facts: true
  become: yes

  vars:
    cis_level_1_exclusions:
      - 5.4.4
      - 3.4.2
      - 3.4.3
      - 6.2.13   
    cis_pass_max_days: 45
    cis_umask_default: 002
 
  roles:
    - Ansible-RHEL7-CIS-Benchmarks

Keep become: yes in the play: almost every task in the role needs root privileges.

Role Variables

You can check defaults/main.yml for variables that you can change to fit your needs.

Options

Tags, alone or combined, select which parts of the benchmark run: a level, a section, or individual recommendations. For example:

  • Run only Level 1 tasks:
ansible-playbook playbook.yml -t level-1
  • Run only Section 3 tasks:
ansible-playbook playbook.yml -t section-3
  • Run tasks 1.3.1 and 2.2.10 only:
ansible-playbook playbook.yml -t 1.3.1,2.2.10
  • Run only scored tasks:
ansible-playbook playbook.yml -t scored
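The tag selection above interacts with the caveat in the Important Note section: a task runs when any one of its tags is selected, so -t level-1, -t section-3 or -t scored all pull in items 3.4.2 and 3.4.3 unless they are listed in cis_level_1_exclusions. The staged-rollout script below is an added example, not part of the role: it refuses to run if those two items would execute without being excluded, lists the selected tasks, dry-runs and then applies to a single canary host, confirms the canary still answers over SSH, and only then targets the rest of the group. Assumed names: a playbook.yml that targets an inventory group called cis (rather than localhost as in the playbooks above), a vars/cis.yml holding the exclusions, and the tag scheme shown in this section (each task tagged with its own ID, level-1, section-N and scored).

```shell
#!/bin/sh
# Staged rollout wrapper for the CIS role. Added example, not part of the
# role. Assumes playbook.yml (targeting inventory group "cis"), vars/cis.yml
# with cis_level_1_exclusions, and the tag scheme described in the README.
set -eu

# Does a tag selection (the comma list given to -t; empty means the whole
# role) pull in 3.4.2/3.4.3? ansible-playbook runs a task when ANY of its
# tags is selected, and those two tasks are assumed to carry level-1,
# section-3, scored and their own ID.
selects_tcp_wrappers_items() {
    sel="${1:-}"
    [ -z "$sel" ] && return 0
    for t in $(printf '%s' "$sel" | tr ',' ' '); do
        case "$t" in
            level-1|section-3|scored|3.4.2|3.4.3) return 0 ;;
        esac
    done
    return 1
}

# Does the vars file list BOTH items as YAML list entries ("- 3.4.2",
# quoted or unquoted)? A textual check, but sufficient as a preflight gate.
lockout_items_excluded() {
    f="$1"
    grep -Eq "^[[:space:]]*-[[:space:]]*['\"]?3\.4\.2['\"]?[[:space:]]*$" "$f" &&
    grep -Eq "^[[:space:]]*-[[:space:]]*['\"]?3\.4\.3['\"]?[[:space:]]*$" "$f"
}

# rollout TAGS CANARY: gate, review, dry-run and apply on one host, verify
# that host is still reachable over SSH, then apply to the rest of the group.
rollout() {
    tags="$1"
    canary="$2"
    tagopt=""
    [ -n "$tags" ] && tagopt="-t $tags"

    if selects_tcp_wrappers_items "$tags" && ! lockout_items_excluded vars/cis.yml; then
        echo "refusing: 3.4.2/3.4.3 would run but are not in cis_level_1_exclusions;" \
             "decide on a hosts.allow policy first" >&2
        return 1
    fi

    # $tagopt is intentionally unquoted so "-t level-1" splits into two words.
    ansible-playbook playbook.yml -e @vars/cis.yml $tagopt --list-tasks
    ansible-playbook playbook.yml -e @vars/cis.yml $tagopt --check --diff --limit "$canary"
    ansible-playbook playbook.yml -e @vars/cis.yml $tagopt --limit "$canary"
    # The canary must still answer over SSH before the change goes any wider.
    ansible "$canary" -m ping
    ansible-playbook playbook.yml -e @vars/cis.yml $tagopt --limit "cis:!$canary"
}

# Usage: ./cis-rollout.sh level-1 web01   (runs only when given arguments)
if [ "$#" -ge 2 ]; then
    rollout "$1" "$2"
fi
```

Run it with an empty first argument ("" web01) to roll out the whole role; the gate then applies too, since with no tags every task runs. The textual exclusion check is deliberately conservative: a vars file that names only one of the two items is treated as not excluding them.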

Limitations

Currently, only Level 1 items from the benchmark are implemented. Level 2 items will be added as time allows.

The following are not implemented, because they depend on the site or are unsafe to edit in place:

  • Firewall rulesets, which depend on the environment.
  • Logging configuration, which depends on the environment.
  • Inline edits to the syslog-ng configuration file, which cannot be made precisely; supply a complete configuration file instead.
  • logrotate configuration, which is site-specific.
  • Multi-line edits to PAM configuration files, which are risky; supply a complete configuration file instead.

Compatibility

This role works with the following versions of Ansible:

  • 2.0.2
  • 2.1.3
  • 2.2.0
  • 2.3.0
  • 2.7.0
  • 2.8.x
  • 2.9.x

This role hasn't been tested with other versions of Ansible.

Testing

The developer uses the following testing procedures:

  • Syntax of the role is checked: use make syntax.
  • Run ansible-review against the role and fix any significant warnings: use make review.
  • The role is tested on a Docker container with Ansible versions 2.1.3 and 2.2: use make test.

Some tests are planned but not yet executed:

  • Testing the role with the Vagrant mvbcoding/awslinux image using the Ansible provisioner.

License

There was some confusion about the license for this Ansible role. The original source didn’t have a license file, but the meta/main.yml mentioned MIT while the README cited BSD. With no response from Anthony Courtney, I decided to adopt the MIT License for this role.

MIT License.

Author Information

The role was originally created by Anth Courtney and further developed by Ben Wright.

Your feedback, issues, and pull requests are welcome and appreciated.

About the project

Idempotent CIS Benchmarks for RHEL/CentOS Linux V2

Install
ansible-galaxy install HarryHarcourt.Ansible-RHEL7-CIS-Benchmarks
License
mit
Downloads
1.1k