ansible-lockdown.amazon2023_cis

AMAZON 2023 CIS

Set Up an Amazon 2023 Machine to Follow CIS Standards

Based on CIS Amazon 2023 Benchmark v1.0.0 - 26-06-2023




Need Help?

Lockdown Enterprise

Ansible Support

Community

Join our Discord Server to ask questions, discuss features, or chat with other Ansible-Lockdown users.

Contributing

You can report issues and submit pull requests. Make sure to sign off all your commits and use GPG for signing. Check out the Contributing Guide.


Important Notes

This role changes the system and can produce unexpected results. It is a remediation tool, not an audit tool: run it after an audit to fix the findings.

Check mode is not fully supported. A run in check mode may complete without errors, but its output cannot be trusted; use a compliance scanner for proper verification.

The role was written for a clean install of the operating system. If you apply it to an existing system, review the tasks first and adjust the variables for any changes your system needs.

To use the latest version, point at the main branch and check out the release matching the version of the CIS benchmark you want to apply.


Choosing a Security Level for CIS

You can run level 1 or level 2 controls for CIS using tags:

  • level1-server
  • level2-server

Set the same level in the defaults section (defaults/main.yml) as well, because the audit component reads that value to decide which checks to run.

Updates from Previous Releases

Each CIS benchmark release changes controls, so check the new references and variables when upgrading. This version targets Python 3 as the default interpreter and carries the configuration needed for that.

For more details, check the Changelog.

Auditing (new)

Auditing can be enabled or disabled in defaults/main.yml with the setup_audit and run_audit variables; both default to false. See the wiki for details. The defaults file also limits the audit checks to the controls that are enabled in the role.

The audit uses goss, a small (about 12 MB) Go binary, together with the role's goss configuration, so no additional tooling has to be installed on the host.

The audit checks configuration settings and verifies that the corresponding services are running as expected, which reduces false positives.

Check out AMAZON2023-CIS-Audit for more information.

Documentation

Requirements

Amazon 2023

  • Ability to download or add the Goss binary and content to the system if using auditing (other methods to transfer this content are available).

CentOS Stream - Generally compatible but not officially supported. Set this variable:

os_check: false

General:

  • Basic knowledge of Ansible.

  • Have Ansible and/or Tower installed and working properly, with all required settings and packages in place.

  • Review the tasks in this role to understand how each control works, as some can disrupt a live system. Also, familiarize yourself with the variables in the defaults/main.yml file.

Technical Dependencies:

  • Python 3
  • Ansible 2.10+
  • python3-libselinux (installed in prerequisites if needed)
  • Collections specified in collections/requirements.yml

Pre-commit is available for pull request testing if installed on your host.

Role Variables

This role is designed so users don’t have to edit the tasks directly. Customization should be done by changing the necessary variables in the defaults/main.yml file (e.g., using inventory, group_vars, extra_vars).

Tags

Many tags are available for more precise control. Each control has its own set of tags indicating its level, if it’s scored or not, which OS element it’s related to, if it’s a patch or audit, and its rule number.

Here's an example of the tag section from a control within this role. If you skip all controls with the tag “services,” this task won’t run. Conversely, you can choose to run only controls tagged with “services.”

      tags:
      - level1-server
      - level1-workstation
      - scored
      - avahi
      - services
      - patch
      - rule_2.2.4
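The level tags (level1-server, level2-server) and the per-control tags above are all selected with the same ansible-playbook --tags/--skip-tags mechanism, and the two options interact in ways the list does not show (--skip-tags wins over --tags, always-tagged tasks run regardless, never-tagged tasks run only when asked for). The following Python is an added example, not code from this role or from Ansible: it reimplements the selection rule Ansible applies in Taggable.evaluate_tags over a constructed task list so you can preview a tag combination before running it on a live system. The rule_2.2.4 entry reproduces the tag block quoted above; every entry named hypothetical_* is invented for the example, and site.yml is a hypothetical playbook name.

```python
"""Preview which controls an ansible-playbook --tags/--skip-tags selection runs.

Added example for this README; it is not code from ansible-lockdown or from
Ansible itself. The selection rule below reimplements the logic in Ansible's
Taggable.evaluate_tags and applies it to a constructed task list.
"""
from typing import Dict, Iterable, List

UNTAGGED = frozenset({"untagged"})

# Constructed task list. "rule_2.2.4" reproduces the tag block quoted in this
# README; every "hypothetical_*" entry is invented here to show the special
# tags and is not a control from the role.
TASKS: Dict[str, List[str]] = {
    "rule_2.2.4": ["level1-server", "level1-workstation", "scored", "avahi",
                   "services", "patch", "rule_2.2.4"],
    "hypothetical_level2_rule": ["level2-server", "level2-workstation",
                                 "scored", "patch"],
    "hypothetical_prelim": ["always"],           # runs whatever is selected
    "hypothetical_opt_in": ["never", "opt_in"],  # runs only when named in --tags
}


def evaluate_tags(task_tags: Iterable[str], only_tags: Iterable[str] = (),
                  skip_tags: Iterable[str] = ()) -> bool:
    """Return True if a task carrying task_tags runs for the given selection.

    With no --tags on the command line Ansible behaves as if --tags all were
    given; --skip-tags is evaluated afterwards and wins over --tags.
    """
    tags = frozenset(task_tags) or UNTAGGED
    only = frozenset(only_tags) or frozenset({"all"})
    skip = frozenset(skip_tags)

    if "always" in tags:
        run = True
    elif "all" in only and "never" not in tags:
        run = True
    elif tags & only:
        run = True
    elif "tagged" in only and tags != UNTAGGED and "never" not in tags:
        run = True
    else:
        run = False

    if run and skip:
        if "all" in skip:
            # --skip-tags all keeps only always-tagged tasks, unless always is skipped too
            run = "always" in tags and "always" not in skip
        elif tags & skip:
            run = False
        elif "tagged" in skip and tags != UNTAGGED:
            run = False
    return run


def select_tasks(tasks: Dict[str, List[str]], only_tags: Iterable[str] = (),
                 skip_tags: Iterable[str] = ()) -> List[str]:
    """Names of the tasks that would run, in play order."""
    return [name for name, tags in tasks.items()
            if evaluate_tags(tags, only_tags, skip_tags)]


def playbook_args(only_tags: Iterable[str] = (),
                  skip_tags: Iterable[str] = ()) -> str:
    """The --tags/--skip-tags fragment to pass to ansible-playbook."""
    parts = []
    if only_tags:
        parts.append("--tags " + ",".join(only_tags))
    if skip_tags:
        parts.append("--skip-tags " + ",".join(skip_tags))
    return " ".join(parts)


def main() -> None:
    cases = [
        ([], []),                              # no selection: everything but "never"
        (["level1-server"], []),               # level 1 server controls only
        (["level1-server"], ["services"]),     # level 1 minus the services section
        ([], ["services"]),                    # everything minus the services section
        (["opt_in"], []),                      # explicitly requested opt-in task
    ]
    for only, skip in cases:
        # site.yml is a hypothetical playbook that applies the role
        print(f"ansible-playbook site.yml {playbook_args(only, skip)}".rstrip())
        for name in select_tasks(TASKS, only, skip):
            print("   ", name)


if __name__ == "__main__":
    main()
```

The same preview against the real role, without simulating anything, is ansible-playbook --list-tasks with the tags you intend to use; the simulation is only there to make the precedence rules visible.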

Community Contribution

We welcome community contributions to this role. Please follow these rules:

  • Work in your own branch. Ensure all your commits are signed-off and GPG signed before merging.
  • All community pull requests go into the devel branch.
  • Pull requests into devel must include a GPG signature, signed-off commits, and pass a functional test before approval.
  • Once changes are merged and reviewed, an authorized member will move them to the main branch for a new release.

Known Issues

A default installation has no root password set, which can cause the preliminary checks to fail. Set a root password, hashed with the algorithm the benchmark expects, before running the role.

CIS Documented Controls:

  • 1.2.2 and 1.2.4 relate to default repositories and may prevent patching.
  • 6.1.1 and 6.1.2 are the same. Therefore, section 6 has only 12 items compared to the documentation.

Pipeline Testing

The pipeline uses:

  • Ansible core 2.12
  • Ansible collections - pulls the latest version based on the requirements file
  • Runs audits using the devel branch
  • Executes pre-commit checks on pull requests to ensure everything is set up correctly
  • Automated tests are conducted for pull requests into devel

Local Testing

  • Ansible:

    • ansible-base 2.10.17 - python 3.8
    • ansible-core 2.13.4 - python 3.10
    • ansible-core 2.15.1 - python 3.11

Additional Features

  • pre-commit can be run from within the repository directory:

      pre-commit run

Install

      ansible-galaxy install ansible-lockdown.amazon2023_cis

License

MIT

Owner

Lockdown is a security baseline automation project sponsored by Tyto Athene.