# anthcourtney.cis-amazon-linux
## Build Status

| Branch | Status |
|---|---|
| Master | |
| Build | |
## Development
We will only use the "master" branch for fully tested changes.
Please send your pull requests to the "build" branch moving forward.
We need more community help to make changes and especially to test and review them. If you're interested in contributing, please reach out to Anth or Chandan.
The main tasks ahead include:
- Updating to CIS Benchmark v2.2.0
- Supporting Ansible 2.5 and later
- Ensuring compatibility with Amazon Linux 2 LTS
## Introduction
This Ansible role applies version 2.0.0 of the CIS Amazon Linux Benchmark. More details can be found here.
This role has been developed and successfully tested with Amazon Linux 2016.03 and 2016.09.
## Why Use This Role?
If you need to comply with security standards like PCI DSS, APRA, or ISO 27001, you need to show that you have applied recognized security practices to relevant systems.
If you're using Amazon Linux, this role helps you meet part of those compliance requirements.
## Important Note
If you plan to use this role on servers, you should be familiar with the CIS Benchmark (or similar benchmarks) and understand the possible effects on your systems.
Take time to understand the standards and default settings, and consider excluding anything that might not be suitable for your system.
Some items to consider excluding or modifying include:
- 3.4.2 and 3.4.3, which restrict access to the host to localhost only (including SSH).
## Amazon Linux and SELinux

By default, SELinux is disabled in Amazon Linux.

To enable it, edit `/boot/grub/menu.lst` and change `selinux=0` to `selinux=1`.

Then, create the following file:

```
touch /etc/selinux/config
```

Also, install this package so the Ansible SELinux module works:

```
yum install libselinux-python
```

A reboot is necessary for the changes to take effect.
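The manual SELinux steps above can be carried out by Ansible itself before the role runs. The following playbook is an added example, not part of the role; it assumes an inventory group named `amazon_linux` and that the GRUB legacy `menu.lst` path given above is in use:

```yaml
---
# Added example (not from the anthcourtney.cis-amazon-linux role):
# prepare SELinux on Amazon Linux, then apply the role with the
# localhost-only recommendations excluded.
- hosts: amazon_linux          # assumed inventory group
  become: yes
  gather_facts: true
  vars:
    cis_level_1_exclusions:
      - 3.4.2
      - 3.4.3
  pre_tasks:
    - name: Enable SELinux on the kernel command line (GRUB legacy menu.lst)
      replace:
        path: /boot/grub/menu.lst
        regexp: '\bselinux=0\b'
        replace: 'selinux=1'
        backup: yes           # keep a copy of the original boot config
      register: grub_cmdline

    - name: Ensure /etc/selinux/config exists
      file:
        path: /etc/selinux/config
        state: touch

    - name: Install libselinux-python so the Ansible selinux module works
      yum:
        name: libselinux-python
        state: present

    # The reboot module requires Ansible 2.7 or later; on older versions
    # reboot the host manually after this play and rerun it.
    - name: Reboot so the new kernel parameter takes effect
      reboot:
      when: grub_cmdline.changed
  roles:
    - anthcourtney.cis-amazon-linux
```

Because `replace` only reports a change when `selinux=0` is actually present, rerunning the play on an already-enabled host skips the reboot.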
## Example Playbook

Here's a basic example of a playbook that uses this role:

```yaml
---
- hosts: localhost
  connection: local
  gather_facts: true
  become: yes
  roles:
    - anthcourtney.cis-amazon-linux
```
A more advanced example with some modified defaults is:

```yaml
---
- hosts: localhost
  connection: local
  gather_facts: true
  become: yes
  vars:
    cis_level_1_exclusions:
      - 5.4.4
      - 3.4.2
      - 3.4.3
      - 6.2.13
    cis_pass_max_days: 45
    cis_umask_default: 002
  roles:
    - anthcourtney.cis-amazon-linux
```

Note: `become: yes` is necessary, as most tasks need elevated privileges.
## Role Variables

Refer to `defaults/main.yml` for the variables you can change to suit your needs.
## Options

You can use tags to run specific levels of the CIS standard, sections, or individual recommendations. For example:

- To run only Level 1 tasks: `ansible-playbook playbook.yml -t level-1`
- To run only Section 3 tasks: `ansible-playbook playbook.yml -t section-3`
- To run specific recommendations such as 1.3.1 and 2.2.10: `ansible-playbook playbook.yml -t 1.3.1,2.2.10`
- To run only scored tasks: `ansible-playbook playbook.yml -t scored`
## Limitations
Currently, only Level 1 items from the benchmark are implemented. Level 2 items will be added when possible.
Some checks are deliberately not implemented:
- Firewall rules, because they are environment specific.
- Logging decisions, because they are environment specific.
- In-line editing of certain config files, which is avoided so that the role does not make imprecise changes.
## Compatibility
This role works with Ansible versions:
- 2.3
- 2.4
- 2.5
- 2.6
- 2.7
It has not been tested on other versions.
## Testing

The developer applies these testing methods:
- Check syntax: `make syntax`
- Run ansible-review: `make review`
- Test against Docker containers with different Ansible versions: `make test`
Pending tests:
- Test on Vagrant images using the ansible provisioner.
## Lint

Run `make lint` to ensure compliance with Ansible standards.
## License
MIT License.
## Author Information
This role was developed by Anth Courtney.
Feedback, issues, and pull requests are welcomed and appreciated.
Galaxy summary: Implement CIS Amazon Linux V2 Benchmark

Install the role from Ansible Galaxy with:

```
ansible-galaxy install anthcourtney.cis-amazon-linux
```