ansible-role-cis copied to clipboard
Apply and/or check recommendations from the CIS benchmarks.
Ansible role cis
Apply and/or check recommendations from the CIS benchmarks.
GitHub | GitLab | Downloads | Version |
Example Playbook
This example is taken from molecule/default/converge.yml
and is tested on each push, pull request and release.
- name: Converge
hosts: all
become: true
gather_facts: true
- defaults.yml
- role: robertdebock.cis
The machine needs to be prepared. In CI this is done using molecule/default/prepare.yml
- name: Prepare
hosts: all
become: true
gather_facts: false
- role: robertdebock.bootstrap
- role: robertdebock.cron
- role: robertdebock.update
Also see a full explanation and example on how to use these roles.
Role Variables
The default values for the variables are set in defaults/main.yml
# defaults file for cis
# The CIS guidelines determines many settings of a system. The values used in
# this file will make a system compliant to the CIS specifications.
# There are many reasons why you do not want to adhere to one or more specific
# rules. You can overwrite values in you group_vars, host_vars, inventory or
# playbook.
# Ensure mounting of cramfs filesystems is disabled (Scored)
cis_cramfs_disabled: true
# Ensure mounting of vFAT filesystems is limited (Not Scored)
cis_vfat_disabled: true
# Ensure mounting of squashfs filesystems is disabled (Scored)
cis_squashfs_disabled: true
# Ensure mounting of udf filesystems is disabled (Scored)
cis_udf_disabled: true
# 1.1.2 Ensure /tmp is configured (Scored)
cis_tmp_configured: true
# 1.1.3 Ensure nodev option set on /tmp partition (Scored)
cis_tmp_nodev: true
# 1.1.4 Ensure nosuid option set on /tmp partition (Scored)
cis_tmp_nosuid: true
# 1.1.5 Ensure noexec option set on /tmp partition (Scored)
cis_tmp_noexec: true
# 1.1.6 Ensure separate partition exists for /var (Scored)
cis_var_partition: true
# 1.1.7 Ensure separate partition exists for /var/tmp (Scored)
cis_var_tmp_partition: true
# 1.1.8 Ensure nodev option set on /var/tmp partition (Scored)
cis_var_tmp_nodev: true
# 1.1.9 Ensure nosuid option set on /var/tmp partition (Scored)
cis_var_tmp_nosuid: true
# 1.1.10 Ensure noexec option set on /var/tmp partition (Scored)
cis_var_tmp_noexec: true
# 1.1.11 Ensure separate partition exists for /var/log (Scored)
cis_var_log_partition: true
# 1.1.12 Ensure separate partition exists for /var/log/audit (Scored)
cis_var_log_audit_partition: true
# 1.1.13 Ensure separate partition exists for /home (Scored)
cis_home_partition: true
# 1.1.14 Ensure nodev option set on /home partition (Scored)
cis_home_nodev: true
# 1.1.15 Ensure nodev option set on /dev/shm partition (Scored)
cis_dev_shm_nodev: true
# 1.1.16 Ensure nosuid option set on /dev/shm partition (Scored)
cis_dev_shm_nosuid: true
# 1.1.17 Ensure noexec option set on /dev/shm partition (Scored)
cis_dev_shm_noexec: true
# 1.1.18 Ensure nodev option set on removable media partitions (Not Scored)
cis_removable_media_nodev: true
# 1.1.19 Ensure nosuid option set on removable media partitions (Not Scored)
cis_removable_media_nosuid: true
# 1.1.20 Ensure noexec option set on removable media partitions (Not Scored)
cis_removable_media_noexec: true
# 1.1.21 Ensure sticky bit is set on all world-writable directories (Scored)
cis_fix_sticky_bit: true
# 1.1.22 Disable Automounting
cis_disable_automount: true
# 1.1.23 Disable USB Storage (Scored)
cis_usb_storage_disabled: true
# 1.2.1 Ensure GPG keys are configured (Not Scored)
cis_gpg_keys_configured: true
# 1.2.2 Ensure gpgcheck is globally activated (Scored)
cis_gpgcheck_enabled: true
# 1.2.3 Ensure package manager repositories are configured (Not Scored)
cis_repositories_configured: true
# 1.3.1 Ensure sudo is installed (Scored)
cis_sudo_installed: true
# 1.3.2 Ensure sudo commands use pty (Scored)
cis_sudo_use_pty: true
# 1.3.3 Ensure sudo log file exists (Scored)
cis_sudo_logfile: true
# 1.4.1 Ensure AIDE is installed (Scored)
cis_aide_installed: true
# 1.4.2 Ensure filesystem integrity is regularly checked (Scored)
cis_filesystem_integrity_checked: true
# 1.5.1 Ensure permissions on bootloader config are configured (Scored)
cis_permissions_bootloader: true
# 1.5.2 Ensure bootloader password is set (Scored)
cis_bootloader_password_set: true
cis_bootloader_password: changeme
# 1.5.3 Ensure authentication required for single user mode (Scored)
cis_authentication_single_user_mode: true
# 1.6.1 Ensure core dumps are restricted (Scored)
cis_core_dumps_restricted: true
# 1.6.2 Ensure address space layout randomization (ASLR) is enabled (Scored)
cis_aslr_enabled: true
# Ensure SELinux is installed (Scored)
cis_selinux_installed: true
# Ensure SELinux is not disabled in bootloader configuration (Scored)
cis_selinux_not_disabled: true
# Ensure SELinux policy is configured (Scored)
cis_selinux_policy_configured: true
cis_selinux_policy: targeted
# Ensure the SELinux state is enforcing (Scored)
cis_selinux_state_enforcing: true
# Ensure no unconfined services exist (Scored)
cis_no_unconfined_services: true
# Ensure SETroubleshoot is not installed (Scored)
cis_setroubleshoot_not_installed: true
# Ensure the MCS Translation Service (mcstrans) is not installed (Scored)
cis_mcs_translation_service_not_installed: true
# Ensure message of the day is configured properly (Scored)
cis_message_of_the_day_configured: true
cis_message_of_the_day: |
You must have explicit, authorized permission to access or configure this device. Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties. All activities performed on this device are logged and monitored.
# Ensure local login warning banner is configured properly (Scored)
cis_local_login_banner_configured: true
# Ensure remote login warning banner is configured properly (Scored)
cis_remote_login_banner_configured: true
# Ensure permissions on /etc/motd are configured (Scored)
cis_permissions_etc_motd: true
# Ensure permissions on /etc/issue are configured (Scored)
cis_permissions_etc_issue: true
# Ensure permissions on /etc/ are configured (Scored)
cis_permissions_etc_issue_net: true
# 1.8.2 Ensure GDM login banner is configured (Scored)
cis_gdm_login_banner_configured: true
# 1.9 Ensure updates, patches, and additional security software are installed (Not Scored)
cis_updates_installed: true
# 1.10 Ensure system-wide crypto policy is not legacy (Scored)
cis_crypto_policy_not_legacy: true
cis_crypto_policy: FIPS
# 1.11 Ensure system-wide crypto policy is FUTURE or FIPS (Scored)
cis_ensure_crypto_policy: true
# 2.1.1 Ensure xinetd is not installed (Scored)
cis_xinet_not_installed: true
# Ensure time synchronization is in use (Not Scored)
cis_time_synchronization: true
# Ensure chrony is configured (Scored)
cis_chrony_configured: true
cis_chrony_servers: []
- name: ""
options: iburst
# 2.2.2 Ensure X Window System is not installed (Scored)
cis_x_windows_system_not_installed: true
# 2.2.3 Ensure rsync service is not enabled (Scored)
cis_rsync_service_not_enabled: true
# 2.2.4 Ensure Avahi Server is not enabled (Scored)
cis_avahi_server_not_enabled: true
# 2.2.5 Ensure SNMP Server is not enabled (Scored)
cis_snmp_server_not_enabled: true
# 2.2.6 Ensure HTTP Proxy Server is not enabled (Scored)
cis_http_proxy_server_not_enabled: true
# 2.2.7 Ensure Samba is not enabled (Scored)
cis_samba_server_not_enabled: true
# 2.2.8 Ensure IMAP and POP3 server is not enabled (Scored)
cis_imap_and_pop3_server_not_enabled: true
# 2.2.9 Ensure HTTP server is not enabled (Scored)
cis_http_server_not_enabled: true
# 2.2.10 Ensure FTP Server is not enabled (Scored)
cis_ftp_server_not_enabled: true
# 2.2.11 Ensure DNS Server is not enabled (Scored)
cis_dns_server_not_enabled: true
# 2.2.12 Ensure NFS is not enabled (Scored)
cis_nfs_server_not_enabled: true
# 2.2.13 Ensure RPC is not enabled (Scored)
cis_rpc_not_enabled: true
# 2.2.14 Ensure LDAP server is not enabled (Scored)
cis_ldap_server_not_enabled: true
# 2.2.15 Ensure DHCP Server is not enabled (Scored)
cis_dhcp_server_not_enabled: true
# 2.2.16 Ensure CUPS is not enabled (Scored)
cis_cups_not_enabled: true
# 2.2.17 Ensure NIS Server is not enabled (Scored)
cis_nis_server_not_enabled: true
# 2.2.18 Ensure mail transfer agent is configured for local-only mode (Scored)
cis_mta_local_only_mode: true
# 2.3.1 Ensure NIS Client is not installed (Scored)
cis_nis_client_not_installed: true
# 2.3.2 Ensure telnet client is not installed (Scored)
cis_telnet_client_not_installed: true
# 2.3.3 Ensure LDAP client is not installed (Scored)
cis_ldap_client_not_installed: true
# 3.1.1 Ensure IP forwarding is disabled (Scored)
cis_ip_forwarding_disabled: true
# 3.1.2 Ensure packet redirect sending is disabled (Scored)
cis_packet_redirect_sending_disabled: true
# 3.2.1 Ensure source routed packets are not accepted (Scored)
cis_source_routed_packets_not_accepted: true
# 3.2.2 Ensure ICMP redirects are not accepted (Scored)
cis_icmp_redirects_not_accepted: true
# 3.2.3 Ensure secure ICMP redirects are not accepted (Scored)
cis_secure_icmp_redirects_not_accepted: true
# 3.2.4 Ensure suspicious packets are logged (Scored)
cis_suspicious_packets_logged: true
# 3.2.5 Ensure broadcast ICMP requests are ignored (Scored)
cis_broadcast_icmp_requests_ignored: true
# 3.2.6 Ensure bogus ICMP responses are ignored (Scored)
cis_bogus_icmp_responses_ignored: true
# 3.2.7 Ensure Reverse Path Filtering is enabled (Scored)
cis_reverse_path_filtering: true
# 3.2.8 Ensure TCP SYN Cookies is enabled (Scored)
cis_tcp_syn_cookies_enabled: true
# 3.2.9 Ensure IPv6 router advertisements are not accepted (Scored)
cis_ipv6_router_advertisements_not_accepted: true
# 3.3.1 Ensure DCCP is disabled (Scored)
cis_dccp_disabled: true
# 3.3.2 Ensure SCTP is disabled (Scored)
cis_sctp_disabled: true
# 3.3.3 Ensure RDS is disabled (Scored)
cis_rds_disabled: true
# 3.3.4 Ensure TIPC is disabled (Scored)
cis_tipc_disabled: true
# Ensure a Firewall package is installed (Scored)
cis_firewall_package_installed: true
cis_firewall_package: firewalld
# Ensure firewalld service is enabled and running (Scored)
cis_firewalld_enabled_and_running: true
# Ensure nftables is not enabled (Scored)
cis_nftables_not_enabled: true
# Ensure default zone is set (Scored)
cis_default_zone_set: true
cis_default_zone: public
# Ensure network interfaces are assigned to appropriate zone (Not Scored)
cis_firewalld_network_interface_assigned_zones: true
- zone: public
interface: eth0
# Ensure unnecessary services and ports are not accepted (Not Scored)
cis_unnecessary_services_ports_not_accepted: true
- cockpit
- 12345/tcp
# Ensure iptables is not enabled (Scored)
cis_iptables_not_enabled: true
# 3.4.3 Configure nftables
# This section and all the subsection under 3.4.3 is skipped because section
# 3.4.2 (Configure firewalld) and this section 3.4.3 (Configure nftables) are
# mutually exclusive and firewalld is the default, which uses nft as a backend.
# 3.4.4 Configure iptables
# This section and all the subsection under 3.4.4 is skipped because section
# 3.4.2 (Configure firewalld) and this section 3.4.4 (Configure iptables) are
# mutually exclusive and firewalld is the default, which uses nft as a backend.
# 3.5 Ensure wireless interfaces are disabled (Scored)
cis_wireless_interface_disabled: true
# 3.6 Disable IPv6 (Not Scored)
cis_disable_ipv6: true
# Ensure auditd is installed (Scored)
cis_auditd_installed: true
# Ensure auditd service is enabled (Scored)
cis_auditd_service_enabled: true
# Ensure auditing for processes that start prior to auditd is enabled (Scored)
cis_auditing_processes_prior_start: true
# Ensure audit_backlog_limit is sufficient (Scored)
cis_audit_backlog_limit_sufficient: true
# Ensure audit log storage size is configured (Scored)
cis_audit_log_storage_size_configured: true
cis_audit_log_storage_size: 128
# Ensure audit logs are not automatically deleted (Scored)
cis_audit_logs_no_automatically_deleted: true
# Ensure system is disabled when audit logs are full (Scored)
cis_system_disabled_audit_logs_full: true
# 4.1.3 Ensure changes to system administration scope (sudoers) is collected (Scored)
cis_changed_to_system_administrator_scope_collected: true
# 4.1.4 Ensure login and logout events are collected (Scored)
cis_login_and_login_events_collected: true
# 4.1.5 Ensure session initiation information is collected (Scored)
cis_session_initiation_information_collected: true
# 4.1.6 Ensure events that modify date and time information are collected (Scored)
cis_events_modify_time_and_date_collected: true
# 4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected (Scored)
cis_events_modifying_mac_collected: true
# 4.1.8 Ensure events that modify the system's network environment are collected (Scored)
cis_events_modifying_systems_network_collected: true
# 4.1.9 Ensure discretionary access control permission modification events are collected (Scored)
cis_dac_permission_modification_collected: true
# 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected (Scored)
cis_unsuccessful_files_access_collected: true
# 4.1.11 Ensure events that modify user/group information are collected (Scored)
cis_events_modifying_user_group_collected: true
# 4.1.12 Ensure successful file system mounts are collected (Scored)
cis_successful_mounts_collected: true
# 4.1.13 Ensure use of privileged commands is collected (Scored)
cis_privileged_commands_collected: true
# A list of partitions that will be checked. Extend this with all partitions
# that could contain executables.
- /
# 4.1.14 Ensure file deletion events by users are collected (Scored)
cis_file_deletion_users_collected: true
# 4.1.15 Ensure kernel module loading and unloading is collected (Scored)
cis_kernel_module_loading_unloading_collected: true
# 4.1.16 Ensure system administrator actions (sudolog) are collected (Scored)
cis_system_administrator_actions_collected: true
# 4.1.17 Ensure the audit configuration is immutable (Scored)
cis_audit_configuration_immutable: true
# Ensure rsyslog is installed (Scored)
cis_syslog_installed: true
# Ensure rsyslog Service is enabled (Scored)
cis_rsyslog_enabled: true
# Ensure rsyslog default file permissions configured (Scored)
cis_rsyslog_file_permissions_configured: true
# Ensure logging is configured (Not Scored)
cis_logging_configured: true
- rule: |-
destination: |-
- rule: 'auth,authpriv.*'
destination: '/var/log/secure'
- rule: |-
destination: '-/var/log/mail'
- rule: ''
destination: '-/var/log/'
- rule: 'mail.warning'
destination: '-/var/log/mail.warn'
- rule: 'mail.err'
destination: '/var/log/mail.err'
- rule: 'news.crit'
destination: '-/var/log/news/news.crit'
- rule: 'news.err'
destination: '-/var/log/news/news.err'
- rule: 'news.notice'
destination: '-/var/log/news/news.notice'
- rule: |-
destination: '-/var/log/warn'
- rule: |-
destination: '/var/log/warn'
- rule: |-
destination: '-/var/log/messages'
- rule: |-
destination: '-/var/log/localmessages'
- rule: 'local2,local3.*'
destination: '-/var/log/localmessages'
- rule: |-
destination: '-/var/log/localmessages'
- rule: |-
destination: '-/var/log/localmessages'
# Ensure rsyslog is configured to send logs to a remote log host (Scored)
cis_rsyslog_configured_remote_log_host: true
# Ensure rsyslog is configured to send logs to a remote log host (Scored)
# Ensure remote rsyslog messages are only accepted on designated log hosts. (Not Scored)
# This item is not implemented because it would need to run on another host.
# Ensure journald is configured to send logs to rsyslog (Scored)
cis_journald_send_to_rsyslog: true
# Ensure journald is configured to compress large log files (Scored)
cis_journald_compless_log_files: true
# Ensure journald is configured to write logfiles to persistent disk (Scored)
cis_journald_write_logfiles_to_disk: true
# 4.2.3 Ensure permissions on all logfiles are configured (Scored)
cis_permissions_on_logfiles: true
# 4.3 Ensure logrotate is configured (Not Scored)
cis_logrotate_configured: true
- name: dnf
# 5.1.1 Ensure cron daemon is enabled (Scored)
cis_cron_enabled: true
# 5.1.2 Ensure permissions on /etc/crontab are configured (Scored)
cis_cron_permissions_configured: true
# 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored)
cis_cron_hourly_permissions_configured: true
# 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored)
cis_cron_daily_permissions_configured: true
# 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored)
cis_cron_weekly_permissions_configured: true
# 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored)
cis_cron_monthly_permissions_configured: true
# 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored)
cis_cron_d_permissions_configured: true
- pip packages listed in requirements.txt.
State of used roles
The following roles are used to prepare a system. You can prepare your system in another way.
Requirement | GitHub | GitLab |
robertdebock.bootstrap | ||
robertdebock.cron | ||
robertdebock.update |
This role is a part of many compatible roles. Have a look at the documentation of these roles for further information.
Here is an overview of related roles:
This role has been tested on these container images:
container | tags |
EL | 8, 9 |
The minimum version of Ansible required is 2.12, tests have been done to:
- The previous version.
- The current version.
- The development version.
If you find issues, please register them in GitHub.
Author Information
Please consider sponsoring me.