diff --git a/CIS/centos7/exceptions.yml b/CIS/centos7/exceptions.yml
deleted file mode 100644
index 7b36fb9a2..000000000
--- a/CIS/centos7/exceptions.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-- name: "5.5.2 | L1 | EXCEPTION | Ensure system accounts are secured | Set nologin"
- user:
- name: "postgres"
- shell: /bin/bash
- become: true
- when: inventory_hostname == "scheduler" # and PBS
- tags:
-# - always
- - rule_5.5.2
diff --git a/CIS/centos7/main.yml b/CIS/centos7/main.yml
deleted file mode 100644
index 2d420ab49..000000000
--- a/CIS/centos7/main.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-- name: Apply CentOS7 CIS hardening
- hosts: scheduler, ondemand, grafana, robinhood, lustre*
- become: true
- vars:
- is_container: false
- vars_files:
- - vars.yml
-
- roles:
- - role: "{{ CIS_playbook_dir }}"
-
- tasks:
- - include: exceptions.yml
-
diff --git a/CIS/centos7/rules.yml b/CIS/centos7/rules.yml
deleted file mode 100644
index 8502e501b..000000000
--- a/CIS/centos7/rules.yml
+++ /dev/null
@@ -1,100 +0,0 @@
----
-rulesets:
- - name: "audit"
- rules:
- - audit
-
- - name: "lot1"
- rules:
- - cramfs
- - squashfs
- - udf
- - mounts
- - banner
- - rule_1.1.3
- - rule_1.1.4
- - rule_1.1.5
- - rule_1.1.6
- - rule_1.1.22
- - aide
- - rule_1.4.2
- - rule_1.5.2
- - rule_1.5.3
-
- - name: "lot2"
- rules:
- - sysctl
- - rule_1.2.1
- - rule_1.2.2
- - rule_1.2.3
- - rule_1.6.1.1
- - rule_1.6.1.6
- - rule_1.6.1.7
- - rule_1.6.1.8
- - perms
- - rule_2.1.1
- - rule_3.1.2
- - rule_3.4.1
- - rule_3.4.2
-
- - name: "lot3"
- rules:
- - auditd
- - journald
- - rule_4.2.1.3
-
- - name: "lot4"
- rules:
- - ssh
-
- - name: "lot5"
- rules:
- - rule_2.2.1.1
- - rule_2.2.2
- - services
- - rule_2.2.16
- - rule_2.3.1
- - rule_2.3.2
- - rule_2.3.3
- - rule_2.3.4
- - rule_3.5.1.1
- - rule_3.5.1.2
- - rule_3.5.1.3
- - rule_3.5.2.11
-
- - name: "lot6"
- rules:
- - rule_5.1.2
- - rule_5.1.3
- - rule_5.1.4
- - rule_5.1.5
- - rule_5.1.6
- - rule_5.1.7
- - rule_5.1.9
- - rule_5.2.2
- - rule_5.2.3
-
- - name: "lot7"
- rules:
- - rule_5.4.1
- - rule_5.4.2
- - rule_5.4.4
- - rule_5.5.1.1
- - rule_5.5.1.2
- - rule_5.5.1.4
-# - rule_5.5.2 # do not applied as it breaks PBS
- - rule_5.5.4
- - rule_5.5.5
-
- - name: "lot8"
- rules:
- - rule_6.1.4
- - rule_6.1.5
- - rule_6.2.12
- - rule_6.2.13
-
- - name: "debug"
- rules:
- - rule_1.6.1.6
- - rule_1.6.1.7
- - rule_1.6.1.8
diff --git a/CIS/centos7/vars.yml b/CIS/centos7/vars.yml
deleted file mode 100755
index 0f67d56a3..000000000
--- a/CIS/centos7/vars.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-setup_audit: true
-run_audit: true
-rhel7cis_firewall: firewalld # This will avoid running rules 3.5.2 for nftables and 3.5.3.1.x for iptables
-# RHEL-07-4.2.1.4/4.2.1.5 remote and destation log server name
-rhel7cis_remote_log_server:
-
-# Don't disable SE Linux as whole but instead disable only rules needed (1.6x)
-#rhel7cis_selinux_disable: true
-rhel7cis_rule_1_6_1_3: false # Ensure SELinux policy is configured
-rhel7cis_rule_1_6_1_4: false # Ensure the SELinux state is enforcing or permissive
-rhel7cis_rule_1_6_1_5: false # Ensure the SELinux state is enforcing
-
-rhel7cis_rule_2_2_17: false # Ensure nfs-utils is not installed or the nfs-server service is masked
-rhel7cis_rule_2_2_18: false # Ensure rpcbind is not installed or the rpcbind services are masked
-rhel7cis_rule_2_2_19: false # Ensure rsync is not installed or the rsyncd services are masked
-
-rhel7cis_rule_3_5_1_4: false # Ensure firewalld service is enabled and running
-rhel7cis_rule_3_5_1_5: false
-rhel7cis_rule_3_5_1_6: false
-rhel7cis_rule_3_5_1_7: false
-
-# auditd settings
-rhel7cis_auditd:
- space_left_action: rotate
- action_mail_acct: root
- admin_space_left_action: suspend
- max_log_file_action: rotate
-
-rhel7cis_rule_5_3_4: false # Ensure SSH access is limited
-rhel7cis_rule_5_3_8: false
-rhel7cis_rule_5_3_9: false
-rhel7cis_rule_5_3_12: false
-rhel7cis_rule_5_3_16: false
-#rhel7cis_rule_5_3_17: false # Ensure SSH LoginGraceTime is set to one minute or less
-rhel7cis_rule_5_3_19: false
-#rhel7cis_rule_5_3_20: false # Ensure SSH AllowTcpForwarding is disabled
-#rhel7cis_rule_5_3_21: false # Ensure SSH MaxStartups is configured
-rhel7cis_rule_5_3_22: false
-
-# RHEL-07-5.5.4
-# Session timeout setting file (TMOUT setting can be set in multiple files)
-# Timeout value is in seconds. (60 seconds * 30 = 900)
-rhel7cis_shell_session_timeout:
- file: /etc/profile.d/tmout.sh
- timeout: 900
diff --git a/CIS/centos8/exceptions.yml b/CIS/centos8/exceptions.yml
deleted file mode 100644
index cd21505a4..000000000
--- a/CIS/centos8/exceptions.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-
diff --git a/CIS/centos8/main.yml b/CIS/centos8/main.yml
deleted file mode 100644
index 00c48a0eb..000000000
--- a/CIS/centos8/main.yml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-- name: Apply CentOS8 CIS hardening
- hosts: ccportal
- become: true
- vars:
- is_container: false
- vars_files:
- - vars.yml
-
- roles:
- - role: "{{ CIS_playbook_dir }}"
-
- tasks:
- - include: exceptions.yml
diff --git a/CIS/centos8/rules.yml b/CIS/centos8/rules.yml
deleted file mode 100644
index 6951f3427..000000000
--- a/CIS/centos8/rules.yml
+++ /dev/null
@@ -1,80 +0,0 @@
----
-rulesets:
- - name: "urgent"
- rules:
- - rule_1.1.23
- - rule_5.2.10
- - rule_5.5.1.1
- - rule_5.5.1.2
-
- - name: "lot1"
- rules:
- - cramfs
- - mounts
- - aide
- - rule_1.3.2
- - rule_1.3.3
- - rule_1.5.1
- - rule_1.6.1
- - rule_1.6.2
- - rule_1.8.1.2
- - rule_1.8.1.3
- - rule_1.8.2
-
- - name: "lot2"
- rules:
- - rule_2.2.1.2
- - sysctl
- - rule_3.5
-
- - name: "lot3"
- rules:
- - auditd
-
- - name: "lot4"
- rules:
- - rsyslog
- - rule_4.2.2.1
- - rule_4.2.2.2
- - rule_4.2.2.3
- - rule_4.2.3
-
- - name: "lot5"
- rules:
- - rule_5.1.2
- - rule_5.1.3
- - rule_5.1.4
- - rule_5.1.5
- - rule_5.1.6
- - rule_5.1.7
- - rule_5.1.8
- - rule_5.1.8
-
- - name: "lot6"
- rules:
- - rule_5.4.1
- - rule_5.4.2
- - rule_5.4.3
- - rule_5.5.1.1
- - rule_5.5.1.2
- - rule_5.5.1.4
- - rule_5.5.2
- - rule_5.5.5
- - rule_6.2.3
-
- - name: "ssh"
- rules:
- - rule_5.2.10
- - rule_5.2.14
- - rule_5.2.15
- - rule_5.2.17
- - rule_5.2.18
- - rule_5.2.19
- - rule_5.2.3
- - rule_5.2.6
- - rule_5.2.7
-
-
- - name: "audit"
- rules:
- - audit
diff --git a/CIS/centos8/vars.yml b/CIS/centos8/vars.yml
deleted file mode 100755
index 9e995351a..000000000
--- a/CIS/centos8/vars.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-setup_audit: true
-run_audit: true
-rhel8cis_selinux_disable: false
-
-# Keep crypto policy to legacy as it breaks cloning from github.com
-rhel8cis_rule_1_10: false
-rhel8cis_rule_1_11: false
-
-#rhel8cis_firewall: firewalld # This will avoid running rules 3.5.2 for nftables and 3.5.3.1.x for iptables
-
-# RHEL-08-4.2.1.4/4.2.1.5 remote and destation log server name
-rhel8cis_remote_log_server:
-# rsyslog rules
-rule_4.2.1.4: false
-rule_4.2.1.6: false
-
-rhel8cis_auditd:
- space_left_action: rotate
- action_mail_acct: root
- admin_space_left_action: suspend
- max_log_file_action: rotate
-
-# The max_log_file parameter should be based on your sites policy
-rhel8cis_max_log_file_size: 100
\ No newline at end of file
diff --git a/CIS/harden.sh b/CIS/harden.sh
deleted file mode 100755
index edd62eaeb..000000000
--- a/CIS/harden.sh
+++ /dev/null
@@ -1,63 +0,0 @@
-#!/bin/bash
-THIS_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-os=$1
-lot=$2
-azhop_playbooks=$THIS_DIR/../playbooks
-
-function usage() {
- echo "Usage: $0 "
- echo " os: centos7 | centos8"
- echo " lot: lot1 | lot2 | lot3"
- exit 1
-}
-
-if [ -z "$os" ]; then
- usage
-fi
-
-if [ -z "$lot" ]; then
- usage
-fi
-
-var_name=CIS_PLAYBOOK_DIR_${os}
-if [ -z "${!var_name}" ]; then
- echo "The $var_name environment variable is not set. Please set (export $var_name=foo) it to the directory where the CIS playbooks for OS $os are stored."
- exit 1
-fi
-
-RULES=$THIS_DIR/$os/rules.yml
-echo "Using CIS playbooks from ${!var_name}"
-
-function appply_rules() {
- lot=$1
- echo "Applying tags for lot $lot"
- if [ -z "$lot" ]; then
- echo "No lot to apply"
- return
- fi
-
- # Get the rules for the lot
- if [ "$lot" == "all" ]; then
- eval_str=".rulesets[].rules"
- else
- eval_str=".rulesets[] | select(.name == "\"$lot"\").rules"
- fi
-
- readarray rules < <(yq eval "$eval_str" $RULES)
- if [ -z "$rules" ]; then
- echo "No rules found for lot $lot"
- exit 1
- fi
-
- echo "Applying rules for lot $lot"
- for rule in "${rules[@]}"; do
- tag=$(echo "$rule" | cut -d'-' -f 2)
- tags+="$tag,"
- done
- tags+=" run_audit"
-
- echo "Applying tags: $tags"
- ansible-playbook -i $azhop_playbooks/inventory -i $azhop_playbooks/inventory.cis.yml $THIS_DIR/$os/main.yml --tags "$tags" -e "CIS_playbook_dir=${!var_name}" #--list-tasks
-}
-
-appply_rules $lot
diff --git a/CIS/readme.md b/CIS/readme.md
deleted file mode 100644
index 6ae8a861f..000000000
--- a/CIS/readme.md
+++ /dev/null
@@ -1,78 +0,0 @@
-# How to harden az-hop always running Virtual Machines
-
-The Azure marketplace images used in `az-hop` are not hardened by default. This is fine if you want to run a demo or a prototype environemnt, but it's not when moving into production. While you can use your own hardened custom images for running all the `az-hop` infrastructure images, as we don't know how you configured your OS, you may have issues when running the install playbooks or when using the environment.
-The current recipes provided in this folder are based on the CIS benchmarks, implemented as ansible playbooks located here [https://github.com/ansible-lockdown](https://github.com/ansible-lockdown). It's safe and tested to apply these rules once an environment have been installed.
-
-## Clone repos
-The `ansible-lockdown` github repos are not included in `az-hop` and need to be cloned in a dedicated folder in the deployer machine.
-
-- clone RHEL7-CIS and RHEL8-CIS repos, each in their own directories
-
-```bash
-cd
-git clone https://github.com/ansible-lockdown/RHEL7-CIS.git
-git clone https://github.com/ansible-lockdown/RHEL8-CIS.git
-```
-
-## Update playbooks
-> Note: These updates are now integrated in the devel branch of these repos
-
-Update task *Show Audit Summary* in file `/RHEL7-CIS/tasks/main.yml` as follow :
-
-```yml
-- name: Show Audit Summary
- debug:
- msg: "{{ audit_results.split('\n') }}"
- when:
- - run_audit
- tags:
- - run_audit
-```
-
-In the file `/RHEL8-CIS/tasks/main.yml` add the `run_audit` tag on tasks :
-- pre_remediation_audit.yml
-- post_remediation_audit.yml
-- Show Audit Summary
-
-For example :
-```yml
-- import_tasks: post_remediation_audit.yml
- when:
- - run_audit
- tags:
- - run_audit
-```
-
-In the file `/RHEL8-CIS/tasks/pre_remediation_audit.yml` update lines with `ansible_distribution_major_version == 7` and `ansible_distribution_major_version == 8` and add quotes around numbers `7` and `8`
-
-For example :
-
-```yml
-- name: If using git for content set up
- block:
- - name: Install git (rh8 python3)
- package:
- name: git
- state: present
- when: ansible_distribution_major_version == '8'
-```
-
-## Set environment variables
-
-Define both environment variables `CIS_PLAYBOOK_DIR_centos7` and `CIS_PLAYBOOK_DIR_centos8`
-
-```bash
-export CIS_PLAYBOOK_DIR_centos7=/RHEL7-CIS
-export CIS_PLAYBOOK_DIR_centos8=/RHEL8-CIS
-```
-
-## Apply remediations
-Applying remediations can be done by chuncks or all together with the helper script `harden.sh` located in the `/CIS` directory.
-
-To apply hardening run these commands from the azhop root dir :
-
-```bash
-./CIS/harden.sh centos7 all
-./CIS/harden.sh centos8 all
-```
-
diff --git a/azhop_state.sh b/azhop_state.sh
index 207177006..bc2f0da24 100755
--- a/azhop_state.sh
+++ b/azhop_state.sh
@@ -95,7 +95,6 @@ case $COMMAND in
 mkdir -p $STATE_DIR/playbooks/group_vars
 cp playbooks/group_vars/all.yml $STATE_DIR/playbooks/group_vars
 cp playbooks/inventory $STATE_DIR/playbooks
- cp playbooks/inventory.cis.yml $STATE_DIR/playbooks
 mkdir -p $STATE_DIR/tf
 cp tf/terraform.tfstate $STATE_DIR/tf
 mkdir -p $STATE_DIR/bin
diff --git a/tf/outputs.tf b/tf/outputs.tf
index cdd4963ab..1025c5a56 100644
--- a/tf/outputs.tf
+++ b/tf/outputs.tf
@@ -15,14 +15,6 @@ resource "local_file" "AnsibleInventory" {
 )
 filename = "${local.playbook_root_dir}/inventory"
 }
-resource "local_file" "CISInventory" {
- content = templatefile("${local.playbooks_template_dir}/inventory.cis.tmpl",
- {
- lustre-oss-count = 0
- }
- )
- filename = "${local.playbook_root_dir}/inventory.cis.yml"
-}
 resource "local_file" "global_variables" {
 content = templatefile("${local.playbooks_template_dir}/global_variables.tmpl",
diff --git a/tf/templates/inventory.cis.tmpl b/tf/templates/inventory.cis.tmpl
deleted file mode 100644
index fda86996a..000000000
--- a/tf/templates/inventory.cis.tmpl
+++ /dev/null
@@ -1,15 +0,0 @@
-all:
- hosts:
- jumpbox:
- rhel7cis_openldap_clients_required: true
- rhel7cis_rule_5_3_20: false # Don't disable SSH AllowTcpForwarding
- scheduler:
- rhel7cis_openldap_clients_required: true
- ondemand:
- rhel7cis_httpd_server: true
- rhel7cis_openldap_clients_required: true
- rhel7cis_xwindows_required: true
- grafana:
- rhel7cis_openldap_clients_required: true
- rhel7cis_xwindows_required: true
- ccportal: