From 6e932978c20c05e0a2119525e84bd843236f8934 Mon Sep 17 00:00:00 2001
From: Ali Baker
Date: Mon, 11 Jan 2021 23:34:58 +0200
Subject: [PATCH 1/4] =?UTF-8?q?Add=20chrony,=20systemd-timesyncd=20tasks?=
 =?UTF-8?q?=20=E2=9C=A8?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 files/templates/chrony.conf.j2 | 59 +++++++++++++++++++++
 files/templates/greeter.dconf-defaults.j2 | 1 +
 files/templates/ntp.conf.j2 | 1 +
 files/templates/timesyncd.conf.j2 | 4 ++
 tasks/section_2_Services.yaml | 62 ++++++++++++++++++++---
 5 files changed, 120 insertions(+), 7 deletions(-)
 create mode 100644 files/templates/chrony.conf.j2
 create mode 100644 files/templates/timesyncd.conf.j2
diff --git a/files/templates/chrony.conf.j2 b/files/templates/chrony.conf.j2
new file mode 100644
index 0000000..546da94
--- /dev/null
+++ b/files/templates/chrony.conf.j2
@@ -0,0 +1,59 @@
+# {{ ansible_managed }}
+
+driftfile {{ chrony_driftfile }}
+
+{% for server in chronyservers_preferred %}
+{% if server is search('pool') %}
+pool {{ server }} iburst prefer
+{% else %}
+server {{ server }} iburst prefer
+{% endif %}
+{% endfor %}
+{% for server in chronyservers %}
+{% if server is search('pool') %}
+pool {{ server }} iburst
+{% else %}
+server {{ server }} iburst
+{% endif %}
+{% endfor %}
+
+# Ignore stratum in source selection.
+stratumweight 0
+
+# Record the rate at which the system clock gains/losses time.
+driftfile {{ chrony_driftfile }}
+
+# Enable kernel RTC synchronization.
+rtcsync
+
+# This directive tells 'chronyd' to parse the 'adjtime' file to find out if the
+# real-time clock keeps local time or UTC. It overrides the 'rtconutc' directive.
+hwclockfile /etc/adjtime
+
+# In first three updates step the system clock instead of slew
+# if the adjustment is larger than 10 seconds.
+makestep 10 3
+
+# Stop bad estimates upsetting machine clock.
+maxupdateskew 100.0
+
+# Allow NTP client access from local network.
+#allow 192.168/16
+
+# Listen for commands only on localhost.
+bindcmdaddress 127.0.0.1
+bindcmdaddress ::1
+
+# Serve time even if not synchronized to any NTP server.
+#local stratum 10
+
+keyfile {{ chrony_keys }}
+
+# Disable logging of client accesses.
+noclientlog
+
+# Send a message to syslog if a clock adjustment is larger than 0.5 seconds.
+logchange 0.5
+
+logdir {{ chrony_log_dir }}
+#log measurements statistics tracking
diff --git a/files/templates/greeter.dconf-defaults.j2 b/files/templates/greeter.dconf-defaults.j2
index 676680c..d9ca5fa 100644
--- a/files/templates/greeter.dconf-defaults.j2
+++ b/files/templates/greeter.dconf-defaults.j2
@@ -1,3 +1,4 @@
+# {{ ansible_managed }}
 # These are the options for the greeter session that can be set
 # through GSettings. Any GSettings setting that is used by the
 # greeter session can be set here.
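Review bot: `driftfile {{ chrony_driftfile }}` is emitted twice in this template, once right after the `ansible_managed` header and again under `# Record the rate at which the system clock gains/losses time.`; keep only the commented occurrence so the rendered chrony.conf does not carry a duplicate directive. `logdir {{ chrony_log_dir }}` is paired only with the commented-out `#log measurements statistics tracking`, so nothing is written there; either drop `logdir` or add a template comment stating that logging is intentionally off. The `server is search('pool')` test matches any hostname that contains the substring `pool`, not only pool names, which deserves a comment such as `{# hosts whose name contains "pool" are declared with the pool directive #}` so a maintainer does not read it as a pool-type check.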
diff --git a/files/templates/ntp.conf.j2 b/files/templates/ntp.conf.j2
index 9853d75..ef380c7 100644
--- a/files/templates/ntp.conf.j2
+++ b/files/templates/ntp.conf.j2
@@ -1,3 +1,4 @@
+# {{ ansible_managed }}
 # /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
 
 driftfile /var/lib/ntp/ntp.drift
diff --git a/files/templates/timesyncd.conf.j2 b/files/templates/timesyncd.conf.j2
new file mode 100644
index 0000000..1aaa049
--- /dev/null
+++ b/files/templates/timesyncd.conf.j2
@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+[Time]
+NTP={{ timesync_ntp_hosts | default("") | join(" ") }}
+FallbackNTP={{ timesync_fallback_ntp_hosts | join(" ") }}
diff --git a/tasks/section_2_Services.yaml b/tasks/section_2_Services.yaml
index 644275b..1deb3e0 100644
--- a/tasks/section_2_Services.yaml
+++ b/tasks/section_2_Services.yaml
@@ -58,6 +58,8 @@
 name: "ntp"
 state: started
 enabled: true
+ when: "{{enableNTP}}"
+
 tags:
 - section2
 - level_1_server
@@ -72,8 +74,28 @@
 # This recommendation only applies if timesyncd is in use on the system
 # Only one time synchronization method should be in use on the system
 - name: 2.2.1.2 Ensure systemd-timesyncd is configured
- debug:
- msg: Skip this, since we are using ntp
+ block:
+ - name: 2.2.1.2 Ensure systemd-timesyncd is configured | install systemd-timesyncd
+ apt:
+ name: systemd-timesyncd
+ state: present
+ - name: 2.2.1.2 Ensure systemd-timesyncd is configured | set timezone
+ timezone:
+ name: "{{ timesync_timezone }}"
+ - name: 2.2.1.2 Ensure systemd-timesyncd is configured | Configure systemd-timesyncd
+ template:
+ src: files/templates/timesyncd.conf.j2
+ dest: /etc/systemd/timesyncd.conf
+ mode: 0644
+ owner: root
+ group: root
+ notify: reloadTimesyncd
+ - name: 2.2.1.2 Ensure systemd-timesyncd is configured | Start and enable systemd-timesyncd
+ service:
+ name: systemd-timesyncd.service
+ enabled: yes
+ state: started
+ when: "{{enable_systemdtimesyncd}} == True"
 tags:
 - section2
 - level_1_server
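Review bot: `NTP={{ timesync_ntp_hosts | default("") | join(" ") }}` defaults to a string rather than a list, and no default for `timesync_ntp_hosts` is declared anywhere in this series (patch 3 adds only `timesync_timezone` and `timesync_fallback_ntp_hosts`), so `NTP=` always renders empty and timesyncd runs on `FallbackNTP` alone. `join` accepts any iterable, so a non-empty string default would be split into characters; use a list default, `NTP={{ timesync_ntp_hosts | default([]) | join(" ") }}`, and either declare `timesync_ntp_hosts` in defaults/main.yml or document in the template that the primary list is intentionally left to the caller. `FallbackNTP={{ timesync_fallback_ntp_hosts | join(" ") }}` has no `default`, so an unset variable aborts the render with an undefined-variable error instead of producing an empty key; `| default([]) | join(" ")` makes the two lines behave the same way.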
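Review bot: `when: "{{enableNTP}}"` wraps the condition in Jinja delimiters, but `when` is already evaluated as a Jinja expression; this only works because the rendered string is templated a second time, and Ansible emits the "conditional statements should not include jinja2 templating delimiters" warning for it. Write `when: enableNTP | bool`, which also normalises the `yes`/`no` values the defaults file uses. The same pattern appears in the 2.2.1.2 hunk as `when: "{{enable_systemdtimesyncd}} == True"` and in the 2.2.1.3 hunk as `when: "{{chronyEnable}} == True"`; those should become `when: enable_systemdtimesyncd | bool` and `when: chronyEnable | bool`. The ntp task this `when` is attached to starts before the hunk.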
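Review bot: Nothing in the new 2.2.1.2 block enforces the context comment two lines above it, `Only one time synchronization method should be in use on the system`: `enable_systemdtimesyncd`, `enableNTP` and `chronyEnable` are three independent defaults, and the values patch 3 introduces (`enable_systemdtimesyncd: yes` together with `chronyEnable: yes`) would install and enable two daemons on one host before patch 4 flips them again. An `assert` placed before the 2.2.1.x tasks turns that drift into a play failure instead of a silently misconfigured host. The `set timezone` task is unrelated to what 2.2.1.2 controls (timesyncd configuration) and would be easier to find as a task of its own. The enclosing task list continues outside the hunk.
```yaml
- name: 2.2.1 Ensure exactly one time synchronization service is selected
  assert:
    that:
      - "[enableNTP | bool, enable_systemdtimesyncd | bool, chronyEnable | bool] | select | list | length == 1"
    fail_msg: "Set exactly one of enableNTP, enable_systemdtimesyncd, chronyEnable to true"
# … unchanged: 2.2.1.2 Ensure systemd-timesyncd is configured block …
```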
@@ -81,8 +103,25 @@
 - 2.2.1.2
 # 2.2.1.3 Ensure chrony is configured
 - name: 2.2.1.3 Ensure chrony is configured
- debug:
- msg: Skip this, since we are using ntp
+ block:
+ - name: 2.2.1.3 Ensure chrony is configured | Install Chrony
+ apt:
+ name: "chrony"
+ state: present
+ - name: 2.2.1.3 Ensure chrony is configured | Start Chrony service
+ service:
+ name: "chrony"
+ state: started
+ enabled: yes
+ - name: 2.2.1.3 Ensure chrony is configured | Generate configuration
+ template:
+ src: files/templates/chrony.conf.j2
+ dest: "/etc/chrony/chrony.conf"
+ owner: root
+ group: root
+ mode: 0644
+ notify: RestartChronyservice
+ when: "{{chronyEnable}} == True"
 tags:
 - section2
 - level_1_server
@@ -452,9 +491,18 @@
 msg: >
 Run the following command:
 $ lsof -i -P -n | grep -v "(ESTABLISHED)"
- Review the output to ensure that all services listed are required on the system. If a listed
- service is not required, remove the package containing the service. If the package
- containing a non-essential service is required, stop and mask the non-essential service.
+ Review the output to ensure that all services listed are required on the system. If a listed
+ service is not required, remove the package containing the service. If the package
+ containing a non-essential service is required, stop and mask the non-essential service.
+ Code Meaning
+ S File size differs.
+ M File mode differs (includes permissions and file type).
+ 5 The MD5 checksum differs.
+ D The major and minor version numbers differ on a device file.
+ L A mismatch occurs in a link.
+ U The file ownership differs.
+ G The file group owner differs.
+ T The file time (mtime) differs.
 tags:
 - section2
 - level_1_server
From c89659db1655be62b6d15cc204161cc20067c41b Mon Sep 17 00:00:00 2001
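Review bot: `Start Chrony service` runs before `Generate configuration`, so on a first run chronyd is started and enabled with the distribution's stock `/etc/chrony/chrony.conf` and only picks up the templated source list when the `RestartChronyservice` handler fires at the end of the play; moving the `service` task below the `template` task starts the daemon with the intended configuration straight away and makes the handler a pure change-notification. `mode: 0644` relies on YAML 1.1 octal parsing, which Ansible accepts but ansible-lint's `risky-octal` rule flags; `mode: "0644"` is the unambiguous spelling (the 2.2.1.2 hunk has the same line). The `when:` on this block is covered by the shared conditional note at the 2.2.1.1 hunk of this file. The task list continues outside the hunk.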
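Review bot: The eight `Code Meaning` lines added to this message (`S File size differs.` through `T The file time (mtime) differs.`) are the `rpm -V` style package-verification legend and have nothing to do with the `lsof -i -P -n` listing this task asks the operator to review, so they will mislead whoever reads the play output. Remove them from this `msg`, or move them to whichever task actually reports file-verification codes. The three re-added `Review the output…` lines appear identical to the removed ones, presumably a whitespace change, which is worth a word in the commit message so the churn is not mistaken for a content edit. The `debug` task header this `msg` belongs to is outside the hunk.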
From: Ali Baker
Date: Mon, 11 Jan 2021 23:35:26 +0200
Subject: [PATCH 2/4] =?UTF-8?q?Update=20Readme=20file=20=F0=9F=93=9D?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 README.md | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index a3a5486..ec31b15 100644
--- a/README.md
+++ b/README.md
@@ -138,10 +138,14 @@ ansible-playbook -i host run.yaml -t section2 -t 6.1.1 * Note: When run an individual task be sure from the dependencies between tasks, for example, if you run tag **4.1.1.2 Ensure auditd service is enabled** before running **4.1.1.1 Ensure auditd is installed** you will get an error at the run time. -Points with ~~Tilda~~ not implemented yet, currently I'm working on it. - - +* Points with ~~Tilda~~ not implemented yet, currently I'm working on it. +* make sure to select one time service, for me I use ntp, but you can use other service such as [`systemd-timesyncd`,`ntp`,`chrony`] under the settings `defaults/main.yaml` +> Testing +> 11/1/2020 Tested on AWS EC2 ubuntu 20.04 LTS [Pass] +> 11/1/2020 Tested on local Ubuntu 20.04 LTS server [Pass] +* Before run make sure to update user list under `defaults/main.yaml` on `list_of_os_users` + `allowed_users` +* `Make` sure to set the right subnet under `defaults/main.yaml` on `allowd_hosts` _________________
@@ -200,9 +204,9 @@ _________________ **1.5 Secure Boot Settings** - - ~~1.5.1 Ensure bootloader password is set (Automated)~~ + - 1.5.1 Ensure bootloader password is set (Automated) - 1.5.2 Ensure permissions on bootloader config are configured - (Automated) - - ~~1.5.3 Ensure authentication required for single user mode (Automated)~~ + - 1.5.3 Ensure authentication required for single user mode (Automated) **1.6 Additional Process Hardening** - 1.6.1 Ensure XD/NX support is enabled (Automated)
@@ -235,8 +239,8 @@ _________________
 - 2.2 Special Purpose Services
 - 2.2.1 Time Synchronization
 - 2.2.1.1 Ensure time synchronization is in use (Automated)
- - ~~2.2.1.2 Ensure systemd-timesyncd is configured (Manual)~~
- - ~~2.2.1.3 Ensure chrony is configured (Automated)~~
+ - 2.2.1.2 Ensure systemd-timesyncd is configured (Manual)
+ - 2.2.1.3 Ensure chrony is configured (Automated)
 - 2.2.1.4 Ensure ntp is configured (Automated)
 - 2.2.2 Ensure X Window System is not installed (Automated)
 - 2.2.3 Ensure Avahi Server is not installed (Automated)
From d35edf41aa4b49a078665266bc859e9e200c8b77 Mon Sep 17 00:00:00 2001
From: Ali Baker
Date: Mon, 11 Jan 2021 23:35:57 +0200
Subject: [PATCH 3/4] =?UTF-8?q?Remove=20follow=20option=20since=20(follow?=
 =?UTF-8?q?=20has=20been=20removed=20in=20version=202.5,=20because=20this?=
 =?UTF-8?q?=20module=20modifies=20the=20contents=20of=20the=20file=20so=20?=
 =?UTF-8?q?follow=3Dno=20doesn=E2=80=99t=20make=20sense.)=20=F0=9F=94=A5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 defaults/main.yml | 31 +++++++++++++++++++++++++++---
 handlers/main.yml | 8 ++++++++
 tasks/section_1_Initial_Setup.yaml | 11 +++++------
 3 files changed, 41 insertions(+), 9 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 2bd3b9c..30530fa 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -19,6 +19,18 @@ set_root_password: yes
 root_password: r00tP4ssw0rd
 
 # Section 2 Settings
+
+#Setting for systemd-timesyncd
+enable_systemdtimesyncd: yes #If you enable this make sure to disable NTP below, only one time service must be run in the server
+timesync_timezone: Etc/UTC
+timesync_fallback_ntp_hosts:
+ - 0.pool.ntp.org
+ - 1.pool.ntp.org
+ - 2.pool.ntp.org
+ - 3.pool.ntp.org
+
+#Setting for NTP
+enableNTP: no
 time_synchronization_package_name: ntp
 time_synchronization_servers:
 - uri: "time1.google.com"
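Review bot: `enable_systemdtimesyncd: yes` and `enableNTP: no` use YAML 1.1 truthy words; Ansible's loader does read them as booleans, but yamllint's `truthy` rule rejects them and `true`/`false` is the unambiguous spelling, which matters for flags the task files later compare with `== True`. The inline comment on the `enable_systemdtimesyncd` line is the only place the one-service-at-a-time rule is recorded; a comment above the group, such as `# Exactly one of enable_systemdtimesyncd, enableNTP and chronyEnable may be true`, keeps it visible next to all three toggles rather than one. The `#Setting for …` comments lack the conventional space after `#`, unlike `# Section 2 Settings` just above them.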
@@ -29,6 +41,19 @@ time_synchronization_servers:
 config: "iburst"
 - uri: "time4.google.com"
 config: "iburst"
+
+# Setting for chrony
+chronyEnable: yes
+chrony_driftfile: /var/lib/chrony/chrony.drift
+chronyservers_preferred: []
+chronyservers:
+ - 0.pool.ntp.org
+ - 1.pool.ntp.org
+ - 2.pool.ntp.org
+ - 3.pool.ntp.org
+chrony_keys: /etc/chrony/chrony.keys
+chrony_log_dir: /var/log/chrony
+
 web_server_name: nginx
 remove_HTTPserver: no
 remove_xinetd: yes
@@ -87,7 +112,7 @@ ssh_MACs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2
 ## 5.2.14 Ensure only strong Key Exchange algorithms are used
 ssh_key_algorithms: "curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
 ## 5.2.17 Ensure SSH access is limited
-allowed_users: ali saleh baker root #Put None or list of users space between each user
+allowed_users: ubuntu root #Put None or list of users space between each user
 allowed_groups: None
 deny_users: None
 deny_groups: None
@@ -101,7 +126,7 @@ pass_warn_age: 7
 pass_min_days: 1
 ## 5.4.1.1 Ensure password expiration is 365 days or less
 list_of_os_users:
- - ali
+ - ubuntu
 ## 5.4.1.4 Ensure inactive password lock is 30 days or less
 ##Note: A value of -1 would disable this setting
 account_inactive: 30
@@ -111,7 +136,7 @@ shell_timeout_sec: 900
 # Section 6
 withoutOwnerFileDirOwner: root
 withoutGroupFilesDirGroup: root
-outputfiles: /home/ali/ #Output dir of some command
+outputfiles: /root/ #Output dir of some command
 disable_autofs: true
 disable_usb: true
 install_apparmor: true
diff --git a/handlers/main.yml b/handlers/main.yml
index ee0932a..c8acacd 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
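Review bot: `chronyEnable` follows neither of the two sibling toggles introduced in the previous hunk (`enable_systemdtimesyncd`, `enableNTP`) nor the rest of this hunk, which is `snake_case` (`chrony_driftfile`, `chrony_keys`, `chrony_log_dir`); three flags with three conventions are easy to mistype in a `when:`. Settling on one form now, e.g. `chrony_enable`, `timesyncd_enable`, `ntp_enable`, is cheap while the only consumers are the `when:` lines in tasks/section_2_Services.yaml. `chronyEnable: yes` has the same truthy-word issue as the other two flags; `true`/`false` is the portable spelling.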
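Review bot: `allowed_users: ubuntu root` keeps `root` in the user list that the 5.2.17 task (per the `## 5.2.17 Ensure SSH access is limited` comment above it) presumably renders into sshd's allow list, so the role's shipped default explicitly permits root over SSH. If root login is disabled elsewhere in the role this entry is dead configuration; if it is not, it is a weaker default than a hardening role should carry, and `allowed_users: ubuntu` with a comment that root is deliberately excluded is the safer baseline. `#Put None or list of users space between each user` is the only description of the value's format; rewording it to `# Space-separated user names, or the literal None to leave AllowUsers unset` states both accepted shapes.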
@@ -22,3 +22,11 @@
 service:
 name: rsyslog
 state: restarted
+- name: RestartChronyservice
+ service:
+ name: "chrony"
+ state: restarted
+- name: reloadTimesyncd
+ service:
+ name: systemd-timesyncd
+ state: restarted
\ No newline at end of file
diff --git a/tasks/section_1_Initial_Setup.yaml b/tasks/section_1_Initial_Setup.yaml
index 2cd69dc..8e4dd5a 100644
--- a/tasks/section_1_Initial_Setup.yaml
+++ b/tasks/section_1_Initial_Setup.yaml
@@ -748,7 +748,7 @@
 # overridden by the user.
 - name: 1.6.4 Ensure core dumps are restricted
 block:
- - name: 1.6.4 Ensure core dumps are restricted
+ - name: 1.6.4 Ensure core dumps are restricted | sysctl
 sysctl:
 name: fs.suid_dumpable
 value: "0"
@@ -756,7 +756,7 @@
 reload: true
 sysctl_set: true
 ignoreerrors: true
- - name: 1.6.4 Ensure core dumps are restricted
+ - name: 1.6.4 Ensure core dumps are restricted | limits.conf
 lineinfile:
 dest: /etc/security/limits.conf
 line: "* hard core 0"
@@ -764,11 +764,11 @@
 state: present
 create: true
 insertbefore: "# End of file"
- - name: 1.6.4 Ensure core dumps are restricted
+ - name: 1.6.4 Ensure core dumps are restricted | apt
 apt:
 name: systemd-coredump
 state: present
- - name: 1.6.4 Ensure core dumps are restricted
+ - name: 1.6.4 Ensure core dumps are restricted | coredump.conf
 lineinfile:
 dest: /etc/systemd/coredump.conf
 line: "Storage=none"
@@ -776,7 +776,7 @@
 state: present
 create: true
 insertbefore: "# End of file"
- - name: 1.6.4 Ensure core dumps are restricted
+ - name: 1.6.4 Ensure core dumps are restricted | coredump.conf
 lineinfile:
 dest: /etc/systemd/coredump.conf
 line: "ProcessSizeMax=0"
@@ -824,7 +824,6 @@
 dest: /etc/default/grub
 regexp: '^(GRUB_CMDLINE_LINUX=(?!.*apparmor)\"[^\"]*)(\".*)'
 replace: '\1 apparmor=1 security=apparmor\2'
- follow: true
 register: output_1_7_1_2
 - name: 1.7.1.2 Ensure AppArmor is enabled in the bootloader configuration | reload
 shell: |
From f6e3080ef956e15eeade70457dcdd6ca64ecc3fa Mon Sep 17 00:00:00 2001
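Review bot: The handler added as `reloadTimesyncd` performs `state: restarted`, not a reload, so its name misstates what it does; `restartTimesyncd` matches the behaviour, and since `RestartChronyservice` two entries above capitalises differently for the same kind of handler, the two names should follow one convention (the `notify:` lines in tasks/section_2_Services.yaml must change with them). The file also loses its trailing newline (`\ No newline at end of file`), which is worth restoring before merge. `name: "chrony"` is quoted while `name: systemd-timesyncd` and `name: rsyslog` are not; either is valid, but one style per file reads better.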
From: Ali Baker
Date: Mon, 11 Jan 2021 23:37:05 +0200
Subject: [PATCH 4/4] =?UTF-8?q?Update=20config=20chrony,=20systemd-timesyn?=
 =?UTF-8?q?cd=20tasks=20=E2=9C=A8,=20+=20add=20default=20user=20under=20th?=
 =?UTF-8?q?e=20configs?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 defaults/main.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 30530fa..750cf2d 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -21,7 +21,7 @@ root_password: r00tP4ssw0rd
 # Section 2 Settings
 
 #Setting for systemd-timesyncd
-enable_systemdtimesyncd: yes #If you enable this make sure to disable NTP below, only one time service must be run in the server
+enable_systemdtimesyncd: no #If you enable this make sure to disable NTP below, only one time service must be run in the server
 timesync_timezone: Etc/UTC
 timesync_fallback_ntp_hosts:
 - 0.pool.ntp.org
@@ -30,7 +30,7 @@ timesync_fallback_ntp_hosts:
 - 3.pool.ntp.org
 
 #Setting for NTP
-enableNTP: no
+enableNTP: yes
 time_synchronization_package_name: ntp
 time_synchronization_servers:
 - uri: "time1.google.com"
@@ -43,7 +43,7 @@ time_synchronization_servers:
 config: "iburst"
 
 # Setting for chrony
-chronyEnable: yes
+chronyEnable: no
 chrony_driftfile: /var/lib/chrony/chrony.drift
 chronyservers_preferred: []
 chronyservers: