Commit
Merge pull request #64 from alivx/update_v1.1.0
Update v1.1.0
alivx authored Nov 25, 2021
2 parents 2dd1ea2 + ba52ac9 commit d537155
Showing 10 changed files with 1,221 additions and 599 deletions.
1 change: 1 addition & 0 deletions .gitignore
@@ -0,0 +1 @@
env
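Review bot: the pattern `env` is unanchored, so it ignores any file or directory named `env` anywhere in the repository, not only a virtualenv at the root; if the intent is a local Python environment, `/env/` (root-level directory only) is more precise and avoids silently hiding a future `env` file inside a role or task directory.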
11 changes: 10 additions & 1 deletion README.md
Expand Up @@ -47,7 +47,7 @@ ansible-playbook -i host run.yaml --list-tags
I wrote all roles based on
```Text
CIS Ubuntu Linux 20.04 LTS Benchmark
v1.0.0 - 07-21-2020
v1.1.0 - 07-21-2020
```


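Review bot: the benchmark version is bumped from v1.0.0 to v1.1.0 but the date on the same line stays `07-21-2020`, i.e. the v1.0.0 date carried over; confirm the v1.1.0 publication date from the CIS document and update it, since this line is what readers use to check which benchmark revision the roles were written against. Minor: the fence tag `Text` could be lowercase `text` to match common highlighter names.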
Expand Down Expand Up @@ -483,6 +483,15 @@ TASK [CIS-Ubuntu-20.04-Ansible : 5.4.1.1 Ensure password expiration is 365 days
```
* Make sure you set the right user under defaults/main.yaml


```
TASK [CIS-Ubuntu-20.04-Ansible : Creating users without admin access] ***************************************************************************************************************
fatal: [golden]: FAILED! => {"msg": "crypt.crypt not supported on Mac OS X/Darwin, install passlib python module"}
```

Install `pip install passlib`

_________________


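Review bot: the new note refers to `defaults/main.yaml`, but the file changed in this same commit is `defaults/main.yml`; fix the name so users edit the right file. The passlib instruction should also say where it applies: the quoted failure (`crypt.crypt not supported on Mac OS X/Darwin`) comes from the password hashing that Ansible performs on the control node, so `pip install passlib` belongs in the Python environment that runs `ansible-playbook`, not on the managed hosts. `Install `pip install passlib`` also reads awkwardly; something like `On the control node, install passlib: pip install passlib` is clearer.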
1 change: 1 addition & 0 deletions _config.yml
@@ -0,0 +1 @@
theme: jekyll-theme-slate
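Review bot: `theme: jekyll-theme-slate` only affects GitHub Pages rendering of the repository and is unrelated to the v1.1.0 role update, so it deserves a line in the commit message or README so that people cloning an Ansible role are not left wondering what a Jekyll config is for; it is also worth checking that nothing globbing `*.yml` in the role root (lint or a playbook include) picks it up.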
9 changes: 7 additions & 2 deletions defaults/main.yml
Expand Up @@ -10,6 +10,7 @@ disable_hfsplus: yes
disable_udf: yes
disable_fat: yes
temp_dir_size: 1G
disable_squashfs: no #Disabling squashfs will prevent the use of snap
## 1.5.1 Ensure bootloader password is set (using grub): default is no
set_bootloader_credentials: no
### Update the default bootloader user and password
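Review bot: `disable_squashfs: no` defaults the role away from the benchmark's recommendation to disable the squashfs module, and the inline comment gives the reason (snap depends on it); that trade-off should be stated in the README next to the other defaults so users who do not run snap know to set it to `yes`. Style: put a space after `#` (`# Disabling squashfs ...`) to match the other comments in the file and satisfy yamllint's comment rule.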
Expand Down Expand Up @@ -65,12 +66,13 @@ remove_AvahiServer: yes
remove_CUPS: yes
remove_DHCPServer: yes
remove_LDAPserver: yes
remove_NFS: yes
remove_NFS: no
remove_DNSServer: yes
remove_FTPServer: yes
remove_IMAPandPOP3server: yes
remove_Samba: yes
remove_HTTPProxyServer: yes
HTTPProxyServer: squid
remove_SNMPServer: yes
remove_rsyncservice: yes
remove_NISServer: yes
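Review bot: `remove_NFS` flips from `yes` to `no`, which silently changes behaviour for anyone relying on the role's defaults and leaves NFS installed where the benchmark expects it removed unless required; a default change like this needs a changelog entry and, ideally, a comment saying when to set it back to `yes`. The new `HTTPProxyServer: squid` variable breaks the `remove_*` naming pattern of its neighbours and is undocumented; if it names the package removed when `remove_HTTPProxyServer` is `yes` (my reading of it), a name that says so and a short comment would help.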
Expand All @@ -84,8 +86,9 @@ remove_RPC: yes

# Section 3 Settings
disable_wifi: no
IPv6_is_enabled: yes
IPv6_is_enabled: no
enable_firewall: yes
UFWEnable: yes # Running both ufw and the services included in the iptables-persistent package may lead to conflict
## 3.5.1.6 Ensure firewall rules exist for all open ports | defined ports
firewall_list_of_ports_to_allow:
- { rule: "allow", port: "8080", proto: "tcp" }
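Review bot: `IPv6_is_enabled` goes from `yes` to `no` by default; if tasks key off this to disable IPv6, hosts that need it will lose it on the first run unless the operator notices, so this needs the same README and changelog mention as the `remove_NFS` change. The `UFWEnable` comment documents a real conflict between ufw and iptables-persistent, but nothing here enforces it; an `assert` task that rejects both being enabled would turn the comment into a check. Also, `firewall_list_of_ports_to_allow` ships with `8080/tcp` as a default, so every host gets that allow rule unless overridden; an empty list with the 8080 entry as a commented example is the safer default for a hardening role.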
Expand Down Expand Up @@ -118,11 +121,13 @@ allowd_hosts: "ALL: 0.0.0.0/0.0.0.0, 192.168.2.0/255.255.255.0"
ssh_MACs: "[email protected],[email protected],hmac-sha2-512,hmac-sha2-256"
## 5.2.14 Ensure only strong Key Exchange algorithms are used
ssh_key_algorithms: "curve25519-sha256,[email protected],diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
ssh_ciphers: [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
## 5.2.17 Ensure SSH access is limited
allowed_users: ubuntu root #Put None or list of users space between each user
allowed_groups: None
deny_users: None
deny_groups: None
max_auth_tries: 4
## 5.2.21 Ensure SSH MaxStartups is configured
ssh_max_startups: "10:30:100"
## 5.2.22 Ensure SSH MaxSessions is limited
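Review bot: several algorithm names in `ssh_MACs`, `ssh_key_algorithms` and the new `ssh_ciphers` appear here as `[email protected]`, which is not a valid OpenSSH identifier; if that is how they are committed rather than a display artefact, sshd will reject the configuration and the SSH hardening tasks will fail, so confirm the real `…@openssh.com` names are in the file. `ssh_ciphers` is also the only one of the three left unquoted; quote it for consistency with the lines above it. Finally, the default `allowed_users: ubuntu root` puts root into AllowUsers even though the benchmark requires `PermitRootLogin no`; dropping `root` from the default avoids an AllowUsers entry that contradicts the intended policy.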