# https://packages.cisofy.com/community/#debian-ubuntu
# Debian-family hosts take Lynis from the CISOfy apt repository instead of the
# distribution package, so the signing key and repository are set up first.
- name: Install Lynis into Debian
  become: true
  tags:
    - packages
    - lynis
    - debian
  when: ansible_distribution in ["Debian", "Kali", "Ubuntu"]
  block:
    - name: Install apt-transport-https & gnupg2
      ansible.builtin.apt:
        name:
          - apt-transport-https
          - gnupg2
        update_cache: true

    # The key is fetched over TLS but not pinned (no checksum), so its
    # integrity rests on the TLS connection alone. Consider adding
    # checksum: "sha256:<PLACEHOLDER>" once the key fingerprint is verified.
    - name: Add Lynis signing key (Debian)
      ansible.builtin.get_url:
        url: 'https://packages.cisofy.com/keys/cisofy-software-public.key'
        dest: "{{ cisofy_keyring }}"
        owner: root
        group: root
        mode: '0644'

    # signed-by= scopes the key to this one repository, so it cannot be used
    # to vouch for packages from any other apt source on the host.
    - name: Add Lynis repository (Debian)
      ansible.builtin.apt_repository:
        repo: "deb [signed-by={{ cisofy_keyring }}] https://packages.cisofy.com/community/lynis/deb/ stable main"
        state: present

    - name: Install Lynis (Debian)
      ansible.builtin.apt:
        name: lynis
        update_cache: true

    # As we install Lynis directly from CISOfy we need to get this separately.
    # NOTE(review): this fetches the tip of the "master" branch with no
    # checksum, and the file is shell code that Lynis loads as a plugin on each
    # audit run; pin a commit or tag and add checksum: "sha256:<PLACEHOLDER>"
    # so an upstream change cannot land unnoticed.
    - name: Download Debian plugin for Lynis
      ansible.builtin.get_url:
        url: 'https://salsa.debian.org/debian/lynis/-/raw/master/debian/plugin_debian_phase1'
        dest: /usr/share/lynis/plugins/plugin_debian_phase1
        owner: root
        group: root
        mode: '0600'
# RedHat-family hosts take Lynis from the CISOfy yum repository. gpgcheck makes
# yum verify every package from it against the key given in gpgkey.
- name: Install Lynis into CentOS
  become: true
  tags:
    - packages
    - lynis
    - centos
  # NOTE(review): the systemd task later in this file keys on
  # ansible_os_family == "RedHat", whereas this task only matches CentOS;
  # confirm other RedHat-family distributions are meant to be skipped here.
  when: ansible_distribution == "CentOS"
  block:
    - name: Add Lynis repository (RH)
      ansible.builtin.yum_repository:
        name: lynis
        description: 'CISOfy Software - Lynis package'
        baseurl: 'https://packages.cisofy.com/community/lynis/rpm/'
        gpgkey: 'https://packages.cisofy.com/keys/cisofy-software-rpms-public.key'
        gpgcheck: true
        priority: 2
        enabled: true

    - name: Install Lynis (RH)
      ansible.builtin.yum:
        name: lynis
        update_cache: true
# Site-specific Lynis configuration: tests are skipped through
# /etc/lynis/custom.prf, and a few default-profile entries are adjusted for
# distributions whose file ownership differs from what the stock profile expects.
- name: Configure Lynis
  become: true
  tags:
    - configuration
    - lynis
  block:
    # This task uses blockinfile's default marker. The two other blockinfile
    # tasks below write to the same file and carry their own markers, which is
    # what keeps the three managed blocks from overwriting each other.
    - name: Configure Lynis to skip certain tests
      ansible.builtin.blockinfile:  # noqa yaml[line-length]
        path: /etc/lynis/custom.prf
        create: true
        owner: root
        group: root
        mode: '0644'
        block: |
          # Changing port number is just security through obscurity
          skip-test=SSH-7408:port
          # Pre-authentication compression was removed from OpenSSH 7.4 (https://www.openssh.com/txt/release-7.4)
          # and Lynis accepts "delayed", which was an option to use compression only after authentication.
          skip-test=SSH-7408:compression
          # These aren't security issues
          # Also SSHD_CONFIG(5): "Note that disabling agent forwarding does not improve security unless users are also denied shell access,
          # as they can always install their own forwarders."
          skip-test=SSH-7408:tcpkeepalive
          skip-test=SSH-7408:allowagentforwarding
          # Even though this is true, partitioning is usually done during install and not necessarily that easy afterwards
          skip-test=FILE-6310
          # Attackers can get their tools into hosts in any case
          skip-test=HRDN-7220
          skip-test=HRDN-7222
          # We have tooling and it's called Ansible :)
          skip-test=TOOL-5002
          # Locked accounts are perfectly normal and removing users might introduce unowned files and dirs
          skip-test=AUTH-9284
          # Allow SAK
          config-data=sysctl;kernel.sysrq;4;1;Disable magic SysRQ;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
          # 2 should be enough as the kernel documentation doesn't even have >= 3 documented
          config-data=sysctl;kernel.perf_event_paranoid;2;1;Restrict unprivileged access to the perf_event_open() system call.;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;

    # https://github.com/CISOfy/lynis/issues/967
    # The stock profile expects rw------- root for these files; the replacement
    # teaches it the rw-r----- root:crontab layout (presumably what these
    # distributions ship) so the permission check does not raise a warning.
    - name: Configure /etc/cron.{allow,deny} permissions in /etc/lynis/default.prf
      when: ansible_distribution in ["Debian", "Kali"]
      tags: debian
      ansible.builtin.replace:
        path: /etc/lynis/default.prf
        regexp: '^(permfile=/etc/{{ item.key }}):rw-------:root:-:WARN:'
        replace: '\g<1>:{{ item.value }}:WARN:'
        # validate runs against the temporary copy before it replaces
        # default.prf, so a substitution that did not yield the expected line
        # fails the task instead of leaving a broken profile behind.
        validate: '/bin/grep "^permfile=/etc/{{ item.key }}:{{ item.value }}:WARN:$" %s'
      with_dict:
        cron.allow: 'rw-r-----:root:crontab'
        cron.deny: 'rw-r-----:root:crontab'

    # Same adjustment for the at(1) access files, which are group-owned by
    # daemon rather than crontab.
    - name: Configure /etc/at.{allow,deny} permissions in /etc/lynis/default.prf
      when: ansible_distribution in ["Debian", "Kali", "Slackware"]
      ansible.builtin.replace:
        path: /etc/lynis/default.prf
        regexp: '^(permfile=/etc/{{ item.key }}):rw-------:root:-:WARN:'
        replace: '\g<1>:{{ item.value }}:WARN:'
        validate: '/bin/grep "^permfile=/etc/{{ item.key }}:{{ item.value }}:WARN:$" %s'
      with_dict:
        at.allow: 'rw-r-----:root:daemon'
        at.deny: 'rw-r-----:root:daemon'

    # The PKGS-73xx tests only make sense where rpm is the package manager.
    - name: Configure Lynis to skip RPM related tests
      when: ansible_os_family != "RedHat"
      ansible.builtin.blockinfile:
        path: /etc/lynis/custom.prf
        marker: "# {mark} ANSIBLE MANAGED BLOCK - Skip RPM related tests"
        block: |
          skip-test=PKGS-7308
          skip-test=PKGS-7383
          skip-test=PKGS-7384
          skip-test=PKGS-7386
          skip-test=PKGS-7387

    - name: Configure Slackware specific tests to skip
      when: ansible_distribution == "Slackware"
      tags: slackware
      ansible.builtin.blockinfile:
        path: /etc/lynis/custom.prf
        marker: "# {mark} ANSIBLE MANAGED BLOCK - Slackware"
        block: |
          skip-test=PKGS-7398
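# Schedule Lynis through the upstream systemd timer on Debian and
# RedHat-family hosts (Slackware uses the cron job below instead).
- name: Lynis systemd service
  # Writing units under /etc/systemd/system and enabling them requires root;
  # every other privileged task in this file already carries become: true,
  # and this one was the only one missing it.
  become: true
  tags: services
  when: ansible_distribution in ["Debian", "Kali"] or ansible_os_family == "RedHat"
  block:
    # NOTE(review): both units are fetched from the tip of "master" with no
    # checksum and are then run by systemd (presumably as root, unless the
    # unit sets a User). Pin a release tag or commit and add
    # checksum: "sha256:<PLACEHOLDER>" so a changed upstream file cannot
    # land silently. With a directory as dest, get_url keeps the file name
    # from the URL.
    - name: Download lynis.{service,timer}
      ansible.builtin.get_url:
        url: "https://raw.githubusercontent.com/CISOfy/lynis/master/extras/systemd/{{ item }}"
        dest: /etc/systemd/system/
        owner: root
        group: root
        mode: '0644'
      loop:
        - lynis.service
        - lynis.timer

    # The upstream unit ships a placeholder ExecStart path that must be
    # rewritten to the real binary location before the unit is usable.
    - name: Fix Lynis path into lynis.service
      ansible.builtin.replace:
        path: /etc/systemd/system/lynis.service
        regexp: '^(ExecStart=)/path/to/lynis( audit system --cronjob)$'
        replace: '\g<1>{{ lynis_location }}\g<2>'

    # daemon_reload picks up the freshly written unit files before enabling.
    - name: Enable Lynis systemd unit
      ansible.builtin.systemd:
        name: lynis.timer
        daemon_reload: true
        enabled: true
        state: started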
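# Slackware hosts are excluded from the systemd task above, so Lynis is run
# from a daily cron script there instead.
- name: Create daily cron job to run Lynis
  # /etc/cron.daily is root-owned; become: true matches the install and
  # configure tasks in this file, which all run privileged.
  become: true
  tags: slackware
  when: ansible_distribution == "Slackware"
  ansible.builtin.copy:
    dest: /etc/cron.daily/run_lynis
    owner: root
    group: root
    # Root-only so no other local user can read or alter a script that cron
    # runs with root privileges.
    mode: '0700'
    # The script body is file content and is kept verbatim. It bails out if
    # lynis is not installed, runs the audit, then scrapes the version, test
    # count and hardening index from /var/log/lynis.log into syslog.
    content: |
      #!/bin/bash
      set -e
      if ! hash lynis 2>/dev/null
      then
      exit 1
      fi
      lynis audit system -Q -q --slow-warning 200
      tests_performed="$(gawk '/Tests performed:/{print$5}' /var/log/lynis.log)"
      hardening_index="$(sed -n 's/^.\+\(Hardening index : .\+\)$/\1/p' /var/log/lynis.log)"
      lynis_version="$(gawk '$3=="Lynis" && $4 ~ /^[0-9.]+$/{print$4}' /var/log/lynis.log)"
      /usr/bin/logger -t lynis "Lynis ${lynis_version} Tests performed: ${tests_performed} ${hardening_index}"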