Ansible CIS Debian 12 Hardening

Purpose

Configure Debian 12 machines to be CIS compliant.

Note: this role will make changes to the system that could break things. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted.

CIS hardened Debian: cyber attack and malware prevention for mission-critical systems. CIS benchmarks lock down your systems by:

  1. removing non-secure programs,
  2. disabling unused filesystems,
  3. disabling unnecessary ports or services,
  4. auditing privileged operations,
  5. restricting administrative privileges.

CIS benchmark recommendations are adopted in virtual machines in public and private clouds. They are also used to secure on-premises deployments. For some industries, hardening a system against a publicly known standard is a criterion auditors look for. CIS benchmarks are often the system hardening choice recommended by auditors for industries requiring PCI-DSS and HIPAA compliance, such as banking, telecommunications and healthcare. If you are attempting to obtain compliance against an industry-accepted security standard, like PCI DSS, APRA or ISO 27001, then you need to demonstrate that you have applied documented hardening standards to all systems within the scope of assessment.

The Debian CIS benchmarks are organised into different profiles, namely ‘Level 1’ and ‘Level 2’ intended for server and workstation environments.

A Level 1 profile is intended to be a practical and prudent way to secure a system without too much performance impact. It covers, for example:

  • Disabling unneeded filesystems,
  • Restricting user permissions to files and directories,
  • Disabling unneeded services,
  • Configuring network firewalls.

A Level 2 profile is used where security is considered very important, and it may have a negative impact on the performance of the system. It adds, for example:

  • Creating separate partitions,
  • Auditing privileged operations.

The Debian CIS hardening tool allows you to select the desired level of hardening against a profile (Level 1 or Level 2) and the work environment (server or workstation) for a system. For example:

ansible-playbook -i inventory cis-Debian-20.yaml --tags="level_1_server"

You can list all tags by running the below command:

ansible-playbook -i host run.yaml --list-tags

Based on

CIS Debian Linux 12 Benchmark
v1.0.0 - 02-13-2020

Check Example dir


Requirements

You should carefully read through the tasks to make sure these changes will not break your systems before running this playbook.

You can download the CIS Benchmark document free of charge from the CIS website (Free Benchmark).

To start working with this role you only need to install Ansible (see Installing Ansible).


Role Variables

You have to review all default configuration before running this playbook: there are many role variables defined in defaults/main.yml.

  • If you are considering applying this role to any servers, you should have a basic familiarity with the CIS Benchmark and an appreciation for the impact that it may have on a system.
  • Read and change configurable default values.

Examples of config that should be immediately considered for exclusion:

5.2.18 Ensure SSH access is limited, which with its default value effectively limits access to the host (including via ssh).

For example:

  • CIS-Debian12-Ansible/defaults/main.yml
# Section 5
# 5.2.18 Ensure SSH access is limited
# Set to None, or to a list of users with a space between each user.
# "pippo" is only a placeholder: replace it with your own accounts before
# running the role, or you will be locked out of the host.
allowed_users: pippo

Also consider skipping tag 1.1.1.7 (Ensure mounting of FAT filesystems is limited): the FAT filesystem format is used by UEFI systems for the EFI boot partition.

If you need to change the file templates, you can find them under the templates/* directory. If you need to change the banner, edit the banner file in the files/* directory.


Dependencies

  • Ansible version >= 2.9

Example Playbook

Below is an example playbook:

---
- hosts: host1
  become: yes
  remote_user: root
  gather_facts: yes
  roles:
    - role: CIS-Debian12-Ansible

Run all

If you want to run all tags use the below command:

ansible-playbook -i [inventoryfile] [playbook].yaml

Dry Run

ansible-playbook -i host -C playbook.yaml

Run specific section

ansible-playbook -i host playbook.yaml -t section2

Run multi sections

ansible-playbook -i host playbook.yaml -t section2 -t 6.1.1

  • Note: When running an individual task, be aware of the dependencies between tasks. For example, if you run tag 4.1.1.2 Ensure auditd service is enabled before running 4.1.1.1 Ensure auditd is installed, you will get an error at run time.
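The two cautions above (override the allowed_users default from Role Variables, and run dependent tags together rather than one at a time) combined in a single playbook. This is an added example, not a file from the role; the inventory group debian12, the operator accounts ops and breakglass, and the playbook name harden.yaml are assumptions.

```yaml
# harden.yaml (added example, not part of the role)
#
# Run with the dependent tags in one invocation so the role applies them in
# its own order, and dry-run first:
#   ansible-playbook -i inventory harden.yaml -t 5.2.18 -t 4.1.1.1 -t 4.1.1.2 -C
#   ansible-playbook -i inventory harden.yaml -t 5.2.18 -t 4.1.1.1 -t 4.1.1.2
---
- hosts: debian12          # assumed inventory group
  become: yes
  gather_facts: yes
  vars:
    # Overrides the placeholder in defaults/main.yml. Space-separated, as the
    # role expects; "ops" and "breakglass" are assumed account names.
    allowed_users: "ops breakglass"
  pre_tasks:
    - name: Refuse to run while allowed_users still holds the role's placeholder
      assert:
        that:
          - allowed_users != "pippo"
          # The account Ansible connects as must stay in the list, otherwise
          # the next run cannot reach the host over SSH.
          - (ansible_user | default(lookup('env', 'USER'))) in allowed_users.split()
        fail_msg: >-
          allowed_users ({{ allowed_users }}) would lock the connecting
          account out of SSH; set it explicitly for this host.
      tags: always        # runs whatever -t selection is given
  roles:
    - role: CIS-Debian12-Ansible
```

The assert is tagged always so it cannot be skipped by a narrow -t selection, which is exactly when the placeholder value is most likely to slip through.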

Table of Roles:

1. Initial Setup

  • 1.1.1.1 Ensure cramfs kernel module is not available
  • 1.1.1.2 Ensure freevxfs kernel module is not available
  • 1.1.1.3 Ensure hfs kernel module is not available
  • 1.1.1.4 Ensure hfsplus kernel module is not available
  • 1.1.1.5 Ensure jffs2 kernel module is not available
  • 1.1.1.6 Ensure squashfs kernel module is not available
  • 1.1.1.7 Ensure udf kernel module is not available
  • 1.1.1.8 Ensure usb-storage kernel module is not available
  • 1.1.2.1.1 Ensure /tmp is a separate partition
  • 1.1.2.1.2 Ensure nodev option set on /tmp partition
  • 1.1.2.1.3 Ensure nosuid option set on /tmp partition
  • 1.1.2.1.4 Ensure noexec option set on /tmp partition
  • 1.1.2.2.1 Ensure /dev/shm is a separate partition
  • 1.1.2.2.2 Ensure nodev option set on /dev/shm partition
  • 1.1.2.2.3 Ensure nosuid option set on /dev/shm partition
  • 1.1.2.2.4 Ensure noexec option set on /dev/shm partition
  • 1.1.2.3.1 Ensure separate partition exists for /home
  • 1.1.2.3.2 Ensure nodev option set on /home partition
  • 1.1.2.3.3 Ensure nosuid option set on /home partition
  • 1.1.2.4.1 Ensure separate partition exists for /var
  • 1.1.2.4.2 Ensure nodev option set on /var partition
  • 1.1.2.4.3 Ensure nosuid option set on /var partition
  • 1.1.2.5.1 Ensure separate partition exists for /var/tmp
  • 1.1.2.5.2 Ensure nodev option set on /var/tmp partition
  • 1.1.2.5.3 Ensure nosuid option set on /var/tmp partition
  • 1.1.2.5.4 Ensure noexec option set on /var/tmp partition
  • 1.1.2.6.1 Ensure separate partition exists for /var/log
  • 1.1.2.6.2 Ensure nodev option set on /var/log partition
  • 1.1.2.6.3 Ensure nosuid option set on /var/log partition
  • 1.1.2.6.4 Ensure noexec option set on /var/log partition
  • 1.1.2.7.1 Ensure separate partition exists for /var/log/audit
  • 1.1.2.7.2 Ensure nodev option set on /var/log/audit partition
  • 1.1.2.7.3 Ensure nosuid option set on /var/log/audit partition
  • 1.1.2.7.4 Ensure noexec option set on /var/log/audit partition
  • 1.3.1.1 Ensure AppArmor is installed
  • 1.3.1.3 Ensure all AppArmor Profiles are in enforce or complain mode
  • 1.3.1.4 Ensure all AppArmor Profiles are enforcing
  • 1.4.1 Ensure bootloader password is set
  • 1.4.2 Ensure access to bootloader config is configured
  • 1.5.1 Ensure address space layout randomization is enabled
  • 1.5.2 Ensure ptrace_scope is restricted
  • 1.5.3 Ensure core dumps are restricted
  • 1.5.4 Ensure prelink is not installed
  • 1.6.1 Ensure message of the day is configured properly
  • 1.6.2 Ensure local login warning banner is configured properly
  • 1.6.3 Ensure remote login warning banner is configured properly
  • 1.6.4 Ensure access to /etc/motd is configured
  • 1.6.5 Ensure access to /etc/issue is configured
  • 1.6.6 Ensure access to /etc/issue.net is configured
  • 1.7.1 Ensure GDM is removed
  • 1.7.2 Ensure GDM login banner is configured
  • 1.7.3 Ensure GDM disable-user-list option is enabled
  • 1.7.4 Ensure GDM screen locks when the user is idle
  • 1.7.5 Ensure GDM screen locks cannot be overridden
  • 1.7.6 Ensure GDM automatic mounting of removable media is disabled
  • 1.7.7 Ensure GDM disabling automatic mounting of removable media is not overridden
  • 1.7.8 Ensure GDM autorun-never is enabled
  • 1.7.9 Ensure GDM autorun-never is not overridden
  • 1.7.10 Ensure XDMCP is not enabled

2. Services

  • 2.1.1 Ensure autofs services are not in use
  • 2.1.2 Ensure avahi daemon services are not in use
  • 2.1.3 Ensure dhcp server services are not in use
  • 2.1.4 Ensure dns server services are not in use
  • 2.1.5 Ensure dnsmasq services are not in use
  • 2.1.6 Ensure ftp server services are not in use
  • 2.1.7 Ensure ldap server services are not in use
  • 2.1.8 Ensure message access server services are not in use
  • 2.1.9 Ensure network file system services are not in use
  • 2.1.10 Ensure nis server services are not in use
  • 2.1.11 Ensure print server services are not in use
  • 2.1.12 Ensure rpcbind services are not in use
  • 2.1.13 Ensure rsync services are not in use
  • 2.1.14 Ensure samba file server services are not in use
  • 2.1.15 Ensure snmp services are not in use
  • 2.1.16 Ensure tftp server services are not in use
  • 2.1.17 Ensure web proxy server services are not in use
  • 2.1.18 Ensure web server services are not in use
  • 2.1.19 Ensure xinetd services are not in use
  • 2.1.20 Ensure X window server services are not in use
  • 2.1.21 Ensure mail transfer agent is configured for local-only mode
  • 2.2.1 Ensure NIS Client is not installed
  • 2.2.2 Ensure rsh client is not installed
  • 2.2.3 Ensure talk client is not installed
  • 2.2.4 Ensure telnet client is not installed
  • 2.2.5 Ensure ldap client is not installed
  • 2.2.6 Ensure ftp client is not installed
  • 2.3.1.1 Ensure a single time synchronization daemon is in use
  • 2.3.2.1 Ensure systemd-timesyncd configured with authorized timeserver
  • 2.3.2.2 Ensure systemd-timesyncd is enabled and running
  • 2.3.3.1 Ensure chrony is configured with authorized timeserver
  • 2.3.3.2 Ensure chrony is running as user _chrony
  • 2.3.3.3 Ensure chrony is enabled and running
  • 2.4.1.1 Ensure cron daemon is enabled and active
  • 2.4.1.2 Ensure permissions on /etc/crontab are configured
  • 2.4.1.3 Ensure permissions on /etc/cron.hourly are configured
  • 2.4.1.4 Ensure permissions on /etc/cron.daily are configured
  • 2.4.1.5 Ensure permissions on /etc/cron.weekly are configured
  • 2.4.1.6 Ensure permissions on /etc/cron.monthly are configured
  • 2.4.1.7 Ensure permissions on /etc/cron.d are configured
  • 2.4.1.8 Ensure crontab is restricted to authorized users
  • 2.4.2.1 Ensure at is restricted to authorized users

3. Network

  • 3.1.1 Ensure IPv6 status is identified
  • 3.1.2 Ensure wireless interfaces are disabled
  • 3.1.3 Ensure bluetooth services are not in use
  • 3.2.1 Ensure dccp kernel module is not available
  • 3.2.2 Ensure tipc kernel module is not available
  • 3.2.3 Ensure rds kernel module is not available
  • 3.2.4 Ensure sctp kernel module is not available
  • 3.3.1 Ensure ip forwarding is disabled
  • 3.3.2 Ensure packet redirect sending is disabled
  • 3.3.3 Ensure bogus icmp responses are ignored
  • 3.3.4 Ensure broadcast icmp requests are ignored
  • 3.3.5 Ensure icmp redirects are not accepted
  • 3.3.6 Ensure secure icmp redirects are not accepted
  • 3.3.7 Ensure reverse path filtering is enabled
  • 3.3.8 Ensure source routed packets are not accepted
  • 3.3.9 Ensure suspicious packets are logged
  • 3.3.10 Ensure tcp syn cookies is enabled
  • 3.3.11 Ensure ipv6 router advertisements are not accepted

4. Host-based firewall

  • 4.1.1 Ensure ufw is installed
  • 4.1.2 Ensure iptables-persistent is not installed with ufw
  • 4.1.3 Ensure ufw service is enabled
  • 4.1.4 Ensure ufw loopback traffic is configured
  • 4.1.6 Ensure ufw firewall rules exist for all open ports
  • 4.1.7 Ensure ufw default deny firewall policy
  • 4.2.1 Ensure nftables is installed
  • 4.2.2 Ensure ufw is uninstalled or disabled with nftables
  • 4.2.4 Ensure a nftables table exists
  • 4.2.5 Ensure nftables base chains exist
  • 4.2.6 Ensure nftables loopback traffic is configured
  • 4.2.8 Ensure nftables default deny firewall policy
  • 4.2.9 Ensure nftables service is enabled
  • 4.2.10 Ensure nftables rules are permanent
  • 4.3.1.1 Ensure iptables packages are installed
  • 4.3.1.2 Ensure nftables is not installed with iptables
  • 4.3.1.3 Ensure ufw is uninstalled or disabled with iptables
  • 4.3.2.1 Ensure iptables default deny firewall policy
  • 4.3.2.2 Ensure iptables loopback traffic is configured
  • 4.3.2.4 Ensure iptables firewall rules exist for all open ports
  • 4.3.3.1 Ensure ip6tables default deny firewall policy
  • 4.3.3.2 Ensure ip6tables loopback traffic is configured
  • 4.3.3.4 Ensure ip6tables firewall rules exist for all open ports

5. Access control

  • 5.1.1 Ensure permissions on /etc/ssh/sshd_config are configured
  • 5.1.2 Ensure permissions on SSH private host key files are configured
  • 5.1.3 Ensure permissions on SSH public host key files are configured
  • 5.1.4 Ensure sshd access is configured
  • 5.1.5 Ensure sshd Banner is configured
  • 5.1.6 Ensure sshd Ciphers are configured
  • 5.1.7 Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured
  • 5.1.8 Ensure sshd DisableForwarding is enabled
  • 5.1.9 Ensure sshd GSSAPIAuthentication is disabled
  • 5.1.10 Ensure sshd HostbasedAuthentication is disabled
  • 5.1.11 Ensure sshd IgnoreRhosts is enabled
  • 5.1.12 Ensure sshd KexAlgorithms is configured
  • 5.1.13 Ensure sshd LoginGraceTime is configured
  • 5.1.14 Ensure sshd LogLevel is configured
  • 5.1.15 Ensure sshd MACs are configured
  • 5.1.16 Ensure sshd MaxAuthTries is configured
  • 5.1.17 Ensure sshd MaxSessions is configured
  • 5.1.18 Ensure sshd MaxStartups is configured
  • 5.1.19 Ensure sshd PermitEmptyPasswords is disabled
  • 5.1.20 Ensure sshd PermitRootLogin is disabled
  • 5.1.21 Ensure sshd PermitUserEnvironment is disabled
  • 5.1.22 Ensure sshd UsePAM is enabled
  • 5.2.1 Ensure sudo is installed
  • 5.2.2 Ensure sudo commands use pty
  • 5.2.3 Ensure sudo log file exists
  • 5.2.4 Ensure users must provide password for privilege escalation
  • 5.2.5 Ensure re-authentication for privilege escalation is not disabled globally
  • 5.2.6 Ensure sudo authentication timeout is configured correctly
  • 5.2.7 Ensure access to the su command is restricted
  • 5.3.1.1 Ensure latest version of pam is installed
  • 5.3.1.2 Ensure libpam-modules is installed
  • 5.3.1.3 Ensure libpam-pwquality is installed
  • 5.3.2.1 Ensure pam_unix module is enabled
  • 5.3.2.2 Ensure pam_faillock module is enabled
  • 5.3.2.3 Ensure pam_pwquality module is enabled
  • 5.3.2.4 Ensure pam_pwhistory module is enabled
  • 5.3.3.1.1 Ensure password failed attempts lockout is configured
  • 5.3.3.1.2 Ensure password unlock time is configured
  • 5.3.3.1.3 Ensure password failed attempts lockout includes root account
  • 5.3.3.2.1 Ensure password number of changed characters is configured
  • 5.3.3.2.3 Ensure password complexity is configured
  • 5.3.3.2.4 Ensure password same consecutive characters is configured
  • 5.3.3.2.5 Ensure password maximum sequential characters is configured
  • 5.3.3.2.6 Ensure password dictionary check is enabled
  • 5.3.3.2.7 Ensure password quality checking is enforced
  • 5.3.3.2.8 Ensure password quality is enforced for the root user
  • 5.3.3.3.1 Ensure password history remember is configured
  • 5.3.3.3.2 Ensure password history is enforced for the root user
  • 5.3.3.3.3 Ensure pam_pwhistory includes use_authtok
  • 5.3.3.4.1 Ensure pam_unix does not include nullok
  • 5.3.3.4.2 Ensure pam_unix does not include remember
  • 5.3.3.4.3 Ensure pam_unix includes a strong password hashing algorithm
  • 5.3.3.4.4 Ensure pam_unix includes use_authtok
  • 5.4.1.4 Ensure strong password hashing algorithm is configured
  • 5.4.1.6 Ensure all users last password change date is in the past
  • 5.4.2.1 Ensure root is the only UID 0 account
  • 5.4.2.2 Ensure root is the only GID 0 account
  • 5.4.2.3 Ensure group root is the only GID 0 group
  • 5.4.2.5 Ensure root path integrity
  • 5.4.2.6 Ensure root user umask is configured
  • 5.4.2.7 Ensure system accounts do not have a valid login shell
  • 5.4.2.8 Ensure accounts without a valid login shell are locked
  • 5.4.3.1 Ensure nologin is not listed in /etc/shells
  • 5.4.3.2 Ensure default user shell timeout is configured
  • 5.4.3.3 Ensure default user umask is configured

6. Logging and auditing

  • 6.1.1 Ensure AIDE is installed
  • 6.1.2 Ensure filesystem integrity is regularly checked
  • 6.2.1.1.1 Ensure journald service is enabled and active
  • 6.2.1.1.4 Ensure journald ForwardToSyslog is disabled
  • 6.2.1.1.5 Ensure journald Storage is configured
  • 6.2.1.1.6 Ensure journald Compress is configured
  • 6.2.1.2.1 Ensure systemd-journal-remote is installed
  • 6.2.1.2.3 Ensure systemd-journal-upload is enabled and active
  • 6.2.1.2.4 Ensure systemd-journal-remote service is not in use
  • 6.2.2.1 Ensure access to all logfiles has been configured
  • 6.3.1.1 Ensure auditd is installed
  • 6.3.1.2 Ensure auditd service is enabled and active
  • 6.3.1.3 Ensure auditing for processes that start prior to auditd is enabled
  • 6.3.1.4 Ensure audit_backlog_limit is sufficient
  • 6.3.2.1 Ensure audit log storage size is configured
  • 6.3.2.2 Ensure audit logs are not automatically deleted
  • 6.3.2.3 Ensure system is disabled when audit logs are full
  • 6.3.2.4 Ensure system warns when audit logs are low on space
  • 6.3.3.1 Ensure changes to system administration scope (sudoers) is collected
  • 6.3.3.2 Ensure actions as another user are always logged
  • 6.3.3.3 Ensure events that modify the sudo log file are collected
  • 6.3.3.4 Ensure events that modify date and time information are collected
  • 6.3.3.5 Ensure events that modify the system's network environment are collected
  • 6.3.3.6 Ensure use of privileged commands are collected
  • 6.3.3.7 Ensure unsuccessful file access attempts are collected
  • 6.3.3.8 Ensure events that modify user/group information are collected
  • 6.3.3.9 Ensure discretionary access control permission modification events are collected
  • 6.3.3.10 Ensure successful file system mounts are collected
  • 6.3.3.11 Ensure session initiation information is collected
  • 6.3.3.12 Ensure login and logout events are collected
  • 6.3.3.13 Ensure file deletion events by users are collected
  • 6.3.3.14 Ensure events that modify the system's Mandatory Access Controls are collected
  • 6.3.3.15 Ensure successful and unsuccessful attempts to use the chcon command are recorded
  • 6.3.3.16 Ensure successful and unsuccessful attempts to use the setfacl command are recorded
  • 6.3.3.17 Ensure successful and unsuccessful attempts to use the chacl command are recorded
  • 6.3.3.18 Ensure successful and unsuccessful attempts to use the usermod command are recorded
  • 6.3.3.19 Ensure kernel module loading unloading and modification is collected
  • 6.3.3.20 Ensure the audit configuration is immutable
  • 6.3.4.1 Ensure audit log files mode is configured
  • 6.3.4.2 Ensure only authorized users own audit log files
  • 6.3.4.3 Ensure only authorized groups are assigned ownership of audit log files
  • 6.3.4.4 Ensure the audit log directory mode is configured
  • 6.3.4.5 Ensure audit configuration files mode is configured
  • 6.3.4.6 Ensure audit configuration files are owned by root
  • 6.3.4.7 Ensure audit configuration files belong to group root
  • 6.3.4.8 Ensure audit tools mode is configured
  • 6.3.4.9 Ensure audit tools are owned by root
  • 6.3.4.10 Ensure audit tools belong to group root

7. System maintenance

  • 7.1.1 Ensure permissions on /etc/passwd are configured
  • 7.1.2 Ensure permissions on /etc/passwd- are configured
  • 7.1.3 Ensure permissions on /etc/group are configured
  • 7.1.4 Ensure permissions on /etc/group- are configured
  • 7.1.5 Ensure permissions on /etc/shadow are configured
  • 7.1.6 Ensure permissions on /etc/shadow- are configured
  • 7.1.7 Ensure permissions on /etc/gshadow are configured
  • 7.1.8 Ensure permissions on /etc/gshadow- are configured
  • 7.1.9 Ensure permissions on /etc/shells are configured
  • 7.1.10 Ensure permissions on /etc/security/opasswd are configured
  • 7.1.11 Ensure world writable files and directories are secured
  • 7.1.12 Ensure no files or directories without an owner and a group exist
  • 7.2.1 Ensure accounts in /etc/passwd use shadowed passwords
  • 7.2.2 Ensure /etc/shadow password fields are not empty
  • 7.2.3 Ensure all groups in /etc/passwd exist in /etc/group
  • 7.2.4 Ensure shadow group is empty
  • 7.2.5 Ensure no duplicate UIDs exist
  • 7.2.6 Ensure no duplicate GIDs exist
  • 7.2.7 Ensure no duplicate user names exist
  • 7.2.8 Ensure no duplicate group names exist
  • 7.2.9 Ensure local interactive user home directories are configured
  • 7.2.10 Ensure local interactive user dot files access is configured

License

Licensed under the GPLv3: http://www.gnu.org/licenses/gpl-3.0.html

Author Information

Denis Bernacci

This repository is a migration from Ubuntu 20.04 (https://github.com/alivx/CIS-Ubuntu-20.04-Ansible/).

Pull requests and GitHub issues are welcome!