diff --git a/roles/cis_baseline/README.md b/roles/cis_baseline/README.md index ed97a2d..c6a40bd 100644 --- a/roles/cis_baseline/README.md +++ b/roles/cis_baseline/README.md @@ -8,7 +8,9 @@ Due to missing packages or capabilities related to Arch Linux, the following chapters and controls have not yet been implemented: * 1.3 Filesystem Integrity Checking (missing and broken AIDE packages) -* 1.4.4 Interactive Boot Disabling (not supported for systemd-boot) +* 1.4.4 Interactive Boot Deactivation (not supported for systemd-boot) +* 1.5.4 Prelink Deactivation (not available for Arch Linux) +* 1.6 Mandatory Access Control (not available for Arch Linux) ## Example Playbook @@ -47,9 +49,10 @@ cis_baseline_ignored_rules: [] cis_baseline_sections: - 1_1_filesystem - 1_2_software_updates - - 1_3_filesystem_integrity # Not implemented yet + - 1_3_filesystem_integrity # Not implemented yet - 1_4_boot_settings - 1_5_process_hardening + - 1_6_mandatory_access_control # List of mandatory repositories to verify (1.2.1) cis_baseline_repositories: diff --git a/roles/cis_baseline/defaults/main.yml b/roles/cis_baseline/defaults/main.yml index c88bd41..9a06d2e 100644 --- a/roles/cis_baseline/defaults/main.yml +++ b/roles/cis_baseline/defaults/main.yml @@ -19,6 +19,7 @@ cis_baseline_sections: - 1_3_filesystem_integrity # Not implemented yet - 1_4_boot_settings - 1_5_process_hardening + - 1_6_mandatory_access_control # List of mandatory repositories to verify (1.2.1) cis_baseline_repositories: diff --git a/roles/cis_baseline/meta/argument_specs.yml b/roles/cis_baseline/meta/argument_specs.yml index d135507..55a9500 100644 --- a/roles/cis_baseline/meta/argument_specs.yml +++ b/roles/cis_baseline/meta/argument_specs.yml @@ -74,3 +74,7 @@ argument_specs: default: - 1_1_filesystem - 1_2_software_updates + - 1_3_filesystem_integrity + - 1_4_boot_settings + - 1_5_process_hardening + - 1_6_mandatory_access_control 
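Review bot: `1_6_mandatory_access_control` is added to the enabled-by-default section list in both `defaults/main.yml` and the `argument_specs.yml` default, yet the task file it dispatches to contains only comments, so the section runs as a silent no-op and a play that "covers" 1.6 is indistinguishable in its output from one that enforces it. The neighbouring `1_3_filesystem_integrity` entry at least carries `# Not implemented yet`; the new entry should get the same marker in both files, e.g. `- 1_6_mandatory_access_control  # Not implemented (no LSM managed on Arch yet)`, so a reader of the defaults sees the gap without opening the task file. Better still, have the role emit an `ansible.builtin.debug` notice listing the controls it skips, so compliance evidence produced from the run does not overstate coverage. The change that brings the `argument_specs` default in line with `defaults/main.yml` (it previously listed only 1_1 and 1_2) is correct and worth keeping.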
diff --git a/roles/cis_baseline/molecule/default/tests/1_4_boot_settings.yml b/roles/cis_baseline/molecule/default/tests/1_4_boot_settings.yml index 6c3e36f..e36cc33 100644 --- a/roles/cis_baseline/molecule/default/tests/1_4_boot_settings.yml +++ b/roles/cis_baseline/molecule/default/tests/1_4_boot_settings.yml @@ -31,4 +31,4 @@ # 1.4.4 Ensure interactive boot is not enabled (Not Scored) # -# Not available for systemd-boot +# Not available for systemd-boot. diff --git a/roles/cis_baseline/molecule/default/tests/1_5_process_hardening.yml b/roles/cis_baseline/molecule/default/tests/1_5_process_hardening.yml index fc7ba49..3db76c9 100644 --- a/roles/cis_baseline/molecule/default/tests/1_5_process_hardening.yml +++ b/roles/cis_baseline/molecule/default/tests/1_5_process_hardening.yml @@ -41,3 +41,7 @@ changed_when: false failed_when: '"kernel.randomize_va_space = 2" not in out.stdout' when: ansible_connection not in ["container", "docker", "community.docker.docker"] + +# 1.5.4 Ensure prelink is disabled (Scored) +# +# Not available for Arch Linux. diff --git a/roles/cis_baseline/molecule/default/tests/1_6_mandatory_access_control.yml b/roles/cis_baseline/molecule/default/tests/1_6_mandatory_access_control.yml new file mode 100644 index 0000000..fe6bd6d --- /dev/null +++ b/roles/cis_baseline/molecule/default/tests/1_6_mandatory_access_control.yml 
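Review bot: 1.5.4 is written off in the new `1_5_process_hardening.yml` stanza as "Not available for Arch Linux.", but the control is a negative check — prelink must not be present — and that is verifiable whether or not an official package exists (prelink has been offered through the AUR, so a host can still carry it). The stanza could therefore hold a real assertion in the same shape as the 1.5.3 sysctl check whose tail forms this hunk's context (that task begins outside the hunk), rather than a comment that makes a green verify run look like coverage. A `pacman -Qi` probe exits non-zero for an absent package, so the assertion is a single task:

```yaml
# 1.5.4 Ensure prelink is disabled (Scored)
- name: 1.5.4 Ensure prelink is not installed
  ansible.builtin.command: pacman -Qi prelink
  register: out
  changed_when: false
  failed_when: out.rc == 0
```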
@@ -0,0 +1,38 @@ +--- + +# 1.6.1.1 Ensure SELinux or AppArmor are installed (Scored) +# +# Not available for Arch Linux. + +# 1.6.2.1 Ensure SELinux is not disabled in bootloader configuration (Scored) +# +# Not available for Arch Linux. + +# 1.6.2.2 Ensure the SELinux state is enforcing (Scored) +# +# Not available for Arch Linux. + +# 1.6.2.3 Ensure SELinux policy is configured (Scored) +# +# Not available for Arch Linux. + +# 1.6.2.4 Ensure SETroubleshoot is not installed (Scored) +# +# Not available for Arch Linux. + +# 1.6.2.5 Ensure the MCS Translation Service (mcstrans) is not installed +# (Scored) +# +# Not available for Arch Linux. + +# 1.6.2.6 Ensure no unconfined daemons exist (Scored) +# +# Not available for Arch Linux. + +# 1.6.3.1 Ensure AppArmor is not disabled in bootloader configuration (Scored) +# +# Not available for Arch Linux. + +# 1.6.3.2 Ensure all AppArmor Profiles are enforcing (Scored) +# +# Not available for Arch Linux. diff --git a/roles/cis_baseline/tasks/1_4_boot_settings.yml b/roles/cis_baseline/tasks/1_4_boot_settings.yml index 6e774bc..305de1e 100644 --- a/roles/cis_baseline/tasks/1_4_boot_settings.yml +++ b/roles/cis_baseline/tasks/1_4_boot_settings.yml @@ -34,4 +34,4 @@ # 1.4.4 Ensure interactive boot is not enabled (Not Scored) # -# Not available for systemd-boot +# Not available for systemd-boot. diff --git a/roles/cis_baseline/tasks/1_5_process_hardening.yml b/roles/cis_baseline/tasks/1_5_process_hardening.yml index 696a370..64cb99c 100644 --- a/roles/cis_baseline/tasks/1_5_process_hardening.yml +++ b/roles/cis_baseline/tasks/1_5_process_hardening.yml @@ -69,3 +69,7 @@ group: root mode: '0644' when: not '1.5.3' in cis_baseline_ignored_rules + +# 1.5.4 Ensure prelink is disabled (Scored) +# +# Not available for Arch Linux. diff --git a/roles/cis_baseline/tasks/1_6_mandatory_access_control.yml b/roles/cis_baseline/tasks/1_6_mandatory_access_control.yml new file mode 100644 index 0000000..fe6bd6d --- /dev/null 
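Review bot: The new Molecule verify file for 1.6 is byte-identical to the tasks file (both new-file hunks carry `index 0000000..fe6bd6d`) and contains no tasks at all, so the verify stage passes vacuously for a section that this same commit enables by default — a green CI run says nothing about the MAC state of the instance. If the section is kept as a documented gap, the verify file should at least record the real LSM state so the gap is visible in CI output: an `ansible.builtin.command: cat /sys/kernel/security/lsm` registered and printed via `ansible.builtin.debug`, guarded with the same `when: ansible_connection not in ["container", "docker", "community.docker.docker"]` the 1.5.3 test uses, since securityfs is usually not mounted in containers. A comment-only test file otherwise reads as if the nine 1.6 controls were being checked.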
+++ b/roles/cis_baseline/tasks/1_6_mandatory_access_control.yml
@@ -0,0 +1,38 @@
+---
+
+# 1.6.1.1 Ensure SELinux or AppArmor are installed (Scored)
+#
+# Not available for Arch Linux.
+
+# 1.6.2.1 Ensure SELinux is not disabled in bootloader configuration (Scored)
+#
+# Not available for Arch Linux.
+
+# 1.6.2.2 Ensure the SELinux state is enforcing (Scored)
+#
+# Not available for Arch Linux.
+
+# 1.6.2.3 Ensure SELinux policy is configured (Scored)
+#
+# Not available for Arch Linux.
+
+# 1.6.2.4 Ensure SETroubleshoot is not installed (Scored)
+#
+# Not available for Arch Linux.
+
+# 1.6.2.5 Ensure the MCS Translation Service (mcstrans) is not installed
+# (Scored)
+#
+# Not available for Arch Linux.
+
+# 1.6.2.6 Ensure no unconfined daemons exist (Scored)
+#
+# Not available for Arch Linux.
+
+# 1.6.3.1 Ensure AppArmor is not disabled in bootloader configuration (Scored)
+#
+# Not available for Arch Linux.
+
+# 1.6.3.2 Ensure all AppArmor Profiles are enforcing (Scored)
+#
+# Not available for Arch Linux.
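Review bot: "Not available for Arch Linux." is not accurate for the AppArmor half of this section: as far as I know Arch ships `apparmor` in its official repositories and the stock `linux` kernel is built with AppArmor support (activated through the `lsm=` kernel parameter), so 1.6.1.1, 1.6.3.1 and 1.6.3.2 are implementable and only the SELinux controls genuinely depend on unofficial packages. Recording the whole chapter as unavailable will discourage the next maintainer from revisiting it, and the justification should also match what the README bullet says. A file-level comment that separates the two cases would be more honest, e.g. `# Not implemented: this role does not manage an LSM yet. AppArmor is packaged for Arch Linux; SELinux needs unofficial (AUR) packages.`, with the per-control lines reduced to `# Not implemented.`.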