
konstruktoid / hardening


Hardening Ubuntu. Systemd edition.

License: Apache License 2.0

Shell 98.82% Dockerfile 0.50% HCL 0.68%
ubuntu ubuntu-server shell hardening security security-hardening systemd security-tools security-automation security-compliance

hardening's Introduction

Ubuntu Hardening

Hardening Ubuntu. Systemd edition.

A quick way to make an Ubuntu server a bit more secure.

Use the newly installed and configured system as a reference, or golden, image. Use that image as the baseline installation media and ensure that any future installation complies with benchmarks and policies using a configuration management tool, e.g. Ansible or Puppet.

Tested on Ubuntu 20.04 Focal Fossa and Ubuntu 22.04 Jammy Jellyfish.

If you’re just interested in the security focused systemd configuration, it’s available as a separate document.

If you’re interested in testing your host settings, see the Testing a host section below.

Note
Read the code and do not run this script without first testing in a non-operational environment. The code is not idempotent, use the Ansible role in production environments instead.
Note
The slsa workflow publishes a SLSA provenance artifact that can be used to verify the checksums of the released files.

Packer template and Ansible playbook

A Packer template is available in the Packer directory.

An Ansible playbook is available in the konstruktoid/ansible-role-hardening repository.

Howto

  1. Start the server installation.

  2. Pick language and keyboard layout.

  3. Select "Ubuntu Server (minimized)".

  4. Configure network connections.

  5. Partition the system, see below for recommendations.

  6. Do not install the OpenSSH server, "Featured Server Snaps", or any other packages.

  7. Finish the installation and reboot.

  8. Log in.

  9. If wanted, set a Grub2 password with grub-mkpasswd-pbkdf2. See https://help.ubuntu.com/community/Grub2/Passwords for more information.

  10. Install necessary packages: sudo apt-get -y install git net-tools procps --no-install-recommends.

  11. Download the script: git clone https://github.com/konstruktoid/hardening.git.

  12. Change the configuration options in the ubuntu.cfg file.

  13. Run the script: sudo bash ubuntu.sh.

  14. Reboot.

Recommended separate partitions and mount options:

/boot (rw)
/home (rw,nosuid,nodev)
/var/log (rw,nosuid,nodev,noexec)
/var/log/audit (rw,nosuid,nodev,noexec)
/var/tmp (rw,nosuid,nodev,noexec)

Note that /tmp will be added automatically by the script.

Configuration options

FW_ADMIN='127.0.0.1' // (1)
SSH_GRPS='sudo' // (2)
SSH_PORT='22' // (3)
SYSCTL_CONF='./misc/sysctl.conf' // (4)
AUDITD_MODE='1' // (5)
AUDITD_RULES='./misc/audit-base.rules ./misc/audit-aggressive.rules ./misc/audit-docker.rules' // (6)
LOGROTATE_CONF='./misc/logrotate.conf' // (7)
NTPSERVERPOOL='0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org pool.ntp.org' // (8)
TIMEDATECTL='' // (9)
VERBOSE='N' // (10)
AUTOFILL='N' // (11)
ADMINEMAIL="root@localhost" // (12)
KEEP_SNAPD='Y' // (13)
CHANGEME='' // (14)

# Configuration files // (15)
ADDUSER='/etc/adduser.conf'
AUDITDCONF='/etc/audit/auditd.conf'
AUDITRULES='/etc/audit/rules.d/hardening.rules'
COMMONPASSWD='/etc/pam.d/common-password'
COMMONACCOUNT='/etc/pam.d/common-account'
COMMONAUTH='/etc/pam.d/common-auth'
COREDUMPCONF='/etc/systemd/coredump.conf'
DEFAULTGRUB='/etc/default/grub.d'
DISABLEFS='/etc/modprobe.d/disablefs.conf'
DISABLEMOD='/etc/modprobe.d/disablemod.conf'
DISABLENET='/etc/modprobe.d/disablenet.conf'
FAILLOCKCONF='/etc/security/faillock.conf'
JOURNALDCONF='/etc/systemd/journald.conf'
LIMITSCONF='/etc/security/limits.conf'
LOGINDCONF='/etc/systemd/logind.conf'
LOGINDEFS='/etc/login.defs'
LOGROTATE='/etc/logrotate.conf'
PAMLOGIN='/etc/pam.d/login'
PSADCONF='/etc/psad/psad.conf'
PSADDL='/etc/psad/auto_dl'
RESOLVEDCONF='/etc/systemd/resolved.conf'
RKHUNTERCONF='/etc/default/rkhunter'
RSYSLOGCONF='/etc/rsyslog.conf'
SECURITYACCESS='/etc/security/access.conf'
SSHFILE='/etc/ssh/ssh_config'
SSHDFILE='/etc/ssh/sshd_config'
SYSCTL='/etc/sysctl.conf'
SYSTEMCONF='/etc/systemd/system.conf'
TIMESYNCD='/etc/systemd/timesyncd.conf'
UFWDEFAULT='/etc/default/ufw'
USERADD='/etc/default/useradd'
USERCONF='/etc/systemd/user.conf'
  1. The IP addresses that will be able to connect with SSH, separated by spaces.

  2. Which group the users have to be a member of in order to access the host via SSH, separated by spaces.

  3. Configure SSH port.

  4. Stricter sysctl settings.

  5. Auditd failure mode, i.e. the -f flag in the audit rules: 0=silent, 1=printk, 2=panic. With 2 the kernel panics when an audit record cannot be delivered, taking the host down rather than losing audit data; use it only where that trade-off is intended.

  6. Auditd rules.

  7. Logrotate settings.

  8. NTP server pool.

  9. Add a specific time zone or use the system default by leaving it empty.

  10. If you want all the details or not.

  11. Let the script guess the FW_ADMIN and SSH_GRPS settings.

  12. Add a valid email address, so PSAD can send notifications.

  13. If 'Y' then the snapd package will be held to prevent removal.

  14. Add something just to verify that you actually glanced at the code.

  15. Default configuration file locations.

Functions

Function list in execution order

Note that all functions have the f_ prefix in the code.

pre

Sets apt flags and performs basic permission check.

The pre function is located in ./scripts/pre.

kernel

Sets /sys/module/nf_conntrack/parameters/hashsize to 1048576 if hashsize exists and is writable.

Sets /sys/kernel/security/lockdown to confidentiality if lockdown exists and is writable.

The kernel function is located in ./scripts/kernel.

firewall

Configures UFW if installed.

Allows connections from the addresses in $FW_ADMIN to $SSH_PORT.

Sets logging and IPT_SYSCTL=/etc/sysctl.conf.

The firewall function is located in ./scripts/ufw.

disablenet

Disables the dccp, sctp, rds and tipc kernel modules.

The disablenet function is located in ./scripts/disablenet.

disablefs

Disables the cramfs, freevxfs, jffs2, ksmbd, hfs, hfsplus and udf kernel modules.

The disablefs function is located in ./scripts/disablefs.

disablemod

Disables the bluetooth, bnep, btusb, cpia2, firewire-core, floppy, n_hdlc, net-pf-31, pcspkr, soundcore, thunderbolt, usb-midi, usb-storage, uvcvideo, v4l2_common kernel modules.

Note that disabling the usb-storage module will disable any usage of USB storage devices, if such devices are needed USBGuard should be configured accordingly.

The disablemod function is located in ./scripts/disablemod.

systemdconf

Sets CrashShell=no, DefaultLimitCORE=0, DefaultLimitNOFILE=1024, DefaultLimitNPROC=1024, DumpCore=no in $SYSTEMCONF and $USERCONF.

The systemdconf function is located in ./scripts/systemdconf.

resolvedconf

Sets DNS=$dnslist, DNSOverTLS=opportunistic, DNSSEC=allow-downgrade, FallbackDNS=1.0.0.1 in $RESOLVEDCONF, where $dnslist is an array with the nameservers present in /etc/resolv.conf.

The resolvedconf function is located in ./scripts/resolvedconf.

logindconf

Sets IdleAction=lock, IdleActionSec=15min, KillExcludeUsers=root, KillUserProcesses=1, RemoveIPC=yes in $LOGINDCONF.

The logindconf function is located in ./scripts/logindconf.

journalctl

Copies ./misc/logrotate.conf to $LOGROTATE.

Sets Compress=yes, ForwardToSyslog=yes, Storage=persistent in $JOURNALDCONF.

Sets $FileCreateMode 0600 in $RSYSLOGCONF if $RSYSLOGCONF is writable.

The journalctl function is located in ./scripts/journalctl.

timesyncd

Sets NTP=${SERVERARRAY}, FallbackNTP=${FALLBACKARRAY}, RootDistanceMaxSec=1 in $TIMESYNCD where the arrays are up to four time servers with < 50ms latency.

The timesyncd function is located in ./scripts/timesyncd.

fstab

Configures the /boot and /home partitions with defaults,nosuid,nodev if they are available in /etc/fstab.

Configures the /var/log, /var/log/audit and /var/tmp partitions with defaults,nosuid,nodev,noexec if they are available in /etc/fstab.

Adds /run/shm tmpfs rw,noexec,nosuid,nodev, /dev/shm tmpfs rw,noexec,nosuid,nodev and /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 to /etc/fstab if the partition isn’t present in /etc/fstab.

Removes any floppy drivers from /etc/fstab.

Copies ./config/tmp.mount to /etc/systemd/system/tmp.mount, removes /tmp from /etc/fstab and enables the tmpfs /tmp mount instead.

The fstab function is located in ./scripts/fstab.
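The partition recommendations in the Howto and the mount options the fstab function applies only take effect if the installer actually created the separate partitions, which is the step most often skipped. The following shell script is an added example, not code from the hardening repository: it reads a listing in /proc/mounts format and reports, for each mount point named above, whether it is a separate mount and which of the expected options are missing. The sample listing is constructed for the demonstration; on a hardened host feed it the real /proc/mounts after the reboot.

```sh
#!/bin/sh
# Added example, not part of the hardening repository: check that the mount
# points the README recommends as separate partitions carry the options the
# fstab function sets. Input is text in /proc/mounts format; the sample below
# is constructed so the check runs offline. Feed it "$(cat /proc/mounts)" to
# audit a live host after the script and a reboot.

# Constructed sample: /boot lacks nosuid,nodev, /var/log lacks noexec, and
# /var/log/audit and /dev/shm are not separate mounts at all.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,relatime 0 0
/dev/sda4 /var/log ext4 rw,nosuid,nodev,relatime 0 0
/dev/sda5 /var/tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0'

# required_opts MOUNTPOINT: the options the fstab function applies to it.
# Alternatives are written "a|b"; kernels 5.8+ report hidepid=2 as
# hidepid=invisible in /proc/mounts, so both spellings are accepted.
required_opts() {
  case "$1" in
    /boot|/home) echo "nosuid nodev" ;;
    /var/log|/var/log/audit|/var/tmp) echo "nosuid nodev noexec" ;;
    /tmp|/dev/shm|/run/shm) echo "nosuid nodev noexec" ;;
    /proc) echo "nosuid nodev noexec hidepid=2|hidepid=invisible" ;;
    *) echo "" ;;
  esac
}

# has_opt OPTS OPT: succeed if the comma-separated OPTS contains OPT exactly
# (so "nodev" does not match a longer option and "hidepid=2" must match in full).
has_opt() {
  case ",$1," in
    *",$2,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# has_any OPTS ALTS: ALTS is "a|b"; succeed if OPTS contains any alternative.
has_any() {
  alts=$(printf '%s' "$2" | tr '|' ' ')
  for alt in $alts; do
    has_opt "$1" "$alt" && return 0
  done
  return 1
}

# mount_opts MOUNTS MOUNTPOINT: print the option field for MOUNTPOINT, or
# nothing if it is not a mount point in MOUNTS.
mount_opts() {
  printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; exit }'
}

# check_mount MOUNTS MOUNTPOINT: print one status line. Returns 0 when every
# required option is present, 1 when some are missing, 2 when MOUNTPOINT is
# not a separate mount (fstab options cannot apply to it then).
check_mount() {
  opts=$(mount_opts "$1" "$2")
  if [ -z "$opts" ]; then
    printf '%s: not a separate mount\n' "$2"
    return 2
  fi
  missing=""
  for want in $(required_opts "$2"); do
    has_any "$opts" "$want" || missing="$missing $want"
  done
  if [ -n "$missing" ]; then
    printf '%s: missing%s\n' "$2" "$missing"
    return 1
  fi
  printf '%s: ok\n' "$2"
}

# check_all MOUNTS: run check_mount over every recommended mount point and
# return the number that failed (0 means the layout matches the README).
check_all() {
  failed=0
  for mp in /boot /home /var/log /var/log/audit /var/tmp /tmp /dev/shm /proc; do
    check_mount "$1" "$mp" || failed=$((failed + 1))
  done
  return "$failed"
}

# Run against the constructed sample; four of the eight mount points fail.
check_all "$SAMPLE_MOUNTS" || echo "$? mount point(s) need attention"
```

Replace the sample with `check_all "$(cat /proc/mounts)"` to audit the live host. A mount point reported as "not a separate mount" cannot be fixed by editing /etc/fstab; the partition has to exist first, which is why step 5 of the Howto is done at installation time.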

prelink

Reverts binaries and libraries to their original content before they were prelinked and uninstalls prelink.

The prelink function is located in ./scripts/prelink.

aptget_configure

Sets apt options Acquire::http::AllowRedirect "false";, APT::Get::AllowUnauthenticated "false";, APT::Periodic::AutocleanInterval "7";, APT::Install-Recommends "false";, APT::Get::AutomaticRemove "true";, APT::Install-Suggests "false";, Acquire::AllowDowngradeToInsecureRepositories "false";, Acquire::AllowInsecureRepositories "false";, APT::Sandbox::Seccomp "1";

The aptget_configure function is located in ./scripts/aptget.

aptget

Upgrades installed packages.

The aptget function is located in ./scripts/aptget.

hosts

Sets sshd : ALL : ALLOW, ALL: LOCAL, 127.0.0.1 in /etc/hosts.allow and ALL: ALL in /etc/hosts.deny.

See https://manpages.ubuntu.com/manpages/jammy/man5/hosts_access.5.html for the format of host access control files.

The hosts function is located in ./scripts/hosts.

issue

Writes a notice regarding authorized use only to /etc/issue, /etc/issue.net and /etc/motd.

Removes the executable flag from every file in /etc/update-motd.d/.

The issue function is located in ./scripts/issue.

sudo

Restricts su access to members of the sudo group using pam_wheel.

Sets !pwfeedback, !visiblepw, logfile=/var/log/sudo.log, passwd_timeout=1, timestamp_timeout=5, use_pty sudo options.

The sudo function is located in ./scripts/sudo.

logindefs

Writes LOG_OK_LOGINS yes, UMASK 077, PASS_MIN_DAYS 1, PASS_MAX_DAYS 60, DEFAULT_HOME no, ENCRYPT_METHOD SHA512, USERGROUPS_ENAB no, SHA_CRYPT_MIN_ROUNDS 10000, SHA_CRYPT_MAX_ROUNDS 65536 to $LOGINDEFS.

The logindefs function is located in ./scripts/logindefs.

sysctl

Copies ./misc/sysctl.conf to $SYSCTL.

For an explanation of the options set, see https://www.kernel.org/doc/html/latest/admin-guide/sysctl/.

The sysctl function is located in ./scripts/sysctl.

limitsconf

Sets hard maxlogins 10, hard core 0, soft nproc 512, hard nproc 1024 in $LIMITSCONF.

The limitsconf function is located in ./scripts/limits.

adduser

Sets DIR_MODE=0750, DSHELL=/bin/false and USERGROUPS=yes in $ADDUSER.

Sets INACTIVE=30 and SHELL=/bin/false in $USERADD.

The adduser function is located in ./scripts/adduser.

rootaccess

Writes +:root:127.0.0.1 to $SECURITYACCESS and console to /etc/securetty.

Masks debug-shell.

The rootaccess function is located in ./scripts/rootaccess.

package_install

Installs acct, aide-common, cracklib-runtime, debsums, gnupg2, haveged, libpam-pwquality, libpam-tmpdir, needrestart, openssh-server, postfix, psad, rkhunter, sysstat, systemd-coredump, tcpd, update-notifier-common, vlock.

The package_install function is located in ./scripts/packages.

psad

Installs and configures PSAD.

The psad function is located in ./scripts/psad.

coredump

Writes Storage=none and ProcessSizeMax=0 to $COREDUMPCONF.

The coredump function is located in ./scripts/coredump.

usbguard

Installs and configures USBGuard.

The usbguard function is located in ./scripts/usbguard.

postfix

Installs postfix and sets disable_vrfy_command=yes, inet_interfaces=loopback-only, smtpd_banner=$myhostname, smtpd_client_restrictions=permit_mynetworks,reject using postconf.

The postfix function is located in ./scripts/postfix.

apport

The apport function is located in ./scripts/apport.

motdnews

Disables apt_news and motd-news.

The motdnews function is located in ./scripts/motdnews.

rkhunter

Sets CRON_DAILY_RUN="yes", APT_AUTOGEN="yes" in $RKHUNTERCONF.

The rkhunter function is located in ./scripts/rkhunter.

sshconfig

Sets HashKnownHosts yes, Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr and MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 in $SSHFILE.

The sshconfig function is located in ./scripts/sshdconfig.

sshdconfig

Configures the OpenSSH daemon. The configuration changes will be placed in the directory defined by the Include option if present, otherwise $SSHDFILE will be modified.

By default /etc/ssh/sshd_config.d/hardening.conf will contain the following:

AcceptEnv LANG LC_*
AllowAgentForwarding no
AllowGroups sudo
AllowTcpForwarding no
Banner /etc/issue.net
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
ClientAliveCountMax 3
ClientAliveInterval 200
Compression no
GSSAPIAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts yes
KbdInteractiveAuthentication no
KerberosAuthentication no
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
LogLevel VERBOSE
LoginGraceTime 20
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
MaxAuthTries 3
MaxSessions 3
MaxStartups 10:30:60
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
PermitUserEnvironment no
Port 22
PrintLastLog yes
PrintMotd no
RekeyLimit 512M 1h
StrictModes yes
TCPKeepAlive no
UseDNS no
UsePAM yes
X11Forwarding no

The sshdconfig function is located in ./scripts/sshdconfig.
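Writing hardening.conf into the Include directory has a consequence worth checking: sshd uses the first value it obtains for a keyword, Ubuntu's stock sshd_config puts the Include at the top of the file, and the glob expands in lexical order, so any drop-in whose name sorts before hardening.conf silently wins over it. The following shell script is an added example, not code from the hardening repository: it resolves the value sshd would use for a keyword from the concatenated configuration and audits a few of the directives above against it. The file contents are constructed for the demonstration; the name 50-cloud-init.conf is borrowed from the drop-in cloud-init writes on recent Ubuntu images, but its content here is an assumption. Match blocks are not modelled, so on a real host confirm with sudo sshd -T.

```sh
#!/bin/sh
# Added example, not from the hardening repository: work out which value sshd
# will actually use for a keyword once drop-in files are taken into account,
# and audit a few of the hardening.conf settings against that value.
#
# sshd_config(5): for each keyword the first obtained value is used. Ubuntu's
# /etc/ssh/sshd_config starts with "Include /etc/ssh/sshd_config.d/*.conf"
# and the glob expands in lexical order, so a drop-in sorting before
# "hardening.conf" takes precedence. All file contents below are constructed.

# Constructed drop-in that sorts before hardening.conf.
DROPIN_50_CLOUD_INIT='PasswordAuthentication yes'

# Constructed excerpt of the hardening.conf fragment listed above.
DROPIN_HARDENING='PasswordAuthentication no
PermitRootLogin no
MaxAuthTries 3
X11Forwarding no'

# Constructed main file: the Include comes first, then distribution defaults.
MAIN_CONFIG='# /etc/ssh/sshd_config (excerpt)
Include /etc/ssh/sshd_config.d/*.conf
KbdInteractiveAuthentication no
UsePAM yes
X11Forwarding yes'

# effective_config DROPIN...: print the text sshd reads, with the Include
# line replaced by the drop-ins in the order given (glob order on a host).
effective_config() {
  dropins=$(printf '%s\n' "$@")
  printf '%s\n' "$MAIN_CONFIG" | while IFS= read -r line; do
    case "$line" in
      Include*) printf '%s\n' "$dropins" ;;
      *) printf '%s\n' "$line" ;;
    esac
  done
}

# resolve CONFIG KEYWORD: print the value sshd would use for KEYWORD. Keywords
# are case-insensitive, "Key value" and "Key=value" are both accepted, and the
# first match wins. Match blocks are not modelled; "sshd -T" is authoritative.
resolve() {
  printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
    {
      line = $0
      sub(/^[[:space:]]+/, "", line)
      if (!match(line, /[[:space:]=]+/)) next       # no separator: malformed
      k = tolower(substr(line, 1, RSTART - 1))
      v = substr(line, RSTART + RLENGTH)
      sub(/[[:space:]]+$/, "", v)
      if (k == key) { print v; exit }
    }'
}

# audit CONFIG: compare the effective value of a few directives with what
# hardening.conf sets; print one line each and return the mismatch count.
audit() {
  mismatches=0
  for pair in 'PasswordAuthentication=no' 'PermitRootLogin=no' \
              'MaxAuthTries=3' 'X11Forwarding=no'; do
    key=${pair%%=*}
    want=${pair#*=}
    got=$(resolve "$1" "$key")
    if [ "$got" = "$want" ]; then
      printf '%-24s ok (%s)\n' "$key" "$got"
    else
      printf '%-24s MISMATCH: want %s, got %s\n' "$key" "$want" "${got:-<unset>}"
      mismatches=$((mismatches + 1))
    fi
  done
  return "$mismatches"
}

# As installed: the earlier-sorting drop-in keeps password logins enabled.
audit "$(effective_config "$DROPIN_50_CLOUD_INIT" "$DROPIN_HARDENING")" || :

# After removing the conflicting drop-in, or renaming the hardening file so it
# sorts first (e.g. 00-hardening.conf), the hardened value wins.
audit "$(effective_config "$DROPIN_HARDENING" "$DROPIN_50_CLOUD_INIT")" || :
```

The first audit reports PasswordAuthentication as a mismatch even though hardening.conf says no; the second, with the drop-in order reversed, reports every directive as ok. The Bats tests in the tests directory catch the same class of problem on a real host, since they inspect the running daemon rather than the file the script wrote.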

password

Copies ./config/pwquality.conf to /etc/security/pwquality.conf.

Removes nullok from PAM $COMMONAUTH.

Configures faillock or pam_tally2 depending on which is installed.

Adds a password list to cracklib.

The password function is located in ./scripts/password.

cron

Disables atd and only allows root to use at or cron.

The cron function is located in ./scripts/cron.

ctrlaltdel

The ctrlaltdel function is located in ./scripts/ctraltdel.

auditd

Configures auditd.

The auditd function is located in ./scripts/auditd.

aide

Excludes /var/lib/lxcfs/cgroup and /var/lib/docker from AIDE.

The aide function is located in ./scripts/aide.

rhosts

Removes any existing hosts.equiv or .rhosts files.

The rhosts function is located in ./scripts/rhosts.

users

Removes the games, gnats, irc, list, news, sync, uucp users.

The users function is located in ./scripts/users.

lockroot

Locks the root account.

The lockroot function is located in ./scripts/lockroot.

package_remove

Removes the apport*, autofs, avahi*, beep, git, pastebinit, popularity-contest, rsh*, rsync, talk*, telnet*, tftp*, whoopsie, xinetd, yp-tools, ypbind packages.

The package_remove function is located in ./scripts/packages.

suid

Ensures the executables in ./misc/suid.list don’t have suid bits set.

The suid function is located in ./scripts/suid.

restrictcompilers

Changes mode to 0750 on any installed compilers.

The restrictcompilers function is located in ./scripts/compilers.

umask

Sets the default umask to 077

The umask function is located in ./scripts/umask.

path

Copies ./config/initpath.sh to /etc/profile.d/initpath.sh and sets PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin for the root user and PATH=/usr/local/bin:/usr/sbin:/usr/bin:/bin:/snap/bin for everyone else.

The path function is located in ./scripts/path.

aa_enforce

Enforces available apparmor profiles.

The aa_enforce function is located in ./scripts/apparmor.

aide_post

Creates a new AIDE database.

The aide_post function is located in ./scripts/aide.

aide_timer

Copies a systemd AIDE check service and timer to /etc/systemd/system/.

The aide_timer function is located in ./scripts/aide.

aptget_noexec

Adds a DPkg::Pre-Invoke and DPkg::Post-Invoke to ensure package updates don’t fail on a noexec /tmp partition.

The aptget_noexec function is located in ./scripts/aptget.

aptget_clean

Runs apt-get clean and autoremove.

The aptget_clean function is located in ./scripts/aptget.

systemddelta

Runs systemd-delta if running in verbose mode.

The systemddelta function is located in ./scripts/systemddelta.

post

Ensures fwupdmgr and secureboot-db are installed and updates GRUB.

The post function is located in ./scripts/post.

checkreboot

Checks if a reboot is required.

The checkreboot function is located in ./scripts/reboot.

Tests

There are approximately 760 Bats tests for most of the above settings available in the tests directory.

sudo apt-get -y install bats
git clone https://github.com/konstruktoid/hardening.git
cd hardening/tests/
sudo bats .

Test automation using Vagrant

Running bash ./runTests.sh will use Vagrant to run all above tests, Lynis and OpenSCAP with a CIS Ubuntu benchmark on all supported Ubuntu versions.

The script will generate a file named TESTRESULTS.adoc and CIS report in HTML-format.

Testing a host

Running bash ./runHostTests.sh, located in the tests directory, will generate a TESTRESULTS-<HOSTNAME>.adoc report.

Running bash ./runHostTestsCsv.sh, located in the tests directory, will generate a TESTRESULTS-<HOSTNAME>.csv report.

Contributing

Do you want to contribute? That’s great! Contributions are always welcome, no matter how large or small. If you found something odd, feel free to submit a new issue, improve the code by creating a pull request, or by sponsoring this project.

Logo by reallinfo.

hardening's People

Contributors

asiebelt, dependabot[bot], et304383, frederikbosch, gcb, hellresistor, josephlimb, konstruktoid, readonlyuser1, reallinfo, renovate-bot, renovate[bot], step-security-bot, superpenguin612, swipswaps, taeduard, wimjongman


hardening's Issues

Possible mistake with 'w' command getting IP

Well... I have installed "physically" on a VM machine with AUTOFILL=Y now.

Detected that the 'w' command will not get the IP, because no connections/sessions are active.

maybe should change this line: USERIP="$($WBIN -ih | awk '{print $3}' | head -n1)"

Aide Service duplication

I was inspecting the aide logs for my server today and realised that AIDE currently runs twice a day. At midnight, and then again at 6:30am.

It seems to me that the hardening script install a service to be run at midnight, while the standard AIDE configuration adds a daily cron job

My question is, are these serving different purposes, or is one of them redundant?

[BUG] Missing dependency pexpect

Describe the bug
I am trying to use your role on an Raspbian. I experienced the following error :

TASK [konstruktoid.hardening : initialize Debian aide] ****************************************************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ImportError: No module named pexpect
fatal: [hostname]: FAILED! => {"changed": false, "msg": "Failed to import the required Python library (pexpect) on pi2's Python /usr/bin/python. Please read module documentation and install in the appropriate location. If the required library is installed, but Ansible is using the wrong Python interpreter, please consult the documentation on ansible_python_interpreter"}

You use the expect directive in the task "TASK [konstruktoid.hardening : initialize Debian aide]" but sometimes the package python-pexpect is missing. Install it as a dependency and all will be fine. This is a requirement according to the Ansible documentation.

To Reproduce
Use raspbian system

System (lsb_release -a):
lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 10 (buster)
Release: 10
Codename: buster

Noticed Some Weirdness

Hi,

I'm looking through some of your code now, and have some things like I'd like to address:

File: ubuntu.sh

  • There are a lot of, and I'd wager the same in other scripts, redundant processes. So many process make this very inefficient and only serve to raise the dependency count. You're using Bash, so I recommend using Bash. ;) For example, printf is more than capable of telling and storing the time and date, making date redundant in most cases.

  • You have a lot of error messages, but none of them seem to redirect to STDERR; is that by design? Also, since you're repeating the same code over and over, that's a good opportunity to make use of a function. For example:

die() {
  printf 'ERROR: %s\n' "$2" 1>&2
  [ "$1" -gt 0 ] && exit "$1"
}
  • You seem to be needlessly storing command locations (determined by $PATH anyway, hence command) only to go ahead and use the variables. It's a lot of work and code for no gain, at least that I can see. Am I missing something here? If it's a security issue, you're already using $PATH, as mentioned, so I don't see the gain there.

  • You have 53 functions running in this file, as sourced by 53 other files. All that extra processing and hassle -- I feel like there's a better way, which will reduce the hassle. Perhaps a function library within the one file, then the main code in the other? That seems to be a fairly common approach.

  • I get the impression that you're a long-time shell programmer who's got much more experience with Bourne shell programming. The reason, is because I see a lot of Bourne-isms, I guess you could say. Bash has made a lot of that stuff entirely unnecessary. For example, there's $USER, instead of using yet another process for id -un. There's $UID instead of yet another process for id -u, and one more example, there's $HOSTNAME making hostname redundant in probably most cases. I suggest you read up on the Bash manual; it'll change your world.

  • Lines 88-93, you have a for loop iterating over files to be sourced, but you're only checking 'they' exist, not what they actually are; they could be directories, links, block specials, FIFOs, etc. I recommend using -f instead. It's usually good to be more specific than just -e.

  • This isn't too big a deal, at least how I've seen you use echo, but I would strongly recommend you ditch echo, saving it only for quick terminal stuff, as printf is more feature-rich (especially in Bash) and far more reliable and consistent.

  • While there are at least two naming conventions to things like variables and functions, there is one which is typically shunned, and that's the all-caps way. I actually did the same thing for a very long time, until I finally stopped being so stubborn. :P I'm glad I did, because ThisMethod is a lot easier to read.

Hope this helps. Let me know if you'd be interested in some pull requests.

BTW, this is some seriously awesome stuff! Must have taken a lot of research.

Ubuntu 18.04 Crashing While Applying Apt Updates

The system is crashing due to kernel panic when the audit logging rate exceeds some limit on both VMs and bare metal boxes.

Fix that worked for us is changing the audit rules -f parameter from 2 to 1 in /etc/audit/rules.d/hardening.rules configuration file.

Other then that great scripts, thank you!

LXC VPS

I'm having a few challenges getting this to work on a VPS running in an LXC container.

  1. First auditd and app armor need to be disabled
  2. Second, ssh access to the VPS stops working:
  • have tried to disable f_sshconfig, f_sshdconfig, f_hosts, f_logindconf, and f_sysctl with no luck
    Any suggestions on how I might try to repurpose your repo to work on a VPS running LXC?

Remove NTP

NTP is both an ancient and insecure protocol. The protocol itself can be abused and cause much bigger replies than expected, thus crashing the system. This is known as an amplification attack. More on this here https://blog.hboeck.de/archives/863-Dont-update-NTP-stop-using-it.html and http://netpatterns.blogspot.de/2016/01/the-rising-sophistication-of-network.html
An attacker can exploit flaws in the protocol and gain access into the system. The unencrypted and unauthenticated nature of NTP makes this attack very easy for network adversaries. More info https://blog.hboeck.de/archives/863-Dont-update-NTP-stop-using-it.html and https://www.cvedetails.com/vulnerability-list/vendor_id-2153/NTP.html.
NTP can leak host time and expose the system to attacks described here https://www.whonix.org/wiki/Time_Attacks. More here https://trac.torproject.org/projects/tor/ticket/16659#comment:13.
It's best for users that seek high-level security to follow this https://www.whonix.org/wiki/Time_Attacks#GNU.2FLinux_Host.
The only two nice alternatives to NTP clients are sdwdate by Whonix or this
DO NOT use NTPsec as it is also not secure and even its devs say so. More steps can be taken for time hardening.

DNS Service

You've done some great work.

Sorry if this goes beyond your original intent of your hardening scripts. I'm trying to harden a server that is running Pihole. After running your process, the DNS Service (dnsmasq) gets completely disabled somehow and prevents Pihole from working. Also, Pihole uses php7.4-fpm, which leverages a run folder (/run/php) that also disappears after hardening.

Could you point me in the right direction on debugging the part of your process "over hardens"? :)

Thanks in advance!!

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

This repository currently has no open or pending branches.

Detected dependencies

dockerfile
action-shellcheck/Dockerfile
  • koalaman/shellcheck-alpine stable@sha256:10d8a40c4ee029bce4e04ba9a92efd7a0df4afba023c0cd8fc9c55a1e3ae7aeb
github-actions
.github/workflows/dependency-review.yml
  • step-security/harden-runner v2.7.0@63c24ba6bd7ba022e95695ff85de572c04a18142
  • actions/checkout v4.1.4@0ad4b8fadaa221de15dcec353f45205ec38ea70b
  • actions/dependency-review-action v4.2.5@5bbc3ba658137598168acb2ab73b21c432dd411b
.github/workflows/issues.yml
  • step-security/harden-runner v2.7.0@63c24ba6bd7ba022e95695ff85de572c04a18142
  • pozil/auto-assign-issue v1.14.0@65947009a243e6b3993edeef4e64df3ca85d760c
.github/workflows/scorecards.yml
  • step-security/harden-runner v2.7.0@63c24ba6bd7ba022e95695ff85de572c04a18142
  • actions/checkout v4.1.4@0ad4b8fadaa221de15dcec353f45205ec38ea70b
  • ossf/scorecard-action v2.3.1@0864cf19026789058feabb7e87baa5f140aac736
  • actions/upload-artifact v4.3.3@65462800fd760344b1a7b4382951275a0abb4808
  • github/codeql-action v3.25.3@d39d31e687223d841ef683f52467bd88e9b21c14
.github/workflows/shellcheck.yml
  • step-security/harden-runner v2.7.0@63c24ba6bd7ba022e95695ff85de572c04a18142
  • actions/checkout v4.1.4@0ad4b8fadaa221de15dcec353f45205ec38ea70b
.github/workflows/slsa.yml
  • step-security/harden-runner v2.7.0@63c24ba6bd7ba022e95695ff85de572c04a18142
  • actions/checkout v4.1.4@0ad4b8fadaa221de15dcec353f45205ec38ea70b
  • actions/upload-artifact v4.3.3@65462800fd760344b1a7b4382951275a0abb4808
  • slsa-framework/slsa-github-generator v2.0.0
  • actions/download-artifact v4.1.7@65a9edc5881444af0b9093a5e628f2fe47ea3b2e
  • softprops/action-gh-release v2.0.4@9d7c94cfd0a1f3ed45544c887983e9fa900f0564


47 - Enforce apparmor profiles

--- On Cli running ---

[47] Enforce apparmor profiles
.....
ERROR: /etc/apparmor.d/lxc-containers contains no profile
Setting /etc/apparmor.d/lxc-containers to enforce mode.

--- On LOG file ---

Jun 08 17:22:40 tester systemd[1]: Starting AppArmor initialization...
Jun 08 17:22:40 tester apparmor[108961]:  * Starting AppArmor profiles
Jun 08 17:22:40 tester apparmor[108961]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Jun 08 17:22:40 tester apparmor[108961]:    ...done.
Jun 08 17:22:40 tester systemd[1]: Started AppArmor initialization.

[BUG]: grub-efi-amd64-signed package post-installation script subprocess returned error exit status 32

Describe the bug

during installation process the f_aptget() returns error:

Setting up grub-efi-amd64-signed (1.167.2+2.04-1ubuntu44.2) ...
mount: /var/lib/grub/esp: special device /dev/disk/by-id/mmc-S0J58X_0x158869a0-part1 does not exist.
dpkg: error processing package grub-efi-amd64-signed (--configure):
 installed grub-efi-amd64-signed package post-installation script subprocess returned error exit status 32
No apport report written because the error message indicates its a followup error from a previous failure.Setting up linux-generic (5.4.0.81.85) ...
Setting up fwupd-signed (1.27.1ubuntu5+1.5.11-0ubuntu1~20.04.2) ...
dpkg: dependency problems prevent configuration of shim-signed:
 shim-signed depends on grub-efi-amd64-signed | grub-efi-arm64-signed; however:
  Package grub-efi-amd64-signed is not configured yet.
  Package grub-efi-arm64-signed is not installed.

dpkg: error processing package shim-signed (--configure):
 dependency problems - leaving unconfigured

and after

Processing triggers for initramfs-tools (0.136ubuntu6.6) ...
update-initramfs: Generating /boot/initrd.img-5.4.0-81-generic
Errors were encountered while processing:
 grub-efi-amd64-signed
 shim-signed
E: Sub-process /usr/bin/dpkg returned an error code (1)

To Reproduce
The system uses EFI:

$ sudo lsblk
[sudo] password for tfence: 
NAME         MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
loop0          7:0    0   55M  1 loop /snap/core18/1880
loop1          7:1    0 55.4M  1 loop /snap/core18/2128
loop2          7:2    0 71.3M  1 loop /snap/lxd/16099
loop3          7:3    0 29.9M  1 loop /snap/snapd/8542
loop4          7:4    0 70.3M  1 loop /snap/lxd/21029
loop5          7:5    0 32.3M  1 loop /snap/snapd/12883
mmcblk1      179:0    0 59.3G  0 disk 
├─mmcblk1p1  179:1    0  512M  0 part /boot/efi
├─mmcblk1p2  179:2    0    1G  0 part /boot
├─mmcblk1p3  179:3    0   30G  0 part /
├─mmcblk1p4  179:4    0    5G  0 part /home
├─mmcblk1p5  179:5    0    5G  0 part /var
├─mmcblk1p6  179:6    0    5G  0 part /var/tmp
├─mmcblk1p7  179:7    0    5G  0 part /var/log
├─mmcblk1p8  259:0    0    5G  0 part /var/log/audit
└─mmcblk1p9  259:1    0  2.8G  0 part /srv
mmcblk1boot0 179:8    0 31.5M  1 disk 

I run the install script step by step, I mean function by function (the f_pre() function always works). Every time I start, I change "ubuntu.sh" something like this:
Run 1:

  f_pre
  SCRIPT_COUNT=1
  f_kernel
  SCRIPT_COUNT=2
#  f_firewall
  SCRIPT_COUNT=3
#  f_disablenet
  SCRIPT_COUNT=4
# ...

Run 2:

 f_pre
  SCRIPT_COUNT=1
 # f_kernel
  SCRIPT_COUNT=2
  f_firewall
  SCRIPT_COUNT=3
#  f_disablenet
  SCRIPT_COUNT=4
# ...

So during the step 'aptget ...' :

  #  f_prelink
# ....
  SCRIPT_COUNT=12
  f_aptget_configure
SCRIPT_COUNT=13
  f_aptget
SCRIPT_COUNT=15
#  f_hosts
# ...

I have an error:
harden_install_error.txt


System (lsb_release -a):
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal


Action Required: Fix Renovate Configuration

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Error type: undefined. Note: this is a nested preset so please contact the preset author if you are unable to fix it yourself.

rsyslog : imudp: Could not create udp listener

Hi Thomas,
you are doing a great job - thank you very much.
I have installed the version v1.0.0 on our device and now testing the
functionality of all the features under hardening. I am currently
investigating the syslog problem and cannot figure out
what is happening. I would be very grateful if you can help me with this.

Problem:

rsyslog imudp plugin can't create udp listener
/-----------------------------------------------------------------/
$ sudo systemctl status rsyslog.service
● rsyslog.service - System Logging Service
Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2021-08-26 08:06:26 UTC; 8s ago
TriggeredBy: ● syslog.socket
Docs: man:rsyslogd(8)
https://www.rsyslog.com/doc/
Main PID: 3980 (rsyslogd)
Tasks: 4 (limit: 9281)
Memory: 1.0M
CGroup: /system.slice/rsyslog.service
└─3980 /usr/sbin/rsyslogd -n -iNONE

Aug 26 08:06:26 tfence-sideB systemd[1]: Started System Logging Service.
Aug 26 08:06:26 tfence-sideB rsyslogd[3980]: create UDP socket bound to device failed: Operation not permitted [v8.2001.0]
Aug 26 08:06:26 tfence-sideB rsyslogd[3980]: create UDP socket bound to device failed: Operation not permitted [v8.2001.0]
Aug 26 08:06:26 tfence-sideB rsyslogd[3980]: No UDP socket could successfully be initialized, some functionality may be disabled. [v8.2001>
Aug 26 08:06:26 tfence-sideB rsyslogd[3980]: imudp: Could not create udp listener, ignoring port 514 bind-address (null). [v8.2001.0]
Aug 26 08:06:26 tfence-sideB rsyslogd[3980]: imudp: no listeners could be started, input not activated. [v8.2001.0]
Aug 26 08:06:26 tfence-sideB rsyslogd[3980]: activation of module imudp failed [v8.2001.0 try https://www.rsyslog.com/e/-3 ]
Aug 26 08:06:26 tfence-sideB rsyslogd[3980]: rsyslogd's groupid changed to 110
Aug 26 08:06:26 tfence-sideB rsyslogd[3980]: rsyslogd's userid changed to 104
Aug 26 08:06:26 tfence-sideB rsyslogd[3980]: [origin software="rsyslogd" swVersion="8.2001.0" x-pid="3980" x-info="https://www.rsyslog.com">
/-----------------------------------------------------------------/

Testing configuration:

  Client1         |<========== Tested Device (tgate) ==========>|            SRV

syslog message -->|--> eth0 -----> use imudp ---> eth1 ---------|--> syslogserver
                  |    10.0.0.2                   172.16.1.2    |    172.16.1.50
                  |---------------------------------------------|

Client1 $ logger --server 10.0.0.2 --udp --port 514 "$i) udp message from Client1";

Tested Device (tgate) config:
/etc/rsyslog.d/10-relay.conf :
/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/
$template msg_format, "%rawmsg%\n"
module(load="builtin:omfwd" Template="msg_format")
module(load="imudp")
input(type="imudp" port="514" device="eth0" ruleset="rs1")
Ruleset(name="rs1") {
action(type="omfwd" target="172.16.1.50" port="514" protocol="udp")
& stop
}
/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/
with tcpdump I see the packets arriving at "eth0":
$ sudo tcpdump -i eth0 -nn -v udp and port 514
but "eth1" does not receive them:
$ sudo tcpdump -i eth1 -nn -v udp and port 514

Versions:
hardening: v1.0.0 downloaded 14 apr 2021
Tested Device (tgate) OS:
tgate :$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.2 LTS"

rsyslog version:
rsyslogd: version 8.2001.0

If you have any ideas, suggestions, or you know another way to solve the problem, I would love to hear them.
Thank you in advance

Bionic Beaver mount options change

The server installer for Ubuntu 18.04 removed the ability to set partition mount options (rw, nosuid, nodev, noexec). Is this something that can be handled in the hardening scripts? Probably in 08_fstab.

net-tools package has to be installed

This, again, likely does not need a pull request.

The default installation of Ubuntu server does not include the package net-tools so the hardening/ubuntu.sh script fails immediately. A simple apt install -y net-tools is all that is needed.

I am using a VirtualBox VM and installing from the ubuntu-20.04.1-live-server-amd64.iso disc using all defaults except for the partitioning where I use a LVM physical volume on a single disk and create logical volumes for all mounts in the readme.md ...

This can probably be added in one of the early scripts that define the functions or the main installation script.

Thanks and stay safe.

nproc limits in limits.conf cause gdm3 failure on 18.04

After running scripts/14_limits on ubuntu 18.04, gdm3 would either enter an infinite loop after booting (not showing a login at all) or it would let me try to log in and then reset again after that.

After removing the nproc limits in my limits.conf, things returned to normal.

Apparently gdm3 has lots of processes!

08_fstab line 13 quick fix

Probably doesn't need a pull request, but the /var/tmp expression needs to be added to line 13.

If /var/tmp is in fstab it needs to be removed on line 13, else the check and adds on lines 31-33 will result in two /var/tmp mounts in /etc/fstab:

grep -v -E '[[:space:]]/boot[[:space:]]|[[:space:]]/home[[:space:]]|[[:space:]]/var/log[[:space:]]|[[:space:]]/var/log/audit[[:space:]]|[[:space:]]/var/tmp[[:space:]]' /etc/fstab > "$TMPFSTAB"

Cheers. Stay safe.
J the DBA

13 Configure APT

On same last .log

[13] Configure APT
/etc/apt/apt.conf.d/10periodic:APT::Periodic::AutocleanInterval "0";

Should not be shown.

trying to run the ubuntu.sh fails clean install

Hi, I was trying to run this on a clean 16.04 server installation and it failed every time:
[HARDENING LOG - ubuntu - Mon Dec 17 08:50:28 PST 2018]
ESC[3;JESC[HESC[2JPlease read the code. Exiting.

Don't know where to start from.

Kernel Updates

What do I have to do to get a newly installed kernel to boot? I have run update-grub and it sees that new kernel, but doesn't show up on the list on boot.

Thank you!

Ubuntu 16.04 SSHD Config error

Line 22:

sed -i 's/.*Subsystem sftp.*/Subsystem sftp \/usr\/lib\/ssh\/sftp-server -f AUTHPRIV -l INFO/' "$SSHDFILE"

On ubuntu 16.04 (not checked current) that should be openssh not ssh.
sed -i 's/.*Subsystem sftp.*/Subsystem sftp \/usr\/lib\/openssh\/sftp-server -f AUTHPRIV -l INFO/' "$SSHDFILE"

Document Hardening Items

Would be good to have a list of items and descriptions for all hardening performed in the script documented in README or Wiki.

08_fstab new /etc/fstab missing mounts

Describe the bug
Running the script results in an /etc/fstab missing /var/log, /var/log/audit mount points in /etc/fstab

To Reproduce
Run the script

The script is grep'ping for the expressions for /var/log and /var/log/audit with a "0 0" after the "defaults" and modifying them to secure. Since it is grep'ping from the source /etc/fstab to the temporary fstab and not making the match, the mounts are missing when the final /etc/fstab is in place (for example if /var/log was mounted with defaults 0 2).

Expected behavior
The mount points being hardened if needed.

Technically, looking for defaults on its own would also break /etc/fstab for anyone using BTRFS subvolumes.

I will volunteer time to code an alternative 08_fstab script for review.

System (lsb_release -a):
Ubuntu 20.04 mini AMD 64 release with "basic server" package installed

Additional context
fstab Before:
/dev/mapper/root_vg-lv_root / ext4 errors=remount-ro 0 1
/dev/mapper/root_vg-lv_home /home ext4 defaults 0 2
/dev/mapper/root_vg-lv_var /var ext4 defaults 0 2
/dev/mapper/root_vg-lv_vlog /var/log ext4 defaults 0 2
/dev/mapper/root_vg-lv_vlaudit /var/log/audit ext4 defaults 0 2
/dev/mapper/temp_vg-lv_swap none swap sw 0 0

fstab After:
/dev/mapper/root_vg-lv_root / ext4 errors=remount-ro 0 1
/dev/mapper/root_vg-lv_var /var ext4 defaults 0 2
/dev/mapper/temp_vg-lv_swap none swap sw 0 0
none /run/shm tmpfs rw,noexec,nosuid,nodev 0 0
none /dev/shm tmpfs rw,noexec,nosuid,nodev 0 0
none /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0
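Both 08_fstab reports above (the duplicate /var/tmp line and the dropped /var/log entries) come from matching fstab lines as literal text. As an added example that is not part of the hardening project, the POSIX shell functions below (assumed names harden_fstab_options and ensure_fstab_entry) rewrite the options field by field and add extra entries only once; the sample fstab is constructed from the "fstab Before" listing.

```shell
#!/bin/sh
# Added example, not part of the hardening project: rewrite /etc/fstab entries
# by field instead of by matching the literal text "defaults 0 0". Entries for
# other mount points, comments and blank lines pass through untouched, existing
# options (errors=remount-ro, subvol=@home, ...) and the dump/pass fields are
# kept, and a second run changes nothing. Function names are assumed here.

# harden_fstab_options FSTAB_TEXT MOUNTPOINT OPTIONS
#   Prints FSTAB_TEXT with the comma-separated OPTIONS merged into the entry
#   whose mount point is MOUNTPOINT. Returns 1 when no such entry exists, so a
#   caller can tell "nothing to harden" from "mount point silently dropped".
harden_fstab_options() {
    printf '%s\n' "$1" | awk -v mp="$2" -v add="$3" '
        BEGIN { found = 0 }
        NF == 0 || $1 ~ /^#/ { print; next }        # comments and blank lines
        $2 == mp {
            found = 1
            split("", seen)                          # portable "clear array"
            out = ""
            n = split($4, have, ",")
            for (i = 1; i <= n; i++)                 # keep what is already there
                if (!(have[i] in seen)) {
                    seen[have[i]] = 1
                    out = out (out != "" ? "," : "") have[i]
                }
            m = split(add, want, ",")
            for (i = 1; i <= m; i++)                 # add only what is missing
                if (want[i] != "" && !(want[i] in seen)) {
                    seen[want[i]] = 1
                    out = out (out != "" ? "," : "") want[i]
                }
            $4 = out                                 # rebuilds $0, keeps $5 and $6
            print
            next
        }
        { print }
        END { exit found ? 0 : 1 }
    '
}

# ensure_fstab_entry FSTAB_TEXT ENTRY
#   Appends ENTRY unless an entry for the same mount point already exists,
#   which is what avoids the duplicate /var/tmp line described above.
ensure_fstab_entry() {
    entry_mp=$(printf '%s\n' "$2" | awk '{ print $2 }')
    if printf '%s\n' "$1" | awk -v mp="$entry_mp" \
        'NF > 0 && $1 !~ /^#/ && $2 == mp { found = 1 } END { exit found ? 0 : 1 }'
    then
        printf '%s\n' "$1"
    else
        printf '%s\n%s\n' "$1" "$2"
    fi
}

# Constructed sample, taken from the "fstab Before" listing in the report above.
SAMPLE_FSTAB='# /etc/fstab
/dev/mapper/root_vg-lv_root / ext4 errors=remount-ro 0 1
/dev/mapper/root_vg-lv_home /home ext4 defaults 0 2
/dev/mapper/root_vg-lv_vlog /var/log ext4 defaults 0 2
/dev/mapper/root_vg-lv_vlaudit /var/log/audit ext4 defaults 0 2
/dev/mapper/temp_vg-lv_swap none swap sw 0 0'

# Demo: harden two mount points, then add a tmpfs line exactly once even
# though it is requested twice. Prints the resulting fstab.
demo_fstab() {
    out="$SAMPLE_FSTAB"
    for mp in /var/log /var/log/audit; do
        out=$(harden_fstab_options "$out" "$mp" nodev,nosuid,noexec) || return 1
    done
    out=$(ensure_fstab_entry "$out" 'none /dev/shm tmpfs rw,noexec,nosuid,nodev 0 0')
    out=$(ensure_fstab_entry "$out" 'none /dev/shm tmpfs rw,noexec,nosuid,nodev 0 0')
    printf '%s\n' "$out"
}
```

Write the result to a temporary file and inspect it before replacing /etc/fstab; a non-zero return from harden_fstab_options means the mount point was not found rather than that it was hardened.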

Several bats tests failed on a clean Ubuntu install

Thanks for putting together these scripts; I am a *nix novice and was getting worn down trying to implement every CIS benchmark step manually. I am looking to harden my VPS starting with using a minimal install of Ubuntu 16.04. I created all of the partitions with two standard partitions (/boot and swap) and the rest I am using LVM2.

I assume that after running the scripts that the tests should run relatively error free. I have found that most in the 17_packages module fail (aide, apparmor, etc), several in 19_password, and most in 22_auditd.

It isn't clear whether the scripts are robust enough to be rerun without causing problems; can you confirm? Unfortunately I neglected to send the output of the ubuntu.sh to a file and it doesn't appear that the scripts create a log file automatically.

Any recommendations on how to proceed?

Too many authentication failures

Hi,

Everything looks to install normally. I use Packet.net. When I reboot and log (via SSH of course) I get this error:

Received disconnect from 123:123:123:123: 2: Too many authentication failures

I guess there is some rule that are too severe. I looked at the scripts but didn't see how I could fix this.

Thank you!

logo contribution

Hi, @konstruktoid

I noticed that this project has no logo. I designed a logo. I can share it with you if you want. What do you say? I'll wait for feedback.
Best regards.

Can't exec within /tmp while running script

Periodically within the script I get:

Preconfiguring packages ...
Can't exec "/tmp/<SOME-FILENAMEHERE>": Permission denied at /usr/share/perl/5.26/IPC/Open3.pm line 178.
open2: exec of /tmp/<SOME-FILENAMEHERE> configure  failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.

It is not always the same file within the tmp directory, but it is always the same 2 perl scripts. Presumably this is because the noexec flag is set on the tmp partition. Is this correct?

Support for EC2?

Looks great. Any reason this would not work on an AWS EC2 instance? I noticed Grub/bootloading not sure how that would work on a virtual server. Thanks

disconnected during upgrade packages

I am wondering how I can prevent that I get disconnect from ssh when upgrading packages through apt upgrade. This happens when packages have not been updated for a while. Security updates are activated through this installation library, but feature/bug updates will have to be installed manually. And during this process I am disconnected before the installation was finished.

[auditd] kernel panics after installation

First of all, great package! I have a question around auditd. Directly after installation my VM was rebooting all the time. The reason was the audit log limit exceeded and that caused a kernel panic. I found out this was caused by our backup application that was installed before I ran the hardening script.

In order to get back control of the VM I changed the failure mode from 2 to 0 in recovery mode. Now, I want to prevent the kernel panics by adding a rule to auditd. Only I have no idea what that rule should be. I already saw in the logs that the backup program (running from /usr/sbin) was doing all kinds of operations (e.g. cp, key=tmp).

What rule should I add to prevent the Kernel panic?

Configure TimeZone

Hi,
I think it would make sense to add a TIME_DATE flag in ubuntu.cfg

In my specific case it would be:

TIMEDATECTL='America/New_York'

In my setup I use this:

sudo apt-get -qqy install ntp ntpdate --no-install-recommends
sudo timedatectl set-timezone America/New_York
sudo timedatectl set-ntp yes
echo && echo -e "Verify that the timezone has been set properly"
timedatectl

Jenkins service is not able to start up

Hi,

After the OS is hardened and rebooted, my Jenkins service is never able to start up, either during boot time or when started via systemd. Please see below for more information.
I did try to disable auditd, aide and apparmor but it did not help. Any suggestion will be much appreciated.
Thank you so much

jkwan@ubuntu:~$ ps -ef | grep -i jenkins 
jkwan     1977  1964  0 19:08 pts/0    00:00:00 grep --color=auto -i jenkins

jkwan@ubuntu:~$ uptime 
 19:08:17 up 2 min,  2 users,  load average: 0.26, 0.35, 0.16

jkwan@ubuntu:~$ uptime 
 19:08:21 up 2 min,  2 users,  load average: 0.26, 0.35, 0.16

jkwan@ubuntu:~$ ps -ef | grep -i jenkins 
jkwan     1982  1964  0 19:08 pts/0    00:00:00 grep --color=auto -i jenkins


jkwan@ubuntu:~$ sudo systemctl start jenkins.service 
[sudo] password for jkwan: 
Job for jenkins.service failed because the control process exited with error code. See "systemctl status jenkins.service" and "journalctl -xe" for details.
jkwan@ubuntu:~$ sudo systemctl status jenkins.service
● jenkins.service - LSB: Start Jenkins at boot time
   Loaded: loaded (/etc/init.d/jenkins; bad; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2018-04-05 19:08:44 +08; 12s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 1987 ExecStart=/etc/init.d/jenkins start (code=exited, status=7)

Apr 05 19:08:43 ubuntu jenkins[1987]:  * Starting Jenkins Automation Server jenkins
Apr 05 19:08:43 ubuntu su[2007]: pam_tally(su:account): unknown option: reset
Apr 05 19:08:43 ubuntu su[2007]: Successful su for jenkins by root
Apr 05 19:08:43 ubuntu su[2007]: + ??? root:jenkins
Apr 05 19:08:43 ubuntu su[2007]: pam_unix(su:session): session opened for user jenkins by (uid=0)
Apr 05 19:08:44 ubuntu jenkins[1987]:    ...fail!
Apr 05 19:08:44 ubuntu systemd[1]: jenkins.service: Control process exited, code=exited status=7
Apr 05 19:08:44 ubuntu systemd[1]: Failed to start LSB: Start Jenkins at boot time.
Apr 05 19:08:44 ubuntu systemd[1]: jenkins.service: Unit entered failed state.
Apr 05 19:08:44 ubuntu systemd[1]: jenkins.service: Failed with result 'exit-code'.

jkwan@ubuntu:~$ sudo journalctl -xe
Apr 05 19:08:56 ubuntu audit: PATH item=1 name="/lib64/ld-linux-x86-64.so.2" inode=390623 dev=fc:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
Apr 05 19:08:56 ubuntu audit: PROCTITLE proctitle=7375646F0073797374656D63746C00737461747573006A656E6B696E732E73657276696365
Apr 05 19:08:56 ubuntu sudo[2033]:    jkwan : TTY=pts/0 ; PWD=/home/jkwan ; USER=root ; COMMAND=/bin/systemctl status jenkins.service
Apr 05 19:08:56 ubuntu audit[2033]: USER_CMD pid=2033 uid=1000 auid=1000 ses=2 msg='cwd="/home/jkwan" cmd=73797374656D63746C20737461747573206A656E6B696E732E73657276696365 terminal=pts/0 res=success'
Apr 05 19:08:56 ubuntu audit[2033]: CRED_REFR pid=2033 uid=0 auid=1000 ses=2 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
Apr 05 19:08:56 ubuntu sudo[2033]: pam_unix(sudo:session): session opened for user root by jkwan(uid=0)
Apr 05 19:08:56 ubuntu audit[2034]: SYSCALL arch=c000003e syscall=83 success=no exit=-17 a0=40173c a1=1c9 a2=0 a3=1e5 items=1 ppid=2033 pid=2034 auid=1000 uid=0 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000
Apr 05 19:08:56 ubuntu audit: CWD cwd="/home/jkwan"
Apr 05 19:08:56 ubuntu audit: PATH item=0 name="/tmp/" inode=2 dev=00:25 mode=041777 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
Apr 05 19:08:56 ubuntu audit: PROCTITLE proctitle="/sbin/pam-tmpdir-helper"
Apr 05 19:08:56 ubuntu audit[2034]: SYSCALL arch=c000003e syscall=83 success=no exit=-17 a0=211a0b0 a1=1c0 a2=0 a3=0 items=1 ppid=2033 pid=2034 auid=1000 uid=0 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 
Apr 05 19:08:56 ubuntu audit: CWD cwd="/home/jkwan"
Apr 05 19:08:56 ubuntu audit: PATH item=0 name="/tmp/user/" inode=10 dev=00:25 mode=040711 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
Apr 05 19:08:56 ubuntu audit: PROCTITLE proctitle="/sbin/pam-tmpdir-helper"
Apr 05 19:08:56 ubuntu audit[2033]: USER_START pid=2033 uid=0 auid=1000 ses=2 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
Apr 05 19:08:56 ubuntu audit[2035]: SYSCALL arch=c000003e syscall=59 success=yes exit=0 a0=5622c89784a8 a1=5622c896f168 a2=5622c8988aa0 a3=5622c898e000 items=2 ppid=2033 pid=2035 auid=1000 uid=0 gid=0 euid=0 sui
Apr 05 19:08:56 ubuntu audit: EXECVE argc=3 a0="systemctl" a1="status" a2="jenkins.service"
Apr 05 19:08:56 ubuntu audit: CWD cwd="/home/jkwan"
Apr 05 19:08:56 ubuntu audit: PATH item=0 name="/bin/systemctl" inode=151444 dev=fc:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
Apr 05 19:08:56 ubuntu audit: PATH item=1 name="/lib64/ld-linux-x86-64.so.2" inode=390623 dev=fc:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
Apr 05 19:08:56 ubuntu audit: PROCTITLE proctitle=73797374656D63746C00737461747573006A656E6B696E732E73657276696365
Apr 05 19:08:57 ubuntu sudo[2033]: pam_unix(sudo:session): session closed for user root
Apr 05 19:08:57 ubuntu audit[2033]: USER_END pid=2033 uid=0 auid=1000 ses=2 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
Apr 05 19:08:57 ubuntu audit[2033]: CRED_DISP pid=2033 uid=0 auid=1000 ses=2 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
Apr 05 19:08:58 ubuntu audit[1406]: SYSCALL arch=c000003e syscall=159 success=yes exit=5 a0=7f6fd8ef2bb0 a1=0 a2=862 a3=39fe6f46d items=0 ppid=1 pid=1406 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
Apr 05 19:08:58 ubuntu audit: PROCTITLE proctitle="/usr/sbin/VBoxService"
Apr 05 19:09:08 ubuntu audit[2037]: SYSCALL arch=c000003e syscall=59 success=yes exit=0 a0=d0de48 a1=e03248 a2=de9008 a3=598 items=2 ppid=1964 pid=2037 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000
Apr 05 19:09:08 ubuntu audit: BPRM_FCAPS fver=0 fp=0000000000000000 fi=0000000000000000 fe=0 old_pp=0000000000000000 old_pi=0000000000000000 old_pe=0000000000000000 new_pp=0000003fffffffff new_pi=000000000000000
Apr 05 19:09:08 ubuntu audit: EXECVE argc=3 a0="sudo" a1="journalctl" a2="-xe"
Apr 05 19:09:08 ubuntu audit: CWD cwd="/home/jkwan"
Apr 05 19:09:08 ubuntu audit: PATH item=0 name="/usr/bin/sudo" inode=386 dev=fc:00 mode=0104755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
Apr 05 19:09:08 ubuntu audit: PATH item=1 name="/lib64/ld-linux-x86-64.so.2" inode=390623 dev=fc:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
Apr 05 19:09:08 ubuntu audit: PROCTITLE proctitle=7375646F006A6F75726E616C63746C002D7865
Apr 05 19:09:08 ubuntu sudo[2037]:    jkwan : TTY=pts/0 ; PWD=/home/jkwan ; USER=root ; COMMAND=/bin/journalctl -xe
Apr 05 19:09:08 ubuntu audit[2037]: USER_CMD pid=2037 uid=1000 auid=1000 ses=2 msg='cwd="/home/jkwan" cmd=6A6F75726E616C63746C202D7865 terminal=pts/0 res=success'
Apr 05 19:09:08 ubuntu audit[2037]: CRED_REFR pid=2037 uid=0 auid=1000 ses=2 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
Apr 05 19:09:08 ubuntu sudo[2037]: pam_unix(sudo:session): session opened for user root by jkwan(uid=0)
Apr 05 19:09:08 ubuntu audit[2038]: SYSCALL arch=c000003e syscall=83 success=no exit=-17 a0=40173c a1=1c9 a2=0 a3=1e5 items=1 ppid=2037 pid=2038 auid=1000 uid=0 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000
Apr 05 19:09:08 ubuntu audit: CWD cwd="/home/jkwan"
Apr 05 19:09:08 ubuntu audit: PATH item=0 name="/tmp/" inode=2 dev=00:25 mode=041777 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
Apr 05 19:09:08 ubuntu audit: PROCTITLE proctitle="/sbin/pam-tmpdir-helper"
Apr 05 19:09:08 ubuntu audit[2038]: SYSCALL arch=c000003e syscall=83 success=no exit=-17 a0=afd0b0 a1=1c0 a2=0 a3=0 items=1 ppid=2037 pid=2038 auid=1000 uid=0 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 f
Apr 05 19:09:08 ubuntu audit: CWD cwd="/home/jkwan"
Apr 05 19:09:08 ubuntu audit: PATH item=0 name="/tmp/user/" inode=10 dev=00:25 mode=040711 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
Apr 05 19:09:08 ubuntu audit: PROCTITLE proctitle="/sbin/pam-tmpdir-helper"
Apr 05 19:09:08 ubuntu audit[2037]: USER_START pid=2037 uid=0 auid=1000 ses=2 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
Apr 05 19:09:08 ubuntu audit[2039]: SYSCALL arch=c000003e syscall=59 success=yes exit=0 a0=5588bd7db4a8 a1=5588bd7d2168 a2=5588bd7eba70 a3=5588bd7f1000 items=2 ppid=2037 pid=2039 auid=1000 uid=0 gid=0 euid=0 sui
Apr 05 19:09:08 ubuntu audit: EXECVE argc=2 a0="journalctl" a1="-xe"
Apr 05 19:09:08 ubuntu audit: CWD cwd="/home/jkwan"
Apr 05 19:09:08 ubuntu audit: PATH item=0 name="/bin/journalctl" inode=151439 dev=fc:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
Apr 05 19:09:08 ubuntu audit: PATH item=1 name="/lib64/ld-linux-x86-64.so.2" inode=390623 dev=fc:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
Apr 05 19:09:08 ubuntu audit: PROCTITLE proctitle=6A6F75726E616C63746C002D7865

ufw ssh rule issue ?

detected this issue.

@testubuntu20:~$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    127.0.0.1                  (log)

Should it be Anywhere instead of 127.0.0.1?

[BUG] Konstruktoid hardening on Ubuntu in AWS seems to cause ssm-agent to cease functioning

Describe the bug
Apologies for this if you are not an AWS user or anti Amazon, but I thought I would raise it in case the issue has been raised before somewhere else.

To Reproduce
Run hardening on an AWS ubuntu based AMI either directly on host or via ansible role.

Expected behavior
AWS System Manager / AWS Session Manager features work (FYI, this can be a way to obtain a shell on the box using AWS's SSM protocol(?) rather than using plain old SSH).

Actual behavior
AWS reports that

1 SSM Agent isn't installed on the instance. You can install the agent on both Windows instances and Linux instances.
2 Session Manager setup is incomplete. For more information, see https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-prerequisites.html

System (lsb_release -a):
Ubuntu 18.04 etc

Additional context
AWS and Ubuntu Server ship with ssm-agent installed, and a user called ssm-user - I am trying to debug this to find out which script causes the lack of functionality, but it may take me a while to pin that down.

24_aide - Ubuntu 18.04

:-) Wrong project, sorry! It was meant for the ansible-hardening one.

Original:

In Ubuntu 18.04 with aide 0.16-3 the default config is as follows:


$ sudo cat /etc/aide/aide.conf

# AIDE conf

# The daily cron job depends on these paths
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
database_new=file:/var/lib/aide/aide.db.new
gzip_dbout=yes
...

In the tasks "stat aide.db" and "initialize aide" the database file expected and created is /var/lib/aide/aide.db.gz

If one manually runs the aidecheck.service.j2 command (/usr/bin/aide.wrapper --check), a message about the lack of a database is shown.

If one stats the database, it is empty.

I can do a PR if you agree. Thank you!

[Question] Postfix

Hi friend.

What is the goal of using postfix?
Just to send notifications emails? or will run a mail server?

[BUG] Role fails with "AnsibleUndefinedVariable: 'dict object' has no attribute 'systemd'"

Sorry if I'm missing something obvious here but I'm new to Ansible. I'm running into an issue doing a dry run of this role.

Describe the bug
When running the role (with --check) on a new Ubuntu 20.04 VM in Proxmox, it fails on timesyncd.conf with AnsibleUndefinedVariable: 'dict object' has no attribute 'systemd'.

To Reproduce
Build a brand new Ubuntu 20.04 VM and do a dry run (--check) of the role on it.

Expected behavior
To run without crashing.

System (lsb_release -a):

No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04 LTS
Release:        20.04
Codename:       focal

Additional context

# playbook.yml
- name: 'Provision Image'
  hosts: all
  roles:
    - { 
      role: konstruktoid.hardening, 
      sshd_port: 56789
      }
  become: true
  remote_user: toor

Reports

Awesome work done, it would help a lot if you guys could include reporting as well, in some HTML format at least. I tested using Nessus and it couldn't identify some major basic hardening issues listed in the CIS benchmark, but your script not only identified them but has taken the required action.

SSH Port

Is it possible to change the SSH port, replacing the default 22 with a variable-defined port?
