Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell
2022-01-07 09:49:14 +00:00
commit 0905e86284
200 changed files with 12387 additions and 0 deletions
+6
@@ -0,0 +1,6 @@
# adding github settings to show correct language
*.sh linguist-detectable=true
*.yml linguist-detectable=true
*.ps1 linguist-detectable=true
*.j2 linguist-detectable=true
*.md linguist-documentation
+1
@@ -0,0 +1 @@
.github/
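Review bot: ignoring the whole `.github/` directory (the single line `.github/`) keeps any CI workflows, issue templates or dependabot configuration out of the repository, which is unusual for a project that is meant to be consumed from GitHub; if the intent is only to exclude a locally generated directory, narrow the pattern, otherwise add a comment saying why the directory is excluded so a later contributor does not silently lose workflow files.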
+6
@@ -0,0 +1,6 @@
# Changes to RHEL9-CIS-Audit
## Initial
- Development testing only - not yet GA
- Based on RH8 CIS 1.0.1
+21
@@ -0,0 +1,21 @@
MIT License
Copyright (c) 2022 MindPoint Group
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
+158
@@ -0,0 +1,158 @@
# Development Only
## RHEL 9 CIS (predicted) - ALPHA - CIS baselines or OS not yet GA
## Testing if you have access to the RH developer branches
---
# RHEL 8 Goss config
## Overview
based on RedHat 8 CIS 1.0.1
Set of configuration files and directories to run the first stages of CIS of RHEL 9 servers
This is configured in a directory structure level.
This could do with further testing but sections 1.x should be complete
Goss is run based on the goss.yml file in the top level directory. This specifies the configuration.
## Requirements
You must have [goss](https://github.com/aelsabbahy/goss/) available to your host you would like to test.
You must have sudo/root access to the system as some commands require privilege information.
Assuming you have already clone this repository you can run goss from where you wish.
Please refer to the audit documentation for usage.
- [Audit Documents](https://github.com/ansible-lockdown/RHEL9-CIS-Audit/docs/Security_remediation_and_auditing.md)
This also works alongside the [Ansible Lockdown RHEL9-CIS role](https://github.com/ansible-lockdown/RHEL9-CIS)
Which will:
- install
- audit
- remediate
- audit
## variables
file: vars/CIS.yml
Please refer to the file for all options and their meanings
CIS listed variable for every control/benchmark can be turned on/off or section
- other controls
enable_selinux
run_heavy_tasks
- bespoke options
If a site has specific options e.g. password complexity these can also be set.
## Usage
You must have [goss](https://github.com/aelsabbahy/goss/) available to your host you would like to test.
You must have root access to the system as some commands require privilege information.
- Run as root not sudo due to sudo and shared memory access
Assuming you have already clone this repository you can run goss from where you wish.
- full check
```sh
# {{path to your goss binary}} --vars {{ path to the vars file }} -g {{path to your clone of this repo }}/goss.yml --validate
```
example:
```sh
# /usr/local/bin/goss --vars ../vars/cis.yml -g /home/bolly/rh8_cis_goss/goss.yml validate
......FF....FF................FF...F..FF.............F........................FSSSS.............FS.F.F.F.F.........FFFFF....
Failures/Skipped:
Title: 1.6.1 Ensure core dumps are restricted (Automated)_sysctl
Command: suid_dumpable_2: exit-status:
Expected
<int>: 1
to equal
<int>: 0
Command: suid_dumpable_2: stdout: patterns not found: [fs.suid_dumpable = 0]
Title: 1.4.2 Ensure filesystem integrity is regularly checked (Automated)
Service: aidecheck: enabled:
Expected
<bool>: false
to equal
<bool>: true
Service: aidecheck: running:
Expected
<bool>: false
to equal
<bool>: true
< ---------cut ------- >
Title: 1.1.22 Ensure sticky bit is set on all world-writable directories
Command: version: exit-status:
Expected
<int>: 0
to equal
<int>: 123
Total Duration: 5.102s
Count: 124, Failed: 21, Skipped: 5
```
- running a particular section of tests
```sh
# /usr/local/bin/goss -g /home/bolly/rh8_cis_goss/section_1/cis_1.1/cis_1.1.22.yml validate
............
Total Duration: 0.033s
Count: 12, Failed: 0, Skipped: 0
```
- changing the output
```sh
# /usr/local/bin/goss -g /home/bolly/rh8_cis_goss/section_1/cis_1.1/cis_1.1.22.yml validate -f documentation
Title: 1.1.20 Check for removeable media nodev
Command: floppy_nodev: exit-status: matches expectation: [0]
Command: floppy_nodev: stdout: matches expectation: [OK]
< -------cut ------- >
Title: 1.1.20 Check for removeable media noexec
Command: floppy_noexec: exit-status: matches expectation: [0]
Command: floppy_noexec: stdout: matches expectation: [OK]
Total Duration: 0.022s
Count: 12, Failed: 0, Skipped: 0
```
## Extra settings
Ability to add your own requirements is available in several sections
## further information
- [goss documentation](https://github.com/aelsabbahy/goss/blob/master/docs/manual.md#patterns)
- [CIS standards](https://www.cisecurity.org)
## Feedback required
- If using nftables or iptables rather than firewalld
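Review bot: the usage template under `- full check` shows `--validate`, while every worked example (and the goss CLI) uses the `validate` subcommand, so the template line should end `.../goss.yml validate`. Several other things in this README are carried over from the RHEL 8 repository and no longer match: the heading `# RHEL 8 Goss config` and the example paths `rh8_cis_goss` and `../vars/cis.yml`, whereas the variables section names `vars/CIS.yml` (on a case-sensitive filesystem `cis.yml` and `CIS.yml` are different files, so pick one spelling); the `Audit Documents` link lacks the `blob/<branch>/` path segment that GitHub needs to serve a file and will not resolve; the Requirements section says `sudo/root access` while the Usage section says `Run as root not sudo due to sudo and shared memory access`, so one of the two should be corrected to match the other; and `clone` should read `cloned`. The `removeable` spelling in the sample output comes from the check titles in the 1.1.20 gossfile, so that fix belongs there.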
File diff suppressed because it is too large
+42
@@ -0,0 +1,42 @@
gossfile:
{{ if .Vars.rhel9cis_section1 }}
section_1/*/*.yml: {}
{{ end }}
{{ if .Vars.rhel9cis_section2 }}
section_2/*/*.yml: {}
{{ end }}
{{ if .Vars.rhel9cis_section3 }}
section_3/*/*.yml: {}
{{ end }}
{{ if .Vars.rhel9cis_section4 }}
# Auditd and level 2
{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_auditd }}
section_4/cis_4.1/*.yml: {}
{{ end }}
{{ end }}
section_4/cis_4.2/*.yml: {}
{{ end }}
{{ if .Vars.rhel9cis_section5 }}
section_5/*/*.yml: {}
{{ end }}
{{ if .Vars.rhel9cis_section6 }}
section_6/*/*.yml: {}
{{ end }}
command:
benchmark_meta:
title: Benchmark MetaData
exec: echo BenchMark MetaData
exit-status: 0
meta:
benchmark_machine_uuid: {{ .Vars.machine_uuid }}
benchmark_epoch: {{ .Vars.epoch }}
benchmark_os_locale: {{ .Vars.os_locale }}
benchmark_os_release: {{ .Vars.os_release }}
benchmark_type: {{ .Vars.benchmark }}
benchmark_os_distribution: {{ .Vars.os_distribution }}
benchmark_automation_group: {{ .Vars.auto_group }}
benchmark_hostname: {{ .Vars.os_hostname }}
benchmark_version: {{ .Vars.benchmark_version }}
benchmark_system_type: {{ .Vars.system_type }}
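Review bot: the `meta` values under `benchmark_meta` interpolate the template variables unquoted (`benchmark_machine_uuid: {{ .Vars.machine_uuid }}` and the nine lines that follow it), so an empty variable renders as a YAML null and a value that YAML treats specially (one starting with `*`, `&` or `[`, or containing `: `) breaks the parse of the whole gossfile; quote each of them, e.g. `benchmark_hostname: "{{ .Vars.os_hostname }}"`. Also worth stating in the README or the vars file: the section gates (`{{ if .Vars.rhel9cis_section1 }}` and the others) evaluate to false when the key is absent, because a Go template treats a missing map key as the zero value unless `missingkey=error` is set, so a mistyped variable name silently drops an entire section instead of failing.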
File diff suppressed because it is too large
File diff suppressed because it is too large
File diff suppressed because it is too large
+1
@@ -0,0 +1 @@
GOSS CRITICAL - Count: 230, Failed: 46, Skipped: 10, Duration: 6.975s
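Review bot: this one-line file is the Nagios-style summary of a real run (`GOSS CRITICAL - Count: 230, Failed: 46, Skipped: 10`) rather than source, and committing run output goes stale immediately and invites readers to mistake its numbers for the expected state of the checks; remove it and add the output file pattern to `.gitignore`, or, if it is intended as a sample, move it under a docs or examples directory with a line saying it is illustrative.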
+231
@@ -0,0 +1,231 @@
1..230
ok 1 - Command: secure_system_accts: exit-status: matches expectation: [1]
ok 2 - Command: secure_system_accts: stdout: all expectations found: [!/./]
ok 3 - Command: floppy_nodev: exit-status: matches expectation: [0]
ok 4 - Command: floppy_nodev: stdout: all expectations found: [Passed_Check]
ok 5 - Command: cdrom_noexec: exit-status: matches expectation: [0]
ok 6 - Command: cdrom_noexec: stdout: all expectations found: [Passed_Check]
ok 7 - Command: subscription: exit-status: matches expectation: [{"or":[0,127]}]
ok 8 - Command: subscription: stderr: all expectations found: [command not found]
ok 9 - Command: suid_dumpable_1: exit-status: matches expectation: [0]
ok 10 - Command: suid_dumpable_1: stdout: all expectations found: [fs.suid_dumpable = 0]
ok 11 - Command: gpg_check_global: exit-status: matches expectation: [0]
ok 12 - Command: msdos: exit-status: matches expectation: [0]
ok 13 - Command: msdos: stdout: all expectations found: [install /bin/true]
not ok 14 - Command: check_timeout: exit-status: doesn't match, expect: [0] found: [2]
ok 15 - Command: check_timeout: stdout: all expectations found: [!/./]
ok 16 - Command: auditd_grub: exit-status: matches expectation: [0]
not ok 17 - Command: auditd_grub: stdout: patterns not found: [!/./]
ok 18 - Command: inactive_passwd: exit-status: matches expectation: [0]
ok 19 - Command: inactive_passwd: stdout: all expectations found: [/^INACTIVE=[1-30]/]
ok 20 - Command: single_user_2: exit-status: matches expectation: [0]
not ok 21 - Command: aslr_enabled_2: exit-status: doesn't match, expect: [0] found: [1]
not ok 22 - Command: aslr_enabled_2: stdout: patterns not found: [kernel.randomize_va_space = 2]
ok 23 - Command: floppy_noexec: exit-status: matches expectation: [0]
ok 24 - Command: floppy_noexec: stdout: all expectations found: [Passed_Check]
ok 25 - Command: logfile_configured: exit-status: matches expectation: [0]
not ok 26 - Command: logfile_configured: stdout: patterns not found: [!/./]
ok 27 - Command: vfat: exit-status: matches expectation: [0]
ok 28 - Command: vfat: stdout: all expectations found: [install /bin/true]
ok 29 - Command: modprobe_dccp: exit-status: matches expectation: [0]
not ok 30 - Command: modprobe_dccp: stdout: patterns not found: [install /bin/true]
ok 31 - Command: squashfs: exit-status: matches expectation: [0]
ok 32 - Command: squashfs: stdout: all expectations found: [install /bin/true]
ok 33 - Command: passwd_chg_past: exit-status: matches expectation: [1]
ok 34 - Command: passwd_chg_past: stdout: all expectations found: [!Failed]
ok 35 - Command: /etc/ssh/ssh_host_key_user: exit-status: matches expectation: [0]
ok 36 - Command: /etc/ssh/ssh_host_key_user: stdout: all expectations found: [!/./]
not ok 37 - Command: suid_dumpable_2: exit-status: doesn't match, expect: [0] found: [1]
not ok 38 - Command: suid_dumpable_2: stdout: patterns not found: [fs.suid_dumpable = 0]
ok 39 - Command: iwconfig: exit-status: matches expectation: [127]
ok 40 - Command: fat: exit-status: matches expectation: [0]
ok 41 - Command: fat: stdout: all expectations found: [install /bin/true]
ok 42 - Command: aslr_enabled_1: exit-status: matches expectation: [0]
ok 43 - Command: aslr_enabled_1: stdout: all expectations found: [kernel.randomize_va_space = 2]
ok 44 - Command: mta_installed: exit-status: matches expectation: [1]
ok 45 - Command: mta_installed: stdout: all expectations found: [!/./]
ok 46 - Command: inactive_users: exit-status: matches expectation: [0]
not ok 47 - Command: inactive_users: stdout: patterns not found: [!/./]
ok 48 - Command: cdrom_nodev: exit-status: matches expectation: [0]
ok 49 - Command: cdrom_nodev: stdout: all expectations found: [Passed_Check]
ok 50 - Command: pty_sudoers_d: exit-status: matches expectation: [0]
ok 51 - Command: pty_sudoers_d: stdout: all expectations found: [/[1-99]/]
ok 52 - Command: secure_system_LK: exit-status: matches expectation: [1]
ok 53 - Command: secure_system_LK: stdout: all expectations found: [0]
ok 54 - Command: modprobe_sctp: exit-status: matches expectation: [0]
not ok 55 - Command: modprobe_sctp: stdout: patterns not found: [install /bin/true]
ok 56 - Command: gpg_keys: exit-status: matches expectation: [0]
not ok 57 - Command: core_dumps_limits: exit-status: doesn't match, expect: [0] found: [1]
not ok 58 - Command: core_dumps_limits: stdout: patterns not found: [* hard core 0]
ok 59 - Command: floppy_nosuid: exit-status: matches expectation: [0]
ok 60 - Command: floppy_nosuid: stdout: all expectations found: [Passed_Check]
ok 61 - Command: gpg_check_repo: exit-status: matches expectation: [0]
ok 62 - Command: fat_live: exit-status: matches expectation: [0]
ok 63 - Command: fat_live: stdout: all expectations found: [Passed_Check]
ok 64 - Command: cdrom_nosuid: exit-status: matches expectation: [0]
ok 65 - Command: cdrom_nosuid: stdout: all expectations found: [Passed_Check]
ok 66 - Command: cramfs: exit-status: matches expectation: [0]
ok 67 - Command: cramfs: stdout: all expectations found: [install /bin/true]
ok 68 - Command: single_user_1: exit-status: matches expectation: [0]
ok 69 - Command: /etc/ssh/ssh_host_key_perms: exit-status: matches expectation: [0]
ok 70 - Command: /etc/ssh/ssh_host_key_perms: stdout: all expectations found: [!/./]
ok 71 - Command: /etc/ssh/ssh_host_key_group: exit-status: matches expectation: [0]
ok 72 - Command: /etc/ssh/ssh_host_key_group: stdout: all expectations found: [!/./]
ok 73 - Command: log_sudoers_d: exit-status: matches expectation: [{"lt":3}]
ok 74 - Command: log_sudoers_d: stdout: all expectations found: [/[1:99]/]
ok 75 - Command: udf: exit-status: matches expectation: [0]
ok 76 - Command: udf: stdout: all expectations found: [install /bin/true]
ok 77 - Package: xorgs-x11-servers: installed: matches expectation: [false]
ok 78 - Package: setroubleshoot: installed: matches expectation: [false]
ok 79 - Package: sudo: installed: matches expectation: [true]
ok 80 - Package: bind: installed: matches expectation: [false]
ok 81 - Package: avahi: installed: matches expectation: [false]
ok 82 - Package: dovecot: installed: matches expectation: [false]
not ok 83 - Package: auditd: installed: doesn't match, expect: [true] found: [false]
ok 84 - Package: xinetd: installed: matches expectation: [false]
ok 85 - Package: ypserver: installed: matches expectation: [false]
ok 86 - Package: firewalld: installed: matches expectation: [true]
ok 87 - Package: dhcp: installed: matches expectation: [false]
ok 88 - Package: openldap-servers: installed: matches expectation: [false]
ok 89 - Package: telnet: installed: matches expectation: [false]
ok 90 - Package: openldap-clients: installed: matches expectation: [false]
ok 91 - Command: kernel_nx: exit-status: matches expectation: [0]
ok 92 - Command: kernel_nx: stdout: all expectations found: [kernel: NX (Execute Disable) protection: active]
ok 93 - Package: net-snmp: installed: matches expectation: [false]
ok 94 - Package: mcstrans: installed: matches expectation: [false]
ok 95 - Package: cups: installed: matches expectation: [false]
ok 96 - Package: iptables: installed: matches expectation: [true]
ok 97 - Package: vsftpd: installed: matches expectation: [false]
ok 98 - Package: talk: installed: matches expectation: [false]
ok 99 - Package: audit-libs: installed: matches expectation: [true]
ok 100 - Package: samba: installed: matches expectation: [false]
ok 101 - Command: sticky_bit: exit-status: matches expectation: [0]
ok 102 - Command: sticky_bit: stdout: all expectations found: [!/./]
ok 103 - Package: httpd: installed: matches expectation: [false]
ok 104 - Package: prelink: installed: matches expectation: [false]
ok 105 - Package: squid: installed: matches expectation: [false]
ok 106 - Package: chrony: installed: matches expectation: [true]
ok 107 - Package: ypbind: installed: matches expectation: [false]
ok 108 - Package: telnet-server: installed: matches expectation: [false]
ok 109 - Package: rsh: installed: matches expectation: [false]
ok 110 - Package: rsyslog: installed: matches expectation: [true]
not ok 111 - Package: crond: installed: doesn't match, expect: [true] found: [false]
ok 112 - Service: crond: enabled: matches expectation: [true]
ok 113 - Service: crond: running: matches expectation: [true]
ok 114 - Command: repos_configured: exit-status: matches expectation: [0]
ok 115 - File: /etc/cron.d: exists: matches expectation: [true]
not ok 116 - File: /etc/cron.d: mode: doesn't match, expect: ["0700"] found: ["0755"]
ok 117 - File: /etc/cron.d: owner: matches expectation: ["root"]
ok 118 - File: /etc/cron.d: group: matches expectation: ["root"]
ok 119 - File: /etc/ssh/sshd_config: exists: matches expectation: [true]
ok 120 - File: /etc/ssh/sshd_config: contains: all expectations found: [HostbasedAuthentication no, !/^HostbasedAuthentication yes/]
ok 121 - File: /etc/bashrc: exists: matches expectation: [true]
not ok 122 - File: /etc/bashrc: contains: patterns not found: [/^TMOUT=([1-8][0-9]{0,2}|900)/, /^readonly TMOUT/]
ok 123 - File: /etc/issue.net: exists: matches expectation: [true]
ok 124 - File: /etc/issue.net: mode: matches expectation: ["0644"]
ok 125 - File: /etc/issue.net: owner: matches expectation: ["root"]
ok 126 - File: /etc/issue.net: group: matches expectation: ["root"]
ok 127 - File: /etc/issue.net: contains: all expectations found: [![Cc]ent[Oo][Ss], ![Rr]hel, ![Rr]ed[Hh]at, !x86_64, ![Ll]inux]
ok 128 - File: /etc/systemd/journald.conf: exists: matches expectation: [true]
not ok 129 - File: /etc/systemd/journald.conf: contains: patterns not found: [Storage=persistent]
ok 130 - File: /etc/sudoers: exists: matches expectation: [true]
not ok 131 - File: /etc/sudoers: contains: patterns not found: [/^Defaults logfile=/var/log//, !/^#Defaults logfile=/]
not ok 132 - File: /boot/grub2/user.cfg: exists: doesn't match, expect: [true] found: [false]
ok 133 - # SKIP File: /boot/grub2/user.cfg: mode: skipped
ok 134 - # SKIP File: /boot/grub2/user.cfg: owner: skipped
ok 135 - # SKIP File: /boot/grub2/user.cfg: group: skipped
ok 136 - File: /etc/issue: exists: matches expectation: [true]
ok 137 - File: /etc/issue: mode: matches expectation: ["0644"]
ok 138 - File: /etc/issue: owner: matches expectation: ["root"]
ok 139 - File: /etc/issue: group: matches expectation: ["root"]
ok 140 - File: /etc/issue: contains: all expectations found: [![Cc]ent[Oo][Ss], ![Rr]hel, ![Rr]ed[Hh]at, !x86_64, ![Ll]inux]
ok 141 - File: /boot/grub2/grub.cfg: exists: matches expectation: [true]
not ok 142 - File: /boot/grub2/grub.cfg: contains: patterns not found: [GRUB_CMDLINE_LINUX="audit_backlog_limit=2048"]
ok 143 - File: /etc/rsyslog.conf: exists: matches expectation: [true]
not ok 144 - File: /etc/rsyslog.conf: contains: patterns not found: [$FileCreateMode 06[0:4]0]
not ok 145 - File: /etc/at.deny: exists: doesn't match, expect: [false] found: [true]
ok 146 - File: /etc/motd: exists: matches expectation: [true]
ok 147 - File: /etc/motd: mode: matches expectation: ["0644"]
ok 148 - File: /etc/motd: owner: matches expectation: ["root"]
ok 149 - File: /etc/motd: group: matches expectation: ["root"]
ok 150 - File: /etc/motd: contains: all expectations found: [![Cc]ent[Oo][Ss], ![Rr]hel, ![Rr]ed[Hh]at, !x86_64, ![Ll]inux]
not ok 151 - File: /etc/rsyslog.d/*.conf: exists: doesn't match, expect: [true] found: [false]
ok 152 - # SKIP File: /etc/rsyslog.d/*.conf: contains: skipped
ok 153 - File: /etc/security/pwquality.conf: exists: matches expectation: [true]
not ok 154 - File: /etc/security/pwquality.conf: contains: patterns not found: [dcredit = -1, ucredit = -1, lcredit = -1, ocredit = -1]
ok 155 - File: /etc/profile: exists: matches expectation: [true]
ok 156 - File: /etc/profile: contains: all expectations found: [/^TMOUT=([1-8][0-9]{0,2}|900)/, /^readonly TMOUT/]
ok 157 - File: /etc/crontab: exists: matches expectation: [true]
ok 158 - File: /etc/crontab: mode: matches expectation: ["0644"]
ok 159 - File: /etc/crontab: owner: matches expectation: ["root"]
ok 160 - File: /etc/crontab: group: matches expectation: ["root"]
ok 161 - File: /etc/pam.d/system-auth: exists: matches expectation: [true]
not ok 162 - File: /etc/pam.d/system-auth: contains: patterns not found: [/^password sufficient pam_unix.so sha512 shadow nullok try_first_pass remember=5 user_authtok/]
ok 163 - File: /etc/sysconfig/chronyd: exists: matches expectation: [true]
ok 164 - File: /etc/sysconfig/chronyd: contains: all expectations found: [OPTIONS="-u chrony"]
ok 165 - File: /etc/pam.d/password-auth: exists: matches expectation: [true]
not ok 166 - File: /etc/pam.d/password-auth: contains: patterns not found: [/^password sufficient pam_unix.so sha512 shadow nullok try_first_pass remember=5 user_authtok/]
not ok 167 - File: /etc/at.allow: exists: doesn't match, expect: [true] found: [false]
ok 168 - # SKIP File: /etc/at.allow: mode: skipped
ok 169 - # SKIP File: /etc/at.allow: owner: skipped
ok 170 - # SKIP File: /etc/at.allow: group: skipped
ok 171 - File: /etc/login.defs: exists: matches expectation: [true]
ok 172 - File: /etc/login.defs: contains: all expectations found: [/^PASS_WARN_AGE\s*7/, !/^PASS_WARN_AGE\s*[1-6]/]
ok 173 - File: /etc/chrony.conf: exists: matches expectation: [true]
ok 174 - File: /etc/chrony.conf: contains: all expectations found: [server]
ok 175 - File: /etc/audit/auditd.conf: exists: matches expectation: [true]
not ok 176 - File: /etc/audit/auditd.conf: contains: patterns not found: [space_left_action = email, /^admin_space_left_action = halt/]
not ok 177 - root: exists: Error: Missing Required Attribute
ok 178 - # SKIP User: root: uid: skipped
ok 179 - # SKIP User: root: gid: skipped
ok 180 - KernelParam: net.ipv4.tcp_syncookies: value: matches expectation: ["1"]
ok 181 - KernelParam: net.ipv6.conf.all.forwarding: value: matches expectation: ["0"]
not ok 182 - KernelParam: net.ipv4.conf.default.log_martians: value: doesn't match, expect: ["1"] found: ["0"]
ok 183 - KernelParam: net.ipv4.conf.all.rp_filter: value: matches expectation: ["1"]
not ok 184 - KernelParam: net.ipv6.conf.all.accept_ra: value: doesn't match, expect: ["0"] found: ["1"]
not ok 185 - KernelParam: net.ipv4.conf.all.send_redirects: value: doesn't match, expect: ["0"] found: ["1"]
not ok 186 - KernelParam: net.ipv4.conf.all.secure_redirects: value: doesn't match, expect: ["0"] found: ["1"]
not ok 187 - KernelParam: net.ipv4.conf.all.log_martians: value: doesn't match, expect: ["1"] found: ["0"]
ok 188 - KernelParam: net.ipv6.conf.all.accept_source_route: value: matches expectation: ["0"]
not ok 189 - KernelParam: net.ipv4.conf.default.accept_redirects: value: doesn't match, expect: ["0"] found: ["1"]
not ok 190 - KernelParam: net.ipv4.conf.default.secure_redirects: value: doesn't match, expect: ["0"] found: ["1"]
not ok 191 - KernelParam: net.ipv4.conf.default.send_redirects: value: doesn't match, expect: ["0"] found: ["1"]
ok 192 - KernelParam: net.ipv6.conf.default.accept_source_route: value: matches expectation: ["0"]
ok 193 - Service: autofs: enabled: matches expectation: [false]
ok 194 - Service: autofs: running: matches expectation: [false]
ok 195 - Command: default_zone: exit-status: matches expectation: [0]
ok 196 - Command: default_zone: stdout: all expectations found: [public]
ok 197 - KernelParam: net.ipv4.conf.all.accept_source_route: value: matches expectation: ["0"]
not ok 198 - KernelParam: net.ipv4.conf.all.accept_redirects: value: doesn't match, expect: ["0"] found: ["1"]
not ok 199 - KernelParam: net.ipv6.conf.all.accept_redirects: value: doesn't match, expect: ["0"] found: ["1"]
ok 200 - KernelParam: net.ipv4.icmp_ignore_bogus_error_responses: value: matches expectation: ["1"]
ok 201 - KernelParam: net.ipv4.conf.default.accept_source_route: value: matches expectation: ["0"]
ok 202 - KernelParam: net.ipv4.ip_forward: value: matches expectation: ["0"]
ok 203 - KernelParam: net.ipv4.icmp_echo_ignore_broadcasts: value: matches expectation: ["1"]
not ok 204 - KernelParam: net.ipv6.conf.default.accept_redirects: value: doesn't match, expect: ["0"] found: ["1"]
not ok 205 - KernelParam: net.ipv6.conf.default.accept_ra: value: doesn't match, expect: ["0"] found: ["1"]
ok 206 - Mount: /home: exists: matches expectation: [true]
ok 207 - Mount: /home: opts: matches expectation: [["nodev"]]
ok 208 - Mount: /var: exists: matches expectation: [true]
not ok 209 - Mount: /var/tmp: exists: doesn't match, expect: [true] found: [false]
ok 210 - # SKIP Mount: /var/tmp: opts: skipped
ok 211 - Mount: /tmp: exists: matches expectation: [true]
not ok 212 - Mount: /tmp: opts: doesn't match, expect: [["noexec","nodev","nosuid"]] found: [["rw","nodev","noexec","relatime"]]
ok 213 - Mount: /dev/shm: exists: matches expectation: [true]
not ok 214 - Mount: /dev/shm: opts: doesn't match, expect: [["noexec","nodev","nosuid"]] found: [["rw","nosuid","nodev"]]
ok 215 - Mount: /var/log: exists: matches expectation: [true]
not ok 216 - Mount: /var/log/audit: exists: doesn't match, expect: [true] found: [false]
ok 217 - Service: firewalld: enabled: matches expectation: [true]
ok 218 - Service: firewalld: running: matches expectation: [true]
ok 219 - Service: rhnsd: enabled: matches expectation: [false]
ok 220 - Service: rhnsd: running: matches expectation: [false]
ok 221 - Service: coredump: enabled: matches expectation: [false]
ok 222 - Service: coredump: running: matches expectation: [false]
ok 223 - Service: auditd: enabled: matches expectation: [true]
ok 224 - Service: auditd: running: matches expectation: [true]
ok 225 - Service: rsyslog: enabled: matches expectation: [true]
ok 226 - Service: rsyslog: running: matches expectation: [true]
ok 227 - Command: nic_assigned: exit-status: matches expectation: [0]
ok 228 - Command: nic_assigned: stdout: all expectations found: [ens192]
not ok 229 - Command: security-updates: exit-status: doesn't match, expect: [0] found: [100]
ok 230 - Command: security-updates: stdout: all expectations found: [![0-9].* packages available]
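Review bot: this file is captured TAP output of one audit run and should not be committed as source, but before it is regenerated it already points at defects in the checks themselves. `not ok 177 - root: exists: Error: Missing Required Attribute` means the `user: root` resource is malformed (the error is raised on `exists`), so its `uid` and `gid` assertions are skipped and that control never actually runs. `ok 77 - Package: xorgs-x11-servers: installed: matches expectation: [false]` passes for the wrong reason: no RHEL package is called `xorgs-x11-servers` (the X server packages are `xorg-x11-server-*`), so the check reports "not installed" on every host. `not ok 111 - Package: crond: installed: doesn't match, expect: [true] found: [false]` sits next to `Service: crond: running: matches expectation: [true]`; on RHEL the package that provides `crond` is `cronie`, so the package check names the service and will fail everywhere. `not ok 229 - Command: security-updates: exit-status: doesn't match, expect: [0] found: [100]` looks like `dnf check-update`, which exits 100 precisely when updates are available, so the expectation should accept that code the same way the `subscription` check accepts `{"or":[0,127]}` and the stdout pattern should carry the verdict. The file also records host details such as the NIC name `ens192`, another reason to keep run output out of the repository.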
Executable
+174
@@ -0,0 +1,174 @@
#! /bin/bash
# script to run audit while populating local host data
# 13th Sept 2021 - Initial
# 9th Nov 2021 - Added root user check - more posix compliant for multiple OS types
# 10 Dec 2021 - Enhanced so more linux OS agnostic, less input required
# - added vars options for bespoke vars file
# - Ability to run as script from remediation role increased consistency
# 17 Dec 2021 - Added system_type variable - default Server will change to workstations with -w switch
#!/bin/bash
# Variables in upper case tend to be able to be adjusted
# lower case variables are discovered or built from other variables
# Goss Variables
BENCHMARK=CIS # Benchmark Name aligns to the audit
AUDIT_BIN=/usr/local/bin/goss # location of the goss executable
AUDIT_FILE=goss.yml # the default goss file used by the audit provided by the audit configuration
AUDIT_CONTENT_LOCATION=/var/tmp # Location of the audit configuration file as available to the OS
# help output
Help()
{
# Display Help
echo "Script to run the goss audit"
echo
echo "Syntax: $0 [-g|-o|-v|-w|-h]"
echo "options:"
echo "-g optional - Add a group that the server should be grouped with (default value = ungrouped)"
echo "-o optional - file to output audit data"
echo "-v optional - relative path to thevars file to load (default e.g. $AUDIT_CONTENT_LOCATION/RHEL7-$BENCHMARK/vars/$BENCHMARK.yml)"
echo "-w optional - Sets the system_type to workstation (Default - Server)"
echo "-h Print this Help."
echo
}
# Default vars that can be set
system_type=Server
## option statement
while getopts g:o:v::wh option; do
case "${option}" in
g ) GROUP=${OPTARG} ;;
o ) OUTFILE=${OPTARG} ;;
v ) VARS_PATH=${OPTARG} ;;
w ) system_type=Workstation ;;
h ) # display Help
Help
exit;;
? ) # Invalid option
echo "Invalid option: -${OPTARG}."
Help
exit;;
esac
done
#### Pre-Checks
# check access need to run as root or privileges due to some configuration access
if [ $(/usr/bin/id -u) -ne 0 ]; then
echo "Script need to run with root privileges"
exit 1
fi
#### Main Script
# Discover OS version aligning with audit
# Define os_vendor variable
if [ `grep -c rhel /etc/os-release` != 0 ]; then
os_vendor="RHEL"
else
os_vendor=`hostnamectl | grep Oper | cut -d : -f2 | awk '{print $1}' | tr a-z A-Z`
fi
os_maj_ver=`grep -w VERSION_ID= /etc/os-release | awk -F\" '{print $2}' | cut -d '.' -f1`
audit_content_version=$os_vendor$os_maj_ver-$BENCHMARK-Audit
audit_content_dir=$AUDIT_CONTENT_LOCATION/$audit_content_version
audit_vars=vars/${BENCHMARK}.yml
# Set variable for autogroup
if [ -z $GROUP ]; then
export auto_group="ungrouped"
else
export auto_group=$GROUP
fi
# set default variable for varfile_path
if [ -z "$VARS_PATH" ]; then
export varfile_path=$audit_content_dir/$audit_vars
else
# Check -v exists fail if not
if [ -f "$VARS_PATH" ]; then
export varfile_path=$VARS_PATH
else
echo "passed option '-v' $VARS_PATH does not exist"
exit 1
fi
fi
## System variables captured for metadata
machine_uuid=`if [ ! -z /sys/class/dmi/id/product_uuid ]; then cat /sys/class/dmi/id/product_uuid; else dmidecode -s system-uuid; fi`
epoch=`date +%s`
os_locale=`date +%Z`
os_name=`grep "^NAME=" /etc/os-release | cut -d '"' -f2 | sed 's/ //' | cut -d ' ' -f1`
os_version=`grep "^VERSION_ID=" /etc/os-release | cut -d '"' -f2`
os_hostname=`hostname`
## Set variable audit_out
if [ -z $OUTFILE ]; then
export audit_out=$AUDIT_CONTENT_LOCATION/audit_$os_hostname_$epoch.json
else
export audit_out=$OUTFILE
fi
## Set the AUDIT json string
audit_json_vars='{"benchmark":"'"$BENCHMARK"'","machine_uuid":"'"$machine_uuid"'","epoch":"'"$epoch"'","os_locale":"'"$os_locale"'","os_release":"'"$os_version"'","os_distribution":"'"$os_name"'","os_hostname":"'"$os_hostname"'","auto_group":"'"$auto_group"'","system_type":"'"$system_type"'"}'
## Run pre checks
echo
echo "## Pre-Checks Start"
echo
export FAILURE=0
if [ -s "$AUDIT_BIN" ]; then
echo "OK Audit binary $AUDIT_BIN is available"
else
echo "WARNING - The audit binary is not available at $AUDIT_BIN "; export FAILURE=1
fi
if [ -f "$audit_content_dir/$AUDIT_FILE" ]; then
echo "OK $audit_content_dir/$AUDIT_FILE is available"
else
echo "WARNING - the $audit_content_dir/$AUDIT_FILE is not available"; export FAILURE=2
fi
if [ `echo $FAILURE` != 0 ]; then
echo "## Pre-checks failed please see output"
exit 1
else
echo
echo "## Pre-checks Successful"
echo
fi
## Run commands
echo "#############"
echo "Audit Started"
echo "#############"
echo
$AUDIT_BIN -g $audit_content_dir/$AUDIT_FILE --vars $varfile_path --vars-inline $audit_json_vars v -f json -o pretty > $audit_out
# create screen output
if [ `grep -c $BENCHMARK $audit_out` != 0 ]; then
echo "
`tail -7 $audit_out`
Completed file can be found at $audit_out"
echo "###############"
echo "Audit Completed"
echo "###############"
else
echo "Fail Audit - There were issues when running the audit please investigate $audit_out"
fi
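Review bot: two of the discovery lines do not do what they intend. `machine_uuid=` uses `if [ ! -z /sys/class/dmi/id/product_uuid ]`, which tests that the literal path string is non-empty and is therefore always true, so the `dmidecode -s system-uuid` fallback never runs and on a host without that sysfs node `cat` fails and `machine_uuid` is empty; use `[ -r /sys/class/dmi/id/product_uuid ]`. The default output path `audit_$os_hostname_$epoch.json` expands the undefined variable `os_hostname_` (underscore is a valid name character), so the file is named `audit_<epoch>.json`; write `audit_${os_hostname}_${epoch}.json`. Further points: `audit_json_vars` is built by string concatenation with no escaping and is passed unquoted as `--vars-inline $audit_json_vars`, and `$varfile_path` and `$audit_out` are unquoted too, so a `-g` group value containing a space or a double quote either splits the argument list or produces invalid JSON; quote the expansions and reject such characters in `GROUP` (the same unquoted `[ -z $GROUP ]` test breaks on spaces). In `getopts g:o:v::wh` the `v::` optional-argument form is a GNU getopt extension, not `getopts` optstring syntax, and should be `v:`. The invalid-option branch calls `exit` without a status and so returns success. The second `#!/bin/bash` below the change log is dead and should go, and the `-v` help text still says `RHEL7` and `thevars`. Finally, `grep -c rhel /etc/os-release` also matches `ID_LIKE="rhel ..."` on CentOS Stream, Rocky and Alma, so those hosts get `os_vendor=RHEL`; if that is intended, say so in a comment.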
+73
@@ -0,0 +1,73 @@
command:
{{ if .Vars.rhel9cis_rule_1_1_1_1 }}
cramfs:
title: 1.1.1.1 | L1 | Ensure mounting of cramfs filesystems is disabled
exit-status: 0
exec: "modprobe -n -v cramfs | grep -E '(cramfs|install)'"
stdout:
- install /bin/true
meta:
server: 1
workstation: 1
CIS_ID: 1.1.1.1
CISv8:
- 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ if .Vars.rhel9cis_rule_1_1_1_3 }}
squashfs:
title: 1.1.1.3 | L1 | Ensure mounting of squashfs filesystems is disabled
exit-status: 0
exec: "modprobe -n -v squashfs | grep -E '(squashfs|install)'"
stdout:
- install /bin/true
meta:
server: 1
workstation: 1
CIS_ID: 1.1.1.3
CISv8:
- 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ if .Vars.rhel9cis_rule_1_1_1_4 }}
udf:
title: 1.1.1.4 | L1 | Ensure mounting of udf filesystems is disabled
exit-status: 0
exec: "modprobe -n -v udf | grep -E '(udf|install)'"
stdout:
- install /bin/true
meta:
server: 1
workstation: 1
CIS_ID: 1.1.1.4
CISv8:
- 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_legacy_boot }}
vfat:
{{ if .Vars.rhel9cis_rule_1_1_1_2 }}
title: 1.1.1.2 | L2 | Ensure mounting of fat filesystems is disabled
exit-status: 0
exec: "modprobe -n -v vfat | grep -E '(vfat|install)'"
stdout:
- install /bin/true
meta:
server: 2
workstation: 2
CIS_ID: 1.1.1.2
CISv8:
- 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ end }}
{{ end }}
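Review bot: in the vfat block the resource key `vfat:` sits outside the `{{ if .Vars.rhel9cis_rule_1_1_1_2 }}` guard while its entire body sits inside it, so with `rhel9cis_level_2` and `rhel9cis_legacy_boot` true but `rhel9cis_rule_1_1_1_2` false the rendered file contains a bare `vfat:` with no `exec`, which goss rejects; move the `{{ if ... }}` line above `vfat:` as is done for cramfs, squashfs and udf. Also, the `exec` pipelines such as `modprobe -n -v cramfs | grep -E '(cramfs|install)'` require exit status 0 and `install /bin/true`, but on a kernel where the module does not exist at all `modprobe -n -v` prints its "Module not found" message to stderr and nothing to stdout, so grep exits 1 and the check fails on a host that cannot mount that filesystem anyway; consider accepting that case explicitly, for example with the `{"or":[0,1]}` exit-status matcher this commit already uses for the `subscription` check, and adding a stdout pattern for the not-found case.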
+52
@@ -0,0 +1,52 @@
{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_1_1_11 }}
mount:
/var/log:
title: 1.1.11 | L2 | Ensure separate partition exists for /var/log
exists: true
meta:
server: 2
workstation: 2
CIS_ID:
- 1.1.11
CISv8:
- 4.1
- 8.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ if .Vars.rhel9cis_rule_1_1_12 }}
/var/log/audit:
title: 1.1.12 | L2 | Ensure separate partition exists for /var/log/audit
exists: true
{{ if not .Vars.rhel9cis_auditd }}
skip: true
{{ end }}
meta:
server: 2
workstation: 2
CIS_ID:
- 1.1.12
CISv8:
- 8.3
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ if .Vars.rhel9cis_rule_1_1_13 }}
/home:
title: 1.1.13 | L2 | Ensure separate partition exists for /home
exists: true
meta:
server: 2
workstation: 2
CIS_ID:
- 1.1.13
CISv8:
- 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ end }}
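Review bot: 1.1.12 maps only to CIS v8 8.3 and sets `CISv8_IG1: false`, while 1.1.11 maps to 4.1 and 8.3 and sets it true. If 8.3 is an IG1 safeguard the first flag is wrong; if it is not, the second is only true by way of 4.1. Please document how the IG flags are derived when a control maps to several safeguards, so the two entries can be reconciled.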
+23
View File
@@ -0,0 +1,23 @@
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_13 }} # This L2 control is required to be enabled in order for this to run
{{ if .Vars.rhel9cis_rule_1_1_14 }}
mount:
/home:
title: 1.1.14 | L1 | Ensure nodev option set on /home partition
exists: true
opts:
- nodev
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.14
CISv8:
- 3.3
- 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ end }}
{{ end }}
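Review bot: 1.1.14 is a Level 1 control but is gated on `rhel9cis_rule_1_1_13`, a Level 2 variable, so a Level 1-only run never evaluates nodev on /home even on hosts that do have a separate /home. The inline comment acknowledges the dependency, but a dedicated variable (whether /home is its own mount) would let the L1 check run independently of the L2 profile.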
+21
View File
@@ -0,0 +1,21 @@
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_15 }}
mount:
/dev/shm:
title: 1.1.15 | L1 | Ensure nodev option set on /dev/shm partition
exists: true
opts:
- nodev
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.15
CISv8:
- 3.3
- 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ end }}
+21
View File
@@ -0,0 +1,21 @@
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_16 }}
mount:
/dev/shm:
title: 1.1.16 | L1 | Ensure nosuid option set on /dev/shm partition
exists: true
opts:
- nosuid
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.16
CISv8:
- 3.3
- 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ end }}
+20
View File
@@ -0,0 +1,20 @@
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_17 }}
mount:
/dev/shm:
title: 1.1.17 | L1 | Ensure noexec option set on /dev/shm partition
exists: true
opts:
- noexec
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.17
CISv8:
- 2.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ end }}
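Review bot: this is the third file defining the same goss resource `mount: /dev/shm` (1.1.15 nodev, 1.1.16 nosuid, 1.1.17 noexec). When the files are loaded into one run, the duplicate resource ID means only one `opts` list is kept and the other two options are never asserted. Fold them into a single `/dev/shm` resource with one `opts` list, each option under its own `{{ if .Vars.rhel9cis_rule_1_1_1x }}` guard, as the /tmp (1.1.2-1.1.4) and /var/tmp (1.1.8-1.1.10) files in this commit already do.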
+103
View File
@@ -0,0 +1,103 @@
{{ if .Vars.rhel9cis_level_1 }}
command:
{{ if .Vars.rhel9cis_rule_1_1_18 }}
floppy_noexec:
title: 1.1.18 | L1 | Check for removeable media nodev
exit-status: 0
exec: "if [ `grep -c -i floppy /etc/fstab` = 1 ] ; then if [ `grep -c -E 'floppy.*nodev' /etc/fstab` -eq 1 ]; then echo FAIL; fi; else echo Passed_Check; fi"
stdout:
- Passed_Check
meta:
server: 1
workstation: 1
CIS_ID: 1.1.18
CISv8:
- 3.3
- 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
cdrom_noexec:
title: 1.1.18 | L1 | Check for removeable media nodev
exit-status: 0
exec: "if [ `grep -c -i cdrom /etc/fstab` = 1 ] ; then if [ `grep -c -E 'cdrom.*nodev' /etc/fstab` -eq 1 ]; then echo FAIL; fi; else echo Passed_Check; fi"
stdout:
- Passed_Check
meta:
server: 1
workstation: 1
CIS_ID: 1.1.18
CISv8:
- 3.3
- 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ if .Vars.rhel9cis_rule_1_1_19 }}
floppy_nodev:
title: 1.1.19 | L1 | Check for removeable media nosuid
exit-status: 0
exec: "if [ `grep -c -i floppy /etc/fstab` = 1 ] ; then if [ `grep -c -E 'floppy.*no.suid' /etc/fstab` -eq 1 ]; then echo FAIL; fi; else echo Passed_Check; fi"
stdout:
- Passed_Check
meta:
server: 1
workstation: 1
CIS_ID: 1.1.19
CISv8:
- 3.3
- 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
cdrom_nodev:
title: 1.1.19 | L1 | Check for removeable media nosuid
exit-status: 0
exec: "if [ `grep -c -i cdrom /etc/fstab` = 1 ] ; then if [ `grep -c -E 'cdrom.*nosuid' /etc/fstab` -eq 1 ]; then echo FAIL; fi; else echo Passed_Check; fi"
stdout:
- Passed_Check
meta:
server: 1
workstation: 1
CIS_ID: 1.1.19
CISv8:
- 3.3
- 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ if .Vars.rhel9cis_rule_1_1_20 }}
floppy_nosuid:
title: 1.1.20 | L1 | Check for removeable media noexec
exit-status: 0
exec: "if [ `grep -c -i floppy /etc/fstab` = 1 ] ; then if [ `grep -c -E 'floppy.*noexec' /etc/fstab` -eq 1 ]; then echo FAIL; fi; else echo Passed_Check; fi"
stdout:
- Passed_Check
meta:
server: 1
workstation: 1
CIS_ID: 1.1.20
CISv8:
- 2.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
cdrom_nosuid:
title: 1.1.20 | L1 | Check for removeable media noexec
exit-status: 0
exec: "if [ `grep -c -i cdrom /etc/fstab` = 1 ] ; then if [ `grep -c -E 'cdrom.*noexec' /etc/fstab` -eq 1 ]; then echo FAIL; fi; else echo Passed_Check; fi"
stdout:
- Passed_Check
meta:
server: 1
workstation: 1
CIS_ID: 1.1.20
CISv8:
- 2.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ end }}
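Review bot: the pass/fail logic in every `exec` here is inverted. When a floppy or cdrom line exists, the inner branch prints `FAIL` if the option is present and prints nothing if it is absent, so the `Passed_Check` expectation can never be met on a host with such an entry, whether or not the option is set; the inner `then` should print `Passed_Check` and its `else` should print `FAIL`. Three further points in the same lines: the resource names are shifted against their titles (`floppy_noexec`/`cdrom_noexec` carry the 1.1.18 nodev title, `floppy_nodev`/`cdrom_nodev` the 1.1.19 nosuid title, `floppy_nosuid`/`cdrom_nosuid` the 1.1.20 noexec title); the 1.1.19 floppy regex reads `floppy.*no.suid`, where `.` matches any character, and should be `nosuid` as in the cdrom variant; and `grep -c ... = 1` only handles exactly one matching fstab line, so two entries fall through to the `else` branch and pass unchecked. 'removeable' in the titles should be 'removable'.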
+23
View File
@@ -0,0 +1,23 @@
{{ if .Vars.run_heavy_tests }}
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_21 }}
command:
sticky_bit:
title: 1.1.21 | L1 | Ensure sticky bit is set on all world-writable directories
exit-status: 0
exec: "df --local -P 2> /dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) 2>/dev/null"
timeout: {{ .Vars.timeout_ms }}
stdout: ['!/./']
meta:
server: 1
workstation: 1
CIS_ID: 1.1.21
CISv8:
- 3.3
- 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ end }}
{{ end }}
+18
View File
@@ -0,0 +1,18 @@
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_22 }}
service:
autofs:
title: 1.1.22 | L1 | Disable Automounting
enabled: false
running: false
meta:
server: 1
workstation: 2
CIS_ID: 1.1.22
CISv8:
- 10.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ end }}
+20
View File
@@ -0,0 +1,20 @@
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_23 }}
command:
usb-storage:
title: 1.1.23 | L1 | Ensure mounting of usb-storage is disabled
exit-status: 0
exec: "modprobe -n -v usb-storage | grep -E '(usb-storage|install)'"
stdout:
- install /bin/true
meta:
server: 1
workstation: 2
CIS_ID: 1.1.23
CISv8:
- 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ end }}
+29
View File
@@ -0,0 +1,29 @@
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_2 }}
mount:
/tmp:
title: |
1.1.2 | L1 | Ensure /tmp is configured
1.1.3 | L1 | Ensure nodev option set on /tmp partition
1.1.4 | L1 | Ensure suid option set on /tmp partition
exists: true
opts:
{{ if .Vars.rhel9cis_rule_1_1_3 }}
- nodev
{{ end }}
{{ if .Vars.rhel9cis_rule_1_1_4 }}
- nosuid
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2
- 1.1.3
- 1.1.4
CISv8: 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ end }}
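Review bot: the 1.1.4 title reads 'Ensure suid option set on /tmp partition' but the option asserted is `nosuid`; it should read 'Ensure nosuid option set'. `CISv8: 4.1` is also written as a scalar here (and in the 1.1.5 and 1.1.6 files) while every other file in the commit uses the list form (`CISv8:` / `- 4.1`); anything consuming the meta block has to handle both shapes unless this is normalised to the list.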
+19
View File
@@ -0,0 +1,19 @@
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_5 }}
mount:
/tmp:
title: 1.1.5 | L1 | Ensure noexec option set on /tmp partition
exists: true
opts:
- noexec
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.5
CISv8: 2.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ end }}
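Review bot: this defines `mount: /tmp` a second time (the 1.1.2-1.1.4 file already owns that resource ID), so in a combined run one of the two definitions is dropped and either noexec or nodev/nosuid goes unchecked. Add `- noexec` under a `{{ if .Vars.rhel9cis_rule_1_1_5 }}` guard to the existing /tmp `opts` list instead, and extend that file's title and `CIS_ID` with 1.1.5.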
+17
View File
@@ -0,0 +1,17 @@
{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_1_1_6 }}
mount:
/var:
title: 1.1.6 | L2 | Ensure separate partition exists for /var
exists: true
meta:
server: 2
workstation: 2
CIS_ID:
- 1.1.6
CISv8: 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ end }}
+19
View File
@@ -0,0 +1,19 @@
{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_1_1_7 }}
mount:
/var/tmp:
title: 1.1.7 | L2 | Ensure separate partition exists for /var/tmp
exists: true
meta:
server: 2
workstation: 2
CIS_ID:
- 1.1.7
CISv8:
- 3.3
- 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ end }}
+33
View File
@@ -0,0 +1,33 @@
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_1_1_7 }} # This L2 control is required to be enabled in order for this to run
mount:
/var/tmp:
title: |
1.1.8 | L1 | Ensure nodev option set on /var/tmp partition
1.1.9 | L1 | Ensure nosuid option set on /var/tmp partition
1.1.10 | L1 | Ensure noexec option set on /var/tmp partition
exists: true
opts:
{{ if .Vars.rhel9cis_rule_1_1_8 }}
- nodev
{{ end }}
{{ if .Vars.rhel9cis_rule_1_1_9 }}
- nosuid
{{ end }}
{{ if .Vars.rhel9cis_rule_1_1_10 }}
- noexec
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.8
- 1.1.9
CISv8:
- 3.3
- 4.1
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ end }}
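Review bot: the `CIS_ID` list stops at 1.1.9 although the title and the `opts` block cover 1.1.10 (noexec) as well; add `- 1.1.10`. As with 1.1.14, a Level 1 check is gated on the Level 2 variable `rhel9cis_rule_1_1_7`, so Level 1 runs skip 1.1.8-1.1.10 entirely. The CISv8 mapping lists 3.3 and 4.1 only, while the other noexec checks (1.1.5, 1.1.17) map to 2.3, so the mapping for 1.1.10 is lost in the merged entry.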
+19
View File
@@ -0,0 +1,19 @@
{{ if .Vars.rhel9cis_rule_1_10 }}
file:
/etc/crypto-policies/config:
title: 1.10 | L1 | Ensure system-wide crypto policy is not legacy
exists: true
contains:
- '/^\s*{{ .Vars.rhel9cis_crypto_policy }}/'
- '!/^\s*LEGACY/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.10
CISv8:
- 3.10
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
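Review bot: this is the only file in the set without a `rhel9cis_level_1` guard, so it renders even when Level 1 is disabled; wrap it like the others. The first `contains` regex interpolates `rhel9cis_crypto_policy` without anchoring the end of the line, so it matches any line that merely begins with that value; if that is intended, say so in a comment, otherwise reuse the `\s*(\s+#.*)?$` tail from the 1.11 file.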
+22
View File
@@ -0,0 +1,22 @@
{{ if .Vars.rhel9cis_level_2 }}
{{ if .Vars.rhel9cis_rule_1_11 }}
{{ if eq .Vars.rhel9cis_crypto_policy "DEFAULT" }}
file:
/etc/crypto-policies/config:
title: 1.11 | L2 | Ensure system-wide crypto policy is FUTURE or FIPS
exists: true
contains:
- '/^\s{{ .Vars.rhel9cis_crypto_policy }}\s*(\s+#.*)?$/'
meta:
server: 2
workstation: 2
CIS_ID:
- 1.11
CISv8:
- 3.10
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
{{ end }}
{{ end }}
{{ end }}
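Review bot: the `eq .Vars.rhel9cis_crypto_policy "DEFAULT"` guard inverts the intent: the check only renders when the configured policy is DEFAULT and then asserts that the file contains DEFAULT, while a policy of FUTURE or FIPS, which is what the title requires, causes the whole test to be omitted. Either change the guard to `ne` so the check runs for non-DEFAULT policies, or drop the guard and assert `/^\s*(FUTURE|FIPS)\s*(\s+#.*)?$/` directly. The regex as written also starts with `^\s` (exactly one whitespace character), so a policy name at column 0 never matches; it should be `^\s*` as in the 1.10 file.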
