commit 0905e862847612a95b9814134072386a65cfd75d
Author: Mark Bolwell
Date: Fri Jan 7 09:49:14 2022 +0000
initial
Signed-off-by: Mark Bolwell
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..b2daffb
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,6 @@
+# adding github settings to show correct language
+*.sh linguist-detectable=true
+*.yml linguist-detectable=true
+*.ps1 linguist-detectable=true
+*.j2 linguist-detectable=true
+*.md linguist-documentation
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..bb0224d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.github/
diff --git a/Changelog.md b/Changelog.md
new file mode 100644
index 0000000..30098d8
--- /dev/null
+++ b/Changelog.md
@@ -0,0 +1,6 @@
+# Changes to RHEL9-CIS-Audit
+
+## Initial
+
+- Development testing only - not yet GA
+- Based on RH8 CIS 1.0.1
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..afd7749
--- /dev/null
+++ b/LICENSE
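Review bot: The new `.gitignore` excludes the whole `.github/` directory, which keeps out not only local GitHub metadata but any workflow, Dependabot or CODEOWNERS file that would later live there, so CI and dependency-scanning configuration for this repository could never be committed. If only a specific file under `.github/` needs excluding, list that path instead of the directory; if nothing does, the entry can be dropped.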
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 MindPoint Group
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..658a8ae
--- /dev/null
+++ b/README.md
@@ -0,0 +1,158 @@
+# Development Only
+
+## RHEL 9 CIS (predicted) - ALPHA - CIS baselines or OS not yet GA
+
+## Testing if you have access to the RH developer branches
+
+---
+
+# RHEL 8 Goss config
+
+## Overview
+
+based on RedHat 8 CIS 1.0.1
+
+Set of configuration files and directories to run the first stages of CIS of RHEL 9 servers
+
+This is configured in a directory structure level.
+
+This could do with further testing but sections 1.x should be complete
+
+Goss is run based on the goss.yml file in the top level directory. This specifies the configuration.
+
+## Requirements
+
+You must have [goss](https://github.com/aelsabbahy/goss/) available to your host you would like to test.
+
+You must have sudo/root access to the system as some commands require privilege information.
+
+Assuming you have already clone this repository you can run goss from where you wish.
+
+Please refer to the audit documentation for usage.
+
+- [Audit Documents](https://github.com/ansible-lockdown/RHEL9-CIS-Audit/docs/Security_remediation_and_auditing.md)
+
+This also works alongside the [Ansible Lockdown RHEL9-CIS role](https://github.com/ansible-lockdown/RHEL9-CIS)
+
+Which will:
+
+- install
+- audit
+- remediate
+- audit
+
+## variables
+
+file: vars/CIS.yml
+
+Please refer to the file for all options and their meanings
+
+CIS listed variable for every control/benchmark can be turned on/off or section
+
+- other controls
+enable_selinux
+run_heavy_tasks
+
+- bespoke options
+If a site has specific options e.g. password complexity these can also be set.
+
+## Usage
+
+You must have [goss](https://github.com/aelsabbahy/goss/) available to your host you would like to test.
+
+You must have root access to the system as some commands require privilege information.
+
+- Run as root not sudo due to sudo and shared memory access
+
+Assuming you have already clone this repository you can run goss from where you wish.
+
+- full check
+
+```sh
+# {{path to your goss binary}} --vars {{ path to the vars file }} -g {{path to your clone of this repo }}/goss.yml --validate
+
+```
+
+example:
+
+```sh
+# /usr/local/bin/goss --vars ../vars/cis.yml -g /home/bolly/rh8_cis_goss/goss.yml validate
+......FF....FF................FF...F..FF.............F........................FSSSS.............FS.F.F.F.F.........FFFFF....
+
+Failures/Skipped:
+
+Title: 1.6.1 Ensure core dumps are restricted (Automated)_sysctl
+Command: suid_dumpable_2: exit-status:
+Expected
+ : 1
+to equal
+ : 0
+Command: suid_dumpable_2: stdout: patterns not found: [fs.suid_dumpable = 0]
+
+
+Title: 1.4.2 Ensure filesystem integrity is regularly checked (Automated)
+Service: aidecheck: enabled:
+Expected
+ : false
+to equal
+ : true
+Service: aidecheck: running:
+Expected
+ : false
+to equal
+ : true
+
+< ---------cut ------- >
+
+Title: 1.1.22 Ensure sticky bit is set on all world-writable directories
+Command: version: exit-status:
+Expected
+ : 0
+to equal
+ : 123
+
+Total Duration: 5.102s
+Count: 124, Failed: 21, Skipped: 5
+
+```
+
+- running a particular section of tests
+
+```sh
+# /usr/local/bin/goss -g /home/bolly/rh8_cis_goss/section_1/cis_1.1/cis_1.1.22.yml validate
+............
+
+Total Duration: 0.033s
+Count: 12, Failed: 0, Skipped: 0
+
+```
+
+- changing the output
+
+```sh
+# /usr/local/bin/goss -g /home/bolly/rh8_cis_goss/section_1/cis_1.1/cis_1.1.22.yml validate -f documentation
+Title: 1.1.20 Check for removeable media nodev
+Command: floppy_nodev: exit-status: matches expectation: [0]
+Command: floppy_nodev: stdout: matches expectation: [OK]
+< -------cut ------- >
+Title: 1.1.20 Check for removeable media noexec
+Command: floppy_noexec: exit-status: matches expectation: [0]
+Command: floppy_noexec: stdout: matches expectation: [OK]
+
+
+Total Duration: 0.022s
+Count: 12, Failed: 0, Skipped: 0
+```
+
+## Extra settings
+
+Ability to add your own requirements is available in several sections
+
+## further information
+
+- [goss documentation](https://github.com/aelsabbahy/goss/blob/master/docs/manual.md#patterns)
+- [CIS standards](https://www.cisecurity.org)
+
+## Feedback required
+
+- If using nftables or iptables rather than firewalld
diff --git a/docs/Security_remediation_and_auditing.md b/docs/Security_remediation_and_auditing.md
new file mode 100644
index 0000000..125c364
--- /dev/null
+++ b/docs/Security_remediation_and_auditing.md
@@ -0,0 +1,353 @@
+
+# Automating Security Remediation and Auditing
+
+
+
+
+
+## Table of Contents
+
+[Overview](#overview)
+
+[Supported playbooks](#currently-enabled-playbooks)
+
+[Setup auditing - Remediation](#setup-auditing---Remediation)
+
+[Setup auditing - Standalone](#setup-auditing---Standalone)
+
+[Setup auditing - Standalone Linux](#Linux)
+
+[Setup auditing - Standalone Windows](#Windows)
+
+[Requirements](#requirements)
+
+[Alternate source options](#alternate-source-options)
+
+[Other audit settings](#other-audit-settings)
+
+[Assistance](#assistance)
+
+[Community](#community)
+
+[Remediation Support](#remediation-support)
+
+[Enhanced services](#enhanced-services)
+
+[Links](#links)
+
+# Overview
+
+Ansible remediation for security benchmarks now utilises an opensource
+go binary called [goss](https://github.com/aelsabbahy/goss) to audit the
+system.
+
+Enabling an alternative tool to check and ensure that the remediation
+role is working as expected.
+
+Ensuring consistency in checks by using the same settings and controls
+that have been enabled in the remediation steps, are the same ones
+checked by the audit.
+
+It can be run in two ways:
+
+- Enabled to run as part of the ansible playbook and is setup to capture pre remediation and post remediation states. Using the same configured variables as used in remediation
+
+- Standalone script
+ - run_audit.sh (Linux (shell))
+ - run_audit.ps1 (Windows(powershell))
+
+# Currently enabled playbooks
+
+**CIS:**
+
+- RHEL 7
+- RHEL 8
+- Ubuntu 20.04
+- Windows 2016 Standalone, Member and Controller (in testing August 21)
+- Windows 2019 Standalone, Member and Controller (in testing August 21)
+
+**STIG:**
+
+- RHEL 7
+- RHEL 8
+
+# Setup auditing - Remediation
+
+By Default, this is not enabled but this can be simply setup and run. This will set the system up for you and will utilise the same variables used in the remediation steps to also run the audit.
+When the audit is run, this calls the same script as the standalone method with the data populated based on the variables below.
+
+## Requirements
+
+As per the remediation playbook this requires ability to run things as
+super user.
+
+**Recommend enable reboot.**
+
+There is an option to skip a reboot as part of remediation. Default
+option is to not allow it to take place.
+
+Many checks that take place during the audit will only be available
+after a reboot, this could change results.
+
+## All controls can be set via the defaults/main.yml
+
+(or relevant vars files used by your environment)
+
+This includes.
+
+Minimal setup -- needs access to github
+
+```setup_audit```
+
+> default: false
+
+- enables the goss binary download and setup from github -- carries
+ out the checksum and places by default into /usr/local/bin (see
+ {{ audit_bin_path }})
+
+ - ```get_audit_binary_method```
+
+ > default: download
+
+ - ```download```
+ > default: {{ audit_bin_url }}
+
+ This will download the binary using the {{ audit_bin_version }} settings
+
+ - ```copy```
+
+ > default: {{ audit_bin_copy_location }} (not set)
+
+ To be used to copy from the control node to the managed node
+
+```run_audit```
+
+> default: false
+
+- This will carry out the steps to get the audit configuration files,
+ place these on the system and run the audit both pre and post.
+
+- This also copies over the goss control file for all the variables as
+ setup for each control and variables utilised for your environment
+
+## Alternate source options
+
+```audit_content```
+
+> default: git
+
+- Where the audit content is being retrieved from options include
+ - git:
+
+```audit_file_git```
+
+> default: ```https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git```
+
+```audit_git_version```
+
+> default: main
+
+With version referring to the branch or specific commit.
+
+**NOTE: We would recommend copying as an archive
+
+We have allowed two options using the same variables
+
+- Options
+ - archived
+ - copy (somewhere accessible on your network to copy from)
+
+- Settings:
+
+ ```audit_conf_copy```
+
+ > default: (change accordingly for your environment)
+
+ e.g. Path on the control node to copy path/archive from
+
+ ```audit_conf_dir``` (change as required copy as dir or extract archive)
+
+ > Directory on the managed node where the audit conf files will run
+ > from.
+ >
+ > Used for the copy and the running of the audit
+
+Alternate options
+
+```get_url``` ( to be set according to your requirements)
+
+- {{ audit_file_url }} -- As description
+
+```local or none```
+
+ > This assumes content is already on the system and utilises the check
+ > that are already there (see audit_conf_dir setting)
+
+## Other audit settings
+
+```audit_run_heavy_tests```
+
+> default: true
+
+- These often involved working across all local file systems or
+ scanning content in several files, so may have an impact on a system
+
+Used in conjunction with:
+
+```audit_cmd_timeout```
+
+> default: 60000ms
+
+- Some commands can be quite intensive on a system and take longer
+ that the std 10seconds to run. This enables the timeout to still be
+ set.
+
+```audit_out_dir```
+
+> default: /var/tmp
+
+- Location to put the reports (filenames are set)
+
+```audit_conf_dir```
+
+> default: "{{ audit_out_dir }}/{{ benchmark }}-Audit/"
+
+- Location for the audit configuration files to reside
+
+- Change these if running local
+
+```audit_bin_path```
+
+> default: /usr/local/bin/
+
+- Path for the goss binary to be stored and found
+
+```audit_bin```
+
+> default: "{{ audit_bin_path }}goss"
+
+- Absolute path to the binary
+
+Other settings can be seen in the defaults/main.yml file, changing these
+may have adverse effect on other products or services.
+
+# Setup auditing - Standalone
+
+It is assumed that as you have the script you have downloaded the audit content already from source control or your own configired location.
+
+The following requirements are needed OS independant
+
+- Super user or permissions to run privilege commands
+ - Linux sudo can work
+ - Windows ability to run security audits and query group or local policy.
+
+- goss binary appropriate for the OS
+ - Linux
+ - [64bit_v0.3.16_binary](https://github.com/aelsabbahy/goss/releases/download/v0.3.16/goss-linux-amd64)
+ - [64bit_v0.3.16_sha256](https://github.com/aelsabbahy/goss/releases/download/v0.3.16/goss-linux-amd64.sha256)
+ - Windows
+ - [64bit_v0.3.16_exe](https://github.com/aelsabbahy/goss/releases/download/v0.3.16/goss-alpha-windows-amd64.exe)
+ - [64bit_v0.3.16_sha256](https://github.com/aelsabbahy/goss/releases/download/v0.3.16/goss-alpha-windows-amd64.exe.sha256)
+
+## Defining the audit
+
+Each script runs against a configures variables file found in the content location in
+
+> {downloaded content}/vars/{benchmark}.yml
+
+These are the variables that configure which controls are run along with some configurable settings during an audit.
+
+Each script has the ability for you to set several variables depending on your environment requirements.
+e.g. locations on where to find binary or output locations
+
+There is also switch options to allow you to run a couple of these at run time.
+
+Script runtime options
+
+- The group option allows a meta feild to be assigned against the report for use in analysis if servers can be grouped together.
+If more than one group this can be comma seperated
+
+- The outfile is the filename and location to save the full audit report to.
+
+## Linux
+
+The run_audit.sh script
+
+This is written that:
+
+- Uppercase variable are the only ones that should need changing
+- lowercase variables are the ones that are discovered or built from existing.
+
+script variables
+example:
+
+```sh
+BENCHMARK=CIS # Benchmark Name aligns to the audit
+AUDIT_BIN=/usr/local/bin/goss # location of the goss executable
+AUDIT_FILE=goss.yml # the default goss file used by the audit provided by the audit configuration
+AUDIT_CONTENT_LOCATION=/var/tmp # Location of the audit configuration file as available to the OS
+```
+
+script help
+
+```sh
+Script to run the goss audit
+
+Syntax: ./run_audit.sh [-g|-o|-v| -h]
+options:
+ -g optional - Add a group that the server should be grouped with (default value = ungrouped)
+ -o optional - file to output audit data
+ -v optional - relative path to thevars file to load (default e.g. $AUDIT_CONTENT_LOCATION/RHEL7-$BENCHMARK/vars/$BENCHMARK.yml)
+ -h Print this Help.
+
+Other options can be assigned in the script itself
+```
+
+## Windows
+
+Similar to the Linux variables that can be set within the script
+
+```sh
+$BENCHMARK = "CIS"
+$AUDIT_BIN = "C:\vagrant\goss.exe"
+$AUDIT_FILE = "goss.yml"
+$AUDIT_VARS = "vars\$BENCHMARK.yml"
+$AUDIT_CONTENT_LOCATION = "C:\vagrant"
+$AUDIT_CONTENT_VERSION = "Win2019-$BENCHMARK-Audit"
+$AUDIT_CONTENT_DIR = "$AUDIT_CONTENT_LOCATION\$AUDIT_CONTENT_VERSION"
+```
+
+script itself
+
+# Assistance
+
+## Remediation Support
+
+[LockdownEnterprise](https://www.lockdownenterprise.com)
+
+## Enhanced services
+
+[Ansible Counselor](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor)
+
+## Other Links
+
+### Community
+
+Being opensource via the version control issues pages for the relevant
+benchmark.
+
+[Ansible by Red Hat](https://www.ansible.com)
+
+[Goss](https://github.com/aelsabbahy/goss)
+
+[Remediation and Audit content](https://github.com/ansible-lockdown)
+
+### Security benchmark remediations
+
+[Remediation Download](https://engage.mindpointgroup.com/download-ansible-stig-cis-baseline-automation)
+
+### Benchmark sites
+
+[CIS](https://www.cisecurity.org/cis-benchmarks/)
+
+[DISA/STIG](https://public.cyber.mil/stigs/)
diff --git a/goss.yml b/goss.yml
new file mode 100644
index 0000000..710b007
--- /dev/null
+++ b/goss.yml
@@ -0,0 +1,42 @@
+gossfile:
+ {{ if .Vars.rhel9cis_section1 }}
+ section_1/*/*.yml: {}
+ {{ end }}
+ {{ if .Vars.rhel9cis_section2 }}
+ section_2/*/*.yml: {}
+ {{ end }}
+ {{ if .Vars.rhel9cis_section3 }}
+ section_3/*/*.yml: {}
+ {{ end }}
+ {{ if .Vars.rhel9cis_section4 }}
+ # Auditd and level 2
+ {{ if .Vars.rhel9cis_level_2 }}
+ {{ if .Vars.rhel9cis_auditd }}
+ section_4/cis_4.1/*.yml: {}
+ {{ end }}
+ {{ end }}
+ section_4/cis_4.2/*.yml: {}
+ {{ end }}
+ {{ if .Vars.rhel9cis_section5 }}
+ section_5/*/*.yml: {}
+ {{ end }}
+ {{ if .Vars.rhel9cis_section6 }}
+ section_6/*/*.yml: {}
+ {{ end }}
+
+command:
+ benchmark_meta:
+ title: Benchmark MetaData
+ exec: echo BenchMark MetaData
+ exit-status: 0
+ meta:
+ benchmark_machine_uuid: {{ .Vars.machine_uuid }}
+ benchmark_epoch: {{ .Vars.epoch }}
+ benchmark_os_locale: {{ .Vars.os_locale }}
+ benchmark_os_release: {{ .Vars.os_release }}
+ benchmark_type: {{ .Vars.benchmark }}
+ benchmark_os_distribution: {{ .Vars.os_distribution }}
+ benchmark_automation_group: {{ .Vars.auto_group }}
+ benchmark_hostname: {{ .Vars.os_hostname }}
+ benchmark_version: {{ .Vars.benchmark_version }}
+ benchmark_system_type: {{ .Vars.system_type }}
\ No newline at end of file
diff --git a/outputs/documentation_output b/outputs/documentation_output
new file mode 100644
index 0000000..b24a876
--- /dev/null
+++ b/outputs/documentation_output
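Review bot: The `meta:` entries under `benchmark_meta` drop the `.Vars` values into the YAML unquoted, so a value containing a YAML-significant sequence (`: `, a leading `#`, `[` or `{`) would most likely make the whole gossfile fail to parse rather than just mislabel the report; `os_release`, `os_distribution` and `os_hostname` are the fields most exposed to that, since they come from the host rather than from this repository. Quoting each value, e.g. `benchmark_os_release: "{{ .Vars.os_release }}"` and `benchmark_hostname: "{{ .Vars.os_hostname }}"`, keeps them as plain strings whatever the host reports. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while here.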
@@ -0,0 +1,737 @@ +Title: 1.3.3 Ensure sudo log file exists (Automated)_sudoers.d +Command: log_sudoers_d: exit-status: matches expectation: [{"lt":3}] +Command: log_sudoers_d: stdout: matches expectation: [/[1:99]/] +Title: 1.2.3 Ensure gpgcheck is globally active +Command: gpg_check_global: exit-status: matches expectation: [0] +Title: 5.4.1.4 Ensure inactive password lock is 30 days or less +Command: inactive_passwd: exit-status: matches expectation: [0] +Command: inactive_passwd: stdout: matches expectation: [/^INACTIVE=[1-30]/] +Title: 2.2.16 Ensure mail transfer agent is configured for local-only mode (Automated) +Command: mta_installed: exit-status: matches expectation: [1] +Command: mta_installed: stdout: matches expectation: [!/./] +Title: 1.5.3 Ensure authentication required for single user mode (Automated) +Command: single_user_1: exit-status: matches expectation: [0] +Title: 1.2.1 Ensure GPG keys are configured +Command: gpg_keys: exit-status: matches expectation: [0] +Title: 1.1.1.4 Ensure mounting of fat filesystems is disabled (Automated) +Command: fat_live: exit-status: matches expectation: [0] +Command: fat_live: stdout: matches expectation: [Passed_Check] +Title: 1.1.1.2 Ensure mounting of squashfs filesystems is disabled (Automated) +Command: squashfs: exit-status: matches expectation: [0] +Command: squashfs: stdout: matches expectation: [install /bin/true] +Title: 5.4.1.5 Ensure all users last password change date is in the past +Command: passwd_chg_past: exit-status: matches expectation: [1] +Command: passwd_chg_past: stdout: matches expectation: [!Failed] +Title: 1.3.2 Ensure sudo commands use pty (Automated) +Command: pty_sudoers_d: exit-status: matches expectation: [0] +Command: pty_sudoers_d: stdout: matches expectation: [/[1-99]/] +Title: 1.2.3 Ensure gpgcheck is globally active +Command: gpg_check_repo: exit-status: matches expectation: [0] +Title: 1.1.21 Check for removeable media nosuid +Command: floppy_nosuid: exit-status: matches 
expectation: [0] +Command: floppy_nosuid: stdout: matches expectation: [Passed_Check] +Title: 1.6.3 Ensure address space layout randomization (ASLR) is enabled (Automated) +Command: aslr_enabled_1: exit-status: matches expectation: [0] +Command: aslr_enabled_1: stdout: matches expectation: [kernel.randomize_va_space = 2] +Title: 1.1.1.3 Ensure mounting of udf filesystems is disabled (Automated) +Command: udf: exit-status: matches expectation: [0] +Command: udf: stdout: matches expectation: [install /bin/true] +Title: 1.1.19 Check for removeable media noexec +Command: cdrom_noexec: exit-status: matches expectation: [0] +Command: cdrom_noexec: stdout: matches expectation: [Passed_Check] +Title: 1.6.1 Ensure core dumps are restricted (Automated)_sysctl +Command: suid_dumpable_1: exit-status: matches expectation: [0] +Command: suid_dumpable_1: stdout: matches expectation: [fs.suid_dumpable = 0] +Title: 1.2.4 Ensure Redhat Subscription Manager connection configured +Command: subscription: exit-status: matches expectation: [{"or":[0,127]}] +Command: subscription: stderr: matches expectation: [command not found] +Title: 1.1.20 Check for removeable media nodev +Command: floppy_nodev: exit-status: matches expectation: [0] +Command: floppy_nodev: stdout: matches expectation: [Passed_Check] +Title: 1.1.1.4 Ensure mounting of fat filesystems is disabled (Automated) +Command: fat: exit-status: matches expectation: [0] +Command: fat: stdout: matches expectation: [install /bin/true] +Title: 1.1.1.4 Ensure mounting of fat filesystems is disabled (Automated) +Command: msdos: exit-status: matches expectation: [0] +Command: msdos: stdout: matches expectation: [install /bin/true] +Title: 1.6.1 Ensure core dumps are restricted (Automated)_sysctl +Command: suid_dumpable_2: exit-status: +Expected + : 1 +to equal + : 0 +Command: suid_dumpable_2: stdout: patterns not found: [fs.suid_dumpable = 0] +Title: 4.2.3 Ensure permissions on all logfiles are configured +Command: logfile_configured: 
exit-status: matches expectation: [0] +Command: logfile_configured: stdout: patterns not found: [!/./] +Title: 5.4.2 Ensure system accounts are secured (Automated) +Command: secure_system_accts: exit-status: matches expectation: [1] +Command: secure_system_accts: stdout: matches expectation: [!/./] +Title: 5.4.4 Ensure default user shell timeout is configured (Automated)-profile.d +Command: check_timeout: exit-status: +Expected + : 2 +to equal + : 0 +Command: check_timeout: stdout: matches expectation: [!/./] +Title: 5.4.1.4 Ensure inactive password lock is 30 days or less +Command: inactive_users: exit-status: matches expectation: [0] +Command: inactive_users: stdout: patterns not found: [!/./] +Title: 1.1.21 Check for removeable media nosuid +Command: cdrom_nosuid: exit-status: matches expectation: [0] +Command: cdrom_nosuid: stdout: matches expectation: [Passed_Check] +Title: 5.2.3 Ensure permissions on SSH private host key files are configured_group +Command: /etc/ssh/ssh_host_key_group: exit-status: matches expectation: [0] +Command: /etc/ssh/ssh_host_key_group: stdout: matches expectation: [!/./] +Title: (L2) 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled (Automated) +Command: auditd_grub: exit-status: matches expectation: [0] +Command: auditd_grub: stdout: patterns not found: [!/./] +Title: 3.1.2 Ensure wireless interfaces are disabled (Manual) +Command: iwconfig: exit-status: matches expectation: [127] +Title: 3.4.2 Ensure SCTP is disabled (Automated) +Command: modprobe_sctp: exit-status: matches expectation: [0] +Command: modprobe_sctp: stdout: patterns not found: [install /bin/true] +Title: 1.1.19 Check for removeable media noexec +Command: floppy_noexec: exit-status: matches expectation: [0] +Command: floppy_noexec: stdout: matches expectation: [Passed_Check] +Command: secure_system_LK: exit-status: matches expectation: [1] +Command: secure_system_LK: stdout: matches expectation: [0] +Title: 5.2.3 Ensure permissions on SSH 
pub host key files are configured_user +Command: /etc/ssh/ssh_host_key_user: exit-status: matches expectation: [0] +Command: /etc/ssh/ssh_host_key_user: stdout: matches expectation: [!/./] +Title: 3.4.1 Ensure DCCP is disabled (Automated) +Command: modprobe_dccp: exit-status: matches expectation: [0] +Command: modprobe_dccp: stdout: patterns not found: [install /bin/true] +Title: 1.1.20 Check for removeable media nodev +Command: cdrom_nodev: exit-status: matches expectation: [0] +Command: cdrom_nodev: stdout: matches expectation: [Passed_Check] +Title: 1.5.3 Ensure authentication required for single user mode (Automated) +Command: single_user_2: exit-status: matches expectation: [0] +Title: 1.6.3 Ensure address space layout randomization (ASLR) is enabled (Automated) +Command: aslr_enabled_2: exit-status: +Expected + : 1 +to equal + : 0 +Command: aslr_enabled_2: stdout: patterns not found: [kernel.randomize_va_space = 2] +Title: 1.6.1 Ensure core dumps are restricted (Automated)_security_limits +Command: core_dumps_limits: exit-status: +Expected + : 1 +to equal + : 0 +Command: core_dumps_limits: stdout: patterns not found: [* hard core 0] +Title: 1.1.1.4 Ensure mounting of fat filesystems is disabled (Automated) +Command: vfat: exit-status: matches expectation: [0] +Command: vfat: stdout: matches expectation: [install /bin/true] +Title: 5.2.3 Ensure permissions on SSH private host key files are configured_user +Command: /etc/ssh/ssh_host_key_perms: exit-status: matches expectation: [0] +Command: /etc/ssh/ssh_host_key_perms: stdout: matches expectation: [!/./] +Title: 1.1.1.1 Ensure mounting of cramfs filesystems is disabled (Automated) +Command: cramfs: exit-status: matches expectation: [0] +Command: cramfs: stdout: matches expectation: [install /bin/true] +Title: 1.7.1.8 Ensure the MCS Translation Service (mcstrans) is not installed +Package: mcstrans: installed: matches expectation: [false] +Title: 2.2.4 Ensure CUPS is not installed (Automated) +Package: cups: 
installed: matches expectation: [false] +Title: 4.1.1.1 Ensure auditd is installed (Automated) +Package: audit-libs: installed: matches expectation: [true] +Title: 2.2.13 Ensure Samba is not installed (Automated) +Package: samba: installed: matches expectation: [false] +Title: 4.2.1.1 Ensure rsyslog is installed (Automated) +Package: rsyslog: installed: matches expectation: [true] +Title: (L2) 4.1.1.1 Ensure auditd is installed (Automated) +Package: auditd: installed: +Expected + : false +to equal + : true +Title: 1.7.1.7 Ensure SETroubleshoot is not installed (Automated) +Package: setroubleshoot: installed: matches expectation: [false] +Title: 2.2.18 Ensure NIS server is not installed (Automated) +Package: ypserver: installed: matches expectation: [false] +Title: 1.6.4 Ensure prelink is disabled (Automated) +Package: prelink: installed: matches expectation: [false] +Title: 1.6.2 Ensure XD/NX support is enabled (Automated) +Command: kernel_nx: exit-status: matches expectation: [0] +Command: kernel_nx: stdout: matches expectation: [kernel: NX (Execute Disable) protection: active] +Title: 2.2.1 Ensure xinetd is not installed (Automated) +Package: xinetd: installed: matches expectation: [false] +Title: 2.2.9 Ensure DNS Server is not installed (Automated) +Package: bind: installed: matches expectation: [false] +Title: 2.3.3 Ensure talk client is not installed (Automated) +Package: talk: installed: matches expectation: [false] +Title: 2.3.1 Ensure NIS Client is not installed (Automated) +Package: ypbind: installed: matches expectation: [false] +Title: 3.5.1.1 Ensure FirewallD is installed (Automated) +Package: firewalld: installed: matches expectation: [true] +Title: 2.2.11 Ensure HTTP Server is not installed (Automated) +Package: httpd: installed: matches expectation: [false] +Title: 2.2.5 Ensure DHCP Server is not installed (Automated) +Package: dhcp: installed: matches expectation: [false] +Title: 2.2.6 Ensure LDAP server is not installed (Automated) +Package: 
openldap-servers: installed: matches expectation: [false] +Title: 2.3.2 Ensure rsh client is not installed (Automated) +Package: rsh: installed: matches expectation: [false] +Title: 3.5.1.5 Ensure default zone is set (Automated) +Command: default_zone: exit-status: matches expectation: [0] +Command: default_zone: stdout: matches expectation: [public] +Title: 2.2.10 Ensure FTP Server is not installed (Automated) +Package: vsftpd: installed: matches expectation: [false] +Title: 2.2.12 Ensure IMAP and POP3 Server is not installed (Automated) +Package: dovecot: installed: matches expectation: [false] +Title: 3.5.1.1 Ensure FirewallD is installed (Automated) +Package: iptables: installed: matches expectation: [true] +Title: 2.2.1.1 Ensure time synchronization is in use (Manual)_chrony +Package: chrony: installed: matches expectation: [true] +Title: 5.1.1 Ensure cron daemon is enabled and running (Automated) +Package: crond: installed: +Expected + : false +to equal + : true +Title: 2.3.5 Ensure LDAP client is not installed (Automated) +Package: openldap-clients: installed: matches expectation: [false] +Title: 2.2.19 Ensure telnet-server is not installed (Automated) +Package: telnet-server: installed: matches expectation: [false] +Title: 2.3.4 Ensure telnet client is not installed (Automated) +Package: telnet: installed: matches expectation: [false] +Title: 2.2.2 Ensure X11 Server components are not installed (Automated) +Package: xorgs-x11-servers: installed: matches expectation: [false] +Title: 1.3.1 Ensure sudo is installed (Automated) +Package: sudo: installed: matches expectation: [true] +Title: 2.2.14 Ensure http proxy Server is not installed (Automated) +Package: squid: installed: matches expectation: [false] +Title: 4.2.1.2 Ensure rsyslog Service is enabled and running (Automated) +Service: rsyslog: enabled: matches expectation: [true] +Service: rsyslog: running: matches expectation: [true] +Service: crond: enabled: matches expectation: [true] +Service: crond: 
running: matches expectation: [true] +Title: 2.2.3 Ensure Avahi Server is not installed (Automated) +Package: avahi: installed: matches expectation: [false] +Title: 1.1.23 Disable Automounting +Service: autofs: enabled: matches expectation: [false] +Service: autofs: running: matches expectation: [false] +Title: 5.4.4 Ensure default user shell timeout is configured (Automated)-bashrc +File: /etc/bashrc: exists: matches expectation: [true] +File: /etc/bashrc: contains: patterns not found: [/^TMOUT=([1-8][0-9]{0,2}|900)/, /^readonly TMOUT/] +Title: 4.2.1.3 Ensure rsyslog default file permissions configured +File: /etc/rsyslog.d/*.conf: exists: +Expected + : false +to equal + : true +File: /etc/rsyslog.d/*.conf: contains: skipped +Title: 5.1.7 Ensure permissions on /etc/cron.d are configured +File: /etc/cron.d: exists: matches expectation: [true] +File: /etc/cron.d: mode: +Expected + : 0755 +to equal + : 0700 +File: /etc/cron.d: owner: matches expectation: ["root"] +File: /etc/cron.d: group: matches expectation: ["root"] +Title: 1.8.1.1 & 4 Ensure message of the day is configured properly (Automated) +File: /etc/motd: exists: matches expectation: [true] +File: /etc/motd: mode: matches expectation: ["0644"] +File: /etc/motd: owner: matches expectation: ["root"] +File: /etc/motd: group: matches expectation: ["root"] +File: /etc/motd: contains: matches expectation: [![Cc]ent[Oo][Ss] ![Rr]hel ![Rr]ed[Hh]at !x86_64 ![Ll]inux] +Title: 5.2.9 Ensure SSH HostbasedAuthentication is disabled +File: /etc/ssh/sshd_config: exists: matches expectation: [true] +File: /etc/ssh/sshd_config: contains: matches expectation: [HostbasedAuthentication no !/^HostbasedAuthentication yes/] +Title: 5.4.4 Ensure default user shell timeout is configured (Automated)-profile +File: /etc/profile: exists: matches expectation: [true] +File: /etc/profile: contains: matches expectation: [/^TMOUT=([1-8][0-9]{0,2}|900)/ /^readonly TMOUT/] +Title: 4.2.2.3 Ensure journald is configured to write logfiles to 
persistent disk +File: /etc/systemd/journald.conf: exists: matches expectation: [true] +File: /etc/systemd/journald.conf: contains: patterns not found: [Storage=persistent] +Title: 5.1.9 Ensure at is restricted to authorized users +File: /etc/at.allow: exists: +Expected + : false +to equal + : true +File: /etc/at.allow: mode: skipped +File: /etc/at.allow: owner: skipped +File: /etc/at.allow: group: skipped +Title: 5.3.1 Ensure password creation requirements are configured +File: /etc/security/pwquality.conf: exists: matches expectation: [true] +File: /etc/security/pwquality.conf: contains: patterns not found: [dcredit = -1, ucredit = -1, lcredit = -1, ocredit = -1] +Title: 4.2.1.3 Ensure rsyslog default file permissions configured +File: /etc/rsyslog.conf: exists: matches expectation: [true] +File: /etc/rsyslog.conf: contains: patterns not found: [$FileCreateMode 06[0:4]0] +Title: 1.8.1.2 & 5 Ensure local login warning banner is configured properly (Automated) +File: /etc/issue: exists: matches expectation: [true] +File: /etc/issue: mode: matches expectation: ["0644"] +File: /etc/issue: owner: matches expectation: ["root"] +File: /etc/issue: group: matches expectation: ["root"] +File: /etc/issue: contains: matches expectation: [![Cc]ent[Oo][Ss] ![Rr]hel ![Rr]ed[Hh]at !x86_64 ![Ll]inux] +Title: 5.3.4 Ensure password reuse is limited +File: /etc/pam.d/system-auth: exists: matches expectation: [true] +File: /etc/pam.d/system-auth: contains: patterns not found: [/^password sufficient pam_unix.so sha512 shadow nullok try_first_pass remember=5 user_authtok/] +Title: 2.2.1.2 Ensure chrony is configured (Automated)_conf +File: /etc/chrony.conf: exists: matches expectation: [true] +File: /etc/chrony.conf: contains: matches expectation: [server] +Title: 5.1.2 Ensure permissions on /etc/crontab are configured +File: /etc/crontab: exists: matches expectation: [true] +File: /etc/crontab: mode: matches expectation: ["0644"] +File: /etc/crontab: owner: matches expectation: 
["root"] +File: /etc/crontab: group: matches expectation: ["root"] +Title: (L2) 4.1.2.3 Ensure system is disabled when audit logs are full (Automated) +File: /etc/audit/auditd.conf: exists: matches expectation: [true] +File: /etc/audit/auditd.conf: contains: patterns not found: [space_left_action = email, /^admin_space_left_action = halt/] +Title: 1.5.1 Ensure bootloader password is set (Automated) and permissions +File: /boot/grub2/user.cfg: exists: +Expected + : false +to equal + : true +File: /boot/grub2/user.cfg: mode: skipped +File: /boot/grub2/user.cfg: owner: skipped +File: /boot/grub2/user.cfg: group: skipped +Title: 5.4.1.3 Ensure password expiration warning days is 7 or more +File: /etc/login.defs: exists: matches expectation: [true] +File: /etc/login.defs: contains: matches expectation: [/^PASS_WARN_AGE\s*7/ !/^PASS_WARN_AGE\s*[1-6]/] +Title: 1.3.3 Ensure sudo log file exists (Automated) +File: /etc/sudoers: exists: matches expectation: [true] +File: /etc/sudoers: contains: patterns not found: [/^Defaults logfile=/var/log//, !/^#Defaults logfile=/] +Title: 1.8.1.3 & 6 Ensure remote login warning banner is configured properly (Automated) +File: /etc/issue.net: exists: matches expectation: [true] +File: /etc/issue.net: mode: matches expectation: ["0644"] +File: /etc/issue.net: owner: matches expectation: ["root"] +File: /etc/issue.net: group: matches expectation: ["root"] +File: /etc/issue.net: contains: matches expectation: [![Cc]ent[Oo][Ss] ![Rr]hel ![Rr]ed[Hh]at !x86_64 ![Ll]inux] +Title: 5.1.9 Ensure at is restricted to authorized users +File: /etc/at.deny: exists: +Expected + : true +to equal + : false +Title: 2.2.1.2 Ensure chrony is configured (Automated)_sysconf +File: /etc/sysconfig/chronyd: exists: matches expectation: [true] +File: /etc/sysconfig/chronyd: contains: matches expectation: [OPTIONS="-u chrony"] +Title: 5.3.4 Ensure password reuse is limited +File: /etc/pam.d/password-auth: exists: matches expectation: [true] +File: 
/etc/pam.d/password-auth: contains: patterns not found: [/^password sufficient pam_unix.so sha512 shadow nullok try_first_pass remember=5 user_authtok/] +Title: (L2) 4.1.2.4 Ensure audit_backlog_limit is sufficient (Automated) +File: /boot/grub2/grub.cfg: exists: matches expectation: [true] +File: /boot/grub2/grub.cfg: contains: patterns not found: [GRUB_CMDLINE_LINUX="audit_backlog_limit=2048"] +Title: 5.4.3 Ensure default group for the root account is GID 0 (Automated) +root: exists: Error: Missing Required Attribute +User: root: uid: skipped +User: root: gid: skipped +Title: 3.3.1 Ensure source routed packets are not accepted (Automated)_ipv6_default +KernelParam: net.ipv6.conf.default.accept_source_route: value: matches expectation: ["0"] +Title: 3.3.9 Ensure IPv6 router advertisements are not accepted (Automated) +KernelParam: net.ipv6.conf.default.accept_ra: value: +Expected + : 1 +to equal + : 0 +Title: 3.2.2 Ensure packet redirect sending is disabled (Automated)_default +KernelParam: net.ipv4.conf.default.send_redirects: value: +Expected + : 1 +to equal + : 0 +Title: 3.3.6 Ensure bogus ICMP responses are ignored (Automated) +KernelParam: net.ipv4.icmp_ignore_bogus_error_responses: value: matches expectation: ["1"] +Title: 3.3.7 Ensure Reverse Path Filtering is enabled (Automated)_def +KernelParam: net.ipv4.conf.all.rp_filter: value: matches expectation: ["1"] +Title: 3.3.8 Ensure TCP SYN Cookies is enabled (Automated) +KernelParam: net.ipv4.tcp_syncookies: value: matches expectation: ["1"] +Title: 3.2.1 Ensure IP forwarding is disabled (Automated)_ipv4 +KernelParam: net.ipv4.ip_forward: value: matches expectation: ["0"] +Title: 3.3.1 Ensure source routed packets are not accepted (Automated)_ipv4_default +KernelParam: net.ipv4.conf.default.accept_source_route: value: matches expectation: ["0"] +Title: 3.3.3 Ensure secure ICMP redirects are not accepted (Automated)_all +KernelParam: net.ipv4.conf.all.secure_redirects: value: +Expected + : 1 +to equal + : 0 
+Title: 3.2.1 Ensure IP forwarding is disabled (Automated)_ipv6 +KernelParam: net.ipv6.conf.all.forwarding: value: matches expectation: ["0"] +Title: 3.3.2 Ensure ICMP redirects are not accepted (Automated)_ipv6_def +KernelParam: net.ipv6.conf.default.accept_redirects: value: +Expected + : 1 +to equal + : 0 +Title: 3.3.4 Ensure suspicious packets are logged (Automated)_all +KernelParam: net.ipv4.conf.all.log_martians: value: +Expected + : 0 +to equal + : 1 +Title: 3.3.1 Ensure source routed packets are not accepted (Automated)_ipv4_all +KernelParam: net.ipv4.conf.all.accept_source_route: value: matches expectation: ["0"] +Title: 3.3.2 Ensure ICMP redirects are not accepted (Automated)_ipv4 +KernelParam: net.ipv4.conf.all.accept_redirects: value: +Expected + : 1 +to equal + : 0 +Title: 3.3.5 Ensure broadcast ICMP requests are ignored (Automated) +KernelParam: net.ipv4.icmp_echo_ignore_broadcasts: value: matches expectation: ["1"] +Title: 3.3.9 Ensure IPv6 router advertisements are not accepted (Automated) +KernelParam: net.ipv6.conf.all.accept_ra: value: +Expected + : 1 +to equal + : 0 +Title: 3.3.4 Ensure suspicious packets are logged (Automated)_def +KernelParam: net.ipv4.conf.default.log_martians: value: +Expected + : 0 +to equal + : 1 +Title: 3.3.1 Ensure source routed packets are not accepted (Automated)_ipv6_all +KernelParam: net.ipv6.conf.all.accept_source_route: value: matches expectation: ["0"] +Title: 3.3.2 Ensure ICMP redirects are not accepted (Automated)_ipv4_def +KernelParam: net.ipv4.conf.default.accept_redirects: value: +Expected + : 1 +to equal + : 0 +Title: 2.2.15 Ensure net-snmp is not installed (Automated) +Package: net-snmp: installed: matches expectation: [false] +Title: 3.3.2 Ensure ICMP redirects are not accepted (Automated)_ipv6 +KernelParam: net.ipv6.conf.all.accept_redirects: value: +Expected + : 1 +to equal + : 0 +Title: 3.2.2 Ensure packet redirect sending is disabled (Automated)_all +KernelParam: net.ipv4.conf.all.send_redirects: value: 
+Expected + : 1 +to equal + : 0 +Title: (L2) 1.1.15 Ensure separate partition exists for /var/log (Automated) +Mount: /var/log: exists: matches expectation: [true] +Title: (L2) 1.1.16 Ensure separate partition exists for /var/log/audit (Automated) +Mount: /var/log/audit: exists: +Expected + : false +to equal + : true +Title: 1.1.17 Ensure separate partition exists for /home (Automated) +Mount: /home: exists: matches expectation: [true] +Mount: /home: opts: matches expectation: [["nodev"]] +Title: 1.1.2_5 Ensure /tmp is configured (Automated) with mount options +Mount: /tmp: exists: matches expectation: [true] +Mount: /tmp: opts: +Expected + <[]string | len:4, cap:4>: ["rw", "nodev", "noexec", "relatime"] +to contain element matching + : nosuid +Title: 1.1.6_9 Ensure /dev/shm is configured +Mount: /dev/shm: exists: matches expectation: [true] +Mount: /dev/shm: opts: +Expected + <[]string | len:3, cap:3>: ["rw", "nosuid", "nodev"] +to contain element matching + : noexec +Title: (L2) 1.1.10 Ensure separate partition exists for /var (Automated) +Mount: /var: exists: matches expectation: [true] +Title: (L2) 1.1.11_14 Ensure separate partition exists for /var/tmp (Automated) +Mount: /var/tmp: exists: +Expected + : false +to equal + : true +Mount: /var/tmp: opts: skipped +Title: 3.3.3 Ensure secure ICMP redirects are not accepted (Automated)_def +KernelParam: net.ipv4.conf.default.secure_redirects: value: +Expected + : 1 +to equal + : 0 +Service: coredump: enabled: matches expectation: [false] +Service: coredump: running: matches expectation: [false] +Title: 1.2.5 Disable the rhnsd Daemon (Manual) +Service: rhnsd: enabled: matches expectation: [false] +Service: rhnsd: running: matches expectation: [false] +Title: 3.5.1.4 Ensure firewalld service is enabled and running (Automated) +Service: firewalld: enabled: matches expectation: [true] +Service: firewalld: running: matches expectation: [true] +Title: (L2) 4.1.1.2 Ensure auditd service is enabled and running (Automated) 
+Service: auditd: enabled: matches expectation: [true] +Service: auditd: running: matches expectation: [true] +Title: 1.1.22 Ensure sticky bit is set on all world-writable directories +Command: sticky_bit: exit-status: matches expectation: [0] +Command: sticky_bit: stdout: matches expectation: [!/./] +Title: 3.5.1.6 Ensure network interfaces are assigned to appropriate zone +Command: nic_assigned: exit-status: matches expectation: [0] +Command: nic_assigned: stdout: matches expectation: [ens192] +Title: 1.9 Ensure updates, patches, and additional security software are installed (Automated) +Command: security-updates: exit-status: +Expected + : 100 +to equal + : 0 +Command: security-updates: stdout: matches expectation: [![0-9].* packages available] +Title: 1.2.2 Ensure Package manager repositories are configured +Command: repos_configured: exit-status: matches expectation: [0] + + +Failures/Skipped: + +Title: 1.6.1 Ensure core dumps are restricted (Automated)_sysctl +Command: suid_dumpable_2: exit-status: +Expected + : 1 +to equal + : 0 +Command: suid_dumpable_2: stdout: patterns not found: [fs.suid_dumpable = 0] + +Title: 4.2.3 Ensure permissions on all logfiles are configured +Command: logfile_configured: stdout: patterns not found: [!/./] + +Title: 5.4.4 Ensure default user shell timeout is configured (Automated)-profile.d +Command: check_timeout: exit-status: +Expected + : 2 +to equal + : 0 + +Title: 5.4.1.4 Ensure inactive password lock is 30 days or less +Command: inactive_users: stdout: patterns not found: [!/./] + +Title: (L2) 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled (Automated) +Command: auditd_grub: stdout: patterns not found: [!/./] + +Title: 3.4.2 Ensure SCTP is disabled (Automated) +Command: modprobe_sctp: stdout: patterns not found: [install /bin/true] + +Title: 3.4.1 Ensure DCCP is disabled (Automated) +Command: modprobe_dccp: stdout: patterns not found: [install /bin/true] + +Title: 1.6.3 Ensure address space 
layout randomization (ASLR) is enabled (Automated) +Command: aslr_enabled_2: exit-status: +Expected + : 1 +to equal + : 0 +Command: aslr_enabled_2: stdout: patterns not found: [kernel.randomize_va_space = 2] + +Title: 1.6.1 Ensure core dumps are restricted (Automated)_security_limits +Command: core_dumps_limits: exit-status: +Expected + : 1 +to equal + : 0 +Command: core_dumps_limits: stdout: patterns not found: [* hard core 0] + +Title: (L2) 4.1.1.1 Ensure auditd is installed (Automated) +Package: auditd: installed: +Expected + : false +to equal + : true + +Title: 5.1.1 Ensure cron daemon is enabled and running (Automated) +Package: crond: installed: +Expected + : false +to equal + : true + +Title: 5.4.4 Ensure default user shell timeout is configured (Automated)-bashrc +File: /etc/bashrc: contains: patterns not found: [/^TMOUT=([1-8][0-9]{0,2}|900)/, /^readonly TMOUT/] + +Title: 4.2.1.3 Ensure rsyslog default file permissions configured +File: /etc/rsyslog.d/*.conf: exists: +Expected + : false +to equal + : true +File: /etc/rsyslog.d/*.conf: contains: skipped + +Title: 5.1.7 Ensure permissions on /etc/cron.d are configured +File: /etc/cron.d: mode: +Expected + : 0755 +to equal + : 0700 + +Title: 4.2.2.3 Ensure journald is configured to write logfiles to persistent disk +File: /etc/systemd/journald.conf: contains: patterns not found: [Storage=persistent] + +Title: 5.1.9 Ensure at is restricted to authorized users +File: /etc/at.allow: exists: +Expected + : false +to equal + : true +File: /etc/at.allow: mode: skipped +File: /etc/at.allow: owner: skipped +File: /etc/at.allow: group: skipped + +Title: 5.3.1 Ensure password creation requirements are configured +File: /etc/security/pwquality.conf: contains: patterns not found: [dcredit = -1, ucredit = -1, lcredit = -1, ocredit = -1] + +Title: 4.2.1.3 Ensure rsyslog default file permissions configured +File: /etc/rsyslog.conf: contains: patterns not found: [$FileCreateMode 06[0:4]0] + +Title: 5.3.4 Ensure password reuse 
is limited +File: /etc/pam.d/system-auth: contains: patterns not found: [/^password sufficient pam_unix.so sha512 shadow nullok try_first_pass remember=5 user_authtok/] + +Title: (L2) 4.1.2.3 Ensure system is disabled when audit logs are full (Automated) +File: /etc/audit/auditd.conf: contains: patterns not found: [space_left_action = email, /^admin_space_left_action = halt/] + +Title: 1.5.1 Ensure bootloader password is set (Automated) and permissions +File: /boot/grub2/user.cfg: exists: +Expected + : false +to equal + : true +File: /boot/grub2/user.cfg: mode: skipped +File: /boot/grub2/user.cfg: owner: skipped +File: /boot/grub2/user.cfg: group: skipped + +Title: 1.3.3 Ensure sudo log file exists (Automated) +File: /etc/sudoers: contains: patterns not found: [/^Defaults logfile=/var/log//, !/^#Defaults logfile=/] + +Title: 5.1.9 Ensure at is restricted to authorized users +File: /etc/at.deny: exists: +Expected + : true +to equal + : false + +Title: 5.3.4 Ensure password reuse is limited +File: /etc/pam.d/password-auth: contains: patterns not found: [/^password sufficient pam_unix.so sha512 shadow nullok try_first_pass remember=5 user_authtok/] + +Title: (L2) 4.1.2.4 Ensure audit_backlog_limit is sufficient (Automated) +File: /boot/grub2/grub.cfg: contains: patterns not found: [GRUB_CMDLINE_LINUX="audit_backlog_limit=2048"] + +Title: 5.4.3 Ensure default group for the root account is GID 0 (Automated) +root: exists: Error: Missing Required Attribute +User: root: uid: skipped +User: root: gid: skipped + +Title: 3.3.9 Ensure IPv6 router advertisements are not accepted (Automated) +KernelParam: net.ipv6.conf.default.accept_ra: value: +Expected + : 1 +to equal + : 0 + +Title: 3.2.2 Ensure packet redirect sending is disabled (Automated)_default +KernelParam: net.ipv4.conf.default.send_redirects: value: +Expected + : 1 +to equal + : 0 + +Title: 3.3.3 Ensure secure ICMP redirects are not accepted (Automated)_all +KernelParam: net.ipv4.conf.all.secure_redirects: value: 
+Expected + : 1 +to equal + : 0 + +Title: 3.3.2 Ensure ICMP redirects are not accepted (Automated)_ipv6_def +KernelParam: net.ipv6.conf.default.accept_redirects: value: +Expected + : 1 +to equal + : 0 + +Title: 3.3.4 Ensure suspicious packets are logged (Automated)_all +KernelParam: net.ipv4.conf.all.log_martians: value: +Expected + : 0 +to equal + : 1 + +Title: 3.3.2 Ensure ICMP redirects are not accepted (Automated)_ipv4 +KernelParam: net.ipv4.conf.all.accept_redirects: value: +Expected + : 1 +to equal + : 0 + +Title: 3.3.9 Ensure IPv6 router advertisements are not accepted (Automated) +KernelParam: net.ipv6.conf.all.accept_ra: value: +Expected + : 1 +to equal + : 0 + +Title: 3.3.4 Ensure suspicious packets are logged (Automated)_def +KernelParam: net.ipv4.conf.default.log_martians: value: +Expected + : 0 +to equal + : 1 + +Title: 3.3.2 Ensure ICMP redirects are not accepted (Automated)_ipv4_def +KernelParam: net.ipv4.conf.default.accept_redirects: value: +Expected + : 1 +to equal + : 0 + +Title: 3.3.2 Ensure ICMP redirects are not accepted (Automated)_ipv6 +KernelParam: net.ipv6.conf.all.accept_redirects: value: +Expected + : 1 +to equal + : 0 + +Title: 3.2.2 Ensure packet redirect sending is disabled (Automated)_all +KernelParam: net.ipv4.conf.all.send_redirects: value: +Expected + : 1 +to equal + : 0 + +Title: (L2) 1.1.16 Ensure separate partition exists for /var/log/audit (Automated) +Mount: /var/log/audit: exists: +Expected + : false +to equal + : true + +Title: 1.1.2_5 Ensure /tmp is configured (Automated) with mount options +Mount: /tmp: opts: +Expected + <[]string | len:4, cap:4>: ["rw", "nodev", "noexec", "relatime"] +to contain element matching + : nosuid + +Title: 1.1.6_9 Ensure /dev/shm is configured +Mount: /dev/shm: opts: +Expected + <[]string | len:3, cap:3>: ["rw", "nosuid", "nodev"] +to contain element matching + : noexec + +Title: (L2) 1.1.11_14 Ensure separate partition exists for /var/tmp (Automated) +Mount: /var/tmp: exists: +Expected + : 
false +to equal + : true +Mount: /var/tmp: opts: skipped + +Title: 3.3.3 Ensure secure ICMP redirects are not accepted (Automated)_def +KernelParam: net.ipv4.conf.default.secure_redirects: value: +Expected + : 1 +to equal + : 0 + +Title: 1.9 Ensure updates, patches, and additional security software are installed (Automated) +Command: security-updates: exit-status: +Expected + : 100 +to equal + : 0 + +Total Duration: 6.844s +Count: 230, Failed: 46, Skipped: 10 diff --git a/outputs/json_pretty_output b/outputs/json_pretty_output new file mode 100644 index 0000000..985dbfe --- /dev/null +++ b/outputs/json_pretty_output 
@@ -0,0 +1,4574 @@ +{ + "results": [ + { + "duration": 19350122, + "err": null, + "expected": [ + "0" + ], + "found": [ + "0" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "squashfs", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: squashfs: exit-status: matches expectation: [0]", + "test-type": 0, + "title": "1.1.1.2 Ensure mounting of squashfs filesystems is disabled (Automated)" + }, + { + "duration": 14383, + "err": null, + "expected": [ + "install /bin/true" + ], + "found": [ + "install /bin/true" + ], + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "squashfs", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: squashfs: stdout: matches expectation: [install /bin/true]", + "test-type": 2, + "title": "1.1.1.2 Ensure mounting of squashfs filesystems is disabled (Automated)" + }, + { + "duration": 29190338, + "err": null, + "expected": [ + "{\"or\":[0,127]}" + ], + "found": [ + "127" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "subscription", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: subscription: exit-status: matches expectation: [{\"or\":[0,127]}]", + "test-type": 0, + "title": "1.2.4 Ensure Redhat Subscription Manager connection configured" + }, + { + "duration": 12009, + "err": null, + "expected": [ + "command not found" + ], + "found": [ + "command not found" + ], + "human": "", + "meta": null, + "property": "stderr", + "resource-id": "subscription", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: subscription: stderr: matches expectation: [command not found]", + "test-type": 2, + "title": "1.2.4 Ensure Redhat Subscription Manager connection configured" + }, + { + "duration": 45894018, + "err": null, + "expected": [ + "1" + ], + "found": [ + "1" + ], + "human": "", + "meta": 
null, + "property": "exit-status", + "resource-id": "passwd_chg_past", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: passwd_chg_past: exit-status: matches expectation: [1]", + "test-type": 0, + "title": "5.4.1.5 Ensure all users last password change date is in the past" + }, + { + "duration": 7480, + "err": null, + "expected": [ + "!Failed" + ], + "found": [ + "!Failed" + ], + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "passwd_chg_past", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: passwd_chg_past: stdout: matches expectation: [!Failed]", + "test-type": 2, + "title": "5.4.1.5 Ensure all users last password change date is in the past" + }, + { + "duration": 27282309, + "err": null, + "expected": [ + "0" + ], + "found": [ + "0" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "cdrom_nodev", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: cdrom_nodev: exit-status: matches expectation: [0]", + "test-type": 0, + "title": "1.1.20 Check for removeable media nodev" + }, + { + "duration": 5272, + "err": null, + "expected": [ + "Passed_Check" + ], + "found": [ + "Passed_Check" + ], + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "cdrom_nodev", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: cdrom_nodev: stdout: matches expectation: [Passed_Check]", + "test-type": 2, + "title": "1.1.20 Check for removeable media nodev" + }, + { + "duration": 74189737, + "err": null, + "expected": [ + "0" + ], + "found": [ + "0" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "gpg_keys", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: gpg_keys: exit-status: matches expectation: [0]", + "test-type": 0, + "title": "1.2.1 Ensure GPG keys are 
configured" + }, + { + "duration": 104422788, + "err": null, + "expected": [ + "0" + ], + "found": [ + "0" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "single_user_2", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: single_user_2: exit-status: matches expectation: [0]", + "test-type": 0, + "title": "1.5.3 Ensure authentication required for single user mode (Automated)" + }, + { + "duration": 123842529, + "err": null, + "expected": [ + "0" + ], + "found": [ + "0" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "inactive_users", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: inactive_users: exit-status: matches expectation: [0]", + "test-type": 0, + "title": "5.4.1.4 Ensure inactive password lock is 30 days or less" + }, + { + "duration": 33276, + "err": null, + "expected": [ + "!/./" + ], + "found": null, + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "inactive_users", + "resource-type": "Command", + "result": 1, + "successful": false, + "summary-line": "Command: inactive_users: stdout: patterns not found: [!/./]", + "test-type": 2, + "title": "5.4.1.4 Ensure inactive password lock is 30 days or less" + }, + { + "duration": 122801231, + "err": null, + "expected": [ + "0" + ], + "found": [ + "1" + ], + "human": "Expected\n \u003cint\u003e: 1\nto equal\n \u003cint\u003e: 0", + "meta": null, + "property": "exit-status", + "resource-id": "suid_dumpable_2", + "resource-type": "Command", + "result": 1, + "successful": false, + "summary-line": "Command: suid_dumpable_2: exit-status:\nExpected\n \u003cint\u003e: 1\nto equal\n \u003cint\u003e: 0", + "test-type": 0, + "title": "1.6.1 Ensure core dumps are restricted (Automated)_sysctl" + }, + { + "duration": 5796, + "err": null, + "expected": [ + "fs.suid_dumpable = 0" + ], + "found": null, + "human": "", + "meta": null, + "property": 
"stdout", + "resource-id": "suid_dumpable_2", + "resource-type": "Command", + "result": 1, + "successful": false, + "summary-line": "Command: suid_dumpable_2: stdout: patterns not found: [fs.suid_dumpable = 0]", + "test-type": 2, + "title": "1.6.1 Ensure core dumps are restricted (Automated)_sysctl" + }, + { + "duration": 77798433, + "err": null, + "expected": [ + "0" + ], + "found": [ + "0" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "gpg_check_repo", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: gpg_check_repo: exit-status: matches expectation: [0]", + "test-type": 0, + "title": "1.2.3 Ensure gpgcheck is globally active" + }, + { + "duration": 77647694, + "err": null, + "expected": [ + "0" + ], + "found": [ + "0" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "aslr_enabled_1", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: aslr_enabled_1: exit-status: matches expectation: [0]", + "test-type": 0, + "title": "1.6.3 Ensure address space layout randomization (ASLR) is enabled (Automated)" + }, + { + "duration": 3666, + "err": null, + "expected": [ + "kernel.randomize_va_space = 2" + ], + "found": [ + "kernel.randomize_va_space = 2" + ], + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "aslr_enabled_1", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: aslr_enabled_1: stdout: matches expectation: [kernel.randomize_va_space = 2]", + "test-type": 2, + "title": "1.6.3 Ensure address space layout randomization (ASLR) is enabled (Automated)" + }, + { + "duration": 22431729, + "err": null, + "expected": [ + "0" + ], + "found": [ + "1" + ], + "human": "Expected\n \u003cint\u003e: 1\nto equal\n \u003cint\u003e: 0", + "meta": null, + "property": "exit-status", + "resource-id": "core_dumps_limits", + "resource-type": "Command", + "result": 1, + 
"successful": false, + "summary-line": "Command: core_dumps_limits: exit-status:\nExpected\n \u003cint\u003e: 1\nto equal\n \u003cint\u003e: 0", + "test-type": 0, + "title": "1.6.1 Ensure core dumps are restricted (Automated)_security_limits" + }, + { + "duration": 12207, + "err": null, + "expected": [ + "* hard core 0" + ], + "found": null, + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "core_dumps_limits", + "resource-type": "Command", + "result": 1, + "successful": false, + "summary-line": "Command: core_dumps_limits: stdout: patterns not found: [* hard core 0]", + "test-type": 2, + "title": "1.6.1 Ensure core dumps are restricted (Automated)_security_limits" + }, + { + "duration": 56496602, + "err": null, + "expected": [ + "{\"lt\":3}" + ], + "found": [ + "2" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "log_sudoers_d", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: log_sudoers_d: exit-status: matches expectation: [{\"lt\":3}]", + "test-type": 0, + "title": "1.3.3 Ensure sudo log file exists (Automated)_sudoers.d" + }, + { + "duration": 34661, + "err": null, + "expected": [ + "/[1:99]/" + ], + "found": [ + "/[1:99]/" + ], + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "log_sudoers_d", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: log_sudoers_d: stdout: matches expectation: [/[1:99]/]", + "test-type": 2, + "title": "1.3.3 Ensure sudo log file exists (Automated)_sudoers.d" + }, + { + "duration": 140204913, + "err": null, + "expected": [ + "0" + ], + "found": [ + "0" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "floppy_noexec", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: floppy_noexec: exit-status: matches expectation: [0]", + "test-type": 0, + "title": "1.1.19 Check for removeable media noexec" + 
}, + { + "duration": 15930, + "err": null, + "expected": [ + "Passed_Check" + ], + "found": [ + "Passed_Check" + ], + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "floppy_noexec", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: floppy_noexec: stdout: matches expectation: [Passed_Check]", + "test-type": 2, + "title": "1.1.19 Check for removeable media noexec" + }, + { + "duration": 27160570, + "err": null, + "expected": [ + "0" + ], + "found": [ + "0" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "msdos", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: msdos: exit-status: matches expectation: [0]", + "test-type": 0, + "title": "1.1.1.4 Ensure mounting of fat filesystems is disabled (Automated)" + }, + { + "duration": 7224, + "err": null, + "expected": [ + "install /bin/true" + ], + "found": [ + "install /bin/true" + ], + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "msdos", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: msdos: stdout: matches expectation: [install /bin/true]", + "test-type": 2, + "title": "1.1.1.4 Ensure mounting of fat filesystems is disabled (Automated)" + }, + { + "duration": 42225374, + "err": null, + "expected": [ + "0" + ], + "found": [ + "1" + ], + "human": "Expected\n \u003cint\u003e: 1\nto equal\n \u003cint\u003e: 0", + "meta": null, + "property": "exit-status", + "resource-id": "aslr_enabled_2", + "resource-type": "Command", + "result": 1, + "successful": false, + "summary-line": "Command: aslr_enabled_2: exit-status:\nExpected\n \u003cint\u003e: 1\nto equal\n \u003cint\u003e: 0", + "test-type": 0, + "title": "1.6.3 Ensure address space layout randomization (ASLR) is enabled (Automated)" + }, + { + "duration": 13083, + "err": null, + "expected": [ + "kernel.randomize_va_space = 2" + ], + "found": null, + "human": 
"", + "meta": null, + "property": "stdout", + "resource-id": "aslr_enabled_2", + "resource-type": "Command", + "result": 1, + "successful": false, + "summary-line": "Command: aslr_enabled_2: stdout: patterns not found: [kernel.randomize_va_space = 2]", + "test-type": 2, + "title": "1.6.3 Ensure address space layout randomization (ASLR) is enabled (Automated)" + }, + { + "duration": 48835881, + "err": null, + "expected": [ + "0" + ], + "found": [ + "0" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "cramfs", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: cramfs: exit-status: matches expectation: [0]", + "test-type": 0, + "title": "1.1.1.1 Ensure mounting of cramfs filesystems is disabled (Automated)" + }, + { + "duration": 7198, + "err": null, + "expected": [ + "install /bin/true" + ], + "found": [ + "install /bin/true" + ], + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "cramfs", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: cramfs: stdout: matches expectation: [install /bin/true]", + "test-type": 2, + "title": "1.1.1.1 Ensure mounting of cramfs filesystems is disabled (Automated)" + }, + { + "duration": 62024575, + "err": null, + "expected": [ + "0" + ], + "found": [ + "0" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "modprobe_sctp", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: modprobe_sctp: exit-status: matches expectation: [0]", + "test-type": 0, + "title": "3.4.2 Ensure SCTP is disabled (Automated)" + }, + { + "duration": 6605, + "err": null, + "expected": [ + "install /bin/true" + ], + "found": null, + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "modprobe_sctp", + "resource-type": "Command", + "result": 1, + "successful": false, + "summary-line": "Command: modprobe_sctp: stdout: patterns not 
found: [install /bin/true]", + "test-type": 2, + "title": "3.4.2 Ensure SCTP is disabled (Automated)" + }, + { + "duration": 63731109, + "err": null, + "expected": [ + "0" + ], + "found": [ + "0" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "cdrom_noexec", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: cdrom_noexec: exit-status: matches expectation: [0]", + "test-type": 0, + "title": "1.1.19 Check for removeable media noexec" + }, + { + "duration": 27236, + "err": null, + "expected": [ + "Passed_Check" + ], + "found": [ + "Passed_Check" + ], + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "cdrom_noexec", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: cdrom_noexec: stdout: matches expectation: [Passed_Check]", + "test-type": 2, + "title": "1.1.19 Check for removeable media noexec" + }, + { + "duration": 205492397, + "err": null, + "expected": [ + "0" + ], + "found": [ + "0" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "/etc/ssh/ssh_host_key_perms", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: /etc/ssh/ssh_host_key_perms: exit-status: matches expectation: [0]", + "test-type": 0, + "title": "5.2.3 Ensure permissions on SSH private host key files are configured_user" + }, + { + "duration": 14811, + "err": null, + "expected": [ + "!/./" + ], + "found": [ + "!/./" + ], + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "/etc/ssh/ssh_host_key_perms", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: /etc/ssh/ssh_host_key_perms: stdout: matches expectation: [!/./]", + "test-type": 2, + "title": "5.2.3 Ensure permissions on SSH private host key files are configured_user" + }, + { + "duration": 40235480, + "err": null, + "expected": [ + "0" + ], + "found": [ + "0" + ], + 
"human": "", + "meta": null, + "property": "exit-status", + "resource-id": "pty_sudoers_d", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: pty_sudoers_d: exit-status: matches expectation: [0]", + "test-type": 0, + "title": "1.3.2 Ensure sudo commands use pty (Automated)" + }, + { + "duration": 29347, + "err": null, + "expected": [ + "/[1-99]/" + ], + "found": [ + "/[1-99]/" + ], + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "pty_sudoers_d", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: pty_sudoers_d: stdout: matches expectation: [/[1-99]/]", + "test-type": 2, + "title": "1.3.2 Ensure sudo commands use pty (Automated)" + }, + { + "duration": 88864885, + "err": null, + "expected": [ + "0" + ], + "found": [ + "0" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "floppy_nosuid", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: floppy_nosuid: exit-status: matches expectation: [0]", + "test-type": 0, + "title": "1.1.21 Check for removeable media nosuid" + }, + { + "duration": 14227, + "err": null, + "expected": [ + "Passed_Check" + ], + "found": [ + "Passed_Check" + ], + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "floppy_nosuid", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: floppy_nosuid: stdout: matches expectation: [Passed_Check]", + "test-type": 2, + "title": "1.1.21 Check for removeable media nosuid" + }, + { + "duration": 60412062, + "err": null, + "expected": [ + "127" + ], + "found": [ + "127" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "iwconfig", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: iwconfig: exit-status: matches expectation: [127]", + "test-type": 0, + "title": "3.1.2 Ensure wireless 
interfaces are disabled (Manual)" + }, + { + "duration": 109364944, + "err": null, + "expected": [ + "0" + ], + "found": [ + "0" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "auditd_grub", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: auditd_grub: exit-status: matches expectation: [0]", + "test-type": 0, + "title": "(L2) 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled (Automated)" + }, + { + "duration": 18515, + "err": null, + "expected": [ + "!/./" + ], + "found": null, + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "auditd_grub", + "resource-type": "Command", + "result": 1, + "successful": false, + "summary-line": "Command: auditd_grub: stdout: patterns not found: [!/./]", + "test-type": 2, + "title": "(L2) 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled (Automated)" + }, + { + "duration": 127729537, + "err": null, + "expected": [ + "0" + ], + "found": [ + "0" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "fat_live", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: fat_live: exit-status: matches expectation: [0]", + "test-type": 0, + "title": "1.1.1.4 Ensure mounting of fat filesystems is disabled (Automated)" + }, + { + "duration": 7929, + "err": null, + "expected": [ + "Passed_Check" + ], + "found": [ + "Passed_Check" + ], + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "fat_live", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: fat_live: stdout: matches expectation: [Passed_Check]", + "test-type": 2, + "title": "1.1.1.4 Ensure mounting of fat filesystems is disabled (Automated)" + }, + { + "duration": 91797975, + "err": null, + "expected": [ + "0" + ], + "found": [ + "0" + ], + "human": "", + "meta": null, + "property": "exit-status", + 
"resource-id": "vfat", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: vfat: exit-status: matches expectation: [0]", + "test-type": 0, + "title": "1.1.1.4 Ensure mounting of fat filesystems is disabled (Automated)" + }, + { + "duration": 3403, + "err": null, + "expected": [ + "install /bin/true" + ], + "found": [ + "install /bin/true" + ], + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "vfat", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: vfat: stdout: matches expectation: [install /bin/true]", + "test-type": 2, + "title": "1.1.1.4 Ensure mounting of fat filesystems is disabled (Automated)" + }, + { + "duration": 109775822, + "err": null, + "expected": [ + "0" + ], + "found": [ + "0" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "modprobe_dccp", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: modprobe_dccp: exit-status: matches expectation: [0]", + "test-type": 0, + "title": "3.4.1 Ensure DCCP is disabled (Automated)" + }, + { + "duration": 20347, + "err": null, + "expected": [ + "install /bin/true" + ], + "found": null, + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "modprobe_dccp", + "resource-type": "Command", + "result": 1, + "successful": false, + "summary-line": "Command: modprobe_dccp: stdout: patterns not found: [install /bin/true]", + "test-type": 2, + "title": "3.4.1 Ensure DCCP is disabled (Automated)" + }, + { + "duration": 97478095, + "err": null, + "expected": [ + "0" + ], + "found": [ + "2" + ], + "human": "Expected\n \u003cint\u003e: 2\nto equal\n \u003cint\u003e: 0", + "meta": null, + "property": "exit-status", + "resource-id": "check_timeout", + "resource-type": "Command", + "result": 1, + "successful": false, + "summary-line": "Command: check_timeout: exit-status:\nExpected\n \u003cint\u003e: 2\nto equal\n 
\u003cint\u003e: 0", + "test-type": 0, + "title": "5.4.4 Ensure default user shell timeout is configured (Automated)-profile.d" + }, + { + "duration": 14804, + "err": null, + "expected": [ + "!/./" + ], + "found": [ + "!/./" + ], + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "check_timeout", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: check_timeout: stdout: matches expectation: [!/./]", + "test-type": 2, + "title": "5.4.4 Ensure default user shell timeout is configured (Automated)-profile.d" + }, + { + "duration": 100545804, + "err": null, + "expected": [ + "0" + ], + "found": [ + "0" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "gpg_check_global", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: gpg_check_global: exit-status: matches expectation: [0]", + "test-type": 0, + "title": "1.2.3 Ensure gpgcheck is globally active" + }, + { + "duration": 364608079, + "err": null, + "expected": [ + "0" + ], + "found": [ + "0" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "logfile_configured", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: logfile_configured: exit-status: matches expectation: [0]", + "test-type": 0, + "title": "4.2.3 Ensure permissions on all logfiles are configured" + }, + { + "duration": 16907, + "err": null, + "expected": [ + "!/./" + ], + "found": null, + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "logfile_configured", + "resource-type": "Command", + "result": 1, + "successful": false, + "summary-line": "Command: logfile_configured: stdout: patterns not found: [!/./]", + "test-type": 2, + "title": "4.2.3 Ensure permissions on all logfiles are configured" + }, + { + "duration": 150071709, + "err": null, + "expected": [ + "0" + ], + "found": [ + "0" + ], + "human": "", + "meta": null, + 
"property": "exit-status", + "resource-id": "floppy_nodev", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: floppy_nodev: exit-status: matches expectation: [0]", + "test-type": 0, + "title": "1.1.20 Check for removeable media nodev" + }, + { + "duration": 13555, + "err": null, + "expected": [ + "Passed_Check" + ], + "found": [ + "Passed_Check" + ], + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "floppy_nodev", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: floppy_nodev: stdout: matches expectation: [Passed_Check]", + "test-type": 2, + "title": "1.1.20 Check for removeable media nodev" + }, + { + "duration": 286618343, + "err": null, + "expected": [ + "0" + ], + "found": [ + "0" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "/etc/ssh/ssh_host_key_group", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: /etc/ssh/ssh_host_key_group: exit-status: matches expectation: [0]", + "test-type": 0, + "title": "5.2.3 Ensure permissions on SSH private host key files are configured_group" + }, + { + "duration": 49199, + "err": null, + "expected": [ + "!/./" + ], + "found": [ + "!/./" + ], + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "/etc/ssh/ssh_host_key_group", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: /etc/ssh/ssh_host_key_group: stdout: matches expectation: [!/./]", + "test-type": 2, + "title": "5.2.3 Ensure permissions on SSH private host key files are configured_group" + }, + { + "duration": 133096472, + "err": null, + "expected": [ + "0" + ], + "found": [ + "0" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "fat", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: fat: exit-status: matches expectation: [0]", + 
"test-type": 0, + "title": "1.1.1.4 Ensure mounting of fat filesystems is disabled (Automated)" + }, + { + "duration": 13854, + "err": null, + "expected": [ + "install /bin/true" + ], + "found": [ + "install /bin/true" + ], + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "fat", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: fat: stdout: matches expectation: [install /bin/true]", + "test-type": 2, + "title": "1.1.1.4 Ensure mounting of fat filesystems is disabled (Automated)" + }, + { + "duration": 143816865, + "err": null, + "expected": [ + "1" + ], + "found": [ + "1" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "secure_system_LK", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: secure_system_LK: exit-status: matches expectation: [1]", + "test-type": 0, + "title": "" + }, + { + "duration": 6381, + "err": null, + "expected": [ + "0" + ], + "found": [ + "0" + ], + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "secure_system_LK", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: secure_system_LK: stdout: matches expectation: [0]", + "test-type": 2, + "title": "" + }, + { + "duration": 162780781, + "err": null, + "expected": [ + "0" + ], + "found": [ + "0" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "cdrom_nosuid", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: cdrom_nosuid: exit-status: matches expectation: [0]", + "test-type": 0, + "title": "1.1.21 Check for removeable media nosuid" + }, + { + "duration": 13377, + "err": null, + "expected": [ + "Passed_Check" + ], + "found": [ + "Passed_Check" + ], + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "cdrom_nosuid", + "resource-type": "Command", + "result": 0, + "successful": true, + 
"summary-line": "Command: cdrom_nosuid: stdout: matches expectation: [Passed_Check]", + "test-type": 2, + "title": "1.1.21 Check for removeable media nosuid" + }, + { + "duration": 74180338, + "err": null, + "expected": [ + "0" + ], + "found": [ + "0" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "suid_dumpable_1", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: suid_dumpable_1: exit-status: matches expectation: [0]", + "test-type": 0, + "title": "1.6.1 Ensure core dumps are restricted (Automated)_sysctl" + }, + { + "duration": 6148, + "err": null, + "expected": [ + "fs.suid_dumpable = 0" + ], + "found": [ + "fs.suid_dumpable = 0" + ], + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "suid_dumpable_1", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: suid_dumpable_1: stdout: matches expectation: [fs.suid_dumpable = 0]", + "test-type": 2, + "title": "1.6.1 Ensure core dumps are restricted (Automated)_sysctl" + }, + { + "duration": 156278297, + "err": null, + "expected": [ + "1" + ], + "found": [ + "1" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "secure_system_accts", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: secure_system_accts: exit-status: matches expectation: [1]", + "test-type": 0, + "title": "5.4.2 Ensure system accounts are secured (Automated)" + }, + { + "duration": 13725, + "err": null, + "expected": [ + "!/./" + ], + "found": [ + "!/./" + ], + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "secure_system_accts", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: secure_system_accts: stdout: matches expectation: [!/./]", + "test-type": 2, + "title": "5.4.2 Ensure system accounts are secured (Automated)" + }, + { + "duration": 253339319, + "err": null, + 
"expected": [ + "0" + ], + "found": [ + "0" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "/etc/ssh/ssh_host_key_user", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: /etc/ssh/ssh_host_key_user: exit-status: matches expectation: [0]", + "test-type": 0, + "title": "5.2.3 Ensure permissions on SSH pub host key files are configured_user" + }, + { + "duration": 22843, + "err": null, + "expected": [ + "!/./" + ], + "found": [ + "!/./" + ], + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "/etc/ssh/ssh_host_key_user", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: /etc/ssh/ssh_host_key_user: stdout: matches expectation: [!/./]", + "test-type": 2, + "title": "5.2.3 Ensure permissions on SSH pub host key files are configured_user" + }, + { + "duration": 74077262, + "err": null, + "expected": [ + "0" + ], + "found": [ + "0" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "udf", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: udf: exit-status: matches expectation: [0]", + "test-type": 0, + "title": "1.1.1.3 Ensure mounting of udf filesystems is disabled (Automated)" + }, + { + "duration": 7060, + "err": null, + "expected": [ + "install /bin/true" + ], + "found": [ + "install /bin/true" + ], + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "udf", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: udf: stdout: matches expectation: [install /bin/true]", + "test-type": 2, + "title": "1.1.1.3 Ensure mounting of udf filesystems is disabled (Automated)" + }, + { + "duration": 47330192, + "err": null, + "expected": [ + "0" + ], + "found": [ + "0" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "single_user_1", + "resource-type": "Command", + "result": 
0, + "successful": true, + "summary-line": "Command: single_user_1: exit-status: matches expectation: [0]", + "test-type": 0, + "title": "1.5.3 Ensure authentication required for single user mode (Automated)" + }, + { + "duration": 127949910, + "err": null, + "expected": [ + "0" + ], + "found": [ + "0" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "inactive_passwd", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: inactive_passwd: exit-status: matches expectation: [0]", + "test-type": 0, + "title": "5.4.1.4 Ensure inactive password lock is 30 days or less" + }, + { + "duration": 93174, + "err": null, + "expected": [ + "/^INACTIVE=[1-30]/" + ], + "found": [ + "/^INACTIVE=[1-30]/" + ], + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "inactive_passwd", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: inactive_passwd: stdout: matches expectation: [/^INACTIVE=[1-30]/]", + "test-type": 2, + "title": "5.4.1.4 Ensure inactive password lock is 30 days or less" + }, + { + "duration": 128491231, + "err": null, + "expected": [ + "1" + ], + "found": [ + "1" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "mta_installed", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: mta_installed: exit-status: matches expectation: [1]", + "test-type": 0, + "title": "2.2.16 Ensure mail transfer agent is configured for local-only mode (Automated)" + }, + { + "duration": 14930, + "err": null, + "expected": [ + "!/./" + ], + "found": [ + "!/./" + ], + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "mta_installed", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: mta_installed: stdout: matches expectation: [!/./]", + "test-type": 2, + "title": "2.2.16 Ensure mail transfer agent is configured for 
local-only mode (Automated)" + }, + { + "duration": 152079102, + "err": null, + "expected": [ + "false" + ], + "found": [ + "false" + ], + "human": "", + "meta": null, + "property": "installed", + "resource-id": "squid", + "resource-type": "Package", + "result": 0, + "successful": true, + "summary-line": "Package: squid: installed: matches expectation: [false]", + "test-type": 0, + "title": "2.2.14 Ensure http proxy Server is not installed (Automated)" + }, + { + "duration": 327230364, + "err": null, + "expected": [ + "false" + ], + "found": [ + "false" + ], + "human": "", + "meta": null, + "property": "installed", + "resource-id": "telnet-server", + "resource-type": "Package", + "result": 0, + "successful": true, + "summary-line": "Package: telnet-server: installed: matches expectation: [false]", + "test-type": 0, + "title": "2.2.19 Ensure telnet-server is not installed (Automated)" + }, + { + "duration": 303501908, + "err": null, + "expected": [ + "false" + ], + "found": [ + "false" + ], + "human": "", + "meta": null, + "property": "installed", + "resource-id": "net-snmp", + "resource-type": "Package", + "result": 0, + "successful": true, + "summary-line": "Package: net-snmp: installed: matches expectation: [false]", + "test-type": 0, + "title": "2.2.15 Ensure net-snmp is not installed (Automated)" + }, + { + "duration": 899594513, + "err": null, + "expected": [ + "0" + ], + "found": [ + "0" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "kernel_nx", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: kernel_nx: exit-status: matches expectation: [0]", + "test-type": 0, + "title": "1.6.2 Ensure XD/NX support is enabled (Automated)" + }, + { + "duration": 9021, + "err": null, + "expected": [ + "kernel: NX (Execute Disable) protection: active" + ], + "found": [ + "kernel: NX (Execute Disable) protection: active" + ], + "human": "", + "meta": null, + "property": "stdout", + "resource-id": 
"kernel_nx", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: kernel_nx: stdout: matches expectation: [kernel: NX (Execute Disable) protection: active]", + "test-type": 2, + "title": "1.6.2 Ensure XD/NX support is enabled (Automated)" + }, + { + "duration": 399523762, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "installed", + "resource-id": "rsyslog", + "resource-type": "Package", + "result": 0, + "successful": true, + "summary-line": "Package: rsyslog: installed: matches expectation: [true]", + "test-type": 0, + "title": "4.2.1.1 Ensure rsyslog is installed (Automated)" + }, + { + "duration": 277768235, + "err": null, + "expected": [ + "false" + ], + "found": [ + "false" + ], + "human": "", + "meta": null, + "property": "installed", + "resource-id": "cups", + "resource-type": "Package", + "result": 0, + "successful": true, + "summary-line": "Package: cups: installed: matches expectation: [false]", + "test-type": 0, + "title": "2.2.4 Ensure CUPS is not installed (Automated)" + }, + { + "duration": 157164796, + "err": null, + "expected": [ + "false" + ], + "found": [ + "false" + ], + "human": "", + "meta": null, + "property": "installed", + "resource-id": "bind", + "resource-type": "Package", + "result": 0, + "successful": true, + "summary-line": "Package: bind: installed: matches expectation: [false]", + "test-type": 0, + "title": "2.2.9 Ensure DNS Server is not installed (Automated)" + }, + { + "duration": 178466017, + "err": null, + "expected": [ + "false" + ], + "found": [ + "false" + ], + "human": "", + "meta": null, + "property": "installed", + "resource-id": "ypbind", + "resource-type": "Package", + "result": 0, + "successful": true, + "summary-line": "Package: ypbind: installed: matches expectation: [false]", + "test-type": 0, + "title": "2.3.1 Ensure NIS Client is not installed (Automated)" + }, + { + "duration": 216603471, + "err": null, + 
"expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "installed", + "resource-id": "sudo", + "resource-type": "Package", + "result": 0, + "successful": true, + "summary-line": "Package: sudo: installed: matches expectation: [true]", + "test-type": 0, + "title": "1.3.1 Ensure sudo is installed (Automated)" + }, + { + "duration": 250685318, + "err": null, + "expected": [ + "false" + ], + "found": [ + "false" + ], + "human": "", + "meta": null, + "property": "installed", + "resource-id": "vsftpd", + "resource-type": "Package", + "result": 0, + "successful": true, + "summary-line": "Package: vsftpd: installed: matches expectation: [false]", + "test-type": 0, + "title": "2.2.10 Ensure FTP Server is not installed (Automated)" + }, + { + "duration": 274718142, + "err": null, + "expected": [ + "false" + ], + "found": [ + "false" + ], + "human": "", + "meta": null, + "property": "installed", + "resource-id": "xorgs-x11-servers", + "resource-type": "Package", + "result": 0, + "successful": true, + "summary-line": "Package: xorgs-x11-servers: installed: matches expectation: [false]", + "test-type": 0, + "title": "2.2.2 Ensure X11 Server components are not installed (Automated)" + }, + { + "duration": 290326594, + "err": null, + "expected": [ + "false" + ], + "found": [ + "false" + ], + "human": "", + "meta": null, + "property": "installed", + "resource-id": "mcstrans", + "resource-type": "Package", + "result": 0, + "successful": true, + "summary-line": "Package: mcstrans: installed: matches expectation: [false]", + "test-type": 0, + "title": "1.7.1.8 Ensure the MCS Translation Service (mcstrans) is not installed" + }, + { + "duration": 275775171, + "err": null, + "expected": [ + "false" + ], + "found": [ + "false" + ], + "human": "", + "meta": null, + "property": "installed", + "resource-id": "httpd", + "resource-type": "Package", + "result": 0, + "successful": true, + "summary-line": "Package: httpd: installed: matches 
expectation: [false]", + "test-type": 0, + "title": "2.2.11 Ensure HTTP Server is not installed (Automated)" + }, + { + "duration": 248513947, + "err": null, + "expected": [ + "false" + ], + "found": [ + "false" + ], + "human": "", + "meta": null, + "property": "installed", + "resource-id": "avahi", + "resource-type": "Package", + "result": 0, + "successful": true, + "summary-line": "Package: avahi: installed: matches expectation: [false]", + "test-type": 0, + "title": "2.2.3 Ensure Avahi Server is not installed (Automated)" + }, + { + "duration": 249915118, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "installed", + "resource-id": "chrony", + "resource-type": "Package", + "result": 0, + "successful": true, + "summary-line": "Package: chrony: installed: matches expectation: [true]", + "test-type": 0, + "title": "2.2.1.1 Ensure time synchronization is in use (Manual)_chrony" + }, + { + "duration": 235686387, + "err": null, + "expected": [ + "false" + ], + "found": [ + "false" + ], + "human": "", + "meta": null, + "property": "installed", + "resource-id": "talk", + "resource-type": "Package", + "result": 0, + "successful": true, + "summary-line": "Package: talk: installed: matches expectation: [false]", + "test-type": 0, + "title": "2.3.3 Ensure talk client is not installed (Automated)" + }, + { + "duration": 285104141, + "err": null, + "expected": [ + "true" + ], + "found": [ + "false" + ], + "human": "Expected\n \u003cbool\u003e: false\nto equal\n \u003cbool\u003e: true", + "meta": null, + "property": "installed", + "resource-id": "crond", + "resource-type": "Package", + "result": 1, + "successful": false, + "summary-line": "Package: crond: installed:\nExpected\n \u003cbool\u003e: false\nto equal\n \u003cbool\u003e: true", + "test-type": 0, + "title": "5.1.1 Ensure cron daemon is enabled and running (Automated)" + }, + { + "duration": 237764908, + "err": null, + "expected": [ + "false" + ], + 
"found": [ + "false" + ], + "human": "", + "meta": null, + "property": "installed", + "resource-id": "telnet", + "resource-type": "Package", + "result": 0, + "successful": true, + "summary-line": "Package: telnet: installed: matches expectation: [false]", + "test-type": 0, + "title": "2.3.4 Ensure telnet client is not installed (Automated)" + }, + { + "duration": 214189434, + "err": null, + "expected": [ + "false" + ], + "found": [ + "false" + ], + "human": "", + "meta": null, + "property": "installed", + "resource-id": "xinetd", + "resource-type": "Package", + "result": 0, + "successful": true, + "summary-line": "Package: xinetd: installed: matches expectation: [false]", + "test-type": 0, + "title": "2.2.1 Ensure xinetd is not installed (Automated)" + }, + { + "duration": 270472323, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "installed", + "resource-id": "audit-libs", + "resource-type": "Package", + "result": 0, + "successful": true, + "summary-line": "Package: audit-libs: installed: matches expectation: [true]", + "test-type": 0, + "title": "4.1.1.1 Ensure auditd is installed (Automated)" + }, + { + "duration": 162968285, + "err": null, + "expected": [ + "false" + ], + "found": [ + "false" + ], + "human": "", + "meta": null, + "property": "installed", + "resource-id": "dhcp", + "resource-type": "Package", + "result": 0, + "successful": true, + "summary-line": "Package: dhcp: installed: matches expectation: [false]", + "test-type": 0, + "title": "2.2.5 Ensure DHCP Server is not installed (Automated)" + }, + { + "duration": 201956206, + "err": null, + "expected": [ + "false" + ], + "found": [ + "false" + ], + "human": "", + "meta": null, + "property": "installed", + "resource-id": "samba", + "resource-type": "Package", + "result": 0, + "successful": true, + "summary-line": "Package: samba: installed: matches expectation: [false]", + "test-type": 0, + "title": "2.2.13 Ensure Samba is not 
installed (Automated)" + }, + { + "duration": 250538765, + "err": null, + "expected": [ + "true" + ], + "found": [ + "false" + ], + "human": "Expected\n \u003cbool\u003e: false\nto equal\n \u003cbool\u003e: true", + "meta": null, + "property": "installed", + "resource-id": "auditd", + "resource-type": "Package", + "result": 1, + "successful": false, + "summary-line": "Package: auditd: installed:\nExpected\n \u003cbool\u003e: false\nto equal\n \u003cbool\u003e: true", + "test-type": 0, + "title": "(L2) 4.1.1.1 Ensure auditd is installed (Automated)" + }, + { + "duration": 252885067, + "err": null, + "expected": [ + "false" + ], + "found": [ + "false" + ], + "human": "", + "meta": null, + "property": "installed", + "resource-id": "ypserver", + "resource-type": "Package", + "result": 0, + "successful": true, + "summary-line": "Package: ypserver: installed: matches expectation: [false]", + "test-type": 0, + "title": "2.2.18 Ensure NIS server is not installed (Automated)" + }, + { + "duration": 264943890, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "installed", + "resource-id": "firewalld", + "resource-type": "Package", + "result": 0, + "successful": true, + "summary-line": "Package: firewalld: installed: matches expectation: [true]", + "test-type": 0, + "title": "3.5.1.1 Ensure FirewallD is installed (Automated)" + }, + { + "duration": 256015590, + "err": null, + "expected": [ + "false" + ], + "found": [ + "false" + ], + "human": "", + "meta": null, + "property": "installed", + "resource-id": "dovecot", + "resource-type": "Package", + "result": 0, + "successful": true, + "summary-line": "Package: dovecot: installed: matches expectation: [false]", + "test-type": 0, + "title": "2.2.12 Ensure IMAP and POP3 Server is not installed (Automated)" + }, + { + "duration": 277109662, + "err": null, + "expected": [ + "false" + ], + "found": [ + "false" + ], + "human": "", + "meta": null, + "property": 
"installed", + "resource-id": "openldap-servers", + "resource-type": "Package", + "result": 0, + "successful": true, + "summary-line": "Package: openldap-servers: installed: matches expectation: [false]", + "test-type": 0, + "title": "2.2.6 Ensure LDAP server is not installed (Automated)" + }, + { + "duration": 283187562, + "err": null, + "expected": [ + "false" + ], + "found": [ + "false" + ], + "human": "", + "meta": null, + "property": "installed", + "resource-id": "rsh", + "resource-type": "Package", + "result": 0, + "successful": true, + "summary-line": "Package: rsh: installed: matches expectation: [false]", + "test-type": 0, + "title": "2.3.2 Ensure rsh client is not installed (Automated)" + }, + { + "duration": 175519662, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "installed", + "resource-id": "iptables", + "resource-type": "Package", + "result": 0, + "successful": true, + "summary-line": "Package: iptables: installed: matches expectation: [true]", + "test-type": 0, + "title": "3.5.1.1 Ensure FirewallD is installed (Automated)" + }, + { + "duration": 198093037, + "err": null, + "expected": [ + "false" + ], + "found": [ + "false" + ], + "human": "", + "meta": null, + "property": "installed", + "resource-id": "openldap-clients", + "resource-type": "Package", + "result": 0, + "successful": true, + "summary-line": "Package: openldap-clients: installed: matches expectation: [false]", + "test-type": 0, + "title": "2.3.5 Ensure LDAP client is not installed (Automated)" + }, + { + "duration": 185811593, + "err": null, + "expected": [ + "false" + ], + "found": [ + "false" + ], + "human": "", + "meta": null, + "property": "installed", + "resource-id": "prelink", + "resource-type": "Package", + "result": 0, + "successful": true, + "summary-line": "Package: prelink: installed: matches expectation: [false]", + "test-type": 0, + "title": "1.6.4 Ensure prelink is disabled (Automated)" + }, + { + 
"duration": 70254033, + "err": null, + "expected": [ + "false" + ], + "found": [ + "false" + ], + "human": "", + "meta": null, + "property": "enabled", + "resource-id": "coredump", + "resource-type": "Service", + "result": 0, + "successful": true, + "summary-line": "Service: coredump: enabled: matches expectation: [false]", + "test-type": 0, + "title": "" + }, + { + "duration": 78113233, + "err": null, + "expected": [ + "false" + ], + "found": [ + "false" + ], + "human": "", + "meta": null, + "property": "running", + "resource-id": "coredump", + "resource-type": "Service", + "result": 0, + "successful": true, + "summary-line": "Service: coredump: running: matches expectation: [false]", + "test-type": 0, + "title": "" + }, + { + "duration": 162973629, + "err": null, + "expected": [ + "false" + ], + "found": [ + "false" + ], + "human": "", + "meta": null, + "property": "installed", + "resource-id": "setroubleshoot", + "resource-type": "Package", + "result": 0, + "successful": true, + "summary-line": "Package: setroubleshoot: installed: matches expectation: [false]", + "test-type": 0, + "title": "1.7.1.7 Ensure SETroubleshoot is not installed (Automated)" + }, + { + "duration": 23988931, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "enabled", + "resource-id": "auditd", + "resource-type": "Service", + "result": 0, + "successful": true, + "summary-line": "Service: auditd: enabled: matches expectation: [true]", + "test-type": 0, + "title": "(L2) 4.1.1.2 Ensure auditd service is enabled and running (Automated)" + }, + { + "duration": 103020195, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "running", + "resource-id": "auditd", + "resource-type": "Service", + "result": 0, + "successful": true, + "summary-line": "Service: auditd: running: matches expectation: [true]", + "test-type": 0, + "title": "(L2) 4.1.1.2 Ensure auditd service 
is enabled and running (Automated)" + }, + { + "duration": 55153284, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "enabled", + "resource-id": "rsyslog", + "resource-type": "Service", + "result": 0, + "successful": true, + "summary-line": "Service: rsyslog: enabled: matches expectation: [true]", + "test-type": 0, + "title": "4.2.1.2 Ensure rsyslog Service is enabled and running (Automated)" + }, + { + "duration": 107979781, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "running", + "resource-id": "rsyslog", + "resource-type": "Service", + "result": 0, + "successful": true, + "summary-line": "Service: rsyslog: running: matches expectation: [true]", + "test-type": 0, + "title": "4.2.1.2 Ensure rsyslog Service is enabled and running (Automated)" + }, + { + "duration": 263840, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "exists", + "resource-id": "/etc/pam.d/system-auth", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/pam.d/system-auth: exists: matches expectation: [true]", + "test-type": 0, + "title": "5.3.4 Ensure password reuse is limited" + }, + { + "duration": 80233, + "err": null, + "expected": [ + "/^password sufficient pam_unix.so sha512 shadow nullok try_first_pass remember=5 user_authtok/" + ], + "found": null, + "human": "", + "meta": null, + "property": "contains", + "resource-id": "/etc/pam.d/system-auth", + "resource-type": "File", + "result": 1, + "successful": false, + "summary-line": "File: /etc/pam.d/system-auth: contains: patterns not found: [/^password sufficient pam_unix.so sha512 shadow nullok try_first_pass remember=5 user_authtok/]", + "test-type": 2, + "title": "5.3.4 Ensure password reuse is limited" + }, + { + "duration": 12770, + "err": null, + "expected": [ + "true" + ], + "found": [ 
+ "true" + ], + "human": "", + "meta": null, + "property": "exists", + "resource-id": "/etc/ssh/sshd_config", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/ssh/sshd_config: exists: matches expectation: [true]", + "test-type": 0, + "title": "5.2.9 Ensure SSH HostbasedAuthentication is disabled" + }, + { + "duration": 65744, + "err": null, + "expected": [ + "HostbasedAuthentication no", + "!/^HostbasedAuthentication yes/" + ], + "found": [ + "HostbasedAuthentication no", + "!/^HostbasedAuthentication yes/" + ], + "human": "", + "meta": null, + "property": "contains", + "resource-id": "/etc/ssh/sshd_config", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/ssh/sshd_config: contains: matches expectation: [HostbasedAuthentication no !/^HostbasedAuthentication yes/]", + "test-type": 2, + "title": "5.2.9 Ensure SSH HostbasedAuthentication is disabled" + }, + { + "duration": 11516, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "exists", + "resource-id": "/etc/systemd/journald.conf", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/systemd/journald.conf: exists: matches expectation: [true]", + "test-type": 0, + "title": "4.2.2.3 Ensure journald is configured to write logfiles to persistent disk" + }, + { + "duration": 22378, + "err": null, + "expected": [ + "Storage=persistent" + ], + "found": null, + "human": "", + "meta": null, + "property": "contains", + "resource-id": "/etc/systemd/journald.conf", + "resource-type": "File", + "result": 1, + "successful": false, + "summary-line": "File: /etc/systemd/journald.conf: contains: patterns not found: [Storage=persistent]", + "test-type": 2, + "title": "4.2.2.3 Ensure journald is configured to write logfiles to persistent disk" + }, + { + "duration": 15164, + "err": null, + "expected": [ + "true" + ], + "found": [ + "false" 
+ ], + "human": "Expected\n \u003cbool\u003e: false\nto equal\n \u003cbool\u003e: true", + "meta": null, + "property": "exists", + "resource-id": "/etc/at.allow", + "resource-type": "File", + "result": 1, + "successful": false, + "summary-line": "File: /etc/at.allow: exists:\nExpected\n \u003cbool\u003e: false\nto equal\n \u003cbool\u003e: true", + "test-type": 0, + "title": "5.1.9 Ensure at is restricted to authorized users" + }, + { + "duration": 0, + "err": null, + "expected": null, + "found": null, + "human": "", + "meta": null, + "property": "mode", + "resource-id": "/etc/at.allow", + "resource-type": "File", + "result": 2, + "successful": true, + "summary-line": "File: /etc/at.allow: mode: skipped", + "test-type": 1, + "title": "5.1.9 Ensure at is restricted to authorized users" + }, + { + "duration": 0, + "err": null, + "expected": null, + "found": null, + "human": "", + "meta": null, + "property": "owner", + "resource-id": "/etc/at.allow", + "resource-type": "File", + "result": 2, + "successful": true, + "summary-line": "File: /etc/at.allow: owner: skipped", + "test-type": 1, + "title": "5.1.9 Ensure at is restricted to authorized users" + }, + { + "duration": 0, + "err": null, + "expected": null, + "found": null, + "human": "", + "meta": null, + "property": "group", + "resource-id": "/etc/at.allow", + "resource-type": "File", + "result": 2, + "successful": true, + "summary-line": "File: /etc/at.allow: group: skipped", + "test-type": 1, + "title": "5.1.9 Ensure at is restricted to authorized users" + }, + { + "duration": 43818, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "exists", + "resource-id": "/etc/issue", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/issue: exists: matches expectation: [true]", + "test-type": 0, + "title": "1.8.1.2 \u0026 5 Ensure local login warning banner is configured properly (Automated)" + }, + { + "duration": 
18381, + "err": null, + "expected": [ + "\"0644\"" + ], + "found": [ + "\"0644\"" + ], + "human": "", + "meta": null, + "property": "mode", + "resource-id": "/etc/issue", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/issue: mode: matches expectation: [\"0644\"]", + "test-type": 0, + "title": "1.8.1.2 \u0026 5 Ensure local login warning banner is configured properly (Automated)" + }, + { + "duration": 55905, + "err": null, + "expected": [ + "\"root\"" + ], + "found": [ + "\"root\"" + ], + "human": "", + "meta": null, + "property": "owner", + "resource-id": "/etc/issue", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/issue: owner: matches expectation: [\"root\"]", + "test-type": 0, + "title": "1.8.1.2 \u0026 5 Ensure local login warning banner is configured properly (Automated)" + }, + { + "duration": 44437, + "err": null, + "expected": [ + "\"root\"" + ], + "found": [ + "\"root\"" + ], + "human": "", + "meta": null, + "property": "group", + "resource-id": "/etc/issue", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/issue: group: matches expectation: [\"root\"]", + "test-type": 0, + "title": "1.8.1.2 \u0026 5 Ensure local login warning banner is configured properly (Automated)" + }, + { + "duration": 19392, + "err": null, + "expected": [ + "![Cc]ent[Oo][Ss]", + "![Rr]hel", + "![Rr]ed[Hh]at", + "!x86_64", + "![Ll]inux" + ], + "found": [ + "![Cc]ent[Oo][Ss]", + "![Rr]hel", + "![Rr]ed[Hh]at", + "!x86_64", + "![Ll]inux" + ], + "human": "", + "meta": null, + "property": "contains", + "resource-id": "/etc/issue", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/issue: contains: matches expectation: [![Cc]ent[Oo][Ss] ![Rr]hel ![Rr]ed[Hh]at !x86_64 ![Ll]inux]", + "test-type": 2, + "title": "1.8.1.2 \u0026 5 Ensure local login warning banner is configured properly (Automated)" + }, + { + 
"duration": 9401, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "exists", + "resource-id": "/etc/pam.d/password-auth", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/pam.d/password-auth: exists: matches expectation: [true]", + "test-type": 0, + "title": "5.3.4 Ensure password reuse is limited" + }, + { + "duration": 48925, + "err": null, + "expected": [ + "/^password sufficient pam_unix.so sha512 shadow nullok try_first_pass remember=5 user_authtok/" + ], + "found": null, + "human": "", + "meta": null, + "property": "contains", + "resource-id": "/etc/pam.d/password-auth", + "resource-type": "File", + "result": 1, + "successful": false, + "summary-line": "File: /etc/pam.d/password-auth: contains: patterns not found: [/^password sufficient pam_unix.so sha512 shadow nullok try_first_pass remember=5 user_authtok/]", + "test-type": 2, + "title": "5.3.4 Ensure password reuse is limited" + }, + { + "duration": 7182, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "exists", + "resource-id": "/etc/login.defs", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/login.defs: exists: matches expectation: [true]", + "test-type": 0, + "title": "5.4.1.3 Ensure password expiration warning days is 7 or more" + }, + { + "duration": 62333, + "err": null, + "expected": [ + "/^PASS_WARN_AGE\\s*7/", + "!/^PASS_WARN_AGE\\s*[1-6]/" + ], + "found": [ + "/^PASS_WARN_AGE\\s*7/", + "!/^PASS_WARN_AGE\\s*[1-6]/" + ], + "human": "", + "meta": null, + "property": "contains", + "resource-id": "/etc/login.defs", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/login.defs: contains: matches expectation: [/^PASS_WARN_AGE\\s*7/ !/^PASS_WARN_AGE\\s*[1-6]/]", + "test-type": 2, + "title": "5.4.1.3 Ensure password expiration warning 
days is 7 or more" + }, + { + "duration": 8932, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "exists", + "resource-id": "/etc/profile", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/profile: exists: matches expectation: [true]", + "test-type": 0, + "title": "5.4.4 Ensure default user shell timeout is configured (Automated)-profile" + }, + { + "duration": 147380, + "err": null, + "expected": [ + "/^TMOUT=([1-8][0-9]{0,2}|900)/", + "/^readonly TMOUT/" + ], + "found": [ + "/^TMOUT=([1-8][0-9]{0,2}|900)/", + "/^readonly TMOUT/" + ], + "human": "", + "meta": null, + "property": "contains", + "resource-id": "/etc/profile", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/profile: contains: matches expectation: [/^TMOUT=([1-8][0-9]{0,2}|900)/ /^readonly TMOUT/]", + "test-type": 2, + "title": "5.4.4 Ensure default user shell timeout is configured (Automated)-profile" + }, + { + "duration": 9404, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "exists", + "resource-id": "/etc/rsyslog.conf", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/rsyslog.conf: exists: matches expectation: [true]", + "test-type": 0, + "title": "4.2.1.3 Ensure rsyslog default file permissions configured" + }, + { + "duration": 36904, + "err": null, + "expected": [ + "$FileCreateMode 06[0:4]0", + "!$FileCreateMode 06[6:7][0:7]" + ], + "found": [ + "!$FileCreateMode 06[6:7][0:7]" + ], + "human": "", + "meta": null, + "property": "contains", + "resource-id": "/etc/rsyslog.conf", + "resource-type": "File", + "result": 1, + "successful": false, + "summary-line": "File: /etc/rsyslog.conf: contains: patterns not found: [$FileCreateMode 06[0:4]0]", + "test-type": 2, + "title": "4.2.1.3 Ensure rsyslog default file permissions 
configured" + }, + { + "duration": 8021, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "exists", + "resource-id": "/etc/audit/auditd.conf", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/audit/auditd.conf: exists: matches expectation: [true]", + "test-type": 0, + "title": "(L2) 4.1.2.3 Ensure system is disabled when audit logs are full (Automated)" + }, + { + "duration": 36969, + "err": null, + "expected": [ + "space_left_action = email", + "action_mail_acct = root", + "/^admin_space_left_action = halt/" + ], + "found": [ + "action_mail_acct = root" + ], + "human": "", + "meta": null, + "property": "contains", + "resource-id": "/etc/audit/auditd.conf", + "resource-type": "File", + "result": 1, + "successful": false, + "summary-line": "File: /etc/audit/auditd.conf: contains: patterns not found: [space_left_action = email, /^admin_space_left_action = halt/]", + "test-type": 2, + "title": "(L2) 4.1.2.3 Ensure system is disabled when audit logs are full (Automated)" + }, + { + "duration": 300471, + "err": null, + "expected": [ + "true" + ], + "found": [ + "false" + ], + "human": "Expected\n \u003cbool\u003e: false\nto equal\n \u003cbool\u003e: true", + "meta": null, + "property": "exists", + "resource-id": "/boot/grub2/user.cfg", + "resource-type": "File", + "result": 1, + "successful": false, + "summary-line": "File: /boot/grub2/user.cfg: exists:\nExpected\n \u003cbool\u003e: false\nto equal\n \u003cbool\u003e: true", + "test-type": 0, + "title": "1.5.1 Ensure bootloader password is set (Automated) and permissions" + }, + { + "duration": 0, + "err": null, + "expected": null, + "found": null, + "human": "", + "meta": null, + "property": "mode", + "resource-id": "/boot/grub2/user.cfg", + "resource-type": "File", + "result": 2, + "successful": true, + "summary-line": "File: /boot/grub2/user.cfg: mode: skipped", + "test-type": 1, + "title": "1.5.1 Ensure 
bootloader password is set (Automated) and permissions" + }, + { + "duration": 0, + "err": null, + "expected": null, + "found": null, + "human": "", + "meta": null, + "property": "owner", + "resource-id": "/boot/grub2/user.cfg", + "resource-type": "File", + "result": 2, + "successful": true, + "summary-line": "File: /boot/grub2/user.cfg: owner: skipped", + "test-type": 1, + "title": "1.5.1 Ensure bootloader password is set (Automated) and permissions" + }, + { + "duration": 0, + "err": null, + "expected": null, + "found": null, + "human": "", + "meta": null, + "property": "group", + "resource-id": "/boot/grub2/user.cfg", + "resource-type": "File", + "result": 2, + "successful": true, + "summary-line": "File: /boot/grub2/user.cfg: group: skipped", + "test-type": 1, + "title": "1.5.1 Ensure bootloader password is set (Automated) and permissions" + }, + { + "duration": 10331, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "exists", + "resource-id": "/etc/cron.d", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/cron.d: exists: matches expectation: [true]", + "test-type": 0, + "title": "5.1.7 Ensure permissions on /etc/cron.d are configured" + }, + { + "duration": 21630, + "err": null, + "expected": [ + "\"0700\"" + ], + "found": [ + "\"0755\"" + ], + "human": "Expected\n \u003cstring\u003e: 0755\nto equal\n \u003cstring\u003e: 0700", + "meta": null, + "property": "mode", + "resource-id": "/etc/cron.d", + "resource-type": "File", + "result": 1, + "successful": false, + "summary-line": "File: /etc/cron.d: mode:\nExpected\n \u003cstring\u003e: 0755\nto equal\n \u003cstring\u003e: 0700", + "test-type": 0, + "title": "5.1.7 Ensure permissions on /etc/cron.d are configured" + }, + { + "duration": 53975, + "err": null, + "expected": [ + "\"root\"" + ], + "found": [ + "\"root\"" + ], + "human": "", + "meta": null, + "property": "owner", + "resource-id": 
"/etc/cron.d", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/cron.d: owner: matches expectation: [\"root\"]", + "test-type": 0, + "title": "5.1.7 Ensure permissions on /etc/cron.d are configured" + }, + { + "duration": 41925, + "err": null, + "expected": [ + "\"root\"" + ], + "found": [ + "\"root\"" + ], + "human": "", + "meta": null, + "property": "group", + "resource-id": "/etc/cron.d", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/cron.d: group: matches expectation: [\"root\"]", + "test-type": 0, + "title": "5.1.7 Ensure permissions on /etc/cron.d are configured" + }, + { + "duration": 57375, + "err": null, + "expected": [ + "false" + ], + "found": [ + "true" + ], + "human": "Expected\n \u003cbool\u003e: true\nto equal\n \u003cbool\u003e: false", + "meta": null, + "property": "exists", + "resource-id": "/etc/at.deny", + "resource-type": "File", + "result": 1, + "successful": false, + "summary-line": "File: /etc/at.deny: exists:\nExpected\n \u003cbool\u003e: true\nto equal\n \u003cbool\u003e: false", + "test-type": 0, + "title": "5.1.9 Ensure at is restricted to authorized users" + }, + { + "duration": 9277, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "exists", + "resource-id": "/etc/issue.net", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/issue.net: exists: matches expectation: [true]", + "test-type": 0, + "title": "1.8.1.3 \u0026 6 Ensure remote login warning banner is configured properly (Automated)" + }, + { + "duration": 6509, + "err": null, + "expected": [ + "\"0644\"" + ], + "found": [ + "\"0644\"" + ], + "human": "", + "meta": null, + "property": "mode", + "resource-id": "/etc/issue.net", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/issue.net: mode: matches expectation: [\"0644\"]", + 
"test-type": 0, + "title": "1.8.1.3 \u0026 6 Ensure remote login warning banner is configured properly (Automated)" + }, + { + "duration": 44601, + "err": null, + "expected": [ + "\"root\"" + ], + "found": [ + "\"root\"" + ], + "human": "", + "meta": null, + "property": "owner", + "resource-id": "/etc/issue.net", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/issue.net: owner: matches expectation: [\"root\"]", + "test-type": 0, + "title": "1.8.1.3 \u0026 6 Ensure remote login warning banner is configured properly (Automated)" + }, + { + "duration": 39996, + "err": null, + "expected": [ + "\"root\"" + ], + "found": [ + "\"root\"" + ], + "human": "", + "meta": null, + "property": "group", + "resource-id": "/etc/issue.net", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/issue.net: group: matches expectation: [\"root\"]", + "test-type": 0, + "title": "1.8.1.3 \u0026 6 Ensure remote login warning banner is configured properly (Automated)" + }, + { + "duration": 19828, + "err": null, + "expected": [ + "![Cc]ent[Oo][Ss]", + "![Rr]hel", + "![Rr]ed[Hh]at", + "!x86_64", + "![Ll]inux" + ], + "found": [ + "![Cc]ent[Oo][Ss]", + "![Rr]hel", + "![Rr]ed[Hh]at", + "!x86_64", + "![Ll]inux" + ], + "human": "", + "meta": null, + "property": "contains", + "resource-id": "/etc/issue.net", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/issue.net: contains: matches expectation: [![Cc]ent[Oo][Ss] ![Rr]hel ![Rr]ed[Hh]at !x86_64 ![Ll]inux]", + "test-type": 2, + "title": "1.8.1.3 \u0026 6 Ensure remote login warning banner is configured properly (Automated)" + }, + { + "duration": 9988, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "exists", + "resource-id": "/etc/security/pwquality.conf", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: 
/etc/security/pwquality.conf: exists: matches expectation: [true]", + "test-type": 0, + "title": "5.3.1 Ensure password creation requirements are configured" + }, + { + "duration": 31292, + "err": null, + "expected": [ + "dcredit = -1", + "ucredit = -1", + "lcredit = -1", + "ocredit = -1" + ], + "found": null, + "human": "", + "meta": null, + "property": "contains", + "resource-id": "/etc/security/pwquality.conf", + "resource-type": "File", + "result": 1, + "successful": false, + "summary-line": "File: /etc/security/pwquality.conf: contains: patterns not found: [dcredit = -1, ucredit = -1, lcredit = -1, ocredit = -1]", + "test-type": 2, + "title": "5.3.1 Ensure password creation requirements are configured" + }, + { + "duration": 7304, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "exists", + "resource-id": "/etc/sysconfig/chronyd", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/sysconfig/chronyd: exists: matches expectation: [true]", + "test-type": 0, + "title": "2.2.1.2 Ensure chrony is configured (Automated)_sysconf" + }, + { + "duration": 13842, + "err": null, + "expected": [ + "OPTIONS=\"-u chrony\"" + ], + "found": [ + "OPTIONS=\"-u chrony\"" + ], + "human": "", + "meta": null, + "property": "contains", + "resource-id": "/etc/sysconfig/chronyd", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/sysconfig/chronyd: contains: matches expectation: [OPTIONS=\"-u chrony\"]", + "test-type": 2, + "title": "2.2.1.2 Ensure chrony is configured (Automated)_sysconf" + }, + { + "duration": 8191, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "exists", + "resource-id": "/etc/sudoers", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/sudoers: exists: matches expectation: [true]", + "test-type": 0, + 
"title": "1.3.3 Ensure sudo log file exists (Automated)" + }, + { + "duration": 78516, + "err": null, + "expected": [ + "/^Defaults logfile=/var/log//", + "!/^#Defaults logfile=/" + ], + "found": null, + "human": "", + "meta": null, + "property": "contains", + "resource-id": "/etc/sudoers", + "resource-type": "File", + "result": 1, + "successful": false, + "summary-line": "File: /etc/sudoers: contains: patterns not found: [/^Defaults logfile=/var/log//, !/^#Defaults logfile=/]", + "test-type": 2, + "title": "1.3.3 Ensure sudo log file exists (Automated)" + }, + { + "duration": 8542, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "exists", + "resource-id": "/etc/crontab", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/crontab: exists: matches expectation: [true]", + "test-type": 0, + "title": "5.1.2 Ensure permissions on /etc/crontab are configured" + }, + { + "duration": 7103, + "err": null, + "expected": [ + "\"0644\"" + ], + "found": [ + "\"0644\"" + ], + "human": "", + "meta": null, + "property": "mode", + "resource-id": "/etc/crontab", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/crontab: mode: matches expectation: [\"0644\"]", + "test-type": 0, + "title": "5.1.2 Ensure permissions on /etc/crontab are configured" + }, + { + "duration": 41507, + "err": null, + "expected": [ + "\"root\"" + ], + "found": [ + "\"root\"" + ], + "human": "", + "meta": null, + "property": "owner", + "resource-id": "/etc/crontab", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/crontab: owner: matches expectation: [\"root\"]", + "test-type": 0, + "title": "5.1.2 Ensure permissions on /etc/crontab are configured" + }, + { + "duration": 38463, + "err": null, + "expected": [ + "\"root\"" + ], + "found": [ + "\"root\"" + ], + "human": "", + "meta": null, + "property": "group", + 
"resource-id": "/etc/crontab", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/crontab: group: matches expectation: [\"root\"]", + "test-type": 0, + "title": "5.1.2 Ensure permissions on /etc/crontab are configured" + }, + { + "duration": 5782, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "exists", + "resource-id": "/etc/bashrc", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/bashrc: exists: matches expectation: [true]", + "test-type": 0, + "title": "5.4.4 Ensure default user shell timeout is configured (Automated)-bashrc" + }, + { + "duration": 145156, + "err": null, + "expected": [ + "/^TMOUT=([1-8][0-9]{0,2}|900)/", + "/^readonly TMOUT/" + ], + "found": null, + "human": "", + "meta": null, + "property": "contains", + "resource-id": "/etc/bashrc", + "resource-type": "File", + "result": 1, + "successful": false, + "summary-line": "File: /etc/bashrc: contains: patterns not found: [/^TMOUT=([1-8][0-9]{0,2}|900)/, /^readonly TMOUT/]", + "test-type": 2, + "title": "5.4.4 Ensure default user shell timeout is configured (Automated)-bashrc" + }, + { + "duration": 8644, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "exists", + "resource-id": "/etc/motd", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/motd: exists: matches expectation: [true]", + "test-type": 0, + "title": "1.8.1.1 \u0026 4 Ensure message of the day is configured properly (Automated)" + }, + { + "duration": 6431, + "err": null, + "expected": [ + "\"0644\"" + ], + "found": [ + "\"0644\"" + ], + "human": "", + "meta": null, + "property": "mode", + "resource-id": "/etc/motd", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/motd: mode: matches expectation: [\"0644\"]", + "test-type": 0, 
+ "title": "1.8.1.1 \u0026 4 Ensure message of the day is configured properly (Automated)" + }, + { + "duration": 40323, + "err": null, + "expected": [ + "\"root\"" + ], + "found": [ + "\"root\"" + ], + "human": "", + "meta": null, + "property": "owner", + "resource-id": "/etc/motd", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/motd: owner: matches expectation: [\"root\"]", + "test-type": 0, + "title": "1.8.1.1 \u0026 4 Ensure message of the day is configured properly (Automated)" + }, + { + "duration": 42004, + "err": null, + "expected": [ + "\"root\"" + ], + "found": [ + "\"root\"" + ], + "human": "", + "meta": null, + "property": "group", + "resource-id": "/etc/motd", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/motd: group: matches expectation: [\"root\"]", + "test-type": 0, + "title": "1.8.1.1 \u0026 4 Ensure message of the day is configured properly (Automated)" + }, + { + "duration": 13713, + "err": null, + "expected": [ + "![Cc]ent[Oo][Ss]", + "![Rr]hel", + "![Rr]ed[Hh]at", + "!x86_64", + "![Ll]inux" + ], + "found": [ + "![Cc]ent[Oo][Ss]", + "![Rr]hel", + "![Rr]ed[Hh]at", + "!x86_64", + "![Ll]inux" + ], + "human": "", + "meta": null, + "property": "contains", + "resource-id": "/etc/motd", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/motd: contains: matches expectation: [![Cc]ent[Oo][Ss] ![Rr]hel ![Rr]ed[Hh]at !x86_64 ![Ll]inux]", + "test-type": 2, + "title": "1.8.1.1 \u0026 4 Ensure message of the day is configured properly (Automated)" + }, + { + "duration": 7773, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "exists", + "resource-id": "/etc/chrony.conf", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/chrony.conf: exists: matches expectation: [true]", + "test-type": 0, + "title": "2.2.1.2 Ensure 
chrony is configured (Automated)_conf" + }, + { + "duration": 15053, + "err": null, + "expected": [ + "server" + ], + "found": [ + "server" + ], + "human": "", + "meta": null, + "property": "contains", + "resource-id": "/etc/chrony.conf", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /etc/chrony.conf: contains: matches expectation: [server]", + "test-type": 2, + "title": "2.2.1.2 Ensure chrony is configured (Automated)_conf" + }, + { + "duration": 13411, + "err": null, + "expected": [ + "true" + ], + "found": [ + "false" + ], + "human": "Expected\n \u003cbool\u003e: false\nto equal\n \u003cbool\u003e: true", + "meta": null, + "property": "exists", + "resource-id": "/etc/rsyslog.d/*.conf", + "resource-type": "File", + "result": 1, + "successful": false, + "summary-line": "File: /etc/rsyslog.d/*.conf: exists:\nExpected\n \u003cbool\u003e: false\nto equal\n \u003cbool\u003e: true", + "test-type": 0, + "title": "4.2.1.3 Ensure rsyslog default file permissions configured" + }, + { + "duration": 0, + "err": null, + "expected": null, + "found": null, + "human": "", + "meta": null, + "property": "contains", + "resource-id": "/etc/rsyslog.d/*.conf", + "resource-type": "File", + "result": 2, + "successful": true, + "summary-line": "File: /etc/rsyslog.d/*.conf: contains: skipped", + "test-type": 1, + "title": "4.2.1.3 Ensure rsyslog default file permissions configured" + }, + { + "duration": 12090, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "exists", + "resource-id": "/boot/grub2/grub.cfg", + "resource-type": "File", + "result": 0, + "successful": true, + "summary-line": "File: /boot/grub2/grub.cfg: exists: matches expectation: [true]", + "test-type": 0, + "title": "(L2) 4.1.2.4 Ensure audit_backlog_limit is sufficient (Automated)" + }, + { + "duration": 38803, + "err": null, + "expected": [ + "GRUB_CMDLINE_LINUX=\"audit_backlog_limit=2048\"" + ], + "found": 
null, + "human": "", + "meta": null, + "property": "contains", + "resource-id": "/boot/grub2/grub.cfg", + "resource-type": "File", + "result": 1, + "successful": false, + "summary-line": "File: /boot/grub2/grub.cfg: contains: patterns not found: [GRUB_CMDLINE_LINUX=\"audit_backlog_limit=2048\"]", + "test-type": 2, + "title": "(L2) 4.1.2.4 Ensure audit_backlog_limit is sufficient (Automated)" + }, + { + "duration": 39736, + "err": {}, + "expected": null, + "found": null, + "human": "", + "meta": null, + "property": "exists", + "resource-id": "root", + "resource-type": "User", + "result": 1, + "successful": false, + "summary-line": "root: exists: Error: Missing Required Attribute", + "test-type": 1, + "title": "5.4.3 Ensure default group for the root account is GID 0 (Automated)" + }, + { + "duration": 0, + "err": null, + "expected": null, + "found": null, + "human": "", + "meta": null, + "property": "uid", + "resource-id": "root", + "resource-type": "User", + "result": 2, + "successful": true, + "summary-line": "User: root: uid: skipped", + "test-type": 1, + "title": "5.4.3 Ensure default group for the root account is GID 0 (Automated)" + }, + { + "duration": 0, + "err": null, + "expected": null, + "found": null, + "human": "", + "meta": null, + "property": "gid", + "resource-id": "root", + "resource-type": "User", + "result": 2, + "successful": true, + "summary-line": "User: root: gid: skipped", + "test-type": 1, + "title": "5.4.3 Ensure default group for the root account is GID 0 (Automated)" + }, + { + "duration": 146221, + "err": null, + "expected": [ + "\"0\"" + ], + "found": [ + "\"0\"" + ], + "human": "", + "meta": null, + "property": "value", + "resource-id": "net.ipv6.conf.all.accept_source_route", + "resource-type": "KernelParam", + "result": 0, + "successful": true, + "summary-line": "KernelParam: net.ipv6.conf.all.accept_source_route: value: matches expectation: [\"0\"]", + "test-type": 0, + "title": "3.3.1 Ensure source routed packets are not accepted 
(Automated)_ipv6_all" + }, + { + "duration": 35834, + "err": null, + "expected": [ + "\"1\"" + ], + "found": [ + "\"1\"" + ], + "human": "", + "meta": null, + "property": "value", + "resource-id": "net.ipv4.tcp_syncookies", + "resource-type": "KernelParam", + "result": 0, + "successful": true, + "summary-line": "KernelParam: net.ipv4.tcp_syncookies: value: matches expectation: [\"1\"]", + "test-type": 0, + "title": "3.3.8 Ensure TCP SYN Cookies is enabled (Automated)" + }, + { + "duration": 28430, + "err": null, + "expected": [ + "\"0\"" + ], + "found": [ + "\"0\"" + ], + "human": "", + "meta": null, + "property": "value", + "resource-id": "net.ipv4.ip_forward", + "resource-type": "KernelParam", + "result": 0, + "successful": true, + "summary-line": "KernelParam: net.ipv4.ip_forward: value: matches expectation: [\"0\"]", + "test-type": 0, + "title": "3.2.1 Ensure IP forwarding is disabled (Automated)_ipv4" + }, + { + "duration": 26146, + "err": null, + "expected": [ + "\"0\"" + ], + "found": [ + "\"0\"" + ], + "human": "", + "meta": null, + "property": "value", + "resource-id": "net.ipv6.conf.all.forwarding", + "resource-type": "KernelParam", + "result": 0, + "successful": true, + "summary-line": "KernelParam: net.ipv6.conf.all.forwarding: value: matches expectation: [\"0\"]", + "test-type": 0, + "title": "3.2.1 Ensure IP forwarding is disabled (Automated)_ipv6" + }, + { + "duration": 40895, + "err": null, + "expected": [ + "\"0\"" + ], + "found": [ + "\"1\"" + ], + "human": "Expected\n \u003cstring\u003e: 1\nto equal\n \u003cstring\u003e: 0", + "meta": null, + "property": "value", + "resource-id": "net.ipv4.conf.default.accept_redirects", + "resource-type": "KernelParam", + "result": 1, + "successful": false, + "summary-line": "KernelParam: net.ipv4.conf.default.accept_redirects: value:\nExpected\n \u003cstring\u003e: 1\nto equal\n \u003cstring\u003e: 0", + "test-type": 0, + "title": "3.3.2 Ensure ICMP redirects are not accepted (Automated)_ipv4_def" + }, + { + 
"duration": 31004, + "err": null, + "expected": [ + "\"1\"" + ], + "found": [ + "\"1\"" + ], + "human": "", + "meta": null, + "property": "value", + "resource-id": "net.ipv4.icmp_echo_ignore_broadcasts", + "resource-type": "KernelParam", + "result": 0, + "successful": true, + "summary-line": "KernelParam: net.ipv4.icmp_echo_ignore_broadcasts: value: matches expectation: [\"1\"]", + "test-type": 0, + "title": "3.3.5 Ensure broadcast ICMP requests are ignored (Automated)" + }, + { + "duration": 30061, + "err": null, + "expected": [ + "\"1\"" + ], + "found": [ + "\"0\"" + ], + "human": "Expected\n \u003cstring\u003e: 0\nto equal\n \u003cstring\u003e: 1", + "meta": null, + "property": "value", + "resource-id": "net.ipv4.conf.all.log_martians", + "resource-type": "KernelParam", + "result": 1, + "successful": false, + "summary-line": "KernelParam: net.ipv4.conf.all.log_martians: value:\nExpected\n \u003cstring\u003e: 0\nto equal\n \u003cstring\u003e: 1", + "test-type": 0, + "title": "3.3.4 Ensure suspicious packets are logged (Automated)_all" + }, + { + "duration": 35644, + "err": null, + "expected": [ + "\"0\"" + ], + "found": [ + "\"1\"" + ], + "human": "Expected\n \u003cstring\u003e: 1\nto equal\n \u003cstring\u003e: 0", + "meta": null, + "property": "value", + "resource-id": "net.ipv6.conf.all.accept_ra", + "resource-type": "KernelParam", + "result": 1, + "successful": false, + "summary-line": "KernelParam: net.ipv6.conf.all.accept_ra: value:\nExpected\n \u003cstring\u003e: 1\nto equal\n \u003cstring\u003e: 0", + "test-type": 0, + "title": "3.3.9 Ensure IPv6 router advertisements are not accepted (Automated)" + }, + { + "duration": 34265, + "err": null, + "expected": [ + "\"0\"" + ], + "found": [ + "\"1\"" + ], + "human": "Expected\n \u003cstring\u003e: 1\nto equal\n \u003cstring\u003e: 0", + "meta": null, + "property": "value", + "resource-id": "net.ipv4.conf.all.send_redirects", + "resource-type": "KernelParam", + "result": 1, + "successful": false, + 
"summary-line": "KernelParam: net.ipv4.conf.all.send_redirects: value:\nExpected\n \u003cstring\u003e: 1\nto equal\n \u003cstring\u003e: 0", + "test-type": 0, + "title": "3.2.2 Ensure packet redirect sending is disabled (Automated)_all" + }, + { + "duration": 32728, + "err": null, + "expected": [ + "\"0\"" + ], + "found": [ + "\"1\"" + ], + "human": "Expected\n \u003cstring\u003e: 1\nto equal\n \u003cstring\u003e: 0", + "meta": null, + "property": "value", + "resource-id": "net.ipv4.conf.default.secure_redirects", + "resource-type": "KernelParam", + "result": 1, + "successful": false, + "summary-line": "KernelParam: net.ipv4.conf.default.secure_redirects: value:\nExpected\n \u003cstring\u003e: 1\nto equal\n \u003cstring\u003e: 0", + "test-type": 0, + "title": "3.3.3 Ensure secure ICMP redirects are not accepted (Automated)_def" + }, + { + "duration": 34928, + "err": null, + "expected": [ + "\"0\"" + ], + "found": [ + "\"1\"" + ], + "human": "Expected\n \u003cstring\u003e: 1\nto equal\n \u003cstring\u003e: 0", + "meta": null, + "property": "value", + "resource-id": "net.ipv6.conf.all.accept_redirects", + "resource-type": "KernelParam", + "result": 1, + "successful": false, + "summary-line": "KernelParam: net.ipv6.conf.all.accept_redirects: value:\nExpected\n \u003cstring\u003e: 1\nto equal\n \u003cstring\u003e: 0", + "test-type": 0, + "title": "3.3.2 Ensure ICMP redirects are not accepted (Automated)_ipv6" + }, + { + "duration": 35097, + "err": null, + "expected": [ + "\"0\"" + ], + "found": [ + "\"1\"" + ], + "human": "Expected\n \u003cstring\u003e: 1\nto equal\n \u003cstring\u003e: 0", + "meta": null, + "property": "value", + "resource-id": "net.ipv6.conf.default.accept_redirects", + "resource-type": "KernelParam", + "result": 1, + "successful": false, + "summary-line": "KernelParam: net.ipv6.conf.default.accept_redirects: value:\nExpected\n \u003cstring\u003e: 1\nto equal\n \u003cstring\u003e: 0", + "test-type": 0, + "title": "3.3.2 Ensure ICMP redirects are not 
accepted (Automated)_ipv6_def" + }, + { + "duration": 62206, + "err": null, + "expected": [ + "\"0\"" + ], + "found": [ + "\"1\"" + ], + "human": "Expected\n \u003cstring\u003e: 1\nto equal\n \u003cstring\u003e: 0", + "meta": null, + "property": "value", + "resource-id": "net.ipv4.conf.default.send_redirects", + "resource-type": "KernelParam", + "result": 1, + "successful": false, + "summary-line": "KernelParam: net.ipv4.conf.default.send_redirects: value:\nExpected\n \u003cstring\u003e: 1\nto equal\n \u003cstring\u003e: 0", + "test-type": 0, + "title": "3.2.2 Ensure packet redirect sending is disabled (Automated)_default" + }, + { + "duration": 30527, + "err": null, + "expected": [ + "\"1\"" + ], + "found": [ + "\"1\"" + ], + "human": "", + "meta": null, + "property": "value", + "resource-id": "net.ipv4.conf.all.rp_filter", + "resource-type": "KernelParam", + "result": 0, + "successful": true, + "summary-line": "KernelParam: net.ipv4.conf.all.rp_filter: value: matches expectation: [\"1\"]", + "test-type": 0, + "title": "3.3.7 Ensure Reverse Path Filtering is enabled (Automated)_def" + }, + { + "duration": 31363, + "err": null, + "expected": [ + "\"0\"" + ], + "found": [ + "\"0\"" + ], + "human": "", + "meta": null, + "property": "value", + "resource-id": "net.ipv4.conf.default.accept_source_route", + "resource-type": "KernelParam", + "result": 0, + "successful": true, + "summary-line": "KernelParam: net.ipv4.conf.default.accept_source_route: value: matches expectation: [\"0\"]", + "test-type": 0, + "title": "3.3.1 Ensure source routed packets are not accepted (Automated)_ipv4_default" + }, + { + "duration": 31824, + "err": null, + "expected": [ + "\"0\"" + ], + "found": [ + "\"1\"" + ], + "human": "Expected\n \u003cstring\u003e: 1\nto equal\n \u003cstring\u003e: 0", + "meta": null, + "property": "value", + "resource-id": "net.ipv4.conf.all.accept_redirects", + "resource-type": "KernelParam", + "result": 1, + "successful": false, + "summary-line": "KernelParam: 
net.ipv4.conf.all.accept_redirects: value:\nExpected\n \u003cstring\u003e: 1\nto equal\n \u003cstring\u003e: 0", + "test-type": 0, + "title": "3.3.2 Ensure ICMP redirects are not accepted (Automated)_ipv4" + }, + { + "duration": 28096, + "err": null, + "expected": [ + "\"1\"" + ], + "found": [ + "\"1\"" + ], + "human": "", + "meta": null, + "property": "value", + "resource-id": "net.ipv4.icmp_ignore_bogus_error_responses", + "resource-type": "KernelParam", + "result": 0, + "successful": true, + "summary-line": "KernelParam: net.ipv4.icmp_ignore_bogus_error_responses: value: matches expectation: [\"1\"]", + "test-type": 0, + "title": "3.3.6 Ensure bogus ICMP responses are ignored (Automated)" + }, + { + "duration": 27227, + "err": null, + "expected": [ + "\"0\"" + ], + "found": [ + "\"0\"" + ], + "human": "", + "meta": null, + "property": "value", + "resource-id": "net.ipv4.conf.all.accept_source_route", + "resource-type": "KernelParam", + "result": 0, + "successful": true, + "summary-line": "KernelParam: net.ipv4.conf.all.accept_source_route: value: matches expectation: [\"0\"]", + "test-type": 0, + "title": "3.3.1 Ensure source routed packets are not accepted (Automated)_ipv4_all" + }, + { + "duration": 27479, + "err": null, + "expected": [ + "\"0\"" + ], + "found": [ + "\"1\"" + ], + "human": "Expected\n \u003cstring\u003e: 1\nto equal\n \u003cstring\u003e: 0", + "meta": null, + "property": "value", + "resource-id": "net.ipv4.conf.all.secure_redirects", + "resource-type": "KernelParam", + "result": 1, + "successful": false, + "summary-line": "KernelParam: net.ipv4.conf.all.secure_redirects: value:\nExpected\n \u003cstring\u003e: 1\nto equal\n \u003cstring\u003e: 0", + "test-type": 0, + "title": "3.3.3 Ensure secure ICMP redirects are not accepted (Automated)_all" + }, + { + "duration": 40485, + "err": null, + "expected": [ + "\"0\"" + ], + "found": [ + "\"1\"" + ], + "human": "Expected\n \u003cstring\u003e: 1\nto equal\n \u003cstring\u003e: 0", + "meta": null, + 
"property": "value", + "resource-id": "net.ipv6.conf.default.accept_ra", + "resource-type": "KernelParam", + "result": 1, + "successful": false, + "summary-line": "KernelParam: net.ipv6.conf.default.accept_ra: value:\nExpected\n \u003cstring\u003e: 1\nto equal\n \u003cstring\u003e: 0", + "test-type": 0, + "title": "3.3.9 Ensure IPv6 router advertisements are not accepted (Automated)" + }, + { + "duration": 28895, + "err": null, + "expected": [ + "\"0\"" + ], + "found": [ + "\"0\"" + ], + "human": "", + "meta": null, + "property": "value", + "resource-id": "net.ipv6.conf.default.accept_source_route", + "resource-type": "KernelParam", + "result": 0, + "successful": true, + "summary-line": "KernelParam: net.ipv6.conf.default.accept_source_route: value: matches expectation: [\"0\"]", + "test-type": 0, + "title": "3.3.1 Ensure source routed packets are not accepted (Automated)_ipv6_default" + }, + { + "duration": 28051, + "err": null, + "expected": [ + "\"1\"" + ], + "found": [ + "\"0\"" + ], + "human": "Expected\n \u003cstring\u003e: 0\nto equal\n \u003cstring\u003e: 1", + "meta": null, + "property": "value", + "resource-id": "net.ipv4.conf.default.log_martians", + "resource-type": "KernelParam", + "result": 1, + "successful": false, + "summary-line": "KernelParam: net.ipv4.conf.default.log_martians: value:\nExpected\n \u003cstring\u003e: 0\nto equal\n \u003cstring\u003e: 1", + "test-type": 0, + "title": "3.3.4 Ensure suspicious packets are logged (Automated)_def" + }, + { + "duration": 551385, + "err": null, + "expected": [ + "true" + ], + "found": [ + "false" + ], + "human": "Expected\n \u003cbool\u003e: false\nto equal\n \u003cbool\u003e: true", + "meta": null, + "property": "exists", + "resource-id": "/var/tmp", + "resource-type": "Mount", + "result": 1, + "successful": false, + "summary-line": "Mount: /var/tmp: exists:\nExpected\n \u003cbool\u003e: false\nto equal\n \u003cbool\u003e: true", + "test-type": 0, + "title": "(L2) 1.1.11_14 Ensure separate partition 
exists for /var/tmp (Automated)" + }, + { + "duration": 0, + "err": null, + "expected": null, + "found": null, + "human": "", + "meta": null, + "property": "opts", + "resource-id": "/var/tmp", + "resource-type": "Mount", + "result": 2, + "successful": true, + "summary-line": "Mount: /var/tmp: opts: skipped", + "test-type": 1, + "title": "(L2) 1.1.11_14 Ensure separate partition exists for /var/tmp (Automated)" + }, + { + "duration": 510512, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "exists", + "resource-id": "/var/log", + "resource-type": "Mount", + "result": 0, + "successful": true, + "summary-line": "Mount: /var/log: exists: matches expectation: [true]", + "test-type": 0, + "title": "(L2) 1.1.15 Ensure separate partition exists for /var/log (Automated)" + }, + { + "duration": 436484, + "err": null, + "expected": [ + "true" + ], + "found": [ + "false" + ], + "human": "Expected\n \u003cbool\u003e: false\nto equal\n \u003cbool\u003e: true", + "meta": null, + "property": "exists", + "resource-id": "/var/log/audit", + "resource-type": "Mount", + "result": 1, + "successful": false, + "summary-line": "Mount: /var/log/audit: exists:\nExpected\n \u003cbool\u003e: false\nto equal\n \u003cbool\u003e: true", + "test-type": 0, + "title": "(L2) 1.1.16 Ensure separate partition exists for /var/log/audit (Automated)" + }, + { + "duration": 426644, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "exists", + "resource-id": "/home", + "resource-type": "Mount", + "result": 0, + "successful": true, + "summary-line": "Mount: /home: exists: matches expectation: [true]", + "test-type": 0, + "title": "1.1.17 Ensure separate partition exists for /home (Automated)" + }, + { + "duration": 16622, + "err": null, + "expected": [ + "[\"nodev\"]" + ], + "found": [ + "[\"rw\",\"nodev\",\"relatime\"]" + ], + "human": "", + "meta": null, + "property": 
"opts", + "resource-id": "/home", + "resource-type": "Mount", + "result": 0, + "successful": true, + "summary-line": "Mount: /home: opts: matches expectation: [[\"nodev\"]]", + "test-type": 0, + "title": "1.1.17 Ensure separate partition exists for /home (Automated)" + }, + { + "duration": 439157, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "exists", + "resource-id": "/tmp", + "resource-type": "Mount", + "result": 0, + "successful": true, + "summary-line": "Mount: /tmp: exists: matches expectation: [true]", + "test-type": 0, + "title": "1.1.2_5 Ensure /tmp is configured (Automated) with mount options" + }, + { + "duration": 24128, + "err": null, + "expected": [ + "[\"noexec\",\"nodev\",\"nosuid\"]" + ], + "found": [ + "[\"rw\",\"nodev\",\"noexec\",\"relatime\"]" + ], + "human": "Expected\n \u003c[]string | len:4, cap:4\u003e: [\"rw\", \"nodev\", \"noexec\", \"relatime\"]\nto contain element matching\n \u003cstring\u003e: nosuid", + "meta": null, + "property": "opts", + "resource-id": "/tmp", + "resource-type": "Mount", + "result": 1, + "successful": false, + "summary-line": "Mount: /tmp: opts:\nExpected\n \u003c[]string | len:4, cap:4\u003e: [\"rw\", \"nodev\", \"noexec\", \"relatime\"]\nto contain element matching\n \u003cstring\u003e: nosuid", + "test-type": 0, + "title": "1.1.2_5 Ensure /tmp is configured (Automated) with mount options" + }, + { + "duration": 454465, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "exists", + "resource-id": "/dev/shm", + "resource-type": "Mount", + "result": 0, + "successful": true, + "summary-line": "Mount: /dev/shm: exists: matches expectation: [true]", + "test-type": 0, + "title": "1.1.6_9 Ensure /dev/shm is configured" + }, + { + "duration": 15540, + "err": null, + "expected": [ + "[\"noexec\",\"nodev\",\"nosuid\"]" + ], + "found": [ + "[\"rw\",\"nosuid\",\"nodev\"]" + ], + "human": 
"Expected\n \u003c[]string | len:3, cap:3\u003e: [\"rw\", \"nosuid\", \"nodev\"]\nto contain element matching\n \u003cstring\u003e: noexec", + "meta": null, + "property": "opts", + "resource-id": "/dev/shm", + "resource-type": "Mount", + "result": 1, + "successful": false, + "summary-line": "Mount: /dev/shm: opts:\nExpected\n \u003c[]string | len:3, cap:3\u003e: [\"rw\", \"nosuid\", \"nodev\"]\nto contain element matching\n \u003cstring\u003e: noexec", + "test-type": 0, + "title": "1.1.6_9 Ensure /dev/shm is configured" + }, + { + "duration": 472648, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "exists", + "resource-id": "/var", + "resource-type": "Mount", + "result": 0, + "successful": true, + "summary-line": "Mount: /var: exists: matches expectation: [true]", + "test-type": 0, + "title": "(L2) 1.1.10 Ensure separate partition exists for /var (Automated)" + }, + { + "duration": 113497121, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "enabled", + "resource-id": "firewalld", + "resource-type": "Service", + "result": 0, + "successful": true, + "summary-line": "Service: firewalld: enabled: matches expectation: [true]", + "test-type": 0, + "title": "3.5.1.4 Ensure firewalld service is enabled and running (Automated)" + }, + { + "duration": 118406116, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "running", + "resource-id": "firewalld", + "resource-type": "Service", + "result": 0, + "successful": true, + "summary-line": "Service: firewalld: running: matches expectation: [true]", + "test-type": 0, + "title": "3.5.1.4 Ensure firewalld service is enabled and running (Automated)" + }, + { + "duration": 73204752, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "enabled", + "resource-id": "crond", 
+ "resource-type": "Service", + "result": 0, + "successful": true, + "summary-line": "Service: crond: enabled: matches expectation: [true]", + "test-type": 0, + "title": "" + }, + { + "duration": 67859216, + "err": null, + "expected": [ + "true" + ], + "found": [ + "true" + ], + "human": "", + "meta": null, + "property": "running", + "resource-id": "crond", + "resource-type": "Service", + "result": 0, + "successful": true, + "summary-line": "Service: crond: running: matches expectation: [true]", + "test-type": 0, + "title": "" + }, + { + "duration": 91479763, + "err": null, + "expected": [ + "false" + ], + "found": [ + "false" + ], + "human": "", + "meta": null, + "property": "enabled", + "resource-id": "autofs", + "resource-type": "Service", + "result": 0, + "successful": true, + "summary-line": "Service: autofs: enabled: matches expectation: [false]", + "test-type": 0, + "title": "1.1.23 Disable Automounting" + }, + { + "duration": 56958007, + "err": null, + "expected": [ + "false" + ], + "found": [ + "false" + ], + "human": "", + "meta": null, + "property": "running", + "resource-id": "autofs", + "resource-type": "Service", + "result": 0, + "successful": true, + "summary-line": "Service: autofs: running: matches expectation: [false]", + "test-type": 0, + "title": "1.1.23 Disable Automounting" + }, + { + "duration": 79686835, + "err": null, + "expected": [ + "false" + ], + "found": [ + "false" + ], + "human": "", + "meta": null, + "property": "enabled", + "resource-id": "rhnsd", + "resource-type": "Service", + "result": 0, + "successful": true, + "summary-line": "Service: rhnsd: enabled: matches expectation: [false]", + "test-type": 0, + "title": "1.2.5 Disable the rhnsd Daemon (Manual)" + }, + { + "duration": 45688929, + "err": null, + "expected": [ + "false" + ], + "found": [ + "false" + ], + "human": "", + "meta": null, + "property": "running", + "resource-id": "rhnsd", + "resource-type": "Service", + "result": 0, + "successful": true, + "summary-line": 
"Service: rhnsd: running: matches expectation: [false]", + "test-type": 0, + "title": "1.2.5 Disable the rhnsd Daemon (Manual)" + }, + { + "duration": 2021013020, + "err": null, + "expected": [ + "0" + ], + "found": [ + "0" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "sticky_bit", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: sticky_bit: exit-status: matches expectation: [0]", + "test-type": 0, + "title": "1.1.22 Ensure sticky bit is set on all world-writable directories" + }, + { + "duration": 22749, + "err": null, + "expected": [ + "!/./" + ], + "found": [ + "!/./" + ], + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "sticky_bit", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: sticky_bit: stdout: matches expectation: [!/./]", + "test-type": 2, + "title": "1.1.22 Ensure sticky bit is set on all world-writable directories" + }, + { + "duration": 2515682961, + "err": null, + "expected": [ + "0" + ], + "found": [ + "0" + ], + "human": "", + "meta": null, + "property": "exit-status", + "resource-id": "default_zone", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: default_zone: exit-status: matches expectation: [0]", + "test-type": 0, + "title": "3.5.1.5 Ensure default zone is set (Automated)" + }, + { + "duration": 6205, + "err": null, + "expected": [ + "public" + ], + "found": [ + "public" + ], + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "default_zone", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: default_zone: stdout: matches expectation: [public]", + "test-type": 2, + "title": "3.5.1.5 Ensure default zone is set (Automated)" + }, + { + "duration": 3152274841, + "err": null, + "expected": [ + "0" + ], + "found": [ + "0" + ], + "human": "", + "meta": null, + "property": "exit-status", + 
"resource-id": "nic_assigned", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: nic_assigned: exit-status: matches expectation: [0]", + "test-type": 0, + "title": "3.5.1.6 Ensure network interfaces are assigned to appropriate zone" + }, + { + "duration": 15230, + "err": null, + "expected": [ + "ens192" + ], + "found": [ + "ens192" + ], + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "nic_assigned", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: nic_assigned: stdout: matches expectation: [ens192]", + "test-type": 2, + "title": "3.5.1.6 Ensure network interfaces are assigned to appropriate zone" + }, + { + "duration": 5345698737, + "err": null, + "expected": [ + "0" + ], + "found": [ + "100" + ], + "human": "Expected\n \u003cint\u003e: 100\nto equal\n \u003cint\u003e: 0", + "meta": null, + "property": "exit-status", + "resource-id": "security-updates", + "resource-type": "Command", + "result": 1, + "successful": false, + "summary-line": "Command: security-updates: exit-status:\nExpected\n \u003cint\u003e: 100\nto equal\n \u003cint\u003e: 0", + "test-type": 0, + "title": "1.9 Ensure updates, patches, and additional security software are installed (Automated)" + }, + { + "duration": 37753, + "err": null, + "expected": [ + "![0-9].* packages available" + ], + "found": [ + "![0-9].* packages available" + ], + "human": "", + "meta": null, + "property": "stdout", + "resource-id": "security-updates", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: security-updates: stdout: matches expectation: [![0-9].* packages available]", + "test-type": 2, + "title": "1.9 Ensure updates, patches, and additional security software are installed (Automated)" + }, + { + "duration": 6063846272, + "err": null, + "expected": [ + "0" + ], + "found": [ + "0" + ], + "human": "", + "meta": null, + "property": "exit-status", + 
"resource-id": "repos_configured", + "resource-type": "Command", + "result": 0, + "successful": true, + "summary-line": "Command: repos_configured: exit-status: matches expectation: [0]", + "test-type": 0, + "title": "1.2.2 Ensure Package manager repositories are configured" + } + ], + "summary": { + "failed-count": 46, + "summary-line": "Count: 230, Failed: 46, Duration: 6.675s", + "test-count": 230, + "total-duration": 6674737386 + } +} diff --git a/outputs/junit_output b/outputs/junit_output new file mode 100644 index 0000000..050821a --- /dev/null +++ b/outputs/junit_output 
@@ -0,0 +1,739 @@ + + + +Command: gpg_check_repo: exit-status: matches expectation: [0] + + +Command: vfat: exit-status: matches expectation: [0] + + +Command: vfat: stdout: all expectations found: [install /bin/true] + + +Command: fat: exit-status: matches expectation: [0] + + +Command: fat: stdout: all expectations found: [install /bin/true] + + +Command: secure_system_LK: exit-status: matches expectation: [1] + + +Command: secure_system_LK: stdout: all expectations found: [0] + + +Command: aslr_enabled_2: exit-status: doesn't match, expect: [0] found: [1] +Command: aslr_enabled_2: exit-status: doesn't match, expect: [0] found: [1] + + +Command: aslr_enabled_2: stdout: patterns not found: [kernel.randomize_va_space = 2] +Command: aslr_enabled_2: stdout: patterns not found: [kernel.randomize_va_space = 2] + + +Command: inactive_passwd: exit-status: matches expectation: [0] + + +Command: inactive_passwd: stdout: all expectations found: [/^INACTIVE=[1-30]/] + + +Command: check_timeout: exit-status: doesn't match, expect: [0] found: [2] +Command: check_timeout: exit-status: doesn't match, expect: [0] found: [2] + + +Command: check_timeout: stdout: all expectations found: [!/./] + + +Command: cdrom_noexec: exit-status: matches expectation: [0] + + +Command: cdrom_noexec: stdout: all expectations found: [Passed_Check] + + +Command: squashfs: exit-status: matches expectation: [0] + + +Command: squashfs: stdout: all expectations found: [install /bin/true] + + +Command: gpg_check_global: exit-status: matches expectation: [0] + + +Command: inactive_users: exit-status: matches expectation: [0] + + +Command: inactive_users: stdout: patterns not found: [!/./] +Command: inactive_users: stdout: patterns not found: [!/./] + + +Command: auditd_grub: exit-status: matches expectation: [0] + + +Command: auditd_grub: stdout: patterns not found: [!/./] +Command: auditd_grub: stdout: patterns not found: [!/./] + + +Command: pty_sudoers_d: exit-status: matches expectation: [0] + + 
+Command: pty_sudoers_d: stdout: all expectations found: [/[1-99]/] + + +Command: /etc/ssh/ssh_host_key_user: exit-status: matches expectation: [0] + + +Command: /etc/ssh/ssh_host_key_user: stdout: all expectations found: [!/./] + + +Command: single_user_2: exit-status: matches expectation: [0] + + +Command: aslr_enabled_1: exit-status: matches expectation: [0] + + +Command: aslr_enabled_1: stdout: all expectations found: [kernel.randomize_va_space = 2] + + +Command: gpg_keys: exit-status: matches expectation: [0] + + +Command: iwconfig: exit-status: matches expectation: [127] + + +Command: mta_installed: exit-status: matches expectation: [1] + + +Command: mta_installed: stdout: all expectations found: [!/./] + + +Command: /etc/ssh/ssh_host_key_group: exit-status: matches expectation: [0] + + +Command: /etc/ssh/ssh_host_key_group: stdout: all expectations found: [!/./] + + +Command: fat_live: exit-status: matches expectation: [0] + + +Command: fat_live: stdout: all expectations found: [Passed_Check] + + +Command: cramfs: exit-status: matches expectation: [0] + + +Command: cramfs: stdout: all expectations found: [install /bin/true] + + +Command: passwd_chg_past: exit-status: matches expectation: [1] + + +Command: passwd_chg_past: stdout: all expectations found: [!Failed] + + +Command: modprobe_sctp: exit-status: matches expectation: [0] + + +Command: modprobe_sctp: stdout: patterns not found: [install /bin/true] +Command: modprobe_sctp: stdout: patterns not found: [install /bin/true] + + +Command: suid_dumpable_2: exit-status: doesn't match, expect: [0] found: [1] +Command: suid_dumpable_2: exit-status: doesn't match, expect: [0] found: [1] + + +Command: suid_dumpable_2: stdout: patterns not found: [fs.suid_dumpable = 0] +Command: suid_dumpable_2: stdout: patterns not found: [fs.suid_dumpable = 0] + + +Command: floppy_noexec: exit-status: matches expectation: [0] + + +Command: floppy_noexec: stdout: all expectations found: [Passed_Check] + + +Command: 
suid_dumpable_1: exit-status: matches expectation: [0] + + +Command: suid_dumpable_1: stdout: all expectations found: [fs.suid_dumpable = 0] + + +Command: single_user_1: exit-status: matches expectation: [0] + + +Command: secure_system_accts: exit-status: matches expectation: [1] + + +Command: secure_system_accts: stdout: all expectations found: [!/./] + + +Command: floppy_nosuid: exit-status: matches expectation: [0] + + +Command: floppy_nosuid: stdout: all expectations found: [Passed_Check] + + +Command: cdrom_nodev: exit-status: matches expectation: [0] + + +Command: cdrom_nodev: stdout: all expectations found: [Passed_Check] + + +Command: log_sudoers_d: exit-status: matches expectation: [{"lt":3}] + + +Command: log_sudoers_d: stdout: all expectations found: [/[1:99]/] + + +Command: modprobe_dccp: exit-status: matches expectation: [0] + + +Command: modprobe_dccp: stdout: patterns not found: [install /bin/true] +Command: modprobe_dccp: stdout: patterns not found: [install /bin/true] + + +Command: logfile_configured: exit-status: matches expectation: [0] + + +Command: logfile_configured: stdout: patterns not found: [!/./] +Command: logfile_configured: stdout: patterns not found: [!/./] + + +Command: subscription: exit-status: matches expectation: [{"or":[0,127]}] + + +Command: subscription: stderr: all expectations found: [command not found] + + +Command: msdos: exit-status: matches expectation: [0] + + +Command: msdos: stdout: all expectations found: [install /bin/true] + + +Command: cdrom_nosuid: exit-status: matches expectation: [0] + + +Command: cdrom_nosuid: stdout: all expectations found: [Passed_Check] + + +Command: core_dumps_limits: exit-status: doesn't match, expect: [0] found: [1] +Command: core_dumps_limits: exit-status: doesn't match, expect: [0] found: [1] + + +Command: core_dumps_limits: stdout: patterns not found: [* hard core 0] +Command: core_dumps_limits: stdout: patterns not found: [* hard core 0] + + +Command: udf: exit-status: matches 
expectation: [0] + + +Command: udf: stdout: all expectations found: [install /bin/true] + + +Command: floppy_nodev: exit-status: matches expectation: [0] + + +Command: floppy_nodev: stdout: all expectations found: [Passed_Check] + + +Package: rsh: installed: matches expectation: [false] + + +Command: /etc/ssh/ssh_host_key_perms: exit-status: matches expectation: [0] + + +Command: /etc/ssh/ssh_host_key_perms: stdout: all expectations found: [!/./] + + +Package: net-snmp: installed: matches expectation: [false] + + +Package: crond: installed: doesn't match, expect: [true] found: [false] +Package: crond: installed: doesn't match, expect: [true] found: [false] + + +Package: telnet: installed: matches expectation: [false] + + +Package: ypbind: installed: matches expectation: [false] + + +Package: squid: installed: matches expectation: [false] + + +Package: avahi: installed: matches expectation: [false] + + +Package: xorgs-x11-servers: installed: matches expectation: [false] + + +Package: auditd: installed: doesn't match, expect: [true] found: [false] +Package: auditd: installed: doesn't match, expect: [true] found: [false] + + +Package: chrony: installed: matches expectation: [true] + + +Package: setroubleshoot: installed: matches expectation: [false] + + +Package: cups: installed: matches expectation: [false] + + +Command: kernel_nx: exit-status: matches expectation: [0] + + +Command: kernel_nx: stdout: all expectations found: [kernel: NX (Execute Disable) protection: active] + + +Package: mcstrans: installed: matches expectation: [false] + + +Package: iptables: installed: matches expectation: [true] + + +Package: ypserver: installed: matches expectation: [false] + + +Command: default_zone: exit-status: matches expectation: [0] + + +Command: default_zone: stdout: all expectations found: [public] + + +Package: xinetd: installed: matches expectation: [false] + + +Package: audit-libs: installed: matches expectation: [true] + + +Package: telnet-server: installed: matches 
expectation: [false] + + +Package: bind: installed: matches expectation: [false] + + +Package: firewalld: installed: matches expectation: [true] + + +Package: sudo: installed: matches expectation: [true] + + +Package: prelink: installed: matches expectation: [false] + + +Package: rsyslog: installed: matches expectation: [true] + + +Package: samba: installed: matches expectation: [false] + + +Package: vsftpd: installed: matches expectation: [false] + + +Package: openldap-servers: installed: matches expectation: [false] + + +Package: httpd: installed: matches expectation: [false] + + +Package: talk: installed: matches expectation: [false] + + +Package: openldap-clients: installed: matches expectation: [false] + + +Package: dovecot: installed: matches expectation: [false] + + +Package: dhcp: installed: matches expectation: [false] + + +Service: rsyslog: enabled: matches expectation: [true] + + +Service: rsyslog: running: matches expectation: [true] + + +Service: crond: enabled: matches expectation: [true] + + +Service: crond: running: matches expectation: [true] + + +File: /etc/rsyslog.conf: exists: matches expectation: [true] + + +File: /etc/rsyslog.conf: contains: patterns not found: [$FileCreateMode 06[0:4]0] +File: /etc/rsyslog.conf: contains: patterns not found: [$FileCreateMode 06[0:4]0] + + +File: /etc/security/pwquality.conf: exists: matches expectation: [true] + + +File: /etc/security/pwquality.conf: contains: patterns not found: [dcredit = -1, ucredit = -1, lcredit = -1, ocredit = -1] +File: /etc/security/pwquality.conf: contains: patterns not found: [dcredit = -1, ucredit = -1, lcredit = -1, ocredit = -1] + + +File: /etc/login.defs: exists: matches expectation: [true] + + +File: /etc/login.defs: contains: all expectations found: [/^PASS_WARN_AGE\s*7/, !/^PASS_WARN_AGE\s*[1-6]/] + + +File: /etc/chrony.conf: exists: matches expectation: [true] + + +File: /etc/chrony.conf: contains: all expectations found: [server] + + +File: /etc/ssh/sshd_config: exists: 
matches expectation: [true] + + +File: /etc/ssh/sshd_config: contains: all expectations found: [HostbasedAuthentication no, !/^HostbasedAuthentication yes/] + + +File: /etc/pam.d/password-auth: exists: matches expectation: [true] + + +File: /etc/pam.d/password-auth: contains: patterns not found: [/^password sufficient pam_unix.so sha512 shadow nullok try_first_pass remember=5 user_authtok/] +File: /etc/pam.d/password-auth: contains: patterns not found: [/^password sufficient pam_unix.so sha512 shadow nullok try_first_pass remember=5 user_authtok/] + + +File: /etc/sudoers: exists: matches expectation: [true] + + +File: /etc/sudoers: contains: patterns not found: [/^Defaults logfile=/var/log//, !/^#Defaults logfile=/] +File: /etc/sudoers: contains: patterns not found: [/^Defaults logfile=/var/log//, !/^#Defaults logfile=/] + + +File: /etc/cron.d: exists: matches expectation: [true] + + +File: /etc/cron.d: mode: doesn't match, expect: ["0700"] found: ["0755"] +File: /etc/cron.d: mode: doesn't match, expect: ["0700"] found: ["0755"] + + +File: /etc/cron.d: owner: matches expectation: ["root"] + + +File: /etc/cron.d: group: matches expectation: ["root"] + + +File: /etc/systemd/journald.conf: exists: matches expectation: [true] + + +File: /etc/systemd/journald.conf: contains: patterns not found: [Storage=persistent] +File: /etc/systemd/journald.conf: contains: patterns not found: [Storage=persistent] + + +File: /etc/crontab: exists: matches expectation: [true] + + +File: /etc/crontab: mode: matches expectation: ["0644"] + + +File: /etc/crontab: owner: matches expectation: ["root"] + + +File: /etc/crontab: group: matches expectation: ["root"] + + +File: /etc/issue: exists: matches expectation: [true] + + +File: /etc/issue: mode: matches expectation: ["0644"] + + +File: /etc/issue: owner: matches expectation: ["root"] + + +File: /etc/issue: group: matches expectation: ["root"] + + +File: /etc/issue: contains: all expectations found: [![Cc]ent[Oo][Ss], ![Rr]hel, 
![Rr]ed[Hh]at, !x86_64, ![Ll]inux] + + +File: /etc/sysconfig/chronyd: exists: matches expectation: [true] + + +File: /etc/sysconfig/chronyd: contains: all expectations found: [OPTIONS="-u chrony"] + + +File: /boot/grub2/user.cfg: exists: doesn't match, expect: [true] found: [false] +File: /boot/grub2/user.cfg: exists: doesn't match, expect: [true] found: [false] + + +File: /boot/grub2/user.cfg: mode: skipped + + +File: /boot/grub2/user.cfg: owner: skipped + + +File: /boot/grub2/user.cfg: group: skipped + + +File: /etc/pam.d/system-auth: exists: matches expectation: [true] + + +File: /etc/pam.d/system-auth: contains: patterns not found: [/^password sufficient pam_unix.so sha512 shadow nullok try_first_pass remember=5 user_authtok/] +File: /etc/pam.d/system-auth: contains: patterns not found: [/^password sufficient pam_unix.so sha512 shadow nullok try_first_pass remember=5 user_authtok/] + + +File: /etc/issue.net: exists: matches expectation: [true] + + +File: /etc/issue.net: mode: matches expectation: ["0644"] + + +File: /etc/issue.net: owner: matches expectation: ["root"] + + +File: /etc/issue.net: group: matches expectation: ["root"] + + +File: /etc/issue.net: contains: all expectations found: [![Cc]ent[Oo][Ss], ![Rr]hel, ![Rr]ed[Hh]at, !x86_64, ![Ll]inux] + + +File: /etc/rsyslog.d/*.conf: exists: doesn't match, expect: [true] found: [false] +File: /etc/rsyslog.d/*.conf: exists: doesn't match, expect: [true] found: [false] + + +File: /etc/rsyslog.d/*.conf: contains: skipped + + +File: /etc/motd: exists: matches expectation: [true] + + +File: /etc/motd: mode: matches expectation: ["0644"] + + +File: /etc/motd: owner: matches expectation: ["root"] + + +File: /etc/motd: group: matches expectation: ["root"] + + +File: /etc/motd: contains: all expectations found: [![Cc]ent[Oo][Ss], ![Rr]hel, ![Rr]ed[Hh]at, !x86_64, ![Ll]inux] + + +File: /etc/profile: exists: matches expectation: [true] + + +File: /etc/profile: contains: all expectations found: 
[/^TMOUT=([1-8][0-9]{0,2}|900)/, /^readonly TMOUT/] + + +File: /etc/at.allow: exists: doesn't match, expect: [true] found: [false] +File: /etc/at.allow: exists: doesn't match, expect: [true] found: [false] + + +File: /etc/at.allow: mode: skipped + + +File: /etc/at.allow: owner: skipped + + +File: /etc/at.allow: group: skipped + + +File: /etc/at.deny: exists: doesn't match, expect: [false] found: [true] +File: /etc/at.deny: exists: doesn't match, expect: [false] found: [true] + + +File: /boot/grub2/grub.cfg: exists: matches expectation: [true] + + +File: /boot/grub2/grub.cfg: contains: patterns not found: [GRUB_CMDLINE_LINUX="audit_backlog_limit=2048"] +File: /boot/grub2/grub.cfg: contains: patterns not found: [GRUB_CMDLINE_LINUX="audit_backlog_limit=2048"] + + +File: /etc/audit/auditd.conf: exists: matches expectation: [true] + + +File: /etc/audit/auditd.conf: contains: patterns not found: [space_left_action = email, /^admin_space_left_action = halt/] +File: /etc/audit/auditd.conf: contains: patterns not found: [space_left_action = email, /^admin_space_left_action = halt/] + + +File: /etc/bashrc: exists: matches expectation: [true] + + +File: /etc/bashrc: contains: patterns not found: [/^TMOUT=([1-8][0-9]{0,2}|900)/, /^readonly TMOUT/] +File: /etc/bashrc: contains: patterns not found: [/^TMOUT=([1-8][0-9]{0,2}|900)/, /^readonly TMOUT/] + + +root: exists: Error: Missing Required Attribute +root: exists: Error: Missing Required Attribute + + +User: root: uid: skipped + + +User: root: gid: skipped + + +KernelParam: net.ipv4.conf.all.log_martians: value: doesn't match, expect: ["1"] found: ["0"] +KernelParam: net.ipv4.conf.all.log_martians: value: doesn't match, expect: ["1"] found: ["0"] + + +KernelParam: net.ipv4.conf.all.send_redirects: value: doesn't match, expect: ["0"] found: ["1"] +KernelParam: net.ipv4.conf.all.send_redirects: value: doesn't match, expect: ["0"] found: ["1"] + + +KernelParam: net.ipv4.conf.default.send_redirects: value: doesn't match, expect: 
["0"] found: ["1"] +KernelParam: net.ipv4.conf.default.send_redirects: value: doesn't match, expect: ["0"] found: ["1"] + + +KernelParam: net.ipv4.conf.all.secure_redirects: value: doesn't match, expect: ["0"] found: ["1"] +KernelParam: net.ipv4.conf.all.secure_redirects: value: doesn't match, expect: ["0"] found: ["1"] + + +KernelParam: net.ipv4.conf.all.accept_redirects: value: doesn't match, expect: ["0"] found: ["1"] +KernelParam: net.ipv4.conf.all.accept_redirects: value: doesn't match, expect: ["0"] found: ["1"] + + +KernelParam: net.ipv6.conf.all.accept_ra: value: doesn't match, expect: ["0"] found: ["1"] +KernelParam: net.ipv6.conf.all.accept_ra: value: doesn't match, expect: ["0"] found: ["1"] + + +KernelParam: net.ipv4.conf.default.log_martians: value: doesn't match, expect: ["1"] found: ["0"] +KernelParam: net.ipv4.conf.default.log_martians: value: doesn't match, expect: ["1"] found: ["0"] + + +KernelParam: net.ipv4.tcp_syncookies: value: matches expectation: ["1"] + + +KernelParam: net.ipv4.icmp_echo_ignore_broadcasts: value: matches expectation: ["1"] + + +KernelParam: net.ipv6.conf.default.accept_source_route: value: matches expectation: ["0"] + + +KernelParam: net.ipv6.conf.all.forwarding: value: matches expectation: ["0"] + + +KernelParam: net.ipv4.conf.all.accept_source_route: value: matches expectation: ["0"] + + +KernelParam: net.ipv4.conf.default.accept_source_route: value: matches expectation: ["0"] + + +KernelParam: net.ipv4.conf.default.secure_redirects: value: doesn't match, expect: ["0"] found: ["1"] +KernelParam: net.ipv4.conf.default.secure_redirects: value: doesn't match, expect: ["0"] found: ["1"] + + +KernelParam: net.ipv6.conf.all.accept_source_route: value: matches expectation: ["0"] + + +KernelParam: net.ipv6.conf.all.accept_redirects: value: doesn't match, expect: ["0"] found: ["1"] +KernelParam: net.ipv6.conf.all.accept_redirects: value: doesn't match, expect: ["0"] found: ["1"] + + +KernelParam: 
net.ipv4.icmp_ignore_bogus_error_responses: value: matches expectation: ["1"] + + +KernelParam: net.ipv4.conf.all.rp_filter: value: matches expectation: ["1"] + + +KernelParam: net.ipv4.ip_forward: value: matches expectation: ["0"] + + +KernelParam: net.ipv4.conf.default.accept_redirects: value: doesn't match, expect: ["0"] found: ["1"] +KernelParam: net.ipv4.conf.default.accept_redirects: value: doesn't match, expect: ["0"] found: ["1"] + + +KernelParam: net.ipv6.conf.default.accept_redirects: value: doesn't match, expect: ["0"] found: ["1"] +KernelParam: net.ipv6.conf.default.accept_redirects: value: doesn't match, expect: ["0"] found: ["1"] + + +KernelParam: net.ipv6.conf.default.accept_ra: value: doesn't match, expect: ["0"] found: ["1"] +KernelParam: net.ipv6.conf.default.accept_ra: value: doesn't match, expect: ["0"] found: ["1"] + + +Mount: /tmp: exists: matches expectation: [true] + + +Mount: /tmp: opts: doesn't match, expect: [["noexec","nodev","nosuid"]] found: [["rw","nodev","noexec","relatime"]] +Mount: /tmp: opts: doesn't match, expect: [["noexec","nodev","nosuid"]] found: [["rw","nodev","noexec","relatime"]] + + +Mount: /dev/shm: exists: matches expectation: [true] + + +Mount: /dev/shm: opts: doesn't match, expect: [["noexec","nodev","nosuid"]] found: [["rw","nosuid","nodev"]] +Mount: /dev/shm: opts: doesn't match, expect: [["noexec","nodev","nosuid"]] found: [["rw","nosuid","nodev"]] + + +Mount: /var: exists: matches expectation: [true] + + +Mount: /var/tmp: exists: doesn't match, expect: [true] found: [false] +Mount: /var/tmp: exists: doesn't match, expect: [true] found: [false] + + +Mount: /var/tmp: opts: skipped + + +Mount: /var/log: exists: matches expectation: [true] + + +Mount: /var/log/audit: exists: doesn't match, expect: [true] found: [false] +Mount: /var/log/audit: exists: doesn't match, expect: [true] found: [false] + + +Mount: /home: exists: matches expectation: [true] + + +Mount: /home: opts: matches expectation: [["nodev"]] + + 
+Command: sticky_bit: exit-status: matches expectation: [0] + + +Command: sticky_bit: stdout: all expectations found: [!/./] + + +Service: autofs: enabled: matches expectation: [false] + + +Service: autofs: running: matches expectation: [false] + + +Service: rhnsd: enabled: matches expectation: [false] + + +Service: rhnsd: running: matches expectation: [false] + + +Service: coredump: enabled: matches expectation: [false] + + +Service: coredump: running: matches expectation: [false] + + +Service: firewalld: enabled: matches expectation: [true] + + +Service: firewalld: running: matches expectation: [true] + + +Service: auditd: enabled: matches expectation: [true] + + +Service: auditd: running: matches expectation: [true] + + +Command: repos_configured: exit-status: matches expectation: [0] + + +Command: nic_assigned: exit-status: matches expectation: [0] + + +Command: nic_assigned: stdout: all expectations found: [ens192] + + +Command: security-updates: exit-status: doesn't match, expect: [0] found: [100] +Command: security-updates: exit-status: doesn't match, expect: [0] found: [100] + + +Command: security-updates: stdout: all expectations found: [![0-9].* packages available] + + diff --git a/outputs/nagios_output b/outputs/nagios_output new file mode 100644 index 0000000..ee78f96 --- /dev/null +++ b/outputs/nagios_output @@ -0,0 +1 @@ +GOSS CRITICAL - Count: 230, Failed: 46, Skipped: 10, Duration: 6.975s diff --git a/outputs/tap_output b/outputs/tap_output new file mode 100644 index 0000000..908d1b9 --- /dev/null +++ b/outputs/tap_output 
@@ -0,0 +1,231 @@ +1..230 +ok 1 - Command: secure_system_accts: exit-status: matches expectation: [1] +ok 2 - Command: secure_system_accts: stdout: all expectations found: [!/./] +ok 3 - Command: floppy_nodev: exit-status: matches expectation: [0] +ok 4 - Command: floppy_nodev: stdout: all expectations found: [Passed_Check] +ok 5 - Command: cdrom_noexec: exit-status: matches expectation: [0] +ok 6 - Command: cdrom_noexec: stdout: all expectations found: [Passed_Check] +ok 7 - Command: subscription: exit-status: matches expectation: [{"or":[0,127]}] +ok 8 - Command: subscription: stderr: all expectations found: [command not found] +ok 9 - Command: suid_dumpable_1: exit-status: matches expectation: [0] +ok 10 - Command: suid_dumpable_1: stdout: all expectations found: [fs.suid_dumpable = 0] +ok 11 - Command: gpg_check_global: exit-status: matches expectation: [0] +ok 12 - Command: msdos: exit-status: matches expectation: [0] +ok 13 - Command: msdos: stdout: all expectations found: [install /bin/true] +not ok 14 - Command: check_timeout: exit-status: doesn't match, expect: [0] found: [2] +ok 15 - Command: check_timeout: stdout: all expectations found: [!/./] +ok 16 - Command: auditd_grub: exit-status: matches expectation: [0] +not ok 17 - Command: auditd_grub: stdout: patterns not found: [!/./] +ok 18 - Command: inactive_passwd: exit-status: matches expectation: [0] +ok 19 - Command: inactive_passwd: stdout: all expectations found: [/^INACTIVE=[1-30]/] +ok 20 - Command: single_user_2: exit-status: matches expectation: [0] +not ok 21 - Command: aslr_enabled_2: exit-status: doesn't match, expect: [0] found: [1] +not ok 22 - Command: aslr_enabled_2: stdout: patterns not found: [kernel.randomize_va_space = 2] +ok 23 - Command: floppy_noexec: exit-status: matches expectation: [0] +ok 24 - Command: floppy_noexec: stdout: all expectations found: [Passed_Check] +ok 25 - Command: logfile_configured: exit-status: matches expectation: [0] +not ok 26 - Command: 
logfile_configured: stdout: patterns not found: [!/./] +ok 27 - Command: vfat: exit-status: matches expectation: [0] +ok 28 - Command: vfat: stdout: all expectations found: [install /bin/true] +ok 29 - Command: modprobe_dccp: exit-status: matches expectation: [0] +not ok 30 - Command: modprobe_dccp: stdout: patterns not found: [install /bin/true] +ok 31 - Command: squashfs: exit-status: matches expectation: [0] +ok 32 - Command: squashfs: stdout: all expectations found: [install /bin/true] +ok 33 - Command: passwd_chg_past: exit-status: matches expectation: [1] +ok 34 - Command: passwd_chg_past: stdout: all expectations found: [!Failed] +ok 35 - Command: /etc/ssh/ssh_host_key_user: exit-status: matches expectation: [0] +ok 36 - Command: /etc/ssh/ssh_host_key_user: stdout: all expectations found: [!/./] +not ok 37 - Command: suid_dumpable_2: exit-status: doesn't match, expect: [0] found: [1] +not ok 38 - Command: suid_dumpable_2: stdout: patterns not found: [fs.suid_dumpable = 0] +ok 39 - Command: iwconfig: exit-status: matches expectation: [127] +ok 40 - Command: fat: exit-status: matches expectation: [0] +ok 41 - Command: fat: stdout: all expectations found: [install /bin/true] +ok 42 - Command: aslr_enabled_1: exit-status: matches expectation: [0] +ok 43 - Command: aslr_enabled_1: stdout: all expectations found: [kernel.randomize_va_space = 2] +ok 44 - Command: mta_installed: exit-status: matches expectation: [1] +ok 45 - Command: mta_installed: stdout: all expectations found: [!/./] +ok 46 - Command: inactive_users: exit-status: matches expectation: [0] +not ok 47 - Command: inactive_users: stdout: patterns not found: [!/./] +ok 48 - Command: cdrom_nodev: exit-status: matches expectation: [0] +ok 49 - Command: cdrom_nodev: stdout: all expectations found: [Passed_Check] +ok 50 - Command: pty_sudoers_d: exit-status: matches expectation: [0] +ok 51 - Command: pty_sudoers_d: stdout: all expectations found: [/[1-99]/] +ok 52 - Command: secure_system_LK: exit-status: 
matches expectation: [1] +ok 53 - Command: secure_system_LK: stdout: all expectations found: [0] +ok 54 - Command: modprobe_sctp: exit-status: matches expectation: [0] +not ok 55 - Command: modprobe_sctp: stdout: patterns not found: [install /bin/true] +ok 56 - Command: gpg_keys: exit-status: matches expectation: [0] +not ok 57 - Command: core_dumps_limits: exit-status: doesn't match, expect: [0] found: [1] +not ok 58 - Command: core_dumps_limits: stdout: patterns not found: [* hard core 0] +ok 59 - Command: floppy_nosuid: exit-status: matches expectation: [0] +ok 60 - Command: floppy_nosuid: stdout: all expectations found: [Passed_Check] +ok 61 - Command: gpg_check_repo: exit-status: matches expectation: [0] +ok 62 - Command: fat_live: exit-status: matches expectation: [0] +ok 63 - Command: fat_live: stdout: all expectations found: [Passed_Check] +ok 64 - Command: cdrom_nosuid: exit-status: matches expectation: [0] +ok 65 - Command: cdrom_nosuid: stdout: all expectations found: [Passed_Check] +ok 66 - Command: cramfs: exit-status: matches expectation: [0] +ok 67 - Command: cramfs: stdout: all expectations found: [install /bin/true] +ok 68 - Command: single_user_1: exit-status: matches expectation: [0] +ok 69 - Command: /etc/ssh/ssh_host_key_perms: exit-status: matches expectation: [0] +ok 70 - Command: /etc/ssh/ssh_host_key_perms: stdout: all expectations found: [!/./] +ok 71 - Command: /etc/ssh/ssh_host_key_group: exit-status: matches expectation: [0] +ok 72 - Command: /etc/ssh/ssh_host_key_group: stdout: all expectations found: [!/./] +ok 73 - Command: log_sudoers_d: exit-status: matches expectation: [{"lt":3}] +ok 74 - Command: log_sudoers_d: stdout: all expectations found: [/[1:99]/] +ok 75 - Command: udf: exit-status: matches expectation: [0] +ok 76 - Command: udf: stdout: all expectations found: [install /bin/true] +ok 77 - Package: xorgs-x11-servers: installed: matches expectation: [false] +ok 78 - Package: setroubleshoot: installed: matches expectation: 
[false] +ok 79 - Package: sudo: installed: matches expectation: [true] +ok 80 - Package: bind: installed: matches expectation: [false] +ok 81 - Package: avahi: installed: matches expectation: [false] +ok 82 - Package: dovecot: installed: matches expectation: [false] +not ok 83 - Package: auditd: installed: doesn't match, expect: [true] found: [false] +ok 84 - Package: xinetd: installed: matches expectation: [false] +ok 85 - Package: ypserver: installed: matches expectation: [false] +ok 86 - Package: firewalld: installed: matches expectation: [true] +ok 87 - Package: dhcp: installed: matches expectation: [false] +ok 88 - Package: openldap-servers: installed: matches expectation: [false] +ok 89 - Package: telnet: installed: matches expectation: [false] +ok 90 - Package: openldap-clients: installed: matches expectation: [false] +ok 91 - Command: kernel_nx: exit-status: matches expectation: [0] +ok 92 - Command: kernel_nx: stdout: all expectations found: [kernel: NX (Execute Disable) protection: active] +ok 93 - Package: net-snmp: installed: matches expectation: [false] +ok 94 - Package: mcstrans: installed: matches expectation: [false] +ok 95 - Package: cups: installed: matches expectation: [false] +ok 96 - Package: iptables: installed: matches expectation: [true] +ok 97 - Package: vsftpd: installed: matches expectation: [false] +ok 98 - Package: talk: installed: matches expectation: [false] +ok 99 - Package: audit-libs: installed: matches expectation: [true] +ok 100 - Package: samba: installed: matches expectation: [false] +ok 101 - Command: sticky_bit: exit-status: matches expectation: [0] +ok 102 - Command: sticky_bit: stdout: all expectations found: [!/./] +ok 103 - Package: httpd: installed: matches expectation: [false] +ok 104 - Package: prelink: installed: matches expectation: [false] +ok 105 - Package: squid: installed: matches expectation: [false] +ok 106 - Package: chrony: installed: matches expectation: [true] +ok 107 - Package: ypbind: installed: matches 
expectation: [false] +ok 108 - Package: telnet-server: installed: matches expectation: [false] +ok 109 - Package: rsh: installed: matches expectation: [false] +ok 110 - Package: rsyslog: installed: matches expectation: [true] +not ok 111 - Package: crond: installed: doesn't match, expect: [true] found: [false] +ok 112 - Service: crond: enabled: matches expectation: [true] +ok 113 - Service: crond: running: matches expectation: [true] +ok 114 - Command: repos_configured: exit-status: matches expectation: [0] +ok 115 - File: /etc/cron.d: exists: matches expectation: [true] +not ok 116 - File: /etc/cron.d: mode: doesn't match, expect: ["0700"] found: ["0755"] +ok 117 - File: /etc/cron.d: owner: matches expectation: ["root"] +ok 118 - File: /etc/cron.d: group: matches expectation: ["root"] +ok 119 - File: /etc/ssh/sshd_config: exists: matches expectation: [true] +ok 120 - File: /etc/ssh/sshd_config: contains: all expectations found: [HostbasedAuthentication no, !/^HostbasedAuthentication yes/] +ok 121 - File: /etc/bashrc: exists: matches expectation: [true] +not ok 122 - File: /etc/bashrc: contains: patterns not found: [/^TMOUT=([1-8][0-9]{0,2}|900)/, /^readonly TMOUT/] +ok 123 - File: /etc/issue.net: exists: matches expectation: [true] +ok 124 - File: /etc/issue.net: mode: matches expectation: ["0644"] +ok 125 - File: /etc/issue.net: owner: matches expectation: ["root"] +ok 126 - File: /etc/issue.net: group: matches expectation: ["root"] +ok 127 - File: /etc/issue.net: contains: all expectations found: [![Cc]ent[Oo][Ss], ![Rr]hel, ![Rr]ed[Hh]at, !x86_64, ![Ll]inux] +ok 128 - File: /etc/systemd/journald.conf: exists: matches expectation: [true] +not ok 129 - File: /etc/systemd/journald.conf: contains: patterns not found: [Storage=persistent] +ok 130 - File: /etc/sudoers: exists: matches expectation: [true] +not ok 131 - File: /etc/sudoers: contains: patterns not found: [/^Defaults logfile=/var/log//, !/^#Defaults logfile=/] +not ok 132 - File: /boot/grub2/user.cfg: 
exists: doesn't match, expect: [true] found: [false] +ok 133 - # SKIP File: /boot/grub2/user.cfg: mode: skipped +ok 134 - # SKIP File: /boot/grub2/user.cfg: owner: skipped +ok 135 - # SKIP File: /boot/grub2/user.cfg: group: skipped +ok 136 - File: /etc/issue: exists: matches expectation: [true] +ok 137 - File: /etc/issue: mode: matches expectation: ["0644"] +ok 138 - File: /etc/issue: owner: matches expectation: ["root"] +ok 139 - File: /etc/issue: group: matches expectation: ["root"] +ok 140 - File: /etc/issue: contains: all expectations found: [![Cc]ent[Oo][Ss], ![Rr]hel, ![Rr]ed[Hh]at, !x86_64, ![Ll]inux] +ok 141 - File: /boot/grub2/grub.cfg: exists: matches expectation: [true] +not ok 142 - File: /boot/grub2/grub.cfg: contains: patterns not found: [GRUB_CMDLINE_LINUX="audit_backlog_limit=2048"] +ok 143 - File: /etc/rsyslog.conf: exists: matches expectation: [true] +not ok 144 - File: /etc/rsyslog.conf: contains: patterns not found: [$FileCreateMode 06[0:4]0] +not ok 145 - File: /etc/at.deny: exists: doesn't match, expect: [false] found: [true] +ok 146 - File: /etc/motd: exists: matches expectation: [true] +ok 147 - File: /etc/motd: mode: matches expectation: ["0644"] +ok 148 - File: /etc/motd: owner: matches expectation: ["root"] +ok 149 - File: /etc/motd: group: matches expectation: ["root"] +ok 150 - File: /etc/motd: contains: all expectations found: [![Cc]ent[Oo][Ss], ![Rr]hel, ![Rr]ed[Hh]at, !x86_64, ![Ll]inux] +not ok 151 - File: /etc/rsyslog.d/*.conf: exists: doesn't match, expect: [true] found: [false] +ok 152 - # SKIP File: /etc/rsyslog.d/*.conf: contains: skipped +ok 153 - File: /etc/security/pwquality.conf: exists: matches expectation: [true] +not ok 154 - File: /etc/security/pwquality.conf: contains: patterns not found: [dcredit = -1, ucredit = -1, lcredit = -1, ocredit = -1] +ok 155 - File: /etc/profile: exists: matches expectation: [true] +ok 156 - File: /etc/profile: contains: all expectations found: [/^TMOUT=([1-8][0-9]{0,2}|900)/, /^readonly 
TMOUT/] +ok 157 - File: /etc/crontab: exists: matches expectation: [true] +ok 158 - File: /etc/crontab: mode: matches expectation: ["0644"] +ok 159 - File: /etc/crontab: owner: matches expectation: ["root"] +ok 160 - File: /etc/crontab: group: matches expectation: ["root"] +ok 161 - File: /etc/pam.d/system-auth: exists: matches expectation: [true] +not ok 162 - File: /etc/pam.d/system-auth: contains: patterns not found: [/^password sufficient pam_unix.so sha512 shadow nullok try_first_pass remember=5 user_authtok/] +ok 163 - File: /etc/sysconfig/chronyd: exists: matches expectation: [true] +ok 164 - File: /etc/sysconfig/chronyd: contains: all expectations found: [OPTIONS="-u chrony"] +ok 165 - File: /etc/pam.d/password-auth: exists: matches expectation: [true] +not ok 166 - File: /etc/pam.d/password-auth: contains: patterns not found: [/^password sufficient pam_unix.so sha512 shadow nullok try_first_pass remember=5 user_authtok/] +not ok 167 - File: /etc/at.allow: exists: doesn't match, expect: [true] found: [false] +ok 168 - # SKIP File: /etc/at.allow: mode: skipped +ok 169 - # SKIP File: /etc/at.allow: owner: skipped +ok 170 - # SKIP File: /etc/at.allow: group: skipped +ok 171 - File: /etc/login.defs: exists: matches expectation: [true] +ok 172 - File: /etc/login.defs: contains: all expectations found: [/^PASS_WARN_AGE\s*7/, !/^PASS_WARN_AGE\s*[1-6]/] +ok 173 - File: /etc/chrony.conf: exists: matches expectation: [true] +ok 174 - File: /etc/chrony.conf: contains: all expectations found: [server] +ok 175 - File: /etc/audit/auditd.conf: exists: matches expectation: [true] +not ok 176 - File: /etc/audit/auditd.conf: contains: patterns not found: [space_left_action = email, /^admin_space_left_action = halt/] +not ok 177 - root: exists: Error: Missing Required Attribute +ok 178 - # SKIP User: root: uid: skipped +ok 179 - # SKIP User: root: gid: skipped +ok 180 - KernelParam: net.ipv4.tcp_syncookies: value: matches expectation: ["1"] +ok 181 - KernelParam: 
net.ipv6.conf.all.forwarding: value: matches expectation: ["0"] +not ok 182 - KernelParam: net.ipv4.conf.default.log_martians: value: doesn't match, expect: ["1"] found: ["0"] +ok 183 - KernelParam: net.ipv4.conf.all.rp_filter: value: matches expectation: ["1"] +not ok 184 - KernelParam: net.ipv6.conf.all.accept_ra: value: doesn't match, expect: ["0"] found: ["1"] +not ok 185 - KernelParam: net.ipv4.conf.all.send_redirects: value: doesn't match, expect: ["0"] found: ["1"] +not ok 186 - KernelParam: net.ipv4.conf.all.secure_redirects: value: doesn't match, expect: ["0"] found: ["1"] +not ok 187 - KernelParam: net.ipv4.conf.all.log_martians: value: doesn't match, expect: ["1"] found: ["0"] +ok 188 - KernelParam: net.ipv6.conf.all.accept_source_route: value: matches expectation: ["0"] +not ok 189 - KernelParam: net.ipv4.conf.default.accept_redirects: value: doesn't match, expect: ["0"] found: ["1"] +not ok 190 - KernelParam: net.ipv4.conf.default.secure_redirects: value: doesn't match, expect: ["0"] found: ["1"] +not ok 191 - KernelParam: net.ipv4.conf.default.send_redirects: value: doesn't match, expect: ["0"] found: ["1"] +ok 192 - KernelParam: net.ipv6.conf.default.accept_source_route: value: matches expectation: ["0"] +ok 193 - Service: autofs: enabled: matches expectation: [false] +ok 194 - Service: autofs: running: matches expectation: [false] +ok 195 - Command: default_zone: exit-status: matches expectation: [0] +ok 196 - Command: default_zone: stdout: all expectations found: [public] +ok 197 - KernelParam: net.ipv4.conf.all.accept_source_route: value: matches expectation: ["0"] +not ok 198 - KernelParam: net.ipv4.conf.all.accept_redirects: value: doesn't match, expect: ["0"] found: ["1"] +not ok 199 - KernelParam: net.ipv6.conf.all.accept_redirects: value: doesn't match, expect: ["0"] found: ["1"] +ok 200 - KernelParam: net.ipv4.icmp_ignore_bogus_error_responses: value: matches expectation: ["1"] +ok 201 - KernelParam: 
net.ipv4.conf.default.accept_source_route: value: matches expectation: ["0"] +ok 202 - KernelParam: net.ipv4.ip_forward: value: matches expectation: ["0"] +ok 203 - KernelParam: net.ipv4.icmp_echo_ignore_broadcasts: value: matches expectation: ["1"] +not ok 204 - KernelParam: net.ipv6.conf.default.accept_redirects: value: doesn't match, expect: ["0"] found: ["1"] +not ok 205 - KernelParam: net.ipv6.conf.default.accept_ra: value: doesn't match, expect: ["0"] found: ["1"] +ok 206 - Mount: /home: exists: matches expectation: [true] +ok 207 - Mount: /home: opts: matches expectation: [["nodev"]] +ok 208 - Mount: /var: exists: matches expectation: [true] +not ok 209 - Mount: /var/tmp: exists: doesn't match, expect: [true] found: [false] +ok 210 - # SKIP Mount: /var/tmp: opts: skipped +ok 211 - Mount: /tmp: exists: matches expectation: [true] +not ok 212 - Mount: /tmp: opts: doesn't match, expect: [["noexec","nodev","nosuid"]] found: [["rw","nodev","noexec","relatime"]] +ok 213 - Mount: /dev/shm: exists: matches expectation: [true] +not ok 214 - Mount: /dev/shm: opts: doesn't match, expect: [["noexec","nodev","nosuid"]] found: [["rw","nosuid","nodev"]] +ok 215 - Mount: /var/log: exists: matches expectation: [true] +not ok 216 - Mount: /var/log/audit: exists: doesn't match, expect: [true] found: [false] +ok 217 - Service: firewalld: enabled: matches expectation: [true] +ok 218 - Service: firewalld: running: matches expectation: [true] +ok 219 - Service: rhnsd: enabled: matches expectation: [false] +ok 220 - Service: rhnsd: running: matches expectation: [false] +ok 221 - Service: coredump: enabled: matches expectation: [false] +ok 222 - Service: coredump: running: matches expectation: [false] +ok 223 - Service: auditd: enabled: matches expectation: [true] +ok 224 - Service: auditd: running: matches expectation: [true] +ok 225 - Service: rsyslog: enabled: matches expectation: [true] +ok 226 - Service: rsyslog: running: matches expectation: [true] +ok 227 - Command: 
nic_assigned: exit-status: matches expectation: [0] +ok 228 - Command: nic_assigned: stdout: all expectations found: [ens192] +not ok 229 - Command: security-updates: exit-status: doesn't match, expect: [0] found: [100] +ok 230 - Command: security-updates: stdout: all expectations found: [![0-9].* packages available] diff --git a/run_audit.sh b/run_audit.sh new file mode 100755 index 0000000..908a40a --- /dev/null +++ b/run_audit.sh 
@@ -0,0 +1,174 @@
+#! /bin/bash
+# script to run audit while populating local host data
+# 13th Sept 2021 - Initial
+# 9th Nov 2021 - Added root user check - more posix compliant for multiple OS types
+# 10 Dec 2021 - Enhanced so more linux OS agnostic, less input required
+# - added vars options for bespoke vars file
+# - Ability to run as script from remediation role increased consistency
+# 17 Dec 2021 - Added system_type variable - default Server will change to workstations with -w switch
+
+#!/bin/bash
+
+
+# Variables in upper case tend to be able to be adjusted
+# lower case variables are discovered or built from other variables
+
+# Goss Variables
+BENCHMARK=CIS # Benchmark Name aligns to the audit
+AUDIT_BIN=/usr/local/bin/goss # location of the goss executable
+AUDIT_FILE=goss.yml # the default goss file used by the audit provided by the audit configuration
+AUDIT_CONTENT_LOCATION=/var/tmp # Location of the audit configuration file as available to the OS
+
+# help output
+Help()
+{
+ # Display Help
+ echo "Script to run the goss audit"
+ echo
+ echo "Syntax: $0 [-g|-o|-v|-w|-h]"
+ echo "options:"
+ echo "-g optional - Add a group that the server should be grouped with (default value = ungrouped)"
+ echo "-o optional - file to output audit data"
+ echo "-v optional - relative path to thevars file to load (default e.g. $AUDIT_CONTENT_LOCATION/RHEL7-$BENCHMARK/vars/$BENCHMARK.yml)"
+ echo "-w optional - Sets the system_type to workstation (Default - Server)"
+ echo "-h Print this Help."
+ echo
+}
+
+
+# Default vars that can be set
+system_type=Server
+
+## option statement
+while getopts g:o:v::wh option; do
+ case "${option}" in
+ g ) GROUP=${OPTARG} ;;
+ o ) OUTFILE=${OPTARG} ;;
+ v ) VARS_PATH=${OPTARG} ;;
+ w ) system_type=Workstation ;;
+ h ) # display Help
+ Help
+ exit;;
+ ? ) # Invalid option
+ echo "Invalid option: -${OPTARG}."
+ Help
+ exit;;
+ esac
+done
+
+#### Pre-Checks
+
+# check access need to run as root or privileges due to some configuration access
+if [ $(/usr/bin/id -u) -ne 0 ]; then
+ echo "Script need to run with root privileges"
+ exit 1
+fi
+
+
+#### Main Script
+
+
+# Discover OS version aligning with audit
+# Define os_vendor variable
+if [ `grep -c rhel /etc/os-release` != 0 ]; then
+ os_vendor="RHEL"
+else
+ os_vendor=`hostnamectl | grep Oper | cut -d : -f2 | awk '{print $1}' | tr a-z A-Z`
+fi
+
+os_maj_ver=`grep -w VERSION_ID= /etc/os-release | awk -F\" '{print $2}' | cut -d '.' -f1`
+audit_content_version=$os_vendor$os_maj_ver-$BENCHMARK-Audit
+audit_content_dir=$AUDIT_CONTENT_LOCATION/$audit_content_version
+audit_vars=vars/${BENCHMARK}.yml
+
+# Set variable for autogroup
+if [ -z $GROUP ]; then
+ export auto_group="ungrouped"
+else
+ export auto_group=$GROUP
+fi
+
+# set default variable for varfile_path
+if [ -z "$VARS_PATH" ]; then
+ export varfile_path=$audit_content_dir/$audit_vars
+ else
+ # Check -v exists fail if not
+ if [ -f "$VARS_PATH" ]; then
+ export varfile_path=$VARS_PATH
+ else
+ echo "passed option '-v' $VARS_PATH does not exist"
+ exit 1
+ fi
+fi
+
+
+## System variables captured for metadata
+
+machine_uuid=`if [ ! 
-z /sys/class/dmi/id/product_uuid ]; then cat /sys/class/dmi/id/product_uuid; else dmidecode -s system-uuid; fi`
+epoch=`date +%s`
+os_locale=`date +%Z`
+os_name=`grep "^NAME=" /etc/os-release | cut -d '"' -f2 | sed 's/ //' | cut -d ' ' -f1`
+os_version=`grep "^VERSION_ID=" /etc/os-release | cut -d '"' -f2`
+os_hostname=`hostname`
+
+## Set variable audit_out
+if [ -z $OUTFILE ]; then
+ export audit_out=$AUDIT_CONTENT_LOCATION/audit_$os_hostname_$epoch.json
+else
+ export audit_out=$OUTFILE
+fi
+
+
+## Set the AUDIT json string
+audit_json_vars='{"benchmark":"'"$BENCHMARK"'","machine_uuid":"'"$machine_uuid"'","epoch":"'"$epoch"'","os_locale":"'"$os_locale"'","os_release":"'"$os_version"'","os_distribution":"'"$os_name"'","os_hostname":"'"$os_hostname"'","auto_group":"'"$auto_group"'","system_type":"'"$system_type"'"}'
+
+## Run pre checks
+
+echo
+echo "## Pre-Checks Start"
+echo
+
+export FAILURE=0
+if [ -s "$AUDIT_BIN" ]; then
+ echo "OK Audit binary $AUDIT_BIN is available"
+else
+ echo "WARNING - The audit binary is not available at $AUDIT_BIN "; export FAILURE=1
+fi
+
+if [ -f "$audit_content_dir/$AUDIT_FILE" ]; then
+ echo "OK $audit_content_dir/$AUDIT_FILE is available"
+else
+ echo "WARNING - the $audit_content_dir/$AUDIT_FILE is not available"; export FAILURE=2
+fi
+
+
+if [ `echo $FAILURE` != 0 ]; then
+ echo "## Pre-checks failed please see output"
+ exit 1
+else
+ echo
+ echo "## Pre-checks Successful"
+ echo
+fi
+
+
+## Run commands
+echo "#############"
+echo "Audit Started"
+echo "#############"
+echo
+$AUDIT_BIN -g $audit_content_dir/$AUDIT_FILE --vars $varfile_path --vars-inline $audit_json_vars v -f json -o pretty > $audit_out
+
+# create screen output
+if [ `grep -c $BENCHMARK $audit_out` != 0 ]; then
+echo "
+`tail -7 $audit_out`
+
+Completed file can be found at $audit_out"
+echo "###############"
+echo "Audit Completed"
+echo "###############"
+
+else
+ echo "Fail Audit - There were issues when running the audit please investigate $audit_out"
+fi
\ No newline at end of file
diff --git a/section_1/cis_1.1/cis_1.1.1.1_4.yml b/section_1/cis_1.1/cis_1.1.1.1_4.yml
new file mode 100644
index 0000000..1c5947d
--- /dev/null
+++ b/section_1/cis_1.1/cis_1.1.1.1_4.yml
@@ -0,0 +1,73 @@
+command:
+ {{ if .Vars.rhel9cis_rule_1_1_1_1 }}
+ cramfs:
+ title: 1.1.1.1 | L1 | Ensure mounting of cramfs filesystems is disabled
+ exit-status: 0
+ exec: "modprobe -n -v cramfs | grep -E '(cramfs|install)'"
+ stdout:
+ - install /bin/true
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID: 1.1.1.1
+ CISv8:
+ - 4.1
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ {{ end }}
+ {{ if .Vars.rhel9cis_rule_1_1_1_3 }}
+ squashfs:
+ title: 1.1.1.3 | L1 | Ensure mounting of squashfs filesystems is disabled
+ exit-status: 0
+ exec: "modprobe -n -v squashfs | grep -E '(squashfs|install)'"
+ stdout:
+ - install /bin/true
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID: 1.1.1.3
+ CISv8:
+ - 4.1
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ {{ end }}
+ {{ if .Vars.rhel9cis_rule_1_1_1_4 }}
+ udf:
+ title: 1.1.1.4 | L1 | Ensure mounting of udf filesystems is disabled
+ exit-status: 0
+ exec: "modprobe -n -v udf | grep -E '(udf|install)'"
+ stdout:
+ - install /bin/true
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID: 1.1.1.4
+ CISv8:
+ - 4.1
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ {{ end }}
+{{ if .Vars.rhel9cis_level_2 }}
+ {{ if .Vars.rhel9cis_legacy_boot }}
+ vfat:
+ {{ if .Vars.rhel9cis_rule_1_1_1_2 }}
+ title: 1.1.1.2 | L2 | Ensure mounting of fat filesystems is disabled
+ exit-status: 0
+ exec: "modprobe -n -v vfat | grep -E '(vfat|install)'"
+ stdout:
+ - install /bin/true
+ meta:
+ server: 2
+ workstation: 2
+ CIS_ID: 1.1.1.2
+ CISv8:
+ - 4.1
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
+ {{ end }}
+ {{ end }}
+{{ end }}
diff --git a/section_1/cis_1.1/cis_1.1.11_13.yml b/section_1/cis_1.1/cis_1.1.11_13.yml
new file mode 100644
index 0000000..8f3b8a2
--- /dev/null
+++ b/section_1/cis_1.1/cis_1.1.11_13.yml
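Review bot: `$AUDIT_BIN -g $audit_content_dir/$AUDIT_FILE ...` runs goss as root on content taken from `AUDIT_CONTENT_LOCATION=/var/tmp`, a world-writable directory, and the `exec:` entries in that content also run as root, so the pre-check block should verify that `$audit_content_dir` and `$AUDIT_BIN` are root-owned and not group/world-writable (e.g. `[ "$(stat -c %U "$audit_content_dir")" = root ]`) before they are handed to goss; the result written by `> $audit_out` lands in the same directory under a predictable name, so an output location that only root can write would be safer as the default. Separately, `audit_$os_hostname_$epoch.json` expands the undefined variable `os_hostname_`, so the default file name silently drops the hostname; write `audit_${os_hostname}_$epoch.json`. `[ ! -z /sys/class/dmi/id/product_uuid ]` tests a non-empty literal string and is always true, so the `dmidecode` fallback can never run; `[ -r /sys/class/dmi/id/product_uuid ]` is what was meant. Quoting `"$GROUP"`, `"$OUTFILE"`, `"$audit_out"` and `"$audit_json_vars"` keeps the `[ -z ... ]` tests and the goss command line intact when a value is empty or contains whitespace.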
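Review bot: The `vfat:` key is emitted whenever `rhel9cis_level_2` and `rhel9cis_legacy_boot` are true, but its attributes are guarded by `rhel9cis_rule_1_1_1_2`, so turning that rule off renders a bare `vfat:` entry with no check body; move `vfat:` inside the `{{ if .Vars.rhel9cis_rule_1_1_1_2 }}` guard as the other three modules do. Each check only proves that an `install ... /bin/true` line exists for the module; a module that is already loaded still passes, so a companion command like `exec: "lsmod | grep cramfs"` with `exit-status: 1` and `stdout: ['!/./']` (the form cis_1.7.1.1_5.yml uses for `selinux_disabled_boot`) would cover the loaded-module half of the control, and the same applies to usb-storage in cis_1.1.23.yml. When the kernel does not ship the module at all, `modprobe -n -v` appears to print nothing, so the stdout match fails and a host that cannot mount the filesystem is reported as non-compliant; a comment such as `# a module absent from the kernel is reported as a failure, not a pass - verify before raising a finding` would save the reader a surprise.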
@@ -0,0 +1,52 @@ +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_1_1_11 }} +mount: + /var/log: + title: 1.1.11 | L2 | Ensure separate partition exists for /var/log + exists: true + meta: + server: 2 + workstation: 2 + CIS_ID: + - 1.1.11 + CISv8: + - 4.1 + - 8.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} + {{ if .Vars.rhel9cis_rule_1_1_12 }} + /var/log/audit: + title: 1.1.12 | L2 | Ensure separate partition exists for /var/log/audit + exists: true + {{ if not .Vars.rhel9cis_auditd }} + skip: true + {{ end }} + meta: + server: 2 + workstation: 2 + CIS_ID: + - 1.1.12 + CISv8: + - 8.3 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + {{ end }} + {{ if .Vars.rhel9cis_rule_1_1_13 }} + /home: + title: 1.1.13 | L2 | Ensure separate partition exists for /home + exists: true + meta: + server: 2 + workstation: 2 + CIS_ID: + - 1.1.13 + CISv8: + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} \ No newline at end of file diff --git a/section_1/cis_1.1/cis_1.1.14.yml b/section_1/cis_1.1/cis_1.1.14.yml new file mode 100644 index 0000000..61afa86 --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.14.yml @@ -0,0 +1,23 @@ +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_1_1_13 }} # This L2 control is required to be enabled in order for this to run + {{ if .Vars.rhel9cis_rule_1_1_14 }} +mount: + /home: + title: 1.1.14 | L1 | Ensure nodev option set on /home partition + exists: true + opts: + - nodev + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.14 + CISv8: + - 3.3 + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} + {{ end }} +{{ end }} \ No newline at end of file diff --git a/section_1/cis_1.1/cis_1.1.15.yml b/section_1/cis_1.1/cis_1.1.15.yml new file mode 100644 index 0000000..1942b71 --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.15.yml 
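Review bot: The `mount:` resource-type key is placed inside the `rhel9cis_rule_1_1_11` guard, so with that rule off and `rhel9cis_rule_1_1_12` or `rhel9cis_rule_1_1_13` on, `/var/log/audit:` and `/home:` are rendered at the top level with no resource type, which goss will reject or ignore. Move `mount:` above the first per-rule guard, as cis_1.7.1.1_5.yml does with `package:` and `command:`. The `{{ if not .Vars.rhel9cis_auditd }} skip: true {{ end }}` on `/var/log/audit` is the right way to surface a conditional check in the report.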
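Review bot: Nesting the `/home` `opts: - nodev` check under `{{ if .Vars.rhel9cis_rule_1_1_13 }}` makes the 1.1.14 result disappear entirely when that L2 rule is off, so an L1 control leaves no trace in the output; rendering the entry unconditionally with `{{ if not .Vars.rhel9cis_rule_1_1_13 }} skip: true {{ end }}` (the pattern cis_1.1.11_13.yml uses for `/var/log/audit`) records it as skipped instead. cis_1.1.8_10.yml has the same silent dependency on `rhel9cis_rule_1_1_7`.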
@@ -0,0 +1,21 @@ +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_1_1_15 }} +mount: + /dev/shm: + title: 1.1.15 | L1 | Ensure nodev option set on /dev/shm partition + exists: true + opts: + - nodev + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.15 + CISv8: + - 3.3 + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} \ No newline at end of file diff --git a/section_1/cis_1.1/cis_1.1.16.yml b/section_1/cis_1.1/cis_1.1.16.yml new file mode 100644 index 0000000..d381a01 --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.16.yml @@ -0,0 +1,21 @@ +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_1_1_16 }} +mount: + /dev/shm: + title: 1.1.16 | L1 | Ensure nosuid option set on /dev/shm partition + exists: true + opts: + - nosuid + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.16 + CISv8: + - 3.3 + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} \ No newline at end of file diff --git a/section_1/cis_1.1/cis_1.1.17.yml b/section_1/cis_1.1/cis_1.1.17.yml new file mode 100644 index 0000000..30b58dd --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.17.yml @@ -0,0 +1,20 @@ +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_1_1_17 }} +mount: + /dev/shm: + title: 1.1.17 | L1 | Ensure noexec option set on /dev/shm partition + exists: true + opts: + - noexec + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.17 + CISv8: + - 2.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} \ No newline at end of file diff --git a/section_1/cis_1.1/cis_1.1.18_20.yml b/section_1/cis_1.1/cis_1.1.18_20.yml new file mode 100644 index 0000000..90cde7a --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.18_20.yml 
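Review bot: cis_1.1.15.yml, cis_1.1.16.yml and cis_1.1.17.yml each declare their own `mount: /dev/shm:` entry with a single option, while cis_1.1.2_4.yml and cis_1.1.8_10.yml fold the nodev/nosuid/noexec rules for one mount point into a single entry with a per-rule `{{ if }}` around each `opts` item. The README output in this commit shows the three `/dev/shm` entries being merged into one expectation, so this works, but it relies on goss merging duplicate resource keys across included files; the single-entry form used for `/tmp` and `/var/tmp` makes the expectation explicit and keeps the three files consistent with the rest of the section.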
@@ -0,0 +1,103 @@ +{{ if .Vars.rhel9cis_level_1 }} +command: + {{ if .Vars.rhel9cis_rule_1_1_18 }} + floppy_noexec: + title: 1.1.18 | L1 | Check for removeable media nodev + exit-status: 0 + exec: "if [ `grep -c -i floppy /etc/fstab` = 1 ] ; then if [ `grep -c -E 'floppy.*nodev' /etc/fstab` -eq 1 ]; then echo FAIL; fi; else echo Passed_Check; fi" + stdout: + - Passed_Check + meta: + server: 1 + workstation: 1 + CIS_ID: 1.1.18 + CISv8: + - 3.3 + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + cdrom_noexec: + title: 1.1.18 | L1 | Check for removeable media nodev + exit-status: 0 + exec: "if [ `grep -c -i cdrom /etc/fstab` = 1 ] ; then if [ `grep -c -E 'cdrom.*nodev' /etc/fstab` -eq 1 ]; then echo FAIL; fi; else echo Passed_Check; fi" + stdout: + - Passed_Check + meta: + server: 1 + workstation: 1 + CIS_ID: 1.1.18 + CISv8: + - 3.3 + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} + {{ if .Vars.rhel9cis_rule_1_1_19 }} + floppy_nodev: + title: 1.1.19 | L1 | Check for removeable media nosuid + exit-status: 0 + exec: "if [ `grep -c -i floppy /etc/fstab` = 1 ] ; then if [ `grep -c -E 'floppy.*no.suid' /etc/fstab` -eq 1 ]; then echo FAIL; fi; else echo Passed_Check; fi" + stdout: + - Passed_Check + meta: + server: 1 + workstation: 1 + CIS_ID: 1.1.19 + CISv8: + - 3.3 + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + cdrom_nodev: + title: 1.1.19 | L1 | Check for removeable media nosuid + exit-status: 0 + exec: "if [ `grep -c -i cdrom /etc/fstab` = 1 ] ; then if [ `grep -c -E 'cdrom.*nosuid' /etc/fstab` -eq 1 ]; then echo FAIL; fi; else echo Passed_Check; fi" + stdout: + - Passed_Check + meta: + server: 1 + workstation: 1 + CIS_ID: 1.1.19 + CISv8: + - 3.3 + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} + {{ if .Vars.rhel9cis_rule_1_1_20 }} + floppy_nosuid: + title: 1.1.20 | L1 | Check for removeable media noexec + exit-status: 0 + exec: "if [ `grep -c -i floppy /etc/fstab` = 1 ] ; then if [ `grep -c 
-E 'floppy.*noexec' /etc/fstab` -eq 1 ]; then echo FAIL; fi; else echo Passed_Check; fi" + stdout: + - Passed_Check + meta: + server: 1 + workstation: 1 + CIS_ID: 1.1.20 + CISv8: + - 2.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + cdrom_nosuid: + title: 1.1.20 | L1 | Check for removeable media noexec + exit-status: 0 + exec: "if [ `grep -c -i cdrom /etc/fstab` = 1 ] ; then if [ `grep -c -E 'cdrom.*noexec' /etc/fstab` -eq 1 ]; then echo FAIL; fi; else echo Passed_Check; fi" + stdout: + - Passed_Check + meta: + server: 1 + workstation: 1 + CIS_ID: 1.1.20 + CISv8: + - 2.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} \ No newline at end of file diff --git a/section_1/cis_1.1/cis_1.1.21.yml b/section_1/cis_1.1/cis_1.1.21.yml new file mode 100644 index 0000000..095a109 --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.21.yml @@ -0,0 +1,23 @@ +{{ if .Vars.run_heavy_tests }} + {{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_1_1_21 }} +command: + sticky_bit: + title: 1.1.21 | L1 | Ensure sticky bit is set on all world-writable directories + exit-status: 0 + exec: "df --local -P 2> /dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) 2>/dev/null" + timeout: {{ .Vars.timeout_ms }} + stdout: ['!/./'] + meta: + server: 1 + workstation: 1 + CIS_ID: 1.1.21 + CISv8: + - 3.3 + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.22.yml b/section_1/cis_1.1/cis_1.1.22.yml new file mode 100644 index 0000000..3929c5b --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.22.yml 
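Review bot: The `exec:` logic in all six checks is inverted: when a floppy or cdrom line exists in /etc/fstab, finding the required option prints `FAIL` and missing it prints nothing, so `stdout: - Passed_Check` can never be satisfied on a host that actually has such an entry. The inner branch should read `... -eq 1 ]; then echo Passed_Check; else echo FAIL; fi`. In `floppy_nodev` the pattern `'floppy.*no.suid'` cannot match `nosuid` (the `.` demands an extra character) and should be `'floppy.*nosuid'` like its cdrom sibling. The resource names are also rotated against what they test (`floppy_noexec` looks for nodev, `floppy_nodev` for nosuid, `floppy_nosuid` for noexec), which will mislead anyone reading the JSON output.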
@@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_1_1_22 }} +service: + autofs: + title: 1.1.22 | L1 | Disable Automounting + enabled: false + running: false + meta: + server: 1 + workstation: 2 + CIS_ID: 1.1.22 + CISv8: + - 10.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.23.yml b/section_1/cis_1.1/cis_1.1.23.yml new file mode 100644 index 0000000..be61839 --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.23.yml @@ -0,0 +1,20 @@ +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_1_1_23 }} +command: + usb-storage: + title: 1.1.23 | L1 | Ensure mounting of usb-storage is disabled + exit-status: 0 + exec: "modprobe -n -v usb-storage | grep -E '(usb-storage|install)'" + stdout: + - install /bin/true + meta: + server: 1 + workstation: 2 + CIS_ID: 1.1.23 + CISv8: + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_1/cis_1.1/cis_1.1.2_4.yml b/section_1/cis_1.1/cis_1.1.2_4.yml new file mode 100644 index 0000000..ca31901 --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.2_4.yml @@ -0,0 +1,29 @@ +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_1_1_2 }} +mount: + /tmp: + title: | + 1.1.2 | L1 | Ensure /tmp is configured + 1.1.3 | L1 | Ensure nodev option set on /tmp partition + 1.1.4 | L1 | Ensure suid option set on /tmp partition + exists: true + opts: + {{ if .Vars.rhel9cis_rule_1_1_3 }} + - nodev + {{ end }} + {{ if .Vars.rhel9cis_rule_1_1_4 }} + - nosuid + {{ end }} + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.2 + - 1.1.3 + - 1.1.4 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} \ No newline at end of file diff --git a/section_1/cis_1.1/cis_1.1.5.yml b/section_1/cis_1.1/cis_1.1.5.yml new file mode 100644 index 0000000..e2412fb --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.5.yml 
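Review bot: The third title line `1.1.4 | L1 | Ensure suid option set on /tmp partition` contradicts the `nosuid` option the check asserts; it should read `Ensure nosuid option set on /tmp partition`. `CISv8: 4.1` is a scalar here, and in cis_1.1.5.yml and cis_1.1.6.yml, while every other file in the section writes a list (`CISv8:` / `- 4.1`), so anything that consumes `meta` sees two types for one field; use the list form throughout. When both `rhel9cis_rule_1_1_3` and `rhel9cis_rule_1_1_4` are off, `opts:` is rendered with no items — confirm goss treats an empty `opts` as "no constraint" rather than an error.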
@@ -0,0 +1,19 @@ +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_1_1_5 }} +mount: + /tmp: + title: 1.1.5 | L1 | Ensure noexec option set on /tmp partition + exists: true + opts: + - noexec + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.5 + CISv8: 2.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} \ No newline at end of file diff --git a/section_1/cis_1.1/cis_1.1.6.yml b/section_1/cis_1.1/cis_1.1.6.yml new file mode 100644 index 0000000..2d1cbd5 --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.6.yml @@ -0,0 +1,17 @@ +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_1_1_6 }} +mount: + /var: + title: 1.1.6 | L2 | Ensure separate partition exists for /var + exists: true + meta: + server: 2 + workstation: 2 + CIS_ID: + - 1.1.6 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} \ No newline at end of file diff --git a/section_1/cis_1.1/cis_1.1.7.yml b/section_1/cis_1.1/cis_1.1.7.yml new file mode 100644 index 0000000..2956728 --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.7.yml @@ -0,0 +1,19 @@ +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_1_1_7 }} +mount: + /var/tmp: + title: 1.1.7 | L2 | Ensure separate partition exists for /var/tmp + exists: true + meta: + server: 2 + workstation: 2 + CIS_ID: + - 1.1.7 + CISv8: + - 3.3 + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} \ No newline at end of file diff --git a/section_1/cis_1.1/cis_1.1.8_10.yml b/section_1/cis_1.1/cis_1.1.8_10.yml new file mode 100644 index 0000000..e9a8ebd --- /dev/null +++ b/section_1/cis_1.1/cis_1.1.8_10.yml 
@@ -0,0 +1,33 @@ +{{ if .Vars.rhel9cis_level_1 }} + {{ if .Vars.rhel9cis_rule_1_1_7 }} # This L2 control is required to be enabled in order for this to run +mount: + /var/tmp: + title: | + 1.1.8 | L1 | Ensure nodev option set on /var/tmp partition + 1.1.9 | L1 | Ensure nosuid option set on /var/tmp partition + 1.1.10 | L1 | Ensure noexec option set on /var/tmp partition + exists: true + opts: + {{ if .Vars.rhel9cis_rule_1_1_8 }} + - nodev + {{ end }} + {{ if .Vars.rhel9cis_rule_1_1_9 }} + - nosuid + {{ end }} + {{ if .Vars.rhel9cis_rule_1_1_10 }} + - noexec + {{ end }} + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.1.8 + - 1.1.9 + CISv8: + - 3.3 + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} \ No newline at end of file diff --git a/section_1/cis_1.10/cis_1.10.yml b/section_1/cis_1.10/cis_1.10.yml new file mode 100644 index 0000000..efea4af --- /dev/null +++ b/section_1/cis_1.10/cis_1.10.yml @@ -0,0 +1,19 @@ +{{ if .Vars.rhel9cis_rule_1_10 }} +file: + /etc/crypto-policies/config: + title: 1.10 | L1 | Ensure system-wide crypto policy is not legacy + exists: true + contains: + - '/^\s*{{ .Vars.rhel9cis_crypto_policy }}/' + - '!/^\s*LEGACY/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.10 + CISv8: + - 3.10 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_1/cis_1.10/cis_1.11.yml b/section_1/cis_1.10/cis_1.11.yml new file mode 100644 index 0000000..b35a1ca --- /dev/null +++ b/section_1/cis_1.10/cis_1.11.yml 
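Review bot: `CIS_ID` lists only `1.1.8` and `1.1.9` although the title and the `noexec` opt also cover 1.1.10; add `- 1.1.10` so the metadata matches the checks. The `{{ if .Vars.rhel9cis_rule_1_1_7 }}` wrapper around an L1 block is the same silent-drop pattern as cis_1.1.14.yml; a `skip: true` branch would keep the control visible in the report when the L2 partition rule is off.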
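Review bot: `'/^\s*{{ .Vars.rhel9cis_crypto_policy }}/'` is a prefix match, so with the default value it also accepts a subpolicy suffix such as `DEFAULT:SHA1`, which re-enables algorithms the base policy excludes; anchoring it as `'/^\s*{{ .Vars.rhel9cis_crypto_policy }}\s*$/'` asserts the exact policy. The `'!/^\s*LEGACY/'` line only rules out the one named-bad value, so the anchored positive match is the more general guard.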
@@ -0,0 +1,22 @@ +{{ if .Vars.rhel9cis_level_2 }} +{{ if .Vars.rhel9cis_rule_1_11 }} + {{ if eq .Vars.rhel9cis_crypto_policy "DEFAULT" }} +file: + /etc/crypto-policies/config: + title: 1.11 | L2 | Ensure system-wide crypto policy is FUTURE or FIPS + exists: true + contains: + - '/^\s{{ .Vars.rhel9cis_crypto_policy }}\s*(\s+#.*)?$/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 1.11 + CISv8: + - 3.10 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} +{{ end }} diff --git a/section_1/cis_1.2/cis_1.2.1.yml b/section_1/cis_1.2/cis_1.2.1.yml new file mode 100644 index 0000000..f7ffb39 --- /dev/null +++ b/section_1/cis_1.2/cis_1.2.1.yml @@ -0,0 +1,21 @@ +{{ if .Vars.is_redhat_os }} + {{ if .Vars.rhel9cis_rule_1_2_1 }} +command: + subscription: + title: 1.2.1 | L1 | Ensure Redhat Subscription Manager connection configured + exec: subscription-manager list --consumed | grep -A4 'Roles:\s*Red Hat Enterprise Linux Server' + exit-status: 0 + stdout: + - 'Subscription is current' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.2.1 + CISv8: + - 7.4 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_1/cis_1.2/cis_1.2.2.yml b/section_1/cis_1.2/cis_1.2.2.yml new file mode 100644 index 0000000..c57e4bf --- /dev/null +++ b/section_1/cis_1.2/cis_1.2.2.yml @@ -0,0 +1,17 @@ +{{ if .Vars.rhel9cis_rule_1_2_2 }} +service: + rhnsd: + title: 1.2.2 | L1 | Disable the rhnsd Daemon (Manual) + enabled: false + running: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.2.2 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_1/cis_1.2/cis_1.2.3.yml b/section_1/cis_1.2/cis_1.2.3.yml new file mode 100644 index 0000000..b43a889 --- /dev/null +++ b/section_1/cis_1.2/cis_1.2.3.yml 
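Review bot: The block is wrapped in `{{ if eq .Vars.rhel9cis_crypto_policy "DEFAULT" }}`, so a check titled "Ensure system-wide crypto policy is FUTURE or FIPS" only runs when the configured policy is DEFAULT and then asserts that the file contains DEFAULT — it can never report a deviation from FUTURE/FIPS. The guard presumably should be `{{ if ne .Vars.rhel9cis_crypto_policy "DEFAULT" }}` or an explicit FUTURE/FIPS test; confirm the intended semantics against the remediation role. The pattern `'/^\s{{ .Vars.rhel9cis_crypto_policy }}\s*(\s+#.*)?$/'` also starts with `^\s`, which demands one leading whitespace character, so a normal `FIPS` or `FUTURE` line at column 0 does not match; `^\s*` is the form cis_1.10.yml uses.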
@@ -0,0 +1,20 @@ +{{ if .Vars.run_heavy_tests }} + {{ if .Vars.rhel9cis_rule_1_2_3 }} +command: + gpg_keys: + title: 1.2.3 | L1 | Ensure GPG keys are configured + exit-status: 0 + exec: "rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.2.3 + CISv8: + - 7.3 + - 7.4 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_1/cis_1.2/cis_1.2.4.yml b/section_1/cis_1.2/cis_1.2.4.yml new file mode 100644 index 0000000..0df91bd --- /dev/null +++ b/section_1/cis_1.2/cis_1.2.4.yml @@ -0,0 +1,33 @@ +{{ if .Vars.rhel9cis_rule_1_2_4 }} +command: + gpg_check_global: + title: 1.2.4 | L1 | Ensure gpgcheck is globally active + exit-status: 0 + exec: "if [ `grep -c -E '^\\s*gpgcheck.*0' /etc/yum.conf` -ge 1 ]; then echo FAIL; elif [ `grep -c -E '^\\s*gpgcheck.*1' /etc/yum.conf` -ge 1 ]; then echo Passed_Check;fi" + timeout: {{ .Vars.timeout_ms }} + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.2.4 + CISv8: + - 7.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + gpg_check_repo: + title: 1.2.4 | L1 | Ensure gpgcheck is globally active + exit-status: 0 + exec: "if [ `grep -c -E '^\\s*gpgcheck.*0' /etc/yum.repos.d/*.repo` -ge 1 ]; then echo FAIL; elif [ `grep -c -E '^\\s*gpgcheck.*1' /etc/yum.repos.d/*.repo` -ge 1 ]; then echo Passed_Check;fi" + timeout: {{ .Vars.timeout_ms }} + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.2.4 + CISv8: + - 7.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_1/cis_1.2/cis_1.2.5.yml b/section_1/cis_1.2/cis_1.2.5.yml new file mode 100644 index 0000000..718b269 --- /dev/null +++ b/section_1/cis_1.2/cis_1.2.5.yml 
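Review bot: `rpm -q gpg-pubkey ...` with only `exit-status: 0` passes as soon as any public key is imported, so it does not tell the reviewer whether the vendor's signing key is the one present. A `stdout:` expectation on the expected `%{summary}` text, driven from a vars entry, would turn this from "some key exists" into "the expected key exists"; the printed key list is still useful and could be kept as the check's evidence.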
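Review bot: Neither `gpg_check_global` nor `gpg_check_repo` declares a `stdout:` expectation, and an `if ... elif ... fi` that takes no branch exits 0 (as does the `echo FAIL` branch), so both checks pass whatever the gpgcheck setting is. Add `stdout: - Passed_Check` under each, as cis_1.1.18_20.yml does. In `gpg_check_repo`, `grep -c` over `/etc/yum.repos.d/*.repo` prints one `file:count` line per file, so `[ ... -ge 1 ]` receives a multi-line non-integer and errors on stderr; `cat /etc/yum.repos.d/*.repo | grep -c -E ...` yields a single number.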
@@ -0,0 +1,20 @@ +{{ if .Vars.run_heavy_tests }} + {{ if .Vars.rhel9cis_rule_1_2_5 }} +command: + repos_configured: + title: 1.2.5 | L1 | Ensure Package manager repositories are configured + exit-status: 0 + exec: "yum repolist" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.2.5 + CISv8: + - 7.3 + - 7.4 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_1/cis_1.3/cis_1.3.1.yml b/section_1/cis_1.3/cis_1.3.1.yml new file mode 100644 index 0000000..10fa7c9 --- /dev/null +++ b/section_1/cis_1.3/cis_1.3.1.yml @@ -0,0 +1,16 @@ +{{ if .Vars.rhel9cis_rule_1_3_1 }} +package: + sudo: + title: 1.3.1 | L1 | Ensure sudo is installed (Automated) + installed: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.3.1 + CISv8: + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_1/cis_1.3/cis_1.3.2.yml b/section_1/cis_1.3/cis_1.3.2.yml new file mode 100644 index 0000000..c9dba99 --- /dev/null +++ b/section_1/cis_1.3/cis_1.3.2.yml @@ -0,0 +1,19 @@ +{{ if .Vars.rhel9cis_rule_1_3_2 }} +command: + pty_sudoers_d: + title: 1.3.2 | L1 | Ensure sudo commands use pty + exec: export PTY=`grep -q -Ei '^\s*Defaults\s+(\[^#]+,\s*)?use_pty' /etc/sudoers /etc/sudoers.d/*; echo $?` && if [[ $PTY == 0 ]];then echo OK ;fi + exit-status: 0 + stdout: + - 'OK' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.3.2 + CISv8: + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_1/cis_1.3/cis_1.3.3.yml b/section_1/cis_1.3/cis_1.3.3.yml new file mode 100644 index 0000000..6b9440c --- /dev/null +++ b/section_1/cis_1.3/cis_1.3.3.yml 
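Review bot: The regex `'^\s*Defaults\s+(\[^#]+,\s*)?use_pty'` escapes the opening bracket, so `\[^#]+` is a literal `[` followed by an anchor rather than the bracket expression the sibling check in cis_1.3.3.yml uses (`([^#]+,\s*)?`); a line such as `Defaults env_reset, use_pty` may therefore be missed. Change it to `'^\s*Defaults\s+([^#]+,\s*)?use_pty'` so both sudo checks share the same grammar.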
@@ -0,0 +1,19 @@ +{{ if .Vars.rhel9cis_rule_1_3_3 }} +command: + log_sudoers_d: + title: 1.3.3 | L1 | Ensure sudo log file exists | sudoers.d + exec: export PTY=`grep -q -Esi '^\s*Defaults\s+([^#]+,\s*)?logfile=' /etc/sudoers /etc/sudoers.d/*; echo $?` && if [[ $PTY == 0 ]];then echo OK ;fi + exit-status: 0 + stdout: + - 'OK' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.3.3 + CISv8: + - 8.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_1/cis_1.4/cis_1.4.1.yml b/section_1/cis_1.4/cis_1.4.1.yml new file mode 100644 index 0000000..0fbbdbe --- /dev/null +++ b/section_1/cis_1.4/cis_1.4.1.yml @@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_config_aide }} + {{ if .Vars.rhel9cis_rule_1_4_1 }} +package: + aide: + title: 1.4.1 | L1 | Ensure AIDE is installed + installed: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.4.1 + CISv8: + - 3.14 + CISv8_IG1: false + CISv8_IG2: false + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_1/cis_1.4/cis_1.4.2.yml b/section_1/cis_1.4/cis_1.4.2.yml new file mode 100644 index 0000000..10ef2af --- /dev/null +++ b/section_1/cis_1.4/cis_1.4.2.yml 
@@ -0,0 +1,60 @@ +{{ if .Vars.rhel9cis_config_aide }} + {{ if .Vars.rhel9cis_rule_1_4_1 }} + {{ if eq .Vars.rhel9_aide_scan "cron" }} +command: + aide_cron: + title: 1.4.2 | L1 | Ensure filesystem integrity is regularly checked + exit-status: + or: + - 0 + - 2 + exec: "grep -rs aide /etc/cron.* /etc/crontab /var/spool/cron/*" + stdout: + - '!/^#/' + {{ end }} + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.4.2 + CISv8: + - 3.14 + CISv8_IG1: false + CISv8_IG2: false + CISv8_IG3: true +# Can be enabled if using timer and service files +service: + {{ if eq .Vars.rhel9_aide_scan "timer" }} + aidecheck: + title: 1.4.2 | L1 | Ensure filesystem integrity is regularly checked + enabled: true + running: true + skip: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.4.2 + CISv8: + - 3.14 + CISv8_IG1: false + CISv8_IG2: false + CISv8_IG3: true + aidecheck.timer: + title: 1.4.2 | L1 | Ensure filesystem integrity is regularly checked + enabled: true + running: true + skip: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.4.2 + CISv8: + - 3.14 + CISv8_IG1: false + CISv8_IG2: false + CISv8_IG3: true + {{ end }} + {{ end }} +{{ end }} \ No newline at end of file diff --git a/section_1/cis_1.5/cis_1.5.1.yml b/section_1/cis_1.5/cis_1.5.1.yml new file mode 100644 index 0000000..f511940 --- /dev/null +++ b/section_1/cis_1.5/cis_1.5.1.yml 
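Review bot: The `{{ end }}` that closes `{{ if eq .Vars.rhel9_aide_scan "cron" }}` sits before `meta:`, so in timer mode the file renders a `command:` key followed by an orphaned, indented `meta:` block with no parent resource, which goss will reject or attach to the wrong node; move that `{{ end }}` below the cron check's `CISv8_IG3: true` line. The outer guard is `rhel9cis_rule_1_4_1` rather than `rhel9cis_rule_1_4_2`, so 1.4.2 cannot be toggled independently of 1.4.1 — this looks like a copy-paste slip. `skip: false` on the two timer services is the goss default and can be dropped.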
@@ -0,0 +1,45 @@ +{{ if .Vars.rhel9cis_rule_1_5_1 }} +file: + {{ if .Vars.rhel9cis_legacy_boot }} + /boot/grub2/grubenv: + {{ else }} + /boot/efi/EFI/{{ .Vars.rhel9cis_os_distribution }}/grubenv: + {{ end }} + title: 1.5.1 | L1 | Ensure permissions on bootloader config are configured | file_perms + exists: true + owner: root + group: root + mode: "0600" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.5.1 + CISv8: + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ if not .Vars.rhel9cis_legacy_boot }} +mount: + /boot/efi: + title: 1.5.1 | L1 | Ensure permissions on bootloader config are configured | /boot/efi opts + exists: true + opts: + - 'umask=0027' + - 'fmask=0077' + - 'uid=0' + - 'gid=0' + filesystem: vfat + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.5.1 + CISv8: + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} \ No newline at end of file diff --git a/section_1/cis_1.5/cis_1.5.2.yml b/section_1/cis_1.5/cis_1.5.2.yml new file mode 100644 index 0000000..7a6c894 --- /dev/null +++ b/section_1/cis_1.5/cis_1.5.2.yml @@ -0,0 +1,23 @@ +{{ if .Vars.rhel9cis_rule_1_5_2 }} + {{ if .Vars.rhel9cis_set_boot_pass }} + /boot/grub2/user.cfg: + title: 1.5.2 | L1 | Ensure bootloader password is set and permissions + exists: true + owner: root + group: root + mode: "0600" + {{ if .Vars.rhel9cis_set_boot_pass }} + contains: [GRUB2_PASSWORD=] + {{ end }} + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.5.2 + CISv8: + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} \ No newline at end of file diff --git a/section_1/cis_1.5/cis_1.5.3.yml b/section_1/cis_1.5/cis_1.5.3.yml new file mode 100644 index 0000000..4ab1be5 --- /dev/null +++ b/section_1/cis_1.5/cis_1.5.3.yml 
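Review bot: `/boot/grub2/user.cfg:` is rendered without a `file:` resource-type key above it, unlike cis_1.5.1.yml, so goss has no resource to attach `exists`/`owner`/`mode`/`contains` to; add `file:` before the path. The inner `{{ if .Vars.rhel9cis_set_boot_pass }}` around `contains:` repeats the enclosing guard and can be removed. On UEFI hosts the password file lives under the `/boot/efi/EFI/{{ .Vars.rhel9cis_os_distribution }}/` tree that cis_1.5.1.yml already switches on `rhel9cis_legacy_boot`; the same switch is needed here or the check fails on every UEFI system — confirm against the remediation role.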
@@ -0,0 +1,31 @@ +{{ if .Vars.rhel9cis_rule_1_5_3 }} +command: + single_user_1: + title: 1.5.3 | L1 | Ensure authentication required for single user mode + exit-status: 0 + exec: "grep /systemd-sulogin-shell /usr/lib/systemd/system/rescue.service" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.5.3 + CISv8: + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + single_user_2: + title: 1.5.3 | L1 | Ensure authentication required for single user mode + exit-status: 0 + exec: "grep /systemd-sulogin-shell /usr/lib/systemd/system/emergency.service" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.5.3 + CISv8: + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_1/cis_1.6/cis_1.6.1.yml b/section_1/cis_1.6/cis_1.6.1.yml new file mode 100644 index 0000000..f3a9dba --- /dev/null +++ b/section_1/cis_1.6/cis_1.6.1.yml 
@@ -0,0 +1,81 @@ +{{ if .Vars.rhel9cis_rule_1_6_1 }} +command: + core_dumps_limits: + title: 1.6.1 | L1 | Ensure core dumps are restricted | security_limits + exit-status: 0 + exec: 'grep -Es "^\s*\*\s+hard\s+core" /etc/security/limits.conf /etc/security/limits.d/* | cut -f2 -d":"' + stdout: + - '/^\*.*hard.*core.*0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.6.1 + CISv8: + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + suid_dumpable_2: + title: 1.6.1 | L1 | Ensure core dumps are restricted | suid_sysctl + exit-status: 0 + exec: 'grep "fs\.suid_dumpable" /etc/sysctl.conf /etc/sysctl.d/*' + stdout: + - fs.suid_dumpable=0 + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.6.1 + CISv8: + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +kernel-param: + fs.suid_dumpable: + title: 1.6.1 | L1 | Ensure core dumps are restricted | fsuid_sysctl + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.6.1 + CISv8: + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +file: + /etc/systemd/coredump.conf: + title: 1.6.1 | L1 | Ensure core dumps are restricted | systemd conf + exists: true + contains: + - '/Storage=none/' + - '/ProcessSizeMax=0/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.6.1 + CISv8: + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +service: + coredump: + enabled: false + running: false + skip: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.6.1 + CISv8: + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_1/cis_1.6/cis_1.6.2.yml b/section_1/cis_1.6/cis_1.6.2.yml new file mode 100644 index 0000000..7f31b29 --- /dev/null +++ b/section_1/cis_1.6/cis_1.6.2.yml 
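Review bot: The `service: coredump:` entry has no `title:`, and a unit name that does not exist appears to satisfy `enabled: false` / `running: false` trivially (the README output in this commit shows `Service: coredump` passing on a host where several other 1.x checks fail), so the check proves nothing about core dumps; the systemd unit involved is normally `systemd-coredump.socket` — confirm the intended unit — and a `title:` would make the JSON line identifiable. `suid_dumpable_2` matches `fs.suid_dumpable=0` as a substring, so a commented-out `#fs.suid_dumpable=0` also satisfies it while a spaced `fs.suid_dumpable = 0` does not; `grep -h` to drop the filename prefix plus `stdout: - '/^\s*fs\.suid_dumpable\s*=\s*0\s*$/'` is tighter, and the same applies to `aslr_enabled_2` in cis_1.6.2.yml.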
@@ -0,0 +1,33 @@ +{{ if .Vars.rhel9cis_rule_1_6_2 }} +kernel-param: + kernel.randomize_va_space: + title: 1.6.2 | L1 | Ensure address space layout randomization (ASLR) is enabled | running + value: '2' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.6.2 + CISv8: + - 10.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +command: + aslr_enabled_2: + title: 1.6.2 | L1 | Ensure address space layout randomization (ASLR) is enabled | conf + exit-status: 0 + exec: 'grep "kernel\.randomize_va_space" /etc/sysctl.conf /etc/sysctl.d/*' + stdout: + - kernel.randomize_va_space=2 + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.6.2 + CISv8: + - 10.5 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_1/cis_1.7/cis_1.7.1.1_5.yml b/section_1/cis_1.7/cis_1.7.1.1_5.yml new file mode 100644 index 0000000..fedbd4f --- /dev/null +++ b/section_1/cis_1.7/cis_1.7.1.1_5.yml 
@@ -0,0 +1,128 @@ +{{ if .Vars.rhel9cis_level_2 }} + {{ if not .Vars.rhel9cis_selinux_disable }} +package: + {{ if .Vars.rhel9cis_rule_1_7_1_1 }} + libselinux: + title: 1.7.1.1 | L2 | Ensure SELinux is installed + installed: true + meta: + server: 2 + workstation: 2 + CIS_ID: + - 1.7.1.1 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} + +command: + {{ if .Vars.rhel9cis_rule_1_7_1_2 }} + selinux_disabled_boot: + title: 1.7.1.2 | L2 | Ensure SELinux is not disabled in bootloader configuration + exit-status: 1 + exec: 'grep "^\s*linux" /boot/grub2/grubenv | grep -E "(selinux=0|enforcing=0)"' + # looking for it not to return anything + # will error if anything is returned + stdout: ['!/./'] + meta: + server: 2 + workstation: 2 + CIS_ID: + - 1.7.1.2 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} + + {{ if .Vars.rhel9cis_rule_1_7_1_3 }} + selinux_policy: + title: 1.7.1.3 | L2 | Ensure SELinux policy is configured | config + exit-status: 0 + exec: 'grep SELINUXTYPE= /etc/selinux/config' + stdout: + - SELINUXTYPE=targeted + meta: + server: 2 + workstation: 2 + CIS_ID: + - 1.7.1.3 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + selinux_sestatus: + title: 1.7.1.3 | L2 | Ensure SELinux policy is configured | sestatus + exit-status: 0 + exec: "sestatus | grep 'Loaded policy'" + stdout: + - "Loaded policy name: targeted" + meta: + server: 2 + workstation: 2 + CIS_ID: + - 1.7.1.3 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} + + {{ if .Vars.rhel9cis_rule_1_7_1_4 }} + selinux_run_enforcing: + title: (L2) 1.7.1.4 | L2 | Ensure the SELinux mode is enforcing | running + exit-status: 0 + exec: "getenforce" + stdout: + - "Enforcing" + meta: + server: 2 + workstation: 2 + CIS_ID: + - 1.7.1.4 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + selinux_config_enforcing: + title: (L2) 1.7.1.4 | L2 | Ensure the SELinux mode is enforcing | 
config + exit-status: 0 + exec: 'grep -Ei "^\s*SELINUX=[Ee]nforcing" /etc/selinux/config' + stdout: + - SELINUX=enforcing + meta: + server: 2 + workstation: 2 + CIS_ID: + - 1.7.1.4 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} + {{ if .Vars.rhel9cis_rule_1_7_1_5 }} + selinux_unconfined: + title: 1.7.1.5 | L2 | Ensure no unconfined services exist + exit-status: 1 + exec: "ps -eZ | grep unconfined_service_t" + stdout: ['!/./'] + meta: + server: 2 + workstation: 2 + CIS_ID: + - 1.7.1.5 + CISv8: + - 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} + {{ end }} +{{ end }} diff --git a/section_1/cis_1.7/cis_1.7.1.6_7.yml b/section_1/cis_1.7/cis_1.7.1.6_7.yml new file mode 100644 index 0000000..f5d7bff --- /dev/null +++ b/section_1/cis_1.7/cis_1.7.1.6_7.yml @@ -0,0 +1,33 @@ +{{ if .Vars.rhel9cis_level_2 }} +package: + {{ if .Vars.rhel9cis_rule_1_7_1_6 }} + setroubleshoot: + title: 1.7.1.6 | L2 | Ensure SETroubleshoot is not installed + installed: false + meta: + server: 2 + workstation: NA + CIS_ID: + - 1.7.1.6 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + {{ end }} + {{ if .Vars.rhel9cis_rule_1_7_1_7 }} + mcstrans: + title: 1.7.1.7 | L2 | Ensure the MCS Translation Service (mcstrans) is not installed + installed: false + meta: + server: 2 + workstation: 2 + CIS_ID: + - 1.7.1.7 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_1/cis_1.8/cis_1.8.1.1_6.yml b/section_1/cis_1.8/cis_1.8.1.1_6.yml new file mode 100644 index 0000000..a552497 --- /dev/null +++ b/section_1/cis_1.8/cis_1.8.1.1_6.yml 
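Review bot: `selinux_disabled_boot` greps `/boot/grub2/grubenv` for lines beginning with `linux`, which a BLS-based RHEL 8/9 grubenv does not contain (kernel arguments live in `/boot/loader/entries/*.conf` and in `GRUB_CMDLINE_LINUX` in `/etc/default/grub`), so the grep returns nothing, exit status 1 is taken as a pass, and a `selinux=0` or `enforcing=0` boot parameter is never detected. Cover the places the argument can actually be set, e.g. `exec: 'grep -Es "(selinux=0|enforcing=0)" /boot/loader/entries/*.conf /etc/default/grub /boot/grub2/grubenv /proc/cmdline'`, keeping `exit-status: 1` and `stdout: ['!/./']`; `/proc/cmdline` is what the running kernel was really given. Separately, `selinux_unconfined` lists every process including the shell running this check, so if goss is launched from a unit labelled `unconfined_service_t` the check will always fail on its own process tree; filtering it (`| grep -vE "(goss|/bin/sh)"`) avoids the self-hit. This hunk starts on the previous line.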
@@ -0,0 +1,85 @@ +file: + {{ if .Vars.rhel9cis_rule_1_8_1_1 }} + /etc/motd: + title: | + 1.8.1.1 | L1 | Ensure message of the day is configured properly + 1.8.1.4 | L1 | Ensure permissions on /etc/motd are configured + exists: true + mode: "0644" + owner: root + group: root + contains: + - "![Cc]ent[Oo][Ss]" + - "![Rr]hel" + - "![Rr]ed[Hh]at" + - "!x86_64" + - "![Ll]inux" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.8.1.1 + - 1.8.1.4 + CISv8: + - 3.3 + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} + {{ if .Vars.rhel9cis_rule_1_8_1_2 }} + /etc/issue: + title: | + 1.8.1.2 | L1 | Ensure local login warning banner is configured properly + 1.8.1.5 | L1 | Ensure permissions on /etc/issue are configured + exists: true + mode: "0644" + owner: root + group: root + contains: + - "![Cc]ent[Oo][Ss]" + - "![Rr]hel" + - "![Rr]ed[Hh]at" + - "!x86_64" + - "![Ll]inux" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.8.1.2 + - 1.8.1.5 + CISv8: + - 3.3 + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} + {{ if .Vars.rhel9cis_rule_1_8_1_3 }} + /etc/issue.net: + title: | + 1.8.1.3 | L1 | Ensure remote login warning banner is configured properly + 1.8.1.6 | L1 | Ensure permissions on /etc/issue.net are configured + exists: true + mode: "0644" + owner: root + group: root + contains: + - "![Cc]ent[Oo][Ss]" + - "![Rr]hel" + - "![Rr]ed[Hh]at" + - "!x86_64" + - "![Ll]inux" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.8.1.3 + - 1.8.1.6 + CISv8: + - 3.3 + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} diff --git a/section_1/cis_1.8/cis_1.8.2.yml b/section_1/cis_1.8/cis_1.8.2.yml new file mode 100644 index 0000000..4dc0464 --- /dev/null +++ b/section_1/cis_1.8/cis_1.8.2.yml 
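Review bot: The banner patterns are not regular expressions: goss only treats a `contains` entry as a regex when it is wrapped in `/.../`, so `"![Cc]ent[Oo][Ss]"` asserts that the file does not contain the literal text `[Cc]ent[Oo][Ss]`, which is always true, and a banner reading `CentOS` or `Red Hat Enterprise Linux` passes all three files. Wrap each pattern, e.g. `- '!/[Cc]ent[Oo][Ss]/'`, `- '!/[Rr]ed\s*[Hh]at/'`, `- '!/[Ll]inux/'`. The benchmark's audit also rejects the agetty escape sequences `\v`, `\r`, `\m` and `\s`, which expand to OS version, release, architecture and kernel at login; add `- '!/\\[vrms]/'` so those are caught too.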
@@ -0,0 +1,21 @@ +{{ if .Vars.rhel9cis_rule_1_8_2 }} + {{ if .Vars.rhel9cis_gui }} +file: + /etc/gdm3/greeter.dconf-defaults: + title: 1.8.2 | L1 | Ensure GDM banner is configured + exists: true + contains: + - '/^banner-message-enable=true/' + - '/^banner-message-test=\'{{ .Vars.rhel9cis_warning_banner }}\' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.8.2 + CISv8: + - 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_1/cis_1.9/cis_1.9.yml b/section_1/cis_1.9/cis_1.9.yml new file mode 100644 index 0000000..d93f7b1 --- /dev/null +++ b/section_1/cis_1.9/cis_1.9.yml @@ -0,0 +1,23 @@ +{{ if .Vars.run_heavy_tests }} + {{ if .Vars.rhel9cis_rule_1_9 }} +command: + security-updates: + title: 1.9 | L1 | Ensure updates, patches, and additional security software are installed + exit-status: 0 + timeout: {{ .Vars.timeout_ms }} + exec: yum check-update + stdout: + - "![0-9].* packages available" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 1.9 + CISv8: + - 7.3 + - 7.4 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_2/cis_2.1/cis_2.1.1.yml b/section_2/cis_2.1/cis_2.1.1.yml new file mode 100644 index 0000000..87c1183 --- /dev/null +++ b/section_2/cis_2.1/cis_2.1.1.yml @@ -0,0 +1,16 @@ +{{ if not .Vars.rhel9cis_xinetd_required }} +package: + xinetd: + title: 2.2.1 | L1 | Ensure xinetd is not installed + installed: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.1.1 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.1.1_2.yml b/section_2/cis_2.2/cis_2.2.1.1_2.yml new file mode 100644 index 0000000..e45c6bd --- /dev/null +++ b/section_2/cis_2.2/cis_2.2.1.1_2.yml 
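Review bot: The GDM banner check is broken on three counts: `/etc/gdm3/greeter.dconf-defaults` is the Debian/Ubuntu location (on RHEL the login-screen banner is configured through dconf under `/etc/dconf/db/gdm.d/`), the key is misspelled `banner-message-test`, and the single-quoted YAML scalar `'/^banner-message-test=\'{{ ... }}\'` terminates at the first `\'` because backslash is not an escape inside single quotes, so the rendered file will not parse once `rhel9cis_gui` is true. Point the resource at the dconf keyfile and double-quote the pattern: `/etc/dconf/db/gdm.d/01-banner-message:` with `- '/^banner-message-enable=true/'` and `- "/^banner-message-text='{{ .Vars.rhel9cis_warning_banner }}'/"`. If the keyfile name is site-specific, a `command` resource grepping `/etc/dconf/db/gdm.d/*` would mirror the benchmark audit more faithfully.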
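Review bot: The title reads `2.2.1 | L1 | Ensure xinetd is not installed` while `CIS_ID` is `2.1.1`, so report output and metadata disagree; it should be `2.1.1 | L1 | Ensure xinetd is not installed`. This is also the only package check in the series without a per-rule toggle, so it cannot be switched off individually like its siblings; wrapping it in `{{ if .Vars.rhel9cis_rule_2_1_1 }}` would match the convention used elsewhere.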
@@ -0,0 +1,36 @@ +{{ if .Vars.rhel9cis_rule_2_2_1_1 }} +package: + chrony: + title: 2.2.1.1 | L1 | Ensure time synchronization is in use + installed: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.2.1.1 + CISv8: + - 8.4 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true +{{ end }} +{{ if .Vars.rhel9cis_rule_2_2_1_2 }} +file: + /etc/chrony.conf: + title: 2.2.1.2 | L1 | Ensure chrony is configured + exists: true + contains: + - '/^server\s.*/' + skip: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.2.1.2 + CISv8: + - 8.4 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true +{{ end }} + diff --git a/section_2/cis_2.2/cis_2.2.10.yml b/section_2/cis_2.2/cis_2.2.10.yml new file mode 100644 index 0000000..76374c3 --- /dev/null +++ b/section_2/cis_2.2/cis_2.2.10.yml @@ -0,0 +1,19 @@ +{{ if not .Vars.rhel9cis_vsftpd_server}} + {{ if .Vars.rhel9cis_rule_2_2_10 }} +service: + vsftpd: + title: 2.2.10 | L1 | Ensure FTP Server is not enabled + enabled: {{ false }} + running: {{ false }} + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.2.10 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.11.yml b/section_2/cis_2.2/cis_2.2.11.yml new file mode 100644 index 0000000..a09332f --- /dev/null +++ b/section_2/cis_2.2/cis_2.2.11.yml @@ -0,0 +1,19 @@ +{{ if not .Vars.rhel9cis_bind }} + {{ if .Vars.rhel9cis_rule_2_2_11 }} +service: + named: + title: 2.2.11 | L1 | Ensure DNS Server is not enabled + running: false + enabled: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.2.11 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.12.yml b/section_2/cis_2.2/cis_2.2.12.yml new file mode 100644 index 0000000..2cb25ce --- /dev/null +++ b/section_2/cis_2.2/cis_2.2.12.yml 
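Review bot: `/etc/chrony.conf` is required to contain a line matching `/^server\s.*/`, but RHEL ships its time sources with the `pool` directive (`pool 2.rhel.pool.ntp.org iburst`), so a correctly configured default host fails this check. The benchmark audit accepts either form: `- '/^(server|pool)\s+\S+/'`. The other half of 2.2.1.2, that chronyd runs as the unprivileged `chrony` user (`OPTIONS="-u chrony"` in `/etc/sysconfig/chronyd` on RHEL 8, if that remains the mechanism on RHEL 9), is not checked at all; a second `file` entry on that path with `contains: ['/^OPTIONS=.*-u chrony/']` would close the gap.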
@@ -0,0 +1,19 @@ +{{ if not .Vars.rhel9cis_nfs_server }} + {{ if .Vars.rhel9cis_rule_2_2_12 }} +service: + nfs: + title: 2.2.12 | L1 | Ensure NFS is not enabled + running: false + enabled: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.2.12 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.13.yml b/section_2/cis_2.2/cis_2.2.13.yml new file mode 100644 index 0000000..b7ac8c4 --- /dev/null +++ b/section_2/cis_2.2/cis_2.2.13.yml @@ -0,0 +1,19 @@ +{{ if not .Vars.rhel9cis_rpc_server }} + {{ if .Vars.rhel9cis_rule_2_2_13 }} +service: + rpcbind: + title: 2.2.13 | L1 | Ensure rpcbind is not enabled + running: false + enabled: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.2.13 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.14.yml b/section_2/cis_2.2/cis_2.2.14.yml new file mode 100644 index 0000000..a4ac63b --- /dev/null +++ b/section_2/cis_2.2/cis_2.2.14.yml @@ -0,0 +1,19 @@ +{{ if not .Vars.rhel9cis_ldap_server }} + {{ if .Vars.rhel9cis_rule_2_2_14 }} +service: + slapd: + title: 2.2.14 | L1 | Ensure LDAP server is not enabled + running: false + enabled: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.2.14 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.15.yml b/section_2/cis_2.2/cis_2.2.15.yml new file mode 100644 index 0000000..86fe6fb --- /dev/null +++ b/section_2/cis_2.2/cis_2.2.15.yml @@ -0,0 +1,19 @@ +{{ if not .Vars.rhel9cis_dhcp_server }} + {{ if .Vars.rhel9cis_rule_2_2_5 }} +service: + dhcpd: + title: 2.2.15 | L1 | Ensure DHCP Server is not enabled + running: false + enabled: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.2.15 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} 
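Review bot: The service key `nfs` does not correspond to a unit on RHEL 8/9, where the NFS server is `nfs-server.service`; goss reports a non-existent unit as neither enabled nor running, so this check passes even on a host actively exporting NFS. Use `nfs-server:` as the resource key, leaving the title and meta as they are.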
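Review bot: `rpcbind` can be brought back up through `rpcbind.socket` even when `rpcbind.service` is disabled, which is why the benchmark audit checks both units; this hunk only covers the service. Add a sibling `rpcbind.socket:` entry with the same `enabled: false` / `running: false` expectations and meta.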
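Review bot: The DHCP check is gated on `{{ if .Vars.rhel9cis_rule_2_2_5 }}`, which is the SNMP rule toggle, so disabling rule 2.2.5 silently drops the dhcpd check and toggling 2.2.15 has no effect. Change the gate to `{{ if .Vars.rhel9cis_rule_2_2_15 }}`.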
diff --git a/section_2/cis_2.2/cis_2.2.16.yml b/section_2/cis_2.2/cis_2.2.16.yml new file mode 100644 index 0000000..cd8fc6d --- /dev/null +++ b/section_2/cis_2.2/cis_2.2.16.yml @@ -0,0 +1,19 @@ +{{ if not .Vars.rhel9cis_cups_server }} +service: + cups: + {{ if .Vars.rhel9cis_rule_2_2_16 }} + title: 2.2.16 | L1 | Ensure CUPS is not enabled + running: false + enabled: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.2.16 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.17.yml b/section_2/cis_2.2/cis_2.2.17.yml new file mode 100644 index 0000000..9388117 --- /dev/null +++ b/section_2/cis_2.2/cis_2.2.17.yml @@ -0,0 +1,19 @@ +{{ if not .Vars.rhel9cis_nis_server }} + {{ if .Vars.rhel9cis_rule_2_2_17 }} +service: + ypserv: + title: 2.2.17 | L1 | Ensure NIS server is not enabled + running: false + enabled: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.2.17 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.18.yml b/section_2/cis_2.2/cis_2.2.18.yml new file mode 100644 index 0000000..7a48282 --- /dev/null +++ b/section_2/cis_2.2/cis_2.2.18.yml 
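Review bot: The `{{ if .Vars.rhel9cis_rule_2_2_16 }}` gate sits inside the `cups:` mapping rather than around the `service:` block as in the sibling files, so when the rule is disabled the rendered YAML is `service:` / `cups:` with no body, which goss will treat as a service resource with no expectations at best and fail to parse at worst. Move the `{{ if }}` / `{{ end }}` pair to wrap `service:` the way `cis_2.2.17.yml` does. CUPS is also socket-activated, so a `cups.socket:` entry with the same expectations would prevent the daemon being restarted on the first print request.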
@@ -0,0 +1,38 @@ +{{ if .Vars.rhel9cis_is_mail_server }} + {{ if .Vars.rhel9cis_rule_2_2_18 }} +command: + mta_installed: + title: 2.2.18 | L1 | Ensure mail transfer agent is configured for local-only mode + exit-status: 1 + exec: 'ss -lntu | grep -E ":25\s" | grep -E -v "\s(127.0.0.1|\[?::1\]?):25\s"' + stdout: ['!/./'] + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.2.18 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true +file: + /etc/postfix/main.conf: + title: 2.2.18 | L1 | Ensure mail transfer agent is configured for local-only mode + exists: true + contains: + - '/^inet_interfaces = loopback-only/' + - '!/^inet_interfaces = all/' + - '!/^inet_interfaces = [iI][pP][vV]4/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.2.18 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.2.yml b/section_2/cis_2.2/cis_2.2.2.yml new file mode 100644 index 0000000..849475c --- /dev/null +++ b/section_2/cis_2.2/cis_2.2.2.yml @@ -0,0 +1,18 @@ +{{ if not .Vars.rhel9cis_xwindows_required }} + {{ if .Vars.rhel9cis_rule_2_2_2 }} +package: + xorgs-x11-server: + title: 2.2.2 | L1 | Ensure X11 Server components are not installed + installed: false + meta: + server: 1 + workstation: NA + CIS_ID: + - 2.2.2 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.3.yml b/section_2/cis_2.2/cis_2.2.3.yml new file mode 100644 index 0000000..90b2956 --- /dev/null +++ b/section_2/cis_2.2/cis_2.2.3.yml @@ -0,0 +1,17 @@ +{{ if .Vars.rhel9cis_rule_2_2_3 }} +service: + rsync: + title: 2.2.3 | L1 | Ensure rsync service is not enabled + enabled: false + running: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.2.3 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true +{{ end }} 
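Review bot: The `file` resource points at `/etc/postfix/main.conf`, but Postfix's main configuration is `/etc/postfix/main.cf`, so `exists: true` fails on every host and the `inet_interfaces` patterns are never evaluated against the real file; change the key to `/etc/postfix/main.cf:`. The gate `{{ if .Vars.rhel9cis_is_mail_server }}` also looks inverted relative to the control (local-only MTA on hosts that are not mail servers): if the variable means "this host is a dedicated mail server", the block should be `{{ if not .Vars.rhel9cis_is_mail_server }}` — worth confirming against the defaults file, which is not in this diff.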
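Review bot: The package name `xorgs-x11-server` is a typo; the RHEL packages are `xorg-x11-server-Xorg` and `xorg-x11-server-common`, so `installed: false` is trivially true and an installed X server is never reported. Use `xorg-x11-server-common:` (the package every X server variant depends on) as the resource key.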
diff --git a/section_2/cis_2.2/cis_2.2.4.yml b/section_2/cis_2.2/cis_2.2.4.yml new file mode 100644 index 0000000..0afb5d0 --- /dev/null +++ b/section_2/cis_2.2/cis_2.2.4.yml @@ -0,0 +1,19 @@ +{{ if not .Vars.rhel9cis_avahi_server }} + {{ if .Vars.rhel9cis_rule_2_2_4 }} +service: + avahi-daemon: + title: 2.2.4 | L1 | Ensure Avahi Server is not installed + enabled: false + running: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.2.4 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.5.yml b/section_2/cis_2.2/cis_2.2.5.yml new file mode 100644 index 0000000..2a1adab --- /dev/null +++ b/section_2/cis_2.2/cis_2.2.5.yml @@ -0,0 +1,19 @@ +{{ if not .Vars.rhel9cis_snmp_server}} + {{ if .Vars.rhel9cis_rule_2_2_5 }} +service: + snmpid: + title: 2.2.5 | L1 | Ensure SNMP Server is not enabled + running: false + enabled: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.2.5 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.6.yml b/section_2/cis_2.2/cis_2.2.6.yml new file mode 100644 index 0000000..dfb55a0 --- /dev/null +++ b/section_2/cis_2.2/cis_2.2.6.yml @@ -0,0 +1,19 @@ +{{ if not .Vars.rhel9cis_squid_server}} + {{ if .Vars.rhel9cis_rule_2_2_6 }} +service: + squid: + title: 2.2.6 | L1 | Ensure HTTP proxy Server is not enabled + running: false + enabled: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.2.6 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.7.yml b/section_2/cis_2.2/cis_2.2.7.yml new file mode 100644 index 0000000..6dba5b9 --- /dev/null +++ b/section_2/cis_2.2/cis_2.2.7.yml 
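Review bot: `avahi-daemon` is socket-activated, so `avahi-daemon.socket` will start the daemon on the first mDNS packet even when `avahi-daemon.service` is disabled; the benchmark audit checks both units. Add an `avahi-daemon.socket:` entry with the same `enabled: false` / `running: false` expectations. The title says "not installed" while the check only covers enablement; either add a `package: avahi:` with `installed: false` or reword the title to "not enabled" so the report does not overstate what was verified.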
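Review bot: The unit is `snmpd`, not `snmpid`; goss reports a misspelled unit as not enabled and not running, so this check passes on a host running net-snmp. Correct the resource key to `snmpd:`.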
@@ -0,0 +1,19 @@ +{{ if not .Vars.rhel9cis_smb_server}} + {{ if .Vars.rhel9cis_rule_2_2_7 }} +service: + smb: + title: 2.2.7 | L1 | Ensure Samba is not enabled + running: false + enabled: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.2.7 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.8.yml b/section_2/cis_2.2/cis_2.2.8.yml new file mode 100644 index 0000000..71eece5 --- /dev/null +++ b/section_2/cis_2.2/cis_2.2.8.yml @@ -0,0 +1,19 @@ +{{ if not .Vars.rhel9cis_dovecot_server}} + {{ if .Vars.rhel9cis_rule_2_2_8 }} +service: + dovecot: + title: 2.2.8 | L1 | Ensure IMAP and POP3 Server is not enabled + running: false + enabled: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.2.8 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_2/cis_2.2/cis_2.2.9.yml b/section_2/cis_2.2/cis_2.2.9.yml new file mode 100644 index 0000000..0fce3fc --- /dev/null +++ b/section_2/cis_2.2/cis_2.2.9.yml @@ -0,0 +1,19 @@ +{{ if not .Vars.rhel9cis_httpd_server}} + {{ if .Vars.rhel9cis_rule_2_2_9 }} +service: + httpd: + title: 2.2.9 | L1 | Ensure HTTP Server is not enabled + running: false + enabled: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 2.2.9 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_2/cis_2.3/cis_2.3.1_3.yml b/section_2/cis_2.3/cis_2.3.1_3.yml new file mode 100644 index 0000000..812b850 --- /dev/null +++ b/section_2/cis_2.3/cis_2.3.1_3.yml 
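Review bot: If the dovecot package on RHEL 9 ships a `dovecot.socket` unit, as it does on Fedora, a disabled `dovecot.service` can still be started by the first incoming IMAP/POP3 connection, and this hunk only checks the service. Add a `dovecot.socket:` entry with `enabled: false` / `running: false` next to it, mirroring the socket checks the benchmark applies to other socket-activated daemons.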
@@ -0,0 +1,52 @@ +package: + {{ if not .Vars.rhel9cis_ypbind_required }} + {{ if .Vars.rhel9cis_rule_2_3_1 }} + ypbind: + title: 2.3.1 | L1 | Ensure NIS Client is not installed + installed: false + meta: + server: 1 + workstation: NA + CIS_ID: + - 2.3.1 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + {{ end }} + {{ end }} + {{ if not .Vars.rhel9cis_telnet_required }} + {{ if .Vars.rhel9cis_rule_2_3_2 }} + telnet: + title: 2.3.2 | L1 | Ensure telnet client is not installed + installed: false + meta: + server: 1 + workstation: NA + CIS_ID: + - 2.3.2 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + {{ end }} + {{ end }} + {{ if not .Vars.rhel9cis_openldap_clients_required }} + {{ if .Vars.rhel9cis_rule_2_3_3 }} + openldap-clients: + title: 2.3.3 | L1 | Ensure LDAP client is not installed + installed: false + meta: + server: 1 + workstation: NA + CIS_ID: + - 2.3.3 + CISv8: + - 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + {{ end }} + {{ end }} diff --git a/section_3/cis_3.1/cis_3.1.1.yml b/section_3/cis_3.1/cis_3.1.1.yml new file mode 100644 index 0000000..13fe4fd --- /dev/null +++ b/section_3/cis_3.1/cis_3.1.1.yml @@ -0,0 +1,30 @@ +{{ if not .Vars.rhel9cis_is_router }} + {{ if .Vars.rhel9cis_rule_3_1_1 }} +kernel-param: + net.ipv4.ip_forward: + title: 3.1.1 | L1 | Ensure IP forwarding is disabled + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.1.1 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + + net.ipv6.conf.all.forwarding: + title: 3.1.1 | L1 | Ensure IP forwarding is disabled + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.1.1 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_3/cis_3.1/cis_3.1.2.yml b/section_3/cis_3.1/cis_3.1.2.yml new file mode 100644 index 0000000..8b04400 --- /dev/null +++ b/section_3/cis_3.1/cis_3.1.2.yml 
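Review bot: The top-level `package:` key is emitted unconditionally while all three children are gated, so with every toggle off the rendered file is `package:` with no value; goss may accept an empty mapping but the sibling files avoid the ambiguity by placing the gates outside the resource type, and this file should follow them. All three entries are also marked `workstation: NA` although the telnet client and LDAP client controls apply to workstations at Level 1 in the benchmark; these should be `workstation: 1` unless the scoring deliberately excludes them.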
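Review bot: `CISv8: 4.1` is a scalar here while every file in sections 1 and 2 writes it as a list (`CISv8:` / `- 4.1`), so a consumer iterating the metadata gets a string for section 3 and a sequence elsewhere; keep one shape throughout. Unlike 1.6.1/1.6.2, only the running value is asserted; the benchmark also requires the setting to be persisted, so a grep over `/etc/sysctl.conf` and `/etc/sysctl.d/*.conf` for `net.ipv4.ip_forward = 0` and `net.ipv6.conf.all.forwarding = 0` would catch a host that was changed at runtime but reverts on reboot.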
@@ -0,0 +1,27 @@ +{{ if .Vars.rhel9cis_rule_3_1_2 }} +kernel-param: + net.ipv4.conf.all.send_redirects: + title: 3.1.2 | L1 | Ensure packet redirect sending is disabled + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.1.2 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + net.ipv4.conf.default.send_redirects: + title: 3.1.2 | L1 | Ensure packet redirect sending is disabled + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.1.2 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_3/cis_3.2/cis_3.2.1.yml b/section_3/cis_3.2/cis_3.2.1.yml new file mode 100644 index 0000000..426b85a --- /dev/null +++ b/section_3/cis_3.2/cis_3.2.1.yml @@ -0,0 +1,51 @@ +{{ if .Vars.rhel9cis_rule_3_2_1 }} +kernel-param: + net.ipv4.conf.all.accept_source_route: + title: 3.2.1 | L1 | Ensure source routed packets are not accepted + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.2.1 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + net.ipv4.conf.default.accept_source_route: + title: 3.2.1 | L1 | Ensure source routed packets are not accepted + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.2.1 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + net.ipv6.conf.all.accept_source_route: + title: 3.2.1 | L1 | Ensure source routed packets are not accepted + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.2.1 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + net.ipv6.conf.default.accept_source_route: + title: 3.2.1 | L1 | Ensure source routed packets are not accepted + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.2.1 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_3/cis_3.2/cis_3.2.2.yml b/section_3/cis_3.2/cis_3.2.2.yml new file mode 100644 index 0000000..eb00adc --- /dev/null +++ b/section_3/cis_3.2/cis_3.2.2.yml 
@@ -0,0 +1,52 @@ +{{ if .Vars.rhel9cis_rule_3_2_2 }} +kernel-param: + net.ipv4.conf.all.accept_redirects: + title: 3.2.2 | L1 | Ensure ICMP redirects are not accepted + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.2.1 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + net.ipv4.conf.default.accept_redirects: + title: 3.2.2 | L1 | Ensure ICMP redirects are not accepted + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.2.1 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + net.ipv6.conf.all.accept_redirects: + title: 3.2.2 | L1 | Ensure ICMP redirects are not accepted + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.2.2 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + net.ipv6.conf.default.accept_redirects: + title: 3.2.2 | L1 | Ensure ICMP redirects are not accepted + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.2.2 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} + diff --git a/section_3/cis_3.2/cis_3.2.3.yml b/section_3/cis_3.2/cis_3.2.3.yml new file mode 100644 index 0000000..039ce43 --- /dev/null +++ b/section_3/cis_3.2/cis_3.2.3.yml @@ -0,0 +1,27 @@ +{{ if .Vars.rhel9cis_rule_3_2_3 }} +kernel-param: + net.ipv4.conf.all.secure_redirects: + title: 3.2.3 | L1 | Ensure secure ICMP redirects are not accepted + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.2.3 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + net.ipv4.conf.default.secure_redirects: + title: 3.2.3 | L1 | Ensure secure ICMP redirects are not accepted + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.2.3 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_3/cis_3.2/cis_3.2.4.yml b/section_3/cis_3.2/cis_3.2.4.yml new file mode 100644 index 0000000..be7b5d5 --- /dev/null +++ b/section_3/cis_3.2/cis_3.2.4.yml 
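Review bot: The two IPv4 entries carry `CIS_ID:` / `- 3.2.1` although they belong to 3.2.2 (the IPv6 entries below have it right), so `accept_redirects` results are reported under the source-route control. Change both to `- 3.2.2`.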
@@ -0,0 +1,27 @@ +{{ if .Vars.rhel9cis_rule_3_2_4 }} +kernel-param: + net.ipv4.conf.all.log_martians: + title: 3.2.4 | L1 | Ensure suspicious packets are logged + value: '1' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.2.4 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + net.ipv4.conf.default.log_martians: + title: 3.2.4 | L1 | Ensure suspicious packets are logged + value: '1' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.2.4 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_3/cis_3.2/cis_3.2.5.yml b/section_3/cis_3.2/cis_3.2.5.yml new file mode 100644 index 0000000..821a07c --- /dev/null +++ b/section_3/cis_3.2/cis_3.2.5.yml @@ -0,0 +1,15 @@ +{{ if .Vars.rhel9cis_rule_3_2_5 }} +kernel-param: + net.ipv4.icmp_echo_ignore_broadcasts: + title: 3.2.5 | L1 | Ensure broadcast ICMP requests are ignored + value: '1' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.2.5 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_3/cis_3.2/cis_3.2.6.yml b/section_3/cis_3.2/cis_3.2.6.yml new file mode 100644 index 0000000..bfa5b2b --- /dev/null +++ b/section_3/cis_3.2/cis_3.2.6.yml @@ -0,0 +1,15 @@ +{{ if .Vars.rhel9cis_rule_3_2_6 }} +kernel-param: + net.ipv4.icmp_ignore_bogus_error_responses: + title: 3.2.6 | L1 | Ensure bogus ICMP responses are ignored + value: '1' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.2.6 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_3/cis_3.2/cis_3.2.7.yml b/section_3/cis_3.2/cis_3.2.7.yml new file mode 100644 index 0000000..1fcbe49 --- /dev/null +++ b/section_3/cis_3.2/cis_3.2.7.yml 
@@ -0,0 +1,27 @@ +{{ if .Vars.rhel9cis_rule_3_2_7 }} +kernel-param: + net.ipv4.conf.all.rp_filter: + title: 3.2.7 | L1 | Ensure Reverse Path Filtering is enabled + value: '1' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.2.7 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + net.ipv4.conf.all.rp_filter: + title: 3.2.7 | L1 | Ensure Reverse Path Filtering is enabled + value: '1' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.2.7 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_3/cis_3.2/cis_3.2.8.yml b/section_3/cis_3.2/cis_3.2.8.yml new file mode 100644 index 0000000..d5d9d48 --- /dev/null +++ b/section_3/cis_3.2/cis_3.2.8.yml @@ -0,0 +1,15 @@ +{{ if .Vars.rhel9cis_rule_3_2_8 }} +kernel-param: + net.ipv4.tcp_syncookies: + title: 3.2.8 | L1 | Ensure TCP SYN Cookies is enabled + value: '1' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.2.8 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_3/cis_3.2/cis_3.2.9.yml b/section_3/cis_3.2/cis_3.2.9.yml new file mode 100644 index 0000000..9aae8f8 --- /dev/null +++ b/section_3/cis_3.2/cis_3.2.9.yml @@ -0,0 +1,27 @@ +{{ if .Vars.rhel9cis_rule_3_2_9 }} +kernel-param: + net.ipv6.conf.all.accept_ra: + title: 3.2.9 | L1 | Ensure IPv6 router advertisements are not accepted + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.2.9 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + net.ipv6.conf.default.accept_ra: + title: 3.2.9 | L1 | Ensure IPv6 router advertisements are not accepted + value: '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.2.9 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_3/cis_3.3/cis_3.3.1.yml b/section_3/cis_3.3/cis_3.3.1.yml new file mode 100644 index 0000000..e8511a2 --- /dev/null +++ b/section_3/cis_3.3/cis_3.3.1.yml 
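Review bot: `net.ipv4.conf.all.rp_filter` appears twice as a mapping key; the second entry was evidently meant to be `net.ipv4.conf.default.rp_filter`, so the `default` setting is never checked and, depending on the YAML parser, the duplicate key is either an error or silently collapsed into one check. Rename the second key to `net.ipv4.conf.default.rp_filter:`.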
@@ -0,0 +1,19 @@ +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_3_3_1 }} +command: + modprobe_dccp: + title: 3.3.1 | L2 | Ensure DCCP is disabled (Automated) + exit-status: 0 + exec: 'modprobe -n -v dccp' + stdout: ['install /bin/true'] + meta: + server: 2 + workstation: 2 + CIS_ID: + - 3.3.1 + CISv8: 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_3/cis_3.3/cis_3.3.2.yml b/section_3/cis_3.3/cis_3.3.2.yml new file mode 100644 index 0000000..518ab59 --- /dev/null +++ b/section_3/cis_3.3/cis_3.3.2.yml @@ -0,0 +1,19 @@ +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_3_3_2 }} +command: + modprobe_sctp: + title: 3.3.2 | L2 | Ensure SCTP is disabled (Automated) + exit-status: 0 + exec: 'modprobe -n -v dccp' + stdout: ['install /bin/true'] + meta: + server: 2 + workstation: 2 + CIS_ID: + - 3.3.2 + CISv8: 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_3/cis_3.3/cis_3.3.3.yml b/section_3/cis_3.3/cis_3.3.3.yml new file mode 100644 index 0000000..363a344 --- /dev/null +++ b/section_3/cis_3.3/cis_3.3.3.yml @@ -0,0 +1,19 @@ +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_3_3_3 }} +command: + modprobe_rds: + title: 3.3.3 | L2 | Ensure RDS is disabled (Automated) + exit-status: 0 + exec: 'modprobe -n -v rds' + stdout: ['install /bin/true'] + meta: + server: 2 + workstation: 2 + CIS_ID: + - 3.3.3 + CISv8: 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_3/cis_3.3/cis_3.3.4.yml b/section_3/cis_3.3/cis_3.3.4.yml new file mode 100644 index 0000000..98d6b96 --- /dev/null +++ b/section_3/cis_3.3/cis_3.3.4.yml 
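Review bot: `stdout: ['install /bin/true']` only accepts the `/bin/true` form of the install directive; the RHEL 9 benchmark and most hardening content write `install dccp /bin/false`, which would fail here despite being compliant. Accept either with `stdout: ['/install /bin/(true|false)/']`, and consider a second command `lsmod | grep -w dccp` with `exit-status: 1`, since an install directive does not unload a module that is already loaded.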
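Review bot: The SCTP check runs `modprobe -n -v dccp`, copied from 3.3.1, so it reports on DCCP and never inspects sctp. Change the exec to `'modprobe -n -v sctp'`; the stdout pattern should also allow `/bin/false` (`'/install /bin/(true|false)/'`) so a host hardened that way does not fail.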
@@ -0,0 +1,19 @@ +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_3_3_4 }} +command: + modprobe_sctp: + title: 3.3.4 | L2 | Ensure TIPC is disabled (Automated) + exit-status: 0 + exec: 'modprobe -n -v tipc' + stdout: ['install /bin/true'] + meta: + server: 2 + workstation: 2 + CIS_ID: + - 3.3.4 + CISv8: 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_3/cis_3.4/cis_3.4.1.1.yml b/section_3/cis_3.4/cis_3.4.1.1.yml new file mode 100644 index 0000000..39690f3 --- /dev/null +++ b/section_3/cis_3.4/cis_3.4.1.1.yml @@ -0,0 +1,15 @@ +{{ if .Vars.rhel9cis_rule_3_4_1_1}} +package: + {{ .Vars.rhel9cis_firewall }}: + title: 3.4.1.1 | L1 | Ensure firewall package is installed + installed: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.4.1.1 + CISv8: 4.4 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_3/cis_3.4/cis_3.4.2.1.yml b/section_3/cis_3.4/cis_3.4.2.1.yml new file mode 100644 index 0000000..18022eb --- /dev/null +++ b/section_3/cis_3.4/cis_3.4.2.1.yml @@ -0,0 +1,18 @@ +{{ if eq .Vars.rhel9cis_firewall "firewalld" }} + {{ if .Vars.rhel9cis_rule_3_4_2_1 }} +service: + firewalld: + title: 3.4.2.1 | L1 | Ensure firewalld service is enabled and running + enabled: true + running: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.4.2.1 + CISv8: 4.4 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_3/cis_3.4/cis_3.4.2.2.yml b/section_3/cis_3.4/cis_3.4.2.2.yml new file mode 100644 index 0000000..e7aef5a --- /dev/null +++ b/section_3/cis_3.4/cis_3.4.2.2.yml 
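Review bot: The resource is named `modprobe_sctp`, the same key used by cis_3.3.2.yml; when goss merges these files into one spec a duplicate `command` key can cause one check to overwrite the other, so either TIPC or SCTP would be silently dropped from the report. Rename it `modprobe_tipc:`, and let the stdout pattern accept `/bin/false` as well (`'/install /bin/(true|false)/'`).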
@@ -0,0 +1,38 @@ +{{ if eq .Vars.rhel9cis_firewall "firewalld" }} + {{ if .Vars.rhel9cis_rule_3_4_2_2 }} +service: + iptables: + title: 3.4.2.2 | L1 | Ensure iptables is not enabled with firewalld + enabled: false + running: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.4.2.2 + CISv8: + - 4.4 + - 4.8 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +command: + iptables_masked: + title: 3.4.2.2 | L1 | Ensure iptables is not enabled with firewalld + exec: "systemctl is-enabled iptables" + exit-status: 0 + stdout: + - '/(disabled|masked)/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.4.2.2 + CISv8: + - 4.4 + - 4.8 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_3/cis_3.4/cis_3.4.2.3.yml b/section_3/cis_3.4/cis_3.4.2.3.yml new file mode 100644 index 0000000..e786f82 --- /dev/null +++ b/section_3/cis_3.4/cis_3.4.2.3.yml @@ -0,0 +1,38 @@ +{{ if eq .Vars.rhel9cis_firewall "firewalld" }} + {{ if .Vars.rhel9cis_rule_3_4_2_3 }} +service: + nftables: + title: 3.4.2.3 | L1 | Ensure nftables is not enabled with firewalld + enabled: false + running: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.4.2.3 + CISv8: + - 4.4 + - 4.8 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +command: + nftables_masked: + title: 3.4.2.3 | L1 | Ensure iptables is not enabled with firewalld + exec: "systemctl is-enabled nftables" + exit-status: 0 + stdout: + - '/^(masked|disabled)/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.4.2.3 + CISv8: + - 4.4 + - 4.8 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_3/cis_3.4/cis_3.4.2.4.yml b/section_3/cis_3.4/cis_3.4.2.4.yml new file mode 100644 index 0000000..90bc22a --- /dev/null +++ b/section_3/cis_3.4/cis_3.4.2.4.yml 
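Review bot: `iptables_masked` requires `exit-status: 0` from `systemctl is-enabled iptables`, but `is-enabled` exits non-zero whenever the unit is disabled, masked or absent — exactly the states this control wants — so a compliant host always fails this command and the `/(disabled|masked)/` regex is never the deciding factor. Use `exit-status: 1`, and note that when the unit file is absent stdout is empty (the message goes to stderr), so a negative pattern such as `'!/^enabled/'` is more robust than the positive match on a host without iptables-services installed.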
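Review bot: `nftables_masked` has the same inverted exit status: `systemctl is-enabled nftables` returns non-zero for `disabled` and `masked`, so `exit-status: 0` can only be satisfied when nftables is enabled, the opposite of the control; set `exit-status: 1`. Its title also reads "Ensure iptables is not enabled with firewalld" and should say `Ensure nftables is not enabled with firewalld`.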
@@ -0,0 +1,20 @@ +{{ if eq .Vars.rhel9cis_firewall "firewalld" }} + {{ if .Vars.rhel9cis_rule_3_4_2_4 }} +command: + default_zone: + title: 3.4.2.4 | L1 | Ensure firewalld default zone is set + exec: firewall-cmd --get-default-zone + exit-status: 0 + stdout: + - '{{ .Vars.rhel9cis_default_firewall_zone }}' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.4.2.4 + CISv8: 4.4 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_3/cis_3.4/cis_3.4.2.5.yml b/section_3/cis_3.4/cis_3.4.2.5.yml new file mode 100644 index 0000000..3eff33f --- /dev/null +++ b/section_3/cis_3.4/cis_3.4.2.5.yml @@ -0,0 +1,22 @@ +{{ if eq .Vars.rhel9cis_firewall "firewalld" }} + {{ if .Vars.rhel9cis_rule_3_4_2_5 }} +command: + nic_assigned: + title: 3.4.2.5 | L1 | Ensure network interfaces are assigned to appropriate zone + exec: "nmcli -t connection show | awk -F ':' '{if($4){print $4}}' | while read INT; do firewall-cmd --get-active-zones | grep -B1 $INT; done" + exit-status: 0 + stdout: + {{ range .Vars.rhel9cis_firewall_interface }} + - '{{ . }}' + {{ end }} + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.4.2.5 + CISv8: 4.4 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_3/cis_3.4/cis_3.4.2.6.yml b/section_3/cis_3.4/cis_3.4.2.6.yml new file mode 100644 index 0000000..a4e0de1 --- /dev/null +++ b/section_3/cis_3.4/cis_3.4.2.6.yml 
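Review bot: In the `nic_assigned` pipeline `$INT` is expanded unquoted and passed to `grep -B1` as a pattern rather than a fixed string, so an interface name containing regex metacharacters or whitespace would be mis-matched; use `grep -B1 -F -- "$INT"`. The check also only establishes that each interface appears in some active zone: the expected stdout entries are plain substrings from `rhel9cis_firewall_interface`, so nothing ties an interface to the zone it should be in, which is what the title promises. If no NetworkManager connection has a device the loop body never runs, the exit status is 0 and only the stdout expectations fail — a comment in the file saying so would keep that failure from being misread.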
@@ -0,0 +1,20 @@ +{{ if eq .Vars.rhel9cis_firewall "firewalld" }} + {{ if .Vars.rhel9cis_rule_3_4_2_6 }} +command: + fw_port_svcs: + title: 3.4.2.6 | L1 | Ensure firewalld drops unnecessary services and ports + exec: "firewall-cmd --get-active-zones | awk '!/:/ {print $1}' | while read ZN; do firewall-cmd --list-all --zone=$ZN | grep services; done" + exit-status: 0 + stdout: + - '{{ .Vars.rhel9cis_firewall_services }}' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 3.4.2.6 + CISv8: 4.4 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} \ No newline at end of file diff --git a/section_3/cis_3.5/cis_3.5.yml b/section_3/cis_3.5/cis_3.5.yml new file mode 100644 index 0000000..c9b50f1 --- /dev/null +++ b/section_3/cis_3.5/cis_3.5.yml @@ -0,0 +1,19 @@ +{{ if .Vars.rhel9cis_rule_3_5 }} +command: + wireless_disabled: + title: 3.5 | L1 | Ensure wireless interfaces are disabled (Manual) + exit-status: 0 + exec: 'nmcli radio all | tail -1' + stdout: + - '/^(enabled|disabled)\s\s(disabled)\s\s(enabled|disabled)\s\s(disabled)/' + meta: + server: 1 + workstation: 2 + CIS_ID: + - 3.5 + CISv8: 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true +{{ end }} + diff --git a/section_3/cis_3.6/cis_3.6.yml b/section_3/cis_3.6/cis_3.6.yml new file mode 100644 index 0000000..7618596 --- /dev/null +++ b/section_3/cis_3.6/cis_3.6.yml 
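Review bot: The `fw_port_svcs` pipeline keeps only the `services:` line from `firewall-cmd --list-all`, so the ports half of the control named in the title is never examined; widen the filter, e.g. `| grep -E '^\s*(services|ports):'`, and add a matching expectation for ports. The stdout entry `'{{ .Vars.rhel9cis_firewall_services }}'` is a plain substring match, so extra services listed after the expected ones on the same line would still pass; if `rhel9cis_firewall_services` is a list rather than a string it would also render in Go's slice notation, which is worth confirming against the defaults. The loop's exit status is that of the last `grep` only, so a failure on any zone but the last is masked.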
@@ -0,0 +1,35 @@ +{{ if .Vars.rhel9cis_level_2 }} + {{ if not .Vars.rhel9cis_ipv6_required }} +file: + {{ if .Vars.rhel9cis_rule_3_6 }} + /boot/grub2/grubenv: + title: 3.6 | Disable IPv6_running_check + exists: true + contains: + - '/(?=\S+\s(ipv6\.disable=1.*)$)kernelopts=/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 3.6 + CISv8: 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + /etc/default/grub: + title: 3.6 | Disable IPv6_boottime + exists: true + contains: + - '/(?=\S+\s(ipv6\.disable=1.*)$)^GRUB_CMDLINE_LINUX="/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 3.6 + CISv8: 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + {{ end }} + {{ end }} +{{ end }} diff --git a/section_4/cis_4.1/cis_4.1.1.1-2.yml b/section_4/cis_4.1/cis_4.1.1.1-2.yml new file mode 100644 index 0000000..984ea5d --- /dev/null +++ b/section_4/cis_4.1/cis_4.1.1.1-2.yml @@ -0,0 +1,43 @@ +{{ if .Vars.rhel9cis_rule_4_1_1_1 }} +package: + audit: + title: 4.1.1.1 | L2 | Ensure auditd is installed + installed: true + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.1.1 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + audit-libs: + title: 4.1.1.1 | L2 | Ensure auditd is installed + installed: true + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.1.1 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} + {{ if .Vars.rhel9cis_rule_4_1_1_2 }} +service: + auditd: + title: 4.1.1.2 | L2 | Ensure auditd service is enabled and running + enabled: true + running: true + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.1.2 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_4/cis_4.1/cis_4.1.1.3.yml b/section_4/cis_4.1/cis_4.1.1.3.yml new file mode 100644 index 0000000..8fb797d --- /dev/null +++ b/section_4/cis_4.1/cis_4.1.1.3.yml 
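Review bot: Both `contains` patterns in this hunk use a lookahead (`(?=…)`), which the RE2-based Go `regexp` that goss uses does not support, so the test will error rather than evaluate; rewrite without lookaround, e.g. `'/^kernelopts=.*\sipv6\.disable=1(\s|$)/'` and `'/^GRUB_CMDLINE_LINUX=".*\sipv6\.disable=1/'`. The `file:` key is also emitted outside `{{ if .Vars.rhel9cis_rule_3_6 }}`, so with the rule disabled the rendered document contains an empty `file:` mapping; moving the key inside the conditional avoids that. The two titles lack the `L2 |` level marker every other file carries.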
@@ -0,0 +1,31 @@ +{{ if .Vars.rhel9cis_rule_4_1_1_3 }} +file: + /boot/grub2/grubenv: + title: 4.1.1.3 | L2 | Ensure auditing for processes that start prior to auditd is enabled (Automated) + exists: true + contains: + - '/^kernelopts=.*\saudit=1.*/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.1.3 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + /etc/default/grub: + title: (L2) 4.1.1.3 | L2 | Ensure auditing for processes that start prior to auditd is enabled (Automated) + exists: true + contains: + - '/^GRUB_CMDLINE_LINUX=.*\saudit=1.*/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.1.3 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_4/cis_4.1/cis_4.1.1.4.yml b/section_4/cis_4.1/cis_4.1.1.4.yml new file mode 100644 index 0000000..e780b71 --- /dev/null +++ b/section_4/cis_4.1/cis_4.1.1.4.yml @@ -0,0 +1,31 @@ +{{ if .Vars.rhel9cis_rule_4_1_1_4 }} +file: + /boot/grub2/grubenv: + title: 4.1.1.4 | L2 | Ensure audit_backlog_limit is sufficient + exists: true + contains: + - '/^kernelopts.*\saudit_backlog_limit=8192.*/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.1.4 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + /etc/default/grub: + title: 4.1.1.4 | L2 | Ensure audit_backlog_limit is sufficient + exists: true + contains: + - '/^GRUB_CMDLINE_LINUX=.*\saudit_backlog_limit=8192.*/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.1.4 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_4/cis_4.1/cis_4.1.10.yml b/section_4/cis_4.1/cis_4.1.10.yml new file mode 100644 index 0000000..c753560 --- /dev/null +++ b/section_4/cis_4.1/cis_4.1.10.yml 
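Review bot: The second entry's title carries a stray `(L2) ` prefix (`title: (L2) 4.1.1.3 | L2 | …`) that no other check uses; drop it so both entries for this control are titled identically, as in cis_4.1.1.4.yml. Both patterns end in `\saudit=1.*`, which also accepts `audit=10`; `\saudit=1(\s|$)` pins the value.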
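Review bot: Both patterns only accept the literal value `audit_backlog_limit=8192`, whereas the control asks for a sufficient limit (8192 is the benchmark minimum), so a host configured with a larger value fails the check. Either template the value as other files do, e.g. `'/^GRUB_CMDLINE_LINUX=.*\saudit_backlog_limit={{ .Vars.AUDIT_BACKLOG_VAR }}\b/'` (placeholder variable name — define it in the defaults), or match any number and state the minimum in a comment above the pattern.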
@@ -0,0 +1,39 @@ +{{ if .Vars.rhel9cis_rule_4_1_10 }} +command: + auditd_access_cnf: + title: 4.1.10 | L2 | Ensure unsuccessful unauthorized file access attempts are collected | conf check + exec: grep access /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access' + - '-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access' + - '-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access' + - '-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.10 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + auditd_access_live: + title: 4.1.10 | L2 | Ensure unsuccessful unauthorized file access attempts are collected | running + exec: auditctl -l | grep access + exit-status: 0 + stdout: + - '-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access' + - '-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access' + - '-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access' + - '-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.10 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true +{{ end }} \ No newline at end of file 
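Review bot: The `conf check` expectations pin one exact spelling and syscall order per rule (`-S creat,open,openat,…`, `-F auid!=4294967295`, `-F key=access`), so a rules file written in another form auditd accepts — `-S open -S creat …`, `-k access` — fails the conf check even though `auditd_access_live` passes. The suite is not consistent about which form it expects either: cis_4.1.9.yml and cis_4.1.6.yml expect the repeated `-S` form with `-k`, while cis_4.1.14.yml mixes both in one line. Since the live check already verifies the loaded rules via `auditctl -l`, which normalises the spelling, consider a regex that tolerates either form for the conf check, or a comment at the top of these files stating that they expect rules exactly as presumably written by the companion remediation role.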
diff --git a/section_4/cis_4.1/cis_4.1.11.yml b/section_4/cis_4.1/cis_4.1.11.yml new file mode 100644 index 0000000..4135481 --- /dev/null +++ b/section_4/cis_4.1/cis_4.1.11.yml @@ -0,0 +1,41 @@ +{{ if .Vars.rhel9cis_rule_4_1_11 }} +command: + auditd_identity_cnf: + title: 4.1.11 | L2 | Ensure events that modify user/group information are collected | conf check + exec: grep identity /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '-w /etc/group -p wa -k identity' + - '-w /etc/passwd -p wa -k identity' + - '-w /etc/gshadow -p wa -k identity' + - '-w /etc/shadow -p wa -k identity' + - '-w /etc/security/opasswd -p wa -k identity' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.11 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + auditd_identity_live: + title: 4.1.11 | L2 | Ensure events that modify user/group information are collected | running + exec: auditctl -l | grep identity + exit-status: 0 + stdout: + - '-w /etc/group -p wa -k identity' + - '-w /etc/passwd -p wa -k identity' + - '-w /etc/gshadow -p wa -k identity' + - '-w /etc/shadow -p wa -k identity' + - '-w /etc/security/opasswd -p wa -k identity' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.11 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true +{{ end }} \ No newline at end of file diff --git a/section_4/cis_4.1/cis_4.1.12.yml b/section_4/cis_4.1/cis_4.1.12.yml new file mode 100644 index 0000000..3195b9b --- /dev/null +++ b/section_4/cis_4.1/cis_4.1.12.yml 
@@ -0,0 +1,35 @@ +{{ if .Vars.rhel9cis_rule_4_1_12 }} +command: + auditd_mounts_cnf: + title: 4.1.12 | L2 | Ensure successful file system mounts are collected | conf check + exec: grep mounts /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts' + - '-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.12 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + auditd_mounts_live: + title: 4.1.12 | L2 | Ensure successful file system mounts are collected | running + exec: auditctl -l | grep mounts + exit-status: 0 + stdout: + - '-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=-1 -F key=mounts' + - '-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=-1 -F key=mounts' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.12 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true +{{ end }} \ No newline at end of file diff --git a/section_4/cis_4.1/cis_4.1.13.yml b/section_4/cis_4.1/cis_4.1.13.yml new file mode 100644 index 0000000..b7d7308 --- /dev/null +++ b/section_4/cis_4.1/cis_4.1.13.yml @@ -0,0 +1,17 @@ +{{ if .Vars.rhel9cis_rule_4_1_13 }} +command: + auditd_priv_cmds_cnf: + title: 4.1.13 | L2 | Ensure use of privileged commands is collected + exec: grep mounts /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.13 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true +{{ end }} \ No newline at end of file diff --git a/section_4/cis_4.1/cis_4.1.14.yml b/section_4/cis_4.1/cis_4.1.14.yml new file mode 100644 index 0000000..06b16ca --- /dev/null +++ b/section_4/cis_4.1/cis_4.1.14.yml 
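Review bot: `auditd_priv_cmds_cnf` greps for `mounts` (copied from cis_4.1.12.yml) and has an empty `stdout:` list, so this control passes whenever the mounts rule exists and never looks at privileged-command rules; there is also no `_live` counterpart. The expected rules for this control are host-specific (one `-a always,exit -F path=… -F perm=x … -k privileged` line per setuid/setgid binary), so the check needs either a templated list from a variable or a command that enumerates the binaries and compares, rather than a fixed grep. At minimum change the exec to `grep privileged /etc/audit/rules.d/*.rules`, give `stdout` at least one expectation, and add an `auditctl -l | grep privileged` live check so the file does not report a false pass.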
@@ -0,0 +1,35 @@ +{{ if .Vars.rhel9cis_rule_4_1_14 }} +command: + auditd_delete_cnf: + title: 4.1.14 | L2 | Ensure file deletion events by users are collected | conf check + exec: grep delete /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '-a always,exit -F arch=b32 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete' + - '-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.14 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + auditd_delete_live: + title: 4.1.14 | L2 | Ensure file deletion events by users are collected | running + exec: auditctl -l | grep delete + exit-status: 0 + stdout: + - '-a always,exit -F arch=b32 -S unlink,rename,rmdir,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete' + - '-a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.14 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true +{{ end }} \ No newline at end of file diff --git a/section_4/cis_4.1/cis_4.1.15.yml b/section_4/cis_4.1/cis_4.1.15.yml new file mode 100644 index 0000000..4d4a3c7 --- /dev/null +++ b/section_4/cis_4.1/cis_4.1.15.yml 
@@ -0,0 +1,39 @@ +{{ if .Vars.rhel9cis_rule_4_1_15 }} +command: + auditd_module_cnf: + title: 4.1.15 | L2 | Ensure kernel module loading and unloading is collected | conf check + exec: grep modules /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '-w /usr/sbin/insmod -p x -k modules' + - '-w /usr/sbin/rmmod -p x -k modules' + - '-w /usr/sbin/modprobe -p x -k modules' + - '-a always,exit -F arch=b64 -S init_module -S delete_module -k modules' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.15 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + auditd_admin_module_live: + title: 4.1.15 | L2 | Ensure kernel module loading and unloading is collected | running + exec: auditctl -l | grep modules + exit-status: 0 + stdout: + - '-w /usr/sbin/insmod -p x -k modules' + - '-w /usr/sbin/rmmod -p x -k modules' + - '-w /usr/sbin/modprobe -p x -k modules' + - '-a always,exit -F arch=b64 -S init_module,delete_module -F key=modules' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.15 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true +{{ end }} \ No newline at end of file diff --git a/section_4/cis_4.1/cis_4.1.16.yml b/section_4/cis_4.1/cis_4.1.16.yml new file mode 100644 index 0000000..3ed57ab --- /dev/null +++ b/section_4/cis_4.1/cis_4.1.16.yml 
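Review bot: The live check is keyed `auditd_admin_module_live` while its conf counterpart is `auditd_module_cnf`; every other file pairs `<name>_cnf` with `<name>_live`, so rename it to `auditd_module_live:` to keep the report grouping consistent.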
@@ -0,0 +1,33 @@ +{{ if .Vars.rhel9cis_rule_4_1_16 }} +command: + auditd_sudolog_cnf: + title: 4.1.16 | L2 | Ensure system administrator actions (sudolog) are collected | conf check + exec: grep '^-w \/var\/log\/sudo.log -p wa -k actions$' /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '-w /var/log/sudo.log -p wa -k actions' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.16 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + auditd_sudolog_live: + title: 4.1.16 | L2 | Ensure system administrator actions (sudolog) are collected | running + exec: auditctl -l | grep actions + exit-status: 0 + stdout: + - '-w /var/log/sudo.log -p wa -k actions' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.16 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true +{{ end }} \ No newline at end of file diff --git a/section_4/cis_4.1/cis_4.1.17.yml b/section_4/cis_4.1/cis_4.1.17.yml new file mode 100644 index 0000000..7f3b859 --- /dev/null +++ b/section_4/cis_4.1/cis_4.1.17.yml @@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_4_1_17 }} +command: + auditd_immutable: + title: 4.1.17 | L2 | Ensure the audit configuration is immutable + exec: 'grep "-e 2" /etc/audit/rules.d/*.rules | tail -1' + exit-status: 0 + stdout: + - '-e 2' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.17 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_4/cis_4.1/cis_4.1.2.1.yml b/section_4/cis_4.1/cis_4.1.2.1.yml new file mode 100644 index 0000000..7d492b4 --- /dev/null +++ b/section_4/cis_4.1/cis_4.1.2.1.yml @@ -0,0 +1,17 @@ +{{ if .Vars.rhel9cis_rule_4_1_2_1 }} +file: + /etc/audit/auditd.conf: + exists: true + title: 4.1.2.1 | L2 | Ensure audit log storage size is configured + contains: + - '/^max_log_file = \d+/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.2.1 + CISv8: 8.3 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true +{{ end }} 
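Review bot: In `auditd_immutable`, `grep "-e 2" …` passes `-e 2` as a single argument, which I believe grep parses as its `-e` option with the pattern ` 2` rather than as the literal text `-e 2`; use `grep -- '-e 2'` or, tighter, `grep -E '^-e 2$'` so only the immutable line matches. The check also does not confirm that `-e 2` is the last rule: `tail -1` applies to the grep output, not to the rules file, so an `-e 2` line followed by further rules still passes. A short comment on why `tail -1` is there would help the next reader.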
diff --git a/section_4/cis_4.1/cis_4.1.2.2.yml b/section_4/cis_4.1/cis_4.1.2.2.yml new file mode 100644 index 0000000..26e9eac --- /dev/null +++ b/section_4/cis_4.1/cis_4.1.2.2.yml @@ -0,0 +1,17 @@ +{{ if .Vars.rhel9cis_rule_4_1_2_2 }} +file: + /etc/audit/auditd.conf: + exists: true + title: 4.1.2.2 | L2 | Ensure audit logs are not automatically deleted + contains: + - 'max_log_file_action = {{ .Vars.rhel9cis_auditd.max_log_file_action }}' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.2.2 + CISv8: 8.3 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true +{{ end }} \ No newline at end of file diff --git a/section_4/cis_4.1/cis_4.1.2.3.yml b/section_4/cis_4.1/cis_4.1.2.3.yml new file mode 100644 index 0000000..b96a248 --- /dev/null +++ b/section_4/cis_4.1/cis_4.1.2.3.yml @@ -0,0 +1,21 @@ +{{ if .Vars.rhel9cis_rule_4_1_2_3 }} +file: + /etc/audit/auditd.conf: + title: 4.1.2.3 | L2 | Ensure system is disabled when audit logs are full + exists: true + contains: + - space_left_action = email + - action_mail_acct = root + - '/^admin_space_left_action = {{ .Vars.rhel9cis_auditd.admin_space_left_action }}/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.2.3 + CISv8: + - 8.2 + - 8.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_4/cis_4.1/cis_4.1.3.yml b/section_4/cis_4.1/cis_4.1.3.yml new file mode 100644 index 0000000..54c1b9b --- /dev/null +++ b/section_4/cis_4.1/cis_4.1.3.yml 
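Review bot: `space_left_action = email` and `action_mail_acct = root` are plain substring expectations, so a commented-out line such as `#space_left_action = email` also satisfies them, while the third entry is an anchored regex; anchor the first two the same way, `'/^space_left_action = email/'` and `'/^action_mail_acct = root/'`. The same unanchored form is used in cis_4.1.2.2.yml (`max_log_file_action = …`). If hand-edited files are in scope, `\s*=\s*` in place of the fixed ` = ` would presumably be more forgiving of whitespace.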
@@ -0,0 +1,38 @@ +{{ if .Vars.rhel9cis_rule_4_1_3 }} +command: + auditd_admin_scope_cnf: + title: 4.1.3 | L2 | Ensure changes to system administration scope (sudoers) is collected | conf_check + exec: grep scope /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '-w /etc/sudoers -p wa -k scope' + - '-w /etc/sudoers.d/ -p wa -k scope' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.3 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + auditd_admin_scope_live: + title: 4.1.3 | L2 | Ensure changes to system administration scope (sudoers) is collected | running + exec: auditctl -l | grep scope + exit-status: 0 + stdout: + - '-w /etc/sudoers -p wa -k scope' + - '-w /etc/sudoers.d -p wa -k scope' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.3 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true +{{ end }} + + + diff --git a/section_4/cis_4.1/cis_4.1.4.yml b/section_4/cis_4.1/cis_4.1.4.yml new file mode 100644 index 0000000..52bc7e2 --- /dev/null +++ b/section_4/cis_4.1/cis_4.1.4.yml @@ -0,0 +1,35 @@ +{{ if .Vars.rhel9cis_rule_4_1_4 }} +command: + auditd_logins_cnf: + title: 4.1.4 | L2 | Ensure login and logout events are collected | conf check + exec: grep logins /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '-w /var/log/faillog -p wa -k logins' + - '-w /var/log/lastlog -p wa -k logins' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.4 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + auditd_logins_live: + title: 4.1.4 | L2 | Ensure login and logout events are collected | running + exec: auditctl -l | grep logins + exit-status: 0 + stdout: + - '-w /var/log/faillog -p wa -k logins' + - '-w /var/log/lastlog -p wa -k logins' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.4 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true +{{ end }} \ No newline at end of file 
diff --git a/section_4/cis_4.1/cis_4.1.5.yml b/section_4/cis_4.1/cis_4.1.5.yml new file mode 100644 index 0000000..c780216 --- /dev/null +++ b/section_4/cis_4.1/cis_4.1.5.yml @@ -0,0 +1,37 @@ +{{ if .Vars.rhel9cis_rule_4_1_5 }} +command: + auditd_sessions_cnf: + title: 4.1.5 | L2 | Ensure session initiation information is collected | conf check + exec: "grep -E '(session|logins)' /etc/audit/rules.d/*.rules" + exit-status: 0 + stdout: + - '-w /var/run/utmp -p wa -k session' + - '-w /var/log/wtmp -p wa -k logins' + - '-w /var/log/btmp -p wa -k logins' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.5 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + auditd_session_live: + title: 4.1.5 | L2 | Ensure session initiation information is collected | running + exec: "auditctl -l | grep -E '(session|logins)'" + exit-status: 0 + stdout: + - '-w /var/run/utmp -p wa -k session' + - '-w /var/log/wtmp -p wa -k logins' + - '-w /var/log/btmp -p wa -k logins' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.5 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true +{{ end }} \ No newline at end of file diff --git a/section_4/cis_4.1/cis_4.1.6.yml b/section_4/cis_4.1/cis_4.1.6.yml new file mode 100644 index 0000000..e0a640d --- /dev/null +++ b/section_4/cis_4.1/cis_4.1.6.yml 
@@ -0,0 +1,41 @@ +{{ if .Vars.rhel9cis_rule_4_1_6 }} +command: + auditd_time_cnf: + title: 4.1.6 | L2 | Ensure events that modify date and time information are collected | conf check + exec: grep time-change /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change' + - '-a always,exit -F arch=b32 -S clock_settime -k time-change' + - '-w /etc/localtime -p wa -k time-change' + - '-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change' + - '-a always,exit -F arch=b64 -S clock_settime -k time-change' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.6 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + auditd_time_live: + title: 4.1.6 | L2 | Ensure events that modify date and time information are collected | running + exec: auditctl -l | grep time-change + exit-status: 0 + stdout: + - '-a always,exit -F arch=b32 -S stime,settimeofday,adjtimex -F key=time-change' + - '-a always,exit -F arch=b32 -S clock_settime -F key=time-change' + - '-w /etc/localtime -p wa -k time-change' + - '-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change' + - '-a always,exit -F arch=b64 -S clock_settime -F key=time-change' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.6 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_4/cis_4.1/cis_4.1.7.yml b/section_4/cis_4.1/cis_4.1.7.yml new file mode 100644 index 0000000..de8ac88 --- /dev/null +++ b/section_4/cis_4.1/cis_4.1.7.yml 
@@ -0,0 +1,37 @@ +{{ if not .Vars.rhel9cis_selinux_disable }} + {{ if .Vars.rhel9cis_rule_4_1_7 }} +command: + auditd_MAC_cnf: + title: 4.1.7 | L2 | Ensure events that modify the system's Mandatory Access Controls are collected + exec: grep MAC-policy /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '-w /etc/selinux/ -p wa -k MAC-policy' + - '-w /usr/share/selinux/ -p wa -k MAC-policy' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.7 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + auditd_MAC_live: + title: 4.1.7 | L2 | Ensure events that modify the system's Mandatory Access Controls are collected + exec: auditctl -l | grep MAC-policy + exit-status: 0 + stdout: + - '-w /etc/selinux -p wa -k MAC-policy' + - '-w /usr/share/selinux -p wa -k MAC-policy' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.7 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_4/cis_4.1/cis_4.1.8.yml b/section_4/cis_4.1/cis_4.1.8.yml new file mode 100644 index 0000000..6107c72 --- /dev/null +++ b/section_4/cis_4.1/cis_4.1.8.yml 
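Review bot: Both checks in this file carry the identical title `4.1.7 | L2 | Ensure events that modify the system's Mandatory Access Controls are collected`, whereas the sibling files distinguish the pair with `| conf check` and `| running` suffixes; add the suffixes so the two results can be told apart in the report.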
@@ -0,0 +1,43 @@ +{{ if .Vars.rhel9cis_rule_4_1_8 }} +command: + auditd_locale_cnf: + title: 4.1.8 | L2 | Ensure events that modify the system's network environment are collected | conf check + exec: grep system-locale /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale' + - '-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale' + - '-w /etc/issue -p wa -k system-locale' + - '-w /etc/issue.net -p wa -k system-locale' + - '-w /etc/hosts -p wa -k system-locale' + - '-w /etc/sysconfig/network -p wa -k system-locale' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.8 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + auditd_locale_live: + title: 4.1.8 | L2 | Ensure events that modify the system's network environment are collected | running + exec: auditctl -l | grep system-locale + exit-status: 0 + stdout: + - '-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale' + - '-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale' + - '-w /etc/issue -p wa -k system-locale' + - '-w /etc/issue.net -p wa -k system-locale' + - '-w /etc/hosts -p wa -k system-locale' + - '-w /etc/sysconfig/network -p wa -k system-locale' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.8 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true +{{ end }} \ No newline at end of file diff --git a/section_4/cis_4.1/cis_4.1.9.yml b/section_4/cis_4.1/cis_4.1.9.yml new file mode 100644 index 0000000..42b259c --- /dev/null +++ b/section_4/cis_4.1/cis_4.1.9.yml 
@@ -0,0 +1,43 @@ +{{ if .Vars.rhel9cis_rule_4_1_9 }} +command: + auditd_perms_cnf: + title: 4.1.9 | L2 | Ensure discretionary access control permission modification events are collected | conf check + exec: grep perm_mod /etc/audit/rules.d/*.rules + exit-status: 0 + stdout: + - '-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod' + - '-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod' + - '-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod' + - '-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod' + - '-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' + - '-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.9 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + auditd_perms_live: + title: 4.1.9 | L2 | Ensure discretionary access control permission modification events are collected | running + exec: auditctl -l | grep perm_mod + exit-status: 0 + stdout: + - '-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod' + - '-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod' + - '-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod' + - '-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod' + - '-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=-1 -F key=perm_mod' + - '-a always,exit -F arch=b32 -S 
setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=-1 -F key=perm_mod' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 4.1.9 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true +{{ end }} \ No newline at end of file diff --git a/section_4/cis_4.2/cis_4.2.1.1.yml b/section_4/cis_4.2/cis_4.2.1.1.yml new file mode 100644 index 0000000..d2b491c --- /dev/null +++ b/section_4/cis_4.2/cis_4.2.1.1.yml @@ -0,0 +1,16 @@ +{{ if .Vars.rhel9cis_rule_4_2_1_1 }} +package: + rsyslog: + title: 4.2.1.1 | L1 | Ensure rsyslog is installed + installed: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.2.1.1 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} + diff --git a/section_4/cis_4.2/cis_4.2.1.2.yml b/section_4/cis_4.2/cis_4.2.1.2.yml new file mode 100644 index 0000000..f65127a --- /dev/null +++ b/section_4/cis_4.2/cis_4.2.1.2.yml @@ -0,0 +1,16 @@ +{{ if .Vars.rhel9cis_rule_4_2_1_2 }} +service: + rsyslog: + title: 4.2.1.2 | L1 | Ensure rsyslog Service is enabled and running + running: true + enabled: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.2.1.2 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_4/cis_4.2/cis_4.2.1.3.yml b/section_4/cis_4.2/cis_4.2.1.3.yml new file mode 100644 index 0000000..94ab769 --- /dev/null +++ b/section_4/cis_4.2/cis_4.2.1.3.yml @@ -0,0 +1,19 @@ +{{ if .Vars.rhel9cis_rule_4_2_1_3 }} +command: + perms_rsyslog_d: + title: 4.2.1.3 | L1 | Ensure rsyslog default file permissions configured + exec: 'grep -s ^\$FileCreateMode /etc/rsyslog.conf /etc/rsyslog.d/*.conf | cut -f2 -d:' + exit-status: 0 + stdout: + - '/\$FileCreateMode 06[0:4]0/' + - '!/\$FileCreateMode 06[6:7][0:7]/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.2.1.1 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} 
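Review bot: `CIS_ID` in `perms_rsyslog_d` is `4.2.1.1` but the file and title are for control 4.2.1.3; change it to `- 4.2.1.3`. The two regexes also use `[0:4]`, `[6:7]` and `[0:7]`, which in Go's regexp are character classes containing the colon and the two digits, not ranges — `06[0:4]0` matches 0600 and 0640 but not 0620, and the negative pattern misses values like 0661 or 0664; they should read `/\$FileCreateMode 06[0-4]0/` and `!/\$FileCreateMode 06[6-7][0-7]/`.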
diff --git a/section_4/cis_4.2/cis_4.2.1.4.yml b/section_4/cis_4.2/cis_4.2.1.4.yml new file mode 100644 index 0000000..af73cf3 --- /dev/null +++ b/section_4/cis_4.2/cis_4.2.1.4.yml @@ -0,0 +1,30 @@ +{{ if .Vars.rhel9cis_rule_4_2_1_4 }} +file: + /etc/rsyslog.conf: + title: 4.2.1.4 | L1 | Ensure logging is configured + exists: true + contains: + - '/^mail.* -/var/log/mail/' + - '/^mail.info\s* -/var/log/mail.info/' + - '/^mail.warning\s* -/var/log/mail.warning/' + - '/^mail.err\s* /var/log/mail.err/' + - '/^news.crit\s* -/var/log/news/news.crit/' + - '/^news.notice\s* -/var/log/news/news.crit/' + - '/^*.=warning;\*.=err\s* -/var/log/warn/' + - '/^*.crit\s* /var/log/warn/' + - '/^*.*;mail.none;news.none\s* /var/log/messages/' + - '/^local0,local1.\*\s* -/var/log/localmessages/' + - '/^local2,local3.\*\s* -/var/log/localmessages/' + - '/^local4,local5.\*\s* -/var/log/localmessages/' + - '/^local6,local7.\*\s* -/var/log/localmessages/' + - '/^\*.emrg\s* :omusrmsg:\*/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.2.1.4 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_4/cis_4.2/cis_4.2.1.5.yml b/section_4/cis_4.2/cis_4.2.1.5.yml new file mode 100644 index 0000000..a0ccda4 --- /dev/null +++ b/section_4/cis_4.2/cis_4.2.1.5.yml @@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_4_2_1_5 }} +command: + remote_syslog: + title: 4.2.1.5 | L1 | Ensure rsyslog is configured to send logs to a remote host + exec: 'grep -m 1 -s "^*.*[^I][^I]*@" /etc/rsyslog.conf /etc/rsyslog.d/*.conf | cut -f2 -d:' + exit-status: 0 + stdout: + - '/\*\.\* @+.*\./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.2.1.5 + CISv8: 8.9 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_4/cis_4.2/cis_4.2.2.1.yml b/section_4/cis_4.2/cis_4.2.2.1.yml new file mode 100644 index 0000000..0f49413 --- /dev/null +++ b/section_4/cis_4.2/cis_4.2.2.1.yml 
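Review bot: Three of the `contains` patterns begin with `^*` (`/^*.=warning;…/`, `/^*.crit…/`, `/^*.*;mail.none…/`), which Go's regexp rejects as a repetition operator with no operand, so the whole file check errors instead of evaluating; escape it as `^\*`. `/^\*.emrg\s* :omusrmsg:\*/` misspells the priority (`emerg`), and `/^news.notice\s* -/var/log/news/news.crit/` points news.notice at the news.crit file — presumably `news.notice` was intended. The `.` between facility and priority is unescaped throughout; `\.` would make the patterns literal.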
@@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_4_2_2_1 }} +file: + /etc/systemd/journald.conf: + title: 4.2.2.1 | L1 | Ensure journald is configured to send logs to rsyslog + exists: true + contains: + - ForwardToSyslog=yes + - "!ForwardToSyslog=[Nn][Oo]" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.2.2.1 + CISv8: 8.9 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_4/cis_4.2/cis_4.2.2.2.yml b/section_4/cis_4.2/cis_4.2.2.2.yml new file mode 100644 index 0000000..792d494 --- /dev/null +++ b/section_4/cis_4.2/cis_4.2.2.2.yml @@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_4_2_2_2 }} +file: + /etc/systemd/journald.conf: + title: 4.2.2.2 | L1 | Ensure journald is configured to compress large log files + exists: true + contains: + - Compress=yes + - "!Compress=[Nn][Oo]" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.2.2.2 + CISv8: 8.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_4/cis_4.2/cis_4.2.2.3.yml b/section_4/cis_4.2/cis_4.2.2.3.yml new file mode 100644 index 0000000..8ae6677 --- /dev/null +++ b/section_4/cis_4.2/cis_4.2.2.3.yml @@ -0,0 +1,17 @@ +{{ if .Vars.rhel9cis_rule_4_2_2_3 }} +file: + /etc/systemd/journald.conf: + title: 4.2.2.3 | L1 | Ensure journald is configured to write logfiles to persistent disk + exists: true + contains: + - Storage=persistent + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.2.2.3 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_4/cis_4.2/cis_4.2.3.yml b/section_4/cis_4.2/cis_4.2.3.yml new file mode 100644 index 0000000..f30a170 --- /dev/null +++ b/section_4/cis_4.2/cis_4.2.3.yml 
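Review bot: The negated expectation `"!ForwardToSyslog=[Nn][Oo]"` is a plain string, not a `/…/` regex, so it only forbids the literal text `ForwardToSyslog=[Nn][Oo]` and never fires for `ForwardToSyslog=no`; and `ForwardToSyslog=yes` is a substring match that a commented line such as `#ForwardToSyslog=yes` also satisfies. Use anchored regexes: `- '/^ForwardToSyslog=yes/'` and `- '!/^ForwardToSyslog=[Nn][Oo]/'`. The same pattern appears in cis_4.2.2.2.yml (`Compress=…`) and cis_4.2.2.3.yml (`Storage=persistent`).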
@@ -0,0 +1,17 @@ +{{ if .Vars.rhel9cis_rule_4_2_3 }} +command: + logfile_configured: + title: 4.2.3 | L1 | Ensure permissions on all logfiles are configured + exec: find /var/log/ -type f -perm /g+wx,o+rwx -exec ls -l "{}""+ + exit-status: 0 + stdout: ['!/./'] + meta: + server: 1 + workstation: 1 + CIS_ID: + - 4.2.3 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.1.yml b/section_5/cis_5.1/cis_5.1.1.yml new file mode 100644 index 0000000..bbd4cf3 --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.1.yml @@ -0,0 +1,31 @@ +{{ if .Vars.rhel9cis_rule_5_1_1 }} +package: + cronie: + title: 5.1.1 | L1 | Ensure cron daemon is enabled and running + installed: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.1 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +service: + crond: + title: 5.1.1 | L1 | Ensure cron daemon is enabled and running + running: true + enabled: true + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.1 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} + + diff --git a/section_5/cis_5.1/cis_5.1.2.yml b/section_5/cis_5.1/cis_5.1.2.yml new file mode 100644 index 0000000..aba79e6 --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.2.yml @@ -0,0 +1,20 @@ +{{ if .Vars.rhel9cis_rule_5_1_2 }} +file: + /etc/crontab: + title: 5.1.2 | L1 | Ensure permissions on /etc/crontab are configured + exists: true + owner: root + group: root + mode: "0600" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.2 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} + + diff --git a/section_5/cis_5.1/cis_5.1.3_7.yml b/section_5/cis_5.1/cis_5.1.3_7.yml new file mode 100644 index 0000000..cb8e992 --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.3_7.yml 
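Review bot: The `exec` for logfile_configured ends in `-exec ls -l "{}""+`, which sh parses as `"{}"` followed by an unterminated `"+` string, so the command never runs and the check fails with a syntax error instead of auditing /var/log. Change the tail to `-exec ls -l {} +`. With the `+` form find exits 0 even when it lists offending files, so the `stdout: ['!/./']` assertion is what detects violations; a one-line comment saying so would spare the next reader the question.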
@@ -0,0 +1,86 @@ +{{ if .Vars.rhel9cis_rule_5_1_3 }} +file: + /etc/cron.hourly: + title: 5.1.3 | L1 | Ensure permissions on /etc/cron.hourly are configured + exists: true + owner: root + group: root + mode: "0700" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.3 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} +{{ if .Vars.rhel9cis_rule_5_1_4 }} + /etc/cron.daily: + title: 5.1.4 | L1 | Ensure permissions on /etc/cron.daily are configured + exists: true + owner: root + group: root + mode: "0700" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.4 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} +{{ if .Vars.rhel9cis_rule_5_1_5 }} + /etc/cron.weekly: + title: 5.1.5 | L1 | Ensure permissions on /etc/cron.weekly are configured + exists: true + owner: root + group: root + mode: "0700" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.5 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} +{{ if .Vars.rhel9cis_rule_5_1_6 }} + /etc/cron.monthly: + title: 5.1.6 | L1 | Ensure permissions on /etc/cron.monthly are configured + exists: true + owner: root + group: root + mode: "0700" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.6 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} +{{ if .Vars.rhel9cis_rule_5_1_7 }} + /etc/cron.d: + title: 5.1.7 | L1 | Ensure permissions on /etc/cron.d are configured + exists: true + owner: root + group: root + mode: "0700" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.7 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_5/cis_5.1/cis_5.1.8_9.yml b/section_5/cis_5.1/cis_5.1.8_9.yml new file mode 100644 index 0000000..97ed14c --- /dev/null +++ b/section_5/cis_5.1/cis_5.1.8_9.yml 
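Review bot: The `file:` key is emitted only inside the `rhel9cis_rule_5_1_3` conditional, so switching that one variable off leaves the 5.1.4–5.1.7 entries as orphaned, over-indented mappings and the rendered YAML no longer parses. Move `file:` above the first `{{ if }}` so every enabled entry hangs off it, or give each rule its own `file:` line inside its guard as the single-rule files in this commit do. The five checks themselves (root:root and 0700 on each cron directory) match the stated intent.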
@@ -0,0 +1,57 @@ +{{ if .Vars.rhel9cis_rule_5_1_8 }} +file: + /etc/cron.deny: + title: 5.1.8 | L1 | Ensure cron is restricted to authorized users + exists: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.8 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + /etc/cron.allow: + title: 5.1.8 | L1 | Ensure cron is restricted to authorized users + exists: true + owner: root + group: root + mode: "0600" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.8 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + /etc/at.deny: + title: 5.1.8 | L1 | Ensure at is restricted to authorized users + exists: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.8 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + /etc/at.allow: + title: 5.1.8 | L1 | Ensure at is restricted to authorized users + exists: true + owner: root + group: root + mode: "0600" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.1.8 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_5/cis_5.2/cis_5.2.1.yml b/section_5/cis_5.2/cis_5.2.1.yml new file mode 100644 index 0000000..5e8a176 --- /dev/null +++ b/section_5/cis_5.2/cis_5.2.1.yml @@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_5_2_1 }} +file: + /etc/ssh/sshd_config: + title: 5.2.1 | L1 | Ensure permissions on /etc/ssh/sshd_config are configured + exists: true + mode: "0600" + owner: root + group: root + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.2.1 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_5/cis_5.2/cis_5.2.10.yml b/section_5/cis_5.2/cis_5.2.10.yml new file mode 100644 index 0000000..a3cdf49 --- /dev/null +++ b/section_5/cis_5.2/cis_5.2.10.yml 
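Review bot: The /etc/at.deny and /etc/at.allow entries carry `CIS_ID: - 5.1.8` and sit under `{{ if .Vars.rhel9cis_rule_5_1_8 }}`, yet the file is named 5.1.8_9 and the at restriction is presumably the separate 5.1.9 item; tag them `- 5.1.9` and guard them with their own `rhel9cis_rule_5_1_9` variable so reports and toggles line up. `/etc/at.allow` with `exists: true` may also fail on hosts where the `at` package is not installed, which is a compliant state; either gate the two at entries on the package being present or document that the variable must be disabled on such hosts.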
@@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_5_2_10 }} +file: + /etc/ssh/sshd_config: + title: 5.2.10 | L1 | Ensure SSH root login is disabled + exists: true + contains: + - '/^PermitRootLogin no/' + - '!/^PermitRootLogin yes/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.2.10 + CISv8: 5.4 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_5/cis_5.2/cis_5.2.11.yml b/section_5/cis_5.2/cis_5.2.11.yml new file mode 100644 index 0000000..dfbd97a --- /dev/null +++ b/section_5/cis_5.2/cis_5.2.11.yml @@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_5_2_11 }} +file: + /etc/ssh/sshd_config: + title: 5.2.11 | L1 | Ensure SSH PermitEmptyPasswords is disabled + exists: true + contains: + - '/^PermitEmptyPasswords no/' + - '!/^PermitEmptyPasswords yes/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.2.11 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_5/cis_5.2/cis_5.2.12.yml b/section_5/cis_5.2/cis_5.2.12.yml new file mode 100644 index 0000000..17a642c --- /dev/null +++ b/section_5/cis_5.2/cis_5.2.12.yml @@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_5_2_12 }} +file: + /etc/ssh/sshd_config: + title: 5.2.12 | L1 | Ensure SSH PermitUserEnvironment is disabled + exists: true + contains: + - '/^PermitUserEnvironment no/' + - '!/^PermitUserEnvironment yes/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.2.12 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_5/cis_5.2/cis_5.2.13.yml b/section_5/cis_5.2/cis_5.2.13.yml new file mode 100644 index 0000000..51f50e3 --- /dev/null +++ b/section_5/cis_5.2/cis_5.2.13.yml 
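Review bot: `PermitRootLogin` is checked only in /etc/ssh/sshd_config, but sshd on RHEL 9 typically has `Include /etc/ssh/sshd_config.d/*.conf` near the top and honours the first value it reads, so a drop-in or a `Match` block can make the effective value `yes` while this file still says `no` and the check passes. Auditing the running configuration is more reliable: a `command` test with `exec: sshd -T | grep -i '^permitrootlogin'` and `stdout: ['/^permitrootlogin no$/']`. The same caveat applies to every sshd_config `contains` check in this section, including 5.2.11 and 5.2.12 on this line.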
@@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_5_2_13 }} +file: + /etc/ssh/sshd_config: + title: 5.2.13 | L1 | Ensure SSH Idle Timeout Interval is configured + exists: true + contains: + - '/^ClientAliveInterval {{ .Vars.rhel9cis_ssh_aliveinterval }}/' + - '/^ClientAliveCountMax {{ .Vars.rhel9cis_ssh_countmax }}/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.2.13 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_5/cis_5.2/cis_5.2.14.yml b/section_5/cis_5.2/cis_5.2.14.yml new file mode 100644 index 0000000..8e49eb3 --- /dev/null +++ b/section_5/cis_5.2/cis_5.2.14.yml @@ -0,0 +1,17 @@ +{{ if .Vars.rhel9cis_rule_5_2_14 }} +file: + /etc/ssh/sshd_config: + title: 5.2.14 | L1 | Ensure SSH LoginGraceTime is set to one minute or less + exists: true + contains: + - '/^LoginGraceTime [1:60]/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.2.14 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_5/cis_5.2/cis_5.2.15.yml b/section_5/cis_5.2/cis_5.2.15.yml new file mode 100644 index 0000000..012d578 --- /dev/null +++ b/section_5/cis_5.2/cis_5.2.15.yml @@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_5_2_15 }} +file: + /etc/ssh/sshd_config: + title: 5.2.15 | L1 | Ensure SSH warning banner configured + exists: true + contains: + - '/^Banner /etc/issue.net/' + - '!/^Banner none/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.2.15 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_5/cis_5.2/cis_5.2.16.yml b/section_5/cis_5.2/cis_5.2.16.yml new file mode 100644 index 0000000..1b47778 --- /dev/null +++ b/section_5/cis_5.2/cis_5.2.16.yml 
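Review bot: Neither ClientAlive pattern is anchored at the end, so with the interval variable set to 30 `'/^ClientAliveInterval 30/'` also accepts `ClientAliveInterval 300`, and the CountMax pattern has the same prefix-match problem. Append `\s*$` to both, e.g. `'/^ClientAliveInterval {{ .Vars.rhel9cis_ssh_aliveinterval }}\s*$/'`. As with the other sshd checks, only /etc/ssh/sshd_config is inspected and not the sshd_config.d drop-ins it includes.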
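Review bot: `[1:60]` in `'/^LoginGraceTime [1:60]/'` is a character class matching one of `1`, `:`, `6` or `0`, not the range 1–60, so `LoginGraceTime 2` fails this check while `LoginGraceTime 600` passes it. Replace the pattern with `'/^LoginGraceTime\s+([1-9]|[1-5][0-9]|60)\s*$/'` so only 1–60 is accepted and a trailing digit cannot slip through. 5.2.7 and 5.2.19 in this commit use the same `[1:4]` construction and need the same correction.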
@@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_5_2_16 }} +file: + /etc/ssh/sshd_config: + title: 5.2.16 | L1 | Ensure SSH PAM is enabled + exists: true + contains: + - '/^UsePAM yes/' + - '!/^UsePAM no/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.2.16 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_5/cis_5.2/cis_5.2.17.yml b/section_5/cis_5.2/cis_5.2.17.yml new file mode 100644 index 0000000..619c76f --- /dev/null +++ b/section_5/cis_5.2/cis_5.2.17.yml @@ -0,0 +1,20 @@ +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_5_2_17 }} +file: + /etc/ssh/sshd_config: + title: 5.2.17 | L2 | Ensure SSH AllowTcpForwarding is disabled + exists: true + contains: + - '/^AllowTcpForwarding no/' + - '!/^AllowTcpForwarding yes/' + meta: + server: 2 + workstation: 2 + CIS_ID: + - 5.2.17 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_5/cis_5.2/cis_5.2.18.yml b/section_5/cis_5.2/cis_5.2.18.yml new file mode 100644 index 0000000..c098216 --- /dev/null +++ b/section_5/cis_5.2/cis_5.2.18.yml @@ -0,0 +1,17 @@ +{{ if .Vars.rhel9cis_rule_5_2_18 }} +file: + /etc/ssh/sshd_config: + title: 5.2.18 | L1 | Ensure SSH MaxStartups is configured + exists: true + contains: + - "MaxStartups 10:30:60" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.2.18 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_5/cis_5.2/cis_5.2.19.yml b/section_5/cis_5.2/cis_5.2.19.yml new file mode 100644 index 0000000..b3e4deb --- /dev/null +++ b/section_5/cis_5.2/cis_5.2.19.yml @@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_5_2_19}} +file: + /etc/ssh/sshd_config: + title: 5.2.19 | L1 | Ensure SSH MaxSessions is limited + exists: true + contains: + - '/^MaxSessions [1:4]/' + - '!/^MaxSessions [5:9]\d/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.2.19 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} 
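Review bot: `"MaxStartups 10:30:60"` is a plain substring match, and the sshd_config that OpenSSH ships contains that exact text as a commented default (`#MaxStartups 10:30:60`), so an untouched configuration passes this check while the directive is still inactive. Anchor it, `- '/^MaxStartups 10:30:60/'`, and consider a negation such as `'!/^MaxStartups\s+([2-9][0-9]|[1-9][0-9]{2,}):/'` so looser values are rejected rather than only one literal triple being accepted.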
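Review bot: `[1:4]` and `[5:9]` in the MaxSessions patterns are character classes (`1`, `:`, `4` and `5`, `:`, `9`), not ranges, so `MaxSessions 2` or `3` fails the positive check and `MaxSessions 6` is never caught by the negation. Use `'/^MaxSessions\s+[1-4]\s*$/'` and `'!/^MaxSessions\s+([5-9]|\d{2,})/'`.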
diff --git a/section_5/cis_5.2/cis_5.2.2.yml b/section_5/cis_5.2/cis_5.2.2.yml new file mode 100644 index 0000000..b003360 --- /dev/null +++ b/section_5/cis_5.2/cis_5.2.2.yml @@ -0,0 +1,21 @@ +{{ if .Vars.rhel9cis_rule_5_2_2 }} + {{ if .Vars.rhel9cis_sshd_limited }} +file: + /etc/ssh/sshd_config: + title: 5.2.2 | L1 | Ensure SSH access is limited + exists: true + contains: + {{ range .Vars.rhel9cis_sshd_access }} + - {{ . }} + {{ end }} + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.2.2 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_5/cis_5.2/cis_5.2.20.yml b/section_5/cis_5.2/cis_5.2.20.yml new file mode 100644 index 0000000..7a0079f --- /dev/null +++ b/section_5/cis_5.2/cis_5.2.20.yml @@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_5_2_20 }} +file: + /etc/sysconfig/sshd: + title: 5.2.20 | L1 | Ensure system-wide crypto policy is not overridden + exists: true + contains: + - '!/^CRYPTO_POLICY/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.2.20 + CISv8: 3.10 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true +{{ end }} + diff --git a/section_5/cis_5.2/cis_5.2.3.yml b/section_5/cis_5.2/cis_5.2.3.yml new file mode 100644 index 0000000..d7ba934 --- /dev/null +++ b/section_5/cis_5.2/cis_5.2.3.yml 
@@ -0,0 +1,45 @@ +{{ if .Vars.rhel9cis_rule_5_2_3 }} +command: + /etc/ssh/ssh_host_key_user: + title: 5.2.3 | L1 | Ensure permissions on SSH private host key files are configured_user + exec: "userkeys=$(sudo find /etc/ssh/ -name *_key -type f ! -user root ); echo $userkeys" + exit-status: 0 + stdout: ['!/./'] + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.2.3 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + /etc/ssh/ssh_host_key_group: + title: 5.2.3 | L1 | Ensure permissions on SSH private host key files are configured_group + exec: "groupkeys=$(sudo find /etc/ssh/ -name *_key -type f ! -group root ); echo $groupkeys" + exit-status: 0 + stdout: ['!/./'] + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.2.3 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + /etc/ssh/ssh_host_key_perms: + title: 5.2.3 | L1 | Ensure permissions on SSH private host key files are configured_user + exec: "keyperms=$(sudo find /etc/ssh/ -name *_key -type f -perm /137 ); echo $keyperms" + exit-status: 0 + stdout: ['!/./'] + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.2.3 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_5/cis_5.2/cis_5.2.4.yml b/section_5/cis_5.2/cis_5.2.4.yml new file mode 100644 index 0000000..4d86151 --- /dev/null +++ b/section_5/cis_5.2/cis_5.2.4.yml 
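Review bot: The `*_key` argument to `find` in all three exec lines is unquoted, so the shell expands it against goss's current directory first; if that directory holds a file ending in `_key`, find receives that name instead of the pattern and the audit silently inspects the wrong thing. Quote it as `-name '*_key'`. The `sudo` prefix is unnecessary when goss runs as root and will fail or hang in a non-interactive run as any other user, so it is better dropped; and the third entry's title still reads `configured_user` although it checks permissions.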
@@ -0,0 +1,46 @@ +{{ if .Vars.rhel9cis_rule_5_2_4 }} +command: + /etc/ssh/ssh_host_key_user: + title: 5.2.4 | L1 | Ensure permissions on SSH pub host key files are configured_user + exec: "userkeys=$(sudo find /etc/ssh/ -name *_key.pub -type f ! -user root ); echo $userkeys" + exit-status: 0 + stdout: ['!/./'] + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.2.4 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + /etc/ssh/ssh_host_key_group: + title: 5.2.4 | L1 | Ensure permissions on SSH private host key files are configured_group + exec: "groupkeys=$(sudo find /etc/ssh/ -name *_key.pub -type f ! -group root ); echo $groupkeys" + exit-status: 0 + stdout: ['!/./'] + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.2.4 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + /etc/ssh/ssh_host_key_perms: + title: 5.2.4 | L1 | Ensure permissions on SSH private host key files are configured_user + exec: "keysperm=$(sudo find /etc/ssh/ -name *_key.pub -type f -perm /137 ); echo $keyperms" + exit-status: 0 + stdout: ['!/./'] + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.2.4 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} + diff --git a/section_5/cis_5.2/cis_5.2.5.yml b/section_5/cis_5.2/cis_5.2.5.yml new file mode 100644 index 0000000..03a9c46 --- /dev/null +++ b/section_5/cis_5.2/cis_5.2.5.yml @@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_5_2_5 }} +file: + /etc/ssh/sshd_config: + title: 5.2.5 | L1 | Ensure SSH LogLevel is appropriate + exists: true + contains: + - '/^LogLevel\s(VERBOSE|INFO)/' + - '!/^LogLevel DEBUG/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.2.5 + CISv8: 8.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_5/cis_5.2/cis_5.2.6.yml b/section_5/cis_5.2/cis_5.2.6.yml new file mode 100644 index 0000000..fe6f405 --- /dev/null +++ b/section_5/cis_5.2/cis_5.2.6.yml 
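Review bot: In `ssh_host_key_perms` the variable is assigned as `keysperm` but echoed as `$keyperms`, so the output is always empty and the permission check on public host keys can never fail. Once the name is fixed, `-perm /137` would flag the 0644 the benchmark expects for public keys because it includes the other-read bit; the matching mask is `/133`: `keyperms=$(find /etc/ssh/ -name '*_key.pub' -type f -perm /133); echo $keyperms`. The three command keys (`/etc/ssh/ssh_host_key_user` and siblings) repeat the ones used in 5.2.3 and presumably collide when goss merges the two files, so prefixing them with `pub_` is safer, and the second and third titles still say "private host key".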
@@ -0,0 +1,20 @@ +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.rhel9cis_rule_5_2_6 }} +file: + /etc/ssh/sshd_config: + title: 5.2.6 | L2 | Ensure SSH X11 forwarding is disabled + exists: true + contains: + - '/^X11Forwarding no/' + - '!/^X11Forwarding yes/' + meta: + server: 2 + workstation: 1 + CIS_ID: + - 5.2.6 + CISv8: 4.8 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_5/cis_5.2/cis_5.2.7.yml b/section_5/cis_5.2/cis_5.2.7.yml new file mode 100644 index 0000000..7b8ba3f --- /dev/null +++ b/section_5/cis_5.2/cis_5.2.7.yml @@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_5_2_7 }} +file: + /etc/ssh/sshd_config: + title: 5.2.7 | L1 | Ensure SSH MaxAuthTries is set to 4 or less + exists: true + contains: + - "/^MaxAuthTries [1:4]/" + - "!/^MaxAuthTries [5:9]/" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.2.7 + CISv8: 8.5 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_5/cis_5.2/cis_5.2.8.yml b/section_5/cis_5.2/cis_5.2.8.yml new file mode 100644 index 0000000..a2d4fe2 --- /dev/null +++ b/section_5/cis_5.2/cis_5.2.8.yml @@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_5_2_8 }} +file: + /etc/ssh/sshd_config: + title: 5.2.8 | L1 | Ensure SSH IgnoreRhosts is enabled + exists: true + contains: + - '/^IgnoreRhosts yes/' + - '!/^IgnoreRhosts no/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.2.8 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_5/cis_5.2/cis_5.2.9.yml b/section_5/cis_5.2/cis_5.2.9.yml new file mode 100644 index 0000000..e1df770 --- /dev/null +++ b/section_5/cis_5.2/cis_5.2.9.yml 
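Review bot: `[1:4]` in `"/^MaxAuthTries [1:4]/"` is a character class of `1`, `:` and `4`, so `MaxAuthTries 2` and `3` fail this check, and `[5:9]` in the negation leaves 6, 7, 8 and every two-digit value unflagged. Use `"/^MaxAuthTries\s+[1-4]\s*$/"` and `"!/^MaxAuthTries\s+([5-9]|\d{2,})/"`.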
@@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_5_2_9 }} +file: + /etc/ssh/sshd_config: + title: 5.2.9 | L1 | Ensure SSH HostbasedAuthentication is disabled + exists: true + contains: + - '/^HostbasedAuthentication no/' + - '!/^HostbasedAuthentication yes/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.2.1 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_5/cis_5.3/cis_5.3.1.yml b/section_5/cis_5.3/cis_5.3.1.yml new file mode 100644 index 0000000..8f75a6a --- /dev/null +++ b/section_5/cis_5.3/cis_5.3.1.yml @@ -0,0 +1,20 @@ +{{ if .Vars.rhel9cis_authselect_custom_profile_create }} + {{ if .Vars.rhel9cis_rule_5_3_1}} +command: + custom_profile: + title: 5.3.1 | L1 | Create custom authselect profile + exec: 'authselect current | grep "Profile ID: custom"' + exit-status: 0 + stdout: + - '/^Profile ID: custom/{{ .Vars.rhel9cis_authselect.default_file_to_copy }}/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.1 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3/cis_5.3.2.yml b/section_5/cis_5.3/cis_5.3.2.yml new file mode 100644 index 0000000..fce81ad --- /dev/null +++ b/section_5/cis_5.3/cis_5.3.2.yml @@ -0,0 +1,21 @@ +{{ if .Vars.rhel9cis_authselect_custom_profile_select }} + {{ if .Vars.rhel9cis_rule_5_3_2 }} +command: + authselect_profile: + title: 5.3.2 | L1 | Select authselect profile + exec: 'authselect current' + exit-status: 0 + stdout: + - '/^Profile ID: custom/{{ .Vars.rhel9cis_authselect.custom_profile_name }}/' + - '!/No existing configuration detected/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.2 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_5/cis_5.3/cis_5.3.3.yml b/section_5/cis_5.3/cis_5.3.3.yml new file mode 100644 index 0000000..db5b41b --- /dev/null +++ b/section_5/cis_5.3/cis_5.3.3.yml 
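Review bot: The HostbasedAuthentication entry carries `CIS_ID: - 5.2.1` while its title and guard variable say 5.2.9, so any report keyed on CIS_ID will attribute this result to the sshd_config permissions check. Change it to `- 5.2.9`.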
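Review bot: 5.3.1 expects `authselect current` to print `Profile ID: custom/{{ .Vars.rhel9cis_authselect.default_file_to_copy }}`, whereas 5.3.2 expects `custom/{{ .Vars.rhel9cis_authselect.custom_profile_name }}` from the same command; `default_file_to_copy` reads like the base profile being copied rather than the custom profile's name, so on a correctly set up host one of the two checks presumably fails. Use `custom_profile_name` in both stdout patterns, and anchor the end (`\s*$`) so a profile whose name merely starts with the expected one is not accepted.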
@@ -0,0 +1,35 @@ +{{ if .Vars.rhel9cis_authselect_custom_profile_select }} + {{ if .Vars.rhel9cis_rule_5_3_3 }} +command: + authselect_faillock: + title: 5.3.3 | L1 | Ensure authselect includes with-faillock + exec: 'authselect current | grep with-faillock' + exit-status: 0 + stdout: + - '/^- with-faillock/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +file: + /etc/authselect/authselect.conf: + title: 5.3.3 | L1 | Ensure authselect includes with-faillock + exists: true + contains: + - '/^with-faillock/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.3.3 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_5/cis_5.4/cis_5.4.1.yml b/section_5/cis_5.4/cis_5.4.1.yml new file mode 100644 index 0000000..d9c5c1f --- /dev/null +++ b/section_5/cis_5.4/cis_5.4.1.yml @@ -0,0 +1,34 @@ +{{ if .Vars.rhel9cis_rule_5_4_1 }} +file: + /etc/security/pwquality.conf: + title: 5.4.1 | L1 | Ensure password creation requirements are configured + exists: true + contains: + - {{ .Vars.rhel9cis_pam_password.minlen }} + - {{ .Vars.rhel9cis_pam_password.minclass }} + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.4.1 + CISv8: 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +command: + passwd_create: + title: 5.4.1 | L1 | Ensure password creation requirements are configured + exec: 'grep -E "password.*enforce" /etc/pam.d/password-auth /etc/pam.d/system-auth | cut -d ":" -f2' + exit-status: 0 + stdout: + - '/^password.*requisite.*pam_pwquality.so\stry_first_pass\slocal_users_only\senforce-for-root\sretry={{ .Vars.rhel9cis_pam_passwd_retry }}/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.4.1 + CISv8: 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_5/cis_5.4/cis_5.4.2.yml b/section_5/cis_5.4/cis_5.4.2.yml new file mode 100644 index 0000000..b6d59d0 --- /dev/null 
+++ b/section_5/cis_5.4/cis_5.4.2.yml @@ -0,0 +1,33 @@ +{{ if .Vars.rhel9cis_rule_5_4_2 }} +file: + /etc/pam.d/password-auth: + title: 5.4.2 | L1 | Ensure lockout for failed password attempts is configured + exists: true + contains: + - '/^auth\s+required\s+pam_faillock.so\s+preauth\s+silent\s+deny=[0-5]\s+unlock_time=\b(0*(?:[1-9][0-9][0-9]?|900))\b/' + - '/^auth\s+required\s+pam_faillock.so\s+authfail\s+deny=[0-5]\s+unlock_time=\b(0*(?:[1-9][0-9][0-9]?|900))\b/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.4.2 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + /etc/pam.d/system-auth: + title: 5.4.2 | L1 | Ensure lockout for failed password attempts is configured + exists: true + contains: + - '/^auth\s+required\s+pam_faillock.so\s+preauth\s+silent\s+deny=[0:5] unlock_time=\b(0*(?:[1-9][0-9][0-9]?|900))\b/' + - '/^auth\s+required\s+pam_faillock.so\s+authfail\s+deny=[0-5]\s+unlock_time=\b(0*(?:[1-9][0-9][0-9]?|900))\b/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.4.2 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_5/cis_5.4/cis_5.4.3.yml b/section_5/cis_5.4/cis_5.4.3.yml new file mode 100644 index 0000000..15b4925 --- /dev/null +++ b/section_5/cis_5.4/cis_5.4.3.yml @@ -0,0 +1,20 @@ +{{ if .Vars.rhel9cis_rule_5_4_3 }} + {{ if .Vars.rhel9cis_pwhistory_so }} +file: + /etc/pam.d/system-auth: + title: 5.4.3 | L1 | Ensure password reuse is limited + exists: true + contains: + - '/^password\s+(sufficient|requisite)\s+pam_pwquality.so\stry_first_pass\slocal_users_only\senforce-for-root\sretry=3\sremember={{ .Vars.rhel9cis_passwd_remember }}/' + - '/^password\s+(sufficient|requisite)\s+pam_unix.so\ssha512\sshadow\stry_first_pass\suse_authtok\sremember={{ .Vars.rhel9cis_passwd_remember }}/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.4.3 + CISv8: 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} 
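Review bot: The first system-auth pattern uses `deny=[0:5] unlock_time=` where the other three use `deny=[0-5]\s+unlock_time=`; `[0:5]` matches only `0`, `:` or `5`, so `deny=3` fails, and the literal single space rejects tab- or double-space-separated options. Make it `deny=[0-5]\s+unlock_time=` like the rest. The `unlock_time` alternative `0*(?:[1-9][0-9][0-9]?|900)` accepts 10 through 999 and rejects 1000 and above, which looks inverted if the intent is "900 or more"; `(9[0-9]{2}|[1-9][0-9]{3,}|0)` expresses that.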
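Review bot: The first pattern requires `remember=` on the `pam_pwquality.so` line, but `remember` is an option of pam_pwhistory.so and pam_unix.so, not pam_pwquality, so a correctly configured system-auth will never match it; the file is also gated on `rhel9cis_pwhistory_so` yet never looks for `pam_pwhistory.so`. Replace the first line with `'/^password\s+(required|requisite)\s+pam_pwhistory.so\s.*remember={{ .Vars.rhel9cis_passwd_remember }}/'` and keep the pam_unix line for the alternative placement. The hard-coded `retry=3` is also inconsistent with 5.4.1, which templates `rhel9cis_pam_passwd_retry`.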
diff --git a/section_5/cis_5.4/cis_5.4.4.yml b/section_5/cis_5.4/cis_5.4.4.yml new file mode 100644 index 0000000..832a50d --- /dev/null +++ b/section_5/cis_5.4/cis_5.4.4.yml @@ -0,0 +1,31 @@ +{{ if .Vars.rhel9cis_rule_5_4_4 }} +file: + /etc/pam.d/system-auth: + title: 5.4.4 | L1 | Ensure password hashing algorithm is SHA-512 + exists: true + contains: + - "/^password\\s+sufficient\\s+pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ .Vars.rhel9cis_passwd_remember }}/" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.4.4 + CISv8: 3.11 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true + /etc/pam.d/password-auth: + title: 5.4.4 | L1 | Ensure password hashing algorithm is SHA-512 + exists: true + contains: + - "/^password\\s+sufficient\\s+pam_unix.so sha512 shadow try_first_pass use_authtok/" + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.4.4 + CISv8: 3.11 + CISv8_IG1: false + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_5/cis_5.5/cis_5.5.1.1.yml b/section_5/cis_5.5/cis_5.5.1.1.yml new file mode 100644 index 0000000..02fdd11 --- /dev/null +++ b/section_5/cis_5.5/cis_5.5.1.1.yml @@ -0,0 +1,19 @@ +{{ if .Vars.rhel9cis_rule_5_5_1_1 }} +file: + /etc/login.defs: + title: 5.5.1.1 | L1 | Ensure password expiration is 365 days or less + exists: true + contains: + - '/^PASS_MAX_DAYS\s*{{ .Vars.rhel9cis_pass.max_days }}/' + - '!/^PASS_MAX_DAYS\s*(36[6-9]|[4-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9])/' + - '!/^PASS_MAX_DAYS\s*-1/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.5.1.1 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_5/cis_5.5/cis_5.5.1.2.yml b/section_5/cis_5.5/cis_5.5.1.2.yml new file mode 100644 index 0000000..095d549 --- /dev/null +++ b/section_5/cis_5.5/cis_5.5.1.2.yml 
@@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_5_5_1_2 }} +file: + /etc/login.defs: + title: 5.5.1.2 | L1 | Ensure minimum days between password changes is configured + exists: true + contains: + - '/^PASS_MIN_DAYS\s{{ .Vars.rhel9cis_pass.min_days }}/' + - '!/^PASS_MIN_DAYS\s[0-6]/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.5.1.2 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_5/cis_5.5/cis_5.5.1.3.yml b/section_5/cis_5.5/cis_5.5.1.3.yml new file mode 100644 index 0000000..9e7b5de --- /dev/null +++ b/section_5/cis_5.5/cis_5.5.1.3.yml @@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_5_5_1_3 }} +file: + /etc/login.defs: + title: 5.5.1.3 | L1 | Ensure password expiration warning days is 7 or more + exists: true + contains: + - '/^PASS_WARN_AGE\s*{{ .Vars.rhel9cis_pass.warn_age }}/' + - '!/^PASS_WARN_AGE\s*[1-6]/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.5.1.3 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_5/cis_5.5/cis_5.5.1.4.yml b/section_5/cis_5.5/cis_5.5.1.4.yml new file mode 100644 index 0000000..7073713 --- /dev/null +++ b/section_5/cis_5.5/cis_5.5.1.4.yml @@ -0,0 +1,33 @@ +{{ if .Vars.rhel9cis_rule_5_5_1_4 }} +command: + inactive_passwd: + title: 5.5.1.4 | L1 | Ensure inactive password lock is 30 days or less + exec: useradd -D | grep INACTIVE + exit-status: 0 + stdout: + - '/^INACTIVE=[0-2][0-9]|INACTIVE=30/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.5.1.4 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + inactive_users: + title: 5.5.1.4 | L1 | Ensure inactive password lock is 30 days or less + exec: 'grep -E ^[^:]+:[^\!*] /etc/shadow | grep -vw root | cut -d : -f1,7' + stdout: + - '!/.//' + exit-status: 0 + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.5.1.4 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} 
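Review bot: The negation `'!/^PASS_MIN_DAYS\s[0-6]/'` has no end anchor, so it rejects every value whose first digit is 0–6 regardless of length: `PASS_MIN_DAYS 10`, `30` or `60` all fail even though the positive pattern matched. Anchor it, `'!/^PASS_MIN_DAYS\s+[0-6]\s*$/'`, and use `\s+` rather than `\s` in the positive pattern so a tab or double space is accepted. 5.5.1.3's `'!/^PASS_WARN_AGE\s*[1-6]/'` on this line has the same defect (it rejects 14, 30 and 60).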
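Review bot: The `inactive_users` command only lists every non-root account that has a password hash together with its inactivity field; it never compares that field with 30, and the expected stdout `'!/.//'` reduces to the regex `./` once goss strips the delimiters, which a `user:30` line never contains, so the check passes whatever the values are. Put the comparison in the command, e.g. `awk -F: '$2 !~ /^[!*]/ && $1 != "root" && ($7 == "" || $7 > 30) {print $1 ":" $7}' /etc/shadow` with `stdout: ['!/./']`. The `useradd -D` pattern is also unanchored, so `INACTIVE=100` satisfies `[0-2][0-9]`; use `'/^INACTIVE=([0-9]|[12][0-9]|30)$/'`.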
diff --git a/section_5/cis_5.5/cis_5.5.1.5.yml b/section_5/cis_5.5/cis_5.5.1.5.yml new file mode 100644 index 0000000..b4cc79e --- /dev/null +++ b/section_5/cis_5.5/cis_5.5.1.5.yml @@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_5_5_1_5 }} +command: + passwd_chg_past: + title: 5.5.1.5 | L1 | Ensure all users last password change date is in the past + exec: '/for usr in `cut -d: -f1 /etc/shadow`; do [[ $(chage --list $usr | grep "^Last password change" | cut -d: -f2) > $(date) ]] && print "Failed" ; done/' + exit-status: 1 + stdout: + - '!/Failed/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.5.1.5 + CISv8: 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_5/cis_5.5/cis_5.5.2.yml b/section_5/cis_5.5/cis_5.5.2.yml new file mode 100644 index 0000000..b219be9 --- /dev/null +++ b/section_5/cis_5.5/cis_5.5.2.yml @@ -0,0 +1,33 @@ +{{ if .Vars.rhel9cis_rule_5_5_2 }} +command: + secure_system_accts: + title: 5.5.2 | L1 | Ensure system accounts are secured + exec: "/awk -F: '$3<1000' /etc/passwd | egrep -v 'root|sync|halt|shutdown|/sbin/nologin|/bin/false'/" + exit-status: 1 + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.5.2 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + secure_system_LK: + title: 5.5.2 | L1 | Ensure system accounts are secured + exec: "/awk -F: '$3<1000' /etc/passwd | egrep -wv 'root' | cut -d: -f1 | xargs -I '{}' passwd -S '{}' | egrep -cvw 'LK|L'/" + exit-status: 1 + stdout: + - '0' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.5.2 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_5/cis_5.5/cis_5.5.3.yml b/section_5/cis_5.5/cis_5.5.3.yml new file mode 100644 index 0000000..37bd90c --- /dev/null +++ b/section_5/cis_5.5/cis_5.5.3.yml 
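Review bot: The `exec` is wrapped in `/.../`, which is goss's regex notation but here becomes the command itself, so sh tries to run a program named `/for`, exits 127, and `exit-status: 1` is never met. Inside the loop `print` is not an sh or bash builtin, and `[[ $(chage ...) > $(date) ]]` compares two free-form date strings lexically, which says nothing about which is later. Compare the day count in /etc/shadow field 3 with today instead, with `exit-status: 0`: `exec: "awk -F: -v today=$(( $(date +%s) / 86400 )) '$3 > today {print $1}' /etc/shadow"` and `stdout: ['!/./']`.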
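Review bot: Both exec strings are wrapped in `/.../`, so sh looks for an executable named `/awk`, fails with 127, and neither check evaluates. With the slashes removed, `egrep -v 'root|sync|halt|shutdown|...'` is unanchored and also excludes any account whose name or shell merely contains those words; testing the fields exactly avoids that: `awk -F: '$3 < 1000 && $1 != "root" && $1 != "sync" && $1 != "halt" && $1 != "shutdown" && $7 != "/sbin/nologin" && $7 != "/bin/false"' /etc/passwd` with `exit-status: 0` and `stdout: ['!/./']`. In the second entry `stdout: ['0']` is a substring that `10` would also satisfy; use `'/^0$/'`.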
@@ -0,0 +1,20 @@ +{{ if .Vars.rhel9cis_rule_5_5_3 }} +command: + check_timeout: + title: 5.5.3 | L1 | Ensure default user shell timeout is configured | profile.d + exec: 'grep TMOUT /etc/profile.d/*.sh /etc/profile /etc/bashrc | cut -d ":" -f2' + exit-status: 0 + stdout: + - '/^TMOUT=([1-8][0-9]{0,2}|900)/' + - '/^readonly TMOUT/' + - '/^export TMOUT/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.5.3 + CISv8: 4.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_5/cis_5.5/cis_5.5.4.yml b/section_5/cis_5.5/cis_5.5.4.yml new file mode 100644 index 0000000..9812265 --- /dev/null +++ b/section_5/cis_5.5/cis_5.5.4.yml @@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_5_5_4 }} +user: + root: + title: 5.5.4 | L1 | Ensure default group for the root account is GID 0 + exists: true + uid: 0 + gid: 0 + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.5.4 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} + diff --git a/section_5/cis_5.5/cis_5.5.5.yml b/section_5/cis_5.5/cis_5.5.5.yml new file mode 100644 index 0000000..e1de102 --- /dev/null +++ b/section_5/cis_5.5/cis_5.5.5.yml @@ -0,0 +1,19 @@ +{{ if .Vars.rhel9cis_rule_5_5_5 }} +command: + umask_profile_scripts: + title: 5.5.5 | L1 | Ensure default user umask is 027 or more restrictive + exec: 'grep umask /etc/bashrc /etc/profile /etc/profile.d/*.sh | cut -d ":" -f 2' + exit-status: 0 + stdout: + - '/umask 0[2-7][7]/' + - '!/umask[7][0-1][0-6]/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.5.5 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_5/cis_5.7/cis_5.7.yml b/section_5/cis_5.7/cis_5.7.yml new file mode 100644 index 0000000..4d17054 --- /dev/null +++ b/section_5/cis_5.7/cis_5.7.yml 
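Review bot: `'/^TMOUT=([1-8][0-9]{0,2}|900)/'` is not anchored at the end, so `TMOUT=1000` or `TMOUT=8000` match on their leading digits and pass as a 900-second-or-less timeout, while the class also rejects 9 and 90. Use `'/^(readonly\s+)?TMOUT=([1-8][0-9]{0,2}|90?|900)\b/'`, which also accepts the common one-liner `readonly TMOUT=900 ; export TMOUT` that the three separate `^TMOUT=` / `^readonly TMOUT` / `^export TMOUT` patterns currently cannot all match. `cut -d ":" -f2` additionally truncates any matched line that itself contains a colon; `grep -h` gives the same effect without that risk.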
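Review bot: The negation `'!/umask[7][0-1][0-6]/'` has no space between `umask` and the digits, so it can never match a real `umask 7xx` line and the `!` check is vacuous; the positive `'/umask 0[2-7][7]/'` is unanchored and is satisfied by a commented `#umask 027`, which grep also returns. Anchor both, e.g. `'/^\s*umask\s+0?[2-7]7\b/'` and `'!/^\s*umask\s+0?[0-7]([01][0-7]|[0-7][0-6])\b/'`, and note that the symbolic form `umask u=rwx,g=rx,o=` is currently rejected outright.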
@@ -0,0 +1,35 @@ +{{ if .Vars.rhel9cis_rule_5_7 }} +file: + /etc/pam.d/su: + title: 5.7 | L1 | Ensure access to the su command is restricted + exists: true + contains: + {{ if eq .Vars.rhel9cis_sugroup "wheel" }} + - '/^auth.*required.*pam_wheel.so\suse_uid/' + {{ else }} + - '/^auth.*required.*pam_wheel.so\suse_uid$\sgroup={{ .Vars.rhel9cis_sugroup }}/' + {{ end }} + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.7 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + /etc/group: + title: 5.7 | L1 | Ensure access to the su command is restricted + exists: true + contains: + - '/^{{ .Vars.rhel9cis_sugroup }}:x:\d+:{{ .Vars.rhel9cis_sugroup_users }}/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 5.7 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_6/cis_6.1/cis_6.1.1.yml b/section_6/cis_6.1/cis_6.1.1.yml new file mode 100644 index 0000000..6832707 --- /dev/null +++ b/section_6/cis_6.1/cis_6.1.1.yml @@ -0,0 +1,23 @@ +{{ if .Vars.rhel9cis_level_2 }} + {{ if .Vars.run_heavy_tests }} + {{ if .Vars.rhel9cis_rule_6_1_1 }} +command: + rpm_filecheck: + title: 6.1.1 | L2 | Audit system file permissions + exec: rpm -Va --nomtime --nosize --nomd5 --nolinkto > /tmp/cis_rpmcheck; grep -vcw c /tmp/cis_rpmcheck + exit-status: 0 + stdout: + - '0' + timeout: {{ .Vars.timeout_ms }} + meta: + server: 2 + workstation: 2 + CIS_ID: + - 6.1.1 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1/cis_6.1.10.yml b/section_6/cis_6.1/cis_6.1.10.yml new file mode 100644 index 0000000..4fe46c1 --- /dev/null +++ b/section_6/cis_6.1/cis_6.1.10.yml 
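Review bot: The non-wheel branch's pattern `pam_wheel.so\suse_uid$\sgroup=...` has `$` in the middle, and because the regex engine matches `$` only at end of text outside multiline mode nothing can follow it, so the check fails for every `rhel9cis_sugroup` other than wheel. Drop the anchor: `- '/^auth.*required.*pam_wheel.so\suse_uid\sgroup={{ .Vars.rhel9cis_sugroup }}/'`. The /etc/group pattern accepts any member list when `rhel9cis_sugroup_users` is empty; appending `\s*$` would make an empty variable mean "no members".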
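Review bot: `grep -vcw c /tmp/cis_rpmcheck` exits 1 whenever it selects no lines, which is exactly the clean case (rpm -Va prints nothing, or only config-file lines), so `exit-status: 0` fails on a compliant host. The redirect also writes a fixed, predictable path in /tmp as root, the classic pre-created-symlink hazard unless fs.protected_symlinks happens to cover it. Pipe instead and count with wc, which always exits 0: `exec: rpm -Va --nomtime --nosize --nomd5 --nolinkto | grep -vw c | wc -l` with `stdout: ['/^0$/']`, since the current `'0'` is a substring that `10` also satisfies.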
@@ -0,0 +1,21 @@ +{{ if .Vars.run_heavy_tests }} +command: + {{ if .Vars.rhel9cis_rule_6_1_10 }} + world_writable: + title: 6.1.10 | L1 | Ensure no world writable files exist + exec: "df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002" + exit-status: 0 + timeout: {{ .Vars.timeout_ms }} + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.10 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1/cis_6.1.11.yml b/section_6/cis_6.1/cis_6.1.11.yml new file mode 100644 index 0000000..85e00fd --- /dev/null +++ b/section_6/cis_6.1/cis_6.1.11.yml @@ -0,0 +1,21 @@ +{{ if .Vars.run_heavy_tests }} + {{ if .Vars.rhel9cis_rule_6_1_11 }} +command: + unowned_dirs: + title: 6.1.11 | L1 | Ensure no unowned files or directories exist + exec: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser" + exit-status: 0 + timeout: {{ .Vars.timeout_ms }} + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.11 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1/cis_6.1.12.yml b/section_6/cis_6.1/cis_6.1.12.yml new file mode 100644 index 0000000..175ff61 --- /dev/null +++ b/section_6/cis_6.1/cis_6.1.12.yml @@ -0,0 +1,21 @@ +{{ if .Vars.run_heavy_tests }} + {{ if .Vars.rhel9cis_rule_6_1_12 }} +command: + no_ungrouped: + title: 6.1.12 | L1 | Ensure no ungrouped files or directories exist + exec: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup" + exit-status: 0 + timeout: {{ .Vars.timeout_ms }} + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.12 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1/cis_6.1.13.yml b/section_6/cis_6.1/cis_6.1.13.yml new file mode 100644 index 0000000..b4f48b5 --- /dev/null 
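Review bot: In cis_6.1.10.yml the `command:` key sits outside the `{{ if .Vars.rhel9cis_rule_6_1_10 }}` guard, whereas 6.1.11 and 6.1.12 wrap the whole block; with the rule disabled and run_heavy_tests enabled the rendered file is a bare `command:` with a null value, which the goss loader may reject or merge oddly when the rule files are combined. Moving `command:` inside the rule guard, as the sibling files do, keeps the rendered output either complete or empty.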
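Review bot: The awk program in unowned_dirs (and no_ungrouped in 6.1.12) is written as `awk {'if (NR!=1) print $6'}` with the braces outside the single quotes; it works only because the shell concatenates the quoted and unquoted parts into one word, and it reads as a mistake beside the `awk '{if (NR!=1) print $6}'` form used in 6.1.10 and 6.1.13. Use the same quoting in all four files: `exec: "df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nouser"`.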
+++ b/section_6/cis_6.1/cis_6.1.13.yml @@ -0,0 +1,21 @@ +{{ if .Vars.run_heavy_tests }} + {{ if .Vars.rhel9cis_rule_6_1_13 }} +command: + audit_suid_exec: + title: 6.1.13 | L1 | Audit SUID executables + exec: "df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -4000" + exit-status: 0 + timeout: {{ .Vars.timeout_ms }} + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.13 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1/cis_6.1.14.yml b/section_6/cis_6.1/cis_6.1.14.yml new file mode 100644 index 0000000..a5e0343 --- /dev/null +++ b/section_6/cis_6.1/cis_6.1.14.yml @@ -0,0 +1,21 @@ +{{ if .Vars.run_heavy_tests }} + {{ if .Vars.rhel9cis_rule_6_1_14 }} +command: + audit_sgid: + title: 6.1.14 | L1 | Audit SGID executables + exec: "df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -2000" + timeout: {{ .Vars.timeout_ms }} + exit-status: 0 + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.14 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true + {{ end }} +{{ end }} diff --git a/section_6/cis_6.1/cis_6.1.2.yml b/section_6/cis_6.1/cis_6.1.2.yml new file mode 100644 index 0000000..5a8fecf --- /dev/null +++ b/section_6/cis_6.1/cis_6.1.2.yml @@ -0,0 +1,19 @@ +{{ if .Vars.rhel9cis_rule_6_1_2 }} +command: + passwd_perms: + title: 6.1.2 | L1 | Ensure permissions on /etc/passwd are configured + exec: stat -L -c "%a %U %G" /etc/passwd + exit-status: 0 + stdout: + - '/6[0.4][0,4] root root/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.2 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} + diff --git a/section_6/cis_6.1/cis_6.1.3.yml b/section_6/cis_6.1/cis_6.1.3.yml new file mode 100644 index 0000000..b72c4db --- /dev/null +++ b/section_6/cis_6.1/cis_6.1.3.yml 
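Review bot: audit_suid_exec expects `'!/./'`, i.e. that `find ... -perm -4000` prints nothing, but a stock RHEL install ships SUID binaries such as passwd and sudo, so this rule (and audit_sgid in 6.1.14 with `-perm -2000`) fails on every host instead of auditing the list as its title says. The benchmark item is a review of the reported files against package metadata, not a requirement that none exist; either mark the rule as manual review and keep it out of pass/fail, or report only hits that `rpm -qf` cannot attribute to a package or that `rpm -V` shows as modified. A comment on the rule such as `# 6.1.13 is an audit item: packaged SUID binaries are expected; review the list, do not strip setuid bits to make it pass` would stop readers from "fixing" it the wrong way.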
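Review bot: The permission regex in passwd_perms, `'/6[0.4][0,4] root root/'`, carries a stray `.` in the first class and a comma in the second, so it also accepts `6.4 root root` and `6,4 root root`; stat never prints those, but it is a typo that recurs in group_perms in 6.1.8, while 6.1.9 uses `[0,4][0,4]`. The pattern is also unanchored, so `1644` or `4644 root root` (setuid on /etc/passwd) still contains a matching substring and passes. `- '/^6[04][04] root root$/'` expresses the intended 644-or-stricter, root:root check in all three files.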
@@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_6_1_3 }} +command: + passwd-_perms: + title: 6.1.3 | L1 | Ensure permissions on /etc/passwd- are configured + exec: stat -L -c "%a %U %G" /etc/passwd- + exit-status: 0 + stdout: + - '/(0|[4,6][0,4][0,4]) root root/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.3 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_6/cis_6.1/cis_6.1.4.yml b/section_6/cis_6.1/cis_6.1.4.yml new file mode 100644 index 0000000..13cd689 --- /dev/null +++ b/section_6/cis_6.1/cis_6.1.4.yml @@ -0,0 +1,19 @@ +{{ if .Vars.rhel9cis_rule_6_1_4 }} +command: + shadow_perms: + title: 6.1.4 | L1 | Ensure permissions on /etc/shadow are configured + exec: stat -L -c "%a %U %G" /etc/shadow + exit-status: 0 + stdout: + - '/(0|000) root root/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.4 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} + diff --git a/section_6/cis_6.1/cis_6.1.5.yml b/section_6/cis_6.1/cis_6.1.5.yml new file mode 100644 index 0000000..5d58208 --- /dev/null +++ b/section_6/cis_6.1/cis_6.1.5.yml @@ -0,0 +1,19 @@ +{{ if .Vars.rhel9cis_rule_6_1_5 }} +command: + shadow-_perms: + title: 6.1.5 | L1 | Ensure permissions on /etc/shadow- are configured + exec: stat -L -c "%a %U %G" /etc/shadow- + exit-status: 0 + stdout: + - '/(0|000) root root/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.5 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} + diff --git a/section_6/cis_6.1/cis_6.1.6.yml b/section_6/cis_6.1/cis_6.1.6.yml new file mode 100644 index 0000000..2c1618a --- /dev/null +++ b/section_6/cis_6.1/cis_6.1.6.yml 
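Review bot: shadow_perms matches `'/(0|000) root root/'` without anchors, so the substring `0 root root` also matches `640 root root` or `600 root root`, and an /etc/shadow readable by its group passes a check meant to require mode 0000; the same unanchored form is used for /etc/shadow- in 6.1.5 and as `/0 root root/` for /etc/gshadow and /etc/gshadow- in 6.1.6 and 6.1.7. stat's `%a` prints mode 0000 as a single `0`, so the `000` alternative is dead. Use `- '/^0 root root$/'` in all four files.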
@@ -0,0 +1,19 @@ +{{ if .Vars.rhel9cis_rule_6_1_6 }} +command: + gshadow_perms: + title: 6.1.6 | L1 | Ensure permissions on /etc/gshadow are configured + exec: stat -L -c "%a %U %G" /etc/gshadow + exit-status: 0 + stdout: + - '/0 root root/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.6 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} + diff --git a/section_6/cis_6.1/cis_6.1.7.yml b/section_6/cis_6.1/cis_6.1.7.yml new file mode 100644 index 0000000..2c7c03c --- /dev/null +++ b/section_6/cis_6.1/cis_6.1.7.yml @@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_6_1_7 }} +command: + gshadow-_perms: + title: 6.1.7 | L1 | Ensure permissions on /etc/gshadow- are configured + exec: stat -L -c "%a %U %G" /etc/gshadow- + exit-status: 0 + stdout: + - '/0 root root/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.7 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_6/cis_6.1/cis_6.1.8.yml b/section_6/cis_6.1/cis_6.1.8.yml new file mode 100644 index 0000000..58e996b --- /dev/null +++ b/section_6/cis_6.1/cis_6.1.8.yml @@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_6_1_8 }} +command: + group_perms: + title: 6.1.8 | L1 | Ensure permissions on /etc/group are configured + exec: stat -L -c "%a %U %G" /etc/group + exit-status: 0 + stdout: + - '/6[0.4][0,4] root root/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.8 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_6/cis_6.1/cis_6.1.9.yml b/section_6/cis_6.1/cis_6.1.9.yml new file mode 100644 index 0000000..9fdb3e3 --- /dev/null +++ b/section_6/cis_6.1/cis_6.1.9.yml 
@@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_6_1_9 }} +command: + group-_perms: + title: 6.1.9 | L1 | Ensure permissions on /etc/group- are configured + exec: stat -L -c "%a %U %G" /etc/group- + exit-status: 0 + stdout: + - '/6[0,4][0,4] root root/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.1.9 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_6/cis_6.2/cis_6.2.1.yml b/section_6/cis_6.2/cis_6.2.1.yml new file mode 100644 index 0000000..b431d9b --- /dev/null +++ b/section_6/cis_6.2/cis_6.2.1.yml @@ -0,0 +1,17 @@ +{{ if .Vars.rhel9cis_rule_6_2_1 }} +file: + /etc/shadow: + title: 6.2.1 | L1 | Ensure /etc/shadow password fields are not empty + exists: true + contains: + - '!/^.*:(\$|\!|\*).*:/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.2.1 + CISv8: 5.2 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_6/cis_6.2/cis_6.2.10.yml b/section_6/cis_6.2/cis_6.2.10.yml new file mode 100644 index 0000000..4c8ca6a --- /dev/null +++ b/section_6/cis_6.2/cis_6.2.10.yml @@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_6_2_10 }} +command: + dot_forward_files: + title: 6.2.10 | L1 | Ensure no users have .forward files + exec: 'find /home/ -name .forward' + exit-status: 0 + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.2.10 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_6/cis_6.2/cis_6.2.11.yml b/section_6/cis_6.2/cis_6.2.11.yml new file mode 100644 index 0000000..944967c --- /dev/null +++ b/section_6/cis_6.2/cis_6.2.11.yml @@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_6_2_11 }} +command: + dot_netrc_files: + title: 6.2.11 | L1 | Ensure no users have .netrc files + exec: 'find /home/ -name .netrc' + exit-status: 0 + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.2.11 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} 
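Review bot: The expectation `'!/^.*:(\$|\!|\*).*:/'` for /etc/shadow is inverted: it fails whenever any line has a password field beginning with `$`, `!` or `*`, which is every hashed, locked or service account on a real system, so the rule can never pass, while the title asks for the opposite, that no password field be empty. `- '!/^[^:]+::/'` checks that directly. A goss `file.contains` test reads /etc/shadow in full, so this rule presumably only works when the audit runs as root; a comment saying so would help operators interpret a failure.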
diff --git a/section_6/cis_6.2/cis_6.2.12.yml b/section_6/cis_6.2/cis_6.2.12.yml new file mode 100644 index 0000000..fcf6f44 --- /dev/null +++ b/section_6/cis_6.2/cis_6.2.12.yml @@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_6_2_12 }} +command: + dot_netrc_perms: + title: 6.2.12 | L1 | Ensure users .netrc files are not group or word accessible + exec: 'find /home/ -name .netrc -perm /g+r,o+r' + exit-status: 0 + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.2.12 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_6/cis_6.2/cis_6.2.13.yml b/section_6/cis_6.2/cis_6.2.13.yml new file mode 100644 index 0000000..35fdc5d --- /dev/null +++ b/section_6/cis_6.2/cis_6.2.13.yml @@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_6_2_13 }} +command: + dot_rhosts_files: + title: 6.2.13 | L1 | Ensure no users have .rhosts files + exec: 'find /home/ -name .rhosts' + exit-status: 0 + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.2.13 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_6/cis_6.2/cis_6.2.14.yml b/section_6/cis_6.2/cis_6.2.14.yml new file mode 100644 index 0000000..fd2a0c6 --- /dev/null +++ b/section_6/cis_6.2/cis_6.2.14.yml @@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_6_2_14 }} +command: + passwd_group_exist: + title: 6.2.14 | L1 | Ensure all groups in /etc/passwd exist in /etc/group + exec: "comm -23 <(awk -F: '{print $4}' /etc/passwd | sort -u) <(awk -F: '{print $3}' /etc/group | sort -u)" + exit-status: 1 + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.2.14 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_6/cis_6.2/cis_6.2.15.yml b/section_6/cis_6.2/cis_6.2.15.yml new file mode 100644 index 0000000..f89c137 --- /dev/null +++ b/section_6/cis_6.2/cis_6.2.15.yml 
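Review bot: The title of dot_netrc_perms reads `Ensure users .netrc files are not group or word accessible`; "word" should be "world", matching the wording used in 6.2.9 and in the benchmark. The `find /home/` scope shared with 6.2.9 through 6.2.13 only covers home directories under /home, so users with a home elsewhere are not checked; a comment stating that assumption, or deriving the paths from /etc/passwd as 6.2.7 does, would make the coverage explicit.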
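Review bot: passwd_group_exist expects `exit-status: 1`, but `comm` exits 0 whether or not it prints differences, so on a compliant host the command returns 0 with empty output and the check fails on the status alone; if the value was chosen because `/bin/sh` might reject the `<( )` process substitution, that is a syntax error with exit 2 in bash, not 1, and on RHEL sh is bash anyway. A single awk invocation avoids the bash-only construct and the exit-code question: `exec: "awk -F: 'NR==FNR{g[$3];next} !($4 in g){print $4}' /etc/group /etc/passwd"` with `exit-status: 0` and the existing `'!/./'`.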
@@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_6_2_15 }} +command: + no_dup_uid: + title: 6.2.15 | L1 | Ensure no duplicate UIDs exist + exec: "cat /etc/passwd | cut -d: -f3 | uniq -d" + exit-status: 0 + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.2.15 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_6/cis_6.2/cis_6.2.16.yml b/section_6/cis_6.2/cis_6.2.16.yml new file mode 100644 index 0000000..1d0fdfc --- /dev/null +++ b/section_6/cis_6.2/cis_6.2.16.yml @@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_6_2_16 }} +command: + no_dup_gid: + title: 6.2.16 | L1 | Ensure no duplicate GIDs exist + exec: "cat /etc/group | cut -d: -f3 | uniq -d" + exit-status: 0 + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.2.16 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_6/cis_6.2/cis_6.2.17.yml b/section_6/cis_6.2/cis_6.2.17.yml new file mode 100644 index 0000000..5a292c8 --- /dev/null +++ b/section_6/cis_6.2/cis_6.2.17.yml @@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_6_2_17 }} +command: + no_dup_username: + title: 6.2.17 | L1 | Ensure no duplicate user names exist + exec: "cat /etc/passwd | cut -d: -f1 | uniq -d" + exit-status: 0 + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.2.17 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_6/cis_6.2/cis_6.2.18.yml b/section_6/cis_6.2/cis_6.2.18.yml new file mode 100644 index 0000000..ba26b1d --- /dev/null +++ b/section_6/cis_6.2/cis_6.2.18.yml @@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_6_2_18 }} +command: + no_dup_groupname: + title: 6.2.18 | L1 | Ensure no duplicate group names exist + exec: "cat /etc/group | cut -d: -f1 | uniq -d" + exit-status: 0 + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.2.18 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} 
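Review bot: `cat /etc/passwd | cut -d: -f3 | uniq -d` in no_dup_uid reports only adjacent duplicates, because `uniq` compares neighbouring lines, so two accounts sharing a UID that are not consecutive in /etc/passwd go unreported; the same applies to no_dup_gid, no_dup_username and no_dup_groupname in 6.2.16 through 6.2.18. Sort before uniq and drop the cat: `exec: "cut -d: -f3 /etc/passwd | sort | uniq -d"`.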
diff --git a/section_6/cis_6.2/cis_6.2.19.yml b/section_6/cis_6.2/cis_6.2.19.yml new file mode 100644 index 0000000..627a02c --- /dev/null +++ b/section_6/cis_6.2/cis_6.2.19.yml @@ -0,0 +1,15 @@ +{{ if .Vars.rhel9cis_rule_6_2_19 }} +group: + shadow: + title: 6.2.19 | L1 | Ensure shadow group is empty + exists: false + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.2.19 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_6/cis_6.2/cis_6.2.2.yml b/section_6/cis_6.2/cis_6.2.2.yml new file mode 100644 index 0000000..1e9faa0 --- /dev/null +++ b/section_6/cis_6.2/cis_6.2.2.yml @@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_6_2_2 }} +file: + /etc/passwd: + title: 6.2.2 | L1 | Ensure no legacy "+" entries exist in /etc/passwd + exists: true + contains: + - '!/^\+:/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.2.2 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} + diff --git a/section_6/cis_6.2/cis_6.2.20.yml b/section_6/cis_6.2/cis_6.2.20.yml new file mode 100644 index 0000000..e7bbf10 --- /dev/null +++ b/section_6/cis_6.2/cis_6.2.20.yml @@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_6_2_20 }} +command: + home_dirs_exist: + title: 6.2.20 | L1 | Ensure all users' home directories exist + exec: pwck -r + exit-status: 1 + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.2.20 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_6/cis_6.2/cis_6.2.3.yml b/section_6/cis_6.2/cis_6.2.3.yml new file mode 100644 index 0000000..4446b60 --- /dev/null +++ b/section_6/cis_6.2/cis_6.2.3.yml 
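Review bot: `group: shadow: exists: false` asserts that the group does not exist, which is stricter than the title "Ensure shadow group is empty"; a host where the shadow group exists with no members, which is what the benchmark text appears to require, fails this rule. If the benchmark semantics are wanted, a command such as `exec: "awk -F: '($1 == \"shadow\") { print $4 }' /etc/group"` with `- '!/./'` reports only a non-empty member list. Otherwise document the deliberate tightening with a comment like `# stricter than the benchmark: RHEL ships no shadow group, so its presence is treated as a finding`.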
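Review bot: home_dirs_exist expects `pwck -r` to return `exit-status: 1`, but pwck(8) documents 1 as invalid command syntax and 2 for bad entries, with 0 on success, so a compliant host returns 0 and fails the check on status. pwck also reports problems unrelated to home directories and includes system accounts, so its output is broader than the title. `exit-status: 0` with the existing `'!/./'` is at least consistent; a check that matches the title more closely is (constructed sketch) `exec: "awk -F: '($3 >= 1000 && $7 !~ /nologin|false/) {print $6}' /etc/passwd | while read d; do [ -d \"$d\" ] || echo \"$d\"; done"`.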
@@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_6_2_3 }} +command: + root_path_check: + title: 6.2.3 | L1 | Ensure root PATH Integrity + exec: "/bin/bash --login -c 'env | grep ^PATH=' | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'" + exit-status: 0 + stdout: + - '!/\\./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.2.3 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_6/cis_6.2/cis_6.2.4.yml b/section_6/cis_6.2/cis_6.2.4.yml new file mode 100644 index 0000000..cd38a99 --- /dev/null +++ b/section_6/cis_6.2/cis_6.2.4.yml @@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_6_2_4 }} +file: + /etc/shadow: + title: 6.2.4 | L1 | Ensure no legacy "+" entries exist in /etc/shadow + exists: true + contains: + - '!/^\+:/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.2.4 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} + diff --git a/section_6/cis_6.2/cis_6.2.5.yml b/section_6/cis_6.2/cis_6.2.5.yml new file mode 100644 index 0000000..6b4c3f7 --- /dev/null +++ b/section_6/cis_6.2/cis_6.2.5.yml @@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_6_2_5 }} +file: + /etc/group: + title: 6.2.5 | L1 | Ensure no legacy "+" entries exist in /etc/group + exists: true + contains: + - '!/^\+:/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.2.5 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} + diff --git a/section_6/cis_6.2/cis_6.2.6.yml b/section_6/cis_6.2/cis_6.2.6.yml new file mode 100644 index 0000000..3d56fd7 --- /dev/null +++ b/section_6/cis_6.2/cis_6.2.6.yml @@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_6_2_6 }} +command: + uid_0_check: + title: 6.2.6 | L1 | Ensure root is the only UID 0 account + exec: "awk -F: '($3 == 0) { print $1 }' /etc/passwd" + exit-status: 0 + stdout: + - 'root' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.2.6 + CISv8: 4.1 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} 
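Review bot: The negative pattern `'!/\\./'` in root_path_check is a YAML single-quoted scalar, so goss receives the regex `\\.`, a literal backslash followed by any character; it never matches a PATH component that is just `.`, so the intent of the rule is not enforced. `- '!/^\.$/'` rejects a bare dot once the sed has split PATH one entry per line. Note that the `s/::/:/` and `s/:$//` substitutions remove empty components before the pattern sees them, so those two findings from the benchmark's PATH audit are hidden rather than reported, and the ownership and write-permission conditions of that audit are not covered here; a comment stating what is in scope would avoid a false sense of coverage.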
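Review bot: uid_0_check's expectation `stdout: ['root']` is satisfied whenever the output contains `root`, so a second UID 0 account printed on another line still passes the rule "root is the only UID 0 account". Filter root out in the command and require empty output instead: `exec: "awk -F: '($3 == 0 && $1 != \"root\") { print $1 }' /etc/passwd"` with `- '!/./'`.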
diff --git a/section_6/cis_6.2/cis_6.2.7.yml b/section_6/cis_6.2/cis_6.2.7.yml new file mode 100644 index 0000000..fa4de30 --- /dev/null +++ b/section_6/cis_6.2/cis_6.2.7.yml @@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_6_2_7 }} +command: + home_dirs_restrict: + title: 6.2.7 | L1 | Ensure all users' home directories permissions are 750 or more restrictive + exec: "for i in `getent passwd {1000..60000} | awk '{split($0,a,\":\");print a[6]}'`; do stat -c \"%a %n\" $i ; done" + exit-status: 0 + stdout: + - '/7[0,5]0\s/' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.2.7 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_6/cis_6.2/cis_6.2.8.yml b/section_6/cis_6.2/cis_6.2.8.yml new file mode 100644 index 0000000..6425d03 --- /dev/null +++ b/section_6/cis_6.2/cis_6.2.8.yml @@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_6_2_8 }} +command: + home_dirs_owned: + title: 6.2.8 | L1 | Ensure users own their home directories + exec: "getent passwd {1000..60000} | awk -F: '{ print $1 \" \" $7 }' | while read user dir; do if [ $user != 'ftpd' ]; then owner=$(stat -L -c \"%U\" \"$dir\"); if [ \"$owner\" != \"$user\" ]; then echo \"home dir for $user owned by $owner\"; fi; fi; done" + exit-status: 0 + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.2.8 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} diff --git a/section_6/cis_6.2/cis_6.2.9.yml b/section_6/cis_6.2/cis_6.2.9.yml new file mode 100644 index 0000000..4848393 --- /dev/null +++ b/section_6/cis_6.2/cis_6.2.9.yml @@ -0,0 +1,18 @@ +{{ if .Vars.rhel9cis_rule_6_2_9 }} +command: + dot_file_perms: + title: 6.2.9 | L1 | Ensure users dot files are not group or world writable + exec: 'find /home/ -name "\.*" -perm /g+w,o+w' + exit-status: 0 + stdout: + - '!/./' + meta: + server: 1 + workstation: 1 + CIS_ID: + - 6.2.9 + CISv8: 3.3 + CISv8_IG1: true + CISv8_IG2: true + CISv8_IG3: true +{{ end }} 
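Review bot: home_dirs_restrict requires only that some output line matches `/7[0,5]0\s/`, so a single home directory at 750 makes the rule pass even when others are 755 or 777; the check should report offenders rather than look for one compliant entry. Invert it: print directories whose mode is too permissive and expect nothing, e.g. `exec: "getent passwd {1000..60000} | awk -F: '{print $6}' | xargs -r stat -c '%a %n' | awk '$1 !~ /^7[0-5]0$/'"` with `- '!/./'`. The `{1000..60000}` brace expansion depends on the shell being bash, which holds on RHEL but deserves a comment.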
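Review bot: home_dirs_owned prints `$1 " " $7` from /etc/passwd, but field 7 is the login shell; field 6 is the home directory. As written the loop stats the shell binary (owned by root) for every user and emits `home dir for <user> owned by root` for all of them, so the check fails on every host. Change the awk to `awk -F: '{ print $1 \" \" $6 }'`; the hard-coded `ftpd` exception would also be clearer as a variable or with a comment explaining why that account is skipped.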
diff --git a/vars/CIS.yml b/vars/CIS.yml new file mode 100644 index 0000000..0617555 --- /dev/null +++ b/vars/CIS.yml 
@@ -0,0 +1,478 @@ +## metadata for benchmark + +## metadata for Audit benchmark +benchmark_version: '1.0' + +# Set if genuine RHEL (subscription manager check) not for derivatives e.g. CentOS +is_redhat_os: true + +rhel9cis_os_distribution: redhat # ensure this is changed accordingly for centos/rocky + +# timeout for each command to run where set - default = 10seconds/10000ms +timeout_ms: 30000 + +# Taken from LE rhel9-cis +rhel9cis_notauto: false +rhel9cis_section1: true +rhel9cis_section2: true +rhel9cis_section3: true +rhel9cis_section4: true +rhel9cis_section5: true +rhel9cis_section6: true + +rhel9cis_level_1: true +rhel9cis_level_2: true + +rhel9cis_selinux_disable: true + +# to enable rules that may have IO impact on a system e.g. full filesystem scans or CPU heavy +run_heavy_tests: true + +# True is BIOS based system else set to false +rhel9cis_legacy_boot: true + +rhel9cis_set_boot_pass: true + +# These variables correspond with the CIS rule IDs or paragraph numbers defined in +# the CIS benchmark documents. +# PLEASE NOTE: These work in coordination with the section # group variables and tags. +# You must enable an entire section in order for the variables below to take effect. 
+# Section 1 rules +rhel9cis_rule_1_1_1_1: true +rhel9cis_rule_1_1_1_2: true +rhel9cis_rule_1_1_1_3: true +rhel9cis_rule_1_1_1_4: true +rhel9cis_rule_1_1_2: true +rhel9cis_rule_1_1_3: true +rhel9cis_rule_1_1_4: true +rhel9cis_rule_1_1_5: true +rhel9cis_rule_1_1_6: true +rhel9cis_rule_1_1_7: true +rhel9cis_rule_1_1_8: true +rhel9cis_rule_1_1_9: true +rhel9cis_rule_1_1_10: true +rhel9cis_rule_1_1_11: true +rhel9cis_rule_1_1_12: true +rhel9cis_rule_1_1_13: true +rhel9cis_rule_1_1_14: true +rhel9cis_rule_1_1_15: true +rhel9cis_rule_1_1_16: true +rhel9cis_rule_1_1_17: true +rhel9cis_rule_1_1_18: true +rhel9cis_rule_1_1_19: true +rhel9cis_rule_1_1_20: true +rhel9cis_rule_1_1_21: true +rhel9cis_rule_1_1_22: true +rhel9cis_rule_1_1_23: true +rhel9cis_rule_1_2_1: true # if this is RHEL # change to False for RHEL derivative +rhel9cis_rule_1_2_2: true +rhel9cis_rule_1_2_3: true +rhel9cis_rule_1_2_4: true +rhel9cis_rule_1_2_5: true +rhel9cis_rule_1_3_1: true +rhel9cis_rule_1_3_2: true +rhel9cis_rule_1_3_3: true +rhel9cis_rule_1_4_1: true +rhel9cis_rule_1_4_2: true +rhel9cis_rule_1_5_1: true +rhel9cis_rule_1_5_2: true +rhel9cis_rule_1_5_3: true +rhel9cis_rule_1_6_1: true +rhel9cis_rule_1_6_2: true +rhel9cis_rule_1_7_1_1: true +rhel9cis_rule_1_7_1_2: true +rhel9cis_rule_1_7_1_3: true +rhel9cis_rule_1_7_1_4: true +rhel9cis_rule_1_7_1_5: true +rhel9cis_rule_1_7_1_6: true +rhel9cis_rule_1_7_1_7: true +rhel9cis_rule_1_8_1_1: true +rhel9cis_rule_1_8_1_2: true +rhel9cis_rule_1_8_1_3: true +rhel9cis_rule_1_8_1_4: true +rhel9cis_rule_1_8_1_5: true +rhel9cis_rule_1_8_1_6: true +rhel9cis_rule_1_8_2: true +rhel9cis_rule_1_9: true +rhel9cis_rule_1_10: true +rhel9cis_rule_1_11: true + + +# section 2 rules +rhel9cis_rule_2_1_1: true +rhel9cis_rule_2_2_1_1: true +rhel9cis_rule_2_2_1_2: true +rhel9cis_rule_2_2_2: true +rhel9cis_rule_2_2_3: true +rhel9cis_rule_2_2_4: true +rhel9cis_rule_2_2_5: true +rhel9cis_rule_2_2_6: true +rhel9cis_rule_2_2_7: true +rhel9cis_rule_2_2_8: true 
+rhel9cis_rule_2_2_9: true +rhel9cis_rule_2_2_10: true +rhel9cis_rule_2_2_11: true +rhel9cis_rule_2_2_12: true +rhel9cis_rule_2_2_13: true +rhel9cis_rule_2_2_14: true +rhel9cis_rule_2_2_15: true +rhel9cis_rule_2_2_16: true +rhel9cis_rule_2_2_17: true +rhel9cis_rule_2_2_18: true +rhel9cis_rule_2_3_1: true +rhel9cis_rule_2_3_2: true +rhel9cis_rule_2_3_3: true + +# Section 3 rules +rhel9cis_rule_3_1_1: true +rhel9cis_rule_3_1_2: true +rhel9cis_rule_3_2_1: true +rhel9cis_rule_3_2_2: true +rhel9cis_rule_3_2_3: true +rhel9cis_rule_3_2_4: true +rhel9cis_rule_3_2_5: true +rhel9cis_rule_3_2_6: true +rhel9cis_rule_3_2_7: true +rhel9cis_rule_3_2_8: true +rhel9cis_rule_3_2_9: true +rhel9cis_rule_3_3_1: true +rhel9cis_rule_3_3_2: true +rhel9cis_rule_3_3_3: true +rhel9cis_rule_3_3_4: true +rhel9cis_rule_3_4_1_1: true +rhel9cis_rule_3_4_2_1: true +rhel9cis_rule_3_4_2_2: true +rhel9cis_rule_3_4_2_3: true +rhel9cis_rule_3_4_2_4: true +rhel9cis_rule_3_4_2_5: true +rhel9cis_rule_3_4_2_6: true +rhel9cis_rule_3_4_3_1: true +rhel9cis_rule_3_4_3_2: true +rhel9cis_rule_3_4_3_3: true +rhel9cis_rule_3_4_3_4: true +rhel9cis_rule_3_4_3_5: true +rhel9cis_rule_3_4_3_6: true +rhel9cis_rule_3_4_3_7: true +rhel9cis_rule_3_4_3_8: true +rhel9cis_rule_3_4_4_1_1: true +rhel9cis_rule_3_4_4_1_2: true +rhel9cis_rule_3_4_4_1_3: true +rhel9cis_rule_3_4_4_1_4: true +rhel9cis_rule_3_4_4_2_1: true +rhel9cis_rule_3_4_4_2_2: true +rhel9cis_rule_3_4_4_2_3: true +rhel9cis_rule_3_4_4_2_4: true +rhel9cis_rule_3_5: true +rhel9cis_rule_3_6: true + +# Section 4 rules +rhel9cis_rule_4_1_1_1: true +rhel9cis_rule_4_1_1_2: true +rhel9cis_rule_4_1_1_3: true +rhel9cis_rule_4_1_1_4: true +rhel9cis_rule_4_1_2_1: true +rhel9cis_rule_4_1_2_2: true +rhel9cis_rule_4_1_2_3: true +rhel9cis_rule_4_1_3: true +rhel9cis_rule_4_1_4: true +rhel9cis_rule_4_1_5: true +rhel9cis_rule_4_1_6: true +rhel9cis_rule_4_1_7: true +rhel9cis_rule_4_1_8: true +rhel9cis_rule_4_1_9: true +rhel9cis_rule_4_1_10: true +rhel9cis_rule_4_1_11: true 
+rhel9cis_rule_4_1_12: true +rhel9cis_rule_4_1_13: true +rhel9cis_rule_4_1_14: true +rhel9cis_rule_4_1_15: true +rhel9cis_rule_4_1_16: true +rhel9cis_rule_4_1_17: true +rhel9cis_rule_4_2_1_1: true +rhel9cis_rule_4_2_1_2: true +rhel9cis_rule_4_2_1_3: true +rhel9cis_rule_4_2_1_4: true +rhel9cis_rule_4_2_1_5: true +rhel9cis_rule_4_2_1_6: true +rhel9cis_rule_4_2_2_1: true +rhel9cis_rule_4_2_2_2: true +rhel9cis_rule_4_2_2_3: true +rhel9cis_rule_4_2_3: true +rhel9cis_rule_4_3: true + +# Section 5 +rhel9cis_rule_5_1_1: true +rhel9cis_rule_5_1_2: true +rhel9cis_rule_5_1_3: true +rhel9cis_rule_5_1_4: true +rhel9cis_rule_5_1_5: true +rhel9cis_rule_5_1_6: true +rhel9cis_rule_5_1_7: true +rhel9cis_rule_5_1_8: true +rhel9cis_rule_5_2_1: true +rhel9cis_rule_5_2_2: true +rhel9cis_rule_5_2_3: true +rhel9cis_rule_5_2_4: true +rhel9cis_rule_5_2_5: true +rhel9cis_rule_5_2_6: true +rhel9cis_rule_5_2_7: true +rhel9cis_rule_5_2_8: true +rhel9cis_rule_5_2_9: true +rhel9cis_rule_5_2_10: true +rhel9cis_rule_5_2_11: true +rhel9cis_rule_5_2_12: true +rhel9cis_rule_5_2_13: true +rhel9cis_rule_5_2_14: true +rhel9cis_rule_5_2_15: true +rhel9cis_rule_5_2_16: true +rhel9cis_rule_5_2_17: true +rhel9cis_rule_5_2_18: true +rhel9cis_rule_5_2_19: true +rhel9cis_rule_5_2_20: true +rhel9cis_rule_5_3_1: true +rhel9cis_rule_5_3_2: true +rhel9cis_rule_5_3_3: true +rhel9cis_rule_5_3_4: true +rhel9cis_rule_5_4_1: true +rhel9cis_rule_5_4_2: true +rhel9cis_rule_5_4_3: true +rhel9cis_rule_5_4_4: true +rhel9cis_rule_5_5_1_1: true +rhel9cis_rule_5_5_1_2: true +rhel9cis_rule_5_5_1_3: true +rhel9cis_rule_5_5_1_4: true +rhel9cis_rule_5_5_1_5: true +rhel9cis_rule_5_5_2: true +rhel9cis_rule_5_5_3: true +rhel9cis_rule_5_5_4: true +rhel9cis_rule_5_5_5: true +rhel9cis_rule_5_6: true +rhel9cis_rule_5_7: true + +# Section 6 +rhel9cis_rule_6_1_1: true +rhel9cis_rule_6_1_2: true +rhel9cis_rule_6_1_3: true +rhel9cis_rule_6_1_4: true +rhel9cis_rule_6_1_5: true +rhel9cis_rule_6_1_6: true +rhel9cis_rule_6_1_7: true 
+rhel9cis_rule_6_1_8: true +rhel9cis_rule_6_1_9: true +rhel9cis_rule_6_1_10: true +rhel9cis_rule_6_1_11: true +rhel9cis_rule_6_1_12: true +rhel9cis_rule_6_1_13: true +rhel9cis_rule_6_1_14: true + +rhel9cis_rule_6_2_1: true +rhel9cis_rule_6_2_2: true +rhel9cis_rule_6_2_3: true +rhel9cis_rule_6_2_4: true +rhel9cis_rule_6_2_5: true +rhel9cis_rule_6_2_6: true +rhel9cis_rule_6_2_7: true +rhel9cis_rule_6_2_8: true +rhel9cis_rule_6_2_9: true +rhel9cis_rule_6_2_10: true +rhel9cis_rule_6_2_11: true +rhel9cis_rule_6_2_12: true +rhel9cis_rule_6_2_13: true +rhel9cis_rule_6_2_14: true +rhel9cis_rule_6_2_15: true +rhel9cis_rule_6_2_16: true +rhel9cis_rule_6_2_17: true +rhel9cis_rule_6_2_18: true +rhel9cis_rule_6_2_19: true +rhel9cis_rule_6_2_20: true + +# AIDE +rhel9cis_config_aide: false + +# aide setup via - cron, timer +rhel9_aide_scan: cron + +# AIDE cron settings +rhel9cis_aide_cron: + cron_user: root + cron_file: /etc/crontab + aide_job: '/usr/sbin/aide --check' + aide_minute: 0 + aide_hour: 5 + aide_day: '*' + aide_month: '*' + aide_weekday: '*' + +# 1.5.1 Bootloader password +rhel9cis_bootloader_password: random + +# Warning Banner Content (issue, issue.net, motd) +rhel9cis_warning_banner: Authorized uses only. All activity may be monitored and reported. 
+# End Banner + +# Set to 'true' if X Windows is needed in your environment +rhel9cis_xwindows_required: false + +# Whether or not to run tasks related to auditing/patching the desktop environment +rhel9cis_gui: false + +# xinetd required +rhel9cis_xinetd_required: false + +# crypto policy # can be set to DEFAULT, FUTURE or FIPS inline with site policy +rhel9cis_crypto_policy: FUTURE + +# IPv6 required +rhel9cis_ipv6_required: true + +# System network parameters (host only OR host and router) +rhel9cis_is_router: false + +# Time Synchronization +rhel9cis_time_synchronization: chrony +# rhel9cis_time_synchronization: ntp + +# Service configuration booleans set true to keep service +rhel9cis_avahi_server: false +rhel9cis_cups_server: false +rhel9cis_dhcp_server: false +rhel9cis_ldap_server: false +rhel9cis_telnet_server: false +rhel9cis_nfs_server: false +rhel9cis_rpc_server: false +rhel9cis_ntalk_server: false +rhel9cis_rsyncd_server: false +rhel9cis_tftp_server: false +rhel9cis_rsh_server: false +rhel9cis_nis_server: false +rhel9cis_snmp_server: false +rhel9cis_squid_server: false +rhel9cis_smb_server: false +rhel9cis_dovecot_server: false +rhel9cis_httpd_server: false +rhel9cis_vsftpd_server: false +rhel9cis_named_server: false +rhel9cis_nfs_rpc_server: false +rhel9cis_is_mail_server: false +rhel9cis_bind: false +rhel9cis_vsftpd: false +rhel9cis_httpd: false +rhel9cis_dovecot: false +rhel9cis_samba: false +rhel9cis_squid: false +rhel9cis_net_snmp: false +rhel9cis_allow_autofs: false + +# client services +rhel9cis_openldap_clients_required: false +rhel9cis_telnet_required: false +rhel9cis_talk_required: false +rhel9cis_rsh_required: false +rhel9cis_ypbind_required: false + +rhel9cis_firewall: firewalld +# rhel9cis_firewall: iptables +rhel9cis_default_firewall_zone: public +rhel9cis_firewall_interface: + - ['ens224'] + - ['ens192'] +rhel9cis_firewall_services: + - ssh + - dhcpv6-client + +### Section 4 +## auditd settings +rhel9cis_auditd: + admin_space_left_action: 
halt + max_log_file_action: keep_logs + auditd_backlog_limit: 2048 + +## syslog +rhel9_cis_rsyslog: true + +### Section 5 +rhel9cis_sshd_limited: false +# Note the following to understand precedence and layout +rhel9cis_sshd_access: + - AllowUser + - AllowGroup + - DenyUser + - DenyGroup + +rhel9cis_ssh_strong_ciphers: Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr +rhel9cis_ssh_weak_ciphers: + - 3des-cbc + - aes128-cbc + - aes192-cbc + - aes256-cbc + - arcfour + - arcfour128 + - arcfour256 + - blowfish-cbc + - cast128-cbc + - rijndael-cbc@lysator.liu.se + +rhel9cis_ssh_strong_macs: MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 +rhel9cis_ssh_weak_macs: + - hmac-md5 + - hmac-md5-96 + - hmac-ripemd160 + - hmac-sha1 + - hmac-sha1-96 + - umac-64@openssh.com + - umac-128@openssh.com + - hmac-md5-etm@openssh.com + - hmac-md5-96-etm@openssh.com + - hmac-ripemd160-etm@openssh.com + - hmac-sha1-etm@openssh.com + - hmac-sha1-96-etm@openssh.com + - umac-64-etm@openssh.com + - umac-128-etm@openssh.com + +rhel9cis_ssh_strong_kex: KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 +rhel9cis_ssh_weak_kex: + - diffie-hellman-group1-sha1 + - diffie-hellman-group14-sha1 + - diffie-hellman-group-exchange-sha1 + +rhel9cis_ssh_aliveinterval: "900" +rhel9cis_ssh_countmax: "0" + +# Authselect select false if using AD or RHEL ID mgmt +rhel9cis_authselect: + custom_profile_name: custom-profile + default_file_to_copy: sssd + options: with-sudo with-faillock without-nullok + +# 5.3.1 Enable automation to creat custom profile settings, using the setings above +rhel9cis_authselect_custom_profile_create: false + +# 5.3.2 Enable automation to select custom profile options, using the 
settings above +rhel9cis_authselect_custom_profile_select: false + +## PAM +rhel9cis_pam_password: + minlen: "14" + minclass: "4" + +rhel9cis_pam_passwd_retry: "3" + +# choose one of below +rhel9cis_pwhistory_so: "14" +rhel9cis_unix_so: false +rhel9cis_passwd_remember: "5" + +# logins.def password settings +rhel9cis_pass: + max_days: "365" + min_days: "1" + warn_age: "7" + +# set sugroup if differs from wheel +rhel9cis_sugroup: wheel + +# sugroup users list +rhel9cis_sugroup_users: "root" + +# var log location variable +rhel9cis_varlog_location: "/var/log/sudo.log"