Merge pull request #30 from ansible-lockdown/devel

goss version update
2026-06-02 02:51:02 +00:00 · 2023-09-18 15:55:03 +01:00
parent 306164f50b 0ab56082f2
commit 2028c0bd24
52 changed files with 208 additions and 216 deletions
@@ -1,6 +1,11 @@
 # Changes to RHEL9-CIS-Audit

-## 1.0.4 updates and script
+## 1.0.5 updated to use goss > 0.4. - based on CIS v1.0.0
+
+- updated ssh config to use more file module
+- all file module test set to use new layout with path
+
+## 1.0.4 updates and script - based on CIS v1.0.0

 - multiple tests updates
 - linting on spaces
@@ -1,14 +1,15 @@
 {{ if .Vars.rhel9cis_rule_1_4_1 }}
  {{ if .Vars.rhel9cis_set_boot_pass }}
  file:
-    /boot/grub2/user.cfg:
+    grub_bootloader_passwd:
      title: 1.4.1 | Ensure bootloader password is set
+      path: /boot/grub2/user.cfg
      exists: true
      owner: root
      group: root
      mode: "0600"
      {{ if .Vars.rhel9cis_set_boot_pass }}
-      contains:
+      contents:
        - '/GRUB2_PASSWORD=grub.pbkdf2.sha512.*/'
      {{ end }}
      meta:
@@ -1,7 +1,8 @@
 {{ if .Vars.rhel9cis_rule_1_4_2 }}
 file:
-  /boot/grub2/grub.cfg:
+  grub_bootloaders_perms:
    title: 1.4.2 | Ensure permissions on bootloader config are configured | file_perms | grub.cfg
+    path: /boot/grub2/grub.cfg
    exists: true
    owner: root
    group: root
@@ -16,8 +17,9 @@ file:
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
-  /boot/grub2/grubenv:
+  grubenv_perms:
    title: 1.4.2 | Ensure permissions on bootloader config are configured | file_perms | grubenv
+    path: /boot/grub2/grubenv
    exists: true
    owner: root
    group: root
@@ -32,8 +34,9 @@ file:
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
-  /boot/grub2/user.cfg:
+  grub_user_perms:
    title: 1.4.2 | Ensure permissions on bootloader config are configured | file_perms | user.cfg
+    path: /boot/grub2/user.cfg
    exists: true
    owner: root
    group: root
@@ -22,7 +22,7 @@ file:
  /etc/selinux/config:
    title: 1.6.1.5 | Ensure the SELinux mode is enforcing | config
    exists: true
-    contains:
+    contents:
    - '/^SELINUX( |)=( |)enforcing/'
    meta:
      server: 2
@@ -1,14 +1,15 @@
 file:
  {{ if .Vars.rhel9cis_rule_1_7_1 }}
-  /etc/motd:
+  motd_config :
    title: |
          1.7.1 | Ensure message of the day is configured properly
          1.7.4 | Ensure permissions on /etc/motd are configured
+    path: /etc/motd
    exists: true
    mode: "0644"
    owner: root
    group: root
-    contains:
+    contents:
    - '!/[Cc]ent[Oo][Ss].*/'
    - '!/[Rr]hel.*/'
    - '!/[Rr]ed[Hh]at.*/'
@@ -30,15 +31,16 @@ file:
      CISv8_IG3: true
  {{ end }}
  {{ if .Vars.rhel9cis_rule_1_7_2 }}
-  /etc/issue:
+  etc_issue_config:
    title: |
          1.7.2 | Ensure local login warning banner is configured properly
          1.7.5 | Ensure permissions on /etc/issue are configured
+    path: /etc/issue
    exists: true
    mode: "0644"
    owner: root
    group: root
-    contains:
+    contents:
    - '!/[Cc]ent[Oo][Ss].*/'
    - '!/[Rr]hel.*/'
    - '!/[Rr]ed[Hh]at.*/'
@@ -61,15 +63,16 @@ file:
      CISv8_IG3: true
  {{ end }}
  {{ if .Vars.rhel9cis_rule_1_7_3 }}
-  /etc/issue.net:
+  etc_issue_net_config:
    title: |
         1.7.3 | Ensure remote login warning banner is configured properly
         1.7.6 | Ensure permissions on /etc/issue.net are configured
+    path: /etc/issue.net
    exists: true
    mode: "0644"
    owner: root
    group: root
-    contains:
+    contents:
    - '!/[Cc]ent[Oo][Ss].*/'
    - '!/[Rr]hel.*/'
    - '!/[Rr]ed[Hh]at.*/'
@@ -4,7 +4,7 @@ file:
  /etc/gdm/custom.conf:
    title: 1.8.10 | Ensure XDMCP is not enabled
    exists: true
-    contains:
+    contents:
    - '!/^Enable( |)=( |)true/'
    meta:
      server: 1
@@ -4,7 +4,7 @@ file:
  /etc/dconf/db/{ .Vars.rhel9cis_dconf_db_name }.d/00-screensaver:
    title: 1.8.4 | Ensure GDM screen locks when the user is idle
    exists: true
-    contains:
+    contents:
    - '/^[org/gnome/desktop/session]/'
    - '/^idle-delay=uint32 (1|[1-9]|[1-8][0-9]{1,2}|900)$/'
    - '!/^idle-delay=uint32 (90[1-9]|9[1-9][0-9]|1[0-9]{3,})$/'
@@ -4,7 +4,7 @@ file:
  /etc/dconf/db/{ .Vars.rhel9cis_dconf_db_name }.d/locks/00-screensaver_lock:
    title: 1.8.5 | Ensure GDM screen locks cannot be overridden
    exists: true
-    contains:
+    contents:
    - '^\/org\/gnome\/desktop\/session\/idle-delay/'
    - '^/\/org\/gnome\/desktop\/screensaver\/lock-delay/'
    meta:
@@ -4,7 +4,7 @@ file:
  /etc/dconf/db/{ .Vars.rhel9cis_dconf_db_name }.d/00-media-automount:
    title: 1.8.6 | Ensure GDM automatic mounting of removable media is disabled
    exists: true
-    contains:
+    contents:
    - '/^[org/gnome/desktop/media-handling]/'
    - '/^automount=false/'
    - '/^automount-open=false/'
@@ -4,7 +4,7 @@ file:
  /etc/dconf/db/{ .Vars.rhel9cis_dconf_db_name }.d/locks/00-automount_lock:
    title: 1.8.7 | Ensure GDM disabling automatic mounting of removable media is not overridden
    exists: true
-    contains:
+    contents:
    - '^/\/org\/gnome\/desktop\/media-handling\/automount/'
    - '^/\/org\/gnome\/desktop\/media-handling\/automount-open/'
    meta:
@@ -4,7 +4,7 @@ file:
  /etc/dconf/db/{ .Vars.rhel9cis_dconf_db_name }.d/00-media-autorun:
    title: 1.8.8 | Ensure GDM autorun-never is enabled
    exists: true
-    contains:
+    contents:
    - '/^[org/gnome/desktop/media-handling]/'
    - '/^autorun-never=true/'
    meta:
@@ -4,7 +4,7 @@ file:
  /etc/dconf/db/{ .Vars.rhel9cis_dconf_db_name }.d/locks/00-autorun_lock:
    title: 1.8.9 | Ensure GDM autorun-never is not overridden
    exists: true
-    contains:
+    contents:
    - '^/\/org\/gnome\/desktop\/media-handling\/autorun-never/'
    meta:
      server: 1
@@ -1,9 +1,10 @@
 {{ if .Vars.rhel9cis_rule_2_1_2 }}
 file:
-  /etc/chrony.conf:
+  chrony_servers_pools:
    title: 2.1.2 | Ensure chrony is configured | server
+    path: /etc/chrony.conf
    exists: true
-    contains:
+    contents:
    - '/^(server|pool)\s.*/'
    skip: false
    meta:
@@ -16,10 +17,11 @@ file:
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
-  /etc/sysconfig/chronyd:
+  chrony_sysconfig:
    title: 2.1.2 | Ensure chrony is configured | sysconfig
+    path: /etc/sysconfig/chronyd
    exists: true
-    contains:
+    contents:
    - '/^OPTIONS="-u chrony"/'
    skip: false
    meta:
@@ -17,10 +17,11 @@ command:
      CISv8_IG2: true
      CISv8_IG3: true
 file:
-  /etc/postfix/main.conf:
+  postfix_local:
    title: 2.2.15 | Ensure mail transfer agent is configured for local-only mode
+    path: /etc/postfix/main.conf
    exists: true
-    contains:
+    contents:
    - '/^inet_interfaces = loopback-only/'
    - '!/^inet_interfaces = all/'
    - '!/^inet_interfaces = [iI][pP][vV]4/'
@@ -1,8 +1,9 @@
 {{ if .Vars.rhel9cis_rule_3_4_1_2 }}
  {{ if eq .Vars.rhel9cis_firewall "nftables" }}
 file:
-  /etc/systemd/system/firewalld.service:
+  firewalld_masked:
    title: 3.4.1.2 | Ensure a single firewall configuration utility is in use | firewalld masked
+    path: /etc/systemd/system/firewalld.service
    filetype: symlink
    linked-to: /dev/null
    exists: true
@@ -51,8 +52,9 @@ service:
  {{ end }}
  {{ if eq .Vars.rhel9cis_firewall "firewalld" }}
 file:
-  /etc/systemd/system/nftables.service:
+  nftables_masked:
    title: 3.4.1.2 | Ensure a single firewall configuration utility is in use | nftables masked
+    path: /etc/systemd/system/nftables.service
    filetype: symlink
    linked-to: /dev/null
    exists: true
@@ -1,9 +1,10 @@
 {{ if .Vars.rhel9cis_rule_4_2_1_3 }}
 file:
-  /etc/systemd/journald.conf:
+  journald_syslog:
    title: 4.2.1.3 | Ensure journald is configured to send logs to rsyslog
+    path: /etc/systemd/journald.conf
    exists: true
-    contains:
+    contents:
    - '/^ForwardToSyslog=yes/'
    - '!/ForwardToSyslog=[Nn][Oo]/'
    meta:
@@ -3,7 +3,7 @@ file:
  /etc/rsyslog.conf:
    title: 4.2.1.5 | Ensure logging is configured
    exists: true
-    contains:
+    contents:
    - '/^\*.emerg\s+:omusrmsg:\*/'
    - '/auth,authpriv.\*\s+/var/log/secure/'
    - '/^mail.\*\s+-/var/log/mail/'
@@ -1,9 +1,10 @@
 {{ if .Vars.rhel9cis_rule_4_2_2_1_2 }}
 file:
-  /etc/systemd/journal-upload.conf:
+  journald_remote_config:
    title: 4.2.2.1.2 | Ensure systemd-journal-remote is configured
+    path: /etc/systemd/journal-upload.conf
    exists: true
-    contains:
+    contents:
    - '/^URL=/'
    - '/ServerKeyFile=.*.pem'
    - '/ServerCertificateFile=.*.pem'
@@ -1,7 +1,8 @@
 {{ if .Vars.rhel9cis_rule_5_1_2 }}
 file:
-  /etc/crontab:
+  crontab_perms:
    title: 5.1.2 | Ensure permissions on /etc/crontab are configured
+    path: /etc/crontab
    exists: true
    owner: root
    group: root
@@ -1,10 +1,11 @@
 {{ if .Vars.rhel9cis_rule_5_1_3 }}
 file:
-  /etc/cron.hourly:
+  cron_hourly_perms:
    title: 5.1.3 | Ensure permissions on /etc/cron.hourly are configured
+    path: /etc/cron.hourly
    exists: true
    owner: root
-    group: root    
+    group: root
    mode: "0700"
    meta:
      server: 1
@@ -17,11 +18,12 @@ file:
      CISv8_IG3: true
 {{ end }}
 {{ if .Vars.rhel9cis_rule_5_1_4 }}
-  /etc/cron.daily:
+  cron_daily_perms:
    title: 5.1.4 | Ensure permissions on /etc/cron.daily are configured
+    path: /etc/cron.daily
    exists: true
    owner: root
-    group: root    
+    group: root
    mode: "0700"
    meta:
      server: 1
@@ -34,11 +36,12 @@ file:
      CISv8_IG3: true
 {{ end }}
 {{ if .Vars.rhel9cis_rule_5_1_5 }}
-  /etc/cron.weekly:
+  cron_weekly_perms:
    title: 5.1.5 | Ensure permissions on /etc/cron.weekly are configured
+    path: /etc/cron.weekly
    exists: true
    owner: root
-    group: root    
+    group: root
    mode: "0700"
    meta:
      server: 1
@@ -51,11 +54,12 @@ file:
      CISv8_IG3: true
 {{ end }}
 {{ if .Vars.rhel9cis_rule_5_1_6 }}
-  /etc/cron.monthly:
+  cron_month_perms:
    title: 5.1.6 | Ensure permissions on /etc/cron.monthly are configured
+    path: /etc/cron.monthly
    exists: true
    owner: root
-    group: root    
+    group: root
    mode: "0700"
    meta:
      server: 1
@@ -68,11 +72,12 @@ file:
      CISv8_IG3: true
 {{ end }}
 {{ if .Vars.rhel9cis_rule_5_1_7 }}
-  /etc/cron.d:
+  crond_perms:
    title: 5.1.7 | Ensure permissions on /etc/cron.d are configured
+    path: /etc/cron.d
    exists: true
    owner: root
-    group: root    
+    group: root
    mode: "0700"
    meta:
      server: 1
@@ -1,7 +1,8 @@
 {{ if .Vars.rhel9cis_rule_5_1_8 }}
 file:
-  /etc/cron.deny:
+  cron_deny_users:
    title: 5.1.8 | Ensure cron is restricted to authorized users
+    path: /etc/cron.deny
    exists: false
    meta:
      server: 1
@@ -12,8 +13,9 @@ file:
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
-  /etc/cron.allow:
+  cron_allow_users:
    title: 5.1.8 | Ensure cron is restricted to authorized users
+    path: /etc/cron.allow
    exists: true
    owner: root
    group: root
@@ -29,8 +31,9 @@ file:
      CISv8_IG3: true
 {{ end }}
 {{ if .Vars.rhel9cis_rule_5_1_9 }}
-  /etc/at.deny:
+  at_deny_users:
    title: 5.1.9 | Ensure at is restricted to authorized users
+    path: /etc/at.deny
    exists: false
    meta:
      server: 1
@@ -41,8 +44,9 @@ file:
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
-  /etc/at.allow:
+  at_allow_users:
    title: 5.1.9 | Ensure at is restricted to authorized users
+    path: /etc/at.allow
    exists: true
    owner: root
    group: root
@@ -1,7 +1,8 @@
 {{ if .Vars.rhel9cis_rule_5_2_1 }}
 file:
-  /etc/ssh/sshd_config:
+  sshd_config_perms:
    title: 5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured
+    path: /etc/ssh/sshd_config
    exists: true
    mode: "0600"
    owner: root
@@ -1,13 +1,10 @@
 {{ if .Vars.rhel9cis_rule_5_2_10 }}
-command:
-  ssh_userenv:
+file:
+  sshd_userenv:
    title: 5.2.10 | Ensure SSH PermitUserEnvironment is disabled | config
-    exec: grep -Ei "PermitUserEnvironment" {{ .Vars.rhel9_cis_sshd_config_file }}
-    exit-status:
-      or:
-      - 0
-      - 1
-    stdout:
+    path: /etc/ssh/sshd_config
+    exists: true
+    contents:
    - '/^PermitUserEnvironment no/'
    - '!/^PermitUserEnvironment yes/'
    meta:
@@ -19,6 +16,7 @@ command:
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
+command:
  ssh_userenv_live:
    title: 5.2.10 | Ensure SSH PermitUserEnvironment is disabled | live
    exec: sshd -T | grep permituserenvironment
@@ -1,13 +1,10 @@
 {{ if .Vars.rhel9cis_rule_5_2_11 }}
-command:
+file:
  ssh_rhosts:
    title: 5.2.11 | Ensure SSH IgnoreRhosts is enabled | config
-    exec: grep -Ei "Ignorerhosts" {{ .Vars.rhel9_cis_sshd_config_file }}
-    exit-status:
-      or:
-      - 0
-      - 1
-    stdout:
+    path: /etc/ssh/sshd_config
+    exists: true
+    contents:
    - '/^IgnoreRhosts yes/'
    - '!/^IgnoreRhosts no/'
    meta:
@@ -19,6 +16,7 @@ command:
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
+command:
  ssh_rhosts_live:
    title: 5.2.11 | Ensure SSH IgnoreRhosts is enabled | live
    exec: sshd -T | grep ignorerhosts
@@ -1,14 +1,11 @@
 {{ if .Vars.rhel9cis_level_2 }}
  {{ if .Vars.rhel9cis_rule_5_2_12 }}
-command:
-  ssh_x11:
+file:
+  sshd_x11:
    title: 5.2.12 | Ensure SSH X11 forwarding is disabled | config
-    exec: grep -Ei "X11forwarding" {{ .Vars.rhel9_cis_sshd_config_file }}
-    exit-status:
-      or:
-      - 0
-      - 1
-    stdout:
+    path: /etc/ssh/sshd_config
+    exists: true
+    contents:
    - '/^X11Forwarding no/'
    - '!/^X11Forwarding yes/'
    meta:
@@ -20,6 +17,7 @@ command:
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
+command:
  ssh_x11_live:
    title: 5.2.12 | Ensure SSH X11 forwarding is disabled | live
    exec: sshd -T | grep x11forwarding
@@ -1,14 +1,11 @@
 {{ if .Vars.rhel9cis_level_2 }}
  {{ if .Vars.rhel9cis_rule_5_2_13 }}
-command:
+file:
  sshd_tcpforwarding:
    title: 5.2.13 | Ensure SSH AllowTcpForwarding is disabled
-    exec: grep -Ei "^allowtcpforward" {{ .Vars.rhel9_cis_sshd_config_file }}
-    exit-status:
-      or:
-      - 0
-      - 1
-    stdout:
+    path: /etc/ssh/sshd_config
+    exists: true
+    contents:
    - '/^AllowTcpForwarding no/'
    - '!/^AllowTcpForwarding yes/'
    meta:
@@ -20,6 +17,7 @@ command:
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
+command:
  sshd_tcpforwarding_live:
    title: 5.2.13 | Ensure SSH AllowTcpForwarding is disabled | live
    exec: sshd -T | grep allowtcpforward
@@ -1,13 +1,10 @@
 {{ if .Vars.rhel9cis_rule_5_2_14 }}
-command:
+file:
  sshd_crypto:
    title: 5.2.14 | Ensure system-wide crypto policy is not over-ridden
-    exec: grep -Ei "^Crypto_policy" /etc/sysconfig/sshd
-    exit-status:
-      or:
-      - 0
-      - 1
-    stdout:
+    path: /etc/ssh/sshd_config
+    exists: true
+    contents:
    - '!/^CRYPTO_POLICY/'
    meta:
      server: 1
@@ -1,13 +1,10 @@
 {{ if .Vars.rhel9cis_rule_5_2_15 }}
-command:
-  ssh_banner:
+file:
+  sshd_banner:
    title: 5.2.15 | Ensure SSH warning banner configured | sshd_default
-    exec: grep -Ei "^banner" {{ .Vars.rhel9_cis_sshd_config_file }}
-    exit-status:
-      or:
-      - 0
-      - 1
-    stdout:
+    path: /etc/ssh/sshd_config
+    exists: true
+    contents:
    - '/^Banner /etc/issue.net/'
    - '!/^Banner none/'
    meta:
@@ -19,6 +16,7 @@ command:
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
+command:
  ssh_configd_banner:
    title: 5.3.15 | Ensure SSH warning banner configured | conf.d banner settings
    exec: grep -Eis '^\s*Banner\s+"?none\b'/etc/ssh/sshd_config.d/*.conf
@@ -1,13 +1,10 @@
 {{ if .Vars.rhel9cis_rule_5_2_16 }}
-command:
+path:
  sshd_authtries:
    title: 5.2.16 | Ensure SSH MaxAuthTries is set to 4 or less
-    exec: grep -Ei "maxauthtries" {{ .Vars.rhel9_cis_sshd_config_file }}
-    exit-status:
-      or:
-      - 0
-      - 1
-    stdout:
+    path: /etc/ssh/sshd_config
+    exists: true
+    contents:
    - "/^MaxAuthTries [1-4]/"
    - "!/^MaxAuthTries [5-9]/"
    meta:
@@ -19,6 +16,7 @@ command:
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
+command:
  sshd_authtries_live:
    title: 5.2.16 | Ensure SSH MaxAuthTries is set to 4 or less | live
    exec: sshd -T | grep maxauthtries
@@ -1,13 +1,10 @@
 {{ if .Vars.rhel9cis_rule_5_2_17 }}
-command:
-  ssh_maxstartups:
+file:
+  sshd_maxstartups:
    title: 5.2.17 | Ensure SSH MaxStartups is configured
-    exec: grep -Ei "^MaxStartups" {{ .Vars.rhel9_cis_sshd_config_file }}
-    exit-status:
-      or:
-      - 0
-      - 1
-    stdout:
+    path: /etc/ssh/sshd_config
+    exists: true
+    contents:
    - "MaxStartups 10:30:60"
    meta:
      server: 1
@@ -18,6 +15,7 @@ command:
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
+command:
  ssh_maxstartups_live:
    title: 5.2.17 | Ensure SSH MaxStartups is configured | live
    exec: sshd -T | grep maxstartups
--- a/Show More
+++ b/Show More