updated tests

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

section_3/cis_3.1/cis_3.1.1.yml

@@ -1,10 +1,11 @@
 {{ if not .Vars.rhel9cis_ipv6_required }}
   {{ if .Vars.rhel9cis_rule_3_1_1 }}
-file:
-  /etc/default/grub:
-    title: 3.1.1 | Verify if IPv6 is enabled on the system
-    exists: true
-    contains:
+command:
+  default_grub_ipv6:
+    title: 3.1.1 |Verify if IPv6 is enabled on the system
+    exec: grep ipv6 /etc/default/grub.conf
+    exit-status: 0
+    stdout:
     - '/(?=\S+\s(ipv6\.disable=1.*)$)^GRUB_CMDLINE_LINUX="/'
     meta:
       server: 1
@@ -15,7 +16,6 @@ file:
       CISv8_IG1: false
       CISv8_IG2: true
       CISv8_IG3: true
-command:
   sysctl_ipv6_disable:
     title: 3.1.1 | Verify if IPv6 is enabled on the system
     exec: grep disable_ipv6 /etc/sysctl.conf /etc/sysctl.d/*

section_4/cis_4.1/cis_4.1.1.3.yml

@@ -1,9 +1,10 @@
 {{ if .Vars.rhel9cis_rule_4_1_1_3 }}
-file:
-  /boot/grub2/grubenv:
+command:
+  audit_grubenv:
     title: 4.1.1.3 | Ensure auditing for processes that start prior to auditd is enabled
-    exists:  true
-    contains:
+    exec: grep audit= /boot/grub2/grubenv
+    exit-status: 0
+    stdout:
     - '/^kernelopts=.*\saudit=1.*/'
     meta:
       server: 2
@@ -14,10 +15,11 @@ file:
       CISv8_IG1: true
       CISv8_IG2: true
       CISv8_IG3: true
-  /etc/default/grub:
+  audit_default_grub:
     title: 4.1.1.3 | Ensure auditing for processes that start prior to auditd is enabled
-    exists:  true
-    contains: 
+    exec: grep audit= /etc/default/grub
+    exit-status: 0
+    stdout:
     - '/^GRUB_CMDLINE_LINUX=.*\saudit=1.*/'
     meta:
       server: 2

section_4/cis_4.1/cis_4.1.1.4.yml

@@ -1,9 +1,10 @@
 {{ if .Vars.rhel9cis_rule_4_1_1_4 }}
-file:
-  /etc/default/grub:
+command:
+  audit_backlog_default_grub:
     title: 4.1.1.4 | Ensure audit_backlog_limit is sufficient | default
-    exists:  true
-    contains: 
+    exec: grep audit_backlog /etc/default/grub
+    exit-status: 0
+    stdout:
     - '/^GRUB_CMDLINE_LINUX=.*\saudit_backlog_limit=(8192|819[3-9]|8[2-9]{,2}|9[0-9]{3,9}|[1-9]{5,9}).*/'
     meta:
       server: 2

section_4/cis_4.1/cis_4.1.2.1.yml

@@ -1,9 +1,10 @@
 {{ if .Vars.rhel9cis_rule_4_1_2_1 }}
-file:
-  /etc/audit/auditd.conf:
-    exists: true
+command:
+  max_log_auditd_conf:
     title: 4.1.2.1 | Ensure audit log storage size is configured
-    contains:
+    exec: grep max_log_file /etc/audit/auditd.conf
+    exit-status: 0
+    stdout:
     - '/^max_log_file = \d\d\d\d+/'
     meta:
       server: 2

section_4/cis_4.1/cis_4.1.2.2.yml

@@ -1,9 +1,11 @@
 {{ if .Vars.rhel9cis_rule_4_1_2_2 }}
-file:
-  /etc/audit/auditd.conf:
+command:
+  max_log_action_auditd_conf:
     exists: true
     title: 4.1.2.2 | Ensure audit logs are not automatically deleted
-    contains: 
+    exec: grep max_log_file_action /etc/audit/auditd.conf
+    exit-status: 0
+    stdout:
     - 'max_log_file_action = keep_logs'
     meta:
       server: 2

section_4/cis_4.1/cis_4.1.2.3.yml

@@ -1,9 +1,10 @@
 {{ if .Vars.rhel9cis_rule_4_1_2_3 }}
-file:
-  /etc/audit/auditd.conf:
+command:
+  logs_full_auditd_conf:
     title: 4.1.2.3 | Ensure system is disabled when audit logs are full
-    exists: true
-    contains:
+    exec: grep -E "space" /etc/audit/auditd.conf
+    exit-status: 0
+    stdout:
     - space_left_action = email
     - action_mail_acct = root
     - '/^admin_space_left_action = (halt|single)/'

section_4/cis_4.2.2/cis_4.2.2.3.yml

@@ -1,9 +1,10 @@
 {{ if .Vars.rhel9cis_rule_4_2_2_3 }}
-file:
-  /etc/systemd/journald.conf:
+command:
+  compress_journald_conf:
     title: 4.2.2.3 | Ensure journald is configured to compress large log files
-    exists: true
-    contains:
+    exec: grep -i compress /etc/systemd/journald.conf
+    exit-status: 0
+    stdout:
     - '/Compress=yes/'
     - '/!Compress=[Nn][Oo]/'
     meta:

section_4/cis_4.2.2/cis_4.2.2.4.yml

@@ -1,9 +1,10 @@
 {{ if .Vars.rhel9cis_rule_4_2_2_4 }}
-file:
-  /etc/systemd/journald.conf:
+command:
+  storage_journald_conf:
     title: 4.2.2.4 | Ensure journald is configured to write logfiles to persistent disk
-    exists: true
-    contains:
+    exec: grep -i storage /etc/systemd/journald.conf
+    exit-status: 0
+    stdout:
     - '/^Storage=persistent/'
     meta:
       server: 1

section_4/cis_4.2.2/cis_4.2.2.5.yml

@@ -1,9 +1,10 @@
 {{ if .Vars.rhel9cis_rule_4_2_2_5 }}
-file:
-  /etc/systemd/journald.conf:
+command:
+  forward_journald_conf:
     title: 4.2.2.5 | Ensure journald is not configured to send logs to rsyslog
-    exists: true
-    contains:
+    exec: grep -i forward /etc/systemd/journald.conf
+    exit-status: 0
+    stdout:
     - '!/^\s*ForwardToSyslog/'
     meta:
       server: 1

section_4/cis_4.2.2/cis_4.2.2.6.yml

@@ -1,9 +1,10 @@
 {{ if .Vars.rhel9cis_rule_4_2_2_6 }}
-file:
-  /etc/systemd/journald.conf:
+command:
+  log_rotate_journald_conf:
     title: 4.2.2.6 | Ensure journald log rotation is configured per site policy
-    exists: true
-    contains:
+    exec: grep -Ei "max|keep" /etc/systemd/journald.conf
+    exit-status: 0
+    stdout:
     - '/^SystemMaxUse=/'
     - '/^SystemKeepFree=/' 
     - '/^RuntimeMaxUse=/'