fixed tests

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell
2025-02-26 11:59:35 +00:00
parent b75de8d5a1
commit 7bcabcbcf2
5 changed files with 19 additions and 15 deletions
+1 -1
@@ -5,7 +5,7 @@
command:
logs_full_auditd_conf:
title: 6.3.2.3 | Ensure system is disabled when audit logs are full
exec: grep disk_full_action /etc/audit/auditd.conf
exec: grep -E "disk.*action" /etc/audit/auditd.conf
exit-status: 0
stdout:
- '/disk_full_action\s*=\s*(halt|single)/'
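Review bot: The stdout pattern `'/disk_full_action\s*=\s*(halt|single)/'` is unanchored, so a commented-out line such as `#disk_full_action = halt` left in auditd.conf still satisfies the check, and the widened `grep -E "disk.*action"` exec (the new line, if the printed order is old-then-new) now also returns disk_error_action lines that the pattern simply ignores. Anchoring the expectation to the start of the line, e.g. `'/^\s*disk_full_action\s*=\s*(halt|single)/'`, rejects a commented setting; this assumes goss matches regex patterns per output line, which is worth confirming against the goss version in use. The `[^#]` prefix used by the sibling rules.d tests would not work here, because grep on a single file prints no `file:` prefix and the pattern would need a character before the key name.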
+2 -2
@@ -8,8 +8,8 @@ command:
exec: grep delete /etc/audit/rules.d/*.rules
exit-status: 0
stdout:
- '/[^#]-a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -F key=delete/'
- '/[^#]-a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -F key=delete/'
- '/[^#]-a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -k delete/'
- '/[^#]-a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -k delete/'
meta:
server: 2
workstation: 2
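Review bot: The `auid!=(unset|-1|auid!=4294967295)` alternation in both patterns is malformed: the third alternative re-embeds `auid!=`, so the regex only accepts the literal text `-F auid!=auid!=4294967295`, and a rule written in the numeric form `-F auid!=4294967295` fails the test; it should read `auid!=(unset|-1|4294967295)`. The same alternation is carried over in all six perm_mod patterns in the last file of this commit. Separately, the leading `[^#]` requires a character before `-a`; when the `/etc/audit/rules.d/*.rules` glob expands to a single file grep prints no `file:` prefix and every pattern fails, so either `grep -H` in the exec or `(^|[^#])` in the pattern would make the test independent of the file count. The two patterns on the new side are also identical (both `arch=b32`), so no b64 delete rule is checked; presumably one of them was meant to be `arch=b64`, unless the rendering collapsed it.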
+8 -4
@@ -8,9 +8,11 @@ command:
exec: grep time-change /etc/audit/rules.d/*.rules
exit-status: 0
stdout:
- '-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change'
- '-a always,exit -F arch=b32 -S adjtimex,settimeofday -k time-change'
- '-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -k time-change'
- '-a always,exit -F arch=b64 -S adjtimex,settimeofday -k time-change'
- '-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -k time-change'
- '-w /etc/localtime -p wa -k time-change'
- '-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change'
meta:
server: 2
workstation: 2
@@ -28,9 +30,11 @@ command:
exec: auditctl -l | grep time-change
exit-status: 0
stdout:
- '-a always,exit -F arch=b32 -S settimeofday,adjtimex,clock_settime -F key=time-change'
- '-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change'
- '-a always,exit -F arch=b32 -S settimeofday,adjtimex -F key=time-change'
- '-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change'
- '-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change'
- '-w /etc/localtime -p wa -k time-change'
- '-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -F key=time-change'
meta:
server: 2
workstation: 2
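Review bot: The four split rules.d expectations (the adjtimex,settimeofday and clock_settime lines for b32 and b64) are plain substrings, so a rule commented out with a leading `#` still satisfies `grep time-change`, whereas the delete and perm_mod tests in this same commit guard against that with a `[^#]` regex prefix; the same applies to the new `-k system-locale` lines in the following file. A guarded form would be `'/(^|[^#])-a always,exit -F arch=b32 -S adjtimex,settimeofday -k time-change/'` for each of them. In the second hunk the `auditctl -l` expectations list the b32 syscalls as `settimeofday,adjtimex`, the reverse of the rules-file order; that looks intentional, since auditctl prints syscalls in its own order, but a one-line comment above that stdout list saying so would keep the next reader from "fixing" it.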
+2 -2
@@ -8,8 +8,8 @@ command:
exec: grep system-locale /etc/audit/rules.d/*.rules
exit-status: 0
stdout:
- '-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale'
- '-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale'
- '-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale'
- '-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale'
- '-w /etc/issue -p wa -k system-locale'
- '-w /etc/issue.net -p wa -k system-locale'
- '-w /etc/hosts -p wa -k system-locale'
+6 -6
@@ -8,12 +8,12 @@ command:
exec: grep perm_mod /etc/audit/rules.d/*.rules
exit-status: 0
stdout:
- '/[^#]-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -F key=perm_mod/'
- '/[^#]-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -F key=perm_mod/'
- '/[^#]-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -F key=perm_mod/'
- '/[^#]-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -F key=perm_mod/'
- '/[^#]-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -F key=perm_mod/'
- '/[^#]-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -F key=perm_mod/'
- '/[^#]-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -k perm_mod/'
- '/[^#]-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -k perm_mod/'
- '/[^#]-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -k perm_mod/'
- '/[^#]-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -k perm_mod/'
- '/[^#]-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -k perm_mod/'
- '/[^#]-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=(unset|-1|auid!=4294967295) -k perm_mod/'
meta:
server: 2
workstation: 2