v1.0.0 updates

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

goss.yml

@@ -20,7 +20,10 @@ gossfile:
   {{ if .Vars.rhel9cis_section4 }}
   # Auditd and level 2
     {{ if .Vars.rhel9cis_level_2 }}
-  section_4/cis_4.1/*.yml: {}
+  section_4/cis_4.1.1/*.yml: {}
+  section_4/cis_4.1.2/*.yml: {}
+  section_4/cis_4.1.3/*.yml: {}
+  section_4/cis_4.1.4/*.yml: {}
     {{ end }}
   {{ if eq .Vars.rhel9cis_syslog "rsyslog" }}
   section_4/cis_4.2.1/*.yml: {}
@@ -54,4 +57,4 @@ command:
       host_system_type: {{ .Vars.system_type }}
       benchmark_type: {{ .Vars.benchmark_type }}
       benchmark_version: {{ .Vars.benchmark_version }}
-      benchmark_os: {{ .Vars.benchmark_os }}
+      benchmark_os: {{ .Vars.benchmark_os }}

section_3/cis_3.1/cis_3.1.1.yml

@@ -25,8 +25,8 @@ command:
       - 0
       - 1
     stdout:
-      - '/.*: net.ipv6.conf.all.disable_ipv6 = 1/'
-      - '/.*: net.ipv6.conf.default.disable_ipv6 = 1/'
+    - '/.*: net.ipv6.conf.all.disable_ipv6 = 1/'
+    - '/.*: net.ipv6.conf.default.disable_ipv6 = 1/'
     meta:
       server: 1
       workstation: 1
@@ -38,7 +38,7 @@ command:
       CISv8_IG3: true
   {{ end }}
   {{ if .Vars.rhel9cis_ipv6_required }}
-   default_grub_ipv6:
+  default_grub_ipv6:
     title: 3.1.1 | Ensure IPv6 status is identified
     exec: cat /sys/module/ipv6/parameters/disable
     exit-status: 0
@@ -62,8 +62,8 @@ command:
       - 0
       - 1
     stdout:
-      - '!/.*: net.ipv6.conf.all.disable_ipv6 = 1/'
-      - '!/.*: net.ipv6.conf.default.disable_ipv6 = 1/'
+    - '!/.*: net.ipv6.conf.all.disable_ipv6 = 1/'
+    - '!/.*: net.ipv6.conf.default.disable_ipv6 = 1/'
     meta:
       server: 1
       workstation: 1

section_3/cis_3.2/cis_3.2.1.yml

@@ -43,7 +43,7 @@ command:
       CISv8_IG1: true
       CISv8_IG2: true
       CISv8_IG3: true
-   ip6_forward_conf:
+  ip6_forward_conf:
     title: 3.2.1 | Ensure IP forwarding is disabled | ipv6 conf
     exec: grep net.ipv6.conf.all.forwarding /etc/sysctl.conf /etc/sysctl.d/*
     exit-status: 0

section_3/cis_3.2/cis_3.2.2.yml

@@ -1,4 +1,4 @@
-{{ if .Vars.rhel9cis_rule_3_1_2 }}
+{{ if .Vars.rhel9cis_rule_3_2_2 }}
 kernel-param:
   net.ipv4.conf.all.send_redirects:
     title: 3.2.2 | Ensure packet redirect sending is disabled | live 
@@ -30,8 +30,8 @@ command:
     exec: grep send_redirects /etc/sysctl.conf /etc/sysctl.d/*
     exit-status: 0
     stdout:
-    - '/.*: net.ipv4.conf.all.send_redirects( |)=( |)0/'
-    - '!/.*: net.ipv4.conf.all.send_redirects( |)=( |)1/'
+    - '/.*:net.ipv4.conf.all.send_redirects( |)=( |)0/'
+    - '!/.*:net.ipv4.conf.all.send_redirects( |)=( |)1/'
     meta:
       server: 1
       workstation: 1
@@ -46,8 +46,8 @@ command:
     exec: grep send_redirects /etc/sysctl.conf /etc/sysctl.d/*
     exit-status: 0
     stdout:
-    - '/.*: net.ipv4.conf.default.send_redirects( |)=( |)0/'
-    - '!/.*: net.ipv4.conf.default.send_redirects( |)=( |)1/'
+    - '/.*:net.ipv4.conf.default.send_redirects( |)=( |)0/'
+    - '!/.*:net.ipv4.conf.default.send_redirects( |)=( |)1/'
     meta:
       server: 1
       workstation: 1

section_3/cis_3.3/cis_3.3.4.yml

@@ -32,7 +32,7 @@ command:
     stdout:
     - '/.*:net.ipv4.conf.all.log_martians( |)=( |)1/'
     - '!/.*:net.ipv4.conf.all.log_martians( |)=( |)0/'
-     meta:
+    meta:
       server: 1
       workstation: 1
       CIS_ID:
@@ -48,7 +48,7 @@ command:
     stdout:
     - '/.*:net.ipv4.conf.default.log_martians( |)=( |)1/'
     - '!/.*:net.ipv4.conf.default.log_martians( |)=( |)0/'
-     meta:
+    meta:
       server: 1
       workstation: 1
       CIS_ID:

section_3/cis_3.3/cis_3.3.5.yml

@@ -14,8 +14,8 @@ kernel-param:
       CISv8_IG3: true
 command:
   ipv4_echo_ignore_broadcasts:
-    title: 3.3.5 | Ensure suspicious packets are logged | live ipv4 all
-    exec: grep Ensure broadcast ICMP requests are ignored /etc/sysctl.conf /etc/sysctl.d/*
+    title: 3.3.5 | EEnsure broadcast ICMP requests are ignored | live ipv4 all
+    exec: grep net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d/*
     exit-status: 0
     stdout:
     - '/.*:net.ipv4.icmp_echo_ignore_broadcasts( |)=( |)1/'

section_3/cis_3.4.1/cis_3.4.1.2.yml

@@ -1,9 +1,9 @@
 {{ if .Vars.rhel9cis_rule_3_4_1_2 }}
-  {{ if eq .Vars.rhel9cis_firewall == "nftables" }}
+  {{ if eq .Vars.rhel9cis_firewall "nftables" }}
 file:
   /etc/systemd/system/firewalld.service:
     title: 3.4.1.2 | Ensure a single firewall configuration utility is in use | firewalld masked
-    file-type: symlink
+    filetype: symlink
     linked-to: /dev/null
     exists: true
     meta:
@@ -49,11 +49,11 @@ service:
       CISv8_IG2: true
       CISv8_IG3: true
   {{ end }}
-  {{ if eq .Vars.rhel9cis_firewall == "firewalld" }}
+  {{ if eq .Vars.rhel9cis_firewall "firewalld" }}
 file:
   /etc/systemd/system/nftables.service:
     title: 3.4.1.2 | Ensure a single firewall configuration utility is in use | nftables masked
-    file-type: symlink
+    filetype: symlink
     linked-to: /dev/null
     exists: true
     meta:

section_4/cis_4.1.1/cis_4.1.1.1.yml

@@ -28,5 +28,4 @@ package:
       CISv8_IG1: true
       CISv8_IG2: true
       CISv8_IG3: true
-  {{ end }}
 {{ end }}

section_4/cis_4.1.1/cis_4.1.1.2.yml

@@ -17,7 +17,7 @@ command:
       CISv8_IG3: true
   grubby_audit_1:
     title: 4.1.1.2 | Ensure auditing for processes that start prior to auditd is enabled | live
-    exec: grubby --info=ALL | grep -Po '\baudit=1\b'
+    exec: grubby --info=ALL | grep -Po 'audit=1'
     exit-status: 0
     stdout:
     - '/^saudit=1/'

section_4/cis_4.1.4/cis_4.1.4.3.yml

@@ -1,8 +1,24 @@
 {{ if .Vars.rhel9cis_rule_4_1_4_3 }}
 command:
+  audit_logfile_group_setting:
+    title: 4.1.4.3 | Ensure only authorized groups are assigned ownership of audit log files 
+    exec: grep log_group /etc/audit/audit* | awk '{ print $NF}'
+    exit-status: 0
+    stdout:
+    - '/^(adm|root)$/'
+    meta:
+      server: 2
+      workstation: 2
+      CIS_ID:
+      - 4.1.4.3
+      CISv8:
+      - 3.3
+      CISv8_IG1: true
+      CISv8_IG2: true
+      CISv8_IG3: true
   audit_logfile_group:
     title: 4.1.4.3 | Ensure only authorized groups are assigned ownership of audit log files 
-    exec: for file in `grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'`; do stat -Lc " %n _G" $file; done
+    exec: for file in `grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'`; do stat -Lc " %n_%G" $file; done
     exit-status: 0
     stdout:
     - '/.*_(adm|root)$/'

section_4/cis_4.2.1/cis_4.2.1.6.yml

@@ -1,4 +1,5 @@
 {{ if .Vars.rhel9cis_rule_4_2_1_6 }}
+  {{ if .Vars.rhel9cis_remote_log_server }}
 command:
   remote_syslog:
     title: 4.2.1.6 | Ensure rsyslog is configured to send logs to a remote host
@@ -19,4 +20,5 @@ command:
       CISv8_IG1: true
       CISv8_IG2: true
       CISv8_IG3: true
+  {{ end }}
 {{ end }}

section_4/cis_4.2.3/cis_4.2.3.yml

@@ -3,7 +3,10 @@ command:
   logfile_configured:
     title: 4.2.3 | Ensure permissions on all logfiles are configured
     exec: find /var/log/ -type f -perm /g+wx,o+rwx -exec ls -l "{}" + | grep -Ev "[b,u,w]tmp.*|lastllog"
-    exit-status: 0
+    exit-status:
+      or:
+      - 0
+      - 1
     stdout: ['!/.*/']
     meta:
       server: 1

vars/CIS.yml

@@ -268,7 +268,7 @@ rhel9cis_rule_4_2_2_7: true
 rhel9cis_rule_4_2_3: true
 
 # 4.3 Logrotate
-rhel9cis_rule_4_3_1: true
+rhel9cis_rule_4_3: true
 
 
 # Section 5
@@ -453,6 +453,9 @@ rhel9cis_nft_tables_autochaincreate: true
 
 # Section 4
 
+## Set if server is logserver
+rhel9cis_remote_log_server: false
+
 ## syslog
 ## change to rsyslog/ journald or other
 rhel9cis_syslog: rsyslog