From f90a78b71bbceceb50f5aed5373f89096bcc071c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 9 Aug 2024 11:22:48 +0100 Subject: [PATCH] test and var improvements Signed-off-by: Mark Bolwell --- section_5/cis_5.1/cis_5.1.7.yml | 11 +++--- section_5/cis_5.3.2/cis_5.3.2.1.yml | 4 +- section_5/cis_5.3.3.2/cis_5.3.3.2.3.yml | 4 +- section_5/cis_5.4.1/cis_5.4.1.1.yml | 2 +- section_5/cis_5.4.1/cis_5.4.1.3.yml | 2 +- section_6/cis_6.1/cis_6.1.2.yml | 4 +- section_7/cis_7.1/cis_7.1.12.yml | 2 +- vars/CIS.yml | 50 +++++++++---------------- 8 files changed, 32 insertions(+), 47 deletions(-) diff --git a/section_5/cis_5.1/cis_5.1.7.yml b/section_5/cis_5.1/cis_5.1.7.yml index 7b5e5fd..bcb2cf2 100644 --- a/section_5/cis_5.1/cis_5.1.7.yml +++ b/section_5/cis_5.1/cis_5.1.7.yml @@ -2,19 +2,19 @@ {{ if .Vars.rhel9cis_level_1 }} {{ if .Vars.rhel9cis_rule_5_1_7 }} - {{ if .Vars.rhel9cis_sshd_limited }} command: sshd_access_limited: title: 5.1.7 | Ensure SSH access is limited | config - exec: grep -E "^(Allow|Deny)(User|Group)" {{ .Vars.rhel9_cis_sshd_config_file }} + exec: grep -Ei "^(Allow|Deny)(Users|Groups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf exit-status: or: - 0 - 1 stdout: - {{ range .Vars.rhel9cis_sshd_access }} - - {{ . }} - {{ end }} + - allowusers: {{ .Vars.rhel9cis_sshd_allowusers }} + - allowgroups: {{ .Vars.rhel9cis_sshd_allowgroups }} + - denyusers: {{ .Vars.rhel9cis_sshd_denyusers }} + - denygroups: {{ .Vars.rhel9cis_sshd_denygroups }} meta: server: 1 workstation: 1 @@ -27,6 +27,5 @@ command: NIST800-53R5: - AC-3 - MP-2 - {{ end }} {{ end }} {{ end }} diff --git a/section_5/cis_5.3.2/cis_5.3.2.1.yml b/section_5/cis_5.3.2/cis_5.3.2.1.yml index 151aa2f..61ca5f0 100644 --- a/section_5/cis_5.3.2/cis_5.3.2.1.yml +++ b/section_5/cis_5.3.2/cis_5.3.2.1.yml 
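Review bot: The four new `stdout:` entries in the 5.1.7 hunk are YAML mappings once rendered (`- allowusers: vagrant`), not strings, so goss will not compare them against the lines grep prints, and the `allowgroups`/`denygroups` entries render with no value at all because their new defaults in vars/CIS.yml are bare nulls. Each entry should be a quoted string (or a `/(?i).../` pattern, since the grep is now case-insensitive) in the form grep actually emits, and wrapped in a guard so an unset list is not asserted; a rewrite is below. Two smaller points on the same `exec:` line: `rhel9_cis_sshd_config_file` remains defined in vars/CIS.yml but is no longer used here, and when `/etc/ssh/sshd_config.d/*.conf` matches nothing the unexpanded glob makes grep exit 2, outside the accepted `or: [0, 1]`. Removing the closing `{{ end }}` in the second hunk is consistent with dropping the `rhel9cis_sshd_limited` guard; the remaining `{{ if }}` guards close outside the hunk.
```yaml
    stdout:
      {{ if .Vars.rhel9cis_sshd_allowusers }}
      - 'AllowUsers {{ .Vars.rhel9cis_sshd_allowusers }}'
      {{ end }}
      {{ if .Vars.rhel9cis_sshd_allowgroups }}
      - 'AllowGroups {{ .Vars.rhel9cis_sshd_allowgroups }}'
      {{ end }}
      {{ if .Vars.rhel9cis_sshd_denyusers }}
      - 'DenyUsers {{ .Vars.rhel9cis_sshd_denyusers }}'
      {{ end }}
      {{ if .Vars.rhel9cis_sshd_denygroups }}
      - 'DenyGroups {{ .Vars.rhel9cis_sshd_denygroups }}'
      {{ end }}
    # … unchanged: meta block …
```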
@@ -6,7 +6,7 @@ file: passwd_auth_authselect_modules: title: 5.3.2.1 | Ensure active authselect profile includes pam modules - path: /etc/authselect/custom/{{ .Var.rhel9cis_authselect.custom_profile_name }}/password-auth + path: /etc/authselect/custom/{{ .Vars.rhel9cis_authselect_custom_profile_name }}/password-auth exists: true contents: - 'auth required pam_faillock.so preauth silent {include if "with-faillock"}' @@ -30,7 +30,7 @@ file: NIST800-53R5: NA system_auth_authselect_modules: title: 5.3.2.1 | Ensure active authselect profile includes pam modules - path: /etc/authselect/custom/{{ .Var.rhel9cis_authselect.custom_profile_name }}/password-auth + path: /etc/authselect/custom/{{ .Vars.rhel9cis_authselect_custom_profile_name }}/system-auth exists: true contents: - 'auth required pam_faillock.so preauth silent {include if "with-faillock"}' diff --git a/section_5/cis_5.3.3.2/cis_5.3.3.2.3.yml b/section_5/cis_5.3.3.2/cis_5.3.3.2.3.yml index fa1d21d..6a0c0d5 100644 --- a/section_5/cis_5.3.3.2/cis_5.3.3.2.3.yml +++ b/section_5/cis_5.3.3.2/cis_5.3.3.2.3.yml @@ -11,12 +11,12 @@ command: - 0 - 1 stdout: - {{ if eq .Vars.rhel9cis_password_complex_option "minclass" }} + {{ if eq .Vars.rhel9cis_passwd_complex_option "minclass" }} - '/.*\:minclass\s*=\s*([4-9]|[1-9][0-9])/' - '!/.*\:minclass\s*=\s*[0-3]/' - '!/.*\:(d|l|o|u)credit/' {{ end }} - {{ if eq .Vars.rhel9cis_password_complex_option "credits" }} + {{ if eq .Vars.rhel9cis_passwd_complex_option "credits" }} - '/.*\:dcredit\s*=\s*-\d/' - '/.*\:lcredit\s*=\s*-\d/' - '/.*\:ocredit\s*=\s*-\d/' diff --git a/section_5/cis_5.4.1/cis_5.4.1.1.yml b/section_5/cis_5.4.1/cis_5.4.1.1.yml index 572ad54..72840f3 100644 --- a/section_5/cis_5.4.1/cis_5.4.1.1.yml +++ b/section_5/cis_5.4.1/cis_5.4.1.1.yml 
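Review bot: Both cis_5.3.2.1 hunks now point `path:` at `/etc/authselect/custom/{{ .Vars.rhel9cis_authselect_custom_profile_name }}/...` with `exists: true`, but nothing in the hunks ties the checks to `rhel9cis_authselect_custom_profile_create`/`_select`, whose defaults are `false` in vars/CIS.yml, so on a host using the stock `sssd` profile (or AD/IdM, as the vars comment suggests) the custom directory will not exist and both checks fail. If that guard is not already among the `{{ if }}` lines above line 6 (outside the hunk), consider wrapping the two checks in `{{ if .Vars.rhel9cis_authselect_custom_profile_select }}` … `{{ end }}`. The second hunk also corrects the copied `password-auth` path to `system-auth`, which appears to be the intended file for `system_auth_authselect_modules`; a one-line comment above each check naming the PAM stack it covers would make the pair easier to tell apart.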
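Review bot: After the rename in cis_5.3.3.2.3, a `rhel9cis_passwd_complex_option` value other than `minclass` or `credits` renders no `stdout:` entries, so the check asserts nothing about pwquality and passes silently. This matters because the variable name changed in this very commit: an inventory that still sets the old `rhel9cis_password_complex_option` falls into exactly that empty case. Add an `{{ else }}` branch whose single expectation cannot appear in the grep output so the misconfiguration is reported as a failure, or at least the comment `# rhel9cis_passwd_complex_option must be minclass or credits; any other value disables this assertion` above the first `{{ if }}`. The check's `exec:` and guards are outside the hunk.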
@@ -8,7 +8,7 @@ command: exec: grep PASS_MAX_DAYS /etc/login.defs exit-status: 0 stdout: - - '/^PASS_MAX_DAYS\s+{{ .Vars.rhel9cis_pass.max_days }}/' + - '/^PASS_MAX_DAYS\s+{{ .Vars.rhel9cis_pass_max_days }}/' - '!/^PASS_MAX_DAYS\s+(36[6-9]|[4-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9])/' - '!/^PASS_MAX_DAYS\s+-1/' meta: diff --git a/section_5/cis_5.4.1/cis_5.4.1.3.yml b/section_5/cis_5.4.1/cis_5.4.1.3.yml index bebb7c8..81e9ead 100644 --- a/section_5/cis_5.4.1/cis_5.4.1.3.yml +++ b/section_5/cis_5.4.1/cis_5.4.1.3.yml @@ -8,7 +8,7 @@ file: path: /etc/login.defs exists: true contents: - - '/^PASS_WARN_AGE\s+{{ .Vars.rhel9cis_pass.warn_age }}$/' + - '/^PASS_WARN_AGE\s+{{ .Vars.rhel9cis_pass_warn_age }}$/' - '/^PASS_WARN_AGE\s+(7|[1-9][0-9]{1,3})$/' - '!/^PASS_WARN_AGE\s+[1-6]$/' meta: diff --git a/section_6/cis_6.1/cis_6.1.2.yml b/section_6/cis_6.1/cis_6.1.2.yml index 95542a6..454355c 100644 --- a/section_6/cis_6.1/cis_6.1.2.yml +++ b/section_6/cis_6.1/cis_6.1.2.yml @@ -3,7 +3,7 @@ {{ if .Vars.rhel9cis_level_1 }} {{ if .Vars.rhel9cis_config_aide }} {{ if .Vars.rhel9cis_rule_6_1_2 }} - {{ if eq .Vars.rhel9_aide_scan "cron" }} + {{ if eq .Vars.rhel9cis_aide_scan "cron" }} command: aide_cron: title: 6.1.2 | Ensure filesystem integrity is regularly checked @@ -29,7 +29,7 @@ command: - AU-2 # Can be enabled if using timer and service files service: - {{ if eq .Vars.rhel9_aide_scan "timer" }} + {{ if eq .Vars.rhel9cis_aide_scan "timer" }} aidecheck: title: 6.1.2 | Ensure filesystem integrity is regularly checked enabled: true diff --git a/section_7/cis_7.1/cis_7.1.12.yml b/section_7/cis_7.1/cis_7.1.12.yml index 1a0eaa4..345e906 100644 --- a/section_7/cis_7.1/cis_7.1.12.yml +++ b/section_7/cis_7.1/cis_7.1.12.yml 
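Review bot: The renamed expectation `'/^PASS_MAX_DAYS\s+{{ .Vars.rhel9cis_pass_max_days }}/'` in cis_5.4.1.1 is unanchored on the right, so with the default `"365"` it also accepts `PASS_MAX_DAYS 3650` and relies on the second, negative pattern to reject it, whereas the sibling cis_5.4.1.3 hunk anchors with `$`. Suggest `- '/^PASS_MAX_DAYS\s+{{ .Vars.rhel9cis_pass_max_days }}$/'` for consistency, which also makes the first pattern sufficient on its own. Note too that `exec: grep PASS_MAX_DAYS /etc/login.defs` prints any commented `#PASS_MAX_DAYS` line as well; that is harmless only because every pattern starts with `^`, and `grep '^PASS_MAX_DAYS'` would state the intent directly.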
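Review bot: In cis_6.1.2 the two `{{ if eq .Vars.rhel9cis_aide_scan ... }}` branches have no fallback, so a value other than `cron` or `timer` renders neither the `aide_cron` command nor the `aidecheck` service and 6.1.2 is silently skipped; cis_5.3.3.2.3 in this same patch has the same shape. The second hunk also emits the `service:` key outside its `{{ if }}`, so in `cron` mode the key is rendered with nothing under it, which YAML loads as null — worth confirming with `goss validate` in both modes that this is accepted. Move `service:` inside the `{{ if eq .Vars.rhel9cis_aide_scan "timer" }}` guard, as `command:` already sits inside the `cron` one, and add `# rhel9cis_aide_scan must be cron or timer; any other value disables this check` near the top of the file. The `{{ end }}` lines closing these guards are outside the hunks.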
@@ -6,7 +6,7 @@ command: unowned_ungrouped_dirs: title: 7.1.12 | Ensure no files or directories without an owner and a group exist - exec: df --local -P | awk {'if (NR!=1) print $7'} | xargs -I '{}' find '{}' -xdev \( -nouser -o -nogroup \) + exec: df --local -P | awk {'if (NR!=1) print $7'} | xargs -I '{}' find '{}' -xdev {{ .Vars.rhel9cis_exclude_unowned_search_path }} exit-status: 0 timeout: {{ .Vars.timeout_ms }} stdout: diff --git a/vars/CIS.yml b/vars/CIS.yml index b2b24b7..25b3f38 100644 --- a/vars/CIS.yml +++ b/vars/CIS.yml @@ -425,12 +425,11 @@ rhel9cis_warning_banner: Authorized uses only. All activity may be monitored and # End Banner # aide setup via - cron, timer -rhel9_aide_scan: cron +rhel9cis_aide_scan: cron # 1.8 Gnome Desktop rhel9cis_dconf_db_name: local -rhel922cis_screensaver_idle_delay: 900 # Set max value for idle-delay in seconds (between 1 and 900) -rhel9cis_screensaver_lock_delay: 5 # Set max value for lock-delay in seconds (between 0 and 5) + # Section 2 # Service configuration @@ -518,14 +517,6 @@ rhel9cis_is_router: false ## Section 3.4 ### Firewall rhel9cis_firewall: firewalld -##### firewalld -rhel9cis_default_zone: public -rhel9cis_firewalld_nftables_state: masked # Note if absent removes the firewalld pkg dependancy -#### nftables -rhel9cis_nftables_firewalld_state: masked -rhel9cis_nft_tables_autonewtable: true -rhel9cis_nft_tables_tablename: filter -rhel9cis_nft_tables_autochaincreate: true # Section 4 
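Review bot: The new `exec:` in cis_7.1.12 drops the `\( -nouser -o -nogroup \)` predicate and replaces it with `{{ .Vars.rhel9cis_exclude_unowned_search_path }}`, so unless that variable itself carries the predicate the find now lists every file on every local filesystem and the check no longer tests for unowned or ungrouped files. The variable is not added to vars/CIS.yml anywhere in this patch; if it is undefined, Go text/template is likely to render `<no value>` into the shell command, which find will reject, and the check fails for the wrong reason. Keep the predicate in the check and let the variable hold only exclusions, e.g. `find '{}' -xdev {{ .Vars.rhel9cis_exclude_unowned_search_path }} \( -nouser -o -nogroup \)`, and document the expected shape next to the variable in vars/CIS.yml (`# find(1) exclusion fragment spliced into the 7.1.12 command, e.g. -not -path '/example/*' ; set to "" for none`). Because the fragment is inserted unquoted into a shell pipeline, it has to be treated as configuration trusted to the same degree as the rest of vars/CIS.yml.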
@@ -547,28 +538,24 @@ rhel9cis_syslog: journald rhel9_cis_sshd_config_file: /etc/ssh/sshd_config -## 5.2.4 Note the following to understand precedence and layout -rhel9cis_sshd_limited: false -rhel9cis_sshd_access: - - AllowUser - - AllowGroup - - DenyUser - - DenyGroup +## 5.1.7 Note the following to understand precedence and layout , comma seperated +rhel9cis_sshd_allowusers: vagrant +rhel9cis_sshd_allowgroups: +rhel9cis_sshd_denyusers: nobody +rhel9cis_sshd_denygroups: -## 5.3.2 & 5.4.2 Enable automation to select custom profile options, using the settings above +## 5.3.2.1 Enable automation to create custom profile settings, using the setings above +rhel9cis_authselect_custom_profile_create: false + +## 5.3.2.1 Enable automation to select custom profile options, using the settings above rhel9cis_authselect_custom_profile_select: false -## 5.3.2 Authselect select false if using AD or RHEL ID mgmt -rhel9cis_authselect: - custom_profile_name: custom-profile - default_file_to_copy: sssd +## 5.3.2.1 Authselect select false if using AD or RHEL ID mgmt +rhel9cis_authselect_custom_profile_name: mpg_cis ## 5.3.3.2.3 Set option used for password complexity # either mincall or credits - enabling to check for one option in settings -rhel9cis_password_complex_option: minclass - -## 5.4.1 Enable automation to create custom profile settings, using the setings above -rhel9cis_authselect_custom_profile_create: false +rhel9cis_passwd_complex_option: minclass # 5.5.1 ## PAM @@ -581,11 +568,10 @@ rhel9cis_pam_passwd_retry: "3" rhel9cis_pwhistory_so: "14" rhel9cis_passwd_remember: "5" -## 5.6.x login.defs password settings -rhel9cis_pass: - max_days: "365" - min_days: "1" - warn_age: "7" +## 5.4.1.x login.defs password settings +rhel9cis_pass_max_days: "365" +rhel9cis_pass_min_days: "1" +rhel9cis_pass_warn_age: "7" ## 5.3.7 set sugroup if differs from wheel rhel9cis_sugroup: sugroup
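Review bot: The new defaults `rhel9cis_sshd_allowusers: vagrant` and `rhel9cis_sshd_denyusers: nobody` are environment-specific values (a Vagrant test user) shipped as the baseline expectation for 5.1.7, so an audit of a real host fails — or passes only where `vagrant` is the user granted SSH access — unless every consumer overrides them; the same applies to `rhel9cis_authselect_custom_profile_name: mpg_cis`, which replaced the generic `custom-profile`. `rhel9cis_sshd_allowgroups:` and `rhel9cis_sshd_denygroups:` are bare keys, which YAML loads as null rather than an empty string; write them as `rhel9cis_sshd_allowgroups: ""` (and likewise for denygroups) so the template sees an empty string it can test with `{{ if }}`. The comment `## 5.3.2.1 Authselect select false if using AD or RHEL ID mgmt` now sits above the profile name rather than the select toggle it describes; move it to `rhel9cis_authselect_custom_profile_select` and give the name its own line, e.g. `## 5.3.2.1 Name of the custom authselect profile the 5.3.2.1 checks expect`. Wording in the new comments: `seperated` → `separated`, `setings` → `settings`, and the retained `mincall` should read `minclass`. The `rhel9_cis_sshd_config_file` line kept as context at the top of the hunk is no longer referenced by 5.1.7 after this patch; if nothing else reads it, it can go, and otherwise its `rhel9_cis_` prefix is now the odd one out against the `rhel9cis_` naming used throughout.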