-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1 from ansible-lockdown/devel
Initial Release Signed-off-by: George Nalen <[email protected]>
- Loading branch information
Showing
342 changed files
with
8,057 additions
and
187 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,130 @@ | ||
| # RHEL/CentOS 8 Goss config | ||
|
|
||
| ## Overview | ||
|
|
||
| based on STIG v1r2 | ||
|
|
||
| Set of configuration files and directories to run the first stages of STIG of RHEL/CentOS/Rocky 8 servers | ||
|
|
||
| This is configured in a directory structure level. | ||
|
|
||
| This could do with further testing but sections 1.x should be complete | ||
|
|
||
| Goss is run based on the goss.yml file in the top level directory. This specifies the configuration. | ||
|
|
||
| ## variables | ||
|
|
||
| file: vars/stig.yml | ||
|
|
||
| Please refer to the file for all options and their meanings | ||
|
|
||
| STIG listed variable for every control/benchmark can be turned on/off or section | ||
|
|
||
| - other controls | ||
| enable_selinux | ||
| run_heavy_tasks | ||
|
|
||
| - bespoke options | ||
| If a site has specific options e.g. password complexity these can also be set. | ||
|
|
||
| ## Usage | ||
|
|
||
| You must have [goss](https://github.com/aelsabbahy/goss/) available to your host you would like to test. | ||
|
|
||
| You must have root access to the system as some commands require privilege information. | ||
|
|
||
| - Run as root not sudo due to sudo and shared memory access | ||
|
|
||
| Assuming you have already clone this repository you can run goss from where you wish. | ||
|
|
||
| - full check | ||
|
|
||
| ```sh | ||
| # {{path to your goss binary}} --vars {{ path to the vars file }} -g {{path to your clone of this repo }}/goss.yml --validate | ||
|
|
||
| ``` | ||
|
|
||
| example: | ||
|
|
||
| ```sh | ||
| # /usr/local/bin/goss --vars ../vars/cis.yml -g /home/bolly/rh8_cis_goss/goss.yml validate | ||
| ......FF....FF................FF...F..FF.............F........................FSSSS.............FS.F.F.F.F.........FFFFF.... | ||
|
|
||
| Failures/Skipped: | ||
|
|
||
| Title: 1.6.1 Ensure core dumps are restricted (Automated)_sysctl | ||
| Command: suid_dumpable_2: exit-status: | ||
| Expected | ||
| <int>: 1 | ||
| to equal | ||
| <int>: 0 | ||
| Command: suid_dumpable_2: stdout: patterns not found: [fs.suid_dumpable = 0] | ||
|
|
||
|
|
||
| Title: 1.4.2 Ensure filesystem integrity is regularly checked (Automated) | ||
| Service: aidecheck: enabled: | ||
| Expected | ||
| <bool>: false | ||
| to equal | ||
| <bool>: true | ||
| Service: aidecheck: running: | ||
| Expected | ||
| <bool>: false | ||
| to equal | ||
| <bool>: true | ||
|
|
||
| < ---------cut ------- > | ||
|
|
||
| Title: 1.1.22 Ensure sticky bit is set on all world-writable directories | ||
| Command: version: exit-status: | ||
| Expected | ||
| <int>: 0 | ||
| to equal | ||
| <int>: 123 | ||
|
|
||
| Total Duration: 5.102s | ||
| Count: 124, Failed: 21, Skipped: 5 | ||
|
|
||
| ``` | ||
|
|
||
| - running a particular section of tests | ||
|
|
||
| ```sh | ||
| # /usr/local/bin/goss -g /home/bolly/rh8_cis_goss/section_1/cis_1.1/cis_1.1.22.yml validate | ||
| ............ | ||
|
|
||
| Total Duration: 0.033s | ||
| Count: 12, Failed: 0, Skipped: 0 | ||
|
|
||
| ``` | ||
|
|
||
| - changing the output | ||
|
|
||
| ```sh | ||
| # /usr/local/bin/goss -g /home/bolly/rh8_cis_goss/section_1/cis_1.1/cis_1.1.22.yml validate -f documentation | ||
| Title: 1.1.20 Check for removeable media nodev | ||
| Command: floppy_nodev: exit-status: matches expectation: [0] | ||
| Command: floppy_nodev: stdout: matches expectation: [OK] | ||
| < -------cut ------- > | ||
| Title: 1.1.20 Check for removeable media noexec | ||
| Command: floppy_noexec: exit-status: matches expectation: [0] | ||
| Command: floppy_noexec: stdout: matches expectation: [OK] | ||
|
|
||
|
|
||
| Total Duration: 0.022s | ||
| Count: 12, Failed: 0, Skipped: 0 | ||
| ``` | ||
|
|
||
| ## Extra settings | ||
|
|
||
| Ability to add your own requirements is available in several sections | ||
|
|
||
| ## further information | ||
|
|
||
| - [goss documentation](https://github.com/aelsabbahy/goss/blob/master/docs/manual.md#patterns) | ||
| - [STIG standards](https://public.cyber.mil/stigs/downloads/) | ||
|
|
||
| ## Feedback required | ||
|
|
||
| - If using nftables or iptables rather than firewalld | ||
| - Rocky fails to update from public repos if enable FIPS due to SSL cert chain |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,14 +1,15 @@ | ||
| {{ if .Vars.RHEL_08_010000 }} | ||
| file: | ||
| /etc/redhat-release: | ||
| title: RHEL-08-010000 | RHEL 8 must be a vendor-supported release. | ||
| exists: true | ||
| contains: | ||
| - '/.* 8.[4-8]/' | ||
| meta: | ||
| - Cat: 1 | ||
| - CCI: CCI-000366 | ||
| - Group_Title: SRG-OS-000480-GPOS-00227 | ||
| - Rule_ID: SV-230221r627750_rule | ||
| - STIG_ID: RHEL-08-010000 | ||
| - Vul_ID: V-230221 | ||
| Cat: 1 | ||
| CCI: CCI-000366 | ||
| Group_Title: SRG-OS-000480-GPOS-00227 | ||
| Rule_ID: SV-230221r627750_rule | ||
| STIG_ID: RHEL-08-010000 | ||
| Vul_ID: V-230221 | ||
| {{ end }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,44 +1,46 @@ | ||
| {{ if .Vars.RHEL_08_010370 }} | ||
| command: | ||
| gpg_check_default: | ||
| title: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | dnf_running | ||
| title: RHEL-08-010370 | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | dnf_running | ||
| exec: dnf config-manager --dump | grep gpgcheck | ||
| timeout: {{ .Vars.timeout_ms }} | ||
| exit-status: 0 | ||
| stdout: | ||
| - '/^gpgcheck.*1/' | ||
| - '!/^gpgcheck.*0/' | ||
| meta: | ||
| - Cat: 1 | ||
| - CCI: CCI-001749 | ||
| - Group_Title: SRG-OS-000366-GPOS-00153 | ||
| - Rule_ID: SV-230264r627750_rule | ||
| - STIG_ID: RHEL-08-010370 | ||
| - Vul_ID: V-230264 | ||
| Cat: 1 | ||
| CCI: CCI-001749 | ||
| Group_Title: SRG-OS-000366-GPOS-00153 | ||
| Rule_ID: SV-230264r627750_rule | ||
| STIG_ID: RHEL-08-010370 | ||
| Vul_ID: V-230264 | ||
| gpg_check_repos: | ||
| title: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | repo_check | ||
| title: RHEL-08-010370 | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | repo_check | ||
| exec: grep -cR '.*gpgcheck.*=0' /etc/yum.repos.d/*.repo | ||
| timeout: {{ .Vars.timeout_ms }} | ||
| exit-status: 1 | ||
| stdout: | ||
| - '!/.*[1-9][0-9]*$/' | ||
| meta: | ||
| - Cat: 1 | ||
| - CCI: CCI-001749 | ||
| - Group_Title: SRG-OS-000366-GPOS-00153 | ||
| - Rule_ID: SV-230264r627750_rule | ||
| - STIG_ID: RHEL-08-010370 | ||
| - Vul_ID: V-230264 | ||
| Cat: 1 | ||
| CCI: CCI-001749 | ||
| Group_Title: SRG-OS-000366-GPOS-00153 | ||
| Rule_ID: SV-230264r627750_rule | ||
| STIG_ID: RHEL-08-010370 | ||
| Vul_ID: V-230264 | ||
| file: | ||
| /etc/dnf/dnf.conf: | ||
| title: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | dnf_conf | ||
| title: RHEL-08-010370 | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | dnf_conf | ||
| exists: true | ||
| contains: | ||
| - '/^gpgcheck.*1/' | ||
| - '!/^gpgcheck.*0/' | ||
| meta: | ||
| - Cat: 1 | ||
| - CCI: CCI-001749 | ||
| - Group_Title: SRG-OS-000366-GPOS-00153 | ||
| - Rule_ID: SV-230264r627750_rule | ||
| - STIG_ID: RHEL-08-010370 | ||
| - Vul_ID: V-230264 | ||
| Cat: 1 | ||
| CCI: CCI-001749 | ||
| Group_Title: SRG-OS-000366-GPOS-00153 | ||
| Rule_ID: SV-230264r627750_rule | ||
| STIG_ID: RHEL-08-010370 | ||
| Vul_ID: V-230264 | ||
| {{ end }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,31 +1,32 @@ | ||
| {{ if .Vars.RHEL_08_010371 }} | ||
| command: | ||
| localpkg_gpg_check_default: | ||
| title: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | dnf_runnig | ||
| title: RHEL-08-010371 | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | dnf_running | ||
| exec: dnf config-manager --dump | grep gpgcheck | ||
| timeout: {{ .Vars.timeout_ms }} | ||
| exit-status: 0 | ||
| stdout: | ||
| - '/^localpkg_gpgcheck.*(1|[tT]rue|yes)/' | ||
| - '!/^localpkg_gpgcheck.*(0|[fF]alse|no)/' | ||
| meta: | ||
| - Cat: 1 | ||
| - CCI: CCI-001749 | ||
| - Group_Title: SRG-OS-000366-GPOS-00153 | ||
| - Rule_ID: SV-230265r627750_rule | ||
| - STIG_ID: RHEL-08-010371 | ||
| - Vul_ID: V-230265 | ||
| Cat: 1 | ||
| CCI: CCI-001749 | ||
| Group_Title: SRG-OS-000366-GPOS-00153 | ||
| Rule_ID: SV-230265r627750_rule | ||
| STIG_ID: RHEL-08-010371 | ||
| Vul_ID: V-230265 | ||
| file: | ||
| /etc/dnf/dnf.conf: | ||
| title: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | dnf_conf | ||
| title: RHEL-08-010371 | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | dnf_conf | ||
| exists: true | ||
| contains: | ||
| - '/^localpkg_gpgcheck.*(1|[tT]rue|yes)/' | ||
| - '!/^localpkg_gpgcheck.*(0|[fF]alse|no)/' | ||
| meta: | ||
| - Cat: 1 | ||
| - CCI: CCI-001749 | ||
| - Group_Title: SRG-OS-000366-GPOS-00153 | ||
| - Rule_ID: SV-230265r627750_rule | ||
| - STIG_ID: RHEL-08-010371 | ||
| - Vul_ID: V-230265 | ||
| Cat: 1 | ||
| CCI: CCI-001749 | ||
| Group_Title: SRG-OS-000366-GPOS-00153 | ||
| Rule_ID: SV-230265r627750_rule | ||
| STIG_ID: RHEL-08-010371 | ||
| Vul_ID: V-230265 | ||
| {{ end }} |
Oops, something went wrong.