Merge pull request #4 from ansible-lockdown/devel

Updated for benchmarks 1.3 and other fixes 
Signed-off-by: George Nalen <[email protected]>

Changelog.MD

@@ -0,0 +1,200 @@
+# Changelog
+
+stig V1R3 23rd July 2021
+
+stig.yml
+
+- linting
+- new rules (see below)
+- Added new benchmark metadata to be populated
+
+goss.yml & run_audit.sh
+
+- wrapper script for values and corresponding values for benchmark in goss.yml
+
+## All control changes have a new rule ID
+
+## CAT-1
+
+- RHEL-08-010000
+  - update rule id and title
+- RHEL-08-010150
+  - moved content to 010149
+- RHEL-08-020330
+  - updated checks
+- RHEL-08-020331
+  - new control
+- RHEL-08-020332
+  - new control
+
+## CAT-2
+
+- RHEL-08-010001
+  - new control
+- RHEL-08-010049
+  - new control
+- RHEL-08-010050
+  - moved some content to 010049
+- RHEL-08-010130
+  - moved some content to 010131
+- RHEL-08-010131
+  - new control
+- RHEL-08-010140
+  - moved some content to 010141
+- RHEL-08-010141
+  - new control
+- RHEL-08-010149
+  - new control
+- RHEL-08-010151
+- RHEL-08-010152
+  - new control
+- RHEL-08-010159
+  - new control
+- RHEL-08-010160
+  - moved content to 010159
+- RHEL-08-010200
+  - moved content to 010201
+- RHEL-08-010201
+  - new control
+- RHEL-08-010287
+  - new control
+- RHEL-08-010290
+  - moved content to 010287
+- RHEL-08-010291
+  - tidy up
+- RHEL-08-010384
+- RHEL-08-010390
+  - updated
+- RHEL-08-010400
+  - updated check
+- RHEL-08-010422
+  - updated check
+- RHEL-08-010472
+  - new control
+- RHEL-08-010490
+  - update title
+- RHEL-08-010510
+  - updated check
+- RHEL-08-010521
+  - title
+  - moved content to 010522
+- RHEL-08-010522
+  - new control
+- RHEL-08-010544
+  - new control
+- RHEL-08-010571
+  - updated to bios boot only check
+- RHEL-08-010572
+  - new control
+- RHEL-08-010700
+  - title update
+- RHEL-08-010710
+- RHEL-08-010731
+  - new control
+- RHEL-08-010740
+  - updated rule
+- RHEL-08-010741
+  - new control
+- RHEL-08-010830
+- RHEL-08-020011,
+  - updated checks
+- RHEL-08-020013
+  - updated checks
+- RHEL-08- 020015
+  - updated checks
+- RHEL-08-020017
+  - updated checks
+- RHEL-08-020019
+  - updated checks
+- RHEL-08-020021
+  - updated check
+- RHEL-08-020023
+  - updated checks
+- RHEL-08-020025
+  - new control
+- RHEL-08-020026
+  - new control
+- RHEL-08-020031
+  - new control
+- RHEL-08-020032
+  - new control
+- RHEL-08-020039
+  - new control
+- RHEL-08-020040
+  - moved some comntent to 020039
+- RHEL-08-020080
+  - moved some checks to 020081 & 020082
+- RHEL-08-020081
+  - new control
+- RHEL-08-020082
+  - new control
+- RHEL-08-030010
+  - title change
+- RHEL-08-030050
+  - updated check
+- RHEL-08-030180
+  - title updated
+- RHEL-08-030181
+  - new control
+- RHEL-08-030320
+- RHEL-08-030630
+- RHEL-08-030680
+  - package name updated
+- RHEL-08-030730
+  - moved part check to 030731
+- RHEL-08-030731
+  - new control
+- RHEL-08-040023
+  - updated check
+- RHEL-08-040100
+- RHEL-08-040101
+  - new control
+- RHEL-08-040135
+  - moved some content to 010436 & 010437
+- RHEL-08-040136
+  - new control
+- RHEL-08-040137
+  - new control
+- RHEL-08-040139
+  - new control
+- RHEL-08-040140
+  - moved some content to 0101439 & 010141
+- RHEL-08-040141
+  - new control
+- RHEL-08-040150
+  - changes in requirements
+- RHEL-08-040159
+  - new control
+- RHEL-08-040160
+  - moved some content to 010459
+- RHEL-08-040162
+  - Removed
+- RHEL-08-040209
+  - new control
+- RHEL-08-040210
+  - moved ipv4 to 040209
+  - new title
+- RHEL-08-040220
+- RHEL-08-040230
+- RHEL-08-040239
+  - new control
+- RHEL-08-040240
+  - moved ipv4 to 040239
+  - new title
+- RHEL-08-040249
+  - new control
+- RHEL-08-040250
+  - moved ipv4 to 040249
+- RHEL-08-040270
+- RHEL-08-040279
+  - new control
+- RHEL-08-040280
+  - moved ipv4 check to 040279
+- RHEL-08-040286
+  - new control
+- RHEL-08-040370 - Updated CCI mapping
+
+## CAT-3
+
+- RHEL-08-030602
+- RHEL-08-030603

README.md

@@ -2,15 +2,26 @@
 
 ## Overview
 
-based on STIG v1r2
+based on STIG v1r3 July 2021
 
-Set of configuration files and directories to run the first stages of STIG of RHEL/CentOS/Rocky 8 servers
+Ability to audit a system using a lightweight binary to check the current state.
 
-This is configured in a directory structure level.
+This is:
 
-This could do with further testing but sections 1.x should be complete
+- very small 11MB
+- lightweight
+- self contained
 
-Goss is run based on the goss.yml file in the top level directory. This specifies the configuration.
+It works using a set of configuration files and directories to audit STIG of RHEL/CentOS 7 servers. These files/directories correlate to the STIG Level and STIG_ID
+
+Tested on
+
+- RHEL8
+- CentOS8
+- Rocky8
+- Alma-Linux 8
+
+feedback on any differences between OSs please raise an issue
 
 ## variables
 
@@ -29,13 +40,76 @@ If a site has specific options e.g. password complexity these can also be set.
 
 ## Usage
 
-You must have [goss](https://github.com/aelsabbahy/goss/) available to your host you would like to test.
+- You must have [goss](https://github.com/aelsabbahy/goss/) available to your host you would like to test.
+
+- You must have sudo/root access to the system as some commands require privilege information.
+
+- Assuming you have already clone this repository you can run goss from where you wish.
+
+- The ability to run via a wrapper script in the form of run_audit.sh is also available.
+  - This populates benchmark meta fields consistently inline with remediate generated audits
+  - This does need to be run full root privileges
+  - Some variables can be amended to suit your system
+
+```sh
+# run_audit.sh -h
+Script to run the goss audit
+
+Syntax: run_audit.sh [-g|-o|-h]
+options:
+-g     optional - Add a group that the server should be grouped with
+-o     optional - file to output audit data
+-h     Print this Help.
+
+```
+
+This also works alongside the [Ansible Lockdown RHEL8-STIG role](https://github.com/ansible-lockdown/RHEL8-STIG)
+
+Which will:
+
+- install
+- audit
+- remediate
+- audit
 
-You must have root access to the system as some commands require privilege information.
+## Audit variables
 
-- Run as root not sudo due to sudo and shared memory access
+These are found in vars/stig.yml
+Please refer to the file for all options and their meanings
+
+STIG listed variable for every control/benchmark can be turned on/off or section
+
+### The variable files
+
+In this case installed or skipped using the standard name for a package to be installed or _skip to skip a test.
+
+### Extra settings
+
+Some sections can have several options in that case the skip flag maybe passed to the test or exact details relating to your requirements
+e.g.
 
-Assuming you have already clone this repository you can run goss from where you wish.
+- rhel8stig_use_gui
+- rhel8stig_is_router
+- rhel8_stig_nameservers:
+  - 8.8.8.8
+  - 9.9.9.9
+
+## Examples
+
+- run via wrapper script
+
+```sh
+# ./run_audit.sh
+Success Audit
+    "summary": {
+        "failed-count": 290,
+        "summary-line": "Count: 544, Failed: 290, Duration: 34.588s",
+        "test-count": 544,
+        "total-duration": 34588004404
+    }
+}
+Completed file can be found at /var/tmp/audit_1631702160.json
+```
 
 - full check
 
@@ -115,10 +189,6 @@ Total Duration: 0.022s
 Count: 12, Failed: 0, Skipped: 0
 ```
 
-## Extra settings
-
-Ability to add your own requirements is available in several sections
-
 ## further information
 
 - [goss documentation](https://github.com/aelsabbahy/goss/blob/master/docs/manual.md#patterns)
@@ -127,4 +197,4 @@ Ability to add your own requirements is available in several sections
 ## Feedback required
 
 - If using nftables or iptables rather than firewalld
-- Rocky fails to update from public repos if enable FIPS due to SSL cert chain
+- RHEL-08-010020 FIPS crypto with ec2 has seen to fail with cert issues.

cat_1/RHEL-08-010000.yml

@@ -1,15 +1,15 @@
 {{ if .Vars.RHEL_08_010000 }}
 file:
   /etc/redhat-release:
-    title: RHEL-08-010000 | RHEL 8 must be a vendor-supported release.
+    title: RHEL-08-010000 | RHEL 8 must be a vendor-supported release. (Not checking for EUS)
     exists: true
     contains:
     - '/.* 8.[4-8]/'
     meta:
       Cat: 1
       CCI: CCI-000366
       Group_Title: SRG-OS-000480-GPOS-00227
-      Rule_ID: SV-230221r627750_rule
+      Rule_ID: SV-230221r743913_rule
       STIG_ID: RHEL-08-010000
       Vul_ID: V-230221
 {{ end }}

cat_1/RHEL-08-010140.yml

@@ -6,23 +6,12 @@ file:
     exists: true
     contains:
     - '/^GRUB2_PASSWORD={{ .Vars.rhel8stig_password_hash }}/'
+    - '/^GRUB2_PASSWORD=grub.pbkdf2.sha512/'
     meta:
       Cat: 1
       CCI: CCI-000213
       Group_Title: SRG-OS-000080-GPOS-00048
-      Rule_ID: SV-230234r627750_rule
-      STIG_ID: RHEL-08-010140
-      Vul_ID: V-230234
-  {{ .Vars.rhel8stig_bootloader_path }}/grub.cfg:
-    title: RHEL-08-010140 | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | grub_cfg
-    exists: true
-    contains:
-    - '/^set superusers="{{ .Vars.rhel8stig_boot_superuser }}/'
-    meta:
-      Cat: 1
-      CCI: CCI-000213
-      Group_Title: SRG-OS-000080-GPOS-00048
-      Rule_ID: SV-230234r627750_rule
+      Rule_ID: SV-230234r743922_rule
       STIG_ID: RHEL-08-010140
       Vul_ID: V-230234
   {{ end }}

cat_1/RHEL-08-010150.yml

@@ -10,19 +10,7 @@ file:
       Cat: 1
       CCI: CCI-000213
       Group_Title: SRG-OS-000080-GPOS-00048
-      Rule_ID: SV-230235r627750_rule
-      STIG_ID: RHEL-08-010150
-      Vul_ID: V-230235
-  {{ .Vars.rhel8stig_bootloader_path }}/grub.cfg:
-    title: RHEL-08-010150 | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | grub_cfg
-    exists: true
-    contains:
-    - '/^set superusers="{{ .Vars.rhel8stig_boot_superuser }}/'
-    meta:
-      Cat: 1
-      CCI: CCI-000213
-      Group_Title: SRG-OS-000080-GPOS-00048
-      Rule_ID: SV-230235r627750_rule
+      Rule_ID: SV-230235r743925_rule
       STIG_ID: RHEL-08-010150
       Vul_ID: V-230235
   {{ end }}