Merge pull request #30 from ansible-lockdown/devel

Benchmark 1.8 release to main

cat_2/RHEL-08-010000_010830/RHEL-08-010010.yml

@@ -5,9 +5,10 @@ command:
     title: RHEL-08-010010 | RHEL 8 vendor packaged system security patches and updates must be installed and up to date.
     exit-status: 0
     timeout: {{ .Vars.timeout_ms }}
-    exec: dnf check-update
+    exec: dnf check-update | grep -cE "\.noarch|\.x86_64|\.386"
     stdout: 
-    - "!/^[0-9].* packages available/"
+    - "/^0/"
+    - "!/^[1-9]/"
     meta:
       Cat: 2
       CCI: CCI-000366

cat_2/RHEL-08-010000_010830/RHEL-08-010040.yml

@@ -9,7 +9,6 @@ command:
       - 2
     stdout:
     - '/.*:Banner {{ .Vars.rhel8stig_banner_file }}/'
-    - '/.*:Banner.*(?<!{{ .Vars.rhel8stig_banner_file }})$/'
     meta:
       Cat: 2
       CCI: CCI-000048
@@ -21,8 +20,10 @@ command:
     title: RHEL-08-010040 | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | banner content check
     exec: cat {{ .Vars.rhel8stig_banner_file }}
     exit-status: 0
+    {{ range .Vars.rhel8stig_logon_banner }}
     stdout:
-    - '{{ .Vars.rhel8stig_logon_banner }}'
+    - {{ . }}
+    {{ end }}
     meta:
       Cat: 2
       CCI: CCI-000048

cat_2/RHEL-08-010000_010830/RHEL-08-010141.yml

@@ -1,12 +1,11 @@
 {{ if not .Vars.legacy_boot }}
   {{ if .Vars.RHEL_08_010141 }}
 file:
-  {{ .Vars.rhel8stig_bootloader_path }}/grub.cfg:
+  {{ .Vars.rhel8stig_bootloader_path }}/user.cfg:
     title: RHEL-08-010141 | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | grub_cfg
     exists: true
     contains:
-    - '/^set superusers="[{{ .Vars.rhel8stig_boot_superuser }}]"/'
-    - '/^export superusers/'
+    - '/^GRUB2_PASSWORD=grub.pbkdf2.sha512.*/'
     meta:
       Cat: 2
       CCI: CCI-000213
@@ -18,8 +17,8 @@ file:
     title: RHEL-08-010141 | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | configured
     exists: true
     contains:
-    - '/^set superusers="{{ .Vars.rhel8stig_boot_superuser }}"/'
-    - '/^export superusers/'
+    - '/^\s+set superusers="{{ .Vars.rhel8stig_boot_superuser }}"/'
+    - '/^\s+export superusers/'
     - '/^\s+password_pbkdf2 {{ .Vars.rhel8stig_boot_superuser }} \\\${GRUB2_PASSWORD}/'
     meta:
       Cat: 2

cat_2/RHEL-08-010000_010830/RHEL-08-010190.yml

@@ -5,15 +5,18 @@ command:
     title: RHEL-08-010190 | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources.
     exec: 'find / -type d \( -perm -0002 -a ! -perm -1000 \) -exec ls -ld {} \;'
     timeout: {{ .Vars.timeout_ms }}
-    exit-status: 0
+    exit-status: 
+      or:
+      - 0
+      - 1
     stdout:
     - '!/.*/'
     meta:
       Cat: 2
       CCI: CCI-001090
       Group_Title: SRG-OS-000138-GPOS-00069
       Rule_ID: SV-230243r792857_rule
-      STIG_ID: RHEL-08-010180
+      STIG_ID: RHEL-08-010190
       Vul_ID: V-230243
   {{ end }}
 {{ end }}

cat_2/RHEL-08-010000_010830/RHEL-08-010200.yml

@@ -9,7 +9,7 @@ command:
       - 2
     stdout:
     - '/.*:ClientAliveCountMax 1$/'
-    - '!/.*:ClientAliveCountMax (0|[2-9]|1[0-9];{0,}))/'
+    - '!/.*:ClientAliveCountMax (0|[2-9]|1[0-9];{0,})/'
     meta:
       Cat: 2
       CCI: CCI-001133

cat_2/RHEL-08-010000_010830/RHEL-08-010490.yml

@@ -5,7 +5,7 @@ command:
     exec: stat -c %a /etc/ssh/*_key
     exit-status: 0
     stdout:
-    - '/^(4|6)00/'
+    - '/^(4|6)(0|4)0/'
     meta:
       Cat: 2
       CCI: CCI-000366

cat_2/RHEL-08-010000_010830/RHEL-08-010522.yml

@@ -2,7 +2,7 @@
 command:
   sshd_config_gssapi:
     title: RHEL-08-010522 | The RHEL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements.
-    exec: grep GSSAPI /etc/ssh/sshd_config/etc/sshd/conf.d
+    exec: grep GSSAPI /etc/ssh/sshd_config /etc/sshd/conf.d
     exit-status:
       or:
       - 0

cat_2/RHEL-08-010000_010830/RHEL-08-010671.yml

@@ -23,8 +23,7 @@ command:
       - 0
       - 2
     stdout:
-    - '/^kernel.core_pattern( |)=( |)|\/bin\/false/'
-    - '!/^kernel.core_pattern =.*(?<!\|\/bin\/false)$/'
+    - '/.*:kernel.core_pattern( |)=( |)|\/bin\/false/'
     meta:
       Cat: 2
       CCI: CCI-000366

cat_2/RHEL-08-010000_010830/RHEL-08-010731.yml

@@ -3,7 +3,7 @@
 command:
   home_dir_file_750:
     title: RHEL-08-010731 | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive.
-    exec: find /home/*/ -name "*" -type f -exec stat -c '%n %a' {} \; | grep -v "[6|7][0|4|5][0]"
+    exec: find /home/*/ -name "*" -type f -exec stat -c '%n %a' {} \; | grep -v "[6|7][0|4|5][0]" | grep -Ev ".(ba|c|z)sh(_profile|rc|_logout)"
     timeout: {{ .Vars.timeout_ms }}
     exit-status: 
       or:

cat_2/RHEL-08-020000_020353/RHEL-08-020352.yml

@@ -3,9 +3,10 @@ command:
   validate_unnecessary_echo:
     title: RHEL-08-020352 | RHEL 8 must not have unnecessary accounts.
     exec: grep -ir umask /home/*.* | grep -v '.bash_history'
-    exit-status: 
+    exit-status:
       or:
       - 0
+      - 1
       - 2
     stdout:
     - '!/^.*/'

cat_2/RHEL-08-030000_030740/RHEL-08-030130.yml

@@ -1,7 +1,7 @@
 {{ if .Vars.RHEL_08_030130 }}
 command:
   audit_rules_shadow:
-    title: RHEL_08_030130 | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. | conf check
+    title: RHEL-08-030130 | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. | conf check
     exec: grep -w shadow /etc/audit/rules.d/audit.rules
     exit-status: 0
     stdout:
@@ -14,7 +14,7 @@ command:
       STIG_ID: RHEL-08-030130
       Vul_ID: V-230404
   auditd_shadow_live:
-    title: RHEL_08_030130 | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. | live check
+    title: RHEL-08-030130 | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. | live check
     exec: auditctl -l | grep -w shadow
     exit-status: 0
     stdout:

cat_2/RHEL-08-030000_030740/RHEL-08-030140.yml

@@ -1,7 +1,7 @@
 {{ if .Vars.RHEL_08_030140 }}
 command:
   audit_rules_opasswd:
-    title: RHEL_08_030140 | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd. | config check
+    title: RHEL-08-030140 | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd. | config check
     exec: grep opasswd /etc/audit/audit.rules
     exit-status: 0
     stdout:
@@ -14,7 +14,7 @@ command:
       STIG_ID: RHEL-08-030140
       Vul_ID: V-230405
   auditd_opasswd_live:
-    title: RHEL_08_030130 | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd. | live check
+    title: RHEL-08-030130 | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd. | live check
     exec: auditctl -l | grep -w opasswd
     exit-status: 0
     stdout:

cat_2/RHEL-08-030000_030740/RHEL-08-030150.yml

@@ -1,7 +1,7 @@
 {{ if .Vars.RHEL_08_030150 }}
 command:
   audit_rules_passwd:
-    title: RHEL_08_030150 | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. | config check
+    title: RHEL-08-030150 | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. | config check
     exec: grep -w passwd /etc/audit/rules.d/audit.rules
     exit-status: 0
     stdout:
@@ -14,7 +14,7 @@ command:
       STIG_ID: RHEL-08-030150
       Vul_ID: V-230406
   auditd_passwd_live:
-    title: RHEL_08_030150 | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. | live check
+    title: RHEL-08-030150 | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. | live check
     exec: auditctl -l | grep -w passwd
     exit-status: 0
     stdout:

cat_2/RHEL-08-030000_030740/RHEL-08-030160.yml

@@ -1,7 +1,7 @@
 {{ if .Vars.RHEL_08_030160 }}
 command:
   audit_rules_gshadow:
-    title: RHEL_08_030160 | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. | config check
+    title: RHEL-08-030160 | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. | config check
     exec: grep -w gshadow /etc/audit/rules.d/audit.rules
     exit-status: 0
     stdout:
@@ -14,7 +14,7 @@ command:
       STIG_ID: RHEL-08-030160
       Vul_ID: V-230407
   auditd_gshadow_live:
-    title: RHEL_08_030160 | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. | live check
+    title: RHEL-08-030160 | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. | live check
     exec: auditctl -l | grep -w gshadow
     exit-status: 0
     stdout:

cat_2/RHEL-08-030000_030740/RHEL-08-030170.yml

@@ -1,7 +1,7 @@
 {{ if .Vars.RHEL_08_030170 }}
 command:
   audit_rules_group:
-    title: RHEL_08_030170 | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. | config check
+    title: RHEL-08-030170 | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. | config check
     exec: grep -w group /etc/audit/rules.d/audit.rules
     exit-status: 0
     stdout:
@@ -14,7 +14,7 @@ command:
       STIG_ID: RHEL-08-030170
       Vul_ID: V-230408
   auditd_group_live:
-    title: RHEL_08_030170 | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. | live check
+    title: RHEL-08-030170 | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. | live check
     exec: auditctl -l | grep -w group
     exit-status: 0
     stdout:

cat_2/RHEL-08-030000_030740/RHEL-08-030171.yml

@@ -1,7 +1,7 @@
 {{ if .Vars.RHEL_08_030171 }}
 command:
   audit_rules_sudoers:
-    title: RHEL_08_030171 | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers. | config check
+    title: RHEL-08-030171 | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers. | config check
     exec: grep -w sudoers /etc/audit/rules.d/audit.rules
     exit-status: 0
     stdout:
@@ -14,7 +14,7 @@ command:
       STIG_ID: RHEL-08-030171
       Vul_ID: V-230409
   auditd_sudoers_live:
-    title: RHEL_08_030171 | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers. | live check
+    title: RHEL-08-030171 | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers. | live check
     exec: auditctl -l | grep -w sudoers
     exit-status: 0
     stdout:

cat_2/RHEL-08-030000_030740/RHEL-08-030172.yml

@@ -1,7 +1,7 @@
 {{ if .Vars.RHEL_08_030172 }}
 command:
   audit_rules_sudoers:
-    title: RHEL_08_030172 | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/. | config check
+    title: RHEL-08-030172 | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/. | config check
     exec: grep -w sudoers.d /etc/audit/rules.d/audit.rules
     exit-status: 0
     stdout:
@@ -14,7 +14,7 @@ command:
       STIG_ID: RHEL-08-030172
       Vul_ID: V-230410
   auditd_sudoersd_live:
-    title: RHEL_08_030172 | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/. | live check
+    title: RHEL-08-030172 | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/. | live check
     exec: auditctl -l | grep -w sudoers.d
     exit-status: 0
     stdout:

cat_2/RHEL-08-030000_030740/RHEL-08-030180.yml

@@ -1,7 +1,7 @@
 {{ if .Vars.RHEL_08_030180 }}
 package:
   audit:
-    title: RHEL_08_030180 | The RHEL 8 audit package must be installed
+    title: RHEL-08-030180 | The RHEL 8 audit package must be installed
     installed: true
     meta:
       Cat: 2

cat_2/RHEL-08-030000_030740/RHEL-08-030181.yml

@@ -1,7 +1,7 @@
 {{ if .Vars.RHEL_08_030181 }}
 service:
   auditd:
-    title: RHEL_08_030181 | The RHEL 8 audit package must be installed
+    title: RHEL-08-030181 | The RHEL 8 audit package must be installed
     running: true
     enabled: true
     meta:

cat_2/RHEL-08-030000_030740/RHEL-08-030190.yml

@@ -1,7 +1,7 @@
 {{ if .Vars.RHEL_08_030190 }}
 command:
   audit_rules_priv_change:
-    title: RHEL_08_030190 | Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record. | config check
+    title: RHEL-08-030190 | Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record. | config check
     exec: grep -w priv_change /etc/audit/audit.rules
     exit-status: 0
     stdout:
@@ -14,7 +14,7 @@ command:
       STIG_ID: RHEL-08-030190
       Vul_ID: V-230412
   auditd_priv_change_live:
-    title: RHEL_08_030190 | Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record. | live check
+    title: RHEL-08-030190 | Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record. | live check
     exec: auditctl -l | grep -w priv_change
     exit-status: 0
     stdout:

cat_2/RHEL-08-030000_030740/RHEL-08-030200.yml

@@ -1,7 +1,7 @@
 {{ if .Vars.RHEL_08_030200 }}
 command:
   audit_rules_lremovexattr:
-    title: RHEL_08_030200 | The RHEL 8 audit system must be configured to audit any usage of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. | config check
+    title: RHEL-08-030200 | The RHEL 8 audit system must be configured to audit any usage of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. | config check
     exec: grep -w lremovexattr /etc/audit/audit.rules
     exit-status: 0
     stdout:
@@ -17,7 +17,7 @@ command:
       STIG_ID: RHEL-08-030200
       Vul_ID: V-230413
   auditd_lremovexattr_live:
-    title: RHEL_08_030200 | The RHEL 8 audit system must be configured to audit any usage of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. | live check
+    title: RHEL-08-030200 | The RHEL 8 audit system must be configured to audit any usage of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. | live check
     exec: auditctl -l | grep -w lremovexattr
     exit-status: 0
     stdout:

cat_2/RHEL-08-030000_030740/RHEL-08-030250.yml

@@ -1,7 +1,7 @@
 {{ if .Vars.RHEL_08_030250 }}
 command:
   audit_rules_priv_chage:
-    title: RHEL_08_030250 | Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record. | config check
+    title: RHEL-08-030250 | Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record. | config check
     exec: grep -w privileged-chage /etc/audit/audit.rules
     exit-status: 0
     stdout:
@@ -14,7 +14,7 @@ command:
       STIG_ID: RHEL-08-030250
       Vul_ID: V-230418
   auditd_priv_chage_live:
-    title: RHEL_08_030250 | Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record. | live check
+    title: RHEL-08-030250 | Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record. | live check
     exec: auditctl -l | grep -w privileged-chage
     exit-status: 0
     stdout:

cat_2/RHEL-08-030000_030740/RHEL-08-030260.yml

@@ -1,7 +1,7 @@
 {{ if .Vars.RHEL_08_030260 }}
 command:
   audit_rules_chcon:
-    title: RHEL_08_030260 | Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record. | config check
+    title: RHEL-08-030260 | Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record. | config check
     exec: grep -w chcon /etc/audit/audit.rules
     exit-status: 0
     stdout:
@@ -14,7 +14,7 @@ command:
       STIG_ID: RHEL-08-030260
       Vul_ID: V-230419
   auditd_chcon_live:
-    title: RHEL_08_030260 | Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record. | live check
+    title: RHEL-08-030260 | Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record. | live check
     exec: auditctl -l | grep -w chcon
     exit-status: 0
     stdout:

cat_2/RHEL-08-030000_030740/RHEL-08-030280.yml

@@ -1,7 +1,7 @@
 {{ if .Vars.RHEL_08_030280 }}
 command:
   audit_rules_ssh_agent:
-    title: RHEL_08_030280 | Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record. | config check
+    title: RHEL-08-030280 | Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record. | config check
     exec: grep -w ssh-agent /etc/audit/audit.rules
     exit-status: 0
     stdout:
@@ -15,7 +15,7 @@ command:
       Vul_ID: V-230421
 command:
   auditd_ssh_agent_live:
-    title: RHEL_08_030280 | Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record. | live check
+    title: RHEL-08-030280 | Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record. | live check
     exec: auditctl -l | grep -w ssh-agent
     exit-status: 0
     stdout:

cat_2/RHEL-08-030000_030740/RHEL-08-030290.yml

@@ -1,7 +1,7 @@
 {{ if .Vars.RHEL_08_030290 }}
 command:
   audit_rules_priv_passwd:
-    title: RHEL_08_030290 | Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record. | config check
+    title: RHEL-08-030290 | Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record. | config check
     exec: grep -w privileged-passwd /etc/audit/audit.rules
     exit-status: 0
     stdout:
@@ -14,7 +14,7 @@ command:
       STIG_ID: RHEL-08-030290
       Vul_ID: V-230422
   auditd_priv_passwd_live:
-    title: RHEL_08_030290 | Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record. | live check
+    title: RHEL-08-030290 | Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record. | live check
     exec: auditctl -l | grep -w privileged-passwd
     exit-status: 0
     stdout: