Merge pull request #11 from ansible-lockdown/fixes_and_typos

Fixes and typos

README.md

@@ -1,22 +1,32 @@
 # Development Only
 
-## RHEL 9 CIS (predicted) - ALPHA - CIS baselines or OS not yet GA
+***RHEL 9 CIS (predicted) - ALPHA - CIS baselines or OS not yet GA***
 
-## Testing if you have access to the RH developer branches
+***Testing if you have access to the RH developer branches***
 
 ---
 
-# RHEL 9 Goss config
+## RHEL 9 Goss config
+# Overview
 
-## Overview
+based on CIS 2.0.0
 
-based on RedHat 8 CIS 2.0.0
+Ability to audit a system using a lightweight binary to check the current state.
 
-Set of configuration files and directories to run the first stages of CIS of RHEL 9 servers
+This is:
 
-This is configured in a directory structure level.
+- very small 11MB
+- lightweight
+- self contained
 
-Goss is run based on the goss.yml file in the top level directory. This specifies the configuration.
+It works using a set of configuration files and directories to audit STIG of RHEL/CentOS 7 servers. These files/directories correlate to the STIG Level and STIG_ID
+
+Tested on
+
+- RHEL8
+- CentOS8
+- Rocky8
+- Alma-Linux 8
 
 ## Requirements
 
@@ -28,7 +38,7 @@ Assuming you have already clone this repository you can run goss from where you
 
 Please refer to the audit documentation for usage.
 
-- [Audit Documents](https://github.com/ansible-lockdown/RHEL9-CIS-Audit/docs/Security_remediation_and_auditing.md)
+- [readthedocs](https://ansible-lockdown.readthedocs.io/en/latest/)
 
 This also works alongside the [Ansible Lockdown RHEL9-CIS role](https://github.com/ansible-lockdown/RHEL9-CIS)
 
@@ -39,112 +49,15 @@ Which will:
 - remediate
 - audit
 
-## variables
-
-file: vars/CIS.yml
-
-Please refer to the file for all options and their meanings
-
-CIS listed variable for every control/benchmark can be turned on/off or section
-
-- other controls
-enable_selinux
-run_heavy_tasks
-
-- bespoke options
-If a site has specific options e.g. password complexity these can also be set.
-
-## Usage
-
-You must have [goss](https://github.com/aelsabbahy/goss/) available to your host you would like to test.
-
-You must have root access to the system as some commands require privilege information.
-
-- Run as root not sudo due to sudo and shared memory access
-
-Assuming you have already clone this repository you can run goss from where you wish.
-
-- full check
-
-```sh
-# {{path to your goss binary}} --vars {{ path to the vars file }} -g {{path to your clone of this repo }}/goss.yml --validate
-
-```
+## Join us
 
-example:
+On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users
 
-```sh
-# /usr/local/bin/goss --vars ../vars/cis.yml -g /home/bolly/rh8_cis_goss/goss.yml validate
-......FF....FF................FF...F..FF.............F........................FSSSS.............FS.F.F.F.F.........FFFFF....
-
-Failures/Skipped:
-
-Title: 1.6.1 Ensure core dumps are restricted (Automated)_sysctl
-Command: suid_dumpable_2: exit-status:
-Expected
-    <int>: 1
-to equal
-    <int>: 0
-Command: suid_dumpable_2: stdout: patterns not found: [fs.suid_dumpable = 0]
-
-
-Title: 1.4.2 Ensure filesystem integrity is regularly checked (Automated)
-Service: aidecheck: enabled:
-Expected
-    <bool>: false
-to equal
-    <bool>: true
-Service: aidecheck: running:
-Expected
-    <bool>: false
-to equal
-    <bool>: true
-
-< ---------cut ------- >
-
-Title: 1.1.22 Ensure sticky bit is set on all world-writable directories
-Command: version: exit-status:
-Expected
-    <int>: 0
-to equal
-    <int>: 123
-
-Total Duration: 5.102s
-Count: 124, Failed: 21, Skipped: 5
-
-```
-
-- running a particular section of tests
-
-```sh
-# /usr/local/bin/goss -g /home/bolly/rh8_cis_goss/section_1/cis_1.1/cis_1.1.22.yml  validate
-............
-
-Total Duration: 0.033s
-Count: 12, Failed: 0, Skipped: 0
-
-```
-
-- changing the output
-
-```sh
-# /usr/local/bin/goss -g /home/bolly/rh8_cis_goss/section_1/cis_1.1/cis_1.1.22.yml  validate -f documentation
-Title: 1.1.20 Check for removeable media nodev
-Command: floppy_nodev: exit-status: matches expectation: [0]
-Command: floppy_nodev: stdout: matches expectation: [OK]
-< -------cut ------- >
-Title: 1.1.20 Check for removeable media noexec
-Command: floppy_noexec: exit-status: matches expectation: [0]
-Command: floppy_noexec: stdout: matches expectation: [OK]
-
-
-Total Duration: 0.022s
-Count: 12, Failed: 0, Skipped: 0
-```
+Set of configuration files and directories to run the first stages of CIS of RHEL 9 servers
 
-## Extra settings
+This is configured in a directory structure level.
 
-Ability to add your own requirements is available in several sections
+Goss is run based on the goss.yml file in the top level directory. This specifies the configuration.
 
 ## further information
 

run_audit.sh

@@ -21,7 +21,7 @@
 # Goss host Variables
 AUDIT_BIN="${AUDIT_BIN:-/usr/local/bin/goss}"  # location of the goss executable
 AUDIT_FILE="${AUDIT_FILE:-goss.yml}"  # the default goss file used by the audit provided by the audit configuration
-AUDIT_CONTENT_LOCATION="${AUDIT_CONTENT_LOCATION:-/var/tmp}"  # Location of the audit configuration file as available to the OS
+AUDIT_CONTENT_LOCATION="${AUDIT_CONTENT_LOCATION:-/opt}"  # Location of the audit configuration file as available to the OS
 
 
 # Goss benchmark variables (these should not need changing unless new release)
@@ -130,7 +130,7 @@ host_os_hostname=`hostname`
 
 ## Set variable audit_out
 if [ -z $OUTFILE ]; then
-  export audit_out=$AUDIT_CONTENT_LOCATION/audit_${host_os_hostname}_${host_epoch}.$format
+  export audit_out=$AUDIT_CONTENT_LOCATION/audit_${host_os_hostname}-${BENCHMARK}-${BENCHMARK_OS}_${host_epoch}.$format
 else
   export audit_out=$OUTFILE
 fi
@@ -203,4 +203,4 @@ echo "###############"
 
 else
   echo "Fail Audit - There were issues when running the audit please investigate $audit_out"
-fi
+fi

section_1/cis_1.4/cis_1.4.1.yml

@@ -1,23 +1,24 @@
 {{ if .Vars.rhel9cis_rule_1_4_1 }}
   {{ if .Vars.rhel9cis_set_boot_pass }}
-  /boot/grub2/user.cfg:
-    title: 1.4.1 | Ensure bootloader password is set and permissions
-    exists: true
-    owner: root
-    group: root
-    mode: "0600"
-    {{ if .Vars.rhel9cis_set_boot_pass }}
-    contains: [GRUB2_PASSWORD=<encrypted-password>]
-    {{ end }}
-    meta:
-      server: 1
-      workstation: 1
-      CIS_ID: 
-      - 1.4.1
-      CISv8: 
-      - 3.3
-      CISv8_IG1: true
-      CISv8_IG2: true
-      CISv8_IG3: true
+  file:
+    /boot/grub2/user.cfg:
+      title: 1.4.1 | Ensure bootloader password is set and permissions
+      exists: true
+      owner: root
+      group: root
+      mode: "0600"
+      {{ if .Vars.rhel9cis_set_boot_pass }}
+      contains: [GRUB2_PASSWORD=<encrypted-password>]
+      {{ end }}
+      meta:
+        server: 1
+        workstation: 1
+        CIS_ID: 
+        - 1.4.1
+        CISv8: 
+        - 3.3
+        CISv8_IG1: true
+        CISv8_IG2: true
+        CISv8_IG3: true
   {{ end }}
 {{ end }}

section_1/cis_1.8/cis_1.8.2.yml

@@ -9,7 +9,7 @@ command:
     - '/^user-db:user/'
     - '/^system-db:user/'
     - '/^file-db:\/usr\/share\/gdm\/greeter-dconf-defaults/'
-    - '/^banner-message-test=\'{{ .Vars.rhel9cis_warning_banner }}\'
+    - "/^banner-message-test=\'{{ .Vars.rhel9cis_warning_banner }}\'/"
     meta:
       server: 1
       workstation: 1
@@ -24,13 +24,13 @@ command:
     title: 1.8.2 | Ensure GDM login banner is configured
     exec: grep "[org/gnome/login-screen]" /etc/dconf/db/gdm.d/* | grep banner-message
     exit-status:
-    or:
-    - 0
-    - 1
+      or:
+      - 0
+      - 1
     stdout:
     - '/^banner-message-enable=true/'
     - '!/^banner-message-enable=false/'
-    - '/^banner-message-test=\'{{ .Vars.rhel9cis_warning_banner }}\'/'
+    - "/^banner-message-test=\'{{ .Vars.rhel9cis_warning_banner }}\'/"
     meta:
       server: 1
       workstation: 1

section_1/cis_1.8/cis_1.8.3.yml

@@ -23,9 +23,9 @@ command:
     title: 1.8.3 | Ensure last logged in user display is disabled
     exec: grep "[org/gnome/login-screen]" /etc/dconf/db/gdm.d/* | grep disable-user-list
     exit-status:
-    or:
-    - 0
-    - 1
+      or:
+      - 0
+      - 1
     stdout:
     - '/^disable-user-list=true/'
     - '!/^disable-user-list=false/'

section_2/cis_2.2/cis_2.2.10.yml

@@ -9,7 +9,7 @@ service:
       server: 1
       workstation: 1
       CIS_ID: 
-      - 2.2.9
+      - 2.2.10
       CISv8:
       - 4.8
       CISv8_IG1: false
@@ -22,8 +22,8 @@ service:
     meta:
       server: 1
       workstation: 1
-      CIS_ID: 
-      - 2.2.9
+      CIS_ID:
+      - 2.2.10
       CISv8:
       - 4.8
       CISv8_IG1: false

section_2/cis_2.2/cis_2.2.7.yml

@@ -1,9 +1,9 @@
 {{ if not .Vars.rhel9cis_ftp_server}}
   {{ if .Vars.rhel9cis_rule_2_2_7 }}
-installed:
+package:
   ftp:
     title: 2.2.7 | Ensure FTP Server is not installed
-    installed: {{ false }}
+    installed: false
     meta:
       server: 1
       workstation: 1

section_2/cis_2.2/cis_2.2.8.yml

@@ -1,9 +1,9 @@
 {{ if not .Vars.rhel9cis_vsftpd_server}}
   {{ if .Vars.rhel9cis_rule_2_2_8 }}
-installed:
+package:
   vsftp:
     title: 2.2.8 | Ensure VSFTP Server is not installed
-    installed: {{ false }}
+    installed: false
     meta:
       server: 1
       workstation: 1

section_2/cis_2.2/cis_2.2.9.yml

@@ -1,9 +1,9 @@
 {{ if not .Vars.rhel9cis_tftp_server }}
   {{ if .Vars.rhel9cis_rule_2_2_9 }}
-installed:
+package:
   tftp-server:
     title: 2.2.8 | Ensure TFTP Server is not installed
-    installed: {{ false }}
+    installed: false
     meta:
       server: 1
       workstation: 1

section_2/cis_2.3/cis_2.3.1_5.yml → section_2/cis_2.3/cis_2.3.1_6.yml

@@ -84,3 +84,20 @@ package:
       CISv8_IG3: true
     {{ end }}
   {{ end }}
+  {{ if not .Vars.rhel9cis_tftp_client }}
+    {{ if .Vars.rhel9cis_rule_2_3_6}}
+  tftp:
+    title: 2.3.6 | Ensure TFTP client is not installed
+    installed: false
+    meta:
+      server: 1
+      workstation: NA
+      CIS_ID: 
+      - 2.3.6
+      CISv8:
+      - 4.8
+      CISv8_IG1: false
+      CISv8_IG2: true
+      CISv8_IG3: true
+    {{ end }}
+  {{ end }}

section_3/cis_3.1/cis_3.1.1.yml

@@ -6,7 +6,7 @@ command:
     exec: grep ipv6 /etc/default/grub.conf
     exit-status: 0
     stdout:
-    - '/(?=\S+\s(ipv6\.disable=1.*)$)^GRUB_CMDLINE_LINUX="/'
+    - '/^GRUB_CMDLINE_LINUX="(\S+\s)*(ipv6\.disable=1).*$/'
     meta:
       server: 1
       workstation: 1
@@ -20,7 +20,7 @@ command:
     title: 3.1.1 | Verify if IPv6 is enabled on the system
     exec: grep disable_ipv6 /etc/sysctl.conf /etc/sysctl.d/*
     exit-status:
-    or:
+      or:
       - 0
       - 1
     stdout:

section_3/cis_3.1/cis_3.1.2.yml

@@ -4,7 +4,7 @@ command:
   modprobe_sctp:
     title: 3.1.2 | Ensure SCTP is disabled
     exit-status: 0
-    exec: 'modprobe -n -v dccp'
+    exec: 'modprobe -n -v sctp'
     stdout: ['install /bin/true']
     meta:
       server: 2

section_4/cis_4.2.1/cis_4.2.1.3.yml

@@ -10,7 +10,7 @@ file:
       server: 1
       workstation: 1
       CIS_ID:
-      - 4.2.1.13
+      - 4.2.1.3
       CISv8: 
       - 8.2
       - 8.9

section_4/cis_4.2.2/cis_4.2.2.7.yml

@@ -1,5 +1,5 @@
 {{ if .Vars.rhel9cis_rule_4_2_2_7 }}
-file:
+command:
   /etc/tmpfiles.d/systemd.conf:
     title: 4.2.2.7 | Ensure journald default file permissions are configured
     exec: echo "Manual - Please check journald default permissions"