diff --git a/README.md b/README.md index 1be514d..fd0e94d 100644 --- a/README.md +++ b/README.md @@ -1,22 +1,32 @@ # Development Only -## RHEL 9 CIS (predicted) - ALPHA - CIS baselines or OS not yet GA +***RHEL 9 CIS (predicted) - ALPHA - CIS baselines or OS not yet GA*** -## Testing if you have access to the RH developer branches +***Testing if you have access to the RH developer branches*** --- -# RHEL 9 Goss config +## RHEL 9 Goss config +# Overview -## Overview +based on CIS 2.0.0 -based on RedHat 8 CIS 2.0.0 +Ability to audit a system using a lightweight binary to check the current state. -Set of configuration files and directories to run the first stages of CIS of RHEL 9 servers +This is: -This is configured in a directory structure level. +- very small 11MB +- lightweight +- self contained -Goss is run based on the goss.yml file in the top level directory. This specifies the configuration. +It works using a set of configuration files and directories to audit STIG of RHEL/CentOS 7 servers. These files/directories correlate to the STIG Level and STIG_ID + +Tested on + +- RHEL8 +- CentOS8 +- Rocky8 +- Alma-Linux 8 ## Requirements @@ -28,7 +38,7 @@ Assuming you have already clone this repository you can run goss from where you Please refer to the audit documentation for usage. -- [Audit Documents](https://github.com/ansible-lockdown/RHEL9-CIS-Audit/docs/Security_remediation_and_auditing.md) +- [readthedocs](https://ansible-lockdown.readthedocs.io/en/latest/) This also works alongside the [Ansible Lockdown RHEL9-CIS role](https://github.com/ansible-lockdown/RHEL9-CIS) 
@@ -39,112 +49,15 @@ Which will: - remediate - audit -## variables - -file: vars/CIS.yml - -Please refer to the file for all options and their meanings - -CIS listed variable for every control/benchmark can be turned on/off or section - -- other controls -enable_selinux -run_heavy_tasks - -- bespoke options -If a site has specific options e.g. password complexity these can also be set. - -## Usage - -You must have [goss](https://github.com/aelsabbahy/goss/) available to your host you would like to test. - -You must have root access to the system as some commands require privilege information. - -- Run as root not sudo due to sudo and shared memory access - -Assuming you have already clone this repository you can run goss from where you wish. - -- full check - -```sh -# {{path to your goss binary}} --vars {{ path to the vars file }} -g {{path to your clone of this repo }}/goss.yml --validate - -``` +## Join us -example: +On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users -```sh -# /usr/local/bin/goss --vars ../vars/cis.yml -g /home/bolly/rh8_cis_goss/goss.yml validate -......FF....FF................FF...F..FF.............F........................FSSSS.............FS.F.F.F.F.........FFFFF.... 
- -Failures/Skipped: - -Title: 1.6.1 Ensure core dumps are restricted (Automated)_sysctl -Command: suid_dumpable_2: exit-status: -Expected - : 1 -to equal - : 0 -Command: suid_dumpable_2: stdout: patterns not found: [fs.suid_dumpable = 0] - - -Title: 1.4.2 Ensure filesystem integrity is regularly checked (Automated) -Service: aidecheck: enabled: -Expected - : false -to equal - : true -Service: aidecheck: running: -Expected - : false -to equal - : true - -< ---------cut ------- > - -Title: 1.1.22 Ensure sticky bit is set on all world-writable directories -Command: version: exit-status: -Expected - : 0 -to equal - : 123 - -Total Duration: 5.102s -Count: 124, Failed: 21, Skipped: 5 - -``` - -- running a particular section of tests - -```sh -# /usr/local/bin/goss -g /home/bolly/rh8_cis_goss/section_1/cis_1.1/cis_1.1.22.yml validate -............ - -Total Duration: 0.033s -Count: 12, Failed: 0, Skipped: 0 - -``` - -- changing the output - -```sh -# /usr/local/bin/goss -g /home/bolly/rh8_cis_goss/section_1/cis_1.1/cis_1.1.22.yml validate -f documentation -Title: 1.1.20 Check for removeable media nodev -Command: floppy_nodev: exit-status: matches expectation: [0] -Command: floppy_nodev: stdout: matches expectation: [OK] -< -------cut ------- > -Title: 1.1.20 Check for removeable media noexec -Command: floppy_noexec: exit-status: matches expectation: [0] -Command: floppy_noexec: stdout: matches expectation: [OK] - - -Total Duration: 0.022s -Count: 12, Failed: 0, Skipped: 0 -``` +Set of configuration files and directories to run the first stages of CIS of RHEL 9 servers -## Extra settings +This is configured in a directory structure level. -Ability to add your own requirements is available in several sections +Goss is run based on the goss.yml file in the top level directory. This specifies the configuration. ## further information diff --git a/run_audit.sh b/run_audit.sh index 78303a0..00379a4 100755 --- a/run_audit.sh +++ b/run_audit.sh 
@@ -21,7 +21,7 @@
 # Goss host Variables
 AUDIT_BIN="${AUDIT_BIN:-/usr/local/bin/goss}" # location of the goss executable
 AUDIT_FILE="${AUDIT_FILE:-goss.yml}" # the default goss file used by the audit provided by the audit configuration
-AUDIT_CONTENT_LOCATION="${AUDIT_CONTENT_LOCATION:-/var/tmp}" # Location of the audit configuration file as available to the OS
+AUDIT_CONTENT_LOCATION="${AUDIT_CONTENT_LOCATION:-/opt}" # Location of the audit configuration file as available to the OS
 # Goss benchmark variables (these should not need changing unless new release)
@@ -130,7 +130,7 @@ host_os_hostname=`hostname`
 ## Set variable audit_out
 if [ -z $OUTFILE ]; then
- export audit_out=$AUDIT_CONTENT_LOCATION/audit_${host_os_hostname}_${host_epoch}.$format
+ export audit_out=$AUDIT_CONTENT_LOCATION/audit_${host_os_hostname}-${BENCHMARK}-${BENCHMARK_OS}_${host_epoch}.$format
 else
 export audit_out=$OUTFILE
 fi
@@ -203,4 +203,4 @@ echo "###############"
 else
 echo "Fail Audit - There were issues when running the audit please investigate $audit_out"
-fi
\ No newline at end of file
+fi
diff --git a/section_1/cis_1.4/cis_1.4.1.yml b/section_1/cis_1.4/cis_1.4.1.yml
index eed19a1..a5439d5 100644
--- a/section_1/cis_1.4/cis_1.4.1.yml
+++ b/section_1/cis_1.4/cis_1.4.1.yml
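Review bot: The new report name splices in `${BENCHMARK}` and `${BENCHMARK_OS}`, which are set outside this hunk; if either is empty the file silently becomes `audit_<host>--_<epoch>.<format>`, so two benchmark runs can land on the same name — fail fast with `${BENCHMARK:?}` and `${BENCHMARK_OS:?}` instead. The enclosing `if [ -z $OUTFILE ]; then` leaves `$OUTFILE` unquoted, which breaks the test for a caller-supplied path containing whitespace, and the assignment is unquoted too. Suggested lines: `if [ -z "${OUTFILE}" ]; then` and `export audit_out="${AUDIT_CONTENT_LOCATION}/audit_${host_os_hostname}-${BENCHMARK:?}-${BENCHMARK_OS:?}_${host_epoch}.${format}"`. `host_os_hostname` is assigned with backticks on the hunk-header line; `$(hostname)` is the conventional form.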
@@ -1,23 +1,24 @@
 {{ if .Vars.rhel9cis_rule_1_4_1 }}
 {{ if .Vars.rhel9cis_set_boot_pass }}
- /boot/grub2/user.cfg:
- title: 1.4.1 | Ensure bootloader password is set and permissions
- exists: true
- owner: root
- group: root
- mode: "0600"
- {{ if .Vars.rhel9cis_set_boot_pass }}
- contains: [GRUB2_PASSWORD=]
- {{ end }}
- meta:
- server: 1
- workstation: 1
- CIS_ID:
- - 1.4.1
- CISv8:
- - 3.3
- CISv8_IG1: true
- CISv8_IG2: true
- CISv8_IG3: true
+ file:
+ /boot/grub2/user.cfg:
+ title: 1.4.1 | Ensure bootloader password is set and permissions
+ exists: true
+ owner: root
+ group: root
+ mode: "0600"
+ {{ if .Vars.rhel9cis_set_boot_pass }}
+ contains: [GRUB2_PASSWORD=]
+ {{ end }}
+ meta:
+ server: 1
+ workstation: 1
+ CIS_ID:
+ - 1.4.1
+ CISv8:
+ - 3.3
+ CISv8_IG1: true
+ CISv8_IG2: true
+ CISv8_IG3: true
 {{ end }}
 {{ end }}
diff --git a/section_1/cis_1.8/cis_1.8.2.yml b/section_1/cis_1.8/cis_1.8.2.yml
index d9ad819..d9499ab 100644
--- a/section_1/cis_1.8/cis_1.8.2.yml
+++ b/section_1/cis_1.8/cis_1.8.2.yml
@@ -9,7 +9,7 @@ command:
 - '/^user-db:user/'
 - '/^system-db:user/'
 - '/^file-db:\/usr\/share\/gdm\/greeter-dconf-defaults/'
- - '/^banner-message-test=\'{{ .Vars.rhel9cis_warning_banner }}\'
+ - "/^banner-message-test=\'{{ .Vars.rhel9cis_warning_banner }}\'/"
 meta:
 server: 1
 workstation: 1
@@ -24,13 +24,13 @@ command:
 title: 1.8.2 | Ensure GDM login banner is configured
 exec: grep "[org/gnome/login-screen]" /etc/dconf/db/gdm.d/* | grep banner-message
 exit-status:
- or:
- - 0
- - 1
+ or:
+ - 0
+ - 1
 stdout:
 - '/^banner-message-enable=true/'
 - '!/^banner-message-enable=false/'
- - '/^banner-message-test=\'{{ .Vars.rhel9cis_warning_banner }}\'/'
+ - "/^banner-message-test=\'{{ .Vars.rhel9cis_warning_banner }}\'/"
 meta:
 server: 1
 workstation: 1
diff --git a/section_1/cis_1.8/cis_1.8.3.yml b/section_1/cis_1.8/cis_1.8.3.yml
index f9e2b6a..325d5db 100644
--- a/section_1/cis_1.8/cis_1.8.3.yml
+++ b/section_1/cis_1.8/cis_1.8.3.yml
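Review bot: `contains: [GRUB2_PASSWORD=]` in the re-homed 1.4.1 resource is a plain substring match, so a commented-out `#GRUB2_PASSWORD=` line or an empty `GRUB2_PASSWORD=` assignment satisfies the check without any bootloader password being set. Anchor it to the hashed form the way other `contains` entries in this repo use regexes: `contains: ['/^GRUB2_PASSWORD=grub\.pbkdf2\.sha512\./']`. The inner `{{ if .Vars.rhel9cis_set_boot_pass }}` around `contains` repeats the guard already on line 2 of the file and can be dropped.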
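Review bot: The added `- "/^banner-message-test=\'{{ .Vars.rhel9cis_warning_banner }}\'/"` will not load: inside a YAML double-quoted scalar `\'` is not a recognised escape sequence, so the parser rejects the document before the check runs, and the key name is also wrong — GDM's dconf key is `banner-message-text`, so even a parsed pattern would never match a compliant host. Both problems recur on the equivalent line in the second hunk of this file. Single quotes need no escaping inside a double-quoted scalar: `- "/^banner-message-text='{{ .Vars.rhel9cis_warning_banner }}'/"`. The banner text is still spliced into the regex unescaped, so a banner containing `.`, `*`, `(` or `/` alters the match; if such banners are expected, check only that the key is present here and compare the text with a fixed-string grep.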
@@ -23,9 +23,9 @@ command:
 title: 1.8.3 | Ensure last logged in user display is disabled
 exec: grep "[org/gnome/login-screen]" /etc/dconf/db/gdm.d/* | grep disable-user-list
 exit-status:
- or:
- - 0
- - 1
+ or:
+ - 0
+ - 1
 stdout:
 - '/^disable-user-list=true/'
 - '!/^disable-user-list=false/'
diff --git a/section_2/cis_2.2/cis_2.2.10.yml b/section_2/cis_2.2/cis_2.2.10.yml
index 515c15f..6071d45 100644
--- a/section_2/cis_2.2/cis_2.2.10.yml
+++ b/section_2/cis_2.2/cis_2.2.10.yml
@@ -9,7 +9,7 @@ service:
 server: 1
 workstation: 1
 CIS_ID:
- - 2.2.9
+ - 2.2.10
 CISv8:
 - 4.8
 CISv8_IG1: false
@@ -22,8 +22,8 @@ service:
 meta:
 server: 1
 workstation: 1
- CIS_ID:
- - 2.2.9
+ CIS_ID:
+ - 2.2.10
 CISv8:
 - 4.8
 CISv8_IG1: false
diff --git a/section_2/cis_2.2/cis_2.2.7.yml b/section_2/cis_2.2/cis_2.2.7.yml
index bdd8df8..fd5231e 100644
--- a/section_2/cis_2.2/cis_2.2.7.yml
+++ b/section_2/cis_2.2/cis_2.2.7.yml
@@ -1,9 +1,9 @@
 {{ if not .Vars.rhel9cis_ftp_server}}
 {{ if .Vars.rhel9cis_rule_2_2_7 }}
-installed:
+package:
 ftp:
 title: 2.2.7 | Ensure FTP Server is not installed
- installed: {{ false }}
+ installed: false
 meta:
 server: 1
 workstation: 1
diff --git a/section_2/cis_2.2/cis_2.2.8.yml b/section_2/cis_2.2/cis_2.2.8.yml
index 1a60eb5..4d3e09c 100644
--- a/section_2/cis_2.2/cis_2.2.8.yml
+++ b/section_2/cis_2.2/cis_2.2.8.yml
@@ -1,9 +1,9 @@
 {{ if not .Vars.rhel9cis_vsftpd_server}}
 {{ if .Vars.rhel9cis_rule_2_2_8 }}
-installed:
+package:
 vsftp:
 title: 2.2.8 | Ensure VSFTP Server is not installed
- installed: {{ false }}
+ installed: false
 meta:
 server: 1
 workstation: 1
diff --git a/section_2/cis_2.2/cis_2.2.9.yml b/section_2/cis_2.2/cis_2.2.9.yml
index cd4a99e..65716ac 100644
--- a/section_2/cis_2.2/cis_2.2.9.yml
+++ b/section_2/cis_2.2/cis_2.2.9.yml
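Review bot: The package keyed under the new `package:` resource in 2.2.7, `ftp`, is the FTP client on RHEL, not a server, so "Ensure FTP Server is not installed" is judged on the wrong package; the daemon this control targets is `vsftpd`. Change the key to `vsftpd:` and keep `installed: false`. If the client is meant to be audited at all it belongs with the section 2.3 client checks under its own CIS_ID, not here.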
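Review bot: `vsftp:` in the 2.2.8 hunk is not a package name on RHEL — the daemon package is `vsftpd` — so `installed: false` on a name that can never be installed is satisfied on every host, including one actually running vsftpd, and 2.2.8 reports compliant unconditionally. Change the key to `vsftpd:`. Once both 2.2.7 and 2.2.8 point at the real package they probably overlap; confirm which number the RHEL 9 benchmark assigns to the FTP server and drop the duplicate.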
@@ -1,9 +1,9 @@
 {{ if not .Vars.rhel9cis_tftp_server }}
 {{ if .Vars.rhel9cis_rule_2_2_9 }}
-installed:
+package:
 tftp-server:
 title: 2.2.8 | Ensure TFTP Server is not installed
- installed: {{ false }}
+ installed: false
 meta:
 server: 1
 workstation: 1
diff --git a/section_2/cis_2.3/cis_2.3.1_5.yml b/section_2/cis_2.3/cis_2.3.1_6.yml
similarity index 83%
rename from section_2/cis_2.3/cis_2.3.1_5.yml
rename to section_2/cis_2.3/cis_2.3.1_6.yml
index 21891d3..8c3889a 100644
--- a/section_2/cis_2.3/cis_2.3.1_5.yml
+++ b/section_2/cis_2.3/cis_2.3.1_6.yml
@@ -84,3 +84,20 @@ package:
 CISv8_IG3: true
 {{ end }}
 {{ end }}
+ {{ if not .Vars.rhel9cis_tftp_client }}
+ {{ if .Vars.rhel9cis_rule_2_3_6}}
+ tftp:
+ title: 2.3.6 | Ensure TFTP client is not installed
+ installed: false
+ meta:
+ server: 1
+ workstation: NA
+ CIS_ID:
+ - 2.3.6
+ CISv8:
+ - 4.8
+ CISv8_IG1: false
+ CISv8_IG2: true
+ CISv8_IG3: true
+ {{ end }}
+ {{ end }}
diff --git a/section_3/cis_3.1/cis_3.1.1.yml b/section_3/cis_3.1/cis_3.1.1.yml
index e4c9d8c..b0da7b0 100644
--- a/section_3/cis_3.1/cis_3.1.1.yml
+++ b/section_3/cis_3.1/cis_3.1.1.yml
@@ -6,7 +6,7 @@ command:
 exec: grep ipv6 /etc/default/grub.conf
 exit-status: 0
 stdout:
- - '/(?=\S+\s(ipv6\.disable=1.*)$)^GRUB_CMDLINE_LINUX="/'
+ - '/^GRUB_CMDLINE_LINUX="(\S+\s)*(ipv6\.disable=1).*$/'
 meta:
 server: 1
 workstation: 1
@@ -20,7 +20,7 @@ command:
 title: 3.1.1 | Verify if IPv6 is enabled on the system
 exec: grep disable_ipv6 /etc/sysctl.conf /etc/sysctl.d/*
 exit-status:
- or:
+ or:
 - 0
 - 1
 stdout:
diff --git a/section_3/cis_3.1/cis_3.1.2.yml b/section_3/cis_3.1/cis_3.1.2.yml
index ee2ac5e..fdc0ea9 100644
--- a/section_3/cis_3.1/cis_3.1.2.yml
+++ b/section_3/cis_3.1/cis_3.1.2.yml
@@ -4,7 +4,7 @@ command:
 modprobe_sctp:
 title: 3.1.2 | Ensure SCTP is disabled
 exit-status: 0
- exec: 'modprobe -n -v dccp'
+ exec: 'modprobe -n -v sctp'
 stdout: ['install /bin/true']
 meta:
 server: 2
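Review bot: The unchanged `title: 2.2.8 | Ensure TFTP Server is not installed` in cis_2.2.9.yml still carries the 2.2.8 number while the file name and the `rhel9cis_rule_2_2_9` guard say 2.2.9; this commit fixes the same mismatch in 2.2.10, 5.4.2 and 5.6.1.3 but misses this one. Change it to `title: 2.2.9 | Ensure TFTP Server is not installed` so the report line matches the CIS_ID below (outside the hunk, presumably already 2.2.9).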
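Review bot: `workstation: NA` in the new 2.3.6 entry is the only non-numeric profile level in this diff; every other resource uses `1` or `2`, and anything that filters or sums the meta numerically will choke on the string. Check what the benchmark says for the TFTP client on the workstation profile and use either `workstation: 1` or whatever value the rest of the repo emits for "not applicable" — worth settling before more entries copy this one. The guard `{{ if .Vars.rhel9cis_rule_2_3_6}}` is also missing the space before `}}` that its siblings have; Go templates accept it, but it breaks simple text searches for the guard pattern.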
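Review bot: The rewritten pattern `'/^GRUB_CMDLINE_LINUX="(\S+\s)*(ipv6\.disable=1).*$/'` only matches when every argument before `ipv6.disable=1` is followed by exactly one whitespace character; two spaces between kernel arguments stop `(\S+\s)*` early and the check fails on a correctly configured host. A word-boundary match is simpler and spacing-tolerant: `- '/^GRUB_CMDLINE_LINUX=".*\bipv6\.disable=1\b/'`. The `exec` line above it greps `/etc/default/grub.conf`, whereas RHEL ships `/etc/default/grub`, and on RHEL 9 arguments set with grubby land in the BLS entries rather than that file, so `/proc/cmdline` is the more faithful source for the running system — confirm which path the remediation role writes before relying on either.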
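Review bot: With the module name corrected to `sctp`, the unchanged `stdout: ['install /bin/true']` still accepts only `/bin/true`, whereas the RHEL 9 benchmark's remediation for 3.1.2 writes `install sctp /bin/false` (plus `blacklist sctp`), so a host hardened to the current benchmark fails this check. Accept both forms with an anchored regex, `stdout: ['/^install \/bin\/(true|false)/']`, which also stops an unrelated line that merely contains the substring from satisfying the check. The `modprobe -n -v` output is the expanded install command, not the modprobe.d line, which is why the module name does not appear in the expected text.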
diff --git a/section_4/cis_4.2.1/cis_4.2.1.3.yml b/section_4/cis_4.2.1/cis_4.2.1.3.yml
index 4d0b640..69d74cb 100644
--- a/section_4/cis_4.2.1/cis_4.2.1.3.yml
+++ b/section_4/cis_4.2.1/cis_4.2.1.3.yml
@@ -10,7 +10,7 @@ file:
 server: 1
 workstation: 1
 CIS_ID:
- - 4.2.1.13
+ - 4.2.1.3
 CISv8:
 - 8.2
 - 8.9
diff --git a/section_4/cis_4.2.2/cis_4.2.2.7.yml b/section_4/cis_4.2.2/cis_4.2.2.7.yml
index b50641a..5c5a867 100644
--- a/section_4/cis_4.2.2/cis_4.2.2.7.yml
+++ b/section_4/cis_4.2.2/cis_4.2.2.7.yml
@@ -1,5 +1,5 @@
 {{ if .Vars.rhel9cis_rule_4_2_2_7 }}
-file:
+command:
 /etc/tmpfiles.d/systemd.conf:
 title: 4.2.2.7 | Ensure journald default file permissions are configured
 exec: echo "Manual - Please check journald default permissions"
diff --git a/section_5/cis_5.1/cis_5.1.8_9.yml b/section_5/cis_5.1/cis_5.1.8_9.yml
index 403becb..d7ff86b 100644
--- a/section_5/cis_5.1/cis_5.1.8_9.yml
+++ b/section_5/cis_5.1/cis_5.1.8_9.yml
@@ -27,8 +27,10 @@ file:
 CISv8_IG1: true
 CISv8_IG2: true
 CISv8_IG3: true
+{{ end }}
+{{ if .Vars.rhel9cis_rule_5_1_9 }}
 /etc/at.deny:
- title: 5.1.8 | Ensure at is restricted to authorized users
+ title: 5.1.9 | Ensure at is restricted to authorized users
 exists: false
 meta:
 server: 1
@@ -40,7 +42,7 @@ file:
 CISv8_IG2: true
 CISv8_IG3: true
 /etc/at.allow:
- title: 5.1.8 | Ensure at is restricted to authorized users
+ title: 5.1.9 | Ensure at is restricted to authorized users
 exists: true
 owner: root
 group: root
diff --git a/section_5/cis_5.2/cis_5.2.15.yml b/section_5/cis_5.2/cis_5.2.15.yml
index c257b23..a39babd 100644
--- a/section_5/cis_5.2/cis_5.2.15.yml
+++ b/section_5/cis_5.2/cis_5.2.15.yml
@@ -20,7 +20,7 @@ command:
 CISv8_IG2: true
 CISv8_IG3: true
 ssh_configd_banner:
- title: 5.3.18 | Ensure SSH warning banner configured | conf.d banner settings
+ title: 5.3.15 | Ensure SSH warning banner configured | conf.d banner settings
 exec: grep -Eis '^\s*Banner\s+"?none\b'/etc/ssh/sshd_config.d/*.conf
 exit-status:
 or:
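Review bot: Re-typing 4.2.2.7 as a `command:` whose `exec` is `echo "Manual - Please check journald default permissions"` makes the control pass on every run, since echo always exits 0, if the resource expects exit-status 0 (that line is outside the hunk); the report then claims compliance for something nobody checked. goss can record a manual control honestly with `skip: true` on the command, which lists it as skipped rather than passed. Alternatively audit the real artefact — the mode set for journal files in `/etc/tmpfiles.d/systemd.conf` or on `/var/log/journal` — with a `file:` resource, which is what the old `file:` key appears to have been reaching for.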
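Review bot: The new `{{ end }}` / `{{ if .Vars.rhel9cis_rule_5_1_9 }}` pair splits the two controls, but `/etc/at.deny:` and `/etc/at.allow:` still hang off the single `file:` key shown in the hunk header above the 5.1.8 entries; if that key sits inside the 5.1.8 guard (its `{{ if … 5_1_8 }}` is not visible here), disabling 5.1.8 while leaving 5.1.9 on emits the at.* entries with no resource type and goss rejects the file. Move `file:` above both guards so the key is emitted unconditionally, and confirm goss accepts an empty `file:` when both rules are off. The closing `{{ end }}` for the new guard is outside the hunk, presumably the one that previously closed 5.1.8.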
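Review bot: The renumbered `title: 5.3.15 | …` still disagrees with this file, `cis_5.2.15.yml`; in the RHEL 9 benchmark the SSH banner control is 5.2.15, so it should read `title: 5.2.15 | Ensure SSH warning banner configured | conf.d banner settings`. The unchanged `exec` line has a worse problem: there is no space between the quoted pattern and `/etc/ssh/sshd_config.d/*.conf`, so the shell joins them into one word, no path matches the glob, and grep receives a pattern ending in the path with no file operand — it reads stdin, never opens conf.d, and cannot see a `Banner none` override. Fix: `exec: grep -Eis '^\s*Banner\s+"?none\b' /etc/ssh/sshd_config.d/*.conf`. The `or:` exit-status list continues outside the hunk.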
diff --git a/section_5/cis_5.4/cis_5.4.2.yml b/section_5/cis_5.4/cis_5.4.2.yml
index a0d2c8d..d86fc3b 100644
--- a/section_5/cis_5.4/cis_5.4.2.yml
+++ b/section_5/cis_5.4/cis_5.4.2.yml
@@ -18,7 +18,7 @@ command:
 CISv8_IG3: true
 file:
 /etc/authselect/authselect.conf:
- title: 5.3.3 | Ensure authselect includes with-faillock
+ title: 5.4.2 | Ensure authselect includes with-faillock
 exists: true
 contains:
 - '/^with-faillock/'
@@ -26,7 +26,7 @@ file:
 server: 1
 workstation: 1
 CIS_ID:
- - 5.3.3
+ - 5.4.2
 CISv8: 4.1
 CISv8_IG1: true
 CISv8_IG2: true
diff --git a/section_5/cis_5.6/cis_5.6.1.3.yml b/section_5/cis_5.6/cis_5.6.1.3.yml
index f9c884b..81ea6a5 100644
--- a/section_5/cis_5.6/cis_5.6.1.3.yml
+++ b/section_5/cis_5.6/cis_5.6.1.3.yml
@@ -1,7 +1,7 @@
 {{ if .Vars.rhel9cis_rule_5_6_1_3 }}
 command:
 login_defs_warn_age:
- title: 5.5.1.3 | Ensure password expiration warning days is 7 or more
+ title: 5.6.1.3 | Ensure password expiration warning days is 7 or more
 exec: grep PASS_WARN_AGE /etc/login.defs
 exit-status: 0
 stdout:
@@ -11,7 +11,7 @@ command:
 server: 1
 workstation: 1
 CIS_ID:
- - 5.5.1.3
+ - 5.6.1.3
 CISv8: 4.1
 CISv8_IG1: true
 CISv8_IG2: true
diff --git a/vars/CIS.yml b/vars/CIS.yml
index b38b597..a2361bd 100644
--- a/vars/CIS.yml
+++ b/vars/CIS.yml
@@ -156,6 +156,7 @@ rhel9cis_rule_2_3_2: true
 rhel9cis_rule_2_3_3: true
 rhel9cis_rule_2_3_4: true
 rhel9cis_rule_2_3_5: true
+rhel9cis_rule_2_3_6: true
 rhel9cis_rule_2_4: true
 # todo
@@ -492,4 +493,4 @@ rhel9cis_pass:
 rhel9cis_sugroup: wheel
 ## 5.3.7 sugroup users list
-rhel9cis_sugroup_users: "root"
\ No newline at end of file
+rhel9cis_sugroup_users: "root"