Merge pull request #1 from ansible-lockdown/devel
Initial Release
Signed-off-by: George Nalen <[email protected]>
georgenalen authored Aug 19, 2021
2 parents a04ace1 + bab2971 commit 5210f87
Showing 342 changed files with 8,057 additions and 187 deletions.
130 changes: 130 additions & 0 deletions README.md
@@ -0,0 +1,130 @@
# RHEL/CentOS 8 Goss config

## Overview

based on STIG v1r2

Set of configuration files and directories to run the first stages of STIG of RHEL/CentOS/Rocky 8 servers

This is configured in a directory structure level.

This could do with further testing but sections 1.x should be complete

Goss is run based on the goss.yml file in the top level directory. This specifies the configuration.

## variables

file: vars/stig.yml

Please refer to the file for all options and their meanings

STIG listed variable for every control/benchmark can be turned on/off or section

- other controls
enable_selinux
run_heavy_tasks

- bespoke options
If a site has specific options e.g. password complexity these can also be set.

## Usage

You must have [goss](https://github.com/aelsabbahy/goss/) available to your host you would like to test.

You must have root access to the system as some commands require privilege information.

- Run as root not sudo due to sudo and shared memory access

Assuming you have already clone this repository you can run goss from where you wish.

- full check

```sh
# {{path to your goss binary}} --vars {{ path to the vars file }} -g {{path to your clone of this repo }}/goss.yml --validate

```

example:

```sh
# /usr/local/bin/goss --vars ../vars/cis.yml -g /home/bolly/rh8_cis_goss/goss.yml validate
......FF....FF................FF...F..FF.............F........................FSSSS.............FS.F.F.F.F.........FFFFF....

Failures/Skipped:

Title: 1.6.1 Ensure core dumps are restricted (Automated)_sysctl
Command: suid_dumpable_2: exit-status:
Expected
<int>: 1
to equal
<int>: 0
Command: suid_dumpable_2: stdout: patterns not found: [fs.suid_dumpable = 0]


Title: 1.4.2 Ensure filesystem integrity is regularly checked (Automated)
Service: aidecheck: enabled:
Expected
<bool>: false
to equal
<bool>: true
Service: aidecheck: running:
Expected
<bool>: false
to equal
<bool>: true

< ---------cut ------- >

Title: 1.1.22 Ensure sticky bit is set on all world-writable directories
Command: version: exit-status:
Expected
<int>: 0
to equal
<int>: 123

Total Duration: 5.102s
Count: 124, Failed: 21, Skipped: 5

```

- running a particular section of tests

```sh
# /usr/local/bin/goss -g /home/bolly/rh8_cis_goss/section_1/cis_1.1/cis_1.1.22.yml validate
............

Total Duration: 0.033s
Count: 12, Failed: 0, Skipped: 0

```

- changing the output

```sh
# /usr/local/bin/goss -g /home/bolly/rh8_cis_goss/section_1/cis_1.1/cis_1.1.22.yml validate -f documentation
Title: 1.1.20 Check for removeable media nodev
Command: floppy_nodev: exit-status: matches expectation: [0]
Command: floppy_nodev: stdout: matches expectation: [OK]
< -------cut ------- >
Title: 1.1.20 Check for removeable media noexec
Command: floppy_noexec: exit-status: matches expectation: [0]
Command: floppy_noexec: stdout: matches expectation: [OK]


Total Duration: 0.022s
Count: 12, Failed: 0, Skipped: 0
```

## Extra settings

Ability to add your own requirements is available in several sections

## further information

- [goss documentation](https://github.com/aelsabbahy/goss/blob/master/docs/manual.md#patterns)
- [STIG standards](https://public.cyber.mil/stigs/downloads/)

## Feedback required

- If using nftables or iptables rather than firewalld
- Rocky fails to update from public repos if enable FIPS due to SSL cert chain
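Review bot: the full-check template (`-g {{path to your clone of this repo }}/goss.yml --validate`) and the example directly beneath it (`... /goss.yml validate`) disagree; goss takes `validate` as a subcommand, not a `--validate` flag, so the template line should end in `validate` to match the examples. The sample runs also still carry CIS-era artefacts (`../vars/cis.yml`, `/home/bolly/rh8_cis_goss/`, `cis_1.1.22.yml`, titles such as `1.6.1 Ensure core dumps are restricted`) while the variables section points readers at `vars/stig.yml`; regenerating the samples from this repo's `cat_1` checks would keep the README consistent with the files that follow. Minor wording: "Assuming you have already clone this repository" should read "cloned", and "## variables" / "## further information" are the only lower-case headings.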
13 changes: 7 additions & 6 deletions cat_1/RHEL-08-010000.yml
@@ -1,14 +1,15 @@
{{ if .Vars.RHEL_08_010000 }}
file:
/etc/redhat-release:
title: RHEL-08-010000 | RHEL 8 must be a vendor-supported release.
exists: true
contains:
- '/.* 8.[4-8]/'
meta:
- Cat: 1
- CCI: CCI-000366
- Group_Title: SRG-OS-000480-GPOS-00227
- Rule_ID: SV-230221r627750_rule
- STIG_ID: RHEL-08-010000
- Vul_ID: V-230221
Cat: 1
CCI: CCI-000366
Group_Title: SRG-OS-000480-GPOS-00227
Rule_ID: SV-230221r627750_rule
STIG_ID: RHEL-08-010000
Vul_ID: V-230221
{{ end }}
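Review bot: `contains: - '/.* 8.[4-8]/'` hard-codes the vendor-supported range as 8.4 through 8.8, so this Cat 1 check will start failing on 8.9 and later releases even though they are supported, and the unescaped `.` before `[4-8]` matches any character rather than a literal dot. Matching the major version (`/ 8\.[0-9]+/`) and carrying the minimum minor release in a var would avoid a code change every time the supported range moves. The switch from a list of single-key maps under `meta:` to a plain map is the right fix: goss expects `meta` to be a map, and the list form was silently producing unusable metadata.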
38 changes: 19 additions & 19 deletions cat_1/RHEL-08-010020.yml
Expand Up @@ -8,35 +8,35 @@ command:
- '!/.*disabled/'
- '/.*enabled/'
meta:
- Cat: 1
- CCI: CCI-000068
- Rule_ID: SV-230223r627750_rule
- STIG_ID: RHEL-08-010020
- Vul_ID: V-230223
Cat: 1
CCI: CCI-000068
Rule_ID: SV-230223r627750_rule
STIG_ID: RHEL-08-010020
Vul_ID: V-230223
fips_live:
title: RHEL-08-010020 | Verify the operating system implements DoD-approved encryption to protect the confidentiality of remote access sessions | fips_kernel
exec: grub2-editenv - list | grep fip
exit-status: 0
stdout:
- '/^kernelopts+.*fips=1'
- '/^kernelopts+.*fips=0'
meta:
- Cat: 1
- CCI: CCI-000068
- Rule_ID: SV-230223r627750_rule
- STIG_ID: RHEL-08-010020
- Vul_ID: V-230223
- '/^kernelopts+.*fips=1/'
- '!/^kernelopts+.*fips=0/'
meta:
Cat: 1
CCI: CCI-000068
Rule_ID: SV-230223r627750_rule
STIG_ID: RHEL-08-010020
Vul_ID: V-230223
file:
/proc/sys/crypto/fips_enabled:
title: RHEL-08-010020 | Verify the operating system implements DoD-approved encryption to protect the confidentiality of remote access sessions | fips_process
exists: true
contains:
- '1'
meta:
- Cat: 1
- CCI: CCI-000068
- Group_Title: SRG-OS-000033-GPOS-00014
- Rule_ID: SV-230223r627750_rule
- STIG_ID: RHEL-08-010020
- Vul_ID: V-230223
Cat: 1
CCI: CCI-000068
Group_Title: SRG-OS-000033-GPOS-00014
Rule_ID: SV-230223r627750_rule
STIG_ID: RHEL-08-010020
Vul_ID: V-230223
{{ end }}
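Review bot: the `fips_live` stdout patterns were previously missing their closing `/` (`'/^kernelopts+.*fips=1'`), so the new `'/^kernelopts+.*fips=1/'` and negated `'!/^kernelopts+.*fips=0/'` are a real fix, but the `+` in `kernelopts+` only repeats the trailing `s` and does nothing the following `.*` does not already do; `'/^kernelopts=.*\bfips=1\b/'` is tighter and cannot be satisfied by a value such as `fips=10`. Two caveats worth recording in the title or a comment: `exec: grub2-editenv - list | grep fip` has no `timeout:` unlike the `dnf` checks in 010370 and 010371, and on a host whose kernel arguments are not stored in the grubenv `kernelopts` variable `grep` finds nothing and exits 1, so the `exit-status: 0` expectation fails for a reason unrelated to FIPS; the `/proc/sys/crypto/fips_enabled` file check is the authoritative signal and should be the one that drives the verdict.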
28 changes: 20 additions & 8 deletions cat_1/RHEL-08-010140.yml
Expand Up @@ -2,16 +2,28 @@
{{ if .Vars.RHEL_08_010140 }}
file:
{{ .Vars.rhel8stig_bootloader_path }}/user.cfg:
title: RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.
title: RHEL-08-010140 | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | user_cfg
exists: true
contains:
- '/^GRUB2_PASSWORD=grub.pbkdf2.sha512.{{ .Vars.rhel8stig_password_hash }}/'
- '/^GRUB2_PASSWORD={{ .Vars.rhel8stig_password_hash }}/'
meta:
- Cat: 1
- CCI: CCI-000213
- Group_Title: SRG-OS-000080-GPOS-00048
- Rule_ID: SV-230234r627750_rule
- STIG_ID: RHEL-08-010140
- Vul_ID: V-230234
Cat: 1
CCI: CCI-000213
Group_Title: SRG-OS-000080-GPOS-00048
Rule_ID: SV-230234r627750_rule
STIG_ID: RHEL-08-010140
Vul_ID: V-230234
{{ .Vars.rhel8stig_bootloader_path }}/grub.cfg:
title: RHEL-08-010140 | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | grub_cfg
exists: true
contains:
- '/^set superusers="{{ .Vars.rhel8stig_boot_superuser }}/'
meta:
Cat: 1
CCI: CCI-000213
Group_Title: SRG-OS-000080-GPOS-00048
Rule_ID: SV-230234r627750_rule
STIG_ID: RHEL-08-010140
Vul_ID: V-230234
{{ end }}
{{ end }}
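Review bot: the new `grub.cfg` pattern `'/^set superusers="{{ .Vars.rhel8stig_boot_superuser }}/'` stops before the closing quote, so with `rhel8stig_boot_superuser: root` a line `set superusers="root2"` would pass; end the pattern with `"/`. The `user.cfg` change drops the `grub.pbkdf2.sha512.` prefix and now requires `rhel8stig_password_hash` to hold the complete hash, which is inserted into the regex unescaped (every `.` in the hash becomes a wildcard) and, because PBKDF2 hashes are salted per `grub2-mkpasswd-pbkdf2` run, forces every host to carry the identical hash before the check can pass. If the intent is only to prove a bootloader password is set, `'/^GRUB2_PASSWORD=grub\.pbkdf2\.sha512\./'` does that without keeping a hash in vars; if the intent really is to pin the hash, document that in the vars file.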
28 changes: 20 additions & 8 deletions cat_1/RHEL-08-010150.yml
Expand Up @@ -2,16 +2,28 @@
{{ if .Vars.RHEL_08_010150 }}
file:
{{ .Vars.rhel8stig_bootloader_path }}/user.cfg:
title: RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.
title: RHEL-08-010150 | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | user_cfg
exists: true
contains:
- '/^GRUB2_PASSWORD=grub.pbkdf2.sha512.{{ .Vars.rhel8stig_password_hash }}/'
- '/^GRUB2_PASSWORD={{ .Vars.rhel8stig_password_hash }}/'
meta:
- Cat: 1
- CCI: CCI-000213
- Group_Title: SRG-OS-000080-GPOS-00048
- Rule_ID: SV-230235r627750_rule
- STIG_ID: RHEL-08-010150
- Vul_ID: V-230235
Cat: 1
CCI: CCI-000213
Group_Title: SRG-OS-000080-GPOS-00048
Rule_ID: SV-230235r627750_rule
STIG_ID: RHEL-08-010150
Vul_ID: V-230235
{{ .Vars.rhel8stig_bootloader_path }}/grub.cfg:
title: RHEL-08-010150 | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | grub_cfg
exists: true
contains:
- '/^set superusers="{{ .Vars.rhel8stig_boot_superuser }}/'
meta:
Cat: 1
CCI: CCI-000213
Group_Title: SRG-OS-000080-GPOS-00048
Rule_ID: SV-230235r627750_rule
STIG_ID: RHEL-08-010150
Vul_ID: V-230235
{{ end }}
{{ end }}
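Review bot: this file is the 010140 change with only the IDs swapped, including the title text "booted with United Extensible Firmware Interface (UEFI)"; RHEL-08-010150 (V-230235) is the BIOS-booted counterpart of 010140, so the title should be taken from the STIG text for V-230235 rather than copied from V-230234, otherwise reports will describe the wrong boot mode. The same two regex points apply here: the `set superusers=` pattern lacks its closing `"`, and the `GRUB2_PASSWORD` match pins a per-host salted hash through an unescaped var.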
44 changes: 23 additions & 21 deletions cat_1/RHEL-08-010370.yml
@@ -1,44 +1,46 @@
{{ if .Vars.RHEL_08_010370 }}
command:
gpg_check_default:
title: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | dnf_running
title: RHEL-08-010370 | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | dnf_running
exec: dnf config-manager --dump | grep gpgcheck
timeout: {{ .Vars.timeout_ms }}
exit-status: 0
stdout:
- '/^gpgcheck.*1/'
- '!/^gpgcheck.*0/'
meta:
- Cat: 1
- CCI: CCI-001749
- Group_Title: SRG-OS-000366-GPOS-00153
- Rule_ID: SV-230264r627750_rule
- STIG_ID: RHEL-08-010370
- Vul_ID: V-230264
Cat: 1
CCI: CCI-001749
Group_Title: SRG-OS-000366-GPOS-00153
Rule_ID: SV-230264r627750_rule
STIG_ID: RHEL-08-010370
Vul_ID: V-230264
gpg_check_repos:
title: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | repo_check
title: RHEL-08-010370 | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | repo_check
exec: grep -cR '.*gpgcheck.*=0' /etc/yum.repos.d/*.repo
timeout: {{ .Vars.timeout_ms }}
exit-status: 1
stdout:
- '!/.*[1-9][0-9]*$/'
meta:
- Cat: 1
- CCI: CCI-001749
- Group_Title: SRG-OS-000366-GPOS-00153
- Rule_ID: SV-230264r627750_rule
- STIG_ID: RHEL-08-010370
- Vul_ID: V-230264
Cat: 1
CCI: CCI-001749
Group_Title: SRG-OS-000366-GPOS-00153
Rule_ID: SV-230264r627750_rule
STIG_ID: RHEL-08-010370
Vul_ID: V-230264
file:
/etc/dnf/dnf.conf:
title: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | dnf_conf
title: RHEL-08-010370 | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | dnf_conf
exists: true
contains:
- '/^gpgcheck.*1/'
- '!/^gpgcheck.*0/'
meta:
- Cat: 1
- CCI: CCI-001749
- Group_Title: SRG-OS-000366-GPOS-00153
- Rule_ID: SV-230264r627750_rule
- STIG_ID: RHEL-08-010370
- Vul_ID: V-230264
Cat: 1
CCI: CCI-001749
Group_Title: SRG-OS-000366-GPOS-00153
Rule_ID: SV-230264r627750_rule
STIG_ID: RHEL-08-010370
Vul_ID: V-230264
{{ end }}
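Review bot: `exec: grep -cR '.*gpgcheck.*=0' /etc/yum.repos.d/*.repo` in `gpg_check_repos` is unanchored, so it also counts `repo_gpgcheck=0` and `localpkg_gpgcheck=0` lines and commented-out `# gpgcheck=0` entries, and will fail repositories that are compliant for the control this file covers; `'^\s*gpgcheck\s*=\s*0'` targets only the key in question. With `-c -R` the output is one `file:count` line per repo file, which the `'!/.*[1-9][0-9]*$/'` pattern handles, but when the glob matches no files grep exits 2 and the `exit-status: 1` expectation fails with a message that says nothing about a missing repo directory; a short comment on that case would save someone a debugging session. The `RHEL-08-010370 |` title prefix and the `meta:` map change are consistent with the rest of `cat_1`.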
29 changes: 15 additions & 14 deletions cat_1/RHEL-08-010371.yml
@@ -1,31 +1,32 @@
{{ if .Vars.RHEL_08_010371 }}
command:
localpkg_gpg_check_default:
title: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | dnf_runnig
title: RHEL-08-010371 | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | dnf_running
exec: dnf config-manager --dump | grep gpgcheck
timeout: {{ .Vars.timeout_ms }}
exit-status: 0
stdout:
- '/^localpkg_gpgcheck.*(1|[tT]rue|yes)/'
- '!/^localpkg_gpgcheck.*(0|[fF]alse|no)/'
meta:
- Cat: 1
- CCI: CCI-001749
- Group_Title: SRG-OS-000366-GPOS-00153
- Rule_ID: SV-230265r627750_rule
- STIG_ID: RHEL-08-010371
- Vul_ID: V-230265
Cat: 1
CCI: CCI-001749
Group_Title: SRG-OS-000366-GPOS-00153
Rule_ID: SV-230265r627750_rule
STIG_ID: RHEL-08-010371
Vul_ID: V-230265
file:
/etc/dnf/dnf.conf:
title: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | dnf_conf
title: RHEL-08-010371 | RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | dnf_conf
exists: true
contains:
- '/^localpkg_gpgcheck.*(1|[tT]rue|yes)/'
- '!/^localpkg_gpgcheck.*(0|[fF]alse|no)/'
meta:
- Cat: 1
- CCI: CCI-001749
- Group_Title: SRG-OS-000366-GPOS-00153
- Rule_ID: SV-230265r627750_rule
- STIG_ID: RHEL-08-010371
- Vul_ID: V-230265
Cat: 1
CCI: CCI-001749
Group_Title: SRG-OS-000366-GPOS-00153
Rule_ID: SV-230265r627750_rule
STIG_ID: RHEL-08-010371
Vul_ID: V-230265
{{ end }}
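Review bot: both checks here depend on `dnf config-manager`, which comes from the `dnf-plugins-core` package rather than dnf itself; on a minimal host without that package the command exits non-zero and `localpkg_gpg_check_default` fails for a reason unrelated to `localpkg_gpgcheck`. A `package:` test for `dnf-plugins-core` alongside this check, or a note in the title, keeps the failure message honest. The `dnf_runnig` -> `dnf_running` title fix is good; `config-manager --dump` normally prints the effective boolean as `1`/`0`, so the `[tT]rue|yes` and `[fF]alse|no` alternatives mostly matter for the `/etc/dnf/dnf.conf` file check, where an admin may have typed the value by hand.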