Merge pull request #38 from ansible-lockdown/v1_update

V1 update
ansible-lockdown · Nov 4, 2024 · 85f516f · 85f516f
2 parents d5f6432 + 618eaa9
commit 85f516f
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 110 deletions.
diff --git a/README.md b/README.md
@@ -4,135 +4,46 @@
 
 ### Based on CIS Ubuntu Linux 22.04 LTS Benchmark v1.0.0 [Release](https://learn.cisecurity.org/l/799323/2022-09-15/3l9d2k)
 
-Set of configuration files and directories to run the first stages of CIS of Ubuntu 20.04 servers
+Set of configuration files and directories to run the first stages of CIS of Ubuntu 22.04 servers
 
 This is configured in a directory structure level.
 
 This could do with further testing but sections 1.x should be complete
 
 Goss is run based on the goss.yml file in the top level directory. This specifies the configuration.
 
-## variables
-
-file: vars/cis.yml
-
-Please refer to the file for all options and their meanings
-
-CIS listed variable for every control/benchmark can be turned on/off or section
-
-- other controls
-enable_selinux
-run_heavy_tasks
-
-- bespoke options
-If a site has specific options e.g. password complexity these can also be set.
-
 ## Requirements
 
-goss >= 0.4.4
-root privileges
-
-## Branches
-
-If running as part of the ansible playbook, this will pull in the relevant branch for the version of benchmark you are remediating.
-
-- e.g. v1.2 will pull in branch benchmark_v1.2
-
-Devel is normally the latest benchmark, so maybe different from the version of benchmark you wish to test. Details will show in the README.
-
-## Usage
-
 You must have [goss](https://github.com/goss-org/goss/) available to your host you would like to test.
 
-- Run as root not sudo due to sudo and shared memory access
+You must have sudo/root access to the system as some commands require privilege information.
 
 Assuming you have already clone this repository you can run goss from where you wish.
 
-- full check
-
-```sh
-# {{path to your goss binary}} --vars {{ path to the vars file }} -g {{path to your clone of this repo }}/goss.yml --validate
-
-```
+Please refer to the audit documentation for usage.
 
-example:
+- [readthedocs](https://ansible-lockdown.readthedocs.io/en/latest/)
 
-```sh
-# /usr/local/bin/goss --vars ../vars/cis.yml -g /home/bolly/rh8_cis_goss/goss.yml validate
-......FF....FF................FF...F..FF.............F........................FSSSS.............FS.F.F.F.F.........FFFFF....
+This also works alongside the [Ansible Lockdown UBUNTU22-CIS role](https://github.com/ansible-lockdown/UBUNTU22-CIS)
 
-Failures/Skipped:
+Which will:
 
-Title: 1.6.1 Ensure core dumps are restricted (Automated)_sysctl
-Command: suid_dumpable_2: exit-status:
-Expected
-    <int>: 1
-to equal
-    <int>: 0
-Command: suid_dumpable_2: stdout: patterns not found: [fs.suid_dumpable = 0]
+- install
+- audit
+- remediate
+- audit
 
+## Join us
 
-Title: 1.4.2 Ensure filesystem integrity is regularly checked (Automated)
-Service: aidecheck: enabled:
-Expected
-    <bool>: false
-to equal
-    <bool>: true
-Service: aidecheck: running:
-Expected
-    <bool>: false
-to equal
-    <bool>: true
+On our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users
 
-< ---------cut ------- >
+Set of configuration files and directories to run the first stages of CIS of Ubuntu 22 servers
 
-Title: 1.1.22 Ensure sticky bit is set on all world-writable directories
-Command: version: exit-status:
-Expected
-    <int>: 0
-to equal
-    <int>: 123
-
-Total Duration: 5.102s
-Count: 124, Failed: 21, Skipped: 5
-
-```
-
-- running a particular section of tests
-
-```sh
-# /usr/local/bin/goss -g /home/bolly/rh8_cis_goss/section_1/cis_1.1/cis_1.1.22.yml  validate
-............
-
-Total Duration: 0.033s
-Count: 12, Failed: 0, Skipped: 0
-
-```
-
-- changing the output
-
-```sh
-# /usr/local/bin/goss -g /home/bolly/rh8_cis_goss/section_1/cis_1.1/cis_1.1.22.yml  validate -f documentation
-Title: 1.1.20 Check for removeable media nodev
-Command: floppy_nodev: exit-status: matches expectation: [0]
-Command: floppy_nodev: stdout: matches expectation: [OK]
-< -------cut ------- >
-Title: 1.1.20 Check for removeable media noexec
-Command: floppy_noexec: exit-status: matches expectation: [0]
-Command: floppy_noexec: stdout: matches expectation: [OK]
-
-
-Total Duration: 0.022s
-Count: 12, Failed: 0, Skipped: 0
-```
-
-## Extra settings
+This is configured in a directory structure level.
 
-Ability to add your own requirements is available in several sections
+Goss is run based on the goss.yml file in the top level directory. This specifies the configuration.
 
 ## further information
 
-- [goss documentation](https://github.com/goss-org/goss/blob/master/README.md)
+- [goss documentation](https://github.com/aelsabbahy/goss/blob/master/docs/manual.md#patterns)
 - [CIS standards](https://www.cisecurity.org)
-
-## Feedback required
diff --git a/section_1/cis_1.6/cis_1.6.1.3.yml b/section_1/cis_1.6/cis_1.6.1.3.yml
@@ -5,7 +5,7 @@
 command:
   apparmor_enf_or_comp:
     title: 1.6.1.3 | Ensure all AppArmor Profiles are in enforce or complain mode | profile
-    exec: LOADED=`apparmor_status | grep 'profiles are loaded' | awk '{print $1}'` && ENFORCE=`apparmor_status | grep 'profiles are in enforce mode.' | awk '{print $1}'` && COMPLAIN=`apparmor_status | grep 'profiles are in complain mode.' | awk '{print $1}'` && if [ $((LOADED + COMPLAIN)) != "$ENFORCE" ]; then echo "Profiles Error";fi
+    exec: LOADED=`apparmor_status | grep 'profiles are loaded' | awk '{print $1}'` && ENFORCE=`apparmor_status | grep 'profiles are in enforce mode.' | awk '{print $1}'` && COMPLAIN=`apparmor_status | grep 'profiles are in complain mode.' | awk '{print $1}'` && if [ $((ENFORCE + COMPLAIN)) != "$LOADED " ]; then echo "Profiles Error";fi
     exit-status: 0
     stdout:
     - '!/Profiles Error/'

diff --git a/section_5/cis_5.3/cis_5.3.3.yml b/section_5/cis_5.3/cis_5.3.3.yml
@@ -1,13 +1,13 @@
 {{ if .Vars.ubtu22cis_level_1 }}
   {{ if .Vars.ubtu22cis_rule_5_3_3 }}
 command:
-  log_sudoers_d: 
+  log_sudoers_d:
     title: 5.3.3 | Ensure sudo log file exists | sudoers.d
-    exec: "grep -Ec '^Defaults logfile=/var/log/*.log' /etc/sudoers /etc/sudoers.d/.*/" 
-    exit-status: 
+    exec: "grep -Ec '^Defaults logfile=/var/log/*.log' /etc/sudoers /etc/sudoers.d/.*/"
+    exit-status:
       lt: 3
     stdout:
-    - '/[1:99]/'
+    - '/[1-99]/'
     meta:
       server: 1
       workstation: 1