From b412ca458e1f2bc13e1445fd05873af4208cd7bf Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Nov 2024 11:55:21 +0000 Subject: [PATCH 1/4] updated to new format Signed-off-by: Mark Bolwell --- README.md | 120 +++++++----------------------------------------------- 1 file changed, 15 insertions(+), 105 deletions(-) diff --git a/README.md b/README.md index c63446d..3dc1bc2 100644 --- a/README.md +++ b/README.md 
@@ -12,128 +12,38 @@ This could do with further testing but sections 1.x should be complete Goss is run based on the goss.yml file in the top level directory. This specifies the configuration. -## variables - -file: vars/cis.yml - -Please refer to the file for all options and their meanings - -CIS listed variable for every control/benchmark can be turned on/off or section - -- other controls -enable_selinux -run_heavy_tasks - -- bespoke options -If a site has specific options e.g. password complexity these can also be set. - ## Requirements -goss >= 0.4.4 -root privileges - -## Branches - -If running as part of the ansible playbook, this will pull in the relevant branch for the version of benchmark you are remediating. - -- e.g. v1.0.0 will pull in branch benchmark-v1.0.0 - -Devel is normally the latest benchmark version, so maybe different from the version of benchmark you wish to test. -Details will show in the README as to the benchmark for the version it is written for. - -## Usage - You must have [goss](https://github.com/goss-org/goss/) available to your host you would like to test. -- Run as root not sudo due to sudo and shared memory access +You must have sudo/root access to the system as some commands require privilege information. Assuming you have already clone this repository you can run goss from where you wish. -- full check - -```sh -# {{path to your goss binary}} --vars {{ path to the vars file }} -g {{path to your clone of this repo }}/goss.yml --validate - -``` +Please refer to the audit documentation for usage. -example: +- [readthedocs](https://ansible-lockdown.readthedocs.io/en/latest/) -```sh -# /usr/local/bin/goss --vars ../vars/cis.yml -g /home/bolly/rh8_cis_goss/goss.yml validate -......FF....FF................FF...F..FF.............F........................FSSSS.............FS.F.F.F.F.........FFFFF.... 
+This also works alongside the [Ansible Lockdown UBUNTU22-CIS role](https://github.com/ansible-lockdown/UBUNTU22-CIS) -Failures/Skipped: +Which will: -Title: 1.6.1 Ensure core dumps are restricted (Automated)_sysctl -Command: suid_dumpable_2: exit-status: -Expected - : 1 -to equal - : 0 -Command: suid_dumpable_2: stdout: patterns not found: [fs.suid_dumpable = 0] +- install +- audit +- remediate +- audit +## Join us -Title: 1.4.2 Ensure filesystem integrity is regularly checked (Automated) -Service: aidecheck: enabled: -Expected - : false -to equal - : true -Service: aidecheck: running: -Expected - : false -to equal - : true +On our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users -< ---------cut ------- > +Set of configuration files and directories to run the first stages of CIS of RHEL 9 servers -Title: 1.1.22 Ensure sticky bit is set on all world-writable directories -Command: version: exit-status: -Expected - : 0 -to equal - : 123 - -Total Duration: 5.102s -Count: 124, Failed: 21, Skipped: 5 - -``` - -- running a particular section of tests - -```sh -# /usr/local/bin/goss -g /home/bolly/rh8_cis_goss/section_1/cis_1.1/cis_1.1.22.yml validate -............ - -Total Duration: 0.033s -Count: 12, Failed: 0, Skipped: 0 - -``` - -- changing the output - -```sh -# /usr/local/bin/goss -g /home/bolly/rh8_cis_goss/section_1/cis_1.1/cis_1.1.22.yml validate -f documentation -Title: 1.1.20 Check for removeable media nodev -Command: floppy_nodev: exit-status: matches expectation: [0] -Command: floppy_nodev: stdout: matches expectation: [OK] -< -------cut ------- > -Title: 1.1.20 Check for removeable media noexec -Command: floppy_noexec: exit-status: matches expectation: [0] -Command: floppy_noexec: stdout: matches expectation: [OK] - - -Total Duration: 0.022s -Count: 12, Failed: 0, Skipped: 0 -``` - -## Extra settings +This is configured in a directory structure level. 
-Ability to add your own requirements is available in several sections +Goss is run based on the goss.yml file in the top level directory. This specifies the configuration. ## further information -- [goss documentation](https://github.com/goss-org/goss/blob/master/README.md) +- [goss documentation](https://github.com/aelsabbahy/goss/blob/master/docs/manual.md#patterns) - [CIS standards](https://www.cisecurity.org) - -## Feedback required From 883b2e4d5932514839a6e92855a2acce9334a1a7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Nov 2024 12:02:45 +0000 Subject: [PATCH 2/4] fixed typo thanks to #36 @Rafouf69 Signed-off-by: Mark Bolwell --- section_5/cis_5.2/cis_5.2.3.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/section_5/cis_5.2/cis_5.2.3.yml b/section_5/cis_5.2/cis_5.2.3.yml index 08b49fa..ffc93fc 100644 --- a/section_5/cis_5.2/cis_5.2.3.yml +++ b/section_5/cis_5.2/cis_5.2.3.yml @@ -9,7 +9,7 @@ command: exit-status: lt: 3 stdout: - - '/[1:99]/' + - '/[1-99]/' meta: server: 1 workstation: 1 From 2bed26431d526cb841363bb24b2f79e2671f327d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Nov 2024 12:03:02 +0000 Subject: [PATCH 3/4] fixed typo thanks to #34 @Rafouf69 Signed-off-by: Mark Bolwell --- section_1/cis_1.3.1/cis_1.3.1.3.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/section_1/cis_1.3.1/cis_1.3.1.3.yml b/section_1/cis_1.3.1/cis_1.3.1.3.yml index 909635c..309ea5b 100644 --- a/section_1/cis_1.3.1/cis_1.3.1.3.yml +++ b/section_1/cis_1.3.1/cis_1.3.1.3.yml 
@@ -6,7 +6,7 @@ command: apparmor_enf_or_comp: title: 1.3.1.3 | Ensure all AppArmor Profiles are in enforce or complain mode | profile - exec: LOADED=`apparmor_status | grep 'profiles are loaded' | awk '{print $1}'` && ENFORCE=`apparmor_status | grep 'profiles are in enforce mode.' | awk '{print $1}'` && COMPLAIN=`apparmor_status | grep 'profiles are in complain mode.' | awk '{print $1}'` && if [ $((LOADED + COMPLAIN)) != "$ENFORCE" ]; then echo "Profiles Error";fi + exec: LOADED=`apparmor_status | grep 'profiles are loaded' | awk '{print $1}'` && ENFORCE=`apparmor_status | grep 'profiles are in enforce mode.' | awk '{print $1}'` && COMPLAIN=`apparmor_status | grep 'profiles are in complain mode.' | awk '{print $1}'` && if [ $((ENFORCE + COMPLAIN)) != "$LOADED " ]; then echo "Profiles Error";fi exit-status: 0 stdout: - '!/Profiles Error/' From 574fc437027d500ffa6236d0cdf4ee2dc4c438c3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Nov 2024 12:10:08 +0000 Subject: [PATCH 4/4] updated typos Signed-off-by: Mark Bolwell --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 3dc1bc2..b9a4096 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ ### Based on CIS Ubuntu Linux 22.04 LTS Benchmark v2.0.0 [Release](https://downloads.cisecurity.org/#/) -Set of configuration files and directories to run the first stages of CIS of Ubuntu 20.04 servers +Set of configuration files and directories to run the first stages of CIS of Ubuntu 22.04 servers This is configured in a directory structure level. @@ -37,7 +37,7 @@ Which will: On our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users -Set of configuration files and directories to run the first stages of CIS of RHEL 9 servers +Set of configuration files and directories to run the first stages of CIS of UBUNTU 22 servers This is configured in a directory structure level.
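Review bot: in the README hunk of patch 1 (`@@ -12,128 +12,38 @@`) the added closing lines are wrong for this repository and duplicate text that is already at the top of the file: `+Set of configuration files and directories to run the first stages of CIS of RHEL 9 servers` names RHEL 9 in an Ubuntu 22.04 repo (patch 4 later has to rewrite it), and the added `+This is configured in a directory structure level.` and `+Goss is run based on the goss.yml file in the top level directory. This specifies the configuration.` repeat the sentences visible in this hunk's own leading context. Drop those three added lines here rather than patching them again later in the series. Two things the rewrite loses that users will want back: the `goss >= 0.4.4` minimum from the removed Requirements block (the new text only says goss must be "available"), and the removed caveat about running as root rather than via sudo because of shared memory access, which the replacement sentence "You must have sudo/root access to the system as some commands require privilege information." does not preserve; if the sudo and shared-memory problem still applies, keep the original wording, and "privilege information" should read "privileges" either way. The goss documentation link also moves from the goss-org/goss README back to the older aelsabbahy/goss path; keep the goss-org URL (docs/manual.md#patterns under it if the patterns anchor is the intent). Nit in unchanged context: "Assuming you have already clone this repository" should read "cloned".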
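Review bot: in the section_5/cis_5.2/cis_5.2.3.yml hunk, `- '/[1-99]/'` still does not express a numeric range: inside a goss `/.../` pattern, `[1-99]` is a character class matching a single character in 1-9 (the second `9` is redundant), so any output containing one digit 1-9 satisfies it, including values such as 100 or 250 that the control presumably wants to reject. If the intent is an integer from 1 to 99, anchor the number and spell out both lengths, e.g. `- '/^([1-9]|[1-9][0-9])$/'`; if the value is embedded in other text so that line anchors cannot be used, bound it with `\b` instead. A short comment in the yml stating the intended range would have made the original `[1:99]` typo obvious at review time.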
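Review bot: in the section_1/cis_1.3.1/cis_1.3.1.3.yml hunk the corrected comparison has a trailing space inside the quotes, `"$LOADED "`, so `[ $((ENFORCE + COMPLAIN)) != "$LOADED " ]` compares for example `5` with `5 ` and is always true; the command echoes `Profiles Error` on every host and the control can never pass, which defeats the purpose of the fix (the operand swap itself, summing enforce and complain and comparing to loaded, is the right correction). It should be `"$LOADED"`, and since these are counts, an integer test is safer than string inequality: `if [ "$((ENFORCE + COMPLAIN))" -ne "$LOADED" ]; then echo "Profiles Error"; fi`. Note that if any of the three `grep` calls matches nothing, the `&&` chain stops with a non-zero status and no echo, so the check then fails on `exit-status: 0` rather than on the pattern; that is fail-closed behaviour, but worth a comment in the file so the next reader does not "fix" it.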
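Review bot: in the second README hunk of patch 4 (`@@ -37,7 +37,7 @@`), replacing RHEL 9 with `UBUNTU 22` corrects the distribution but leaves the duplicate in place: `+Set of configuration files and directories to run the first stages of CIS of UBUNTU 22 servers` repeats the sentence the first hunk of this patch fixes at line 7, with different casing and version wording ("Ubuntu 22.04" there, "UBUNTU 22" here), and is followed by a second copy of `This is configured in a directory structure level.`. Delete this trailing block instead of correcting it, or at minimum use the same "Ubuntu 22.04" form so the README states one distribution string. Since patch 1 of this series introduced the RHEL 9 line, folding this fix into patch 1 would avoid an intermediate commit that ships a README naming the wrong distribution.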