Merge pull request #33 from ansible-lockdown/fixes_v2.0.0

Fixes v2.0.0
ansible-lockdown · Sep 6, 2024 · e74cd19 · e74cd19
2 parents 2cf2ba9 + e197d74
commit e74cd19
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 6 deletions.
diff --git a/run_audit.sh b/run_audit.sh
@@ -17,14 +17,15 @@
 #               benchmark vars moved
 # December 2023 Added goss version and testing
 # April 2024    Updating of OS discovery to work for all supported OSs
+# August 2024   Improve failure capture
 
 # Variables in upper case tend to be able to be adjusted
 # lower case variables are discovered or built from other variables
 
 # Goss benchmark variables (these should not need changing unless new release)
 BENCHMARK=CIS # Benchmark Name aligns to the audit
 BENCHMARK_VER=2.0.0
-BENCHMARK_OS=UBUNTU22
+BENCHMARK_OS=RHEL9
 
 # Goss host Variables
 AUDIT_BIN="${AUDIT_BIN:-/usr/local/bin/goss}"  # location of the goss executable
@@ -202,12 +203,13 @@ echo
 $AUDIT_BIN -g "$audit_content_dir/$AUDIT_FILE" --vars "$varfile_path"  --vars-inline "$audit_json_vars" v $format_output > "$audit_out"
 
 # create screen output
-if [ "$(grep -c $BENCHMARK "$audit_out")" != 0 ]  || [ "$format" = junit ] || [ "$format" = tap ]; then
+if [ "$(grep -c test-count "$audit_out")" -ge 1 ]  || [ "$format" = junit ] || [ "$format" = tap ]; then
   eval $output_summary
   echo "Completed file can be found at $audit_out"
   echo "###############"
   echo "Audit Completed"
   echo "###############"
 else
-  echo -e "Fail: There were issues when running the audit please investigate $audit_out"
+  echo -e "Fail: There were issues when running the audit please investigate $audit_out";
+  exit 1
 fi
diff --git a/section_5/cis_5.3.2/cis_5.3.2.2.yml b/section_5/cis_5.3.2/cis_5.3.2.2.yml
@@ -26,7 +26,7 @@ file:
     exists: true
     contents:
     - '/^\s*auth\s+(requisite|required)\s+pam_faillock.so\s+preauth/'
-    - /^auth\s*[default=die]\s+pam_faillock.so\s+authfail/'
+    - '/^auth\s*\[default=die\]\s+pam_faillock.so\s+authfail/'
     meta:
       server: 1
       workstation: 1

diff --git a/section_5/cis_5.3.3.2/cis_5.3.3.2.6.yml b/section_5/cis_5.3.3.2/cis_5.3.3.2.6.yml
@@ -11,8 +11,8 @@ command:
       - 0
       - 1
     stdout:
-    - '/.*\:dictchk\s*=\s*1/'
-    - '!/.*\:dictchk\s*=\s*0/'
+    - '/.*\:dictcheck\s*=\s*1/'
+    - '!/.*\:dictcheck\s*=\s*0/'
     meta:
       server: 1
       workstation: 1

diff --git a/section_5/cis_5.4.2/cis_5.4.2.6.yml b/section_5/cis_5.4.2/cis_5.4.2.6.yml
@@ -7,6 +7,11 @@ command:
   root_umask_bash_profile:
     title: 5.4.2.6 | Ensure root user umask is configured
     exec: grep -i umask /root/.bash_profile /root/bashrc
+    exit-status:
+      or:
+      - 0
+      - 1
+      - 2
     stdout:
       - '/umask 00(2|7)7/'
     meta: