diff --git a/goss.yml b/goss.yml
index 1f903f6..9395970 100644
--- a/goss.yml
+++ b/goss.yml
@@ -20,7 +20,7 @@ gossfile:
 section_3/cis_3.4.3.1/*.yml: {}
 section_3/cis_3.4.3.2/*.yml: {}
 {{ if .Vars.rhel8cis_ipv6_required }}
- section_3/cis_3.4.3.2/*.yml: {}
+ section_3/cis_3.4.3.3/*.yml: {}
 {{ end }}
 {{ end }}
 {{ end }}
@@ -64,4 +64,4 @@ command:
 host_system_type: {{ .Vars.system_type }}
 benchmark_type: {{ .Vars.benchmark_type }}
 benchmark_version: {{ .Vars.benchmark_version }}
- benchmark_os: {{ .Vars.benchmark_os }}
\ No newline at end of file
+ benchmark_os: {{ .Vars.benchmark_os }}
diff --git a/section_1/cis_1.4/cis_1.4.1.yml b/section_1/cis_1.4/cis_1.4.1.yml
index 0735197..fdc5020 100644
--- a/section_1/cis_1.4/cis_1.4.1.yml
+++ b/section_1/cis_1.4/cis_1.4.1.yml
@@ -1,5 +1,6 @@
 {{ if .Vars.rhel8cis_rule_1_4_1 }}
 {{ if .Vars.rhel8cis_set_boot_pass }}
+file:
 /boot/grub2/user.cfg:
 title: 1.4.1 | Ensure bootloader password is set and permissions
 exists: true
@@ -20,4 +21,4 @@
 CISv8_IG2: true
 CISv8_IG3: true
 {{ end }}
-{{ end }}
\ No newline at end of file
+{{ end }}
diff --git a/section_1/cis_1.8/cis_1.8.2.yml b/section_1/cis_1.8/cis_1.8.2.yml
index da6f5e3..ba8d6be 100644
--- a/section_1/cis_1.8/cis_1.8.2.yml
+++ b/section_1/cis_1.8/cis_1.8.2.yml
@@ -9,7 +9,7 @@ command:
 - '/^user-db:user/'
 - '/^system-db:user/'
 - '/^file-db:\/usr\/share\/gdm\/greeter-dconf-defaults/'
- - '/^banner-message-test=\'{{ .Vars.rhel8cis_warning_banner }}\'
+ - "/^banner-message-test=\'{{ .Vars.rhel8cis_warning_banner }}\'/"
 meta:
 server: 1
 workstation: 1
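Review bot: The `/boot/grub2/user.cfg` resource that the added `file:` key now attaches verifies only `exists: true` within this hunk, so an empty or unrelated user.cfg satisfies it and the bootloader-password control is not actually checked unless lines outside the hunk do more. For the password add `contains:` with `- '/^GRUB2_PASSWORD=grub\.pbkdf2\.sha512/'`, and since the title promises permissions, `owner: root`, `group: root` and `mode: "0600"` would make the resource match its title. The resource body continues past the hunk (the file's second hunk starts at old line 20), so if those keys are already present this does not apply.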
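Review bot: The stdout pattern on the added line of the cis_1.8.2.yml hunk still matches `banner-message-test=`, but the GDM dconf key is `banner-message-text`, so this expectation can never match a correctly configured banner; the added line of the next hunk (`@@ -24,13 +24,13 @@`) carries the same typo. Separately, `\'` is not one of the escapes YAML 1.2 defines for double-quoted scalars — the libyaml-derived parser goss is built on accepts it, but stricter loaders such as PyYAML reject it — and a single quote needs no escape inside double quotes: `- "/^banner-message-text='{{ .Vars.rhel8cis_warning_banner }}'/"`. The banner text is interpolated into a regex unescaped, so any regex metacharacter in the configured banner alters the match; a plain substring expectation on the literal banner would be more robust if the variable is not itself meant as a pattern. On the context line, `grep "[org/gnome/login-screen]"` is a bracket expression matching a single character rather than the literal section header, which is worth checking separately.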
@@ -24,13 +24,13 @@ command:
 title: 1.8.2 | Ensure GDM login banner is configured
 exec: grep "[org/gnome/login-screen]" /etc/dconf/db/gdm.d/* | grep banner-message
 exit-status:
- or:
- - 0
- - 1
+ or:
+ - 0
+ - 1
 stdout:
 - '/^banner-message-enable=true/'
 - '!/^banner-message-enable=false/'
- - '/^banner-message-test=\'{{ .Vars.rhel8cis_warning_banner }}\'/'
+ - "/^banner-message-test=\'{{ .Vars.rhel8cis_warning_banner }}\'/"
 meta:
 server: 1
 workstation: 1
@@ -42,4 +42,4 @@ command:
 CISv8_IG2: true
 CISv8_IG3: true
 {{ end }}
-{{ end }}
\ No newline at end of file
+{{ end }}
diff --git a/section_1/cis_1.8/cis_1.8.3.yml b/section_1/cis_1.8/cis_1.8.3.yml
index b3cbd4b..0243f11 100644
--- a/section_1/cis_1.8/cis_1.8.3.yml
+++ b/section_1/cis_1.8/cis_1.8.3.yml
@@ -23,9 +23,9 @@ command:
 title: 1.8.3 | Ensure last logged in user display is disabled
 exec: grep "[org/gnome/login-screen]" /etc/dconf/db/gdm.d/* | grep disable-user-list
 exit-status:
- or:
- - 0
- - 1
+ or:
+ - 0
+ - 1
 stdout:
 - '/^disable-user-list=true/'
 - '!/^disable-user-list=false/'
@@ -40,4 +40,4 @@ command:
 CISv8_IG2: true
 CISv8_IG3: true
 {{ end }}
-{{ end }}
\ No newline at end of file
+{{ end }}
diff --git a/section_2/cis_2.2/cis_2.2.10.yml b/section_2/cis_2.2/cis_2.2.10.yml
index 7d65bfe..9844376 100644
--- a/section_2/cis_2.2/cis_2.2.10.yml
+++ b/section_2/cis_2.2/cis_2.2.10.yml
@@ -9,7 +9,7 @@ service:
 server: 1
 workstation: 1
 CIS_ID:
- - 2.2.9
+ - 2.2.10
 CISv8:
 - 4.8
 CISv8_IG1: false
@@ -23,7 +23,7 @@ service:
 server: 1
 workstation: 1
 CIS_ID:
- - 2.2.9
+ - 2.2.10
 CISv8:
 - 4.8
 CISv8_IG1: false
diff --git a/section_2/cis_2.2/cis_2.2.7.yml b/section_2/cis_2.2/cis_2.2.7.yml
index 5e5c84f..976e7dd 100644
--- a/section_2/cis_2.2/cis_2.2.7.yml
+++ b/section_2/cis_2.2/cis_2.2.7.yml
@@ -1,9 +1,9 @@
 {{ if not .Vars.rhel8cis_ftp_server}}
 {{ if .Vars.rhel8cis_rule_2_2_7 }}
-installed:
+package:
 ftp:
 title: 2.2.7 | Ensure FTP Server is not installed
- installed: {{ false }}
+ installed: false
 meta:
 server: 1
 workstation: 1
diff --git a/section_2/cis_2.2/cis_2.2.8.yml b/section_2/cis_2.2/cis_2.2.8.yml
index be59eca..ea3d8a6 100644
--- a/section_2/cis_2.2/cis_2.2.8.yml
+++ b/section_2/cis_2.2/cis_2.2.8.yml
@@ -1,9 +1,9 @@
 {{ if not .Vars.rhel8cis_vsftpd_server}}
 {{ if .Vars.rhel8cis_rule_2_2_8 }}
-installed:
+package:
 vsftp:
 title: 2.2.8 | Ensure VSFTP Server is not installed
- installed: {{ false }}
+ installed: false
 meta:
 server: 1
 workstation: 1
diff --git a/section_2/cis_2.2/cis_2.2.9.yml b/section_2/cis_2.2/cis_2.2.9.yml
index 9b7708a..5b05a79 100644
--- a/section_2/cis_2.2/cis_2.2.9.yml
+++ b/section_2/cis_2.2/cis_2.2.9.yml
@@ -1,9 +1,9 @@
 {{ if not .Vars.rhel8cis_tftp_server }}
 {{ if .Vars.rhel8cis_rule_2_2_9 }}
-installed:
+package:
 tftp-server:
 title: 2.2.8 | Ensure TFTP Server is not installed
- installed: {{ false }}
+ installed: false
 meta:
 server: 1
 workstation: 1
diff --git a/section_2/cis_2.3/cis_2.3.1_5.yml b/section_2/cis_2.3/cis_2.3.1_5.yml
deleted file mode 100644
index a7790cf..0000000
--- a/section_2/cis_2.3/cis_2.3.1_5.yml
+++ /dev/null
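Review bot: In the cis_2.2.8.yml hunk the key under the new `package:` resource is `vsftp:`, but the RHEL 8 package is `vsftpd`; goss treats a name rpm does not know as not installed, so `installed: false` passes even on a host where vsftpd is present and the control is silently a no-op. Rename the key to `vsftpd:`. The same failure mode applies to all three files converted here whenever a package name drifts, so it is worth confirming once that each key (`ftp`, `vsftpd`, `tftp-server`) resolves with `rpm -q` on a host where the package is installed. The cis_2.2.9.yml title on its context line still reads `2.2.8 | Ensure TFTP Server is not installed` and should be `2.2.9 | Ensure TFTP Server is not installed`.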
@@ -1,86 +0,0 @@
-package:
- {{ if not .Vars.rhel8cis_ypbind_required }}
- {{ if .Vars.rhel8cis_rule_2_3_1 }}
- ypbind:
- title: 2.3.1 | Ensure NIS Client is not installed
- installed: false
- meta:
- server: 1
- workstation: 1
- CIS_ID:
- - 2.3.1
- CISv8:
- - 4.8
- CISv8_IG1: false
- CISv8_IG2: true
- CISv8_IG3: true
- {{ end }}
- {{ end }}
- {{ if not .Vars.rhel8cis_rsh_required }}
- {{ if .Vars.rhel8cis_rule_2_3_2 }}
- telnet:
- title: 2.3.2 | Ensure rsh client is not installed
- installed: false
- meta:
- server: 1
- workstation: 1
- CIS_ID:
- - 2.3.2
- CISv8:
- - 4.8
- CISv8_IG1: false
- CISv8_IG2: true
- CISv8_IG3: true
- {{ end }}
- {{ end }}
- {{ if not .Vars.rhel8cis_talk_required }}
- {{ if .Vars.rhel8cis_rule_2_3_3 }}
- talk:
- title: 2.3.3 | Ensure talk client is not installed
- installed: false
- meta:
- server: 1
- workstation: 1
- CIS_ID:
- - 2.3.3
- CISv8:
- - 4.8
- CISv8_IG1: false
- CISv8_IG2: true
- CISv8_IG3: true
- {{ end }}
- {{ end }}
- {{ if not .Vars.rhel8cis_telnet_required }}
- {{ if .Vars.rhel8cis_rule_2_3_4 }}
- talk:
- title: 2.3.4 | Ensure telnet client is not installed
- installed: false
- meta:
- server: 1
- workstation: 1
- CIS_ID:
- - 2.3.4
- CISv8:
- - 4.8
- CISv8_IG1: false
- CISv8_IG2: true
- CISv8_IG3: true
- {{ end }}
- {{ end }}
- {{ if not .Vars.rhel8cis_openldap_clients_required }}
- {{ if .Vars.rhel8cis_rule_2_3_5}}
- openldap-clients:
- title: 2.3.5 | Ensure LDAP client is not installed
- installed: false
- meta:
- server: 1
- workstation: NA
- CIS_ID:
- - 2.3.5
- CISv8:
- - 4.8
- CISv8_IG1: false
- CISv8_IG2: true
- CISv8_IG3: true
- {{ end }}
- {{ end }}
diff --git a/section_3/cis_3.1/cis_3.1.1.yml b/section_3/cis_3.1/cis_3.1.1.yml
index 8479f71..185bc6c 100644
--- a/section_3/cis_3.1/cis_3.1.1.yml
+++ b/section_3/cis_3.1/cis_3.1.1.yml
@@ -5,7 +5,7 @@ file:
 title: 3.1.1 | Verify if IPv6 is enabled on the system
 exists: true
 contains:
- - '/(?=\S+\s(ipv6\.disable=1.*)$)^GRUB_CMDLINE_LINUX="/'
+ - '/^GRUB_CMDLINE_LINUX="(\S+\s)*(ipv6\.disable=1).*$/'
 meta:
 server: 1
 workstation: 1
@@ -20,7 +20,7 @@ command:
 title: 3.1.1 | Verify if IPv6 is enabled on the system
 exec: grep disable_ipv6 /etc/sysctl.conf /etc/sysctl.d/*
 exit-status:
- or:
+ or:
 - 0
 - 1
 stdout:
diff --git a/section_3/cis_3.1/cis_3.1.2.yml b/section_3/cis_3.1/cis_3.1.2.yml
index 60c0b07..af6f09a 100644
--- a/section_3/cis_3.1/cis_3.1.2.yml
+++ b/section_3/cis_3.1/cis_3.1.2.yml
@@ -4,7 +4,7 @@ command:
 modprobe_sctp:
 title: 3.1.2 | Ensure SCTP is disabled
 exit-status: 0
- exec: 'modprobe -n -v dccp'
+ exec: 'modprobe -n -v sctp'
 stdout: ['install /bin/true']
 meta:
 server: 2
diff --git a/section_3/cis_3.4.2/cis_3.4.2.3.yml b/section_3/cis_3.4.2/cis_3.4.2.3.yml
index 8fe072a..963fa81 100644
--- a/section_3/cis_3.4.2/cis_3.4.2.3.yml
+++ b/section_3/cis_3.4.2/cis_3.4.2.3.yml
@@ -15,4 +15,3 @@ package:
 CISv8_IG2: true
 CISv8_IG3: true
 {{ end }}
-{{ end }}
\ No newline at end of file
diff --git a/section_3/cis_3.4.2/cis_3.4.2.4.yml b/section_3/cis_3.4.2/cis_3.4.2.4.yml
index de4da6a..5fd627b 100644
--- a/section_3/cis_3.4.2/cis_3.4.2.4.yml
+++ b/section_3/cis_3.4.2/cis_3.4.2.4.yml
@@ -4,9 +4,9 @@ command:
 title: 3.4.2.4 | Ensure iptables are flushed with nftables | ipv4
 exec: iptables -L
 exit-status:
- or:
- - 0
- - 127
+ or:
+ - 0
+ - 127
 stdout:
 - '!/.*/'
 meta:
@@ -23,9 +23,9 @@ command:
 title: 3.4.2.4 | Ensure iptables are flushed with nftables | ipv6
 exec: ip6tables -L
 exit-status:
- or:
- - 0
- - 127
+ or:
+ - 0
+ - 127
 stdout:
 - '!/.*/'
 meta:
@@ -38,4 +38,4 @@ command:
 CISv8_IG1: true
 CISv8_IG2: true
 CISv8_IG3: true
-{{ end }}
\ No newline at end of file
+{{ end }}
diff --git a/section_3/cis_3.4.2/cis_3.4.2.8.yml b/section_3/cis_3.4.2/cis_3.4.2.8.yml
index d796e9f..3b8af8f 100644
--- a/section_3/cis_3.4.2/cis_3.4.2.8.yml
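Review bot: The new pattern in the cis_3.1.1.yml hunk ends in `(ipv6\.disable=1).*$` with no boundary after the `1`, so a kernel argument such as `ipv6.disable=10`, or any token that merely starts with that text, also satisfies the check. Anchoring the value, `'/^GRUB_CMDLINE_LINUX="(\S+\s)*ipv6\.disable=1(\s|")/'`, keeps the argument position-independent while rejecting those. The removed lookahead form is not supported by the Go regexp engine goss uses, so the rewrite is the right direction; this only tightens it.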
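Review bot: In the cis_3.1.2.yml hunk the stdout expectation `['install /bin/true']` on the line after the corrected exec accepts only `/bin/true`; later revisions of the RHEL 8 benchmark also list `install /bin/false` as compliant for 3.1.2, so a host hardened that way would fail here. If this repository tracks such a revision, `stdout: ['/install \/bin\/(true|false)/']` accepts both. Whether the module is currently loaded is not covered by this resource as far as the hunk shows; the rest of the `command:` resource lies outside it.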
+++ b/section_3/cis_3.4.2/cis_3.4.2.8.yml
@@ -1,4 +1,4 @@
-{{ if .Vars.rhel8ciscis_rule_3_4_2_8 }}
+{{ if .Vars.rhel8cis_rule_3_4_2_8 }}
 command:
 nft_conns:
 title: 3.4.2.8 | Ensure nftables outbound and established connections are configured
@@ -16,4 +16,4 @@ command:
 CISv8_IG1: true
 CISv8_IG2: true
 CISv8_IG3: true
-{{ end }}
\ No newline at end of file
+{{ end }}
diff --git a/section_4/cis_4.2.1/cis_4.2.1.3.yml b/section_4/cis_4.2.1/cis_4.2.1.3.yml
index 29564bb..e582a95 100644
--- a/section_4/cis_4.2.1/cis_4.2.1.3.yml
+++ b/section_4/cis_4.2.1/cis_4.2.1.3.yml
@@ -10,7 +10,7 @@ file:
 server: 1
 workstation: 1
 CIS_ID:
- - 4.2.1.13
+ - 4.2.1.3
 CISv8:
 - 8.2
 - 8.9
diff --git a/section_4/cis_4.2.2/cis_4.2.2.1.5.yml b/section_4/cis_4.2.2/cis_4.2.2.1.5.yml
deleted file mode 100644
index 9c88558..0000000
--- a/section_4/cis_4.2.2/cis_4.2.2.1.5.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-{{ if .Vars.rhel8cis_rule_4_2_2_2 }}
-service:
- systemd-journald:
- title: 4.2.2.2 | Ensure journald service is enabled
- running: true
- enabled: true
- meta:
- server: 1
- workstation: 1
- CIS_ID:
- - 4.2.2.2
- CISv8: 8.2
- CISv8_IG1: true
- CISv8_IG2: true
- CISv8_IG3: true
-{{ end }}
diff --git a/section_5/cis_5.1/cis_5.1.8_9.yml b/section_5/cis_5.1/cis_5.1.8_9.yml
index 8bb31e5..cd3d498 100644
--- a/section_5/cis_5.1/cis_5.1.8_9.yml
+++ b/section_5/cis_5.1/cis_5.1.8_9.yml
@@ -1,5 +1,5 @@
-{{ if .Vars.rhel8cis_rule_5_1_8 }}
 file:
+ {{ if .Vars.rhel8cis_rule_5_1_8 }}
 /etc/cron.deny:
 title: 5.1.8 | Ensure cron is restricted to authorized users
 exists: false
@@ -27,8 +27,10 @@ file:
 CISv8_IG1: true
 CISv8_IG2: true
 CISv8_IG3: true
+ {{ end }}
+ {{ if .Vars.rhel8cis_rule_5_1_9 }}
 /etc/at.deny:
- title: 5.1.8 | Ensure at is restricted to authorized users
+ title: 5.1.9 | Ensure at is restricted to authorized users
 exists: false
 meta:
 server: 1
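Review bot: The corrected guard in cis_3.4.2.8.yml illustrates the failure mode of these templates: with `rhel8ciscis_rule_3_4_2_8` the Go template looked up a key absent from `.Vars`, which renders as an empty value rather than an error, so the whole nftables check produced no YAML and was silently skipped rather than reported. A cheap defence against the next typo is a CI step that lists every `.Vars.<name>` referenced under section_*/ and fails when a name is not a key in vars/CIS.yml. The remainder of the `command:` resource lies outside this hunk.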
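Review bot: With `file:` now outside both guards in cis_5.1.8_9.yml, a run where `rhel8cis_rule_5_1_8` and `rhel8cis_rule_5_1_9` are both false renders `file:` with nothing beneath it, which YAML reads as a null value rather than an empty mapping; whether goss accepts a null `file` resource should be verified before relying on this layout. If it does not, guard the key itself: `{{ if or .Vars.rhel8cis_rule_5_1_8 .Vars.rhel8cis_rule_5_1_9 }}` before `file:` with a matching `{{ end }}` after the last entry. The second hunk (old line 27) adds the 5.1.9 guard and is consistent with this one; the rest of the resources lie outside the hunks.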
@@ -40,7 +42,7 @@ file:
 CISv8_IG2: true
 CISv8_IG3: true
 /etc/at.allow:
- title: 5.1.8 | Ensure at is restricted to authorized users
+ title: 5.1.9 | Ensure at is restricted to authorized users
 exists: true
 owner: root
 group: root
@@ -54,4 +56,4 @@ file:
 CISv8_IG1: true
 CISv8_IG2: true
 CISv8_IG3: true
-{{ end }}
+ {{ end }}
diff --git a/section_5/cis_5.2/cis_5.2.15.yml b/section_5/cis_5.2/cis_5.2.15.yml
index 7bf71cc..0059a03 100644
--- a/section_5/cis_5.2/cis_5.2.15.yml
+++ b/section_5/cis_5.2/cis_5.2.15.yml
@@ -20,7 +20,7 @@ command:
 CISv8_IG2: true
 CISv8_IG3: true
 ssh_configd_banner:
- title: 5.3.18 | Ensure SSH warning banner configured | conf.d banner settings
+ title: 5.2.15 | Ensure SSH warning banner configured | conf.d banner settings
 exec: grep -Eis '^\s*Banner\s+"?none\b'/etc/ssh/sshd_config.d/*.conf
 exit-status:
 or:
diff --git a/section_5/cis_5.4/cis_5.4.2.yml b/section_5/cis_5.4/cis_5.4.2.yml
index 1316142..481a3f9 100644
--- a/section_5/cis_5.4/cis_5.4.2.yml
+++ b/section_5/cis_5.4/cis_5.4.2.yml
@@ -18,7 +18,7 @@ command:
 CISv8_IG3: true
 file:
 /etc/authselect/authselect.conf:
- title: 5.3.3 | Ensure authselect includes with-faillock
+ title: 5.4.2 | Ensure authselect includes with-faillock
 exists: true
 contains:
 - '/^with-faillock/'
@@ -26,7 +26,7 @@ file:
 server: 1
 workstation: 1
 CIS_ID:
- - 5.3.3
+ - 5.4.2
 CISv8: 4.1
 CISv8_IG1: true
 CISv8_IG2: true
diff --git a/section_5/cis_5.6/cis_5.6.1.3.yml b/section_5/cis_5.6/cis_5.6.1.3.yml
index af62616..35a8647 100644
--- a/section_5/cis_5.6/cis_5.6.1.3.yml
+++ b/section_5/cis_5.6/cis_5.6.1.3.yml
@@ -1,7 +1,7 @@
 {{ if .Vars.rhel8cis_rule_5_6_1_3 }}
 command:
 login_defs_warn_age:
- title: 5.5.1.3 | Ensure password expiration warning days is 7 or more
+ title: 5.6.1.3 | Ensure password expiration warning days is 7 or more
 exec: grep PASS_WARN_AGE /etc/login.defs
 exit-status: 0
 stdout:
@@ -11,7 +11,7 @@ command:
 server: 1
 workstation: 1
 CIS_ID:
- - 5.5.1.3
+ - 5.6.1.3
 CISv8: 4.1
 CISv8_IG1: true
 CISv8_IG2: true
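Review bot: On the context line following the retitled `ssh_configd_banner` in cis_5.2.15.yml, the exec reads `grep -Eis '^\s*Banner\s+"?none\b'/etc/ssh/sshd_config.d/*.conf` with no space between the pattern's closing quote and the path, as rendered here. If the file really has no space there, the shell joins pattern and path into a single argument, grep receives no file operand and the check never inspects sshd_config.d at all; `exec: grep -Eis '^\s*Banner\s+"?none\b' /etc/ssh/sshd_config.d/*.conf` fixes that. The title change itself is fine; the exit-status block continues past the hunk.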
diff --git a/vars/CIS.yml b/vars/CIS.yml index c38a715..ff258b3 100644 --- a/vars/CIS.yml +++ b/vars/CIS.yml @@ -101,14 +101,14 @@ rhel8cis_rule_1_5_1: true rhel8cis_rule_1_5_2: true rhel8cis_rule_1_5_3: true # 1.6 Mandatory Access Control -rhel8cis_rule_1_6_1: true -rhel8cis_rule_1_6_2: true -rhel8cis_rule_1_6_3: true -rhel8cis_rule_1_6_4: true -rhel8cis_rule_1_6_5: true -rhel8cis_rule_1_6_6: true -rhel8cis_rule_1_6_7: true -rhel8cis_rule_1_6_8: true +rhel8cis_rule_1_6_1_1: true +rhel8cis_rule_1_6_1_2: true +rhel8cis_rule_1_6_1_3: true +rhel8cis_rule_1_6_1_4: true +rhel8cis_rule_1_6_1_5: true +rhel8cis_rule_1_6_1_6: true +rhel8cis_rule_1_6_1_7: true +rhel8cis_rule_1_6_1_8: true # 1.7 Command Line Warning Banners rhel8cis_rule_1_7_1: true rhel8cis_rule_1_7_2: true @@ -160,6 +160,7 @@ rhel8cis_rule_2_3_2: true rhel8cis_rule_2_3_3: true rhel8cis_rule_2_3_4: true rhel8cis_rule_2_3_5: true +rhel8cis_rule_2_3_6: true rhel8cis_rule_2_4: true # todo @@ -292,6 +293,7 @@ rhel8cis_rule_5_1_5: true rhel8cis_rule_5_1_6: true rhel8cis_rule_5_1_7: true rhel8cis_rule_5_1_8: true +rhel8cis_rule_5_1_9: true # 5.2 Configure SSH Server rhel8cis_rule_5_2_1: true @@ -468,6 +470,7 @@ rhel8cis_telnet_required: false rhel8cis_talk_required: false rhel8cis_rsh_required: false rhel8cis_ypbind_required: false +rhel8cis_tftp_required: false rhel8cis_firewall: firewalld # rhel8cis_firewall: iptables
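Review bot: Renaming `rhel8cis_rule_1_6_1` through `rhel8cis_rule_1_6_8` to `rhel8cis_rule_1_6_1_1` through `rhel8cis_rule_1_6_1_8` drops the old keys, and no section_1/cis_1.6 template is touched in this diff; a template still guarded by an old name now looks up a missing key, which a Go template renders as empty, so those checks vanish without any error. Please confirm the cis_1.6 templates were already switched to the new names, or include them here. The `rhel8cis_tftp_required: false` added in the last hunk (old line 468) does not match the name cis_2.2.9.yml reads in this same diff, `rhel8cis_tftp_server`; if that key is not defined elsewhere in vars/CIS.yml, `{{ if not .Vars.rhel8cis_tftp_server }}` is always true and the intended opt-out does nothing — define both or align the names.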