initial

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020 MindPoint Group
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,141 @@
+# RHEL/CentOS 7 Goss config 
+
+## Overview
+based on CIS 3.01
+
+Set of configuration files and directories to run the first stages of CIS of RHEL/CentOS 7 servers
+
+This is configured in a directory structure level.
+
+This could do with further testing but sections 1.x should be complete
+
+Goss is run based on the goss.yml file in the top level directory. This specifies the configuration.
+
+
+## variables
+
+these are found in vars/cis.yml
+Please refer to the file for all options and their meanings
+
+CIS listed variable for every control/benchmark can be turned on/off or section
+
+- other controls
+enable_selinux
+run_heavy_tasks
+
+- bespoke options
+If a site has specific options e.g. password complexity these can also be set.
+## Usage
+
+You must have [goss](https://github.com/aelsabbahy/goss/) available to your host you would like to test.
+
+You must have sudo/root acces sto the system as some commands require privilege information.
+- Run as root not sudo due to sudo and shared memory access
+
+Assuming you have already clone this repository you can run goss from where you wish.
+
+- full check
+```
+$ sudo {{path to your goss binary}} --vars {{ path to the vars file }} -g {{path to your clone of this repo }}/goss.yml --validate
+```
+
+example:
+```
+$ sudo /usr/local/bin/goss --vars ../vars/cis.yml -g /home/bolly/rh7_cis_goss/goss.yml validate
+......FF....FF................FF...F..FF.............F........................FSSSS.............FS.F.F.F.F.........FFFFF....
+
+Failures/Skipped:
+
+Title: 1.6.1 Ensure core dumps are restricted (Automated)_sysctl
+Command: suid_dumpable_2: exit-status:
+Expected
+    <int>: 1
+to equal
+    <int>: 0
+Command: suid_dumpable_2: stdout: patterns not found: [fs.suid_dumpable = 0]
+
+
+Title: 1.4.2 Ensure filesystem integrity is regularly checked (Automated)
+Service: aidecheck: enabled:
+Expected
+    <bool>: false
+to equal
+    <bool>: true
+Service: aidecheck: running:
+Expected
+    <bool>: false
+to equal
+    <bool>: true
+
+< ---------cut ------- >
+
+Title: 1.1.22 Ensure sticky bit is set on all world-writable directories
+Command: version: exit-status:
+Expected
+    <int>: 0
+to equal
+    <int>: 123
+
+Total Duration: 5.102s
+Count: 124, Failed: 21, Skipped: 5
+
+```
+- running a particular section of tests
+
+```
+$ sudo /usr/local/bin/goss -g /home/bolly/rh7_cis_goss/section_1/cis_1.1/cis_1.1.22.yml  validate
+............
+
+Total Duration: 0.033s
+Count: 12, Failed: 0, Skipped: 0
+
+```
+
+- changing the output
+
+```
+$ sudo /usr/local/bin/goss -g /home/bolly/rh7_cis_goss/section_1/cis_1.1/cis_1.1.22.yml  validate -f documentation
+Title: 1.1.20 Check for removeable media nodev
+Command: floppy_nodev: exit-status: matches expectation: [0]
+Command: floppy_nodev: stdout: matches expectation: [OK]
+< -------cut ------- >
+Title: 1.1.20 Check for removeable media noexec
+Command: floppy_noexec: exit-status: matches expectation: [0]
+Command: floppy_noexec: stdout: matches expectation: [OK]
+
+
+Total Duration: 0.022s
+Count: 12, Failed: 0, Skipped: 0
+```
+## Variables
+
+### The variable files
+sections_2/service.yml allows you to tune it further for specific environments.
+In this case installed or skipped using the standard name for a package to be installed or _skip to skip a test.
+
+
+## Extra settings
+
+
+
+Some sections can have several options in that case the skip flag maybe passed to the test.
+e.g. 
+- section_1/cis/1.8 - need to review the MOTD and issue files for bespoke content
+- section_1/cis_1.10/cis_1.10.yml  - Has gdm either not installed or configured default to not installed and skipped configured.
+- section_2/cis_2.2/cis_chrony_2.2.1.1.yml - this is chosen between ntp of chrony in the goss file
+## further information
+
+- [goss documentation](https://github.com/aelsabbahy/goss/blob/master/docs/manual.md#patterns)
+- [CIS standards](https://www.cisecurity.org)
+
+## Outstanding
+- To add other sections
+- build up vars to extend this further 
+- 1.2.2 and 1.9 have extended timeout - This maybe a new switch (ignore heavy tasks?)
+- 4.1.13 needs review 
+- 4.2.1.5 remote syslog server? variable? 
+- 4.2.1.6 listen as syslog server?  
+
+- 6.1.13 & 6.1.14 does tyhis need a default exclusion list for expected files?
+- 6.2.1 to work thorugh the file and regex the answers
+- 6.2.4 to test heavily

bolly.yml

@@ -0,0 +1,16 @@
+gossfile:
+  {{ if .Vars.rhel8cis_section1 }}
+  section_1/*/*.yml: {}
+  {{ end }}
+  {{ if .Vars.rhel8cis_section2 }}
+  section_2/*/*.yml: {}
+  {{ end }}
+  {{ if .Vars.rhel8cis_section3 }}
+  section_3/*/*.yml: {}
+  {{ end }}
+  {{ if .Vars.rhel8cis_section4 }}
+  section_4/*/*.yml: {}
+  {{ end }}
+  {{ if .Vars.rhel8cis_section5 }}
+  section_5/*/*.yml: {}
+  {{ end }}

notes.md

@@ -0,0 +1,109 @@
+# Goss notes
+
+
+## Gotchas
+
+- Only use underscore '_' in variables hypen '-' and dot '.' will cause issues
+
+- When using command you need to escape any colon':' in the line or it will error
+
+- Read the error it may mention the line or what the problem is (not always) (newer version appears better)
+
+- when running goss use goss file option (-g) if not specified it will only default to ./goss.yaml (not goss.yml)
+
+## Variables
+These are loaded within the vars file using the command
+```
+goss -g {{ goss file }} --vars vars.cis.yml
+```
+- written in a key:value format
+e.g.
+```
+rhel8cis_rule_1_1_1: true
+passwd_age: "10"   #Int wrapped in quotes
+users:
+- bob
+- alison
+- fred
+```
+
+
+### pass a variable
+The are references using the .Vars option.
+
+These are surrounded by curly brace.
+```
+{{ .Vars.some_variable_here }}
+```
+
+## Adding logic to a variable
+
+- Place the test between if and close if statements
+
+
+### Boolean value
+```
+{{ if .Vars.rhel8cis_rule_1_1_1 }}
+put you're test in between
+the 
+start and stop statements
+{{ end }}
+```
+
+### Using a list 
+```
+{{ range .Vars.list_variables }}
+stdout: {{ . }}
+{{ end }}
+```
+
+### Matching a variable
+```
+{{ if eq .Vars.some_value 'OK' }}
+
+{{ end }}
+```
+
+### Multiple tests
+e.g.
+
+```
+{{ if (( eq .Vars.somevalue 'OK' ) and .Vars.rhel8cis_rule_1_1_1 ) }}
+goss requirements
+placed in 
+here
+{{ end }}
+```
+
+## Using regex
+
+Surround the string and regex with '/'
+e.g.
+A number between 1 and 9
+```
+['/[1-9]/']
+```
+not between 1 and 9
+```
+['!/[1-9]/']
+```
+Expect an empty response from command
+```
+['!/./']
+```
+
+### Using variables inside variables (nested)
+
+e.g.
+```
+{{ if .Vars.rhel8cis_rule_1_1_1 }}
+file:
+  /etc/users:
+    exists: true
+    contains:
+    {{ range .Vars.users }}
+    stdout:
+    - {{ . }}
+    {{ end }}
+{{ end }}
+```