From f1406e18549856d1955f2aa3e8b539f3d0b9eb80 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 23 Oct 2024 10:21:08 +0100
Subject: [PATCH 1/2] Updated table

Signed-off-by: Mark Bolwell
---
 docs/source/CIS/CIS_table.rst | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/docs/source/CIS/CIS_table.rst b/docs/source/CIS/CIS_table.rst
index 91e673b..1817e69 100644
--- a/docs/source/CIS/CIS_table.rst
+++ b/docs/source/CIS/CIS_table.rst
@@ -8,8 +8,8 @@ Operating Systems
 :header: "Benchmark", "Maintained", "Remediate", "Audit", "Release"
 :widths: 25, 15, 15, 15, 25

- "AMAZON2-CIS_", "True", "True", "True", ".. image:: https://img.shields.io/github/v/release/ansible-lockdown/AMAZON2-CIS?style=plastic"
- "AMAZON2023-CIS_", "True", "True", "True", ".. image:: https://img.shields.io/github/v/release/ansible-lockdown/AMAZON2023-CIS?style=plastic"
+ "AMAZON2-CIS_", "True", "True", "True", ".. image:: https://img.shields.io/github/v/release/ansible-lockdown/AMAZON2-CIS?style=plastic"
+ "AMAZON2023-CIS_", "True", "True", "True", ".. image:: https://img.shields.io/github/v/release/ansible-lockdown/AMAZON2023-CIS?style=plastic"
 "DEBIAN11-CIS_", "True", "True", "True", ".. image:: https://img.shields.io/github/v/release/ansible-lockdown/DEBIAN11-CIS?style=plastic"
 "DEBIAN12-CIS_", "True", "True", "WIP", "N/A"
 "RHEL7-CIS_", "True", "True", "True", ".. image:: https://img.shields.io/github/v/release/ansible-lockdown/RHEL7-CIS?style=plastic"
@@ -18,13 +18,14 @@ Operating Systems
 "UBUNTU18-CIS_", "True", "True", "True", ".. image:: https://img.shields.io/github/v/release/ansible-lockdown/UBUNTU18-CIS?style=plastic"
 "UBUNTU20-CIS_", "True", "True", "True", ".. image:: https://img.shields.io/github/v/release/ansible-lockdown/UBUNTU20-CIS?style=plastic"
 "UBUNTU22-CIS_", "True", "True", "True", ".. image:: https://img.shields.io/github/v/release/ansible-lockdown/UBUNTU22-CIS?style=plastic"
+ "UBUNTU24-CIS_", "True", "True", "True", "N/A"

 .. csv-table:: CIS Windows Benchmark Availability
 :header: "Benchmark", "Maintained", "Remediate", "Audit", "Release"
 :widths: 25, 15, 15, 15, 25

- "Windows-10-CIS_", "True", "True", "True", ".. image:: https://img.shields.io/github/v/release/ansible-lockdown/Windows-10-CIS?style=plastic"
- "Windows-11-CIS_", "True", "True", "True", ".. image:: https://img.shields.io/github/v/release/ansible-lockdown/Windows-11-CIS?style=plastic"
+ "Windows-10-CIS_", "True", "True", "NA", ".. image:: https://img.shields.io/github/v/release/ansible-lockdown/Windows-10-CIS?style=plastic"
+ "Windows-11-CIS_", "True", "True", "NA", ".. image:: https://img.shields.io/github/v/release/ansible-lockdown/Windows-11-CIS?style=plastic"
 "Windows-2016-CIS_", "True", "True", "True", ".. image:: https://img.shields.io/github/v/release/ansible-lockdown/Windows-2016-CIS?style=plastic"
 "Windows-2019-CIS_", "True", "True", "True", ".. image:: https://img.shields.io/github/v/release/ansible-lockdown/Windows-2019-CIS?style=plastic"
 "Windows-2022-CIS_", "True", "True", "WIP", ".. image:: https://img.shields.io/github/v/release/ansible-lockdown/Windows-2022-CIS?style=plastic"

From 7a94832d643ad79f028192e5df9a9026ac2def82 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 23 Oct 2024 10:22:30 +0100
Subject: [PATCH 2/2] Added new section for goss without script

Signed-off-by: Mark Bolwell
---
 docs/source/audit/getting-started-audit.rst | 105 ++++++++++++++++++--
 1 file changed, 98 insertions(+), 7 deletions(-)
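Review bot: The Audit cell for Windows-10-CIS and Windows-11-CIS is changed to `"NA"`, while the rest of the table spells the same state `"N/A"` (the Release column in this hunk, including the new UBUNTU24-CIS row, and DEBIAN12-CIS in the previous hunk); one spelling keeps the table consistent, so `"Windows-10-CIS_", "True", "True", "N/A", ".. image:: ..."` and likewise for Windows-11-CIS. If the intent is that an audit is planned but not yet available, the table already uses `"WIP"` for that state (DEBIAN12-CIS, Windows-2022-CIS), so choosing between `N/A` and `WIP` also tells readers whether to expect audit support for these two benchmarks.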
diff --git a/docs/source/audit/getting-started-audit.rst b/docs/source/audit/getting-started-audit.rst index da4a7d5..7d6dd91 100644 --- a/docs/source/audit/getting-started-audit.rst +++ b/docs/source/audit/getting-started-audit.rst @@ -8,8 +8,7 @@ Audit Overview -------- -Ansible remediation for security benchmarks now utilizes an open-source -go binary called `goss `_ to audit the system. +Ansible remediation for security benchmarks now utilizes an open-source go binary called `goss `_ to audit the system. Ensuring consistency in checks by using the same settings and controls that have been enabled in the remediation steps, are the same ones @@ -35,7 +34,6 @@ It can be run in two ways: - run_audit.ps1 (Windows(powershell)) - Currently Enabled Playbooks --------------------------- @@ -65,17 +63,18 @@ The following requirements are needed (OS dependant) - Linux - - `Binary `_ - - `Checksum `_ + - `Binary `_ + - `Checksum `_ - Windows - - `Binary `_ - - `Checksum `_ + - `Binary `_ + - `Checksum `_ .. note:: The binary only needs to be accessible to the host with ability to use. The relevant script needs to be adjust to point to the path of the binary. + Ensure you have the correct binary for your architecture examples above are AMD64, but also works on ARM64 (may have bad results with auditd settings) Running the Audit Only as part of remediate playbook ---------------------------------------------------- 
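Review bot: The rewritten Overview sentence in the first hunk is now a single line of roughly 110 characters, while the surrounding prose in this file (the `Ensuring consistency in checks ...` lines that follow it) is wrapped at about 70 columns; keeping the previous two-line wrap would match the rest of the file and keep future diffs readable. The Overview section continues past the end of the hunk.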
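Review bot: The line added inside the `.. note::` body in the third hunk, `Ensure you have the correct binary for your architecture examples above are AMD64, but also works on ARM64 (may have bad results with auditd settings)`, is a run-on; `Ensure you have the correct binary for your architecture. The examples above are AMD64, but goss also works on ARM64 (auditd checks may give unreliable results).` says the same thing as two sentences. The same requirements list links a `Checksum` next to each `Binary` but never says what to do with it; a sentence such as `Verify the downloaded binary against the published checksum before copying it to the host that will run the audit.` turns the link into an actual step. The updated link targets are not visible in this view, so whether they point at a pinned release or a moving tag cannot be checked here; a pinned version is what keeps a checksum meaningful over time.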
@@ -161,6 +160,98 @@ script help Other options can be assigned in the script itself +**Running goss without script** + +This assumes you have goss and access to super user privileges. + +It is possible to run goss in its raw form, while this is not recommended, for consistency it is added here. + +The script discovers and adds extra inline variablesto the goss output in the form of the metadata fields as found in the goss.yml +This needs to be amended before being able to run in raw form. + +- Edit goss.yml remove the lines starting at #metadata and the command tests Vars below + +Goss can then be run manually + +- full check + +.. code-block:: shell + + # {{path to your goss binary}} --vars {{ path to the vars file }} -g {{path to your clone of this repo }}/goss.yml --validate + + +example: + +.. code-block:: shell + # /usr/local/bin/goss --vars ../vars/cis.yml -g /home/bolly/rh8_cis_goss/goss.yml validate + ......FF....FF................FF...F..FF.............F........................FSSSS.............FS.F.F.F.F.........FFFFF.... + + Failures/Skipped: + + Title: 1.6.1 Ensure core dumps are restricted (Automated)_sysctl + Command: suid_dumpable_2: exit-status: + Expected + : 1 + to equal + : 0 + Command: suid_dumpable_2: stdout: patterns not found: [fs.suid_dumpable = 0] + + + Title: 1.4.2 Ensure filesystem integrity is regularly checked (Automated) + Service: aidecheck: enabled: + Expected + : false + to equal + : true + Service: aidecheck: running: + Expected + : false + to equal + : true + + < ---------cut ------- > + + Title: 1.1.22 Ensure sticky bit is set on all world-writable directories + Command: version: exit-status: + Expected + : 0 + to equal + : 123 + + Total Duration: 5.102s + Count: 124, Failed: 21, Skipped: 5 + + +- running a particular section of tests + +.. code-block:: shell + + # /usr/local/bin/goss -g /home/bolly/rh8_cis_goss/section_1/cis_1.1/cis_1.1.22.yml validate + ............ 
+ + Total Duration: 0.033s + Count: 12, Failed: 0, Skipped: 0 + + +- changing the output + +.. code-block:: shell + + # /usr/local/bin/goss -g /home/bolly/rh8_cis_goss/section_1/cis_1.1/cis_1.1.22.yml validate -f documentation + Title: 1.1.20 Check for removeable media nodev + Command: floppy_nodev: exit-status: matches expectation: [0] + Command: floppy_nodev: stdout: matches expectation: [OK] + < -------cut ------- > + Title: 1.1.20 Check for removeable media noexec + Command: floppy_noexec: exit-status: matches expectation: [0] + Command: floppy_noexec: stdout: matches expectation: [OK] + + + Total Duration: 0.022s + Count: 12, Failed: 0, Skipped: 0 + + + Running on Windows ------------------
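Review bot: The second `.. code-block:: shell` (the one under `example:`) has no blank line between the directive line and `# /usr/local/bin/goss --vars ../vars/cis.yml ...`, so docutils reads the indented output as extra directive arguments and the block fails to render; add an empty `+` line after that `.. code-block:: shell`, as the other three code blocks in this hunk already have. The template command ends in `--validate` while every worked example uses the `validate` subcommand, which is how the goss CLI takes it, so the template should read `# {{path to your goss binary}} --vars {{ path to the vars file }} -g {{path to your clone of this repo }}/goss.yml validate`. `variablesto` is missing a space, and the bullet `Edit goss.yml remove the lines starting at #metadata and the command tests Vars below` reads as a run-on; if the intent is what it appears to be, `Edit goss.yml and remove the lines starting at #metadata, together with the command tests for the Vars below it` is clearer. The section-level example runs `cis_1.1.22.yml` but its output lists `Title: 1.1.20` entries, which looks like output pasted from a different section file and is worth confirming. The `script help` section this hunk extends starts before the hunk.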