Initial

Signed-off-by: Mark Bolwell <[email protected]>

.gitattributes

@@ -0,0 +1,6 @@
+# adding github settings to show correct language
+*.sh linguist-detectable=true
+*.yml linguist-detectable=true
+*.ps1 linguist-detectable=true
+*.j2 linguist-detectable=true
+*.md linguist-documentation

.gitignore

@@ -0,0 +1,45 @@
+.env
+*.log
+*.retry
+.cache
+.vagrant
+tests/*redhat-subscription
+tests/Dockerfile
+*.iso
+*.box
+packer_cache
+delete*
+ignore*
+# VSCode
+.vscode
+
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# DS_Store
+.DS_Store
+._*
+
+# Linux Editors
+*~
+\#*\#
+/.emacs.desktop
+/.emacs.desktop.lock
+.elc
+auto-save-list
+tramp
+.\#*
+*.swp
+*.swo
+rh-creds.env
+travis.env
+
+# Lockdown-specific
+benchparse/
+*xccdf.xml
+*.retry
+
+# GitHub Action/Workflow files
+.github/

CONTRIBUTING.md

@@ -0,0 +1,71 @@
+Contributing to MindPoint Group Projects
+========================================
+
+Rules
+-----
+
+1) All commits must be GPG signed (details in Signing section)
+2) All commits must have Signed-off-by (Signed-off-by: Joan Doe <[email protected]>) in the commit message (details in Signing section)
+3) All work is done in your own branch or own fork
+4) Pull requests
+    a) From within the repo: All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing
+    b) From a forked repo: All pull requests will go into a staging branch within the repo. There are automated checks for signed commits, signoff in commit message, and functional testing when going from staging to devel
+5) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing)
+6) Be open and nice to each other
+
+Workflow
+--------
+
+- Your work is done in your own individual branch. Make sure to to Signed-off and GPG sign all commits you intend to merge
+- All community Pull Requests are into the devel branch. There are automated checks for GPG signed, Signed-off in commits, and functional tests before being approved. If your pull request comes in from outside of our repo, the pull request will go into a staging branch. There is info needed from our repo for our CI/CD testing.
+- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release
+
+Signing your contribution
+-------------------------
+
+We've chosen to use the Developer's Certificate of Origin (DCO) method
+that is employed by the Linux Kernel Project, which provides a simple
+way to contribute to MindPoint Group projects.
+
+The process is to certify the below DCO 1.1 text
+::
+
+    Developer's Certificate of Origin 1.1
+
+    By making a contribution to this project, I certify that:
+
+    (a) The contribution was created in whole or in part by me and I
+        have the right to submit it under the open source license
+        indicated in the file; or
+
+    (b) The contribution is based upon previous work that, to the best
+        of my knowledge, is covered under an appropriate open source
+        license and I have the right under that license to submit that
+        work with modifications, whether created in whole or in part
+        by me, under the same open source license (unless I am
+        permitted to submit under a different license), as indicated
+        in the file; or
+
+    (c) The contribution was provided directly to me by some other
+        person who certified (a), (b) or (c) and I have not modified
+        it.
+
+    (d) I understand and agree that this project and the contribution
+        are public and that a record of the contribution (including all
+        personal information I submit with it, including my sign-off) is
+        maintained indefinitely and may be redistributed consistent with
+        this project or the open source license(s) involved.
+::
+
+Then, when it comes time to submit a contribution, include the
+following text in your contribution commit message:
+
+::
+
+   Signed-off-by: Joan Doe <[email protected]>
+
+::
+
+This message can be entered manually, or if you have configured git
+with the correct `user.name` and `user.email`, you can use the `-s`
+option to `git commit` to automatically include the signoff message.

Changelog.md

@@ -0,0 +1,10 @@
+# Changes to Ubunut20-CIS-Audit
+
+## 0.2 updates
+
+Several control updates and new tests
+adopted new goss binary >= 0.4.0 now required
+
+## 0.1 initial release
+
+- Based on CIS 1.0

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 MindPoint Group
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,130 @@
+# Debian 11 Goss config
+
+## Overview
+
+### Based on CIS Debian Linux 11 Benchmark v1.0.0 [Release](https://downloads.cisecurity.org/#/)
+
+Set of configuration files and directories to run the first stages of CIS of Debian 11 servers
+
+This is configured in a directory structure level.
+
+This could do with further testing but sections 1.x should be complete
+
+Goss is run based on the goss.yml file in the top level directory. This specifies the configuration.
+
+## variables
+
+file: vars/cis.yml
+
+Please refer to the file for all options and their meanings
+
+CIS listed variable for every control/benchmark can be turned on/off or section
+
+- other controls
+enable_selinux
+run_heavy_tasks
+
+- bespoke options
+If a site has specific options e.g. password complexity these can also be set.
+
+## Requirements
+
+goss >= 0.4.0
+root privileges
+
+## Usage
+
+You must have [goss](https://github.com/goss-org/goss/) available to your host you would like to test.
+
+- Run as root not sudo due to sudo and shared memory access
+
+Assuming you have already clone this repository you can run goss from where you wish.
+
+- full check
+
+```sh
+# {{path to your goss binary}} --vars {{ path to the vars file }} -g {{path to your clone of this repo }}/goss.yml --validate
+
+```
+
+example:
+
+```sh
+# /usr/local/bin/goss --vars ../vars/cis.yml -g /home/bolly/rh8_cis_goss/goss.yml validate
+......FF....FF................FF...F..FF.............F........................FSSSS.............FS.F.F.F.F.........FFFFF....
+
+Failures/Skipped:
+
+Title: 1.6.1 Ensure core dumps are restricted (Automated)_sysctl
+Command: suid_dumpable_2: exit-status:
+Expected
+    <int>: 1
+to equal
+    <int>: 0
+Command: suid_dumpable_2: stdout: patterns not found: [fs.suid_dumpable = 0]
+
+
+Title: 1.4.2 Ensure filesystem integrity is regularly checked (Automated)
+Service: aidecheck: enabled:
+Expected
+    <bool>: false
+to equal
+    <bool>: true
+Service: aidecheck: running:
+Expected
+    <bool>: false
+to equal
+    <bool>: true
+
+< ---------cut ------- >
+
+Title: 1.1.22 Ensure sticky bit is set on all world-writable directories
+Command: version: exit-status:
+Expected
+    <int>: 0
+to equal
+    <int>: 123
+
+Total Duration: 5.102s
+Count: 124, Failed: 21, Skipped: 5
+
+```
+
+- running a particular section of tests
+
+```sh
+# /usr/local/bin/goss -g /home/bolly/rh8_cis_goss/section_1/cis_1.1/cis_1.1.22.yml  validate
+............
+
+Total Duration: 0.033s
+Count: 12, Failed: 0, Skipped: 0
+
+```
+
+- changing the output
+
+```sh
+# /usr/local/bin/goss -g /home/bolly/rh8_cis_goss/section_1/cis_1.1/cis_1.1.22.yml  validate -f documentation
+Title: 1.1.20 Check for removeable media nodev
+Command: floppy_nodev: exit-status: matches expectation: [0]
+Command: floppy_nodev: stdout: matches expectation: [OK]
+< -------cut ------- >
+Title: 1.1.20 Check for removeable media noexec
+Command: floppy_noexec: exit-status: matches expectation: [0]
+Command: floppy_noexec: stdout: matches expectation: [OK]
+
+
+Total Duration: 0.022s
+Count: 12, Failed: 0, Skipped: 0
+```
+
+## Extra settings
+
+Ability to add your own requirements is available in several sections
+
+## further information
+
+- [goss documentation](https://github.com/goss-org/goss/blob/master/docs/manual.md#patterns)
+- [CIS standards](https://www.cisecurity.org)
+
+## Feedback required

goss.yml

@@ -0,0 +1,94 @@
+gossfile:
+  {{ if .Vars.debian11cis_section1 }}
+  section_1/*/*.yml: {}
+  {{ end }}
+
+ # Section 2
+  {{ if .Vars.debian11cis_section2 }}
+  section_2/cis_2.1/cis_2.1.1.1.yml: {}
+    {{ if eq .Vars.debian11cis_time_service "chrony" }}
+  section_2/cis_2.1/cis_2.1.2.*.yml: {}
+    {{ end }}
+    {{ if eq .Vars.debian11cis_time_service "timesyncd" }}
+  section_2/cis_2.1/cis_2.1.3.*.yml: {}
+    {{ end }}
+    {{ if eq .Vars.debian11cis_time_service "ntp" }}
+  section_2/cis_2.1/cis_2.1.4.*.yml: {}
+    {{ end }}
+  # Special Services
+  section_2/cis_2.2/*.yml: {}
+  # Client Service
+  section_2/cis_2.3/*.yml: {}
+  # Essential service
+  section_2/cis_2.4/*.yml: {}
+  {{ end }}
+
+# Section 3
+  {{ if .Vars.debian11cis_section3 }}
+  section_3/cis_3.1/*.yml: {}
+  section_3/cis_3.2/*.yml: {}
+  section_3/cis_3.3/*.yml: {}
+    {{ if .Vars.debian11cis_ipv6_required }}
+  section_3/cis_3.3/ipv6/*.yml: {}
+    {{ end }}
+    # If ufw firewall
+    {{ if eq .Vars.debian11cis_firewall "ufw" }}
+  section_3/cis_3.5.1/*.yml: {}
+    {{ end }}
+    # If nftables firewall
+    {{ if eq .Vars.debian11cis_firewall "nftables" }}
+  section_3/cis_3.5.2/*.yml: {}
+    {{ end }}
+    # If iptables firewall
+    {{ if eq .Vars.debian11cis_firewall "iptables" }}
+  section_3/cis_3.5.3/*.yml: {}
+    {{ end }}
+  {{ end }}
+
+# Section 4
+  {{ if .Vars.debian11cis_section4 }}
+  # Auditd and level 2
+    {{ if .Vars.debian11cis_level_2 }}
+      {{ if .Vars.debian11cis_auditd }}
+  section_4/cis_4.1.1/*.yml: {}
+  section_4/cis_4.1.2/*.yml: {}
+  section_4/cis_4.1.3/*.yml: {}
+  section_4/cis_4.1.4/*.yml: {}
+      {{ end }}
+    {{ end }}
+    {{ if eq .Vars.debian11cis_syslog_service "journald" }}
+  section_4/cis_4.2.1/*.yml: {}
+    {{ end }}
+    {{ if eq .Vars.debian11cis_syslog_service "rsyslog" }}
+  section_4/cis_4.2.2/*.yml: {}
+    {{ end }}
+  {{ end }}
+
+# Section 5
+  {{ if .Vars.debian11cis_section5 }}
+  section_5/*/*.yml: {}
+  {{ end }}
+
+# Section 6
+  {{ if .Vars.debian11cis_section6 }}
+  section_6/*/*.yml: {}
+  {{ end }}
+
+# Metadata
+command:
+  benchmark_meta:
+    title: Benchmark MetaData
+    exec: echo BenchMark MetaData
+    exit-status: 0
+    meta:
+      host_machine_uuid: {{ .Vars.machine_uuid }}
+      host_epoch: {{ .Vars.epoch }}
+      host_os_locale: {{ .Vars.os_locale }}
+      host_os_release: {{ .Vars.os_release }}
+      host_os_distribution: {{ .Vars.os_distribution }}
+      host_automation_group: {{ .Vars.auto_group }}
+      host_hostname: {{ .Vars.os_hostname }}
+      host_system_type: {{ .Vars.system_type }}
+      benchmark_type: {{ .Vars.benchmark_type }}
+      benchmark_version: {{ .Vars.benchmark_version }}
+      benchmark_os: {{ .Vars.benchmark_os }}