diff --git a/Cat_1/RHEL-07-040550.yml b/Cat_1/RHEL-07-040550.yml
index c7388f1..39e53f2 100644
--- a/Cat_1/RHEL-07-040550.yml
+++ b/Cat_1/RHEL-07-040550.yml
@@ -5,8 +5,8 @@ command:
 title: RHEL_07_040550 | Must not contain shosts.equiv files.
 exit-status:
 or:
- - 0
- - 1
+ - 0
+ - 1
 exec: 'find / -name shosts.equiv'
 timeout: {{ .Vars.timeout_ms }}
 stdout:
diff --git a/Cat_2/RHEL-07-010199.yml b/Cat_2/RHEL-07-010199.yml
index 0fd4828..1bee74e 100644
--- a/Cat_2/RHEL-07-010199.yml
+++ b/Cat_2/RHEL-07-010199.yml
@@ -1,25 +1,77 @@
 {{ if .Vars.RHEL_07_010199 }}
 file:
- /etc/pam.d/password-auth-local:
+ /etc/pam.d/password-auth:
 title: RHEL-07-010199 | The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility | passwd-auth-local.
 exists: true
 filetype: symlink
+ linked-to: /etc/pam.d/password-auth-local
 meta:
 Cat: 2
 CCI: CCI-000196
 Group_Title: SRG-OS-000073-GPOS-00041
- Rule_ID: SV-255928r902706_rule
+ Rule_ID: SV-255928r917838_rule
 STIG_ID: RHEL-07-010199
 Vul_ID: V-255928
- /etc/pam.d/system-auth-local:
+ /etc/pam.d/system-auth:
 title: RHEL-07-010199 | The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility | system-auth-local.
 exists: true
 filetype: symlink
+ linked-to: /etc/pam.d/system-auth-local
+ meta:
+ Cat: 2
+ CCI: CCI-000196
+ Group_Title: SRG-OS-000073-GPOS-00041
+ Rule_ID: SV-255928r917838_rule
+ STIG_ID: RHEL-07-010199
+ Vul_ID: V-255928
+ /etc/pam.d/password-auth-local:
+ title: RHEL-07-010199 | The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility | password-auth
+ exists: true
+ owner: root
+ group: root
+ filetype: file
+ contains:
+ - '/^auth\s+required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900/'
+ - '/^auth\s+include password-auth-ac/'
+ - '/^auth\s+sufficient pam_unix.so try_first_pass/'
+ - '/^auth\s+[default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900/'
+ - '/^account\s+required pam_faillock.so/'
+ - '/^account\s+include password-auth-ac/'
+ - '/^password\s+requisite pam_pwhistory.so use_authtok remember=5 retry=3/'
+ - '/^password\s+requisite pam_pwquality.so retry=3/'
+ - '/^password\s+include password-auth-ac/'
+ - '/^password\s+sufficient 
pam_unix.so sha512 shadow try_first_pass use_authtok/'
+ - '/^session\s+include password-auth-ac/'
+ meta:
+ Cat: 2
+ CCI: CCI-000196
+ Group_Title: SRG-OS-000073-GPOS-00041
+ Rule_ID: SV-255928r917838_rule
+ STIG_ID: RHEL-07-010199
+ Vul_ID: V-255928
+ /etc/pam.d/system-auth-local:
+ title: RHEL-07-010199 | The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility | password-auth
+ exists: true
+ owner: root
+ group: root
+ filetype: file
+ contains:
+ contains:
+ - '/^auth\s+required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900/'
+ - '/^auth\s+include system-auth-ac/'
+ - '/^auth\s+sufficient pam_unix.so try_first_pass/'
+ - '/^auth\s+[default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900/'
+ - '/^account\s+required pam_faillock.so/'
+ - '/^account\s+include system-auth-ac/'
+ - '/^password\s+requisite pam_pwhistory.so remember=5 retry=3/'
+ - '/^password\s+requisite pam_pwquality.so retry=3/'
+ - '/^password\s+include system-auth-ac/'
+ - '/^password\s+sufficient pam_unix.so sha512 shadow try_first_pass use_authtok/'
 meta:
 Cat: 2
 CCI: CCI-000196
 Group_Title: SRG-OS-000073-GPOS-00041
- Rule_ID: SV-255928r902706_rule
+ Rule_ID: SV-255928r917838_rule
 STIG_ID: RHEL-07-010199
 Vul_ID: V-255928
 {{ end }}
diff --git a/Cat_2/RHEL-07-010200.yml b/Cat_2/RHEL-07-010200.yml
index 9bd3d9a..bdc8e2d 100644
--- a/Cat_2/RHEL-07-010200.yml
+++ b/Cat_2/RHEL-07-010200.yml
@@ -10,7 +10,7 @@ command:
 Cat: 2
 CCI: CCI-000196
 Group_Title: SRG-OS-000073-GPOS-00041
- Rule_ID: SV-204415r880833_rule
+ Rule_ID: SV-204415r917816_rule
 STIG_ID: RHEL-07-010200
 Vul_ID: V-204415
 pam_unix_so_passwd_auth:
@@ -23,7 +23,7 @@ command:
 Cat: 2
 CCI: CCI-000196
 Group_Title: SRG-OS-000073-GPOS-00041
- Rule_ID: SV-204415r880833_rule
+ Rule_ID: SV-204415r917816_rule
 STIG_ID: RHEL-07-010200
 Vul_ID: V-204415
 {{ end }}
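Review bot: The `/etc/pam.d/system-auth-local` stanza at the end of the hunk has `contains:` twice in a row, so the outer key's value becomes a one-key mapping instead of the pattern list and goss will either reject the file or match nothing; delete the second `+ contains:` line. In both new stanzas `[default=die]` is an unescaped regex character class, so `/^auth\s+[default=die] pam_faillock.so authfail .../` demands one character from `d,e,f,a,u,l,t,=,i` after the whitespace and can never match the real `auth [default=die] pam_faillock.so ...` line; write it `\[default=die\]` as RHEL-07-010320 already does. The remaining patterns pin exactly one space between the control flag and the module (`required pam_faillock.so`) while 010320 tolerates `\s+` there, so column-aligned output of the kind the STIG fix text shows would pass one test and fail the other — align on `\s+`. Minor: the system-auth-local title still says `password-auth`, and the two files disagree on `use_authtok` for pam_pwhistory (present for password-auth-local, absent for system-auth-local), which should be confirmed against the rewritten RHEL-07-010270 pattern.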
diff --git a/Cat_2/RHEL-07-010270.yml b/Cat_2/RHEL-07-010270.yml
index f5dc5fc..fddfeee 100644
--- a/Cat_2/RHEL-07-010270.yml
+++ b/Cat_2/RHEL-07-010270.yml
@@ -5,12 +5,12 @@ command:
 exec: grep remember /etc/pam.d/system-auth
 exit-status: 0
 stdout:
- - /^password\s+requisite\s+pam_pwhistory.so use_authtok remember=5 retry=3/'
+ - /^password\s+requisite\s+pam_pwhistory.so remember=5 retry=3/'
 meta:
 Cat: 2
 CCI: CCI-000200
 Group_Title: SRG-OS-000077-GPOS-00045
- Rule_ID: SV-204422r880836_rule
+ Rule_ID: SV-204422r917818_rule
 STIG_ID: RHEL-07-010270
 Vul_ID: V-204422
 password_auth_remember:
@@ -23,7 +23,7 @@ command:
 Cat: 2
 CCI: CCI-000200
 Group_Title: SRG-OS-000077-GPOS-00045
- Rule_ID: SV-204422r880836_rule
+ Rule_ID: SV-204422r917818_rule
 STIG_ID: RHEL-07-010270
 Vul_ID: V-204422
 {{ end }}
diff --git a/Cat_2/RHEL-07-010320.yml b/Cat_2/RHEL-07-010320.yml
index e5af393..4e79546 100644
--- a/Cat_2/RHEL-07-010320.yml
+++ b/Cat_2/RHEL-07-010320.yml
@@ -5,8 +5,8 @@ command:
 exec: grep -Ei "unlock_time|sufficient" /etc/pam.d/system-auth
 exit-status: 0
 stdout:
- - '/^auth\s+required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900/'
- - '/^auth\s+sufficient pam_unix.so try_first_pass/'
+ - '/^auth\s+required\s+pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900/'
+ - '/^auth\s+sufficient\s+pam_unix.so try_first_pass/'
 - '/^auth\s+\[default=die\] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900/'
 meta:
 Cat: 2
diff --git a/Cat_2/RHEL-07-010330.yml b/Cat_2/RHEL-07-010330.yml
index b62a26d..091c5ae 100644
--- a/Cat_2/RHEL-07-010330.yml
+++ b/Cat_2/RHEL-07-010330.yml
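Review bot: The rewritten stdout pattern is still unbalanced — `- /^password\s+requisite\s+pam_pwhistory.so remember=5 retry=3/'` has a closing `'` but no opening one, so YAML reads a plain scalar ending in a literal apostrophe, the value no longer ends with `/`, and goss treats it as a literal substring that can never appear in grep's output. Quote the whole scalar as the sibling tests do: `- '/^password\s+requisite\s+pam_pwhistory.so remember=5 retry=3/'`. The `password_auth_remember` pattern lives outside this hunk; check it for the same defect.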
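Review bot: Only the first two patterns were loosened to `\s+` between the control flag and the module; the unchanged third line `- '/^auth\s+\[default=die\] pam_faillock.so authfail .../'` still requires exactly one space, so a column-aligned system-auth line that now passes the first two expectations can still fail the third. Change it to `'/^auth\s+\[default=die\]\s+pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900/'` for consistency. All three patterns also assume single spaces and a fixed order among the module options; that matches the STIG fix text, but a one-line comment saying the patterns are order- and spacing-sensitive would save the next editor a surprise.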
@@ -25,8 +25,8 @@ command:
 exit-status: 0
 stdout:
 - '/^account\s+required\s+pam_faillock.so/'
- - '/^auth\s+required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900/'
- - '/^auth\s+\[default=die\] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900/'
+ - '/^auth\s+required pam_faillock.so\s+preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900/'
+ - '/^auth\s+\[default=die\]\s+pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900/'
 meta:
 Cat: 2
 CCI:
diff --git a/Cat_2/RHEL-07-010343.yml b/Cat_2/RHEL-07-010343.yml
index 59987db..0294920 100644
--- a/Cat_2/RHEL-07-010343.yml
+++ b/Cat_2/RHEL-07-010343.yml
@@ -5,8 +5,8 @@ command:
 exec: grep -iRs 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/*
 exit-status:
 or:
- - 0
- - 1
+ - 0
+ - 1
 stdout:
 - '/timestamp_timeout=[0-9]\d*$/'
 meta:
diff --git a/Cat_2/RHEL-07-010344.yml b/Cat_2/RHEL-07-010344.yml
index 37b0767..c239d3b 100644
--- a/Cat_2/RHEL-07-010344.yml
+++ b/Cat_2/RHEL-07-010344.yml
@@ -4,9 +4,9 @@ command:
 title: RHEL-07-010344 | operating system must require re-authentication when using the sudo command.
 exec: grep -i pam_succeed /etc/pam.d/sudo
 exit-status:
- or:
- - 0
- - 1
+ or:
+ - 0
+ - 1
 stdout:
 - '!/pam_succeed_if/'
 meta:
diff --git a/Cat_2/RHEL-07-020023.yml b/Cat_2/RHEL-07-020023.yml
index 435640b..70e0fc0 100644
--- a/Cat_2/RHEL-07-020023.yml
+++ b/Cat_2/RHEL-07-020023.yml
@@ -5,8 +5,8 @@ command:
 exec: grep -iRs sysadm_r /etc/sudoers /etc/sudoers.d/*
 exit-status:
 or:
- - 0
- - 1
+ - 0
+ - 1
 stdout:
 - '/%wheel ALL=\(ALL\) TYPE=sysadm_t ROLE=sysadm_r ALL/'
 meta:
diff --git a/Cat_2/RHEL-07-020029.yml b/Cat_2/RHEL-07-020029.yml
index d7af036..7e489b7 100644
--- a/Cat_2/RHEL-07-020029.yml
+++ b/Cat_2/RHEL-07-020029.yml
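Review bot: The new `\s+` sits on the opposite side of the module name from RHEL-07-010320: here `required pam_faillock.so\s+preauth` keeps a single literal space between `required` and `pam_faillock.so`, while 010320 has `required\s+pam_faillock.so preauth`. Both tests grep the same line of system-auth, so a file with more than one space in either position satisfies one audit and fails the other; use `^auth\s+required\s+pam_faillock.so\s+preauth` (and `\[default=die\]\s+pam_faillock.so\s+authfail`) in both. The enclosing `command:` entry starts above this hunk.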
@@ -14,6 +14,7 @@ command:
 aide_check:
 title: RHEL-07-020029 | Must use a file integrity tool to verify correct operation of all security functions | db_check
 exit-status: 0
+ timeout: {{ .Vars.timeout_ms }}
 exec: /usr/sbin/aide --check
 stdout:
 - '.*AIDE database. Looks okay!'
diff --git a/Cat_2/RHEL-07-020700.yml b/Cat_2/RHEL-07-020700.yml
index 1928b0b..90c2a66 100644
--- a/Cat_2/RHEL-07-020700.yml
+++ b/Cat_2/RHEL-07-020700.yml
@@ -12,7 +12,7 @@ command:
 Cat: 2
 CCI: CCI-000366
 Group_Title: SRG-OS-000480-GPOS-00227
- Rule_ID: SV-204475r603836_rule
+ Rule_ID: SV-204475r917824_rule
 STIG_ID: RHEL-07-020700
 Vul_ID: V-204475
 {{ end }}
diff --git a/Cat_2/RHEL-07-020710.yml b/Cat_2/RHEL-07-020710.yml
index fd3be44..d2d25b2 100644
--- a/Cat_2/RHEL-07-020710.yml
+++ b/Cat_2/RHEL-07-020710.yml
@@ -15,7 +15,7 @@ command:
 Cat: 2
 CCI: CCI-000366
 Group_Title: SRG-OS-000480-GPOS-00227
- Rule_ID: SV-204476r603261_rule
+ Rule_ID: SV-204476r917827_rule
 STIG_ID: RHEL-07-020710
 Vul_ID: V-204476
 {{ end }}
diff --git a/Cat_2/RHEL-07-031000.yml b/Cat_2/RHEL-07-031000.yml
index 72317bc..dc2ac30 100644
--- a/Cat_2/RHEL-07-031000.yml
+++ b/Cat_2/RHEL-07-031000.yml
@@ -6,12 +6,12 @@ command:
 exec: grep @ /etc/rsyslog.conf /etc/rsyslog.d/*.conf | cut -d ':' -f2
 exit-status: 0
 stdout:
- - '/^*.* @@ {{ .Vars.rhel7stig_log_aggregation_server }}/'
+ - '/^*.* @(@|) {{ .Vars.rhel7stig_log_aggregation_server }}/'
 meta:
 Cat: 2
 CCI: CCI-000366
 Group_Title: SRG-OS-000480-GPOS-00227
- Rule_ID: SV-204574r603261_rule
+ Rule_ID: SV-204574r917830_rule
 STIG_ID: RHEL-07-031000
 Vul_ID: V-204574
 {{ end }}
diff --git a/Cat_2/RHEL-07-040180.yml b/Cat_2/RHEL-07-040180.yml
index 3c8cbae..587f039 100644
--- a/Cat_2/RHEL-07-040180.yml
+++ b/Cat_2/RHEL-07-040180.yml
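Review bot: `aide --check` is now bounded by the shared `{{ .Vars.timeout_ms }}` (60000 ms per the `timeout_ms: 60000` line in vars/STIG.yml further down this diff), and on a host with a populated AIDE database a full check routinely runs past a minute; when it does, goss reports the test as failed on timeout, which is indistinguishable from an integrity failure in the audit output. Give this test its own knob, e.g. `timeout: {{ .Vars.aide_timeout_ms }}` with a documented default of several minutes, or at least add a comment that the shared timeout is expected to be raised for this check. The `aide_check` stanza's `exec` and `stdout` are unchanged; the surrounding `command:` block starts above the hunk.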
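Review bot: The new pattern `'/^*.* @(@|) {{ .Vars.rhel7stig_log_aggregation_server }}/'` does not check what the title implies: `^*` is a quantifier on the anchor and the unescaped `.*` matches anything, so the `*.*` facility selector is never verified (`authpriv.* @@host` passes), and the mandatory space after `@(@|)` means the STIG's own form `*.* @@host` with no space never matches. If the intended line is the STIG one, use `'/^\*\.\*\s+@@?{{ .Vars.rhel7stig_log_aggregation_server }}/'`; if a space before the host is genuinely expected in this deployment, say so in a comment. Note also that `cut -d ':' -f2` discards everything after a second colon, so a server value carrying a `:port` suffix will not match either.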
@@ -19,7 +19,10 @@ command:
 ldap_sssd_conf:
 title: RHEL-07-040180 | Must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications.
 exec: grep -Ei "ldap|id_provider" /etc/sssd/sssd.conf
- exit-status: 0
+ exit-status:
+ or:
+ - 0
+ - 2
 stdout:
 - 'ldap_id_use_start_tls = true'
 - '!/^id_provider = ad/'
diff --git a/Cat_2/RHEL-07-040190.yml b/Cat_2/RHEL-07-040190.yml
index c1768eb..fd61d86 100644
--- a/Cat_2/RHEL-07-040190.yml
+++ b/Cat_2/RHEL-07-040190.yml
@@ -19,7 +19,10 @@ command:
 req_crypto_sssd_conf:
 title: RHEL-07-040190 | Must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.
 exec: grep -Ei "tls_req|id_provider" /etc/sssd/sssd.conf
- exit-status: 0
+ exit-status:
+ or:
+ - 0
+ - 2
 stdout:
 - 'ldap_tls_reqcert = demand'
 - '!/^id_provider = ad/'
diff --git a/Cat_2/RHEL-07-040200.yml b/Cat_2/RHEL-07-040200.yml
index 8227305..459d484 100644
--- a/Cat_2/RHEL-07-040200.yml
+++ b/Cat_2/RHEL-07-040200.yml
@@ -25,7 +25,10 @@ command:
 cacert_sssd_conf:
 title: RHEL-07-040200 | Must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.
 exec: grep -Ei "cacert|provider" /etc/sssd/sssd.conf
- exit-status: 0
+ exit-status:
+ or:
+ - 0
+ - 2
 stdout:
 - 'ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt'
 - '!/^id_provider = ad/'
diff --git a/Cat_2/RHEL-07-040300.yml b/Cat_2/RHEL-07-040300.yml
index eb56f58..646352f 100644
--- a/Cat_2/RHEL-07-040300.yml
+++ b/Cat_2/RHEL-07-040300.yml
@@ -11,7 +11,7 @@ package:
 - CCI-002420
 - CCI-002421
 Group_Title: SRG-OS-000423-GPOS-00187
- Rule_ID: SV-204585r603261_rule
+ Rule_ID: SV-204585r916422_rule
 STIG_ID: RHEL-07-040300
 Vul_ID: V-204585
 openssh:
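Review bot: Accepting grep exit status 2 here (and identically in the RHEL-07-040190 and RHEL-07-040200 hunks on this line) treats an unreadable or missing `/etc/sssd/sssd.conf` as a normal outcome and hides the cause of a failure; since 2 is grep's error code rather than "no match", test for the file separately (a `file:` check, or a vars gate like the other tests use) and keep `exit-status: 0`. The positive expectation `'ldap_id_use_start_tls = true'` is a literal substring match, so it is whitespace-sensitive and is also satisfied by a commented-out `#ldap_id_use_start_tls = true`; a regex such as `'/^\s*ldap_id_use_start_tls\s*=\s*true\s*$/'` (same shape for `ldap_tls_reqcert` and `ldap_tls_cacert`) is what the control actually needs. The `command:` block these entries belong to starts above the hunk.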
@@ -25,7 +25,7 @@ package:
 - CCI-002420
 - CCI-002421
 Group_Title: SRG-OS-000423-GPOS-00187
- Rule_ID: SV-204585r603261_rule
+ Rule_ID: SV-204585r916422_rule
 STIG_ID: RHEL-07-040300
 Vul_ID: V-204585
 openssh-server:
@@ -39,7 +39,7 @@ package:
 - CCI-002420
 - CCI-002421
 Group_Title: SRG-OS-000423-GPOS-00187
- Rule_ID: SV-204585r603261_rule
+ Rule_ID: SV-204585r916422_rule
 STIG_ID: RHEL-07-040300
 Vul_ID: V-204585
 {{ end }}
diff --git a/Cat_2/RHEL-07-040310.yml b/Cat_2/RHEL-07-040310.yml
index 47f3c4f..d6cd9fe 100644
--- a/Cat_2/RHEL-07-040310.yml
+++ b/Cat_2/RHEL-07-040310.yml
@@ -12,7 +12,7 @@ service:
 - CCI-002418
 - CCI-002420
 Group_Title: SRG-OS-000423-GPOS-00187
- Rule_ID: SV-204586r861071_rule
+ Rule_ID: SV-204586r916422_rule
 STIG_ID: RHEL-07-040310
 Vul_ID: V-204586
 {{ end }}
diff --git a/Cat_2/RHEL-07-040320.yml b/Cat_2/RHEL-07-040320.yml
index 5b20141..4f8882d 100644
--- a/Cat_2/RHEL-07-040320.yml
+++ b/Cat_2/RHEL-07-040320.yml
@@ -13,7 +13,7 @@ command:
 - CCI-001133
 - CCI-00236
 Group_Title: SRG-OS-000163-GPOS-00072
- Rule_ID: SV-204587r603261_rule
+ Rule_ID: SV-204587r917833_rule
 STIG_ID: RHEL-07-040320
 Vul_ID: V-204587
 {{ end }}
diff --git a/Cat_2/RHEL-07-040340.yml b/Cat_2/RHEL-07-040340.yml
index 03a5893..6d64cbb 100644
--- a/Cat_2/RHEL-07-040340.yml
+++ b/Cat_2/RHEL-07-040340.yml
@@ -13,7 +13,7 @@ command:
 - CCI-001133
 - CCI-002361
 Group_Title: SRG-OS-000163-GPOS-00072
- Rule_ID: SV-204589r603261_rule
+ Rule_ID: SV-204589r917836_rule
 STIG_ID: RHEL-07-040340
 Vul_ID: V-204589
 {{ end }}
diff --git a/Cat_2/RHEL-07-040712.yml b/Cat_2/RHEL-07-040712.yml
index 35ff265..45c2bf1 100644
--- a/Cat_2/RHEL-07-040712.yml
+++ b/Cat_2/RHEL-07-040712.yml
@@ -5,7 +5,7 @@ command:
 exec: grep -i kex /etc/ssh/sshd_config
 exit-status: 0
 stdout:
- - '/^KexAlgorithms {{ .Vars.rhel7stig_ssh_kex }}/'
+ - '/^KexAlgorithms "{{ .Vars.rhel7stig_ssh_kex }}"/'
 meta:
 Cat: 2
 CCI:
diff --git a/Changelog.md b/Changelog.md
index 5eb4ccb..af7628f 100644
--- a/Changelog.md
+++ b/Changelog.md
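Review bot: The context line `- CCI-00236` in the RHEL-07-040320 meta block on this line is five digits, whereas CCI identifiers are six (`CCI-002361` appears in the neighbouring RHEL-07-040340 hunk under the same Group_Title); the commit only bumps the Rule_ID, but the truncated control reference will mis-map in any report keyed on CCI. Since the line is already in the hunk, correct it to `- CCI-002361` if that is the control the V3R12 XCCDF lists for RHEL-07-040320, which should be confirmed rather than assumed.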
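Review bot: The RHEL-07-040712 pattern now demands literal double quotes around the algorithm list, `'/^KexAlgorithms "{{ .Vars.rhel7stig_ssh_kex }}"/'`, but the STIG fix text and the usual sshd_config form write `KexAlgorithms ecdh-sha2-nistp256,...` unquoted, so a compliant host fails this audit unless its remediation happens to quote the value. Make the quotes optional and tolerate field alignment: `'/^KexAlgorithms\s+"?{{ .Vars.rhel7stig_ssh_kex }}"?/'`. The variable is interpolated into a regex unescaped; today's value contains only letters, digits, `-` and `,`, so it is safe, but a comment saying the value must stay regex-safe would prevent a surprise later.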
@@ -1,5 +1,26 @@
 # changelog
+## Stig V3R12 26th July 2023 - Sept23
+
+updated run_audit script, enhanced and allowed testing of goss version
+adding missing variables
+
+## Stig V3R12 26th July 2023
+
+- RHEL-07-010199 - pamd password and system auth rewrite and ruleid updated
+- RHEL-07-010200 - ruleid update
+- RHEL_07-010270 - rewritten to align to new settings and ruleid updated
+- RHEL_07_020700 - ruleid updated
+- RHEL_07_020710 - ruleid updated fixed rule
+- RHEL_07_031000 - updated test and ruleid updated
+- RHEL_07_040300 - ruleid updated
+- RHEL_07_040310 - ruleid updated
+- RHEL_07_040320 - ruleid updated
+- RHEL_07_040340 - ruleid updated
+
+- some test improvements
+- basic linting
+
 ## Stig Version 3 release 11 - 27 April 2023
 works with oraclelinux
diff --git a/run_audit.sh b/run_audit.sh
index 3420c10..a9f6312 100755
--- a/run_audit.sh
+++ b/run_audit.sh
@@ -9,135 +9,133 @@
 # 02 Mar 2022 - Updated benchmark variable naming
 # 06 Apr 2022 - Added format option in output inline with goss options e.g. json documentation this is for fault finding
 # 03 May 2022 - update for audit variables improvement added by @pavloos - https://github.com/ansible-lockdown/RHEL8-CIS-Audit/pull/29
+# 10 Jun 2022 - added format output for different type - supports json,documentation or rspecish
 # 04 Oct 2022 - Changed default content location to /opt
-
-
-#!/bin/bash
-
+# 14 Sep 2023 - Tidyup of code,
+ linting (thanks to @cf-sewe)
+ Oracle included by default if RHEL family
+ benchmark vars moved
 # Variables in upper case tend to be able to be adjusted
 # lower case variables are discovered or built from other variables
+# Goss benchmark variables (these should not need changing unless new release)
+BENCHMARK=STIG # Benchmark Name aligns to the audit
+BENCHMARK_VER=v3r12
+BENCHMARK_OS=RHEL7
+
 # Goss host Variables
 AUDIT_BIN="${AUDIT_BIN:-/usr/local/bin/goss}" # location of the goss executable
+AUDIT_BIN_MIN_VER="0.3.21"
 AUDIT_FILE="${AUDIT_FILE:-goss.yml}" # the default goss file used by the audit provided by the audit configuration
 AUDIT_CONTENT_LOCATION="${AUDIT_CONTENT_LOCATION:-/opt}" # Location of the audit configuration file as available to the OS
-
-# Goss benchmark variables (these should not need changing unless new release)
-BENCHMARK=STIG # Benchmark Name aligns to the audit
-BENCHMARK_VER=V3R10
-BENCHMARK_OS=RHEL7
-
 # help output
 Help() {
- # Display Help
- echo "Script to run the goss audit"
- echo
- echo "Syntax: $0 [-f|-g|-o|-v|-w|-h]"
- echo "options:"
- echo "-f optional - change the format output (default value = json)"
- echo "-g optional - Add a group that the server should be grouped with (default value = ungrouped)"
- echo "-o optional - file to output audit data"
- echo "-v optional - relative path to thevars file to load (default e.g. 
$AUDIT_CONTENT_LOCATION/RHEL7-$BENCHMARK/vars/$BENCHMARK.yml)"
- echo "-w optional - Sets the system_type to workstation (Default - Server)"
- echo "-h Print this Help."
- echo
+ # Display Help
+ echo "Script to run the goss audit"
+ echo
+ echo "Syntax: $0 [-f|-g|-o|-v|-w|-h]"
+ echo "options:"
+ echo "-f optional - change the format output (default value = json)"
+ echo "-g optional - Add a group that the server should be grouped with (default value = ungrouped)"
+ echo "-o optional - file to output audit data"
+ echo "-v optional - relative path to thevars file to load (default e.g. $AUDIT_CONTENT_LOCATION/RHEL7-$BENCHMARK/vars/$BENCHMARK.yml)"
+ echo "-w optional - Sets the system_type to workstation (Default - Server)"
+ echo "-h Print this Help."
+ echo
 }
-
 # Default vars that can be set
 host_system_type=Server
 ## option statement
 while getopts f:g:o:v::wh option; do
- case "${option}" in
- f ) FORMAT=${OPTARG} ;;
- g ) GROUP=${OPTARG} ;;
- o ) OUTFILE=${OPTARG} ;;
- v ) VARS_PATH=${OPTARG} ;;
- w ) host_system_type=Workstation ;;
- h ) # display Help
- Help
- exit;;
- ? ) # Invalid option
- echo "Invalid option: -${OPTARG}."
- Help
- exit;;
+ case "${option}" in
+ f ) FORMAT=${OPTARG} ;;
+ g ) GROUP=${OPTARG} ;;
+ o ) OUTFILE=${OPTARG} ;;
+ v ) VARS_PATH=${OPTARG} ;;
+ w ) host_system_type=Workstation ;;
+ h ) # display Help
+ Help
+ exit;;
+ ? ) # Invalid option
+ echo "Invalid option: -${OPTARG}."
+ Help
+ exit;;
 esac
 done
 #### Pre-Checks
 # check access need to run as root or privileges due to some configuration access
-if [ $(/usr/bin/id -u) -ne 0 ]; then
+if [ "$(/usr/bin/id -u)" -ne 0 ]; then
 echo "Script need to run with root privileges"
 exit 1
 fi
-#### Main Script
+#### Main Script ####
 # Discover OS version aligning with audit
 # Define os_vendor variable
-if [ `grep -cE "fedora|rhel" /etc/os-release` != 0 ]; then
- os_vendor="RHEL"
+if [ "$(grep -Ec "rhel|oracle" /etc/os-release)" != 0 ]; then
+ os_vendor="RHEL"
 else
- os_vendor=`hostnamectl | grep Oper | cut -d : -f2 | awk '{print $1}' | tr a-z A-Z`
+ os_vendor="$(hostnamectl | grep Oper | cut -d : -f2 | awk '{print $1}' | tr '[:lower:]')"
 fi
-os_maj_ver=`grep -w VERSION_ID= /etc/os-release | awk -F\" '{print $2}' | cut -d '.' -f1`
+os_maj_ver="$(grep -w VERSION_ID= /etc/os-release | awk -F\" '{print $2}' | cut -d '.' -f1)"
 audit_content_version=$os_vendor$os_maj_ver-$BENCHMARK-Audit
 audit_content_dir=$AUDIT_CONTENT_LOCATION/$audit_content_version
 audit_vars=vars/${BENCHMARK}.yml
 # Set variable for format output
-if [ -z $FORMAT ]; then
+if [ -z "$FORMAT" ]; then
 export format="json"
 else
 export format=$FORMAT
 fi
 # Set variable for autogroup
-if [ -z $GROUP ]; then
- export auto_group="ungrouped"
+if [ -z "$GROUP" ]; then
+ export host_auto_group="ungrouped"
 else
- export auto_group=$GROUP
+ export host_auto_group=$GROUP
 fi
 # set default variable for varfile_path
 if [ -z "$VARS_PATH" ]; then
- export varfile_path=$audit_content_dir/$audit_vars
- else
- # Check -v exists fail if not
- if [ -f "$VARS_PATH" ]; then
- export varfile_path=$VARS_PATH
- else
- echo "passed option '-v' $VARS_PATH does not exist"
- exit 1
- fi
+ export varfile_path=$audit_content_dir/$audit_vars
+else
+ # Check -v exists fail if not
+ if [ -f "$VARS_PATH" ]; then
+ export varfile_path=$VARS_PATH
+ else
+ echo "passed option '-v' $VARS_PATH does not exist"
+ exit 1
+ fi
 fi
-
 ## System variables captured for metadata
-host_machine_uuid=`if [ ! -z /sys/class/dmi/id/product_uuid ]; then cat /sys/class/dmi/id/product_uuid; else dmidecode -s system-uuid; fi`
-host_epoch=`date +%s`
-host_os_locale=`date +%Z`
-host_os_name=`grep "^NAME=" /etc/os-release | cut -d '"' -f2 | sed 's/ //' | cut -d ' ' -f1`
-host_os_version=`grep "^VERSION_ID=" /etc/os-release | cut -d '"' -f2`
-host_os_hostname=`hostname`
+host_machine_uuid="$(if [ -f /sys/class/dmi/id/product_uuid ]; then cat /sys/class/dmi/id/product_uuid; else dmidecode -s system-uuid; fi)"
+host_epoch="$(date +%s)"
+host_os_locale="$(date +%Z)"
+host_os_name="$(grep "^NAME=" /etc/os-release | cut -d '"' -f2 | sed 's/ //' | cut -d' ' -f1)"
+host_os_version="$(grep "^VERSION_ID=" /etc/os-release | cut -d '"' -f2)"
+host_os_hostname="$(hostname)"
 ## Set variable audit_out
-if [ -z $OUTFILE ]; then
- export audit_out=$AUDIT_CONTENT_LOCATION/audit_${host_os_hostname}-${BENCHMARK}-${BENCHMARK_OS}_${host_epoch}.$format
+if [ -z "$OUTFILE" ]; then
+ export audit_out=${AUDIT_CONTENT_LOCATION}/audit_${host_os_hostname}-${BENCHMARK}-${BENCHMARK_OS}_${host_epoch}.$format
 else
- export audit_out=$OUTFILE
+ export audit_out=${OUTFILE}
 fi
-
 ## Set the AUDIT json string
-audit_json_vars='{"benchmark_type":"'"$BENCHMARK"'","benchmark_os":"'"$BENCHMARK_OS"'","benchmark_version":"'"$BENCHMARK_VER"'","machine_uuid":"'"$host_machine_uuid"'","epoch":"'"$host_epoch"'","os_locale":"'"$host_os_locale"'","os_release":"'"$host_os_version"'","os_distribution":"'"$host_os_name"'","os_hostname":"'"$host_os_hostname"'","auto_group":"'"$host_auto_group"'","system_type":"'"$host_system_type"'"}'
+audit_json_vars='{"benchmark_type":'"$BENCHMARK"'","benchmark_os":"'"$BENCHMARK_OS"'","benchmark_version":"'"$BENCHMARK_VER"'","machine_uuid":"'"$host_machine_uuid"'","epoch":"'"$host_epoch"'","os_locale":"'"$host_os_locale"'","os_release":"'"$host_os_version"'","os_distribution":"'"$host_os_name"'","os_hostname":"'"$host_os_hostname"'","auto_group":"'"$host_auto_group"'","system_type":"'"$host_system_type"'"}'
 ## Run pre checks
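Review bot: The rewritten `audit_json_vars` line at the end of the hunk drops the opening quote of the first value — `'{"benchmark_type":'"$BENCHMARK"'","benchmark_os":...` yields `{"benchmark_type":STIG","benchmark_os":"RHEL7",...}`, which is not valid JSON/YAML for `--vars-inline`; restore it as `'{"benchmark_type":"'"$BENCHMARK"'","benchmark_os":...`. In the `os_vendor` fallback, `tr '[:lower:]'` is missing its second operand, so `tr` exits with an error and `os_vendor` ends up empty where the old `tr a-z A-Z` worked; it should read `tr '[:lower:]' '[:upper:]'`. As rendered here, the three continuation lines after `# 14 Sep 2023 - Tidyup of code,` carry no leading `#`, which bash would execute as commands (`linting: command not found`) — confirm against the actual file and prefix each with `#`. Removing the mid-file `#!/bin/bash` is correct only if line 1 of the script, outside this hunk, already carries the shebang.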
@@ -146,46 +144,64 @@ echo "## Pre-Checks Start"
 echo
 export FAILURE=0
-if [ -s "$AUDIT_BIN" ]; then
- echo "OK Audit binary $AUDIT_BIN is available"
+if [ -s "${AUDIT_BIN}" ]; then
+ echo "OK - Audit binary $AUDIT_BIN is available"
+ goss_installed_version="$($AUDIT_BIN -v | awk '{print $NF}' | cut -dv -f2)"
+ ver_calc=$(awk 'BEGIN{print $goss_installed_version < $AUDIT_BIN_MIN_VER}')
+ if [ $AUDIT_BIN_MIN_VER = "$goss_installed_version" ] || [ "$ver_calc" = 1 ] ; then
+ echo "OK - Goss is installed and Version is ok";
+ else
+ echo "WARNING - Goss installed = ${goss_installed_version}, does not met minimum of ${AUDIT_BIN_MIN_VER}"; export FAILURE=2
+ fi
 else
- echo "WARNING - The audit binary is not available at $AUDIT_BIN "; export FAILURE=1
+ echo "WARNING - The audit binary is not available at $AUDIT_BIN "; export FAILURE=1
 fi
-if [ -f "$audit_content_dir/$AUDIT_FILE" ]; then
- echo "OK $audit_content_dir/$AUDIT_FILE is available"
+if [ -f "${audit_content_dir}/${AUDIT_FILE}" ]; then
+ echo "OK - ${audit_content_dir}/${AUDIT_FILE} is available"
 else
- echo "WARNING - the $audit_content_dir/$AUDIT_FILE is not available"; export FAILURE=2
+ echo "WARNING - the $audit_content_dir/$AUDIT_FILE is not available"; export FAILURE=3
 fi
-
-if [ `echo $FAILURE` != 0 ]; then
- echo "## Pre-checks failed please see output"
- exit 1
+if [ "${FAILURE}" != 0 ]; then
+ echo "## Pre-checks failed please see output"
+ exit 1
 else
- echo
- echo "## Pre-checks Successful"
- echo
+ echo
+ echo "## Pre-checks Successful"
+ echo
 fi
+# format output types
+# json, rspecish = grep -A 4 \"summary\": $audit_out
+# tap junit no output as no summary
+# documentation = tail -2 $audit_out
+
+# defaults
+output_summary="tail -2 $audit_out"
+format_output="-f $format"
+
+if [ "$format" = json ]; then
+ format_output="-f json -o pretty"
+ output_summary='grep -A 4 \"summary\": $audit_out'
+elif [ "$format" = junit ] || [ "$format" = tap ]; then
+ output_summary=""
+fi
 ## Run commands
 echo 
"#############"
 echo "Audit Started"
 echo "#############"
 echo
-$AUDIT_BIN -g $audit_content_dir/$AUDIT_FILE --vars $varfile_path --vars-inline $audit_json_vars v -f $format -o pretty > $audit_out
+$AUDIT_BIN -g "$audit_content_dir/$AUDIT_FILE" --vars "$varfile_path" --vars-inline "$audit_json_vars" v $format_output > "$audit_out"
 # create screen output
-if [ `grep -c $BENCHMARK $audit_out` != 0 ]; then
-echo "
-`tail -7 $audit_out`
-
-Completed file can be found at $audit_out"
-echo "###############"
-echo "Audit Completed"
-echo "###############"
-
+if [ "$(grep -c $BENCHMARK "$audit_out")" != 0 ] || [ "$format" = junit ] || [ "$format" = tap ]; then
+ eval $output_summary
+ echo " Completed file can be found at $audit_out"
+ echo "###############"
+ echo "Audit Completed"
+ echo "###############"
 else
- echo "Fail Audit - There were issues when running the audit please investigate $audit_out"
+ echo -e "Fail: There were issues when running the audit please investigate $audit_out"
 fi
diff --git a/vars/STIG.yml b/vars/STIG.yml
index f5af70a..f27b9f5 100644
--- a/vars/STIG.yml
+++ b/vars/STIG.yml
@@ -9,7 +9,7 @@ timeout_ms: 60000
 # set to redhat/centos/oracle
 rhel8stig_os_distribution: redhat
-rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+rpm_gpg_keys: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 gpg_key:
 - name: 'release key 2'
 fingerprint: '567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51'
@@ -18,14 +18,14 @@ gpg_key:
 # centos
 #rhel8stig_os_distribution: centos-release
-#gpg_package: /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+#rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
 #gpg_key:
 # - name: 'CentOS 7 Official Signing Key'
 # fingerprint: '6341 AB27 53D7 8A78 A7C2 7BB1 24C6 A8A7 F4A8 0EB5'
 # oracle
 #rhel8stig_os_distribution: oraclelinux-release
-#gpg_package: /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
+#rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
 #gpg_key:
 # - name: 'Oracle OSS group'
 # fingerprint: '4214 4123 FECF C55B 9086 313D 72F9 7B74 EC55 1F03'
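Review bot: The new minimum-version check in the pre-check hunk cannot work as written: in `ver_calc=$(awk 'BEGIN{print $goss_installed_version < $AUDIT_BIN_MIN_VER}')` the single quotes stop the shell expanding either variable (awk compares `$0 < $0`, always 0), the sense is inverted anyway (`installed < minimum` is the failing case), and dotted versions are not numbers. The net effect is that only an installed goss exactly equal to 0.3.21 passes and every newer release sets FAILURE=2 and aborts the audit. Replace the calculation and the `if` with a version-aware sort, e.g. `if [ "$(printf '%s\n' "$AUDIT_BIN_MIN_VER" "$goss_installed_version" | sort -V | head -n1)" = "$AUDIT_BIN_MIN_VER" ]; then`, and quote `$AUDIT_BIN_MIN_VER` in the test. Further down, `eval $output_summary` evaluates a string that embeds the user-supplied `-o` path; calling `grep -A 4 '"summary":' "$audit_out"` or `tail -2 "$audit_out"` directly in the branch avoids eval entirely, and `grep -c $BENCHMARK "$audit_out"` should quote `$BENCHMARK` like its neighbours.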
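Review bot: The active Red Hat stanza in vars/STIG.yml renames the key to `rpm_gpg_keys` (plural) while the commented CentOS and Oracle stanzas in the following hunk are renamed to `rpm_gpg_key` (singular), so a user who uncomments one of those blocks defines a variable no template reads and leaves the one the templates expect undefined. Use one spelling in all three places, matching whichever name the consuming test references (not visible here). A comment above the block stating that exactly one stanza may be active and that the key names must stay identical across them would stop this drifting again. The `rhel8stig_os_distribution` key in a RHEL7 vars file looks like a carry-over; if the templates reference it by that name leave it, otherwise it is worth renaming in the same pass.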
@@ -401,9 +401,9 @@ rhel7stig_FIPS_MACs: hmac-sha2-512,hmac-sha2-256
 rhel7stig_FIPS_kex: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
 # SSH settings
-rhel7stig_ssh_ciphers: '{{ .Vars.rhel7stig_FIPS_Ciphers }}'
-rhel7stig_ssh_MACs: '{{ .Vars.rhel7stig_FIPS_MACs }}'
-rhel7stig_ssh_KEX: '{{ .Vars.rhel7stig_FIPS_kex }}'
+rhel7stig_ssh_ciphers: aes256-ctr,aes192-ctr,aes128-ctr
+rhel7stig_ssh_MACs: hmac-sha2-512,hmac-sha2-256
+rhel7stig_ssh_kex: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
 # RHEL_07_040160
 # Session timeout setting file (TMOUT setting can be set in multiple files)
 # Timeout value is in seconds. (60 seconds * 10 = 600)
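Review bot: The three SSH variables now duplicate the FIPS lists defined a few lines above (`rhel7stig_FIPS_kex` and its siblings) instead of referring to them, so the two copies can drift silently; if goss does not expand `{{ .Vars.* }}` inside the vars file (presumably why the self-references were dropped), add a comment such as `# must match the rhel7stig_FIPS_* values above; goss does not template this file` so the next editor updates both. The rename `rhel7stig_ssh_KEX` -> `rhel7stig_ssh_kex` matches the reference in RHEL-07-040712, but `rhel7stig_ssh_MACs` keeps its mixed case; pick one convention for the trio. The hunk appears to end on the last line shown, so nothing after the TMOUT comment was reviewed.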