From 8831118603bf9aa185f549cca7f6539288b93de7 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 4 Dec 2024 07:47:51 +0000
Subject: [PATCH 1/2] removed ref to rule_1.1.1.3
Removed reference to 1.1.3.3 thanks to @Olzhas011
Signed-off-by: Mark Bolwell
---
 section_1/cis_1.1/{cis_1.1.1.1_3.yml => cis_1.1.1.1_2.yml} | 0
 section_1/cis_1.1/cis_1.1.3.2_4.yml | 2 +-
 vars/CIS.yml | 1 -
 3 files changed, 1 insertion(+), 2 deletions(-)
 rename section_1/cis_1.1/{cis_1.1.1.1_3.yml => cis_1.1.1.1_2.yml} (100%)
diff --git a/section_1/cis_1.1/cis_1.1.1.1_3.yml b/section_1/cis_1.1/cis_1.1.1.1_2.yml
similarity index 100%
rename from section_1/cis_1.1/cis_1.1.1.1_3.yml
rename to section_1/cis_1.1/cis_1.1.1.1_2.yml
diff --git a/section_1/cis_1.1/cis_1.1.3.2_4.yml b/section_1/cis_1.1/cis_1.1.3.2_4.yml
index c6fd2e5..5667d2e 100644
--- a/section_1/cis_1.1/cis_1.1.3.2_4.yml
+++ b/section_1/cis_1.1/cis_1.1.3.2_4.yml
@@ -4,7 +4,7 @@ mount:
 /var:
 title: |
 1.1.3.2 | Ensure nodev option set on /var partition
- 1.1.3.3 | Ensure noexec option set on /var partition
+ 1.1.3.3 | Ensure nosuid option set on /var partition
 exists: true
 opts:
 {{ if .Vars.rhel9cis_rule_1_1_3_2 }}
diff --git a/vars/CIS.yml b/vars/CIS.yml
index 95a3975..83c2037 100644
--- a/vars/CIS.yml
+++ b/vars/CIS.yml
@@ -40,7 +40,6 @@ rhel9cis_set_boot_pass: true
 # 1.1.1 Disable unused filesystems
 rhel9cis_rule_1_1_1_1: true
 rhel9cis_rule_1_1_1_2: true
-rhel9cis_rule_1_1_1_3: true
 # 1.1.2 Configure /tmp
 rhel9cis_rule_1_1_2_1: true
 rhel9cis_rule_1_1_2_2: true
From 68a9ff76a2872e2fd72c6fb31bcbb3fa904c4df6 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 4 Dec 2024 07:49:37 +0000
Subject: [PATCH 2/2] updated audit_script
Signed-off-by: Mark Bolwell
---
 run_audit.sh | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/run_audit.sh b/run_audit.sh
index 325b094..71a0bab 100755
--- a/run_audit.sh
+++ b/run_audit.sh
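Review bot: The corrected title line `1.1.3.3 | Ensure nosuid option set on /var partition` only changes the human-readable label; the option assertions that back it sit under `opts:`, and the visible template branch tests `.Vars.rhel9cis_rule_1_1_3_2` only, so the 1.1.3.3 branch is outside the hunk and should be checked to actually assert `nosuid` rather than `noexec`, since a title/assertion mismatch misleads anyone reading the report. Separately, because cis_1.1.1.1_3.yml is renamed at 100% similarity while `rhel9cis_rule_1_1_1_3` is dropped from vars/CIS.yml, any `.Vars.rhel9cis_rule_1_1_1_3` reference that may remain in the renamed file would now point at an undefined variable; a grep for that name across the content tree before merging would settle it.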
@@ -15,12 +15,15 @@
 # linting (thanks to @cf-sewe)
 # Oracle included by default if RHEL family
 # benchmark vars moved
+# December 2023 Added goss version and testing
+# April 2024 Updating of OS discovery to work for all supported OSs
+# August 2024 Improve failure capture
 # Variables in upper case tend to be able to be adjusted
 # lower case variables are discovered or built from other variables
 # Goss benchmark variables (these should not need changing unless new release)
-BENCHMARK=CIS # Benchmark Name aligns to the audit
+BENCHMARK=CIS # Benchmark Name aligns to the audit
 BENCHMARK_VER=1.0.0
 BENCHMARK_OS=RHEL9
@@ -80,10 +83,12 @@ fi
 # Discover OS version aligning with audit
 # Define os_vendor variable
-if [ "$(grep -Ec "rhel|oracle" /etc/os-release)" != 0 ]; then
+if [ "$(uname -a | grep -c amzn)" -ge 1 ]; then
+ os_vendor="AMAZON"
+elif [ "$(grep -Ec "rhel|oracle" /etc/os-release)" != 0 ]; then
 os_vendor="RHEL"
 else
- os_vendor="$(hostnamectl | grep Oper | cut -d : -f2 | awk '{print $1}' | tr '[:lower:]')"
+ os_vendor="$(hostnamectl | grep Oper | cut -d : -f2 | awk '{print toupper($1)}')"
 fi
 os_maj_ver="$(grep -w VERSION_ID= /etc/os-release | awk -F\" '{print $2}' | cut -d '.' -f1)"
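Review bot: The new Amazon branch `if [ "$(uname -a | grep -c amzn)" -ge 1 ]; then` classifies by the kernel release string rather than by distribution, unlike the RHEL branch directly below it, which reads /etc/os-release; inside a container uname reports the host kernel, so a RHEL-family guest on an Amazon Linux host would be labelled AMAZON and whatever downstream logic keys off os_vendor would follow that label. Reading the same file as the sibling branch keeps the two checks consistent and avoids a second detection source: `if grep -Eq '^ID="?amzn"?' /etc/os-release; then`. The `awk '{print toupper($1)}'` replacement correctly repairs the previous one-argument `tr` call in the else branch.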
@@ -135,7 +140,7 @@ else
 fi
 ## Set the AUDIT json string
-audit_json_vars='{"benchmark_type":'"$BENCHMARK"'","benchmark_os":"'"$BENCHMARK_OS"'","benchmark_version":"'"$BENCHMARK_VER"'","machine_uuid":"'"$host_machine_uuid"'","epoch":"'"$host_epoch"'","os_locale":"'"$host_os_locale"'","os_release":"'"$host_os_version"'","os_distribution":"'"$host_os_name"'","os_hostname":"'"$host_os_hostname"'","auto_group":"'"$host_auto_group"'","system_type":"'"$host_system_type"'"}'
+audit_json_vars='{"benchmark_type":"'"$BENCHMARK"'","benchmark_os":"'"$BENCHMARK_OS"'","benchmark_version":"'"$BENCHMARK_VER"'","machine_uuid":"'"$host_machine_uuid"'","epoch":"'"$host_epoch"'","os_locale":"'"$host_os_locale"'","os_release":"'"$host_os_version"'","os_distribution":"'"$host_os_name"'","os_hostname":"'"$host_os_hostname"'","auto_group":"'"$host_auto_group"'","system_type":"'"$host_system_type"'"}'
 ## Run pre checks
@@ -198,12 +203,14 @@ echo
 $AUDIT_BIN -g "$audit_content_dir/$AUDIT_FILE" --vars "$varfile_path" --vars-inline "$audit_json_vars" v $format_output > "$audit_out"
 # create screen output
-if [ "$(grep -c $BENCHMARK "$audit_out")" != 0 ] || [ "$format" = junit ] || [ "$format" = tap ]; then
+# create screen output
+if [ "$(grep -c Count: "$audit_out")" -ge 1 ] || [ "$format" = junit ] || [ "$format" = tap ]; then
 eval $output_summary
 echo "Completed file can be found at $audit_out"
 echo "###############"
 echo "Audit Completed"
 echo "###############"
 else
- echo -e "Fail: There were issues when running the audit please investigate $audit_out"
+ echo -e "Fail: There were issues when running the audit please investigate $audit_out";
+ exit 1
 fi
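Review bot: The added `"` after `"benchmark_type":` repairs this one instance, but the JSON is still assembled by splicing unescaped shell values between quote characters, so any `"` or backslash in a discovered value such as `$host_os_hostname`, `$host_os_name` or `$host_os_locale` reproduces the same malformed `--vars-inline` payload. A small helper placed above this assignment, `json_esc() { local s=${1//\\/\\\\}; printf '%s' "${s//\"/\\\"}"; }`, wrapped around each interpolated value as `"$(json_esc "$host_os_hostname")"`, closes that gap with no new dependency. If those values can only ever come from /etc/os-release and hostnamectl output, the residual risk is small, but the assignment should at least say so in a comment so the next edit does not reintroduce the quoting bug.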
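Review bot: The new side carries `# create screen output` twice, once as the kept context line and once as the added line directly above the rewritten `if`, so the added duplicate should be dropped. In the else branch the failure message now ends with a stray `;` and still goes to stdout through `echo -e` although it contains no escapes; `echo "Fail: There were issues when running the audit please investigate $audit_out" >&2` ahead of the added `exit 1` keeps diagnostics on stderr, which matters now that callers can test a non-zero status. The success test `grep -c Count: "$audit_out"` inspects the output file rather than the exit status of the goss run on the line above, so a run that fails before writing any summary is caught only indirectly; saving that status with `rc=$?` immediately after the audit command and checking it alongside the grep would be more direct.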