colin
/
UBUNTU24-CIS-Audit
mirror of https://github.com/ansible-lockdown/UBUNTU24-CIS-Audit.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #6 from ansible-lockdown/mount_updates 

Mount updates
This commit is contained in:
uk-bolly 2024-12-09 14:10:11 +00:00 committed by GitHub
parent 9ab737f351 7328ffd613
commit 593c45d6b0
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
27 changed files with 879 additions and 449 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
run_audit.sh
View File

@ -17,13 +17,14 @@
# benchmark vars moved # benchmark vars moved
# December 2023 Added goss version and testing # December 2023 Added goss version and testing
# April 2024 Updating of OS discovery to work for all supported OSs # April 2024 Updating of OS discovery to work for all supported OSs
# August 2024 Improve failure capture
# Variables in upper case tend to be able to be adjusted # Variables in upper case tend to be able to be adjusted
# lower case variables are discovered or built from other variables # lower case variables are discovered or built from other variables
# Goss benchmark variables (these should not need changing unless new release) # Goss benchmark variables (these should not need changing unless new release)
BENCHMARK=CIS # Benchmark Name aligns to the audit BENCHMARK=CIS # Benchmark Name aligns to the audit
BENCHMARK_VER=2.0.0 BENCHMARK_VER=1.0.0
BENCHMARK_OS=UBUNTU24 BENCHMARK_OS=UBUNTU24
# Goss host Variables # Goss host Variables
@ -202,12 +203,13 @@ echo
$AUDIT_BIN -g "$audit_content_dir/$AUDIT_FILE" --vars "$varfile_path" --vars-inline "$audit_json_vars" v $format_output > "$audit_out" $AUDIT_BIN -g "$audit_content_dir/$AUDIT_FILE" --vars "$varfile_path" --vars-inline "$audit_json_vars" v $format_output > "$audit_out"
# create screen output # create screen output
if [ "$(grep -c $BENCHMARK "$audit_out")" != 0 ] || [ "$format" = junit ] || [ "$format" = tap ]; then if [ "$(grep -c Count: "$audit_out")" -ge 1 ] || [ "$format" = junit ] || [ "$format" = tap ]; then
eval $output_summary eval $output_summary
echo "Completed file can be found at $audit_out" echo "Completed file can be found at $audit_out"
echo "###############" echo "###############"
echo "Audit Completed" echo "Audit Completed"
echo "###############" echo "###############"
else else
echo -e "Fail: There were issues when running the audit please investigate $audit_out" echo -e "Fail: There were issues when running the audit please investigate $audit_out";
exit 1
fi fi

46
section_1/cis_1.1/cis_1.1.2.1.2.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_1_2 }}
mount:
tmp_nodev_options:
title: 1.1.2.1.2 | Ensure nodev option set on /tmp partition
mountpoint: /tmp
exists: true
opts:
- nodev
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.1.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
tmp_nodev_fstab_options:
title: 1.1.2.1.2 | Ensure nodev option set on /tmp partition
exists: true
path: /etc/fstab
contents:
- '/\s\/tmp.*nodev/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.1.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

66
section_1/cis_1.1/cis_1.1.2.1.2_4.yml
View File

@ -1,66 +0,0 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_1_1 }}
mount:
tmp_options:
title: |
1.1.2.1.2 | Ensure nodev option set on /tmp partition
1.1.2.1.3 | Ensure nosuid option set on /tmp partition
1.1.2.1.4 | Ensure noexec option set on /tmp partition
mountpoint: /tmp
exists: true
opts:
{{ if .Vars.ubtu24cis_rule_1_1_2_1_2 }}
- nodev
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_1_3 }}
- nosuid
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_1_4 }}
- noexec
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.1.2
- 1.1.2.1.3
- 1.1.2.1.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
tmp_fstab_options:
title: |
1.1.2.1.2 | Ensure nodev option set on /tmp partition
1.1.2.1.3 | Ensure nosuid option set on /tmp partition
1.1.2.1.4 | Ensure noexec option set on /tmp partition
exists: true
path: /etc/fstab
contents:
- '/\s\/tmp.*{{ if .Vars.ubtu24cis_rule_1_1_2_1_2 }}nodev{{ end }}/'
- '/\s\/tmp.*{{ if .Vars.ubtu24cis_rule_1_1_2_1_3 }}nosuid{{ end }}.*/'
- '/\s\/tmp.*{{ if .Vars.ubtu24cis_rule_1_1_2_1_4 }}noexec{{ end }}.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.1.2
- 1.1.2.1.3
- 1.1.2.1.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.1.3.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_1_3 }}
mount:
tmp_nosuid_options:
title: 1.1.2.1.3 | Ensure nosuid option set on /tmp partition
mountpoint: /tmp
exists: true
opts:
- nosuid
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.1.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
tmp_nosuid_fstab_options:
title: 1.1.2.1.3 | Ensure nosuid option set on /tmp partition
exists: true
path: /etc/fstab
contents:
- '/\s\/tmp.*nosuid.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.1.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.1.4.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_1_4 }}
mount:
tmp_noexec_options:
title: 1.1.2.1.4 | Ensure noexec option set on /tmp partition
mountpoint: /tmp
exists: true
opts:
- noexec
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.1.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
tmp_fstab_noexec_options:
title: 1.1.2.1.4 | Ensure noexec option set on /tmp partition
exists: true
path: /etc/fstab
contents:
- '/\s\/tmp.*noexec.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.1.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.2.2.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_2_2 }}
mount:
dev_shm_nodev_options:
title: 1.1.2.2.2 | Ensure nodev option set on /dev/shm partition
mountpoint: /dev/shm
exists: true
opts:
- nodev
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.2.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
dev_shm_nodev_fstab_options:
title: 1.1.2.2.2 | Ensure nodev option set on /dev/shm partition
exists: true
path: /etc/fstab
contents:
- '/\s\/dev\/shm.*nodev/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.2.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

66
section_1/cis_1.1/cis_1.1.2.2.2_4.yml
View File

@ -1,66 +0,0 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_2_1 }}
mount:
dev_shm_options:
title: |
1.1.2.2.2 | Ensure nodev option set on /dev/shm partition
1.1.2.2.3 | Ensure nosuid option set on /dev/shm partition
1.1.2.2.4 | Ensure noexec option set on /dev/shm partition
mountpoint: /dev/shm
exists: true
opts:
{{ if .Vars.ubtu24cis_rule_1_1_2_2_2 }}
- nodev
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_2_3 }}
- nosuid
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_2_4 }}
- noexec
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.2.2
- 1.1.2.2.3
- 1.1.2.2.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
dev_shm_fstab_options:
title: |
1.1.2.2.2 | Ensure nodev option set on /dev/shm partition
1.1.2.2.3 | Ensure nosuid option set on /dev/shm partition
1.1.2.2.4 | Ensure noexec option set on /dev/shm partition
exists: true
path: /etc/fstab
contents:
- '/\s\/dev\/shm.*{{ if .Vars.ubtu24cis_rule_1_1_2_2_2 }}nodev{{ end }}/'
- '/\s\/dev\/shm.*{{ if .Vars.ubtu24cis_rule_1_1_2_2_3 }}nosuid{{ end }}.*/'
- '/\s\/dev\/shm.*{{ if .Vars.ubtu24cis_rule_1_1_2_2_4 }}noexec{{ end }}.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.2.2
- 1.1.2.2.3
- 1.1.2.2.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.2.3.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_2_3 }}
mount:
dev_shm_nosuid_options:
title: 1.1.2.2.3 | Ensure nosuid option set on /dev/shm partition
mountpoint: /dev/shm
exists: true
opts:
- nosuid
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.2.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
dev_shm_nosuid_fstab_options:
title: 1.1.2.2.3 | Ensure nosuid option set on /dev/shm partition
exists: true
path: /etc/fstab
contents:
- '/\s\/dev\/shm.*nosuid.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.2.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.2.4.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_2_4 }}
mount:
dev_shm_noexec_options:
title: 1.1.2.2.4 | Ensure noexec option set on /dev/shm partition
mountpoint: /dev/shm
exists: true
opts:
- noexec
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.2.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
dev_shm_noexec_fstab_options:
title: 1.1.2.2.4 | Ensure noexec option set on /dev/shm partition
exists: true
path: /etc/fstab
contents:
- '/\s\/dev\/shm.*noexec.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.2.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.3.2.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_3_2 }}
mount:
home_nodev_options:
title: 1.1.2.3.2 | Ensure nodev option set on /home partition
mountpoint: /home
exists: true
opts:
- nodev
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.3.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
home_nodev_fstab_options:
title: 1.1.2.3.2 | Ensure nodev option set on /home partition
exists: true
path: /etc/fstab
contents:
- '/\s\/home.*nodev/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.3.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

58
section_1/cis_1.1/cis_1.1.2.3.2_4.yml
View File

@ -1,58 +0,0 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_3_1 }}
mount:
home_options:
title: |
1.1.2.3.2 | Ensure nodev option set on /home partition
1.1.2.3.3 | Ensure nosuid option set on /home partition
mountpoint: /home
exists: true
opts:
{{ if .Vars.ubtu24cis_rule_1_1_2_3_2 }}
- nodev
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_3_3 }}
- nosuid
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.3.2
- 1.1.2.3.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
home_fstab_options:
title: |
1.1.2.3.2 | Ensure nodev option set on /home partition
1.1.2.3.3 | Ensure nosuid option set on /home partition
exists: true
path: /etc/fstab
contents:
- '/\s\/home.*{{ if .Vars.ubtu24cis_rule_1_1_2_3_2 }}nodev{{ end }}/'
- '/\s\/home.*{{ if .Vars.ubtu24cis_rule_1_1_2_3_3 }}nosuid{{ end }}.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.3.2
- 1.1.2.3.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.3.3.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_3_3 }}
mount:
home_nosuid_options:
title: 1.1.2.3.3 | Ensure nosuid option set on /home partition
mountpoint: /home
exists: true
opts:
- nosuid
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.3.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
home_nosuid_fstab_options:
title: 1.1.2.3.3 | Ensure nosuid option set on /home partition
exists: true
path: /etc/fstab
contents:
- '/\s\/home.*nosuid.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.3.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.4.2.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_4_2 }}
mount:
var_nodev_options:
title: 1.1.2.4.2 | Ensure nodev option set on /var partition
mountpoint: '/var'
exists: true
opts:
- nodev
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.4.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_fstab_nodev_options:
title: 1.1.2.4.2 | Ensure nodev option set on /var partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\s.*nodev/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.4.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

58
section_1/cis_1.1/cis_1.1.2.4.2_3.yml
View File

@ -1,58 +0,0 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_4_1 }}
mount:
var_options:
title: |
1.1.2.4.2 | Ensure nodev option set on /var partition
1.1.2.4.3 | Ensure nosuid option set on /var partition
mountpoint: '/var'
exists: true
opts:
{{ if .Vars.ubtu24cis_rule_1_1_2_4_2 }}
- nodev
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_4_3 }}
- nosuid
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.4.2
- 1.1.2.4.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_fstab_options:
title: |
1.1.2.4.2 | Ensure nodev option set on /var partition
1.1.2.4.3 | Ensure nosuid option set on /var partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_4_2 }}nodev{{ end }}/'
- '/\s\/var\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_4_3 }}nosuid{{ end }}.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.4.2
- 1.1.2.4.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.4.3.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_4_3 }}
mount:
var_nosuid_options:
title: 1.1.2.4.3 | Ensure nosuid option set on /var partition
mountpoint: '/var'
exists: true
opts:
- nosuid
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.4.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_nosuid_fstab_options:
title: 1.1.2.4.3 | Ensure nosuid option set on /var partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\s.*nosuid.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.4.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.5.2.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_5_2 }}
mount:
var_tmp_nodev_options:
title: 1.1.2.5.2 | Ensure nodev option set on /var/tmp partition
mountpoint: '/var/tmp'
exists: true
opts:
- nodev
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.5.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_tmp_nodev_fstab_options:
title: 1.1.2.5.2 | Ensure nodev option set on /var/tmp partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\/tmp\s.*nodev/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.5.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

66
section_1/cis_1.1/cis_1.1.2.5.2_4.yml
View File

@ -1,66 +0,0 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_5_1 }}
mount:
var_tmp_options:
title: |
1.1.2.5.2 | Ensure nodev option set on /var/tmp partition
1.1.2.5.3 | Ensure nosuid option set on /var/tmp partition
1.1.2.5.4 | Ensure noexec option set on /var/tmp partition
mountpoint: '/var/tmp'
exists: true
opts:
{{ if .Vars.ubtu24cis_rule_1_1_2_5_2 }}
- nodev
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_5_3 }}
- nosuid
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_5_4 }}
- noexec
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.5.2
- 1.1.2.5.3
- 1.1.2.5.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_tmp_fstab_options:
title: |
1.1.2.5.2 | Ensure nodev option set on /var/tmp partition
1.1.2.5.3 | Ensure nosuid option set on /var/tmp partition
1.1.2.5.4 | Ensure noexec option set on /var/tmp partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\/tmp\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_5_2 }}nodev{{ end }}/'
- '/\s\/var\/tmp\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_5_3 }}nosuid{{ end }}.*/'
- '/\s\/var\/tmp\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_5_4 }}noexec{{ end }}.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.5.2
- 1.1.2.5.3
- 1.1.2.5.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.5.3.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_5_3 }}
mount:
var_tmp_nosuid_options:
title: 1.1.2.5.3 | Ensure nosuid option set on /var/tmp partition
mountpoint: '/var/tmp'
exists: true
opts:
- nosuid
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.5.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_tmp_nosuid_fstab_options:
title: 1.1.2.5.3 | Ensure nosuid option set on /var/tmp partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\/tmp\s.*nosuid.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.5.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.5.4.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_5_4 }}
mount:
var_tmp_noexec_options:
title: 1.1.2.5.4 | Ensure noexec option set on /var/tmp partition
mountpoint: '/var/tmp'
exists: true
opts:
- noexec
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.5.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_tmp_noexec_fstab_options:
title: 1.1.2.5.4 | Ensure noexec option set on /var/tmp partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\/tmp\s.*noexec.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.5.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.6.2.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_6_2 }}
mount:
var_log_nodev_options:
title: 1.1.2.6.2 | Ensure nodev option set on /var/log partition
mountpoint: '/var/log'
exists: true
opts:
- nodev
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.6.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_log_nodev_fstab_options:
title: 1.1.2.6.2 | Ensure nodev option set on /var/log partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\/log\s.*nodev/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.6.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

66
section_1/cis_1.1/cis_1.1.2.6.2_4.yml
View File

@ -1,66 +0,0 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_6_1 }}
mount:
var_log_options:
title: |
1.1.2.6.2 | Ensure nodev option set on /var/log partition
1.1.2.6.3 | Ensure nosuid option set on /var/log partition
1.1.2.6.4 | Ensure noexec option set on /var/log partition
mountpoint: '/var/log'
exists: true
opts:
{{ if .Vars.ubtu24cis_rule_1_1_2_6_2 }}
- nodev
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_6_3 }}
- nosuid
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_6_4 }}
- noexec
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.6.2
- 1.1.2.6.3
- 1.1.2.6.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_log_fstab_options:
title: |
1.1.2.6.2 | Ensure nodev option set on /var/log partition
1.1.2.6.3 | Ensure nosuid option set on /var/log partition
1.1.2.6.4 | Ensure noexec option set on /var/log partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\/log\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_6_2 }}nodev{{ end }}/'
- '/\s\/var\/log\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_6_3 }}nosuid{{ end }}.*/'
- '/\s\/var\/log\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_6_4 }}noexec{{ end }}.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.6.2
- 1.1.2.6.3
- 1.1.2.6.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.6.3.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_6_3 }}
mount:
var_log_nosuid_options:
title: 1.1.2.6.3 | Ensure nosuid option set on /var/log partition
mountpoint: '/var/log'
exists: true
opts:
- nosuid
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.6.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_log_nosuid_fstab_options:
title: 1.1.2.6.3 | Ensure nosuid option set on /var/log partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\/log\s.*nosuid.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.6.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.6.4.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_6_1 }}
mount:
var_log_noexec_options:
title: 1.1.2.6.4 | Ensure noexec option set on /var/log partition
mountpoint: '/var/log'
exists: true
opts:
- noexec
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.6.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_log_noexec_fstab_options:
title: 1.1.2.6.4 | Ensure noexec option set on /var/log partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\/log\s.*noexec.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.6.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.7.2.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_7_2 }}
mount:
var_log_nodev_audit_options:
title: 1.1.2.7.2 | Ensure nodev option set on /var/log/audit partition
mountpoint: '/var/log/audit'
exists: true
opts:
- nodev
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.7.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_log_audit_nodev_fstab_options:
title: 1.1.2.7.2 | Ensure nodev option set on /var/log/audit partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\/log\/audit\s.*nodev/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.7.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

66
section_1/cis_1.1/cis_1.1.2.7.2_4.yml
View File

@ -1,66 +0,0 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_7_1 }}
mount:
var_log_audit_options:
title: |
1.1.2.7.2 | Ensure nodev option set on /var/log/audit partition
1.1.2.7.3 | Ensure nosuid option set on /var/log/audit partition
1.1.2.7.4 | Ensure noexec option set on /var/log/audit partition
mountpoint: '/var/log/audit'
exists: true
opts:
{{ if .Vars.ubtu24cis_rule_1_1_2_7_2 }}
- nodev
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_7_3 }}
- nosuid
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_7_4 }}
- noexec
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.7.2
- 1.1.2.7.3
- 1.1.2.7.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_log_audit_fstab_options:
title: |
1.1.2.7.2 | Ensure nodev option set on /var/log/audit partition
1.1.2.7.3 | Ensure nosuid option set on /var/log/audit partition
1.1.2.7.4 | Ensure noexec option set on /var/log/audit partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\/log\/audit\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_7_2 }}nodev{{ end }}/'
- '/\s\/var\/log\/audit\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_7_3 }}nosuid{{ end }}.*/'
- '/\s\/var\/log\/audit\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_7_4 }}noexec{{ end }}.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.7.2
- 1.1.2.7.3
- 1.1.2.7.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.7.3.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_7_1 }}
mount:
var_log_audit_options:
title: 1.1.2.7.3 | Ensure nosuid option set on /var/log/audit partition
mountpoint: '/var/log/audit'
exists: true
opts:
- nosuid
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.7.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_log_audit_nosuid_fstab_options:
title: 1.1.2.7.3 | Ensure nosuid option set on /var/log/audit partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\/log\/audit\s.*nosuid.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.7.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.7.4.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_7_4 }}
mount:
var_log_audit_noexec_options:
title: 1.1.2.7.4 | Ensure noexec option set on /var/log/audit partition
mountpoint: '/var/log/audit'
exists: true
opts:
- noexec
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.7.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_log_audit_noexec_fstab_options:
title: 1.1.2.7.4 | Ensure noexec option set on /var/log/audit partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\/log\/audit\s.*noexec.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.7.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}