colin
/
UBUNTU24-CIS-Audit
mirror of https://github.com/ansible-lockdown/UBUNTU24-CIS-Audit.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #9 from ansible-lockdown/benchmark_v1.0.0 

Benchmark v1.0.0 updated to latest
This commit is contained in:
uk-bolly 2025-01-24 20:31:41 +00:00 committed by GitHub
parent 1b988f8d64 66ae34de32
commit aaa38a0f94
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
43 changed files with 944 additions and 587 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

145
README.md
View File

@ -2,30 +2,29 @@
## Overview ## Overview
### Based on CIS Ubuntu Linux 24.04 LTS Benchmark v1.0.0 [Release](https://downloads.cisecurity.org/#/) ### Based on CIS Benchmark for Ubuntu 24.04 LTS Benchmark v1.0.0
Set of configuration files and directories to run the first stages of CIS of Ubuntu 24.04 servers [Centre For Internet Security]
This repository is set of configuration files and directories to run the audit of the relevant benchmark of Ubuntu 24.04 servers
This is configured in a directory structure level. This is configured in a directory structure level.
This could do with further testing but sections 1.x should be complete
Goss is run based on the goss.yml file in the top level directory. This specifies the configuration.
## variables ## variables
file: vars/cis.yml file: vars/{benchmark_type}.yml
Please refer to the file for all options and their meanings Please refer to the file for all options and their meanings
CIS listed variable for every control/benchmark can be turned on/off or section The listed variable for every control/benchmark can be turned on/off or section
- other controls - Other controls
enable_selinux - enable_selinux
run_heavy_tasks - run_heavy_tasks
- bespoke options - Bespoke options
If a site has specific options e.g. password complexity these can also be set.
If a site has specific options e.g. password complexity these can also be set.
## Requirements ## Requirements
@ -39,101 +38,47 @@ If running as part of the ansible playbook, this will pull in the relevant branc
- e.g. v1.0.0 will pull in branch benchmark-v1.0.0 - e.g. v1.0.0 will pull in branch benchmark-v1.0.0
Devel is normally the latest benchmark version, so maybe different from the version of benchmark you wish to test. Devel is normally the latest benchmark version, so maybe different from the version of benchmark you wish to test.
Details will show in the README as to the benchmark for the version it is written for. Details will show in the README as part of the remedation as to the benchmark for the version it is written for.
## Usage ## Usage
You must have [goss](https://github.com/goss-org/goss/) available to your host you would like to test. Fot the latest information on audit and how it can be used please visit
- Run as root not sudo due to sudo and shared memory access [Read the Docs - Audit]
Assuming you have already clone this repository you can run goss from where you wish.
- full check
```sh
# {{path to your goss binary}} --vars {{ path to the vars file }} -g {{path to your clone of this repo }}/goss.yml --validate
```
example:
```sh
# /usr/local/bin/goss --vars ../vars/cis.yml -g /home/bolly/rh8_cis_goss/goss.yml validate
......FF....FF................FF...F..FF.............F........................FSSSS.............FS.F.F.F.F.........FFFFF....
Failures/Skipped:
Title: 1.6.1 Ensure core dumps are restricted (Automated)_sysctl
Command: suid_dumpable_2: exit-status:
Expected
<int>: 1
to equal
<int>: 0
Command: suid_dumpable_2: stdout: patterns not found: [fs.suid_dumpable = 0]
Title: 1.4.2 Ensure filesystem integrity is regularly checked (Automated)
Service: aidecheck: enabled:
Expected
<bool>: false
to equal
<bool>: true
Service: aidecheck: running:
Expected
<bool>: false
to equal
<bool>: true
< ---------cut ------- >
Title: 1.1.22 Ensure sticky bit is set on all world-writable directories
Command: version: exit-status:
Expected
<int>: 0
to equal
<int>: 123
Total Duration: 5.102s
Count: 124, Failed: 21, Skipped: 5
```
- running a particular section of tests
```sh
# /usr/local/bin/goss -g /home/bolly/rh8_cis_goss/section_1/cis_1.1/cis_1.1.22.yml validate
............
Total Duration: 0.033s
Count: 12, Failed: 0, Skipped: 0
```
- changing the output
```sh
# /usr/local/bin/goss -g /home/bolly/rh8_cis_goss/section_1/cis_1.1/cis_1.1.22.yml validate -f documentation
Title: 1.1.20 Check for removeable media nodev
Command: floppy_nodev: exit-status: matches expectation: [0]
Command: floppy_nodev: stdout: matches expectation: [OK]
< -------cut ------- >
Title: 1.1.20 Check for removeable media noexec
Command: floppy_noexec: exit-status: matches expectation: [0]
Command: floppy_noexec: stdout: matches expectation: [OK]
Total Duration: 0.022s
Count: 12, Failed: 0, Skipped: 0
```
## Extra settings ## Extra settings
Ability to add your own requirements is available in several sections Ability to add your own requirements is available in several sections
## further information ## Support
- [goss documentation](https://github.com/goss-org/goss/blob/master/README.md) [Discord Community Discussions]
- [CIS standards](https://www.cisecurity.org)
## Feedback required [Enterprise Support]
[MindPoint Group]
## Links and Further information
- [Goss]
- [Goss documentation]
- [Centre For Internet Security]
<!----
README Links
---->
[benchmark-type]: CIS
[OS-VERSION]: Ubuntu2404
[os-type]: Linux
[Centre For Internet Security]: https://www.cisecurity.org
[Read the Docs - Audit]: https://ansible-lockdown.readthedocs.io/en/latest/audit/getting-started-audit.html
[goss documentation]: (https://github.com/goss-org/goss/blob/master/README.md)
[Goss]: https://goss.rocks
[DISA STIG]: https://public.cyber.mil/stigs
[MindPoint Group]: https://mindpointgroup.com/cybersecurity-consulting/automate/baseline-modernization#GH_LockdownReadMe
[Discord Community Discussions]: https://www.lockdownenterprise.com/discord
[Enterprise Support]: https://lockdownenterprise.com#GH_LockdownReadMe

8
run_audit.sh
View File

@ -17,13 +17,14 @@
# benchmark vars moved # benchmark vars moved
# December 2023 Added goss version and testing # December 2023 Added goss version and testing
# April 2024 Updating of OS discovery to work for all supported OSs # April 2024 Updating of OS discovery to work for all supported OSs
# August 2024 Improve failure capture
# Variables in upper case tend to be able to be adjusted # Variables in upper case tend to be able to be adjusted
# lower case variables are discovered or built from other variables # lower case variables are discovered or built from other variables
# Goss benchmark variables (these should not need changing unless new release) # Goss benchmark variables (these should not need changing unless new release)
BENCHMARK=CIS # Benchmark Name aligns to the audit BENCHMARK=CIS # Benchmark Name aligns to the audit
BENCHMARK_VER=2.0.0 BENCHMARK_VER=1.0.0
BENCHMARK_OS=UBUNTU24 BENCHMARK_OS=UBUNTU24
# Goss host Variables # Goss host Variables
@ -202,12 +203,13 @@ echo
$AUDIT_BIN -g "$audit_content_dir/$AUDIT_FILE" --vars "$varfile_path" --vars-inline "$audit_json_vars" v $format_output > "$audit_out" $AUDIT_BIN -g "$audit_content_dir/$AUDIT_FILE" --vars "$varfile_path" --vars-inline "$audit_json_vars" v $format_output > "$audit_out"
# create screen output # create screen output
if [ "$(grep -c $BENCHMARK "$audit_out")" != 0 ] || [ "$format" = junit ] || [ "$format" = tap ]; then if [ "$(grep -c Count: "$audit_out")" -ge 1 ] || [ "$format" = junit ] || [ "$format" = tap ]; then
eval $output_summary eval $output_summary
echo "Completed file can be found at $audit_out" echo "Completed file can be found at $audit_out"
echo "###############" echo "###############"
echo "Audit Completed" echo "Audit Completed"
echo "###############" echo "###############"
else else
echo -e "Fail: There were issues when running the audit please investigate $audit_out" echo -e "Fail: There were issues when running the audit please investigate $audit_out";
exit 1
fi fi

2
section_1/cis_1.1/cis_1.1.1.7.yml
View File

@ -1,7 +1,7 @@
--- ---
{{ if .Vars.ubtu24cis_level_2 }} {{ if .Vars.ubtu24cis_level_2 }}
{{ if not .Vars.ubtu24cis_squashfs_required }} {{ if .Vars.ubtu24cis_squashfs_required }}
{{ if .Vars.ubtu24cis_rule_1_1_1_7 }} {{ if .Vars.ubtu24cis_rule_1_1_1_7 }}
file: file:
squashfs_disabled: squashfs_disabled:

46
section_1/cis_1.1/cis_1.1.2.1.2.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_1_2 }}
mount:
tmp_nodev_options:
title: 1.1.2.1.2 | Ensure nodev option set on /tmp partition
mountpoint: /tmp
exists: true
opts:
- nodev
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.1.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
tmp_nodev_fstab_options:
title: 1.1.2.1.2 | Ensure nodev option set on /tmp partition
exists: true
path: /etc/fstab
contents:
- '/\s\/tmp.*nodev/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.1.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

66
section_1/cis_1.1/cis_1.1.2.1.2_4.yml
View File

@ -1,66 +0,0 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_1_1 }}
mount:
tmp_options:
title: |
1.1.2.1.2 | Ensure nodev option set on /tmp partition
1.1.2.1.3 | Ensure nosuid option set on /tmp partition
1.1.2.1.4 | Ensure noexec option set on /tmp partition
mountpoint: /tmp
exists: true
opts:
{{ if .Vars.ubtu24cis_rule_1_1_2_1_2 }}
- nodev
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_1_3 }}
- nosuid
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_1_4 }}
- noexec
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.1.2
- 1.1.2.1.3
- 1.1.2.1.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
tmp_fstab_options:
title: |
1.1.2.1.2 | Ensure nodev option set on /tmp partition
1.1.2.1.3 | Ensure nosuid option set on /tmp partition
1.1.2.1.4 | Ensure noexec option set on /tmp partition
exists: true
path: /etc/fstab
contents:
- '/\s\/tmp.*{{ if .Vars.ubtu24cis_rule_1_1_2_1_2 }}nodev{{ end }}/'
- '/\s\/tmp.*{{ if .Vars.ubtu24cis_rule_1_1_2_1_3 }}nosuid{{ end }}.*/'
- '/\s\/tmp.*{{ if .Vars.ubtu24cis_rule_1_1_2_1_4 }}noexec{{ end }}.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.1.2
- 1.1.2.1.3
- 1.1.2.1.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.1.3.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_1_3 }}
mount:
tmp_nosuid_options:
title: 1.1.2.1.3 | Ensure nosuid option set on /tmp partition
mountpoint: /tmp
exists: true
opts:
- nosuid
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.1.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
tmp_nosuid_fstab_options:
title: 1.1.2.1.3 | Ensure nosuid option set on /tmp partition
exists: true
path: /etc/fstab
contents:
- '/\s\/tmp.*nosuid.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.1.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.1.4.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_1_4 }}
mount:
tmp_noexec_options:
title: 1.1.2.1.4 | Ensure noexec option set on /tmp partition
mountpoint: /tmp
exists: true
opts:
- noexec
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.1.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
tmp_fstab_noexec_options:
title: 1.1.2.1.4 | Ensure noexec option set on /tmp partition
exists: true
path: /etc/fstab
contents:
- '/\s\/tmp.*noexec.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.1.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.2.2.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_2_2 }}
mount:
dev_shm_nodev_options:
title: 1.1.2.2.2 | Ensure nodev option set on /dev/shm partition
mountpoint: /dev/shm
exists: true
opts:
- nodev
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.2.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
dev_shm_nodev_fstab_options:
title: 1.1.2.2.2 | Ensure nodev option set on /dev/shm partition
exists: true
path: /etc/fstab
contents:
- '/\s\/dev\/shm.*nodev/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.2.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

66
section_1/cis_1.1/cis_1.1.2.2.2_4.yml
View File

@ -1,66 +0,0 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_2_1 }}
mount:
dev_shm_options:
title: |
1.1.2.2.2 | Ensure nodev option set on /dev/shm partition
1.1.2.2.3 | Ensure nosuid option set on /dev/shm partition
1.1.2.2.4 | Ensure noexec option set on /dev/shm partition
mountpoint: /dev/shm
exists: true
opts:
{{ if .Vars.ubtu24cis_rule_1_1_2_2_2 }}
- nodev
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_2_3 }}
- nosuid
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_2_4 }}
- noexec
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.2.2
- 1.1.2.2.3
- 1.1.2.2.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
dev_shm_fstab_options:
title: |
1.1.2.2.2 | Ensure nodev option set on /dev/shm partition
1.1.2.2.3 | Ensure nosuid option set on /dev/shm partition
1.1.2.2.4 | Ensure noexec option set on /dev/shm partition
exists: true
path: /etc/fstab
contents:
- '/\s\/dev\/shm.*{{ if .Vars.ubtu24cis_rule_1_1_2_2_2 }}nodev{{ end }}/'
- '/\s\/dev\/shm.*{{ if .Vars.ubtu24cis_rule_1_1_2_2_3 }}nosuid{{ end }}.*/'
- '/\s\/dev\/shm.*{{ if .Vars.ubtu24cis_rule_1_1_2_2_4 }}noexec{{ end }}.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.2.2
- 1.1.2.2.3
- 1.1.2.2.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.2.3.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_2_3 }}
mount:
dev_shm_nosuid_options:
title: 1.1.2.2.3 | Ensure nosuid option set on /dev/shm partition
mountpoint: /dev/shm
exists: true
opts:
- nosuid
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.2.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
dev_shm_nosuid_fstab_options:
title: 1.1.2.2.3 | Ensure nosuid option set on /dev/shm partition
exists: true
path: /etc/fstab
contents:
- '/\s\/dev\/shm.*nosuid.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.2.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.2.4.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_2_4 }}
mount:
dev_shm_noexec_options:
title: 1.1.2.2.4 | Ensure noexec option set on /dev/shm partition
mountpoint: /dev/shm
exists: true
opts:
- noexec
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.2.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
dev_shm_noexec_fstab_options:
title: 1.1.2.2.4 | Ensure noexec option set on /dev/shm partition
exists: true
path: /etc/fstab
contents:
- '/\s\/dev\/shm.*noexec.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.2.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.3.2.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_3_2 }}
mount:
home_nodev_options:
title: 1.1.2.3.2 | Ensure nodev option set on /home partition
mountpoint: /home
exists: true
opts:
- nodev
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.3.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
home_nodev_fstab_options:
title: 1.1.2.3.2 | Ensure nodev option set on /home partition
exists: true
path: /etc/fstab
contents:
- '/\s\/home.*nodev/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.3.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

58
section_1/cis_1.1/cis_1.1.2.3.2_4.yml
View File

@ -1,58 +0,0 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_3_1 }}
mount:
home_options:
title: |
1.1.2.3.2 | Ensure nodev option set on /home partition
1.1.2.3.3 | Ensure nosuid option set on /home partition
mountpoint: /home
exists: true
opts:
{{ if .Vars.ubtu24cis_rule_1_1_2_3_2 }}
- nodev
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_3_3 }}
- nosuid
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.3.2
- 1.1.2.3.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
home_fstab_options:
title: |
1.1.2.3.2 | Ensure nodev option set on /home partition
1.1.2.3.3 | Ensure nosuid option set on /home partition
exists: true
path: /etc/fstab
contents:
- '/\s\/home.*{{ if .Vars.ubtu24cis_rule_1_1_2_3_2 }}nodev{{ end }}/'
- '/\s\/home.*{{ if .Vars.ubtu24cis_rule_1_1_2_3_3 }}nosuid{{ end }}.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.3.2
- 1.1.2.3.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.3.3.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_3_3 }}
mount:
home_nosuid_options:
title: 1.1.2.3.3 | Ensure nosuid option set on /home partition
mountpoint: /home
exists: true
opts:
- nosuid
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.3.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
home_nosuid_fstab_options:
title: 1.1.2.3.3 | Ensure nosuid option set on /home partition
exists: true
path: /etc/fstab
contents:
- '/\s\/home.*nosuid.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.3.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.4.2.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_4_2 }}
mount:
var_nodev_options:
title: 1.1.2.4.2 | Ensure nodev option set on /var partition
mountpoint: '/var'
exists: true
opts:
- nodev
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.4.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_fstab_nodev_options:
title: 1.1.2.4.2 | Ensure nodev option set on /var partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\s.*nodev/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.4.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

58
section_1/cis_1.1/cis_1.1.2.4.2_3.yml
View File

@ -1,58 +0,0 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_4_1 }}
mount:
var_options:
title: |
1.1.2.4.2 | Ensure nodev option set on /var partition
1.1.2.4.3 | Ensure nosuid option set on /var partition
mountpoint: '/var'
exists: true
opts:
{{ if .Vars.ubtu24cis_rule_1_1_2_4_2 }}
- nodev
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_4_3 }}
- nosuid
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.4.2
- 1.1.2.4.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_fstab_options:
title: |
1.1.2.4.2 | Ensure nodev option set on /var partition
1.1.2.4.3 | Ensure nosuid option set on /var partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_4_2 }}nodev{{ end }}/'
- '/\s\/var\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_4_3 }}nosuid{{ end }}.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.4.2
- 1.1.2.4.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.4.3.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_4_3 }}
mount:
var_nosuid_options:
title: 1.1.2.4.3 | Ensure nosuid option set on /var partition
mountpoint: '/var'
exists: true
opts:
- nosuid
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.4.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_nosuid_fstab_options:
title: 1.1.2.4.3 | Ensure nosuid option set on /var partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\s.*nosuid.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.4.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.5.2.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_5_2 }}
mount:
var_tmp_nodev_options:
title: 1.1.2.5.2 | Ensure nodev option set on /var/tmp partition
mountpoint: '/var/tmp'
exists: true
opts:
- nodev
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.5.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_tmp_nodev_fstab_options:
title: 1.1.2.5.2 | Ensure nodev option set on /var/tmp partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\/tmp\s.*nodev/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.5.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

66
section_1/cis_1.1/cis_1.1.2.5.2_4.yml
View File

@ -1,66 +0,0 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_5_1 }}
mount:
var_tmp_options:
title: |
1.1.2.5.2 | Ensure nodev option set on /var/tmp partition
1.1.2.5.3 | Ensure nosuid option set on /var/tmp partition
1.1.2.5.4 | Ensure noexec option set on /var/tmp partition
mountpoint: '/var/tmp'
exists: true
opts:
{{ if .Vars.ubtu24cis_rule_1_1_2_5_2 }}
- nodev
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_5_3 }}
- nosuid
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_5_4 }}
- noexec
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.5.2
- 1.1.2.5.3
- 1.1.2.5.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_tmp_fstab_options:
title: |
1.1.2.5.2 | Ensure nodev option set on /var/tmp partition
1.1.2.5.3 | Ensure nosuid option set on /var/tmp partition
1.1.2.5.4 | Ensure noexec option set on /var/tmp partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\/tmp\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_5_2 }}nodev{{ end }}/'
- '/\s\/var\/tmp\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_5_3 }}nosuid{{ end }}.*/'
- '/\s\/var\/tmp\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_5_4 }}noexec{{ end }}.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.5.2
- 1.1.2.5.3
- 1.1.2.5.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.5.3.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_5_3 }}
mount:
var_tmp_nosuid_options:
title: 1.1.2.5.3 | Ensure nosuid option set on /var/tmp partition
mountpoint: '/var/tmp'
exists: true
opts:
- nosuid
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.5.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_tmp_nosuid_fstab_options:
title: 1.1.2.5.3 | Ensure nosuid option set on /var/tmp partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\/tmp\s.*nosuid.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.5.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.5.4.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_5_4 }}
mount:
var_tmp_noexec_options:
title: 1.1.2.5.4 | Ensure noexec option set on /var/tmp partition
mountpoint: '/var/tmp'
exists: true
opts:
- noexec
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.5.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_tmp_noexec_fstab_options:
title: 1.1.2.5.4 | Ensure noexec option set on /var/tmp partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\/tmp\s.*noexec.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.5.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.6.2.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_6_2 }}
mount:
var_log_nodev_options:
title: 1.1.2.6.2 | Ensure nodev option set on /var/log partition
mountpoint: '/var/log'
exists: true
opts:
- nodev
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.6.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_log_nodev_fstab_options:
title: 1.1.2.6.2 | Ensure nodev option set on /var/log partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\/log\s.*nodev/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.6.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

66
section_1/cis_1.1/cis_1.1.2.6.2_4.yml
View File

@ -1,66 +0,0 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_6_1 }}
mount:
var_log_options:
title: |
1.1.2.6.2 | Ensure nodev option set on /var/log partition
1.1.2.6.3 | Ensure nosuid option set on /var/log partition
1.1.2.6.4 | Ensure noexec option set on /var/log partition
mountpoint: '/var/log'
exists: true
opts:
{{ if .Vars.ubtu24cis_rule_1_1_2_6_2 }}
- nodev
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_6_3 }}
- nosuid
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_6_4 }}
- noexec
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.6.2
- 1.1.2.6.3
- 1.1.2.6.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_log_fstab_options:
title: |
1.1.2.6.2 | Ensure nodev option set on /var/log partition
1.1.2.6.3 | Ensure nosuid option set on /var/log partition
1.1.2.6.4 | Ensure noexec option set on /var/log partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\/log\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_6_2 }}nodev{{ end }}/'
- '/\s\/var\/log\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_6_3 }}nosuid{{ end }}.*/'
- '/\s\/var\/log\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_6_4 }}noexec{{ end }}.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.6.2
- 1.1.2.6.3
- 1.1.2.6.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.6.3.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_6_3 }}
mount:
var_log_nosuid_options:
title: 1.1.2.6.3 | Ensure nosuid option set on /var/log partition
mountpoint: '/var/log'
exists: true
opts:
- nosuid
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.6.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_log_nosuid_fstab_options:
title: 1.1.2.6.3 | Ensure nosuid option set on /var/log partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\/log\s.*nosuid.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.6.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.6.4.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_6_1 }}
mount:
var_log_noexec_options:
title: 1.1.2.6.4 | Ensure noexec option set on /var/log partition
mountpoint: '/var/log'
exists: true
opts:
- noexec
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.6.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_log_noexec_fstab_options:
title: 1.1.2.6.4 | Ensure noexec option set on /var/log partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\/log\s.*noexec.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.6.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.7.2.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_7_2 }}
mount:
var_log_nodev_audit_options:
title: 1.1.2.7.2 | Ensure nodev option set on /var/log/audit partition
mountpoint: '/var/log/audit'
exists: true
opts:
- nodev
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.7.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_log_audit_nodev_fstab_options:
title: 1.1.2.7.2 | Ensure nodev option set on /var/log/audit partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\/log\/audit\s.*nodev/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.7.2
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

66
section_1/cis_1.1/cis_1.1.2.7.2_4.yml
View File

@ -1,66 +0,0 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_7_1 }}
mount:
var_log_audit_options:
title: |
1.1.2.7.2 | Ensure nodev option set on /var/log/audit partition
1.1.2.7.3 | Ensure nosuid option set on /var/log/audit partition
1.1.2.7.4 | Ensure noexec option set on /var/log/audit partition
mountpoint: '/var/log/audit'
exists: true
opts:
{{ if .Vars.ubtu24cis_rule_1_1_2_7_2 }}
- nodev
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_7_3 }}
- nosuid
{{ end }}
{{ if .Vars.ubtu24cis_rule_1_1_2_7_4 }}
- noexec
{{ end }}
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.7.2
- 1.1.2.7.3
- 1.1.2.7.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_log_audit_fstab_options:
title: |
1.1.2.7.2 | Ensure nodev option set on /var/log/audit partition
1.1.2.7.3 | Ensure nosuid option set on /var/log/audit partition
1.1.2.7.4 | Ensure noexec option set on /var/log/audit partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\/log\/audit\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_7_2 }}nodev{{ end }}/'
- '/\s\/var\/log\/audit\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_7_3 }}nosuid{{ end }}.*/'
- '/\s\/var\/log\/audit\s.*{{ if .Vars.ubtu24cis_rule_1_1_2_7_4 }}noexec{{ end }}.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.7.2
- 1.1.2.7.3
- 1.1.2.7.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.7.3.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_7_1 }}
mount:
var_log_audit_options:
title: 1.1.2.7.3 | Ensure nosuid option set on /var/log/audit partition
mountpoint: '/var/log/audit'
exists: true
opts:
- nosuid
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.7.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_log_audit_nosuid_fstab_options:
title: 1.1.2.7.3 | Ensure nosuid option set on /var/log/audit partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\/log\/audit\s.*nosuid.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.7.3
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

46
section_1/cis_1.1/cis_1.1.2.7.4.yml Normal file
View File

@ -0,0 +1,46 @@
---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_1_1_2_7_4 }}
mount:
var_log_audit_noexec_options:
title: 1.1.2.7.4 | Ensure noexec option set on /var/log/audit partition
mountpoint: '/var/log/audit'
exists: true
opts:
- noexec
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.7.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
file:
var_log_audit_noexec_fstab_options:
title: 1.1.2.7.4 | Ensure noexec option set on /var/log/audit partition
exists: true
path: /etc/fstab
contents:
- '/\s\/var\/log\/audit\s.*noexec.*/'
meta:
server: 1
workstation: 1
CIS_ID:
- 1.1.2.7.4
CISv8: 3.3
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-7
- AC-3
- MP-2
{{ end }}
{{ end }}

6
section_1/cis_1.5/cis_1.5.2.yml
View File

@ -10,7 +10,7 @@ kernel-param:
server: 1 server: 1
workstation: 1 workstation: 1
CIS_ID: CIS_ID:
- 1.5.1 - 1.5.2
CISv8: 10.5 CISv8: 10.5
CISv8_IG1: false CISv8_IG1: false
CISv8_IG2: true CISv8_IG2: true
@ -18,7 +18,7 @@ kernel-param:
NIST800-53R5: CM-6 NIST800-53R5: CM-6
command: command:
ptrace_restrict_2: ptrace_restrict_2:
title: 1.5.1 | Ensure ptrace_scope is restricted | sysctl_configured title: 1.5.2 | Ensure ptrace_scope is restricted | sysctl_configured
exit-status: exit-status:
or: or:
- 0 - 0
@ -30,7 +30,7 @@ command:
server: 1 server: 1
workstation: 1 workstation: 1
CIS_ID: CIS_ID:
- 1.5.1 - 1.5.2
CISv8: 10.5 CISv8: 10.5
CISv8_IG1: false CISv8_IG1: false
CISv8_IG2: true CISv8_IG2: true

21
section_2/cis_2.3/cis_2.3.1.1.yml
View File

@ -50,26 +50,5 @@ package:
- AU-3 - AU-3
- AU-12 - AU-12
{{ end }} {{ end }}
{{ if ne .Vars.ubtu24cis_time_sync_tool "systemd-timesyncd" }}
file:
timesync_masked:
title: 2.3.1.1 | Ensure time synchronization is in use | systemd-timesyncd masked
path: /etc/systemd/system/systemd-timesyncd.service
filetype: symlink
linked-to: /dev/null
exists: true
meta:
server: 1
workstation: 1
CIS_ID: 2.3.1.1
CISv8:
- 8.4
CISv8_IG1: false
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- AU-3
- AU-12
{{ end }}
{{ end }} {{ end }}
{{ end }} {{ end }}

2
section_2/cis_2.3/cis_2.3.2.1.yml
View File

@ -9,7 +9,7 @@ file:
path: /etc/systemd/timesyncd.conf.d/50-timesyncd.conf path: /etc/systemd/timesyncd.conf.d/50-timesyncd.conf
exists: true exists: true
contents: contents:
- '/^NTP={{ .Vars.ubtu24cis_time_pool_name }}/' - '/^NTP={{- range .Vars.ubtu24cis_time_pool }}{{ .name }}{{ end }}/'
- '/^FallbackNTP={{- range .Vars.ubtu24cis_time_servers }}{{ .name }} {{ end }}/' - '/^FallbackNTP={{- range .Vars.ubtu24cis_time_servers }}{{ .name }} {{ end }}/'
meta: meta:
server: 1 server: 1

2
section_2/cis_2.3/cis_2.3.3.2.yml
View File

@ -2,7 +2,7 @@
{{ if eq .Vars.ubtu24cis_time_sync_tool "chrony" }} {{ if eq .Vars.ubtu24cis_time_sync_tool "chrony" }}
{{ if .Vars.ubtu24cis_level_1 }} {{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_2_1_2_2 }} {{ if .Vars.ubtu24cis_rule_2_3_3_2 }}
file: file:
chrony_user: chrony_user:
title: 2.3.3.2 | Ensure chrony is running as user _chrony title: 2.3.3.2 | Ensure chrony is running as user _chrony

2
section_3/cis_3.3/cis_3.3.6.yml
View File

@ -27,7 +27,7 @@ kernel-param:
server: 1 server: 1
workstation: 1 workstation: 1
CIS_ID: CIS_ID:
- 3.2.6 - 3.3.6
CISv8: CISv8:
- 4.8 - 4.8
CISv8_IG1: false CISv8_IG1: false

2
section_3/cis_3.3/cis_3.3.8.yml
View File

@ -8,7 +8,7 @@ kernel-param:
server: 1 server: 1
workstation: 1 workstation: 1
CIS_ID: CIS_ID:
- 3.3.1 - 3.3.8
CISv8: CISv8:
- 4.8 - 4.8
CISv8_IG1: false CISv8_IG1: false

2
section_5/cis_5.1/cis_5.1.13.yml
View File

@ -4,7 +4,7 @@
{{ if .Vars.ubtu24cis_rule_5_1_13 }} {{ if .Vars.ubtu24cis_rule_5_1_13 }}
file: file:
ssh_logingrace: ssh_logingrace:
title: 5.1.21 | Ensure sshd LoginGraceTime is configured title: 5.1.13 | Ensure sshd LoginGraceTime is configured
path: /etc/ssh/sshd_config path: /etc/ssh/sshd_config
exists: true exists: true
contents: contents:

2
section_5/cis_5.1/cis_5.1.2.yml
View File

@ -12,7 +12,7 @@ command:
server: 1 server: 1
workstation: 1 workstation: 1
CIS_ID: CIS_ID:
- 5.1.3 - 5.1.2
CISv8: CISv8:
- 3.3 - 3.3
CISv8_IG1: true CISv8_IG1: true

2
section_5/cis_5.3.3.2/cis_5.3.3.2.8.yml
View File

@ -17,7 +17,7 @@ command:
server: 1 server: 1
workstation: 1 workstation: 1
CIS_ID: CIS_ID:
- 5.3.3.2.7 - 5.3.3.2.8
CISv8: CISv8:
- 5.2 - 5.2
CISv8_IG1: true CISv8_IG1: true

2
section_6/cis_6.1.1.x/cis_6.1.1.2.yml
View File

@ -4,7 +4,7 @@
{{ if .Vars.ubtu24cis_rule_6_1_1_2 }} {{ if .Vars.ubtu24cis_rule_6_1_1_2 }}
command: command:
/etc/tmpfiles.d/systemd.conf: /etc/tmpfiles.d/systemd.conf:
title: 6.2.1.1.2 | Ensure journald log file access is configured | Manual Check Required title: 6.1.1.2 | Ensure journald log file access is configured | Manual Check Required
exec: echo "Manual - Please check journald default permissions" exec: echo "Manual - Please check journald default permissions"
exit-status: 0 exit-status: 0
stdout: stdout:

6
section_6/cis_6.1.2.x/cis_6.1.2.1.2.yml
View File

@ -10,9 +10,9 @@ file:
exists: true exists: true
contents: contents:
- '/^URL=/' - '/^URL=/'
- '/ServerKeyFile=.*.pem' - '/ServerKeyFile=.*.pem/'
- '/ServerCertificateFile=.*.pem' - '/ServerCertificateFile=.*.pem/'
- '/TrustedCertificateFile=.*.pem' - '/TrustedCertificateFile=.*.pem/'
meta: meta:
server: 1 server: 1
workstation: 1 workstation: 1

2
section_6/cis_6.2.3/cis_6.2.3.14.yml
View File

@ -25,7 +25,7 @@ command:
- AU-3 - AU-3
- CM-6 - CM-6
auditd_MAC_live: auditd_MAC_live:
title: 6.2.6 | Ensure events that modify the system's Mandatory Access Controls are collected | Live title: 6.2.3.14 | Ensure events that modify the system's Mandatory Access Controls are collected | Live
exec: auditctl -l | grep MAC-policy exec: auditctl -l | grep MAC-policy
exit-status: 0 exit-status: 0
stdout: stdout:

2
section_6/cis_6.2.3/cis_6.2.3.19.yml
View File

@ -33,6 +33,8 @@ command:
meta: meta:
server: 2 server: 2
workstation: 2 workstation: 2
CIS_ID:
- 6.2.3.19
CISv8: CISv8:
- 8.5 - 8.5
CISv8_IG1: false CISv8_IG1: false

3
vars/CIS.yml
View File

@ -591,7 +591,8 @@ ubtu24cis_time_sync_tool: "systemd-timesyncd"
# Each list item contains two settings, `name` (the domain name of the pool) and synchronization `options`. # Each list item contains two settings, `name` (the domain name of the pool) and synchronization `options`.
# The default setting for the `options` is `iburst maxsources 4` -- please refer to the documentation # The default setting for the `options` is `iburst maxsources 4` -- please refer to the documentation
# of the time synchronization mechanism you are using. # of the time synchronization mechanism you are using.
ubtu24cis_time_pool_name: time.nist.gov ubtu24cis_time_pool:
- name: time.nist.gov
# The following variable represents a list of of time servers used # The following variable represents a list of of time servers used
# for configuring chrony and timesyncd # for configuring chrony and timesyncd