Merge pull request #28 from ansible-lockdown/devel

Update Audit details and CIS table
ansible-lockdown · Oct 24, 2024 · 2ee3db7 · 2ee3db7
2 parents e1fe1fd + 7a94832
commit 2ee3db7
Show file tree

Hide file tree

Showing 2 changed files with 103 additions and 11 deletions.
diff --git a/docs/source/CIS/CIS_table.rst b/docs/source/CIS/CIS_table.rst
@@ -8,8 +8,8 @@ Operating Systems
    :header: "Benchmark", "Maintained", "Remediate", "Audit", "Release"
    :widths: 25, 15, 15, 15, 25
 
-   "AMAZON2-CIS_", "True", "True", "True",  ".. image:: https://img.shields.io/github/v/release/ansible-lockdown/AMAZON2-CIS?style=plastic"
-   "AMAZON2023-CIS_", "True", "True", "True",  ".. image:: https://img.shields.io/github/v/release/ansible-lockdown/AMAZON2023-CIS?style=plastic"
+   "AMAZON2-CIS_", "True", "True", "True", ".. image:: https://img.shields.io/github/v/release/ansible-lockdown/AMAZON2-CIS?style=plastic"
+   "AMAZON2023-CIS_", "True", "True", "True", ".. image:: https://img.shields.io/github/v/release/ansible-lockdown/AMAZON2023-CIS?style=plastic"
    "DEBIAN11-CIS_", "True", "True", "True", ".. image:: https://img.shields.io/github/v/release/ansible-lockdown/DEBIAN11-CIS?style=plastic"
    "DEBIAN12-CIS_", "True", "True", "WIP", "N/A"
    "RHEL7-CIS_", "True", "True", "True", ".. image:: https://img.shields.io/github/v/release/ansible-lockdown/RHEL7-CIS?style=plastic"
@@ -18,13 +18,14 @@ Operating Systems
    "UBUNTU18-CIS_", "True", "True", "True", ".. image:: https://img.shields.io/github/v/release/ansible-lockdown/UBUNTU18-CIS?style=plastic"
    "UBUNTU20-CIS_", "True", "True", "True", ".. image:: https://img.shields.io/github/v/release/ansible-lockdown/UBUNTU20-CIS?style=plastic"
    "UBUNTU22-CIS_", "True", "True", "True", ".. image:: https://img.shields.io/github/v/release/ansible-lockdown/UBUNTU22-CIS?style=plastic"
+   "UBUNTU24-CIS_", "True", "True", "True", "N/A"
 
 .. csv-table:: CIS Windows Benchmark Availability
    :header: "Benchmark", "Maintained", "Remediate", "Audit", "Release"
    :widths: 25, 15, 15, 15, 25
 
-   "Windows-10-CIS_", "True", "True", "True", ".. image:: https://img.shields.io/github/v/release/ansible-lockdown/Windows-10-CIS?style=plastic"
-   "Windows-11-CIS_", "True", "True", "True", ".. image:: https://img.shields.io/github/v/release/ansible-lockdown/Windows-11-CIS?style=plastic"
+   "Windows-10-CIS_", "True", "True", "NA", ".. image:: https://img.shields.io/github/v/release/ansible-lockdown/Windows-10-CIS?style=plastic"
+   "Windows-11-CIS_", "True", "True", "NA", ".. image:: https://img.shields.io/github/v/release/ansible-lockdown/Windows-11-CIS?style=plastic"
    "Windows-2016-CIS_", "True", "True", "True", ".. image:: https://img.shields.io/github/v/release/ansible-lockdown/Windows-2016-CIS?style=plastic"
    "Windows-2019-CIS_", "True", "True", "True", ".. image:: https://img.shields.io/github/v/release/ansible-lockdown/Windows-2019-CIS?style=plastic"
    "Windows-2022-CIS_", "True", "True", "WIP", ".. image:: https://img.shields.io/github/v/release/ansible-lockdown/Windows-2022-CIS?style=plastic"

diff --git a/docs/source/audit/getting-started-audit.rst b/docs/source/audit/getting-started-audit.rst
@@ -8,8 +8,7 @@ Audit
 Overview
 --------
 
-Ansible remediation for security benchmarks now utilizes an open-source
-go binary called `goss <https://goss.rocks>`_ to audit the system.
+Ansible remediation for security benchmarks now utilizes an open-source go binary called `goss <https://goss.rocks>`_ to audit the system.
 
 Ensuring consistency in checks by using the same settings and controls
 that have been enabled in the remediation steps, are the same ones
@@ -35,7 +34,6 @@ It can be run in two ways:
   - run_audit.ps1 (Windows(powershell))
 
 
-
 Currently Enabled Playbooks
 ---------------------------
 
@@ -65,17 +63,18 @@ The following requirements are needed (OS dependant)
 
   - Linux
 
-    - `Binary <https://github.com/aelsabbahy/goss/releases/download/v0.3.16/goss-linux-amd64>`_
-    - `Checksum <https://github.com/aelsabbahy/goss/releases/download/v0.3.16/goss-linux-amd64.sha256>`_
+    - `Binary <https://github.com/aelsabbahy/goss/releases/download/v0.4.9/goss-linux-amd64>`_
+    - `Checksum <https://github.com/aelsabbahy/goss/releases/download/v0.4.9/goss-linux-amd64.sha256>`_
 
   - Windows
 
-    - `Binary <https://github.com/aelsabbahy/goss/releases/download/v0.3.16/goss-alpha-windows-amd64.exe>`_
-    - `Checksum <https://github.com/aelsabbahy/goss/releases/download/v0.3.16/goss-alpha-windows-amd64.exe.sha265>`_
+    - `Binary <https://github.com/aelsabbahy/goss/releases/download/v0.4.9/goss-alpha-windows-amd64.exe>`_
+    - `Checksum <https://github.com/aelsabbahy/goss/releases/download/v0.4.9/goss-alpha-windows-amd64.exe.sha265>`_
 
 .. note::
     The binary only needs to be accessible to the host with ability to use.
     The relevant script needs to be adjust to point to the path of the binary.
+    Ensure you have the correct binary for your architecture examples above are AMD64, but also works on ARM64 (may have bad results with auditd settings)
 
 Running the Audit Only as part of remediate playbook
 ----------------------------------------------------
@@ -161,6 +160,98 @@ script help
 
    Other options can be assigned in the script itself
 
+**Running goss without script**
+
+This assumes you have goss and access to super user privileges.
+
+It is possible to run goss in its raw form, while this is not recommended, for consistency it is added here.
+
+The script discovers and adds extra inline variablesto the goss output in the form of the metadata fields as found in the goss.yml
+This needs to be amended before being able to run in raw form.
+
+- Edit goss.yml remove the lines starting at #metadata and the command tests Vars below
+
+Goss can then be run manually
+
+- full check
+
+.. code-block:: shell
+
+    # {{path to your goss binary}} --vars {{ path to the vars file }} -g {{path to your clone of this repo }}/goss.yml --validate
+
+
+example:
+
+.. code-block:: shell
+    # /usr/local/bin/goss --vars ../vars/cis.yml -g /home/bolly/rh8_cis_goss/goss.yml validate
+    ......FF....FF................FF...F..FF.............F........................FSSSS.............FS.F.F.F.F.........FFFFF....
+
+    Failures/Skipped:
+
+    Title: 1.6.1 Ensure core dumps are restricted (Automated)_sysctl
+    Command: suid_dumpable_2: exit-status:
+    Expected
+        <int>: 1
+    to equal
+        <int>: 0
+    Command: suid_dumpable_2: stdout: patterns not found: [fs.suid_dumpable = 0]
+
+
+    Title: 1.4.2 Ensure filesystem integrity is regularly checked (Automated)
+    Service: aidecheck: enabled:
+    Expected
+        <bool>: false
+    to equal
+        <bool>: true
+    Service: aidecheck: running:
+    Expected
+        <bool>: false
+    to equal
+        <bool>: true
+
+    < ---------cut ------- >
+
+    Title: 1.1.22 Ensure sticky bit is set on all world-writable directories
+    Command: version: exit-status:
+    Expected
+        <int>: 0
+    to equal
+        <int>: 123
+
+    Total Duration: 5.102s
+    Count: 124, Failed: 21, Skipped: 5
+
+
+- running a particular section of tests
+
+.. code-block:: shell
+
+    # /usr/local/bin/goss -g /home/bolly/rh8_cis_goss/section_1/cis_1.1/cis_1.1.22.yml  validate
+    ............
+
+    Total Duration: 0.033s
+    Count: 12, Failed: 0, Skipped: 0
+
+
+- changing the output
+
+.. code-block:: shell
+
+    # /usr/local/bin/goss -g /home/bolly/rh8_cis_goss/section_1/cis_1.1/cis_1.1.22.yml  validate -f documentation
+    Title: 1.1.20 Check for removeable media nodev
+    Command: floppy_nodev: exit-status: matches expectation: [0]
+    Command: floppy_nodev: stdout: matches expectation: [OK]
+    < -------cut ------- >
+    Title: 1.1.20 Check for removeable media noexec
+    Command: floppy_noexec: exit-status: matches expectation: [0]
+    Command: floppy_noexec: stdout: matches expectation: [OK]
+
+
+    Total Duration: 0.022s
+    Count: 12, Failed: 0, Skipped: 0
+
+
+
 Running on Windows
 ------------------