Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/ansible-lockdown/RHEL7-STIG-Audit
Audit configurations for RHEL7 STIG
https://github.com/ansible-lockdown/RHEL7-STIG-Audit
ansible-role compliance-automation goss redhat7 rhel7 rhel7-stig security security-audit security-auditing-tool security-hardening security-tools stig stig-compliant
Last synced: 21 days ago
JSON representation
Audit configurations for RHEL7 STIG
- Host: GitHub
- URL: https://github.com/ansible-lockdown/RHEL7-STIG-Audit
- Owner: ansible-lockdown
- License: mit
- Created: 2021-02-18T16:46:57.000Z (almost 4 years ago)
- Default Branch: devel
- Last Pushed: 2024-04-24T09:26:10.000Z (8 months ago)
- Last Synced: 2024-06-05T12:42:20.179Z (6 months ago)
- Topics: ansible-role, compliance-automation, goss, redhat7, rhel7, rhel7-stig, security, security-audit, security-auditing-tool, security-hardening, security-tools, stig, stig-compliant
- Language: YAML
- Homepage:
- Size: 469 KB
- Stars: 17
- Watchers: 5
- Forks: 3
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Changelog: Changelog.md
- Contributing: CONTRIBUTING.rst
- License: LICENSE
- Security: docs/Security_remediation_and_auditing.md
Awesome Lists containing this project
- awesome-hacking-lists - ansible-lockdown/RHEL7-STIG-Audit - Audit configurations for RHEL7 STIG (YAML)
README
# RHEL/CentOS 7 Goss config for STIG
## Overview
based on STIG Version 3 Release 14 - 24th Jan 2024
Set of configuration files and directories to audit STIG of RHEL/CentOS 7 servers
This is configured in a directory structure level.
This could do with further testing but sections 1.x should be complete
Goss is run based on the goss.yml file in the top level directory. This specifies the configuration.## Join us
On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users
## Requirements
You must have [goss](https://github.com/aelsabbahy/goss/) available to your host you would like to test.
You must have sudo/root access to the system as some commands require privilege information.
Assuming you have already clone this repository you can run goss from where you wish.
Please refer to the audit documentation for usage.
- [Read the docs](http://ansible-lockdown.readthedocs.io/)
This also works alongside the [Ansible Lockdown RHEL7-STIG role](https://github.com/ansible-lockdown/RHEL7-STIG)
Which will:
- install
- audit
- remediate
- audit## variables
These are found in vars/STIG.yml
Please refer to the file for all options and their meaningsSTIG listed variable for every control/benchmark can be turned on/off or section
### The variable files
In this case installed or skipped using the standard name for a package to be installed or _skip to skip a test.
### Extra settings
Some sections can have several options in that case the skip flag maybe passed to the test or exact details relating to your requirements
e.g.- rhel7stig_use_gui
- rhel7stig_is_router
- rhel7_stig_nameservers:
- 8.8.8.8
- 9.9.9.9## Examples
- full check
```sh
# {{path to your goss binary}} --vars {{ path to the vars file }} -g {{path to your clone of this repo }}/goss.yml v
```
- example:
```sh
# /usr/local/bin/goss --vars ../vars/stig.yml -g /home/bolly/rh7_cis_goss/goss.yml validate
......FF....FF................FF...F..FF.............F........................FSSSS.............FS.F.F.F.F.........FFFFF....Failures/Skipped:
Title: CAT_2 | RHEL-07-040641 | Must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
KernelParam: net.ipv4.conf.all.accept_redirects: value:
Expected
: 1
to equal
: 0Title: CAT_2 | RHEL-07-021000 | Must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
Mount: /mnt: exists:
Expected
: false
to equal
: true< ---------cut ------- >
Title: CAT_2 | RHEL-07-010280 | Must be configured so that passwords are a minimum of 15 characters in length.
File: /etc/security/pwquality.conf: contains: patterns not found: [/^minlen = 15/]Title: CAT_2 | RHEL-07-040500 | Must for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
File: /etc/chrony.conf: contains: patterns not found: [/^server.*maxpoll 10/]Title: CAT_2 | RHEL-07-010310 | Must disable account identifiers (individuals, groups, roles, and devices) if the password expires.
File: /etc/default/useradd: contains: patterns not found: [/^INACTIVE=0/]Total Duration: 31.127s
Count: 308, Failed: 162, Skipped: 21
```- running a particular section of tests
```sh
# /usr/local/bin/goss -g /home/bolly/rh7_cis_goss/section_1/cis_1.1/cis_1.1.22.yml validate
............Total Duration: 0.033s
Count: 12, Failed: 0, Skipped: 0
```- changing the output
```sh
# /usr/local/bin/goss -g /home/bolly/rh7_stig_goss/Cat_2/RHEL-07-010030.yml validate -f documentation
goss -g Cat_2/RHEL-07-020240.yml --vars vars/stig.yml v -f documentation
Title: CAT_2 | RHEL-07-020240 | Must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
File: /etc/login.defs: exists: matches expectation: [true]
File: /etc/login.defs: mode: matches expectation: ["0644"]
File: /etc/login.defs: contains: patterns not found: [/^UMASK 077]Failures/Skipped:
Title: CAT_2 | RHEL-07-020240 | Must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
File: /etc/login.defs: contains: patterns not found: [/^UMASK 077]Total Duration: 0.000s
Count: 3, Failed: 1, Skipped: 0
```## further information
- [goss documentation](https://github.com/aelsabbahy/goss/blob/master/docs/manual.md#patterns)
- [STIG standards](https://public.cyber.mil/stigs/)