Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/perfecto25/salt_cis_rocky9

CIS Benchmarks for Rocky 9 Linux
https://github.com/perfecto25/salt_cis_rocky9

Last synced: 7 days ago
JSON representation

CIS Benchmarks for Rocky 9 Linux

Host: GitHub
URL: https://github.com/perfecto25/salt_cis_rocky9
Owner: perfecto25
Created: 2023-01-19T19:49:09.000Z (almost 2 years ago)
Default Branch: master
Last Pushed: 2024-04-23T22:14:27.000Z (7 months ago)
Last Synced: 2024-04-23T23:48:55.166Z (7 months ago)
Language: SaltStack
Size: 3.33 MB
Stars: 1
Watchers: 1
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

# CIS Benchmark Rocky 9 Linux (v1.0.0) 12/13/2022
---

Rocky 9 CIS benchmark checks and remediation using Saltstack configuration management.

All rules are based on the CIS Rocky 9 Benchmark v1.0.0

To check your hosts for CIS compliance, run this State on your end points and pass the flag test=true. If test=true is omitted, this formula will attempt to remediate any inconsistent results it finds. CIS benchmark does its best to remediate basic things like file permissions, process and service control and user management. On other rules it will just issue a warning if something is not compliant.

CIS formula cannot remediate automatically:

- mounting of separate partitions like /home (too many variables, ie size and FS type of mount, etc, this needs to be done manually by the sysadmin)
- missing user home directories

## Prerequisites
you will need the following yum packages installed on your Centos 7 host

1. policycoreutils
1. policycoreutils-python
1. augeas

## To check a host for CIS compliance

salt [target] state.sls cis_rocky9 test=true

## Skip a Rule for all hosts (Global),
to skip a specific Rule + remediation for a specific rule for all hosts, simply set the rule to False in the ```init.sls```

{% set rules = {
'1.1.1': { 'Disable unused filesystems': False },
'1.1.2': { 'Ensure separate partition exists for /tmp': False },

## Ignore Rules, Package or Service checks on a per-host basis

to remove a service, package, filesystem or protocol from CIS check/compliance, or to skip a specific Rule check on an individual host, add a pillar to the minion,

```
cis:
ignore:
rules: ['1.4.2', '2.1.1.4']
services: ['smb', 'nfs']
packages: ['samba', 'httpd']
filesystems: ['squashfs']
protocols: ['rds']
```

by default, CIS state will apply the benchmark-recommended value settings for each check, for example

# Rule 4.1.1.2 Ensure system is disabled when audit logs are full
admin_space_left_action = {{ salt['pillar.get']('cis:default:auditd:admin_space_left_action', 'halt') }}"

it will apply the default 'halt' for admin_space_left_action parameter in /etc/audit/auditd.conf.

to specify a per-host value for these settings, add a pillar for the host

```
cis:
default:
auditd:
admin_space_left_action: SUSPEND
```

To see the full list of parameters that can be provided via pillar, see 'sample.pillar.sls'