Ubuntu 20.04 Audit

Overview

This repository is forked from ansible-lockdown/UBUNTU20-CIS-Audit (branch: devel, commit: b0b484f198b145eb7cbe8cc0e8a7b0abab3003b5).

Perform Audit

# Install GOSS
sudo curl -L https://github.com/aelsabbahy/goss/releases/latest/download/goss-linux-amd64 -o /usr/local/bin/goss
sudo chmod +rx /usr/local/bin/goss

# Install Git and clone repo
sudo apt update
sudo apt install git -y

cd /var/tmp/
sudo git clone --single-branch --branch dev https://bitbucket.it.keysight.com/scm/kps011/ansible-lockdown-ubuntu20-audit.git

cd ansible-lockdown-ubuntu20-audit

# Run audit
sudo ./run_audit.sh

Report Dissection

  • The report is written to /var/tmp with the naming format audit_ansible-lockdown-ubuntu20_${epoch_time}.json, where ${epoch_time} is the Unix epoch timestamp of the run
  • N.B.: each CIS rule can have multiple goss checks, so one rule may appear in several result entries
  • The report has two main keys:
    • summary: high-level goss statistics

      "summary": {
        "failed-count": 142,
        "summary-line": "Count: 372, Failed: 142, Duration: 42.973s",
        "test-count": 372,
        "total-duration": 42972592899
      }
      • where:
        • failed-count: number of failed checks
        • summary-line: human-readable summary of test-count, failed-count and total-duration (in s)
        • test-count: total number of checks
        • total-duration: time taken to perform all checks, in ns
    • results: a list of goss checks, each in the following format

      "results": [
          ...,
          {
              "duration": 597607,
              "err": null,
              "expected": [
                  "/^Storage=none/",
                  "/^ProcessSizeMax=0/"
              ],
              "found": null,
              "human": "",
              "meta": {
                  "CIS_ID": [
                      "1.5.1"
                  ],
                  "CISv8": [
                      4.1
                  ],
                  "CISv8_IG1": true,
                  "CISv8_IG2": true,
                  "CISv8_IG3": true,
                  "server": 1,
                  "workstation": "NA"
              },
              "property": "contains",
              "resource-id": "/etc/systemd/coredump.conf",
              "resource-type": "File",
              "result": 1,
              "successful": false,
              "summary-line": "File: /etc/systemd/coredump.conf: contains: patterns not found: [/^Storage=none/, /^ProcessSizeMax=0/]",
              "test-type": 2,
              "title": "1.5.1 | Ensure core dumps are restricted | coredump.conf"
          },
          ...
      ],
      • where:
        • duration: time taken to run the check, in ns
        • err: error encountered while goss ran the check (null when none)
        • expected: desired value
        • found: actual value
        • human: autogenerated string built from expected and found
        • meta: metadata of the corresponding CIS rule (CIS_ID, CIS v8 mapping and implementation groups, server/workstation applicability)
        • property: the specific check performed; the valid values depend on resource-type
        • resource-id: unique identifier of the resource checked by goss (e.g. the file path or command)
        • resource-type: type of goss check (the available resource types are documented by goss)
        • result:
          • goss result as an integer: 0 if found == expected, else 1
          • special cases: 2 if skipped, 3 if unknown
        • successful: goss result as a boolean: true if found == expected, else false
        • summary-line: autogenerated string built from resource-type, resource-id, property, expected and found
        • test-type:
          • 1 if skipped, else 0
          • special case: 2 when
            • resource-type == Command and property == stdout
            • resource-type == File and property == contains
        • title: title of the corresponding CIS rule
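The report layout above is easy to post-process once the two keys are understood. The following script is an added example, not part of this repository or of goss: it parses a report in the documented shape, cross-checks the summary block against the results list, rolls the per-check results up to one status per CIS rule (since one rule can carry several goss checks), and lists the failing findings. The embedded report is constructed sample data that copies the 1.5.1 entry shown above and adds two invented entries (a passing check and a skipped check); the rule titles and meta values of those two entries are assumptions, not real audit output.

```python
import json
from collections import defaultdict

# goss result codes as documented in the Report Dissection section
RESULT_NAMES = {0: "pass", 1: "fail", 2: "skip", 3: "unknown"}

# Constructed sample report in the documented layout (not real audit output).
SAMPLE_REPORT = json.dumps({
    "summary": {"failed-count": 1,
                "summary-line": "Count: 3, Failed: 1, Duration: 0.001s",
                "test-count": 3, "total-duration": 1000000},
    "results": [
        {   # the failing check shown in the README example
            "duration": 597607, "err": None,
            "expected": ["/^Storage=none/", "/^ProcessSizeMax=0/"],
            "found": None, "human": "",
            "meta": {"CIS_ID": ["1.5.1"], "CISv8": [4.1], "CISv8_IG1": True,
                     "CISv8_IG2": True, "CISv8_IG3": True, "server": 1,
                     "workstation": "NA"},
            "property": "contains", "resource-id": "/etc/systemd/coredump.conf",
            "resource-type": "File", "result": 1, "successful": False,
            "summary-line": "File: /etc/systemd/coredump.conf: contains: "
                            "patterns not found: [/^Storage=none/, /^ProcessSizeMax=0/]",
            "test-type": 2,
            "title": "1.5.1 | Ensure core dumps are restricted | coredump.conf"},
        {   # assumed second, passing check for the same CIS rule
            "duration": 1200, "err": None, "expected": ["0"], "found": ["0"],
            "human": "",
            "meta": {"CIS_ID": ["1.5.1"], "CISv8": [4.1], "CISv8_IG1": True,
                     "CISv8_IG2": True, "CISv8_IG3": True, "server": 1,
                     "workstation": "NA"},
            "property": "stdout", "resource-id": "ulimit -c",
            "resource-type": "Command", "result": 0, "successful": True,
            "summary-line": "Command: ulimit -c: stdout: matches expectation: [0]",
            "test-type": 2,
            "title": "1.5.1 | Ensure core dumps are restricted | ulimit"},
        {   # assumed skipped check for a different rule
            "duration": 10, "err": None, "expected": None, "found": None,
            "human": "",
            "meta": {"CIS_ID": ["1.1.1.1"], "CISv8": [4.8], "CISv8_IG1": False,
                     "CISv8_IG2": True, "CISv8_IG3": True, "server": 1,
                     "workstation": 1},
            "property": "stdout", "resource-id": "modprobe -n -v cramfs",
            "resource-type": "Command", "result": 2, "successful": False,
            "summary-line": "Command: modprobe -n -v cramfs: stdout: skipped",
            "test-type": 1,
            "title": "1.1.1.1 | Ensure mounting of cramfs filesystems is disabled | modprobe"},
    ],
})


def load_report(text):
    """Parse the JSON report written by run_audit.sh."""
    return json.loads(text)


def summary_is_consistent(report):
    """Cross-check summary against results: failed-count must equal the number of
    entries with result == 1 and test-count must equal the list length. A mismatch
    means the report was truncated or edited after goss wrote it."""
    results = report["results"]
    failed = sum(1 for r in results if r["result"] == 1)
    s = report["summary"]
    return failed == s["failed-count"] and len(results) == s["test-count"]


def group_by_cis_id(results):
    """Group goss checks by CIS rule; a check may be tagged with several CIS_IDs."""
    groups = defaultdict(list)
    for r in results:
        for cis_id in r["meta"]["CIS_ID"]:
            groups[cis_id].append(r)
    return dict(groups)


def rule_status(checks):
    """Roll several checks up to one rule status: any failure fails the rule,
    any unknown taints it, all-skipped is skipped, otherwise it passes."""
    codes = {c["result"] for c in checks}
    if 1 in codes:
        return "fail"
    if 3 in codes:
        return "unknown"
    if codes == {2}:
        return "skip"
    return "pass"


def rule_statuses(report):
    """Map every CIS_ID in the report to its rolled-up status."""
    return {cis_id: rule_status(checks)
            for cis_id, checks in group_by_cis_id(report["results"]).items()}


def cis_sort_key(cis_id):
    """Sort '1.10.2' after '1.5.1' numerically rather than lexically."""
    return tuple(int(p) for p in cis_id.split("."))


def failed_rules(report):
    """CIS IDs with at least one failing check, in numeric rule order."""
    return sorted((k for k, v in rule_statuses(report).items() if v == "fail"),
                  key=cis_sort_key)


def describe(check):
    """One-line finding: status, rule title, resource and expected vs found."""
    return (f"[{RESULT_NAMES[check['result']]}] {check['title']} :: "
            f"{check['resource-type']} {check['resource-id']} {check['property']} "
            f"expected={check['expected']} found={check['found']}")


if __name__ == "__main__":
    report = load_report(SAMPLE_REPORT)
    print(report["summary"]["summary-line"],
          "| summary consistent:", summary_is_consistent(report))
    for cis_id, status in sorted(rule_statuses(report).items(),
                                 key=lambda kv: cis_sort_key(kv[0])):
        print(f"{cis_id:<10} {status}")
    for r in report["results"]:
        if r["result"] == 1:
            print(describe(r))
```

To run it against a real report, replace SAMPLE_REPORT with the contents of the audit_ansible-lockdown-ubuntu20_${epoch_time}.json file from /var/tmp; the roll-up treats a rule as failed whenever any one of its goss checks fails, which matches the N.B. above that a single CIS rule can have several checks.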