Based on CIS Ubuntu Linux 22.04 LTS Benchmark v1.0.0 Release
Set of configuration files and directories to run the first stages of a CIS audit of Ubuntu 20.04 servers.
The checks are organised in a directory structure, split by section and control.
This could do with further testing, but sections 1.x should be complete.
Goss is run based on the goss.yml file in the top level directory. This specifies the configuration.
Variables file: vars/cis.yml
Please refer to the file for all options and their meanings.
- CIS controls: a variable is listed for every control/benchmark, and each control or a whole section can be turned on/off.
- other controls: enable_selinux, run_heavy_tasks
- bespoke options: if a site has specific options, e.g. password complexity, these can also be set.
Requirements:
- goss >= 0.4.4
- root privileges
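To show how the per-control variables and the directory layout fit together, here is an added example (not a file from this repository): a top-level goss.yml that pulls in a section directory, and a control file gated on a variable from vars/cis.yml. The variable name cis_1_6_1 and the file path section_1/cis_1.6/cis_1.6.1.yml are assumptions; the check itself mirrors the suid_dumpable output shown further down this page.

```yaml
# goss.yml (top level) - includes every control file under section_1.
# goss expands the glob when the file is loaded, so new control files
# dropped into the directory are picked up without editing this file.
gossfile:
  section_1/cis_1.1/*.yml: {}
  section_1/cis_1.6/*.yml: {}

---
# section_1/cis_1.6/cis_1.6.1.yml (assumed path)
# The whole check is wrapped in a Go template conditional. When
# `cis_1_6_1: true` is set in the vars file passed with --vars, the
# command is rendered and run; when it is false (or the key is absent),
# nothing is rendered and the control does not appear in the results.
{{ if .Vars.cis_1_6_1 }}
command:
  suid_dumpable_2:
    title: 1.6.1 Ensure core dumps are restricted (Automated)_sysctl
    exec: sysctl fs.suid_dumpable
    exit-status: 0
    stdout:
      # Pass only when the kernel reports the hardened value.
      - fs.suid_dumpable = 0
{{ end }}
```

Run with `goss --vars vars/cis.yml -g goss.yml validate`; setting `cis_1_6_1: false` in vars/cis.yml removes the control from the count, which is how whole sections are switched off.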
If running as part of the ansible playbook, this will pull in the relevant branch for the version of benchmark you are remediating.
- e.g. v1.2 will pull in branch benchmark_v1.2
Devel is normally the latest benchmark, so it may differ from the version of the benchmark you wish to test. Details are shown in the README.
You must have goss available on the host you wish to test.
- Run as root, not via sudo, due to sudo and shared memory access
Assuming you have already cloned this repository, you can run goss from wherever you wish.
- full check
# {{path to your goss binary}} --vars {{ path to the vars file }} -g {{path to your clone of this repo }}/goss.yml validate
example:
# /usr/local/bin/goss --vars ../vars/cis.yml -g /home/bolly/rh8_cis_goss/goss.yml validate
......FF....FF................FF...F..FF.............F........................FSSSS.............FS.F.F.F.F.........FFFFF....
Failures/Skipped:
Title: 1.6.1 Ensure core dumps are restricted (Automated)_sysctl
Command: suid_dumpable_2: exit-status:
Expected
<int>: 1
to equal
<int>: 0
Command: suid_dumpable_2: stdout: patterns not found: [fs.suid_dumpable = 0]
Title: 1.4.2 Ensure filesystem integrity is regularly checked (Automated)
Service: aidecheck: enabled:
Expected
<bool>: false
to equal
<bool>: true
Service: aidecheck: running:
Expected
<bool>: false
to equal
<bool>: true
< ---------cut ------- >
Title: 1.1.22 Ensure sticky bit is set on all world-writable directories
Command: version: exit-status:
Expected
<int>: 0
to equal
<int>: 123
Total Duration: 5.102s
Count: 124, Failed: 21, Skipped: 5
- running a particular section of tests
# /usr/local/bin/goss -g /home/bolly/rh8_cis_goss/section_1/cis_1.1/cis_1.1.22.yml validate
............
Total Duration: 0.033s
Count: 12, Failed: 0, Skipped: 0
- changing the output
# /usr/local/bin/goss -g /home/bolly/rh8_cis_goss/section_1/cis_1.1/cis_1.1.22.yml validate -f documentation
Title: 1.1.20 Check for removeable media nodev
Command: floppy_nodev: exit-status: matches expectation: [0]
Command: floppy_nodev: stdout: matches expectation: [OK]
< -------cut ------- >
Title: 1.1.20 Check for removeable media noexec
Command: floppy_noexec: exit-status: matches expectation: [0]
Command: floppy_noexec: stdout: matches expectation: [OK]
Total Duration: 0.022s
Count: 12, Failed: 0, Skipped: 0
The ability to add your own requirements is available in several sections.