Rule 5.2.20 expects values different than 0, but previous form of the… #171

Closed
Commits
91 commits
a2162db
Document variables in defaults/main.yml, Fix 2.
brisky Nov 24, 2023
34b0521
Document variables in defaults/main.yml, Fix 5 from devel
brisky Nov 29, 2023
dc59c32
Small additions to first part of documentation.
ipruteanu-sie Dec 5, 2023
06489db
Doc additions for:
ipruteanu-sie Dec 6, 2023
6dfbe18
Doc additions for:
ipruteanu-sie Dec 7, 2023
28a61fa
Last docs part - additions
ipruteanu-sie Dec 8, 2023
a57333d
Added vars for streams.
brisky Dec 27, 2023
560475e
Finalising the docs content & syntax
ipruteanu-sie Jan 17, 2024
14cd1e0
Merge branch 'siemens/feat/document_main_variables' of code.siemens.c…
ipruteanu-sie Jan 17, 2024
677424d
Merge branch 'devel' of github.com:siemens/RHEL9-CIS into siemens/fea…
ipruteanu-sie Jan 19, 2024
8fc85fc
Documenting usage of chrony variables.
ipruteanu-sie Jan 19, 2024
b4bef29
Improving doc for journald log parameters.
ipruteanu-sie Jan 19, 2024
073f6b7
Revert "Added vars for streams."
ipruteanu-sie Jan 19, 2024
48f0c7d
Using again the default values used by Lockdown for sshd vars, as the…
ipruteanu-sie Jan 19, 2024
36ab51d
Removing not useful line from docs
ipruteanu-sie Jan 19, 2024
dfffb19
Adding testfile with L1.
ipruteanu-sie Nov 15, 2023
f5b2299
Naming the Ansible vars in testfile properly, with respect to rhel9 ta…
ipruteanu-sie Nov 15, 2023
17592cc
new branch in Sfera_automation_pipeline, OIDC-testing
ipruteanu-sie Nov 21, 2023
3724f3f
Adding newest test results for L2.
ipruteanu-sie Nov 21, 2023
3dde4b1
Adding CI file
ipruteanu-sie Nov 15, 2023
7190ecb
Using again sfera_automation_pipeline's master branch
ipruteanu-sie Nov 21, 2023
9614e9d
Adding testfile with L1.
ipruteanu-sie Nov 15, 2023
6ef4e38
As Nuno discovered, I was accidentally adding a new line(un-needed)
ipruteanu-sie Nov 22, 2023
19693c0
Naming the Ansible vars in testfile properly, with respect to rhel9 ta…
ipruteanu-sie Nov 15, 2023
a52d2a6
new branch in Sfera_automation_pipeline, OIDC-testing
ipruteanu-sie Nov 21, 2023
d62e60d
Adding newest test results for L2.
ipruteanu-sie Nov 21, 2023
c2630dc
Using again sfera_automation_pipeline's master branch
ipruteanu-sie Nov 21, 2023
5cb6108
As Nuno discovered, I was accidentally adding a new line(un-needed)
ipruteanu-sie Nov 22, 2023
d6ae2b6
Merge branch 'siemens/rhel9/devel' of code.siemens.com:infosec-pss-go…
brisky Nov 27, 2023
06b39c0
Fixing conflicts after rebasing branch:"/siemens/rhel9/devel" onto up…
ipruteanu-sie Nov 15, 2023
b89fa21
new branch in Sfera_automation_pipeline, OIDC-testing
ipruteanu-sie Nov 21, 2023
89d1373
Adding newest test results for L2(rebasing siemens/rhel9/devel onto d…
ipruteanu-sie Nov 21, 2023
cd116a5
Using again sfera_automation_pipeline's master branch
ipruteanu-sie Nov 21, 2023
b931555
As Nuno discovered, I was accidentally adding a new line(un-needed)
ipruteanu-sie Nov 22, 2023
221f64d
Merge branch 'siemens/rhel9/devel' of code.siemens.com:infosec-pss-go…
ipruteanu-sie Jan 19, 2024
9ce1fb6
Solved minor conflicts in defaults/main.yml file, when re-basing
dulin Nov 22, 2023
da62626
Fixing conflicts after rebasing current feature branch onto 'devel'
brisky Nov 24, 2023
e780e07
Merge branch 'siemens/feat/document_main_variables' into siemens/rhel…
ipruteanu-sie Jan 19, 2024
7bab634
Updating the testfile with documented findings
ipruteanu-sie Jan 25, 2024
4cbc2e3
new branch in Sfera_automation_pipeline, OIDC-testing
ipruteanu-sie Nov 21, 2023
0e671e8
Adding CI file
ipruteanu-sie Nov 15, 2023
80fd642
Adding newest test results for L2.
ipruteanu-sie Nov 21, 2023
5884ef4
Adding testfile with L1.
ipruteanu-sie Nov 15, 2023
8bcb3c2
Using again sfera_automation_pipeline's master branch
ipruteanu-sie Nov 21, 2023
4dff7f0
Naming the Ansible vars in testfile properly, with respect to rhel9 ta…
ipruteanu-sie Nov 15, 2023
ad107e7
As Nuno discovered, I was accidentally adding a new line(un-needed)
ipruteanu-sie Nov 22, 2023
8815f14
new branch in Sfera_automation_pipeline, OIDC-testing
ipruteanu-sie Nov 21, 2023
3b91e9c
Adding newest test results for L2.
ipruteanu-sie Nov 21, 2023
af7e032
Using again sfera_automation_pipeline's master branch
ipruteanu-sie Nov 21, 2023
7641fd3
As Nuno discovered, I was accidentally adding a new line(un-needed)
ipruteanu-sie Nov 22, 2023
a621341
Merge branch 'siemens/rhel9/devel' of code.siemens.com:infosec-pss-go…
brisky Nov 27, 2023
b262d0a
Solving conflicts after latest rebase
brisky Nov 29, 2023
65aed53
Fixing conflicts after `rebase --continue`
ipruteanu-sie Dec 5, 2023
490a47e
Doc additions for:
ipruteanu-sie Dec 6, 2023
85ed8ce
Doc additions for:
ipruteanu-sie Dec 7, 2023
e40d8cb
Fixing conflicts
ipruteanu-sie Dec 8, 2023
5815c43
Added vars for streams.
brisky Dec 27, 2023
d1434f6
Rebasing
brisky Nov 24, 2023
159a06d
Finalising the docs content & syntax
ipruteanu-sie Jan 17, 2024
6744d90
Merge branch 'siemens/feat/document_main_variables' of code.siemens.c…
ipruteanu-sie Jan 17, 2024
945e020
Documenting usage of chrony variables.
ipruteanu-sie Jan 19, 2024
674e0fd
Improving doc for journald log parameters.
ipruteanu-sie Jan 19, 2024
f90a679
Revert "Added vars for streams."
ipruteanu-sie Jan 19, 2024
efdff71
Removing not useful line from docs
ipruteanu-sie Jan 19, 2024
0dab713
Solved minor conflicts in defaults/main.yml file, when re-basing
dulin Nov 22, 2023
a3ddf8f
Fixing conflicts after rebasing current feature branch onto 'devel'
brisky Nov 24, 2023
e62d048
Fixing conflicts after rebasing branch:"/siemens/rhel9/devel" onto up…
ipruteanu-sie Nov 15, 2023
8ef4610
new branch in Sfera_automation_pipeline, OIDC-testing
ipruteanu-sie Nov 21, 2023
cc42640
Adding newest test results for L2(rebasing siemens/rhel9/devel onto d…
ipruteanu-sie Nov 21, 2023
977899a
Using again sfera_automation_pipeline's master branch
ipruteanu-sie Nov 21, 2023
6c3a9e2
As Nuno discovered, I was accidentally adding a new line(un-needed)
ipruteanu-sie Nov 22, 2023
d87451a
Merge branch 'siemens/rhel9/devel' of code.siemens.com:infosec-pss-go…
ipruteanu-sie Jan 19, 2024
cc3cc03
Merge branch 'siemens/feat/document_main_variables' into siemens/rhel…
ipruteanu-sie Jan 19, 2024
e1bb833
Updating the testfile with documented findings
ipruteanu-sie Jan 25, 2024
9bd22c2
Merge branch 'siemens/rhel9/devel' of code.siemens.com:infosec-pss-go…
ipruteanu-sie Jan 30, 2024
c70c236
Applying patch to be used for extending-documentation
ipruteanu-sie Jan 31, 2024
a83678e
Removing statement about SSH precedence vars.
ipruteanu-sie Jan 31, 2024
f2a2757
Fixing yaml-lint errors
ipruteanu-sie Jan 31, 2024
3581793
Documenting also new added(`space_left` & `admin_space_left`)
ipruteanu-sie Jan 31, 2024
594e52a
Solving conflicts after previous commit:
ipruteanu-sie Jan 30, 2024
1880342
Replacing secure-configuration of 'audit' and 'audit_backlog_limit' f…
ipruteanu-sie Jan 26, 2024
e2738f0
Fixing indentation for lines reported by yamllint
ipruteanu-sie Jan 31, 2024
057afdc
[IP] New branch was created, so a new merge will be done.
ipruteanu-sie Feb 1, 2024
9c1a473
Merge branch 'siemens/feat/Refactor_Document_main_variables' into 'si…
ipruteanu-sie Feb 1, 2024
ead88e8
Merge branch 'siemens/feat/b5_6_5_pam-d_files_session' into 'siemens/…
ipruteanu-sie Feb 1, 2024
d26d116
Merge branch 'siemens/feat/BgrubbyUsageForParams' into 'siemens/rhel9…
ipruteanu-sie Feb 1, 2024
a84cf8f
Rule 5.2.20 expects values different than 0, but previous form of the…
ipruteanu-sie Feb 6, 2024
09272d0
Fixing conflict when changed value from 0>3(caused by previous lines …
ipruteanu-sie Feb 6, 2024
42f0ce4
Fixing conflicts caused by docs addition <> default value changed, th…
ipruteanu-sie Feb 6, 2024
54a7f90
Merge branch 'siemens/feat/5_2_20_Wrong_Value_clientalivecountmax' of…
ipruteanu-sie Feb 6, 2024
d53e3ed
Adding CIS default expectation for ClientAliveInterval
ipruteanu-sie Feb 21, 2024
11 changes: 11 additions & 0 deletions .gitlab-ci.yml
@@ -0,0 +1,11 @@
include:
- project: 'cybersecurity/automated_hardening_tech/sfera_automation_pipeline'
# Do not forget to also set the correct pipeline branch below in the first variable!!!
ref: &pipeline_branch master
file: 'pipeline_for_include_ansible.yml'

variables:
# Basic data
# Require branch of pipeline so as to include correct version of resources
PIPELINE_BRANCH: *pipeline_branch
BASELINE_FOLDER_NAME: ANSIBLE_CIS_RHEL_9
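Review bot: the comment above `ref:` ("Do not forget to also set the correct pipeline branch below in the first variable!!!") is stale, because `PIPELINE_BRANCH: *pipeline_branch` already aliases the `&pipeline_branch` anchor and the two values cannot drift; either drop the comment or reword it to say the anchor keeps them in sync. Separately, `ref: &pipeline_branch master` includes `pipeline_for_include_ansible.yml` from another project at a moving branch, so any push to `sfera_automation_pipeline` silently changes what this hardening pipeline executes; pinning `ref` to a tag or commit SHA of that project would make the test runs reproducible and make pipeline changes reviewable here.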
230 changes: 230 additions & 0 deletions .scapolite_tests.yml
@@ -0,0 +1,230 @@
os_family: unix
os_image: rhel
os_image_version: v9
ciscat_version: v4.33.0
testruns:
- name: L2_Server_CIS_RHEL9_Ansible
testrun_ciscat_profile: xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server
testrun_benchmark_filename: CIS_Red_Hat_Enterprise_Linux_9_Benchmark_v1.0.0-xccdf.xml
testrun_checklist_id: "xccdf_org.cisecurity.benchmarks_benchmark_1.0.0_CIS_Red_Hat_Enterprise_Linux_9_Benchmark"
testrun_ansible_vars:
ubtu22cis_sshd:
allow_users: "ec2-user"
allow_groups: "sshadmins"
testrun_ansible_tags:
- level2-server
- level1-server
testrun_skip_ansible_tags:
- rule_5.3.4 # Enforcing password-based escalation will be disruptive for our AWS automation
activities:
# - id: 20_Ansible_Role_InitialCheck_L2_Workstation
# type: ansible
# role_name: rhel9-cis # code.siemens.com
# ansible:
# check_mode: yes
- id: 21_initial_ciscat_check
type: ciscat
validations:
- sub_type: count
expected:
pass: 134
fail: 97
not selected: 24
- sub_type: by_id
result: pass
check_ids: [R1_1_2_2, R1_1_2_3, R1_1_2_4, R1_1_3_2, R1_1_3_3, R1_1_4_2, R1_1_4_3, R1_1_4_4, R1_1_5_2, R1_1_5_3, R1_1_5_4, R1_1_6_2, R1_1_6_3, R1_1_6_4, R1_1_7_2, R1_1_7_3, R1_1_8_1, R1_1_8_2, R1_1_8_4, R1_2_2, R1_6_1_1, R1_6_1_2, R1_6_1_3, R1_6_1_4, R1_6_1_5, R1_6_1_7, R1_6_1_8, R1_7_1, R1_7_4, R1_7_5, R1_7_6, R1_8_1, R1_8_2, R1_8_3, R1_8_4, R1_8_5, R1_8_6, R1_8_7, R1_8_8, R1_8_9, R1_8_10, R1_10, R2_1_1, R2_2_1, R2_2_2, R2_2_3, R2_2_4, R2_2_5, R2_2_6, R2_2_7, R2_2_8, R2_2_9, R2_2_10, R2_2_11, R2_2_12, R2_2_13, R2_2_14, R2_2_15, R2_2_16, R2_2_17, R2_2_18, R2_3_1, R2_3_2, R2_3_3, R2_3_4, R3_1_2, R3_4_2_1, R3_4_2_7, R4_1_1_1, R4_1_1_4, R4_1_2_1, R4_1_4_1, R4_1_4_2, R4_1_4_3, R4_1_4_4, R4_1_4_5, R4_1_4_7, R4_1_4_8, R4_1_4_9, R4_1_4_10, R4_2_1_1, R4_2_1_2, R4_2_1_7, R4_2_2_1_4, R4_2_2_2, R5_1_1, R5_1_9, R5_2_1, R5_2_2, R5_2_3, R5_2_5, R5_2_6, R5_2_8, R5_2_9, R5_2_10, R5_2_11, R5_2_14, R5_2_18, R5_2_20, R5_3_1, R5_3_5, R5_3_6, R5_5_4, R5_6_1_3, R5_6_1_5, R5_6_2, R5_6_4, R6_1_1, R6_1_2, R6_1_3, R6_1_4, R6_1_5, R6_1_6, R6_1_7, R6_1_8, R6_1_9, R6_1_10, R6_1_11, R6_1_12, R6_2_1, R6_2_3, R6_2_4, R6_2_5, R6_2_6, R6_2_7, R6_2_8, R6_2_9, R6_2_10, R6_2_11, R6_2_12, R6_2_13, R6_2_14, R6_2_15, R6_2_16]
- sub_type: by_id
result: fail
check_ids: [R1_1_1_1, R1_1_1_2, R1_1_2_1, R1_1_3_1, R1_1_4_1, R1_1_5_1, R1_1_6_1, R1_1_7_1, R1_1_8_3, R1_1_9, R1_3_1, R1_3_2, R1_3_3, R1_4_1, R1_4_2, R1_5_1, R1_5_2, R1_5_3, R1_6_1_6, R1_7_2, R1_7_3, R2_1_2, R3_1_3, R3_2_1, R3_2_2, R3_3_1, R3_3_2, R3_3_3, R3_3_4, R3_3_5, R3_3_6, R3_3_7, R3_3_8, R3_3_9, R3_4_1_1, R3_4_1_2, R3_4_2_2, R3_4_2_3, R3_4_2_4, R4_1_1_2, R4_1_1_3, R4_1_2_2, R4_1_2_3, R4_1_3_1, R4_1_3_2, R4_1_3_3, R4_1_3_4, R4_1_3_5, R4_1_3_6, R4_1_3_7, R4_1_3_8, R4_1_3_9, R4_1_3_10, R4_1_3_11, R4_1_3_12, R4_1_3_13, R4_1_3_14, R4_1_3_15, R4_1_3_16, R4_1_3_17, R4_1_3_18, R4_1_3_19, R4_1_3_20, R4_2_1_4, R4_2_2_3, R4_2_2_4, R4_2_3, R5_1_2, R5_1_3, R5_1_4, R5_1_5, R5_1_6, R5_1_7, R5_1_8, R5_2_4, R5_2_7, R5_2_12, R5_2_13, R5_2_15, R5_2_16, R5_2_17, R5_2_19, R5_3_2, R5_3_3, R5_3_4, R5_3_7, R5_4_2, R5_5_1, R5_5_2, R5_5_3, R5_6_1_1, R5_6_1_2, R5_6_1_4, R5_6_3, R5_6_5, R5_6_6, R6_2_2]
- id: 22_Ansible_Role_Implement_L2_Workstation
type: ansible
role_name: "rhel9-cis"
before_script: |
/sbin/groupadd sshadmins
/sbin/usermod -a -G sshadmins ec2-user
- id: 23_ciscat_check_after_implement
type: ciscat
validations:
- sub_type: count
expected:
pass: 213
fail: 18
not selected: 24
- sub_type: compare
compare_with: 21_initial_ciscat_check
overall_expected_change: improvement
expected:
rules_passed_only_here: [R1_1_1_1, R1_1_1_2, R1_1_8_3, R1_1_9, R1_3_1, R1_3_2, R1_3_3, R1_4_1, R1_4_2, R1_5_1, R1_5_2, R1_5_3, R1_7_2, R1_7_3, R2_1_2, R3_1_3, R3_2_1, R3_2_2, R3_3_1, R3_3_2, R3_3_3, R3_3_4, R3_3_5, R3_3_6, R3_3_7, R3_3_8, R3_3_9, R3_4_1_1, R3_4_1_2, R3_4_2_2, R3_4_2_3, R3_4_2_4, R4_1_2_2, R4_1_2_3, R4_1_3_1, R4_1_3_10, R4_1_3_11, R4_1_3_12, R4_1_3_13, R4_1_3_14, R4_1_3_15, R4_1_3_16, R4_1_3_17, R4_1_3_18, R4_1_3_19, R4_1_3_2, R4_1_3_20, R4_1_3_3, R4_1_3_4, R4_1_3_5, R4_1_3_6, R4_1_3_7, R4_1_3_8, R4_1_3_9, R4_2_1_4, R4_2_3, R5_1_2, R5_1_3, R5_1_4, R5_1_5, R5_1_6, R5_1_7, R5_1_8, R5_2_13, R5_2_15, R5_2_16, R5_2_17, R5_2_19, R5_2_7, R5_3_2, R5_3_3, R5_3_7, R5_4_2, R5_5_1, R5_5_2, R5_5_3, R5_6_1_1, R5_6_1_2, R5_6_1_4, R5_6_3]
rules_failed_only_here: &rulesFAILEDAfterImplementL2
- R5_2_20 # [TBD] Ensure SSH Idle Timeout Interval is configured
rules_unknown_only_there: []
- sub_type: by_id
result: pass
check_ids: &passed_rules_after_impl_l2 [R1_1_1_1, R1_1_1_2, R1_1_2_2, R1_1_2_3, R1_1_2_4, R1_1_3_2, R1_1_3_3, R1_1_4_2, R1_1_4_3, R1_1_4_4, R1_1_5_2, R1_1_5_3, R1_1_5_4, R1_1_6_2, R1_1_6_3, R1_1_6_4, R1_1_7_2, R1_1_7_3, R1_1_8_1, R1_1_8_2, R1_1_8_3, R1_1_8_4, R1_1_9, R1_2_2, R1_3_1, R1_3_2, R1_3_3, R1_4_1, R1_4_2, R1_5_1, R1_5_2, R1_5_3, R1_6_1_1, R1_6_1_2, R1_6_1_3, R1_6_1_4, R1_6_1_5, R1_6_1_7, R1_6_1_8, R1_7_1, R1_7_2, R1_7_3, R1_7_4, R1_7_5, R1_7_6, R1_8_1, R1_8_2, R1_8_3, R1_8_4, R1_8_5, R1_8_6, R1_8_7, R1_8_8, R1_8_9, R1_8_10, R1_10, R2_1_1, R2_1_2, R2_2_1, R2_2_2, R2_2_3, R2_2_4, R2_2_5, R2_2_6, R2_2_7, R2_2_8, R2_2_9, R2_2_10, R2_2_11, R2_2_12, R2_2_13, R2_2_14, R2_2_15, R2_2_16, R2_2_17, R2_2_18, R2_3_1, R2_3_2, R2_3_3, R2_3_4, R3_1_2, R3_1_3, R3_2_1, R3_2_2, R3_3_1, R3_3_2, R3_3_3, R3_3_4, R3_3_5, R3_3_6, R3_3_7, R3_3_8, R3_3_9, R3_4_1_1, R3_4_1_2, R3_4_2_1, R3_4_2_2, R3_4_2_3, R3_4_2_4, R3_4_2_7, R4_1_1_1, R4_1_1_4, R4_1_2_1, R4_1_2_2, R4_1_2_3, R4_1_3_1, R4_1_3_2, R4_1_3_3, R4_1_3_4, R4_1_3_5, R4_1_3_6, R4_1_3_7, R4_1_3_8, R4_1_3_9, R4_1_3_10, R4_1_3_11, R4_1_3_12, R4_1_3_13, R4_1_3_14, R4_1_3_15, R4_1_3_16, R4_1_3_17, R4_1_3_18, R4_1_3_19, R4_1_3_20, R4_1_4_1, R4_1_4_2, R4_1_4_3, R4_1_4_4, R4_1_4_5, R4_1_4_7, R4_1_4_8, R4_1_4_9, R4_1_4_10, R4_2_1_1, R4_2_1_2, R4_2_1_4, R4_2_1_7, R4_2_2_1_4, R4_2_2_2, R4_2_3, R5_1_1, R5_1_2, R5_1_3, R5_1_4, R5_1_5, R5_1_6, R5_1_7, R5_1_8, R5_1_9, R5_2_1, R5_2_2, R5_2_3, R5_2_5, R5_2_6, R5_2_7, R5_2_8, R5_2_9, R5_2_10, R5_2_11, R5_2_13, R5_2_14, R5_2_15, R5_2_16, R5_2_17, R5_2_18, R5_2_19, R5_3_1, R5_3_2, R5_3_3, R5_3_5, R5_3_6, R5_3_7, R5_4_2, R5_5_1, R5_5_2, R5_5_3, R5_5_4, R5_6_1_1, R5_6_1_2, R5_6_1_3, R5_6_1_4, R5_6_1_5, R5_6_2, R5_6_3, R5_6_4, R6_1_1, R6_1_2, R6_1_3, R6_1_4, R6_1_5, R6_1_6, R6_1_7, R6_1_8, R6_1_9, R6_1_10, R6_1_11, R6_1_12, R6_2_1, R6_2_3, R6_2_4, R6_2_5, R6_2_6, R6_2_7, R6_2_8, R6_2_9, R6_2_10, R6_2_11, R6_2_12, R6_2_13, R6_2_14, R6_2_15, R6_2_16]
- sub_type: by_id
result: fail
check_ids: &failed_rules_after_impl_l2
- R1_1_2_1 # [N/A] Ensure /tmp is a separate partition
- R1_1_3_1 # [N/A] Ensure separate partition exists for /var
- R1_1_4_1 # [N/A] Ensure separate partition exists for /var/tmp
- R1_1_5_1 # [N/A] Ensure separate partition exists for /var/log
- R1_1_6_1 # [N/A] Ensure separate partition exists for /var/log/audit
- R1_1_7_1 # [N/A] Ensure separate partition exists for /home
- R1_6_1_6 # [ SSM ] Ensure no unconfined services exist
- R4_1_1_2 # [Grub audit=1] Ensure auditing for processes that start prior to auditd is enabled
- R4_1_1_3 # [Grub audit_backlog_limit] Ensure audit_backlog_limit is sufficient
- R4_2_2_3 # [Compress in /etc/systemd/journald.conf] Ensure journald is configured to compress large log files
- R4_2_2_4 # [Storage=persistent /etc/systemd/journald.conf] Ensure journald is configured to write logfiles to persistent disk
- R5_2_4 # [TBD] Ensure SSH access is limited
- R5_2_12 # Ensure SSH X11 forwarding is disabled
- R5_2_20 # Ensure SSH Idle Timeout Interval is configured
- R5_3_4 # [DELIBERATELY IMPL-SKIPPED] Ensure users must provide password for escalation
- R5_6_5 # Ensure default user umask is 027 or more restrictive
- R5_6_6 # Ensure root password is set
- R6_2_2 # Ensure /etc/shadow password fields are not empty
- id: 25_reboot_system_for_testing_consistency
type: reboot
args:
- msg: "Reboot performed as requested on testfiles used for running ANSIBLE_CIS_DEBIAN_10 pipeline(L2)"
- test_command: "chmod g-wx,o-rwx /var/log/chrony/tracking.log" # Without adjusting log-perm during reboot, R4_2_3 will be reported as Fail
- reboot_timeout: 100
# - id: 24_Ansible_Role_CheckAfterImplement_L1_Workstation
# type: ansible
# role_name: "rhel9-cis"
# before_script: |
# cat /etc/os-release
# ansible:
# check_mode: yes
# diff: yes
- id: 26_ciscat_check_after_impl_AND_reboot
type: ciscat
validations:
- sub_type: count
expected:
pass: 213
fail: 18
error: 0
unknown: 0
not selected: 24
- sub_type: compare
compare_with: 23_ciscat_check_after_implement
overall_expected_change: stagnation
expected:
rules_passed_only_here: []
rules_failed_only_here: [] # - R4_2_3 # Ensure all logfiles have appropriate permissions and ownership
rules_unknown_only_here: []
- sub_type: by_id
result: pass
check_ids: *passed_rules_after_impl_l2
- sub_type: by_id
check_ids: *failed_rules_after_impl_l2
result: fail

- name: L1_Server_CIS_RHEL9_Ansible
testrun_ciscat_profile: xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server
testrun_benchmark_filename: CIS_Red_Hat_Enterprise_Linux_9_Benchmark_v1.0.0-xccdf.xml
testrun_checklist_id: "xccdf_org.cisecurity.benchmarks_benchmark_1.0.0_CIS_Red_Hat_Enterprise_Linux_9_Benchmark"
testrun_ansible_vars:
rhel9cis_sshd:
allow_users: "ec2-user"
allow_groups: "sshadmins"
testrun_ansible_tags:
- level1-server
activities:
# - id: 10_Ansible_Role_InitialCheck_L1_Workstation
# type: ansible
# role_name: rhel9-cis # code.siemens.com
# ansible:
# check_mode: yes
- id: 11_initial_ciscat_check
type: ciscat
validations:
- sub_type: count
expected:
pass: 119
fail: 62
error: 0
unknown: 0
not selected: 74
- sub_type: by_id
result: pass
check_ids: [R1_1_2_2, R1_1_2_3, R1_1_2_4, R1_1_3_2, R1_1_3_3, R1_1_4_2, R1_1_4_3, R1_1_4_4, R1_1_5_2, R1_1_5_3, R1_1_5_4, R1_1_6_2, R1_1_6_3, R1_1_6_4, R1_1_7_2, R1_1_7_3, R1_1_8_1, R1_1_8_2, R1_1_8_4, R1_2_2, R1_6_1_1, R1_6_1_2, R1_6_1_3, R1_6_1_4, R1_6_1_7, R1_6_1_8, R1_7_1, R1_7_4, R1_7_5, R1_7_6, R1_8_2, R1_8_3, R1_8_4, R1_8_5, R1_8_6, R1_8_7, R1_8_8, R1_8_9, R1_8_10, R1_10, R2_1_1, R2_2_2, R2_2_3, R2_2_4, R2_2_5, R2_2_6, R2_2_7, R2_2_8, R2_2_9, R2_2_10, R2_2_11, R2_2_12, R2_2_13, R2_2_14, R2_2_15, R2_2_16, R2_2_17, R2_2_18, R2_3_1, R2_3_2, R2_3_3, R2_3_4, R3_1_2, R3_4_2_1, R3_4_2_7, R4_2_1_1, R4_2_1_2, R4_2_1_7, R4_2_2_1_4, R4_2_2_2, R5_1_1, R5_1_9, R5_2_1, R5_2_2, R5_2_3, R5_2_5, R5_2_6, R5_2_8, R5_2_9, R5_2_10, R5_2_11, R5_2_14, R5_2_18, R5_2_20, R5_3_1, R5_3_5, R5_3_6, R5_5_4, R5_6_1_3, R5_6_1_5, R5_6_2, R5_6_4, R6_1_1, R6_1_2, R6_1_3, R6_1_4, R6_1_5, R6_1_6, R6_1_7, R6_1_8, R6_1_9, R6_1_10, R6_1_11, R6_1_12, R6_2_1, R6_2_3, R6_2_4, R6_2_5, R6_2_6, R6_2_7, R6_2_8, R6_2_9, R6_2_10, R6_2_11, R6_2_12, R6_2_13, R6_2_14, R6_2_15, R6_2_16]
- sub_type: by_id
result: fail
check_ids: [R1_1_2_1, R1_1_8_3, R1_1_9, R1_3_1, R1_3_2, R1_3_3, R1_4_1, R1_4_2, R1_5_1, R1_5_2, R1_5_3, R1_6_1_6, R1_7_2, R1_7_3, R2_1_2, R3_2_1, R3_2_2, R3_3_1, R3_3_2, R3_3_3, R3_3_4, R3_3_5, R3_3_6, R3_3_7, R3_3_8, R3_3_9, R3_4_1_1, R3_4_1_2, R3_4_2_2, R3_4_2_3, R3_4_2_4, R4_2_1_4, R4_2_2_3, R4_2_2_4, R4_2_3, R5_1_2, R5_1_3, R5_1_4, R5_1_5, R5_1_6, R5_1_7, R5_1_8, R5_2_4, R5_2_7, R5_2_15, R5_2_16, R5_2_17, R5_2_19, R5_3_2, R5_3_3, R5_3_7, R5_4_2, R5_5_1, R5_5_2, R5_5_3, R5_6_1_1, R5_6_1_2, R5_6_1_4, R5_6_3, R5_6_5, R5_6_6, R6_2_2]
- id: 12_Ansible_Role_Implement_L1_Workstation
type: ansible
role_name: rhel9-cis # code.siemens.com
before_script: |
/sbin/groupadd sshadmins
/sbin/usermod -a -G sshadmins ec2-user
- id: 13_ciscat_check_after_implement
type: ciscat
validations:
- sub_type: count
expected:
pass: 172
fail: 9
error: 0
unknown: 0
not selected: 74
- sub_type: compare
compare_with: 11_initial_ciscat_check
overall_expected_change: improvement
expected:
rules_passed_only_here: [R1_1_8_3, R1_1_9, R1_3_1, R1_3_2, R1_3_3, R1_4_1, R1_4_2, R1_5_1, R1_5_2, R1_5_3, R1_7_2, R1_7_3, R2_1_2, R3_2_1, R3_2_2, R3_3_1, R3_3_2, R3_3_3, R3_3_4, R3_3_5, R3_3_6, R3_3_7, R3_3_8, R3_3_9, R3_4_1_1, R3_4_1_2, R3_4_2_2, R3_4_2_3, R3_4_2_4, R4_2_1_4, R4_2_3, R5_1_2, R5_1_3, R5_1_4, R5_1_5, R5_1_6, R5_1_7, R5_1_8, R5_2_15, R5_2_16, R5_2_17, R5_2_19, R5_2_7, R5_3_2, R5_3_3, R5_3_7, R5_4_2, R5_5_1, R5_5_2, R5_5_3, R5_6_1_1, R5_6_1_2, R5_6_1_4, R5_6_3]
rules_passed_only_there:
- R5_2_20
rules_unknown_only_here: []
- sub_type: by_id
result: pass
check_ids: &passed_rules_after_impl_l1 [R1_1_2_2, R1_1_2_3, R1_1_2_4, R1_1_3_2, R1_1_3_3, R1_1_4_2, R1_1_4_3, R1_1_4_4, R1_1_5_2, R1_1_5_3, R1_1_5_4, R1_1_6_2, R1_1_6_3, R1_1_6_4, R1_1_7_2, R1_1_7_3, R1_1_8_1, R1_1_8_2, R1_1_8_3, R1_1_8_4, R1_1_9, R1_2_2, R1_3_1, R1_3_2, R1_3_3, R1_4_1, R1_4_2, R1_5_1, R1_5_2, R1_5_3, R1_6_1_1, R1_6_1_2, R1_6_1_3, R1_6_1_4, R1_6_1_7, R1_6_1_8, R1_7_1, R1_7_2, R1_7_3, R1_7_4, R1_7_5, R1_7_6, R1_8_2, R1_8_3, R1_8_4, R1_8_5, R1_8_6, R1_8_7, R1_8_8, R1_8_9, R1_8_10, R1_10, R2_1_1, R2_1_2, R2_2_2, R2_2_3, R2_2_4, R2_2_5, R2_2_6, R2_2_7, R2_2_8, R2_2_9, R2_2_10, R2_2_11, R2_2_12, R2_2_13, R2_2_14, R2_2_15, R2_2_16, R2_2_17, R2_2_18, R2_3_1, R2_3_2, R2_3_3, R2_3_4, R3_1_2, R3_2_1, R3_2_2, R3_3_1, R3_3_2, R3_3_3, R3_3_4, R3_3_5, R3_3_6, R3_3_7, R3_3_8, R3_3_9, R3_4_1_1, R3_4_1_2, R3_4_2_1, R3_4_2_2, R3_4_2_3, R3_4_2_4, R3_4_2_7, R4_2_1_1, R4_2_1_2, R4_2_1_4, R4_2_1_7, R4_2_2_1_4, R4_2_2_2, R4_2_3, R5_1_1, R5_1_2, R5_1_3, R5_1_4, R5_1_5, R5_1_6, R5_1_7, R5_1_8, R5_1_9, R5_2_1, R5_2_2, R5_2_3, R5_2_5, R5_2_6, R5_2_7, R5_2_8, R5_2_9, R5_2_10, R5_2_11, R5_2_14, R5_2_15, R5_2_16, R5_2_17, R5_2_18, R5_2_19, R5_3_1, R5_3_2, R5_3_3, R5_3_5, R5_3_6, R5_3_7, R5_4_2, R5_5_1, R5_5_2, R5_5_3, R5_5_4, R5_6_1_1, R5_6_1_2, R5_6_1_3, R5_6_1_4, R5_6_1_5, R5_6_2, R5_6_3, R5_6_4, R6_1_1, R6_1_2, R6_1_3, R6_1_4, R6_1_5, R6_1_6, R6_1_7, R6_1_8, R6_1_9, R6_1_10, R6_1_11, R6_1_12, R6_2_1, R6_2_3, R6_2_4, R6_2_5, R6_2_6, R6_2_7, R6_2_8, R6_2_9, R6_2_10, R6_2_11, R6_2_12, R6_2_13, R6_2_14, R6_2_15, R6_2_16]
- sub_type: by_id
result: fail
check_ids: &failed_rules_after_impl_l1
- R1_1_2_1 # [N/A] Ensure /tmp is a separate partition
- R1_6_1_6 # [ SSM ] Ensure no unconfined services exist
- R4_2_2_3 # [Compress in /etc/systemd/journald.conf] Ensure journald is configured to compress large log files
- R4_2_2_4 # [Storage=persistent /etc/systemd/journald.conf] Ensure journald is configured to write logfiles to persistent disk
- R5_2_4 # [TBD] Ensure SSH access is limited
- R5_2_20 # # Ensure SSH Idle Timeout Interval is configured
- R5_6_5 # Ensure default user umask is 027 or more restrictive
- R5_6_6 # Ensure root password is set
- R6_2_2 # Ensure /etc/shadow password fields are not empty
- id: 15_reboot_system_for_testing_consistency
type: reboot
args:
- msg: Reboot performed as requested on testfiles used for running ANSIBLE_CIS_DEBIAN_10 pipeline(L1)
- reboot_timeout: 100
- test_command: "chmod g-wx,o-rwx /var/log/chrony/tracking.log" # Fixing rule: "R4_2_3-Ensure all logfiles have appropriate permissions and ownership"
# - id: 14_Ansible_Role_CheckAfterImplement_L1_Workstation
# type: ansible
# role_name: rhel9-cis # code.siemens.com
# before_script: |
# cat /etc/os-release
# ansible:
# check_mode: yes
# diff: yes
- id: 16_ciscat_check_after_impl_AND_reboot
type: ciscat
validations:
- sub_type: count
expected:
pass: 172
fail: 9
error: 0
unknown: 0
not selected: 74
- sub_type: compare
compare_with: 13_ciscat_check_after_implement
overall_expected_change: stagnation
expected:
rules_passed_only_here: []
rules_failed_only_here: []
rules_unknown_only_here: []
- sub_type: by_id
result: pass
check_ids: *passed_rules_after_impl_l1
- sub_type: by_id
result: fail
check_ids: *failed_rules_after_impl_l1
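Review bot: the expected results still encode rule R5_2_20 ("Ensure SSH Idle Timeout Interval is configured") as regressing from pass to fail once the role has run: the L2 `compare` block lists it under `rules_failed_only_here`, the L1 `compare` block lists it under `rules_passed_only_there`, and both post-implement `check_ids` fail lists carry it, one of them with a `[TBD]` marker. Since the commits in this PR ("Rule 5.2.20 expects values different than 0, but previous form of the…", "Adding CIS default expectation for ClientAliveInterval") change the sshd defaults precisely to satisfy that rule, these expectations should be regenerated from a fresh run; as committed they will either fail the pipeline spuriously or keep a hardening regression recorded as expected. Three smaller points in the same file: the L2 testrun sets `ubtu22cis_sshd:` for `allow_users`/`allow_groups` while the L1 testrun sets `rhel9cis_sshd:`, so for a RHEL9 role the L2 values are very likely ignored and should use the same variable name; `test_command: "chmod g-wx,o-rwx /var/log/chrony/tracking.log"` in both reboot steps patches the system from the test harness so that R4_2_3 passes, which hides a gap in the role (the permission fix belongs in the role, or the rule belongs in the documented-exception list with the other `[N/A]` entries); and the reboot `msg` values still say `ANSIBLE_CIS_DEBIAN_10` although `BASELINE_FOLDER_NAME` is `ANSIBLE_CIS_RHEL_9`, while the L2 `compare` block uses `rules_unknown_only_there` where every other block uses `rules_unknown_only_here`.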