This repository has been archived by the owner on Apr 17, 2023. It is now read-only.

Format using saf cli #162

Closed
wants to merge 90 commits into from

Conversation

em-c-rod

@em-c-rod em-c-rod commented Apr 5, 2023

No description provided.

aaronlippold and others added 30 commits April 2, 2020 14:14
* updating controls up to v2.6 of STIG

Signed-off-by: HackerShark <[email protected]>

* updating controls up to v2.6 of STIG

Signed-off-by: HackerShark <[email protected]>

* Updating name, title and summary

* updated local vagrant to working state - cleanup required
fixed long running controls
started on EC2 spot instance testing using the SPEL partitioned images

Signed-off-by: Aaron Lippold <[email protected]>

* workflow testing

Signed-off-by: Aaron Lippold <[email protected]>

* added kitchen commands to workflow

Signed-off-by: Aaron Lippold <[email protected]>

* added bundler to the workflow

Signed-off-by: Aaron Lippold <[email protected]>

* fixed yaml syntax error

Signed-off-by: Aaron Lippold <[email protected]>

* added build-essentials package to the container and removed simp-helper

Signed-off-by: Aaron Lippold <[email protected]>

* fixed spelling

Signed-off-by: Aaron Lippold <[email protected]>

* apt-get issues ...

Signed-off-by: Aaron Lippold <[email protected]>

* fix for sudo

Signed-off-by: Aaron Lippold <[email protected]>

* fixed vagrant kitchen file to keep in line with other kitchen files
added validation, threshold and upload to heimdall-demo

Signed-off-by: Aaron Lippold <[email protected]>

* added uploading artifacts
changed path to results to be in the './results' dir

Signed-off-by: Aaron Lippold <[email protected]>

* fixed spacing error

Signed-off-by: Aaron Lippold <[email protected]>

* added `chef shell-init` to build process.

Signed-off-by: Aaron Lippold <[email protected]>

* correct chef shell-init command
added parallel jobs to bundler

Signed-off-by: Aaron Lippold <[email protected]>

* fixing workflow a bit more

Signed-off-by: Aaron Lippold <[email protected]>

* added inspec_tools to Gemfile

Signed-off-by: Aaron Lippold <[email protected]>

* bundler updates and hacks

Signed-off-by: Aaron Lippold <[email protected]>

* bundler again...

Signed-off-by: Aaron Lippold <[email protected]>

* Gemfile updates

Signed-off-by: Aaron Lippold <[email protected]>

* fixed ruby version

Signed-off-by: Aaron Lippold <[email protected]>

* updated results file name and made it cleaner

Signed-off-by: Aaron Lippold <[email protected]>

* added more explicit kitchen steps

Signed-off-by: Aaron Lippold <[email protected]>

* spacing issue

Signed-off-by: Aaron Lippold <[email protected]>

* added puppet to gemfile

Signed-off-by: Aaron Lippold <[email protected]>

* moved off the container

Signed-off-by: Aaron Lippold <[email protected]>

* fixed yml formatting

Signed-off-by: Aaron Lippold <[email protected]>

* fixed workstation uri

Signed-off-by: Aaron Lippold <[email protected]>

* added needed sudo commands

Signed-off-by: Aaron Lippold <[email protected]>

* corrected apt install command

Signed-off-by: Aaron Lippold <[email protected]>

* switching to dpkg

Signed-off-by: Aaron Lippold <[email protected]>

* almost to full done

Signed-off-by: Aaron Lippold <[email protected]>

* removed testing and setting of root password

Signed-off-by: Aaron Lippold <[email protected]>

* testing new aws testing instance type

Signed-off-by: Aaron Lippold <[email protected]>

* Fixes #11

Added logic to allow the control to insensitively match the
prescribed values. This is the behavior of audisp.

* Fixes #14

Updated the control to utilize '/etc/audisp/plugins.d/au-remote.conf'
instead of '/etc/audisp/audispd.conf'. Also, pulled the filename
into a variable to ease the burden of future updates.

* Fixes #12

Updated the control to utilize '/etc/audisp/plugins.d/au-remote.conf'
instead of '/etc/audisp/audispd.conf'. Also, pulled the filename
into a variable to ease the burden of future updates.

* Resolves #19

Utilized the default input values from the v1 controls to generate
default values in inspec.yml.

Signed-off-by: Lesley Kimmel <[email protected]>

* Reorganized logic for V-72433 (#47)

Pulled the conditional impact statements out of the if/then construct
early on and added them to the corresponding section near the
corresponding describe blocks.

- Fixes #16

Signed-off-by: Lesley Kimmel <[email protected]>

Co-authored-by: Lesley Kimmel <[email protected]>

* Reorganized logic for V-71965 (#49)

Pulled the conditional impact statements out of the if/then construct
early on and added them to the corresponding section near the
corresponding describe blocks.

- Fixes #18

Signed-off-by: Lesley Kimmel <[email protected]>

Co-authored-by: Lesley Kimmel <[email protected]>

* Updated V-81019 to correctly match configurations (#50)

Added logic to allow the control to insensitively match the
prescribed values. This is the behavior of audisp.

- Fixes #21

Signed-off-by: Lesley Kimmel <[email protected]>

Co-authored-by: Lesley Kimmel <[email protected]>

* Resolved datatype comparison issue in V-72223 (#52)

The control was comparing os_env('value').content to an integer.
os_env('value').content returns a string. Updated to convert the
string to an integer (to_i). The output of doing this directly was
poor so I added an explicit subject to clean up the output.

- Fixes #27

Signed-off-by: Lesley Kimmel <[email protected]>

Co-authored-by: Lesley Kimmel <[email protected]>

* Update V-71861.rb

* Update V-71859.rb

* Update V-71891.rb

* fixed some of the missing NAs that didn't have impact 0.0 but more remain

Signed-off-by: Aaron Lippold <[email protected]>

* moved impact back to outside the describe block

Signed-off-by: Aaron Lippold <[email protected]>

* Reorganized logic for V-72417 (#48)

* Reorganized logic for V-72417

Pulled the conditional impact statements out of the if/then construct
early on and added them to the corresponding section near the
corresponding describe blocks.

- Fixes #17

Signed-off-by: Lesley Kimmel <[email protected]>

* updated to expect syntax for cleaner reporting

Signed-off-by: Aaron Lippold <[email protected]>

* expect syntax fix

Signed-off-by: Aaron Lippold <[email protected]>

* updated back to standard should syntax

Signed-off-by: Aaron Lippold <[email protected]>

Co-authored-by: Lesley Kimmel <[email protected]>
Co-authored-by: Aaron Lippold <[email protected]>

* Adding support for chronyd in V-72269

- Added tests to ensure either chronyd or ntpd are installed, enabled
  and running.
- Modified to search for files under /etc/cron.daily that contain
  'ntpd -q' rather than checking for static file /etc/cron.daily/ntpdate.
- Allowed for checking configuration of both services if both are installed.
- Extract the actual `maxpoll` values into a list for more readable
  reporting (avoid printing complex regex).

- Fixes #13

Signed-off-by: Lesley Kimmel <[email protected]>

* Adjusted calculation logic in V-72089

- Removed the `@` symbol from the `#{audit_log_dir}` variable causing
  it to resolve to `nil` and presenting all system partitions.
- Update the shell call to `df` to use standard 1K blocksize instead
  of human readable format which can return results with various units.
- Update the space calculation to convert KB into MB ( / 1024) instead
  of converting [assumed] GB into MB ( * 1024).
- Updated to remove the use of the Ruby `File` class which would be
  executed on the Inspec runner instead of the target.

- Fixes #32

Signed-off-by: Lesley Kimmel <[email protected]>

* Resolved `undefined local variable` in V-71911

Added variable definition via input (difok).

- Fixes #33

Signed-off-by: Lesley Kimmel <[email protected]>

* Resolved `undefined local variable` in V-71863

Added variable definition via input (banner_message_text_cli).
Added variable definition via input (banner_message_text_cli_limited).

- Fixes #34

Signed-off-by: Lesley Kimmel <[email protected]>

* Fixed `undefined variable` error for V-71933

Added a variable definition via input (min_reuse_generations).

- Fixes #35

Signed-off-by: Lesley Kimmel <[email protected]>

* Remove faulty logic from V-78995

Removed the switch 'skip_deprecated_controls' from the control.
Restored 'traditional' if/then structure and located the 'impact'
override in the fallthrough case.

- Fixes #3

Signed-off-by: Lesley Kimmel <[email protected]>

* moved to c5.large instances to lower test bed cost

Signed-off-by: Aaron Lippold <[email protected]>

* Adding new control for V-92253

- Fixes #8

Signed-off-by: Lesley Kimmel <[email protected]>

* Adding new control for V-92251

- Fixes #7

Signed-off-by: Lesley Kimmel <[email protected]>

* Consider limits.d when checking for hard maxlogins

Added the functionality of collecting all configuration files under
limits.d. These files are then searched for any global ('*') entries
matching 'hard' and 'maxlogins'. Entries are then compared to the
maximum allowable value. At least one file containing a compliant
entry is required. No files can contain noncompliant entries.

The maximum login number is now configurable via an input
('maxlogins_limit').

- Fixes #23

Signed-off-by: Lesley Kimmel <[email protected]>

* Update V-72217.rb

* Added new control for V-92255.

- Resolves #9

Signed-off-by: Lesley Kimmel <[email protected]>

* Allow customization of the A/V solution in use. (#73)

Update the control to take a switch/boolean input that specifies
whether a non-nails solution is in use. If it is, require that
a description of the solution be input as a way to document
the solution

- Fixes #24

Signed-off-by: Lesley Kimmel <[email protected]>

Co-authored-by: Lesley Kimmel <[email protected]>
Co-authored-by: Aaron Lippold <[email protected]>

* Restore default property value.

Property value for 'custom_antivirus_description' was mistakenly removed
in a previous commit.

Signed-off-by: Lesley Kimmel <[email protected]>

* Added new control V-94843.

Signed-off-by: Lesley Kimmel <[email protected]>

* Updated V-71963 to be NA when EFI not in use

- Added a check to see if the EFI configuration file exists. If not,
  this becomes NA.
- Added a check for minor version of the OS. If 7.2 or later we only
  allow 'root' as a superuser.
- The STIG guidance states that this is NA for versions after 7.2.
  However, it seems clear that this is still needed it just changes
  the way we enforce it.
- Removed 'efi_user_boot_files'  input as it doesn't matter what file
  the configuration comes from, only that it is merged into the main
  config.
- Removed 'efi_main_cfg' input since we need to make the path dynamic to
  support RHEL variants such as CentOS. Also, the EFI path is pretty
  well static.

- Fixes #40

Signed-off-by: Lesley Kimmel <[email protected]>

* testing

Signed-off-by: Aaron Lippold <[email protected]>

* Corrected the tests for V-72171

- Removed the architecture check for path watches.
- Removed all checks for '/bin/mount' as this path is not used.

- Fixes #29

Signed-off-by: Lesley Kimmel <[email protected]>

* Update V-72095 to use `execve`

This new change prevents us from having to collect all of the SUID/SGID
files on the system.

- Fixes #30

Signed-off-by: Lesley Kimmel <[email protected]>

* Updated V-72073 to support overrides

- Simplified logic to remove loop searching for 'sha512' entries.
  Instead return them directly with the 'where' clause.
- Provide an input array to contain patterns to exclude from the test.

- Fixes #36

Signed-off-by: Lesley Kimmel <[email protected]>

* Updating V-72065 to account for fstab entry

- Allow /tmp to be specified in /etc/fstab as well as with the tmp.mount
  service.
- Validate that there is only one entry for /tmp in fstab
- Ensure that the device_name is not empty for the mount

- Fixes #37

Signed-off-by: Lesley Kimmel <[email protected]>

* Update V-71897 to allow multiple multiplexers

- Per v2r6 of the DISA STIG `tmux` is now an allowable option along with
  screen.
- Add an input list to contain `screen` and `tmux` and to support any
  future options.

- Fixes #67

Signed-off-by: Lesley Kimmel <[email protected]>

* Modify V-71937 to ignore `*-ac` files

- If ac (authconfig) files are included or substacked by other services
  they will still be checked.
- Loop over each service file in /etc/pam.d to provide a complete view
  of the configuration.

- Fixes #41

Signed-off-by: Lesley Kimmel <[email protected]>

* Updating V-72001 to validate all `allowed_users`

- The STIG control asks to validate that all accounts present on the
  system are approved. Explicitly adding them to a known user list
  provides that validation.
- There doesn't seem to be a need for a 'disallowed_users' list as users are
  implicitly disallowed by not being explicitly allowed.
- Use 'expect' syntax to allow for finer control over the reporting
  output. Previous output displayed a list of users for each line. Now we
  just show that each user listed in /etc/passwd has been explicitly
  listed as an approved user.

- Fixes #39

Signed-off-by: Lesley Kimmel <[email protected]>

* Adding test logic for new control V-81003

- Fixes #4

Signed-off-by: Lesley Kimmel <[email protected]>

* added logic to new control

Signed-off-by: HackerShark <[email protected]>

* updating logic test for UEFI

Signed-off-by: HackerShark <[email protected]>

* adding logic to control V-81005. Updating V-81007 logic to account for extra condition

Signed-off-by: HackerShark <[email protected]>

* Updated logic, rather than taking user input checking system directly if it uses UEFI or BIOS

Signed-off-by: HackerShark <[email protected]>

* Update V-81005.rb

* added creating the current profile JSON and uploading it to the repo

Signed-off-by: Aaron Lippold <[email protected]>

* testing profile creation

Signed-off-by: Aaron Lippold <[email protected]>

* actually helps to add the file you create

* removing fancy text

* adding -a to the command

* adding a pull prior to the push

* adding a pull prior to the push

* adding a pull prior to the push

* adding a pull prior to the push

* adding profile.json to the repository

* adding a pull prior to the push

* testing

* further fixing on the script

Signed-off-by: Aaron Lippold <[email protected]>

* adding profile.json to the repository

* added saving both the profile.json and the test-result.json to the repo on each change

Signed-off-by: Aaron Lippold <[email protected]>

* added git status

Signed-off-by: Aaron Lippold <[email protected]>

* trying to fix build

Signed-off-by: Aaron Lippold <[email protected]>

* removed profile.json and updated file to older version

Signed-off-by: Aaron Lippold <[email protected]>

* added git add to the command

Signed-off-by: Aaron Lippold <[email protected]>

* adding profile.json to the repository

* adding test-result.json to the repository

* updating controls to place impact adjustment in the main code body

Signed-off-by: HackerShark <[email protected]>

* refactored controls to match current style

* fixed malformed control

Signed-off-by: Aaron Lippold <[email protected]>

* adding profile.json to the repository

* adding test-result.json to the repository

* testing to see if this gets the right branch name

Signed-off-by: Aaron Lippold <[email protected]>

* removed files for testing

Signed-off-by: Aaron Lippold <[email protected]>

* adding profile.json to the repository

* adding test-result.json to the repository

* updated to using the v2 preview of upload-artifact
added the git --cache trick to allow for unchanged profile.json or test-result.json

Signed-off-by: Aaron Lippold <[email protected]>

* fixed json file

Signed-off-by: Aaron Lippold <[email protected]>

* added -f for the git add commands

Signed-off-by: Aaron Lippold <[email protected]>

* being a bit more forceful ...

Signed-off-by: Aaron Lippold <[email protected]>

* removing git commits for now to unblock the PR process - artifacts are still being saved.

Signed-off-by: Aaron Lippold <[email protected]>

* added the creation of the profile.json again

Signed-off-by: Aaron Lippold <[email protected]>

* fixing control logic

Signed-off-by: HackerShark <[email protected]>

* adding profile.json to the repository

* adding test-result.json to the repository

* demoing a full run

Signed-off-by: Aaron Lippold <[email protected]>

* fixed the vagrant kitchen file to use the vagrant user and not ec2-user

Signed-off-by: Aaron Lippold <[email protected]>

* Modified inspec.yml to use `block` style

- Updated inspec.yml to remove any arrays or hashes with enclosing
  brackets.
- The only time brackets are used is when an empty array ([]) or hash
  ({}) needs to be represented

- Fixes #84

Signed-off-by: Lesley Kimmel <[email protected]>

* Fixed reporting for V-71947

- This control was not splitting output lines into an array and was
  matching ALL lines containing 'NOPASSWD', which included commented
  lines.
- Modified to use the `file` resource to be more OS agnostic and build
  a results array of uncommented lines containing 'NOPASSWD'
- Reporting is improved for readability

- Fixes #90

Signed-off-by: Lesley Kimmel <[email protected]>

* Correct logic in V-81005

- Only OS versions earlier than 7.2 should be checked. Was checking any
  version 7.2 and later.

- Fixes #91

Signed-off-by: Lesley Kimmel <[email protected]>

* Fixed issues in V-72219

- Changed `firewalld_ports_deny` to a Hash instead of Array
- Cast hash references to symbols for proper resolution

- Fixes #28

Signed-off-by: Lesley Kimmel <[email protected]>

* Fixes issue #56

Signed-off-by: HackerShark <[email protected]>

* Fixing logic error

* Fixes issue #55

Signed-off-by: HackerShark <[email protected]>

* Fixing logic error

* Updated V-72257

- Removed multiple individual tests and replaced with
  'be_more_permissive_than' which covers all permission sets.
- Changed the command to return key files to stop filtering by current
  permissions. Inspec should validate the permissions in tests. We need
  pre-filter results outside of tests.

- Fixes #97

Signed-off-by: Lesley Kimmel <[email protected]>

* Fixes #57

Signed-off-by: HackerShark <[email protected]>

* Fixes #59

Signed-off-by: HackerShark <[email protected]>

* added note about long running controls

Signed-off-by: Aaron Lippold <[email protected]>

* added utf-8 encoding strings

Signed-off-by: Aaron Lippold <[email protected]>

* Fixed bug in V-71855

- Added input call for `rpm_verify_integrity_except`

- Fixes #103

Signed-off-by: Lesley Kimmel <[email protected]>

* Fixed bug in V-71849

- Added input call for `rpm_verify_perms_except`

- Fixes #102

Signed-off-by: Lesley Kimmel <[email protected]>

* Fixes #58

Signed-off-by: HackerShark <[email protected]>

* fixing error

Signed-off-by: HackerShark <[email protected]>

* Fixes #53

Signed-off-by: HackerShark <[email protected]>

* fixing error

Signed-off-by: HackerShark <[email protected]>

* updated logic to properly look for systems that don't use passwords for authentication

Signed-off-by: HackerShark <[email protected]>

* Fixes #54

Signed-off-by: HackerShark <[email protected]>

* fixing error

Signed-off-by: HackerShark <[email protected]>

* updated logic to properly look for systems that don't use passwords for authentication

Signed-off-by: HackerShark <[email protected]>

* testing gpg

Signed-off-by: Aaron Lippold <[email protected]>

* Update workflow to not install ruby twice, remove a few unnecessary commands

* Do not install chef workstation and instead just use ruby 2.7 with Chef gems

* Cleanup kitchen.yml, add vanilla test run

This cleans up the code for kitchen to deduplicate some items between kitchen.ec2.yml and kitchen.vagrant.yml. It also adds support for vanilla and hardened threshold levels that the CI can be tested against.

* Remove proxy-related pieces of kitchen vagrant file

* Try running Vagrant with macos in GH Actions

* Remove EC2 verification step and perform the verification in Github Actions using Vagrant instead

* Verify using Vagrant for every PR, only verify using EC2 on release

* Fix update profile script to properly push to PRs

* Rename inputs.example.yml to a more descriptive name

* Move inspec check to a different file, fix the Github action profile.json push back to repository

* Updating profile.json in the repository

* Add clarification with respect to local testing and EC2 versus Vagrant

* Fixes #91

Signed-off-by: HackerShark <[email protected]>

* Fixes #112

Signed-off-by: HackerShark <[email protected]>

* Fixes #101

Signed-off-by: HackerShark <[email protected]>

* Fixes #31 (#110)

* Fixes #31

Signed-off-by: HackerShark <[email protected]>

* updating logic to call inputs directly

Signed-off-by: HackerShark <[email protected]>

* Fixes #111 (#118)

* Fixes #111

Signed-off-by: HackerShark <[email protected]>

* Updating profile.json in the repository

* Revert "Fixes #111 (#118)"

This reverts commit e53c5a4.

* Switch over to the official ruby setup since the actions/setup-ruby one is throwing an error

* Lock ruby version to 2.6 in order to avoid Puppet load error

bundler is installed automatically, no need to install it as part of our steps

Release Puppet version lock

* Updating profile.json in the repository

* Update V-72417.rb

bugfix

* Add Trend AV to V-72213 checks

Trend Micro Anti-virus service is named 'ds_agent'.
This adds one more type of anti-virus this check can check for.

* Updating profile.json in the repository

* Fix describe.one formatting for V-72213

* Updating profile.json in the repository

* Fixes #115, fixes #25 (#124)

* Fixes #115, fixes #25

Signed-off-by: HackerShark <[email protected]>

* Updating profile.json in the repository

* Revert "Fixes #111 (#118)"

This reverts commit e53c5a4.

* Switch over to the official ruby setup since the actions/setup-ruby one is throwing an error

* Lock ruby version to 2.6 in order to avoid Puppet load error

bundler is installed automatically, no need to install it as part of our steps

Release Puppet version lock

* Updating profile.json in the repository

* Update V-72417.rb

bugfix

* Add Trend AV to V-72213 checks

Trend Micro Anti-virus service is named 'ds_agent'.
This adds one more type of anti-virus this check can check for.

* Updating profile.json in the repository

* Fix describe.one formatting for V-72213

* Updating profile.json in the repository

* Fixes #115, fixes #25

Signed-off-by: HackerShark <[email protected]>

* Updating profile.json in the repository

* Fixes #115, fixes #25

Signed-off-by: HackerShark <[email protected]>

* rebase, resolve merge conflicts

Signed-off-by: HackerShark <[email protected]>

* Updating profile.json in the repository

* Updating profile.json in the repository

Co-authored-by: Robert Clark <[email protected]>
Co-authored-by: rbclark <[email protected]>
Co-authored-by: Maven35 <[email protected]>
Co-authored-by: ejaronne <[email protected]>
Co-authored-by: ejaronne <[email protected]>

* Fixes #114 (#131)

* Add Trend AV to V-72213 checks

Trend Micro Anti-virus service is named 'ds_agent'.
This adds one more type of anti-virus this check can check for.

* Updating profile.json in the repository

* Fix describe.one formatting for V-72213

* Updating profile.json in the repository

* Fixes #114

Signed-off-by: HackerShark <[email protected]>

* Updating profile.json in the repository

* fixing syntax error

Signed-off-by: HackerShark <[email protected]>

* Delete profile.json

* Fixes #114

Signed-off-by: HackerShark <[email protected]>

* fixing syntax error

Signed-off-by: HackerShark <[email protected]>

* Updating profile.json in the repository

* Fixes #115, fixes #25 (#124)

* Fixes #115, fixes #25

Signed-off-by: HackerShark <[email protected]>

* Updating profile.json in the repository

* Revert "Fixes #111 (#118)"

This reverts commit e53c5a4.

* Switch over to the official ruby setup since the actions/setup-ruby one is throwing an error

* Lock ruby version to 2.6 in order to avoid Puppet load error

bundler is installed automatically, no need to install it as part of our steps

Release Puppet version lock

* Updating profile.json in the repository

* Update V-72417.rb

bugfix

* Add Trend AV to V-72213 checks

Trend Micro Anti-virus service is named 'ds_agent'.
This adds one more type of anti-virus this check can check for.

* Updating profile.json in the repository

* Fix describe.one formatting for V-72213

* Updating profile.json in the repository

* Fixes #115, fixes #25

Signed-off-by: HackerShark <[email protected]>

* Updating profile.json in the repository

* Fixes #115, fixes #25

Signed-off-by: HackerShark <[email protected]>

* rebase, resolve merge conflicts

Signed-off-by: HackerShark <[email protected]>

* Updating profile.json in the repository

* Updating profile.json in the repository

Co-authored-by: Robert Clark <[email protected]>
Co-authored-by: rbclark <[email protected]>
Co-authored-by: Maven35 <[email protected]>
Co-authored-by: ejaronne <[email protected]>
Co-authored-by: ejaronne <[email protected]>

* Fixes #114

Signed-off-by: HackerShark <[email protected]>

* fixing syntax error

Signed-off-by: HackerShark <[email protected]>

* Updating profile.json in the repository

* Updating profile.json in the repository

Co-authored-by: ejaronne <[email protected]>
Co-authored-by: ejaronne <[email protected]>
Co-authored-by: Robert Clark <[email protected]>
Co-authored-by: rbclark <[email protected]>
Co-authored-by: Aaron Lippold <[email protected]>
Co-authored-by: Maven35 <[email protected]>

* Update inspec.yml

locking inspec_version

* Updating profile.json in the repository

* fixing #132 (#133)

* fixing #132

Signed-off-by: HackerShark <[email protected]>

* Updating profile.json in the repository

* Update inspec.yml

locking inspec_version

* Updating profile.json in the repository

* version bump

* Updating profile.json in the repository

Co-authored-by: Aaron Lippold <[email protected]>
Co-authored-by: Lesley Kimmel <[email protected]>
Co-authored-by: ljkimmel <[email protected]>
Co-authored-by: GitHub Action <[email protected]>
Co-authored-by: Robert Clark <[email protected]>
Co-authored-by: rbclark <[email protected]>
Co-authored-by: Maven35 <[email protected]>
Co-authored-by: ejaronne <[email protected]>
Co-authored-by: ejaronne <[email protected]>
The cache seems to be causing issues with nokogiri
…rtain controls that require external connectivity in the target system
fixed regex escaping

Signed-off-by: Aaron Lippold <[email protected]>
* removed the v2.6 branch from the workflows now that
it has been merged

Signed-off-by: Aaron Lippold <[email protected]>

* Updating profile.json in the repository

* removed the conflicting profile.json

Signed-off-by: Aaron Lippold <[email protected]>

Co-authored-by: aaronlippold <[email protected]>
* Remove Rev_4 from NIST tag

- removed the Rev_4 array element from the NIST tag array

Signed-off-by: Aaron Lippold <[email protected]>

* Updating profile.json in the repository

* Updating profile.json in the repository

Co-authored-by: aaronlippold <[email protected]>
Emily Rodriguez and others added 26 commits February 18, 2022 20:00
Signed-off-by: Emily Rodriguez <[email protected]>
Signed-off-by: Emily Rodriguez <[email protected]>
Signed-off-by: Emily Rodriguez <[email protected]>
Signed-off-by: Emily Rodriguez <[email protected]>
Signed-off-by: Emily Rodriguez <[email protected]>
Signed-off-by: Emily Rodriguez <[email protected]>
adding amazon to the supported list
Signed-off-by: Emily Rodriguez <[email protected]>
Updating STIG from V2R6 to V3R6

* Fixes and Rev4 updates for PAM controls (#41)

Updated PAM controls and pam resource to reflect changes from the revision 4 update

Signed-off-by: Sam Cornwell <[email protected]>

* Fixes and Rev4 updates for grub controls (#29)

* Updated CCI and NIST tags to use arrays.
* * Reviewed all controls and fixed many issues
  * updated impact logic to account for Not Applicable cases
  * used the protected regex pattern `%r{ }` in place of //
  * fixed many false positives reported by end users
  * added TODOs to all controls that need to be enhanced
  * added a new attributes files for this branch for review
  * added logic so that all controls correctly report
  * removed most `only_if` statements and replaced with skips + impact 0.0
  * removed all `severity` tags in lieu of using `impact`
* * updated V-71863 fix the banner compare
  * updated V-71961 to account for multiple users
  * added attributes to support each
* Fixed V-71961 regex to accept spaces in front of password_pbkdf2
* Fixed V-71963 regex to accept spaces in front of password_pbkdf2
* Rewrote V-72075 to check the root partition is not removable
* Rewrote V-72067 to use grubby to check actual args for fips=1 rather than using buggy resource to try to parse the grub config
* Removed constant attributes from grub controls
* Removing dedup from V-72075

* Fixes and Rev4 updates for ssh controls (#25)

* Updated CCI and NIST tags to use arrays.
* * Reviewed all controls and fixed many issues
* updated impact logic to account for Not Applicable cases
* used the protected regex pattern `%r{ }` in place of //
* fixed many false positives reported by end users
* added TODOs to all controls that need to be enhanced
* added a new attributes files for this branch for review
* added logic so that all controls correctly report
* removed most `only_if` statements and replaced with skips + impact 0.0
* removed all `severity` tags in lieu of using `impact`
** Added EXEMPT_HOME_USERS attribute attributes file
* Removed extra attribute defn
* Fixed typo in call to package resource
* Updated attributes file
* Updating to do a range check and if the ClientAliveInterval is not set
* updating controls so they don't evaluate to not_tested.
* Fixed some ssh controls to be more explicit
* Replaced constant attribute CLIENT_ALIVE_INTERVAL with non-constant

* Fixes and Rev4 updates for login_defs controls (#32)

* * Reviewed all controls and fixed many issues
* updated impact logic to account for Not Applicable cases
* used the protected regex pattern `%r{ }` in place of //
* fixed many false positives reported by end users
* added TODOs to all controls that need to be enhanced
* added a new attributes files for this branch for review
* added logic so that all controls correctly report
* removed most `only_if` statements and replaced with skips + impact 0.0
* removed all `severity` tags in lieu of using `impact`
** Added EXEMPT_HOME_USERS attribute attributes file
* Removed extra attribute defn
* Fixed typo in call to package resource
* Updated attributes file
* Fixing typo in login_defs UMASK setting name

* Fixes and Rev4 updates for antivirus controls (#34)

* Updated to verify that the anti-virus software is installed.
* Updated to use an attribute to check if the anti-virus installation check should be performed.
** Reviewed all controls and fixed many issues
* updated impact logic to account for Not Applicable cases
* used the protected regex pattern `%r{ }` in place of //
* fixed many false positives reported by end users
* added TODOs to all controls that need to be enhanced
* added a new attributes files for this branch for review
* added logic so that all controls correctly report
* removed most `only_if` statements and replaced with skips + impact 0.0
* removed all `severity` tags in lieu of using `impact`
** updated V-71863 fix the banner compare
* updated V-71961 to account for multiple users
* added attributes to support each
* Removing ENABLE_AV attribute from antivirus controls

* Fixed the all_with_integer_arg logic (#43)

* Fixed the all_with_integer_arg logic
* This wasn't failing in all cases but was triggered in testing the SIMP
  PAM module and required a fix.
* Removed the need to make the operators a symbol and also allow
  strings for ease of use.
* Minor fixes
* Throw a helpful message if someone passes a bad operator
* Flip the default mode to immediately pass on success
* Make sure the value is actually an integer
* Fixed all_with_integer_arg and added any_with_integer_arg to PAM matcher
* Loosened constraint in V-71933 to allow either pam_unix or pam_pwhistory to have remember arg

* Fixes and Rev4 updates for initialization files controls (#22)

* Updated to use attribute to determine if control should be run as well as updated to get home directories from users resource.
* Updated to get home directories from users resource.
* Refactored control to check permissions using the find command.
* Refactored control to check owners using the find command.
* Updated to check for a length of 0.
* Updated to check for user gid and root group.
* Removed debug code and added a comment stating how we would be checking for directories more permissive than 750 and files more permissive than 640.
* Refactored to not use describe statements to check permissions when we can do it with find.
* Updated to use sets and check the length of findings.
* Updated to check that it should be empty.
* Updated CCI and NIST tags to use arrays.
* Fixed a few errors in the tags.
* Updated to use be_empty. Also removed attribute for now.
* Removed extra end keyword.
* Updated to support an attribute that allows the control to be disabled because it is slow.
* * Reviewed all controls and fixed many issues
* updated impact logic to account for Not Applicable cases
* used the protected regex pattern `%r{ }` in place of //
* fixed many false positives reported by end users
* added TODOs to all controls that need to be enhanced
* added a new attributes files for this branch for review
* added logic so that all controls correctly report
* removed most `only_if` statements and replaced with skips + impact 0.0
* removed all `severity` tags in lieu of using `impact`
* * Added EXEMPT_HOME_USERS attribute attributes file
* Removed extra attribute defn
* Fixed typo in call to package resource
* Updated attributes file
* small change to push file
* * updated V-71863 fix the banner compare
* updated V-71961 to account for multiple users
* added attributes to support each
* * fixed small / major issues with some of the tests.
* enhanced / corrected the Not Applicable reporting.
* ensured all 'Not Applicable' by attribute controls worked fully.
* small fixes to attributes
* enhancements to completeness of controls and testing
* Updated local interactive checks to filter out non-interactive users.
* Fixed several controls involving interactive users which were not properly querying for only interactive users
* Minor update to make consistent with other controls
* Updated to use users resource. Also, added check to exclude comments and check for nosuid being set in /etc/fstab.
* Fixing logic of control V-72037 to properly get count of references to world-writable files and compare against it
* Formatting changes
* Fixed find command in V-72027 to search for all directories and files with permissions less restrictive than 0750
* Update to RHEL7v4
* Fixing smart double quotes to be ascii double quotes
* updating controls so they don't evaluate to not_tested.
* Removed constants from initialization files controls
* Adding /bin/true to list of non-interactive shells

* Fixes and Rev4 updates for miscellaneous controls (#40)

* Updated to fix typo in grep command.
* Updated CCI and NIST tags to use arrays.
** Reviewed all controls and fixed many issues
* updated impact logic to account for Not Applicable cases
* used the protected regex pattern `%r{ }` in place of //
* fixed many false positives reported by end users
* added TODOs to all controls that need to be enhanced
* added a new attributes files for this branch for review
* added logic so that all controls correctly report
* removed most `only_if` statements and replaced with skips + impact 0.0
* removed all `severity` tags in lieu of using `impact`
** Added EXEMPT_HOME_USERS attribute attributes file
* Removed extra attribute defn
* Fixed typo in call to package resource
* Updated attributes file
** updated V-71863 fix the banner compare
* updated V-71961 to account for multiple users
* added attributes to support each
** fixed small / major issues with some of the tests.
* enhanced / corrected the Not Applicable reporting.
* ensured all 'Not Applicable' by attribute controls worked fully.
* small fixes to attributes
* enhancements to completeness of controls and testing
* Fixed usb storage driver name. For configuration files, usb-storage and usb_storage are interchangeable. modprobe seems to use the name usb_storage regardless of the config name
* Update to RHEL7v4
* Fixing smart double quotes to be ascii double quotes
* Removing constant attributes and adding subsystems tag for misc controls

* Fixes and Rev4 updates for privilege controls (#39)

* Rewrote V-71947 to be able to recursively process all sudoers files by following include and `includedir` directives
* Removed constant variables in some privilege controls
* Removed non-standard users from V-72001

* Fixes and Rev4 updates for installed packages controls (#38)

* Fixed clean_requirements_on_remove to be referenced within the main section of yum.conf for control V-71987
* Update to RHEL7v4
* Fixed find expression and test statement for control V-72039
* Rewrote V-72299 to allow ftp server as long as SSL is used
* Rewrote rpm verify controls to remove hard-coded exceptions
* Removed constant attribute from V-72307
* Added dangerous tag to control which uses global find command

* Fixes and Rev4 updates for interactive user controls (#36)

* Updated local interactive checks to filter out non-interactive users.
* Fixed several controls involving interactive users which were not properly querying for only interactive users
* Adding uid constraints to controls V-72011 and V-72015
* Update to RHEL7v4
* Removed constant attributes from interactive user controls
* Added lookup of UID_MIN from login_defs to the interactive user controls
* Added xdev and xautofs args to some find commands on home directories

* Fixes and Rev4 updates for network controls (#33)

* Updated to include iptables check.
* Updated to account for IPv6 being disabled in the kernel.
* Updated CCI and NIST tags to use arrays.
* fixed missing [ in cci tag.
* Pulling in changes from csp_mod branch
* * Reviewed all controls and fixed many issues
* updated impact logic to account for Not Applicable cases
* used the protected regex pattern `%r{ }` in place of //
* fixed many false positives reported by end users
* added TODOs to all controls that need to be enhanced
* added a new attributes files for this branch for review
* added logic so that all controls correctly report
* removed most `only_if` statements and replaced with skips + impact 0.0
* removed all `severity` tags in lieu of using `impact`
* * Added EXEMPT_HOME_USERS attribute attributes file
* Removed extra attribute defn
* Fixed typo in call to package resource
* Updated attributes file
* small change to push file
* * updated V-71863 fix the banner compare
* updated V-71961 to account for multiple users
* added attributes to support each
* * Added check in V-72223 for TMOUT is in the bashrc file
* Corrected attribute name in V-72223
* Merged attributes files
* * Updated control V-72317
* * fixed small / major issues with some of the tests.
* enhanced / corrected the Not Applicable reporting.
* ensured all 'Not Applicable' by attribute controls worked fully.
* small fixes to attributes
* enhancements to completeness of controls and testing
* Update to RHEL7v4
* Updated to support checking the files in /etc/profile.d
* Fixed V-72269 to properly check that maxpoll is set
* Fixed control V-72223 to describe.one on all the possible locations of TMOUT
* Removed constant attribute from V-72223
* Added xautofs flag to a few find commands
* Rewrote SNMP control V-72313 to recursively find all conf files via include statements
* Rewrote ipsec control V-72317 to recursively find all conf files via include
* Changed ntpd maxpoll control to use ntpd --saveconfigquit (currently loaded config) rather than the config file
* Added dangerous global find tag to couple controls

* Fixes and Rev4 updates for multifactor controls (#31)

* Updated to check for other sssd files
* Updated to include checking logic.
* Fixed SMART_CARD_STATUS constant attribute to be a non-constant
* Modified multifactor_enabled control to take optional user parameter to use when running dconf

* Fixes and Rev4 updates for LDAP controls (#28)

* fixing the logic of the V-72227 to match check text
* fixing the logic of the V-72229 to match check text
* fixing the logic of the V-72231 to match check text
* Added support to LDAP controls for SSSD (#11)
* Updating V-72227, V-72229, and V-72231 controls to take into account usage of SSSD
* Tweaked regex syntax in V-72229 and V-72231 controls
* Revised LDAP controls to not be dependent upon authconfig and also removed constant variables
* Fixed LDAP controls to dynamically extract CA cert files and directories

* Fixes and Rev4 updates for session lock controls (#26)

* Update from RHEL7 Rel1 to Rel4
* Updating logic to extract value so it can be evaluated using comparison operators.
* Fixing smart double quotes to be ascii double quotes
* updating controls so they don't evaluate to not_tested.
* Improved gnome controls to use gsettings rather than hard-coded file paths

* Fixes and Rev4 updates for aide controls (#24)

* Update to RHEL7v4
* Fixed V-72069, V-72071, and V-72073 to work around aide_conf resource bug
* Replaced constant attribute FILE_INTEGRITY_INTERVAL and FILE_INTEGRITY_TOOL with non-constants
* Fixed aide controls to also search for cron jobs in the root crontab and /etc/cron.d

* Fixes and Rev4 updates for filesystem controls (#30)

* Adding attributes and removing login.defs requirement from V-72059 (#13)
* Fixing uid comparison logic of control V-72059 to use the same constant min_uid of 1000 as in other controls. Added exception to this control to ignore the root user because its home directory does not typically exist on the same mount point as other home directories
* Updating control to include new logic using the mount resource.
* updating controls so they don't evaluate to not_tested.
* Removed some constant attributes
* Rewrote nouser and nogroup controls to properly iterate over all mounted filesystem types
* Added lookup of UID_MIN from login_defs to V-72059

* Fixes and Rev4 updates for banner controls (#23)

* Updated to check if banner is not set, disabled, or provides a non-existent filepath.
* Fixed misuse of constants in banner controls. Constants inside the controls have global scope, and so re-use of constant names between controls can cause collisions if they are not intended to be the same
* Updated to make escaping of quote characters consistent.
* Tweaking V-71859 attribute to work even if boolean passed instead of string
* updating controls so they don't evaluate to not_tested.
* Removed constant attributes on banner controls and added some guards to check for gnome on certain controls. Added ability to specify a user to use to execute dconf

* Add attributes file and clean attributes (#44)

* Adding attributes file
* Cleaned up all the attributes. Fixed some inconsistencies and renamed a few. Also added missing attributes to attributes.yml
* Formatting banner texts to be multiline string. Removing unbound user from known_system_accounts

Signed-off-by: Sam Cornwell <[email protected]>

* Adding configurable unlock_time to pam_faillock controls (#47)

* Adding configurable unlock_time to pam_faillock controls
* Adding lockout_time to attributes file

* (SIMP-MAINT) Subsystem control tagging update (#65)

* (SIMP-MAINT) Subsystem control tagging update

* vendor prior to tests

* force revendoring

* tweak travis settings

* require all checks to pass

* Updated the find command for V-72027 to filter by '! -type l' (#71)

* Set the desc field for the control and only update the describe/skip … (#70)

* Set the desc field for the control and only update the describe/skip text in V-71849.

* Fix syntax error (missing :)

* Remove TODO comments to cleanup control

* Modify reporting for V-71999 to 'List of out-of-date packages should be empty'. Fix describe.one syntax error. (#69)

* Update mfa_pkg_list attribute with packages from RHEL documentation (#68)

* Various updates (#66)

* Update V-72241 and V-72251 to check the operating system release as described.

* Introduce a 'virtual_machine' attribute for V-72039 so that if the target is expected to be a virtual machine the check will allow /dev/vmci. Update V-72039 to check for vmci_device_t contexts.

* Fix impact rating in V-72305 when TFTP is not installed. Fix checking for incorrect package name. Expand RegEx check to match the long option (--secure) and short option (-s) and match an absolute path.

* Update comment for smart_card_status in attributes.yml to include V-72417 and V-72433.

* Expand comment about exempt_home_users attribute to include all applicable controls.

* Fix disable_slow_controls to false and update comment for exempt_home_users

* Move impact reduction out of describe block

* Updated 72253 (#11)

* fix typo (#78)

Small fix: Typo fix on 'explicitly'

* removed extra spaces (#77)

* - V-71999: fixed incorrect path for `su` in auditd config (#79)

- disabled slow controls in .kitchen.yml
- added a `nolong` attributes file

Signed-off-by: Aaron Lippold <[email protected]>

* Moves linux_patch resource into our libraries directory (#80)

* moves the linux patches resource into our profiles library
* updates the `inspec.yml` to remove dependency upstream
* updates the `.gitignore` to include .beaker
* bumped Gemfile for beaker-helper to 1.14.1

Signed-off-by: Aaron Lippold <[email protected]>

* Fixes #82 (#83)

Signed-off-by: Rony Xavier <[email protected]>

* added subsystem tag to aide tests (#84)

* Updated 'default' label for attributes to 'value' (#85)

* (SIMP-6708) Create and ensure inspec tests work (#86)

* Updated 'default' label for attributes to 'value'
* Added 'subsystem' tags to items that did not have them

* (SIMP-6708) Create and ensure inspec tests work by module (#87)

Added subsystem tags

* missing parenthesis on example (#89)

* (SIMP-6708) Create and ensure inspec tests work by module (#90)

* Updated subsystem tags

* V-72037 V2R1 Update title and find command

Per https://github.com/ComplianceAsCode/content/issues/3432
Adding -xdev to find prevents scanning /proc/, significantly speeding up
this control.

* Update V-72037 to search using pattern file

To reduce the number of grep invocations, we instead combine the
world-writable files list and invoke grep using this combined list as a
pattern file.
If no world-writable files exist, we skip the grep invocations
to prevent matching on an empty pattern

* Update V-72037 to limit grep pattern file length

Since we are passing the list of world-writable files to grep using
process substitution, we need to make sure the command line isn't too
long. We hard-code a limit and break the list of world-writable files
into chunks of pattern files no bigger than said limit.

* Update V-72037 to prevent searching .bash_history

Since .bash_history isn't executed, it will cause false positives if
there is any mention of a world writable file.

* Update V-72037, Get PATTERN_FILE_MAX_LENGTH

* Update V-72427.rb (#99)

Updating to handle the case where SSSD is installed, but, no configuration files are found.

* Update V-71941.rb

Closes #93.

* Update V-71983.rb

Closes #96.

* Update V-72059.rb

Closes #94.

* Update V-72315.rb

Closes #95.

* Update V-72433.rb

Re-issuing @Bialogs pull request (https://github.com/simp/inspec-profile-disa_stig-el7/pull/72).

* (SIMP-6708) Create and ensure inspec tests work by module (#91)

Added tags to the various inspec controls

* changing attributes to inputs (#106)

* updating the code so it doesn't error out when the file doesn't exist. (#108)

* updating check and fix text to use new format. (#107)

* 72433 (#109)

* Updating control to handle the case when the file doesn't exist. Replaces PR #72.

* updating to use inputs and sub descriptions.

* adding the `matchers.rb` file back into the libraries as the `pam` resource breaks without it until the pam work is merged into upstream master. (#111)

Signed-off-by: Aaron Lippold <[email protected]>

* updating controls to use resources. (#115)

* V-71961 grub2 Configuration File (#67)

* Changed array of grub2 superusers to a single superuser in grub_superuser attribute. Updated V-71961 to look for all instances of setting a grub2 superuser and superusers password within given grub configuration.

* Update V-71961 to check if environment variables are being set for the grub2 superuser password, if they are the control now examines provided user.cfg files to ensure that they password is encrypted with pbkdf2, if they are not it will check the password_ line entry in the given grub_main_cfg file.

* V 72049 (#122)

* Updated to check mask of initialization files and umask for each user.
* Skips remote filesystems

* Adding an automated test for this control. (#123)

* Updating control to check ports and services for all zones. (#120)

* Update V-71961.rb (#124)

* Updating attributes to inputs and moving defaults to inspec.yml. (#130)

* 73163 - Updating attributes to inputs and moving defaults to inspec.yml. (#132)

* Fixing 72223 to correctly handle the collection of TMOUT (#133)

Fixed a bug in 72223 where it was reporting a value of nil when the configuration setting was not set in a file. The code now reports that the configuration setting is not configured in the specific file.

Updating this control to include an active check by looking at the set TMOUT environment variable as well as accommodating situations where 'readonly TMOUT' is set.

* Update inspec.yml (#134)

* Fixed the check for oscp_on in the cert policy lines. (#136)

* Fixed incorrect subsystem entries (#138)

* Update dconf input to use nil instead of '' (#131)

* Updating attributes to inputs and moving defaults to inspec.yml.
* Updating dconf checks to use nil instead of ''.
* fix trailing whitespace

Co-authored-by: Trevor Vaughan <[email protected]>

* V-71971 SELinux should ignore system_u (#139)

- Fixed the SELinux tests to ignore system_u by default in V-71971

* Fix to issue #140 (#141)

* Addressing issue #143 (#146)

Modified a duplicate declaration of 'file_integrity_tool' in inspec.yml.

Signed-off-by: Lesley Kimmel <[email protected]>

* Addressing issue #145 (#147)

Updated control V-72191 to reference '/usr/bin/kmod' instead of
'/sbin/insmod'.

Signed-off-by: Lesley Kimmel <[email protected]>

Co-authored-by: Lesley Kimmel <[email protected]>
Co-authored-by: Trevor Vaughan <[email protected]>

* Addressing issue #129 (#148)

Set the input 'grub_superuser' to type String with value 'root' in
inspec.yml as this is what dependent controls expect.

Signed-off-by: Lesley Kimmel <[email protected]>

Co-authored-by: Lesley Kimmel <[email protected]>
Co-authored-by: Trevor Vaughan <[email protected]>

* Addressing issue #149 (#150)

Moved the 'linux_update' resource reference out of the describe/subject
block into a control-level variable. Also, generated a list of package
names to pass to the 'List of out-of-date packages' block instead of
the entire JSON object for cleaner output.

Signed-off-by: Lesley Kimmel <[email protected]>

Co-authored-by: Lesley Kimmel <[email protected]>
Co-authored-by: Trevor Vaughan <[email protected]>

* Set theme jekyll-theme-cayman

* Updating repo name in readme

* Setting up github workflows

* Delete .travis.yml

* Updating master branch to v2.6 of STIG (#135)

* updating controls up to v2.6 of STIG

Signed-off-by: HackerShark <[email protected]>

* updating controls up to v2.6 of STIG

Signed-off-by: HackerShark <[email protected]>

* Updating name, title and summary

* updated local vagrant to working state - cleanup required
fixed long running controls
started on EC2 spot instance testing using the SPEL partitioned images

Signed-off-by: Aaron Lippold <[email protected]>

* workflow testing

Signed-off-by: Aaron Lippold <[email protected]>

* added kitchen commands to workflow

Signed-off-by: Aaron Lippold <[email protected]>

* added bundler to the workflow

Signed-off-by: Aaron Lippold <[email protected]>

* fixed yaml syntax error

Signed-off-by: Aaron Lippold <[email protected]>

* added build-essentials package to the container and removed simp-helper

Signed-off-by: Aaron Lippold <[email protected]>

* fixed spelling

Signed-off-by: Aaron Lippold <[email protected]>

* apt-get issues ...

Signed-off-by: Aaron Lippold <[email protected]>

* fix for sudo

Signed-off-by: Aaron Lippold <[email protected]>

* fixed vagrant kitchen file to keep in line with other kitchen files
added validation, threshold and upload to heimdall-demo

Signed-off-by: Aaron Lippold <[email protected]>

* added uploading artifacts
changed path to results to be in the './results' dir

Signed-off-by: Aaron Lippold <[email protected]>

* fixed spacing error

Signed-off-by: Aaron Lippold <[email protected]>

* added `chef shell-init` to build process.

Signed-off-by: Aaron Lippold <[email protected]>

* correct chef shell-init command
added parallel jobs to bundler

Signed-off-by: Aaron Lippold <[email protected]>

* fixing workflow a bit more

Signed-off-by: Aaron Lippold <[email protected]>

* added inspec_tools to Gemfile

Signed-off-by: Aaron Lippold <[email protected]>

* bundler updates and hacks

Signed-off-by: Aaron Lippold <[email protected]>

* bundler again...

Signed-off-by: Aaron Lippold <[email protected]>

* Gemfile updates

Signed-off-by: Aaron Lippold <[email protected]>

* fixed ruby version

Signed-off-by: Aaron Lippold <[email protected]>

* updated results file name and made it cleaner

Signed-off-by: Aaron Lippold <[email protected]>

* added more explicit kitchen steps

Signed-off-by: Aaron Lippold <[email protected]>

* spacing issue

Signed-off-by: Aaron Lippold <[email protected]>

* added puppet to gemfile

Signed-off-by: Aaron Lippold <[email protected]>

* moved off the container

Signed-off-by: Aaron Lippold <[email protected]>

* fixed yml formatting

Signed-off-by: Aaron Lippold <[email protected]>

* fixed workstation uri

Signed-off-by: Aaron Lippold <[email protected]>

* added needed sudo commands

Signed-off-by: Aaron Lippold <[email protected]>

* corrected apt install command

Signed-off-by: Aaron Lippold <[email protected]>

* switching to dpkg

Signed-off-by: Aaron Lippold <[email protected]>

* almost to full done

Signed-off-by: Aaron Lippold <[email protected]>

* removed testing and setting of root password

Signed-off-by: Aaron Lippold <[email protected]>

* testing new aws testing instance type

Signed-off-by: Aaron Lippold <[email protected]>

* Fixes #11

Added logic to allow the control to insensitively match the
prescribed values. This is the behavior of audisp.

* Fixes #14

Updated the control to utilize '/etc/audisp/plugins.d/au-remote.conf'
instead of '/etc/audisp/audispd.conf'. Also, pulled the filename
into a variable to ease the burden of future updates.

* Fixes #12

Updated the control to utilize '/etc/audisp/plugins.d/au-remote.conf'
instead of '/etc/audisp/audispd.conf'. Also, pulled the filename
into a variable to ease the burden of future updates.

* Resolves #19

Utilized the default input values from the v1 controls to generate
default values in inspec.yml.

Signed-off-by: Lesley Kimmel <[email protected]>

* Reorganized logic for V-72433 (#47)

Pulled the conditional impact statements out of the if/then construct
early on and added them to the corresponding section near the
corresponding describe blocks.

- Fixes #16

Signed-off-by: Lesley Kimmel <[email protected]>

Co-authored-by: Lesley Kimmel <[email protected]>

* Reorganized logic for V-71965 (#49)

Pulled the conditional impact statements out of the if/then construct
early on and added them to the corresponding section near the
corresponding describe blocks.

- Fixes #18

Signed-off-by: Lesley Kimmel <[email protected]>

Co-authored-by: Lesley Kimmel <[email protected]>

* Updated V-81019 to correctly match configurations (#50)

Added logic to allow the control to insensitively match the
prescribed values. This is the behavior of audisp.

- Fixes #21

Signed-off-by: Lesley Kimmel <[email protected]>

Co-authored-by: Lesley Kimmel <[email protected]>

* Resolved datatype comparison issue in V-72223 (#52)

The control was comparing os_env('value').content to an integer.
os_env('value').content returns a string. Updated to convert the
string to an integer (to_i). The output of doing this directly was
poor so I added an explicit subject to clean up the output.

- Fixes #27

Signed-off-by: Lesley Kimmel <[email protected]>

Co-authored-by: Lesley Kimmel <[email protected]>

* Update V-71861.rb

* Update V-71859.rb

* Update V-71891.rb

* fixed some of the missing NAs that didn't have impact 0.0 but more remain

Signed-off-by: Aaron Lippold <[email protected]>

* moved impact back to outside the describe block

Signed-off-by: Aaron Lippold <[email protected]>

* Reorganized logic for V-72417 (#48)

* Reorganized logic for V-72417

Pulled the conditional impact statements out of the if/then construct
early on and added them to the corresponding section near the
corresponding describe blocks.

- Fixes #17

Signed-off-by: Lesley Kimmel <[email protected]>

* updated to expect syntax for cleaner reporting

Signed-off-by: Aaron Lippold <[email protected]>

* expect syntax fix

Signed-off-by: Aaron Lippold <[email protected]>

* updated back to standard should syntax

Signed-off-by: Aaron Lippold <[email protected]>

Co-authored-by: Lesley Kimmel <[email protected]>
Co-authored-by: Aaron Lippold <[email protected]>

* Adding support for chronyd in V-72269

- Added tests to ensure either chronyd or ntpd are installed, enabled
  and running.
- Modified to search for files under /etc/cron.daily that contain
  'ntpd -q' rather than checking for static file /etc/cron.daily/ntpdate.
- Allowed for checking configuration of both services if both are installed.
- Extract the actual `maxpoll` values into a list for more readable
  reporting (avoid printing complex regex).

- Fixes #13

Signed-off-by: Lesley Kimmel <[email protected]>

* Adjusted calculation logic in V-72089

- Removed the `@` symbol from the `#{audit_log_dir}` variable causing
  it to resolve to `nil` and presenting all system partitions.
- Update the shell call to `df` to use standard 1K blocksize instead
  of human readable format which can return results with various units.
- Update the space calculation to convert KB into MB ( / 1024) instead
  of converting [assumed] GB into MB ( * 1024).
- Updated to remove the use of the Ruby `File` class which would be
  executed on the Inspec runner instead of the target.

- Fixes #32

Signed-off-by: Lesley Kimmel <[email protected]>

* Resolved `undefined local variable` in V-71911

Added variable definition via input (difok).

- Fixes #33

Signed-off-by: Lesley Kimmel <[email protected]>

* Resolved `undefined local variable` in V-71863

Added variable definition via input (banner_message_text_cli).
Added variable definition via input (banner_message_text_cli_limited).

- Fixes #34

Signed-off-by: Lesley Kimmel <[email protected]>

* Fixed `undefined variable` error for V-71933

Added a variable definition via input (min_reuse_generations).

- Fixes #35

Signed-off-by: Lesley Kimmel <[email protected]>

* Remove faulty logic from V-78995

Removed the switch 'skip_deprecated_controls' from the control.
Restored 'traditional' if/then structure and located the 'impact'
override in the fallthrough case.

- Fixes #3

Signed-off-by: Lesley Kimmel <[email protected]>

* moved to c5.large instances to lower test bed cost

Signed-off-by: Aaron Lippold <[email protected]>

* Adding new control for V-92253

- Fixes #8

Signed-off-by: Lesley Kimmel <[email protected]>

* Adding new control for V-92251

- Fixes #7

Signed-off-by: Lesley Kimmel <[email protected]>

* Consider limits.d when checking for hard maxlogins

Added the functionality of collecting all configuration files under
limits.d. These files are then searched for any global ('*') entries
matching 'hard' and 'maxlogins'. Entries are then compared to the
maximum allowable value. At least one file containing a compliant
entry is required. No files can contain noncompliant entries.

The maximum login number is now configurable via an input
('maxlogins_limit').

- Fixes #23

Signed-off-by: Lesley Kimmel <[email protected]>

* Update V-72217.rb

* Added new control for V-92255.

- Resolves #9

Signed-off-by: Lesley Kimmel <[email protected]>

* Allow customization of the A/V solution in use. (#73)

Update the control to take a switch/boolean input that specifies
whether a non-nails solution is in use. If it is, require that
a description of the solution be input as a way to document
the solution

- Fixes #24

Signed-off-by: Lesley Kimmel <[email protected]>

Co-authored-by: Lesley Kimmel <[email protected]>
Co-authored-by: Aaron Lippold <[email protected]>

* Restore default property value.

Property value for 'custom_antivirus_description' was mistakenly removed
in a previous commit.

Signed-off-by: Lesley Kimmel <[email protected]>

* Added new control V-94843.

Signed-off-by: Lesley Kimmel <[email protected]>

* Updated V-71963 to be NA when EFI not in use

- Added a check to see if the EFI configuration file exists. If not,
  this becomes NA.
- Added a check for minor version of the OS. If 7.2 or later we only
  allow 'root' as a superuser.
- The STIG guidance states that this is NA for versions after 7.2.
  However, it seems clear that this is still needed; it just changes
  the way we enforce it.
- Removed 'efi_user_boot_files' input as it doesn't matter what file
  the configuration comes from, only that it is merged into the main
  config.
- Removed 'efi_main_cfg' input since we need to make the path dynamic to
  support RHEL variants such as CentOS. Also, the EFI path is pretty
  well static.

- Fixes #40

Signed-off-by: Lesley Kimmel <[email protected]>

* testing

Signed-off-by: Aaron Lippold <[email protected]>

* Corrected the tests for V-72171

- Removed the architecture check for path watches.
- Removed all checks for '/bin/mount' as this path is not used.

- Fixes #29

Signed-off-by: Lesley Kimmel <[email protected]>

* Update V-72095 to use `execve`

This new change prevents us from having to collect all of the SUID/SGID
files on the system.

- Fixes #30

Signed-off-by: Lesley Kimmel <[email protected]>

* Updated V-72073 to support overrides

- Simplified logic to remove loop searching for 'sha512' entries.
  Instead return them directly with the 'where' clause.
- Provide an input array to contain patterns to exclude from the test.

- Fixes #36

Signed-off-by: Lesley Kimmel <[email protected]>

* Updating V-72065 to account for fstab entry

- Allow /tmp to be specified in /etc/fstab as well as with the tmp.mount
  service.
- Validate that there is only one entry for /tmp in fstab
- Ensure that the device_name is not empty for the mount

- Fixes #37

Signed-off-by: Lesley Kimmel <[email protected]>

* Update V-71897 to allow multiple multiplexers

- Per v2r6 of the DISA STIG `tmux` is now an allowable option along with
  screen.
- Add an input list to contain `screen` and `tmux` and to support any
  future options.

- Fixes #67

Signed-off-by: Lesley Kimmel <[email protected]>

* Modify V-71937 to ignore `*-ac` files

- If ac (authconfig) files are included or substacked by other services
  they will still be checked.
- Loop over each service file in /etc/pam.d to provide a complete view
  of the configuration.

- Fixes #41

Signed-off-by: Lesley Kimmel <[email protected]>

* Updating V-72001 to validate all `allowed_users`

- The STIG control asks to validate that all accounts present on the
  system are approved. Explicitly adding them to a known user list
  provides that validation.
- There doesn't seem to be a need for a 'disallowed_users' list as users are
  implicitly disallowed by not being explicitly allowed.
- Use 'expect' syntax to allow for finer control over the reporting
  output. Previous output displayed a list of users for each line. Now we
  just show that each user listed in /etc/passwd has been explicitly
  listed as an approved user.

- Fixes #39

Signed-off-by: Lesley Kimmel <[email protected]>

* Adding test logic for new control V-81003

- Fixes #4

Signed-off-by: Lesley Kimmel <[email protected]>

* added logic to new control

Signed-off-by: HackerShark <[email protected]>

* updating logic test for UEFI

Signed-off-by: HackerShark <[email protected]>

* adding logic to control V-81005. Updating V-81007 logic to account for extra condition

Signed-off-by: HackerShark <[email protected]>

* Updated logic, rather than taking user input checking system directly if it uses UEFI or BIOS

Signed-off-by: HackerShark <[email protected]>

* Update V-81005.rb

* added creating the current profile JSON and uploading it to the repo

Signed-off-by: Aaron Lippold <[email protected]>

* testing profile creation

Signed-off-by: Aaron Lippold <[email protected]>

* actually helps to add the file you create

* removing fancy text

* adding -a to the command

* adding a pull prior to the push

* adding a pull prior to the push

* adding a pull prior to the push

* adding a pull prior to the push

* adding profile.json to the repository

* adding a pull prior to the push

* testing

* further fixing on the script

Signed-off-by: Aaron Lippold <[email protected]>

* adding profile.json to the repository

* added saving both the profile.json and the test-result.json to the repo on each change

Signed-off-by: Aaron Lippold <[email protected]>

* added git status

Signed-off-by: Aaron Lippold <[email protected]>

* trying to fix build

Signed-off-by: Aaron Lippold <[email protected]>

* removed profile.json and updated file to older version

Signed-off-by: Aaron Lippold <[email protected]>

* added git add to the command

Signed-off-by: Aaron Lippold <[email protected]>

* adding profile.json to the repository

* adding test-result.json to the repository

* updating controls to place impact adjustment in the main code body

Signed-off-by: HackerShark <[email protected]>

* refactored controls to match current style

* fixed malformed control

Signed-off-by: Aaron Lippold <[email protected]>

* adding profile.json to the repository

* adding test-result.json to the repository

* testing to see if this gets the right branch name

Signed-off-by: Aaron Lippold <[email protected]>

* removed files for testing

Signed-off-by: Aaron Lippold <[email protected]>

* adding profile.json to the repository

* adding test-result.json to the repository

* updated to using the v2 preview of upload-artifact
added the git --cache trick to allow for unchanged profile.json or test-result.json

Signed-off-by: Aaron Lippold <[email protected]>

* fixed json file

Signed-off-by: Aaron Lippold <[email protected]>

* added -f for the git add commands

Signed-off-by: Aaron Lippold <[email protected]>

* being a bit more forceful ...

Signed-off-by: Aaron Lippold <[email protected]>

* removing git commits for now to unblock the PR process - artifacts are still being saved.

Signed-off-by: Aaron Lippold <[email protected]>

* added the creation of the profile.json again

Signed-off-by: Aaron Lippold <[email protected]>

* fixing control logic

Signed-off-by: HackerShark <[email protected]>

* adding profile.json to the repository

* adding test-result.json to the repository

* demoing a full run

Signed-off-by: Aaron Lippold <[email protected]>

* fixed the vagrant kitchen file to use the vagrant user and not ec2-user

Signed-off-by: Aaron Lippold <[email protected]>

* Modified inspec.yml to use `block` style

- Updated inspec.yml to remove any arrays or hashes with enclosing
  brackets.
- The only time brackets are used is when an empty array ([]) or hash
  ({}) needs to be represented

- Fixes #84

Signed-off-by: Lesley Kimmel <[email protected]>

* Fixed reporting for V-71947

- This control was not splitting output lines into an array and was
  matching ALL lines containing 'NOPASSWD', which included commented
  lines.
- Modified to use the `file` resource to be more OS agnostic and build
  a results array of uncommented lines containing 'NOPASSWD'
- Reporting is improved for readability

- Fixes #90

Signed-off-by: Lesley Kimmel <[email protected]>

* Correct logic in V-81005

- Only OS versions earlier than 7.2 should be checked. Was checking any
  version 7.2 and later.

- Fixes #91

Signed-off-by: Lesley Kimmel <[email protected]>

* Fixed issues in V-72219

- Changed `firewalld_ports_deny` to a Hash instead of Array
- Cast hash references to symbols for proper resolution

- Fixes #28

Signed-off-by: Lesley Kimmel <[email protected]>

* Fixes issue #56

Signed-off-by: HackerShark <[email protected]>

* Fixing logic error

* Fixes issue #55

Signed-off-by: HackerShark <[email protected]>

* Fixing logic error

* Updated V-72257

- Removed multiple individual tests and replaced with
  'be_more_permissive_than' which covers all permission sets.
- Changed the command to return key files to stop filtering by current
  permissions. Inspec should validate the permissions in tests. We need
  pre-filter results outside of tests.

- Fixes #97

Signed-off-by: Lesley Kimmel <[email protected]>

* Fixes #57

Signed-off-by: HackerShark <[email protected]>

* Fixes #59

Signed-off-by: HackerShark <[email protected]>

* added note about long running controls

Signed-off-by: Aaron Lippold <[email protected]>

* added utf-8 encoding strings

Signed-off-by: Aaron Lippold <[email protected]>

* Fixed bug in V-71855

- Added input call for `rpm_verify_integrity_except`

- Fixes #103

Signed-off-by: Lesley Kimmel <[email protected]>

* Fixed bug in V-71849

- Added input call for `rpm_verify_perms_except`

- Fixes #102

Signed-off-by: Lesley Kimmel <[email protected]>

* Fixes #58

Signed-off-by: HackerShark <[email protected]>

* fixing error

Signed-off-by: HackerShark <[email protected]>

* Fixes #53

Signed-off-by: HackerShark <[email protected]>

* fixing error

Signed-off-by: HackerShark <[email protected]>

* updated logic to properly look for systems that don't use passwords for authentication

Signed-off-by: HackerShark <[email protected]>

* Fixes #54

Signed-off-by: HackerShark <[email protected]>

* fixing error

Signed-off-by: HackerShark <[email protected]>

* updated logic to properly look for systems that don't use passwords for authentication

Signed-off-by: HackerShark <[email protected]>

* testing gpg

Signed-off-by: Aaron Lippold <[email protected]>

* Update workflow to not install ruby twice, remove a few unnecessary commands

* Do not install chef workstation and instead just use ruby 2.7 with Chef gems

* Cleanup kitchen.yml, add vanilla test run

This cleans up the code for kitchen to deduplicate some items between kitchen.ec2.yml and kitchen.vagrant.yml. It also adds support for vanilla and hardened threshold levels that the CI can be tested against.

* Remove proxy-related pieces of kitchen vagrant file

* Try running Vagrant with macos in GH Actions

* Remove EC2 verification step and perform the verification in Github Actions using Vagrant instead

* Verify using Vagrant for every PR, only verify using EC2 on release

* Fix update profile script to properly push to PRs

* Rename inputs.example.yml to a more descriptive name

* Move inspec check to a different file, fix the Github action profile.json push back to repository

* Updating profile.json in the repository

* Add clarification with respect to local testing and EC2 versus Vagrant

* Fixes #91

Signed-off-by: HackerShark <[email protected]>

* Fixes #112

Signed-off-by: HackerShark <[email protected]>

* Fixes #101

Signed-off-by: HackerShark <[email protected]>

* Fixes #31 (#110)

* Fixes #31

Signed-off-by: HackerShark <[email protected]>

* updating logic to call inputs directly

Signed-off-by: HackerShark <[email protected]>

* Fixes #111 (#118)

* Fixes #111

Signed-off-by: HackerShark <[email protected]>

* Updating profile.json in the repository

* Revert "Fixes #111 (#118)"

This reverts commit e53c5a4f39582120c93d603fd816130fcc165127.

* Switch over to the official ruby setup since the actions/setup-ruby one is throwing an error

* Lock ruby version to 2.6 in order to avoid Puppet load error

bundler is installed automatically, no need to install it as part of our steps

Release Puppet version lock

* Updating profile.json in the repository

* Update V-72417.rb

bugfix

* Add Trend AV to V-72213 checks

Trend Micro Anti-virus service is named 'ds_agent'.
This adds one more type of anti-virus this check can check for.

* Updating profile.json in the repository

* Fix describe.one formatting for V-72213

* Updating profile.json in the repository

* Fixes #115, fixes #25 (#124)

* Fixes #115, fixes #25

Signed-off-by: HackerShark <[email protected]>

* Updating profile.json in the repository

* Revert "Fixes #111 (#118)"

This reverts commit e53c5a4f39582120c93d603fd816130fcc165127.

* Switch over to the official ruby setup since the actions/setup-ruby one is throwing an error

* Lock ruby version to 2.6 in order to avoid Puppet load error

bundler is installed automatically, no need to install it as part of our steps

Release Puppet version lock

* Updating profile.json in the repository

* Update V-72417.rb

bugfix

* Add Trend AV to V-72213 checks

Trend Micro Anti-virus service is named 'ds_agent'.
This adds one more type of anti-virus this check can check for.

* Updating profile.json in the repository

* Fix describe.one formatting for V-72213

* Updating profile.json in the repository

* Fixes #115, fixes #25

Signed-off-by: HackerShark <[email protected]>

* Updating profile.json in the repository

* Fixes #115, fixes #25

Signed-off-by: HackerShark <[email protected]>

* rebase, resolve merge conflicts

Signed-off-by: HackerShark <[email protected]>

* Updating profile.json in the repository

* Updating profile.json in the repository

Co-authored-by: Robert Clark <[email protected]>
Co-authored-by: rbclark <[email protected]>
Co-authored-by: Maven35 <[email protected]>
Co-authored-by: ejaronne <[email protected]>
Co-authored-by: ejaronne <[email protected]>

* Fixes #114 (#131)

* Add Trend AV to V-72213 checks

Trend Micro Anti-virus service is named 'ds_agent'.
This adds one more type of anti-virus this check can check for.

* Updating profile.json in the repository

* Fix describe.one formatting for V-72213

* Updating profile.json in the repository

* Fixes #114

Signed-off-by: HackerShark <[email protected]>

* Updating profile.json in the repository

* fixing syntax error

Signed-off-by: HackerShark <[email protected]>

* Delete profile.json

* Fixes #114

Signed-off-by: HackerShark <[email protected]>

* fixing syntax error

Signed-off-by: HackerShark <[email protected]>

* Updating profile.json in the repository

* Fixes #115, fixes #25 (#124)

* Fixes #115, fixes #25

Signed-off-by: HackerShark <[email protected]>

* Updating profile.json in the repository

* Revert "Fixes #111 (#118)"

This reverts commit e53c5a4f39582120c93d603fd816130fcc165127.

* Switch over to the official ruby setup since the actions/setup-ruby one is throwing an error

* Lock ruby version to 2.6 in order to avoid Puppet load error

bundler is installed automatically, no need to install it as part of our steps

Release Puppet version lock

* Updating profile.json in the repository

* Update V-72417.rb

bugfix

* Add Trend AV to V-72213 checks

Trend Micro Anti-virus service is named 'ds_agent'.
This adds one more type of anti-virus this check can check for.

* Updating profile.json in the repository

* Fix describe.one formatting for V-72213

* Updating profile.json in the repository

* Fixes #115, fixes #25

Signed-off-by: HackerShark <[email protected]>

* Updating profile.json in the repository

* Fixes #115, fixes #25

Signed-off-by: HackerShark <[email protected]>

* rebase, resolve merge conflicts

Signed-off-by: HackerShark <[email protected]>

* Updating profile.json in the repository

* Updating profile.json in the repository

Co-authored-by: Robert Clark <[email protected]>
Co-authored-by: rbclark <[email protected]>
Co-authored-by: Maven35 <[email protected]>
Co-authored-by: ejaronne <[email protected]>
Co-authored-by: ejaronne <[email protected]>

* Fixes #114

Signed-off-by: HackerShark <[email protected]>

* fixing syntax error

Signed-off-by: HackerShark <[email protected]>

* Updating profile.json in the repository

* Updating profile.json in the repository

Co-authored-by: ejaronne <[email protected]>
Co-authored-by: ejaronne <[email protected]>
Co-authored-by: Robert Clark <[email protected]>
Co-authored-by: rbclark <[email protected]>
Co-authored-by: Aaron Lippold <[email protected]>
Co-authored-by: Maven35 <[email protected]>

* Update inspec.yml

locking inspec_version

* Updating profile.json in the repository

* fixing #132 (#133)

* fixing #132

Signed-off-by: HackerShark <[email protected]>

* Updating profile.json in the repository

* Update inspec.yml

locking inspec_version

* Updating profile.json in the repository

* version bump

* Updating profile.json in the repository

Co-authored-by: Aaron Lippold <[email protected]>
Co-authored-by: Lesley Kimmel <[email protected]>
Co-authored-by: ljkimmel <[email protected]>
Co-authored-by: GitHub Action <[email protected]>
Co-authored-by: Robert Clark <[email protected]>
Co-authored-by: rbclark <[email protected]>
Co-authored-by: Maven35 <[email protected]>
Co-authored-by: ejaronne <[email protected]>
Co-authored-by: ejaronne <[email protected]>

* Delete greetings_program.yml

* added 4th NOTICE statement since this is STIG based

* Update README.md

* Rename LICENSE to LICENSE.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Updating profile.json in the repository

* Update find controls to use -xdev tags to prevent search of network fs

* Update V-72039 add -xdev to find command

Signed-off-by: Rony Xavier <[email protected]>

* Updating profile.json in the repository

* Remove caching

The cache seems to be causing issues with nokogiri

* Adding a new disconnected_system flag to allow the ability to flag certain controls that require external connectivity in the target system

* Modifying the V-71999 control to use the new disconnected_system flag

* Fixing the flag typo on the control

* Fixing another Ruby typo

* fixed location of if statement
fixed regex escaping

Signed-off-by: Aaron Lippold <[email protected]>

* Updating profile.json in the repository

* removed the v2.6 branch from the workflows (#142)

* removed the v2.6 branch from the workflows now that
it has been merged

Signed-off-by: Aaron Lippold <[email protected]>

* Updating profile.json in the repository

* removed the conflicting profile.json

Signed-off-by: Aaron Lippold <[email protected]>

Co-authored-by: aaronlippold <[email protected]>

* Remove Rev_4 from NIST tag (#143)

* Remove Rev_4 from NIST tag

- removed the Rev_4 array element from the NIST tag array

Signed-off-by: Aaron Lippold <[email protected]>

* Updating profile.json in the repository

* Updating profile.json in the repository

Co-authored-by: aaronlippold <[email protected]>

* updated the profile version number

* removed unneeded lines

* fixed the ec2 testing to go on PR or Push

Signed-off-by: Aaron Lippold <[email protected]>

* testing updates for ec2 builds and testing

Signed-off-by: Aaron Lippold <[email protected]>

* put things back

Signed-off-by: Aaron Lippold <[email protected]>

* turned the matrix back on and fixed file names for ec2 runs

Signed-off-by: Aaron Lippold <[email protected]>

* fixed typo in the yaml

Signed-off-by: Aaron Lippold <[email protected]>

* fixed broken step

Signed-off-by: Aaron Lippold <[email protected]>

* updated Workflow name for easier reading when demoing

Signed-off-by: Aaron Lippold <[email protected]>

* corrected typo for mfa

removed quotes around input for MFA:
changed multifactor_enabled: "true"
to
multifactor_enabled: true

* fixed reference to input

* fixed reference to input

* fixed another reference to input

* another fix to input reference

* fixed new line issues

* ensuring no profile errors

* ensuring no profile errors

* Updated License.md

Signed-off-by: karikarshivani <[email protected]>

* Updating profile.json in the repository

* Updated inspec.yml to the latest standards

Signed-off-by: karikarshivani <[email protected]>

* Updating profile.json in the repository

* Updating README.md to latest standards

Signed-off-by: HackerShark <[email protected]>

* Updating profile.json in the repository

* adding a sensitive input for test and demo

* Revert "adding a sensitive input for test and demo"

This reverts commit 569e50997e55b214c16cadae3ccc57c18e980b5e.

* Check permissions for all auditd rules in a cleaner manner

The previous method was causing very opaque failures due to permissions returning a nil array in some cases and `nil.include` was causing an error. This change provides a much more straightforward error to show users that they have to add the execute filter in auditd for their test to pass.

* Updating profile.json in the repository

* Remove newline from middle of starting

This was causing a newline to show up in the scan results.

* Updating profile.json in the repository

* Fix supports for base profile (#162)

* Fix supports for base profile

Testing if this falls through to child profiles

* Updating profile.json in the repository

* added centos

Signed-off-by: GitHub <[email protected]>

* update profile.json

Signed-off-by: GitHub <[email protected]>

* fixing profile.json

Signed-off-by: GitHub <[email protected]>

* Updating profile.json in the repository

Co-authored-by: aaronlippold <[email protected]>

* swapped descs to tags

Signed-off-by: Will Dower <[email protected]>

* rubocop run

Signed-off-by: Will Dower <[email protected]>

* fixed a buggy regex

Signed-off-by: Will Dower <[email protected]>

* used inspec_delta profile update_id to update control filenames to SV-XXXXXX

Signed-off-by: Will Dower <[email protected]>

* ran inspec_delta profile update to update metadata/control names

Signed-off-by: Will Dower <[email protected]>

* swapped out check, fix, and rational tags for descs

Signed-off-by: Will Dower <[email protected]>

* ran rubocop

Signed-off-by: Will Dower <[email protected]>

* fixed buggy regex

Signed-off-by: Will Dower <[email protected]>

* moved descs to tags

Signed-off-by: Will Dower <[email protected]>

* added LineLength to rubocop

Signed-off-by: Will Dower <[email protected]>

* ran update

Signed-off-by: Will Dower <[email protected]>

* swapped out tags for check, fix, rational with descs

Signed-off-by: Will Dower <[email protected]>

* updating to use the pipeline config that we will use for gitlab repo side

Signed-off-by: Will Dower <[email protected]>

* pulling in correct Gemfile for this pipeline version

Signed-off-by: Will Dower <[email protected]>

* made a local docker testing yml and some docker testing inputs

Signed-off-by: Will Dower <[email protected]>

* first few new controls

Signed-off-by: Will Dower <[email protected]>

* wrote the brand new controls, removed spec dir

Signed-off-by: Will Dower <[email protected]>

* removed unnecessary files from old profile version

Signed-off-by: Will Dower <[email protected]>

* merging in pipeline control code

Signed-off-by: Will Dower <[email protected]>

* removing controls from previous versions of the STIG that have been deprecated

Signed-off-by: Will Dower <[email protected]>

* refactored audit control

Signed-off-by: Will Dower <[email protected]>

* finished updating audit controls to new pattern

Signed-off-by: Will Dower <[email protected]>

* further updates to old control code, fixed pipeline to run the full profile, updated the hardened ec2 threshold

Signed-off-by: Will Dower <[email protected]>

* last batch of updates to control code to bring it to current STIG release

Signed-off-by: Will Dower <[email protected]>

* fixing profile errors

Signed-off-by: Will Dower <[email protected]>

* fixed profile errors from pipeline, started adding tags to the controls based on container applicability and subsystem category

Signed-off-by: Will Dower <[email protected]>

* assessing more controls for container applicability

Signed-off-by: Will Dower <[email protected]>

* refactored the remaining audit controls to match the new pattern, applied tags

Signed-off-by: Will Dower <[email protected]>

* finished tagging controls for container applicability

Signed-off-by: Will Dower <[email protected]>

* clarifying test output, fixing bugs

Signed-off-by: Will Dower <[email protected]>

* taking a look at the pam controls

Signed-off-by: Will Dower <[email protected]>

* updating README

Signed-off-by: Will Dower <[email protected]>

* adding in a few more container checks, figured out a cleaner test pattern for the pam checks

Signed-off-by: Will Dower <[email protected]>

* small tweaks to inspec.yml and the README

Signed-off-by: Will Dower <[email protected]>

* removed threshold file from controls dir

Signed-off-by: Aaron Lippold <[email protected]>

* Updated the README and `inspec.yml`

- updated language to not promise an ATO if they ran this on their
  system
- updated all organizational references to official sources, DISA, NIST,
  etc
- simplified and corrected direction on execution of the profile both
  locally and from an archive
- simplified language and use of acronyms
- corrected vendor references and names
- corrected instructions on use of inputs
- corrected references to SRGs, STIGs, CCIs, NIST 800-53 controls etc
- removed all external links - wikipedia etc - and used official
  publications
- linted for GitLab Markdown Styleguide
- reformatted yaml files

Signed-off-by: Aaron Lippold <[email protected]>

* Forgot the container aware section and enhanced the inputs section for a bit more clarity as to why they want to do things this way

* Add new file

* Update CONTAINER-ONLY-TESTS.md

* Documented the create method

* added links to profile stats

* getting the paths working

* Update README.md

* Simplified the Profile stats section

* Fixed typo in path

* clarified the intended use of the main branch vs our formal releases

* Grammar

* removed unneeded bolding of text and a few other grammar use issues

* Update README.md

* fixed broken link

* Update README.md

* Update README.md

* Delete CONTAINER-ONLY-TESTS.md

* moved the container applicable controls page to a wiki

* fixed typo in kitchen.dokken-local.yml

Signed-off-by: Aaron Lippold <[email protected]>

* Update section depth to be more logical with what the user has to do and added section links

* Logical flow and information grouping

* Update README.md

* Update README.md

* Update README.md

* tweaking the README

Signed-off-by: Will Dower <[email protected]>

* adding cli output to container pipeline run for easier reading

Signed-off-by: Will Dower <[email protected]>

* adjusted the rest of the pam checks, added a few more inputs for configurability

Signed-off-by: Will Dower <[email protected]>

* standardized input names, fixed a few broken inputs in the

Signed-off-by: Will Dower <[email protected]>

* fixed broken inputs, updated README to explain the expected vs max/min inputs

Signed-off-by: Will Dower <[email protected]>

* removed to_i calls in several tests to ensure that nil values don't get incorrectly cast as '0'

Signed-off-by: Will Dower <[email protected]>

* fixed bug in which audit space_left was expected to exactly equal what should have been a minimum threshold

Signed-off-by: Will Dower <[email protected]>

* fixed parse_config_file matching regex to allow for the value to be contained in quotes

Signed-off-by: Will Dower <[email protected]>

* fixed the regex to allow for whitespace, fixed test to account for nil result

Signed-off-by: Will Dower <[email protected]>

* cleaned up output for readability

Signed-off-by: Will Dower <[email protected]>

* fixing too recent inspec version

Signed-off-by: Will Dower <[email protected]>

* started adding sub-descriptions for na and container situations

Signed-off-by: Aaron Lippold <[email protected]>

* removed controls that were consolidated into other controls in V3R6

Signed-off-by: Will Dower <[email protected]>

* Revert "started adding sub-descriptions for na and container situations" since it caused a pipeline fail

This reverts commit 73057e25ab71e8dd6c08d36251bd0aaafcca75bf.

* Remove puppet hardening (unmaintained)

* ansible vanilla role

* ansible hardening role

* ansible hardened role (directly from ansible-rhel7-stig-hardening)

* Uses actions to clone hardening repository

* Updating profile.json in the reposito…
Use STIG V3R6

* Remove puppet hardening (unmaintained)

* ansible vanilla role

* ansible hardening role

* ansible hardened role (directly from ansible-rhel7-stig-hardening)

* Uses actions to clone hardening repository

* Updating profile.json in the repository

* Update correct path for ansible hardening role

* Utilizes ansible-galaxy for hardening script

* Using ansible-galaxy in pre-converge lifecycle hooks

* Test installing ansible-galaxy manually

* Tried changing lifecycle place

* Continue to tinker with ansible-galaxy

* Test on using requirements_path

* wip -- updating ansible dependencies (pip ==> pip3)

Signed-off-by: Will Dower <[email protected]>

* firing actions on push to this branch for dev testing

Signed-off-by: Will Dower <[email protected]>

* trying to figure out package dependencies, ensuring bundler up-to-date

Signed-off-by: Will Dower <[email protected]>

* added pip dependency for jmespath, added config default to have ansible use python3 pip

Signed-off-by: Will Dower <[email protected]>

* Updated to use pip3

* workaround for network issue

* Updating profile.json in the repository

* more explicitly using 7.9 in bento

Signed-off-by: Will Dower <[email protected]>

* rough code for fixing openssl11 issue

Signed-off-by: Will Dower <[email protected]>

* added epel-release

Signed-off-by: Will Dower <[email protected]>

* Updating profile.json in the repository

* Update kitchen configs

* use generic/centos7 and explicitly download ansible

* update unicode setting

* Clean up ec2 driver workflow

* Updating profile.json in the repository

* Update README.md

* Update control for profile error

* Revert update to controls

* Remove debug mode. Update vanilla role readme

* Update macos environment. Use main, not master.

* Update README.md

* Update readme, strip reference to Beaker, Puppet

* More debug info for github actions

* remove debug from github actions

Co-authored-by: HenryXiaoHX <[email protected]>
Co-authored-by: Will Dower <[email protected]>
updating verify-ec2 to use mitre org secrets instead of local ones
… kitchen.ec2.yml files to eliminate redundant keys

Signed-off-by: Emily Rodriguez <[email protected]>
…n for multi-line method definitions

Signed-off-by: Emily Rodriguez <[email protected]>
Signed-off-by: Emily Rodriguez <[email protected]>
@aaronlippold
Member

aaronlippold commented Apr 5, 2023 via email

@Andy-Adrian

Thanks @aaronlippold, closing this PR

@em-c-rod em-c-rod deleted the formatUsingSafCli branch April 12, 2023 14:36