This repository has been archived by the owner on Apr 17, 2023. It is now read-only.
* updating controls up to v2.6 of STIG. Signed-off-by: HackerShark <[email protected]>
* updating controls up to v2.6 of STIG. Signed-off-by: HackerShark <[email protected]>
* Updating name, title and summary
* updated local vagrant to working state (cleanup required); fixed long running controls; started on EC2 spot instance testing using the SPEL partitioned images. Signed-off-by: Aaron Lippold <[email protected]>
* workflow testing. Signed-off-by: Aaron Lippold <[email protected]>
* added kitchen commands to workflow. Signed-off-by: Aaron Lippold <[email protected]>
* added bundler to the workflow. Signed-off-by: Aaron Lippold <[email protected]>
* fixed yaml syntax error. Signed-off-by: Aaron Lippold <[email protected]>
* added build-essentials package to the container and removed simp-helper. Signed-off-by: Aaron Lippold <[email protected]>
* fixed spelling. Signed-off-by: Aaron Lippold <[email protected]>
* apt-get issues ... Signed-off-by: Aaron Lippold <[email protected]>
* fix for sudo. Signed-off-by: Aaron Lippold <[email protected]>
* fixed vagrant kitchen file to keep in line with other kitchen files; added validation, threshold and upload to heimdall-demo. Signed-off-by: Aaron Lippold <[email protected]>
* added uploading artifacts; changed path to results to be in the './results' dir. Signed-off-by: Aaron Lippold <[email protected]>
* fixed spacing error. Signed-off-by: Aaron Lippold <[email protected]>
* added `chef shell-init` to build process. Signed-off-by: Aaron Lippold <[email protected]>
* correct chef shell-init command; added parallel jobs to bundler. Signed-off-by: Aaron Lippold <[email protected]>
* fixing workflow a bit more. Signed-off-by: Aaron Lippold <[email protected]>
* added inspec_tools to Gemfile. Signed-off-by: Aaron Lippold <[email protected]>
* bundler updates and hacks. Signed-off-by: Aaron Lippold <[email protected]>
* bundler again... Signed-off-by: Aaron Lippold <[email protected]>
* Gemfile updates. Signed-off-by: Aaron Lippold <[email protected]>
* fixed ruby version. Signed-off-by: Aaron Lippold <[email protected]>
* updated results file name and made it cleaner. Signed-off-by: Aaron Lippold <[email protected]>
* added more explicit kitchen steps. Signed-off-by: Aaron Lippold <[email protected]>
* spacing issue. Signed-off-by: Aaron Lippold <[email protected]>
* added puppet to gemfile. Signed-off-by: Aaron Lippold <[email protected]>
* moved off the container. Signed-off-by: Aaron Lippold <[email protected]>
* fixed yml formatting. Signed-off-by: Aaron Lippold <[email protected]>
* fixed workstation uri. Signed-off-by: Aaron Lippold <[email protected]>
* added needed sudo commands. Signed-off-by: Aaron Lippold <[email protected]>
* corrected apt install command. Signed-off-by: Aaron Lippold <[email protected]>
* switching to dpkg. Signed-off-by: Aaron Lippold <[email protected]>
* almost to full done. Signed-off-by: Aaron Lippold <[email protected]>
* removed testing and setting of root password. Signed-off-by: Aaron Lippold <[email protected]>
* testing new aws testing instance type. Signed-off-by: Aaron Lippold <[email protected]>
* Fixes #11. Added logic to allow the control to insensitively match the prescribed values. This is the behavior of audisp.
* Fixes #14. Updated the control to utilize '/etc/audisp/plugins.d/au-remote.conf' instead of '/etc/audisp/audispd.conf'. Also, pulled the filename into a variable to ease the burden of future updates.
* Fixes #12. Updated the control to utilize '/etc/audisp/plugins.d/au-remote.conf' instead of '/etc/audisp/audispd.conf'. Also, pulled the filename into a variable to ease the burden of future updates.
* Resolves #19. Utilized the default input values from the v1 controls to generate default values in inspec.yml. Signed-off-by: Lesley Kimmel <[email protected]>
* Reorganized logic for V-72433 (#47). Pulled the conditional impact statements out of the if/then construct early on and added them to the corresponding section near the corresponding describe blocks.
  - Fixes #16
  Signed-off-by: Lesley Kimmel <[email protected]>
  Co-authored-by: Lesley Kimmel <[email protected]>
* Reorganized logic for V-71965 (#49). Pulled the conditional impact statements out of the if/then construct early on and added them to the corresponding section near the corresponding describe blocks.
  - Fixes #18
  Signed-off-by: Lesley Kimmel <[email protected]>
  Co-authored-by: Lesley Kimmel <[email protected]>
* Updated V-81019 to correctly match configurations (#50). Added logic to allow the control to insensitively match the prescribed values. This is the behavior of audisp.
  - Fixes #21
  Signed-off-by: Lesley Kimmel <[email protected]>
  Co-authored-by: Lesley Kimmel <[email protected]>
* Resolved datatype comparison issue in V-72223 (#52). The control was comparing os_env('value').content to an integer. os_env('value').content returns a string. Updated to convert the string to an integer (to_i). The output of doing this directly was poor so I added an explicit subject to clean up the output.
  - Fixes #27
  Signed-off-by: Lesley Kimmel <[email protected]>
  Co-authored-by: Lesley Kimmel <[email protected]>
* Update V-71861.rb
* Update V-71859.rb
* Update V-71891.rb
* fixed some of the missing NAs that didn't have impact 0.0 but more remain. Signed-off-by: Aaron Lippold <[email protected]>
* moved impact back to outside the describe block. Signed-off-by: Aaron Lippold <[email protected]>
* Reorganized logic for V-72417 (#48)
* Reorganized logic for V-72417. Pulled the conditional impact statements out of the if/then construct early on and added them to the corresponding section near the corresponding describe blocks.
  - Fixes #17
  Signed-off-by: Lesley Kimmel <[email protected]>
* updated to expect syntax for cleaner reporting. Signed-off-by: Aaron Lippold <[email protected]>
* expect syntax fix. Signed-off-by: Aaron Lippold <[email protected]>
* updated back to standard should syntax. Signed-off-by: Aaron Lippold <[email protected]>
  Co-authored-by: Lesley Kimmel <[email protected]>
  Co-authored-by: Aaron Lippold <[email protected]>
* Adding support for chronyd in V-72269
  - Added tests to ensure either chronyd or ntpd are installed, enabled and running.
  - Modified to search for files under /etc/cron.daily that contain 'ntpd -q' rather than checking for static file /etc/cron.daily/ntpdate.
  - Allowed for checking configuration of both services if both are installed.
  - Extract the actual `maxpoll` values into a list for more readable reporting (avoid printing complex regex).
  - Fixes #13
  Signed-off-by: Lesley Kimmel <[email protected]>
* Adjusted calculation logic in V-72089
  - Removed the `@` symbol from the `#{audit_log_dir}` variable causing it to resolve to `nil` and presenting all system partitions.
  - Update the shell call to `df` to use standard 1K blocksize instead of human readable format which can return results with various units.
  - Update the space calculation to convert KB into MB ( / 1024) instead of converting [assumed] GB into MB ( * 1024).
  - Updated to remove the use of the Ruby `File` class which would be executed on the Inspec runner instead of the target.
  - Fixes #32
  Signed-off-by: Lesley Kimmel <[email protected]>
* Resolved `undefined local variable` in V-71911. Added variable definition via input (difok).
  - Fixes #33
  Signed-off-by: Lesley Kimmel <[email protected]>
* Resolved `undefined local variable` in V-71863. Added variable definition via input (banner_message_text_cli). Added variable definition via input (banner_message_text_cli_limited).
  - Fixes #34
  Signed-off-by: Lesley Kimmel <[email protected]>
* Fixed `undefined variable` error for V-71933. Added a variable definition via input (min_reuse_generations).
  - Fixes #35
  Signed-off-by: Lesley Kimmel <[email protected]>
* Remove faulty logic from V-78995. Removed the switch 'skip_deprecated_controls' from the control. Restored 'traditional' if/then structure and located the 'impact' override in the fallthrough case.
  - Fixes #3
  Signed-off-by: Lesley Kimmel <[email protected]>
* moved to c5.large instances to lower test bed cost. Signed-off-by: Aaron Lippold <[email protected]>
* Adding new control for V-92253
  - Fixes #8
  Signed-off-by: Lesley Kimmel <[email protected]>
* Adding new control for V-92251
  - Fixes #7
  Signed-off-by: Lesley Kimmel <[email protected]>
* Consider limits.d when checking for hard maxlogins. Added the functionality of collecting all configuration files under limits.d. These files are then searched for any global ('*') entries matching 'hard' and 'maxlogins'. Entries are then compared to the maximum allowable value. At least one file containing a compliant entry is required. No files can contain noncompliant entries. The maximum login number is now configurable via an input ('maxlogins_limit').
  - Fixes #23
  Signed-off-by: Lesley Kimmel <[email protected]>
* Update V-72217.rb
* Added new control for V-92255.
  - Resolves #9
  Signed-off-by: Lesley Kimmel <[email protected]>
* Allow customization of the A/V solution in use. (#73) Update the control to take a switch/boolean input that specifies whether a non-nails solution is in use. If it is, require that a description of the solution be input as a way to document the solution.
  - Fixes #24
  Signed-off-by: Lesley Kimmel <[email protected]>
  Co-authored-by: Lesley Kimmel <[email protected]>
  Co-authored-by: Aaron Lippold <[email protected]>
* Restore default property value. Property value for 'custom_antivirus_description' was mistakenly removed in a previous commit. Signed-off-by: Lesley Kimmel <[email protected]>
* Added new control V-94843. Signed-off-by: Lesley Kimmel <[email protected]>
* Updated V-71963 to be NA when EFI not in use
  - Added a check to see if the EFI configuration file exists. If not, this becomes NA.
  - Added a check for minor version of the OS. If 7.2 or later we only allow 'root' as a superuser.
  - The STIG guidance states that this is NA for versions after 7.2. However, it seems clear that this is still needed; it just changes the way we enforce it.
  - Removed 'efi_user_boot_files' input as it doesn't matter what file the configuration comes from, only that it is merged into the main config.
  - Removed 'efi_main_cfg' input since we need to make the path dynamic to support RHEL variants such as CentOS. Also, the EFI path is pretty well static.
  - Fixes #40
  Signed-off-by: Lesley Kimmel <[email protected]>
* testing. Signed-off-by: Aaron Lippold <[email protected]>
* Corrected the tests for V-72171
  - Removed the architecture check for path watches.
  - Removed all checks for '/bin/mount' as this path is not used.
  - Fixes #29
  Signed-off-by: Lesley Kimmel <[email protected]>
* Update V-72095 to use `execve`. This new change prevents us from having to collect all of the SUID/SGID files on the system.
  - Fixes #30
  Signed-off-by: Lesley Kimmel <[email protected]>
* Updated V-72073 to support overrides
  - Simplified logic to remove loop searching for 'sha512' entries. Instead return them directly with the 'where' clause.
  - Provide an input array to contain patterns to exclude from the test.
  - Fixes #36
  Signed-off-by: Lesley Kimmel <[email protected]>
* Updating V-72065 to account for fstab entry
  - Allow /tmp to be specified in /etc/fstab as well as with the tmp.mount service.
  - Validate that there is only one entry for /tmp in fstab
  - Ensure that the device_name is not empty for the mount
  - Fixes #37
  Signed-off-by: Lesley Kimmel <[email protected]>
* Update V-71897 to allow multiple multiplexers
  - Per v2r6 of the DISA STIG `tmux` is now an allowable option along with screen.
  - Add an input list to contain `screen` and `tmux` and to support any future options.
  - Fixes #67
  Signed-off-by: Lesley Kimmel <[email protected]>
* Modify V-71937 to ignore `*-ac` files
  - If ac (authconfig) files are included or substacked by other services they will still be checked.
  - Loop over each service file in /etc/pam.d to provide a complete view of the configuration.
  - Fixes #41
  Signed-off-by: Lesley Kimmel <[email protected]>
* Updating V-72001 to validate all `allowed_users`
  - The STIG control asks to validate that all accounts present on the system are approved. Explicitly adding them to a known user list provides that validation.
  - There doesn't seem to be a need for a 'disallowed_users' list as users are implicitly disallowed by not being explicitly allowed.
  - Use 'expect' syntax to allow for finer control over the reporting output. Previous output displayed a list of users for each line. Now we just show that each user listed in /etc/passwd has been explicitly listed as an approved user.
  - Fixes #39
  Signed-off-by: Lesley Kimmel <[email protected]>
* Adding test logic for new control V-81003
  - Fixes #4
  Signed-off-by: Lesley Kimmel <[email protected]>
* added logic to new control. Signed-off-by: HackerShark <[email protected]>
* updating logic test for UEFI. Signed-off-by: HackerShark <[email protected]>
* adding logic to control V-81005. Updating V-81007 logic to account for extra condition. Signed-off-by: HackerShark <[email protected]>
* Updated logic, rather than taking user input checking system directly if it uses UEFI or BIOS. Signed-off-by: HackerShark <[email protected]>
* Update V-81005.rb
* added creating the current profile JSON and uploading it to the repo. Signed-off-by: Aaron Lippold <[email protected]>
* testing profile creation. Signed-off-by: Aaron Lippold <[email protected]>
* actually helps to add the file you create
* removing fancy text
* adding -a to the command
* adding a pull prior to the push
* adding a pull prior to the push
* adding a pull prior to the push
* adding a pull prior to the push
* adding profile.json to the repository
* adding a pull prior to the push
* testing
* further fixing on the script. Signed-off-by: Aaron Lippold <[email protected]>
* adding profile.json to the repository
* added saving both the profile.json and the test-result.json to the repo on each change. Signed-off-by: Aaron Lippold <[email protected]>
* added git status. Signed-off-by: Aaron Lippold <[email protected]>
* trying to fix build. Signed-off-by: Aaron Lippold <[email protected]>
* removed profile.json and updated file to older version. Signed-off-by: Aaron Lippold <[email protected]>
* added git add to the command. Signed-off-by: Aaron Lippold <[email protected]>
* adding profile.json to the repository
* adding test-result.json to the repository
* updating controls to place impact adjustment in the main code body. Signed-off-by: HackerShark <[email protected]>
* refactored controls to match current style
* fixed malformed control. Signed-off-by: Aaron Lippold <[email protected]>
* adding profile.json to the repository
* adding test-result.json to the repository
* testing to see if this gets the right branch name. Signed-off-by: Aaron Lippold <[email protected]>
* removed files for testing. Signed-off-by: Aaron Lippold <[email protected]>
* adding profile.json to the repository
* adding test-result.json to the repository
* updated to using the v2 preview of upload-artifact; added the git --cache trick to allow for unchanged profile.json or test-result.json. Signed-off-by: Aaron Lippold <[email protected]>
* fixed json file. Signed-off-by: Aaron Lippold <[email protected]>
* added -f for the git add commands. Signed-off-by: Aaron Lippold <[email protected]>
* being a bit more forceful ... Signed-off-by: Aaron Lippold <[email protected]>
* removing git commits for now to unblock the PR process; artifacts are still being saved. Signed-off-by: Aaron Lippold <[email protected]>
* added the creation of the profile.json again. Signed-off-by: Aaron Lippold <[email protected]>
* fixing control logic. Signed-off-by: HackerShark <[email protected]>
* adding profile.json to the repository
* adding test-result.json to the repository
* demoing a full run. Signed-off-by: Aaron Lippold <[email protected]>
* fixed the vagrant kitchen file to use the vagrant user and not ec2-user. Signed-off-by: Aaron Lippold <[email protected]>
* Modified inspec.yml to use `block` style
  - Updated inspec.yml to remove any arrays or hashes with enclosing brackets.
  - The only time brackets are used is when an empty array ([]) or hash ({}) needs to be represented.
  - Fixes #84
  Signed-off-by: Lesley Kimmel <[email protected]>
* Fixed reporting for V-71947
  - This control was not splitting output lines into an array and was matching ALL lines containing 'NOPASSWD', which included commented lines.
  - Modified to use the `file` resource to be more OS agnostic and build a results array of uncommented lines containing 'NOPASSWD'.
  - Reporting is improved for readability.
  - Fixes #90
  Signed-off-by: Lesley Kimmel <[email protected]>
* Correct logic in V-81005
  - Only OS versions earlier than 7.2 should be checked. Was checking any version 7.2 and later.
  - Fixes #91
  Signed-off-by: Lesley Kimmel <[email protected]>
* Fixed issues in V-72219
  - Changed `firewalld_ports_deny` to a Hash instead of Array
  - Cast hash references to symbols for proper resolution
  - Fixes #28
  Signed-off-by: Lesley Kimmel <[email protected]>
* Fixes issue #56. Signed-off-by: HackerShark <[email protected]>
* Fixing logic error
* Fixes issue #55. Signed-off-by: HackerShark <[email protected]>
* Fixing logic error
* Updated V-72257
  - Removed multiple individual tests and replaced with 'be_more_permissive_than' which covers all permission sets.
  - Changed the command to return key files to stop filtering by current permissions. Inspec should validate the permissions in tests. We need pre-filter results outside of tests.
  - Fixes #97
  Signed-off-by: Lesley Kimmel <[email protected]>
* Fixes #57. Signed-off-by: HackerShark <[email protected]>
* Fixes #59. Signed-off-by: HackerShark <[email protected]>
* added note about long running controls. Signed-off-by: Aaron Lippold <[email protected]>
* added utf-8 encoding strings. Signed-off-by: Aaron Lippold <[email protected]>
* Fixed bug in V-71855
  - Added input call for `rpm_verify_integrity_except`
  - Fixes #103
  Signed-off-by: Lesley Kimmel <[email protected]>
* Fixed bug in V-71849
  - Added input call for `rpm_verify_perms_except`
  - Fixes #102
  Signed-off-by: Lesley Kimmel <[email protected]>
* Fixes #58. Signed-off-by: HackerShark <[email protected]>
* fixing error. Signed-off-by: HackerShark <[email protected]>
* Fixes #53. Signed-off-by: HackerShark <[email protected]>
* fixing error. Signed-off-by: HackerShark <[email protected]>
* updated logic to properly look for systems that don't use passwords for authentication. Signed-off-by: HackerShark <[email protected]>
* Fixes #54. Signed-off-by: HackerShark <[email protected]>
* fixing error. Signed-off-by: HackerShark <[email protected]>
* updated logic to properly look for systems that don't use passwords for authentication. Signed-off-by: HackerShark <[email protected]>
* testing gpg. Signed-off-by: Aaron Lippold <[email protected]>
* Update workflow to not install ruby twice, remove a few unnecessary commands
* Do not install chef workstation and instead just use ruby 2.7 with Chef gems
* Cleanup kitchen.yml, add vanilla test run. This cleans up the code for kitchen to deduplicate some items between kitchen.ec2.yml and kitchen.vagrant.yml. It also adds support for vanilla and hardened threshold levels that the CI can be tested against.
* Remove proxy-related pieces of kitchen vagrant file
* Try running Vagrant with macos in GH Actions
* Remove EC2 verification step and perform the verification in Github Actions using Vagrant instead
* Verify using Vagrant for every PR, only verify using EC2 on release
* Fix update profile script to properly push to PRs
* Rename inputs.example.yml to a more descriptive name
* Move inspec check to a different file, fix the Github action profile.json push back to repository
* Updating profile.json in the repository
* Add clarification with respect to local testing and EC2 versus Vagrant
* Fixes #91. Signed-off-by: HackerShark <[email protected]>
* Fixes #112. Signed-off-by: HackerShark <[email protected]>
* Fixes #101. Signed-off-by: HackerShark <[email protected]>
* Fixes #31 (#110)
* Fixes #31. Signed-off-by: HackerShark <[email protected]>
* updating logic to call inputs directly. Signed-off-by: HackerShark <[email protected]>
* Fixes #111 (#118)
* Fixes #111. Signed-off-by: HackerShark <[email protected]>
* Updating profile.json in the repository
* Revert "Fixes #111 (#118)". This reverts commit e53c5a4.
* Switch over to the official ruby setup since the actions/setup-ruby one is throwing an error
* Lock ruby version to 2.6 in order to avoid Puppet load error. bundler is installed automatically, no need to install it as part of our steps. Release Puppet version lock
* Updating profile.json in the repository
* Update V-72417.rb bugfix
* Add Trend AV to V-72213 checks. Trend Micro Anti-virus service is named 'ds_agent'. This adds one more type of anti-virus this check can check for.
* Updating profile.json in the repository
* Fix describe.one formatting for V-72213
* Updating profile.json in the repository
* Fixes #115, fixes #25 (#124)
* Fixes #115, fixes #25. Signed-off-by: HackerShark <[email protected]>
* Updating profile.json in the repository
* Revert "Fixes #111 (#118)". This reverts commit e53c5a4.
* Switch over to the official ruby setup since the actions/setup-ruby one is throwing an error
* Lock ruby version to 2.6 in order to avoid Puppet load error. bundler is installed automatically, no need to install it as part of our steps. Release Puppet version lock
* Updating profile.json in the repository
* Update V-72417.rb bugfix
* Add Trend AV to V-72213 checks. Trend Micro Anti-virus service is named 'ds_agent'. This adds one more type of anti-virus this check can check for.
* Updating profile.json in the repository
* Fix describe.one formatting for V-72213
* Updating profile.json in the repository
* Fixes #115, fixes #25. Signed-off-by: HackerShark <[email protected]>
* Updating profile.json in the repository
* Fixes #115, fixes #25. Signed-off-by: HackerShark <[email protected]>
* rebase, resolve merge conflicts. Signed-off-by: HackerShark <[email protected]>
* Updating profile.json in the repository
* Updating profile.json in the repository
  Co-authored-by: Robert Clark <[email protected]>
  Co-authored-by: rbclark <[email protected]>
  Co-authored-by: Maven35 <[email protected]>
  Co-authored-by: ejaronne <[email protected]>
  Co-authored-by: ejaronne <[email protected]>
* Fixes #114 (#131)
* Add Trend AV to V-72213 checks. Trend Micro Anti-virus service is named 'ds_agent'. This adds one more type of anti-virus this check can check for.
* Updating profile.json in the repository
* Fix describe.one formatting for V-72213
* Updating profile.json in the repository
* Fixes #114. Signed-off-by: HackerShark <[email protected]>
* Updating profile.json in the repository
* fixing syntax error. Signed-off-by: HackerShark <[email protected]>
* Delete profile.json
* Fixes #114. Signed-off-by: HackerShark <[email protected]>
* fixing syntax error. Signed-off-by: HackerShark <[email protected]>
* Updating profile.json in the repository
* Fixes #115, fixes #25 (#124)
* Fixes #115, fixes #25. Signed-off-by: HackerShark <[email protected]>
* Updating profile.json in the repository
* Revert "Fixes #111 (#118)". This reverts commit e53c5a4.
* Switch over to the official ruby setup since the actions/setup-ruby one is throwing an error
* Lock ruby version to 2.6 in order to avoid Puppet load error. bundler is installed automatically, no need to install it as part of our steps. Release Puppet version lock
* Updating profile.json in the repository
* Update V-72417.rb bugfix
* Add Trend AV to V-72213 checks. Trend Micro Anti-virus service is named 'ds_agent'. This adds one more type of anti-virus this check can check for.
* Updating profile.json in the repository
* Fix describe.one formatting for V-72213
* Updating profile.json in the repository
* Fixes #115, fixes #25. Signed-off-by: HackerShark <[email protected]>
* Updating profile.json in the repository
* Fixes #115, fixes #25. Signed-off-by: HackerShark <[email protected]>
* rebase, resolve merge conflicts. Signed-off-by: HackerShark <[email protected]>
* Updating profile.json in the repository
* Updating profile.json in the repository
  Co-authored-by: Robert Clark <[email protected]>
  Co-authored-by: rbclark <[email protected]>
  Co-authored-by: Maven35 <[email protected]>
  Co-authored-by: ejaronne <[email protected]>
  Co-authored-by: ejaronne <[email protected]>
* Fixes #114. Signed-off-by: HackerShark <[email protected]>
* fixing syntax error. Signed-off-by: HackerShark <[email protected]>
* Updating profile.json in the repository
* Updating profile.json in the repository
  Co-authored-by: ejaronne <[email protected]>
  Co-authored-by: ejaronne <[email protected]>
  Co-authored-by: Robert Clark <[email protected]>
  Co-authored-by: rbclark <[email protected]>
  Co-authored-by: Aaron Lippold <[email protected]>
  Co-authored-by: Maven35 <[email protected]>
* Update inspec.yml locking inspec_version
* Updating profile.json in the repository
* fixing #132 (#133)
* fixing #132. Signed-off-by: HackerShark <[email protected]>
* Updating profile.json in the repository
* Update inspec.yml locking inspec_version
* Updating profile.json in the repository
* version bump
* Updating profile.json in the repository
  Co-authored-by: Aaron Lippold <[email protected]>
  Co-authored-by: Lesley Kimmel <[email protected]>
  Co-authored-by: ljkimmel <[email protected]>
  Co-authored-by: GitHub Action <[email protected]>
  Co-authored-by: Robert Clark <[email protected]>
  Co-authored-by: rbclark <[email protected]>
  Co-authored-by: Maven35 <[email protected]>
  Co-authored-by: ejaronne <[email protected]>
  Co-authored-by: ejaronne <[email protected]>
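The V-72089 arithmetic from the commit list above, written out as plain Ruby. This is an added example, not the profile's control code: the auditd.conf text and the `df -k` output are constructed samples, and the 8192 MB threshold is a stand-in for whatever the profile's input supplies. In the real control both strings come from the target (`file('/etc/audit/auditd.conf').content` and `command("df -k #{dir}").stdout`); Ruby's `File` class is deliberately not used, since it would run on the InSpec runner rather than on the target.

```ruby
# Added example (not the profile's own code): the size check V-72089 needs, in plain Ruby.
# Inputs are strings fetched from the target; nothing here touches the local filesystem.

# constructed sample of /etc/audit/auditd.conf
AUDITD_CONF = <<~CONF
  # auditd configuration
  log_file = /var/log/audit/audit.log
  log_format = ENRICHED
CONF

# constructed sample of `df -k /var/log/audit` (1K blocks, not the -h output with mixed units)
DF_K_OUTPUT = <<~DF
  Filesystem     1K-blocks   Used Available Use% Mounted on
  /dev/sda3       10485760 204800  10280960   2% /var/log/audit
DF

# directory holding the audit log, taken from the log_file setting
def audit_log_dir(conf)
  line = conf.each_line.find { |l| l =~ /\A\s*log_file\s*=/ }
  raise 'log_file is not set in auditd.conf' unless line
  path = line.split('=', 2).last.strip
  path.sub(%r{/[^/]+\z}, '')           # strip the file name, keep the directory
end

# parse df -k output into [mount point, size in MB]; the last line carries the numbers
# even when a long device name wraps the entry onto two lines, so columns are counted
# from the right (mount points containing spaces are not handled)
def df_partition_mb(df_output)
  fields = df_output.lines.last.split
  raise "unexpected df output: #{df_output.inspect}" unless fields.size >= 5
  one_k_blocks = Integer(fields[-5], 10)   # 1K-blocks column
  [fields[-1], one_k_blocks / 1024.0]      # KB -> MB is a division, not a multiplication
end

# the audit log directory must sit on a partition of its own (not /) of at least min_mb
def audit_partition_compliant?(conf, df_output, min_mb)
  audit_log_dir(conf)                      # raises if auditd.conf does not name a log file
  mount, mb = df_partition_mb(df_output)
  mount != '/' && mb >= min_mb
end

if __FILE__ == $PROGRAM_NAME
  mount, mb = df_partition_mb(DF_K_OUTPUT)
  puts "#{audit_log_dir(AUDITD_CONF)} is on #{mount} (#{mb.round} MB)"
  puts "compliant at 8192 MB: #{audit_partition_compliant?(AUDITD_CONF, DF_K_OUTPUT, 8192)}"
end
```

Asking `df` for the directory rather than for the device is what makes the `nil`-variable bug in the original visible: `df -k ` with an empty argument lists every mounted filesystem, so the parser above refuses anything that does not look like a single entry.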
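The limits.d logic described for the maxlogins control above, as an added plain-Ruby example rather than the profile's own control. The file contents are constructed samples and `MAXLOGINS_LIMIT` stands in for the profile's `maxlogins_limit` input; in InSpec the hash would be built from `command('find /etc/security/limits.d -type f')` plus `file(path).content` for each result. It goes one step beyond the commit text in one place: pam_limits treats a type of `-` as both soft and hard, so such entries are counted as hard limits too.

```ruby
# Added example (not the profile's own code): collect every global ('*') hard maxlogins
# entry across limits.conf and limits.d, then require at least one compliant entry and
# no noncompliant one anywhere.

MAXLOGINS_LIMIT = 10   # stand-in for the profile's maxlogins_limit input

# constructed contents of limits.conf and the drop-ins under limits.d
LIMITS_FILES = {
  '/etc/security/limits.conf'            => "# /etc/security/limits.conf\n*  soft  nproc  4096\n",
  '/etc/security/limits.d/10-stig.conf'  => "* hard maxlogins 10\n",
  '/etc/security/limits.d/20-local.conf' => "# * hard maxlogins 50   (commented out, ignored)\nroot hard maxlogins 100\n",
}.freeze

# pam_limits types that impose a hard limit ('-' means soft and hard)
HARD_TYPES = %w[hard -].freeze

# returns [compliant, noncompliant] lists of "path: line" strings; a value that is not
# a plain integer (e.g. 'unlimited' or '-1') is always noncompliant
def global_hard_maxlogins(files, limit)
  compliant = []
  noncompliant = []
  files.each do |path, content|
    content.each_line do |raw|
      line = raw.sub(/#.*/, '').strip      # drop comments and surrounding whitespace
      next if line.empty?
      domain, type, item, value = line.split
      next unless domain == '*' && HARD_TYPES.include?(type) && item == 'maxlogins'
      entry = "#{path}: #{line}"
      if value =~ /\A\d+\z/ && value.to_i <= limit
        compliant << entry
      else
        noncompliant << entry
      end
    end
  end
  [compliant, noncompliant]
end

# at least one compliant global entry, and no noncompliant ones in any file
def maxlogins_compliant?(files, limit = MAXLOGINS_LIMIT)
  compliant, noncompliant = global_hard_maxlogins(files, limit)
  !compliant.empty? && noncompliant.empty?
end

if __FILE__ == $PROGRAM_NAME
  ok, bad = global_hard_maxlogins(LIMITS_FILES, MAXLOGINS_LIMIT)
  puts "compliant entries:    #{ok.inspect}"
  puts "noncompliant entries: #{bad.inspect}"
  puts "result: #{maxlogins_compliant?(LIMITS_FILES)}"
end
```

Reporting the two lists separately is what lets the control say which file carried the offending line instead of printing the regex it matched against.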
Signed-off-by: Rony Xavier <[email protected]>
The cache seems to be causing issues with nokogiri
Remove caching
…rtain controls that require external connectivity in the target system
fixed regex escaping Signed-off-by: Aaron Lippold <[email protected]>
* removed the v2.6 branch from the workflows now that it has been merged. Signed-off-by: Aaron Lippold <[email protected]>
* Updating profile.json in the repository
* removed the conflicting profile.json. Signed-off-by: Aaron Lippold <[email protected]>
  Co-authored-by: aaronlippold <[email protected]>
* Remove Rev_4 from NIST tag: removed the Rev_4 array element from the NIST tag array. Signed-off-by: Aaron Lippold <[email protected]>
* Updating profile.json in the repository
* Updating profile.json in the repository
  Co-authored-by: aaronlippold <[email protected]>
Signed-off-by: Emily Rodriguez <[email protected]>
adding amazon to the supported list
Signed-off-by: Emily Rodriguez <[email protected]>
Update saf command
Updating STIG from V2R6 to V3R6 * Fixes and Rev4 updates for PAM controls (#41) Updated PAM controls and pam resource to reflect changes from the revision 4 update Signed-off-by: Sam Cornwell <[email protected]> * Fixes and Rev4 updates for grub controls (#29) * Updated CCI and NIST tags to use arrays. * * Reviewed all controls and fixed many issues * updated impact logic to account for Not Applicable cases * used the protected regex pattern `%r{ }` in place of // * fixed many false positives reported by end users * added TODOs to all controls that need to be enhanced * added a new attributes files for this branch for review * added logic so that all controls correctly report * removed most `only_if` statments and replaced with skips + impact 0.0 * removed all `severity` tags in lue of using `impact` * * updated V-71863 fix the banner compare * updated V-71961 to account for multiple users * added attributes to support each * Fixed V-71961 regex to accept spaces in front of password_pbkdf2 * Fixed V-71963 regex to accept spaces in front of password_pbkdf2 * Rewrote V-72075 to check the root partition is not removable * Rewrote V-72067 to use grubby to check actual args for fips=1 rather than using buggy resource to try to parse the grub config * Removed constant attributes from grub controls * Removing dedup from V-72075 * Fixes and Rev4 updates for ssh controls (#25) * Updated CCI and NIST tags to use arrays. 
* Reviewed all controls and fixed many issues
* updated impact logic to account for Not Applicable cases
* used the protected regex pattern `%r{ }` in place of `//`
* fixed many false positives reported by end users
* added TODOs to all controls that need to be enhanced
* added a new attributes file for this branch for review
* added logic so that all controls correctly report
* removed most `only_if` statements and replaced with skips + impact 0.0
* removed all `severity` tags in lieu of using `impact`
* Added EXEMPT_HOME_USERS attribute attributes file
* Removed extra attribute defn
* Fixed typo in call to package resource
* Updated attributes file
* Updating to do a range check and if the ClientAliveInterval is not set
* updating controls so they don't evaluate to not_tested.
* Fixed some ssh controls to be more explicit
* Replaced constant attribute CLIENT_ALIVE_INTERVAL with non-constant
* Fixes and Rev4 updates for login_defs controls (#32)
* Reviewed all controls and fixed many issues
* updated impact logic to account for Not Applicable cases
* used the protected regex pattern `%r{ }` in place of `//`
* fixed many false positives reported by end users
* added TODOs to all controls that need to be enhanced
* added a new attributes file for this branch for review
* added logic so that all controls correctly report
* removed most `only_if` statements and replaced with skips + impact 0.0
* removed all `severity` tags in lieu of using `impact`
* Added EXEMPT_HOME_USERS attribute attributes file
* Removed extra attribute defn
* Fixed typo in call to package resource
* Updated attributes file
* Fixing typo in login_defs UMASK setting name
* Fixes and Rev4 updates for antivirus controls (#34)
* Updated to verify that the anti-virus software is installed.
* Updated to use an attribute to check if the anti-virus installation check should be performed.
* Reviewed all controls and fixed many issues
* updated impact logic to account for Not Applicable cases
* used the protected regex pattern `%r{ }` in place of `//`
* fixed many false positives reported by end users
* added TODOs to all controls that need to be enhanced
* added a new attributes file for this branch for review
* added logic so that all controls correctly report
* removed most `only_if` statements and replaced with skips + impact 0.0
* removed all `severity` tags in lieu of using `impact`
* updated V-71863 fix the banner compare
* updated V-71961 to account for multiple users
* added attributes to support each
* Removing ENABLE_AV attribute from antivirus controls
* Fixed the all_with_integer_arg logic (#43)
* Fixed the all_with_integer_arg logic
* This wasn't failing in all cases but was triggered in testing the SIMP PAM module and required a fix.
* Removed the need to make the operators a symbol and also allow strings for ease of use.
* Minor fixes
* Throw a helpful message if someone passes a bad operator
* Flip the default mode to immediately pass on success
* Make sure the value is actually an integer
* Fixed all_with_integer_arg and added any_with_integer_arg to PAM matcher
* Loosened constraint in V-71933 to allow either pam_unix or pam_pwhistory to have remember arg
* Fixes and Rev4 updates for initialization files controls (#22)
* Updated to use attribute to determine if control should be run as well as updated to get home directories from users resource.
* Updated to get home directories from users resource.
* Refactored control to check permissions using the find command.
* Refactored control to check owners using the find command.
* Updated to check for a length of 0.
* Updated to check for user gid and root group.
* Removed debug code and added a comment stating how we would be checking for directories more permissive than 750 and files more permissive than 640.
* Refactored to not use describe statements to check permissions when we can do it with find.
* Updated to use sets and check the length of findings.
* Updated to check that it should be empty.
* Updated CCI and NIST tags to use arrays.
* Fixed a few errors in the tags.
* Updated to use be_empty. Also removed attribute for now.
* Removed extra end keyword.
* Updated to support an attribute that allows the control to be disabled because it is slow.
* Reviewed all controls and fixed many issues
* updated impact logic to account for Not Applicable cases
* used the protected regex pattern `%r{ }` in place of `//`
* fixed many false positives reported by end users
* added TODOs to all controls that need to be enhanced
* added a new attributes file for this branch for review
* added logic so that all controls correctly report
* removed most `only_if` statements and replaced with skips + impact 0.0
* removed all `severity` tags in lieu of using `impact`
* Added EXEMPT_HOME_USERS attribute attributes file
* Removed extra attribute defn
* Fixed typo in call to package resource
* Updated attributes file
* small change to push file
* updated V-71863 fix the banner compare
* updated V-71961 to account for multiple users
* added attributes to support each
* fixed small / major issues with some of the tests.
* enhanced / corrected the Not Applicable reporting.
* ensured all 'Not Applicable' by attribute controls worked fully.
* small fixes to attributes
* enhancements to completeness of controls and testing
* Updated local interactive checks to filter out non-interactive users.
* Fixed several controls involving interactive users which were not properly querying for only interactive users
* Minor update to make consistent with other controls
* Updated to use users resource. Also, added check to exclude comments and check for nosuid being set in /etc/fstab.
* Fixing logic of control V-72037 to properly get count of references to world-writable files and compare against it
* Formatting changes
* Fixed find command in V-72027 to search for all directories and files with permissions less restrictive than 0750
* Update to RHEL7v4
* Fixing smart double quotes to be ascii double quotes
* updating controls so they don't evaluate to not_tested.
* Removed constants from initialization files controls
* Adding /bin/true to list of non-interactive shells
* Fixes and Rev4 updates for miscellaneous controls (#40)
* Updated to fix typo in grep command.
* Updated CCI and NIST tags to use arrays.
* Reviewed all controls and fixed many issues
* updated impact logic to account for Not Applicable cases
* used the protected regex pattern `%r{ }` in place of `//`
* fixed many false positives reported by end users
* added TODOs to all controls that need to be enhanced
* added a new attributes file for this branch for review
* added logic so that all controls correctly report
* removed most `only_if` statements and replaced with skips + impact 0.0
* removed all `severity` tags in lieu of using `impact`
* Added EXEMPT_HOME_USERS attribute attributes file
* Removed extra attribute defn
* Fixed typo in call to package resource
* Updated attributes file
* updated V-71863 fix the banner compare
* updated V-71961 to account for multiple users
* added attributes to support each
* fixed small / major issues with some of the tests.
* enhanced / corrected the Not Applicable reporting.
* ensured all 'Not Applicable' by attribute controls worked fully.
* small fixes to attributes
* enhancements to completeness of controls and testing
* Fixed usb storage driver name. For configuration files, usb-storage and usb_storage are interchangeable. modprobe seems to use the name usb_storage regardless of the config name
* Update to RHEL7v4
* Fixing smart double quotes to be ascii double quotes
* Removing constant attributes and adding subsystems tag for misc controls
* Fixes and Rev4 updates for privilege controls (#39)
* Rewrote V-71947 to be able to recursively process all sudoers files by following include and `includedir` directives
* Removed constant variables in some privilege controls
* Removed non-standard users from V-72001
* Fixes and Rev4 updates for installed packages controls (#38)
* Fixed clean_requirements_on_remove to be referenced within the main section of yum.conf for control V-71987
* Update to RHEL7v4
* Fixed find expression and test statement for control V-72039
* Rewrote V-72299 to allow ftp server as long as SSL is used
* Rewrote rpm verify controls to remove hard-coded exceptions
* Removed constant attribute from V-72307
* Added dangerous tag to control which uses global find command
* Fixes and Rev4 updates for interactive user controls (#36)
* Updated local interactive checks to filter out non-interactive users.
* Fixed several controls involving interactive users which were not properly querying for only interactive users
* Adding uid constraints to controls V-72011 and V-72015
* Update to RHEL7v4
* Removed constant attributes from interactive user controls
* Added lookup of UID_MIN from login_defs to the interactive user controls
* Added xdev and xautofs args to some find commands on home directories
* Fixes and Rev4 updates for network controls (#33)
* Updated to include iptables check.
* Updated to account for IPv6 being disabled in the kernel.
* Updated CCI and NIST tags to use arrays.
* fixed missing [ in cci tag.
* Pulling in changes from csp_mod branch
* Reviewed all controls and fixed many issues
* updated impact logic to account for Not Applicable cases
* used the protected regex pattern `%r{ }` in place of `//`
* fixed many false positives reported by end users
* added TODOs to all controls that need to be enhanced
* added a new attributes file for this branch for review
* added logic so that all controls correctly report
* removed most `only_if` statements and replaced with skips + impact 0.0
* removed all `severity` tags in lieu of using `impact`
* Added EXEMPT_HOME_USERS attribute attributes file
* Removed extra attribute defn
* Fixed typo in call to package resource
* Updated attributes file
* small change to push file
* updated V-71863 fix the banner compare
* updated V-71961 to account for multiple users
* added attributes to support each
* Added check in V-72223 for TMOUT is in the bashrc file
* Corrected attribute name in V-72223
* Merged attributes files
* Updated control V-72317
* fixed small / major issues with some of the tests.
* enhanced / corrected the Not Applicable reporting.
* ensured all 'Not Applicable' by attribute controls worked fully.
* small fixes to attributes
* enhancements to completeness of controls and testing
* Update to RHEL7v4
* Updated to support checking the files in /etc/profile.d
* Fixed V-72269 to properly check that maxpoll is set
* Fixed control V-72223 to describe.one on all the possible locations of TMOUT
* Removed constant attribute from V-72223
* Added xautofs flag to a few find commands
* Rewrote SNMP control V-72313 to recursively find all conf files via include statements
* Rewrote ipsec control V-72317 to recursively find all conf files via include
* Changed ntpd maxpoll control to use ntpd --saveconfigquit (currently loaded config) rather than the config file
* Added dangerous global find tag to couple controls
* Fixes and Rev4 updates for multifactor controls (#31)
* Updated to check for other sssd files
* Updated to include checking logic.
* Fixed SMART_CARD_STATUS constant attribute to be a non-constant
* Modified multifactor_enabled control to take optional user parameter to use when running dconf
* Fixes and Rev4 updates for LDAP controls (#28)
* fixing the logic of the V-72227 to match check text
* fixing the logic of the V-72229 to match check text
* fixing the logic of the V-72231 to match check text
* Added support to LDAP controls for SSSD (#11)
* Updating V-72227, V-72229, and V-72231 controls to take into account usage of SSSD
* Tweaked regex syntax in V-72229 and V-72231 controls
* Revised LDAP controls to not be dependent upon authconfig and also removed constant variables
* Fixed LDAP controls to dynamically extract CA cert files and directories
* Fixes and Rev4 updates for session lock controls (#26)
* Update from RHEL7 Rel1 to Rel4
* Updating logic to extract value so it can be evaluated using comparison operators.
* Fixing smart double quotes to be ascii double quotes
* updating controls so they don't evaluate to not_tested.
* Improved gnome controls to use gsettings rather than hard-coded file paths
* Fixes and Rev4 updates for aide controls (#24)
* Update to RHEL7v4
* Fixed V-72069, V-72071, and V-72073 to work around aide_conf resource bug
* Replaced constant attribute FILE_INTEGRITY_INTERVAL and FILE_INTEGRITY_TOOL with non-constants
* Fixed aide controls to also search for cron jobs in the root crontab and /etc/cron.d
* Fixes and Rev4 updates for filesystem controls (#30)
* Adding attributes and removing login.defs requirement from V-72059 (#13)
* Fixing uid comparison logic of control V-72059 to use the same constant min_uid of 1000 as in other controls. Added exception to this control to ignore the root user because its home directory does not typically exist on the same mount point as other home directories
* Updating control to include new logic using the mount resource.
* updating controls so they don't evaluate to not_tested.
* Removed some constant attributes
* Rewrote nouser and nogroup controls to properly iterate over all mounted filesystem types
* Added lookup of UID_MIN from login_defs to V-72059
* Fixes and Rev4 updates for banner controls (#23)
* Updated to check if banner is not set, disabled, or provides a non-existent filepath.
* Fixed misuse of constants in banner controls. Constants inside the controls have global scope, and so re-use of constant names between controls can cause collisions if they are not intended to be the same
* Updated to make escaping of quote characters consistent.
* Tweaking V-71859 attribute to work even if boolean passed instead of string
* updating controls so they don't evaluate to not_tested.
* Removed constant attributes on banner controls and added some guards to check for gnome on certain controls. Added ability to specify a user to use to execute dconf
* Add attributes file and clean attributes (#44)
* Adding attributes file
* Cleaned up all the attributes. Fixed some inconsistencies and renamed a few. Also added missing attributes to attributes.yml
* Formatting banner texts to be multiline string. Removing unbound user from known_system_accounts
  Signed-off-by: Sam Cornwell <[email protected]>
* Adding configurable unlock_time to pam_faillock controls (#47)
* Adding configurable unlock_time to pam_faillock controls
* Adding lockout_time to attributes file
* (SIMP-MAINT) Subsystem control tagging update (#65)
* (SIMP-MAINT) Subsystem control tagging update
* vendor prior to tests
* force revendoring
* tweak travis settings
* require all checks to pass
* Updated the find command for V-72027 to filter by '! -type l' (#71)
* Set the desc field for the control and only update the describe/skip … (#70)
* Set the desc field for the control and only update the describe/skip text in V-71849.
* Fix syntax error (missing :)
* Remove TODO comments to cleanup control
* Modify reporting for V-71999 to 'List of out-of-date packages should be empty'. Fix describe.one syntax error. (#69)
* Update mfa_pkg_list attribute with packages from RHEL documentation (#68)
* Various updates (#66)
* Update V-72241 and V-72251 to check the operating system release as described.
* Introduce a 'virtual_machine' attribute for V-72039 so that if the target is expected to be a virtual machine the check will allow /dev/vmci. Update V-72039 to check for vmci_device_t contexts.
* Fix impact rating in V-72305 when TFTP is not installed. Fix checking for incorrect package name. Expand RegEx check to match the long option (--secure) and short option (-s) and match an absolute path.
* Update comment for smart_card_status in attributes.yml to include V-72417 and V-72433.
* Expand comment about exempt_home_users attribute to include all applicable controls.
* Fix disable_slow_controls to false and update comment for exempt_home_users
* Move impact reduction out of describe block
* Updated 72253 (#11)
* fix typo (#78)
  Small fix: Typo fix on 'explicitly'
* removed extra spaces (#77)
* V-71999: fixed incorrect path for `su` in auditd config (#79)
  - disabled slow controls in .kitchen.yml
  - added a `nolong` attributes file
  Signed-off-by: Aaron Lippold <[email protected]>
* Moves linux_patch resource into our libraries directory (#80)
* moves the linux patches resource into our profiles library
* updates the `inspec.yml` to remove dependency upstream
* updates the `.gitignore` to include .beaker
* bumped Gemfile for beaker-helper to 1.14.1
  Signed-off-by: Aaron Lippold <[email protected]>
* Fixes #82 (#83)
  Signed-off-by: Rony Xavier <[email protected]>
* added subsystem tag to aide tests (#84)
* Updated 'default' label for attributes to 'value' (#85)
* (SIMP-6708) Create and ensure inspec tests work (#86)
* Updated 'default' label for attributes to 'value'
* Added 'subsystem' tags to items that did not have them
* (SIMP-6708) Create and ensure inspec tests work by module (#87)
  Added subsystem tags
* missing parenthesis on example (#89)
* (SIMP-6708) Create and ensure inspec tests work by module (#90)
* Updated subsystem tags
* V-72037 V2R1 Update title and find command
  Per https://github.com/ComplianceAsCode/content/issues/3432 Adding -xdev to find prevents scanning /proc/, significantly speeding up this control.
* Update V-72037 to search using pattern file
  To reduce the number of grep invocations, we instead combine the world-writable files list and invoke grep using this combined list as a pattern file. If no world-writable files exist, we skip the grep invocations to prevent matching on an empty pattern
* Update V-72037 to limit grep pattern file length
  Since we are passing the list of world-writable files to grep using process substitution, we need to make sure the command line isn't too long. We hard-code a limit and break the list of world-writable files into chunks of pattern files no bigger than said limit.
* Update V-72037 to prevent searching .bash_history
  Since .bash_history isn't executed, it will cause false positives if there is any mention of a world writable file.
* Update V-72037, Get PATTERN_FILE_MAX_LENGTH
* Update V-72427.rb (#99)
  Updating to handle the case where SSSD is installed, but, no configuration files are found.
* Update V-71941.rb
  Closes #93.
* Update V-71983.rb
  Closes #96.
* Update V-72059.rb
  Closes #94.
* Update V-72315.rb
  Closes #95.
* Update V-72433.rb
  Re-issuing @Bialogs pull request (https://github.com/simp/inspec-profile-disa_stig-el7/pull/72).
* (SIMP-6708) Create and ensure inspec tests work by module (#91)
  Added tags to the various inspec controls
* changing attributes to inputs (#106)
* updating the code so it doesn't error out when the file doesn't exist. (#108)
* updating check and fix text to use new format. (#107)
* 72433 (#109)
* Updating control to handle the case when the file doesn't exist. Replaces PR #72.
* updating to use inputs and sub descriptions.
* adding the `matchers.rb` file back into the libraries as the `pam` resource breaks without it until the pam work is merged into upstream master. (#111)
  Signed-off-by: Aaron Lippold <[email protected]>
* updating controls to use resources. (#115)
* V-71961 grub2 Configuration File (#67)
* Changed array of grub2 superusers to a single superuser in grub_superuser attribute. Updated V-71961 to look for all instances of setting a grub2 superuser and superusers password within given grub configuration.
* Update V-71961 to check if environment variables are being set for the grub2 superuser password, if they are the control now examines provided user.cfg files to ensure that the password is encrypted with pbkdf2, if they are not it will check the password_ line entry in the given grub_main_cfg file.
* V 72049 (#122)
* Updated to check mask of initialization files and umask for each user.
* Skips remote filesystems
* Adding an automated test for this control. (#123)
* Updating control to check ports and services for all zones. (#120)
* Update V-71961.rb (#124)
* Updating attributes to inputs and moving defaults to inspec.yml. (#130)
* 73163 - Updating attributes to inputs and moving defaults to inspec.yml. (#132)
* Fixing 72223 to correctly handle the collection of TMOUT (#133)
  Fixed a bug in 72223 where it was reporting a value of nil when the configuration setting was not set in a file. The code now reports that the configuration setting is not configured in the specific file. Updating this control to include an active check by looking at the set TMOUT environment variable as well as accommodating situations where 'readonly TMOUT' is set.
* Update inspec.yml (#134)
* Fixed the check for oscp_on in the cert policy lines. (#136)
* Fixed incorrect subsystem entries (#138)
* Update dconf input to use nil instead of '' (#131)
* Updating attributes to inputs and moving defaults to inspec.yml.
* Updating dconf checks to use nil instead of ''.
* fix trailing whitespace
  Co-authored-by: Trevor Vaughan <[email protected]>
* V-71971 SELinux should ignore system_u (#139)
  - Fixed the SELinux tests to ignore system_u by default in V-71971
* Fix to issue #140 (#141)
* Addressing issue #143 (#146)
  Modified a duplicate declaration of 'file_integrity_tool' in inspec.yml.
  Signed-off-by: Lesley Kimmel <[email protected]>
* Addressing issue #145 (#147)
  Updated control V-72191 to reference '/usr/bin/kmod' instead of '/sbin/insmod'.
  Signed-off-by: Lesley Kimmel <[email protected]>
  Co-authored-by: Lesley Kimmel <[email protected]>
  Co-authored-by: Trevor Vaughan <[email protected]>
* Addressing issue #129 (#148)
  Set the input 'grub_superuser' to type String with value 'root' in inspec.yml as this is what dependent controls expect.
  Signed-off-by: Lesley Kimmel <[email protected]>
  Co-authored-by: Lesley Kimmel <[email protected]>
  Co-authored-by: Trevor Vaughan <[email protected]>
* Addressing issue #149 (#150)
  Moved the 'linux_update' resource reference out of the describe/subject block into a control-level variable. Also, generated a list of package names to pass to the 'List of out-of-date packages' block instead of the entire JSON object for cleaner output.
  Signed-off-by: Lesley Kimmel <[email protected]>
  Co-authored-by: Lesley Kimmel <[email protected]>
  Co-authored-by: Trevor Vaughan <[email protected]>
* Set theme jekyll-theme-cayman
* Updating repo name in readme
* Setting up github workflows
* Delete .travis.yml
* Updating master branch to v2.6 of STIG (#135)
* updating controls up to v2.6 of STIG
  Signed-off-by: HackerShark <[email protected]>
* updating controls up to v2.6 of STIG
  Signed-off-by: HackerShark <[email protected]>
* Updating name, title and summary
* updated local vagrant to working state - cleanup required
  fixed long running controls
  started on EC2 spot instance testing using the SPEL partitioned images
  Signed-off-by: Aaron Lippold <[email protected]>
* workflow testing
  Signed-off-by: Aaron Lippold <[email protected]>
* added kitchen commands to workflow
  Signed-off-by: Aaron Lippold <[email protected]>
* added bundler to the workflow
  Signed-off-by: Aaron Lippold <[email protected]>
* fixed yaml syntax error
  Signed-off-by: Aaron Lippold <[email protected]>
* added build-essentials package to the container and removed simp-helper
  Signed-off-by: Aaron Lippold <[email protected]>
* fixed spelling
  Signed-off-by: Aaron Lippold <[email protected]>
* apt-get issues ...
  Signed-off-by: Aaron Lippold <[email protected]>
* fix for sudo
  Signed-off-by: Aaron Lippold <[email protected]>
* fixed vagrant kitchen file to keep in line with other kitchen files
  added validation, threshold and upload to heimdall-demo
  Signed-off-by: Aaron Lippold <[email protected]>
* added uploading artifacts
  changed path to results to be in the './results' dir
  Signed-off-by: Aaron Lippold <[email protected]>
* fixed spacing error
  Signed-off-by: Aaron Lippold <[email protected]>
* added `chef shell-init` to build process.
  Signed-off-by: Aaron Lippold <[email protected]>
* correct chef shell-init command
  added parallel jobs to bundler
  Signed-off-by: Aaron Lippold <[email protected]>
* fixing workflow a bit more
  Signed-off-by: Aaron Lippold <[email protected]>
* added inspec_tools to Gemfile
  Signed-off-by: Aaron Lippold <[email protected]>
* bundler updates and hacks
  Signed-off-by: Aaron Lippold <[email protected]>
* bundler again...
  Signed-off-by: Aaron Lippold <[email protected]>
* Gemfile updates
  Signed-off-by: Aaron Lippold <[email protected]>
* fixed ruby version
  Signed-off-by: Aaron Lippold <[email protected]>
* updated results file name and made it cleaner
  Signed-off-by: Aaron Lippold <[email protected]>
* added more explicit kitchen steps
  Signed-off-by: Aaron Lippold <[email protected]>
* spacing issue
  Signed-off-by: Aaron Lippold <[email protected]>
* added puppet to gemfile
  Signed-off-by: Aaron Lippold <[email protected]>
* moved off the container
  Signed-off-by: Aaron Lippold <[email protected]>
* fixed yml formatting
  Signed-off-by: Aaron Lippold <[email protected]>
* fixed workstation uri
  Signed-off-by: Aaron Lippold <[email protected]>
* added needed sudo commands
  Signed-off-by: Aaron Lippold <[email protected]>
* corrected apt install command
  Signed-off-by: Aaron Lippold <[email protected]>
* switching to dpkg
  Signed-off-by: Aaron Lippold <[email protected]>
* almost to full done
  Signed-off-by: Aaron Lippold <[email protected]>
* removed testing and setting of root password
  Signed-off-by: Aaron Lippold <[email protected]>
* testing new aws testing instance type
  Signed-off-by: Aaron Lippold <[email protected]>
* Fixes #11
  Added logic to allow the control to insensitively match the prescribed values. This is the behavior of audisp.
* Fixes #14
  Updated the control to utilize '/etc/audisp/plugins.d/au-remote.conf' instead of '/etc/audisp/audispd.conf'. Also, pulled the filename into a variable to ease the burden of future updates.
* Fixes #12
  Updated the control to utilize '/etc/audisp/plugins.d/au-remote.conf' instead of '/etc/audisp/audispd.conf'. Also, pulled the filename into a variable to ease the burden of future updates.
* Resolves #19
  Utilized the default input values from the v1 controls to generate default values in inspec.yml.
  Signed-off-by: Lesley Kimmel <[email protected]>
* Reorganized logic for V-72433 (#47)
  Pulled the conditional impact statements out of the if/then construct early on and added them to the corresponding section near the corresponding describe blocks.
  - Fixes #16
  Signed-off-by: Lesley Kimmel <[email protected]>
  Co-authored-by: Lesley Kimmel <[email protected]>
* Reorganized logic for V-71965 (#49)
  Pulled the conditional impact statements out of the if/then construct early on and added them to the corresponding section near the corresponding describe blocks.
  - Fixes #18
  Signed-off-by: Lesley Kimmel <[email protected]>
  Co-authored-by: Lesley Kimmel <[email protected]>
* Updated V-81019 to correctly match configurations (#50)
  Added logic to allow the control to insensitively match the prescribed values. This is the behavior of audisp.
  - Fixes #21
  Signed-off-by: Lesley Kimmel <[email protected]>
  Co-authored-by: Lesley Kimmel <[email protected]>
* Resolved datatype comparison issue in V-72223 (#52)
  The control was comparing os_env('value').content to an integer. os_env('value').content returns a string. Updated to convert the string to an integer (to_i).
  The output of doing this directly was poor so I added an explicit subject to clean up the output.
  - Fixes #27
  Signed-off-by: Lesley Kimmel <[email protected]>
  Co-authored-by: Lesley Kimmel <[email protected]>
* Update V-71861.rb
* Update V-71859.rb
* Update V-71891.rb
* fixed some of the missing NAs that didn't have impact 0.0 but more remain
  Signed-off-by: Aaron Lippold <[email protected]>
* moved impact back to outside the describe block
  Signed-off-by: Aaron Lippold <[email protected]>
* Reorganized logic for V-72417 (#48)
* Reorganized logic for V-72417
  Pulled the conditional impact statements out of the if/then construct early on and added them to the corresponding section near the corresponding describe blocks.
  - Fixes #17
  Signed-off-by: Lesley Kimmel <[email protected]>
* updated to expect syntax for cleaner reporting
  Signed-off-by: Aaron Lippold <[email protected]>
* expect syntax fix
  Signed-off-by: Aaron Lippold <[email protected]>
* updated back to standard should syntax
  Signed-off-by: Aaron Lippold <[email protected]>
  Co-authored-by: Lesley Kimmel <[email protected]>
  Co-authored-by: Aaron Lippold <[email protected]>
* Adding support for chronyd in V-72269
  - Added tests to ensure either chronyd or ntpd are installed, enabled and running.
  - Modified to search for files under /etc/cron.daily that contain 'ntpd -q' rather than checking for static file /etc/cron.daily/ntpdate.
  - Allowed for checking configuration of both services if both are installed.
  - Extract the actual `maxpoll` values into a list for more readable reporting (avoid printing complex regex).
  - Fixes #13
  Signed-off-by: Lesley Kimmel <[email protected]>
* Adjusted calculation logic in V-72089
  - Removed the `@` symbol from the `#{audit_log_dir}` variable causing it to resolve to `nil` and presenting all system partitions.
  - Update the shell call to `df` to use standard 1K blocksize instead of human readable format which can return results with various units.
  - Update the space calculation to convert KB into MB ( / 1024) instead of converting [assumed] GB into MB ( * 1024).
  - Updated to remove the use of the Ruby `File` class which would be executed on the Inspec runner instead of the target.
  - Fixes #32
  Signed-off-by: Lesley Kimmel <[email protected]>
* Resolved `undefined local variable` in V-71911
  Added variable definition via input (difok).
  - Fixes #33
  Signed-off-by: Lesley Kimmel <[email protected]>
* Resolved `undefined local variable` in V-71863
  Added variable definition via input (banner_message_text_cli).
  Added variable definition via input (banner_message_text_cli_limited).
  - Fixes #34
  Signed-off-by: Lesley Kimmel <[email protected]>
* Fixed `undefined variable` error for V-71933
  Added a variable definition via input (min_reuse_generations).
  - Fixes #35
  Signed-off-by: Lesley Kimmel <[email protected]>
* Remove faulty logic from V-78995
  Removed the switch 'skip_deprecated_controls' from the control. Restored 'traditional' if/then structure and located the 'impact' override in the fallthrough case.
  - Fixes #3
  Signed-off-by: Lesley Kimmel <[email protected]>
* moved to c5.large instances to lower test bed cost
  Signed-off-by: Aaron Lippold <[email protected]>
* Adding new control for V-92253
  - Fixes #8
  Signed-off-by: Lesley Kimmel <[email protected]>
* Adding new control for V-92251
  - Fixes #7
  Signed-off-by: Lesley Kimmel <[email protected]>
* Consider limits.d when checking for hard maxlogins
  Added the functionality of collecting all configuration files under limits.d. These files are then searched for any global ('*') entries matching 'hard' and 'maxlogins'. Entries are then compared to the maximum allowable value. At least one file containing a compliant entry is required. No files can contain noncompliant entries. The maximum login number is now configurable via an input ('maxlogins_limit').
  - Fixes #23
  Signed-off-by: Lesley Kimmel <[email protected]>
* Update V-72217.rb
* Added new control for V-92255.
  - Resolves #9
  Signed-off-by: Lesley Kimmel <[email protected]>
* Allow customization of the A/V solution in use. (#73)
  Update the control to take a switch/boolean input that specifies whether a non-nails solution is in use. If it is, require that a description of the solution be input as a way to document the solution
  - Fixes #24
  Signed-off-by: Lesley Kimmel <[email protected]>
  Co-authored-by: Lesley Kimmel <[email protected]>
  Co-authored-by: Aaron Lippold <[email protected]>
* Restore default property value.
  Property value for 'custom_antivirus_description' was mistakenly removed in a previous commit.
  Signed-off-by: Lesley Kimmel <[email protected]>
* Added new control V-94843.
  Signed-off-by: Lesley Kimmel <[email protected]>
* Updated V-71963 to be NA when EFI not in use
  - Added a check to see if the EFI configuration file exists. If not, this becomes NA.
  - Added a check for minor version of the OS. If 7.2 or later we only allow 'root' as a superuser.
  - The STIG guidance states that this is NA for versions after 7.2. However, it seems clear that this is still needed it just changes the way we enforce it.
  - Removed 'efi_user_boot_files' input as it doesn't matter what file the configuration comes from, only that it is merged into the main config.
  - Removed 'efi_main_cfg' input since we need to make the path dynamic to support RHEL variants such as CentOS. Also, the EFI path is pretty well static.
  - Fixes #40
  Signed-off-by: Lesley Kimmel <[email protected]>
* testing
  Signed-off-by: Aaron Lippold <[email protected]>
* Corrected the tests for V-72171
  - Removed the architecture check for path watches.
  - Removed all checks for '/bin/mount' as this path is not used.
  - Fixes #29
  Signed-off-by: Lesley Kimmel <[email protected]>
* Update V-72095 to use `execve`
  This new change prevents us from having to collect all of the SUID/SGID files on the system.
  - Fixes #30
  Signed-off-by: Lesley Kimmel <[email protected]>
* Updated V-72073 to support overrides
  - Simplified logic to remove loop searching for 'sha512' entries. Instead return them directly with the 'where' clause.
  - Provide an input array to contain patterns to exclude from the test.
  - Fixes #36
  Signed-off-by: Lesley Kimmel <[email protected]>
* Updating V-72065 to account for fstab entry
  - Allow /tmp to be specified in /etc/fstab as well as with the tmp.mount service.
  - Validate that there is only one entry for /tmp in fstab
  - Ensure that the device_name is not empty for the mount
  - Fixes #37
  Signed-off-by: Lesley Kimmel <[email protected]>
* Update V-71897 to allow multiple multiplexers
  - Per v2r6 of the DISA STIG `tmux` is now an allowable option along with screen.
  - Add an input list to contain `screen` and `tmux` and to support any future options.
  - Fixes #67
  Signed-off-by: Lesley Kimmel <[email protected]>
* Modify V-71937 to ignore `*-ac` files
  - If ac (authconfig) files are included or substacked by other services they will still be checked.
  - Loop over each service file in /etc/pam.d to provide a complete view of the configuration.
  - Fixes #41
  Signed-off-by: Lesley Kimmel <[email protected]>
* Updating V-72001 to validate all `allowed_users`
  - The STIG control asks to validate that all accounts present on the system are approved. Explicitly adding them to a known user list provides that validation.
  - There doesn't seem to be a need for a 'disallowed_users' list as users are implicitly disallowed by not being explicitly allowed.
  - Use 'expect' syntax to allow for finer control over the reporting output. Previous output displayed a list of users for each line. Now we just show that each user listed in /etc/passwd has been explicitly listed as an approved user.
  - Fixes #39
  Signed-off-by: Lesley Kimmel <[email protected]>
* Adding test logic for new control V-81003
  - Fixes #4
  Signed-off-by: Lesley Kimmel <[email protected]>
* added logic to new control
  Signed-off-by: HackerShark <[email protected]>
* updating logic test for UEFI
  Signed-off-by: HackerShark <[email protected]>
* adding logic to control V-81005. Updating V-81007 logic to account for extra condition
  Signed-off-by: HackerShark <[email protected]>
* Updated logic, rather than taking user input checking system directly if it uses UEFI or BIOS
  Signed-off-by: HackerShark <[email protected]>
* Update V-81005.rb
* added creating the current profile JSON and uploading it to the repo
  Signed-off-by: Aaron Lippold <[email protected]>
* testing profile creation
  Signed-off-by: Aaron Lippold <[email protected]>
* actually helps to add the file you create
* removing fancy text
* adding -a to the commandwq
* adding a pull prior to the push
* adding a pull prior to the push
* adding a pull prior to the push
* adding a pull prior to the push
* adding profile.json to the repository
* adding a pull prior to the push
* testing
* further fixing on the script
  Signed-off-by: Aaron Lippold <[email protected]>
* adding profile.json to the repository
* added saving both the profile.json and the test-result.json to the repo on each change
  Signed-off-by: Aaron Lippold <[email protected]>
* added git status
  Signed-off-by: Aaron Lippold <[email protected]>
* trying to fix build
  Signed-off-by: Aaron Lippold <[email protected]>
* removed profile.json and updated file to older version
  Signed-off-by: Aaron Lippold <[email protected]>
* added git add to the command
  Signed-off-by: Aaron Lippold <[email protected]>
* adding profile.json to the repository
* adding test-result.json to the repository
* updating controls to place impact adjustment in the main code body
  Signed-off-by: HackerShark <[email protected]>
* refactored controls to match current style
* fixed malformed control
  Signed-off-by: Aaron Lippold <[email protected]>
* adding profile.json to the repository
* adding test-result.json to the repository
* testing to see if this gets the right branch name
  Signed-off-by: Aaron Lippold <[email protected]>
* removed files for testing
  Signed-off-by: Aaron Lippold <[email protected]>
* adding profile.json to the repository
* adding test-result.json to the repository
* updated to using the v2 preview of upload-artifact
  added the git --cache trick to allow for unchanged profile.json or test-result.json
  Signed-off-by: Aaron Lippold <[email protected]>
* fixed json file
  Signed-off-by: Aaron Lippold <[email protected]>
* added -f for the git add commands
  Signed-off-by: Aaron Lippold <[email protected]>
* being a bit more forceful ...
  Signed-off-by: Aaron Lippold <[email protected]>
* removing git commits for now to unblock the PR process - artifacts are still being saved.
  Signed-off-by: Aaron Lippold <[email protected]>
* added the creation of the profile.json again
  Signed-off-by: Aaron Lippold <[email protected]>
* fixing control logic
  Signed-off-by: HackerShark <[email protected]>
* adding profile.json to the repository
* adding test-result.json to the repository
* demoing a full run
  Signed-off-by: Aaron Lippold <[email protected]>
* fixed the vagrant kitchen file to use the vagrant user and not ec2-user
  Signed-off-by: Aaron Lippold <[email protected]>
* Modified inspec.yml to use `block` style
  - Updated inspec.yml to remove any arrays or hashes with enclosing brackets.
  - The only time brackets are used is when an empty array ([]) or hash ({}) needs to be represented
  - Fixes #84
  Signed-off-by: Lesley Kimmel <[email protected]>
* Fixed reporting for V-71947
  - This control was not splitting output lines into an array and was matching ALL lines containing 'NOPASSWD', which included commented lines.
  - Modified to use the `file` resource to be more OS agnostic and build a results array of uncommented lines containing 'NOPASSWD'
  - Reporting is improved for readability
  - Fixes #90
  Signed-off-by: Lesley Kimmel <[email protected]>
* Correct logic in V-81005
  - Only OS versions earlier than 7.2 should be checked. Was checking any version 7.2 and later.
  - Fixes #91
  Signed-off-by: Lesley Kimmel <[email protected]>
* Fixed issues in V-72219
  - Changed `firewalld_ports_deny` to a Hash instead of Array
  - Cast hash references to symbols for proper resolution
  - Fixes #28
  Signed-off-by: Lesley Kimmel <[email protected]>
* Fixes issue #56
  Signed-off-by: HackerShark <[email protected]>
* Fixing logic error
* Fixes issue #55
  Signed-off-by: HackerShark <[email protected]>
* Fixing logic error
* Updated V-72257
  - Removed multiple individual tests and replaced with 'be_more_permissive_than' which covers all permission sets.
  - Changed the command to return key files to stop filtering by current permissions. Inspec should validate the permissions in tests. We need pre-filter results outside of tests.
- Fixes #97 Signed-off-by: Lesley Kimmel <[email protected]> * Fixes #57 Signed-off-by: HackerShark <[email protected]> * Fixes #59 Signed-off-by: HackerShark <[email protected]> * added note about long running controls Signed-off-by: Aaron Lippold <[email protected]> * added utf-8 encoding strings Signed-off-by: Aaron Lippold <[email protected]> * Fixed bug in V-71855 - Added input call for `rpm_verify_integrity_except` - Fixes #103 Signed-off-by: Lesley Kimmel <[email protected]> * Fixed bug in V-71849 - Added input call for `rpm_verify_perms_except` - Fixes #102 Signed-off-by: Lesley Kimmel <[email protected]> * Fixes #58 Signed-off-by: HackerShark <[email protected]> * fixing error Signed-off-by: HackerShark <[email protected]> * Fixes #53 Signed-off-by: HackerShark <[email protected]> * fixing error Signed-off-by: HackerShark <[email protected]> * updated logic to properly look for systems that don't use passwords for authentication Signed-off-by: HackerShark <[email protected]> * Fixes #54 Signed-off-by: HackerShark <[email protected]> * fixing error Signed-off-by: HackerShark <[email protected]> * updated logic to properly look for systems that don't use passwords for authentication Signed-off-by: HackerShark <[email protected]> * testing gpg Signed-off-by: Aaron Lippold <[email protected]> * Update workflow to not install ruby twice, remove a few unnecessary commands * Do not install chef workstation and instead just use ruby 2.7 with Chef gems * Cleanup kitchen.yml, add vanilla test run This cleans up the code for kitchen to deduplicate some items between kitchen.ec2.yml and kitchen.vagrant.yml. It also adds support for vanilla and hardened threshold levels that the CI can be tested against. 
* Remove proxy-related pieces of kitchen vagrant file * Try running Vagrant with macos in GH Actions * Remove EC2 verification step and perform the verification in Github Actions using Vagrant instead * Verify using Vagrant for every PR, only verify using EC2 on release * Fix update profile script to properly push to PRs * Rename inputs.example.yml to a more descriptive name * Move inspec check to a different file, fix the Github action profile.json push back to repository * Updating profile.json in the repository * Add clarification with respect to local testing and EC2 versus Vagrant * Fixes #91 Signed-off-by: HackerShark <[email protected]> * Fixes #112 Signed-off-by: HackerShark <[email protected]> * Fixes #101 Signed-off-by: HackerShark <[email protected]> * Fixes #31 (#110) * Fixes #31 Signed-off-by: HackerShark <[email protected]> * updating logic to call inputs directly Signed-off-by: HackerShark <[email protected]> * Fixes #111 (#118) * Fixes #111 Signed-off-by: HackerShark <[email protected]> * Updating profile.json in the repository * Revert "Fixes #111 (#118)" This reverts commit e53c5a4f39582120c93d603fd816130fcc165127. * Switch over to the official ruby setup since the actions/setup-ruby one is throwing an error * Lock ruby version to 2.6 in order to avoid Puppet load error bundler is installed automatically, no need to install it as part of our steps Release Puppet version lock * Updating profile.json in the repository * Update V-72417.rb bugfix * Add Trend AV to V-72213 checks Trend Micro Anti-virus service is named 'ds_agent'. This adds one more type of anti-virus this check can check for. * Updating profile.json in the repository * Fix describe.one formatting for V-72213 * Updating profile.json in the repository * Fixes #115, fixes #25 (#124) * Fixes #115, fixes #25 Signed-off-by: HackerShark <[email protected]> * Updating profile.json in the repository * Revert "Fixes #111 (#118)" This reverts commit e53c5a4f39582120c93d603fd816130fcc165127. 
* Switch over to the official ruby setup since the actions/setup-ruby one is throwing an error * Lock ruby version to 2.6 in order to avoid Puppet load error bundler is installed automatically, no need to install it as part of our steps Release Puppet version lock * Updating profile.json in the repository * Update V-72417.rb bugfix * Add Trend AV to V-72213 checks Trend Micro Anti-virus service is named 'ds_agent'. This adds one more type of anti-virus this check can check for. * Updating profile.json in the repository * Fix describe.one formatting for V-72213 * Updating profile.json in the repository * Fixes #115, fixes #25 Signed-off-by: HackerShark <[email protected]> * Updating profile.json in the repository * Fixes #115, fixes #25 Signed-off-by: HackerShark <[email protected]> * rebase, resolve merge conflicts Signed-off-by: HackerShark <[email protected]> * Updating profile.json in the repository * Updating profile.json in the repository Co-authored-by: Robert Clark <[email protected]> Co-authored-by: rbclark <[email protected]> Co-authored-by: Maven35 <[email protected]> Co-authored-by: ejaronne <[email protected]> Co-authored-by: ejaronne <[email protected]> * Fixes #114 (#131) * Add Trend AV to V-72213 checks Trend Micro Anti-virus service is named 'ds_agent'. This adds one more type of anti-virus this check can check for. 
* Updating profile.json in the repository * Fix describe.one formatting for V-72213 * Updating profile.json in the repository * Fixes #114 Signed-off-by: HackerShark <[email protected]> * Updating profile.json in the repository * fixing syntax error Signed-off-by: HackerShark <[email protected]> * Delete profile.json * Fixes #114 Signed-off-by: HackerShark <[email protected]> * fixing syntax error Signed-off-by: HackerShark <[email protected]> * Updating profile.json in the repository * Fixes #115, fixes #25 (#124) * Fixes #115, fixes #25 Signed-off-by: HackerShark <[email protected]> * Updating profile.json in the repository * Revert "Fixes #111 (#118)" This reverts commit e53c5a4f39582120c93d603fd816130fcc165127. * Switch over to the official ruby setup since the actions/setup-ruby one is throwing an error * Lock ruby version to 2.6 in order to avoid Puppet load error bundler is installed automatically, no need to install it as part of our steps Release Puppet version lock * Updating profile.json in the repository * Update V-72417.rb bugfix * Add Trend AV to V-72213 checks Trend Micro Anti-virus service is named 'ds_agent'. This adds one more type of anti-virus this check can check for. 
* Updating profile.json in the repository * Fix describe.one formatting for V-72213 * Updating profile.json in the repository * Fixes #115, fixes #25 Signed-off-by: HackerShark <[email protected]> * Updating profile.json in the repository * Fixes #115, fixes #25 Signed-off-by: HackerShark <[email protected]> * rebase, resolve merge conflicts Signed-off-by: HackerShark <[email protected]> * Updating profile.json in the repository * Updating profile.json in the repository Co-authored-by: Robert Clark <[email protected]> Co-authored-by: rbclark <[email protected]> Co-authored-by: Maven35 <[email protected]> Co-authored-by: ejaronne <[email protected]> Co-authored-by: ejaronne <[email protected]> * Fixes #114 Signed-off-by: HackerShark <[email protected]> * fixing syntax error Signed-off-by: HackerShark <[email protected]> * Updating profile.json in the repository * Updating profile.json in the repository Co-authored-by: ejaronne <[email protected]> Co-authored-by: ejaronne <[email protected]> Co-authored-by: Robert Clark <[email protected]> Co-authored-by: rbclark <[email protected]> Co-authored-by: Aaron Lippold <[email protected]> Co-authored-by: Maven35 <[email protected]> * Update inspec.yml locking inspec_version * Updating profile.json in the repository * fixing #132 (#133) * fixing #132 Signed-off-by: HackerShark <[email protected]> * Updating profile.json in the repository * Update inspec.yml locking inspec_version * Updating profile.json in the repository * version bump * Updating profile.json in the repository Co-authored-by: Aaron Lippold <[email protected]> Co-authored-by: Lesley Kimmel <[email protected]> Co-authored-by: ljkimmel <[email protected]> Co-authored-by: GitHub Action <[email protected]> Co-authored-by: Robert Clark <[email protected]> Co-authored-by: rbclark <[email protected]> Co-authored-by: Maven35 <[email protected]> Co-authored-by: ejaronne <[email protected]> Co-authored-by: ejaronne <[email protected]> * Delete greetings_program.yml * 
added 4th NOTICE statement since this is STIG based * Update README.md * Rename LICENSE to LICENSE.md * Update README.md * Update README.md * Update README.md * Update README.md * Update README.md * Updating profile.json in the repository * Update find controls to use -xdev tags to prevent search of network fs * Update V-72039 add -xdev to find command Signed-off-by: Rony Xavier <[email protected]> * Updating profile.json in the repository * Remove caching The cache seems to be causing issues with nokogiri * Adding a new disconnected_system flag to allow the ability to flag certain controls that require external connectivity in the target system * Modifying the V-71999 control to use the new disconnected_system flag * Fixing the flag typo on the control * Fixing another Ruby typo * fixed location of if statement fixed regex escaping Signed-off-by: Aaron Lippold <[email protected]> * Updating profile.json in the repository * removed the v2.6 branch from the workflows (#142) * removed the v2.6 branch from the workflows now that it has been merged Signed-off-by: Aaron Lippold <[email protected]> * Updating profile.json in the repository * removed the conflicting profile.json Signed-off-by: Aaron Lippold <[email protected]> Co-authored-by: aaronlippold <[email protected]> * Remove Rev_4 from NIST tag (#143) * Remove Rev_4 from NIST tag - removed the Rev_4 array element from the NIST tag array Signed-off-by: Aaron Lippold <[email protected]> * Updating profile.json in the repository * Updating profile.json in the repository Co-authored-by: aaronlippold <[email protected]> * updated the profile version number * removed unneeded lines * fixed the ec2 testing to go on PR or Push Signed-off-by: Aaron Lippold <[email protected]> * testing updates for ec2 builds and testing Signed-off-by: Aaron Lippold <[email protected]> * put things back Signed-off-by: Aaron Lippold <[email protected]> * turned the matrix back on and fixed file names for ec2 runs Signed-off-by: Aaron 
Lippold <[email protected]> * fixed typo in the yaml Signed-off-by: Aaron Lippold <[email protected]> * fixed broken step Signed-off-by: Aaron Lippold <[email protected]> * updated Workflow name for easier reading when demoing Signed-off-by: Aaron Lippold <[email protected]> * corrected typo for mfa removed quotes around input for MFA: changed multifactor_enabled: "true" to multifactor_enabled: true * fixed reference to input * fixed reference to input * fixed another reference to input * another fix to input reference * fixed new line issues * ensuring no profile errors * ensuring no profile errors * Updated License.md Signed-off-by: karikarshivani <[email protected]> * Updating profile.json in the repository * Updated inspec.yml to the latest standards Signed-off-by: karikarshivani <[email protected]> * Updating profile.json in the repository * Updating README.md to latest standards Signed-off-by: HackerShark <[email protected]> * Updating profile.json in the repository * adding a sensitive input for test and demo * Revert "adding a sensitive input for test and demo" This reverts commit 569e50997e55b214c16cadae3ccc57c18e980b5e. * Check permissions for all auditd rules in a cleaner manner The previous method was causing very opaque failures due to permissions returning a nil array in some cases and `nil.include` was causing an error. This change provides a much more straightforward error to show users that they have to add the execute filter in auditd for their test to pass. * Updating profile.json in the repository * Remove newline from middle of starting This was causing a newline to show up in the scan results. 
* Updating profile.json in the repository * Fix supports for base profile (#162) * Fix supports for base profile Testing if this falls through to child profiles * Updating profile.json in the repository * added centos Signed-off-by: GitHub <[email protected]> * update profile.json Signed-off-by: GitHub <[email protected]> * fixing profile.json Signed-off-by: GitHub <[email protected]> * Updating profile.json in the repository Co-authored-by: aaronlippold <[email protected]> * swapped descs to tags Signed-off-by: Will Dower <[email protected]> * rubocop run Signed-off-by: Will Dower <[email protected]> * fixed a buggy regex Signed-off-by: Will Dower <[email protected]> * used inspec_delta profile update_id to update control filenames to SV-XXXXXX Signed-off-by: Will Dower <[email protected]> * ran inspec_delta profile update to update metadata/control names Signed-off-by: Will Dower <[email protected]> * swapped out check, fix, and rational tags for descs Signed-off-by: Will Dower <[email protected]> * ran rubocop Signed-off-by: Will Dower <[email protected]> * fixed buggy regex Signed-off-by: Will Dower <[email protected]> * moved descs to tags Signed-off-by: Will Dower <[email protected]> * added LineLength to rubocop Signed-off-by: Will Dower <[email protected]> * ran update Signed-off-by: Will Dower <[email protected]> * swapped out tags for check, fix, rational with descs Signed-off-by: Will Dower <[email protected]> * updating to use the pipeline config that we will use for gitlab repo side Signed-off-by: Will Dower <[email protected]> * pulling in correct Gemfile for this pipeline version Signed-off-by: Will Dower <[email protected]> * made a local docker testing yml and some docker testing inputs Signed-off-by: Will Dower <[email protected]> * first few new controls Signed-off-by: Will Dower <[email protected]> * wrote the brand new controls, removed spec dir Signed-off-by: Will Dower <[email protected]> * removed unnecessary files from old profile version 
Signed-off-by: Will Dower <[email protected]> * merging in pipeline control code Signed-off-by: Will Dower <[email protected]> * removing controls from previous versions of the STIG that have been deprecated Signed-off-by: Will Dower <[email protected]> * refactored audit control Signed-off-by: Will Dower <[email protected]> * finished updating audit controls to new pattern Signed-off-by: Will Dower <[email protected]> * further updates to old control code, fixed pipeline to run the full profile, updated the hardened ec2 threshold Signed-off-by: Will Dower <[email protected]> * last batch of updates to control code to bring it to current STIG release Signed-off-by: Will Dower <[email protected]> * fixing profile errors Signed-off-by: Will Dower <[email protected]> * fixed profile errors from pipeline, started adding tags to the controls based on container applicability and subsystem category Signed-off-by: Will Dower <[email protected]> * assessing more controls for container applicability Signed-off-by: Will Dower <[email protected]> * refactored the remaining audit controls to match the new pattern, applied tags Signed-off-by: Will Dower <[email protected]> * finished tagging controls for container applicability Signed-off-by: Will Dower <[email protected]> * clarifying test output, fixing bugs Signed-off-by: Will Dower <[email protected]> * taking a look at the pam controls Signed-off-by: Will Dower <[email protected]> * updating README Signed-off-by: Will Dower <[email protected]> * adding in a few more container checks, figured out a cleaner test pattern for the pam checks Signed-off-by: Will Dower <[email protected]> * small tweaks to inspec.yml and the README Signed-off-by: Will Dower <[email protected]> * removed threshold file from controls dir Signed-off-by: Aaron Lippold <[email protected]> * Updated the README and `inspec.yml` - updated language to not promise an ATO if they ran this on their system - updated all organizational references to official 
sources, DISA, NIST, etc - simplified and corrected direction on execution of the profile both locally and from an archive - simplified language and use of acronyms - corrected vendor references and names - corrected instructions on use of inputs - corrected references to SRGs, STIGs, CCIs, NIST 800-53 controls etc - removed all external links - wikipedia etc - and used official publications - linted for GitLab Markdown Styleguide - reformatted yaml files Signed-off-by: Aaron Lippold <[email protected]> * Forgot the container aware section and enhanced the inputs section for a bit more clarity as to why they want to do things this way * Add new file * Update CONTAINER-ONLY-TESTS.md * Documented the create method * added links to profile stats * getting the paths working * Update README.md * Simplified the Profile stats section * Fixed typo in path * clarified the intended use of the main branch vs our formal releases * Grammar * removed unneeded bolding of text and a few other grammar use issues * Update README.md * fixed broken link * Update README.md * Update README.md * Delete CONTAINER-ONLY-TESTS.md * moved the container applicable controls page to a wiki * fixed typo in kitchen.dokken-local.yml Signed-off-by: Aaron Lippold <[email protected]> * Update section depth to be more logical with what the user has to do and added section links * Logical flow and information grouping * Update README.md * Update README.md * Update README.md * tweaking the README Signed-off-by: Will Dower <[email protected]> * adding cli output to container pipeline run for easier reading Signed-off-by: Will Dower <[email protected]> * adjusted the rest of the pam checks, added a few more inputs for configurability Signed-off-by: Will Dower <[email protected]> * standardized input names, fixed a few broken inputs in the Signed-off-by: Will Dower <[email protected]> * fixed broken inputs, updated README to explain the expected vs max/min inputs Signed-off-by: Will Dower <[email protected]> * 
removed to_i calls in several tests to ensure that nil values don't get incorrectly cast as '0' Signed-off-by: Will Dower <[email protected]> * fixed bug in which audit space_left was expected to exactly equal what should have been a minimum threshold Signed-off-by: Will Dower <[email protected]> * fixed parse_config_file matching regex to allow for the value to be contained in quotes Signed-off-by: Will Dower <[email protected]> * fixed the regex to allow for whitespace, fixed test to account for nil result Signed-off-by: Will Dower <[email protected]> * cleaned up output for readability Signed-off-by: Will Dower <[email protected]> * fixing too recent inspec version Signed-off-by: Will Dower <[email protected]> * started adding sub-descriptions for na and container situations Signed-off-by: Aaron Lippold <[email protected]> * removed controls that were consolidated into other controls in V3R6 Signed-off-by: Will Dower <[email protected]> * Revert "started adding sub-descriptions for na and container situations" since it caused a pipeline fail This reverts commit 73057e25ab71e8dd6c08d36251bd0aaafcca75bf. * Remove puppet hardening (unmaintained) * ansible vanilla role * ansible hardening role * ansible hardened role (directly from ansible-rhel7-stig-hardening) * Uses actions to clone hardening repository * Updating profile.json in the reposito…
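The commit list above describes a fix to the V-71947 sudoers check (it previously matched every line containing `NOPASSWD`, commented lines included). The following is an added example, not code from the profile or its authors, showing in plain Ruby what that filtering looks like against a constructed sudoers sample; the function names and the sample content are assumptions for the example.

```ruby
# Added example, not the profile's own control code: the V-71947 fix in the
# commit log stopped matching every line containing 'NOPASSWD' (including
# commented-out ones). This shows that filtering on a constructed sudoers sample.

# Constructed sample sudoers content: the two commented NOPASSWD lines must be
# ignored, the two live ones reported.
SAMPLE_SUDOERS = <<~SUDOERS
  ## Allow root to run any commands anywhere
  root    ALL=(ALL)       ALL
  # %wheel  ALL=(ALL)       NOPASSWD: ALL
  %wheel  ALL=(ALL)       ALL
  deploy  ALL=(ALL)       NOPASSWD: /usr/bin/systemctl restart app
      # indented comment: NOPASSWD: ALL
  backup  ALL=(root)      NOPASSWD:/usr/bin/rsync
SUDOERS

# Return the uncommented lines that grant NOPASSWD, trimmed, in file order.
def nopasswd_entries(content)
  content.each_line.map(&:strip)
         .reject { |line| line.empty? || line.start_with?('#') }
         .select { |line| line.match?(/\bNOPASSWD\b/) }
end

# What the old control effectively did: any occurrence anywhere, comments included.
def naive_nopasswd_match?(content)
  content.include?('NOPASSWD')
end

# The sudoers configuration passes the check only when no live NOPASSWD entry exists.
def sudo_requires_password?(content)
  nopasswd_entries(content).empty?
end

if __FILE__ == $PROGRAM_NAME
  puts 'Live NOPASSWD entries:'
  nopasswd_entries(SAMPLE_SUDOERS).each { |entry| puts "  #{entry}" }
  commented_only = "# user ALL=(ALL) NOPASSWD: ALL\nuser ALL=(ALL) ALL\n"
  puts "naive match on commented-only file: #{naive_nopasswd_match?(commented_only)}"
  puts "filtered check passes on commented-only file: #{sudo_requires_password?(commented_only)}"
end
```

Reporting the filtered entries themselves, rather than a bare pass/fail, is what makes the result actionable for whoever has to fix the sudoers file, which is the readability improvement the commit message refers to.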
Signed-off-by: HenryXiaoHX <[email protected]>
Use STIG V3R6 * Remove puppet hardening (unmaintained) * ansible vanilla role * ansible hardening role * ansible hardened role (directly from ansible-rhel7-stig-hardening) * Uses actions to clone hardening repository * Updating profile.json in the repository * Update correct path for ansible hardening role * Utilizes ansible-galaxy for hardening script * Using ansible-galaxy in pre-converge lifecycle hooks * Test installing ansible-galaxy manually * Tried changing lifecycle place * Continue to tinker with ansible-galaxy * Test on using requirements_path * wip -- updating ansible dependencies (pip ==> pip3) Signed-off-by: Will Dower <[email protected]> * firing actions on push to this branch for dev testing Signed-off-by: Will Dower <[email protected]> * trying to figure out package dependencies, ensuring bundler up-to-date Signed-off-by: Will Dower <[email protected]> * added pip dependency for jmespath, added config default to have ansible use python3 pip Signed-off-by: Will Dower <[email protected]> * Updated to use pip3 * workaround for network issue * Updating profile.json in the repository * more explicitly using 7.9 in bento Signed-off-by: Will Dower <[email protected]> * rough code for fixing openssl11 issue Signed-off-by: Will Dower <[email protected]> * added epel-release Signed-off-by: Will Dower <[email protected]> * Updating profile.json in the repository * Update kitchen configs * use generic/centos7 and explicitly download ansible * update unicode setting * Clean up ec2 driver workflow * Updating profile.json in the repository * Update README.md * Update control for profile error * Revert update to controls * Remove debug mode. Update vanilla role readme * Update macos environment. Use main, not master. * Update README.md * Update readme, strip reference to Beaker, Puppet * More debug info for github actions * remove debug from github actions Co-authored-by: HenryXiaoHX <[email protected]> Co-authored-by: Will Dower <[email protected]>
Signed-off-by: Will Dower <[email protected]>
updating verify-ec2 to use mitre org secrets instead of local ones
… kitchen.ec2.yml files to eliminate redundant keys Signed-off-by: Emily Rodriguez <[email protected]>
…n for multi-line method definitions Signed-off-by: Emily Rodriguez <[email protected]>
Signed-off-by: Emily Rodriguez <[email protected]>
Signed-off-by: Emily Rodriguez <[email protected]>
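Several commits in the list above concern the same pitfall in the audit configuration checks: `to_i` turning a missing value into `0`, a config regex that rejected quoted values or surrounding whitespace, and `space_left` being compared for equality when it should be a minimum. The block below is an added example, not the profile's own `parse_config_file` code or any of its controls; the function names and the auditd.conf fragment are constructed for the example.

```ruby
# Added example, not the profile's own code: nil-safe reading of a numeric
# auditd.conf setting, modelled on three fixes in the commit log: accept quoted
# values and surrounding whitespace, do not let a missing value become 0 through
# nil.to_i, and treat the configured input as a minimum rather than an exact value.

# Constructed sample auditd.conf fragment (num_logs is only present commented out).
SAMPLE_AUDITD_CONF = <<~CONF
  # This file controls the configuration of the audit daemon
  log_file = /var/log/audit/audit.log
  max_log_file_action = ROTATE
  space_left   =   "75"
  admin_space_left = 50
  #num_logs = 5
CONF

# Return the raw value of `key` with optional quotes stripped, or nil when the
# key is absent or only present in a comment. Anchors keep 'space_left' from
# matching inside 'admin_space_left'.
def config_value(content, key)
  pattern = /\A\s*#{Regexp.escape(key)}\s*=\s*["']?([^"'\s]+)["']?\s*\z/
  content.each_line do |line|
    next if line.strip.start_with?('#')
    m = pattern.match(line.chomp)
    return m[1] if m
  end
  nil
end

# Integer value or nil. nil.to_i would silently give 0, which is why the commit
# log removed to_i calls; Integer(..., exception: false) keeps nil as nil and
# also returns nil for non-numeric values such as ROTATE.
def numeric_setting(content, key)
  raw = config_value(content, key)
  raw.nil? ? nil : Integer(raw, exception: false)
end

# Pass only when the value exists and is at least the required minimum;
# a missing setting is a failure, not a silent 0 >= minimum comparison.
def meets_minimum?(content, key, minimum)
  value = numeric_setting(content, key)
  !value.nil? && value >= minimum
end

if __FILE__ == $PROGRAM_NAME
  %w[space_left admin_space_left num_logs].each do |key|
    puts "#{key}: #{numeric_setting(SAMPLE_AUDITD_CONF, key).inspect} " \
         "(>= 25? #{meets_minimum?(SAMPLE_AUDITD_CONF, key, 25)})"
  end
end
```

Treating a missing value as `nil` rather than `0` changes the outcome in exactly the case that matters: with `to_i`, an absent `space_left` would compare as `0 >= minimum` and fail with a misleading message, or, for a maximum-style check, pass when it should not.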
Thanks @aaronlippold, closing this PR