
ansible-lockdown / rhel8-cis-audit


Audit configurations for RHEL8 CIS - utilising goss

License: MIT License

Shell 4.02% YAML 95.98%
cis security rhel8 goss security-hardening security-audit security-auditing-tool compliance-automation rhel8-cis cis-standards

rhel8-cis-audit's People

Contributors

bbaassssiiee, cf-sewe, cpeetersburg, georgenalen, kedy1ykh, pavloos, uk-bolly


rhel8-cis-audit's Issues

Duplicate checks

I found duplicate checks in the sections. I do not understand why. goss version 0.4.3 reports this immediately.
Example, please check
section_3/cis_3.3/cis_3.3.7.yml
The check for net.ip4.conf.all.rp_filter is duplicated.
And this problem exists in all sections.
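A way to catch this before goss does, as an added example rather than code from the project or from the reporter: a standard-library Python scan that reports every mapping key path defined more than once in the audit's YAML files. The sample file is constructed here to mirror the cis_3.3.7.yml case; its titles and values are illustrative, and the script name used below is assumed.

```python
"""Pre-flight check for duplicate keys in goss audit files.

Added example, not part of the rhel8-cis-audit project. goss 0.4.3 refuses a
file that defines the same mapping key twice (the situation reported above),
so this walks block-style YAML with the standard library only and reports
every key path defined more than once. It models block mappings, block
scalars (title: |) and sequences of scalars; sequences of mappings are not
modelled, which is enough for the audit's files.
"""
import re
import sys
from collections import defaultdict
from pathlib import Path

# "key:" at the start of a line (after indentation); the value is optional.
KEY_RE = re.compile(r"^(\s*)([^\s#-][^:#]*?):(?:\s|$)")


def find_duplicate_keys(text):
    """Return {key_path: [line numbers]} for every key path defined more than once.

    key_path is the tuple of nested keys, e.g.
    ('kernel-param', 'net.ipv4.conf.all.rp_filter'). Children of a duplicated
    key are not reported again, so the output points at the real offender.
    """
    seen = defaultdict(list)
    stack = []             # (indent, key, under_duplicate) for the open mappings
    scalar_indent = None   # indent of a "key: |" line while inside its block scalar

    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        if scalar_indent is not None:
            if indent > scalar_indent:
                continue           # still inside the block scalar text
            scalar_indent = None
        if stripped == "-" or stripped.startswith("- "):
            continue               # sequence entry (CIS_ID: - 3.3.7), not a key
        m = KEY_RE.match(line)
        if not m:
            continue               # template directives, continuation lines, etc.
        key = m.group(2).strip()
        # close every mapping that is not an ancestor of this line
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = tuple(k for _, k, _ in stack) + (key,)
        if any(dup for _, _, dup in stack):
            under_duplicate = True   # parent already reported; do not repeat children
        else:
            seen[path].append(lineno)
            under_duplicate = len(seen[path]) > 1
        stack.append((indent, key, under_duplicate))
        value = line[m.end():].strip()
        if value.startswith(("|", ">")):
            scalar_indent = indent   # skip the literal/folded block that follows
    return {path: lines for path, lines in seen.items() if len(lines) > 1}


def scan(paths):
    """Scan files (or directories, recursively, *.yml) and return {file: duplicates}."""
    findings = {}
    for arg in paths:
        p = Path(arg)
        files = sorted(p.rglob("*.yml")) if p.is_dir() else [p]
        for f in files:
            dups = find_duplicate_keys(f.read_text(encoding="utf-8"))
            if dups:
                findings[str(f)] = dups
    return findings


# Constructed sample in the shape of a section_3 audit file; the last entry
# repeats a key already defined under kernel-param.
SAMPLE = """\
kernel-param:
  net.ipv4.conf.all.rp_filter:
    title: 3.3.7 | Ensure Reverse Path Filtering is enabled | all
    value: '1'
    meta:
      CIS_ID:
        - 3.3.7
  net.ipv4.conf.default.rp_filter:
    title: 3.3.7 | Ensure Reverse Path Filtering is enabled | default
    value: '1'
  net.ipv4.conf.all.rp_filter:
    title: |
      3.3.7 | duplicate: goss 0.4.3 rejects this file
    value: '1'
"""

if __name__ == "__main__":
    findings = scan(sys.argv[1:]) if len(sys.argv) > 1 else {"<sample>": find_duplicate_keys(SAMPLE)}
    for fname, dups in findings.items():
        for path, lines in dups.items():
            joined = "/".join(path)
            print(f"{fname}: key '{joined}' defined on lines {lines}")
    sys.exit(1 if any(findings.values()) else 0)
```

Run it over a checkout with `python find_dupes.py section_3` (script name assumed); it exits non-zero when any file repeats a key, so it can sit in a pre-commit hook or CI job before the files are handed to goss.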

ansible-galaxy install fails on missing meta/main.yml

Describe the Issue
This role does not appear to have a meta/main.yml file.

Expected Behavior
Starting galaxy role install process

  • changing role RHEL8_cis_audit from to unspecified

Actual Behavior
[WARNING]: - RHEL8-CIS-Audit was NOT installed successfully

Control(s) Affected
Using it in a project.

Environment (please complete the following information):

not relevant here.

Additional Notes
Anything additional goes here

Possible Solution
Add file meta/main.yml.

Bug using the audit with goss >0.4.x

There are plans to rework the audit to work with goss version >0.4.x.
When using version >0.4.x, the field does not contain the correct queries:

    "matcher-result": {
        "Actual": "object: *bytes.Reader",
        "Expected": [
            "/^MaxAuthTries [1-4]/",
            "!/^MaxAuthTries [5-9]/"
        ],
        "ExtraElements": null,
        "Message": "to have patterns",
        "MissingElements": [
            "/^MaxAuthTries [1-4]/"

I created an issue in the developer's repository:
goss-org/goss#845

Remote audit with Goss

Greetings, colleagues! I want to ask: is it possible to do a CIS audit on many remote computers, so as not to log on to each?
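Collecting the results is the other half of that question. As an added example, not code from the project or from the thread: assuming each host has already been audited over SSH with something like `ssh "$h" 'sudo goss -g <gossfile> --vars <varsfile> validate --format json' > "results/$h.json"` (paths assumed), the script below merges the per-host JSON into a per-control view across the fleet. The sample reports are constructed inline in the shape of goss's JSON formatter; host names and titles are illustrative.

```python
"""Roll up goss JSON output collected from many hosts into one view.

Added example, not part of the rhel8-cis-audit project. Assumed workflow: each
host has been audited with `goss ... validate --format json` (over SSH or via
Ansible) and the output saved locally as <host>.json. Host names, titles and
the sample data below are constructed for illustration.
"""
import json
import sys
from collections import defaultdict
from pathlib import Path


def load_results(text):
    """Return the per-check result list from one host's goss JSON output."""
    return json.loads(text).get("results", [])


def failed_controls(results):
    """Map CIS control id -> titles of the checks that failed on one host.

    One goss resource can carry several CIS_ID entries (the quota package check
    covers 1.1.7.4 and 1.1.7.5), so one failed resource may fail two controls.
    Results without CIS_ID metadata land under "unmapped" instead of being
    dropped, so a missing meta block cannot hide a failure.
    """
    failed = defaultdict(list)
    for r in results:
        if r.get("successful", False):
            continue
        meta = r.get("meta") or {}
        for cis_id in meta.get("CIS_ID") or ["unmapped"]:
            failed[str(cis_id)].append(r.get("title") or r.get("resource-id", "?"))
    return dict(failed)


def fleet_matrix(reports):
    """reports: {host: json_text}. Return {cis_id: sorted hosts failing it}."""
    matrix = defaultdict(set)
    for host, text in reports.items():
        for cis_id in failed_controls(load_results(text)):
            matrix[cis_id].add(host)
    return {cis_id: sorted(hosts) for cis_id, hosts in matrix.items()}


def host_scores(reports):
    """{host: (passed, total)} counted from the results themselves rather than
    goss's summary block, so a truncated or edited summary cannot skew it."""
    scores = {}
    for host, text in reports.items():
        results = load_results(text)
        passed = sum(1 for r in results if r.get("successful", False))
        scores[host] = (passed, len(results))
    return scores


def load_reports(directory):
    """Read the collected <host>.json files into {host: json_text}."""
    return {p.stem: p.read_text(encoding="utf-8")
            for p in sorted(Path(directory).glob("*.json"))}


# --- constructed sample data, in the shape of goss's json formatter ---------

def _result(spec, ok):
    resource_id, title, cis_ids, rtype = spec
    entry = {"resource-type": rtype, "resource-id": resource_id,
             "property": "exit-status", "successful": ok,
             "result": 0 if ok else 1, "title": title,
             "summary-line": f"{rtype}: {resource_id}: {'matches' if ok else 'does not match'} expectation"}
    if cis_ids is not None:          # mimic a check whose goss file has no meta block
        entry["meta"] = {"CIS_ID": cis_ids, "server": 1, "workstation": 1}
    return entry


def _report(results):
    failed = sum(1 for r in results if not r["successful"])
    return json.dumps({"results": results, "summary": {
        "failed-count": failed, "test-count": len(results), "total-duration": 0}})


RP_FILTER = ("net.ipv4.conf.all.rp_filter",
             "3.3.7 | Ensure Reverse Path Filtering is enabled", ["3.3.7"], "KernelParam")
QUOTA = ("quota", "1.1.7.4 | 1.1.7.5 | quota pkg installed", ["1.1.7.4", "1.1.7.5"], "Package")
MAXAUTH = ("sshd_maxauthtries", "Ensure SSH MaxAuthTries is set to 4 or less", None, "Command")

SAMPLE_REPORTS = {   # three hypothetical hosts with mixed outcomes
    "web01": _report([_result(RP_FILTER, True), _result(QUOTA, True), _result(MAXAUTH, True)]),
    "web02": _report([_result(RP_FILTER, False), _result(QUOTA, True), _result(MAXAUTH, True)]),
    "db01": _report([_result(RP_FILTER, True), _result(QUOTA, False), _result(MAXAUTH, False)]),
}

if __name__ == "__main__":
    reports = load_reports(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORTS
    for host, (passed, total) in host_scores(reports).items():
        print(f"{host}: {passed}/{total} checks passed")
    for cis_id, hosts in sorted(fleet_matrix(reports).items()):
        print(f"CIS {cis_id} failing on: {', '.join(hosts)}")
```

Point it at the directory of collected files (`python fleet_report.py results/`, script name assumed) to get one line per host and one line per failing control; the per-control view is what makes a fleet-wide gap (say, rp_filter unset on every web host) visible without opening each report.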

Check for quota package should be inside if clause

Describe the Issue
In the cis_1.1.7.1_5.yml audit, one test checks for the quota package; this is part of the test for usrquota and grpquota. This test is not inside an if clause, meaning it will run even if we have selected not to check usrquota or grpquota.

Expected Behavior
To be skipped if

rhel8cis_rule_1_1_7_4: false
rhel8cis_rule_1_1_7_5: false

Actual Behavior
Will always run, and create false negatives

Control(s) Affected
What controls are being affected by the issue, and the relevant files associated:
CIS 1.1.7.4
CIS 1.1.7.5

RHEL8-CIS-Audit/section_1/cis_1.1/cis_1.1.7.1_5.yml

Environment (please complete the following information):

  • goss version: v0.3.21
  • OS version: RHEL 8.9
  • Additional Details:

Additional Notes
Anything additional goes here

Possible Solution

    package:
    # goss files are Go text/templates: "or" is a function that takes both
    # operands, not an infix operator between them
    {{ if or .Vars.rhel8cis_rule_1_1_7_4 .Vars.rhel8cis_rule_1_1_7_5 }}
      quota:
        title: |
          1.1.7.4 | Ensure usrquota option set on /home partition | quota pkg installed
          1.1.7.5 | Ensure grpquota option set on /home partition | quota pkg installed
        installed: true
        meta:
          server: 2
          workstation: 2
          CIS_ID:
            - 1.1.7.4
            - 1.1.7.5
          CISv8: 3.3
          CISv8_IG1: true
          CISv8_IG2: true
    {{ end }}

rhel8cis_firewall_interface should be variable

Feature Request or Enhancement:

  • Feature [ Change rhel8cis_firewall_interface in ansible_vars_goss.yml.j2 to take variable]
  • Enhancement [Not everyone uses enp0s3 or enp0s8 network interface]

Summary of Request
Want to be able to control which network interfaces goss tests for.
Only allowing enp0s3 or enp0s8 creates false negatives

Describe alternatives you've considered
Disable the whole test

Suggested Code

in ansible_vars_goss.yml.j2:

    rhel8cis_firewall_interface: {{ rhel8cis_firewall_interfaces }}

in defaults/main.yml:

    # quoted so YAML does not parse the braces as a flow mapping
    rhel8cis_firewall_interfaces: "{{ ansible_default_ipv4.interface }}"

Syntax error on run_audit.sh

Describe the Issue
When running run_audit.sh, you get the following error:

tr: missing operand after ‘[:lower:]’
Two strings must be given when translating.
Try 'tr --help' for more information.

Expected Behavior
This error shouldn't be thrown. This is clearly a syntax error in the script.

Actual Behavior
You get a syntax error

Control(s) Affected

  • run_audit.sh

Environment (please complete the following information):

  • goss version: 0.4.2
  • OS version: openSUSE Tumbleweed on WSL
  • Additional Details:

Additional Notes
Testing the code on my WSL sandbox before launching it in the actual environment

Possible Solution
On line 86, one of the following amendments can be made:

  • os_vendor="$(hostnamectl | grep Oper | cut -d: -f2 | awk '{print $1}' | tr '[:upper:]' '[:lower:]')"
  • os_vendor="$(hostnamectl | grep Oper | cut -d: -f2 | awk '{print tolower($1)}')"
