Comments (5)
Great, thanks @shepdelacreme! We ended up going for a template per rule; I will put together a PR once I can get the last couple of rules to pass OpenSCAP. Looks like the version in the RHEL7 yum repos has got a couple of false positives.
We are definitely open to PRs. There are some general contributing guidelines here that cover our preferred Ansible syntax (although they are a bit out of date and need an update). https://github.com/ansible/ansible-lockdown/blob/master/CONTRIBUTING.md
SCORED and NOT_SCORED refer to the CIS benchmark itself. You can go here https://www.cisecurity.org/cis-benchmarks/ and get version 2.2.0 of the RHEL7 benchmark if you don't already have it. On page 14 of that document they outline the difference, but essentially items that are marked as "Scored" are counted in the final benchmark assessment and "Not Scored" items are not, so if your system is not compliant with a "Not Scored" item it should not lower the score from an automated scoring system like OpenSCAP.
However, I don't know if that is how OpenSCAP operates, and I'm also not sure how your auditor views them. Some auditors will count "Not Scored" items against you.
The numbers are meaningful. They are directly tied to the item numbers in the CIS Benchmark PDF document. For instance, your example of "fix rpm file perms" is most likely check # "6.1.1 Audit system file permissions" from the CIS benchmark.
6.1.1 is not implemented yet, which is why OpenSCAP is probably reporting that error back to you.
As you can see below, the task runs command: /bin/true, which is just a placeholder and reports back success each time. If you'd like to implement this control you would edit this placeholder task.
https://github.com/MindPointGroup/RHEL7-CIS/blob/dd23ba5df908e9415ecd2d7aa5948dff6f2f1199/tasks/section6.yml#L1-L10
Brilliant, thanks @shepdelacreme!
I am implementing the not-implemented auditd rules for our site.
Currently there are some lineinfile rules around the conf file and the audit.rules.
To me it would make sense to use a template for several of those rules (I would like to do this for the unimplemented ones) called something like cis.rules.j2 that can go in /etc/audit/rules.d/ and can have conditional blocks per rule based on variables (such as rhel7cis_rule_4_1_11 and rhel7cis_rule_4_1_11) as well as env variables (such as ansible_architecture == 'x86_64').
Would this be a welcome PR, or would there be a different way (e.g. a separate rules file per rule, or adding to the existing audit.rules file with lineinfile) you would prefer it implemented? To me it might make sense to have a separate file per rule called something like /etc/audit/rules.d/rhel7cis_rule_4_1_13.rule
@sambanks This would be a welcome PR. The method you describe with a jinja2 template file or something like what is being done in our RHEL7 STIG baseline repo would work. https://github.com/MindPointGroup/RHEL7-STIG/blob/bb4e907f718ab583470e545ffb5ce81459d3952b/tasks/fix-cat2.yml#L1212
I think I might prefer a jinja2 template approach though.
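The template approach proposed above and preferred in the reply, as an added example that is not code from the rhel7-cis repository or from either commenter. The file name cis.rules.j2 and the gating variables rhel7cis_rule_4_1_11 and rhel7cis_rule_4_1_13 are assumptions that follow the naming used in the thread; the control titles and auditd rule lines are the standard ones for those two benchmark items as I know them, and should be checked against the PDF version being audited against. Each control is a conditional block, and the arch=b64 rules are emitted only when ansible_architecture is x86_64, since auditd rejects 64-bit syscall rules on a 32-bit-only kernel and would then fail to load the whole file.

```jinja
{# cis.rules.j2 (assumed name, added example): rendered by ansible.builtin.template
   into /etc/audit/rules.d/cis.rules, which augenrules concatenates with the other
   *.rules files in that directory. Each block is gated on a role variable of the
   form rhel7cis_rule_X_Y_Z (assumed names); undefined variables default to off
   so that a missing variable never silently enables a rule. #}
## Managed by Ansible (rhel7-cis role). Local edits are overwritten.

{# 64-bit hosts need the rule for both syscall ABIs; anything else only b32. #}
{% set arches = ['b64', 'b32'] if ansible_architecture == 'x86_64' else ['b32'] %}

{% if rhel7cis_rule_4_1_11 | default(false) | bool %}
## 4.1.11 Ensure unsuccessful unauthorized file access attempts are collected
{# one rule per ABI and per failure errno (EACCES = permission denied,
   EPERM = operation not permitted) #}
{%   for arch in arches %}
{%     for errno in ['EACCES', 'EPERM'] %}
-a always,exit -F arch={{ arch }} -S creat -S open -S openat -S truncate -S ftruncate -F exit=-{{ errno }} -F auid>=1000 -F auid!=4294967295 -k access
{%     endfor %}
{%   endfor %}
{% endif %}

{% if rhel7cis_rule_4_1_13 | default(false) | bool %}
## 4.1.13 Ensure successful file system mounts are collected
{%   for arch in arches %}
-a always,exit -F arch={{ arch }} -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
{%   endfor %}
{% endif %}
```

The matching task would use ansible.builtin.template with src cis.rules.j2, dest /etc/audit/rules.d/cis.rules, owner and group root and mode 0640, and notify a handler that runs augenrules --load so the rendered rules take effect. Ansible renders templates with trim_blocks enabled, so the lines holding only {% ... %} tags do not leave blank lines in the output, and the rendered file contains only comments and -a rules. Because a control that is switched off produces no lines at all, disabling a variable also removes its rules on the next run, which the lineinfile approach does not do without a separate absent-state task.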