feat(cis_baseline): add 1.5.4 / 1.6 controls that are not supported o…

…n Arch
karras · Sep 9, 2023 · dd325bc · dd325bc
1 parent 8172491
commit dd325bc
Show file tree

Hide file tree

Showing 9 changed files with 96 additions and 4 deletions.
diff --git a/roles/cis_baseline/README.md b/roles/cis_baseline/README.md
@@ -8,7 +8,9 @@ Due to missing packages or capabilities related to Arch Linux, the following
 chapters and controls have not yet been implemented:
 
 * 1.3 Filesystem Integrity Checking (missing and broken AIDE packages)
-* 1.4.4 Interactive Boot Disabling (not supported for systemd-boot)
+* 1.4.4 Interactive Boot Deactivation (not supported for systemd-boot)
+* 1.5.4 Prelink Deactivation (not available for Arch Linux)
+* 1.6 Mandatory Access Control (not available for Arch Linux)
 
 ## Example Playbook
 
@@ -47,9 +49,10 @@ cis_baseline_ignored_rules: []
 cis_baseline_sections:
   - 1_1_filesystem
   - 1_2_software_updates
-  - 1_3_filesystem_integrity  # Not implemented yet
+  - 1_3_filesystem_integrity     # Not implemented yet
   - 1_4_boot_settings
   - 1_5_process_hardening
+  - 1_6_mandatory_access_control
 
 # List of mandatory repositories to verify (1.2.1)
 cis_baseline_repositories:

diff --git a/roles/cis_baseline/defaults/main.yml b/roles/cis_baseline/defaults/main.yml
@@ -19,6 +19,7 @@ cis_baseline_sections:
   - 1_3_filesystem_integrity  # Not implemented yet
   - 1_4_boot_settings
   - 1_5_process_hardening
+  - 1_6_mandatory_access_control
 
 # List of mandatory repositories to verify (1.2.1)
 cis_baseline_repositories:

diff --git a/roles/cis_baseline/meta/argument_specs.yml b/roles/cis_baseline/meta/argument_specs.yml
@@ -74,3 +74,7 @@ argument_specs:
         default:
           - 1_1_filesystem
           - 1_2_software_updates
+          - 1_3_filesystem_integrity
+          - 1_4_boot_settings
+          - 1_5_process_hardening
+          - 1_6_mandatory_access_control
diff --git a/roles/cis_baseline/molecule/default/tests/1_4_boot_settings.yml b/roles/cis_baseline/molecule/default/tests/1_4_boot_settings.yml
@@ -31,4 +31,4 @@
 
 # 1.4.4 Ensure interactive boot is not enabled (Not Scored)
 #
-# Not available for systemd-boot
+# Not available for systemd-boot.
diff --git a/roles/cis_baseline/molecule/default/tests/1_5_process_hardening.yml b/roles/cis_baseline/molecule/default/tests/1_5_process_hardening.yml
@@ -41,3 +41,7 @@
   changed_when: false
   failed_when: '"kernel.randomize_va_space = 2" not in out.stdout'
   when: ansible_connection not in ["container", "docker", "community.docker.docker"]
+
+# 1.5.4 Ensure prelink is disabled (Scored)
+#
+# Not available for Arch Linux.
diff --git a/roles/cis_baseline/molecule/default/tests/1_6_mandatory_access_control.yml b/roles/cis_baseline/molecule/default/tests/1_6_mandatory_access_control.yml
@@ -0,0 +1,38 @@
+---
+
+# 1.6.1.1 Ensure SELinux or AppArmor are installed (Scored)
+#
+# Not available for Arch Linux.
+
+# 1.6.2.1 Ensure SELinux is not disabled in bootloader configuration (Scored)
+#
+# Not available for Arch Linux.
+
+# 1.6.2.2 Ensure the SELinux state is enforcing (Scored)
+#
+# Not available for Arch Linux.
+
+# 1.6.2.3 Ensure SELinux policy is configured (Scored)
+#
+# Not available for Arch Linux.
+
+# 1.6.2.4 Ensure SETroubleshoot is not installed (Scored)
+#
+# Not available for Arch Linux.
+
+# 1.6.2.5 Ensure the MCS Translation Service (mcstrans) is not installed
+# (Scored)
+#
+# Not available for Arch Linux.
+
+# 1.6.2.6 Ensure no unconfined daemons exist (Scored)
+#
+# Not available for Arch Linux.
+
+# 1.6.3.1 Ensure AppArmor is not disabled in bootloader configuration (Scored)
+#
+# Not available for Arch Linux.
+
+# 1.6.3.2 Ensure all AppArmor Profiles are enforcing (Scored)
+#
+# Not available for Arch Linux.
diff --git a/roles/cis_baseline/tasks/1_4_boot_settings.yml b/roles/cis_baseline/tasks/1_4_boot_settings.yml
@@ -34,4 +34,4 @@
 
 # 1.4.4 Ensure interactive boot is not enabled (Not Scored)
 #
-# Not available for systemd-boot
+# Not available for systemd-boot.
diff --git a/roles/cis_baseline/tasks/1_5_process_hardening.yml b/roles/cis_baseline/tasks/1_5_process_hardening.yml
@@ -69,3 +69,7 @@
     group: root
     mode: '0644'
   when: not '1.5.3' in cis_baseline_ignored_rules
+
+# 1.5.4 Ensure prelink is disabled (Scored)
+#
+# Not available for Arch Linux.
diff --git a/roles/cis_baseline/tasks/1_6_mandatory_access_control.yml b/roles/cis_baseline/tasks/1_6_mandatory_access_control.yml
@@ -0,0 +1,38 @@
+---
+
+# 1.6.1.1 Ensure SELinux or AppArmor are installed (Scored)
+#
+# Not available for Arch Linux.
+
+# 1.6.2.1 Ensure SELinux is not disabled in bootloader configuration (Scored)
+#
+# Not available for Arch Linux.
+
+# 1.6.2.2 Ensure the SELinux state is enforcing (Scored)
+#
+# Not available for Arch Linux.
+
+# 1.6.2.3 Ensure SELinux policy is configured (Scored)
+#
+# Not available for Arch Linux.
+
+# 1.6.2.4 Ensure SETroubleshoot is not installed (Scored)
+#
+# Not available for Arch Linux.
+
+# 1.6.2.5 Ensure the MCS Translation Service (mcstrans) is not installed
+# (Scored)
+#
+# Not available for Arch Linux.
+
+# 1.6.2.6 Ensure no unconfined daemons exist (Scored)
+#
+# Not available for Arch Linux.
+
+# 1.6.3.1 Ensure AppArmor is not disabled in bootloader configuration (Scored)
+#
+# Not available for Arch Linux.
+
+# 1.6.3.2 Ensure all AppArmor Profiles are enforcing (Scored)
+#
+# Not available for Arch Linux.