dev-sec definitions: linux-hardening, ssh-hardening etc. #692
Comments
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
|
not stale. |
|
JFYI, you may find some sec-related checks here: |
|
FYFI There are also some more found here:
These are standalone configs but can be run in conjunction with Ansible. |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
|
not stale. |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
|
Hello, I'm doing some maintenance until @aelsabbahy takes back over. This issue seems interesting as cis-benchmarks seems like a great usecase for Goss. My suggestion would be for the goss-cis-benchmark repo to live under dev-sec org and any blockers be opened as an issue on Goss repository. I would assume the latest release of Goss wouldn't cover all the tests without some If you've done any of this research already, please post your findings and link the issues here, I'll make sure stale bot doesn't close them out. A quick search through GitHub shows that others may have done some work already on this: https://github.com/NeowayLabs/goss-cis-benchmark Thanks |
|
Hi @ekelali @MindPointGroup we have been developing the CIS and STIG benchmarks using goss for some time based on the links below for both linux and windows (to be released soon) OS's. I am sure there are improvements our configurations as it stands right now that we welcome feedback on. You are correct it does require some We haven't created any issues as yet due to how quiet the repository has become and the issues that already exist not yet having been incorporated and just going stale. These are the CIS links but we do maintain STIG/DISA in the same org https://github.com/ansible-lockdown/RHEL8-CIS-Audit thanks |
|
Hello @uk-bolly , The attached repos look great, awesome work! Just to be clear, I assume this is a working implementation using the latest Goss release and not a fork, correct? If possible, I would love to discuss your ideas and concerns and see if we can turn those into action items (read: github issues). Also, when listing the issues can you provide some details on priority (what's most painful, what provides most value, etc.) and whether any issue was a blocker for your team and/or current workarounds. Thanks |
|
hi @ekelali This is purely the latest release not yet forked. Sorry for the delay in response, We are hoping to do some more work on the repos over the next couple of weeks, as we all get back to working with goss daily again we hope to add the relevant issues. Thanks uk-bolly |
|
Hello @uk-bolly, Following up on this. I see quite a bit of work has been done on the tests you maintain over the past few months.
I would love to get more information on this and see if there are enhancements that align with the goals of goss. https://github.com/aelsabbahy/goss/blob/master/.github/CONTRIBUTING.md#feature-requests Also, if stale bot (which is has been disabled for a few months now) has closed out an issue that you were interested in, we can re-open it for further discussion if it alignes. Thanks, |
|
hi @aelsabbahy Thank you for following up and what is a very clever and extremely useful project. There are a few others that i have in mind including the ability for something to return as true and run the next test. Although unsure on how that could be approached. But i know there are many ways to skin a cat and sure others have a similar thoughts or requirements. Thinking maybe a working group could be a good idea? We've been trying to build the community up for my content by using a discord group. Thank you again uk-bolly |
|
Hello uk-bolly, thank you for the kind words. This use-case is one I had in mind for a long time now, but never had the time to take it on. I assume the issue you're referring to is this one #742 :) Would the file test be sufficient to unblock you, or did you need it for all tests to be unblocked?
I don't think I fully understood this request. Can you expand on it a bit more, or give an example usage. Perhaps some high-level YAML examples. Honestly, I'm interested in hearing all the ideas. |
|
HI @aelsabbahy You are most welcome and you deserve it, it is a great project. I use all the modules where i can so long as they have some way of giving it another unique identifier and don't override other testing results already captured that would be brilliant. With regard to the random thought i will add more context and add a feature request and get the conversations going. Thank once again uk-bolly |
|
Hello @uk-bolly wondering if this particular issue is completed at this point. #742 was closed by v4 and #843 should help with warnings. Anyways, let me know if there's still anything actionable on this particular issue and if any other issues are high priority for you. Also, feel free to ping me on slack if you'd like a more "working group"/discussion to hash out some ideas before we formalize them into issues. Issues are fine too if that's your preference. |
|
hi @aelsabbahy Superb fix really helps with the work we are doing, v4 is a great release. many thanks uk-bolly |
Thank you for all the effort put into
goss, and for making it open source.Context: We currently use
chef-zeroandinspecand are looking to migrate tosaltandgossas we migrate we thought to try and contribute to the salt/goss communities in a way they value....Is there any effort underway to port the dev-sec defintions/descriptions/specifications to
goss?If not; any thoughts on where this is best housed: up-stream dev-sec, wherever, etc.?
Any thoughts on how best to go about this from a
gosspov?Our 2c:
controlsfolder and proposing their inclusion upstream. Whether upstream would accept them is a separate question. Thegossproject could distribute those controls as agit subrepoin acontrolsfolder - giving a user one less thing to do to have access to "reasonable" hardening settings - where "reasonable" is defined by upstreamdev-sec.goss-linux-hardening, etc. as repository names under the dev-sec org. Thoughts?The text was updated successfully, but these errors were encountered: