feat: audit feature

Author: samrose

audit-specs/baselines/README.md

@@ -0,0 +1,33 @@
+# Machine Baselines
+
+This directory contains captured baselines from real machines.
+
+## Generating a Baseline
+
+On your target machine:
+```bash
+sudo nix run github:supabase/ubuntu-cis-audit#cis-generate-spec -- baseline.yaml
+```
+
+## Naming Convention
+
+Use descriptive names that identify the machine type or environment:
+- `production-db-baseline.yaml` - Production database server
+- `staging-api-baseline.yaml` - Staging API server
+- `postgres-baseline.yaml` - Standard PostgreSQL server config
+
+## Using Baselines
+
+Copy your baseline to this directory and commit to git. Then use GOSS to audit other machines:
+
+```bash
+# On target machine
+goss --gossfile audit-specs/baselines/production-db-baseline.yaml validate
+```
+
+## Baseline Sources
+
+Document where each baseline came from:
+
+- `postgres-baseline.yaml` - Generated from db-pdnxwzxvlrfwogpyaltm on 2025-11-22
+- `production-baseline.yaml` - Generated from prod-server-001 on 2025-11-20

audit-specs/cis_level1_server.yaml

@@ -0,0 +1,67 @@
+# CIS Ubuntu Level 1 Server Benchmark
+# Based on CIS Ubuntu 22.04 LTS Benchmark v1.0.0
+
+file:
+  /etc/ssh/sshd_config:
+    exists: true
+    mode: "0600"
+    owner: root
+    group: root
+    contains:
+      - "PermitRootLogin no"
+      - "Protocol 2"
+
+  /etc/passwd:
+    exists: true
+    mode: "0644"
+    owner: root
+    group: root
+
+  /etc/shadow:
+    exists: true
+    mode: "0640"
+    owner: root
+
+  /etc/login.defs:
+    exists: true
+    contains:
+      - "/PASS_MIN_LEN\\s+14/"
+      - "/PASS_MAX_DAYS\\s+90/"
+
+package:
+  aide:
+    installed: true
+
+  xinetd:
+    installed: false
+
+service:
+  ufw:
+    enabled: true
+    running: true
+
+kernel-param:
+  net.ipv4.ip_forward:
+    value: 0
+
+  net.ipv6.conf.all.forwarding:
+    value: 0
+
+  net.ipv4.conf.all.accept_source_route:
+    value: 0
+
+  net.ipv4.conf.default.accept_source_route:
+    value: 0
+
+command:
+  check-password-fields:
+    exec: "awk -F: '($2 == \"\") {print}' /etc/shadow | wc -l"
+    exit-status: 0
+    stdout:
+      - "0"
+
+  check-ufw-status:
+    exec: "ufw status"
+    exit-status: 0
+    stdout:
+      - "/Status: active/"

audit-specs/cis_level2_server.yaml

@@ -0,0 +1,75 @@
+# CIS Ubuntu Level 2 Server Benchmark
+# Based on CIS Ubuntu 22.04 LTS Benchmark v1.0.0
+# Includes all Level 1 checks plus additional Level 2 requirements
+
+file:
+  /etc/ssh/sshd_config:
+    exists: true
+    mode: "0600"
+    owner: root
+    group: root
+    contains:
+      - "PermitRootLogin no"
+      - "Protocol 2"
+
+  /etc/passwd:
+    exists: true
+    mode: "0644"
+    owner: root
+    group: root
+
+  /etc/shadow:
+    exists: true
+    mode: "0640"
+    owner: root
+
+  /etc/login.defs:
+    exists: true
+    contains:
+      - "/PASS_MIN_LEN\\s+14/"
+      - "/PASS_MAX_DAYS\\s+90/"
+
+package:
+  aide:
+    installed: true
+
+  auditd:
+    installed: true
+
+  xinetd:
+    installed: false
+
+service:
+  ufw:
+    enabled: true
+    running: true
+
+  auditd:
+    enabled: true
+    running: true
+
+kernel-param:
+  net.ipv4.ip_forward:
+    value: 0
+
+  net.ipv6.conf.all.forwarding:
+    value: 0
+
+  net.ipv4.conf.all.accept_source_route:
+    value: 0
+
+  net.ipv4.conf.default.accept_source_route:
+    value: 0
+
+command:
+  check-password-fields:
+    exec: "awk -F: '($2 == \"\") {print}' /etc/shadow | wc -l"
+    exit-status: 0
+    stdout:
+      - "0"
+
+  check-ufw-status:
+    exec: "ufw status"
+    exit-status: 0
+    stdout:
+      - "/Status: active/"

nix/apps.nix

@@ -27,6 +27,9 @@
         run-testinfra = mkApp "run-testinfra" "run-testinfra";
         cleanup-ami = mkApp "cleanup-ami" "cleanup-ami";
         trigger-nix-build = mkApp "trigger-nix-build" "trigger-nix-build";
+        cis-audit = mkApp "cis-audit" "cis-audit";
+        cis-generate-spec = mkApp "cis-generate-spec" "cis-generate-spec";
+        ansible-to-goss = mkApp "ansible-to-goss" "ansible-to-goss";
       };
     };
 }

nix/checks.nix

@@ -394,6 +394,10 @@
             dbmate-tool
             packer
             pg_regress
+            goss
+            cis-audit
+            cis-generate-spec
+            ansible-to-goss
             ;
         }
         // pkgs.lib.optionalAttrs (system == "aarch64-linux") {

nix/devShells.nix

@@ -55,6 +55,10 @@
               self'.packages.build-test-ami
               self'.packages.run-testinfra
               self'.packages.cleanup-ami
+              self'.packages.cis-audit
+              self'.packages.cis-generate-spec
+              self'.packages.ansible-to-goss
+              self'.packages.goss
               dbmate
               nushell
               pythonEnv

nix/ext/versions.json

@@ -572,14 +572,6 @@
     }
   },
   "wrappers": {
-    "0.3.0": {
-      "postgresql": [
-        "15"
-      ],
-      "hash": "sha256-ogpF8NJ7kW3Ut8jaKMDiKYIXnI38nfRq2mMK4rqFAIA=",
-      "pgrx": "0.11.3",
-      "rust": "1.76.0"
-    },
     "0.4.1": {
       "postgresql": [
         "15"