
Describe.one runs all instead of just one

Open · spencer-cdw opened this issue 3 years ago · 1 comment

    This is a valid fix, but it took about an hour diving into this because I noticed some unexpected behavior with this control that I don't know if it's a regression or not.

The symbol syntax should behave the same as the string syntax, as long as the file actually exists, i.e. when running against a Docker ubuntu:{focal, jammy} based container, none of the grub_conf.locations exist, so I would expect the control to fail because of the describe.one block

https://github.com/dev-sec/cis-dil-benchmark/blob/ab97de3044961a674a775d5a10a842187b18a167/controls/1_4_secure_boot_settings.rb#L30-L44

but what I'm seeing when testing locally is that all of the files are being tested rather than just one of the files (both in container and VM), which I don't think is the desired behavior.

https://github.com/dev-sec/cis-dil-benchmark/blob/ab97de3044961a674a775d5a10a842187b18a167/libraries/grubconf.rb#L7


@spencer-cdw can you provide some more detail about your testing environment (OS version, path of actual grub conf file, etc) as well as CLI output?

$ cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.1 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.1 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.co

$ cinc-auditor version
5.18.14 

$ cinc-auditor exec https://github.com/dev-sec/cis-dil-benchmark --controls=cis-dil-benchmark-1.4.1

[2022-11-03T01:47:03+00:00] WARN: URL target https://github.com/dev-sec/cis-dil-benchmark transformed to https://github.com/dev-sec/cis-dil-benchmark/archive/master.tar.gz. Consider using the git fetcher
[2022-11-03T01:47:05+00:00] WARN: Cannot find a UUID for your node.

Profile:   CIS Distribution Independent Linux Benchmark Profile (cis-dil-benchmark)
Version:   0.4.13
Target:    local://
Target ID: 

  ×  cis-dil-benchmark-1.4.1: Ensure permissions on bootloader config are configured (21 failed)
     ×  File /boot/grub/grub.conf is expected to exist
     expected File /boot/grub/grub.conf to exist
     ✔  File /boot/grub/grub.conf is expected not to be readable by group
     ✔  File /boot/grub/grub.conf is expected not to be writable by group
     ✔  File /boot/grub/grub.conf is expected not to be executable by group
     ✔  File /boot/grub/grub.conf is expected not to be readable by other
     ✔  File /boot/grub/grub.conf is expected not to be writable by other
     ✔  File /boot/grub/grub.conf is expected not to be executable by other
     ×  File /boot/grub/grub.conf gid is expected to cmp == 0
     
     expected: 0
          got: 
     
     (compared using `cmp` matcher)

     ×  File /boot/grub/grub.conf uid is expected to cmp == 0
     
     expected: 0
          got: 
     
     (compared using `cmp` matcher)

     ×  File /boot/grub/grub.cfg is expected to exist
     expected File /boot/grub/grub.cfg to exist
     ✔  File /boot/grub/grub.cfg is expected not to be readable by group
     ✔  File /boot/grub/grub.cfg is expected not to be writable by group
     ✔  File /boot/grub/grub.cfg is expected not to be executable by group
     ✔  File /boot/grub/grub.cfg is expected not to be readable by other
     ✔  File /boot/grub/grub.cfg is expected not to be writable by other
     ✔  File /boot/grub/grub.cfg is expected not to be executable by other
     ×  File /boot/grub/grub.cfg gid is expected to cmp == 0
     
     expected: 0
          got: 
     
     (compared using `cmp` matcher)

     ×  File /boot/grub/grub.cfg uid is expected to cmp == 0
     
     expected: 0
          got: 
     
     (compared using `cmp` matcher)

     ×  File /boot/grub/menu.lst is expected to exist
     expected File /boot/grub/menu.lst to exist
     ✔  File /boot/grub/menu.lst is expected not to be readable by group
     ✔  File /boot/grub/menu.lst is expected not to be writable by group
     ✔  File /boot/grub/menu.lst is expected not to be executable by group
     ✔  File /boot/grub/menu.lst is expected not to be readable by other
     ✔  File /boot/grub/menu.lst is expected not to be writable by other
     ✔  File /boot/grub/menu.lst is expected not to be executable by other
     ×  File /boot/grub/menu.lst gid is expected to cmp == 0
     
     expected: 0
          got: 
     
     (compared using `cmp` matcher)

     ×  File /boot/grub/menu.lst uid is expected to cmp == 0
     
     expected: 0
          got: 
     
     (compared using `cmp` matcher)

     ×  File /boot/boot/grub/grub.conf is expected to exist
     expected File /boot/boot/grub/grub.conf to exist
     ✔  File /boot/boot/grub/grub.conf is expected not to be readable by group
     ✔  File /boot/boot/grub/grub.conf is expected not to be writable by group
     ✔  File /boot/boot/grub/grub.conf is expected not to be executable by group
     ✔  File /boot/boot/grub/grub.conf is expected not to be readable by other
     ✔  File /boot/boot/grub/grub.conf is expected not to be writable by other
     ✔  File /boot/boot/grub/grub.conf is expected not to be executable by other
     ×  File /boot/boot/grub/grub.conf gid is expected to cmp == 0
     
     expected: 0
          got: 
     
     (compared using `cmp` matcher)

     ×  File /boot/boot/grub/grub.conf uid is expected to cmp == 0
     
     expected: 0
          got: 
     
     (compared using `cmp` matcher)

     ×  File /boot/boot/grub/grub.cfg is expected to exist
     expected File /boot/boot/grub/grub.cfg to exist
     ✔  File /boot/boot/grub/grub.cfg is expected not to be readable by group
     ✔  File /boot/boot/grub/grub.cfg is expected not to be writable by group
     ✔  File /boot/boot/grub/grub.cfg is expected not to be executable by group
     ✔  File /boot/boot/grub/grub.cfg is expected not to be readable by other
     ✔  File /boot/boot/grub/grub.cfg is expected not to be writable by other
     ✔  File /boot/boot/grub/grub.cfg is expected not to be executable by other
     ×  File /boot/boot/grub/grub.cfg gid is expected to cmp == 0
     
     expected: 0
          got: 
     
     (compared using `cmp` matcher)

     ×  File /boot/boot/grub/grub.cfg uid is expected to cmp == 0
     
     expected: 0
          got: 
     
     (compared using `cmp` matcher)

     ×  File /boot/boot/grub/menu.lst is expected to exist
     expected File /boot/boot/grub/menu.lst to exist
     ✔  File /boot/boot/grub/menu.lst is expected not to be readable by group
     ✔  File /boot/boot/grub/menu.lst is expected not to be writable by group
     ✔  File /boot/boot/grub/menu.lst is expected not to be executable by group
     ✔  File /boot/boot/grub/menu.lst is expected not to be readable by other
     ✔  File /boot/boot/grub/menu.lst is expected not to be writable by other
     ✔  File /boot/boot/grub/menu.lst is expected not to be executable by other
     ×  File /boot/boot/grub/menu.lst gid is expected to cmp == 0
     
     expected: 0
          got: 
     
     (compared using `cmp` matcher)

     ×  File /boot/boot/grub/menu.lst uid is expected to cmp == 0
     
     expected: 0
          got: 
     
     (compared using `cmp` matcher)

     ×  File /boot/grub2/grub.cfg is expected to exist
     expected File /boot/grub2/grub.cfg to exist
     ✔  File /boot/grub2/grub.cfg is expected not to be readable by group
     ✔  File /boot/grub2/grub.cfg is expected not to be writable by group
     ✔  File /boot/grub2/grub.cfg is expected not to be executable by group
     ✔  File /boot/grub2/grub.cfg is expected not to be readable by other
     ✔  File /boot/grub2/grub.cfg is expected not to be writable by other
     ✔  File /boot/grub2/grub.cfg is expected not to be executable by other
     ×  File /boot/grub2/grub.cfg gid is expected to cmp == 0
     
     expected: 0
          got: 
     
     (compared using `cmp` matcher)

     ×  File /boot/grub2/grub.cfg uid is expected to cmp == 0
     
     expected: 0
          got: 
     
     (compared using `cmp` matcher)



Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
Test Summary: 42 successful, 21 failures, 0 skipped



Originally posted by @deric4 in https://github.com/dev-sec/cis-dil-benchmark/issues/134#issuecomment-1301593312

spencer-cdw · Nov 03 '22 17:11

Here is another example, cis-dil-benchmark-1.3.2:

https://github.com/dev-sec/cis-dil-benchmark/blob/c845274efcf6e5f2e9307a780995a94c7bee0042/controls/1_3_filesystem_integrity_checking.rb#L42-L64

Only 1 of the 3 following should match:

```ruby
describe.one do
  %w(/var/spool/cron/crontabs/root /var/spool/cron/root /etc/crontab).each do |f|
    # per-file expectations follow in the linked control; not reproduced in this excerpt
  end
end
```

Yet all 3 files are failing.

[Screenshot attached: Screen Shot 2022-11-03 at 3.33.24 PM]

spencer-cdw · Nov 03 '22 21:11
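What both comments above observe matches how InSpec documents describe.one: every inner describe block is evaluated and reported, and the control passes when at least one of those blocks passes in full. The Ruby model below is an added example, not code from cis-dil-benchmark; it reproduces the 1.4.1 run above (42 successes and 21 failures on a host with none of the candidate files) and shows the control passing once a single candidate is correctly owned and permissioned. GRUB_CONF_LOCATIONS, SAMPLE_FS and the check names are assumptions modelled on the output above.

```ruby
# Added example (not from the cis-dil-benchmark project): a model of InSpec's
# describe.one as used by 1.4.1. Every inner block runs and is reported; the
# control passes when at least one block passes in full.
# Candidate bootloader config locations as listed in the output above.
GRUB_CONF_LOCATIONS = %w(
  /boot/grub/grub.conf /boot/grub/grub.cfg /boot/grub/menu.lst
  /boot/boot/grub/grub.conf /boot/boot/grub/grub.cfg /boot/boot/grub/menu.lst
  /boot/grub2/grub.cfg
).freeze

# Constructed stand-in for the filesystem: path => stat attributes. An absent
# path does not exist. Here exactly one well-configured grub.cfg exists.
SAMPLE_FS = { '/boot/grub/grub.cfg' => { mode: 0o600, uid: 0, gid: 0 } }.freeze

# The 1.4.1 expectations for one candidate file. A missing file has no mode
# bits, so its permission tests pass while exist/uid/gid fail: the pattern in
# the cinc-auditor output above (6 passes and 3 failures per path).
def check_file(path, fs)
  st = fs[path]
  mode = st ? st[:mode] : 0
  checks = {
    'is expected to exist' => !st.nil?,
    'is expected not to be readable by group' => (mode & 0o040).zero?,
    'is expected not to be writable by group' => (mode & 0o020).zero?,
    'is expected not to be executable by group' => (mode & 0o010).zero?,
    'is expected not to be readable by other' => (mode & 0o004).zero?,
    'is expected not to be writable by other' => (mode & 0o002).zero?,
    'is expected not to be executable by other' => (mode & 0o001).zero?,
    'gid is expected to cmp == 0' => !st.nil? && st[:gid] == 0,
    'uid is expected to cmp == 0' => !st.nil? && st[:uid] == 0,
  }
  checks
end

# describe.one: evaluate every block, pass the control if any block passed.
def describe_one(paths, fs)
  blocks = paths.to_h { |p| [p, check_file(p, fs)] }
  { passed: blocks.values.any? { |r| r.values.all? }, blocks: blocks }
end
# Totals as the reporter prints them: [successful tests, failed tests].
def test_summary(outcome)
  all = outcome[:blocks].values.flat_map(&:values)
  [all.count(true), all.count(false)]
end

if __FILE__ == $PROGRAM_NAME
  empty = describe_one(GRUB_CONF_LOCATIONS, {})
  puts "no grub config: passed=#{empty[:passed]} summary=#{test_summary(empty)}"
  one = describe_one(GRUB_CONF_LOCATIONS, SAMPLE_FS)
  puts "one valid config: passed=#{one[:passed]} summary=#{test_summary(one)}"
end
```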