CentOS 7 3.0.0 benchmark updates not present #73
Comments
See also #69
Yes, I saw that, but thought the OS versions should be separate issues. On a side note, Nessus is a bit annoying with the way it validates settings, though it may suggest ways this module could be expanded a little. For example, in 'ensure_gpgcheck_is_globally_activated.pp' it enforces the requirement by setting 'gpgcheck = 1' only in /etc/yum.conf. However, Nessus greps all repo files in /etc/yum.repos.d/. Not sure if we would actually want to do that, as it goes beyond 'globally' depending on whether that is interpreted as 'at the highest level' or 'for all'. Thoughts appreciated...
I have access to the CIS-CAT Pro Assessor tool, and by looking at the XML definitions, I can see that for the gpgcheck check it performs 4 different tests:
At the moment, this Puppet module only covers the first 2 checks, so there's room for improvement. I'm not convinced, however, that it is this module's job to fix any and all repo files, as it is not trivial (especially with multiple repositories in one repo file). I'd settle for a notice.
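The two comments above describe the gap between what the module enforces (gpgcheck in the [main] section of /etc/yum.conf) and what the scanners check (every repository section in every /etc/yum.repos.d/*.repo file). The script below is an added example, not code from this module or from CIS, Nessus or Tenable, showing how a reviewer might audit both the global setting and the per-repository settings before deciding what the module should emit a notice about. It uses a small hand-written INI parser rather than configparser so that yum-style values such as $releasever and multiple repositories per file are handled without surprises, and it assumes the conservative audit interpretation that a repository without its own gpgcheck line inherits the [main] value, and that a missing [main] value counts as not enabled. The file contents in the block are constructed samples, not taken from a real system.

```python
"""Audit 'gpgcheck' the way an external scanner does: globally in the
[main] section of /etc/yum.conf and per repository in every
/etc/yum.repos.d/*.repo file (possibly several repositories per file).

Added example; not part of the Puppet module discussed in this issue.
"""
import re
from pathlib import Path
from typing import Dict, List, Tuple

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
KV_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_.-]*)\s*=\s*(.*?)$")


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Parse yum-style INI text into {section: {key: value}}.

    Blank lines and lines starting with '#' or ';' are ignored.  A later
    duplicate key within a section overrides an earlier one, which is the
    behaviour an auditor has to assume when reading hand-edited repo files.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1).lower()] = m.group(2).strip()
    return sections


def is_enabled(value: str) -> bool:
    """yum accepts several spellings for a boolean option."""
    return value.strip().lower() in ("1", "yes", "true", "on")


def audit_gpgcheck(yum_conf: str, repo_files: Dict[str, str]) -> Tuple[bool, List[Tuple[str, str]]]:
    """Return (global_ok, failing_repos).

    global_ok     - True when [main] in yum.conf has gpgcheck enabled.
    failing_repos - (filename, repo_id) for every repository section whose
                    effective gpgcheck is not enabled.  A section with no
                    gpgcheck line inherits the [main] value (assumption:
                    conservative audit interpretation; an absent [main] value
                    is treated as disabled).
    """
    main = parse_ini(yum_conf).get("main", {})
    global_ok = "gpgcheck" in main and is_enabled(main["gpgcheck"])
    failing: List[Tuple[str, str]] = []
    for fname, text in repo_files.items():
        for repo_id, opts in parse_ini(text).items():
            effective = is_enabled(opts["gpgcheck"]) if "gpgcheck" in opts else global_ok
            if not effective:
                failing.append((fname, repo_id))
    return global_ok, failing


def audit_system(conf_path: str = "/etc/yum.conf", repos_dir: str = "/etc/yum.repos.d") -> Tuple[bool, List[Tuple[str, str]]]:
    """Run the audit against the live host (paths are the CentOS 7 defaults)."""
    repo_files = {p.name: p.read_text() for p in sorted(Path(repos_dir).glob("*.repo"))}
    return audit_gpgcheck(Path(conf_path).read_text(), repo_files)


# Constructed sample input (not real files): [main] is compliant, but one
# repository in a multi-repo file and one in a separate file disable gpgcheck,
# while 'extras' has no gpgcheck line and therefore inherits the global value.
SAMPLE_YUM_CONF = "[main]\ngpgcheck=1\ninstallonly_limit=5\n"
SAMPLE_REPO_FILES = {
    "CentOS-Base.repo": (
        "[base]\nname=CentOS-$releasever - Base\ngpgcheck=1\n\n"
        "[updates]\nname=CentOS-$releasever - Updates\ngpgcheck=0\n\n"
        "[extras]\nname=CentOS-$releasever - Extras\n"
    ),
    "epel.repo": "[epel]\nname=Extra Packages\ngpgcheck = 0\n",
}

if __name__ == "__main__":
    global_ok, failing = audit_gpgcheck(SAMPLE_YUM_CONF, SAMPLE_REPO_FILES)
    print(f"/etc/yum.conf [main] gpgcheck enabled: {global_ok}")
    for fname, repo_id in failing:
        print(f"NOTICE: {fname} [{repo_id}] does not have gpgcheck enabled")
```

Running audit_system() on a CentOS 7 host reproduces the scanner's view; the module could emit a Puppet notice for each entry in failing_repos without trying to rewrite the files, which is the option the comment above settles on.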
Scanning against Nessus with CentOS 7 CIS L1 & L2 v3.0.0 shows that CIS have added compliance rules since v2.2.0 which this module does not yet have (it looks like around 30). Unfortunately, CIS have not included their usual changelog at the bottom of the new PDF.
CIS_CentOS_Linux_7_Benchmark_v3.0.0.pdf