
CentOS 7 3.0.0 benchmark updates not present #73

Open

canihavethisone opened this issue Jan 29, 2021 · 3 comments

Comments

@canihavethisone
Contributor

canihavethisone commented Jan 29, 2021

Scanning against Nessus with CentOS 7 CIS L1 & L2 v3.0.0 shows that CIS have added compliance rules since v2.2.0 which this module does not yet have (it looks like around 30). Unfortunately CIS have not included their usual changelog at the bottom of the new PDF:
CIS_CentOS_Linux_7_Benchmark_v3.0.0.pdf

@bjvrielink
Collaborator

See also #69

@canihavethisone
Contributor Author

Yes, I saw that, but thought the OS versions should be separate issues.

On a side note, Nessus is a bit annoying with the way it validates settings, though it may suggest ways this module could be expanded a little. For example, in 'ensure_gpgcheck_is_globally_activated.pp' it enforces the requirement by setting 'gpgcheck = 1' only in /etc/yum.conf. However, Nessus greps all repo files in /etc/yum.repos.d/. Not sure if we would actually want to do that, as it goes beyond 'globally' depending on whether that is interpreted as 'at the highest level' or 'for all'. Thoughts appreciated...

@bjvrielink
Collaborator

I have access to the CIS-CAT Pro Assessor tool, and by looking at the XML definitions, I can see that for the gpgcheck check it performs 4 different tests:

  • gpgcheck=1 occurs at least once in /etc/yum.conf
  • gpgcheck=[^1] does not occur in /etc/yum.conf
  • gpgcheck=1 occurs at least once in /etc/yum.repos.d/*.repo
  • gpgcheck=[^1] does not occur in /etc/yum.repos.d/*.repo

At the moment, this Puppet module only covers the first 2 checks, so there's room for improvement. I'm not convinced however that it is this module's job to fix any and all repo files, as it is not trivial (especially with multiple repositories in 1 repo file). I'd settle for a notice.
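As an added illustration that is not code from this Puppet module, from Nessus or from CIS-CAT, the script below runs the four gpgcheck tests listed above over constructed sample contents standing in for /etc/yum.conf and two files in /etc/yum.repos.d/, and then builds the per-repository view that a "notice" would need: each repo section's effective gpgcheck value, with repos that have no gpgcheck line of their own inheriting the [main] default from yum.conf. The line patterns are assumptions (CIS-CAT's exact regexes are not quoted in this thread); they tolerate whitespace around the '=' and treat any value other than '1' as a failure, which also covers the multiple-repositories-per-file case mentioned above.

```python
import re
import configparser
from typing import Dict, List

# Constructed sample contents (not taken from any real system) standing in
# for /etc/yum.conf and for files under /etc/yum.repos.d/.
YUM_CONF = """\
[main]
gpgcheck=1
installonly_limit=5
"""

REPO_FILES = {
    "CentOS-Base.repo": """\
[base]
name=CentOS-$releasever - Base
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[updates]
name=CentOS-$releasever - Updates
gpgcheck=1
""",
    "third-party.repo": """\
[vendor-stable]
name=Vendor stable
gpgcheck = 1

[vendor-testing]
name=Vendor testing
gpgcheck=0

[vendor-unset]
name=Vendor repo with no gpgcheck line of its own
""",
}

# Assumed patterns: the thread lists the checks as "gpgcheck=1 occurs" and
# "gpgcheck=[^1] does not occur"; these versions also accept whitespace around '='.
GPGCHECK_ON = re.compile(r"^\s*gpgcheck\s*=\s*1\s*$", re.M)
GPGCHECK_OTHER = re.compile(r"^\s*gpgcheck\s*=(?!\s*1\s*$)", re.M)


def cis_cat_style_checks(yum_conf: str, repo_files: Dict[str, str]) -> Dict[str, bool]:
    """The four tests the comment above attributes to CIS-CAT, each as a boolean."""
    repos_joined = "\n".join(repo_files.values())
    return {
        "yum_conf_has_gpgcheck_1": bool(GPGCHECK_ON.search(yum_conf)),
        "yum_conf_no_other_gpgcheck": not GPGCHECK_OTHER.search(yum_conf),
        "repos_have_gpgcheck_1": bool(GPGCHECK_ON.search(repos_joined)),
        "repos_no_other_gpgcheck": not GPGCHECK_OTHER.search(repos_joined),
    }


def _parse(text: str) -> configparser.ConfigParser:
    # yum repo files are INI-style; interpolation is disabled so that
    # values such as "$releasever" are kept verbatim.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def per_repo_gpgcheck(yum_conf: str, repo_files: Dict[str, str]) -> Dict[str, str]:
    """Effective gpgcheck value for every repository section.

    A section without its own gpgcheck line inherits the [main] default from
    yum.conf, which is reported with an 'inherited:' prefix so a notice can
    say where the value came from.
    """
    default = _parse(yum_conf).get("main", "gpgcheck", fallback=None)
    result: Dict[str, str] = {}
    for fname, text in repo_files.items():
        cp = _parse(text)
        for repo_id in cp.sections():
            own = cp.get(repo_id, "gpgcheck", fallback=None)
            key = f"{fname}:{repo_id}"
            result[key] = f"inherited:{default}" if own is None else own.strip()
    return result


def repos_needing_notice(yum_conf: str, repo_files: Dict[str, str]) -> List[str]:
    """Repository sections whose effective gpgcheck is not 1 (candidates for a notice)."""
    effective = per_repo_gpgcheck(yum_conf, repo_files)
    return sorted(k for k, v in effective.items() if v not in ("1", "inherited:1"))


if __name__ == "__main__":
    for name, ok in cis_cat_style_checks(YUM_CONF, REPO_FILES).items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
    for repo in repos_needing_notice(YUM_CONF, REPO_FILES):
        print(f"notice: gpgcheck is not enabled for {repo}")
```

On the sample data the two yum.conf tests and the "gpgcheck=1 occurs in the repo files" test pass, while the "no other gpgcheck value in the repo files" test fails because of the vendor-testing section; the per-repo view narrows that failure down to the one section, and shows that vendor-unset is fine only because it inherits gpgcheck=1 from [main].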
