
Comments (5)

finalduty commented on September 7, 2024

Hey @makakin, thanks for submitting your issues.

Yes, in this case, because the test has returned a non-zero state, the test will fail. The way the script is written is such that states will fail by default unless they explicitly pass - by way of updating the result you've copied above.

The reason for this is to reduce repetition when checking / testing the pass/fail status.

The value of the state can be used to help identify which of the check(s) caused the test to fail. In this case, it is the following line:

    [ "$(grep "net.$protocol.conf.default.$sysctl" /etc/sysctl.conf /etc/sysctl.d/*.conf | sed 's/^.*://')" == "net.$protocol.conf.default.$sysctl = $val" ] || state=8

For example, for test 3.1.2, in order to pass test 8, as above, you need to have the following in the /etc/sysctl directory.

    net.ipv4.conf.default.send_redirects = 0

from cis-benchmarks-audit.

makakin commented on September 7, 2024

I have checked that the configuration has been added to /etc/sysctl.d/ipv4.conf,
but the result still shows fail.

cat /etc/sysctl.d/ipv4.conf

CIS 3.1.1

net.ipv4.ip_forward = 0

CIS 3.1.2

net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0


WilliamKoh commented on September 7, 2024

Note to myself, will do a fork and PR if I can find a better solution.

There are 2 possibilities that can lead to a fail even if the system is configured correctly.

  1. In the return setting, there may or may not be a space between the setting and the desired value. A solution would be to remove all whitespace in the returned string and the compared value.

  2. For the greps, the same setting might be returned more than once depending on how many files it's added to. Currently, I'm using a temporary workaround by chaining another sed -n '1p' to return just the first string prior to comparison. The ideal solution would be to ensure all the settings returned are the same (and subject to point 1 above) before returning just one string.

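The two failure modes raised in the comment above (spacing around `=` and the same key set in more than one file) can be handled in a single comparison. The following is an added example, not code from the thread or from cis-benchmarks-audit; `check_sysctl_conf` is a hypothetical helper name and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not code from cis-benchmarks-audit.
# check_sysctl_conf is a hypothetical helper name.
# usage: check_sysctl_conf KEY EXPECTED FILE...
#   0 = KEY is set at least once and every occurrence equals EXPECTED
#   1 = KEY is not set in any readable file
#   2 = at least one occurrence has a different value
check_sysctl_conf() (
    key=$1 expected=$2
    shift 2
    # Keep only readable regular files, so an unmatched glob such as
    # /etc/sysctl.d/*.conf does not make awk fail.
    for f in "$@"; do
        shift
        if [ -f "$f" ] && [ -r "$f" ]; then set -- "$@" "$f"; fi
    done
    [ $# -gt 0 ] || exit 1
    awk -v key="$key" -v want="$expected" '
        /^[ \t]*[#;]/ { next }               # skip comment lines
        {
            line = $0
            gsub(/[ \t]/, "", line)          # point 1: spacing is irrelevant
            eq = index(line, "=")
            # Exact key match: "." is not treated as a regex wildcard.
            if (eq == 0 || substr(line, 1, eq - 1) != key) next
            seen++
            if (substr(line, eq + 1) != want) bad++   # point 2: all must agree
        }
        END { if (!seen) exit 1; if (bad) exit 2; exit 0 }' "$@"
)

# Constructed sample files: the same key in two files, with different spacing.
demo() (
    d=$(mktemp -d) || exit 1
    trap 'rm -rf "$d"' EXIT
    printf '%s\n' '# CIS 3.1.2' \
        'net.ipv4.conf.default.send_redirects = 0' > "$d/ipv4.conf"
    printf '%s\n' 'net.ipv4.conf.default.send_redirects=0' > "$d/sysctl.conf"
    check_sysctl_conf net.ipv4.conf.default.send_redirects 0 "$d"/*.conf
)

if demo; then echo "PASS"; else echo "FAIL"; fi
```

A distinct return code for a conflicting duplicate (2) keeps it separate from a missing setting (1), rather than silently comparing only the first match.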

finalduty commented on September 7, 2024

Hey @makakin and @WilliamKoh, my apologies for such a long period of silence on this one.

I have recently pushed 2a41d0d which identified issues checking for sysctl parameters - specifically where there were duplicates, this would previously result in a Fail result. @WilliamKoh this relates to your point 2 above.

With regards to your point 1, given how these tests are designed (and others through the script), stripping the spaces then comparing would be a good solution as this would probably allow more flexibility to leave the spacing to each individual's discretion / standards.


finalduty commented on September 7, 2024

@makakin @WilliamKoh can you please test with this latest commit and let me know if this is still an issue for you / whether there are any other additions you'd like to see?

