Comments (5)
Hey @makakin, thanks for submitting your issues.
Yes, in this case, because the test has returned a non-zero state, the test will fail. The way the script is written is such that states will fail by default unless they explicitly pass - by way of updating the result you've copied above.
The reason for this is to reduce repetition when checking / testing the pass/fail status.
The value of the state can be used to help identify which of the check(s) caused the test to fail. In this case, it is the following line:
[ "$(grep "net.$protocol.conf.default.$sysctl" /etc/sysctl.conf /etc/sysctl.d/*.conf | sed 's/^.*://')" == "net.$protocol.conf.default.$sysctl = $val" ] || state=8
For example, for test 3.1.2, in order to pass test 8, as above, you need to have the following in the /etc/sysctl directory.
net.ipv4.conf.default.send_redirects = 0
from cis-benchmarks-audit.
I have checked that the configuration has been added to /etc/sysctl.d/ipv4.conf, but the result still shows fail.
cat /etc/sysctl.d/ipv4.conf
CIS 3.1.1
net.ipv4.ip_forward = 0
CIS 3.1.2
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
from cis-benchmarks-audit.
Note to myself, will do a fork and PR if I can find a better solution.
There are 2 possibilities that can lead to a fail even if the system is configured correctly.
- In the return setting, there may or may not be a space between the setting and the desired value. A solution would be to remove all whitespaces in the returned string and the compared value.
- For the greps, the same setting might be returned more than once depending on how many files it's added to. Currently, I'm using a temporary workaround by chaining another sed -n '1p' to return just the first string prior to comparison. The ideal solution would be to ensure all the settings returned are the same (and subject to point 1 above) before returning just one string.
from cis-benchmarks-audit.
Hey @makakin and @WilliamKoh, my apologies for such a long period of silence on this one.
I have recently pushed 2a41d0d which identified issues checking for sysctl parameters - specifically where there were duplicates, this would previously result in a Fail result. @WilliamKoh this relates to your point 2. above.
With regards to your point 1. given how these tests are designed (and others through the script), stripping the spaces then comparing would be a good solution as this would probably allow more flexibility to leave the spacing to each individual's discretion / standards.
from cis-benchmarks-audit.
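The two fixes discussed in the comments above (compare with whitespace stripped, and accept duplicates only when every occurrence agrees), as an added example that is not part of the thread or of the project's script. The function name `sysctl_conf_state` and the sample files are made up for illustration.

```shell
#!/usr/bin/env bash
# Added example (not the project's code): whitespace-insensitive,
# duplicate-aware check of one sysctl key across several config files.

# sysctl_conf_state KEY VALUE FILE...
# Prints "ok" if every occurrence of KEY equals VALUE, "mismatch" if any
# occurrence differs, and "missing" if KEY is not set in any file.
sysctl_conf_state() {
    local key want values
    key=$1
    # Strip whitespace from the expected value as well (point 1 in the thread).
    want=$(printf '%s' "$2" | tr -d ' \t')
    shift 2
    # Skip comment lines, strip whitespace, match the key exactly (no regex
    # dots), print the value. sort -u collapses identical duplicates (point 2).
    # The trailing /dev/null keeps awk from reading stdin if no file is given.
    values=$(awk -v k="$key" '
        /^[ \t]*[#;]/ { next }
        {
            line = $0
            gsub(/[ \t\r]/, "", line)
            n = index(line, "=")
            if (n && substr(line, 1, n - 1) == k) print substr(line, n + 1)
        }' "$@" /dev/null 2>/dev/null | sort -u)
    if [ -z "$values" ]; then
        echo missing
    elif [ "$values" = "$want" ]; then
        echo ok
    else
        echo mismatch   # wrong value, or files that disagree with each other
    fi
}

# Constructed sample files standing in for /etc/sysctl.d/*.conf
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
key=net.ipv4.conf.default.send_redirects
printf '%s\n' '# CIS 3.1.2' "$key = 0" > "$demo_dir/ipv4.conf"
printf '%s\n' "$key=0"                 > "$demo_dir/dup.conf"
printf '%s\n' "$key = 1"               > "$demo_dir/bad.conf"

sysctl_conf_state "$key" 0 "$demo_dir/ipv4.conf" "$demo_dir/dup.conf"   # same value, different spacing
sysctl_conf_state "$key" 0 "$demo_dir/ipv4.conf" "$demo_dir/bad.conf"   # files disagree
sysctl_conf_state net.ipv4.ip_forward 0 "$demo_dir/ipv4.conf"           # key not set
```

Unlike taking only the first grep hit, this reports a failure when a later file overrides the setting with a different value.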
@makakin @WilliamKoh can you please test with this latest commit and let me know if this is still an issue for you / whether there are any other additions you'd like to see?
from cis-benchmarks-audit.