debian-cis's Issues

Info Messages in the report

Hello,

I was running the audit tests and the hardening, and I would like to know the meaning of those tests marked as INFO instead of OK or KO.

6.2.13_set_perm_on_user_n [ OK ] Check Passed
hardening [INFO] Treating /home/deployment/config/cis-benchmark/cis-debian10/bin/hardening/6.2.14_find_user_rhosts_files.sh
6.2.14_find_user_rhosts_f [INFO] Working on 6.2.14_find_user_rhosts_files
6.2.14_find_user_rhosts_f [INFO] [DESCRIPTION] No user's .rhosts file.
6.2.14_find_user_rhosts_f [INFO] Checking Configuration
6.2.14_find_user_rhosts_f [INFO] Performing audit
6.2.14_find_user_rhosts_f [ OK ] No .rhosts present in users home directory
6.2.14_find_user_rhosts_f [ OK ] Check Passed

In the remediation, all of those are marked as "enabled" in the config file to harden those tests. I don't think I understand those marked as INFO after hardening. What does this mean? Does it mean those tests failed too?

Thanks,
Best regards

Support for Debian 10

Hello folks,

first of all thank you for sharing that script suite. It must have been an awful lot of work. Are there any plans to introduce support for Debian 10?

Thanks,
Peter

5.4.5_default_timeout miss TMOUT detection

5.4.5_default_timeout checks for TMOUT= at the beginning of the line only (the pattern searched is ^TMOUT=), but the CIS benchmark recommends using `readonly TMOUT=900; export TMOUT`, so the pattern is not at the beginning of the line and subsequently the check fails.

This check should not enforce TMOUT= being at the beginning of line or at least allow optional readonly or export keyword before the variable assignment.

Debug run :

bin/hardening/5.4.5_default_timeout.sh --audit-all pouet
5.4.5_default_timeout     [DBG ] Audit all specified, setting status to audit regardless of configuration
5.4.5_default_timeout     [DBG ] Unknown option passed
5.4.5_default_timeout     [INFO] Working on 5.4.5_default_timeout
5.4.5_default_timeout     [INFO] [DESCRIPTION] Timeout 600 seconds on tty.
5.4.5_default_timeout     [INFO] Checking Configuration
5.4.5_default_timeout     [INFO] Performing audit
5.4.5_default_timeout     [DBG ] Checking if ^TMOUT= is present in /etc/bash.bashrc
5.4.5_default_timeout     [DBG ]  grep -q -E -- '^TMOUT=' /etc/bash.bashrc
5.4.5_default_timeout     [DBG ] Pattern NOT found in /etc/bash.bashrc
5.4.5_default_timeout     [DBG ] TMOUT= is not present in /etc/bash.bashrc
5.4.5_default_timeout     [DBG ] /etc/profile.d is a directory
5.4.5_default_timeout     [DBG ] Checking if ^TMOUT= is present in /etc/profile.d/bash_autologout.sh
5.4.5_default_timeout     [DBG ]  grep -q -E -- '^TMOUT=' /etc/profile.d/bash_autologout.sh
5.4.5_default_timeout     [DBG ] Pattern NOT found in /etc/profile.d/bash_autologout.sh 

Note: It should have been found in this file ^

5.4.5_default_timeout     [DBG ] TMOUT= is not present in /etc/profile.d//etc/profile.d/bash_autologout.sh
5.4.5_default_timeout     [DBG ] Checking if ^TMOUT= is present in /etc/profile.d/bash_completion.sh
5.4.5_default_timeout     [DBG ]  grep -q -E -- '^TMOUT=' /etc/profile.d/bash_completion.sh
5.4.5_default_timeout     [DBG ] Pattern NOT found in /etc/profile.d/bash_completion.sh
5.4.5_default_timeout     [DBG ] TMOUT= is not present in /etc/profile.d//etc/profile.d/bash_completion.sh
5.4.5_default_timeout     [DBG ] Checking if ^TMOUT= is present in /etc/profile
5.4.5_default_timeout     [DBG ]  grep -q -E -- '^TMOUT=' /etc/profile
5.4.5_default_timeout     [DBG ] Pattern NOT found in /etc/profile
5.4.5_default_timeout     [DBG ] TMOUT= is not present in /etc/profile
5.4.5_default_timeout     [ KO ] TMOUT= is not present in /etc/bash.bashrc /etc/profile.d /etc/profile
5.4.5_default_timeout     [ KO ] Check Failed

CIS Hardening

Hello,

Thanks for your help on this first. Is there a way to harden just a specific section, for example just section 2?
So far I think it is just a matter of adding the enabled flag in the config file. Just to confirm whether there is another way.

Thank you,
Guillermo

5.4.5 Does Not Append Correctly Nor to Correct Files

In https://github.com/ovh/debian-cis/blob/master/bin/hardening/5.4.5_default_timeout.sh, it seems like it SHOULD be appending to /etc/bash.bashrc, /etc/profile, and /etc/profile.d/*.sh, but instead it only appends to $FILE, which is /etc/profile.d/CIS_99.1_timeout.sh (and doesn't check the contents of that file before appending?)

$ cat /etc/profile.d/CIS_99.1_timeout.sh
readonly TMOUT=600
export TMOUT
readonly TMOUT=600
export TMOUT
readonly TMOUT=600
export TMOUT
readonly TMOUT=600
export TMOUT
readonly TMOUT=600
export TMOUT
readonly TMOUT=600
export TMOUT
readonly TMOUT=600
export TMOUT
readonly TMOUT=600
export TMOUT
readonly TMOUT=600
export TMOUT
readonly TMOUT=600
export TMOUT
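The two 5.4.5 reports above (the `^TMOUT=` pattern missing `readonly`/`export` prefixes, and the fragment being appended on every run) share one fix: a detection pattern that accepts the prefixed forms, and an apply step that consults that detection before writing. The snippet below is an added example written for this page, not code from the debian-cis project; the fragment path and the 600-second default are only illustrative, and the demo runs on a scratch directory from `mktemp`.

```shell
#!/bin/sh
# Added example, not debian-cis code. Two fixes for the 5.4.5 behaviour
# described in the issues above: (1) detect TMOUT even when the assignment
# is prefixed with "readonly" and/or "export", and (2) write the fragment
# only once, so repeated --apply runs do not pile up duplicate lines.

TMOUT_RE='^[[:space:]]*((readonly|export)[[:space:]]+)*TMOUT='

# tmout_present FILE: 0 if FILE assigns TMOUT in any of the forms
#   TMOUT=600 | readonly TMOUT=600 | export TMOUT=600 | export readonly TMOUT=600
# A commented-out assignment does not match: "#" is not allowed before TMOUT.
tmout_present() {
    [ -f "$1" ] && grep -q -E "$TMOUT_RE" "$1"
}

# count_tmout FILE: number of TMOUT assignments (0 for a missing file).
count_tmout() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -E "$TMOUT_RE" "$1" || true
}

# ensure_tmout_fragment FILE [SECONDS]: append the CIS fragment unless FILE
# already sets TMOUT. Returns 0 in both cases (idempotent apply step).
ensure_tmout_fragment() {
    file="$1"; seconds="${2:-600}"
    tmout_present "$file" && return 0
    printf 'readonly TMOUT=%s\nexport TMOUT\n' "$seconds" >> "$file"
}

# Demo on a scratch directory: running the apply step three times leaves
# exactly one assignment in the fragment (illustrative path, not /etc).
demo=$(mktemp -d)
ensure_tmout_fragment "$demo/CIS_99.1_timeout.sh"
ensure_tmout_fragment "$demo/CIS_99.1_timeout.sh"
ensure_tmout_fragment "$demo/CIS_99.1_timeout.sh"
echo "assignments after three runs: $(count_tmout "$demo/CIS_99.1_timeout.sh")"
rm -rf "$demo"
```

The regex deliberately anchors on the start of the line so that a `#TMOUT=` comment still counts as absent; an audit that greps for `TMOUT=` anywhere on the line would pass on a commented-out setting.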

[[: bullseye/sid: division by 0 (error token is "sid")

I'm getting this output on a container without OpenSSH installed:

hardening                 [INFO] Treating /opt/cis-hardening/bin/hardening/5.2.15_ssh_cry_kex.sh
5.2.15_ssh_cry_kex        [INFO] Working on 5.2.15_ssh_cry_kex
5.2.15_ssh_cry_kex        [INFO] [DESCRIPTION] Checking key exchange ciphers.
/opt/cis-hardening/bin/hardening/5.2.15_ssh_cry_kex.sh: line 79: [[: bullseye/sid: division by 0 (error token is "sid")
/opt/cis-hardening/bin/hardening/5.2.15_ssh_cry_kex.sh: line 81: [[: bullseye/sid: division by 0 (error token is "sid")
/opt/cis-hardening/bin/hardening/5.2.15_ssh_cry_kex.sh: line 81: [[: bullseye/sid: division by 0 (error token is "sid")
5.2.15_ssh_cry_kex        [INFO] Checking Configuration
5.2.15_ssh_cry_kex        [INFO] Performing audit
5.2.15_ssh_cry_kex        [ KO ] openssh-server is not installed!
5.2.15_ssh_cry_kex        [ KO ] Check Failed

Maybe a check of the existence of the file is missing or something?
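The message `[[: bullseye/sid: division by 0 (error token is "sid")` is what bash prints when a non-numeric string reaches an arithmetic comparison: `/etc/debian_version` reads `bullseye/sid` on testing/unstable, and `[[ $ver -ge 9 ]]` then evaluates `bullseye / sid` with both names unset. The snippet below is an added example for this page, not debian-cis code: it validates the release string before comparing, and turns an unknown release into a skip rather than a crash. The minimum major version of 9 is an assumption taken from the Debian 9/10 support mentioned elsewhere on this page.

```shell
#!/bin/sh
# Added example, not debian-cis code. Validate a /etc/debian_version string
# before using it in an arithmetic test, so "bullseye/sid" cannot reach
# bash's arithmetic evaluator (where it becomes bullseye / sid -> division by 0).

MIN_SUPPORTED_MAJOR=9   # assumption for this example, not a project constant

# debian_major VERSION: print the numeric major ("10.9" -> 10), or return 1
# without output when VERSION is not a dotted number (codenames, empty).
debian_major() {
    case "$1" in
        ''|*[!0-9.]*|.*) return 1 ;;
    esac
    printf '%s\n' "${1%%.*}"
}

# debian_at_least VERSION MAJOR: 0 if VERSION >= MAJOR, 1 if lower,
# 2 if VERSION cannot be parsed at all.
debian_at_least() {
    major=$(debian_major "$1") || return 2
    [ "$major" -ge "$2" ]
}

# check_script_applies VERSION: what a check script could do before any
# release-dependent logic. Exit codes mirror debian_at_least.
check_script_applies() {
    rc=0; debian_at_least "$1" "$MIN_SUPPORTED_MAJOR" || rc=$?
    case $rc in
        0) echo "Debian $1: release supported, running check"; return 0 ;;
        1) echo "Debian $1: release older than $MIN_SUPPORTED_MAJOR, skipping"; return 1 ;;
        *) echo "'$1' is not a numeric release (testing/unstable?), skipping"; return 2 ;;
    esac
}

# Demo with constructed version strings (no system files read).
for v in 10.9 8.11 bullseye/sid; do
    check_script_applies "$v" || true
done
```

On a real host the argument would come from `cat /etc/debian_version`; the point of the example is that the string is classified with a `case` glob, which never evaluates it, before any `-ge` comparison sees it.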

wrong check of REMOTE_HOST in 4.2.1.6_remote_syslog-ng_acl.sh

4.2.1.6_remote_syslog-ng_acl.sh uses a config variable REMOTE_HOST to define if currently tested host is a syslog server or not.

Default configuration for this script defines REMOTE_HOST to "false" in this line and this script tests if system is a syslog server with if [[ "$REMOTE_HOST" ]]; then.

However, REMOTE_HOST being a non-empty string (here "false") this check is always true even if REMOTE_HOST is set to "false".

IMHO, either REMOTE_HOST should be set to empty string if host is not a syslog server or check_config() should empty REMOTE_HOST variable if its value is false.

Default configuration with value false and script working as if it has been set to true is dangerous from a security point of view by validating non-compliant systems
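The failure mode in this report is a general one: `[[ "$VAR" ]]` (or POSIX `[ -n "$VAR" ]`) tests for a non-empty string, so the literal `false` passes it. The snippet below is an added example for this page, not the project's code: it puts the buggy test beside a helper that interprets the value, treats anything unexpected as false, and says so on stderr so a typo in a config file cannot quietly turn a host into a "syslog server" that is exempt from the ACL check.

```shell
#!/bin/sh
# Added example, not debian-cis code. Shows why a non-empty-string test is
# the wrong way to read a true/false configuration value and how to
# interpret the value instead.

# Buggy test (what the issue describes): any non-empty string, including
# the shipped default "false", is treated as "this host is a syslog server".
is_syslog_server_buggy() {
    [ -n "$1" ]
}

# is_true VALUE: 0 only for an explicit affirmative. "false", "no", "0" and
# an empty value are false; anything else is reported and also treated as
# false, so a typo fails closed (the check still runs).
is_true() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        true|yes|1)    return 0 ;;
        false|no|0|'') return 1 ;;
        *) printf 'warning: unexpected boolean value "%s", treating as false\n' "$1" >&2
           return 1 ;;
    esac
}

# Fixed test: the host is a syslog server only when the value says so.
is_syslog_server() {
    is_true "$1"
}

# Demo with the default described in the issue.
REMOTE_HOST=false
if is_syslog_server_buggy "$REMOTE_HOST"; then
    echo "buggy test: REMOTE_HOST='$REMOTE_HOST' treated as a syslog server"
fi
if is_syslog_server "$REMOTE_HOST"; then
    echo "fixed test: syslog server, ACL check applies"
else
    echo "fixed test: not a syslog server"
fi
```

The same helper is the natural place to implement the second option in the report (normalising the value in `check_config()`): a script can call `is_true "$REMOTE_HOST"` once and branch on the result instead of testing the raw string.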

Test that stderr is empty

If stderr is not empty, something is probably wrong, so the test must fail.

Add a test that checks this at the end.

Grub check issue

Hi !

Today I have some trouble with two scripts:

4.1.1.3_audit_bootloader.sh
4.1.1.4_audit_backlog_limit.sh

I have made the required changes and the scripts still don't see them:

 ~/debian-cis/etc/conf.d # cat /etc/default/grub |grep "GRUB_CMDLINE_LINUX="
GRUB_CMDLINE_LINUX="net.iframes=0 biosdevname=0 audit=1 audit_backlog_limit=8192 apparmor=1 security=apparmor"
~/debian-cis/etc/conf.d # /root/debian-cis/bin/hardening/4.1.1.3_audit_bootloader.sh --audit
4.1.1.3_audit_bootloader  [INFO] Working on 4.1.1.3_audit_bootloader
4.1.1.3_audit_bootloader  [INFO] [DESCRIPTION] Enable auditing for processes that start prior to auditd.
4.1.1.3_audit_bootloader  [INFO] Checking Configuration
4.1.1.3_audit_bootloader  [INFO] Performing audit
4.1.1.3_audit_bootloader  [ OK ] /etc/default/grub exists, checking configuration
4.1.1.3_audit_bootloader  [ KO ] ^GRUB_CMDLINE_LINUX="audit=1" is not present in /etc/default/grub
4.1.1.3_audit_bootloader  [ KO ] Check Failed
~/debian-cis/etc/conf.d # /root/debian-cis/bin/hardening/4.1.1.4_audit_backlog_limit.sh --audit
4.1.1.4_audit_backlog_lim [INFO] Working on 4.1.1.4_audit_backlog_limit
4.1.1.4_audit_backlog_lim [INFO] [DESCRIPTION] Configure audit_backlog_limit to be sufficient.
4.1.1.4_audit_backlog_lim [INFO] Checking Configuration
4.1.1.4_audit_backlog_lim [INFO] Performing audit
4.1.1.4_audit_backlog_lim [ OK ] /etc/default/grub exists, checking configuration
4.1.1.4_audit_backlog_lim [ KO ] ^GRUB_CMDLINE_LINUX="audit

Thanks for your help!

When using `--only`, create config is not executed

# ./hardening.sh --audit-all --only 5.2.16
hardening                 [INFO] Treating /opt/cis-hardening/bin/hardening/5.2.16_sshd_idle_timeout.sh
5.2.16_sshd_idle_timeout  [INFO] Working on 5.2.16_sshd_idle_timeout
5.2.16_sshd_idle_timeout  [INFO] [DESCRIPTION] Set Idle Timeout Interval for user login.
5.2.16_sshd_idle_timeout  [INFO] Checking Configuration
5.2.16_sshd_idle_timeout  [INFO] Performing audit
5.2.16_sshd_idle_timeout  [ OK ] openssh-server is installed
5.2.16_sshd_idle_timeout  [ OK ] Check Passed
################### SUMMARY ###################
      Total Available Checks : 1
         Total Runned Checks : 1
         Total Passed Checks : [     1/1 ]
         Total Failed Checks : [     0/1 ]
   Enabled Checks Percentage : 100.00 %
       Conformity Percentage : 100.00 %

rpcbind not being uninstalled in non-interactive mode

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  nfs-common* rpcbind*
0 upgraded, 0 newly installed, 2 to remove and 3 not upgraded.
After this operation, 865 kB disk space will be freed.
(Reading database ... 54768 files and directories currently installed.)
Removing nfs-common (1:1.2.8-9) ...
Purging configuration files for nfs-common (1:1.2.8-9) ...
dpkg-statoverride: warning: no override present
Removing rpcbind (0.2.1-6+deb8u2) ...
Purging configuration files for rpcbind (0.2.1-6+deb8u2) ...
Processing triggers for man-db (2.7.0.2-5) ...
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  libevent-2.0-5 libnfsidmap2 libtirpc1
0 upgraded, 0 newly installed, 3 to remove and 3 not upgraded.
After this operation, 753 kB disk space will be freed.
Do you want to continue? [Y/n]

chrony and ntp checks should skip if package is not installed

2.2.1.3_configure_chrony considers the check failed if the chrony package is not installed. However, CIS benchmark §2.2.1.3 is only related to chrony's proper configuration and clearly states:

This recommendation only applies if chrony is in use on the system.

so the check should be skipped if the package is not installed instead of failing (like when grub is not in use for test 1.5.1_bootloader_ownership).

The same should apply to 2.2.1.4_configure_ntp if ntp is not installed.

2.2.1.3_configure_chrony  [ KO ] chrony is not installed!
2.2.1.3_configure_chrony  [ KO ] Check Failed

Newline issue when appending SSH config to /etc/ssh/sshd_config

I ran apply to automatically update SSH rules, but /etc/ssh/sshd_config doesn't seem to end with a newline by default! Classic!

9.3.5_sshd_maxauthtries.sh uses the default add_end_of_file, which results in two parameters being located on the same line, like so:

UseDNS noMaxAuthTries 4

which causes the ssh service to fail to restart:

 /etc/ssh/sshd_config line 89: Bad yes/no argument: noMaxAuthTries
root@ip-172-31-47-112:/tmp/debian-cis# ssh -V
OpenSSH_6.7p1 Debian-5+deb8u4, OpenSSL 1.0.1t  3 May 2016
root@ip-172-31-47-112:/tmp/debian-cis# uname -a
Linux ip-172-31-47-112 4.4.121-k8s #1 SMP Sun Mar 11 19:39:47 UTC 2018 x86_64 GNU/Linux
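The fused line above comes from appending to a file whose last line has no terminating newline. The snippet below is an added example for this page, not the project's `add_end_of_file`: it checks the last byte of the target before appending, and verifies the result as whole lines. The demo writes to a `mktemp` file rather than `/etc/ssh/sshd_config`.

```shell
#!/bin/sh
# Added example, not debian-cis code: append a configuration line safely
# when the target file may not end with a newline, which is what turned
# "UseDNS no" + "MaxAuthTries 4" into "UseDNS noMaxAuthTries 4".

# lacks_trailing_newline FILE: 0 if FILE is non-empty and its last byte is
# not "\n". $(...) strips trailing newlines, so the substitution is empty
# exactly when the last byte is a newline.
lacks_trailing_newline() {
    [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]
}

# append_line FILE LINE: terminate a dangling last line first, then append.
append_line() {
    lacks_trailing_newline "$1" && printf '\n' >> "$1"
    printf '%s\n' "$2" >> "$1"
}

# has_directive FILE KEYWORD VALUE: 0 if "KEYWORD VALUE" is a whole line,
# i.e. the directive survived as sshd will parse it.
has_directive() {
    grep -q -x -E "[[:space:]]*$2[[:space:]]+$3[[:space:]]*" "$1"
}

# Demo on a constructed sshd_config fragment without a final newline.
demo=$(mktemp)
printf 'Port 22\nUseDNS no' > "$demo"
append_line "$demo" 'MaxAuthTries 4'
cat "$demo"
rm -f "$demo"
```

Before restarting the service after any automated edit, `sshd -t` validates the configuration file and exits non-zero on exactly the kind of `Bad yes/no argument` error shown in the report, which is a cheaper check than finding out at restart time.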

Addition of auditd rules is not persistent

Rules for auditd in section 4.1 are being added directly to /etc/audit/audit.rules, which means they don't get applied and they get flushed at restart of the auditd service. The right location for them is /etc/audit/rules.d/.

vfat module and lvm partitions

Hi !

I'm trying to run this script:

bin/hardening/1.1.1.7_restrict_fat.sh --audit-all
1.1.1.7_restrict_fat      [INFO] Working on 1.1.1.7_restrict_fat
1.1.1.7_restrict_fat      [INFO] [DESCRIPTION] Limit mounting of FAT filesystems.
1.1.1.7_restrict_fat      [INFO] Checking Configuration
1.1.1.7_restrict_fat      [INFO] Performing audit
1.1.1.7_restrict_fat      [ KO ] CONFIG_VFAT_FS is enabled!
1.1.1.7_restrict_fat      [ KO ] Check Failed

And when I want to apply the recommended modifications (I have status=enabled in the conf file):

~/debian-cis # bin/hardening/1.1.1.7_restrict_fat.sh --apply
1.1.1.7_restrict_fat      [INFO] Working on 1.1.1.7_restrict_fat
1.1.1.7_restrict_fat      [INFO] [DESCRIPTION] Limit mounting of FAT filesystems.
1.1.1.7_restrict_fat      [INFO] Checking Configuration
1.1.1.7_restrict_fat      [INFO] Performing audit
1.1.1.7_restrict_fat      [ KO ] CONFIG_VFAT_FS is enabled!
1.1.1.7_restrict_fat      [INFO] Applying Hardening
1.1.1.7_restrict_fat      [WARN] I cannot fix CONFIG_VFAT_FS enabled, recompile your kernel please
1.1.1.7_restrict_fat      [ KO ] Check Failed

As you can see, the output shows that the vfat FS is enabled, but that's not the case (according to the CIS test):

~/debian-cis # rmmod vfat
rmmod: ERROR: Module vfat is not currently loaded
~/debian-cis # modprobe -n -v vfat | grep -E '(vfat|install)'
install /bin/true
~/debian-cis # lsmod | grep vfat
no output
~/debian-cis # grep -E -i '\svfat\s' /etc/fstab
no output

Did I make a mistake?

Another thing about the partition checks: are all scripts from 1.1.2 to 1.1.18 not compatible with LVM? For example:

~/debian-cis # bin/hardening/1.1.2_tmp_partition.sh --audit-all
1.1.2_tmp_partition       [INFO] Working on 1.1.2_tmp_partition
1.1.2_tmp_partition       [INFO] [DESCRIPTION] Ensure /tmp is configured (Scored)
1.1.2_tmp_partition       [INFO] Checking Configuration
1.1.2_tmp_partition       [INFO] Performing audit
1.1.2_tmp_partition       [INFO] Verifying that /tmp is a partition
1.1.2_tmp_partition       [ KO ] /tmp is not a partition
1.1.2_tmp_partition       [ KO ] Check Failed

but :

~/debian-cis # mount |grep /tmp
/dev/mapper/vgdebian-tmp on /tmp type xfs (rw,nosuid,nodev,noexec,relatime,attr2,inode64,noquota)
~/debian-cis # df -hT |grep "/tmp"
/dev/mapper/vgdebian-tmp     xfs        2,0G     35M  2,0G   2% /tmp

I got the same error for the /var/log partition, and I guess I would probably have the same if I had /home and /var/log/audit LVM partitions.

Regards

5.2.15_ssh_cry_kex.sh kex validation method

The current implementation checks for specific Key Exchange Algorithms, but this doesn't correspond to the CIS requirement.

We should follow the spec and check:

Run the following command and verify that output does not contain any of the listed weak Key Exchange algorithms
# sshd -T | grep kexalgorithms

Detect (audit) / remove (apply) weak Key Exchange Algorithms like:

 diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1

(maybe *-sha1)

In my case I don't allow diffie-hellman-group-exchange-sha256 so it's a false positive.
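A check that follows the benchmark text audits the effective algorithm list rather than expecting a fixed one, so a stricter configuration (no `diffie-hellman-group-exchange-sha256`) cannot fail it. The snippet below is an added example for this page, not the project's 5.2.15 script: it parses the `kexalgorithms` line of `sshd -T` output against the three weak names quoted in the report, and derives the cleaned value an apply step would write. The `sshd -T` output embedded in it is constructed for the demo.

```shell
#!/bin/sh
# Added example, not debian-cis code: audit the effective key exchange
# algorithms the way the benchmark text describes, by parsing the
# "kexalgorithms" line of `sshd -T`, and produce a cleaned list for apply.

# Constructed sample of `sshd -T` output (keywords are printed lower-case).
# On a real host: sshd -T | weak_kex_in_use
SAMPLE_SSHD_T='port 22
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com'

# Weak algorithms named in the issue (the benchmark lists these explicitly).
WEAK_KEX='diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1'

# weak_kex_in_use: read sshd -T output on stdin, print each weak algorithm
# that is active, one per line (nothing when the configuration is clean).
weak_kex_in_use() {
    awk -v weak="$WEAK_KEX" '
        BEGIN { n = split(weak, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
        tolower($1) == "kexalgorithms" {
            m = split($2, algs, ",")
            for (i = 1; i <= m; i++) if (algs[i] in bad) print algs[i]
        }'
}

# kex_audit: 0 when no weak algorithm is active (the audit passes).
kex_audit() {
    [ -z "$(weak_kex_in_use)" ]
}

# strip_weak_kex: read sshd -T output on stdin, print the KexAlgorithms
# value with the weak entries removed and the order otherwise preserved.
strip_weak_kex() {
    awk -v weak="$WEAK_KEX" '
        BEGIN { n = split(weak, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
        tolower($1) == "kexalgorithms" {
            m = split($2, algs, ","); out = ""
            for (i = 1; i <= m; i++)
                if (!(algs[i] in bad)) out = out (out == "" ? "" : ",") algs[i]
            print out
        }'
}

# Demo on the constructed sample.
echo "weak algorithms active:"
printf '%s\n' "$SAMPLE_SSHD_T" | weak_kex_in_use
echo "KexAlgorithms value to apply:"
printf '%s\n' "$SAMPLE_SSHD_T" | strip_weak_kex
```

Reading `sshd -T` instead of `sshd_config` also covers algorithms that come from OpenSSH's compiled-in defaults or from `Match` blocks, which a grep of the file misses. If the broader `*-sha1` heuristic from the report is wanted, the `algs[i] in bad` test can be extended with a suffix match; the example keeps to the names the benchmark actually lists.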

Tests fail when openssh-server is not installed

A lot of tests fail when openssh-server is not installed, whereas they should probably succeed, as if OpenSSH is not installed it can't pose any threat to the hardening (it's common not to install it in containers). What do you think?

# /opt/cis-hardening/bin/hardening.sh --audit-all |& grep 'openssh-server is not installed'
5.2.4_sshd_protocol       [ KO ] openssh-server is not installed!
5.2.5_sshd_loglevel       [ KO ] openssh-server is not installed!
5.2.6_disable_x11_forward [ KO ] openssh-server is not installed!
5.2.7_sshd_maxauthtries   [ KO ] openssh-server is not installed!
5.2.8_enable_sshd_ignorer [ KO ] openssh-server is not installed!
5.2.9_disable_sshd_hostba [ KO ] openssh-server is not installed!
5.2.10_disable_root_login [ KO ] openssh-server is not installed!
5.2.11_disable_sshd_permi [ KO ] openssh-server is not installed!
5.2.12_disable_sshd_seten [ KO ] openssh-server is not installed!
5.2.13_sshd_ciphers       [ KO ] openssh-server is not installed!
5.2.14_ssh_cry_mac        [ KO ] openssh-server is not installed!
5.2.15_ssh_cry_kex        [ KO ] openssh-server is not installed!
5.2.16_sshd_idle_timeout  [ KO ] openssh-server is not installed!
5.2.17_sshd_login_grace_t [ KO ] openssh-server is not installed!
5.2.18_sshd_limit_access  [ KO ] openssh-server is not installed!
5.2.19_ssh_banner         [ KO ] openssh-server is not installed!
5.2.20_enable_ssh_pam     [ KO ] openssh-server is not installed!
5.2.21_disable_ssh_allow_ [ KO ] openssh-server is not installed!
5.2.22_configure_ssh_max_ [ KO ] openssh-server is not installed!
5.2.23_limit_ssh_max_sess [ KO ] openssh-server is not installed!
99.5.2.1_ssh_auth_pubk_on [ KO ] openssh-server is not installed!
99.5.2.2_ssh_cry_rekey    [ KO ] openssh-server is not installed!
99.5.2.3_ssh_disable_feat [ KO ] openssh-server is not installed!
99.5.2.5_ssh_strict_modes [ KO ] openssh-server is not installed!
99.5.2.6_ssh_sys_accept_e [ KO ] openssh-server is not installed!
99.5.2.8_ssh_sys_sandbox  [ KO ] openssh-server is not installed!

Variable error

Hi,

On a fresh install of Debian 10 I'm trying to use the script, but when I follow the quickstart guide:

~/debian-cis # bin/hardening/1.1.1.1_disable_freevxfs.sh --audit-all
1.1.1.1_disable_freevxfs [INFO] Working on 1.1.1.1_disable_freevxfs
1.1.1.1_disable_freevxfs [INFO] [DESCRIPTION] Disable mounting of freevxfs filesystems.
1.1.1.1_disable_freevxfs [INFO] Checking Configuration
1.1.1.1_disable_freevxfs [INFO] Performing audit
/root/debian-cis/lib/utils.sh: line 362: FILTER: unbound variable

Do you know why?

Regards

Run on unsupported version/distribution

This may be a good idea to tell the user that they're running the script in a non-officially supported Debian version, as in "there's no official PDF for this version so we'll do our best to show you results that are not entirely stupid, but please take those with a grain of salt". Same stuff if somebody has the idea to run it under Ubuntu or any other Debian derivative. Most tests will still work, but might give a false sense of security because e.g. we're looking for a package that has a different name under Ubuntu, or because defaults under Ubuntu are different so more stuff should be looked after to be disabled etc. In other words, 100% compliance under Ubuntu (or any other non-Debian-9-10 distro) does NOT mean that the system is properly hardened.
The user should be warned in some way. There are several ways to do it:

  • Boldly refusing to run unless --allow-unsupported-distribution is specified on the cmdline
  • Showing a big fat warn somewhere but run nevertheless, the warning could be silenced by a cmdline option
  • Adding a test that always fail if not Debian-9-10, hence sysadmins would have to disable this test, and doing so, acknowledging that they know what they're doing

... and maybe other ways :)

Originally posted by @speed47 in #29 (comment)

5.1.8_cron_users perms

The check expects /etc/cron.allow and /etc/at.allow to have perms 0644, which corresponds to the CIS requirement (not writable), but this isn't a best practice: https://www.stigviewer.com/stig/oracle_linux_5/2016-06-01/finding/V-975. This should implement the exact CIS test (not writable) or allow 400, 600, 640 or 644.

Hardening Clarification Scripts Execution

Hello,

I have been going through the code and I would like to confirm the following steps:

- Do these scripts just do the hardening part, and not test the server before it is hardened?
- How can I run it manually, script by script? This is what I found in the "readme" file:

Configuration

Hardening scripts are in bin/hardening. Each script has a corresponding
configuration file in etc/conf.d/[script_name].cfg.
Each hardening script can be individually enabled from its configuration file.
For example, this is the default configuration file for disable_system_accounts:

- Is there a way to see which tests have passed and which tests have not before doing the hardening?

Thank you for your help.

Show only failed scripts

Is there an option to show only the failed scripts (Ones with [ KO ])?

Sorry if I am just missing the option to achieve this.

CIS Hardening Question

Hello,

I have been running the scripts and I was able to get some results, but trying to do some remediation, I was not able to run correctly what is needed. This is an example that I have run:

In the debian-cis-2021/bin/hardening directory:

./1.4.1_install_tripwire.sh --apply
1.4.1_install_tripwire [INFO] Working on 1.4.1_install_tripwire
1.4.1_install_tripwire [INFO] [DESCRIPTION] Ensure tripwire package is installed.
1.4.1_install_tripwire [INFO] Checking Configuration
1.4.1_install_tripwire [INFO] Performing audit
1.4.1_install_tripwire [ KO ] tripwire is not installed!
1.4.1_install_tripwire [ KO ] Check Failed

Not sure how to use it to remediate this vulnerability.

  • Also I would like to know the difference between /bin/hardening tests and /tests/hardening tests folder

Thank you for your help

Wrong stats in summary for total passed/failed checks

On Debian 11 (the current testing version), the stats displayed in the Summary are incorrect:

$ bin/hardening.sh --audit-all --sudo --allow-unsupported-distribution
(...)
################### SUMMARY ###################
      Total Available Checks : 233
         Total Runned Checks : 233
         Total Passed Checks : [  98/233 ]
         Total Failed Checks : [ 133/233 ]
   Enabled Checks Percentage : 100.00 %
       Conformity Percentage : 42.06 %

233 runned checks : 98 passed, 133 failed => total = 231 (!= 233)

Apparmor grub cmdline

Hello,

There is an issue with the script bin/hardening/1.7.1.2_enable_apparmor.sh. When the GRUB_CMDLINE_LINUX line already has some parameters, the apparmor parameters are added before them, but a space is missing at the end, as you can see:

GRUB_CMDLINE_LINUX="apparmor=1 security=apparmornet.ifnames=0 biosdevname=0"

Regards,
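Both GRUB reports on this page (the 4.1.1.3/4.1.1.4 audit that only matches `^GRUB_CMDLINE_LINUX="audit=1"` when it is the whole value, and the 1.7.1.2 apply that concatenates `security=apparmor` onto `net.ifnames=0`) come from treating the line as a literal string instead of a list of kernel parameters. The snippet below is an added example for this page, not the project's code: it extracts the quoted value, tests for a parameter as a whole token, reads a `key=value` for threshold checks such as `audit_backlog_limit`, and appends missing parameters with a separating space. It operates on any `/etc/default/grub`-style file passed as an argument; the demo uses a `mktemp` copy and never runs `update-grub`.

```shell
#!/bin/sh
# Added example, not debian-cis code: treat GRUB_CMDLINE_LINUX as a list of
# whitespace-separated kernel parameters. Matching the whole line literally
# (^GRUB_CMDLINE_LINUX="audit=1") misses audit=1 when other parameters are
# present, and prepending text without a separator produces
# "security=apparmornet.ifnames=0". FILE is any /etc/default/grub-style file.

# grub_cmdline FILE: print the quoted value of the last GRUB_CMDLINE_LINUX=
# line (last definition wins, as for the shell that sources the file).
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# grub_cmdline_has FILE PARAM: 0 if PARAM (e.g. audit=1) is a whole token.
grub_cmdline_has() {
    set -f                                   # no globbing while word-splitting
    for tok in $(grub_cmdline "$1"); do
        if [ "$tok" = "$2" ]; then set +f; return 0; fi
    done
    set +f
    return 1
}

# grub_cmdline_value FILE KEY: print VALUE of the KEY=VALUE token, 1 if absent.
grub_cmdline_value() {
    set -f
    for tok in $(grub_cmdline "$1"); do
        case "$tok" in
            "$2"=*) printf '%s\n' "${tok#*=}"; set +f; return 0 ;;
        esac
    done
    set +f
    return 1
}

# grub_cmdline_add FILE PARAM: append PARAM to the existing value with a
# separating space (idempotent); create the line if the file has none.
grub_cmdline_add() {
    file="$1"; param="$2"
    grub_cmdline_has "$file" "$param" && return 0
    if grep -q '^GRUB_CMDLINE_LINUX=' "$file"; then
        current=$(grub_cmdline "$file")
        new="${current:+$current }$param"
        esc=$(printf '%s' "$new" | sed 's/[&/\]/\\&/g')   # escape for the sed replacement
        tmp=$(mktemp)
        sed "s/^GRUB_CMDLINE_LINUX=\".*\"[[:space:]]*\$/GRUB_CMDLINE_LINUX=\"$esc\"/" "$file" > "$tmp"
        cat "$tmp" > "$file" && rm -f "$tmp"   # keep the file's owner and mode
    else
        printf 'GRUB_CMDLINE_LINUX="%s"\n' "$param" >> "$file"
    fi
}

# Demo on a constructed copy, with the value from the 4.1.1.x report.
demo=$(mktemp)
printf 'GRUB_DEFAULT=0\nGRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0 audit=1 audit_backlog_limit=8192"\n' > "$demo"
grub_cmdline_add "$demo" apparmor=1
grub_cmdline_add "$demo" security=apparmor
grep '^GRUB_CMDLINE_LINUX=' "$demo"
rm -f "$demo"
```

After a real edit, `update-grub` still has to be run for the change to reach `/boot/grub/grub.cfg`; the audit side should likewise read the generated `grub.cfg` (or `/proc/cmdline` for the running kernel) if it wants to confirm that the parameter is actually in effect rather than merely configured.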

Code has to be in `/opt/cis-hardening`

Looks like the scripts have to be present in /opt/cis-hardening.

Following the quick start guide doesn't work: ./bin/hardening.sh immediately complains about /opt/cis-hardening not being present.

Could the README file be updated, or the code adjusted to run from arbitrary locations?

SSH protocol 2 check is obsolete

Protocol 1 support was removed from OpenSSH 7.4. Debian 8 might conceivably have been the last one shipping with OpenSSH earlier than that (as Stretch was shipped with 7.4). Debian 8 has reached end of life and end of security support more than a year ago. This check results in a false positive in pretty much all supported configurations (except possibly those that have been upgrades from older Debian versions and have not had their configuration properly updated).

Sounds like a good time to retire this check entirely, I suppose.

Bug when reporting number of checks failed, passed, ... with `--only`

# ./hardening.sh --audit-all --only 1.3.3
hardening                 [INFO] Treating /opt/cis-hardening/bin/hardening/1.3.3_logfile_sudo.sh
1.3.3_logfile_sudo        [INFO] Working on 1.3.3_logfile_sudo
1.3.3_logfile_sudo        [INFO] [DESCRIPTION] Ensure sudo log files exists.
1.3.3_logfile_sudo        [INFO] Checking Configuration
1.3.3_logfile_sudo        [INFO] Performing audit
1.3.3_logfile_sudo        [ KO ] Defaults log file not found in sudoers files
1.3.3_logfile_sudo        [ KO ] Check Failed
################### SUMMARY ###################
      Total Available Checks : 1
         Total Runned Checks : 1
         Total Passed Checks : [     0/1 ]
         Total Failed Checks : [     1/1 ]
/opt/cis-hardening/lib/common.sh: line 129: -$_d: substring expression < 0
   Enabled Checks Percentage : 100.00 %
       Conformity Percentage :  %

2.2.1.2 always fails because systemd-timesyncd isn't detected correctly

Hi,

Check 2.2.1.2 "Ensure systemd-timesyncd is configured (Not Scored)" fails even though systemd-timesyncd is enabled, since the is_service_enabled function doesn't work with systemd-timesyncd.
According to the CIS Debian 10 Benchmark, systemctl is-enabled systemd-timesyncd.service is the correct / a working check. This should return enabled.

The output of timedatectl status I get on my system isn't consistent with what's written in the benchmark.
Benchmark:

Local time: Tue 2019-06-04 15:40:45 EDT 
Universal time: Tue 2019-06-04 19:40:45 UTC 
RTC time: Tue 2019-06-04 19:40:45 
Time zone: America/New_York (EDT, -0400) 
NTP enabled: yes 
NTP synchronized: yes 
RTC in local TZ: no 
DST active: yes 
Last DST change: DST began at 
    Sun 2019-03-10 01:59:59 EST 
    Sun 2019-03-10 03:00:00 EDT 
Next DST change: DST ends (the clock jumps one hour backwards) at 
    Sun 2019-11-03 01:59:59 EDT 
    Sun 2019-11-03 01:00:00 EST

My System (up to date Debian 10)

Local time: Wed 2021-04-07 20:57:41 CEST
Universal time: Wed 2021-04-07 18:57:41 UTC
RTC time: Wed 2021-04-07 18:57:42
Time zone: Europe/Berlin (CEST, +0200)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no

/var/tmp is not a partition (it is)

Getting
1.1.7_var_tmp_partition [ KO ] /var/tmp is not a partition
even though /var/tmp is a tmpfs. This seems to be because /etc/fstab is used to check if a given mountpoint is a partition. In containers, this might not work. Maybe use mountpoint instead?

# mountpoint /var/tmp/
/var/tmp/ is a mountpoint
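This report and the earlier LVM one (`/dev/mapper/vgdebian-tmp on /tmp` flagged as "not a partition") fail for the same reason: `/etc/fstab` describes what should be mounted at boot, not what is mounted, and it does not list tmpfs or bind mounts set up by a container runtime. The snippet below is an added example for this page, not the project's partition check: it answers the question from the kernel's mount table instead, and also reads the mount options, which is what the companion `nodev`/`nosuid`/`noexec` checks need. The mount table embedded in it is constructed for the demo; the live wrapper reads `/proc/self/mounts`.

```shell
#!/bin/sh
# Added example, not debian-cis code: decide whether a path is a separate
# mount by consulting the mount table rather than /etc/fstab, so LVM volumes
# (/dev/mapper/...), tmpfs and container bind mounts are all recognised.

# Constructed table in /proc/self/mounts format:
#   source target fstype options dump pass
# (the kernel escapes spaces in paths as \040; none appear here).
SAMPLE_MOUNTS='/dev/mapper/vgdebian-root / xfs rw,relatime,attr2,inode64,noquota 0 0
/dev/mapper/vgdebian-tmp /tmp xfs rw,nosuid,nodev,noexec,relatime,attr2,inode64,noquota 0 0
tmpfs /var/tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0'

# normalise_path PATH: strip trailing slashes ("/var/tmp/" -> "/var/tmp"),
# keeping "/" itself intact.
normalise_path() {
    p=$(printf '%s' "$1" | sed 's#/*$##')
    printf '%s\n' "${p:-/}"
}

# is_mountpoint_in TABLE PATH: 0 if PATH is a mount target in TABLE.
is_mountpoint_in() {
    path=$(normalise_path "$2")
    printf '%s\n' "$1" | awk -v p="$path" '$2 == p {found=1} END {exit !found}'
}

# mount_options_in TABLE PATH: print the comma-separated options of the
# mount at PATH (last entry wins if mounted several times); 1 if not mounted.
mount_options_in() {
    is_mountpoint_in "$1" "$2" || return 1
    path=$(normalise_path "$2")
    printf '%s\n' "$1" | awk -v p="$path" '$2 == p {print $4}' | tail -n 1
}

# has_mount_option TABLE PATH OPTION: 0 when OPTION (e.g. noexec) is set.
has_mount_option() {
    mount_options_in "$1" "$2" | tr ',' '\n' | grep -q -x "$3"
}

# Live wrappers: the same checks against this host's mount table.
is_mountpoint()     { is_mountpoint_in "$(cat /proc/self/mounts)" "$1"; }
has_option_live()   { has_mount_option "$(cat /proc/self/mounts)" "$1" "$2"; }

# Demo on the constructed table.
for p in /tmp /var/tmp/ /var/log; do
    if is_mountpoint_in "$SAMPLE_MOUNTS" "$p"; then
        echo "$p: separate mount, options $(mount_options_in "$SAMPLE_MOUNTS" "$p")"
    else
        echo "$p: not a separate mount"
    fi
done
```

`mountpoint -q PATH` from util-linux gives the same yes/no answer for a live path; reading the table directly has the advantage that one pass also yields the filesystem type and options, so an audit can report "/var/tmp is a tmpfs mounted without noexec" instead of only "is/is not a partition".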

docker issue during remediation

Hello,

I was running part of the remediation tests and we found out that it is modifying the docker container files' permissions. How could we change this? We don't want docker to be affected.
The partition is /var/lib/docker, but how could we avoid modifying those directories? Also I am not sure which remediation file caused this.
Basically it changes the ownership of some files from a "specific service user" to "root".

Thank you,
