cis-dil-benchmark
tcp_wrapper/tcpd is deprecated on Redhat8 and hence cis-dil failed for cis-dil-benchmark-3.4.1
Hi Team,
I am running this inspec profile on my rhel8 and it failed like below... since tcp_wrapper/tcpd is deprecated on Redhat8
× cis-dil-benchmark-3.4.1: Ensure TCP Wrappers is installed (2 failed)
Any workaround for this?
thanks, https://bharathkumaraju.com
Is there any way I can skip the specific check cis-dil-benchmark-3.4.1 in my inspec command?
Thank you @Bharathkumarraju for your report. We should add an only_if condition that checks for tcp wrapper, see https://docs.chef.io/inspec/dsl_inspec/#use-only_if-to-exclude-a-specific-control. Any PR is welcome to improve the situation.
@chris-rock meanwhile I did a workaround to skip the failed checks 👍 thanks!!!
We run checks with packer and my `regex_to_skip` variable is this.

```hcl
regex_to_skip = "/^(((?!cis-dil-benchmark-1.1.[6789])(?!cis-dil-benchmark-1.1.1[01234])(?!cis-dil-benchmark-1.1.[2345])(?!cis-dil-benchmark-1.4.2)(?!cis-dil-benchmark-6.1.[3579])(?!cis-dil-benchmark-1.[16].1.[38])(?!cis-dil-benchmark-3.6.[2345])(?!cis-dil-benchmark-5.4.1.2)(?!cis-dil-benchmark-4.1.12)(?!cis-dil-benchmark-3.4.1)(?!cis-dil-benchmark-1.1.17)(?!cis-dil-benchmark-4.2.4).))*$/"

provisioner "inspec" {
  inspec_env_vars = ["CHEF_LICENSE=accept"]
  profile         = "https://github.com/dev-sec/cis-dil-benchmark"
  user            = "${var.aws_ssh_user}"
  extra_arguments = [
    "--no-distinct-exit",
    "--sudo",
    "--controls",
    "${var.regex_to_skip}"
  ]
}
```
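
Added example (not from the thread or the dev-sec project): a Ruby check of which control IDs the posted `--controls` pattern excludes, assuming InSpec runs exactly the IDs the pattern matches. The sample IDs are constructed to exercise the pattern and are not the profile's control list; `intended_patterns`, `classify` and `audit` are hypothetical helper names.

```ruby
# Added example: audit what a negative-lookahead --controls regex really skips.
# The pattern is the one posted above, without the surrounding slashes.
SKIP_REGEX = Regexp.new(
  '^(((?!cis-dil-benchmark-1.1.[6789])(?!cis-dil-benchmark-1.1.1[01234])' \
  '(?!cis-dil-benchmark-1.1.[2345])(?!cis-dil-benchmark-1.4.2)' \
  '(?!cis-dil-benchmark-6.1.[3579])(?!cis-dil-benchmark-1.[16].1.[38])' \
  '(?!cis-dil-benchmark-3.6.[2345])(?!cis-dil-benchmark-5.4.1.2)' \
  '(?!cis-dil-benchmark-4.1.12)(?!cis-dil-benchmark-3.4.1)' \
  '(?!cis-dil-benchmark-1.1.17)(?!cis-dil-benchmark-4.2.4).))*$'
)

# Turn each (?!...) body into a whole-ID pattern with literal dots:
# these are the controls the lookahead names exactly.
def intended_patterns(regex)
  regex.source.scan(/\(\?!([^)]*)\)/).flatten.map do |body|
    Regexp.new('\A' + body.gsub('.') { '\.' } + '\z')
  end
end

# :run        -> the regex matches, so the control is executed
# :skipped    -> excluded, and named exactly by one lookahead
# :collateral -> excluded only because a lookahead matched as a prefix
def classify(id, regex = SKIP_REGEX)
  return :run if regex.match?(id)
  intended_patterns(regex).any? { |pat| pat.match?(id) } ? :skipped : :collateral
end

# Group a list of control IDs by what the skip regex does to them.
def audit(ids, regex = SKIP_REGEX)
  ids.group_by { |id| classify(id, regex) }
end

# Constructed control IDs (assumption: not the profile's actual control list).
SAMPLE_IDS = %w[
  cis-dil-benchmark-1.1.2 cis-dil-benchmark-1.1.18 cis-dil-benchmark-1.1.20
  cis-dil-benchmark-1.1.21 cis-dil-benchmark-3.4.1 cis-dil-benchmark-3.4.2
  cis-dil-benchmark-4.1.12 cis-dil-benchmark-5.4.1.2 cis-dil-benchmark-6.1.10
].freeze

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_IDS).each { |status, ids| puts "#{status}: #{ids.join(', ')}" }
end
```

Any ID reported as `:collateral` is a control that silently drops out of the compliance run; ending each lookahead with `$`, as in `(?!cis-dil-benchmark-1.1.[2345]$)`, limits it to the exact ID.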