Task 1.1.1 - Configure Filesystem Kernel Modules #285

Open
msachikanta opened this issue Jan 30, 2025 · 2 comments
Labels: duplicate (This issue or pull request already exists)

Comments
@msachikanta

Have you checked ReadtheDocs?:
Yes

Describe the Issue
It looks like the lineinfile ansible module for tasks 1.1.1.1 to 1.1.1.9 has the wrong line, as shown below:

For example, task 1.1.1.1

```yaml
- name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Edit modprobe config"
  ansible.builtin.lineinfile:
    path: /etc/modprobe.d/CIS.conf
    regexp: "^(#)?install cramfs(\\s|$)"
    line: "install cramfs /bin/true"
    create: true
    mode: 'go-rwx'
```

As per the CIS Workbench documentation it should be `install squashfs /bin/false`, as shown below:

[Image: screenshot of the CIS Workbench recommendation]

Link to CIS workbench documentation - https://workbench.cisecurity.org/sections/2758812/recommendations/4466392

Expected Behavior
As per the CIS Workbench documentation, it should be `install squashfs /bin/false`.

Actual Behavior
It's appearing as `install squashfs /bin/true` for all filesystem kernel module controls in the ansible role.

Control(s) Affected
Following filesystem kernel modules controls are affected:

rhel9cis_rule_1_1_1_1
rhel9cis_rule_1_1_1_2
rhel9cis_rule_1_1_1_3
rhel9cis_rule_1_1_1_4
rhel9cis_rule_1_1_1_5
rhel9cis_rule_1_1_1_6
rhel9cis_rule_1_1_1_7
rhel9cis_rule_1_1_1_8
rhel9cis_rule_1_1_1_9

Environment (please complete the following information):

  • branch being used: devel

Additional Notes
It's the same for all the ansible roles, such as RHEL7-CIS, RHEL8-CIS, RHEL9-CIS, AMAZON2-CIS and AMAZON2023-CIS.

Possible Solution
Replacing `install squashfs /bin/true` with `install squashfs /bin/false` will fix the issue.

@msachikanta msachikanta added the bug Something isn't working label Jan 30, 2025
@uk-bolly (Member) commented Jan 30, 2025

Hi @msachikanta

Thank you for raising this issue; this is one we have seen many times. I assume you are using a scanner of some type to check compliance.
What we are seeing is that, many times, they are expecting the result to match the example that is provided in the benchmark for remediation, whereas reading the audit section gives the possible answers.
In this case:

> An entry including /bin/true or /bin/false exists in a file within the /etc/modprobe.d/ directory

These are seen as false positives and are really caused by some of the scanners being too brittle in what they expect.

I hope that helps?

Many thanks

uk-bolly

@uk-bolly uk-bolly self-assigned this Jan 30, 2025
@uk-bolly uk-bolly added duplicate This issue or pull request already exists and removed bug Something isn't working labels Jan 30, 2025
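The distinction made in the reply above, as an added example that is not code from this issue, from the ansible-lockdown roles, or from the CIS benchmark: a small audit helper that mirrors the quoted audit wording (an `install <module>` line pointing at either `/bin/true` or `/bin/false` in a file under `/etc/modprobe.d/`), placed beside the brittle "must literally be /bin/false" match that the reply attributes to some scanners. The directory is passed as a parameter so the check runs against a constructed fixture rather than the live host; the function names, the fixture contents and the strict-scanner behaviour are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example for this issue; not code from the ansible-lockdown roles or
# from the CIS benchmark. It contrasts the benchmark's audit wording
# ("an entry including /bin/true or /bin/false exists in a file within
# /etc/modprobe.d/") with a scanner that only accepts the remediation
# example verbatim. Function names, fixture contents and the strict-scanner
# behaviour are assumptions made for illustration.

# Build a throwaway modprobe.d (constructed sample) with the kinds of lines
# an audit will meet: an accepted /bin/true, an accepted /bin/false, a
# commented-out directive, and a blacklist-only entry.
make_fixture() {
  local dir
  dir="$(mktemp -d)"
  cat > "$dir/CIS.conf" <<'EOF'
# managed by a hardening role (constructed sample)
install cramfs /bin/true
install squashfs /bin/false
#install udf /bin/true
blacklist cramfs
EOF
  # A blacklist alone is not the "install" entry the audit text asks for.
  printf 'blacklist freevxfs\n' > "$dir/local.conf"
  echo "$dir"
}

# benchmark_audit <module> <dir>: mirrors the quoted audit wording.
# Accepts "install <module> /bin/true" OR "/bin/false" in any *.conf file,
# ignores commented-out lines; prints pass/fail and returns 0/1.
benchmark_audit() {
  local module="$1" dir="$2"
  if grep -Eqs "^[[:space:]]*install[[:space:]]+${module}[[:space:]]+/bin/(true|false)[[:space:]]*$" "$dir"/*.conf; then
    echo pass; return 0
  fi
  echo fail; return 1
}

# strict_scanner <module> <dir>: the behaviour the reply describes, where a
# scanner string-matches the remediation example (/bin/false) and nothing else.
strict_scanner() {
  local module="$1" dir="$2"
  if grep -Eqs "^[[:space:]]*install[[:space:]]+${module}[[:space:]]+/bin/false[[:space:]]*$" "$dir"/*.conf; then
    echo pass; return 0
  fi
  echo fail; return 1
}

# Usage: compare the two verdicts over the fixture. cramfs is the case from
# the issue: it satisfies the audit wording but fails the strict scanner.
d="$(make_fixture)"
for m in cramfs squashfs udf freevxfs; do
  printf '%-9s benchmark=%s strict=%s\n' "$m" \
    "$(benchmark_audit "$m" "$d")" "$(strict_scanner "$m" "$d")"
done
rm -rf "$d"
```

Pointing `benchmark_audit` at the real `/etc/modprobe.d` is a direct reading of the audit text; if a compliance tool disagrees with it while `benchmark_audit` passes, the disagreement is in the tool's pattern, which is the false positive the reply describes.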
@msachikanta (Author) commented

Hi @uk-bolly
Thank you so much for the clarification.
Thanks, Sachi
