CIS profile check running into timeout

muelli · November 2, 2022, 10:16am

Hello forum,

I am running a daily CIS compliance (CIS RedHat Enterprise Linux 7 Benchmark Level 1 - server) check nightly and on one server two checks fail and exit because of timeout (many, many files!):

xccdf_org.cisecurity.benchmarks_rule_6.1.11_Ensure_no_unowned_files_or_directories_exist:
Command df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser timed out after seconds

xccdf_org.cisecurity.benchmarks_rule_6.1.12_Ensure_no_ungrouped_files_or_directories_exist:
Command df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup timed out after seconds

I tried to create a wrapper and overwrite the checks above and append a "timeout=3600" option to the command directive. Sadly this did not work.
Any advice an how to add this timeout the correct way?

Thanks!

muelli · November 4, 2022, 7:04am

I found out, if I run inspec not via the chef audit cookbook but via CLI and pass the --command-timeout=3600 parameter, the scan completes successfully.
This pops up two questions in my head:

according to the docs, 3600 should be the default if --command-timeout is not passed at all. So why does it fail then?
how can I pass the --command-option to inspec if run from the audit cookbook?

Any advice? Thanks!

Topic		Replies	Views
Having trouble with chefspec on EC2 error - Net::OpenTimeout execution expired Chef Infra (archive)	0	1347	October 18, 2017
Chef InSpec 4.31.0 Released! Chef Release Announcements	0	337	April 7, 2021
Unable to Skip Inspec Test os-06 (Check for SUID/ SGID blacklist) in DevSec Linux Security Baseline 2.2.0 profile Chef InSpec	0	963	May 10, 2018
Chef InSpec 4.32.0 Released! Chef Release Announcements	0	414	April 14, 2021
InSpec - checking files/directories when testing remote hosts Chef InSpec	1	1126	February 2, 2019

CIS profile check running into timeout

Related topics