SLES12 -- false +ve test result


#1

I have been trying to use chef compliance tool to audit a SLES12.01 system.

The tool works great except for a few cases.

Somehow the tool fails to detect that most of the services under /etc/xinetd.d are disabled.

For example, even if the rsh server entry in /etc/xinetd.d/rsh is configured as:

service shell
{
    socket_type     = stream
    protocol        = tcp
    flags           = NAMEINARGS
    wait            = no
    user            = root
    group           = root
    log_on_success  += USERID
    log_on_failure  += USERID
    server          = /usr/sbin/tcpd
#   server_args     = /usr/sbin/in.rshd -L
    server_args     = /usr/sbin/in.rshd -aL
    disable         = yes
}

The failure message displayed is:

Failure: Xinetd config /etc/xinetd.conf with service == "shell" socket_type == "stream"

Any input on how to work around it?



#2

If I enable a service in xinetd.d I get the following error:


#3

Which version of Chef Compliance are you using? We've added a couple of SUSE improvements with InSpec v0.33.0 (https://github.com/chef/inspec/pull/1007), which is included in Chef Compliance 1.5.6 (see "Chef Compliance 1.5.6 Released"). In case you still see issues, it would be very helpful if you could copy the InSpec test or the CIS identifier.


#4

root@secplat:/opt/chef-compliance/embedded# dpkg -l | grep chef
ii chef-compliance 1.5.14-1 amd64 The full stack of chef-compliance

CIS identifier 5.1.3 Ensure rsh server is not enabled (Scored).

The tool has been installed on ubuntu 14.04 LTS (trusty). Target now is SUSE 12-SP1.


#5

I have upgraded chef compliance to version 1.6.8 on ubuntu 14.04. Still the issue is present.

None of the xinetd tests passes. In /etc/xinetd.d/discard (below), the service discard is disabled, yet the compliance check fails, saying "Ensure discard is not enabled".


#6

Here is the relevant code from translated-controls.rb:

control "xccdf_org.cisecurity.benchmarks_rule_5.9_Ensure_discard_is_not_enabled" do
  title "Ensure discard is not enabled"
  desc "discard is a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
  impact 1.0
  # xinetd_conf filters by service name and socket type; be_disabled expects
  # every matching stanza to carry disable = yes
  describe xinetd_conf.services("discard").socket_types("stream") do
    it { should be_disabled }
  end
end
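An added example, not code from the thread and not InSpec's own xinetd_conf resource: a small stand-alone Ruby parser for xinetd service stanzas that answers the same question the CIS controls in posts #1 and #6 ask ("is this service, on this socket type, disabled?") the way xinetd itself reads the file. Comment lines are dropped, `=`, `+=` and `-=` are honoured, a repeated key takes its last value, and two stanzas sharing a service name (such as the stream and dgram variants of discard) are evaluated separately. The two sample files are constructed: the rsh stanza mirrors post #1, the discard stanzas are invented to show a mixed case. It is a cross-check to run by hand when a tool's verdict looks wrong, not a replacement for the tool.

```ruby
# Constructed sample resembling /etc/xinetd.d/rsh from post #1 (the first
# server_args line is commented out, as it normally is on SLES).
RSH_CONF = <<~CONF
  service shell
  {
      socket_type     = stream
      protocol        = tcp
      flags           = NAMEINARGS
      wait            = no
      user            = root
      group           = root
      log_on_success  += USERID
      log_on_failure  += USERID
      server          = /usr/sbin/tcpd
  #   server_args     = /usr/sbin/in.rshd -L
      server_args     = /usr/sbin/in.rshd -aL
      disable         = yes
  }
CONF

# Constructed sample: the stream variant of discard is left enabled, the
# dgram variant is disabled, so a socket_type filter changes the verdict.
DISCARD_CONF = <<~CONF
  service discard
  {
      type            = INTERNAL
      id              = discard-stream
      socket_type     = stream
      protocol        = tcp
      user            = root
      wait            = no
      disable         = no
  }
  service discard
  {
      type            = INTERNAL
      id              = discard-dgram
      socket_type     = dgram
      protocol        = udp
      user            = root
      wait            = yes
      disable         = yes
  }
CONF

# Parse xinetd service stanzas into an array of hashes, one per stanza.
# Only the attribute syntax that matters for an enabled/disabled verdict is
# handled; the "defaults" block, includedir and "enabled =" are not.
def parse_xinetd(text)
  stanzas = []
  current = nil
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip          # drop comments and padding
    next if line.empty?
    if (m = line.match(/\Aservice\s+(\S+)\z/))
      current = { 'service' => m[1] }
    elsif line == '{'
      next
    elsif line == '}'
      stanzas << current if current
      current = nil
    elsif current && (m = line.match(/\A(\w+)\s*(\+=|-=|=)\s*(.*)\z/))
      key, op, value = m[1], m[2], m[3].strip
      case op
      when '='  then current[key] = value   # a repeated key: last one wins
      when '+=' then current[key] = [current[key], value].compact.join(' ')
      when '-=' then current[key] = (current[key] || '').split.reject { |v| v == value }.join(' ')
      end
    end
  end
  stanzas
end

# Stanzas for +name+ (optionally narrowed to one socket_type) that xinetd
# would actually start, i.e. that lack "disable = yes".
def enabled_stanzas(stanzas, name, socket_type: nil)
  stanzas.select do |s|
    s['service'] == name &&
      (socket_type.nil? || s['socket_type'] == socket_type) &&
      !s.fetch('disable', 'no').casecmp?('yes')
  end
end

# A service counts as disabled when no matching stanza is enabled; a service
# with no stanza at all is also "disabled", since xinetd cannot start it.
def service_disabled?(stanzas, name, socket_type: nil)
  enabled_stanzas(stanzas, name, socket_type: socket_type).empty?
end

# One-line verdict in the spirit of the CIS "Ensure X is not enabled" checks.
def audit(text, name, socket_type: nil)
  status = service_disabled?(parse_xinetd(text), name, socket_type: socket_type) ? 'disabled' : 'ENABLED'
  "#{name}#{socket_type ? " (#{socket_type})" : ''}: #{status}"
end

if $PROGRAM_NAME == __FILE__
  # Pass a real file to audit it: ruby xinetd_check.rb /etc/xinetd.d/rsh shell stream
  if ARGV.length >= 2
    puts audit(File.read(ARGV[0]), ARGV[1], socket_type: ARGV[2])
  else
    puts audit(RSH_CONF, 'shell', socket_type: 'stream')
    puts audit(DISCARD_CONF, 'discard', socket_type: 'stream')
    puts audit(DISCARD_CONF, 'discard', socket_type: 'dgram')
    puts audit(DISCARD_CONF, 'discard')
  end
end
```

Running it without arguments reports shell (stream) as disabled, which is the verdict post #1 expected from the tool; discard is reported enabled on stream, disabled on dgram, and enabled overall, which is exactly the distinction a socket_type filter like the one in post #6 has to get right.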


#7

I tracked that issue here https://github.com/chef/inspec/issues/1282