SLES12 -- false +ve test result

kallol · October 11, 2016, 7:15pm

I have been trying to use chef compliance tool to audit a SLES12.01 system.

The tool works great except for a few cases.

Somehow the tool tails detect most of the services under /etc/xinetd.d are disabled.

For example even if the rsh server entry in /etc/xinetd.d/rsh is configured as:

service shell
{
socket_type = stream
protocol = tcp
flags = NAMEINARGS
wait = no
user = root
group = root
log_on_success += USERID
log_on_failure += USERID
server = /usr/sbin/tcpd

server_args = /usr/sbin/in.rshd -L

    server_args     = /usr/sbin/in.rshd -aL
    disable         = yes

}

The failure message displayed is:

Falire: Xinetd config /etc/xinetd.conf with service == “shell” socket_type == “stream”

Any input how to work around it?

.

kallol · October 11, 2016, 10:18pm

If I enable a service in xinetd.d I get the following error:

chris-rock · October 17, 2016, 12:05pm

Which version of Chef Compliance are you using? We’ve added a couple of Suse improvements with InSpec v0.33.0 https://github.com/chef/inspec/pull/1007 which is included in Chef Compliance 1.5.6 Chef Compliance 1.5.6 Released In case your see still issues, it would be very helpful if you could copy the InSpec test or the CIS identifier

kallol · October 24, 2016, 10:39pm

root@secplat:/opt/chef-compliance/embedded# dpkg -l | grep chef
ii chef-compliance 1.5.14-1 amd64 The full stack of chef-compliance

CIS identifier 5.1.3 Ensure rsh server is not enabled (Scored).

The tool has been installed on ubuntu 14.04 LTS (trusty). Target now is SUSE 12-SP1.

kallol · October 25, 2016, 4:32am

I have upgraded chef compliance to version 1.6.8 on ubuntu 14.04. Still the issue is present.

None of the xinetd tests passes. In /etc/xinetd.d/discard below the service discard is disabled, yet the compliance fails saying "Ensure discard is not enabled".

kallol · October 25, 2016, 7:42pm

Here is the relevant code from translated-controls.rb:

control “xccdf_org.cisecurity.benchmarks_rule_5.9_Ensure_discard_is_not_enabled” do
title "Ensure discard is not enabled"
desc "discard is a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
impact 1.0
describe xinetd_conf.services(“discard”).socket_types(“stream”) do
it { should be disabled }
end
end

chris-rock · November 7, 2016, 1:21pm

I tracked that issue here https://github.com/chef/inspec/issues/1282

Topic		Replies	Views
Broken rsyslog test on SLES12 Chef Infra (archive)	0	500	November 1, 2016
Inspec file matcher windows Chef InSpec	3	2026	March 31, 2016
RE: Service statement bug in recipe when running on SuSe..? Chef Infra (archive)	0	215	September 16, 2011
Unable to Skip Inspec Test os-06 (Check for SUID/ SGID blacklist) in DevSec Linux Security Baseline 2.2.0 profile Chef InSpec	0	914	May 10, 2018
CHEF to check CHEF Chef Infra (archive)	2	299	January 30, 2019

SLES12 -- false +ve test result

server_args = /usr/sbin/in.rshd -L

Related Topics