SLES12 -- false +ve test result

kallol · October 11, 2016, 7:15pm

I have been trying to use chef compliance tool to audit a SLES12.01 system.

The tool works great except for a few cases.

Somehow the tool tails detect most of the services under /etc/xinetd.d are disabled.

For example even if the rsh server entry in /etc/xinetd.d/rsh is configured as:

service shell
{
socket_type = stream
protocol = tcp
flags = NAMEINARGS
wait = no
user = root
group = root
log_on_success += USERID
log_on_failure += USERID
server = /usr/sbin/tcpd

server_args = /usr/sbin/in.rshd -L

    server_args     = /usr/sbin/in.rshd -aL
    disable         = yes

}

The failure message displayed is:

Falire: Xinetd config /etc/xinetd.conf with service == “shell” socket_type == “stream”

Any input how to work around it?

.

kallol · October 11, 2016, 10:18pm

If I enable a service in xinetd.d I get the following error:

chris-rock · October 17, 2016, 12:05pm

Which version of Chef Compliance are you using? We’ve added a couple of Suse improvements with InSpec v0.33.0 https://github.com/chef/inspec/pull/1007 which is included in Chef Compliance 1.5.6 Chef Compliance 1.5.6 Released In case your see still issues, it would be very helpful if you could copy the InSpec test or the CIS identifier

kallol · October 24, 2016, 10:39pm

root@secplat:/opt/chef-compliance/embedded# dpkg -l | grep chef
ii chef-compliance 1.5.14-1 amd64 The full stack of chef-compliance

CIS identifier 5.1.3 Ensure rsh server is not enabled (Scored).

The tool has been installed on ubuntu 14.04 LTS (trusty). Target now is SUSE 12-SP1.

kallol · October 25, 2016, 4:32am

I have upgraded chef compliance to version 1.6.8 on ubuntu 14.04. Still the issue is present.

None of the xinetd tests passes. In /etc/xinetd.d/discard below the service discard is disabled, yet the compliance fails saying "Ensure discard is not enabled".

kallol · October 25, 2016, 7:42pm

Here is the relevant code from translated-controls.rb:

control “xccdf_org.cisecurity.benchmarks_rule_5.9_Ensure_discard_is_not_enabled” do
title "Ensure discard is not enabled"
desc "discard is a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
impact 1.0
describe xinetd_conf.services(“discard”).socket_types(“stream”) do
it { should be disabled }
end
end

chris-rock · November 7, 2016, 1:21pm

I tracked that issue here https://github.com/chef/inspec/issues/1282

Topic		Replies	Views
Broken rsyslog test on SLES12 Chef Infra (archive)	0	516	November 1, 2016
Chef Compliance 1.2.4 Released Chef Release Announcements	0	894	May 17, 2016
Chef InSpec 4.12.0 Released! Chef Release Announcements	0	380	August 15, 2019
500 Error - Chef Compliance Profile Upload Chef Automate	3	1633	November 9, 2016
Chef InSpec 5.12.2 Released! Chef Release Announcements	0	506	April 8, 2022

SLES12 -- false +ve test result

server_args = /usr/sbin/in.rshd -L

Related topics