ansible-lockdown / RHEL8-CIS

Ansible role for Red Hat 8 CIS Baseline
https://ansible-lockdown.readthedocs.io/en/latest/
MIT License

Current 4.2.3 Ensure permissions on all logfiles are configured remediation will break RHEL8 #128

Closed MarcoV-git closed 3 years ago

MarcoV-git commented 3 years ago

Guys,

The CIS version v1.0.0.1 remediation will break an existing RHEL8 build; the remediation step: `find /var/log -type f -exec chmod g-wx,o-rwx "{}" + -o -type d -exec chmod g-w,o-rwx "{}" +` is not valid for Fedora and RHEL.

This has been fixed in the CIS v1.0.1 standard. It has been updated to: `find /var/log/ -type f -perm /g+wx,o+rwx -exec chmod g-wx,o-rwx "{}" +`

Please update your code in both version tags... ;-))

georgenalen commented 3 years ago

@MarcoV-git, thanks for the find and fix. We are working on updating to the latest benchmarks and this will be added into that work. Again, thanks for alerting us to issues like this one. It helps improve the project, especially if the issue is something wrong in the benchmark. Those aren't as easy to catch on the fly when creating the remediation steps.

-George

georgenalen commented 3 years ago

This issue was resolved in release 1.4.0
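
To see what differs between the two remediation commands quoted in this issue, the following added example (not part of the issue thread or the role's code) runs each against a constructed scratch tree instead of /var/log and reports the resulting modes. The tree layout, file names and function names are made up for the demonstration; it assumes `find` with `-perm /MODE` support and `stat -c`.

```shell
#!/bin/sh
# Added example: compares the two remediation commands from the issue on a
# constructed tree (never /var/log) and reports the resulting octal modes.

# Build a constructed sample tree; names and modes are made up for the demo.
make_tree() {
    root=$(mktemp -d)
    mkdir "$root/app"
    : > "$root/app/app.log"
    : > "$root/secure.log"
    : > "$root/wide.log"
    chmod 755 "$root/app"
    chmod 644 "$root/app/app.log"
    chmod 600 "$root/secure.log"
    chmod 666 "$root/wide.log"
    printf '%s\n' "$root"
}

# Command quoted for CIS v1.0.0.1: rewrites every file and every directory.
old_remediation() {
    find "$1" -type f -exec chmod g-wx,o-rwx "{}" + -o -type d -exec chmod g-w,o-rwx "{}" +
}

# Command quoted for CIS v1.0.1: touches only files carrying a targeted bit.
new_remediation() {
    find "$1"/ -type f -perm /g+wx,o+rwx -exec chmod g-wx,o-rwx "{}" +
}

# Audit helper: files that still carry any bit the benchmark removes.
noncompliant_files() {
    find "$1"/ -type f -perm /g+wx,o+rwx | sort
}

# Modes of: app/  app/app.log  secure.log  wide.log  (one line).
modes() {
    stat -c %a "$1/app" "$1/app/app.log" "$1/secure.log" "$1/wide.log" | paste -sd' ' -
}

# Apply the named remediation to a fresh tree and print the resulting modes.
run_case() {
    tree=$(make_tree)
    "$1" "$tree"
    modes "$tree"
    rm -rf "$tree"
}

echo "old: $(run_case old_remediation)"
echo "new: $(run_case new_remediation)"
```

The only difference in the output is the `app` directory: the v1.0.0.1 command strips its other-user bits as well, while the v1.0.1 command leaves directories alone and skips files that are already compliant.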