ansible-lockdown / RHEL8-CIS

Ansible role for Red Hat 8 CIS Baseline
https://ansible-lockdown.readthedocs.io/en/latest/
MIT License

Nessus scan gives only 69% score in Oracle Linux 8.9 #392

Closed bantify closed 1 month ago

bantify commented 2 months ago

Question: Nessus scan gives only 69% score in Oracle Linux 8.9

Before the upgrade of CIS compliance in Nessus, the score was 77% for the same host.

Nessus Version: 10.7.4
CIS compliance version: V3.0.0
Use Role: RHEL8-CIS
branch: devel (check out date: June-30-2024)

Environment (please complete the following information): Oracle Linux 8.9

Ansible Version: ansible [core 2.15.10]
Host Python Version: Python 3.6.8
Ansible Server Python Version: Python 3.9.6
Additional Details:

Disabled rule: rhel8cis_rule_1_2_3: false


Attached the scan report of PDF for your reference: webfe_IP_135.pdf

Last few lines of output:

TASK [roles/cis/RHEL8-CIS : Delete line TMOUT from /etc/bashrc] *****************************************************************************************************************************************************************
ok: [gzp-p-qv-webfe1]

TASK [roles/cis/RHEL8-CIS : Post Audit | Run post_remediation RHEL8-CIS audit] **************************************************************************************************************************************************
skipping: [gzp-p-qv-webfe1]

TASK [roles/cis/RHEL8-CIS : Post Audit | Ensure audit files readable by users] **************************************************************************************************************************************************
skipping: [gzp-p-qv-webfe1]

TASK [roles/cis/RHEL8-CIS : Post Audit | Capture data {{ post_audit_outfile }}] *************************************************************************************************************************************************
skipping: [gzp-p-qv-webfe1]

TASK [roles/cis/RHEL8-CIS : Post Audit | Capture post-audit result] *************************************************************************************************************************************************************
skipping: [gzp-p-qv-webfe1]

TASK [roles/cis/RHEL8-CIS : Post Audit | Capture data {{ post_audit_outfile }}] *************************************************************************************************************************************************
skipping: [gzp-p-qv-webfe1]

TASK [roles/cis/RHEL8-CIS : Post Audit | Capture post-audit result] *************************************************************************************************************************************************************
skipping: [gzp-p-qv-webfe1]

TASK [roles/cis/RHEL8-CIS : Show Audit Summary] *********************************************************************************************************************************************************************************
skipping: [gzp-p-qv-webfe1]

TASK [roles/cis/RHEL8-CIS : Output Warning count and control IDs affected] ******************************************************************************************************************************************************
ok: [gzp-p-qv-webfe1] => {
    "msg": "You have 7 warning(s) that require investigating that are related to the following benchmark ID(s)  [1.1.2.1.1] [1.1.2.5.1] [1.2.4] [1.5.1.6] [2.2.22] [4.5.1.2] [Reboot_required]"
}

PLAY RECAP **********************************************************************************************************************************************************************************************************************
gzp-p-qv-webfe1            : ok=316  changed=18   unreachable=0    failed=0    skipped=304  rescued=0    ignored=0   

Please help.

Regards.

uk-bolly commented 2 months ago

hi @bantify

We see this a lot, as you may see from other issues; scanners all work differently. In this case, if you investigate the test that the scanner is running against what CIS requires, you will see that it is often brittle and in many cases doesn't match the requirements. Often it only searches for the filename mentioned in the remediation steps, but does not run the audit steps, which allow the setting to be searched for in many places. I am sure you will find that many of the controls work as expected if you test the audit requirements. You may also find you are running a different version of the benchmark from the scanner you are running? Controls get moved and changed, given new control IDs, or even moved to other sections.

I also noticed a step that you have that is not part of our playbook

Delete line TMOUT from /etc/bashrc

If it is genuinely an issue happy to fix what is wrong.

Many thanks

uk-bolly
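The difference uk-bolly describes between a scanner that only looks for a filename and an audit that follows the benchmark's own check can be shown on the TMOUT control from the log above. The script below is an added example, not code from the RHEL8-CIS role or from anyone in this thread: it contrasts a brittle check that passes only if /etc/bashrc itself sets TMOUT with an audit-style check that accepts the setting in any of /etc/bashrc, /etc/profile or /etc/profile.d/*.sh, requires a value of 1 to 900 seconds, and requires the variable to be readonly and exported. The set of permitted files, the 900-second limit and the readonly/export requirement are this example's assumptions about the control; the sample directory tree is constructed inline and mirrors the issue's "Delete line TMOUT from /etc/bashrc" task.

```shell
#!/bin/sh
# Added example (not part of the RHEL8-CIS role): a brittle single-file
# TMOUT check beside an audit-style check that searches every permitted
# location. File list and thresholds are assumptions, not the role's code.

# Brittle scanner-style check: passes only if /etc/bashrc sets TMOUT.
brittle_tmout_check() {
    chk_root="$1"
    grep -Eq '^[[:space:]]*(readonly[[:space:]]+)?TMOUT=' "$chk_root/etc/bashrc" 2>/dev/null
}

# Audit-style check: TMOUT must be set in at least one permitted file,
# be between 1 and 900 seconds, and be both readonly and exported there.
audit_tmout_check() {
    chk_root="$1"
    for f in "$chk_root"/etc/bashrc "$chk_root"/etc/profile "$chk_root"/etc/profile.d/*.sh; do
        [ -f "$f" ] || continue
        # Extract the numeric value from the first "TMOUT=<n>" assignment.
        val=$(grep -E '^[[:space:]]*(readonly[[:space:]]+)?TMOUT=[0-9]+' "$f" \
              | head -n 1 | sed -E 's/.*TMOUT=([0-9]+).*/\1/')
        [ -n "$val" ] || continue
        [ "$val" -ge 1 ] && [ "$val" -le 900 ] || continue
        # The value must not be overridable by the user: readonly and exported.
        grep -Eq '^[[:space:]]*readonly[[:space:]]+TMOUT(=|[[:space:]]|$)' "$f" || continue
        grep -Eq '(^|[[:space:];])export[[:space:]]+TMOUT(=|[[:space:]]|$)' "$f" || continue
        echo "TMOUT=$val set correctly in ${f#$chk_root}"
        return 0
    done
    echo "no compliant TMOUT setting found under $chk_root/etc"
    return 1
}

# Constructed sample tree: /etc/bashrc has no TMOUT (as after the issue's
# "Delete line TMOUT" task); the setting lives in /etc/profile.d/tmout.sh.
make_sample_root() {
    sample_root=$(mktemp -d)
    mkdir -p "$sample_root/etc/profile.d"
    printf '# bashrc without TMOUT\nalias ll="ls -l"\n' > "$sample_root/etc/bashrc"
    printf '# profile\nPATH=/usr/bin:/bin\n' > "$sample_root/etc/profile"
    printf 'readonly TMOUT=900 ; export TMOUT\n' > "$sample_root/etc/profile.d/tmout.sh"
    echo "$sample_root"
}

sample=$(make_sample_root)
brittle_tmout_check "$sample" && echo "brittle check: PASS" \
    || echo "brittle check: FAIL (a filename-only scanner reports non-compliance)"
audit_tmout_check "$sample" && echo "audit check: PASS" || echo "audit check: FAIL"
rm -rf "$sample"
```

Run it as-is to see the two checks disagree on the same host layout: the brittle check fails because it never looks outside /etc/bashrc, while the audit check finds the compliant setting in /etc/profile.d. To audit a real system, call `audit_tmout_check /` and compare its result with the scanner's finding for the same control.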

uk-bolly commented 1 month ago

hi @bantify,

I will close this issue as a problem with the scanner. Unless there is something not as expected, in which case please feel free to reopen?

Many thanks

uk-bolly

bantify commented 1 month ago

Please close. Thanks.