Closed Wykx-Sama closed 4 months ago
Hi @Wykx-Sama

Thank you for your time in raising this issue. Looking through this control's documentation, it doesn't state that it must be /bin/false. The supplied remediation script sets it to false, but the audit section actually looks for the following in order to pass the audit. So in this case it can be set to either false or true.
```bash
if grep -Pq -- '^\h*install \/bin\/(true|false)' <<< "$l_loadable";
then
    l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
else
    l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
fi
```
There are larger discussions about this subject on the internet, with many feeling it should be true due to the fact that running /bin/false returns a non-zero return code, marking it as a failed item at boot time, whereas /bin/true has a clean exit code, giving the same effect and a clean boot.

Many thanks
uk-bolly
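Added example (not part of the original comment or of the benchmark's own script): a POSIX shell rendering of the audit test quoted above, showing that both install targets pass the check while their exit statuses differ. The function names and sample lines are constructed for illustration, and `[[:blank:]]` stands in for the PCRE `\h` so it runs without `grep -P`.

```shell
#!/bin/sh
# classify_loadable LINE
# LINE is assumed to be the value the audit holds in $l_loadable.
# Prints "not loadable" when the install command is /bin/true or /bin/false,
# which is the condition the quoted audit test accepts.
classify_loadable() {
    if printf '%s\n' "$1" | grep -Eq -- '^[[:blank:]]*install /bin/(true|false)'; then
        echo "not loadable"
    else
        echo "loadable"
    fi
}

# exit_status CMD...
# Prints the exit status of CMD. This is the difference between the two
# install targets: true exits 0, false exits non-zero.
exit_status() {
    if "$@" >/dev/null 2>&1; then
        echo 0
    else
        echo $?
    fi
}

# Constructed sample values, not output captured from a real host.
for line in \
    'install /bin/true' \
    'install /bin/false' \
    '  install /bin/false' \
    'insmod /lib/modules/EXAMPLE/kernel/fs/cramfs/cramfs.ko'
do
    printf '%-58s -> %s\n' "$line" "$(classify_loadable "$line")"
done

printf 'true exits %s, false exits %s\n' "$(exit_status true)" "$(exit_status false)"
```
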
Ok, thank you very much for the clarification :)

Question

Is it normal that in cis_1.1.1.yml the modprobe config line is set to /bin/true, as it's making the rule fail due to not being set to /bin/false?
Example :
Should be that ? :