arildjensen / cis-puppet

Center for Internet Security Linux Benchmark implementation for PuppetLabs

Errors on minimal CentOS 6.5 install #7

Closed spartyzik closed 10 years ago

spartyzik commented 10 years ago

I did a minimal install of CentOS 6.5, added puppet 3.4.2, and cis. I get the following errors:

puppet apply -e 'include cis::el6all'

```
/bin/cat: /var/log/control_f0003: No such file or directory
/bin/cat: /var/log/control_f0003: No such file or directory
/bin/cat: /var/log/control_f0002: No such file or directory
/bin/cat: /var/log/control_f0002: No such file or directory
Warning: Variable access via 'ntpserver' is deprecated. Use '@ntpserver' instead. template[/etc/puppet/modules/cis/templates/el6/etc/ntp.conf.erb]:5 (at /etc/puppet/modules/cis/templates/el6/etc/ntp.conf.erb:5:in `result')
Warning: Variable access via 'logserver' is deprecated. Use '@logserver' instead. template[/etc/puppet/modules/cis/templates/el6/etc/rsyslog.conf.erb]:16 (at /etc/puppet/modules/cis/templates/el6/etc/rsyslog.conf.erb:16:in `result')
Notice: Compiled catalog for vmtest3.ats.msu.edu in environment production in 4.39 seconds
/bin/cat: /var/log/control_f0003: No such file or directory
/bin/cat: /var/log/control_f0003: No such file or directory
/bin/cat: /var/log/control_f0002: No such file or directory
/bin/cat: /var/log/control_f0002: No such file or directory
```

Scripts cis/files/linuxcontrols/scripts/f000[23].sh send output to /var/log/control_f000[23] and it is checked in cis/lib/facter/f000[23].rb. The other scripts send pass/fail to standard out and check the results of the shell.

If I change f0002 and 3 to behave like the other scripts it seems to work so I don't understand why the difference.

nibalizer commented 10 years ago

@spartyzik I have recently been given contributor commit access to this project. Would you be willing to make a pull request to fix the errant scripts?

Thanks

nibalizer commented 10 years ago

So I've looked into this a bit more. The controls for 02 and 03 are very long running checks. The point here is that you can run daily cron jobs to run those checks, then communicate with the output via the /var/log/control* files.

I think the correct way forward is to document this and set the 02 and 03 facts to not run unless the corresponding /var/log/control* files are in place.
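
One way to implement the guard proposed in the comment above, as an added example that is not part of the thread or the cis-puppet module's own code: the f0002/f0003 facts read the cron-produced file only when it exists, instead of running /bin/cat on a missing path. The one-line file content, the two-day staleness limit and the helper name `control_result` are assumptions.

```ruby
# Added example, not the cis-puppet module's code. The file content (one
# result string per control file) and the max-age policy are assumptions.
require 'tmpdir'

CONTROL_DIR = '/var/log'           # location named in the issue
MAX_AGE     = 2 * 24 * 60 * 60     # assumed: cron runs daily, allow 2 days

# Returns the recorded result, or nil when the cron job has not produced a
# usable file yet. Facter leaves a fact unset when its code returns nil, so
# a missing or stale result is reported as "unknown", never as a pass.
def control_result(name, dir = CONTROL_DIR, now = Time.now)
  path = File.join(dir, "control_#{name}")
  return nil unless File.file?(path) && File.readable?(path)
  return nil if now - File.mtime(path) > MAX_AGE   # result too old to trust

  value = File.read(path).strip
  value.empty? ? nil : value
end

# Register the two long-running controls only when loaded by Facter.
if defined?(Facter)
  %w[f0002 f0003].each do |name|
    Facter.add(name) do
      setcode { control_result(name) }
    end
  end
end
```

A compliance report built on these facts should treat an unset f0002 or f0003 as "check not yet run" so that a host where the cron job never fired is not counted as compliant.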

nibalizer commented 10 years ago

Resolved in #18