Open dtseiler opened 2 years ago
I have two things to highlight here:
- While there isn't necessarily a security risk to not having an MOTD, it usually is a good idea to have one to cover you legally (see page 178 in https://www.justice.gov/criminal/file/442156/download). The official CIS Benchmark (Section 1.7) also states this as a requirement:
> Guidelines published by the US Department of Defense require that warning messages include at least the name of the organization that owns the system, the fact that the system is subject to monitoring and that such monitoring is in compliance with local statutes, and that use of the system implies consent to such monitoring.
I should clarify, we have an MOTD, it just isn't at that location. Our base cookbook drops a file under the /etc/update-motd.d/ directory.
I believe this is more along the lines of what you are looking for? I'll get a PR opened shortly
✔ cis-dil-benchmark-1.7.1.4: Ensure permissions on /etc/motd and /etc/update-motd.d/* are configured
✔ File /etc/update-motd.d/60-unminimize group is expected to eq "root"
✔ File /etc/update-motd.d/60-unminimize owner is expected to eq "root"
✔ File /etc/update-motd.d/60-unminimize mode is expected to cmp == "0755"
✔ File /etc/update-motd.d/00-header group is expected to eq "root"
✔ File /etc/update-motd.d/00-header owner is expected to eq "root"
✔ File /etc/update-motd.d/00-header mode is expected to cmp == "0755"
✔ File /etc/update-motd.d/10-help-text group is expected to eq "root"
✔ File /etc/update-motd.d/10-help-text owner is expected to eq "root"
✔ File /etc/update-motd.d/10-help-text mode is expected to cmp == "0755"
✔ File /etc/update-motd.d/50-motd-news group is expected to eq "root"
✔ File /etc/update-motd.d/50-motd-news owner is expected to eq "root"
✔ File /etc/update-motd.d/50-motd-news mode is expected to cmp == "0755"
We also don't have any of those other files, our /etc/update-motd.d directory only contains the one file that we drop in there. I might be misunderstanding the change, I just didn't want to have the same problem with 4 other files now.
Update, sorry I'm just realizing that that is sample output from your own machine. I'm slow.
No worries :) This will account for any files under /etc/update-motd.d/
Describe the bug
We've been getting Inspec reports about the /etc/motd permissions from this section here: https://github.com/dev-sec/cis-dil-benchmark/blob/master/controls/1_7_warning_banners.rb#L61-L74
However in most of our VMs, we do not have an /etc/motd file. The inspec message is:
I would think the check should just skip if the file doesn't exist. It's certainly not a security issue.
Expected behavior
Exit/skip and move on to the next check
Actual behavior
Example code
OS / Environment
Inspec Version
Baseline Version
Whatever is in https://github.com/dev-sec/cis-dil-benchmark/archive/master.zip
Additional context
Add any other context about the problem here.
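The behaviour this issue asks for (skip when /etc/motd is absent instead of failing) together with the per-file owner/group/mode checks shown in the InSpec output above, written out as an added plain-Ruby example. This is not the cis-dil-benchmark project's control code and not InSpec DSL; the function names, the hash record shape, and the 0644 expectation for /etc/motd (taken from the CIS benchmark text rather than from this thread) are assumptions made for the example. It covers any number of files under /etc/update-motd.d/, not just the four in the sample output.

```ruby
require 'etc'

# Each file is described by a plain hash (a record shape assumed for this
# example) so the same logic runs over File.stat on a live host and over
# hand-built records in tests:
#   { exists: false }                                           # file absent
#   { exists: true, owner: 'root', group: 'root', mode: 0o644 } # file present

# Resolve a numeric id to a name; fall back to the number when the id has no
# passwd/group entry (common inside minimal containers).
def id_name(id, lookup)
  lookup.call(id).name
rescue ArgumentError
  id.to_s
end

# Build a record for `path` from the filesystem.
def stat_record(path)
  return { exists: false } unless File.exist?(path)

  st = File.stat(path)
  {
    exists: true,
    owner: id_name(st.uid, Etc.method(:getpwuid)),
    group: id_name(st.gid, Etc.method(:getgrgid)),
    mode: st.mode & 0o7777, # drop the file-type bits, keep permission bits
  }
end

# Check one record. An absent file yields :skipped (what the issue asks for,
# rather than a failure). A present file must match owner, group and mode
# exactly, mirroring the `cmp == "0755"` matcher in the InSpec output above;
# mismatches come back as an array of human-readable failure strings.
def check_banner_file(record, owner: 'root', group: 'root', mode: 0o644)
  return :skipped unless record[:exists]

  failures = []
  failures << "owner is #{record[:owner]}, expected #{owner}" unless record[:owner] == owner
  failures << "group is #{record[:group]}, expected #{group}" unless record[:group] == group
  unless record[:mode] == mode
    failures << format('mode is %04o, expected %04o', record[:mode], mode)
  end
  failures.empty? ? :passed : failures
end

# Run the check over /etc/motd (0644, per the CIS benchmark text) and over every
# script under /etc/update-motd.d/ (0755, as in the thread's output).
# `records` maps path => record; `motd_scripts` is the list of script paths
# discovered under /etc/update-motd.d/, so any number of files is handled.
def check_warning_banners(records, motd_scripts)
  absent = { exists: false }
  results = { '/etc/motd' => check_banner_file(records.fetch('/etc/motd', absent), mode: 0o644) }
  motd_scripts.each do |path|
    results[path] = check_banner_file(records.fetch(path, absent), mode: 0o755)
  end
  results
end

# Gather live records for the local host and evaluate them.
def check_local_host
  scripts = Dir.glob('/etc/update-motd.d/*')
  paths = ['/etc/motd'] + scripts
  records = paths.to_h { |p| [p, stat_record(p)] }
  check_warning_banners(records, scripts)
end

if __FILE__ == $PROGRAM_NAME
  check_local_host.each { |path, result| puts "#{path}: #{result.inspect}" }
end
```

Run as a script it reports one line per file on the local host; a missing /etc/motd prints as `:skipped` rather than a failure, while the owner, group and mode of each script under /etc/update-motd.d/ is still verified.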