dev-sec / cis-dil-benchmark

CIS Distribution Independent Linux Benchmark - InSpec Profile
Apache License 2.0

/etc/motd should skip permissions check if file doesn't exist #125

Open dtseiler opened 2 years ago

dtseiler commented 2 years ago

Describe the bug

We've been getting Inspec reports about the /etc/motd permissions from this section here: https://github.com/dev-sec/cis-dil-benchmark/blob/master/controls/1_7_warning_banners.rb#L61-L74

However in most of our VMs, we do not have an /etc/motd file. The inspec message is:

expected: "root"
     got: nil

(compared using ==)

I would think the check should just skip if the file doesn't exist. It's certainly not a security issue.

Expected behavior

Exit/skip and move on to the next check

Actual behavior

0 {
code_desc   File /etc/motd group is expected to eq "root"
message
expected: "root"
     got: nil

(compared using ==)
resource_class  file
resource_params ["/etc/motd"]
run_time    0.000364499
start_time  2022-06-16T03:59:19+00:00
status  failed
},
1 {
code_desc   File /etc/motd owner is expected to eq "root"
message
expected: "root"
     got: nil

(compared using ==)
resource_class  file
resource_params ["/etc/motd"]
run_time    0.000201999
start_time  2022-06-16T03:59:19+00:00
status  failed
},
2 {
code_desc   File /etc/motd mode is expected to cmp == "0644"
message
expected: 0644
     got:

(compared using `cmp` matcher)
resource_class  file
resource_params ["/etc/motd"]
run_time    0.000698698
start_time  2022-06-16T03:59:19+00:00
status  failed
}

Example code

/opt/chef/embedded/bin/inspec exec https://github.com/dev-sec/cis-dil-benchmark/archive/master.zip --reporter=json

OS / Environment

$ uname -rvmpis
Linux 5.4.0-1083-azure #87~18.04.1-Ubuntu SMP Fri Jun 3 13:19:07 UTC 2022 x86_64 x86_64 x86_64

Inspec Version

4.46.13

Baseline Version

Whatever is in https://github.com/dev-sec/cis-dil-benchmark/archive/master.zip


bendres97 commented 2 years ago

I have two things to highlight here:

  1. While there isn't necessarily a security risk to not having an motd, it usually is a good idea to have one to cover you legally (see page 178 in https://www.justice.gov/criminal/file/442156/download). The official CIS Benchmark (Section 1.7) also states this as a requirement:

Guidelines published by the US Department of Defense require that warning messages include at least the name of the organization that owns the system, the fact that the system is subject to monitoring and that such monitoring is in compliance with local statutes, and that use of the system implies consent to such monitoring.

  2. You are able to write waivers to skip this check if your use case dictates that it is not required and therefore is expected to fail. See https://docs.chef.io/inspec/waivers/ for this documentation.
dtseiler commented 2 years ago

> I have two things to highlight here:
>
>   1. While there isn't necessarily a security risk to not having an motd, it usually is a good idea to have one to cover you legally (see page 178 in https://www.justice.gov/criminal/file/442156/download). The official CIS Benchmark (Section 1.7) also states this as a requirement:

I should clarify, we have an MOTD, it just isn't at that location. Our base cookbook drops a file under the /etc/update-motd.d/ directory.

bendres97 commented 2 years ago

I believe this is more along the lines of what you are looking for? I'll get a PR opened shortly.

  ✔  cis-dil-benchmark-1.7.1.4: Ensure permissions on /etc/motd and /etc/update-motd.d/* are configured
     ✔  File /etc/update-motd.d/60-unminimize group is expected to eq "root"
     ✔  File /etc/update-motd.d/60-unminimize owner is expected to eq "root"
     ✔  File /etc/update-motd.d/60-unminimize mode is expected to cmp == "0755"
     ✔  File /etc/update-motd.d/00-header group is expected to eq "root"
     ✔  File /etc/update-motd.d/00-header owner is expected to eq "root"
     ✔  File /etc/update-motd.d/00-header mode is expected to cmp == "0755"
     ✔  File /etc/update-motd.d/10-help-text group is expected to eq "root"
     ✔  File /etc/update-motd.d/10-help-text owner is expected to eq "root"
     ✔  File /etc/update-motd.d/10-help-text mode is expected to cmp == "0755"
     ✔  File /etc/update-motd.d/50-motd-news group is expected to eq "root"
     ✔  File /etc/update-motd.d/50-motd-news owner is expected to eq "root"
     ✔  File /etc/update-motd.d/50-motd-news mode is expected to cmp == "0755"
dtseiler commented 2 years ago

We also don't have any of those other files, our /etc/update-motd.d directory only contains the one file that we drop in there. I might be misunderstanding the change, I just didn't want to have the same problem with 4 other files now.

Update, sorry I'm just realizing that that is sample output from your own machine. I'm slow.

bendres97 commented 2 years ago

No worries :) This will account for any files under /etc/update-motd.d/
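The two behaviours discussed in this thread (skip /etc/motd when it is absent instead of failing with `got: nil`, and audit whatever scripts are present under /etc/update-motd.d/ instead of a fixed list) as an added example. This is plain Ruby written for this page, not the cis-dil-benchmark profile's own control and not the InSpec DSL, so it runs without InSpec; the `motd:` / `motd_dir:` parameters, the function names and the 0644 / 0755 expectations are assumptions taken from the output quoted above.

```ruby
# Added example (not the project's code): plain-Ruby re-implementation of the
# banner permissions check, with the "skip when absent" behaviour the reporter
# asked for and a glob over /etc/update-motd.d/ as in the proposed PR output.
require 'etc'

BANNER_OWNER = 'root'.freeze
BANNER_GROUP = 'root'.freeze

# Candidate banner files mapped to the mode each is expected to have.
# /etc/motd is a plain text file (0644); scripts in /etc/update-motd.d/ are
# executable (0755). Only regular files under the directory are included.
def banner_candidates(motd: '/etc/motd', motd_dir: '/etc/update-motd.d')
  scripts = Dir.glob(File.join(motd_dir, '*')).select { |p| File.file?(p) }
  { motd => '0644' }.merge(scripts.to_h { |p| [p, '0755'] })
end

# Audit one file. Returns :skipped when the path does not exist (the original
# control reported owner/group nil and failed here); otherwise returns an array
# of failure strings, empty when owner, group and mode all match.
def audit_banner_file(path, expected_mode, owner: BANNER_OWNER, group: BANNER_GROUP)
  return :skipped unless File.exist?(path)

  st = File.stat(path)
  # Fall back to the numeric id if the uid/gid has no passwd/group entry.
  actual_owner = (Etc.getpwuid(st.uid).name rescue st.uid.to_s)
  actual_group = (Etc.getgrgid(st.gid).name rescue st.gid.to_s)
  actual_mode  = format('%04o', st.mode & 0o7777)   # permission bits only

  failures = []
  failures << "owner is #{actual_owner}, expected #{owner}" unless actual_owner == owner
  failures << "group is #{actual_group}, expected #{group}" unless actual_group == group
  failures << "mode is #{actual_mode}, expected #{expected_mode}" unless actual_mode == expected_mode
  failures
end

# Audit every candidate. Returns [verdict, { path => :skipped | [failures] }].
# verdict is :skipped when no candidate exists at all, :passed when every
# existing candidate is clean, :failed otherwise. Absent files never fail.
def audit_banners(candidates, owner: BANNER_OWNER, group: BANNER_GROUP)
  results = candidates.to_h do |path, mode|
    [path, audit_banner_file(path, mode, owner: owner, group: group)]
  end
  checked = results.values.reject { |r| r == :skipped }
  verdict = if checked.empty?            then :skipped
            elsif checked.all?(&:empty?) then :passed
            else                              :failed
            end
  [verdict, results]
end

if __FILE__ == $PROGRAM_NAME
  verdict, results = audit_banners(banner_candidates)
  results.each do |path, r|
    status = r == :skipped ? 'skipped (absent)' : (r.empty? ? 'ok' : r.join('; '))
    puts "#{path}: #{status}"
  end
  puts "overall: #{verdict}"
end
```

Run it as root on a host to see the per-file verdicts; a box with no /etc/motd and one locally dropped script under /etc/update-motd.d/ reports the motd as skipped rather than failed, which is the behaviour the thread converges on. In the InSpec profile itself the equivalent of the :skipped branch is guarding the `describe file('/etc/motd')` block with `only_if { file('/etc/motd').exist? }`, so the control is reported as skipped instead of failing on nil owner and group; whether an absent banner is itself a finding belongs to the separate banner-content control, not to this permissions check.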