search

dev-sec / cis-dil-benchmark

CIS Distribution Independent Linux Benchmark - InSpec Profile
Apache License 2.0
149 stars 92 forks source link

cis-dil-benchmark-2.2.1.3 assumes user `chrony` exists #129

Closed spencer-cdw closed 2 years ago

spencer-cdw commented 2 years ago

The check for cis 2.2.13 assumes that there is a chrony user on the system and that the chronyd service is running as that user. 

   describe processes('chronyd') do 
     its(:users) { should cmp 'chrony' } 
   end

The debian package for chrony does not provide a user.

docker run -it --cap-add SYS_TIME --rm ubuntu /bin/bash
cat /etc/issue
Ubuntu 22.04.1 LTS \n \l
apt update
apt install chrony -y
id chrony
id: 'chrony': no such user

There is however a user named _chrony 

ps aux | grep chrony
_chrony    685  0.2  0.0  84148  2436 ?        S    13:04   0:00 chronyd
root       691  0.0  0.0   2884  1296 pts/0    S+   13:04   0:00 grep --color=auto chrony

root@465ded794870:/# id _chrony
uid=101(_chrony) gid=101(_chrony) groups=101(_chrony)

root@465ded794870:/# id chrony
id: 'chrony': no such user

https://github.com/dev-sec/cis-dil-benchmark/blob/c845274efcf6e5f2e9307a780995a94c7bee0042/controls/2_2_special_purpose_services.rb#L98-L122

spencer-cdw commented 2 years ago

Attempts to fix

  1. describe processes('chronyd') do
its(:users) { should match(/^(chrony|_chrony)) }
end
deric4 commented 2 years ago

@spencer-cdw

Attempts to fix

  describe processes('chronyd') do
    its(:users) { should match(/^(chrony|_chrony)) }
  end

I think the trailing / in your match expression is missing, but that should work.

The emerging convention in this profile seems to be: add a default variable/input when values are expected to be different across distros (see https://github.com/dev-sec/cis-dil-benchmark/issues/112#issuecomment-817071258).

This might be easier/quicker fix to implement/release into this profile than fixing the bug you in heimdall you linked.

spencer-cdw commented 2 years ago

Good observation. This fix is small enough I think it is ok to put the logic in the describe stanza.

I see your point about managing large differences (e.g. centos/amazon linux/debian ect...). I've stumbled on something similar where ubuntu 18.04 varies significantly from ubuntu 22.04 with regards to grub/grub2/auditd.

With regards to this bug, I think the following should fix it. (I'll open a PR if it does)

  describe processes('chronyd') do
    its(:users) { should be_in ['chrony', '_chrony'] }
  end

Update

Confirmed fixed: https://github.com/dev-sec/cis-dil-benchmark/pull/135

schurzi commented 2 years ago

Nice catch. This seems to be this way since a very long time.

https://salsa.debian.org/debian/chrony/-/blob/debian/latest/debian/README.Debian#L17-24

Since version 1.31.1-1, we create the _chrony system user to which chronyd will drop root privileges on initialisation.