Closed spencer-cdw closed 2 years ago
Here is the ansible that generates the `/etc/cron.d/filesystem_integrity_check` file:

```yaml
- name: CIS-1.3.2 Ensure filesystem integrity is regularly checked
  ansible.builtin.cron:
    name: "CIS-1.3.2 Ensure filesystem integrity is regularly checked"
    job: "/usr/sbin/aide --check"
    minute: "0"
    hour: "5"
    day: "*"
    month: "*"
    weekday: "*"
    user: root
    cron_file: filesystem_integrity_check
  tags:
    - cis_level_1
```
@spencer-cdw my understanding is that this part of the control should cover this exact scenario.
Is this reporting as failed because of the heimdal logic or is the inspec reporter saying this control is failing as well?
🤔 Interesting, I overlooked those lines. Indeed it should be executing the command `find /etc/cron.d -type f`. Let me look back at my inspec reports and see why this was failing for me every time.
I've set up the following test and found that it is indeed working as intended. I'm not sure why my test is failing, but I'm 99% sure it is a problem with my setup, and not a problem with these benchmarks. Sorry for the noise. Thanks for looking into this.

```shell
docker run -it ubuntu/cinc-auditor bash -c 'echo "aide --check" >> /etc/cron.d/foobar && cinc-auditor exec https://github.com/deric4/cis-dil-benchmark.git --controls=cis-dil-benchmark-1.3.2'
```

```
[2022-11-15T21:08:04+00:00] WARN: Cannot find a UUID for your node.

Profile:   CIS Distribution Independent Linux Benchmark Profile (cis-dil-benchmark)
Version:   0.4.13
Target:    local://
Target ID:

  ✔  cis-dil-benchmark-1.3.2: Ensure filesystem integrity is regularly checked
     ✔  File /etc/cron.d/foobar content is expected to match /aide (--check|-C)/

Profile Summary: 1 successful control, 0 control failures, 0 controls skipped
Test Summary: 1 successful, 0 failures, 0 skipped
```
There is definitely strange behavior going on. cinc-auditor shows this test as passing, however both the json and html reports are showing this as a failure. Furthermore the html/json failures show that the `cron.d` directory is not being checked.

It smells related to the other issue where `describe.one` does not work as expected: https://github.com/dev-sec/cis-dil-benchmark/issues/136

I've attached the json and html report as a zip.
Here is the output when I switch back to the master branch of this benchmark.

```
inspec --version
5.18.14
```

```yaml
---
lockfile_version: 1
depends:
- name: cis-dil-benchmark
  resolved_source:
    git: https://github.com/dev-sec/cis-dil-benchmark
    ref: 8aa338e60e8f1c478c02e9e9928bc7dad91d3fa0
  version_constraints: []
```

```hcl
# packer config to view the file
provisioner "shell" {
  inline           = ["cat /etc/cron.d/filesystem_integrity_check"]
  execute_command  = "echo 'ubuntu' | sudo -S sh -c '{{ .Vars }} {{ .Path }}'"
  valid_exit_codes = [0, 1]
}
```

`/etc/cron.d/filesystem_integrity_check`:

```
#Ansible: CIS-1.3.2 Ensure filesystem integrity is regularly checked
@daily root /usr/bin/aide --check --config /var/lib/aide/aide.conf.autogenerated
```
I think I have found the problem. Posting here in case it helps anyone else.

CIS 1.5.7 requires that `/etc/cron.d` permissions be set to `0700` (stock Ubuntu permissions are `0755`). Even though I'm running inspec as root (through the packer provider), I'm finding that CIS 1.5.7 is breaking CIS 1.3.2.
```yaml
# Ansible
# This fixes CIS 5.1.7, but breaks 1.3.2
- name: CIS-5.1.7 Ensure permissions on /etc/cron.d are configured
  file:
    path: /etc/cron.d
    mode: 0700
    owner: root
    group: root
    state: directory
  tags:
    - cis_level_1
```

```hcl
# packer config
provisioner "inspec" {
  user             = "root" # <--------- Notice that this is running as root
  inspec_env_vars  = ["CHEF_LICENSE=accept"]
  profile          = "${path.cwd}/../inspec/profiles/foobar"
  valid_exit_codes = [0, 100, 101]
  extra_arguments = [
    "--reporter",
    "html2:${path.cwd}/../output/inspec_{{timestamp}}.html",
    "json:${path.cwd}/../output/inspec_{{timestamp}}.json",
  ]
}
```
Related to this: https://github.com/inspec/inspec/issues/1279
Fixed the issue by using `--sudo` in the packer config. `user = "root"` is not the same as `--sudo`.

```hcl
provisioner "inspec" {
  // user = "root" # Setting this to 'root' is not the same as using --sudo in the extra_arguments
  inspec_env_vars  = ["CHEF_LICENSE=accept"]
  profile          = "${path.cwd}/../inspec/profiles/foobar"
  valid_exit_codes = [0, 100, 101]
  extra_arguments = [
    "--sudo",
    "-l", "debug",
    "--reporter",
    "html2:${path.cwd}/../output/inspec_{{timestamp}}.html",
    "json:${path.cwd}/../output/inspec_{{timestamp}}.json",
  ]
}
```
Inspec Check 1.3.2 currently only checks 3 locations for cron jobs

This benchmark presently does not check for any files inside the `/etc/cron.d` directory. Some tools (like ansible) recommend putting all user configuration data in the `/etc/cron.d` directory. This PR will search the `/etc/cron.d` directory for any files and search them for matching patterns.

Before

After
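The two threads above (the `/etc/cron.d` scan the PR adds, and the case where CIS 5.1.7's `0700` on `/etc/cron.d` made the scan come back empty for a non-root scanner) are modelled below in plain Ruby as an added example; this is not code from cis-dil-benchmark or InSpec, and it does not use the InSpec DSL. It keeps the regex the thread's output shows, `/aide (--check|-C)/`, takes the directories and files to scan as parameters so it can run against a constructed temp directory, and returns `:unreadable` instead of `:fail` when the directory cannot be listed, so an unprivileged run cannot be mistaken for "no AIDE job configured". The function names and the `:pass`/`:fail`/`:unreadable` statuses are my own, not the project's.

```ruby
# Added example, not code from cis-dil-benchmark or InSpec: a plain-Ruby model
# of the CIS 1.3.2 cron scan that distinguishes "no AIDE job found" from
# "could not read the cron directory" (the 0700 + non-root case in the thread).
require 'tmpdir'

# Same pattern the InSpec control matched in the thread's output.
AIDE_PATTERN = /aide (--check|-C)/

# Scan one cron directory (e.g. /etc/cron.d) for regular files whose content
# contains an AIDE check. Returns a Hash:
#   { status: :pass | :fail | :unreadable, matches: [paths], error: String or nil }
def scan_cron_dir(dir)
  files = Dir.children(dir)
             .map { |name| File.join(dir, name) }
             .select { |path| File.file?(path) }
  matches = files.select { |path| File.read(path).match?(AIDE_PATTERN) }
  { status: matches.empty? ? :fail : :pass, matches: matches, error: nil }
rescue Errno::ENOENT
  # A missing directory really means "no job here"; that is a clean fail.
  { status: :fail, matches: [], error: 'directory missing' }
rescue Errno::EACCES => e
  # Directory exists but cannot be listed (e.g. mode 0700 and we are not
  # root): we do not know whether a job exists, so do not report a plain fail.
  { status: :unreadable, matches: [], error: e.message }
end

# Scan a single cron file (e.g. /etc/crontab) for the same pattern.
def scan_cron_file(path)
  return { status: :fail, matches: [], error: 'file missing' } unless File.file?(path)

  if File.read(path).match?(AIDE_PATTERN)
    { status: :pass, matches: [path], error: nil }
  else
    { status: :fail, matches: [], error: nil }
  end
rescue Errno::EACCES => e
  { status: :unreadable, matches: [], error: e.message }
end

# Combine per-location results into one verdict: any pass wins (like
# describe.one), but if nothing passed and some location was unreadable,
# surface that instead of a false "fail".
def filesystem_integrity_cron_status(dirs:, files: [])
  results = dirs.map { |d| scan_cron_dir(d) } + files.map { |f| scan_cron_file(f) }
  return :pass if results.any? { |r| r[:status] == :pass }
  return :unreadable if results.any? { |r| r[:status] == :unreadable }

  :fail
end

# Constructed demo: a temp directory standing in for /etc/cron.d with a
# matching job (mirrors the "foobar" file from the docker test above) and an
# unrelated job.
def demo_status
  Dir.mktmpdir do |cron_d|
    File.write(File.join(cron_d, 'foobar'), "aide --check\n")
    File.write(File.join(cron_d, 'logrotate'), "0 1 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n")
    filesystem_integrity_cron_status(dirs: [cron_d])
  end
end
```

On a real host the call is `filesystem_integrity_cron_status(dirs: ['/etc/cron.d'], files: ['/etc/crontab'])`; once 5.1.7 has set `/etc/cron.d` to `0700`, it returns `:unreadable` for an unprivileged user and `:pass` under sudo, which is the difference the `--sudo` fix above makes visible rather than hiding it behind a generic failure.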