dev-sec / ssh-baseline

DevSec SSH Baseline - InSpec Profile
https://dev-sec.io/baselines/ssh/
Apache License 2.0

undefined method `match?' for nil:NilClass - CentOs 7 #179

Closed chrobotm closed 4 years ago

chrobotm commented 4 years ago

Describe the bug: Using a CentOS 7 AMI, the build fails.

Expected behavior: Build should pass.

Actual behavior: Build is failing with:

amazon-ebs:   ×  ssh-22: Client: CRYPTO_POLICY
amazon-ebs:      ×  Control Source Code Error ssh-baseline-master/controls/ssh_spec.rb:231
amazon-ebs:      undefined method `match?' for nil:NilClass

OS / Environment

CentOS 7 AMI https://aws.amazon.com/marketplace/pp/Centosorg-CentOS-7-x8664-with-Updates-HVM/B00O7WM7QW

Inspec Version

3.7.11

Baseline Version

2.5.13

micheelengronne commented 4 years ago

Can you check that your environment has the file /etc/sysconfig/sshd and, if it does, what the content of that file is?

chrobotm commented 4 years ago

# Configuration file for the sshd service.

# The server keys are automatically generated if they are missing.
# To change the automatic creation uncomment and change the appropriate
# line. Accepted key types are: DSA RSA ECDSA ED25519.
# The default is "RSA ECDSA ED25519"

# AUTOCREATE_SERVER_KEYS=""
# AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519"

# Do not change this option unless you have hardware random
# generator and you REALLY know what you are doing

SSH_USE_STRONG_RNG=0
# SSH_USE_STRONG_RNG=1

micheelengronne commented 4 years ago

@schurzi the check looks for CRYPTO_POLICY, but it's not present in the config. What should the check return?

schurzi commented 4 years ago

The check should return false. CRYPTO_POLICY is currently only present on el8.

This specific error (undefined method `match?' for nil:NilClass) might be related to file access rights or SELinux, since the file clearly exists but the content seems not to be accessible.

chrobotm commented 4 years ago

The permissions on the file are set to:

-rw-r-----.  1 root root  506 Aug  9  2019 sshd

Can confirm running inspec as root works, but running it as the centos user fails with the above error.

schurzi commented 4 years ago

Ahh nice, that explains the behaviour. I did not take this into account when designing the condition. @micheelengronne is it expected that this inspec test should work completely when not run as root?

Since these are ssh-client checks, maybe I should rewrite the condition to check for the availability of the -G flag on the ssh command. That would be more exact and less error-prone for clients. But this would also run the checks on every system that supports ssh -G, which is not a problem, I guess.
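The failure mode discussed in this thread, as an added example in plain Ruby that is not part of the ssh-baseline profile: when /etc/sysconfig/sshd exists but is not readable by the user running inspec, the control sees nil content, and calling `match?` on it raises the NoMethodError above. The function names, the regex and the sample file contents below are my own constructions.

```ruby
# Added example (not code from dev-sec/ssh-baseline).
# Simulates what a control sees for /etc/sysconfig/sshd: the text when the
# file is readable, nil when it is missing or unreadable (non-root run).
def sysconfig_content(path)
  return nil unless File.file?(path) && File.readable?(path)
  File.read(path)
end

# The original-style condition: works on a String, raises
# NoMethodError (undefined method `match?' for nil) on nil content.
def crypto_policy_unsafe?(content)
  content.match?(/^CRYPTO_POLICY=/)
end

# Hardened condition: unreadable/missing content counts as "not set"
# (the answer schurzi wants for el7), and commented-out lines are ignored.
def crypto_policy_set?(content)
  return false if content.nil?
  content.each_line.any? { |line| line.strip.match?(/\ACRYPTO_POLICY=/) }
end

# Constructed sample: the el7 file from this issue (no CRYPTO_POLICY at all).
EL7_SYSCONFIG = <<~CONF
  # Configuration file for the sshd service.
  # AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519"
  SSH_USE_STRONG_RNG=0
  # SSH_USE_STRONG_RNG=1
CONF

# Constructed sample resembling an el8 file where the setting is active
# (an assumption about the el8 layout, not taken from the thread).
EL8_SYSCONFIG = <<~CONF
  # Configuration file for the sshd service.
  CRYPTO_POLICY=
CONF

if __FILE__ == $PROGRAM_NAME
  [nil, EL7_SYSCONFIG, EL8_SYSCONFIG].each do |content|
    puts "safe check: #{crypto_policy_set?(content)}"
  end
  begin
    crypto_policy_unsafe?(sysconfig_content("/nonexistent/sysconfig/sshd"))
  rescue NoMethodError => e
    puts "unsafe check raised: #{e.message}"
  end
end
```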

micheelengronne commented 4 years ago

@schurzi It should be expected that this Inspec profile runs as a non-root user.

These profiles can be used as smoke-tests or continuous spec-verifications on production servers where they can't be run as root.

I personally use it for a container with an SSH server that doesn't run as root.

schurzi commented 4 years ago

OK, it also seems the sshd checks are not performed if this profile is run without root permissions (or at least sbin in the PATH variable). So this only affects ssh controls. Am I correct?

micheelengronne commented 4 years ago

The checks also run for sshd. But, indeed, you have to configure the sshd_custom_user parameter and have the sshd command in PATH.

schurzi commented 4 years ago

Then sshd-49 will also generate this error. I will try to fix this control too.

micheelengronne commented 4 years ago

Thanks a lot for your work.

chrobotm commented 4 years ago

Thanks, can confirm that the checks now pass.