florianutz / ubuntu2004_cis

Ubuntu CIS Hardening Ansible Role
MIT License

Out of date with latest CIS guide #50

Closed rcousens closed 2 years ago

rcousens commented 2 years ago

The current CIS standard for 20.04 specifies 1.1.1.6 as disabling squashfs (which is problematic because of the rise of "snap"). See below:

(Screenshot attached: Screen Shot 2022-05-10 at 9 47 00 am)

https://github.com/florianutz/ubuntu2004_cis/blob/main/tasks/section1.yml#L165

Your 1.1.1.6 specifies udf, and 1.1.1.7 specifies fat, which is not mentioned in the standard anymore.

Happy to submit a PR if you agree that you'd like to update the role to be in compliance with the latest published standard.

florianutz commented 2 years ago

Hi @rcousens, it would be great if you could create a PR for the necessary changes.

rcousens commented 2 years ago

When I get a moment in the next week or two I'll do that :)

rcousens commented 2 years ago

@florianutz Thanks for accepting my PR. After a comment on the PR from @alex-rowe I've done some more thinking about the applicability of the changes I made.

I notice that CIS Benchmark has Level 1 and Level 2 Profiles for both Server and Workstation (obviously Server being applicable here). Is the intent of this module to implement both Level 1 and Level 2 indiscriminately?

Also, specifically relating to squashfs: on Ubuntu squashfs is a built-in filesystem compiled into the kernel by default, which makes rule 1.1.1.6 from the latest CIS Benchmark kind of silly in that the remediation is not actually possible. I will note that the rule is "manual", implying that it's not scored directly for compliance. What are your thoughts on supporting manual/automated? Should manual steps be disabled (set to false) by default?

See https://github.com/florianutz/ubuntu2004_cis/pull/52 for more details.
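As an added example, not code from the ubuntu2004_cis role or from any commenter in this thread, here is a POSIX shell check for the point raised above: whether the modprobe-based remediation for a filesystem can take effect at all, since a filesystem built into the kernel (as squashfs is on Ubuntu) is not blocked by an install line in /etc/modprobe.d, while a loadable module such as udf or fat is. The function names and the kernel config and modprobe.d fragments it runs on are constructed for the demo, not taken from a real host.

```shell
#!/bin/sh
# Added example (not part of the ubuntu2004_cis role): decide whether the
# CIS "disable filesystem module" remediation (install <fs> /bin/true in
# /etc/modprobe.d) can take effect, separating a loadable module from one
# compiled into the kernel, as squashfs is on Ubuntu.

# fs_build_state NAME KERNEL_CONFIG -> builtin | module | absent,
# read from the CONFIG_<NAME>= or CONFIG_<NAME>_FS= line of the config.
fs_build_state() {
    key=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    case "$(grep -sE "^CONFIG_${key}(_FS)?=" "$2" | head -n 1)" in
        *=y) echo builtin ;;
        *=m) echo module ;;
        *)   echo absent ;;
    esac
}

# fs_disabled_by_modprobe NAME MODPROBE_DIR -> exit 0 if any *.conf there
# carries the remediation line "install NAME /bin/true" (or /bin/false).
fs_disabled_by_modprobe() {
    grep -qsE "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/bin/(true|false)([[:space:]]|\$)" "$2"/*.conf
}

# fs_verdict NAME KERNEL_CONFIG MODPROBE_DIR -> one word:
#   ineffective  built into the kernel, so a modprobe rule cannot block it
#   compliant    loadable module and the install rule is present
#   remediate    loadable module and the install rule is missing
#   n/a          not built for this kernel at all
fs_verdict() {
    state=$(fs_build_state "$1" "$2")
    if fs_disabled_by_modprobe "$1" "$3"; then rule=yes; else rule=no; fi
    case "$state:$rule" in
        builtin:*)  echo ineffective ;;
        module:yes) echo compliant ;;
        module:no)  echo remediate ;;
        *)          echo n/a ;;
    esac
}

# Demo on constructed input, not a real host: squashfs built in, udf a
# module the role disabled, fat a module nobody touched.
demo=$(mktemp -d)
printf 'CONFIG_SQUASHFS=y\nCONFIG_UDF_FS=m\nCONFIG_FAT_FS=m\n' > "$demo/config"
mkdir "$demo/modprobe.d"
printf 'install udf /bin/true\n' > "$demo/modprobe.d/udf.conf"
for fs in squashfs udf fat; do
    echo "$fs: $(fs_verdict "$fs" "$demo/config" "$demo/modprobe.d")"
done
rm -rf "$demo"
```

On a live host the same functions take /boot/config-$(uname -r) and /etc/modprobe.d as arguments; an "ineffective" verdict is the case the comment above describes, where the rule can only be reviewed manually.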

rcousens commented 2 years ago

@florianutz This ticket can be closed!