florianutz / ubuntu2004_cis

Ubuntu CIS Hardening Ansible Role
MIT License

Update filesystem usage for latest CIS benchmark #52

Closed rcousens closed 2 years ago

rcousens commented 2 years ago

Removes fat (unscored), and adds squashfs to the list of filesystems to be disabled.

NOTE: If you use snap, you would likely want to disable the new 1.1.1.7 rule.

rcousens commented 2 years ago

Here you go Florian :) More generally, thanks for this module and all your hard work! Very useful and I am personally so grateful to have something this functional and ready to go out of the box that I can use for CIS hardening!

alex-rowe commented 2 years ago

@rcousens Is that meant to be "disable the new 1.1.1.6 rule for squashfs", or "disable the 1.1.1.7 rule for udf when using snap"?

We previously had the vfat rule disabled, but with the latest change we get errors on squashfs being builtin.

rcousens commented 2 years ago

@alex-rowe Unfortunately that will require a config update to ignore that rule. I just updated the code to match the published CIS Benchmark for Ubuntu 20.04 (v1.1.0), even though I think it is probably misguided in this instance. It appears the CIS benchmark doesn't understand that on Ubuntu at least, squashfs is a kernel source patch that is applied at compile time and CANNOT be disabled. This is not true for other distributions like CentOS 7, etc., and technically you could also build an Ubuntu kernel with squashfs as a loadable module.

See the benchmark available at: https://downloads.cisecurity.org/#/

Screen Shot 2022-06-28 at 10 09 24 am

Screen Shot 2022-06-28 at 10 23 51 am
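Added example (not code from the role or from this PR): a POSIX shell check that tells a built-in filesystem such as squashfs apart from a loadable one before a 1.1.1.x disable task runs, so a hardening playbook can report "built-in, cannot be disabled" instead of failing. The function name, the two sample files and the `install <fs> /bin/true` convention are assumptions; the sample contents are constructed.

```shell
#!/bin/sh
# Classify a filesystem module for a CIS 1.1.1.x "disable filesystem" task.
# $1 = filesystem name (squashfs, udf, vfat, ...)
# $2 = a modules.builtin-style list  (real file: /lib/modules/$(uname -r)/modules.builtin)
# $3 = a modprobe.d-style config     (real files: /etc/modprobe.d/*.conf)
# Prints one of: builtin | disabled | loadable
fs_module_state() {
    fs=$1; builtin_list=$2; modprobe_conf=$3
    # Compiled into the kernel: listed as kernel/fs/<fs>/<fs>.ko in modules.builtin.
    # No modprobe "install" line can turn such a module off (the squashfs case on Ubuntu).
    if grep -q "/${fs}\.ko$" "$builtin_list"; then
        echo builtin
        return 0
    fi
    # Already neutralised by the CIS remediation line "install <fs> /bin/true".
    if grep -Eq "^[[:space:]]*install[[:space:]]+${fs}[[:space:]]+/bin/(true|false)" "$modprobe_conf"; then
        echo disabled
        return 0
    fi
    # Loadable and not yet disabled: this is the only state a remediation task should act on.
    echo loadable
}

# Constructed samples (assumption: what an Ubuntu 20.04 kernel and a partly hardened host show).
SAMPLE_BUILTIN=$(mktemp)
cat > "$SAMPLE_BUILTIN" <<'EOF'
kernel/fs/squashfs/squashfs.ko
kernel/fs/overlayfs/overlay.ko
EOF
SAMPLE_MODPROBE=$(mktemp)
cat > "$SAMPLE_MODPROBE" <<'EOF'
install udf /bin/true
EOF

# Report the filesystems discussed in this PR against the samples.
cis_fs_report() {
    for fs in squashfs udf vfat; do
        printf '%s: %s\n' "$fs" "$(fs_module_state "$fs" "$SAMPLE_BUILTIN" "$SAMPLE_MODPROBE")"
    done
}
cis_fs_report
```

Against a real host, point the second and third arguments at the kernel's modules.builtin and the concatenated modprobe.d configuration; a playbook can then skip or flag the task when the answer is builtin.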

rcousens commented 2 years ago

@alex-rowe Also thought I'd mention that squashfs being disabled is a Level 2 Profile and is set as a manual step, not automated, see https://www.cisecurity.org/cis-benchmarks/cis-benchmarks-faq#:~:text=The%20Level%202%20profile%20is,appropriately%20or%20without%20due%20care.

Screen Shot 2022-06-28 at 10 39 35 am

This raises the question @florianutz, would it be worth disabling that rule by default but leaving it in the source for correctness?

rcousens commented 2 years ago

Screen Shot 2022-06-28 at 10 41 44 am

From: https://www.cisecurity.org/insights/blog/changes-to-cis-benchmark-assessment-recommendation-scoring#:~:text=When%20building%20CIS%20Benchmark%20automation,vary%20depending%20on%20the%20environment.

alex-rowe commented 2 years ago

> Also thought I'd mention that squashfs

All good, I've disabled it and it's run without issues