Fixing 72223 to correctly handle the collection of TMOUT

simp / inspec-profile-disa_stig-el7

InSpec Profile for the EL7 DISA STIG

Apache License 2.0

22 stars 46 forks source link

Fixing 72223 to correctly handle the collection of TMOUT #133

Closed djhaynes closed 4 years ago

djhaynes commented 4 years ago

Fixed a bug in 72223 where it was reporting a value of nil when the configuration setting was not set in a file. The code now reports that the configuration setting is not configured in the specific file.

trevor-vaughan commented 4 years ago

@djhaynes Technically, this should be modified to only pick up the last instance of TMOUT and should also hook in /etc/profile.

Now this gets hairy because:

Users should not be modifying /etc/bashrc or /etc/profile
The TMOUT value can be changed by the user unless readonly TMOUT is set after setting TMOUT (which makes the current check a 'feel good' check instead of something useful.
- This means that we need to check for TMOUT and then stop processing at either readonly TMOUT or the last instance of TMOUT found.

Not sure if you just want to merge this in or go ahead and fix these items while you're poking around.

Also, could you update the title of this PR to reflect the changes?

djhaynes commented 4 years ago

@trevor-vaughan the parse_config_file returns the last TMOUT value found in a particular file by default. Is that what you are referring to?

trevor-vaughan commented 4 years ago

@djhaynes Not exactly. What we need is the last TMOUT found in all config files processed.

For instance:

/etc/profile.d/00_foo => TMOUT=500
/etc/profile.d/ZZ_bar => TMOUT=10

Result: TMOUT=10

Unless 00_foo has:

TMOUT=500
readonly TMOUT

djhaynes commented 4 years ago

@trevor-vaughan Is it fair to assume that TMOUT is set only once per file?

aaronlippold commented 4 years ago

So we are checking multiple things:

the value of TMOUT in the env
the value of TMOUT in all files
if read-only is set or not
aka we want active and passive testing
the number of times TMOUT is set doesn't really matter in my opinion - its final value and if it is immutable or not are the things we should be testing right?

Am I missing anything here?

djhaynes commented 4 years ago

I took another pass at this control. It now operates as follows:


Check the TMOUT environment variable (active test) - pass/fail the control based on if the value is <= system_activity_timeout

Loop through all files (passive test)
    If TMOUT isn't found in a file - skip it and continue processing other files
    If TMOUT is found - loop through all occurrences of TMOUT in the file
        If it is a commented out line - skip it
        If it contains 'readonly TMOUT = <value>' - get the value and end processing of files
        If it contains 'readonly TMOUT' - get the latest TMOUT value from the current file. Otherwise, use the last value from the previous file and end processing of files
           Readonly is not set - make the current value the latest value seen  

If latest value is nil - fail the control for TMOUT not being configured
If latest value is not nil - pass/fail the control based on if the value is <= system_activity_timeout