
/etc/motd should skip permissions check if file doesn't exist #125

Open
dtseiler opened this issue Jun 16, 2022 · 5 comments · May be fixed by #146

Comments

@dtseiler

Describe the bug
We've been getting Inspec reports about the /etc/motd permissions from this section here: https://github.com/dev-sec/cis-dil-benchmark/blob/master/controls/1_7_warning_banners.rb#L61-L74

However in most of our VMs, we do not have an /etc/motd file. The inspec message is:

expected: "root"
     got: nil

(compared using ==)

I would think the check should just skip if the file doesn't exist. It's certainly not a security issue.

Expected behavior
Exit/skip and move on to the next check

Actual behavior

0 {
code_desc   File /etc/motd group is expected to eq "root"
message
expected: "root"
     got: nil

(compared using ==)
resource_class  file
resource_params ["/etc/motd"]
run_time    0.000364499
start_time  2022-06-16T03:59:19+00:00
status  failed
},
1 {
code_desc   File /etc/motd owner is expected to eq "root"
message
expected: "root"
     got: nil

(compared using ==)
resource_class  file
resource_params ["/etc/motd"]
run_time    0.000201999
start_time  2022-06-16T03:59:19+00:00
status  failed
},
2 {
code_desc   File /etc/motd mode is expected to cmp == "0644"
message
expected: 0644
     got:

(compared using `cmp` matcher)
resource_class  file
resource_params ["/etc/motd"]
run_time    0.000698698
start_time  2022-06-16T03:59:19+00:00
status  failed
}

Example code

/opt/chef/embedded/bin/inspec exec https://github.com/dev-sec/cis-dil-benchmark/archive/master.zip --reporter=json

OS / Environment

  • Ubuntu Linux 18.04 in Azure (5.4.0-1083-azure)
$ uname -rvmpis
Linux 5.4.0-1083-azure #87~18.04.1-Ubuntu SMP Fri Jun 3 13:19:07 UTC 2022 x86_64 x86_64 x86_64

Inspec Version

4.46.13

Baseline Version
Whatever is in https://github.com/dev-sec/cis-dil-benchmark/archive/master.zip

@bendres97
Contributor

I have two things to highlight here:

  1. While there isn't necessarily a security risk to not having an motd, it usually is a good idea to have one to cover you legally (see page 178 in https://www.justice.gov/criminal/file/442156/download). The official CIS Benchmark (Section 1.7) also states this as a requirement:

Guidelines published by the US Department of Defense require that warning messages
include at least the name of the organization that owns the system, the fact that the system
is subject to monitoring and that such monitoring is in compliance with local statutes, and
that use of the system implies consent to such monitoring.

  2. You are able to write waivers to skip this check if your use case dictates that it is not required and therefore is expected to fail. See https://docs.chef.io/inspec/waivers/ for this documentation.

@dtseiler
Author

> I have two things to highlight here:
>
>   1. While there isn't necessarily a security risk to not having an motd, it usually is a good idea to have one to cover you legally (see page 178 in https://www.justice.gov/criminal/file/442156/download). The official CIS Benchmark (Section 1.7) also states this as a requirement:

I should clarify, we have an MOTD, it just isn't at that location. Our base cookbook drops a file under the /etc/update-motd.d/ directory.

@bendres97
Contributor

bendres97 commented Jun 24, 2022

I believe this is more along the lines of what you are looking for? I'll get a PR opened shortly

  ✔  cis-dil-benchmark-1.7.1.4: Ensure permissions on /etc/motd and /etc/update-motd.d/* are configured
     ✔  File /etc/update-motd.d/60-unminimize group is expected to eq "root"
     ✔  File /etc/update-motd.d/60-unminimize owner is expected to eq "root"
     ✔  File /etc/update-motd.d/60-unminimize mode is expected to cmp == "0755"
     ✔  File /etc/update-motd.d/00-header group is expected to eq "root"
     ✔  File /etc/update-motd.d/00-header owner is expected to eq "root"
     ✔  File /etc/update-motd.d/00-header mode is expected to cmp == "0755"
     ✔  File /etc/update-motd.d/10-help-text group is expected to eq "root"
     ✔  File /etc/update-motd.d/10-help-text owner is expected to eq "root"
     ✔  File /etc/update-motd.d/10-help-text mode is expected to cmp == "0755"
     ✔  File /etc/update-motd.d/50-motd-news group is expected to eq "root"
     ✔  File /etc/update-motd.d/50-motd-news owner is expected to eq "root"
     ✔  File /etc/update-motd.d/50-motd-news mode is expected to cmp == "0755"

@dtseiler
Author

dtseiler commented Jun 24, 2022

We also don't have any of those other files, our /etc/update-motd.d directory only contains the one file that we drop in there. I might be misunderstanding the change, I just didn't want to have the same problem with 4 other files now.

Update, sorry I'm just realizing that that is sample output from your own machine. I'm slow.

@bendres97
Contributor

No worries :) This will account for any files under /etc/update-motd.d/
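As an added stand-alone example (plain Ruby on File.stat, not the benchmark's InSpec control and not code from this thread), the check logic the thread converges on: report /etc/motd as skipped when the file is absent instead of failing with a nil owner/group, and apply the same owner/group/mode checks to every regular file under /etc/update-motd.d/. The 0644 mode for /etc/motd and 0755 for update-motd.d scripts follow the output quoted above; helper names and the owner/group parameters are my own assumptions.

```ruby
# Stand-alone model of the fix discussed above: skip /etc/motd when the file
# is absent (rather than failing with owner/group nil) and run the same
# owner/group/mode checks over every regular file in /etc/update-motd.d/.
# Plain Ruby on File.stat, not the InSpec DSL; helper names are assumptions.
require "etc"

# Map a uid/gid to a name, falling back to the number when it is unmapped.
def name_of_uid(uid)
  Etc.getpwuid(uid).name
rescue ArgumentError
  uid.to_s
end

def name_of_gid(gid)
  Etc.getgrgid(gid).name
rescue ArgumentError
  gid.to_s
end

# One result per file, shaped like an InSpec result: :skipped when the path
# does not exist, otherwise :passed or :failed with the observed values.
def check_file_perms(path, mode:, owner: "root", group: "root")
  return { path: path, status: :skipped, message: "#{path} does not exist" } unless File.exist?(path)

  st = File.stat(path)
  got = { owner: name_of_uid(st.uid), group: name_of_gid(st.gid),
          mode: format("%04o", st.mode & 0o7777) }
  failures = []
  failures << "owner expected #{owner}, got #{got[:owner]}" unless got[:owner] == owner
  failures << "group expected #{group}, got #{got[:group]}" unless got[:group] == group
  failures << "mode expected #{mode}, got #{got[:mode]}" unless got[:mode] == mode
  { path: path, status: failures.empty? ? :passed : :failed,
    message: failures.join("; "), got: got }
end

# /etc/motd is a plain file (0644); update-motd.d entries are scripts (0755).
def check_motd(motd: "/etc/motd", motd_dir: "/etc/update-motd.d", owner: "root", group: "root")
  results = [check_file_perms(motd, mode: "0644", owner: owner, group: group)]
  Dir.glob(File.join(motd_dir, "*")).sort.each do |f|
    next unless File.file?(f)
    results << check_file_perms(f, mode: "0755", owner: owner, group: group)
  end
  results
end

if $PROGRAM_NAME == __FILE__
  check_motd.each { |r| puts "#{r[:status]}\t#{r[:path]}\t#{r[:message]}" }
end
```

Run as root on a host the result mirrors what the control would report; a missing /etc/motd now shows as skipped rather than as the "expected: root / got: nil" failure in the report above.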

@bendres97 bendres97 linked a pull request Mar 15, 2023 that will close this issue