Bug #25875
openCIS Debian11 section 6.2 enforce : Repair loop on 6.2.1.2.3 and 6.2.1.2.4
Status: New
Priority: N/A
Assignee: -
Target version: -
Priority: 0
Name check: To do
Fix check: To do
Regression: No
Description
In enforce mode, we seem to have a “repair loop” between 6.2.1.2.3 and 6.2.1.2.4.
At every run of the agent, we get:
E| repaired cis_debian11_srv_1 Ensure systemd-journal-u| systemd-journal-u| Ensure that service systemd-journal-upload is running was repaired
[...]
E| repaired cis_debian11_srv_1 Ensure service systemd-j| systemd-journal-r| Ensure service systemd-journal-remote is disabled at boot was repaired
Updated by Michel BOUISSOU 5 days ago · Edited
Not a true repair loop: both issues are independent:
- 6.2.1.2.3 keeps being repaired because it dies if the remote URL has not been configured
  - But this configuration depends on 6.2.1.2.2, which is a manual item
  - So we practically cannot enforce 6.2.1.2.3 properly if 6.2.1.2.2 has not previously been manually done.
- 6.2.1.2.4:
  - The systemd-journal-remote is not a classical started/stopped enabled/disabled service, but an indirect service that relies upon a socket to be triggered.
  - “systemctl disable” has no influence on this, and I guess neither does the Rudder method “service_disabled”
root@lab_test_2_zgent2:~# systemctl status systemd-journal-remote
● systemd-journal-remote.service - Journal Remote Sink Service
     Loaded: loaded (/lib/systemd/system/systemd-journal-remote.service; indirect; vendor preset: disabled)
     Active: inactive (dead)
TriggeredBy: ● systemd-journal-remote.socket
       Docs: man:systemd-journal-remote(8)
             man:journal-remote.conf(5)
root@lab_test_2_zgent2:~# systemctl is-enabled systemd-journal-remote
indirect
root@lab_test_2_zgent2:~# systemctl disable systemd-journal-remote
root@lab_test_2_zgent2:~# systemctl is-enabled systemd-journal-remote
indirect
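
Added example, not part of the comment above and not Rudder code: a "disabled at boot" audit that resolves the `indirect` state seen in this session by also evaluating the units listed under `TriggeredBy`, so the check can converge instead of reporting a repair on every run. The function names and the on/off/unknown result vocabulary are assumptions made for this illustration.

```shell
#!/bin/sh
# effective_boot_state SERVICE_STATE [TRIGGER_STATE ...]
# Arguments are `systemctl is-enabled` outputs: first the service, then each
# unit that can trigger it (e.g. its .socket). Prints on, off or unknown.
effective_boot_state() {
    svc=$1
    shift
    result=off
    case "$svc" in
        enabled|enabled-runtime) result=on ;;
        disabled|masked|masked-runtime) ;;
        indirect)
            # The service reports no enablement of its own; its triggers
            # decide. Without any trigger state we cannot conclude.
            [ "$#" -gt 0 ] || result=unknown ;;
        *) result=unknown ;;
    esac
    for t in "$@"; do
        case "$t" in
            enabled|enabled-runtime) result=on ;;
            disabled|masked|masked-runtime) ;;
            # Any state not handled here is reported, never assumed safe.
            *) [ "$result" = on ] || result=unknown ;;
        esac
    done
    echo "$result"
}

# check_unit UNIT: read the live states and print "UNIT: <result>".
check_unit() {
    svc_state=$(systemctl is-enabled "$1" 2>/dev/null || true)
    trig_states=""
    for u in $(systemctl show -p TriggeredBy --value "$1" 2>/dev/null); do
        s=$(systemctl is-enabled "$u" 2>/dev/null || true)
        trig_states="$trig_states ${s:-unknown}"
    done
    # Word splitting of $trig_states is intended: one state per word.
    echo "$1: $(effective_boot_state "${svc_state:-unknown}" $trig_states)"
}

# Usage: sh this_script.sh systemd-journal-remote.service
if [ "$#" -gt 0 ]; then
    check_unit "$1"
fi
```

A result of `on` with an `indirect` service means the remediation has to act on the triggering socket unit; disabling the service alone leaves the state unchanged, as the session above shows.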