Bug #27357

open

CIS RHEL 8 Section 1.1.1.1 compliant code is reversed

Added by Michel BOUISSOU 3 days ago. Updated 1 day ago.

Status:
Pending release
Priority:
N/A
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
To do
Regression:
No

Description

In CIS RHEL 8 Section 1.1.1.1 we have:

1.1.1.1 - Audit cramfs module is /bin/false

cis/kcl/tasks/kernel_module_disable.k

- executes: /usr/bin/env bash /var/rudder/cfengine-community/inputs/cis_rhel8/1.0/resources/is_kernel_module_disabled.sh cramfs
- with: compliant_codes = "0"

After careful analysis, the is_kernel_module_disabled.sh will actually :

- Exit 0 if the modprobe command FAILS (rc != 0)
- Also exit 0 if the modprobe command succeeded (rc = 0) AND we find “insmod” in the output (which means the module is actually insertable)

The only case where it would exit 1 is if modprobe returns 0 but the module is not inserted.

Which is the precise case where the module is aliased to /bin/false.

So by calling the script with “compliant_codes = "0"” we do the opposite of what we want; for this call we should have “compliant_codes = "1"”.
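The following is an added bash model of the exit-code mapping the report describes, not the project's own is_kernel_module_disabled.sh (whose exact modprobe invocation is not shown here). The modprobe return codes and output lines it feeds in are constructed; the point is to make visible why a disabled (aliased to /bin/false) module yields exit code 1, and therefore why `compliant_codes = "0"` reports the compliant state as non-compliant while `"1"` reports it correctly.

```shell
#!/usr/bin/env bash
# Model of the exit-code logic the report attributes to
# is_kernel_module_disabled.sh (an added example, not the project's script).
# Inputs stand in for the return code and output of the modprobe command.

# is_disabled_exit_code RC OUTPUT -> returns the modelled script's exit code
is_disabled_exit_code() {
    local modprobe_rc="$1"
    local modprobe_out="$2"
    # modprobe failed (rc != 0): script exits 0
    if [ "$modprobe_rc" -ne 0 ]; then
        return 0
    fi
    # modprobe succeeded and the module is insertable ("insmod" in output): exit 0
    case "$modprobe_out" in
        *insmod*) return 0 ;;
    esac
    # modprobe succeeded but nothing would be inserted (module aliased to /bin/false): exit 1
    return 1
}

# is_compliant EXIT_CODE COMPLIANT_CODES -> 0 if EXIT_CODE is listed in the
# space-separated COMPLIANT_CODES string, mirroring how the caller judges the check
is_compliant() {
    local exit_code="$1"
    local compliant_codes="$2"
    case " $compliant_codes " in
        *" $exit_code "*) return 0 ;;
    esac
    return 1
}

# evaluate RC OUTPUT COMPLIANT_CODES -> 0 if the scenario is judged compliant
evaluate() {
    local rc="$1" out="$2" codes="$3"
    local code=0
    # "|| code=$?" keeps this safe under "set -e"
    is_disabled_exit_code "$rc" "$out" || code=$?
    is_compliant "$code" "$codes"
}

# Constructed scenarios (output strings are illustrative, not captured from a host):
DISABLED_OUT="install /bin/false"                      # module aliased to /bin/false
LOADABLE_OUT="insmod /lib/modules/x/cramfs.ko.xz"      # module would be inserted

report() {
    local label="$1"; shift
    if evaluate "$@"; then echo "$label: compliant"; else echo "$label: NON-compliant"; fi
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    report "disabled module, compliant_codes=0" 0 "$DISABLED_OUT" "0"
    report "disabled module, compliant_codes=1" 0 "$DISABLED_OUT" "1"
    report "loadable module, compliant_codes=1" 0 "$LOADABLE_OUT" "1"
    report "modprobe failed,  compliant_codes=1" 1 "" "1"
fi
```

Running the script prints the disabled-module case as non-compliant under `compliant_codes=0` and compliant under `compliant_codes=1`, while a loadable module or a failing modprobe is correctly flagged under `1`, which is the behaviour the CIS check wants.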
