RHEL 8.3.0 failing selected rules #72
Comments
What kind of failures do you see? Can you provide the error messages?
Hi @bjvrielink, Thanks for asking. Apologies for the late reply. Here are the error messages I'm getting and the rules which I believe relate to them: <ensure_nftables_is_not_enabled> <ensure_no****_option_set_on_tmp_partition> <ensure_mail_transfer_agent_is_configured_for_local_only_mode>
The nftables error is most likely because the nftables package is not installed (which should be fine). Puppet cannot mask a service that simply does not exist. We should work around this and make the service resource conditional depending on the presence of the nftables package. I guess the tmp errors are because /tmp is not specified in /etc/fstab but instead as a systemd unit. Although the CIS guidelines only mention /etc/fstab in the remediation section, I do not think enforcing the use of /etc/fstab only is the way to go. I'm not sure how easy this would be to fix. The Postfix error is because of a bug in the Postfix Puppet module, see voxpupuli/puppet-postfix#261
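A check for the /tmp side of this, as an added example that is not part of the secure_linux_cis module or its rules: instead of parsing /etc/fstab, it reads the live mount table (assumed to be /proc/self/mounts, overridable for testing), so a /tmp that comes from systemd's tmp.mount unit is evaluated the same way as one from fstab. The function name and the sample mount tables are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from secure_linux_cis. Verify that the mounted
# /tmp carries nodev, nosuid and noexec by reading the mount table rather
# than /etc/fstab, which covers both fstab entries and systemd's tmp.mount.
# Exit status 0 when all three options are present, 1 otherwise; the
# missing options are reported on stderr.
tmp_mount_options_ok() {
    mounts_file="${1:-/proc/self/mounts}"
    # Field 2 is the mount point, field 4 the comma separated options;
    # take the last matching line in case /tmp has been over-mounted.
    opts=$(awk '$2 == "/tmp" { print $4 }' "$mounts_file" | tail -n 1)
    if [ -z "$opts" ]; then
        echo "/tmp is not a separate mount" >&2
        return 1
    fi
    missing=""
    for want in nodev nosuid noexec; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "/tmp is missing:$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample mount tables (not captured from a real host).
SAMPLE_OK=$(mktemp)
printf '%s\n' \
  '/dev/nvme0n1p1 / xfs rw,relatime 0 0' \
  'tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0' > "$SAMPLE_OK"
SAMPLE_BAD=$(mktemp)
printf '%s\n' \
  '/dev/nvme0n1p1 / xfs rw,relatime 0 0' \
  'tmpfs /tmp tmpfs rw,nosuid,relatime 0 0' > "$SAMPLE_BAD"
```

Run it with no argument on a host to check the real mount table; the same logic could be reused to gate the nodev/nosuid/noexec rules on what is actually mounted rather than on an fstab entry.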
The postfix bug should be fixed in versions >= 1.10.0 of the Postfix module.
RHEL 8.3.0 (from AWS AMI RHEL-8.3.0_HVM-20201031-x86_64-0-Hourly2-GP2 [ami-044c46b1952ad5861]) is failing the following rules:
secure_linux_cis::rules::ensure_nftables_is_not_enabled
secure_linux_cis::rules::ensure_ipv6_loopback_traffic_is_configured
secure_linux_cis::rules::ensure_nodev_option_set_on_tmp_partition
secure_linux_cis::rules::ensure_nosuid_option_set_on_tmp_partition
secure_linux_cis::rules::ensure_noexec_option_set_on_tmp_partition
secure_linux_cis::rules::ensure_mail_transfer_agent_is_configured_for_local_only_mode
Is this expected?
Your README has the following under Limitations: "RedHat family '8' OSes are not fully covered. Almost, but not quite."