Description
This is a valid fix, but it took about an hour of diving into this because I noticed some unexpected behavior with this control that I don't know if it's a regression or not.
The symbol syntax should behave the same as the string syntax, as long as the file actually exists, i.e. when running against a Docker container based on ubuntu:{focal, jammy}, none of the grub_conf.locations exist, so I would expect the control to fail because of the describe.one block:
cis-dil-benchmark/controls/1_4_secure_boot_settings.rb, lines 30 to 44 in ab97de3:
```ruby
describe.one do
  grub_conf.locations.each do |f|
    describe file(f) do
      it { should exist }
      it { should_not be_readable.by 'group' }
      it { should_not be_writable.by 'group' }
      it { should_not be_executable.by 'group' }
      it { should_not be_readable.by 'other' }
      it { should_not be_writable.by 'other' }
      it { should_not be_executable.by 'other' }
      its(:gid) { should cmp 0 }
      its(:uid) { should cmp 0 }
    end
  end
end
```
But what I'm seeing when testing locally is that all of the files are being tested rather than just one of the files (both in a container and in a VM), which I don't think is the desired behavior:

```ruby
%w(/boot/grub/grub.conf /boot/grub/grub.cfg /boot/grub/menu.lst /boot/boot/grub/grub.conf /boot/boot/grub/grub.cfg /boot/boot/grub/menu.lst /boot/grub2/grub.cfg)
```
@spencer-cdw can you provide some more detail about your testing environment (OS version, path of the actual grub conf file, etc.) as well as CLI output?
```text
$ cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.1 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.1 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.co
$ cinc-auditor version
5.18.14
$ cinc-auditor exec https://github.com/dev-sec/cis-dil-benchmark --controls=cis-dil-benchmark-1.4.1
[2022-11-03T01:47:03+00:00] WARN: URL target https://github.com/dev-sec/cis-dil-benchmark transformed to https://github.com/dev-sec/cis-dil-benchmark/archive/master.tar.gz. Consider using the git fetcher
[2022-11-03T01:47:05+00:00] WARN: Cannot find a UUID for your node.
Profile: CIS Distribution Independent Linux Benchmark Profile (cis-dil-benchmark)
Version: 0.4.13
Target: local://
Target ID:
× cis-dil-benchmark-1.4.1: Ensure permissions on bootloader config are configured (21 failed)
× File /boot/grub/grub.conf is expected to exist
expected File /boot/grub/grub.conf to exist
✔ File /boot/grub/grub.conf is expected not to be readable by group
✔ File /boot/grub/grub.conf is expected not to be writable by group
✔ File /boot/grub/grub.conf is expected not to be executable by group
✔ File /boot/grub/grub.conf is expected not to be readable by other
✔ File /boot/grub/grub.conf is expected not to be writable by other
✔ File /boot/grub/grub.conf is expected not to be executable by other
× File /boot/grub/grub.conf gid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/grub/grub.conf uid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/grub/grub.cfg is expected to exist
expected File /boot/grub/grub.cfg to exist
✔ File /boot/grub/grub.cfg is expected not to be readable by group
✔ File /boot/grub/grub.cfg is expected not to be writable by group
✔ File /boot/grub/grub.cfg is expected not to be executable by group
✔ File /boot/grub/grub.cfg is expected not to be readable by other
✔ File /boot/grub/grub.cfg is expected not to be writable by other
✔ File /boot/grub/grub.cfg is expected not to be executable by other
× File /boot/grub/grub.cfg gid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/grub/grub.cfg uid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/grub/menu.lst is expected to exist
expected File /boot/grub/menu.lst to exist
✔ File /boot/grub/menu.lst is expected not to be readable by group
✔ File /boot/grub/menu.lst is expected not to be writable by group
✔ File /boot/grub/menu.lst is expected not to be executable by group
✔ File /boot/grub/menu.lst is expected not to be readable by other
✔ File /boot/grub/menu.lst is expected not to be writable by other
✔ File /boot/grub/menu.lst is expected not to be executable by other
× File /boot/grub/menu.lst gid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/grub/menu.lst uid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/boot/grub/grub.conf is expected to exist
expected File /boot/boot/grub/grub.conf to exist
✔ File /boot/boot/grub/grub.conf is expected not to be readable by group
✔ File /boot/boot/grub/grub.conf is expected not to be writable by group
✔ File /boot/boot/grub/grub.conf is expected not to be executable by group
✔ File /boot/boot/grub/grub.conf is expected not to be readable by other
✔ File /boot/boot/grub/grub.conf is expected not to be writable by other
✔ File /boot/boot/grub/grub.conf is expected not to be executable by other
× File /boot/boot/grub/grub.conf gid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/boot/grub/grub.conf uid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/boot/grub/grub.cfg is expected to exist
expected File /boot/boot/grub/grub.cfg to exist
✔ File /boot/boot/grub/grub.cfg is expected not to be readable by group
✔ File /boot/boot/grub/grub.cfg is expected not to be writable by group
✔ File /boot/boot/grub/grub.cfg is expected not to be executable by group
✔ File /boot/boot/grub/grub.cfg is expected not to be readable by other
✔ File /boot/boot/grub/grub.cfg is expected not to be writable by other
✔ File /boot/boot/grub/grub.cfg is expected not to be executable by other
× File /boot/boot/grub/grub.cfg gid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/boot/grub/grub.cfg uid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/boot/grub/menu.lst is expected to exist
expected File /boot/boot/grub/menu.lst to exist
✔ File /boot/boot/grub/menu.lst is expected not to be readable by group
✔ File /boot/boot/grub/menu.lst is expected not to be writable by group
✔ File /boot/boot/grub/menu.lst is expected not to be executable by group
✔ File /boot/boot/grub/menu.lst is expected not to be readable by other
✔ File /boot/boot/grub/menu.lst is expected not to be writable by other
✔ File /boot/boot/grub/menu.lst is expected not to be executable by other
× File /boot/boot/grub/menu.lst gid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/boot/grub/menu.lst uid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/grub2/grub.cfg is expected to exist
expected File /boot/grub2/grub.cfg to exist
✔ File /boot/grub2/grub.cfg is expected not to be readable by group
✔ File /boot/grub2/grub.cfg is expected not to be writable by group
✔ File /boot/grub2/grub.cfg is expected not to be executable by group
✔ File /boot/grub2/grub.cfg is expected not to be readable by other
✔ File /boot/grub2/grub.cfg is expected not to be writable by other
✔ File /boot/grub2/grub.cfg is expected not to be executable by other
× File /boot/grub2/grub.cfg gid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/grub2/grub.cfg uid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
Test Summary: 42 successful, 21 failures, 0 skipped
```
Originally posted by @deric4 in #134 (comment)
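The discussion above turns on what a `describe.one` block over `grub_conf.locations` is expected to do when none of the candidate files exist. The Ruby below is an added example, not code from cis-dil-benchmark or from InSpec/Cinc: it models the control's nine checks per candidate path and a "one of" aggregation in plain Ruby so the reported counts can be reproduced offline. It assumes the candidate list is the `grub_conf.locations` array quoted in the issue, that a missing file is evaluated the way the pasted cinc-auditor output shows it (no permission bits, so the six `should_not` checks pass while `exist`, `gid` and `uid` fail, giving 6 passes and 3 failures per missing file), and it adds a `root:` parameter of its own so a mounted container filesystem can be checked instead of `/`; `expected_uid`/`expected_gid` are likewise the example's own parameters, defaulting to the control's `0`.

```ruby
require 'tmpdir'
require 'fileutils'

# Candidate bootloader config paths, copied from the grub_conf.locations array quoted in the issue.
GRUB_LOCATIONS = %w(
  /boot/grub/grub.conf /boot/grub/grub.cfg /boot/grub/menu.lst
  /boot/boot/grub/grub.conf /boot/boot/grub/grub.cfg /boot/boot/grub/menu.lst
  /boot/grub2/grub.cfg
).freeze

# The nine checks the control applies to one file, in the order it lists them.
# Assumption: a missing file is modelled as the cinc-auditor output shows it, with no
# permission bits (the six "should_not be_*" checks pass) and no uid/gid (those fail).
def bootloader_config_checks(path, expected_uid: 0, expected_gid: 0)
  st = File.exist?(path) ? File.stat(path) : nil
  mode = st ? st.mode & 0o777 : 0
  {
    exist: !st.nil?,
    not_group_readable: (mode & 0o040).zero?,
    not_group_writable: (mode & 0o020).zero?,
    not_group_executable: (mode & 0o010).zero?,
    not_other_readable: (mode & 0o004).zero?,
    not_other_writable: (mode & 0o002).zero?,
    not_other_executable: (mode & 0o001).zero?,
    gid_matches: !st.nil? && st.gid == expected_gid,
    uid_matches: !st.nil? && st.uid == expected_uid
  }
end

# "One of" semantics: every candidate is evaluated and every individual result is
# reported, and the control as a whole passes if at least one candidate passes all of
# its checks. `root:` is this example's own knob for checking a mounted image tree.
def evaluate_one_of(locations, root: '/', expected_uid: 0, expected_gid: 0)
  results = locations.map do |loc|
    [loc, bootloader_config_checks(File.join(root, loc),
                                   expected_uid: expected_uid,
                                   expected_gid: expected_gid)]
  end.to_h
  outcomes = results.values.flat_map(&:values)
  {
    passed: results.values.any? { |checks| checks.values.all? },
    successful: outcomes.count(true),
    failures: outcomes.count(false),
    results: results
  }
end

if __FILE__ == $PROGRAM_NAME
  summary = evaluate_one_of(GRUB_LOCATIONS)
  puts "control #{summary[:passed] ? 'passed' : 'failed'}: " \
       "#{summary[:successful]} successful, #{summary[:failures]} failures"
  summary[:results].each do |loc, checks|
    failed = checks.reject { |_name, ok| ok }.keys
    puts "  #{loc}: #{failed.empty? ? 'all checks passed' : "failed #{failed.join(', ')}"}"
  end
end
```

Run against a tree with none of the seven files present, the model reproduces the `42 successful, 21 failures` line from the pasted run (7 files × 6 passing `should_not` checks, 7 files × 3 failing checks), and the control fails because no single candidate passes everything; add one root-owned `0600` config and the same run passes even though the other six candidates still report their 18 failures.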