
Why mode matcher doesn't work on a file resource #781

Closed
anniehedgpeth opened this issue Jun 5, 2016 · 2 comments

Description

Logged in as vagrant, I first tried using the following control, but it failed.

control "cis-4-5-3" do
  impact 1.0
  title "4.5.3 Verify Permissions on /etc/hosts.allow (Scored)"
  desc "It is critical to ensure that the /etc/hosts.allow file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions." 
  describe file('/etc/hosts.allow') do
    its('owner') { should eq 'root' }
    its('mode') { should eq 644 }
  end
end

I tried remediating in Chef with Kitchen using this, but it still failed.

cookbook_file '/etc/hosts.allow' do
  source 'hosts.allow'
  owner 'root'
  mode '0644'
  action :create
end

And finally I used

control "cis-4-5-3" do
  impact 1.0
  title "4.5.3 Verify Permissions on /etc/hosts.allow (Scored)"
  desc "It is critical to ensure that the /etc/hosts.allow file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions." 
  describe file("/etc/hosts.allow") do
    it { should exist }
    it { should_not be_executable.by "group" }
    it { should be_readable.by "group" }
    it { should_not be_writable.by "group" }
    it { should_not be_executable.by "other" }
    it { should be_readable.by "other" }
    it { should_not be_writable.by "other" }
    it { should_not be_executable.by "owner" }
    it { should be_readable.by "owner" }
    it { should be_writable.by "owner" }
  end
end

And it passed. But I'm curious as to why the mode matcher didn't work. I thought at first it was because I was logged in as vagrant, perhaps, but even through Chef it didn't work. Does running through Chef change the root?

InSpec and Platform Version

InSpec version 0.21.3
CentOS 6

Replication Case

See above

Possible Solutions

Just wondering if this has something to do with being logged in as vagrant or if it's more to do with the control. I was surprised when I looked at the "official" profile for CentOS 6 that it didn't check for mode but rather checked for group, other, and owner permissions. The mode matcher seems simpler.

alexpop commented Jun 6, 2016

Hi Annie,

Can you please update to the latest version of inspec? We've made a few fixes recently on file mode matching.

Here's my test file:

describe file('/etc/hosts') do
  its('mode') { should eq 0644 }
end

describe file('/etc/hosts') do
  its('mode') { should cmp 0644 }
end

And the results from the shell:

$ inspec exec a.rb
..

Finished in 0.03216 seconds (files took 1.71 seconds to load)
2 examples, 0 failures

$ inspec version
0.24.0
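The difference between the control that failed in the issue body and the two forms in the comment above comes down to the literal used: `644` is the decimal number 644 (octal 01204), while `0644` is the octal permission value rw-r--r--. The following Ruby script is an added example, not code from the issue or from the InSpec project. It reproduces the comparison the mode matcher performs (assumed here to be the stat mode masked with 07777, with no InSpec dependency) against a temporary file created by the script itself, and also implements the per-principal readable/writable/executable checks from the longer control so the two styles can be compared on the same file.

```ruby
require 'tempfile'

# Permission bits of a stat mode with the file-type bits stripped off.
# Assumption: this is the integer InSpec's `its('mode')` compares against.
PERM_MASK = 0o7777

# Permission bits of +path+ as an Integer.
def file_mode(path)
  File.stat(path).mode & PERM_MASK
end

# Direct comparison, as `its('mode') { should eq <value> }` does.
# Only an octal literal (0o644 / 0644) means rw-r--r--; a bare 644 is
# decimal 644 == 0o1204 and can never equal the mode of a 0644 file.
def mode_matches?(path, expected)
  file_mode(path) == expected
end

# Bit-wise checks equivalent to the verbose control in the issue:
# `should be_readable.by "owner"` and friends.
WHO_SHIFT = { 'owner' => 6, 'group' => 3, 'other' => 0 }.freeze
PERM_BIT  = { 'readable' => 4, 'writable' => 2, 'executable' => 1 }.freeze

def permission?(path, perm, who)
  triad = (file_mode(path) >> WHO_SHIFT.fetch(who)) & 0o7
  (triad & PERM_BIT.fetch(perm)) != 0
end

# The CIS 4.5.3 expectation (owner rw, group r, other r, nobody x)
# expressed three ways against the same file.
def check_hosts_allow_style(path)
  everyone = %w[owner group other]
  {
    mode_octal:   mode_matches?(path, 0o644),
    mode_decimal: mode_matches?(path, 644),
    bitwise:
      everyone.all? { |w| permission?(path, 'readable', w) } &&
      permission?(path, 'writable', 'owner') &&
      %w[group other].none? { |w| permission?(path, 'writable', w) } &&
      everyone.none? { |w| permission?(path, 'executable', w) }
  }
end

# Constructed stand-in for /etc/hosts.allow: a temp file chmod'ed to 0644.
def demo
  Tempfile.create('hosts.allow') do |f|
    File.chmod(0o644, f.path)
    check_hosts_allow_style(f.path)
  end
end

if __FILE__ == $PROGRAM_NAME
  p demo # {:mode_octal=>true, :mode_decimal=>false, :bitwise=>true}
end
```

Running it shows the octal comparison and the bit-wise checks agreeing while the decimal comparison fails regardless of which user runs the script or which InSpec version is installed, which is why a leading zero (or a `cmp` against an octal value, as in the second `describe` above) is the check to use.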

@anniehedgpeth

Thanks, @alexpop ! That's all it was.
