Counting and status of controls without tests #849

alexpop · 2016-08-01T10:36:02Z

Here's a few controls from the CIS CentOS Linux 7 Benchmark Level 2 profile shipped with Chef Compliance:

control "xccdf_org.cisecurity.benchmarks_rule_1.1.11_Add_nodev_Option_to_Removable_Media_Partitions"
control "xccdf_org.cisecurity.benchmarks_rule_1.1.12_Add_noexec_Option_to_Removable_Media_Partitions"
control "xccdf_org.cisecurity.benchmarks_rule_1.1.13_Add_nosuid_Option_to_Removable_Media_Partitions"
control "xccdf_org.cisecurity.benchmarks_rule_1.1.18_Disable_Mounting_of_cramfs_Filesystems"
control "xccdf_org.cisecurity.benchmarks_rule_1.1.19_Disable_Mounting_of_freevxfs_Filesystems"
control "xccdf_org.cisecurity.benchmarks_rule_1.1.20_Disable_Mounting_of_jffs2_Filesystems"
control "xccdf_org.cisecurity.benchmarks_rule_1.1.21_Disable_Mounting_of_hfs_Filesystems"
control "xccdf_org.cisecurity.benchmarks_rule_1.1.22_Disable_Mounting_of_hfsplus_Filesystems"
control "xccdf_org.cisecurity.benchmarks_rule_1.1.23_Disable_Mounting_of_squashfs_Filesystems"
control "xccdf_org.cisecurity.benchmarks_rule_1.1.24_Disable_Mounting_of_udf_Filesystems"
control "xccdf_org.cisecurity.benchmarks_rule_1.2.3_Obtain_Software_Package_Updates_with_yum"
control "xccdf_org.cisecurity.benchmarks_rule_1.2.4_Verify_Package_Integrity_Using_RPM"

These controls have no tests in them and after execution, there's inconsistency in how they are reported here:

Counting them as passed in the audit cookbook
Counting them as skipped in Chef Visibility
InSpec is not counting or displaying their status when using the cli, progress or documentation formatters.

For example, this profile:

control 'Checking success' do
  impact 0.8
  describe port(45678) do
    it { should_not be_listening }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_1.1.11_Add_nodev_Option_to_Removable_Media_Partitions" do
  title "Add nodev Option to Removable Media Partitions"
  desc  "Set nodev on removable media to prevent character and block special devices that are present on the removable be treated as these device files."
  impact 0.0
end

returns the following in inspec:

$ bin/inspec exec ~/tmp/s.rb

Target:  local://

  ✔  Checking success: Port 45678 should not be listening

Summary: 1 successful, 0 failures, 0 skipped

I would like to use this ticket to decide how to count and what status to report for these controls.

The text was updated successfully, but these errors were encountered:

arlimus · 2016-08-01T14:18:57Z

@alexpop Awesome, thank you for bringing it up!!

Let's address the larger issue of actually counting controls vs tests 😄
==> #852

arlimus · 2016-09-20T09:49:06Z

Closed by #1083

alexpop added the Type: Enhancement Improves an existing feature label Aug 1, 2016

chris-rock added this to the 1.0.0 milestone Aug 1, 2016

chris-rock modified the milestones: 0.29.0, 1.0.0, 0.31.0 Aug 8, 2016

chris-rock modified the milestones: 0.31.0, 0.32.0 Aug 19, 2016

arlimus modified the milestones: 1.0.0, 0.32.0 Aug 22, 2016

arlimus modified the milestones: 0.35.0, 1.0.0 Sep 14, 2016

arlimus added the ready label Sep 15, 2016

arlimus self-assigned this Sep 15, 2016

chris-rock modified the milestones: 0.35.0, 0.36.0 Sep 19, 2016

arlimus added in progress and removed ready labels Sep 19, 2016

arlimus closed this as completed Sep 20, 2016

chris-rock removed this from the 0.36.0 milestone Sep 21, 2016

chris-rock modified the milestones: 1.0.0, 0.36.0 Sep 21, 2016

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Counting and status of controls without tests #849

Counting and status of controls without tests #849

alexpop commented Aug 1, 2016

arlimus commented Aug 1, 2016

arlimus commented Sep 20, 2016

Counting and status of controls without tests #849

Counting and status of controls without tests #849

Comments

alexpop commented Aug 1, 2016

arlimus commented Aug 1, 2016

arlimus commented Sep 20, 2016