
1.6.1.3 fails on default config due to space at the end of line #15

Closed
rabcin opened this issue Jun 28, 2019 · 3 comments

rabcin commented Jun 28, 2019

The grep doesn't match the returned value due to a space at the end which appears to exist in the default configuration.

finalduty self-assigned this Jul 19, 2019

finalduty (Owner) commented

I can't replicate this issue; the grep isn't looking for extra spaces, so it should just ignore them. Can you please grab the latest copy of the script from master and send me the output you get when you run cis-audit.sh --include 1.6.1.3 --debug?


rabcin commented Jul 29, 2019

[nick@ntp ~]$ ./cis-audit.sh --include 1.6.1.3 --debug
[DEBUG] 2019-07-29T09:26:18,797996048+0100 Debug enabled
[DEBUG] 2019-07-29T09:26:18,809073145+0100 Tests will run with reduced CPU priority
[DEBUG] 2019-07-29T09:26:18,891082801+0100 Exclude list is empty
[DEBUG] 2019-07-29T09:26:18,898585206+0100 Include list is populated " 1.6.1.3  "
[DEBUG] 2019-07-29T09:26:18,906543104+0100 Going to run tests from any level
[DEBUG] 2019-07-29T09:26:18,914098069+0100 Script was started with PID: 46084
[DEBUG] 2019-07-29T09:26:18,931792128+0100 Renicing 46084 (process ID) old priority 0, new priority 5
[DEBUG] 2019-07-29T09:26:18,933592442+0100 Creating tmp files with base /tmp/.cis_audit*
[DEBUG] 2019-07-29T09:26:18,957615301+0100 Not displaying progress ticker while debug is enabled
[DEBUG] 2019-07-29T09:26:18,959939411+0100 Checking whether to run test 1
[DEBUG] 2019-07-29T09:26:18,971266152+0100 Test 1 is the parent of an included test
[DEBUG] 2019-07-29T09:26:18,978770139+0100 Including test 1
[DEBUG] 2019-07-29T09:26:18,980946379+0100 Writing to /tmp/.cis_audit-190729092618.output - 1,Initial Setup
[DEBUG] 2019-07-29T09:26:18,987766101+0100 Checking whether to run test 1.1
[DEBUG] 2019-07-29T09:26:19,003816545+0100 Excluding test 1.1 (Not found in the include list)
[DEBUG] 2019-07-29T09:26:19,011891815+0100 Checking whether to run test 1.2
[DEBUG] 2019-07-29T09:26:19,027711677+0100 Excluding test 1.2 (Not found in the include list)
[DEBUG] 2019-07-29T09:26:19,035952987+0100 Checking whether to run test 1.3
[DEBUG] 2019-07-29T09:26:19,051953708+0100 Excluding test 1.3 (Not found in the include list)
[DEBUG] 2019-07-29T09:26:19,060155748+0100 Checking whether to run test 1.4
[DEBUG] 2019-07-29T09:26:19,075710510+0100 Excluding test 1.4 (Not found in the include list)
[DEBUG] 2019-07-29T09:26:19,084039953+0100 Checking whether to run test 1.5
[DEBUG] 2019-07-29T09:26:19,100880449+0100 Excluding test 1.5 (Not found in the include list)
[DEBUG] 2019-07-29T09:26:19,108946295+0100 Checking whether to run test 1.6
[DEBUG] 2019-07-29T09:26:19,119622558+0100 Test 1.6 is the parent of an included test
[DEBUG] 2019-07-29T09:26:19,127655919+0100 Including test 1.6
[DEBUG] 2019-07-29T09:26:19,130028730+0100 Writing to /tmp/.cis_audit-190729092618.output - 1.6,Mandatory Access Control
[DEBUG] 2019-07-29T09:26:19,137344448+0100 Checking whether to run test 1.6.1
[DEBUG] 2019-07-29T09:26:19,148419576+0100 Test 1.6.1 is the parent of an included test
[DEBUG] 2019-07-29T09:26:19,155995477+0100 Including test 1.6.1
[DEBUG] 2019-07-29T09:26:19,158268359+0100 Writing to /tmp/.cis_audit-190729092618.output - 1.6.1,Configure SELinux
[DEBUG] 2019-07-29T09:26:19,293806143+0100 Checking whether to run test 1.6.1.1
[DEBUG] 2019-07-29T09:26:19,310819182+0100 Excluding test 1.6.1.1 (Not found in the include list)
[DEBUG] 2019-07-29T09:26:19,326523981+0100 Checking whether to run test 1.6.1.2
[DEBUG] 2019-07-29T09:26:19,343628046+0100 Excluding test 1.6.1.2 (Not found in the include list)
[DEBUG] 2019-07-29T09:26:19,357186676+0100 Checking whether to run test 1.6.1.3
[DEBUG] 2019-07-29T09:26:19,365273439+0100 Test 1.6.1.3 was explicitly included
[DEBUG] 2019-07-29T09:26:19,372975243+0100 Including test 1.6.1.3
[DEBUG] 2019-07-29T09:26:19,375335101+0100 Requesting test 1.6.1.3 by calling "test_1.6.1.3 1.6.1.3  &"
[DEBUG] 2019-07-29T09:26:19,439933272+0100 There were 0/10 max_running_tasks when starting test 1.6.1.3.
+ test_1.6.1.3 1.6.1.3 2
+ id=1.6.1.3
+ level=2
+ description='Ensure SELinux policy is configured'
+ scored=Scored
++ test_start 1.6.1.3
++ id=1.6.1.3
++ level=
++ write_debug 'Test 1.6.1.3 started'
++ '[' True == True ']'
+++ date -Ins
++ printf '[DEBUG] 2019-07-29T09:26:19,442758181+0100 Test 1.6.1.3 started\n'
[DEBUG] 2019-07-29T09:26:19,442758181+0100 Test 1.6.1.3 started
++ echo .
+++ wc -l /tmp/.cis_audit-190729092618.finished.counter
+++ awk '{print $1}'
+++ awk '{print $1}'
+++ wc -l /tmp/.cis_audit-190729092618.started.counter
++ write_debug 'Progress: 0/1 tests.'
++ '[' True == True ']'
+++ date -Ins
++ printf '[DEBUG] 2019-07-29T09:26:19,458086531+0100 Progress: 0/1 tests.\n'
[DEBUG] 2019-07-29T09:26:19,458086531+0100 Progress: 0/1 tests.
++ now
+++ date +%s%N
++ echo 1564388779460
+ test_start_time=1564388779460
+ state=0
++ grep SELINUXTYPE=targeted /etc/selinux/config
+ '[' 'SELINUXTYPE=targeted ' == SELINUXTYPE=targeted ']'
+ state=1
++ awk '/Loaded policy name/ {print $4}'
++ sestatus
+ '[' targeted == targeted ']'
+ '[' 1 -eq 0 ']'
++ test_finish 1.6.1.3 1564388779460
++ id=1.6.1.3
++ start_time=1564388779460
+++ now
++++ date +%s%N
+++ echo 1564388779488
++ duration=28
++ write_debug 'Test 1.6.1.3 completed after 28ms'
++ '[' True == True ']'
+++ date -Ins
++ printf '[DEBUG] 2019-07-29T09:26:19,491013391+0100 Test 1.6.1.3 completed after 28ms\n'
[DEBUG] 2019-07-29T09:26:19,491013391+0100 Test 1.6.1.3 completed after 28ms
++ echo .
+++ wc -l /tmp/.cis_audit-190729092618.finished.counter
+++ awk '{print $1}'
+++ wc -l /tmp/.cis_audit-190729092618.started.counter
+++ awk '{print $1}'
++ write_debug 'Progress: 1/1 tests.'
++ '[' True == True ']'
+++ date -Ins
++ printf '[DEBUG] 2019-07-29T09:26:19,506190524+0100 Progress: 1/1 tests.\n'
[DEBUG] 2019-07-29T09:26:19,506190524+0100 Progress: 1/1 tests.
++ echo 28
+ duration=28ms
+ write_result '1.6.1.3,Ensure SELinux policy is configured,Scored,2,Fail,28ms'
+ write_debug 'Writing result to /tmp/.cis_audit-190729092618.output - 1.6.1.3,Ensure SELinux policy is configured,Scored,2,Fail,28ms'
+ '[' True == True ']'
++ date -Ins
+ printf '[DEBUG] 2019-07-29T09:26:19,508600097+0100 Writing result to /tmp/.cis_audit-190729092618.output - 1.6.1.3,Ensure SELinux policy is configured,Scored,2,Fail,28ms\n'
[DEBUG] 2019-07-29T09:26:19,508600097+0100 Writing result to /tmp/.cis_audit-190729092618.output - 1.6.1.3,Ensure SELinux policy is configured,Scored,2,Fail,28ms
+ echo 1.6.1.3,Ensure SELinux policy is configured,Scored,2,Fail,28ms
+ set +x
[DEBUG] 2019-07-29T09:26:19,524631395+0100 Checking whether to run test 1.6.1.4
[DEBUG] 2019-07-29T09:26:19,541338700+0100 Excluding test 1.6.1.4 (Not found in the include list)
[DEBUG] 2019-07-29T09:26:19,555510134+0100 Checking whether to run test 1.6.1.5
[DEBUG] 2019-07-29T09:26:19,572086706+0100 Excluding test 1.6.1.5 (Not found in the include list)
[DEBUG] 2019-07-29T09:26:19,586175426+0100 Checking whether to run test 1.6.1.6
[DEBUG] 2019-07-29T09:26:19,603762490+0100 Excluding test 1.6.1.6 (Not found in the include list)
[DEBUG] 2019-07-29T09:26:19,623132215+0100 Checking whether to run test 1.6.2
[DEBUG] 2019-07-29T09:26:19,640833716+0100 Excluding test 1.6.2 (Not found in the include list)
[DEBUG] 2019-07-29T09:26:19,649856981+0100 Checking whether to run test 1.7
[DEBUG] 2019-07-29T09:26:19,666971274+0100 Excluding test 1.7 (Not found in the include list)
[DEBUG] 2019-07-29T09:26:19,682628909+0100 Checking whether to run test 1.8
[DEBUG] 2019-07-29T09:26:19,700850844+0100 Excluding test 1.8 (Not found in the include list)
[DEBUG] 2019-07-29T09:26:19,710689139+0100 Checking whether to run test 2
[DEBUG] 2019-07-29T09:26:19,727660562+0100 Excluding test 2 (Not found in the include list)
[DEBUG] 2019-07-29T09:26:19,737076859+0100 Checking whether to run test 3
[DEBUG] 2019-07-29T09:26:19,754276627+0100 Excluding test 3 (Not found in the include list)
[DEBUG] 2019-07-29T09:26:19,763887199+0100 Checking whether to run test 4
[DEBUG] 2019-07-29T09:26:19,781596993+0100 Excluding test 4 (Not found in the include list)
[DEBUG] 2019-07-29T09:26:19,791395864+0100 Checking whether to run test 5
[DEBUG] 2019-07-29T09:26:19,809150305+0100 Excluding test 5 (Not found in the include list)
[DEBUG] 2019-07-29T09:26:19,818949123+0100 Checking whether to run test 6
[DEBUG] 2019-07-29T09:26:19,836374162+0100 Excluding test 6 (Not found in the include list)
[DEBUG] 2019-07-29T09:26:19,852892702+0100 All tests have completed
[DEBUG] 2019-07-29T09:26:19,854835674+0100 Formatting and writing results to STDOUT

 CIS CentOS 7 Benchmark v2.2.0 Results
---------------------------------------
ID       Description                          Scoring  Level  Result  Duration
--       -----------                          -------  -----  ------  --------

1        Initial Setup
1.6      Mandatory Access Control
1.6.1    Configure SELinux
1.6.1.3  Ensure SELinux policy is configured  Scored   2      Fail    28ms

Passed 0 of 1 tests in 1 seconds (0 Skipped, 0 Errors)

[DEBUG] 2019-07-29T09:26:19,923221202+0100 All results written to STDOUT
removed ‘/tmp/.cis_audit-190729092618.finished.counter’
removed ‘/tmp/.cis_audit-190729092618.output’
removed ‘/tmp/.cis_audit-190729092618.started.counter’
removed ‘/tmp/.cis_audit-stage’
[DEBUG] 2019-07-29T09:26:19,967429908+0100 Exiting with code 0


rabcin commented Jul 29, 2019


[nick@ntp ~]$ more /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
#

Whilst it's not clear in this copy/paste, the line SELINUXTYPE=targeted contains a space at the end, which appears to be part of our default build, which I believe is a standard install; this line was not modified.
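The trace above shows why the test fails: the entire grep output line (`'SELINUXTYPE=targeted '`, trailing space included) is compared with a literal. The following is an added example, not code from cis-audit.sh, that reproduces that comparison against a constructed copy of the config with the trailing space and sets a whitespace-tolerant form of the same check beside it; the function names and the temp-file helper are mine.

```shell
#!/usr/bin/env bash
# Added example (not cis-audit.sh's own code). The config text is constructed
# to mirror the reporter's file, including the space after "targeted".

# Fragile check, in the shape the --debug trace shows: the whole matching line
# is compared with a literal, so a trailing space (or a CRLF ending) fails it.
check_selinuxtype_fragile() {
    local config="$1"
    [ "$(grep SELINUXTYPE=targeted "$config")" = "SELINUXTYPE=targeted" ]
}

# Tolerant check: skip comment lines, anchor the key at the start of the line,
# take the last uncommented definition (my choice, mirroring "last one wins"),
# and strip trailing whitespace, \r included, before comparing the value.
check_selinuxtype_tolerant() {
    local config="$1" value
    value=$(grep -E '^[[:space:]]*SELINUXTYPE[[:space:]]*=' "$config" \
            | tail -n 1 \
            | sed -E 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*//; s/[[:space:]]+$//')
    [ "$value" = "targeted" ]
}

# Write a constructed config with a trailing space on the SELINUXTYPE line and
# print its path.
make_config() {
    local f
    f=$(mktemp)
    printf '# This file controls the state of SELinux on the system.\n' > "$f"
    printf 'SELINUX=enforcing\nSELINUXTYPE=targeted \n' >> "$f"
    echo "$f"
}

# Stand-alone run: the fragile check reports Fail, the tolerant one Pass.
cfg=$(make_config)
check_selinuxtype_fragile "$cfg"  && echo "fragile:  Pass" || echo "fragile:  Fail"
check_selinuxtype_tolerant "$cfg" && echo "tolerant: Pass" || echo "tolerant: Fail"
rm -f "$cfg"
```

The tolerant form also rejects a commented-out `# SELINUXTYPE=targeted` line, which the unanchored grep would otherwise accept.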
