Chef Compliance gives false positives in Ubuntu Level 1 profile
After scanning some ubuntu servers with Chef compliance, I went through all critical issues trying to fix them developing a hardening cookbook for us. I've been able to fix all issues except three and would like to share some feedback.
6.2.8 Ensure users' home directories permission are 750 or more restrictive.
CIS document uses "/usr/bin/nologin" to filter home directories available in /etc/password while ubuntu-16.04-level-1 profile uses "/sbin/nologin". This returns more folders than expected like /bin or /dev and you can not add 750 permissions, because normal users won't be able to access /bin/bash or /dev/null for example.
184.108.40.206 Ensure mounting of squashes filesystems is disabled
220.127.116.11 Ensure mounting of FAT filesystems is disabled
Even a line is added for them in /etc/modprobe.d/CIS.conf, like for the rest of filesystems, these ones are not taking effect. Can't figure out why "modprobe -n -v vfat" does not return a line, even If it has been added.