How can we improve Chef?

Chef Compliance gives false positives in Ubuntu Level 1 profile

After scanning some ubuntu servers with Chef compliance, I went through all critical issues trying to fix them developing a hardening cookbook for us. I've been able to fix all issues except three and would like to share some feedback.

6.2.8 Ensure users' home directories permission are 750 or more restrictive.

CIS document uses "/usr/bin/nologin" to filter home directories available in /etc/password while ubuntu-16.04-level-1 profile uses "/sbin/nologin". This returns more folders than expected like /bin or /dev and you can not add 750 permissions, because normal users won't be able to access /bin/bash or /dev/null for example.

1.1.1.6 Ensure mounting of squashes filesystems is disabled
1.1.1.8 Ensure mounting of FAT filesystems is disabled

Even a line is added for them in /etc/modprobe.d/CIS.conf, like for the rest of filesystems, these ones are not taking effect. Can't figure out why "modprobe -n -v vfat" does not return a line, even If it has been added.

1 vote
Vote
Sign in
Check!
(thinking…)
Reset
or sign in with
  • facebook
  • google
    Password icon
    I agree to the terms of service
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    Jon ArrienJon Arrien shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

    0 comments

    Sign in
    Check!
    (thinking…)
    Reset
    or sign in with
    • facebook
    • google
      Password icon
      I agree to the terms of service
      Signed in as (Sign out)
      Submitting...

      Feedback and Knowledge Base