
I'm performing a CIS-CAT scan and I'm questioning the results of the scanner being poorly designed. Now I am running on Debian 9 which isn't officially supported by the scanner but I can get it to run and I've implemented 95% of their requirements and can successfully scan using the following command:

sudo ./CIS-CAT.sh -f -D ignore.platform.mismatch=true -D include.csv.remediation=true -csv

/bin has permissions of drwxr-x--x and they want me to remove execute for other; however, if I "chmod o-x /bin" then a regular user cannot execute standard commands like "ls". Is there a different approach to this?

Same thing with the following:
/dev
/var/cache/man
/run/systemd
/run/dbus
/run/sshd

which have permissions of drwxr-xr-x. CIS-CAT wants me to remove other read and execute, but their permissions get reset on reboot.

Here's the scan results:

File:   /usr/sbin
CIS-CAT Expected... CIS-CAT Collected...
the file's Other Read to be set to false    false
the file's Other Execute to be set to false false
the file's Other Write to be set to false   false
the file's Group Write to be set to false   false
File:   /bin
CIS-CAT Expected... CIS-CAT Collected...
the file's Other Read to be set to false    false
the file's Other Execute to be set to false true
the file's Other Write to be set to false   false
the file's Group Write to be set to false   false
File:   /dev
CIS-CAT Expected... CIS-CAT Collected...
the file's Other Read to be set to false    true
the file's Other Execute to be set to false true
the file's Other Write to be set to false   false
the file's Group Write to be set to false   false
File:   /usr/games
CIS-CAT Expected... CIS-CAT Collected...
the file's Other Read to be set to false    false
the file's Other Execute to be set to false false
the file's Other Write to be set to false   false
the file's Group Write to be set to false   false
File:   /var/cache/man
CIS-CAT Expected... CIS-CAT Collected...
the file's Other Read to be set to false    true
the file's Other Execute to be set to false true
the file's Other Write to be set to false   false
the file's Group Write to be set to false   false
File:   /var/spool/lpd
CIS-CAT expected any number of matching file items to be collected, and found 0 items.
File:   /var/mail
CIS-CAT Expected... CIS-CAT Collected...
the file's Other Read to be set to false    false
the file's Other Execute to be set to false false
the file's Other Write to be set to false   false
the file's Group Write to be set to false   false
File:   /var/spool/news
CIS-CAT expected any number of matching file items to be collected, and found 0 items.
File:   /var/spool/uucp
CIS-CAT expected any number of matching file items to be collected, and found 0 items.
File:   /bin
CIS-CAT Expected... CIS-CAT Collected...
the file's Other Read to be set to false    false
the file's Other Execute to be set to false true
the file's Other Write to be set to false   false
the file's Group Write to be set to false   false
File:   /var/www
CIS-CAT expected any number of matching file items to be collected, and found 0 items.
File:   /var/backups
CIS-CAT Expected... CIS-CAT Collected...
the file's Other Read to be set to false    false
the file's Other Execute to be set to false false
the file's Other Write to be set to false   false
the file's Group Write to be set to false   false
File:   /var/list
CIS-CAT expected any number of matching file items to be collected, and found 0 items.
File:   /run/ircd
CIS-CAT expected any number of matching file items to be collected, and found 0 items.
File:   /var/lib/gnats
CIS-CAT expected any number of matching file items to be collected, and found 0 items.
File:   /nonexistent
CIS-CAT expected any number of matching file items to be collected, and found 0 items.
File:   /run/systemd
CIS-CAT Expected... CIS-CAT Collected...
the file's Other Read to be set to false    true
the file's Other Execute to be set to false true
the file's Other Write to be set to false   false
the file's Group Write to be set to false   false
File:   /run/systemd/netif
CIS-CAT Expected... CIS-CAT Collected...
the file's Other Read to be set to false    true
the file's Other Execute to be set to false true
the file's Other Write to be set to false   false
the file's Group Write to be set to false   false
File:   /run/systemd/resolve
CIS-CAT expected any number of matching file items to be collected, and found 0 items.
File:   /run/systemd
CIS-CAT Expected... CIS-CAT Collected...
the file's Other Read to be set to false    true
the file's Other Execute to be set to false true
the file's Other Write to be set to false   false
the file's Group Write to be set to false   false
File:   /nonexistent
CIS-CAT expected any number of matching file items to be collected, and found 0 items.
File:   /var/spool/exim4
CIS-CAT Expected... CIS-CAT Collected...
the file's Other Read to be set to false    false
the file's Other Execute to be set to false false
the file's Other Write to be set to false   false
the file's Group Write to be set to false   false
File:   /run/dbus
CIS-CAT Expected... CIS-CAT Collected...
the file's Other Read to be set to false    true
the file's Other Execute to be set to false true
the file's Other Write to be set to false   false
the file's Group Write to be set to false   false
File:   /run/sshd
CIS-CAT Expected... CIS-CAT Collected...
the file's Other Read to be set to false    true
the file's Other Execute to be set to false true
the file's Other Write to be set to false   false
the file's Group Write to be set to false   false
File:   /home/UserName
CIS-CAT Expected... CIS-CAT Collected...
the file's Other Read to be set to false    false
the file's Other Execute to be set to false false
the file's Other Write to be set to false   false
the file's Group Write to be set to false   false
File:   /nonexistent
CIS-CAT expected any number of matching file items to be collected, and found 0 items.
File:   /home/ntp
CIS-CAT expected any number of matching file items to be collected, and found 0 items.
File:   /home/esets
CIS-CAT Expected... CIS-CAT Collected...
the file's Other Read to be set to false    false
the file's Other Execute to be set to false false
the file's Other Write to be set to false   false
the file's Group Write to be set to false   false
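As an added example (not code from the question, from CIS-CAT, or from the benchmark), the script below reproduces the four directory checks that the scan output above reports and prints each directory's filesystem type, so that a volatile mount such as tmpfs for /run or devtmpfs for /dev, where a chmod does not survive a reboot, is visible next to the failing bits. The directory list is taken from the question; the output wording is my own.

```bash
#!/bin/bash
# Added example, not from the question or from CIS-CAT. Re-implements the four
# checks seen in the scan output (other read/write/execute and group write must
# be clear) and reports the filesystem type, since tmpfs/devtmpfs mounts like
# /run and /dev are recreated at boot and lose any chmod applied to them.

# report NAME SET -> prints one result line in the scanner's wording; returns 1
# when the bit is set (i.e. the check fails).
report() {
    local name="$1" set="$2" collected=false
    if [ "$set" -eq 1 ]; then collected=true; fi
    printf "  the file's %-14s expected false, collected %s\n" "$name" "$collected"
    [ "$set" -eq 0 ]
}

# check_dir_perms DIR -> 0 if all four bits are clear, 1 if any is set,
# 2 if DIR does not exist (CIS-CAT's "found 0 items" case).
check_dir_perms() {
    local dir="$1" mode other group fstype fail=0
    if [ ! -d "$dir" ]; then
        echo "File:   $dir -- found 0 items"
        return 2
    fi
    mode=$(stat -c '%a' "$dir")                       # e.g. 751 for drwxr-x--x
    other=$(( 10#$mode % 10 ))                        # last octal digit
    group=$(( (10#$mode / 10) % 10 ))                 # middle octal digit
    fstype=$(stat -f -c '%T' "$dir" 2>/dev/null || echo unknown)
    echo "File:   $dir ($(stat -c '%A' "$dir"), fs=$fstype)"
    report "Other Read"    $(( (other & 4) != 0 )) || fail=1
    # On a directory the execute bit is the traverse permission: clearing it on
    # /bin is exactly what stops an unprivileged user from resolving /bin/ls.
    report "Other Execute" $(( (other & 1) != 0 )) || fail=1
    report "Other Write"   $(( (other & 2) != 0 )) || fail=1
    report "Group Write"   $(( (group & 2) != 0 )) || fail=1
    return $fail
}

# Audit the directories the scan above complained about.
for d in /bin /dev /var/cache/man /run/systemd /run/dbus /run/sshd; do
    check_dir_perms "$d" || true
done
```

Directories reported with fs=tmpfs are the ones whose permissions will come back at the next boot regardless of a manual chmod.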
  • None of those directories were listed in the CIS benchmark for Debian 9. So I don't know what this script is doing. You can be sure, though, that if a proposed "security" measure actually prevents functionality you need, then you need to do something else. – Michael Hampton Dec 27 '18 at 22:07
  • It's under section 13.7 of the scan. – Brad Dec 27 '18 at 22:19
  • You must be reading some other CIS than I am. Exactly where did you get this and what standard is it referring to? – Michael Hampton Dec 27 '18 at 22:20
  • CIS-CAT-Pro Assessor version 3.0.45 – Brad Dec 27 '18 at 22:57
  • Nope, that's the same CIS. So I have absolutely no idea why their scanning tool is going on about these directories. Again, they don't actually appear in the CIS benchmarks. – Michael Hampton Dec 28 '18 at 14:54
  • When running I'm using the following options: #19 -- CIS Debian Linux 8 Benchmark #1 -- xccdf_org.cisecurity.benchmarks_profile_Level_1 It very well could be a bug since the template used is for Debian 8 and not 9 as described above and may need to wait for an update to officially support Debian 9 but so far there's only been a few items that the scan fails as a false positive because the response has to do with a particular .sh file in sce/ such as "no_ungrouped_files_and_directories.sh" which even if I fix the script CIS-CAT still shows a failure which is fine. – Brad Dec 28 '18 at 15:16
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/87610/discussion-between-brad-and-michael-hampton). – Brad Dec 28 '18 at 21:09
