Policy scan using CIS benchmarks displays fail, but manual check shows pass

cherdt_cherdt · November 16, 2020, 11:16pm

I’m using the built-in policy for CIS CentOS Linux 7 Level Two - Server v3.0.0 to scan a single host. The very first policy rule (“1.1.1.1. Ensure mounting of cramfs filesystems is disabled”) indicates that the test failed.

However, when I run the manual audit procedures described in the benchmark, they pass:

modprobe -n -v cramfs | grep -E '(cramfs|install)'

returns

install /bin/true

and

lsmod | grep cramfs

returns no output.

My first question is: since a manual audit shows this passes, why does InsightVM show that it fails?

Additionally, I’m not sure I’m interpreting InsightVM’s output correctly:

This is a complex check. Operator = AND

oval-org.cisecurity.benchmarks.centos_centos_7-def-1026588: FAIL

Based on the following 1 results:

        At least one specified ShellCommand entry must match the given criteria. At least one evaluation must pass.
        Entry 1 findings:	FAIL
        command: modprobe -n -v cramfs
        line_selection: .+
        stdout_line:

oval-org.cisecurity.benchmarks.centos_centos_7-def-1026589: PASS

Based on the following 1 results:

        At least one specified ShellCommand entry must match the given criteria. No evaluation may pass.
        Entry 1 findings:	FAIL
        command: modprobe -n -v cramfs
        line_selection: .+
        stdout_line:

It looks like the automated checks are both running the same command, they are both selecting the same lines (any results with 1 or more characters) but both are expected to be empty, but that one passes in that case but the other fails. It looks like these can’t both be true at the same time, and therefore the test will always fail?

bruno_ramos_de_matos · November 20, 2020, 9:02pm

Hi cherdt,

I am with you on this one. I am having the exact same issue. I ran a Level 1 CIS policy for domain member windows 2012 r2 server and it failed for a lot of things. However, did the same checks from within the server an it was all good.

It was a bit of funny one, because I had a Rapid 7 Consultant showing me the feature when we came across the issue and he was not able to explain why it was not working, but sad he was going to get it logged with the team in the backend for feedback and resolution.

I am still waiting for the feedback.

cherdt_cherdt · November 20, 2020, 11:07pm

I also used CIS-CAT v3.0.70 to assess one of the hosts using the CIS CentOS 7 benchmarks v3.0.0.

I found dramatic differences between the results returned by CIS-CAT and InsightVM, with InsightVM reporting numerous false positives (the benchmark in the original post included).

samuel_takachicha · December 8, 2020, 7:53pm

Has anyone found a resolution to this? I am experiencing the same with policy scans.

ecornwell · January 23, 2024, 9:34pm

I came here looking for the same information. I scanned, got a result, adjusted and re-scanned. My score increased and I fixed the rest that I missed but now things that are set are failing.