I’m using the built-in policy for CIS CentOS Linux 7 Level Two - Server v3.0.0 to scan a single host. The very first policy rule (“1.1.1.1. Ensure mounting of cramfs filesystems is disabled”) indicates that the test failed.
However, when I run the manual audit procedures described in the benchmark, they pass:
`modprobe -n -v cramfs | grep -E '(cramfs|install)'`
returns
`install /bin/true`
and
`lsmod | grep cramfs`
returns no output.
My first question is: since a manual audit shows this passes, why does InsightVM show that it fails?
Additionally, I’m not sure I’m interpreting InsightVM’s output correctly:
```
This is a complex check. Operator = AND
oval-org.cisecurity.benchmarks.centos_centos_7-def-1026588: FAIL
Based on the following 1 results:
At least one specified ShellCommand entry must match the given criteria. At least one evaluation must pass.
Entry 1 findings: FAIL
command: modprobe -n -v cramfs
line_selection: .+
stdout_line:
oval-org.cisecurity.benchmarks.centos_centos_7-def-1026589: PASS
Based on the following 1 results:
At least one specified ShellCommand entry must match the given criteria. No evaluation may pass.
Entry 1 findings: FAIL
command: modprobe -n -v cramfs
line_selection: .+
stdout_line:
```
It looks like the automated checks are both running the same command and both selecting the same lines (any results with 1 or more characters), but both are expected to be empty, yet one passes in that case and the other fails. It looks like these can't both be true at the same time, and therefore the test will always fail?
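To make the reasoning in the question concrete, here is an added example (not InsightVM's or CIS's code) that models the two ShellCommand definitions exactly as the report shows them: the same command, `line_selection: .+`, a blank `stdout_line`, one definition requiring at least one entry to match and the other requiring none, combined with AND. It assumes a blank `stdout_line` imposes no constraint beyond `line_selection`, and runs the model over two constructed captures of `modprobe -n -v cramfs` stdout: the line the manual audit returns, and an empty capture.

```python
import re
from typing import Dict, List

# Simplified model of the report's ShellCommand logic (assumption, not the
# scanner's real evaluator): an entry matches when at least one stdout line
# selected by line_selection also satisfies stdout_line.

def entry_matches(stdout: List[str], line_selection: str, stdout_line: str) -> bool:
    selected = [ln for ln in stdout if re.search(line_selection, ln)]
    if stdout_line == "":            # blank stdout_line: no extra constraint (assumption)
        return bool(selected)
    return any(re.search(stdout_line, ln) for ln in selected)

def definition_result(entry_matched: bool, existence: str) -> str:
    # "at_least_one": "At least one evaluation must pass"
    # "none":         "No evaluation may pass"
    if existence == "at_least_one":
        return "PASS" if entry_matched else "FAIL"
    if existence == "none":
        return "PASS" if not entry_matched else "FAIL"
    raise ValueError(f"unknown existence rule: {existence}")

def complex_check(stdout: List[str]) -> Dict[str, str]:
    """Evaluate both definitions from the report over one captured stdout
    and combine them with Operator = AND."""
    matched = entry_matches(stdout, ".+", "")
    d1 = definition_result(matched, "at_least_one")   # def-1026588
    d2 = definition_result(matched, "none")           # def-1026589
    return {
        "entry_findings": "PASS" if matched else "FAIL",
        "def-1026588": d1,
        "def-1026589": d2,
        "overall": "PASS" if (d1 == "PASS" and d2 == "PASS") else "FAIL",
    }

if __name__ == "__main__":
    # Constructed captures of `modprobe -n -v cramfs` stdout.
    for label, capture in [("manual audit output", ["install /bin/true"]),
                           ("empty capture", [])]:
        print(label, complex_check(capture))
```

In this model the FAIL/PASS pair the report shows only appears when the captured stdout is empty, and the overall result is FAIL for any stdout at all, which is worth comparing against what the scan credential's shell actually returns for that command.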