I’m using the built-in policy for CIS CentOS Linux 7 Level Two - Server v3.0.0 to scan a single host. The very first policy rule (“126.96.36.199. Ensure mounting of cramfs filesystems is disabled”) indicates that the test failed.
However, when I run the manual audit procedures described in the benchmark, they pass:
modprobe -n -v cramfs | grep -E '(cramfs|install)'
lsmod | grep cramfs
returns no output.
My first question is: since a manual audit shows this passes, why does InsightVM show that it fails?
Additionally, I’m not sure I’m interpreting InsightVM’s output correctly:
This is a complex check. Operator = AND

oval-org.cisecurity.benchmarks.centos_centos_7-def-1026588: FAIL
Based on the following 1 results:
At least one specified ShellCommand entry must match the given criteria. At least one evaluation must pass.
Entry 1 findings: FAIL
command: modprobe -n -v cramfs
line_selection: .+
stdout_line:

oval-org.cisecurity.benchmarks.centos_centos_7-def-1026589: PASS
Based on the following 1 results:
At least one specified ShellCommand entry must match the given criteria. No evaluation may pass.
Entry 1 findings: FAIL
command: modprobe -n -v cramfs
line_selection: .+
stdout_line:
It looks like the automated checks are both running the same command and both selecting the same lines (any results with 1 or more characters), but both are expected to be empty, yet one passes in that case and the other fails. It looks like these can’t both be true at the same time, and therefore the test will always fail?