RootDistanceMax instead of RootDistanceMaxSec #92
Comments
@yvespp is correct. Reviewing the CIS Distribution Independent Linux Benchmark v2.0.0, I can see how this was defined incorrectly: The Remediation Procedure for 2.2.1.4 - Ensure systemd-timesyncd is configured has the same INCORRECT ❌ config key:
Further investigation shows that the CIS Ubuntu Linux 18.04 LTS Benchmark v2.0.1
@micheelengronne the V2 controls were written to match the audits/remediations defined in the benchmark as exactly as possible, but this is obviously an error. Is there a preference on how to handle these types of discrepancies? @yvespp would you mind sharing your process in discovering this bug? Curious if this was caught in some automated way which could have caught this earlier in the development cycle.
@deric4 It was more by chance. I checked the timesyncd docs because I wanted to know more about the value and then copied it from the docs to our vm template. After that the test was still failing and then I filed this bug.
@deric4 I don't know if the CIS Center has any kind of procedure to resolve that. On the Devsec side, I would go for passing the problematic key as a parameter that would take That way, users who really need (for insurance reasons for instance) to be compliant with CIS Distribution Independent Linux Benchmark v2.0.0 would leave the parameter as it is and other users would be able to modify it.
I just double-checked the latest version DIL 2.0.0 pdf (it seems like this was altered but the version was not increased 🤷 ) It states the correct
Describe the bug
According to https://www.freedesktop.org/software/systemd/man/timesyncd.conf.html
RootDistanceMax
should be called RootDistanceMaxSec
cis-dil-benchmark/controls/2_2_special_purpose_services.rb
Line 136 in 907e58f
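The parameterized check suggested in the thread, written as an added Ruby example (not the project's control code): it shows why a host configured with the documented key fails a check that looks for `RootDistanceMax`. The helper names, the `key:` parameter and the sample config are constructed for illustration.

```ruby
# Added example; helper names are hypothetical, not part of cis-dil-benchmark.

# Constructed sample of a timesyncd.conf that uses the key name documented in
# timesyncd.conf(5). The values are placeholders, not benchmark requirements.
SAMPLE_CONF = <<~CONF
  # constructed sample
  [Time]
  NTP=ntp.example.org
  #RootDistanceMax=1
  RootDistanceMaxSec=1
CONF

# Parse an INI-style systemd config into { "Section" => { "Key" => "value" } }.
# Blank lines and comment lines (# or ;) are ignored; a later assignment of
# the same key overwrites an earlier one.
def parse_systemd_conf(text)
  section = nil
  text.each_line.with_object(Hash.new { |h, k| h[k] = {} }) do |raw, conf|
    line = raw.strip
    next if line.empty? || line.start_with?('#', ';')

    if (m = line.match(/\A\[(.+)\]\z/))
      section = m[1]
    elsif section && (m = line.match(/\A([^=\s]+)\s*=\s*(.*)\z/))
      conf[section][m[1]] = m[2]
    end
  end
end

# True when `key` has a non-empty value in the [Time] section.
# The key name is passed in by the caller, so a profile can check either the
# spelling in the benchmark text or the one in the systemd documentation.
def root_distance_configured?(text, key:)
  value = parse_systemd_conf(text).fetch('Time', {})[key]
  !value.nil? && !value.empty?
end

puts root_distance_configured?(SAMPLE_CONF, key: 'RootDistanceMaxSec')
puts root_distance_configured?(SAMPLE_CONF, key: 'RootDistanceMax')
```

The commented-out `RootDistanceMax` line in the sample is skipped by the parser, so a leftover comment cannot satisfy the check.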