2021-07-28 14:05:38
Nikolay Vinogradov
description
I'm filing this just to document one more issue related to CIS and RabbitMQ Nagios monitoring integration.
On a CIS-hardened Ubuntu system that is hardened according to the lvl2 server profile ruleset, /usr/local/bin/collect_rabbitmq_stats.sh doesn't work as expected because the NRPE plugin can't access /etc/cron.d.
The root cause is that on the hardened system, 'others' don't have any permissions for /etc/cron.d:
129893609 drwx------ 2 root root 4.0K Jul 26 11:36 cron.d
while normally they do:
230293588 drwxr-xr-x 2 root root 4.0K Jun 16 10:36 cron.d
These permissions are removed by this CIS rule:
#5.1.7 Ensure permissions on /etc/cron.d are configured (Automated)
rule-5.1.7()
{
    print_rule_banner "Ensure permissions on /etc/cron.d are configured"
    ensure_cron_file_perm /etc/cron.d
}

# Make the cron file or directory root-owned and strip every group and
# other permission, which leaves /etc/cron.d as drwx------ (0700).
ensure_cron_file_perm()
{
    local file="$1"          # was "$@", which joins several paths into one string
    chown root:root "$file"
    chmod og-rwx "$file"
}
The workaround is of course to restore o+rx on /etc/cron.d, and I can't propose a better fix for that atm.
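The following is an added example, not code from the bug report or from the CIS hardening script it quotes. It checks whether a given account can search (r+x) a directory such as /etc/cron.d by applying the same owner/group/other rules the kernel uses, so the conflict between rule 5.1.7 (which leaves the directory at 0700) and the monitoring check can be detected before the NRPE plugin silently breaks. The account name "nagios" and the script file name are assumptions; it also assumes GNU coreutils `stat` and `id`.

```shell
#!/bin/sh
# Added example, not part of the bug report: decide whether USER can search
# DIR (needs read + execute on the directory), using owner/group/other
# semantics. Assumes GNU stat/id; the "nagios" account name is an assumption.

# has_rx DIGIT: succeed if the octal permission digit grants read (4) and
# execute/search (1), i.e. the digit is 5 or 7.
has_rx() {
    case "$1" in
        5|7) return 0 ;;
        *)   return 1 ;;
    esac
}

# access_class DIR_UID DIR_GID MODE UID "GID LIST"
# Prints the class that grants r+x (root, owner, group, other) or "none".
# Returns 0 when access is granted, 1 otherwise. Pure function, so it can
# be exercised with constructed values.
access_class() {
    duid=$1; dgid=$2; mode=$3; uid=$4; gids=$5
    # root bypasses the DAC permission bits for directory search
    [ "$uid" -eq 0 ] && { echo root; return 0; }
    # normalise to three octal digits (stat prints "700", "755" or "1777")
    mode=$(printf '%03d' "$mode")
    mode=${mode#"${mode%???}"}
    own=${mode%??}
    grp=${mode#?}; grp=${grp%?}
    oth=${mode#??}
    # owner bits apply exclusively when the uid matches
    if [ "$uid" -eq "$duid" ]; then
        has_rx "$own" && { echo owner; return 0; }
        echo none; return 1
    fi
    # group bits apply exclusively when any of the user's groups matches
    for g in $gids; do
        if [ "$g" -eq "$dgid" ]; then
            has_rx "$grp" && { echo group; return 0; }
            echo none; return 1
        fi
    done
    # everyone else falls through to the "other" bits
    has_rx "$oth" && { echo other; return 0; }
    echo none; return 1
}

# can_traverse DIR USER: read the live ownership and mode of DIR and the
# uid/groups of USER, then apply access_class.
can_traverse() {
    dir=$1; user=$2
    info=$(stat -c '%u %g %a' "$dir") || return 2
    set -- $info
    access_class "$1" "$2" "$3" "$(id -u "$user")" "$(id -G "$user")"
}

# Usage: sh check_cron_access.sh /etc/cron.d nagios
# On the hardened host (drwx------ root:root) this prints "none" and exits 1;
# on a stock host (drwxr-xr-x) it prints "other".
if [ $# -ge 2 ]; then
    can_traverse "$1" "$2"
fi
```

Because the group bits are applied exclusively, the script also shows the root cause of the original report: with 0700 on a root-owned directory, no non-root account reaches the "other" bits that the cron.d collector relies on, regardless of group membership.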