cis-dil-benchmark-4.2.2.1 not looking for custom configurations in /journald.conf.d/

[jshburkett]

Describe the bug

cis-dil-benchmark-4.2.2.1 seems to simply be checking etc/systemd/journald.conf with

parse_config_file('/etc/systemd/journald.conf') do
its('Journal') { should include({ 'ForwardToSyslog' => 'yes' }) }

It’s saying we fail this test. However, as per recommendations I see online, we have a separate .conf file in /etc/systemd/journald.conf.d/ that contains:

[Journal]
ForwardToSyslog=true

So as far as I can tell, we do, in fact, have a proper setup, but the inspec report doesn’t see it. Every entry in the journald.conf file is commented out, but that seems to be standard practice. Uncommenting the line #ForwardToSyslog=yes and re-running an inspec run fixes the issue.

Expected behavior

The benchmark should scan /etc/systemd/journald.conf.d/ for custom configuration files since these override what's in /etc/systemd/journald.conf. It should read that configuration file and recognize that it satisfies the requirement.

Actual behavior

results [ |  
-- | --
0 {code_descParse Config File /etc/systemd/journald.conf Journal is expected to include {"ForwardToSyslog" => "yes"}messageexpected {} to include {"ForwardToSyslog" => "yes"} Diff: @@ -1,2 +1 @@ -"ForwardToSyslog" => "yes", resource_classparse_config_fileresource_params["/etc/systemd/journald.conf"]run_time0.000724913start_time2022-09-14T03:59:12+00:00statusfailed} | 0 {code_descParse Config File /etc/systemd/journald.conf Journal is expected to include {"ForwardToSyslog" => "yes"}messageexpected {} to include {"ForwardToSyslog" => "yes"} Diff: @@ -1,2 +1 @@ -"ForwardToSyslog" => "yes", resource_classparse_config_fileresource_params["/etc/systemd/journald.conf"]run_time0.000724913start_time2022-09-14T03:59:12+00:00statusfailed} | 0 { |   | code_descParse Config File /etc/systemd/journald.conf Journal is expected to include {"ForwardToSyslog" => "yes"}messageexpected {} to include {"ForwardToSyslog" => "yes"} Diff: @@ -1,2 +1 @@ -"ForwardToSyslog" => "yes", resource_classparse_config_fileresource_params["/etc/systemd/journald.conf"]run_time0.000724913start_time2022-09-14T03:59:12+00:00statusfailed | code_desc | Parse Config File /etc/systemd/journald.conf Journal is expected to include {"ForwardToSyslog" => "yes"} | message | expected {} to include {"ForwardToSyslog" => "yes"} Diff: @@ -1,2 +1 @@ -"ForwardToSyslog" => "yes", | resource_class | parse_config_file | resource_params | ["/etc/systemd/journald.conf"] | run_time | 0.000724913 | start_time | 2022-09-14T03:59:12+00:00 | status | failed | }
0 {code_descParse Config File /etc/systemd/journald.conf Journal is expected to include {"ForwardToSyslog" => "yes"}messageexpected {} to include {"ForwardToSyslog" => "yes"} Diff: @@ -1,2 +1 @@ -"ForwardToSyslog" => "yes", resource_classparse_config_fileresource_params["/etc/systemd/journald.conf"]run_time0.000724913start_time2022-09-14T03:59:12+00:00statusfailed} | 0 { |   | code_descParse Config File /etc/systemd/journald.conf Journal is expected to include {"ForwardToSyslog" => "yes"}messageexpected {} to include {"ForwardToSyslog" => "yes"} Diff: @@ -1,2 +1 @@ -"ForwardToSyslog" => "yes", resource_classparse_config_fileresource_params["/etc/systemd/journald.conf"]run_time0.000724913start_time2022-09-14T03:59:12+00:00statusfailed | code_desc | Parse Config File /etc/systemd/journald.conf Journal is expected to include {"ForwardToSyslog" => "yes"} | message | expected {} to include {"ForwardToSyslog" => "yes"} Diff: @@ -1,2 +1 @@ -"ForwardToSyslog" => "yes", | resource_class | parse_config_file | resource_params | ["/etc/systemd/journald.conf"] | run_time | 0.000724913 | start_time | 2022-09-14T03:59:12+00:00 | status | failed | }
0 { |  
code_descParse Config File /etc/systemd/journald.conf Journal is expected to include {"ForwardToSyslog" => "yes"}messageexpected {} to include {"ForwardToSyslog" => "yes"} Diff: @@ -1,2 +1 @@ -"ForwardToSyslog" => "yes", resource_classparse_config_fileresource_params["/etc/systemd/journald.conf"]run_time0.000724913start_time2022-09-14T03:59:12+00:00statusfailed | code_desc | Parse Config File /etc/systemd/journald.conf Journal is expected to include {"ForwardToSyslog" => "yes"} | message | expected {} to include {"ForwardToSyslog" => "yes"} Diff: @@ -1,2 +1 @@ -"ForwardToSyslog" => "yes", | resource_class | parse_config_file | resource_params | ["/etc/systemd/journald.conf"] | run_time | 0.000724913 | start_time | 2022-09-14T03:59:12+00:00 | status | failed
code_desc | Parse Config File /etc/systemd/journald.conf Journal is expected to include {"ForwardToSyslog" => "yes"}
message | expected {} to include {"ForwardToSyslog" => "yes"} Diff: @@ -1,2 +1 @@ -"ForwardToSyslog" => "yes",
resource_class | parse_config_file
resource_params | ["/etc/systemd/journald.conf"]
run_time | 0.000724913
start_time | 2022-09-14T03:59:12+00:00
status | failed
}
]

Example code

Setup and how to replicate is described above.

OS / Environment

$ uname -rvmpis
Linux 5.4.0-1089-azure #94~18.04.1-Ubuntu SMP Fri Aug 5 12:34:50 UTC 2022 x86_64 x86_64 x86_64

Inspec Version

4.46.13

Baseline Version

https://github.com/dev-sec/cis-dil-benchmark/archive/master.zip

[spencer-cdw]

I suspect the fix will be to do something like what is done with the cron.d directory

cis-dil-benchmark/controls/1_3_filesystem_integrity_checking.rb

Lines 50 to 62 in c845274

	describe.one do
	%w(/var/spool/cron/crontabs/root /var/spool/cron/root /etc/crontab).each do |f|
	describe file(f) do
	its('content') { should match(/aide (--check|-C)/) }
	end
	end
	%w(cron.d cron.hourly cron.daily cron.weekly cron.monthly).each do |f|
	command("find /etc/#{f} -type f").stdout.split.each do |entry|
	describe file(entry) do
	its('content') { should match(/aide (--check|-C)/) }
	end
	end