Describe.one runs all instead of just one #136

Open
spencer-cdw opened this issue Nov 3, 2022 · 1 comment

Comments

@spencer-cdw
Contributor

    This is a valid fix, but it took about an hour diving into this because I noticed some unexpected behavior with this control that I don't know if it's a regression or not.

The symbol syntax should behave the same as the string syntax, as long as the file actually exists, i.e. when running against a Docker ubuntu:{focal, jammy} based container, none of the grub_conf.locations exist, so I would expect the control to fail because of the describe.one block

describe.one do
  grub_conf.locations.each do |f|
    describe file(f) do
      it { should exist }
      it { should_not be_readable.by 'group' }
      it { should_not be_writable.by 'group' }
      it { should_not be_executable.by 'group' }
      it { should_not be_readable.by 'other' }
      it { should_not be_writable.by 'other' }
      it { should_not be_executable.by 'other' }
      its(:gid) { should cmp 0 }
      its(:uid) { should cmp 0 }
    end
  end
end

but what I'm seeing when testing locally is that all of the files are being tested rather than just one of the files (both in container and VM), which I don't think is the desired behavior

%w(/boot/grub/grub.conf /boot/grub/grub.cfg /boot/grub/menu.lst /boot/boot/grub/grub.conf /boot/boot/grub/grub.cfg /boot/boot/grub/menu.lst /boot/grub2/grub.cfg)


@spencer-cdw can you provide some more detail about your testing environment (OS version, path of actual grub conf file, etc) as well as CLI output?

$ cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.1 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.1 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.co

$ cinc-auditor version
5.18.14 

$ cinc-auditor exec https://github.com/dev-sec/cis-dil-benchmark --controls=cis-dil-benchmark-1.4.1

[2022-11-03T01:47:03+00:00] WARN: URL target https://github.com/dev-sec/cis-dil-benchmark transformed to https://github.com/dev-sec/cis-dil-benchmark/archive/master.tar.gz. Consider using the git fetcher
[2022-11-03T01:47:05+00:00] WARN: Cannot find a UUID for your node.

Profile:   CIS Distribution Independent Linux Benchmark Profile (cis-dil-benchmark)
Version:   0.4.13
Target:    local://
Target ID: 

  ×  cis-dil-benchmark-1.4.1: Ensure permissions on bootloader config are configured (21 failed)
     ×  File /boot/grub/grub.conf is expected to exist
     expected File /boot/grub/grub.conf to exist
     ✔  File /boot/grub/grub.conf is expected not to be readable by group
     ✔  File /boot/grub/grub.conf is expected not to be writable by group
     ✔  File /boot/grub/grub.conf is expected not to be executable by group
     ✔  File /boot/grub/grub.conf is expected not to be readable by other
     ✔  File /boot/grub/grub.conf is expected not to be writable by other
     ✔  File /boot/grub/grub.conf is expected not to be executable by other
     ×  File /boot/grub/grub.conf gid is expected to cmp == 0
     
     expected: 0
          got: 
     
     (compared using `cmp` matcher)

     ×  File /boot/grub/grub.conf uid is expected to cmp == 0
     
     expected: 0
          got: 
     
     (compared using `cmp` matcher)

     ×  File /boot/grub/grub.cfg is expected to exist
     expected File /boot/grub/grub.cfg to exist
     ✔  File /boot/grub/grub.cfg is expected not to be readable by group
     ✔  File /boot/grub/grub.cfg is expected not to be writable by group
     ✔  File /boot/grub/grub.cfg is expected not to be executable by group
     ✔  File /boot/grub/grub.cfg is expected not to be readable by other
     ✔  File /boot/grub/grub.cfg is expected not to be writable by other
     ✔  File /boot/grub/grub.cfg is expected not to be executable by other
     ×  File /boot/grub/grub.cfg gid is expected to cmp == 0
     
     expected: 0
          got: 
     
     (compared using `cmp` matcher)

     ×  File /boot/grub/grub.cfg uid is expected to cmp == 0
     
     expected: 0
          got: 
     
     (compared using `cmp` matcher)

     ×  File /boot/grub/menu.lst is expected to exist
     expected File /boot/grub/menu.lst to exist
     ✔  File /boot/grub/menu.lst is expected not to be readable by group
     ✔  File /boot/grub/menu.lst is expected not to be writable by group
     ✔  File /boot/grub/menu.lst is expected not to be executable by group
     ✔  File /boot/grub/menu.lst is expected not to be readable by other
     ✔  File /boot/grub/menu.lst is expected not to be writable by other
     ✔  File /boot/grub/menu.lst is expected not to be executable by other
     ×  File /boot/grub/menu.lst gid is expected to cmp == 0
     
     expected: 0
          got: 
     
     (compared using `cmp` matcher)

     ×  File /boot/grub/menu.lst uid is expected to cmp == 0
     
     expected: 0
          got: 
     
     (compared using `cmp` matcher)

     ×  File /boot/boot/grub/grub.conf is expected to exist
     expected File /boot/boot/grub/grub.conf to exist
     ✔  File /boot/boot/grub/grub.conf is expected not to be readable by group
     ✔  File /boot/boot/grub/grub.conf is expected not to be writable by group
     ✔  File /boot/boot/grub/grub.conf is expected not to be executable by group
     ✔  File /boot/boot/grub/grub.conf is expected not to be readable by other
     ✔  File /boot/boot/grub/grub.conf is expected not to be writable by other
     ✔  File /boot/boot/grub/grub.conf is expected not to be executable by other
     ×  File /boot/boot/grub/grub.conf gid is expected to cmp == 0
     
     expected: 0
          got: 
     
     (compared using `cmp` matcher)

     ×  File /boot/boot/grub/grub.conf uid is expected to cmp == 0
     
     expected: 0
          got: 
     
     (compared using `cmp` matcher)

     ×  File /boot/boot/grub/grub.cfg is expected to exist
     expected File /boot/boot/grub/grub.cfg to exist
     ✔  File /boot/boot/grub/grub.cfg is expected not to be readable by group
     ✔  File /boot/boot/grub/grub.cfg is expected not to be writable by group
     ✔  File /boot/boot/grub/grub.cfg is expected not to be executable by group
     ✔  File /boot/boot/grub/grub.cfg is expected not to be readable by other
     ✔  File /boot/boot/grub/grub.cfg is expected not to be writable by other
     ✔  File /boot/boot/grub/grub.cfg is expected not to be executable by other
     ×  File /boot/boot/grub/grub.cfg gid is expected to cmp == 0
     
     expected: 0
          got: 
     
     (compared using `cmp` matcher)

     ×  File /boot/boot/grub/grub.cfg uid is expected to cmp == 0
     
     expected: 0
          got: 
     
     (compared using `cmp` matcher)

     ×  File /boot/boot/grub/menu.lst is expected to exist
     expected File /boot/boot/grub/menu.lst to exist
     ✔  File /boot/boot/grub/menu.lst is expected not to be readable by group
     ✔  File /boot/boot/grub/menu.lst is expected not to be writable by group
     ✔  File /boot/boot/grub/menu.lst is expected not to be executable by group
     ✔  File /boot/boot/grub/menu.lst is expected not to be readable by other
     ✔  File /boot/boot/grub/menu.lst is expected not to be writable by other
     ✔  File /boot/boot/grub/menu.lst is expected not to be executable by other
     ×  File /boot/boot/grub/menu.lst gid is expected to cmp == 0
     
     expected: 0
          got: 
     
     (compared using `cmp` matcher)

     ×  File /boot/boot/grub/menu.lst uid is expected to cmp == 0
     
     expected: 0
          got: 
     
     (compared using `cmp` matcher)

     ×  File /boot/grub2/grub.cfg is expected to exist
     expected File /boot/grub2/grub.cfg to exist
     ✔  File /boot/grub2/grub.cfg is expected not to be readable by group
     ✔  File /boot/grub2/grub.cfg is expected not to be writable by group
     ✔  File /boot/grub2/grub.cfg is expected not to be executable by group
     ✔  File /boot/grub2/grub.cfg is expected not to be readable by other
     ✔  File /boot/grub2/grub.cfg is expected not to be writable by other
     ✔  File /boot/grub2/grub.cfg is expected not to be executable by other
     ×  File /boot/grub2/grub.cfg gid is expected to cmp == 0
     
     expected: 0
          got: 
     
     (compared using `cmp` matcher)

     ×  File /boot/grub2/grub.cfg uid is expected to cmp == 0
     
     expected: 0
          got: 
     
     (compared using `cmp` matcher)



Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
Test Summary: 42 successful, 21 failures, 0 skipped


Originally posted by @deric4 in #134 (comment)

@spencer-cdw
Contributor Author

Here is another example cis-dil-benchmark-1.3.2

control 'cis-dil-benchmark-1.3.2' do
  title 'Ensure filesystem integrity is regularly checked'
  desc "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem.\n\nRationale: Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
  impact 1.0
  tag cis: 'distribution-independent-linux:1.3.2'
  tag level: 1
  describe.one do
    %w(/var/spool/cron/crontabs/root /var/spool/cron/root /etc/crontab).each do |f|
      describe file(f) do
        its('content') { should match(/aide (--check|-C)/) }
      end
    end
    %w(cron.d cron.hourly cron.daily cron.weekly cron.monthly).each do |f|
      command("find /etc/#{f} -type f").stdout.split.each do |entry|
        describe file(entry) do
          its('content') { should match(/aide (--check|-C)/) }
        end
      end
    end
  end
end

Only 1 of the 3 following should match

  describe.one do
    %w(/var/spool/cron/crontabs/root /var/spool/cron/root /etc/crontab).each do |f|

Yet all 3 files are failing

(screenshot attached: Screen Shot 2022-11-03 at 3 33 24 PM)
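The semantics both comments expect from describe.one, written out in plain Ruby as an added example (not code from the cis-dil-benchmark profile or from InSpec/cinc-auditor): every candidate path is checked, and the control passes if at least one candidate satisfies all of its checks, with the per-candidate failures kept for reporting. It covers both controls discussed above, the 1.4.1 bootloader permission checks (exists, no group/other bits, owned by 0:0) and the 1.3.2 crontab content check for `aide --check` / `aide -C`. The helper names (`any_one`, `bootloader_failures`, `aide_cron_failures`, `check_bootloader`, `check_aide_cron`, `build_fixture`), the filesystem `root` parameter, and the temp-tree fixture with its file contents are all assumptions made for the example; the demo passes the current process's uid/gid in place of 0:0 so it can run unprivileged.

```ruby
require 'tmpdir'
require 'fileutils'

# Candidate paths from the two controls discussed in this issue.
GRUB_LOCATIONS = %w(/boot/grub/grub.conf /boot/grub/grub.cfg /boot/grub/menu.lst
                    /boot/boot/grub/grub.conf /boot/boot/grub/grub.cfg
                    /boot/boot/grub/menu.lst /boot/grub2/grub.cfg).freeze
CRON_LOCATIONS = %w(/var/spool/cron/crontabs/root /var/spool/cron/root /etc/crontab).freeze
AIDE_CHECK = /aide (--check|-C)/

# "One of these must pass": run the checks on every candidate and pass overall
# if at least one candidate has no failures. Per-candidate failures are kept so
# a failing control can still report why each candidate was rejected.
def any_one(candidates)
  results = candidates.to_h { |c| [c, yield(c)] }
  { passed: results.values.any?(&:empty?), results: results }
end

# cis-dil-benchmark-1.4.1 checks for one bootloader config path: must exist,
# carry no group/other rwx bits, and be owned by expected_uid:expected_gid
# (0:0 on a real host; the demo below passes the caller's own ids so it runs
# unprivileged).
def bootloader_failures(path, expected_uid: 0, expected_gid: 0)
  return ['does not exist'] unless File.exist?(path)

  st = File.stat(path)
  failures = []
  failures << format('group/other bits set (mode %04o)', st.mode & 0o7777) unless (st.mode & 0o077).zero?
  failures << "uid #{st.uid}, expected #{expected_uid}" unless st.uid == expected_uid
  failures << "gid #{st.gid}, expected #{expected_gid}" unless st.gid == expected_gid
  failures
end

# cis-dil-benchmark-1.3.2 checks for one crontab candidate: must exist and
# schedule `aide --check` or `aide -C`.
def aide_cron_failures(path)
  return ['does not exist'] unless File.file?(path)

  File.read(path).match?(AIDE_CHECK) ? [] : ['no aide --check entry']
end

# Evaluate each control under a filesystem root ("/" on a real host; the demo
# uses a temp tree so the candidate paths themselves stay unchanged).
def check_bootloader(root, **owner)
  any_one(GRUB_LOCATIONS.map { |p| File.join(root, p) }) { |p| bootloader_failures(p, **owner) }
end

def check_aide_cron(root)
  any_one(CRON_LOCATIONS.map { |p| File.join(root, p) }) { |p| aide_cron_failures(p) }
end

# Constructed fixture, not copied from any real host: a single grub.cfg with
# mode 0600 and a single /etc/crontab that runs aide, so exactly one candidate
# per control can pass.
def build_fixture
  root = Dir.mktmpdir('cis-demo')
  grub = File.join(root, 'boot/grub2/grub.cfg')
  FileUtils.mkdir_p(File.dirname(grub))
  File.write(grub, "set default=0\n")
  File.chmod(0o600, grub)
  cron = File.join(root, 'etc/crontab')
  FileUtils.mkdir_p(File.dirname(cron))
  File.write(cron, "0 5 * * * root /usr/bin/aide --check\n")
  root
end

if __FILE__ == $PROGRAM_NAME
  root = build_fixture
  owner = { expected_uid: Process.uid, expected_gid: Process.gid }
  { 'bootloader permissions' => check_bootloader(root, **owner),
    'aide cron entry' => check_aide_cron(root) }.each do |name, r|
    puts "#{name}: #{r[:passed] ? 'PASS' : 'FAIL'}"
    r[:results].each { |path, f| puts "  #{f.empty? ? 'ok  ' : 'fail'} #{path} #{f.join('; ')}" }
  end
end
```

On a real host you would call `check_bootloader('/')` with the default 0:0 owner; in the fixture only `/boot/grub2/grub.cfg` and `/etc/crontab` exist, so each control passes on exactly one candidate while the six or two missing candidates are reported as "does not exist". Loosening the one existing grub.cfg to 0644 flips the bootloader control to a failure, which is the "no candidate satisfies everything" case the reporter expects to see on a container with no bootloader config at all.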
