tcp_wrapper/tcpd is depreciated on Redhat8 and hence cls-dil failed for cis-dil-benchmark-3.4.1

[Bharathkumarraju]

Hi Team,

I am running this inspec profile in my rhel8 and it failed like below... since the tcp_wrapper/tcpd is depreciated on Redhat8

× cis-dil-benchmark-3.4.1: Ensure TCP Wrappers is installed (2 failed)

Any work-aroud for this?

thanks,
https://bharathkumaraju.com

[Bharathkumarraju]

is there anyway i can skip specific check cis-dil-benchmark-3.4.1 in my inspec command ?

[chris-rock]

Thank you @Bharathkumarraju for your report. We should add an only_if condition that checks for tcp wrapper, see https://docs.chef.io/inspec/dsl_inspec/#use-only_if-to-exclude-a-specific-control. Any PR is welcome to improve the situation.

[Bharathkumarraju]

@chris-rock meanwhile i did some workaround for to skip the failed checks 👍 thanks!!!

We run checks with packer and my regex_to_skip variable is this.

regex_to_skip           = "/^(((?!cis-dil-benchmark-1.1.[6789])(?!cis-dil-benchmark-1.1.1[01234])(?!cis-dil-benchmark-1.1.[2345])(?!cis-dil-benchmark-1.4.2)(?!cis-dil-benchmark-6.1.[3579])(?!cis-dil-benchmark-1.[16].1.[38])(?!cis-dil-benchmark-3.6.[2345])(?!cis-dil-benchmark-5.4.1.2)(?!cis-dil-benchmark-4.1.12)(?!cis-dil-benchmark-3.4.1)(?!cis-dil-benchmark-1.1.17)(?!cis-dil-benchmark-4.2.4).))*$/"

  provisioner "inspec" {
    inspec_env_vars = ["CHEF_LICENSE=accept"]
    profile         = "https://github.com/dev-sec/cis-dil-benchmark"
    user            = "${var.aws_ssh_user}"
    extra_arguments = [ "--no-distinct-exit",
      "--sudo",
      "--controls",
      "${var.regex_to_skip}"
    ]
  }