
Product Name

CIS-CAT Pro Assessor v4

Product Version

All

Date



Problem

I have a script that runs CIS CAT Pro from the Linux command line. When I run the script, the CIS CAT assessment runs fine.

However, if I run the same script using a cron job as the same user, some of the checks get reported as "unknown" and I wind up with a much lower compliance score.

Solution

This is caused by the environment variables that are set by a user's profile. More specifically, those variables are not present when the script runs under cron.

The test below was run on a RHEL 7 system. Note that root is used for both runs only to keep them consistent:

This is the command line used to run CIS-CAT:
[root@ip-10-30-40-156 Assessor-CLI]# cd /CIS/Assessor-CLI ; ./Assessor-CLI.sh -b benchmarks/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v2.2.0-xccdf.xml -html --info

Next, I set up a cron job and added `. $HOME/.bash_profile` so that the cron job loads the same profile as the interactive shell:
[root@ip-10-30-40-156 Assessor-CLI]# crontab -l
25 * * * * cd /CIS/Assessor-CLI ; . $HOME/.bash_profile ; ./Assessor-CLI.sh -b benchmarks/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v2.2.0-xccdf.xml -html --info

Finally, I compared the Total score for both runs. As you can see, they are the same:
[root@ip-10-30-40-156 Assessor-CLI]# grep Total: logs/assessor-cli.*
26/03/2020 19:23:07.550 INFO org.cisecurity.assessor.impl.status.ConsoleStatusWriter -                 Total: 58.23%
26/03/2020 19:25:28.377 INFO org.cisecurity.assessor.impl.status.ConsoleStatusWriter -                 Total: 58.23%
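
To see which variables the profile supplies that cron does not, the two environments can be dumped and compared. The script below is an added example, not part of CIS-CAT or of the original article; the function names `env_diff` and `demo`, the `/tmp` paths in the comments, and the sample dumps are assumptions constructed for illustration.

```shell
#!/bin/sh
# Capture the two dumps on a real host with, for example:
#   env | sort > /tmp/login.env               (from the interactive login shell)
#   * * * * * env | sort > /tmp/cron.env      (temporary crontab entry)
# The /tmp paths are assumptions. Multi-line values are not handled.

# env_diff LOGIN_FILE CRON_FILE
# Prints "MISSING NAME" for variables the login shell has but cron lacks,
# and "DIFFERS NAME" for variables whose value is different under cron.
env_diff() {
    awk -F= '
        index($0, "=") == 0 { next }                  # skip lines that are not NAME=value
        FILENAME == ARGV[1] {                         # first file: the cron dump
            cron[$1] = substr($0, length($1) + 2); next
        }
        !($1 in cron) { print "MISSING", $1; next }   # second file: the login dump
        cron[$1] != substr($0, length($1) + 2) { print "DIFFERS", $1 }
    ' "$2" "$1" | sort
}

# demo: runs env_diff on constructed sample dumps (not output from a real system).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/login.env" <<'EOF'
HOME=/root
LANG=en_US.UTF-8
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
SHELL=/bin/bash
EOF
    cat > "$tmp/cron.env" <<'EOF'
HOME=/root
PATH=/usr/bin:/bin
SHELL=/bin/sh
EOF
    env_diff "$tmp/login.env" "$tmp/cron.env"
    rm -rf "$tmp"
}

demo
```

Any variable reported as MISSING or DIFFERS is a candidate for the cause of the "unknown" results, and shows what sourcing the profile in the cron job restores.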

Keywords: cron, cronjob


Copyright © 2020

Center for Internet Security®
