Product Name
CIS-CAT Pro Assessor v4
Product Version
All
Date
Problem
I have a script that runs CIS CAT Pro from the Linux command line. When I run the script, the CIS CAT assessment runs fine.
However, if I run the same script using a cron job as the same user, some of the checks get reported as "unknown" and I wind up with a much lower compliance score.
Solution
This is caused by the environment variables that are set in the user's profile. More specifically, they are not present when the script runs under cron.
The test below was run on a RHEL 7 system. Note that root is used throughout only for consistency.

This is the command line used to run CIS-CAT:

```
[root@ip-10-30-40-156 Assessor-CLI]# cd /CIS/Assessor-CLI ; ./Assessor-CLI.sh -b benchmarks/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v2.2.0-xccdf.xml -html --info
```

Set up a cron job and add `. $HOME/.bash_profile` to it, so that the cron job runs with the same profile:

```
[root@ip-10-30-40-156 Assessor-CLI]# crontab -l
25 * * * * cd /CIS/Assessor-CLI ; . $HOME/.bash_profile ; ./Assessor-CLI.sh -b benchmarks/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v2.2.0-xccdf.xml -html --info
```

Finally, compare the Total score of both runs. As you can see, they are the same:

```
[root@ip-10-30-40-156 Assessor-CLI]# grep Total: logs/assessor-cli.*
26/03/2020 19:23:07.550 INFO org.cisecurity.assessor.impl.status.ConsoleStatusWriter - Total: 58.23%
26/03/2020 19:25:28.377 INFO org.cisecurity.assessor.impl.status.ConsoleStatusWriter - Total: 58.23%
```
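To see which variables a cron run is actually missing, the following added example (not part of the original article or of CIS-CAT) compares two `env` dumps, one taken in the login shell and one captured by a temporary cron entry. The function names, file names and sample values, including `EXAMPLE_TOOL_HOME`, are constructed for illustration.

```shell
#!/bin/sh
# Added example. Capture the two inputs first, for instance:
#   login shell:  env > "$HOME/login.env"
#   crontab line: * * * * * env > "$HOME/cron.env"   (remove it afterwards)

# env_diff LOGIN_FILE CRON_FILE
# Prints "MISSING NAME" for variables only the login shell has and
# "DIFFERS NAME" for variables whose value is different under cron.
env_diff() {
    awk '
        # Keep only lines that start a NAME=value pair; continuation
        # lines of multi-line values are ignored.
        !/^[A-Za-z_][A-Za-z0-9_]*=/ { next }
        {
            name = $0
            sub(/=.*/, "", name)                  # text before the first "="
            value = substr($0, length(name) + 2)  # text after the first "="
        }
        mode == "cron"   { cron[name] = value; next }
        !(name in cron)  { print "MISSING", name; next }
        cron[name] != value { print "DIFFERS", name }
    ' mode=cron "$2" mode=login "$1" | LC_ALL=C sort -k2
}

# Runs env_diff on constructed sample dumps (not taken from a real host).
sample_report() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/login.env" <<'EOF'
HOME=/root
SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
LANG=en_US.UTF-8
EXAMPLE_TOOL_HOME=/opt/example
EOF
    cat > "$dir/cron.env" <<'EOF'
HOME=/root
SHELL=/bin/sh
PATH=/usr/bin:/bin
EOF
    env_diff "$dir/login.env" "$dir/cron.env"
    rm -rf "$dir"
}

sample_report
```

Any variable reported as MISSING or DIFFERS is a candidate cause of the "unknown" results; sourcing the profile in the cron entry, as shown above, restores them.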