Why do I receive a different score when running Assessor through a cron job?


Product Name: CIS-CAT Pro Assessor v4

Product Version: All

Date: Dec 22, 2021



 

Problem

I have a script that runs CIS CAT Pro from the Linux command line. When I run the script, the CIS CAT assessment runs fine.

However, if I run the same script using a cron job as the same user, some of the checks get reported as "unknown" and I wind up with a much lower compliance score.

 

Solution

This is caused by the environment variables that are part of a user's profile. More specifically, they are not present when the script is run by cron.

The following test was run on a RHEL 7 system. Root is used for both runs only to keep them consistent.

This is the command line used to run CIS-CAT:

```
[root@ip-10-30-40-156 Assessor-CLI]# cd /CIS/Assessor-CLI ; ./Assessor-CLI.sh -b benchmarks/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v2.2.0-xccdf.xml -html --info
```

Set up a cron job and add `. $HOME/.bash_profile` to it so that the cron job runs with the same profile:

```
[root@ip-10-30-40-156 Assessor-CLI]# crontab -l
25 * * * * cd /CIS/Assessor-CLI ; . $HOME/.bash_profile ; ./Assessor-CLI.sh -b benchmarks/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v2.2.0-xccdf.xml -html --info
```

Finally, compare the Total score for both runs. As you can see, they are the same:

```
[root@ip-10-30-40-156 Assessor-CLI]# grep Total: logs/assessor-cli.*
26/03/2020 19:23:07.550 INFO org.cisecurity.assessor.impl.status.ConsoleStatusWriter - Total: 58.23%
26/03/2020 19:25:28.377 INFO org.cisecurity.assessor.impl.status.ConsoleStatusWriter - Total: 58.23%
```
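To see what the profile contributes before editing the crontab, the two environments can be compared directly. The script below is an added example, not part of the original article or of CIS-CAT; the function names, file names and the two environment dumps are constructed for illustration, and real dumps would be captured with `env | sort > FILE` once in a login shell and once from a temporary cron entry.

```shell
#!/bin/sh
# Added example: list what a cron environment lacks compared with a login shell.
# Capture real dumps with `env | sort > FILE` in each context; the two files
# built below are constructed samples, not output from the page's system.

# Names of variables set in the login dump ($1) but absent from the cron dump ($2).
missing_vars() {
    awk -F= 'NR == FNR { cron[$1] = 1; next } !($1 in cron) { print $1 }' "$2" "$1"
}

# PATH directories present in the login dump ($1) but not in the cron dump ($2).
missing_path_dirs() {
    login_path=$(sed -n 's/^PATH=//p' "$1")
    cron_path=$(sed -n 's/^PATH=//p' "$2")
    old_ifs=$IFS
    IFS=:
    for dir in $login_path; do
        case ":$cron_path:" in
            *":$dir:"*) ;;                  # cron can already resolve this directory
            *) printf '%s\n' "$dir" ;;
        esac
    done
    IFS=$old_ifs
}

SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/env.login" <<'EOF'
HOME=/root
JAVA_HOME=/usr/lib/jvm/jre
LANG=en_US.UTF-8
LOGNAME=root
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
SHELL=/bin/bash
EOF
cat > "$SAMPLE_DIR/env.cron" <<'EOF'
HOME=/root
LOGNAME=root
PATH=/usr/bin:/bin
SHELL=/bin/sh
EOF

echo "Variables missing under cron:"
missing_vars "$SAMPLE_DIR/env.login" "$SAMPLE_DIR/env.cron"
echo "PATH directories missing under cron:"
missing_path_dirs "$SAMPLE_DIR/env.login" "$SAMPLE_DIR/env.cron"
```

Any variable or directory this reports is something the assessment had available interactively but not under cron, which is the gap that sourcing `$HOME/.bash_profile` in the cron job closes.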

Keywords: cron, cronjob


Copyright © 2020

Center for Internet Security®