ansible-lockdown/UBUNTU22-CIS

Unexpected Deletion of Tanium Configuration Files during CIS Benchmark Application

vivekbangare opened this issue · 2 comments

Describe the Issue
When applying the CIS benchmark to my system, I've encountered an unexpected behavior that results in the removal of Tanium configuration files. This issue occurs specifically between principles 4.1.4.6 to 4.1.4.8.

Steps to Reproduce

  • Apply Tanium configuration (either manually or through a specific method).
  • Apply CIS benchmark principles, specifically focusing on 4.1.4.6 to 4.1.4.8.

Expected Behavior
The Tanium configuration files should not be deleted or modified during the application of CIS benchmarks. I expect the Tanium configuration to persist after applying the benchmarks.

Actual Behavior
The Tanium configuration files, located in /opt/Tanium/TaniumClient/, are being removed or modified during the application of CIS benchmarks. This behavior is observed consistently when applying principles 4.1.4.6 to 4.1.4.8.

Control(s) Affected
What controls are being affected by the issue

Environment (please complete the following information):

  • branch being used: devel
  • Ansible Version: core 2.14.6
  • Host Python Version: 3.9.18
  • Ansible Server Python Version: 3.9.18
  • Tanium Version: 7.4.10.1060
  • Operating System: ubuntu 22.04

Additional Notes
I have attempted to apply the Tanium configuration both before and after applying CIS benchmarks, and the issue persists in both scenarios.

hi @vivekbangare

Thank you for taking the time to raise this issue. We will require some more information to understand this issue completely.

Have you tried to run the benchmark with the tag to work out which control is making these changes?
The control_IDs you mention shouldn't be anywhere near Tanium; they are related to auditd files in some way?
I'm afraid I have no knowledge around the product, so this really will be a matter of testing, as with all baselines, to see what breaks and how to mitigate the risk or to document the exception.
Happy to add/change if this issue can be better defined and a fix created.

many thanks

uk-bolly
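
The reply above suggests running one control at a time to find which one changes the files. The following is an added example, not part of the thread or of the ansible-lockdown project: it snapshots the watched directory (mode, owner, SHA-256) before and after each tag and reports the first tag that alters it. The playbook name `site.yml`, the inventory `hosts`, the `RUN_CONTROL` override and the `rule_<id>` tag names are assumptions; check the role's task files for the real tags.

```shell
#!/bin/sh
# Added example: find which single control changes a watched directory.
# Run on the managed host itself (local connection), as root.

# snapshot DIR: one "mode owner:group sha256 path" line per file, sorted.
snapshot() {
    [ -d "$1" ] || return 0   # a removed directory gives an empty snapshot
    find "$1" -type f -exec sh -c '
        for f; do
            printf "%s %s %s\n" "$(stat -c "%a %U:%G" "$f")" \
                "$(sha256sum < "$f" | cut -d" " -f1)" "$f"
        done' sh {} + | sort
}

# changed_paths BEFORE AFTER: paths added, removed or altered between snapshots.
changed_paths() {
    a=$(mktemp); b=$(mktemp)
    printf '%s\n' "$1" > "$a"; printf '%s\n' "$2" > "$b"
    diff "$a" "$b" | sed -n 's/^[<>] [^ ]* [^ ]* [^ ]* //p' | sort -u
    rm -f "$a" "$b"
}

# bisect_controls DIR TAG...: apply each tag alone; print the first tag that
# changes DIR, followed by the affected paths. Returns 1 if none did.
# RUN_CONTROL overrides the command; the default playbook and inventory
# names (site.yml, hosts) are assumptions.
bisect_controls() {
    watch=$1; shift
    for tag in "$@"; do
        before=$(snapshot "$watch")
        ${RUN_CONTROL:-ansible-playbook -i hosts site.yml --tags} "$tag" >/dev/null || true
        after=$(snapshot "$watch")
        hits=$(changed_paths "$before" "$after")
        if [ -n "$hits" ]; then
            printf '%s\n%s\n' "$tag" "$hits"
            return 0
        fi
    done
    return 1
}

# Example call (tag names assumed to follow a rule_<id> pattern):
# bisect_controls /opt/Tanium/TaniumClient rule_4.1.4.6 rule_4.1.4.7 rule_4.1.4.8
```

Because the snapshot records mode and ownership as well as content, a control that only tightens permissions on the directory's files is reported too.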

hi @vivekbangare

This issue has been open for some time, are you happy to close?

Many thanks

uk-bolly