ansible-lockdown / RHEL9-CIS

Ansible role for Red Hat 9 CIS Baseline
https://ansible-lockdown.readthedocs.io
MIT License
109 stars 86 forks

Feb24 updates #179

Closed uk-bolly closed 6 months ago

uk-bolly commented 6 months ago

Overall Review of Changes: Several updates and improvements

Issue Fixes:

#115, #125, #134, #146, #175

Enhancements: precommit versions; removed added rp_filter from post

How has this been tested?: Manually and pipeline

ipruteanu-sie commented 6 months ago

Short question about a recent CIS failure on us, for Control 3.3.7/rp-filter:

In this merge, the POST task written by my colleague @bgro (PR #105) is now removed, ending up with a failure for this control (at least on our side). There's a discussion about this also on the RHEL Portal, highlighting the fact that different RPMs may imply different values in the config files. However, there's a similar behavior on the X11Forwarding SSH parameter, for which current devel treats explicitly the /etc/ssh/sshd_config.d/50-redhat.conf file.

My actual question:

Was this POST task doing any harm, or what was the reason it got removed?

PS: Current results, on my side:

$ cat /usr/lib/sysctl.d/50-default.conf | grep rp_filter
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.*.rp_filter = 2
-net.ipv4.conf.all.rp_filter

$ cat /lib/sysctl.d/50-default.conf | grep rp_filter
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.*.rp_filter = 2
-net.ipv4.conf.all.rp_filter

[attached screenshot]
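The failure above comes down to which sysctl drop-in wins for net.ipv4.conf.default.rp_filter. As an added example (not code from the ansible-lockdown/RHEL9-CIS role and not posted by anyone in this thread), the POSIX shell script below emulates the precedence that sysctl --system and systemd-sysctl apply to sysctl.d directories, reports which file decides the two rp_filter keys CIS 3.3.7 checks (expected value 1, strict mode), and shows why a lexically later drop-in in /etc/sysctl.d overrides the vendor's 50-default.conf. The vendor file it writes is a constructed excerpt limited to the three rp_filter lines quoted in the comment; the remediation file name 60-cis-rp_filter.conf is an assumption, not the role's file. It deliberately skips glob keys (net.ipv4.conf.*.rp_filter), treats a "-key" line with no value as assigning nothing, does not read /etc/sysctl.conf, and does not support paths containing spaces.

```shell
#!/bin/sh
# Added example, not code from the ansible-lockdown/RHEL9-CIS role or from the
# thread: emulate the drop-in precedence that sysctl --system / systemd-sysctl
# apply, to see which file decides net.ipv4.conf.{all,default}.rp_filter
# before an audit of CIS 3.3.7 (expects 1, strict) reports a failure.
#
# Rules (sysctl(8), sysctl.d(5)): directories are consulted in the order given
# on the command line (RHEL 9: /etc/sysctl.d /run/sysctl.d
# /usr/local/lib/sysctl.d /usr/lib/sysctl.d /lib/sysctl.d); a file name found
# in an earlier directory masks the same name in later ones; the surviving
# files are applied in lexical order of file name, so the lexically last file
# that assigns a key wins. /etc/sysctl.conf (applied last of all) is not read.
# Simplifications: glob keys such as net.ipv4.conf.*.rp_filter are skipped,
# "-key" lines without a value apply nothing, and paths must not contain spaces.

NL=$(printf '\nx'); NL=${NL%x}

# lookup_key KEY FILE: print the last value FILE assigns to KEY; fail if none.
lookup_key() {
    want=$1 file=$2 found=1 val=""
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*|';'*) continue ;; esac
        case $line in *=*) ;; *) continue ;; esac     # "-key" with no value
        k=${line%%=*}; v=${line#*=}
        k=$(printf '%s' "${k#-}" | tr -d ' \t')       # "-key = v": drop the prefix
        v=$(printf '%s' "$v" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case $k in *'*'*) continue ;; esac            # glob keys: out of scope
        [ "$k" = "$want" ] && { val=$v; found=0; }
    done < "$file"
    [ $found -eq 0 ] && printf '%s\n' "$val"
    return $found
}

# resolve_sysctl KEY DIR...: print "VALUE FILE" for the winning assignment of
# KEY across the drop-in directories (given in precedence order); print
# nothing if no surviving file assigns it. Always returns 0.
resolve_sysctl() {
    q=$1; shift
    seen=" " list=""
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            base=${f##*/}
            case $seen in *" $base "*) continue ;; esac   # masked by an earlier dir
            seen="$seen$base "
            list="$list$base $f$NL"
        done
    done
    result=""
    while read -r base f; do                              # lexical order; last wins
        [ -n "$f" ] || continue
        if v=$(lookup_key "$q" "$f"); then result="$v $f"; fi
    done <<EOF
$(printf '%s' "$list" | LC_ALL=C sort)
EOF
    [ -n "$result" ] && printf '%s\n' "$result"
    return 0
}

# cis_3_3_7_check DIR...: one PASS/FAIL line per key; returns 0 only when both
# rp_filter keys resolve to 1.
cis_3_3_7_check() {
    rc=0
    for ck in net.ipv4.conf.all.rp_filter net.ipv4.conf.default.rp_filter; do
        r=$(resolve_sysctl "$ck" "$@")
        if [ -n "$r" ]; then v=${r%% *}; src=${r#* }; else v=unset; src='no drop-in assigns it'; fi
        if [ "$v" = 1 ]; then
            printf 'PASS %s = %s (%s)\n' "$ck" "$v" "$src"
        else
            printf 'FAIL %s = %s (%s)\n' "$ck" "$v" "$src"; rc=1
        fi
    done
    return $rc
}

# demo: a constructed tree reproducing the vendor rp_filter lines quoted in the
# thread, then a hypothetical remediation drop-in (file name is an assumption)
# whose "60-" prefix sorts after 50-default.conf and therefore wins.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/sysctl.d" "$root/usr/lib/sysctl.d"
    cat > "$root/usr/lib/sysctl.d/50-default.conf" <<'EOF'
# constructed excerpt of RHEL 9's /usr/lib/sysctl.d/50-default.conf
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.*.rp_filter = 2
-net.ipv4.conf.all.rp_filter
EOF
    echo '# vendor drop-in only:'
    cis_3_3_7_check "$root/etc/sysctl.d" "$root/usr/lib/sysctl.d" || true
    cat > "$root/etc/sysctl.d/60-cis-rp_filter.conf" <<'EOF'
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
EOF
    echo '# with /etc/sysctl.d/60-cis-rp_filter.conf:'
    cis_3_3_7_check "$root/etc/sysctl.d" "$root/usr/lib/sysctl.d"
    rm -rf "$root"
}

demo
```

On a real host, run cis_3_3_7_check with the five RHEL 9 directories in the order listed in the header comment, and compare the result with the live kernel values from sysctl -n net.ipv4.conf.all.rp_filter and sysctl -n net.ipv4.conf.default.rp_filter: the resolver only predicts what the drop-ins will apply at boot, and the vendor glob line it skips still sets every existing interface's rp_filter to 2. Note that on RHEL 9 /lib is a symlink to /usr/lib, which is why the two cat commands in the comment above print identical output from what is the same file.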