dev-sec / ansible-collection-hardening

This Ansible collection provides battle tested hardening for Linux, SSH, nginx, MySQL
http://dev-sec.io/
Apache License 2.0
3.93k stars 721 forks

sysctl-34 - fs.protected_regular not set #536

Open partha005 opened 2 years ago

partha005 commented 2 years ago

Hello!

My playbook states that the fs.protected_regular setting is changed, but it doesn't actually reflect in the system:

```
ok: [localhost] => (item={u'key': u'net.ipv4.conf.all.arp_announce', u'value': 2})
ok: [localhost] => (item={u'key': u'net.ipv4.conf.all.rp_filter', u'value': 1})
changed: [localhost] => (item={u'key': u'fs.protected_regular', u'value': 2})   <<<<<
ok: [localhost] => (item={u'key': u'net.ipv4.conf.default.send_redirects', u'value': 0})
ok: [localhost] => (item={u'key': u'net.ipv4.conf.all.accept_redirects', u'value': 0})
```

Not actually set:

```
[root@ip-10-0-0-24 roles]# sysctl -n fs.protected_hardlinks fs.protected_regular
1
sysctl: cannot stat /proc/sys/fs/protected_regular: No such file or directory
[root@ip-10-0-0-24 roles]# sysctl -a | egrep -i "fs.protected_hardlinks|fs.protected_regular"
fs.protected_hardlinks = 1
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.eth0.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
[root@ip-10-0-0-24 roles]#
```

Please refer to: https://github.com/dev-sec/ansible-collection-hardening/pull/494/files

Could you please check, or is it possible that the issue is only happening on my system?

schurzi commented 2 years ago

Hi @partha005 ,

it seems your Linux distribution does not have this sysctl. Can you tell us what OS you are running? You can find this information in /etc/os-release.

partha005 commented 2 years ago

Thanks for taking a look. It is CentOS.

```
[root@ip-10-0-0-217 ~]# cat /etc/centos-release
CentOS Linux release 7.9.2009 (Core)
[root@ip-10-0-0-217 ~]# uname -a
Linux ip-10-0-0-217 3.10.0-1160.62.1.el7.x86_64 #1 SMP Tue Apr 5 16:57:59 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
[root@ip-10-0-0-217 ~]#
```

partha005 commented 2 years ago

I do see an entry is made in sysctl.conf, but it fails to set when I try to reload:

```
[root@ip-10-0-0-217 ~]# cat /etc/sysctl.conf | grep -i protected_regular
fs.protected_regular=2
[root@ip-10-0-0-217 ~]#

[root@ip-10-0-0-217 ~]# sysctl -p
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
sysctl: cannot stat /proc/sys/fs/protected_fifos: No such file or directory
sysctl: cannot stat /proc/sys/fs/protected_regular: No such file or directory
fs.suid_dumpable = 0
```

Thanks

partha005 commented 2 years ago

Hi @schurzi, is there a way by which we could filter out settings related to a different distribution being tested in InSpec?

partha005 commented 2 years ago

So I did check on an Ubuntu instance, and this parameter is present there. Now I'm wondering why InSpec checks for this param on a CentOS machine.

```
$ sysctl -a | grep -i protected
fs.protected_fifos = 1
fs.protected_hardlinks = 1
fs.protected_regular = 2
fs.protected_symlinks = 1
$
$ cat /usr/src/linux-aws-5.11-headers-5.11.0-1022/include/linux/fs.h | grep -i protected_regular
extern int sysctl_protected_regular;
$
```

schurzi commented 2 years ago

This will get a bit more complicated. As per my tests, CentOS 8 supports all these sysctls. So we would need to match the supported options to the respective distros. I can take a look into this, but this will take some time.

> Hi @schurzi, is there a way by which we could filter out settings related to a different distribution being tested in InSpec?

This should be easy. InSpec has some options to change its behavior: https://docs.chef.io/inspec/cli/#options-3. We are using a waiver.yml file to skip some tests in our CI. This should also be usable by you.

see: https://github.com/dev-sec/ansible-collection-hardening/blob/9cf1659742c9bd15868fd500624219765938a3ae/molecule/os_hardening/verify.yml#L58

https://github.com/dev-sec/ansible-collection-hardening/blob/9cf1659742c9bd15868fd500624219765938a3ae/molecule/os_hardening/waivers.yaml#L1-L3
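One way to do the "match the supported options" step that schurzi mentions without maintaining a per-distro table is to ask the running kernel: a sysctl exists exactly when its node exists under /proc/sys, which is also why the CentOS 7 reload above fails with "cannot stat /proc/sys/fs/protected_regular". The script below is an added example written for this page, not code from the dev-sec collection, its Ansible tasks or its InSpec profile. The function names, the constructed /proc/sys stand-in and the sample sysctl.conf are assumptions of the example; the only external facts it relies on are the dot-to-slash mapping of sysctl keys and sysctl's leading "-" ignore-errors marker.

```shell
#!/bin/sh
# Added example, not code from the dev-sec collection: load a sysctl.conf-style
# file but skip keys this kernel does not expose under /proc/sys, so a key like
# fs.protected_regular (absent from the CentOS 7 3.10 kernel in this thread)
# is reported instead of producing "cannot stat" errors on reload.
# PROCSYS stands in for /proc/sys so the functions can run against a
# constructed directory tree.
set -eu

# sysctl_key_path KEY -> path of KEY relative to /proc/sys.
# Dotted keys map to slashes; keys already written in slash form (needed for
# interface names that contain dots, e.g. net/ipv4/conf/eth0.100/rp_filter)
# are passed through unchanged.
sysctl_key_path() {
    case $1 in
        */*) printf '%s\n' "$1" ;;
        *)   printf '%s\n' "$1" | tr '.' '/' ;;
    esac
}

# filter_supported_sysctls FILE PROCSYS
# Prints "key = value" on stdout for every setting whose node exists under
# PROCSYS and a "skipping ..." line on stderr for every one that does not.
filter_supported_sysctls() {
    file=$1; procsys=$2
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case $line in
            ''|'#'*|';'*) continue ;;   # blank lines and comments
            *=*) ;;
            *) continue ;;              # no "=": not an assignment
        esac
        # split on the first "=", trim whitespace, drop sysctl's optional
        # leading "-" (ignore-errors marker) from the key
        key=$(printf '%s' "${line%%=*}" | sed 's/^-\{0,1\}[[:space:]]*//; s/[[:space:]]*$//')
        value=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$key" ] || continue
        if [ -f "$procsys/$(sysctl_key_path "$key")" ]; then
            printf '%s = %s\n' "$key" "$value"
        else
            printf 'skipping %s: not supported by this kernel\n' "$key" >&2
        fi
    done < "$file"
}

# build_demo_procsys ROOT: constructed /proc/sys stand-in with the fs.* nodes
# the CentOS 7 kernel in the thread exposes, and without protected_fifos /
# protected_regular.
build_demo_procsys() {
    root=$1
    mkdir -p "$root/fs" "$root/net/ipv4/conf/all"
    echo 1 > "$root/fs/protected_hardlinks"
    echo 1 > "$root/fs/protected_symlinks"
    echo 0 > "$root/fs/suid_dumpable"
    echo 0 > "$root/net/ipv4/conf/all/rp_filter"
}

# build_demo_conf FILE: constructed sysctl.conf using the keys from the thread.
build_demo_conf() {
    cat > "$1" <<'EOF'
# constructed example input
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
fs.protected_fifos = 2
fs.protected_regular=2
net.ipv4.conf.all.rp_filter = 1
fs.suid_dumpable = 0
EOF
}

# Stand-alone demo on a temporary tree: four lines on stdout, two skips on stderr.
demo=$(mktemp -d)
build_demo_procsys "$demo/proc/sys"
build_demo_conf "$demo/sysctl.conf"
filter_supported_sysctls "$demo/sysctl.conf" "$demo/proc/sys"
rm -rf "$demo"
```

On a real host the filtered output can be written to its own drop-in and loaded with `sysctl -p`, e.g. `filter_supported_sysctls /etc/sysctl.conf /proc/sys > /etc/sysctl.d/99-hardening.conf && sysctl -p /etc/sysctl.d/99-hardening.conf`, which turns the hard failure on an unsupported key into a logged skip. The same existence test (a stat of the /proc/sys path before the sysctl task) is what a per-kernel rather than per-distro fix on the Ansible side would need.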

partha005 commented 2 years ago

Thanks @schurzi . We have excluded sysctl-34 from being checked, for the time being.

Also, this I believe is the original commit to the kernel, if that helps in some way: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=30aba6656f61ed44cba445a3c0d38b296fa9e8f5

Thanks!

EHEX-schildt commented 1 month ago

It looks like, at least under Archlinux, systemd-sysctl.service will ignore /etc/sysctl.conf (see also man sysctl.d).

Check for configuration conflicts:

```
grep -rn 'fs.protected_regular' /etc/sysctl.conf /etc/sysctl.d /usr/local/lib/sysctl.d /usr/lib/sysctl.d
```

Archlinux output:

```
/etc/sysctl.conf:4:fs.protected_regular=2
grep: /usr/local/lib/sysctl.d: No such file or directory
/usr/lib/sysctl.d/50-default.conf:55:fs.protected_regular = 1
```

This leads to the following behavior:

/etc/sysctl.conf gets written by the TASK "Change various sysctl-settings, look at the sysctl-vars file for documentation".

Modifying the TASK with `sysctl_file: /etc/sysctl.d/hardening.conf` would fix this for systemd-sysctl.service users, or alternatively linking /etc/sysctl.conf to /etc/sysctl.d/hardening.conf.

Test workaround:

```
sysctl fs.protected_regular
fs.protected_regular = 1

ln -s /etc/sysctl.conf /etc/sysctl.d/hardening.conf
systemctl restart systemd-sysctl.service

sysctl fs.protected_regular
fs.protected_regular = 2
```
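The symlink workaround above succeeds for a reason worth making explicit, because the same rule can defeat it: systemd-sysctl reads all sysctl.d files in lexical order of their basenames, keeping one file per basename from the highest-precedence directory, and for a key set in several files the last file wins. "hardening.conf" sorts after "50-default.conf", so the value 2 from the symlink overrides the distro default of 1; a link named "40-hardening.conf" would sort before it and lose. The script below is an added example written for this page, not code from the dev-sec collection or from the commenter: it reproduces those rules from man sysctl.d on a constructed tree, with ROOT standing in for "/" so nothing on the live system is touched. The function names, the directory ranking and the sample files are assumptions of the example; it also omits /etc/sysctl.conf from the search, since systemd-sysctl only sees that file where the distro links it into sysctl.d (Debian-derived systems ship such a link, Arch as reported above does not).

```shell
#!/bin/sh
# Added example, not code from the dev-sec collection: resolve the value
# systemd-sysctl would apply for one key by walking a sysctl.d tree the way
# man sysctl.d describes: one file per basename (the earliest directory in
# SYSCTL_DIRS wins), the surviving files applied in lexical basename order,
# and the last assignment of a key wins. ROOT stands in for "/" so the
# function runs on a constructed tree instead of the live system.
set -eu

TAB=$(printf '\t')
# Directories in masking order. /etc/sysctl.conf is deliberately absent:
# systemd-sysctl only sees it where the distro symlinks it into sysctl.d.
SYSCTL_DIRS="etc/sysctl.d run/sysctl.d usr/local/lib/sysctl.d usr/lib/sysctl.d"

# resolve_sysctl_key KEY ROOT -> prints the effective value, nothing if unset.
# Step 1 lists "basename<TAB>rank<TAB>path" for every *.conf file.
# Step 2 sorts by basename then rank and keeps the first (highest precedence)
#        file per basename, which also yields the lexical application order.
# Step 3 prints every assignment of KEY file by file ("k=v", "k = v", "-k = v"
#        forms); tail keeps the last one, i.e. the value that wins.
resolve_sysctl_key() {
    key=$1; root=$2
    pat=$(printf '%s' "$key" | sed 's/[.]/\\./g')   # escape dots for sed
    rank=0
    for dir in $SYSCTL_DIRS; do
        rank=$((rank + 1))
        for f in "$root/$dir"/*.conf; do
            [ -f "$f" ] || continue
            printf '%s\t%d\t%s\n' "$(basename "$f")" "$rank" "$f"
        done
    done |
    LC_ALL=C sort -t "$TAB" -k1,1 -k2,2n |
    awk -F "$TAB" '!seen[$1]++ { print $3 }' |
    while IFS= read -r path; do
        sed -n "s/^[[:space:]]*-\{0,1\}$pat[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$path"
    done | tail -n 1
}

# build_demo_tree ROOT: constructed files mirroring the Arch layout in the
# thread: the distro default lives in usr/lib/sysctl.d/50-default.conf and
# the symlinked /etc/sysctl.conf appears as etc/sysctl.d/hardening.conf.
build_demo_tree() {
    root=$1
    mkdir -p "$root/etc/sysctl.d" "$root/usr/lib/sysctl.d"
    printf 'fs.protected_symlinks = 1\nfs.protected_regular = 1\n' \
        > "$root/usr/lib/sysctl.d/50-default.conf"
    printf '# from /etc/sysctl.conf\nfs.protected_regular=2\n' \
        > "$root/etc/sysctl.d/hardening.conf"
}

# Stand-alone demo: "hardening.conf" sorts after "50-default.conf" and wins;
# renamed to "40-hardening.conf" it sorts before it and the distro default wins.
demo=$(mktemp -d)
build_demo_tree "$demo"
printf 'hardening.conf:    fs.protected_regular = %s\n' \
    "$(resolve_sysctl_key fs.protected_regular "$demo")"
mv "$demo/etc/sysctl.d/hardening.conf" "$demo/etc/sysctl.d/40-hardening.conf"
printf '40-hardening.conf: fs.protected_regular = %s\n' \
    "$(resolve_sysctl_key fs.protected_regular "$demo")"
rm -rf "$demo"
```

The practical consequence for the hardening role is that a drop-in it writes should carry a prefix that sorts after the distro's own files (for example 99-), and that a file placed in /etc/sysctl.d under the same basename as one in /usr/lib/sysctl.d replaces it entirely rather than merging with it. Running `resolve_sysctl_key fs.protected_regular /` against the real tree and comparing with `sysctl -n fs.protected_regular` after `systemctl restart systemd-sysctl.service` is a quick way to confirm which file actually set the value.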