dev-sec / puppet-os-hardening

This puppet module provides numerous security-related configurations, providing all-round base protection.
http://dev-sec.io/
Apache License 2.0

New warning - max_files - exceeds the default soft limit 1000 #279

Closed earthgecko closed 3 years ago

earthgecko commented 3 years ago

An update to puppet-agent 6.23 seems to have resulted in a new warning that I think is related to $folders_to_restrict in https://github.com/dev-sec/puppet-os-hardening/blob/master/manifests/minimize_access.pp#L51

Expected behavior

Not receiving warnings.

Actual behavior

Warning: The directory '/usr/bin' contains 1346 entries, which exceeds the default soft limit 1000 and may cause excessive resource consumption and degraded performance. To remove this warning set a value for `max_files` parameter or consider using an alternate method to manage large directory trees
Warning: The directory '/bin' contains 1346 entries, which exceeds the default soft limit 1000 and may cause excessive resource consumption and degraded performance. To remove this warning set a value for `max_files` parameter or consider using an alternate method to manage large directory trees

Example code

puppet agent --test --tags os_hardening

OS / Environment

os => {
  architecture => "x86_64",
  distro => {
    codename => "n/a",
    description => "CentOS Linux release 8.4.2105",
    id => "CentOS",
    release => {
      full => "8.4.2105",
      major => "8",
      minor => "4"
    },
    specification => "..."
  },
  family => "RedHat",
  hardware => "x86_64",
  name => "CentOS",
  release => {
    full => "8.4.2105",
    major => "8",
    minor => "4"
  },
  selinux => {
    config_mode => "enforcing",
    config_policy => "targeted",
    current_mode => "enforcing",
    enabled => true,
    enforced => true,
    policy_version => "33"
  }
}

Puppet Version

6.23.0

Additional context

I can confirm that the addition of max_files => -1 to the $folders_to_restrict definition resolves this issue and the warnings go away.

However, I shall not PR that change as it may not be deemed by the project as the best method with which to resolve this issue. Perhaps the warning is desired and it is not regarded as an issue, which could be acceptable behaviour and point of view of the os_hardening project; then this issue ticket can just be FYI for other users who experience warnings, given that not all users may know what os_hardening manages if they have simply included it via r10k or similar and have not looked at the code.

  # file resource from minimize_access.pp with max_files => -1 added;
  # -1 removes the 1000-entry soft limit, so Puppet no longer warns for
  # large trees such as /usr/bin and /bin
  file { $folders_to_restrict:
    ensure                  => directory,
    ignore                  => $ignore_files_in_folder_to_restrict,
    links                   => follow,
    mode                    => 'go-w',
    recurse                 => true,
    recurselimit            => $recurselimit,
    selinux_ignore_defaults => true,
    max_files               => -1,
  }
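As an added example (not part of the issue or of the puppet-os-hardening module), the following POSIX shell script audits the directories that minimize_access.pp manages recursively: it reports any directory whose entry count exceeds Puppet's default max_files soft limit of 1000 (the trigger for the warning above) and lists entries that are still group- or other-writable, i.e. not yet at the 'go-w' mode the module enforces. The directory list and the 1000 limit are assumptions mirroring the module's defaults; symlinks are not followed, and recurselimit is not applied.

```shell
#!/bin/sh
# Audit helper (added example, not project code). Assumed list mirrors
# $folders_to_restrict from minimize_access.pp; adjust for your manifest.
SOFT_LIMIT=1000
RESTRICTED_DIRS="/usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin"

# count_entries DIR: number of entries below DIR (recursive, no symlink
# following), roughly what Puppet has to manage with recurse => true.
count_entries() {
    find "$1" -mindepth 1 2>/dev/null | wc -l | tr -d ' '
}

# over_limit DIR LIMIT: succeed (exit 0) when DIR holds more than LIMIT entries.
over_limit() {
    [ "$(count_entries "$1")" -gt "$2" ]
}

# writable_by_go DIR: entries under DIR (itself included) that are group- or
# other-writable, i.e. violating mode 'go-w'. Uses GNU find's -perm /MODE.
writable_by_go() {
    find "$1" -perm /022 2>/dev/null
}

# audit_dirs DIR...: print one status line per directory plus any 'go-w'
# violations, flagging directories that would trip the max_files warning.
audit_dirs() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        n=$(count_entries "$d")
        if [ "$n" -gt "$SOFT_LIMIT" ]; then
            echo "$d: $n entries (exceeds soft limit $SOFT_LIMIT; set max_files)"
        else
            echo "$d: $n entries"
        fi
        writable_by_go "$d" | sed "s|^|$d: group/other-writable: |"
    done
}

# Run against the assumed hardened directories when executed directly.
[ "${AUDIT_NO_MAIN:-}" ] || audit_dirs $RESTRICTED_DIRS
```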

mcgege commented 3 years ago

Solved by #280