Closed canihavethisone closed 5 years ago
Can I please get some help refactoring mount_options.pp so it works better with CentOS? It appears that Augeas fails if the entry isn't already in /etc/fstab, and 1.1.17, for example, cannot be applied when trying to add /dev/shm, so it is currently commented out of centos7.pp.
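One way to handle the missing-entry case described above, as an added example that is not the module's own mount_options.pp: the augeas path only appends options to a line that already exists in /etc/fstab, so when the caller can name the device (here tmpfs for /dev/shm) the define falls through to Puppet's built-in mount type, which writes the fstab line itself and remounts. The define name, parameter names and the option list are assumptions for illustration; join() is the Puppet 5.5+ built-in.

```puppet
# Added example, not the module's own code. Assumes the caller passes
# $device only when the mount point may be absent from /etc/fstab.
define cis_mount_options (
  Array[String]    $options,
  String           $mountpoint = $title,
  Optional[String] $device     = undef,
  String           $fstype     = 'tmpfs',
) {
  if $device {
    # Entry may be missing: the mount type manages the fstab line and the
    # live mount, so it does not depend on a pre-existing line like augeas.
    mount { $mountpoint:
      ensure  => 'mounted',
      device  => $device,
      fstype  => $fstype,
      options => join(['defaults'] + $options, ','),
      atboot  => true,
    }
  } else {
    # Entry already exists: append each option only if it is not there yet,
    # so repeated runs stay idempotent.
    $options.each |String $opt| {
      augeas { "fstab-${mountpoint}-${opt}":
        context => '/files/etc/fstab',
        changes => "set *[file = '${mountpoint}']/opt[last()+1] ${opt}",
        onlyif  => "match *[file = '${mountpoint}']/opt[. = '${opt}'] size == 0",
      }
    }
  }
}

# Constructed usage for the /dev/shm noexec case (CIS 1.1.17). The extra
# nodev/nosuid options are example values, not taken from the thread.
cis_mount_options { '/dev/shm':
  device  => 'tmpfs',
  options => ['nodev', 'nosuid', 'noexec'],
}
```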
Yeah I'll take a look
On Sat, Sep 7, 2019 at 6:35 AM canihavethisone notifications@github.com wrote:
That's a good point. It could be moved outside the if statement which would then always create the resource. I'll give it a test.
I have moved the exec['reload rsyslog'] to both centos7.pp and redhat7.pp in a new 'shared resources' block at the end of both files. I have also added an entry for puppetlabs/reboot (and to metadata/fixtures/puppetfile), as this should be notified by classes that make changes to audit.rules, set kernel_parameter, etc. when changes require a reboot to take effect. I have NOT yet set those notifies however (the reboot block is for future use).
The changes in this pull request get Nessus L1 & L2 scan AFTER a reboot down to:
345 passed
30 failed
28 of the fails are ignorable (e.g. FAT filesystem active as I am using EFI, grub.cfg/user.cfg 0700 in EFI mount not catered for, banner entries, root not restricted to console only, the way that Nessus greps some files, etc.)
1 can be fixed if the /dev/shm noexec requirement is addressable by mount_options.pp changes
1 or 2 require further consideration, e.g. /var/log/btmp and wtmp have group owner utmp, and Nessus wants it to be the root group
I have also added a shared block to reload sshd config only if sshd service is already running, and only when notified by the cis_5_2_x series of classes that manage sshd_config entries. It would be a nightmare to have this in each class as they would all need unique names to avoid duplicate resources.
Agreed. I have added a default path for execs, which can be overridden if desired in individual execs.
This module now gets 354 passes and 21 fails in a Nessus CentOS 2.2.0 L1 & L2 scan. The fails are essentially ignorable for various reasons, including that Nessus runs sysctl to check ipv6 settings, which fail as ipv6 has been disabled in the kernel; running EFI requires a FAT filesystem; I have left root enabled for SSH on my test host; opting out of installing AIDE, etc. Short of any refactoring, this is feeling pretty rock solid now once this pull request is merged. Note that a reboot is still required after the first puppet run, and this has not yet been automated; however, the puppetlabs-reboot module has been added as a dependency and the code placed in the shared resources to do this after a run has completed when notified.
Idempotent on 3rd run (second is ideal but not essential).
Future to do's (another time perhaps):
@bryanjbelanger can you please review and merge these changes as I have completed the refactoring that I had wanted to include. One remaining point for consideration is if pkill should be used at all (as it currently is with rsyslog) as it is prudent to protect a host from critical services such as rsyslog, auditd etc being terminated as this can result in the host being rebooted into single mode or shutdown if the services are configured so (hence the introduction of an opt-in reboot feature). If you agree with that then I can quickly remove the pkill usage and add those classes to the auto_restart optional array before merge is done.
in cis_3_3_1, cis_3_3_2 and cis_3_3_3. Issue is that kernel_parameter ipv6.disable=1 prevents the creation of /proc/sys/net/ipv6 and therefore the sysctl module fails (even when the apply param is set to false). Fixed type in cis_5_2_14. Finished refactoring bash scripts.
This merge request seems odd as it's showing old commits and a conflict; let me know if I need to fix something.