chore(CIS): enforce CIS modprobe recommendations #1061
Conversation
Verified w/ "ubuntu" distro cluster:
Codecov Report

@@            Coverage Diff             @@
##           master    #1061      +/-   ##
==========================================
+ Coverage   74.33%   74.33%   +<.01%
==========================================
  Files         131      131
  Lines       18258    18259       +1
==========================================
+ Hits        13572    13573       +1
  Misses       3905     3905
  Partials      781      781
@@ -18,6 +20,7 @@ cp $SYSCTL_CONFIG_SRC $SYSCTL_CONFIG_DEST | |||
sysctl_reload 20 5 10 | |||
cp $ETC_ISSUE_CONFIG_SRC $ETC_ISSUE_CONFIG_DEST | |||
cp $ETC_ISSUE_NET_CONFIG_SRC $ETC_ISSUE_NET_CONFIG_DEST | |||
cp $MODPROBE_CIS_SRC $MODPROBE_CIS_DEST |
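Review bot: the new `cp $MODPROBE_CIS_SRC $MODPROBE_CIS_DEST` line (like the neighbouring cp calls) is unquoted and unchecked, so a missing source file or an unset variable lets the script carry on and produce an image with no CIS modprobe config at all. Quote the variables and fail fast, e.g. `cp "$MODPROBE_CIS_SRC" "$MODPROBE_CIS_DEST" || exit <non-zero>` using the script's usual error-code convention, or follow the copy with a check that the expected `install <module> /bin/true` directives are present in the destination. Placement relative to `sysctl_reload` does not matter for correctness: modprobe.d directives are read by modprobe at module-load time, not by sysctl, so no reload is needed; they also only govern future loads, and a module already resident when the file lands stays loaded until reboot, which is acceptable for a VHD that boots fresh but worth a comment in the script.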
should this be before the reload?
As far as my testing uncovered, sysctl --system was not necessary to pull in updated kernel module config.
Honestly I think there's a problem here: the sysctl_reload call doesn't really need to be called via VHD CI (it'll be applied when it boots up), but if we are calling it we should at least error out if it fails as a kind of basic validation.
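As an added example (not aks-engine's script and not code from this PR), here is a POSIX sh take on the two points raised in the thread above: the copy that installs the CIS modprobe drop-in should fail loudly rather than be silently skipped, and the installed config can be validated on its own without a sysctl reload. The module list, file names and function names are assumptions; the PR page does not show the contents of the config it copies.

```shell
#!/bin/sh
# Added example (not aks-engine's own cis.sh): render, install and verify a
# CIS modprobe.d drop-in with fail-fast error handling. The module list and
# the file names are assumptions; the PR page does not show its config contents.
set -eu

# Kernel modules the CIS benchmark recommends disabling (assumed list).
CIS_DISABLED_MODULES="cramfs freevxfs jffs2 hfs hfsplus squashfs udf usb-storage"

# write_cis_modprobe_conf DEST
# Writes one "install <module> /bin/true" directive per module, so that any
# attempt to load the module runs /bin/true instead of inserting it.
write_cis_modprobe_conf() {
  dest="$1"
  {
    printf '# CIS: prevent loading of unneeded filesystem and storage modules\n'
    for m in $CIS_DISABLED_MODULES; do
      printf 'install %s /bin/true\n' "$m"
    done
  } > "$dest"
}

# verify_cis_modprobe_conf DEST
# Returns 0 only if every expected module has an install override in DEST;
# prints each missing module to stderr. Catches a truncated or stale file.
verify_cis_modprobe_conf() {
  dest="$1"
  [ -r "$dest" ] || { echo "verify: $dest is missing or unreadable" >&2; return 1; }
  rc=0
  for m in $CIS_DISABLED_MODULES; do
    if ! grep -Eq "^install[[:space:]]+$m[[:space:]]+/bin/(true|false)[[:space:]]*$" "$dest"; then
      echo "verify: $m is not disabled in $dest" >&2
      rc=1
    fi
  done
  return "$rc"
}

# install_cis_modprobe_conf SRC DEST
# The PR's "cp $MODPROBE_CIS_SRC $MODPROBE_CIS_DEST" with quoting, a non-zero
# return on copy failure and post-copy validation, so a missing source file
# cannot silently leave the image without the CIS modprobe config.
install_cis_modprobe_conf() {
  src="$1"
  dest="$2"
  cp "$src" "$dest" || { echo "install: copying $src to $dest failed" >&2; return 1; }
  verify_cis_modprobe_conf "$dest"
}

# live_check_modules
# On a host with kmod, ask modprobe (dry run, verbose) what it would do for
# each module: the output should name /bin/true rather than a module path.
# Note: an already-loaded module stays resident until unloaded or rebooted;
# modprobe.d directives only govern future loads.
live_check_modules() {
  command -v modprobe >/dev/null 2>&1 || { echo "live check: modprobe not available" >&2; return 0; }
  rc=0
  for m in $CIS_DISABLED_MODULES; do
    if ! modprobe -n -v "$m" 2>/dev/null | grep -q '/bin/true'; then
      echo "live check: modprobe would still load $m" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Usage on the image build host (as root):
#   write_cis_modprobe_conf /tmp/cis-modprobe.conf
#   install_cis_modprobe_conf /tmp/cis-modprobe.conf /etc/modprobe.d/cis.conf
#   live_check_modules
```

The verify step is deliberately separate from the copy so it can also run against an already-built image as a drift check; the live modprobe check is a dry run, so it never loads or unloads anything and is safe to run on a host that is already in service.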
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: CecileRobertMichon, jackfrancis
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Additional findings from Nessus scan
Reason for Change:
Adds modprobe configuration enforcement, following CIS recommendations.
Issue Fixed:
Fixes #986
Requirements:
Notes: