chore(CIS): grub configuration changes to accommodate CIS #1111
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: jackfrancis
Validated w/ "ubuntu" distro:
Codecov Report
@@ Coverage Diff @@
## master #1111 +/- ##
=========================================
+ Coverage 74.4% 74.4% +<.01%
=========================================
Files 131 131
Lines 18283 18284 +1
=========================================
+ Hits 13603 13604 +1
Misses 3901 3901
Partials 779 779
@@ -0,0 +1,35 @@ | |||
# If you change this file, run 'update-grub' afterwards to update |
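Review bot: the header comment on this first line says to run 'update-grub' after editing, and the validation added elsewhere in this PR reads /boot/grub/grub.cfg, so nothing it checks changes until that regeneration happens; please confirm the provisioning script calls update-grub after writing this file and that a failure of that call aborts the run instead of being ignored.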
Can we make this file "lighter" by removing a lot of the commented out lines?
lgtm
stat /boot/grub/grub.cfg | grep 'Access: (0400' || exit 1 | ||
# validate grub configuration | ||
sudo grep "^\s*linux" /boot/grub/grub.cfg | grep 'audit=1' || exit 1 |
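Review bot: the audit=1 check on the last line passes as long as any single "linux" line carries the parameter, so a recovery or older-kernel entry without it goes unnoticed; invert the test so that any kernel line lacking the flag fails, e.g. `sudo grep "^\s*linux" /boot/grub/grub.cfg | grep -v 'audit=1' && exit 1` (or count the non-matching lines with `grep -vc` and require 0). On the first line, the stat check matches only the mode; the CIS grub.cfg item also requires root:root ownership, so compare `stat -c '%a %U %G' /boot/grub/grub.cfg` against `400 root root` rather than grepping the pretty-printed "Access:" line.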
Should we also grep for ipv6.disable=1, or is that not part of the CIS recommendation?
Yeah, in fact this grep is carried over specifically from here:
2ffe464
to
a18b773
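A stricter form of the grub.cfg validation discussed in this thread, added here as an example that is not part of the PR or of the project's scripts. Unlike the one-line grep, it fails when any "linux" entry (recovery entries included) lacks the required parameter, it takes the parameter as an argument so the same function covers audit=1 or ipv6.disable=1, and it checks owner and group together with the 0400 mode. The function names, the temporary directory, and the two sample grub.cfg fragments are constructed for this example; the real check would be pointed at /boot/grub/grub.cfg.

```shell
#!/bin/sh
# Added example, not code from the PR. Stricter grub.cfg checks than the
# single grep in the diff: every kernel entry must carry the parameter, and
# ownership is checked alongside the mode. Sample configs below are constructed.

# check_kernel_params FILE PARAM
# Returns 0 when every line starting with "linux", "linux16" or "linuxefi"
# carries PARAM as a whole word; 1 when an entry lacks it or none are found.
check_kernel_params() {
    file=$1
    param=$2
    # awk always exits 0, so the counts are reliable even under set -e
    set -- $(awk -v p="$param" '
        /^[ \t]*linux(16|efi)?[ \t]/ {
            total++
            found = 0
            for (i = 2; i <= NF; i++) if ($i == p) found = 1
            if (!found) missing++
        }
        END { print total + 0, missing + 0 }' "$file")
    [ "$1" -gt 0 ] && [ "$2" -eq 0 ]
}

# check_file_perms FILE [OWNER] [GROUP]
# Returns 0 when FILE is mode 0400 and owned by OWNER:GROUP (root:root by
# default), which is what the CIS grub.cfg permission item asks for.
# Uses GNU/busybox stat -c; the "Access: (0400" grep only looked at the mode.
check_file_perms() {
    actual=$(stat -c '%a %U %G' "$1" 2>/dev/null) || return 1
    [ "$actual" = "400 ${2:-root} ${3:-root}" ]
}

# write_sample_cfgs DIR
# Constructed grub.cfg fragments: good.cfg has audit=1 on both entries,
# bad.cfg is missing it on the recovery entry. The grep from the diff
# accepts both files; check_kernel_params rejects bad.cfg.
write_sample_cfgs() {
    cat > "$1/good.cfg" <<'EOF'
menuentry 'Ubuntu' {
        linux   /boot/vmlinuz-4.15.0 root=UUID=example ro audit=1
        initrd  /boot/initrd.img-4.15.0
}
menuentry 'Ubuntu (recovery mode)' {
        linux   /boot/vmlinuz-4.15.0 root=UUID=example ro recovery nomodeset audit=1
        initrd  /boot/initrd.img-4.15.0
}
EOF
    cat > "$1/bad.cfg" <<'EOF'
menuentry 'Ubuntu' {
        linux   /boot/vmlinuz-4.15.0 root=UUID=example ro audit=1
        initrd  /boot/initrd.img-4.15.0
}
menuentry 'Ubuntu (recovery mode)' {
        linux   /boot/vmlinuz-4.15.0 root=UUID=example ro recovery nomodeset
        initrd  /boot/initrd.img-4.15.0
}
EOF
}

# Demo against the constructed files in a temporary directory.
demo_dir=$(mktemp -d)
write_sample_cfgs "$demo_dir"
for f in good bad; do
    if check_kernel_params "$demo_dir/$f.cfg" audit=1; then
        echo "$f.cfg: every kernel entry carries audit=1"
    else
        echo "$f.cfg: at least one kernel entry is missing audit=1"
    fi
done
chmod 400 "$demo_dir/good.cfg"
# The demo file is owned by the current user, so pass that instead of root.
if check_file_perms "$demo_dir/good.cfg" "$(id -un)" "$(id -gn)"; then
    echo "good.cfg: mode 0400 with the expected owner and group"
fi
rm -rf "$demo_dir"
```

In a provisioning script the calls would be `check_kernel_params /boot/grub/grub.cfg audit=1 || exit 1` and `check_file_perms /boot/grub/grub.cfg || exit 1`, run with enough privilege to read the 0400 file; any further CIS kernel parameter can be checked with a second call to the same function.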
Reason for Change:
Enables auditing via grub, see https://secscan.acron.pl/centos7/4/1/3
Issue Fixed:
Fixes #1009
Requirements:
Notes: