Coreos build - enable more rules #5018
LGTM. Thank you very much for working on the profile, Gabe! The profile builds and in general the added rules make sense to me.
I left a couple of questions inline. I think some rules might not be needed in an OCP environment, mostly I'm concerned about the IPv4 forwarding rule, although I have not tested out if disabling the sysctl really breaks OCP networking.
But if you want, please go ahead and merge the content. The point of the inline comments is not to block the PR, it's really just questions :-) We can (and will) iterate on the content later.
On 15 Nov 2019, at 17:48, Shawn Wells ***@***.***> wrote:
@shawndwells commented on this pull request.
In ocp4/profiles/coreos-ncp.profile:
> - #- auditd_audispd_configure_remote_server
- #- auditd_audispd_encrypt_sent_records
- #- auditd_audispd_disk_full_action
- #- auditd_audispd_network_failure_action
-
+ - service_auditd_enabled
+ - var_auditd_flush=incremental_async
+ - auditd_data_retention_flush
+ - auditd_local_events
+ - auditd_write_logs
+ - auditd_log_format
+ - auditd_freq
+ - auditd_name_format
+ - var_auditd_action_mail_acct=root
+ - var_auditd_space_left_action=email
+ - auditd_audispd_configure_remote_server
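Review bot: the last added line `+ - auditd_audispd_configure_remote_server` turns the audispd remote-server rule into an active selection, while the force-push summary in this PR says the audispd checks are commented out in favour of a note that fluentd checks are needed; if audit.log on the CoreOS nodes is collected by the logging operator rather than shipped by audispd, this line (and the other audispd_* rules that were removed as comments just above it) should stay commented, with the fluentd note in the profile instead. A short comment next to `+ - var_auditd_space_left_action=email` and `+ - var_auditd_action_mail_acct=root` saying what mail delivery to root means on a CoreOS node would also help whoever tailors the profile.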
Showing my lack of product knowledge here - does that operator also pickup the CoreOS logs?
If you mean `/var/log/audit/audit.log` then yes. Otherwise, I’d have to look up the answer.
On 15 Nov 2019, at 17:42, Shawn Wells ***@***.***> wrote:
@shawndwells commented on this pull request.
In ocp4/profiles/coreos-ncp.profile:
> @@ -140,75 +133,75 @@ selections:
### Kernel Config
## Boot prompt
- #- grub2_audit_argument
- #- grub2_audit_backlog_limit_argument
- #- grub2_slub_debug_argument
- #- grub2_page_poison_argument
- #- grub2_vsyscall_argument
- #- grub2_vsyscall_argument.role=unscored
- #- grub2_vsyscall_argument.severity=info
- #- grub2_pti_argument
+ - grub2_audit_argument
+ - grub2_audit_backlog_limit_argument
+ - grub2_slub_debug_argument
+ - grub2_page_poison_argument
+ - grub2_vsyscall_argument
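Review bot: the removed refinements `- #- grub2_vsyscall_argument.role=unscored` and `- #- grub2_vsyscall_argument.severity=info` have no `+` counterpart, so `+ - grub2_vsyscall_argument` now becomes a fully scored rule at its default severity; given the question raised below about workloads that still need vsyscall, consider re-adding the role/severity refinements until the rule description documents the opt-out. Separately, `- #- grub2_pti_argument` is dropped but nothing re-selects it in the visible hunk, so confirm that leaving pti unselected (unlike the other four boot arguments) is intentional.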
vsyscall is already disabled in other government profiles, such as the DoD baselines for RHEL.
Having this rule in the ComplianceAsCode catalog allows for per-profile selection. For example, the Government baselines may require this and accept the implications, while for more general-purpose baselines like PCI-DSS the rule may not need to be selected.
If it’s possible to opt-out in the unlikely case a customer would want to run a RHEL-6 container on an OCP4 cluster, then it’s fine. We might want to make this clear in the rule description, though. (Not as part of this PR of course)
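The thread above turns on two mechanics of a ComplianceAsCode profile: a rule such as `grub2_vsyscall_argument` is either selected outright or selected with a `.role=unscored` / `.severity=info` refinement, and a rule that is wrong for a given environment (the IPv4 forwarding sysctl on a container host) is simply left out. The script below is an added example, not code from the ComplianceAsCode project or from this PR: it parses a small `selections:` fragment, evaluates the selected rules against a constructed kernel command line and sysctl table, and shows how an unscored refinement keeps a failing rule out of the scored tally. The rule-to-kernel-argument mapping, the `sysctl_net_ipv4_ip_forward` rule id and all node facts are assumptions made for the example.

```python
"""Evaluate ComplianceAsCode-style profile selections against node facts.

Added example. The mapping from rule ids to expected kernel arguments and
the sysctl rule id are assumptions for this demo, not taken from the project.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed expected kernel arguments per grub2_* rule (not from the page).
GRUB2_RULE_ARGS = {
    "grub2_audit_argument": "audit=1",
    "grub2_audit_backlog_limit_argument": "audit_backlog_limit=8192",
    "grub2_slub_debug_argument": "slub_debug=P",
    "grub2_page_poison_argument": "page_poison=1",
    "grub2_vsyscall_argument": "vsyscall=none",
    "grub2_pti_argument": "pti=on",
}

# Assumed sysctl rule id -> (sysctl key, compliant value).
SYSCTL_RULE_KEYS = {
    "sysctl_net_ipv4_ip_forward": ("net.ipv4.ip_forward", "0"),
}


@dataclass
class Selection:
    rule: str
    role: str = "full"          # "full" unless refined with .role=unscored
    severity: Optional[str] = None


def parse_profile_selections(lines: List[str]) -> Dict[str, Selection]:
    """Parse '- rule', '- rule.role=x', '- rule.severity=y'; skip '#- rule',
    headings and 'var_x=value' variable refinements."""
    sels: Dict[str, Selection] = {}
    for raw in lines:
        line = raw.strip()
        if not line.startswith("- "):
            continue                      # comments like '#- rule' are not selected
        item = line[2:].strip()
        if "=" in item and "." not in item.split("=", 1)[0]:
            continue                      # e.g. var_auditd_flush=incremental_async
        if "." in item:
            rule, refinement = item.split(".", 1)
            key, _, value = refinement.partition("=")
            sel = sels.setdefault(rule, Selection(rule))
            if key == "role":
                sel.role = value
            elif key == "severity":
                sel.severity = value
        else:
            sels.setdefault(item, Selection(item))
    return sels


def evaluate(selections: Dict[str, Selection], cmdline: str,
             sysctls: Dict[str, str]) -> Dict[str, Tuple[str, str, Optional[str]]]:
    """Return rule -> (pass|fail, role, severity) for rules this demo can check."""
    args = set(cmdline.split())
    results = {}
    for rule, sel in selections.items():
        if rule in GRUB2_RULE_ARGS:
            ok = GRUB2_RULE_ARGS[rule] in args
        elif rule in SYSCTL_RULE_KEYS:
            key, expected = SYSCTL_RULE_KEYS[rule]
            ok = sysctls.get(key) == expected
        else:
            continue                      # rule kinds not modelled here
        results[rule] = ("pass" if ok else "fail", sel.role, sel.severity)
    return results


def scored_failures(results) -> List[str]:
    """Failures that count: unscored rules are reported but not tallied."""
    return sorted(r for r, (s, role, _) in results.items()
                  if s == "fail" and role != "unscored")


# Constructed inputs: a profile fragment modelled on the PR hunk, a node
# whose kernel line lacks vsyscall=none, and a host with forwarding enabled.
PROFILE_STRICT = """
selections:
    ### Kernel Config
    ## Boot prompt
    - grub2_audit_argument
    - grub2_audit_backlog_limit_argument
    - grub2_slub_debug_argument
    - grub2_page_poison_argument
    - grub2_vsyscall_argument
    #- grub2_pti_argument
    - var_auditd_flush=incremental_async
    - sysctl_net_ipv4_ip_forward
""".splitlines()
PROFILE_TAILORED = PROFILE_STRICT + [
    "    - grub2_vsyscall_argument.role=unscored",
    "    - grub2_vsyscall_argument.severity=info",
]
CMDLINE = ("BOOT_IMAGE=/vmlinuz root=UUID=example rw audit=1 "
           "audit_backlog_limit=8192 slub_debug=P page_poison=1")
SYSCTLS = {"net.ipv4.ip_forward": "1"}   # container hosts need forwarding on


def report(profile_lines: List[str]) -> List[str]:
    return scored_failures(evaluate(parse_profile_selections(profile_lines),
                                    CMDLINE, SYSCTLS))


if __name__ == "__main__":
    print("strict   :", report(PROFILE_STRICT))
    print("tailored :", report(PROFILE_TAILORED))
```

Running it shows the strict profile failing on both `grub2_vsyscall_argument` and the forwarding sysctl, while the tailored profile still reports the vsyscall result at severity `info` but counts only the forwarding failure; a container host would drop that rule from the profile altogether, which is what the PR ended up doing.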
Force-pushed 1f7046b to 61441dc:
- Remove ip_forward rule
- Enable ipv6 disabling
- Comment out audispd checks and add note that fluentd checks are needed
| - functionality: |- | ||
| Certain technologies such as virtual machines, containers, etc. rely on IPv4 forwarding to enable and use networking. | ||
| Disabling IPv4 forwarding would cause those technologies to stop working. Therefore, this rule should not be used in | ||
| profiles or benchmarks that target usage of IPv4 forwarding. |
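Review bot: the closing sentence of the `functionality` warning, "this rule should not be used in profiles or benchmarks that target usage of IPv4 forwarding", is ambiguous about what is being targeted; suggest "profiles or benchmarks that target systems which rely on IPv4 forwarding, such as virtual machine or container hosts", so that someone tailoring the profile can match the warning against the endpoint's actual role.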
Thanks for creating this warning. Should be very helpful for those tailoring or justifying dropping this rule locally based on how the endpoint is being used.
With all conversations resolved, ack'ing this PR.
Description: