Update few sysctl rules to accept multiple compliant values #9286
Conversation
This also removes value '0' from the list of possible configurations. This change aligns the rule better with STIG.
The rule only accepts values 1 or 2 as compliant; the XCCDF Variable cannot have the value 0, as it will never result in a pass.
For now, the only STIGs I see that adopted this change were RHEL's and OL's.
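The check the description refers to (runtime value and persistent assignments both restricted to 1 or 2, value 0 rejected, conflicting assignments rejected) can be followed end to end in shell. The block below is an added example and is not code from this PR or from the ComplianceAsCode project; it mirrors the OCIL procedure rather than the OVAL check itself, takes the `sysctl` output line as an argument instead of querying the kernel, and runs over a constructed temporary directory that stands in for /etc/sysctl.conf and /etc/sysctl.d. All function names and the fixture layout are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from this PR or the ComplianceAsCode project.
# Re-implements the OCIL procedure for a sysctl parameter with several
# compliant values: the runtime value must be one of them, every persistent
# assignment must be one of them, and conflicting assignments are rejected.
# The file tree is constructed below so the script runs offline.

# value_allowed VALUE ALLOWED - succeed when VALUE is in the space-separated
# ALLOWED list (e.g. "1 2"); 0 is simply never in the list.
value_allowed() {
  for v in $2; do
    [ "$1" = "$v" ] && return 0
  done
  return 1
}

# runtime_value LINE - extract the value from a line as printed by
# `sysctl PARAM`, e.g. "kernel.kptr_restrict = 1" -> "1".
runtime_value() {
  printf '%s' "$1" | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# persistent_state PARAM ALLOWED PATH... - scan the given sysctl.conf file
# and sysctl.d directories for uncommented "PARAM = value" lines and print:
#   pass      exactly one distinct value is assigned and it is allowed
#   conflict  assignments with different values were found (even if each
#             value on its own is compliant)
#   wrong     the single assigned value is not allowed
#   missing   no assignment at all (a runtime-only setting is not persistent)
persistent_state() {
  param=$1; allowed=$2; shift 2
  # Escape the dots so "net.ipv4" cannot match "netXipv4".
  pat=$(printf '%s' "$param" | sed 's/\./\\./g')
  values=$(grep -rhE "^[[:space:]]*${pat}[[:space:]]*=" "$@" 2>/dev/null |
           sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
  if [ -z "$values" ]; then
    echo missing; return 1
  fi
  distinct=$(printf '%s\n' "$values" | sort -u)
  first=$(printf '%s\n' "$distinct" | head -n 1)
  if [ "$distinct" != "$first" ]; then
    echo conflict; return 1
  fi
  if value_allowed "$distinct" "$allowed"; then
    echo pass; return 0
  fi
  echo wrong; return 1
}

# check_rule PARAM ALLOWED SYSCTL_LINE PATH... - combine both halves the way
# the rule does: runtime and persistent configuration must both be compliant.
check_rule() {
  param=$1; allowed=$2; line=$3; shift 3
  rt=$(runtime_value "$line")
  pstate=$(persistent_state "$param" "$allowed" "$@") || true
  if value_allowed "$rt" "$allowed" && [ "$pstate" = pass ]; then
    echo pass
  else
    echo "fail (runtime=$rt persistent=$pstate)"
  fi
}

# build_fixture DIR VALUE [SECOND_VALUE] - constructed stand-in for
# /etc/sysctl.conf and /etc/sysctl.d, with distractor lines that a correct
# scan must ignore (a comment and a parameter with a longer name).
build_fixture() {
  mkdir -p "$1/sysctl.d"
  printf '# comments and unrelated settings must be ignored\n' > "$1/sysctl.conf"
  printf '#kernel.kptr_restrict = 0\n' >> "$1/sysctl.conf"
  printf 'kernel.kptr_restrict_other = 0\n' >> "$1/sysctl.conf"
  printf 'kernel.kptr_restrict = %s\n' "$2" >> "$1/sysctl.conf"
  if [ -n "$3" ]; then
    printf 'kernel.kptr_restrict=%s\n' "$3" > "$1/sysctl.d/99-local.conf"
  fi
}

# Demo over three constructed trees: compliant, conflicting, and value 0.
tmp=$(mktemp -d)
build_fixture "$tmp/ok" 2
build_fixture "$tmp/conflict" 1 2
build_fixture "$tmp/zero" 0
check_rule kernel.kptr_restrict '1 2' 'kernel.kptr_restrict = 2' "$tmp/ok/sysctl.conf" "$tmp/ok/sysctl.d"
check_rule kernel.kptr_restrict '1 2' 'kernel.kptr_restrict = 1' "$tmp/conflict/sysctl.conf" "$tmp/conflict/sysctl.d"
check_rule kernel.kptr_restrict '1 2' 'kernel.kptr_restrict = 0' "$tmp/zero/sysctl.conf" "$tmp/zero/sysctl.d"
rm -rf "$tmp"
```

The conflict tree fails even though 1 and 2 are each compliant, which is the "Conflicting assignments are not allowed" rule from the OCIL text. The scan escapes the dots in the parameter name and uses `[[:space:]]` so it works with a POSIX grep; it does not follow symlinked configuration files, which the project's own test scenario names (symlinks_to_same_file, symlink_root_duplicate, ...) show the real check has to handle.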
The CI failure is probably caused by the container environment; when I execute the tests on a virtual machine backend, they all pass:
[jcerny@thinkpad scap-security-guide{pr/9283}]$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 sysctl_kernel_kptr_restrict,sysctl_net_ipv4_conf_all_rp_filter
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2022-08-03-1315/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter
INFO - Script two_sysctls_on_same_file_name.fail.sh using profile (all) OK
INFO - Script symlinks_to_same_file.pass.sh using profile (all) OK
INFO - Script line_not_there.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - Script comment.fail.sh using profile (all) OK
INFO - Script two_sysctls_on_same_file.pass.sh using profile (all) OK
INFO - Script symlink_repeated_sysctl_conf.pass.sh using profile (all) OK
INFO - Script symlink_same_option.fail.sh using profile (all) OK
INFO - Script two_sysctls_on_d.fail.sh using profile (all) OK
INFO - Script symlink_root_incompliant.fail.sh using profile (all) OK
INFO - Script wrong_runtime.fail.sh using profile (all) OK
INFO - Script one_sysctl_conf_one_sysctl_d.fail.sh using profile (all) OK
INFO - Script symlink_different_option.pass.sh using profile (all) OK
INFO - Script wrong_value_d_directory.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script symlink_root_duplicate.fail.sh using profile (all) OK
INFO - Script value_1.pass.sh using profile (all) OK
INFO - Script value_2.pass.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict
INFO - Script value_1.pass.sh using profile (all) OK
INFO - Script value_2.pass.sh using profile (all) OK
[jcerny@thinkpad scap-security-guide{pr/9286}]$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 --remediate-using ansible sysctl_kernel_kptr_restrict,sysctl_net_ipv4_conf_all_rp_filter
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2022-08-03-1321/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter
INFO - Script one_sysctl_conf_one_sysctl_d.fail.sh using profile (all) OK
INFO - Script symlink_root_duplicate.fail.sh using profile (all) OK
INFO - Script two_sysctls_on_d.fail.sh using profile (all) OK
INFO - Script two_sysctls_on_same_file.pass.sh using profile (all) OK
INFO - Script symlink_repeated_sysctl_conf.pass.sh using profile (all) OK
INFO - Script symlink_same_option.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script symlink_root_incompliant.fail.sh using profile (all) OK
INFO - Script wrong_runtime.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - Script symlink_different_option.pass.sh using profile (all) OK
INFO - Script two_sysctls_on_same_file_name.fail.sh using profile (all) OK
INFO - Script line_not_there.fail.sh using profile (all) OK
INFO - Script comment.fail.sh using profile (all) OK
INFO - Script symlinks_to_same_file.pass.sh using profile (all) OK
INFO - Script wrong_value_d_directory.fail.sh using profile (all) OK
INFO - Script value_1.pass.sh using profile (all) OK
INFO - Script value_2.pass.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict
INFO - Script value_1.pass.sh using profile (all) OK
INFO - Script value_2.pass.sh using profile (all) OK
...etwork-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
This datastream diff is auto generated by the check.
OCIL for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,25 @@
-The runtime status of the net.ipv4.conf.all.rp_filter kernel parameter can be queried
+The runtime status of the net.ipv4.conf.all.rp_filter parameter can be queried
by running the following command:
$ sysctl net.ipv4.conf.all.rp_filter
-1.
+The output of the command should indicate either:
+net.ipv4.conf.all.rp_filter = 1
+or:
+net.ipv4.conf.all.rp_filter = 2
+The output of the command should not indicate:
+net.ipv4.conf.all.rp_filter = 0
- Is it the case that the correct value is not returned?
+The preferable way how to assure the runtime compliance is to have
+correct persistent configuration, and rebooting the system.
+
+The persistent sysctl parameter configuration is performed by specifying the appropriate
+assignment in any file located in the /etc/sysctl.d directory.
+Verify that there is not any existing incorrect configuration by executing the following command:
+$ grep -r '^\s*net.ipv4.conf.all.rp_filter\s*=' /etc/sysctl.conf /etc/sysctl.d
+The command should not find any assignments other than:
+net.ipv4.conf.all.rp_filter = 1
+or:
+net.ipv4.conf.all.rp_filter = 2
+
+Conflicting assignments are not allowed.
+ Is it the case that the net.ipv4.conf.all.rp_filter is not set to 1 or 2 or is configured to be 0?
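Review bot: the command on the `+$ grep -r '^\s*net.ipv4.conf.all.rp_filter\s*=' /etc/sysctl.conf /etc/sysctl.d` line leaves the dots in the parameter name unescaped, so the pattern also matches any character in those positions, and the sentence two lines above it says persistent configuration is placed in `/etc/sysctl.d` while the command (correctly) also searches `/etc/sysctl.conf`; suggest `net\.ipv4\.conf\.all\.rp_filter` and naming both locations in `+The persistent sysctl parameter configuration is performed by specifying the appropriate` / `+assignment in any file located in the /etc/sysctl.d directory.`. The added `+The preferable way how to assure the runtime compliance is to have` / `+correct persistent configuration, and rebooting the system.` is ungrammatical; `The preferred way to ensure runtime compliance is a correct persistent configuration followed by a reboot.` reads better.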
OCIL for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,25 @@
The runtime status of the kernel.kptr_restrict kernel parameter can be queried
by running the following command:
$ sysctl kernel.kptr_restrict
-1.
+The output of the command should indicate either:
+kernel.kptr_restrict = 1
+or:
+kernel.kptr_restrict = 2
+The output of the command should not indicate:
+kernel.kptr_restrict = 0
- Is it the case that the correct value is not returned?
+The preferable way how to assure the runtime compliance is to have
+correct persistent configuration, and rebooting the system.
+
+The persistent kernel parameter configuration is performed by specifying the appropriate
+assignment in any file located in the /etc/sysctl.d directory.
+Verify that there is not any existing incorrect configuration by executing the following command:
+$ grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d
+The command should not find any assignments other than:
+kernel.kptr_restrict = 1
+or:
+kernel.kptr_restrict = 2
+
+Conflicting assignments are not allowed.
+ Is it the case that the kernel.kptr_restrict is not set to 1 or 2 or is configured to be 0?
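Review bot: the wording of this hunk diverges from the rp_filter hunk for what is the same template text: the rp_filter hunk drops `kernel` from its first line (`-The runtime status of the net.ipv4.conf.all.rp_filter kernel parameter can be queried`), while here the context line keeps `The runtime status of the kernel.kptr_restrict kernel parameter can be queried`, and `+The persistent kernel parameter configuration is performed by specifying the appropriate` here corresponds to `persistent sysctl parameter configuration` there; pick one phrasing for both rules. The closing `+ Is it the case that the kernel.kptr_restrict is not set to 1 or 2 or is configured to be 0?` is redundant, since 0 is already not 1 or 2, and the explicit exclusion is already stated by `+The output of the command should not indicate:` / `+kernel.kptr_restrict = 0`. The same unescaped-dot point as in the rp_filter hunk applies to `+$ grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d`.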
The OCIL should mention both compliant values.
5f4b2f7 to a159f7d
Code Climate has analyzed commit a159f7d and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 42.7% (0.0% change).
@yuumasato: The following tests failed, say
[jcerny@thinkpad scap-security-guide{pr/9286}]$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 sysctl_kernel_kptr_restrict
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2022-08-04-1402/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict
INFO - Script one_sysctl_conf_one_sysctl_d.fail.sh using profile (all) OK
INFO - Script symlink_repeated_sysctl_conf.pass.sh using profile (all) OK
INFO - Script symlink_same_option.fail.sh using profile (all) OK
INFO - Script symlink_root_incompliant.fail.sh using profile (all) OK
INFO - Script two_sysctls_on_same_file.pass.sh using profile (all) OK
INFO - Script line_not_there.fail.sh using profile (all) OK
INFO - Script symlink_root_duplicate.fail.sh using profile (all) OK
INFO - Script symlinks_to_same_file.pass.sh using profile (all) OK
INFO - Script comment.fail.sh using profile (all) OK
INFO - Script two_sysctls_on_d.fail.sh using profile (all) OK
INFO - Script wrong_runtime.fail.sh using profile (all) OK
INFO - Script two_sysctls_on_same_file_name.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script wrong_value_d_directory.fail.sh using profile (all) OK
INFO - Script symlink_different_option.pass.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - Script value_1.pass.sh using profile (all) OK
INFO - Script value_2.pass.sh using profile (all) OK
[jcerny@thinkpad scap-security-guide{pr/9286}]$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 sysctl_net_ipv4_conf_all_rp_filter
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2022-08-04-1408/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter
INFO - Script two_sysctls_on_same_file.pass.sh using profile (all) OK
INFO - Script one_sysctl_conf_one_sysctl_d.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script symlink_repeated_sysctl_conf.pass.sh using profile (all) OK
INFO - Script wrong_runtime.fail.sh using profile (all) OK
INFO - Script symlink_root_duplicate.fail.sh using profile (all) OK
INFO - Script two_sysctls_on_d.fail.sh using profile (all) OK
INFO - Script comment.fail.sh using profile (all) OK
INFO - Script symlink_same_option.fail.sh using profile (all) OK
INFO - Script symlink_root_incompliant.fail.sh using profile (all) OK
INFO - Script two_sysctls_on_same_file_name.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - Script line_not_there.fail.sh using profile (all) OK
INFO - Script symlinks_to_same_file.pass.sh using profile (all) OK
INFO - Script symlink_different_option.pass.sh using profile (all) OK
INFO - Script wrong_value_d_directory.fail.sh using profile (all) OK
INFO - Script value_1.pass.sh using profile (all) OK
INFO - Script value_2.pass.sh using profile (all) OK
[jcerny@thinkpad scap-security-guide{pr/9286}]$
Unfortunately there are issues with the build using OVAL 5.10:
More code here should be applicable only to OVAL 5.11:
This problem was probably introduced in the PR that introduced support to multiple values, not this one.
…_rules_with_new_compliant_values
Update few sysctl rules to accept multiple compliant values
Patch-name: scap-security-guide-0.1.64-add_multivalue_compliance_kptr_rp_filter.patch
Patch-status: Update few sysctl rules to accept multiple compliant values
…_rules_with_new_compliant_values
Update few sysctl rules to accept multiple compliant values
Patch-name: scap-security-guide-0.1.64-add_multivalue_compliance_kptr_rp_filter-PR_9286.patch
Patch-status: Update few sysctl rules to accept multiple compliant values
Description:
sysctl_net_ipv4_conf_all_rp_filter
sysctl_kernel_kptr_restrict
Rationale: