Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[os_hardening] Task for setting initramfs modules does not match its condition #590

Closed
BVollmerhaus opened this issue Oct 21, 2022 · 2 comments
Closed

[os_hardening] Task for setting initramfs modules does not match its condition #590

BVollmerhaus opened this issue Oct 21, 2022 · 2 comments
Assignees
@schurzi
Labels
bug os_hardening

Comments

@BVollmerhaus
Copy link

BVollmerhaus commented Oct 21, 2022
edited

Describe the bug

The os_hardening role's sysctl task file contains a task called "Rebuild initramfs with starting pack of modules, if module loading at runtime is disabled". Whether module loading is enabled is controlled by the os_security_kernel_enable_module_loading variable, which is true by default.

As far as I can see, the task checks for the variable to be true in order to execute:

name: Rebuild initramfs with starting pack of modules, if module loading at runtime is disabled
[...]
when:
    - ansible_facts.os_family == 'Debian'
    - os_security_kernel_enable_module_loading

If I'm not mistaken, this is either a case of the task name being incorrect or the condition not being negated, whichever is the intended behavior. But it's late, so I hope I'm not confusing things here. 🙂

Role Version

8.2.0
@BVollmerhaus BVollmerhaus changed the title [os_hardening] Name of task for setting initramfs modules does not match its condition [os_hardening] Task for setting initramfs modules does not match its condition Oct 21, 2022
@schurzi schurzi self-assigned this Oct 22, 2022
@schurzi
Copy link
Contributor

schurzi commented Oct 23, 2022

very nice catch!
The basic intention here is to preload all modules, when we have disabled kernel module loading via sysctl.
We have not set this specific sysctl for a very long time:

ansible-collection-hardening/roles/os_hardening/defaults/main.yml

Lines 116 to 119 in 53be805

# This setting controls how the kernel behaves towards module changes at
# runtime. Setting to 1 will disable module loading at runtime.
# Setting it to 0 is actually never supported. | sysctl-29
# kernel.modules_disabled: 1

@schurzi schurzi linked a pull request Oct 23, 2022 that will close this issue
consistent naming of initramfs task #591
Closed
@schurzi schurzi added the bug label Oct 25, 2022
@rndmh3ro
Copy link
Member

Feature is deprecated. See #618

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@schurzi schurzi

Labels
bug os_hardening
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

consistent naming of initramfs task dev-sec/ansible-collection-hardening
3 participants
@schurzi @rndmh3ro @BVollmerhaus