implement sysctl-34 - link protection settings #494

Merged
merged 2 commits into from Oct 24, 2021

rndmh3ro
Member

see dev-sec/linux-baseline#160

Signed-off-by: rndmh3ro github@gumpri.ch

Signed-off-by: rndmh3ro <github@gumpri.ch>
Co-authored-by: schurzi <Martin.Schurz@t-systems.com>
@schurzi schurzi merged commit 08b0fd1 into master Oct 24, 2021
@schurzi schurzi deleted the sysctl-34 branch October 24, 2021 09:21

partha005 commented Apr 25, 2022

Hello!

My playbook states that the fs.protected_regular setting is changed, but the change isn't actually reflected in the system:

```
ok: [localhost] => (item={u'key': u'net.ipv4.conf.all.arp_announce', u'value': 2})
ok: [localhost] => (item={u'key': u'net.ipv4.conf.all.rp_filter', u'value': 1})
changed: [localhost] => (item={u'key': u'fs.protected_regular', u'value': 2}) <<<<<
ok: [localhost] => (item={u'key': u'net.ipv4.conf.default.send_redirects', u'value': 0})
ok: [localhost] => (item={u'key': u'net.ipv4.conf.all.accept_redirects', u'value': 0})
```

Not actually set:

```
[root@ip-10-0-0-24 roles]# sysctl -n fs.protected_hardlinks fs.protected_regular
1
sysctl: cannot stat /proc/sys/fs/protected_regular: No such file or directory
[root@ip-10-0-0-24 roles]# sysctl -a | egrep -i "fs.protected_hardlinks|fs.protected_regular"
fs.protected_hardlinks = 1
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.eth0.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
[root@ip-10-0-0-24 roles]#
```

Could you please check, or is it possible that the issue is only happening on my system?
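
An added example (not code from this pull request or the project): a shell check that compares desired sysctl values with what the running kernel exposes under /proc/sys, so a key the kernel does not provide, as with fs.protected_regular in the report above, is flagged as unsupported instead of being taken as applied. `SYSCTL_ROOT`, `check_sysctl` and `audit_sysctls` are hypothetical names; the two key/value pairs are the ones visible in the output above.

```shell
#!/bin/sh
# Added example: audit desired link-protection sysctls against the running kernel.
# SYSCTL_ROOT is an assumed override so the check can be pointed at a test tree.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# Classify one key. Returns 0 = ok, 1 = mismatch, 2 = unsupported (no entry
# under /proc/sys). Dots are mapped to slashes, which is correct for the fs.*
# keys used here; interface names containing dots would need extra handling.
check_sysctl() {
    cs_path="$SYSCTL_ROOT/$(printf '%s' "$1" | tr . /)"
    if [ ! -e "$cs_path" ]; then
        echo "unsupported $1"
        return 2
    fi
    cs_have=$(cat "$cs_path")
    if [ "$cs_have" = "$2" ]; then
        echo "ok $1=$cs_have"
        return 0
    fi
    echo "mismatch $1=$cs_have want=$2"
    return 1
}

# Read "key value" lines on stdin, print one verdict per key, and return the
# highest status seen so a pipeline step can fail on drift or missing keys.
audit_sysctls() {
    as_worst=0
    while read -r as_key as_want; do
        [ -n "$as_key" ] || continue
        as_rc=0
        check_sysctl "$as_key" "$as_want" || as_rc=$?
        [ "$as_rc" -le "$as_worst" ] || as_worst=$as_rc
    done
    return "$as_worst"
}

# Values taken from the output quoted in the comment above.
audit_sysctls <<'EOF' || echo "audit status: $?"
fs.protected_hardlinks 1
fs.protected_regular 2
EOF
```

Run after the playbook, a status of 2 means at least one requested key has no entry on this kernel, independent of what the task output reported.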

divialth pushed a commit to divialth/ansible-collection-hardening that referenced this pull request Aug 3, 2022
implement sysctl-34 - link protection settings