sysctl-34 - fs.protected_regular not set

[partha005]

Hello!

My playbook is stating fs.protected_regular setting is changed, but it doesn't actually reflect in the system:

ok: [localhost] => (item={u'key': u'net.ipv4.conf.all.arp_announce', u'value': 2})
ok: [localhost] => (item={u'key': u'net.ipv4.conf.all.rp_filter', u'value': 1})
changed: [localhost] => (item={u'key': u'fs.protected_regular', u'value': 2}) <<<<<
ok: [localhost] => (item={u'key': u'net.ipv4.conf.default.send_redirects', u'value': 0})
ok: [localhost] => (item={u'key': u'net.ipv4.conf.all.accept_redirects', u'value': 0})

not actually set:
[root@ip-10-0-0-24 roles]# sysctl -n fs.protected_hardlinks fs.protected_regular
1
sysctl: cannot stat /proc/sys/fs/protected_regular: No such file or directory
[root@ip-10-0-0-24 roles]# sysctl -a | egrep -i "fs.protected_hardlinks|fs.protected_regular"
fs.protected_hardlinks = 1
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.eth0.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
[root@ip-10-0-0-24 roles]#

Please refer to: https://github.com/dev-sec/ansible-collection-hardening/pull/494/files

Could you please check, or is it possible that the issue is only happening in my system.

[schurzi]

Hi @partha005 ,

it seems your Linux distribution does not have this sysctl. Can you tell us what OS you are running? You can find this information in /etc/os-release.

[partha005]

Thanks for taking a look. It is CentOS.
[root@ip-10-0-0-217 ~]# cat /etc/centos-release
CentOS Linux release 7.9.2009 (Core)
[root@ip-10-0-0-217 ~]# uname -a
Linux ip-10-0-0-217 3.10.0-1160.62.1.el7.x86_64 #1 SMP Tue Apr 5 16:57:59 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
[root@ip-10-0-0-217 ~]#

[partha005]

I do see an entry is made in sysctl.conf, but it fails to set when I try to reload:
[root@ip-10-0-0-217 ~]# cat /etc/sysctl.conf | grep -i protected_regular
fs.protected_regular=2
[root@ip-10-0-0-217 ~]#

[root@ip-10-0-0-217 ~]# sysctl -p
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
sysctl: cannot stat /proc/sys/fs/protected_fifos: No such file or directory
sysctl: cannot stat /proc/sys/fs/protected_regular: No such file or directory
fs.suid_dumpable = 0

Thanks

[partha005]

Hi @schurzi , is there a way by which we could filter out settings related to a different distribution being tested in Inspec.

[partha005]

So I did check in a Ubuntu instance, and this parameter is present there.
Now, Im wondering why Inspec checks for this param in a CentOS machine.

$ sysctl -a | grep -i protected
fs.protected_fifos = 1
fs.protected_hardlinks = 1
fs.protected_regular = 2
fs.protected_symlinks = 1
$
$ cat /usr/src/linux-aws-5.11-headers-5.11.0-1022/include/linux/fs.h | grep -i protected_regular
extern int sysctl_protected_regular;
$

[schurzi]

This will get a bit more complicated. As per my tests CentOS8 supports all these sysctls. So we would need to match the supported options to the respective distros. I can take a look into this, but this will take some time.

Hi @schurzi , is there a way by which we could filter out settings related to a different distribution being tested in Inspec.

This should be easy. inspec has some options to change it's behavior https://docs.chef.io/inspec/cli/#options-3. We are using a waiver.ymlfile to skip some tests in our CI. This should also be usable by you.

see:

ansible-collection-hardening/molecule/os_hardening/verify.yml

Line 58 in 9cf1659

command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit --waiver-file waivers.yaml https://github.com/dev-sec/linux-baseline/archive/refs/heads/master.zip"

ansible-collection-hardening/molecule/os_hardening/waivers.yaml

Lines 1 to 3 in 9cf1659

	os-14:
	run: false
	justification: "not yet implemented"

[partha005]

Thanks @schurzi . We have excluded sysctl-34 from being checked, for the time being.

Also, this I believe is the original commit to the kernel, if that helps in some way: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=30aba6656f61ed44cba445a3c0d38b296fa9e8f5

Thanks!

[EHEX-schildt]

It looks like, at least under Archlinux, systemd-sysctl.service will ignore /etc/sysctl.conf (see also man sysctl.d)

Check for Configuration Conflicts:

grep -rn 'fs.protected_regular' /etc/sysctl.conf /etc/sysctl.d /usr/local/lib/sysctl.d /usr/lib/sysctl.d

Archlinux Output:

/etc/sysctl.conf:4:fs.protected_regular=2
grep: /usr/local/lib/sysctl.d: No such file or directory
/usr/lib/sysctl.d/50-default.conf:55:fs.protected_regular = 1

This leads to the following behavior:

• onboot / reboot /etc/sysctl.conf get loaded (from kernel at some point?) and set (fs.protected_regular = 2)
• sometime later systemd-sysctl.service run and set the override from /usr/lib/sysctl.d/50-default.conf (fs.protected_regular = 1)

/etc/sysctl.conf gets wirten by TASK Change various sysctl-settings, look at the sysctl-vars file for documentation

Modify the TASK with sysctl_file: /etc/sysctl.d/hardening.conf for systemd-sysctl.service Users will fix this or
linking /etc/sysctl.conf to /etc/sysctl.d/hardening.conf.

Test Workaround:

sysctl fs.protected_regular
fs.protected_regular = 1

ln -s /etc/sysctl.conf /etc/sysctl.d/hardening.conf
systemctl restart systemd-sysctl.service

sysctl fs.protected_regular
fs.protected_regular = 2