rndmh3ro

see dev-sec/linux-baseline#160

Signed-off-by: rndmh3ro [email protected]

@schurzi schurzi merged commit 08b0fd1 into master Oct 24, 2021
@schurzi schurzi deleted the sysctl-34 branch October 24, 2021 09:21

partha005 commented Apr 25, 2022

Hello!

My playbook states that the fs.protected_regular setting is changed, but the change is not actually reflected in the system:

ok: [localhost] => (item={u'key': u'net.ipv4.conf.all.arp_announce', u'value': 2})
ok: [localhost] => (item={u'key': u'net.ipv4.conf.all.rp_filter', u'value': 1})
changed: [localhost] => (item={u'key': u'fs.protected_regular', u'value': 2}) <<<<<
ok: [localhost] => (item={u'key': u'net.ipv4.conf.default.send_redirects', u'value': 0})
ok: [localhost] => (item={u'key': u'net.ipv4.conf.all.accept_redirects', u'value': 0})

not actually set:
[root@ip-10-0-0-24 roles]# sysctl -n fs.protected_hardlinks fs.protected_regular
1
sysctl: cannot stat /proc/sys/fs/protected_regular: No such file or directory
[root@ip-10-0-0-24 roles]# sysctl -a | egrep -i "fs.protected_hardlinks|fs.protected_regular"
fs.protected_hardlinks = 1
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.eth0.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
[root@ip-10-0-0-24 roles]#

Could you please check? Or is it possible that the issue is only happening on my system?
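
Added example, not part of this thread or of the hardening role: a shell check that reads each desired key straight from /proc/sys, so a key the running kernel does not expose (as with fs.protected_regular in the output above) is reported as missing rather than passing silently. The function names `sysctl_state` and `audit_sysctl` and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the role's code): compare desired sysctl values with
# what the kernel exposes under /proc/sys.

# sysctl_state KEY WANT [ROOT] -> prints: ok | mismatch:<actual> | missing
# ROOT defaults to /proc/sys; another ROOT allows offline testing.
# Limitation: keys whose interface name contains a dot are not handled.
sysctl_state() {
    path="${3:-/proc/sys}/$(printf '%s' "$1" | tr . /)"
    if [ ! -e "$path" ]; then
        echo missing                      # kernel has no such key
    elif have=$(cat "$path" 2>/dev/null) && [ "$have" = "$2" ]; then
        echo ok
    else
        echo "mismatch:${have:-unreadable}"
    fi
}

# audit_sysctl ROOT, reading "key value" pairs from stdin.
# Prints one line per key; returns the number of keys not in the desired state.
audit_sysctl() {
    bad=0
    while read -r key want; do
        [ -n "$key" ] || continue
        state=$(sysctl_state "$key" "$want" "$1")
        printf '%-10s %s = %s\n' "$state" "$key" "$want"
        [ "$state" = ok ] || bad=$((bad + 1))
    done
    return "$bad"
}

# Constructed demo tree: a kernel that does not expose fs.protected_regular.
demo=$(mktemp -d)
mkdir -p "$demo/fs"
echo 1 > "$demo/fs/protected_hardlinks"
echo 0 > "$demo/fs/protected_symlinks"
audit_sysctl "$demo" <<EOF || echo "$? key(s) not in the desired state"
fs.protected_hardlinks 1
fs.protected_symlinks 1
fs.protected_regular 2
EOF
rm -rf "$demo"
```

On a real host, call `audit_sysctl /proc/sys` with the role's key/value pairs on stdin and treat a non-zero return as a failed verification.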

divialth pushed a commit to divialth/ansible-collection-hardening that referenced this pull request Aug 3, 2022
implement sysctl-34 - link protection settings