Skip to content

implement sysctl-34 - link protection settings #494

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Oct 24, 2021
Merged

implement sysctl-34 - link protection settings #494

merged 2 commits into from
Oct 24, 2021

Conversation

rndmh3ro
Copy link
Member

see dev-sec/linux-baseline#160

Signed-off-by: rndmh3ro [email protected]

@rndmh3ro rndmh3ro requested a review from schurzi October 20, 2021 19:00
schurzi
schurzi reviewed Oct 24, 2021
View reviewed changes
@schurzi schurzi merged commit 08b0fd1 into master Oct 24, 2021
@schurzi schurzi deleted the sysctl-34 branch October 24, 2021 09:21
@partha005
Copy link

partha005 commented Apr 25, 2022
edited
Loading

Hello!

My playbook is stating fs.protected_regular setting is changed, but it doesn't actually reflect in the system:

ok: [localhost] => (item={u'key': u'net.ipv4.conf.all.arp_announce', u'value': 2})
ok: [localhost] => (item={u'key': u'net.ipv4.conf.all.rp_filter', u'value': 1})
changed: [localhost] => (item={u'key': u'fs.protected_regular', u'value': 2}) <<<<<
ok: [localhost] => (item={u'key': u'net.ipv4.conf.default.send_redirects', u'value': 0})
ok: [localhost] => (item={u'key': u'net.ipv4.conf.all.accept_redirects', u'value': 0})

not actually set:
[root@ip-10-0-0-24 roles]# sysctl -n fs.protected_hardlinks fs.protected_regular
1
sysctl: cannot stat /proc/sys/fs/protected_regular: No such file or directory
[root@ip-10-0-0-24 roles]# sysctl -a | egrep -i "fs.protected_hardlinks|fs.protected_regular"
fs.protected_hardlinks = 1
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.eth0.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
[root@ip-10-0-0-24 roles]#

Could you please check, or is it possible that the issue is only happening in my system.

divialth pushed a commit to divialth/ansible-collection-hardening that referenced this pull request Aug 3, 2022
@schurzi
Merge pull request dev-sec#494 from dev-sec/sysctl-34
e088a93 
implement sysctl-34 - link protection settings
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@schurzi schurzi schurzi left review comments

Assignees

No one assigned

Labels

enhancement minor os_hardening

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@rndmh3ro @partha005 @schurzi