Sysctl improvements #10534

Closed
wants to merge 44 commits into from
e4353d4
feature: ssg: add escape_regex_all and escape_regex_sq
maage May 5, 2023
5d5821e
change: sysctl: enable fedora
maage May 7, 2023
d0c432b
feature: bash: add bash_sed_escape_*
maage May 4, 2023
eca3fc7
feature: bash: add bash_sysctl_*
maage May 7, 2023
95f6a3e
fix: bash_replace_or_append: use bash_sed_escape_replacement
maage May 7, 2023
de77cd1
fix: bash_replace_or_append: add LC_ALL=C to sed too
maage May 7, 2023
6807cb4
feature: bash_replace_or_append: add key_regex
maage May 7, 2023
a9d8a7d
feature: bash_replace_or_append: add ignore_case
maage May 7, 2023
fe359f9
feature: bash_replace_or_append: add word_boundary
maage May 7, 2023
c3632e2
fix: sysctl/tests: use bash_sysctl_test_clean
maage Mar 4, 2022
b2b78bf
fix: sysctl/tests: use bash_sysctl_set_config_directories
maage May 7, 2023
a3f8558
fix: sysctl/bash: follow sysctl quirks more
maage May 4, 2023
82624ff
fix: sysctl/tests: change wrong_value_d_directory.fail.sh to test all…
maage May 5, 2023
5af086b
fix: sysctl: allow template to set correct_sysctlval_for_testing, wro…
maage May 7, 2023
7591877
change: sysctl_kernel_perf_event_paranoid: allow 3 too
maage Mar 31, 2023
af46ce0
feature: oval: add oval_list_to_set
maage May 7, 2023
9a6b2a2
feature: oval: add oval_var_trim
maage May 10, 2023
3d77266
fix: sysctl: correct_value_usr_local_lib: only on sle
maage May 6, 2023
4267427
style: sysctl/oval: indent 4
maage May 7, 2023
a85e3f6
style: sysctl/oval: remove extra ws
maage May 7, 2023
e647e3c
change: sysctl/oval: sysctl quirks
maage May 5, 2023
ce39fa2
change: sysctl/ansible: ensure sysctl value is actually set
maage Apr 29, 2023
49c99fc
feature: sysctl: add ansible_sysctl_set_config_directories
maage May 5, 2023
9458487
feature: sysctl: use ansible_sysctl_set_config_directories
maage May 5, 2023
c985906
change: sysctl/ansible: sysctl quirks
maage May 7, 2023
5ed3057
sysctl/ansible: comment keep previous
maage May 7, 2023
779e30b
change: sysctl_net_ipv4_ip_local_port_range: add variable support
maage Apr 29, 2023
e751de4
fix: sysctl: remove unnecessary tests/shared/sysctl.sh
maage May 5, 2023
ee35e94
change: sysctl/oval: use oval_var_trim
maage May 10, 2023
7463627
fix: sysctl: allow to handle empty values
maage May 10, 2023
8de43b2
change: sysctl_kernel_core_pattern_empty_string: use sysctl template
maage May 7, 2023
1d4a663
bugfix: aide_check_audit_tools: Ensure no suffix prefix
maage May 11, 2023
3f951f1
fix: aide_check_audit_tools: support fedora
maage May 11, 2023
fe0930f
bugfix: rsyslog_remote_loghost: word_boundary is space or tab
maage May 11, 2023
17c6d50
fix: rsyslog_logfiles_attributes_modify/bash: handle conf w/o paths
maage May 12, 2023
e2b701f
fix: sysctl/ansible: FQDN
maage May 11, 2023
4972177
fix: oval_list_to_set: work with older than 2.10 Jinja2
maage May 11, 2023
b906e08
fix: sysctl/oval: work with older than 2.10 Jinja2
maage May 11, 2023
9e31c29
fix: oval_list_to_set: work with older than 2.8 Jinja2
maage May 11, 2023
d773b16
fix: sysctl/ansible: work with older than 2.8 Jinja2
maage May 12, 2023
054b3d3
fix: sysctl/ansible: work with older than v2.11.0 Jinja2
maage May 11, 2023
d3565e2
fix: escape_regex*: be also python 2 compatible
maage May 9, 2023
63fe82c
fix: sysctl/ansible: FQDN ansible.posix.sysctl not in 2.9
maage May 12, 2023
a89d834
bash: be v4.2 compat
maage May 12, 2023
25 changes: 22 additions & 3 deletions docs/templates/template_reference.md
@@ -834,8 +834,10 @@ The selected value can be changed in the profile (consult the actual variable fo
sysctl configurations:
- /etc/sysctl.conf
- /etc/sysctl.d/\*.conf
- /lib/sysctl.d/\*.conf (does not apply to Fedora, RHEL and OL)
- /run/sysctl.d/\*.conf
- /usr/lib/sysctl.d/\*.conf (does not apply to RHEL and OL)
- /usr/local/lib/sysctl.d/\*.conf (only if SLE)
- /usr/lib/sysctl.d/\*.conf (does not apply to Fedora, RHEL and OL)

A sysctl option is allowed to be defined in more than one file within the scanned directories
as long as those values are compliant.
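Review bot: the removal of the `/lib/sysctl.d/*.conf` entry is not explained anywhere in the text; if it was dropped because `/lib` resolves to `/usr/lib` on every supported product, say so, because a reader comparing the old and new list will otherwise assume that directory is no longer scanned at all. The new `/usr/lib/sysctl.d/*.conf` entry now excludes Fedora in addition to RHEL and OL, and the reason the distribution-shipped defaults directory is skipped on those three products belongs in this paragraph as well. Also use one phrasing for the qualifiers: `(only if SLE)` and `(does not apply to ...)` read as two different rules, e.g. `(SLE only)` / `(not on Fedora, RHEL and OL)`. Finally, since "A sysctl option is allowed to be defined in more than one file", the paragraph should say whether a file that is shadowed by a same-named file in an earlier directory still has to hold a compliant value.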
@@ -862,8 +864,13 @@ The selected value can be changed in the profile (consult the actual variable fo
in the OVAL check, but won't be used in the remediations.
All remediations will use an XCCDF value instead.

- **wrong_sysctlval_for_testing** - the value that is always wrong. This
will be used in templated test scenarios when **sysctlval** is a list.
- **correct_sysctlval_for_testing** - the value that is always correct.
This will be used in templated test scenarios when **sysctlval** is a
list or comes from variable.

- **wrong_sysctlval_for_testing** - the value that is always wrong.
This will be used in templated test scenarios when **sysctlval** is a
list or comes from variable.

- **missing_parameter_pass** - if set to `true` the check will pass if the
setting for the given **sysctlvar** is not present in sysctl
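Review bot: the two new entries say "comes from variable" twice; that should be "comes from a variable", and both descriptions are otherwise identical, so a reader cannot tell what is required of each. State what the template does when `sysctlval` is a list or an XCCDF variable and one of `correct_sysctlval_for_testing` / `wrong_sysctlval_for_testing` is missing (is that a build error, or is a value derived from the list?), and for the `correct_` value note that it must also satisfy the check on every product the rule is enabled for.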
@@ -1114,6 +1121,18 @@ escape_regex
some regular expression, behaves similar to the Python 3’s
[**re.escape**](https://docs.python.org/3/library/re.html#re.escape).

escape_regex_all
- Escapes characters in the string for it to be usable as a part of
some regular expression.
Escape all but unprintable and **\w**.
[**re.escape**](https://docs.python.org/3/library/re.html#re.escape).

escape_regex_sq
- Escapes characters in the string for it to be usable as a part of
some regular expression.
Use `.` -> `[.]` style escape method. And `^` is replaced with `\^'.
Escape all but unprintable and **\w**.

escape_yaml_key
- Escape uppercase letters and `^` with additional `^` and convert letters
to lovercase. This is because of OVAL's name argument limitations.
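Review bot: the `escape_regex_all` entry ends with a stray `[**re.escape**](...)` link on its own line with no sentence around it, which looks like a leftover from copying the `escape_regex` entry above; either write "behaves like Python 3's re.escape" as that entry does, or drop the link. In the `escape_regex_sq` entry the quoting is mismatched: `\^'` opens with a backtick and closes with an apostrophe, so it should read `` `\^` ``. "Escape all but unprintable and **\w**" should also explain why unprintable characters are left untouched, since leaving them unescaped is the surprising part of the rule, and say how `]` and `\` are handled by the `[.]` style, because the text only covers `^` and those two cannot simply be wrapped in `[...]` in every regex dialect. While touching this block, "lovercase" in the context line below is a typo for "lowercase".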
@@ -6,8 +6,9 @@
{{{ ansible_instantiate_variables("rsyslog_remote_loghost_address") }}}

- name: "Set rsyslog remote loghost"
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/rsyslog.conf
regexp: "^\\*\\.\\*"
regexp: >-
^\*\.\*[ \\t]+(?:@|\:omrelp\:)
line: "*.* @@{{ rsyslog_remote_loghost_address }}"
create: yes
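Review bot: the folded scalar `regexp: >-` is not escape-processed by YAML, so `[ \\t]` reaches the regex engine as a character class containing a space, a backslash and the letter `t`, not a tab. The doubled backslash was only needed in the old double-quoted form (`"^\\*\\.\\*"`); inside `>-` it should be `[ \t]`, matching the bash and OVAL variants in this patch. With the current form a line such as `*.*<TAB>@@loghost` is not matched and `lineinfile` appends a second `*.*` line instead of replacing it. The change from `lineinfile:` to `ansible.builtin.lineinfile:` is fine; `dest:` is the legacy alias of `path:` and could be updated in the same edit.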
Expand Up @@ -2,4 +2,11 @@

{{{ bash_instantiate_variables("rsyslog_remote_loghost_address") }}}

{{{ bash_replace_or_append('/etc/rsyslog.conf', '^\*\.\*', "@@$rsyslog_remote_loghost_address", '%s %s') }}}
{{{ bash_replace_or_append(
'/etc/rsyslog.conf',
'*.*',
"@@${rsyslog_remote_loghost_address}",
'%s %s',
key_regex='^\*\.\*[ \t]\+(@|\:omrelp\:)',
word_boundary='',
) }}}
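Review bot: `key_regex='^\*\.\*[ \t]\+(@|\:omrelp\:)'` mixes two regex flavours: `\+` is GNU basic (BRE) syntax, while the unescaped group and alternation `(@|...)` are extended (ERE) syntax and are literal characters in a BRE, where the same thing would be `\(@\|...\)`. Only one of the two can be right for whatever `grep`/`sed` invocation `bash_replace_or_append` performs, so pick the flavour the macro uses and add a test scenario whose existing line is `*.* :omrelp:host` to prove the alternation actually matches. `\:` is not a defined escape in POSIX regex; `:` is not special, so drop the backslashes. Also say in the macro documentation what `word_boundary=''` means when `key_regex` is given, since the positional key `'*.*'` is then apparently only used for the replacement text.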
@@ -1,3 +1,4 @@
{{%- set remote_rx = "^\*\.\*[ \t]+(?:@|\:omrelp\:)" -%}}
<def-group>
<definition class="compliance" id="rsyslog_remote_loghost" version="1">
{{{ oval_metadata("Syslog logs should be sent to a remote loghost") }}}
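Review bot: `remote_rx` is a double-quoted Jinja literal, so check whether the template engine decodes `\t` into an actual tab character before the value is substituted into the XML below; if it does, the generated OVAL pattern contains an invisible tab inside the character class, which matches correctly but is hard to read and diff. Writing `\\t` in the literal keeps the rendered pattern as `[ \t]`. The same regex now exists in three hand-written copies (this file, the bash and the ansible remediation) that already differ from each other in escaping; a single shared definition in the rule's macros would stop them drifting apart.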
@@ -33,14 +34,14 @@

<ind:textfilecontent54_object id="object_remote_loghost_rsyslog_conf" version="1">
<ind:filepath>/etc/rsyslog.conf</ind:filepath>
<ind:pattern operation="pattern match">^\*\.\*[\s]+(?:@|\:omrelp\:)</ind:pattern>
<ind:pattern operation="pattern match">{{{ remote_rx }}}</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>

<ind:textfilecontent54_object id="object_remote_loghost_rsyslog_d" version="1">
<ind:path>/etc/rsyslog.d</ind:path>
<ind:filename operation="pattern match">^.+\.conf$</ind:filename>
<ind:pattern operation="pattern match">^\*\.\*[\s]+(?:@|\:omrelp\:)</ind:pattern>
<ind:pattern operation="pattern match">{{{ remote_rx }}}</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>

@@ -1,6 +1,6 @@
documentation_complete: true

prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204

title: 'Configure Accepting Router Advertisements on All IPv6 Interfaces'

@@ -1,6 +1,6 @@
documentation_complete: true

prodtype: sle12,sle15
prodtype: fedora,sle12,sle15

title: 'Disable Kernel Parameter for IPv6 Forwarding by default'

@@ -1,6 +1,6 @@
documentation_complete: true

prodtype: rhel7,rhel8,rhel9
prodtype: fedora,rhel7,rhel8,rhel9

title: 'Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces'

@@ -87,7 +87,7 @@ template:
name: sysctl
vars:
sysctlvar: net.ipv4.conf.all.rp_filter
{{% if 'ol' in product or 'rhel' in product %}}
{{% if product in ['fedora'] or 'ol' in product or 'rhel' in product %}}
sysctlval:
- '1'
- '2'
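Review bot: `product in ['fedora']` is a one-element membership test that reads as if more products were expected; `product == 'fedora'` says what is meant, and the same condition appears again for `kernel.kptr_restrict` below. The `conflicts` hunk later in this patch uses double quotes (`["fedora", "rhel9"]`) while these use single quotes; pick one style for the Jinja conditions touched here.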
@@ -1,8 +1,7 @@
#!/bin/bash
# platform = multi_platform_ol,multi_platform_rhel
# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel

# Clean sysctl config directories
rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
{{{ bash_sysctl_test_clean() }}}

sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf
echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf
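Review bot: the removed `rm -rf` covered exactly `/usr/lib/sysctl.d/*`, `/run/sysctl.d/*` and `/etc/sysctl.d/*`; confirm that `bash_sysctl_test_clean()` clears at least the same three plus `/usr/local/lib/sysctl.d/*`, which the documentation hunk in this patch adds for SLE, so a scenario cannot pass or fail because of a file the old clean-up would have removed. Keep the `# Clean sysctl config directories` comment above the macro call: after templating, the rendered script no longer shows what the expanded block is for.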
@@ -1,8 +1,7 @@
#!/bin/bash
# platform = multi_platform_ol,multi_platform_rhel
# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel

# Clean sysctl config directories
rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
{{{ bash_sysctl_test_clean() }}}

sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf
echo "net.ipv4.conf.all.rp_filter = 2" >> /etc/sysctl.conf
@@ -1,7 +1,6 @@
#!/bin/bash

# Clean sysctl config directories
rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
{{{ bash_sysctl_test_clean() }}}

sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
echo "net.ipv4.conf.default.accept_source_route = 1" >> /run/sysctl.d/run.conf
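Review bot: this scenario appends to `/run/sysctl.d/run.conf` right after `bash_sysctl_test_clean()`; if the macro removes the `/run/sysctl.d` directory itself rather than only its contents (the old `rm -rf /run/sysctl.d/*` kept the directory), the `>>` redirection fails and the scenario errors out instead of testing the wrong value. Either have the macro guarantee the directories exist or add `mkdir -p /run/sysctl.d` before the `echo`.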
@@ -4,7 +4,7 @@ prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15

title: 'Set Kernel Parameter to Increase Local Port Range'

description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.ip_local_port_range", value="32768 65535") }}}'
description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.ip_local_port_range", value=xccdf_value("sysctl_net_ipv4_ip_local_port_range_value")) }}}'

rationale: |-
This setting defines the local port range that is used by TCP and UDP to
@@ -23,13 +23,12 @@ identifiers:
references:
anssi: BP28(R22)

{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.ip_local_port_range", value="32768 65535") }}}
{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.ip_local_port_range", value=xccdf_value("sysctl_net_ipv4_ip_local_port_range_value")) }}}

template:
name: sysctl
vars:
sysctlvar: net.ipv4.ip_local_port_range
datatype: string
sysctlval: 32768 65535
operation: pattern match
sysctlval_regex: '32768\s*65535'
correct_sysctlval_for_testing: 32768 65535
wrong_sysctlval_for_testing: 48000 60000
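Review bot: dropping `operation: pattern match` and `sysctlval_regex: '32768\s*65535'` in favour of a plain XCCDF string value changes how whitespace in the configured value is compared: the removed regex accepted any run of whitespace between the two numbers, whereas comparing against the string `32768 65535` will not match `32768  65535` or a tab-separated pair as found in real config files. State how the comparison normalises whitespace (the commit list mentions `oval_var_trim`; if that is what covers it, document it in `template_reference.md`) and keep one scenario with a tab-separated correct value so the regression is caught. `wrong_sysctlval_for_testing: 48000 60000` is a good choice since it is a valid range that is merely non-compliant.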
@@ -0,0 +1,17 @@
documentation_complete: true

title: net.ipv4.ip_local_port_range

description: |-
Configure the local port range that is used by TCP and UDP to choose the
local port. First number is start of range and last number is last of range.

type: string

operator: equals

interactive: true

options:
default: 32768 65535
fedora: 32768 60999
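Review bot: "First number is start of range and last number is last of range." is awkward; "The first number is the start of the range and the second is the end of the range." says the same thing. Since `type: string` with `operator: equals` accepts any text, the description should spell out the exact expected format (two integers separated by a single space, as in the `default` option), because a profile that sets `32768  65535` or a tab would silently produce a value the check never matches and a remediation that writes the malformed string into `sysctl.conf`.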
@@ -1,6 +1,6 @@
documentation_complete: true

prodtype: ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle15
prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle15

title: 'Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments'

@@ -1,6 +1,6 @@
documentation_complete: true

prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15
prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15

title: 'Enable Kernel Parameter to Use TCP RFC 1337 on IPv4 Interfaces'

@@ -69,7 +69,7 @@ template:
name: sysctl
vars:
sysctlvar: kernel.kptr_restrict
{{% if 'ol' in product or 'rhel' in product %}}
{{% if product in ['fedora'] or 'ol' in product or 'rhel' in product %}}
sysctlval:
- '1'
- '2'
@@ -1,8 +1,7 @@
#!/bin/bash
# platform = multi_platform_ol,multi_platform_rhel
# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel

# Clean sysctl config directories
rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
{{{ bash_sysctl_test_clean() }}}

sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf
echo "kernel.kptr_restrict = 1" >> /etc/sysctl.conf
@@ -1,8 +1,7 @@
#!/bin/bash
# platform = multi_platform_ol,multi_platform_rhel
# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel

# Clean sysctl config directories
rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
{{{ bash_sysctl_test_clean() }}}

sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf
echo "kernel.kptr_restrict = 2" >> /etc/sysctl.conf
@@ -13,7 +13,7 @@ rationale: |-

severity: medium

{{% if product in ["rhel9"] %}}
{{% if product in ["fedora", "rhel9"] %}}
conflicts:
- sysctl_kernel_core_pattern_empty_string
{{% endif %}}
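Review bot: declaring a conflict with `sysctl_kernel_core_pattern_empty_string` for `fedora` only makes sense if that rule is itself enabled for Fedora; the commit list shows it being moved onto the sysctl template, but no `prodtype` hunk for it is visible in this diff, so please confirm its `prodtype` includes `fedora` (and that the reverse `conflicts` entry exists in that rule) or the build will reference a rule that does not exist for the product. Quoting here (`["fedora", "rhel9"]`) also differs from the `['fedora']` style used in the other conditions in this patch.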

This file was deleted.

This file was deleted.