
sysctl-34 - fs.protected_regular not set #536

Open
partha005 opened this issue Apr 26, 2022 · 7 comments

Comments

@partha005
Copy link

Hello!

My playbook reports that the fs.protected_regular setting is changed, but it is not actually reflected on the system:

ok: [localhost] => (item={u'key': u'net.ipv4.conf.all.arp_announce', u'value': 2})
ok: [localhost] => (item={u'key': u'net.ipv4.conf.all.rp_filter', u'value': 1})
changed: [localhost] => (item={u'key': u'fs.protected_regular', u'value': 2}) <<<<<
ok: [localhost] => (item={u'key': u'net.ipv4.conf.default.send_redirects', u'value': 0})
ok: [localhost] => (item={u'key': u'net.ipv4.conf.all.accept_redirects', u'value': 0})

Not actually set:
[root@ip-10-0-0-24 roles]# sysctl -n fs.protected_hardlinks fs.protected_regular
1
sysctl: cannot stat /proc/sys/fs/protected_regular: No such file or directory
[root@ip-10-0-0-24 roles]# sysctl -a | egrep -i "fs.protected_hardlinks|fs.protected_regular"
fs.protected_hardlinks = 1
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.eth0.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
[root@ip-10-0-0-24 roles]#

Please refer to: https://github.com/dev-sec/ansible-collection-hardening/pull/494/files

Could you please check, or is it possible that the issue only happens on my system?

@schurzi
Copy link
Contributor

schurzi commented Apr 26, 2022

Hi @partha005 ,

it seems your Linux distribution does not have this sysctl. Can you tell us what OS you are running? You can find this information in /etc/os-release.

@partha005
Copy link
Author

Thanks for taking a look. It is CentOS.
[root@ip-10-0-0-217 ~]# cat /etc/centos-release
CentOS Linux release 7.9.2009 (Core)
[root@ip-10-0-0-217 ~]# uname -a
Linux ip-10-0-0-217 3.10.0-1160.62.1.el7.x86_64 #1 SMP Tue Apr 5 16:57:59 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
[root@ip-10-0-0-217 ~]#

@partha005
Copy link
Author

I do see that an entry is made in sysctl.conf, but it fails to set when I try to reload:
[root@ip-10-0-0-217 ~]# cat /etc/sysctl.conf | grep -i protected_regular
fs.protected_regular=2
[root@ip-10-0-0-217 ~]#

[root@ip-10-0-0-217 ~]# sysctl -p
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
sysctl: cannot stat /proc/sys/fs/protected_fifos: No such file or directory
sysctl: cannot stat /proc/sys/fs/protected_regular: No such file or directory
fs.suid_dumpable = 0

Thanks

@partha005
Copy link
Author

Hi @schurzi, is there a way by which we could filter out settings related to a different distribution being tested in InSpec?

@partha005
Copy link
Author

partha005 commented Apr 28, 2022

So I did check on an Ubuntu instance, and this parameter is present there.
Now I'm wondering why InSpec checks for this param on a CentOS machine.

$ sysctl -a | grep -i protected
fs.protected_fifos = 1
fs.protected_hardlinks = 1
fs.protected_regular = 2
fs.protected_symlinks = 1
$
$ cat /usr/src/linux-aws-5.11-headers-5.11.0-1022/include/linux/fs.h | grep -i protected_regular
extern int sysctl_protected_regular;
$

@schurzi
Copy link
Contributor

schurzi commented May 4, 2022

This will get a bit more complicated. As per my tests, CentOS 8 supports all these sysctls. So we would need to match the supported options to the respective distros. I can take a look into this, but it will take some time.

> Hi @schurzi, is there a way by which we could filter out settings related to a different distribution being tested in InSpec?

This should be easy. InSpec has some options to change its behavior: https://docs.chef.io/inspec/cli/#options-3. We are using a waiver.yml file to skip some tests in our CI. This should also be usable by you.

see:

```shell
command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit --waiver-file waivers.yaml https://github.com/dev-sec/linux-baseline/archive/refs/heads/master.zip"
```

and the waiver file entry:

```yaml
os-14:
  run: false
  justification: "not yet implemented"
```

@partha005
Copy link
Author

Thanks @schurzi . We have excluded sysctl-34 from being checked, for the time being.

Also, this I believe is the original commit to the kernel, if that helps in some way: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=30aba6656f61ed44cba445a3c0d38b296fa9e8f5

Thanks!
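The root cause discussed in this thread is that fs.protected_regular and fs.protected_fifos only exist on kernels that carry the commit linked above (mainline 4.19 and later), so CentOS 7's 3.10 kernel has no /proc/sys/fs/protected_regular and `sysctl -p` reports "cannot stat". The following shell functions, as an added example that is not code from the dev-sec collection or from anyone in this thread, apply a list of key=value settings only where the running kernel exposes the key, and report the skipped ones rather than failing. The PROC_SYS_ROOT override, the function names and the sample key list are assumptions made for this illustration; writing to the real /proc/sys requires root.

```shell
#!/usr/bin/env bash
# Added example, not part of dev-sec/ansible-collection-hardening.
# Apply sysctl settings only when the kernel exposes the key under /proc/sys.
# PROC_SYS_ROOT is an assumed override so the functions can be exercised
# against a scratch directory instead of the real /proc/sys.
set -u

# Translate a dotted sysctl key (fs.protected_regular) into its path
# below /proc/sys (/proc/sys/fs/protected_regular).
sysctl_path() {
    printf '%s/%s\n' "${PROC_SYS_ROOT:-/proc/sys}" "$(printf '%s' "$1" | tr . /)"
}

# Succeed only if the running kernel exposes the key. This is the check
# that `sysctl -p` does not perform before failing with "cannot stat".
sysctl_supported() {
    [ -e "$(sysctl_path "$1")" ]
}

# Apply key=value arguments. Keys the kernel does not expose are collected
# and printed (space separated) instead of aborting the run.
apply_sysctls() {
    skipped=""
    for kv in "$@"; do
        key=${kv%%=*}
        value=${kv#*=}
        if sysctl_supported "$key"; then
            printf '%s\n' "$value" > "$(sysctl_path "$key")"
        else
            skipped="${skipped}${skipped:+ }${key}"
        fi
    done
    printf '%s\n' "$skipped"
}

# Compare a kernel release string (output of `uname -r`) against a minimum
# major.minor version. fs.protected_regular and fs.protected_fifos were
# introduced in mainline 4.19, so 3.10.0-1160.62.1.el7 lacks them while
# 5.11.0-1022-aws has them.
kernel_at_least() {
    rel=${1%%-*}                 # drop the "-1160.62.1.el7.x86_64" style suffix
    have_major=${rel%%.*}
    rest=${rel#*.}
    have_minor=${rest%%.*}
    want_major=${2%%.*}
    want_minor=${2#*.}
    want_minor=${want_minor%%.*}
    [ "$have_major" -gt "$want_major" ] ||
        { [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]; }
}

# Read-only report when run as `./script --check`: which of the four
# fs.protected_* keys the current kernel exposes. Sample key list assumed.
if [ "${1:-}" = "--check" ]; then
    for key in fs.protected_hardlinks fs.protected_symlinks \
               fs.protected_fifos fs.protected_regular; do
        if sysctl_supported "$key"; then
            echo "$key: present"
        else
            echo "$key: absent (kernel $(uname -r) predates it or it is disabled)"
        fi
    done
fi
```

On the CentOS 7 host from this thread, `apply_sysctls fs.protected_hardlinks=1 fs.protected_regular=2` would set the hardlink protection and print `fs.protected_regular` as skipped; the same logic can back an Ansible `when:` guard (for example a `stat` of /proc/sys/fs/protected_regular) so the task reports `ok` instead of a `changed` that never took effect. Note that fs.protected_regular=2 and fs.protected_fifos=2 only have an effect on kernels that expose them; skipping them on 3.10 does not weaken anything that kernel could enforce.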
