kernel_parameter logic about secure_linux_cis HOT 3 OPEN

This Puppet module uses herculesteam's augeasproviders_grub module for the kernel_parameter resource to do the heavy lifting. Complication 1 should/could be fixed in that module, so that this module can also benefit from it.

Complication 2 is beyond the scope of the secure_linux_cis module, as the CIS benchmarks it implements already specify which of the 2 GRUB variables should be used for which settings. Adding the parameter to the other GRUB CMDLINE variable would make no sense if complying to the CIS benchmark is your goal.

from secure_linux_cis.

Thanks for your reply @bjvrielink

In that case, there's some inconsistencies in the RHEL 7 & 8 CIS benchmarks & bootmodes this module enforces. For example

This module adds ipv6.disable=1 & audit_backlog_limit=8192 to GRUB_CMDLINE_LINUX_DEFAULT while the CIS controls for both RHEL 7 & 8 specify GRUB_CMDLINE_LINUX to be used for these variables. There may be other inconsistencies, I can take a look over the weekend.

How would you like to proceed?

from secure_linux_cis.

I agree with you that these 2 (and maybe others, I did not check all cases where kernel_parameter is used) do use the wrong GRUB_CMDLINE_*, as all Linux CIS benchmarks specify GRUB_CMDLINE_LINUX, not just RHEL 7 & 8 for these specific parameters.

I think a pull request that uses the correct kernel_parameter bootmode (either 'all' (or absent) for GRUB_CMDLINE_LINUX or 'normal' for GRUB_CMDLINE_LINUX_DEFAULT) is the way to go.
Of course, this would lead to duplicate entries for systems that already use this Puppet module, unless complication 1 is fixed by the Herculesteam.

from secure_linux_cis.