Comments (3)
This Puppet module uses herculesteam's augeasproviders_grub module for the kernel_parameter resource to do the heavy lifting. Complication 1 should/could be fixed in that module, so that this module can also benefit from it.
Complication 2 is beyond the scope of the secure_linux_cis module, as the CIS benchmarks it implements already specify which of the 2 GRUB variables should be used for which settings. Adding the parameter to the other GRUB CMDLINE variable would make no sense if complying with the CIS benchmark is your goal.
Thanks for your reply @bjvrielink
In that case, there are some inconsistencies between the RHEL 7 & 8 CIS benchmarks and the bootmodes this module enforces. For example: this module adds ipv6.disable=1 & audit_backlog_limit=8192 to GRUB_CMDLINE_LINUX_DEFAULT, while the CIS controls for both RHEL 7 & 8 specify GRUB_CMDLINE_LINUX to be used for these variables. There may be other inconsistencies; I can take a look over the weekend.
How would you like to proceed?
I agree with you that these 2 (and maybe others, I did not check all cases where kernel_parameter is used) do use the wrong GRUB_CMDLINE_*, as all Linux CIS benchmarks specify GRUB_CMDLINE_LINUX, not just RHEL 7 & 8 for these specific parameters.
I think a pull request that uses the correct kernel_parameter bootmode (either 'all' (or absent) for GRUB_CMDLINE_LINUX or 'normal' for GRUB_CMDLINE_LINUX_DEFAULT) is the way to go.
Of course, this would lead to duplicate entries for systems that already use this Puppet module, unless complication 1 is fixed by the Herculesteam.
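The thread above describes two things a reviewer of a fixed node would want to check: that each CIS kernel parameter now lives in GRUB_CMDLINE_LINUX, and that no stale copy from the old 'normal' bootmode is left in GRUB_CMDLINE_LINUX_DEFAULT (complication 1). The following audit script is an added example, not code from secure_linux_cis or augeasproviders_grub; the /etc/default/grub contents, the parameter list and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed /etc/default/grub sample: the module has been switched to bootmode
# 'all', but one parameter is still duplicated in GRUB_CMDLINE_LINUX_DEFAULT and
# one expected parameter (audit=1) was never set at all.
SAMPLE_GRUB='GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1"
GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet ipv6.disable=1 audit_backlog_limit=8192"'

# has_param FILE VAR PARAM: exit 0 if PARAM is a whole word in VAR's quoted value.
# "^$2=" cannot match GRUB_CMDLINE_LINUX_DEFAULT when VAR is GRUB_CMDLINE_LINUX,
# because the '=' must follow the variable name directly.
has_param() {
  grep -E "^$2=" "$1" | tr -d '"' | cut -d= -f2- | tr ' ' '\n' | grep -qx -- "$3"
}

# check_cis_param FILE PARAM
#   returns 0: set in GRUB_CMDLINE_LINUX only (what the benchmark asks for)
#   returns 1: missing from GRUB_CMDLINE_LINUX
#   returns 2: set, but a stale copy remains in GRUB_CMDLINE_LINUX_DEFAULT
check_cis_param() {
  if ! has_param "$1" GRUB_CMDLINE_LINUX "$2"; then
    echo "FAIL: $2 not set in GRUB_CMDLINE_LINUX"
    return 1
  fi
  if has_param "$1" GRUB_CMDLINE_LINUX_DEFAULT "$2"; then
    echo "WARN: $2 also present in GRUB_CMDLINE_LINUX_DEFAULT (stale 'normal' bootmode entry)"
    return 2
  fi
  echo "PASS: $2 set in GRUB_CMDLINE_LINUX"
  return 0
}

# Stand-alone run over the constructed sample; on a real host point it at /etc/default/grub.
grub_file=$(mktemp)
printf '%s\n' "$SAMPLE_GRUB" > "$grub_file"
for p in ipv6.disable=1 audit_backlog_limit=8192 audit=1; do
  check_cis_param "$grub_file" "$p" || true
done
rm -f "$grub_file"
```

A non-zero result for any parameter means the host still differs from what the benchmark expects, even though the module run itself reported no changes.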