Don't scan dir with preconfigured sysctls #8718
Conversation
With the introduction of checks for options defined in multiple files, the pre-configured sysctls became prominent and started to cause rules to fail. In /usr/lib/sysctl.d there are sysctl options defined by systemd and other packages. The files in which these options are defined are not meant to be edited; these options should be overridden by options in dirs of higher priority, like /etc/sysctl.d or /etc/sysctl.conf. Remediating these files will cause problems with rule rpm_verify_hashes, as these files are not RPM config files. As the sysctl remediations don't edit the pre-configured files, the rule will always result in error. This commit removes the checks for the pre-configured directory, i.e. /usr/lib/sysctl.d/. The end result is that any sysctl option that is pre-configured in /usr/lib/sysctl.d will be defined in two files, the pre-configured one and /etc/sysctl.conf. The sysctl option in effect should be the one configured in /etc/sysctl.conf, as this file has the highest priority for sysctl.
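The precedence the description relies on, as an added example that is not part of this PR or of ComplianceAsCode/content: a POSIX shell script that reproduces the file selection of `sysctl --system` on a constructed directory tree and reports which file ends up defining a key. It assumes the order documented in sysctl(8) and sysctl.d(5): /etc/sysctl.d, /run/sysctl.d, /usr/local/lib/sysctl.d, /usr/lib/sysctl.d, /lib/sysctl.d, with a basename in an earlier directory masking the same basename in later ones, the surviving files applied in sorted basename order, and /etc/sysctl.conf read last. The function names, the mock tree and every value in it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not ComplianceAsCode/content code: reproduce the file
# selection of `sysctl --system` on a constructed tree so the precedence the
# PR relies on can be checked. Assumed semantics (sysctl(8), sysctl.d(5)):
#   1. directories are consulted in the order in SYSCTL_DIRS; a basename
#      found in an earlier directory masks the same basename in later ones;
#   2. the surviving files are applied in sorted basename order, so when a
#      key is set in two different files the later one wins;
#   3. /etc/sysctl.conf is applied after all of them and overrides everything.
# Paths are taken relative to a ROOT prefix so this never touches the host.

SYSCTL_DIRS="etc/sysctl.d run/sysctl.d usr/local/lib/sysctl.d usr/lib/sysctl.d lib/sysctl.d"

# sysctl_files ROOT: print the files sysctl --system would apply, in order.
sysctl_files() {
    root=$1; seen=""; list=""
    for d in $SYSCTL_DIRS; do
        for f in "$root/$d"/*.conf; do
            [ -f "$f" ] || continue            # unmatched glob or non-file: skip
            b=${f##*/}
            case " $seen " in *" $b "*) continue ;; esac   # masked by earlier dir
            seen="$seen $b"
            list="$list$b $f
"
        done
    done
    # basenames are unique by now, so sorting whole lines sorts by basename
    printf '%s' "$list" | LC_ALL=C sort | cut -d' ' -f2-
    if [ -f "$root/etc/sysctl.conf" ]; then
        printf '%s\n' "$root/etc/sysctl.conf"
    fi
}

# key_re KEY: the key as a regex fragment (dots escaped) for grep -E and sed.
key_re() { printf '%s' "$1" | sed 's/[.]/\\./g'; }

# effective_source ROOT KEY: path of the file whose setting of KEY is in
# effect, i.e. the last applied file with a live (uncommented) KEY line.
effective_source() {
    root=$1; re=$(key_re "$2"); winner=""
    for f in $(sysctl_files "$root"); do
        # live line: blanks, optional '-' (sysctl's ignore-errors prefix), KEY, blanks, '='
        if grep -Eq "^[[:space:]]*-?$re[[:space:]]*=" "$f"; then
            winner=$f
        fi
    done
    printf '%s\n' "$winner"
}

# effective_value ROOT KEY: the value that wins for KEY (empty if unset).
effective_value() {
    src=$(effective_source "$1" "$2"); re=$(key_re "$2")
    [ -n "$src" ] || return 0
    sed -n "s/^[[:space:]]*-\{0,1\}$re[[:space:]]*=[[:space:]]*//p" "$src" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# make_mock_tree ROOT: constructed sample tree (not taken from any real host).
make_mock_tree() {
    root=$1
    mkdir -p "$root/usr/lib/sysctl.d" "$root/run/sysctl.d" "$root/etc/sysctl.d"
    # vendor file of the kind the PR stops scanning: a value a rule forbids
    printf 'net.ipv4.conf.all.rp_filter = 2\n' > "$root/usr/lib/sysctl.d/50-default.conf"
    # same basename under /etc: masks the vendor copy completely
    printf 'net.ipv4.conf.all.accept_redirects = 0\n' > "$root/etc/sysctl.d/50-default.conf"
    # runtime drop-in (the directory the PR adds to the remediations)
    printf 'net.ipv4.conf.all.rp_filter = 0\n' > "$root/run/sysctl.d/10-runtime.conf"
    # admin drop-in sorted after 10-runtime.conf, so it overrides it
    printf 'net.ipv4.conf.all.rp_filter = 1\n' > "$root/etc/sysctl.d/90-hardening.conf"
    # vendor default that /etc/sysctl.conf overrides only by being read last
    printf 'net.ipv6.conf.all.disable_ipv6 = 0\n' > "$root/usr/lib/sysctl.d/99-ipv6.conf"
    printf '# local overrides\nnet.ipv6.conf.all.disable_ipv6 = 1\n' > "$root/etc/sysctl.conf"
}

demo() {
    t=$(mktemp -d)
    make_mock_tree "$t"
    echo "files applied, in order:"; sysctl_files "$t" | sed "s|^$t||"
    for k in net.ipv4.conf.all.rp_filter net.ipv6.conf.all.disable_ipv6 \
             net.ipv4.conf.all.accept_redirects; do
        printf '%s = %s  (from %s)\n' "$k" "$(effective_value "$t" "$k")" \
            "$(effective_source "$t" "$k" | sed "s|^$t||")"
    done
    rm -rf "$t"
}
demo
```

Run it as-is to see the constructed tree resolved; `effective_source / net.ipv4.conf.all.rp_filter` does the same read-only lookup on a real host. Two things the mock tree makes visible: the masked vendor `50-default.conf` never enters the list at all, while the vendor `99-ipv6.conf` does and is beaten only because /etc/sysctl.conf is read last. A vendor drop-in that sorts after the admin's own drop-in would otherwise win, which is why writing the remediated value to /etc/sysctl.conf, rather than editing the vendor file, is the robust choice.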
I was reviewing the latest OL STIG update and noticed that DISA requires checking the sysctl options in:
This is the same for RHEL.
This logic can apply to any directory where the distro ships sysctl configuration options.
@Xeicker Should I make the same changes for OL too?
Yes please.
Also because of the OVAL criterion
The config files in this directory should not be edited; they should be overwritten by settings in /etc/sysctl.d and /etc/sysctl.conf.
Also comment sysctl config file in /run/sysctl.d.
Branch force-pushed from 2a70b26 to 66020fc.
@Xeicker Do you know of examples of sysctl config files in Although FHS states that [0] https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch03s15.html
This datastream diff is auto generated by the check.
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv6.conf.all.disable_ipv6 from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.disable_ipv6.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
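Review bot: the new `/run/sysctl.d/*.conf` glob reaches `grep` as a literal path on any host where that directory is missing or holds no `*.conf` file, because nothing sets nullglob and `$f` is unquoted; the loop then runs `grep` against `/run/sysctl.d/*.conf`, prints a "No such file" error and carries on with an empty `matching_list`. Add `[ -f "$f" ] || continue` as the first statement of the loop body (or `shopt -s nullglob` before it) and quote `"$f"` in the grep call. The comment above the loop still says `from /etc/sysctl.d/*.conf files`; update it to name `/run/sysctl.d` too. Since /run is a runtime directory, also note somewhere (description or comment) that an edit made there does not survive a reboot, so this only resolves the conflict for the running system. The same points apply to every bash hunk in this diff, which differ only in the key name.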
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv6.conf.all.disable_ipv6.*$
patterns: '*.conf'
register: find_sysctl_d
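Review bot: the task name `List /etc/sysctl.d/*.conf files` no longer describes the task now that `paths` also lists `/run/sysctl.d/`; rename it (for example `List sysctl.d drop-in files`) so the play output is not misleading about which files the later tasks that consume `find_sysctl_d` may edit. Also confirm what the `find` module does on a host where `/run/sysctl.d/` does not exist: the task has no `failed_when`/`ignore_errors` guard, and the rest of the remediation hangs off `find_sysctl_d.files`, so a failure or a warning-only skip here needs to be the intended behaviour. Same for every ansible hunk below.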
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv6.conf.default.disable_ipv6 from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.disable_ipv6.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv6.conf.default.disable_ipv6.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv6.conf.all.accept_ra from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_ra.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
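Review bot: `grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_ra.*$'` is a prefix match, so this loop also treats `net.ipv6.conf.all.accept_ra_defrtr`, `accept_ra_pinfo` and `accept_ra_rtr_pref` lines (each remediated by its own rule further down in this diff) as occurrences of `accept_ra` and comments them out; the unescaped dots and the leading `.*` widen it further, since the key may appear anywhere after the first character and a line such as `  # net.ipv6...` is not excluded by `(?!#)`. Anchor the key and the separator, e.g. `grep -P '^\s*net\.ipv6\.conf\.all\.accept_ra\s*='`. The `net.ipv6.conf.default.accept_ra` hunk below overlaps its `accept_ra_*` siblings in the same way.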
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv6.conf.all.accept_ra.*$
patterns: '*.conf'
register: find_sysctl_d
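Review bot: `contains: ^[\s]*net.ipv6.conf.all.accept_ra.*$` lists files that only set `accept_ra_defrtr`, `accept_ra_pinfo` or `accept_ra_rtr_pref`, so this task hands the drop-ins of those three rules to the comment-out step of the `accept_ra` rule. Tighten it to `^\s*net\.ipv6\.conf\.all\.accept_ra\s*=` so only the exact key matches; the `default.accept_ra` task below needs the same fix.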
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv6.conf.all.accept_ra_defrtr from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_ra_defrtr.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv6.conf.all.accept_ra_defrtr.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv6.conf.all.accept_ra_pinfo from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_ra_pinfo.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv6.conf.all.accept_ra_pinfo.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv6.conf.all.accept_ra_rtr_pref from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_ra_rtr_pref.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv6.conf.all.accept_ra_rtr_pref.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv6.conf.all.accept_redirects from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_redirects.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv6.conf.all.accept_redirects.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv6.conf.all.accept_source_route from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.accept_source_route.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv6.conf.all.accept_source_route.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv6.conf.all.autoconf from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.autoconf.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv6.conf.all.autoconf.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv6.conf.all.forwarding from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.forwarding.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv6.conf.all.forwarding.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv6.conf.all.max_addresses from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.max_addresses.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv6.conf.all.max_addresses.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv6.conf.all.router_solicitations from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.router_solicitations.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv6.conf.all.router_solicitations.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv6.conf.default.accept_ra from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_ra.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv6.conf.default.accept_ra.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_defrtr' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv6.conf.default.accept_ra_defrtr from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_ra_defrtr.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_defrtr' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv6.conf.default.accept_ra_defrtr.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_pinfo' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv6.conf.default.accept_ra_pinfo from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_ra_pinfo.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_pinfo' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv6.conf.default.accept_ra_pinfo.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv6.conf.default.accept_ra_rtr_pref from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_ra_rtr_pref.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv6.conf.default.accept_ra_rtr_pref.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv6.conf.default.accept_redirects from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_redirects.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv6.conf.default.accept_redirects.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv6.conf.default.accept_source_route from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.accept_source_route.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv6.conf.default.accept_source_route.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_autoconf' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv6.conf.default.autoconf from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.autoconf.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_autoconf' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv6.conf.default.autoconf.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_max_addresses' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv6.conf.default.max_addresses from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.max_addresses.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_max_addresses' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv6.conf.default.max_addresses.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_router_solicitations' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv6.conf.default.router_solicitations from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.router_solicitations.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_router_solicitations' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv6.conf.default.router_solicitations.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_local' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv4.conf.all.accept_local from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.accept_local.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_local' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv4.conf.all.accept_local.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv4.conf.all.accept_redirects from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.accept_redirects.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv4.conf.all.accept_redirects.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv4.conf.all.accept_source_route from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.accept_source_route.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv4.conf.all.accept_source_route.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_arp_filter' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv4.conf.all.arp_filter from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.arp_filter.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_arp_filter' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv4.conf.all.arp_filter.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_arp_ignore' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv4.conf.all.arp_ignore from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.arp_ignore.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_arp_ignore' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv4.conf.all.arp_ignore.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_drop_gratuitous_arp' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv4.conf.all.drop_gratuitous_arp from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.drop_gratuitous_arp.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_drop_gratuitous_arp' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv4.conf.all.drop_gratuitous_arp.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv4.conf.all.log_martians from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.log_martians.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv4.conf.all.log_martians.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_route_localnet' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv4.conf.all.route_localnet from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.route_localnet.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_route_localnet' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv4.conf.all.route_localnet.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv4.conf.all.rp_filter from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.rp_filter.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv4.conf.all.rp_filter.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv4.conf.all.secure_redirects from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.secure_redirects.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv4.conf.all.secure_redirects.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_shared_media' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv4.conf.all.shared_media from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.shared_media.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_shared_media' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv4.conf.all.shared_media.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv4.conf.default.accept_redirects from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.accept_redirects.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv4.conf.default.accept_redirects.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv4.conf.default.accept_source_route from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.accept_source_route.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv4.conf.default.accept_source_route.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv4.conf.default.log_martians from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.log_martians.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv4.conf.default.log_martians.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv4.conf.default.rp_filter from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.rp_filter.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv4.conf.default.rp_filter.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv4.conf.default.secure_redirects from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.secure_redirects.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv4.conf.default.secure_redirects.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_shared_media' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv4.conf.default.shared_media from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.shared_media.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_shared_media' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv4.conf.default.shared_media.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv4.icmp_echo_ignore_broadcasts from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.icmp_echo_ignore_broadcasts.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv4.icmp_echo_ignore_broadcasts.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv4.icmp_ignore_bogus_error_responses from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.icmp_ignore_bogus_error_responses.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv4.icmp_ignore_bogus_error_responses.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_local_port_range' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv4.ip_local_port_range from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.ip_local_port_range.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_local_port_range' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv4.ip_local_port_range.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_invalid_ratelimit' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv4.tcp_invalid_ratelimit from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.tcp_invalid_ratelimit.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_invalid_ratelimit' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv4.tcp_invalid_ratelimit.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_rfc1337' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv4.tcp_rfc1337 from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.tcp_rfc1337.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_rfc1337' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv4.tcp_rfc1337.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv4.tcp_syncookies from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.tcp_syncookies.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv4.tcp_syncookies.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv4.conf.all.send_redirects from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.send_redirects.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv4.conf.all.send_redirects.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv4.conf.default.send_redirects from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.send_redirects.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv4.conf.default.send_redirects.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv4.ip_forward from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.ip_forward.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.ipv4.ip_forward.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of fs.protected_hardlinks from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*fs.protected_hardlinks.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*fs.protected_hardlinks.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of fs.protected_symlinks from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*fs.protected_symlinks.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*fs.protected_symlinks.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*kernel.core_pattern.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*kernel.core_pattern.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of kernel.dmesg_restrict from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*kernel.dmesg_restrict.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*kernel.dmesg_restrict.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of kernel.kexec_load_disabled from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*kernel.kexec_load_disabled.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*kernel.kexec_load_disabled.*$
patterns: '*.conf'
register: find_sysctl_d
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_modules_disabled' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*kernel.modules_disabled.*$
patterns: '*.conf'
register: find_sysctl_d
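Review bot: for `sysctl_kernel_modules_disabled` only the ansible remediation appears in this listing; there is no bash hunk between the previous rule's ansible diff and this one, while every other rule shows both. If that rule's bash remediation is hand-written rather than produced with the others, it still loops only over `/etc/sysctl.d/*.conf`, so either update it to cover `/run/sysctl.d/*.conf` as well or state in the PR why bash intentionally differs for this rule.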
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_panic_on_oops' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of kernel.panic_on_oops from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*kernel.panic_on_oops.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_panic_on_oops' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*kernel.panic_on_oops.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_cpu_time_max_percent' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of kernel.perf_cpu_time_max_percent from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*kernel.perf_cpu_time_max_percent.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_cpu_time_max_percent' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*kernel.perf_cpu_time_max_percent.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_max_sample_rate' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of kernel.perf_event_max_sample_rate from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*kernel.perf_event_max_sample_rate.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_max_sample_rate' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*kernel.perf_event_max_sample_rate.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of kernel.perf_event_paranoid from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*kernel.perf_event_paranoid.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*kernel.perf_event_paranoid.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_pid_max' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of kernel.pid_max from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*kernel.pid_max.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_pid_max' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*kernel.pid_max.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_sysrq' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of kernel.sysrq from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*kernel.sysrq.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_sysrq' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*kernel.sysrq.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of kernel.unprivileged_bpf_disabled from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*kernel.unprivileged_bpf_disabled.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*kernel.unprivileged_bpf_disabled.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of kernel.yama.ptrace_scope from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*kernel.yama.ptrace_scope.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*kernel.yama.ptrace_scope.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.core.bpf_jit_harden from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*net.core.bpf_jit_harden.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
find:
- paths: /etc/sysctl.d/
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
contains: ^[\s]*net.core.bpf_jit_harden.*$
patterns: '*.conf'
register: find_sysctl_d
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces' differs:
--- old datastream
+++ new datastream
@@ -2,7 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of user.max_user_namespaces from /etc/sysctl.d/*.conf files
-for f in /etc/sysctl.d/*.conf ; do
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
matching_list=$(grep -P '^(?!#).*[\s]*user.max_user_namespaces.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
- name: List /etc/sysctl.d/*.conf files
... The diff is trimmed here ...
Not really, I just saw that sysctl uses that directory for configuration, and DISA requires checking it. So I thought that there could be a scenario that Ansible or Bash wouldn't fix.
Looks good, I tested it in a VM because sysctl seems to be problematic in containers. Tests pass and changes look sane.
Just small changes to documentation are needed.
Typo sysct.d -> sysctl.d
And both OL and RHEL skip checking sysctl options in /usr/lib/sysctl.d
Co-authored-by: vojtapolasek <krecoun@gmail.com>
@yuumasato: The following tests failed, say
Looks good now, thank you.
Description:
- Don't check /usr/lib/sysctl.d when checking for sysctl options.
- The option gets defined in /etc/sysctl.conf and the system will be compliant.
- Check /etc/sysctl.d/ and /run/sysctl.d/.

Rationale:
With the introduction of checks for options defined in multiple files, the pre-configured sysctls became prominent and started to cause rules to fail.

In /usr/lib/sysctl.d there are sysctl options defined by systemd and other packages. The files in which these options are defined are not meant to be edited; these options should be overridden by options in dirs of higher priority, like /etc/sysctl.d or /etc/sysctl.conf. Remediating these files will cause problems with rule rpm_verify_hashes, as these files are not RPM config files. As the sysctl remediations don't edit the pre-configured files, the rule will always result in error.

This commit removes the checks for the pre-configured directory, i.e. /usr/lib/sysctl.d/.

The end result is that any sysctl option that is pre-configured in /usr/lib/sysctl.d will be defined in two files, the pre-configured one and /etc/sysctl.conf. The sysctl option in effect should be the one configured in /etc/sysctl.conf, as this file has the highest priority for sysctl.
Rules that produce error results in RHEL for sysctl options that are pre-configured, like:
- sysctl_kernel_yama_ptrace_scope
- sysctl_kernel_core_pattern
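The rationale above rests on sysctl precedence: a vendor value in /usr/lib/sysctl.d is left in place and the hardened value in /etc/sysctl.conf wins. As an added example, not code from the ComplianceAsCode project or from this PR, the POSIX shell script below follows the order procps `sysctl --system` documents in sysctl(8) (/etc/sysctl.d, /run/sysctl.d, /usr/local/lib/sysctl.d, /usr/lib/sysctl.d, /lib/sysctl.d; a .conf name already taken by an earlier directory is ignored, the survivors are applied in lexical order, and /etc/sysctl.conf is applied last), reports which file supplies a key's effective value, and lists the files in the directories the PR's remediation edits that still define the key. The function names, the fixture tree and its sample values are constructed for the demo; only the directory order and the precedence rules come from sysctl(8).

```shell
#!/bin/sh
# Added example for this PR discussion, not ComplianceAsCode code.
# Resolves which file supplies a sysctl key's effective value using the order
# procps `sysctl --system` documents in sysctl(8): the directories below are
# read top to bottom, a .conf name already taken by an earlier directory is
# ignored, the survivors are applied in lexical order, and /etc/sysctl.conf is
# applied last and therefore wins.  The fixture tree is constructed for the
# demo; a real host would be queried with root "/".
set -u

SYSCTL_DIRS="etc/sysctl.d run/sysctl.d usr/local/lib/sysctl.d usr/lib/sysctl.d lib/sysctl.d"

# Last uncommented "key = value" assignment of key $1 in file $2, or nothing.
value_in_file() {
  awk -v k="$1" '
    /^[ \t]*[#;]/ { next }                 # comment line
    index($0, "=") == 0 { next }           # not an assignment
    {
      key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
      val = substr($0, index($0, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == k) { last = val; found = 1 }
    }
    END { if (found) print last }' "$2"
}

# "name path" lines for the files sysctl --system would apply under root $1,
# in application order.  An unexpanded glob (absent or empty directory) is
# skipped by the -f test, the guard the PR's bash loop lacks.
config_files() {
  cf_root=${1%/}
  for d in $SYSCTL_DIRS; do
    for f in "$cf_root/$d"/*.conf; do
      [ -f "$f" ] || continue
      printf '%s %s\n' "${f##*/}" "$f"
    done
  done | awk '!seen[$1]++' | sort -k1,1
  if [ -f "$cf_root/etc/sysctl.conf" ]; then
    printf 'sysctl.conf %s\n' "$cf_root/etc/sysctl.conf"
  fi
}

# "value<TAB>file" for key $2 under root $1; empty output if no file sets it.
effective_sysctl() {
  key=$2
  config_files "$1" | while read -r _name path; do
    v=$(value_in_file "$key" "$path")
    if [ -n "$v" ]; then printf '%s\t%s\n' "$v" "$path"; fi
  done | tail -n 1
}

# Files in the directories the PR's remediation edits (/etc/sysctl.d,
# /run/sysctl.d, /etc/sysctl.conf) that set key $2 under root $1.  Vendor
# files in /usr/lib/sysctl.d are deliberately not listed, matching the PR.
conflicting_files() {
  key=$2
  config_files "$1" | while read -r _name path; do
    case "$path" in
      */etc/sysctl.d/*|*/run/sysctl.d/*|*/etc/sysctl.conf)
        if [ -n "$(value_in_file "$key" "$path")" ]; then printf '%s\n' "$path"; fi ;;
    esac
  done
}

# Constructed sample tree under $1: a vendor default and a stale /run copy of
# kernel.yama.ptrace_scope, the hardened value in /etc/sysctl.conf, and an
# /etc/sysctl.d file that masks the vendor file of the same name.
make_fixture() {
  fx_root=$1
  mkdir -p "$fx_root/etc/sysctl.d" "$fx_root/run/sysctl.d" "$fx_root/usr/lib/sysctl.d"
  printf 'kernel.yama.ptrace_scope = 0\nfs.protected_hardlinks = 1\n' \
    > "$fx_root/usr/lib/sysctl.d/10-default.conf"
  printf '# masks the vendor 10-default.conf\nfs.protected_hardlinks = 0\n' \
    > "$fx_root/etc/sysctl.d/10-default.conf"
  printf 'kernel.yama.ptrace_scope = 0\n' > "$fx_root/run/sysctl.d/50-runtime.conf"
  printf '# kernel.yama.ptrace_scope = 1\nkernel.yama.ptrace_scope = 1\n' \
    > "$fx_root/etc/sysctl.conf"
}

demo_root=$(mktemp -d)
make_fixture "$demo_root"
effective_sysctl "$demo_root" kernel.yama.ptrace_scope   # 1  .../etc/sysctl.conf
effective_sysctl "$demo_root" fs.protected_hardlinks     # 0  .../etc/sysctl.d/10-default.conf
conflicting_files "$demo_root" kernel.yama.ptrace_scope  # 50-runtime.conf, then sysctl.conf
rm -rf "$demo_root"
```

The second lookup shows the name-masking rule: the vendor 10-default.conf sets fs.protected_hardlinks to 1, but a file of the same name in /etc/sysctl.d hides it entirely, so 0 is in effect. The third call is the list a remediation like the one in this PR has to comment out before writing the value to /etc/sysctl.conf; the vendor copy in /usr/lib/sysctl.d is left alone, which is exactly why the check there was dropped.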