3.3.7 Ensure Reverse Path Filtering is enabled bug #106

Closed
brisky opened this issue Oct 31, 2023 · 7 comments · Fixed by #105
Labels
bug Something isn't working

Comments

@brisky
Contributor

brisky commented Oct 31, 2023

Describe the Issue
CIS-CAT assessment reports failure.

Expected Behavior
Assessment pass.

Actual Behavior
FAIL

  • Reason(s) for audit failure:
  • "net.ipv4.conf.default.rp_filter" is set incorrectly in "/usr/lib/sysctl.d/50-default.conf /lib/sysctl.d/50-default.conf"

Control(s) Affected
3.3.7 Ensure Reverse Path Filtering is enabled

Environment:

  • branch being used: devel
  • Ansible Version: 2.15.4
  • Host Python Version: 3.9.6
  • Ansible Server Python Version: 3.9.16
  • Additional Details: N/A

Possible Solution

- name: POST | Update usr sysctl
  ansible.builtin.lineinfile:
      dest: /usr/lib/sysctl.d/50-default.conf
      regexp: "{{ item.regexp }}"
      line: "{{ item.line }}"
  loop:
      # Dots are escaped so that each pattern matches only its own key;
      # an unescaped '^net.ipv4.conf.*.rp_filter' would also match the
      # default.rp_filter line and lineinfile would overwrite it.
      - { regexp: '^net\.ipv4\.conf\.default\.rp_filter', line: 'net.ipv4.conf.default.rp_filter = 1' }
      - { regexp: '^net\.ipv4\.conf\.\*\.rp_filter', line: 'net.ipv4.conf.*.rp_filter = 1' }
  when:
      - rhel9cis_sysctl_update
      - not system_is_container
      - "'procps-ng' in ansible_facts.packages"
@brisky brisky added the bug Something isn't working label Oct 31, 2023
@uk-bolly
Member

hi @brisky

Thank you so much for the issue and pull request.
Unfortunately we do see these false positives quite often; what is suggested and what is tested for by the scanner are not aligned.
The audit test that they suggest in their documentation is to look at multiple locations where sysctl files can be found

searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"

with the suggested remediation step provided by CIS is outputting to a completely different file

# printf "
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
" >> /etc/sysctl.d/60-netipv4_sysctl.conf

If you manually test, the setting is indeed set in one of the locations they suggest searching, but the scanner still fails.

We see this with many different scanners; while they can be excellent, the testing can be too brittle, and it means even more work for the admins to prove that it is indeed set, while the time to get the issue resolved can be multiple releases later, which defeats the point of the scanner and all the reporting in many ways.

This is the reason we took to writing and maintaining our own audit code using an open source product: should anything of this type come up, we are able to work to fix it quickly and get the new code out in a reasonable length of time.

Sorry to disappoint you in this instance, but as you can imagine all the variations for all the scanners that could occur over all the repos we manage make this impossible to maintain. In this scenario we would be writing the baseline to meet each scanner's wishes rather than ensuring we hit the requirement as documented.

So on this occasion we are unable to accept your PR. I do hope that this explanation makes sense, and if you have any questions please do let us know.

many thanks

uk-bolly

@brisky
Contributor Author

brisky commented Oct 31, 2023

CIS-CAT does check the configuration in /usr/lib/sysctl.d/50-default.conf, since it would override the global settings.
So it fails. In my tests, after this fix is implemented, the assessment will pass.

@uk-bolly
Member

uk-bolly commented Oct 31, 2023

hi @brisky

Having just checked again manually on a clean new build system and running the commands that they request in the documentation, this works as expected and finds the settings in the /etc/sysctl.d/60-netipv4_sysctl.conf file.

If I understand your feedback, it only passes if the value is added to the file /usr/lib/sysctl.d/50-default.conf?

Running the commands below and then `sysctl --system`, it picks up the settings in the file that we configure, so the settings in /usr/lib/sysctl.d/50-default.conf have no bearing on the requirement.

I am trying to understand the difference between what they have documented as required and why the scanner is checking something different, when the value is correct on a running system if changed as per the documentation.

many thanks

uk-bolly

[root@rocky9-bios ~]# sysctl -a | grep -E "(all|default).rp_filter"
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0

[root@rocky9-bios ~]# printf "net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
" >> /etc/sysctl.d/60-netipv4_sysctl.conf

[root@rocky9-bios ~]# sysctl -a | grep -E "(all|default).rp_filter"
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
[root@rocky9-bios ~]# searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf"

[root@rocky9-bios ~]# grep -E "(all|default).rp_filter" $searchloc
grep: /run/sysctl.d/*.conf: No such file or directory
/etc/sysctl.d/60-netipv4_sysctl.conf:net.ipv4.conf.all.rp_filter = 1
/etc/sysctl.d/60-netipv4_sysctl.conf:net.ipv4.conf.default.rp_filter = 1
grep: /usr/local/lib/sysctl.d/*.conf: No such file or directory
/usr/lib/sysctl.d/50-default.conf:net.ipv4.conf.default.rp_filter = 2
/usr/lib/sysctl.d/50-default.conf:-net.ipv4.conf.all.rp_filter
/usr/lib/sysctl.d/50-redhat.conf:net.ipv4.conf.default.rp_filter = 1
/usr/lib/sysctl.d/50-redhat.conf:-net.ipv4.conf.all.rp_filter
/lib/sysctl.d/50-default.conf:net.ipv4.conf.default.rp_filter = 2
/lib/sysctl.d/50-default.conf:-net.ipv4.conf.all.rp_filter
/lib/sysctl.d/50-redhat.conf:net.ipv4.conf.default.rp_filter = 1
/lib/sysctl.d/50-redhat.conf:-net.ipv4.conf.all.rp_filter

[root@rocky9-bios ~]# sysctl -a | grep -E "(all|default).rp_filter"
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0

[root@rocky9-bios ~]# sysctl --system
* Applying /usr/lib/sysctl.d/10-default-yama-scope.conf ...
* Applying /usr/lib/sysctl.d/50-coredump.conf ...
* Applying /usr/lib/sysctl.d/50-default.conf ...
* Applying /usr/lib/sysctl.d/50-libkcapi-optmem_max.conf ...
* Applying /usr/lib/sysctl.d/50-pid-max.conf ...
* Applying /usr/lib/sysctl.d/50-redhat.conf ...
* Applying /etc/sysctl.d/60-netipv4_sysctl.conf ...
* Applying /etc/sysctl.d/99-sysctl.conf ...
* Applying /etc/sysctl.conf ...
kernel.yama.ptrace_scope = 0
kernel.core_pattern = |/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h
kernel.core_pipe_limit = 16
fs.suid_dumpable = 2
kernel.sysrq = 16
kernel.core_uses_pid = 1
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.enp0s3.rp_filter = 2
net.ipv4.conf.enp0s8.rp_filter = 2
net.ipv4.conf.lo.rp_filter = 2
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.enp0s3.accept_source_route = 0
net.ipv4.conf.enp0s8.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.conf.enp0s3.promote_secondaries = 1
net.ipv4.conf.enp0s8.promote_secondaries = 1
net.ipv4.conf.lo.promote_secondaries = 1
net.ipv4.ping_group_range = 0 2147483647
net.core.default_qdisc = fq_codel
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
fs.protected_regular = 1
fs.protected_fifos = 1
net.core.optmem_max = 81920
kernel.pid_max = 4194304
kernel.kptr_restrict = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.enp0s3.rp_filter = 1
net.ipv4.conf.enp0s8.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

[root@rocky9-bios ~]# grep -E "(all|default).rp_filter" $searchloc
grep: /run/sysctl.d/*.conf: No such file or directory
/etc/sysctl.d/60-netipv4_sysctl.conf:net.ipv4.conf.all.rp_filter = 1
/etc/sysctl.d/60-netipv4_sysctl.conf:net.ipv4.conf.default.rp_filter = 1
grep: /usr/local/lib/sysctl.d/*.conf: No such file or directory
/usr/lib/sysctl.d/50-default.conf:net.ipv4.conf.default.rp_filter = 2
/usr/lib/sysctl.d/50-default.conf:-net.ipv4.conf.all.rp_filter
/usr/lib/sysctl.d/50-redhat.conf:net.ipv4.conf.default.rp_filter = 1
/usr/lib/sysctl.d/50-redhat.conf:-net.ipv4.conf.all.rp_filter
/lib/sysctl.d/50-default.conf:net.ipv4.conf.default.rp_filter = 2
/lib/sysctl.d/50-default.conf:-net.ipv4.conf.all.rp_filter
/lib/sysctl.d/50-redhat.conf:net.ipv4.conf.default.rp_filter = 1
/lib/sysctl.d/50-redhat.conf:-net.ipv4.conf.all.rp_filter

[root@rocky9-bios ~]# sysctl -a | grep -E "(all|default).rp_filter"
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
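The session above contrasts what `sysctl --system` actually applies with what the scanner greps for across every drop-in location. The shell script below is an added example, not code from the ansible-lockdown project or from CIS-CAT. It builds a constructed copy of the three files from the grep output above under a temporary root, then computes both views of `net.ipv4.conf.default.rp_filter`: the effective value under the precedence documented in sysctl(8) (directories in the order listed for `--system`, files sorted by name, a same-named file in an earlier directory masking the later one, last assignment wins) and the scanner-style list of every file in the search locations that assigns the key a value other than the expected one. The directory order and masking rule are taken from sysctl(8); the file contents and the temporary tree are constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the ansible-lockdown project or from CIS-CAT):
# models the two audits the thread contrasts for one sysctl key.
#   effective_value        -- the value that wins after `sysctl --system`,
#                             following sysctl(8): directories in the order
#                             below, files sorted by name, a file in an earlier
#                             directory masking a same-named file in a later
#                             one, and the last assignment winning.
#   files_with_wrong_value -- scanner-style: every file in the search
#                             locations that assigns the key a value other
#                             than expected, whether or not that value survives.
set -eu

ROOT="$(mktemp -d)"              # fake filesystem root for the constructed tree
trap 'rm -rf "$ROOT"' EXIT
TAB="$(printf '\t')"

# Constructed sample files, mirroring the grep output in the thread.
mkdir -p "$ROOT/etc/sysctl.d" "$ROOT/usr/lib/sysctl.d"
printf 'net.ipv4.conf.default.rp_filter = 2\n-net.ipv4.conf.all.rp_filter\n' \
    > "$ROOT/usr/lib/sysctl.d/50-default.conf"
printf 'net.ipv4.conf.default.rp_filter = 1\n-net.ipv4.conf.all.rp_filter\n' \
    > "$ROOT/usr/lib/sysctl.d/50-redhat.conf"
printf 'net.ipv4.conf.all.rp_filter = 1\nnet.ipv4.conf.default.rp_filter = 1\n' \
    > "$ROOT/etc/sysctl.d/60-netipv4_sysctl.conf"

# Search locations relative to $ROOT, in the precedence order sysctl(8)
# gives for --system (the same set the thread's $searchloc greps).
SYSCTL_DIRS="etc/sysctl.d run/sysctl.d usr/local/lib/sysctl.d usr/lib/sysctl.d lib/sysctl.d"

# Print the files sysctl --system would apply, one per line, in order.
applied_files() {
    i=0
    for d in $SYSCTL_DIRS; do
        for f in "$ROOT/$d"/*.conf; do
            if [ -f "$f" ]; then
                printf '%s\t%d\t%s\n' "$(basename "$f")" "$i" "$f"
            fi
        done
        i=$((i + 1))
    done | sort -t "$TAB" -k1,1 -k2,2n | awk -F '\t' '!seen[$1]++ { print $3 }'
    # /etc/sysctl.conf is always processed last.
    if [ -f "$ROOT/etc/sysctl.conf" ]; then
        printf '%s\n' "$ROOT/etc/sysctl.conf"
    fi
}

# Print the last value assigned to key $1 across the applied files (empty if
# none). "-key" lines without "=" carry no value and are skipped.
effective_value() {
    key="$1"
    applied_files | while read -r f; do
        awk -F '=' -v key="$key" '
            /^[ \t]*[#;]/ || NF < 2 { next }
            { k = $1; gsub(/[ \t]/, "", k); sub(/^-/, "", k)
              v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v) }
            k == key { print v }
        ' "$f"
    done | tail -n 1
}

# Scanner-style check: print every file in the search locations that assigns
# key $1 a value other than $2, masked or not, one path per line.
files_with_wrong_value() {
    key="$1"; expected="$2"
    for d in $SYSCTL_DIRS; do
        for f in "$ROOT/$d"/*.conf; do
            [ -f "$f" ] || continue
            awk -F '=' -v key="$key" -v expected="$expected" '
                /^[ \t]*[#;]/ || NF < 2 { next }
                { k = $1; gsub(/[ \t]/, "", k); sub(/^-/, "", k)
                  v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v) }
                k == key && v != expected { print FILENAME; exit }
            ' "$f"
        done
    done
}

# Stand-alone run: both views of the key the thread is about.
key=net.ipv4.conf.default.rp_filter
printf 'effective %s after sysctl --system: %s\n' "$key" "$(effective_value "$key")"
printf 'files assigning %s a value other than 1:\n' "$key"
files_with_wrong_value "$key" 1
```

On the constructed tree the effective value is 1 while the strict check still names /usr/lib/sysctl.d/50-default.conf, which is the divergence the thread reports: the scanner judges every file it can find, the kernel only keeps the last assignment it was handed.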

@brisky
Contributor Author

brisky commented Oct 31, 2023

Could it be that you're running in Rocky and I tested in RHEL9?
( Will setup a Rocky9 and test it. )

This is what I got in the assessment:

Script: sce/nix_kernel_parameter_chk.sh
Result: Pass
Exit Value: 101
Output: - Audit Result: ** PASS ** - "net.ipv4.conf.all.rp_filter" is set to "1" in the running configuration - "net.ipv4.conf.all.rp_filter" is set to "1" in "/etc/sysctl.d/60-netipv4_sysctl.conf"
No error lines were collected.
Script: sce/nix_kernel_parameter_chk.sh
Result: Fail
Exit Value: 102
Output: - Audit Result: ** FAIL ** - Reason(s) for audit failure: - "net.ipv4.conf.default.rp_filter" is set incorrectly in "/usr/lib/sysctl.d/50-default.conf /lib/sysctl.d/50-default.conf" - Correctly set: - "net.ipv4.conf.default.rp_filter" is set to "1" in the running configuration - "net.ipv4.conf.default.rp_filter" is set to "1" in "/etc/sysctl.d/60-netipv4_sysctl.conf /usr/lib/sysctl.d/50-redhat.conf /lib/sysctl.d/50-redhat.conf"

@uk-bolly
Member

hi @brisky

Thank you so much for helping me to find where this is happening.
I am trying to understand why the scanner is running a test that is not documented in their own baseline or not required in that file to be set in order for the running value to be correct.
It would be great to get to the bottom of this.

many thanks again for your effort and time

uk-bolly

@brisky
Contributor Author

brisky commented Oct 31, 2023

Sure, Anything else I can help with?
Will be out tomorrow.

Regards.

brisky.

@brisky
Contributor Author

brisky commented Nov 6, 2023

Hi @uk-bolly
Installed a Rocky host, and in my installation of Rocky 9 the rule also fails with:

Output: - Audit Result: ** FAIL ** - Reason(s) for audit failure: - "net.ipv4.conf.default.rp_filter" is set incorrectly in "/usr/lib/sysctl.d/50-default.conf /lib/sysctl.d/50-default.conf" - Correctly set: - "net.ipv4.conf.default.rp_filter" is set to "1" in the running configuration - "net.ipv4.conf.default.rp_filter" is set to "1" in "/etc/sysctl.d/60-netipv4_sysctl.conf /usr/lib/sysctl.d/50-redhat.conf /lib/sysctl.d/50-redhat.conf"
