3.3.7 Ensure Reverse Path Filtering is enabled bug #106
Comments
hi @brisky Thank you so much for the issue and pull request.
with the suggested remediation step provided by CIS is outputting to a completely different file
If you manually test, the setting is indeed set in one of the locations they suggest searching, but the scanner still fails. We see this with many different scanners: while they can be excellent, the testing can be too brittle, which means even more work for the admins to prove that it is indeed set, and the time to get the issue resolved can be multiple releases later, which defeats the point of the scanner and all the reporting in many ways. This is the reason we took to writing and maintaining our own audit code using an open source product: should anything of this type come up, we are able to work to fix it quickly and get the new code out in a reasonable length of time. Sorry to disappoint you in this instance, but as you can imagine, all the variations for all the scanners that could occur over all the repos we manage make this impossible to maintain. In this scenario we would be writing the baseline to meet each scanner's wishes rather than ensuring we hit the requirement as documented. So on this occasion we are unable to accept your PR. I do hope that this explanation makes sense, and if you have any questions please do let us know. Many thanks, uk-bolly
CIS-CAT does check the configuration in /usr/lib/sysctl.d/50-default.conf, since it would override the global settings.
hi @brisky Having just checked again manually on a clean new build system and running the commands that they request in the documentation, this works as expected and finds the settings in the /etc/sysctl.d/60-netipv4_sysctl.conf file. If I understand your feedback, it only passes if the value is added to the file /usr/lib/sysctl.d/50-default.conf? Running the commands below and running sysctl --system, it picks up the settings in the file that we configure, so the settings in /usr/lib/sysctl.d/50-default.conf have no bearing on the requirement. I am trying to understand the difference between what they require as documented and why the scanner is checking something different, when the value is correct on a running system if changed as per the documentation. many thanks uk-bolly
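To make the precedence question in the thread concrete, here is an added POSIX shell example (not code from the issue, the repository or CIS-CAT) that emulates how `sysctl --system` chooses between drop-in files. It assumes the documented sysctl(8) rules (directory search order, masking by basename, lexical application order, /etc/sysctl.conf last, last assignment wins), constructs its own files in a temporary tree rather than reading the live system, and assumes paths without whitespace.

```shell
#!/bin/sh
# Emulates the order in which `sysctl --system` applies drop-in files, so you can
# see which file supplies the effective value of a key such as
# net.ipv4.conf.all.rp_filter. Assumed rules (per sysctl(8)): directories are
# searched as /etc/sysctl.d, /run/sysctl.d, /usr/local/lib/sysctl.d,
# /usr/lib/sysctl.d, /lib/sysctl.d; a basename found in an earlier directory masks
# the same basename in later ones; surviving files are applied in lexical order of
# basename, then /etc/sysctl.conf; the last assignment of a key wins. Paths are
# assumed to contain no whitespace.

# resolve_sysctl_key ROOT KEY -> prints "value<TAB>file" of the winning assignment
resolve_sysctl_key() {
    root=$1 key=$2 seen="" list=$(mktemp)
    for d in etc/sysctl.d run/sysctl.d usr/local/lib/sysctl.d usr/lib/sysctl.d lib/sysctl.d; do
        for f in "$root/$d"/*.conf; do
            [ -f "$f" ] || continue
            b=${f##*/}
            case " $seen " in *" $b "*) continue ;; esac   # masked by an earlier dir
            seen="$seen $b"
            printf '%s %s\n' "$b" "$f" >> "$list"
        done
    done
    sort "$list" | cut -d' ' -f2- > "$list.ordered"
    printf '%s\n' "$root/etc/sysctl.conf" >> "$list.ordered"
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')   # literal dots for grep -E
    winner=""
    while read -r f; do
        [ -f "$f" ] || continue
        # drop comments, keep this file's last "key = value" line for the key
        v=$(sed 's/[#;].*//' "$f" | grep -E "^[[:space:]]*$pat[[:space:]]*=" |
            tail -n 1 | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//')
        [ -n "$v" ] && winner=$(printf '%s\t%s' "$v" "$f")
    done < "$list.ordered"
    rm -f "$list" "$list.ordered"
    printf '%s\n' "$winner"
}

# Constructed tree mirroring the issue: the vendor drop-in sets loose rp_filter (2)
# plus a key of its own; the hardening drop-in sets strict rp_filter (1).
make_demo_root() {
    r=$(mktemp -d)
    mkdir -p "$r/usr/lib/sysctl.d" "$r/etc/sysctl.d"
    printf 'net.ipv4.conf.all.rp_filter = 2\nkernel.sysrq = 16\n' \
        > "$r/usr/lib/sysctl.d/50-default.conf"
    printf '# hardening\nnet.ipv4.conf.all.rp_filter = 1\n' \
        > "$r/etc/sysctl.d/60-netipv4_sysctl.conf"
    printf '%s\n' "$r"
}

resolve_sysctl_key "$(make_demo_root)" net.ipv4.conf.all.rp_filter   # 1 <tab> .../etc/sysctl.d/60-netipv4_sysctl.conf
```

Because 60-netipv4_sysctl.conf sorts after 50-default.conf, the hardening value wins on a running system regardless of what the vendor file says; the caveat the script also shows is that dropping a file with the same basename into /etc/sysctl.d masks the whole vendor file, including keys the override never mentions.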
Could it be that you're running in Rocky and I tested in RHEL9? This is what I got in the assessment:
hi @brisky Thank you so much for helping me to find where this is happening. Many thanks again for your effort and time. uk-bolly
Sure, anything else I can help with? Regards, brisky.
Hi @uk-bolly
Describe the Issue
CIS-CAT assessment reports failure.
Expected Behavior
Assessment pass.
Actual Behavior
FAIL
/lib/sysctl.d/50-default.conf
Control(s) Affected
3.3.7 Ensure Reverse Path Filtering is enabled
Environment:
Possible Solution