Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

control os-10 fails (/etc/modprobe.d/dev-sec.conf) #80

Closed
jonasduarte opened this issue Aug 15, 2017 · 10 comments
Closed

control os-10 fails (/etc/modprobe.d/dev-sec.conf) #80

jonasduarte opened this issue Aug 15, 2017 · 10 comments

Comments

@jonasduarte
Copy link

Guys,

From where does /etc/modprobe.d/dev-sec.conf come from? The control os-10 fails on all my linux nodes (Ubuntu 16.04, CentOS 7.3 and Amazon Linux), I just can't find any reference for it

control 'os-10' do
impact 1.0
title 'CIS: Disable unused filesystems'
desc '1.1.1 Ensure mounting of cramfs, freevxfs, jffs2, hfs, hfsplus, squashfs, udf, FAT'
describe file('/etc/modprobe.d/dev-sec.conf') do
its(:content) { should match 'install cramfs /bin/true' }
its(:content) { should match 'install freevxfs /bin/true' }
its(:content) { should match 'install jffs2 /bin/true' }
its(:content) { should match 'install hfs /bin/true' }
its(:content) { should match 'install hfsplus /bin/true' }
its(:content) { should match 'install squashfs /bin/true' }
its(:content) { should match 'install udf /bin/true' }
its(:content) { should match 'install vfat /bin/true' }
end
end

Best,
@atomic111
Copy link
Member

@jonasduarte yes we have to implement this in the chef, ansible and puppet modules

#71

if you want to skip this control in InSpec. you can use InSpec inheritance

https://blog.chef.io/2017/07/06/understanding-inspec-profile-inheritance/

@chris-rock
Copy link
Member

@atomic111 as an improvement we probably want to parse all modprobe configs and not rely on dev-sec config only?

@atomic111
Copy link
Member

@chris-rock oh yes this is a far more better idea!!!! thanks for your input

@chris-rock
Copy link
Member

We still need to fix this in chef cookbook :-)

@atomic111 atomic111 mentioned this issue Aug 17, 2017
Closed
@artem-sidorenko
Copy link
Member

Its mainly my fault, I did not have time to implement that directly after the merge in linux-baseline. I'll try to do that this week

@mcgege mcgege mentioned this issue Aug 21, 2017
Merged
@atomic111
Copy link
Member

it is solved by PR dev-sec/chef-os-hardening#169

Thank you @artem-sidorenko

@artem-sidorenko
Copy link
Member

artem-sidorenko commented Aug 22, 2017
edited
Loading

@jonasduarte chef implementation is in dev-sec/chef-os-hardening#169, puppet implementation is in dev-sec/puppet-os-hardening#100.

Even if both changes are not released yet, I assume they address this issue. So I'll close it , feel free to reopen if necessary

@joshuatalb
Copy link

joshuatalb commented Jan 28, 2019
edited
Loading

This should not be closed as this change hasn't been applied to the Ansible playbooks. I'll try and get time this week to merge it.

@rndmh3ro
Copy link
Member

rndmh3ro commented Feb 4, 2019

What do you mean, @joshuatalb? It's implemented here: https://github.com/dev-sec/ansible-os-hardening/blob/master/tasks/modprobe.yml

@joshuatalb
Copy link

@rndmh3ro apologies - hadn't had my coffee before I wrote this. You are correct!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@chris-rock @artem-sidorenko @rndmh3ro @atomic111 @joshuatalb @jonasduarte