add modprobe template, control os-10 #138

Merged
merged 16 commits into from
Aug 8, 2017
Member

@rndmh3ro rndmh3ro commented Aug 4, 2017

I'm not sure if we should also run these commands in addition to adding them to the modprobe.d-directory.
Currently I'd say yes so there's no restart required.

What do you think, @chris-rock @atomic111 @ypid ?

Member

@ypid ypid left a comment

I think you are on to something. Disabling probing of unused filesystems when mounting a filesystem without specifying the filesystem sounds like a good idea. Do you have any refs to documentation where this is also done?

Member Author

rndmh3ro commented Aug 5, 2017

That's actually a CIS recommendation, see here: https://www.cisecurity.org/wp-content/uploads/2017/04/CIS_Oracle_Linux_6_Benchmark_v1.0.0.pdf, search for "1.1.1 Disable unused filesystems".

I updated the readme.
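
An added example, not part of this pull request or the project's code: a small audit for the two questions raised above, whether a module is disabled in a modprobe.d file and whether it is nevertheless already loaded. The file contents, module names and function names are constructed for illustration; the `install <module> /bin/true` form is the one the CIS section uses.

```shell
#!/usr/bin/env bash
# Constructed sample data below; this is not the project's dev-sec.conf.
sample_conf() {            # constructed modprobe.d content
cat <<'EOF'
install cramfs /bin/true
install freevxfs /bin/true
  install jffs2   /bin/true
#install hfs /bin/true
blacklist udf
EOF
}

sample_proc_modules() {    # constructed /proc/modules content
cat <<'EOF'
cramfs 16384 0 - Live 0x0000000000000000
ext4 737280 1 - Live 0x0000000000000000
EOF
}

# not_disabled CONF MOD...: print modules lacking an "install MOD /bin/true"
# (or /bin/false) line. "blacklist" is not counted: it only stops alias-based
# autoloading, an explicit "modprobe MOD" still loads the module.
not_disabled() {
  conf=$1; shift
  for mod in "$@"; do
    awk -v m="$mod" '$1 == "install" && $2 == m &&
        ($3 == "/bin/true" || $3 == "/bin/false") { ok = 1 }
        END { exit !ok }' "$conf" || printf '%s\n' "$mod"
  done
  return 0
}

# still_loaded MODULES_FILE MOD...: print modules already in the kernel.
# A modprobe.d entry only affects future loads, so these stay loaded until
# they are removed (e.g. "modprobe -r MOD") or the host reboots.
still_loaded() {
  modules_file=$1; shift
  for mod in "$@"; do
    awk -v m="$mod" '$1 == m { hit = 1 } END { exit !hit }' "$modules_file" &&
      printf '%s\n' "$mod"
  done
  return 0
}

# Demo on the constructed data; on a host, pass the real file and /proc/modules.
demo_conf=$(mktemp); demo_mods=$(mktemp)
sample_conf > "$demo_conf"; sample_proc_modules > "$demo_mods"
echo "not disabled: $(not_disabled "$demo_conf" cramfs freevxfs jffs2 hfs udf | tr '\n' ' ')"
echo "still loaded: $(still_loaded "$demo_mods" cramfs freevxfs jffs2 hfs udf | tr '\n' ' ')"
rm -f "$demo_conf" "$demo_mods"
```

In the constructed data `cramfs` is disabled in the file yet still present in the module list, which is the case where writing the file alone does not take effect until the module is unloaded or the host restarts.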

Member

@ypid ypid left a comment

LGTM. One minor detail in the comments.

dest: "/etc/modprobe.d/dev-sec.conf"
owner: "root"
group: "root"
mode: "0640"
Member

Seems your editor did not add a \n automatically. You can check with a hex editor. Can you add one just to be safe :) ?

check for modprobe

use apt and yum instead of package

Revert "use apt and yum instead of package"

This reverts commit 215a97b.

use latest to install kmod

run apt-get update
Member Author

rndmh3ro commented Aug 7, 2017

@ypid, I added some tasks to install modprobe and squashed the commits. Can you do one last review? :)

Member

@ypid ypid left a comment

Two things could be addressed. Other than that, it should be fine.

command: 'modprobe -V'
register: modprobe_installed
ignore_errors: True
changed_when: False
Member

I would drop this check task. The next task can just ensure that kmod is present.

Member Author

Yeah, I don't really know why I did this. There was a problem with installing kmod on Ubuntu 16.04 but I fixed this with the apt-task in default.yml.

Anyway, I removed it.

package:
name: 'kmod'
state: 'installed'
when: modprobe_installed and modprobe_installed.rc != 0
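
Review bot: The `when:` on the last line, `modprobe_installed and modprobe_installed.rc != 0`, ties this task to the variable registered by the separate `modprobe -V` probe, so the task fails on an undefined variable if that probe is removed or skipped. The `package` module is idempotent, so the condition can be dropped and the task left to ensure `kmod` is there on every run.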
Member

I would change the state from installed to present. According to the docs installed should not work.

Member Author

Done.

@rndmh3ro rndmh3ro changed the title [wip] add modprobe template, control os-10 add modprobe template, control os-10 Aug 7, 2017
Sebastian Gumprich and others added 9 commits August 7, 2017 21:53
rsync was erroneously added to `os_security_packages_list` variable,
meaning it was uninstalled as a "package with known issues".

Fixes #141
check for modprobe

use apt and yum instead of package

Revert "use apt and yum instead of package"

This reverts commit 215a97b.

use latest to install kmod

run apt-get update
Member

@ypid ypid left a comment

LGTM.

@rndmh3ro rndmh3ro merged commit 49d380f into master Aug 8, 2017
@rndmh3ro rndmh3ro deleted the modprobe branch August 8, 2017 06:32
rndmh3ro added a commit that referenced this pull request Jul 24, 2020
Issue #137: Indent sshd_config's "Match Group sftponly"
divialth pushed a commit to divialth/ansible-collection-hardening that referenced this pull request Aug 3, 2022
add modprobe template, control os-10
divialth pushed a commit to divialth/ansible-collection-hardening that referenced this pull request Aug 3, 2022
Issue dev-sec#137: Indent sshd_config's "Match Group sftponly"