
Comments (19)

konstruktoid avatar konstruktoid commented on June 8, 2024

Thanks for reporting this @KoenDG.

The sysctl values are verified at https://github.com/konstruktoid/ansible-role-hardening/blob/master/molecule/default/verify.yml#L330 after a reboot.

Let me retest this.

from ansible-role-hardening.

KoenDG avatar KoenDG commented on June 8, 2024

Odd. My machine is Ubuntu 20.04.5, so I assumed the symlink is default behavior.

Linux 5.4.0-131-generic

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.5 LTS
Release:        20.04
Codename:       focal

konstruktoid avatar konstruktoid commented on June 8, 2024

What's the output when you run sudo /sbin/sysctl --system?

konstruktoid avatar konstruktoid commented on June 8, 2024

On Focal and Jammy /etc/sysctl.conf gets applied last.

vagrant@jammy:~$ lsb_release -d && sudo sysctl -a | grep fifos
Description:	Ubuntu 22.04.1 LTS
fs.protected_fifos = 2
vagrant@jammy:~$ find /etc/sysctl.d/ -type l -exec ls -l  {} \;
lrwxrwxrwx 1 root root 14 Sep  9 18:47 /etc/sysctl.d/99-sysctl.conf -> ../sysctl.conf
vagrant@jammy:~$ grep -R -i fifos /etc/sysctl*
/etc/sysctl.conf:fs.protected_fifos=2
/etc/sysctl.d/99-sysctl.conf:fs.protected_fifos=2
vagrant@jammy:~$ sudo /sbin/sysctl --system
[...]
* Applying /etc/sysctl.conf ...
net.netfilter.nf_conntrack_tcp_be_liberal = 1
dev.tty.ldisc_autoload = 0
fs.protected_fifos = 2
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
fs.suid_dumpable = 0
[...]

Focal:

vagrant@focal:~$  lsb_release -d && sudo sysctl -a | grep fifos
Description:	Ubuntu 20.04.5 LTS
fs.protected_fifos = 2
vagrant@focal:~$ find /etc/sysctl.d/ -type l -exec ls -l  {} \;
lrwxrwxrwx 1 root root 14 Aug 31 15:27 /etc/sysctl.d/99-sysctl.conf -> ../sysctl.conf
vagrant@focal:~$ grep -R -i fifos /etc/sysctl*
/etc/sysctl.conf:fs.protected_fifos=2
/etc/sysctl.d/99-sysctl.conf:fs.protected_fifos=2
vagrant@focal:~$ sudo /sbin/sysctl --system
[...]
* Applying /etc/sysctl.conf ...
net.netfilter.nf_conntrack_tcp_be_liberal = 1
dev.tty.ldisc_autoload = 0
fs.protected_fifos = 2
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
fs.suid_dumpable = 0
[...]

konstruktoid avatar konstruktoid commented on June 8, 2024

Same on Debian Bullseye and AlmaLinux release 8.6.

KoenDG avatar KoenDG commented on June 8, 2024

The entire output is this:

* Applying /etc/sysctl.d/10-console-messages.conf ...
kernel.printk = 4 4 1 7
* Applying /etc/sysctl.d/10-ipv6-privacy.conf ...
* Applying /etc/sysctl.d/10-kernel-hardening.conf ...
kernel.kptr_restrict = 1
* Applying /etc/sysctl.d/10-link-restrictions.conf ...
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
* Applying /etc/sysctl.d/10-magic-sysrq.conf ...
kernel.sysrq = 176
* Applying /etc/sysctl.d/10-network-security.conf ...
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.all.rp_filter = 2
* Applying /etc/sysctl.d/10-ptrace.conf ...
kernel.yama.ptrace_scope = 1
* Applying /etc/sysctl.d/10-zeropage.conf ...
vm.mmap_min_addr = 65536
* Applying /usr/lib/sysctl.d/50-default.conf ...
net.ipv4.conf.default.promote_secondaries = 1
sysctl: setting key "net.ipv4.conf.all.promote_secondaries": Invalid argument
net.ipv4.ping_group_range = 0 2147483647
net.core.default_qdisc = fq_codel
fs.protected_regular = 1
fs.protected_fifos = 1
* Applying /usr/lib/sysctl.d/50-pid-max.conf ...
kernel.pid_max = 4194304
* Applying /etc/sysctl.d/99-sysctl.conf ...
dev.tty.ldisc_autoload = 0
net.ipv4.ip_forward = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.kptr_restrict = 2
kernel.perf_event_paranoid = 3
kernel.unprivileged_bpf_disabled = 1
net.core.bpf_jit_harden = 2
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_rmem = 8192 262144 53687091
net.ipv4.tcp_wmem = 4096 16384 53687091
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1
fs.file-max = 65535
kernel.pid_max = 65536
net.ipv4.ip_local_port_range = 2000 65000
net.ipv4.tcp_rfc1337 = 1
kernel.panic = 60
kernel.randomize_va_space = 2
net.ipv4.icmp_ignore_bogus_error_responses = 1
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
fs.protected_fifos = 2
fs.suid_dumpable = 0
vm.swappiness = 10
kernel.dmesg_restrict = 1
kernel.panic_on_oops = 60
kernel.yama.ptrace_scope = 2
net.ipv4.conf.all.shared_media = 0
net.ipv4.conf.default.shared_media = 0
net.ipv4.tcp_challenge_ack_limit = 2147483647
net.ipv4.tcp_invalid_ratelimit = 500
net.ipv4.tcp_max_syn_backlog = 20480
net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_timestamps = 0
net.netfilter.nf_conntrack_tcp_be_liberal = 1
net.netfilter.nf_conntrack_max = 2000000
net.netfilter.nf_conntrack_tcp_loose = 0
net.ipv4.tcp_adv_win_scale = -2
net.ipv4.tcp_notsent_lowat = 131072
* Applying /usr/lib/sysctl.d/protect-links.conf ...
fs.protected_fifos = 1
fs.protected_hardlinks = 1
fs.protected_regular = 2
fs.protected_symlinks = 1
* Applying /etc/sysctl.conf ...
dev.tty.ldisc_autoload = 0
net.ipv4.ip_forward = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.kptr_restrict = 2
kernel.perf_event_paranoid = 3
kernel.unprivileged_bpf_disabled = 1
net.core.bpf_jit_harden = 2
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_rmem = 8192 262144 53687091
net.ipv4.tcp_wmem = 4096 16384 53687091
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1
fs.file-max = 65535
kernel.pid_max = 65536
net.ipv4.ip_local_port_range = 2000 65000
net.ipv4.tcp_rfc1337 = 1
kernel.panic = 60
kernel.randomize_va_space = 2
net.ipv4.icmp_ignore_bogus_error_responses = 1
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
fs.protected_fifos = 2
fs.suid_dumpable = 0
vm.swappiness = 10
kernel.dmesg_restrict = 1
kernel.panic_on_oops = 60
kernel.yama.ptrace_scope = 2
net.ipv4.conf.all.shared_media = 0
net.ipv4.conf.default.shared_media = 0
net.ipv4.tcp_challenge_ack_limit = 2147483647
net.ipv4.tcp_invalid_ratelimit = 500
net.ipv4.tcp_max_syn_backlog = 20480
net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_timestamps = 0
net.netfilter.nf_conntrack_tcp_be_liberal = 1
net.netfilter.nf_conntrack_max = 2000000
net.netfilter.nf_conntrack_tcp_loose = 0
net.ipv4.tcp_adv_win_scale = -2
net.ipv4.tcp_notsent_lowat = 131072

Which does show /etc/sysctl.conf being applied last.

And if I now check, fs.protected_fifos = 2 is correct.

But on reboot, it's not:

$ uptime -p
up 3 minutes
$ sudo /sbin/sysctl -a | grep fifos
fs.protected_fifos = 1

I'll try and get the output of the initial sysctl loading into dmesg or something like that.

konstruktoid avatar konstruktoid commented on June 8, 2024

#192 (comment) was after reboot

KoenDG avatar KoenDG commented on June 8, 2024

Strange.

I need to go do some things now, though it seems the place I should be looking is the systemd-sysctl service, as that's the one audit is logging as actually doing these things.

Sorry if this all turns out to be something on my specific machine...

konstruktoid avatar konstruktoid commented on June 8, 2024

No problem at all :) it's better to debug an issue than believe your code is working.

konstruktoid avatar konstruktoid commented on June 8, 2024

What does grep -R -i fifos /etc/sysctl* return?

KoenDG avatar KoenDG commented on June 8, 2024

/etc/sysctl.conf:fs.protected_fifos=2
/etc/sysctl.d/99-sysctl.conf:fs.protected_fifos=2

Though 99-sysctl.conf is a symlink to the first file.

I'll be looking into the systemd service now.

KoenDG avatar KoenDG commented on June 8, 2024

Ok, I think the systemd service is the source of the issue.

This is the service:

● systemd-sysctl.service - Apply Kernel Variables
     Loaded: loaded (/lib/systemd/system/systemd-sysctl.service; static; vendor preset: enabled)
     Active: active (exited) since Tue 2022-11-01 17:02:44 UTC; 16min ago
       Docs: man:systemd-sysctl.service(8)
             man:sysctl.d(5)
    Process: 650 ExecStart=/lib/systemd/systemd-sysctl (code=exited, status=0/SUCCESS)
   Main PID: 650 (code=exited, status=0/SUCCESS)

And the config file points to a different executable:

[Unit]
Description=Apply Kernel Variables
Documentation=man:systemd-sysctl.service(8) man:sysctl.d(5)
DefaultDependencies=no
Conflicts=shutdown.target
After=systemd-modules-load.service
Before=sysinit.target shutdown.target
ConditionPathIsReadWrite=/proc/sys/net/

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/lib/systemd/systemd-sysctl
TimeoutSec=90s

These are not the same executables:

$  cmp /sbin/sysctl /lib/systemd/systemd-sysctl
/sbin/sysctl /lib/systemd/systemd-sysctl differ: byte 25, line 1

The possible commands:

/lib/systemd/systemd-sysctl --help
systemd-sysctl [OPTIONS...] [CONFIGURATION FILE...]

Applies kernel sysctl settings.

  -h --help             Show this help
     --version          Show package version
     --cat-config       Show configuration files
     --prefix=PATH      Only apply rules with the specified prefix
     --no-pager         Do not pipe output into a pager

See the systemd-sysctl.service(8) man page for details.

The content of man systemd-sysctl.service is completely different.

Looking at --cat-config produces an output of files that have been parsed. And it behaves the way I suspected at the start of this ticket.

I made a little GIF recording of the output. It jumps after a bit as it goes down: https://i.imgur.com/IdPpgjc.gif

It doesn't ever load /etc/sysctl.conf. While it prints the name /etc/sysctl.d/99-sysctl.conf, I suspect the systemd version internally has resolved the symlink to the original filename.

I'll test by deleting the symlink and rebooting.

KoenDG avatar KoenDG commented on June 8, 2024

Oh wow, it just didn't load /etc/sysctl.conf at all.

Only /etc/sysctl.d/*.conf and then after that /usr/lib/sysctl.d/*.conf files.

/etc/sysctl.conf does not get loaded. That is unexpected behavior. Unexpected for me, at least.

Now I'm wondering, what is the expected regular behavior, what is going on here, and how is this best addressed?

konstruktoid avatar konstruktoid commented on June 8, 2024

See systemd/systemd#8360 (comment)

KoenDG avatar KoenDG commented on June 8, 2024

Ok, so the symlink is supposed to be there...

But then it's down to the order of execution.

It first reads all files in /etc/sysctl.d/ and then after that all files in /usr/lib/sysctl.d/. And in the latter, there is a setting of fs.protected_fifos = 1, so it gets overwritten.

The manpage for systemd-sysctl says:

When invoked with no arguments, /lib/systemd/systemd-sysctl applies all directives from configuration files listed in sysctl.d(5).

Which is the order listed originally:

    /run/sysctl.d/*.conf
    /etc/sysctl.d/*.conf
    /usr/local/lib/sysctl.d/*.conf
    /usr/lib/sysctl.d/*.conf
    /lib/sysctl.d/*.conf
    /etc/sysctl.conf

So that checks out...

But that makes it odd your reboot doesn't have this issue. Unless it's not using systemd-sysctl? But the handler code that does the reload uses it...

Is your /usr/lib/sysctl.d/ empty? If it contains fs.protected_fifos = 1 anywhere, that should overwrite it, as it would get executed last.

This is getting confusing in terms of: what is the default? What config files should contain what, as provided by the OS, and what should our expectations be?

I would assume the final expectation is: the settings we add here are not overwritten on reboot.

And in the end: My machine still is stuck in this situation where /usr/lib/sysctl.d/ overrides the security settings of these playbooks upon boot.

What needs to happen here?

konstruktoid avatar konstruktoid commented on June 8, 2024

Yeah, you're right. With a .conf in either /run/sysctl.d/*.conf or /usr/lib/sysctl.d/, the value(s) will be overwritten.

$ grep -R fifo /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf | LC_ALL=C sort
grep: /run/sysctl.d/*.conf: No such file or directory
/etc/sysctl.d/99-sysctl.conf:fs.protected_fifos = 2
/usr/lib/sysctl.d/50-default.conf:fs.protected_fifos = 1
/usr/lib/sysctl.d/99-hardening.conf:fs.protected_fifos = 2
/usr/lib/sysctl.d/protect-links.conf:fs.protected_fifos = 1
/usr/lib/sysctl.d/zz-hardening.conf:fs.protected_fifos = 2
vagrant@focal:~$ sudo sysctl -a | grep fifo
fs.protected_fifos = 2

Note the zz-hardening.conf; 99-hardening.conf won't work since protect-links.conf overwrites it.

I'm going to test creating a new file, /usr/lib/sysctl.d/zz-hardening.conf but another option is to link /usr/lib/sysctl.d/zz-sysctl.conf -> /etc/sysctl.conf, but that doesn't feel right for some reason.
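
Emulating the precedence rule behind the two comments above, as an added example that is neither the role's nor the thread's own code: sysctl.d(5) masks same-named files by directory priority and then applies every surviving file in one lexicographic sort by basename regardless of directory, which is why protect-links.conf beats 99-sysctl.conf (and would beat 99-hardening.conf) while zz-hardening.conf wins, and why /etc/sysctl.conf is only seen through the 99-sysctl.conf symlink. The fixture tree, file names and values are constructed to mirror the Focal host discussed above; the script assumes a POSIX sh with awk, sort and mktemp, and paths without spaces.

```shell
# Added example, not the role's code: emulate systemd-sysctl's file selection as
# sysctl.d(5) describes it. *.conf files are collected from the directories below in
# priority order (a name found higher up masks the same name lower down), then ALL
# survivors are applied in one sort by basename, so the last assignment of a key wins.

list_effective_files() {   # $1 = fixture root; prints the winning files in apply order
    seen=""
    for d in etc/sysctl.d run/sysctl.d usr/local/lib/sysctl.d usr/lib/sysctl.d lib/sysctl.d; do
        [ -d "$1/$d" ] || continue
        for f in "$1/$d"/*.conf; do
            [ -f "$f" ] || continue                         # unmatched glob / dangling link
            b=${f##*/}
            case " $seen " in *" $b "*) continue ;; esac    # masked by a higher directory
            seen="$seen $b"
            printf '%s\t%s\n' "$b" "$f"
        done
    done | LC_ALL=C sort -k1,1 | cut -f2
}

resolve_sysctl() {   # $1 = root, $2 = key; prints the value left by the last assignment
    for f in $(list_effective_files "$1"); do                   # assumes no spaces in paths
        awk -F= -v key="$2" '/^[ \t]*$/ { next }  /^[ \t]*[#;]/ { next }
            { k = $1; v = $2; gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
              if (k == key) print v }' "$f"
    done | tail -n 1
}

make_fixture() {   # constructed tree mirroring the Focal host in the thread; prints its root
    root=$(mktemp -d)
    mkdir -p "$root/etc/sysctl.d" "$root/usr/lib/sysctl.d"
    printf 'fs.protected_fifos=2\n' > "$root/etc/sysctl.conf"
    ln -s ../sysctl.conf "$root/etc/sysctl.d/99-sysctl.conf"            # as Ubuntu ships it
    printf 'fs.protected_fifos = 1\n' > "$root/usr/lib/sysctl.d/50-default.conf"
    printf 'fs.protected_fifos = 1\n' > "$root/usr/lib/sysctl.d/protect-links.conf"
    echo "$root"
}

add_vendor_override() {   # $1 = root, $2 = basename; drops fifos=2 into /usr/lib/sysctl.d
    printf 'fs.protected_fifos = 2\n' > "$1/usr/lib/sysctl.d/$2"
}
demo() {
    root=$(make_fixture)
    echo "as shipped:        $(resolve_sysctl "$root" fs.protected_fifos)"   # 1 (protect-links wins)
    add_vendor_override "$root" 99-hardening.conf
    echo "99-hardening.conf: $(resolve_sysctl "$root" fs.protected_fifos)"   # 1 ('p' sorts after '9')
    add_vendor_override "$root" zz-hardening.conf
    echo "zz-hardening.conf: $(resolve_sysctl "$root" fs.protected_fifos)"   # 2 (sorts last)
    rm -rf "$root"
}
demo
```

An empty file of the same name dropped into /etc/sysctl.d/ masks a /usr/lib/sysctl.d/ file entirely, which the resolver also models; run it against a real host by pointing the directory list at / to audit what will win at the next boot.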

konstruktoid avatar konstruktoid commented on June 8, 2024

Could you test #194?

KoenDG avatar KoenDG commented on June 8, 2024

Tried and can confirm it's working. The value persists after reboot and the file shows as the last one loaded in the output of sudo /lib/systemd/systemd-sysctl --cat-config.

Well, that was an interesting one to discover and investigate.

konstruktoid avatar konstruktoid commented on June 8, 2024

It sure was, thanks for finding it.