Hardening sysctl parameters
Apply CIS recommendations for sysctl parameters.

This will apply the following CIS compliance rules:
- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra
- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects
- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route
- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding
- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra
- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects
- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route
- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects
- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route
- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians
- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter
- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects
- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects
- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route
- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians
- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter
- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects
- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts
- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses
- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies
- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects
- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects
- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward
- xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable
- xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space

Fixes #68
Related scylladb/scylla-pkg#2953

(cherry picked from commit d75951b)
syuu1228 authored and yaronkaikov committed Dec 21, 2024
1 parent f2b705c commit 650130b
Showing 1 changed file with 79 additions and 0 deletions.
79 changes: 79 additions & 0 deletions packer/apply_cis_rules
Expand Up @@ -90,3 +90,82 @@ if __name__ == '__main__':
with open('/etc/audit/auditd.conf', 'w') as f:
f.write(auditd)

sysctl_conf = '''
# xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra
net.ipv6.conf.all.accept_ra = 0
# xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects
net.ipv6.conf.all.accept_redirects = 0
# xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route
net.ipv6.conf.all.accept_source_route = 0
# xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding
net.ipv6.conf.all.forwarding = 0
# xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra
net.ipv6.conf.default.accept_ra = 0
# xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects
net.ipv6.conf.default.accept_redirects = 0
# xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route
net.ipv6.conf.default.accept_source_route = 0
# xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects
net.ipv4.conf.all.accept_redirects = 0
# xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route
net.ipv4.conf.all.accept_source_route = 0
# xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians
net.ipv4.conf.all.log_martians = 1
# xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter
net.ipv4.conf.all.rp_filter = 1
# xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects
net.ipv4.conf.all.secure_redirects = 0
# xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects
net.ipv4.conf.default.accept_redirects = 0
# xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route
net.ipv4.conf.default.accept_source_route = 0
# xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians
net.ipv4.conf.default.log_martians = 1
# xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter
net.ipv4.conf.default.rp_filter = 1
# xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects
net.ipv4.conf.default.secure_redirects = 0
# xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1
# xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses
net.ipv4.icmp_ignore_bogus_error_responses = 1
# xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies
net.ipv4.tcp_syncookies = 1
# xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects
net.ipv4.conf.all.send_redirects = 0
# xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects
net.ipv4.conf.default.send_redirects = 0
# xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward
net.ipv4.ip_forward = 0
# xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable
fs.suid_dumpable = 0
# xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space
kernel.randomize_va_space = 2
'''[1:-1]
with open('/etc/sysctl.d/99-cis-rules.conf', 'w') as f:
f.write(sysctl_conf)
run('sysctl -p /etc/sysctl.d/99-cis-rules.conf', shell=True, check=True)
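Review bot: The final `run('sysctl -p /etc/sysctl.d/99-cis-rules.conf', shell=True, check=True)` spawns a shell for a fixed command; the argv form `run(['sysctl', '-p', '/etc/sysctl.d/99-cis-rules.conf'], check=True)` is equivalent, avoids the shell, and is the form the stdlib recommends (keep `shell=True` only if the rest of the script relies on that convention). Separately, `net.ipv6.conf.all.accept_ra = 0` and its `default` counterpart stop the kernel from processing router advertisements on every interface; on a cloud platform where the IPv6 default route is learned via RA this could leave the image without IPv6 connectivity, so it is worth confirming on the target platforms and documenting the trade-off next to those lines, e.g. `# accept_ra=0 also drops RA-learned default routes; verify IPv6 on the target cloud does not depend on RA`. `sysctl -p` only applies the values inside the build environment, and persistence after boot relies on systemd-sysctl reading `/etc/sysctl.d/` (the `99-` prefix makes this file win over lower-numbered drop-ins), which a one-line comment above the `run` call would make explicit. The `'''[1:-1]` slice also strips the trailing newline, so the written file has no final newline; `'''[1:]` would keep it. The enclosing `if __name__ == '__main__':` block begins before this hunk.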
