linux-baseline icon indicating copy to clipboard operation
linux-baseline copied to clipboard

Published 20 hours ago verified publisher icon dev-sec

sysctl-17 title/description does not match test

Open rjhornsby opened this issue 8 years ago • 6 comments

As per this inline comment[1], there's a mismatch between the title/description and the actual test for systcl-17[2], martian logging.

The title says we're testing to ensure martian logging is disabled, but the actual test verifies that the logging is enabled. If I'm understanding correctly it's possible, even likely, that this is just a simple oversight in commit bb7c532f where the test was updated correctly, but the title/description were missed.

Martian logging enabled matches the chef-os-hardening cookbook behavior[3].

The CIS standards agree martian logging should be enabled. However, the chef BaseOS compliance profile says it should be disabled, perhaps because as the sysctl-17 description states, this logging can create a DoS attack vector.

There's a valid argument to be made either way - enable the logging, or disable it. I don't know which is more correct. Seems like the Chef compliance profile is perhaps the odd man out here, and that logging should be enabled.

[1] https://github.com/dev-sec/linux-baseline/commit/bb7c532f0f20dc88de3cd6e4e54414031b94f7ef#commitcomment-20365340 [2] https://github.com/dev-sec/linux-baseline/blob/bb7c532f0f20dc88de3cd6e4e54414031b94f7ef/controls/sysctl_spec.rb#L186-L193 [3] https://github.com/dev-sec/chef-os-hardening/blob/ea3c8b6634d1c75fa8e84d43b4122cb27293d78f/attributes/sysctl.rb#L124-L126

rjhornsby avatar Jan 09 '17 15:01 rjhornsby

I think in production this definitly should be disabled because of the DoC risk

mcgege avatar Jun 22 '17 06:06 mcgege

i agree it can produce a big logfile. @artem-sidorenko , @chris-rock your opinion? I am not aware anymore why we activate this

atomic111 avatar Jun 22 '17 10:06 atomic111

@atomic111 I agree on disabling this. What about making it configurable here and switch it off per default (and providing a comment why its disabled) ?

I guess it affects all implementations, chef-os-hardening, ansible-os-hardening and puppet-os-hardening. This change will probably lead to a new major release everywhere

artem-sidorenko avatar Jun 22 '17 10:06 artem-sidorenko

@mcgege @artem-sidorenko @atomic111 In my opinion ( I might be completely wrong ). With the size of hard-disk now a days in the range of 512GB/ 1-2 TB. It's a rare chance that the log file would become so big to become DoS attack. I would probably, keep it enabled to adhere with the CIS compliance.

bitvijays avatar Jul 02 '17 00:07 bitvijays

Well, on my production servers the size of the root disk is way smaller ... but if it's required by compliance: How about enable this here in the baseline and make it configurable in the check/ansible/puppet implementation plus a warning in the documentation?

mcgege avatar Jul 02 '17 11:07 mcgege

With the size of hard-disk now a days in the range of 512GB/ 1-2 TB. It's a rare chance that the log file would become so big to become DoS attack

@bitvijays this might be right for typical metal systems today, but you have a lot of systems as VMs with OS HDDs about 10-20GB, esp in the cloud environments

@atomic111 @chris-rock ping, whats your view: to keep it CIS complaint per default, or to make it operations friendly per default?

artem-sidorenko avatar Jul 02 '17 12:07 artem-sidorenko