Disable sysctl_kernel_modules_disabled Ansible remediation #12514

@mildas mildas commented Oct 18, 2024

Description:

Disable Ansible remediation for sysctl_kernel_modules_disabled.

Rationale:

The remediation causes boot failure for UEFI systems.
The rule already had its Bash remediation disabled (#6586) for the same reason as #12508.

Fixes #12508

Review Hints:

Run Contest /hardening/ansible/anssi_bp28_high to see if machine boots successfully after ANSSI hardening.

The remediation causes boot failure for UEFI systems.

This datastream diff is auto generated by the check Compare DS/Generate Diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_modules_disabled'.
--- xccdf_org.ssgproject.content_rule_sysctl_kernel_modules_disabled
+++ xccdf_org.ssgproject.content_rule_sysctl_kernel_modules_disabled
@@ -7,7 +7,7 @@
 To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.modules_disabled = 1
 
 [warning]:
-This rule doesn't come with Bash remediation. Remediating this rule during the installation process disrupts the install and boot process.
+This rule doesn't come with remediation. Remediating this rule during the installation process disrupts the install and boot process.
 
 [reference]:
 R10
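Review bot: The reworded [warning] line still gives the cause only as "Remediating this rule during the installation process disrupts the install and boot process", while the rationale for this change is a boot failure on UEFI systems after Ansible remediation. Suggest naming the UEFI boot failure in the warning so a reader understands why no remediation ships at all. The unchanged context line above it still tells the reader to add kernel.modules_disabled = 1 to a file in /etc/sysctl.d; it would help to state whether that manual persistence step is subject to the same caveat.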

New data stream is missing ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_modules_disabled'.

@Mab879 Mab879 self-assigned this Oct 18, 2024
@Mab879 Mab879 added this to the 0.1.75 milestone Oct 18, 2024

codeclimate bot commented Oct 18, 2024

Code Climate has analyzed commit fe7fea3 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.0% (0.0% change).


comps commented Oct 18, 2024

For the record, /hardening/ansible/anssi_bp28_high will not find it, but /hardening/ansible/uefi/anssi_bp28_high added by RHSecurityCompliance/contest#276 will (a warn as waived error if the issue is still present).

Mab879 commented Oct 18, 2024

Waiving Automatus tests as they are not related to this PR.

@Mab879 Mab879 merged commit f2d0158 into ComplianceAsCode:master Oct 18, 2024
96 of 104 checks passed
@Mab879 Mab879 added the bugfix Fixes to reported bugs. label Nov 14, 2024
Successfully merging this pull request may close these issues.

anssi_bp28_enhanced and high fails to boot on UEFI after Ansible remediation