
Rule 3.3.4: if ufw is used, then the rule is overwritten #69

Closed
CFoltin opened this issue Jan 27, 2023 · 3 comments


CFoltin commented Jan 27, 2023

See

```yaml
- name: "AUTOMATED | 3.3.4 | PATCH | Ensure suspicious packets are logged"
```

Use the additional rule (maybe an additional `when` for a ufw check is missing...)

```yaml
- name: "AUTOMATED | 3.3.4 | PATCH | Ensure suspicious packets are logged, ufw part"
  sysctl:
    name: "{{ item }}"
    value: '1'
    sysctl_set: yes
    state: present
    reload: yes
    ignoreerrors: yes
    sysctl_file: /etc/ufw/sysctl.conf
  with_items:
    - net.ipv4.conf.all.log_martians
    - net.ipv4.conf.default.log_martians
  notify: sysctl flush ipv4 route table
  when:
    - ubtu20cis_rule_3_3_4
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - rule_3.3.4
    - suspicious_packets
    - sysctl
```

uk-bolly self-assigned this Feb 22, 2023

@uk-bolly (Member) commented

hi @CFoltin

Thank you for raising this issue. Feedback like this helps us to improve the content we supply.
I have been working through the possibilities in this request.

I believe if you have set `IPT_SYSCTL=/etc/sysctl.conf`, this request would not be valid and would not be required.

If you are using UFW and have not changed the sysctl import file, and still want it logged, you need to add that line to /etc/ufw/sysctl.conf as you have mentioned.

Reading into this, it could be quite a bespoke setting and not actually directly listed as part of a requirement for CIS, unless the options above and the ufw import file are not changed and the settings in the ufw file override and turn it off.

I believe what would be required is either:

If the file /etc/ufw/sysctl.conf exists and contains *log_martians=0, then change that as well, even if not using ufw?
This would also count for any other controls, not just 3.3.4.

or

Do we then change /etc/default/ufw to be `IPT_SYSCTL=/etc/sysctl.conf` and add a comment?
This means settings that are added into that file are then not used, which is not addressed in CIS?

Any thoughts?

thanks

uk-bolly
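The override that CFoltin's extra task and the two options above are working around can be checked offline. The script below is an added example, not code from the role or from either participant: it models ufw applying the file named by `IPT_SYSCTL` in /etc/default/ufw after /etc/sysctl.conf has been applied, so a value in the ufw file wins, and it evaluates both remediations (option 1: set the key in /etc/ufw/sysctl.conf as well; option 2: point `IPT_SYSCTL` at /etc/sysctl.conf). The file contents in `SAMPLE_FILES` are constructed, and the fallback to /etc/ufw/sysctl.conf when `IPT_SYSCTL` is unset is an assumption about ufw's default.

```python
"""Added example: model how ufw's sysctl import file can override a value
set in /etc/sysctl.conf (the CIS 3.3.4 log_martians case from this issue)."""

SYSTEM_SYSCTL = "/etc/sysctl.conf"
DEFAULT_UFW = "/etc/default/ufw"
UFW_SYSCTL_FALLBACK = "/etc/ufw/sysctl.conf"  # assumed ufw default if IPT_SYSCTL is unset

# Constructed sample contents. The ufw file uses ufw's slash-separated key
# spelling, so the parser has to normalise both forms to dotted keys.
SAMPLE_FILES = {
    SYSTEM_SYSCTL: (
        "# hardened by the CIS role (constructed)\n"
        "net.ipv4.conf.all.log_martians = 1\n"
        "net.ipv4.conf.default.log_martians = 1\n"
    ),
    DEFAULT_UFW: "# constructed\nIPT_SYSCTL=/etc/ufw/sysctl.conf\n",
    UFW_SYSCTL_FALLBACK: (
        "# Don't log Martian Packets (constructed)\n"
        "net/ipv4/conf/all/log_martians=0\n"
        "net/ipv4/conf/default/log_martians=0\n"
    ),
}


def parse_sysctl(text):
    """Parse sysctl.conf-style text into {dotted.key: value}.
    Accepts 'a.b.c = 1' and 'a/b/c=1'; '#' and ';' start comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().replace("/", ".")] = value.strip()
    return settings


def read_ipt_sysctl(default_ufw_text):
    """Return the file ufw will import, from IPT_SYSCTL in /etc/default/ufw."""
    for raw in default_ufw_text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "IPT_SYSCTL":
            return value.strip().strip("\"'") or UFW_SYSCTL_FALLBACK
    return UFW_SYSCTL_FALLBACK


def effective_value(key, files, ufw_enabled=True):
    """Value 'key' ends up with after boot, and which file set it.
    Model: the system file is applied first; an enabled ufw then applies the
    IPT_SYSCTL file, so any value found there wins."""
    value = parse_sysctl(files.get(SYSTEM_SYSCTL, "")).get(key)
    source = SYSTEM_SYSCTL
    if ufw_enabled:
        ufw_path = read_ipt_sysctl(files.get(DEFAULT_UFW, ""))
        ufw_value = parse_sysctl(files.get(ufw_path, "")).get(key)
        if ufw_value is not None:
            value, source = ufw_value, ufw_path
    return value, source


def find_overrides(files):
    """Keys that /etc/sysctl.conf sets but the ufw import file changes."""
    system = parse_sysctl(files.get(SYSTEM_SYSCTL, ""))
    ufw = parse_sysctl(files.get(read_ipt_sysctl(files.get(DEFAULT_UFW, "")), ""))
    return sorted(k for k, v in system.items() if k in ufw and ufw[k] != v)


def remediate_ufw_file(files, key, value):
    """Option 1: set the key in the ufw import file too (replace or append)."""
    fixed = dict(files)
    ufw_path = read_ipt_sysctl(files.get(DEFAULT_UFW, ""))
    lines, found = [], False
    for raw in files.get(ufw_path, "").splitlines():
        k = raw.split("#", 1)[0].partition("=")[0].strip().replace("/", ".")
        if k == key:
            lines.append(f"{key}={value}")
            found = True
        else:
            lines.append(raw)
    if not found:
        lines.append(f"{key}={value}")
    fixed[ufw_path] = "\n".join(lines) + "\n"
    return fixed


def remediate_ipt_sysctl(files):
    """Option 2: point IPT_SYSCTL at /etc/sysctl.conf so ufw re-imports it."""
    fixed = dict(files)
    fixed[DEFAULT_UFW] = (
        "# changed so ufw does not override the CIS settings (constructed)\n"
        f"IPT_SYSCTL={SYSTEM_SYSCTL}\n"
    )
    return fixed


if __name__ == "__main__":
    key = "net.ipv4.conf.all.log_martians"
    print("overrides:", find_overrides(SAMPLE_FILES))
    print("as shipped:", effective_value(key, SAMPLE_FILES))
    print("option 1:", effective_value(key, remediate_ufw_file(SAMPLE_FILES, key, "1")))
    print("option 2:", effective_value(key, remediate_ipt_sysctl(SAMPLE_FILES)))
```

Run against the constructed files, `find_overrides` reports both `log_martians` keys, which is exactly the situation the issue describes: the system file says `1`, the ufw file says `0`, and the ufw value is the effective one. Option 1 fixes a single key and leaves any other disagreeing key in place, which is why uk-bolly notes it would apply to other controls too; option 2 makes the ufw import a no-op relative to /etc/sysctl.conf, at the cost of ignoring whatever else was in /etc/ufw/sysctl.conf.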

uk-bolly mentioned this issue Feb 23, 2023

@uk-bolly (Member) commented Mar 3, 2023

hi @CFoltin

Thank you again for raising this issue. This has now been merged into the devel branch. Aiming to put this into main if all is well in the next couple of weeks.

many thanks again

uk-bolly

@MrSteve81 (Contributor) commented

This was added to PR #74 that addressed a lot of fixes. This has been merged to main. Thanks @CFoltin for the find.
