Drop setting vm.heap_stack_gap and net.ipv4 sysctl flags #7324

Merged
merged 1 commit into from
Nov 21, 2024
30 changes: 0 additions & 30 deletions install_files/ansible-base/roles/common/defaults/main.yml
Expand Up @@ -5,36 +5,6 @@ disabled_kernel_modules:
- iwlmvm
- iwlwifi

sysctl_flags:
- name: "net.ipv4.tcp_max_syn_backlog"
value: "4096"
- name: "net.ipv4.tcp_syncookies"
value: "1"
- name: "net.ipv4.conf.all.rp_filter"
value: "1"
- name: "net.ipv4.conf.all.accept_source_route"
value: "0"
- name: "net.ipv4.conf.all.accept_redirects"
value: "0"
- name: "net.ipv4.conf.all.secure_redirects"
value: "0"
- name: "net.ipv4.conf.default.rp_filter"
value: "1"
- name: "net.ipv4.conf.default.accept_source_route"
value: "0"
- name: "net.ipv4.conf.default.accept_redirects"
value: "0"
- name: "net.ipv4.conf.default.secure_redirects"
value: "0"
- name: "net.ipv4.icmp_echo_ignore_broadcasts"
value: "1"
- name: "net.ipv4.ip_forward"
value: "0"
- name: "net.ipv4.conf.all.send_redirects"
value: "0"
- name: "net.ipv4.conf.default.send_redirects"
value: "0"

unused_packages:
- libiw30
- wireless-tools
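Review bot: dropping the whole `sysctl_flags` list from defaults leaves no pointer in this role to where these IPv4 settings now come from; the only trace is the test docstring's mention of securedrop-grsec. Suggest a one-line comment in defaults/main.yml (e.g. `# IPv4 hardening sysctls are now shipped by securedrop-grsec; see test_system_hardening.py`) so the next person editing the role does not re-add them, and confirm that every key removed here (`tcp_max_syn_backlog`, `tcp_syncookies`, `rp_filter`, `accept_source_route`, `accept_redirects`, `secure_redirects`, `icmp_echo_ignore_broadcasts`, `ip_forward`, `send_redirects`) is still in the parametrized list feeding `test_sysctl_options`, since that test is now the only control on these values.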
2 changes: 0 additions & 2 deletions install_files/ansible-base/roles/common/tasks/main.yml
Expand Up @@ -22,8 +22,6 @@

- include_tasks: remove_unused_packages.yml

- include_tasks: sysctl.yml

- include_tasks: disable_swap.yml

- include_tasks: remove_kernel_modules.yml
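Review bot: removing the include is consistent with deleting sysctl.yml below, but the role now applies no sysctl task at all, so a host where securedrop-grsec is absent or its settings are overridden silently loses every value listed in the old defaults. Consider a task that asserts securedrop-grsec is present (or that `vm.heap_stack_gap` reads back 1048576) so the gap fails the playbook run itself rather than only the later testinfra run.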
14 changes: 0 additions & 14 deletions install_files/ansible-base/roles/common/tasks/sysctl.yml

This file was deleted.

Expand Up @@ -6,8 +6,3 @@ grsec_sysctl_flags:
# rest will not be applied
- name: "kernel.grsecurity.grsec_lock"
value: "1"
# Stack clash mitigation, increasing main stack gap to 1MB.
# Storing as part of grsecurity vars, because sysctl option won't
# exist otherwise.
- name: "vm.heap_stack_gap"
value: "1048576"
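Review bot: the removed comment was the only place recording why `vm.heap_stack_gap` is 1048576 (stack clash mitigation, raising the main stack gap to 1MB); the replacement comment in test_grsecurity.py only says where the value is set, not why. Suggest carrying the rationale over to that test comment, or to the securedrop-grsec side in kernel-builder, so the value is not later "cleaned up" as an unexplained magic number.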
1 change: 1 addition & 0 deletions molecule/testinfra/common/test_grsecurity.py
Expand Up @@ -81,6 +81,7 @@ def test_grsecurity_kernel_is_running(host):
[
("kernel.grsecurity.grsec_lock", 1),
("kernel.grsecurity.rwxmap_logging", 0),
# set via securedrop-grsec (in kernel-builder)
("vm.heap_stack_gap", 1048576),
],
)
2 changes: 2 additions & 0 deletions molecule/testinfra/common/test_system_hardening.py
Expand Up @@ -30,6 +30,8 @@ def test_sysctl_options(host, sysctl_opt):
"""
Ensure sysctl flags are set correctly. Most of these checks
are hardening IPv4, which is appropriate due to the heavy use of Tor.

These are all set via securedrop-grsec (in kernel-builder).
"""
with host.sudo():
assert host.sysctl(sysctl_opt[0]) == sysctl_opt[1]
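Review bot: the docstring now attributes all of these values to securedrop-grsec, but the assertion only compares `host.sysctl(...)` to the expected value, so a failure will not tell the reader which key regressed or whether the kernel-builder config changed versus the host running a different kernel. Suggest adding the key to the assertion message (e.g. `assert host.sysctl(sysctl_opt[0]) == sysctl_opt[1], sysctl_opt[0]`) and naming the file in kernel-builder where these are set in the docstring, since "in kernel-builder" alone is hard to grep for.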