Disable sysctl_kernel_modules_disabled Ansible remediation #12514

Merged
Mab879 merged 1 commit into ComplianceAsCode:master from mildas:disable_kernel_modules_disabled_remediation
Oct 18, 2024

Conversation

@mildas (Contributor) commented Oct 18, 2024

Description:

Disable Ansible remediation for sysctl_kernel_modules_disabled.

Rationale:

The remediation causes boot failure for UEFI systems.
The rule already had its Bash remediation disabled (#6586) for the same reason as #12508.

Fixes #12508

Review Hints:

Run Contest /hardening/ansible/anssi_bp28_high to see if machine boots successfully after ANSSI hardening.

The remediation causes boot failure for UEFI systems.

@github-actions

This datastream diff is auto generated by the check Compare DS/Generate Diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_modules_disabled'.
--- xccdf_org.ssgproject.content_rule_sysctl_kernel_modules_disabled
+++ xccdf_org.ssgproject.content_rule_sysctl_kernel_modules_disabled
@@ -7,7 +7,7 @@
 To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.modules_disabled = 1
 
 [warning]:
-This rule doesn't come with Bash remediation. Remediating this rule during the installation process disrupts the install and boot process.
+This rule doesn't come with remediation. Remediating this rule during the installation process disrupts the install and boot process.
 
 [reference]:
 R10
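
Review bot: the reworded warning on the `+` line still ties the breakage to "the installation process", while the pull request description gives boot failure on UEFI systems after remediation as the reason for dropping the Ansible remediation. Since the unchanged line above still tells readers to persist `kernel.modules_disabled = 1` in /etc/sysctl.d by hand, consider having the warning also say that applying the setting can leave a UEFI system unable to boot, so the missing remediation is not read as an install-time-only concern.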

New data stream is missing ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_modules_disabled'.

Mab879 self-assigned this Oct 18, 2024
Mab879 added this to the 0.1.75 milestone Oct 18, 2024
@qlty-cloud-legacy

Code Climate has analyzed commit fe7fea3 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.0% (0.0% change).


@comps (Collaborator) commented Oct 18, 2024

For the record, /hardening/ansible/anssi_bp28_high will not find it, but /hardening/ansible/uefi/anssi_bp28_high added by RHSecurityCompliance/contest#276 will (a warn as waived error if the issue is still present).

@Mab879 (Member) commented Oct 18, 2024

Waiving Automatus tests as they are not related to this PR.

Mab879 merged commit f2d0158 into ComplianceAsCode:master Oct 18, 2024
Mab879 added the bugfix label (Fixes to reported bugs.) Nov 14, 2024

Development

Successfully merging this pull request may close these issues.

anssi_bp28_enhanced and high fails to boot on UEFI after Ansible remediation
