From d54f9b543fd36d726360191efaaa2174f4c593d4 Mon Sep 17 00:00:00 2001
From: Kevin Reeuwijk
Date: Mon, 19 Aug 2024 12:14:33 +0200
Subject: [PATCH] Adjust net.ipv4.conf.all.rp_filter for CNI compatibility (#257)

Sets net.ipv4.conf.all.rp_filter=0 during CIS hardening to ensure CNIs don't break when `sysctl -p` is run at any point later on (such as Stylus Agent upgrades)
---
 cis-harden/harden.sh | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/cis-harden/harden.sh b/cis-harden/harden.sh
index 2e44318..bb04965 100755
--- a/cis-harden/harden.sh
+++ b/cis-harden/harden.sh
@@ -174,8 +174,11 @@ harden_sysctl() {
 update_config_files 'net.ipv4.icmp_echo_ignore_broadcasts' 'net.ipv4.icmp_echo_ignore_broadcasts=1' ${config_file}
 update_config_files 'net.ipv4.icmp_ignore_bogus_error_responses' 'net.ipv4.icmp_ignore_bogus_error_responses=1' ${config_file}
- update_config_files 'net.ipv4.conf.all.rp_filter' 'net.ipv4.conf.all.rp_filter=1' ${config_file}
- update_config_files 'net.ipv4.conf.default.rp_filter' 'net.ipv4.conf.default.rp_filter=1' ${config_file}
+
+ # CIS hardening requires "net.ipv4.conf.all.rp_filter=1" but this is incompatible with CNIs, hence we set this to 0 instead
+ update_config_files 'net.ipv4.conf.all.rp_filter' 'net.ipv4.conf.all.rp_filter=0' ${config_file}
+
+ update_config_files 'net.ipv4.conf.default.rp_filter' 'net.ipv4.conf.default.rp_filter=1' ${config_file}
 update_config_files 'net.ipv4.tcp_syncookies' 'net.ipv4.tcp_syncookies=1' ${config_file}
 update_config_files 'kernel.randomize_va_space' 'kernel.randomize_va_space=2' ${config_file}
 update_config_files 'fs.suid_dumpable' 'fs.suid_dumpable=0' ${config_file}
@@ -930,4 +933,4 @@ cleanup_cache
 mv /etc/os-release.bak /etc/os-release
-exit 0
\ No newline at end of file
+exit 0
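Review bot: Setting `net.ipv4.conf.all.rp_filter=0` on the new rp_filter line while the next added line keeps `net.ipv4.conf.default.rp_filter=1` may not deliver the relaxation the comment promises: the kernel uses the maximum of `conf.all` and the per-interface value, and interfaces created after boot (including CNI veth/tunnel devices) inherit `conf.default`, so they would still run strict source validation unless the CNI lowers it itself. If strict mode is what breaks the CNI, loose mode keeps the control in place instead of disabling it outright; consider `'net.ipv4.conf.all.rp_filter=2'` (and the matching `default` value) rather than `0`, after confirming with the CNIs in use. Whatever value is chosen, the added comment should record it as a deliberate CIS deviation and name the reason, e.g. `# CIS deviation (accepted): rp_filter strict mode breaks asymmetric-routing CNIs; value chosen for CNI compatibility, re-evaluate when the CNI changes`. The enclosing `harden_sysctl` function starts before this hunk and continues after it.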