Description
The sysctl-34 checks are currently failing with the latest Amazon Linux 2 images from AWS (AMI filter used: amzn2-ami-hvm-*-x86_64-gp2):
CIS-AMZN2.amazon-ebs.amz-ami: × sysctl-34: Ensure links are protected (2 failed)
CIS-AMZN2.amazon-ebs.amz-ami: ✔ Kernel Parameter fs.protected_fifos value is expected to eq 1 or eq 2 or eq nil
CIS-AMZN2.amazon-ebs.amz-ami: × Kernel Parameter fs.protected_hardlinks value is expected to eq 1
CIS-AMZN2.amazon-ebs.amz-ami:
CIS-AMZN2.amazon-ebs.amz-ami: expected: 1
CIS-AMZN2.amazon-ebs.amz-ami: got: nil
CIS-AMZN2.amazon-ebs.amz-ami:
CIS-AMZN2.amazon-ebs.amz-ami: (compared using ==)
CIS-AMZN2.amazon-ebs.amz-ami:
CIS-AMZN2.amazon-ebs.amz-ami: ✔ Kernel Parameter fs.protected_regular value is expected to eq 2 or eq nil
CIS-AMZN2.amazon-ebs.amz-ami: × Kernel Parameter fs.protected_symlinks value is expected to eq 1
CIS-AMZN2.amazon-ebs.amz-ami:
CIS-AMZN2.amazon-ebs.amz-ami: expected: 1
CIS-AMZN2.amazon-ebs.amz-ami: got: nil
The issue is triggered by the following lines.
fs.protected_hardlinks (linux-baseline/controls/sysctl_spec.rb, line 420 in 81ce2ab):

```ruby
its(:value) { should eq 1 }
```

fs.protected_symlinks (linux-baseline/controls/sysctl_spec.rb, line 426 in 81ce2ab):

```ruby
its(:value) { should eq 1 }
```
A possible fix is similar to the exceptions already implemented for fs.protected_regular and fs.protected_fifos:
```ruby
describe kernel_parameter('fs.protected_hardlinks') do
  # include nil because amzn linux does not have this parameter
  its(:value) { should eq(1).or eq(nil) }
end

describe kernel_parameter('fs.protected_symlinks') do
  # include nil because amzn linux does not have this parameter
  its(:value) { should eq(1).or eq(nil) }
end
```
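The output above shows all four fs.protected_* parameters coming back as nil, and the proposed fix makes nil an accepted value for every one of them. That is worth a caveat: fs.protected_hardlinks and fs.protected_symlinks have been in mainline since Linux 3.6, so a nil result for those two on a current kernel normally means the value could not be read (sysctl not found, wrong PATH, a permissions problem), not that the kernel lacks the knob. A matcher that accepts nil turns that read failure into a pass. The following script is an added example, not code from the linux-baseline project or from the issue author. It reads the parameters straight from /proc/sys, keeps "absent", "unreadable" and "set to a weak value" as separate states, and only tolerates absence for the two knobs that genuinely postdate older kernels (protected_fifos and protected_regular, added in 4.19). The root directory argument and the fixture builder are assumptions made so it can be run offline against a constructed tree.

```ruby
# Added example: classify the fs.protected_* sysctls by reading /proc/sys
# directly, so "parameter absent" is not confused with "set to 0" or
# "unreadable". Not part of linux-baseline; the configurable root and the
# fixture builder exist only so the logic can be exercised offline.

require "tmpdir"
require "fileutils"

# Allowed values follow the checks quoted in the issue. protected_fifos and
# protected_regular only exist on kernels >= 4.19, so absence is tolerated
# for them; protected_hardlinks/protected_symlinks have existed since 3.6.
EXPECTED = {
  "fs.protected_hardlinks" => { allowed: [1],    optional: false },
  "fs.protected_symlinks"  => { allowed: [1],    optional: false },
  "fs.protected_fifos"     => { allowed: [1, 2], optional: true  },
  "fs.protected_regular"   => { allowed: [2],    optional: true  },
}.freeze

# fs.protected_hardlinks -> <root>/fs/protected_hardlinks
def sysctl_path(key, root = "/proc/sys")
  File.join(root, *key.split("."))
end

# State of a single parameter:
#   :ok         present and within the allowed set
#   :weak       present but outside the allowed set
#   :absent     no such file (the running kernel lacks the knob)
#   :unreadable file exists but could not be read or parsed
def classify(key, root = "/proc/sys")
  path = sysctl_path(key, root)
  return :absent unless File.exist?(path)
  value = Integer(File.read(path).strip)
  EXPECTED.fetch(key)[:allowed].include?(value) ? :ok : :weak
rescue Errno::EACCES, Errno::EIO, ArgumentError
  :unreadable
end

# Evaluate every parameter; returns { key => [state, pass?] }.
# Absence passes only for optional knobs. An unreadable knob never passes,
# which is exactly the case a blanket "eq 1 or eq nil" matcher would hide.
def evaluate(root = "/proc/sys")
  EXPECTED.each_with_object({}) do |(key, spec), result|
    state = classify(key, root)
    pass = state == :ok || (state == :absent && spec[:optional])
    result[key] = [state, pass]
  end
end

# Build a constructed /proc/sys-like tree for offline runs. A nil value
# leaves the file out entirely, modelling a kernel without that knob.
def build_fixture(root, values)
  values.each do |key, val|
    next if val.nil?
    path = sysctl_path(key, root)
    FileUtils.mkdir_p(File.dirname(path))
    File.write(path, "#{val}\n")
  end
  root
end

if $PROGRAM_NAME == __FILE__
  evaluate.each do |key, (state, pass)|
    puts "#{pass ? 'PASS' : 'FAIL'} #{key} (#{state})"
  end
end
```

Run without arguments it reports against the live /proc/sys; the fixture builder lets you reproduce the three states on a workstation. The design point is that a compliance check should treat "could not determine the value" as a failure that needs investigating, not as an acceptable outcome, and should only relax for knobs the target kernel is known not to have.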