From 4dc19266ff3c8e5455246c7b3a3e2e280ff1dae8 Mon Sep 17 00:00:00 2001
From: Mark Goddard
Date: Mon, 22 Jul 2024 13:24:42 +0100
Subject: [PATCH 1/2] Stop changing permissions on files on Rocky 9

A similar change was made for Ubuntu systems in #1119, but it did not apply to Rocky 9 systems. This changes brings the two into line.

(cherry picked from commit ef96aa2441db052f295db7260d865cc1c4e4c14a)
---
 etc/kayobe/inventory/group_vars/overcloud/cis | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/etc/kayobe/inventory/group_vars/overcloud/cis b/etc/kayobe/inventory/group_vars/overcloud/cis
index c6adea094..6a31c1d41 100644
--- a/etc/kayobe/inventory/group_vars/overcloud/cis
+++ b/etc/kayobe/inventory/group_vars/overcloud/cis
@@ -61,6 +61,22 @@ rhel9cis_rule_5_3_4: false
 # Please double-check yourself with: sudo passwd -S root
 rhel9cis_rule_5_6_6: false
 
+# Stop the CIS benchmark scanning all files on every filesystem since this
+# takes a long time. Related to the changing permissions block below. This
+# would normally warn you about violations, but we can use Wazuh to continually
+# monitor this.
+rhel9cis_rule_6_1_9: false
+rhel9cis_rule_6_1_10: false
+rhel9cis_rule_6_1_11: false
+rhel9cis_rule_6_1_12: false
+rhel9cis_rule_6_1_13: false
+rhel9cis_rule_6_1_14: false
+rhel9cis_rule_6_1_15: false
+
+# The following rules change permissions on all files on every mounted
+# filesystem. We do not want to change /var/lib/docker permissions.
+rhel9cis_no_world_write_adjust: false
+
 # Configure log rotation to prevent audit logs from filling the disk
 rhel9cis_auditd:
   space_left_action: syslog
From 09d226c70ef4b134908b2fed0d6492de3033a3e1 Mon Sep 17 00:00:00 2001
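Review bot: The comment above `rhel9cis_no_world_write_adjust: false` says "the following rules" change permissions on all files, yet only the world-writable adjustment is disabled here, whereas the Ubuntu block this commit claims to mirror also sets `ubtu22cis_no_group_adjust`, `ubtu22cis_no_owner_adjust` and `ubtu22cis_suid_adjust` to false. If the RHEL9 role exposes the equivalent owner/group/SUID toggles they should be disabled in this hunk for the same /var/lib/docker reason; if it does not, the comment should be narrowed to `# The following rule changes permissions on world-writable files on every mounted filesystem.` so a reader does not assume owner/group/SUID remediation is also off. With rules 6.1.9 through 6.1.15 disabled, nothing in this role reports those findings any more, so the first comment block should say where the Wazuh coverage is configured and what it is expected to check, rather than only "we can use Wazuh"; I cannot tell from this file whether Wazuh agents are actually deployed to these hosts.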
From: Will Szumski
Date: Fri, 12 Jul 2024 17:58:26 +0000
Subject: [PATCH 2/2] Stop changing permissions on files (#1119)

These are causing changes to docker overlay filesystems with possible unintended consequences. It is also really slow to loop through so many files in ansible.

(cherry picked from commit 0d1dfe27af2c817c8238586d169b3263a8bf84cb)
---
 etc/kayobe/inventory/group_vars/overcloud/cis | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/etc/kayobe/inventory/group_vars/overcloud/cis b/etc/kayobe/inventory/group_vars/overcloud/cis
index 6a31c1d41..59a7852cf 100644
--- a/etc/kayobe/inventory/group_vars/overcloud/cis
+++ b/etc/kayobe/inventory/group_vars/overcloud/cis
@@ -161,9 +161,22 @@ ubtu22cis_sshd:
   deny_users: ""
   deny_groups: ""
 
-# Do not change /var/lib/docker permissions
+# Stop the CIS benchmark scanning all files on every filesystem since this
+# takes a long time. Related to the changing permissions block below. This
+# would normally warn you about violations, but we can use Wazuh to continually
+# monitor this.
+ubtu22cis_rule_6_1_9: false
+ubtu22cis_rule_6_1_10: false
+ubtu22cis_rule_6_1_11: false
+ubtu22cis_rule_6_1_12: false
+ubtu22cis_rule_6_1_13: false
+
+# The following rules change permissions on all files on every mounted
+# filesystem. We do not want to change /var/lib/docker permissions.
 ubtu22cis_no_group_adjust: false
 ubtu22cis_no_owner_adjust: false
+ubtu22cis_no_world_write_adjust: false
+ubtu22cis_suid_adjust: false
 
 # Configure log rotation to prevent audit logs from filling the disk
 ubtu22cis_auditd:
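Review bot: `ubtu22cis_suid_adjust: false` is placed under a comment that only talks about /var/lib/docker permissions, but it disables a different control from the owner/group/world-write adjustments above it, and with `ubtu22cis_rule_6_1_9` through `ubtu22cis_rule_6_1_13` also set to false the role now neither scans for nor corrects whatever those rules cover. The comment should name that explicitly so the trade-off is visible, e.g. `# Also skip SUID/SGID remediation; the scan above is disabled, so these are expected to be caught by external monitoring instead.`, with the exact scope confirmed against the role's defaults since I cannot see them from this file. The "we can use Wazuh" sentence in the first comment block is an assumption this inventory does not enforce; a short note such as `# NOTE: relies on Wazuh agents being deployed on every overcloud host` would tell the next maintainer what the compensating control is.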