kernel_parameter logic #43
Comments
|
This Puppet module uses herculesteam's augeasproviders_grub module for the kernel_parameter resource to do the heavy lifting. Complication 1 should/could be fixed in that module, so that this module can also benefit from it. Complication 2 is beyond the scope of the secure_linux_cis module, as the CIS benchmarks it implements already specify which of the 2 GRUB variables should be used for which settings. Adding the parameter to the other GRUB CMDLINE variable would make no sense if complying to the CIS benchmark is your goal. |
|
Thanks for your reply @bjvrielink In that case, there's some inconsistencies in the RHEL 7 & 8 CIS benchmarks & bootmodes this module enforces. For example This module adds How would you like to proceed? |
|
I agree with you that these 2 (and maybe others, I did not check all cases where kernel_parameter is used) do use the wrong GRUB_CMDLINE_*, as all Linux CIS benchmarks specify GRUB_CMDLINE_LINUX, not just RHEL 7 & 8 for these specific parameters. I think a pull request that uses the correct kernel_parameter bootmode (either 'all' (or absent) for GRUB_CMDLINE_LINUX or 'normal' for GRUB_CMDLINE_LINUX_DEFAULT) is the way to go. |
Hey - thanks for all your work on this module. Been very helpful getting us across the line for CIS hardening.
Wondering if you're interested in a pull request & discussion around how your module handles kernel parameters.
Currently, some assumptions are made on whether kernel parameters should live in GRUB_CMDLINE_LINUX or GRUB_CMDLINE_LINUX_DEFAULT & no checks are done on whether each parameter is already set in an alternative boot mode.
This leads to a couple of potential complications
I propose changing the logic to
Happy to supply a pull request, or discuss further- if you're interested in changing this logic.
The text was updated successfully, but these errors were encountered: