Mirrors/linux-baseline
2
0
Fork 0
mirror of https://github.com/dev-sec/linux-baseline synced 2025-02-16 09:48:25 +00:00
Code Issues Projects Releases Packages Wiki Activity

fix handling of sysctl fs.protected_fifos and fs.protected_regular

Browse source 
our solution with cmp for fs.protected_fifos did not work. Checking for
all possible values combined with an `or` seems more reasonable here.

Also both sysctl parameters are not available in RHEL7. The chosen
solution seems to be the least complex, that also works on all systems.

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
This commit is contained in:
Martin Schurz 2022-07-11 12:05:53 +02:00
parent 34b215b87c
commit 5247b07871
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
controls/sysctl_spec.rb
View file

@ -414,13 +414,13 @@ control 'sysctl-34' do
desc 'Protects against common exploits in regards to links, fifos and regular files created or controlled by attackers'
only_if { !container_execution }
describe kernel_parameter('fs.protected_fifos') do
its(:value) { should match cmp(/(1|2)/) }
its(:value) { should eq(1).or eq(2).or eq(nil) } # include nil because RHEL7 does not have this parameter
end
describe kernel_parameter('fs.protected_hardlinks') do
its(:value) { should eq 1 }
end
describe kernel_parameter('fs.protected_regular') do
its(:value) { should eq 2 }
its(:value) { should eq(2).or eq(nil) } # include nil because RHEL7 does not have this parameter
end
describe kernel_parameter('fs.protected_symlinks') do
its(:value) { should eq 1 }