Rudder

Error still exists if entry exist in file 99rudder.conf, and we set a value with sysctl -w
the method does what is expected, but only reports logs

R: @@technique_id@@log_info@@rule_id@@directive_id@@4330cbac-36e1-4d62-9c2a-d2a2a99b9393@@1.5.2 - Ensure address space layout randomization (ASLR) is enabled@@kernel.randomize_va_space@@2024-03-11 15:04:03+00:00##fb264042-a1b8-4770-b090-a398ea6fbbc3@#Set the string sysctl_var.getkernel_randomize_va_space to the output of '/sbin/sysctl -n kernel.randomize_va_space # Get value (expect 2, option default)' was correct
R: The '/sbin/sysctl -n kernel.randomize_va_space # Get value (expect 2, option default)' command returned '0'
R: @@technique_id@@log_info@@rule_id@@directive_id@@4330cbac-36e1-4d62-9c2a-d2a2a99b9393@@1.5.2 - Ensure address space layout randomization (ASLR) is enabled@@kernel.randomize_va_space@@2024-03-11 15:04:03+00:00##fb264042-a1b8-4770-b090-a398ea6fbbc3@#Ensure line in format key=value in /etc/sysctl.d/99rudder.conf was correct
R: @@technique_id@@log_info@@rule_id@@directive_id@@4330cbac-36e1-4d62-9c2a-d2a2a99b9393@@1.5.2 - Ensure address space layout randomization (ASLR) is enabled@@kernel.randomize_va_space@@2024-03-11 15:04:03+00:00##fb264042-a1b8-4770-b090-a398ea6fbbc3@#Ensure line in format key=value in /etc/sysctl.d/99rudder.conf was correct
    info: Executing 'no timeout' ... '/sbin/sysctl --system  # Reload value kernel.randomize_va_space (expect 2, option default)'
  notice: Q: "...bin/sysctl --sy": * Applying /etc/sysctl.d/10-console-messages.conf ...
Q: "...bin/sysctl --sy": kernel.printk = 4 4 1 7
Q: "...bin/sysctl --sy": * Applying /etc/sysctl.d/10-ipv6-privacy.conf ...
Q: "...bin/sysctl --sy": net.ipv6.conf.all.use_tempaddr = 2
Q: "...bin/sysctl --sy": net.ipv6.conf.default.use_tempaddr = 2
Q: "...bin/sysctl --sy": * Applying /etc/sysctl.d/10-kernel-hardening.conf ...
Q: "...bin/sysctl --sy": kernel.kptr_restrict = 1
Q: "...bin/sysctl --sy": * Applying /etc/sysctl.d/10-link-restrictions.conf ...
Q: "...bin/sysctl --sy": fs.protected_hardlinks = 1
Q: "...bin/sysctl --sy": fs.protected_symlinks = 1
Q: "...bin/sysctl --sy": * Applying /etc/sysctl.d/10-magic-sysrq.conf ...
Q: "...bin/sysctl --sy": kernel.sysrq = 176
Q: "...bin/sysctl --sy": * Applying /etc/sysctl.d/10-network-security.conf ...
Q: "...bin/sysctl --sy": net.ipv4.conf.default.rp_filter = 2
Q: "...bin/sysctl --sy": net.ipv4.conf.all.rp_filter = 2
Q: "...bin/sysctl --sy": * Applying /etc/sysctl.d/10-ptrace.conf ...
Q: "...bin/sysctl --sy": kernel.yama.ptrace_scope = 1
Q: "...bin/sysctl --sy": * Applying /etc/sysctl.d/10-zeropage.conf ...
Q: "...bin/sysctl --sy": vm.mmap_min_addr = 65536
Q: "...bin/sysctl --sy": * Applying /etc/sysctl.d/30-postgresql-shm.conf ...
Q: "...bin/sysctl --sy": * Applying /usr/lib/sysctl.d/50-default.conf ...
Q: "...bin/sysctl --sy": net.ipv4.conf.default.promote_secondaries = 1
Q: "...bin/sysctl --sy": sysctl: setting key "net.ipv4.conf.all.promote_secondaries": Invalid argument
Q: "...bin/sysctl --sy": net.ipv4.ping_group_range = 0 2147483647
Q: "...bin/sysctl --sy": net.core.default_qdisc = fq_codel
Q: "...bin/sysctl --sy": fs.protected_regular = 1
Q: "...bin/sysctl --sy": fs.protected_fifos = 1
Q: "...bin/sysctl --sy": * Applying /usr/lib/sysctl.d/50-pid-max.conf ...
Q: "...bin/sysctl --sy": kernel.pid_max = 4194304
Q: "...bin/sysctl --sy": * Applying /etc/sysctl.d/99-sysctl.conf ...
Q: "...bin/sysctl --sy": * Applying /etc/sysctl.d/99rudder.conf ...
Q: "...bin/sysctl --sy": kernel.randomize_va_space = 2
Q: "...bin/sysctl --sy": * Applying /usr/lib/sysctl.d/protect-links.conf ...
Q: "...bin/sysctl --sy": fs.protected_fifos = 1
Q: "...bin/sysctl --sy": fs.protected_hardlinks = 1
Q: "...bin/sysctl --sy": fs.protected_regular = 2
Q: "...bin/sysctl --sy": fs.protected_symlinks = 1
Q: "...bin/sysctl --sy": * Applying /etc/sysctl.conf ...
    info: Last 38 quoted lines were generated by promiser '/sbin/sysctl --system  # Reload value kernel.randomize_va_space (expect 2, option default)'
    info: Completed execution of '/sbin/sysctl --system  # Reload value kernel.randomize_va_space (expect 2, option default)'
R: @@technique_id@@log_repaired@@rule_id@@directive_id@@4330cbac-36e1-4d62-9c2a-d2a2a99b9393@@1.5.2 - Ensure address space layout randomization (ASLR) is enabled@@kernel.randomize_va_space@@2024-03-11 15:04:03+00:00##fb264042-a1b8-4770-b090-a398ea6fbbc3@#Execute command /sbin/sysctl --system  # Reload value kernel.randomize_va_space (expect 2, option default) was repaired
R: @@technique_id@@log_info@@rule_id@@directive_id@@4330cbac-36e1-4d62-9c2a-d2a2a99b9393@@1.5.2 - Ensure address space layout randomization (ASLR) is enabled@@kernel.randomize_va_space@@2024-03-11 15:04:03+00:00##fb264042-a1b8-4770-b090-a398ea6fbbc3@#Set the string sysctl_var.checkkernel_randomize_va_space to the output of '/sbin/sysctl -n kernel.randomize_va_space # Check value (expect 2, option default)' was correct

PR https://github.com/Normation/ncf/pull/1418

Applied in changeset ncf|54471f460174c8459b7f226928fec08c55007509.

This bug has been fixed in Rudder 7.3.14, 8.0.8 and 8.1.1 which were released today.

• 7.3.14 changelog
• 8.0.8 changelog
• 8.1.1 changelog
• Upgrade manual