Os immutable fs #864
Conversation
Signed-off-by: Martin Schurz <[email protected]> Signed-off-by: James Miller <[email protected]>
Signed-off-by: James Miller <[email protected]>
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Signed-off-by: James Miller <[email protected]>
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Signed-off-by: James Miller <[email protected]>
Signed-off-by: debbabi <[email protected]> Signed-off-by: James Miller <[email protected]>
Explicitly stating required permissions is considered best practice. This case was detected by Poutine, see https://github.com/boostsecurityio/poutine/blob/main/docs/content/en/rules/default_permissions_on_risky_events.md.
Signed-off-by: Florian Greinacher <[email protected]>
Signed-off-by: James Miller <[email protected]>
Signed-off-by: Sebastian Gumprich <[email protected]> Signed-off-by: James Miller <[email protected]>
* centos7 is eol, remove it
* change workflow to update readmes when meta/main.yml is changed
* remove mention of centos 7 from readme
Signed-off-by: Sebastian Gumprich <[email protected]>
Signed-off-by: James Miller <[email protected]>
…openssh.conf.j2 (dev-sec#856) Signed-off-by: Ali Mehraji <[email protected]> Signed-off-by: James Miller <[email protected]>
I haven't made any changes to CHANGELOG.md. I presume that is done after a successful merge.
I am having an issue which I am debugging at the moment, where the os_hardening role's 'minimise_access.yml' performs some task and the system's user cgroupManager is no longer systemd, but is set to cgroupfs. This is largely unacceptable for rpm-ostree systems as they are designed to use podman by default, and require cgroups to be managed by systemd.
Ok, I know now that the podman cgroupmanager requires access to the proc filesystem for the standard user, so when the /proc filesystem is mounted with hidepid=2 then I can add a gid as an option to allow a podman user to be able to have rootless containers. I will update the code in the pull request. Another issue is that I have caused a successful change to the ansible_pkg module that allows the use of custom action plugins in the ansible_package_use variable. This allows me to make a custom action plugin that can install the package and then reboot immediately. The changes to ansible_pkg won't be available until 2.20 is released, so when it is, I will resubmit the pull request without the changes to make the reboot, but still able to allow immutable fs to work.
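The hidepid/gid interaction described in the comment above, as an added audit example that is not part of the pull request or the dev-sec roles: it parses the /proc entry of a /proc/mounts-style listing (the sample lines are constructed) and reports whether an unprivileged user, given their group ids, still sees other users' /proc entries, which is what rootless podman under the systemd cgroup manager needs.

```python
"""Audit the /proc mount for hidepid and the gid= exemption group (added example)."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass.
# Newer kernels print hidepid as a name ("invisible"), older ones as a number ("2").
SAMPLE_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=invisible 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
"""

# Symbolic hidepid values and their numeric equivalents.
HIDEPID_NAMES = {"off": 0, "noaccess": 1, "invisible": 2, "ptraceable": 4}


@dataclass
class ProcMount:
    hidepid: int          # 0 = off, 1 = hide contents, 2 = hide other users' /proc/<pid> entirely
    gid: Optional[int]    # numeric group exempted from hidepid via gid=, if any


def parse_proc_mount(mounts_text: str) -> Optional[ProcMount]:
    """Return the hidepid/gid settings of the /proc mount, or None if /proc is not listed."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[1] != "/proc" or fields[2] != "proc":
            continue
        hidepid, gid = 0, None
        for opt in fields[3].split(","):
            key, _, value = opt.partition("=")
            if key == "hidepid":
                hidepid = HIDEPID_NAMES.get(value, int(value) if value.isdigit() else 0)
            elif key == "gid" and value.isdigit():
                gid = int(value)   # the proc filesystem only accepts a numeric gid here
        return ProcMount(hidepid, gid)
    return None


def user_can_see_proc(mount: ProcMount, user_gids: set) -> bool:
    """True if a user holding these group ids still sees other users' process entries.

    With hidepid=2 that is only the case for members of the gid= exemption group,
    so a rootless podman user must be in that group for the systemd cgroup manager to work.
    """
    return mount.hidepid == 0 or (mount.gid is not None and mount.gid in user_gids)
```

Run it against the real file with `parse_proc_mount(open("/proc/mounts").read())` and the target user's groups from `os.getgroups()` to confirm the exemption group is in place before enabling hidepid=2 on a podman host.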
I have made minimal changes to the ssh_hardening role and the os_hardening role to add the option to allow the roles to be used with rpm-ostree based systems.