this post was submitted on 04 Feb 2025
Linux

5899 readers
690 users here now

A community for everything relating to the GNU/Linux operating system

Also check out:

Original icon base courtesy of [email protected] and The GIMP

founded 2 years ago
MODERATORS
top 7 comments
sorted by: hot top controversial new old
[–] [email protected] 7 points 5 days ago* (last edited 5 days ago) (2 children)

You definitely shouldn't copy and paste things like this.

[–] [email protected] 2 points 5 days ago (1 children)

sorry, could you please elaborate on "shouldn’t copy" ? thanks

[–] [email protected] 4 points 5 days ago (1 children)

For example, if you blindly apply this and forget about it, you may encounter problems with IPv6 or with your VPN. So it really depends on your use case and is not hardening in general.

[–] [email protected] 2 points 5 days ago* (last edited 5 days ago)

fair enough, however the intention is to show how one could create rules in Sparrow/Raku, not to show rules ... Maybe I should have mentioned that ...

for example, this is a more interesting example: evaluation of net.ipv4.tcp_synack_retries

regexp: ^^ "net.ipv4.tcp_synack_retries" \s* "=" \s* (\d+) \s* $$

generator: <<RAKU
!raku
# matched() holds the lines that matched the regexp above
if matched().elems {
  # capture() is the capture list of the first matched line; [0] is the (\d+) group
  my $v = capture()[0];
  say "note: net.ipv4.tcp_synack_retries={$v}";
  if $v >= 3 && $v <= 5 {
     say "assert: 1 net.ipv4.tcp_synack_retries in [3..5] range"
  } else {
     say "assert: 0 net.ipv4.tcp_synack_retries in [3..5] range"
  }
} else {
  say "note: net.ipv4.tcp_synack_retries setting not found"
}
RAKU
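The same check written as a stand-alone Python function, as an added example that is not part of the original post or of Sparrow itself: it applies the rule's regexp to a constructed sysctl.conf text, reports the value, and tells you whether it lies in the expected range, generalised so any integer sysctl key and range can be validated the same way (the key, range and sample file are assumptions).

```python
import re
from typing import Optional, TypedDict

# Constructed sysctl.conf sample for the demonstration (not from any real host).
SAMPLE_SYSCTL_CONF = """\
# constructed example file
net.ipv4.ip_forward = 0
net.ipv4.tcp_synack_retries = 4
net.ipv4.tcp_syncookies=1
"""


class CheckResult(TypedDict):
    found: bool
    value: Optional[int]
    ok: Optional[bool]          # None when the setting is absent
    notes: list[str]            # same "note:"/"assert:" lines the Sparrow rule prints


def check_int_setting(conf_text: str, key: str, lo: int, hi: int) -> CheckResult:
    """Validate that `key` is set to an integer within [lo..hi] in sysctl.conf text.

    Mirrors the Raku rule: line start, key, optional spaces, '=', digits, line end.
    Lines with trailing comments or non-integer values do not match, as in the rule.
    """
    pattern = re.compile(r"^\s*" + re.escape(key) + r"\s*=\s*(\d+)\s*$")
    value: Optional[int] = None
    for line in conf_text.splitlines():
        m = pattern.match(line)
        if m:
            # sysctl applies the file top to bottom, so a later line overrides an earlier one.
            value = int(m.group(1))
    if value is None:
        return {"found": False, "value": None, "ok": None,
                "notes": [f"note: {key} setting not found"]}
    ok = lo <= value <= hi
    notes = [f"note: {key}={value}",
             f"assert: {int(ok)} {key} in [{lo}..{hi}] range"]
    return {"found": True, "value": value, "ok": ok, "notes": notes}


def check_synack_retries(conf_text: str) -> CheckResult:
    """The specific check from the post: net.ipv4.tcp_synack_retries must be in [3..5]."""
    return check_int_setting(conf_text, "net.ipv4.tcp_synack_retries", 3, 5)


if __name__ == "__main__":
    for line in check_synack_retries(SAMPLE_SYSCTL_CONF)["notes"]:
        print(line)
```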
[–] [email protected] 1 points 5 days ago* (last edited 5 days ago)

you seem to have edited your initial reply - "it should be sysctl.conf not syslog.conf" - anyway, thanks for that, it's fixed now, this was just an overlooked typo

[–] [email protected] 1 points 5 days ago (1 children)

So... What is this? It looks like a config file generator? How is this better than Ansible?

[–] [email protected] 1 points 4 days ago* (last edited 4 days ago)

Not a generator, a validator. It validates configuration files. Ansible is not flexible in comparison with Sparrow; you'd need to write more boilerplate code to do the same ... Also, the search in core Ansible modules is limited to "one line" mode, so it does not allow searching, for example, within nested structures, like when we want something in between or inside nested blocks, or searching for sequences, like when we want to find a sequence of strings a, b, c, d etc. Sparrow does allow all that, as it has ranges/sequential/SLN search by design. Sparrow also allows generating check rules at runtime; Ansible can't.