Secure sysctl settings with CFEngine


Here's how to maintain Linux sysctl settings across all hosts in an organization using the Evolve free promise library and CFEngine.

The sysctl data is kept in its own data file, separate from the CFEngine policy.

# sysctl.txt
# Promise sysctl.conf and live kernel settings

# context(0) ;; sysctl variable name(1)         ;; value(2) ;; promisee(3)
any          ;; net.ipv6.conf.all.accept_ra     ;; 0        ;; ipv6 auto assign
any          ;; net.ipv6.conf.all.autoconf      ;; 0        ;; ipv6 auto assign
any          ;; net.ipv6.conf.default.autoconf  ;; 0        ;; ipv6 auto assign
any          ;; net.ipv6.conf.eth0.accept_ra    ;; 0        ;; ipv6 auto assign
sol          ;; net.ipv6.conf.bond0.accept_ra   ;; 0        ;; ipv6 auto assign

alix         ;; net.ipv6.conf.all.forwarding    ;; 1        ;; Routing
alix         ;; net.ipv4.ip_forward             ;; 1        ;; Routing
neptune      ;; proc.sys.kernel.sysrq           ;; 0        ;; Laptop security

Columns 1 and 2 are the sysctl setting name and its value. Column 3 is the promisee, used only for documentation. Column 0 is the class (context) that must be defined on the host for the sysctl setting to be applied.

The Evolve free promise library provides two sysctl bundles: one promises the live kernel settings and the other promises the sysctl.conf file. Call each from a methods promise, passing the same parameter file.

# Both methods promises read the same parameter file. if_elapsed comes from the
# CFEngine standard library and efl_sysctl_* from the Evolve free promise library.
bundle agent manage_sysctl
{
methods:

   "live sysctl settings"
      usebundle => efl_sysctl_live( "${sys.workdir}/inputs/bundle_params/sysctl.txt" ),
      action    => if_elapsed( "240" );

   "sysctl conf settings"
      usebundle => efl_sysctl_conf_file( "${sys.workdir}/inputs/bundle_params/sysctl.txt" ),
      action    => if_elapsed( "240" );
}

The live bundle runs the sysctl command frequently, so if_elapsed is used to reduce the load from excessive promise evaluation; if_elapsed( "240" ) lets each promise be evaluated at most once every 240 minutes.
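To show what the two bundles have to work out from the data file, here is an added example (not code from the Evolve free promise library or CFEngine) that parses the ';;'-delimited format above, selects the rows whose context class a given host has, renders the sysctl.conf the conf bundle would promise, and lists the live values that have drifted. It assumes the four columns shown on the page and that the context column holds a single class name; the sample input is a constructed file in that format, and the live values are a constructed stand-in for what sysctl would report.

```python
"""Parse sysctl.txt-style data, select rows for one host, render sysctl.conf
and report drift. Added example; assumes single class names in column 0."""
import re
from typing import Dict, List, NamedTuple

# Constructed sample input in the page's four-column format.
SYSCTL_TXT = """\
# sysctl.txt
# context(0) ;; sysctl variable name(1)         ;; value(2) ;; promisee(3)
any          ;; net.ipv6.conf.all.accept_ra     ;; 0        ;; ipv6 auto assign
any          ;; net.ipv6.conf.all.autoconf      ;; 0        ;; ipv6 auto assign
sol          ;; net.ipv6.conf.bond0.accept_ra   ;; 0        ;; ipv6 auto assign

alix         ;; net.ipv4.ip_forward             ;; 1        ;; Routing
neptune      ;; kernel.sysrq                    ;; 0        ;; Laptop security
"""


class SysctlPromise(NamedTuple):
    context: str    # class that must be defined on the host
    name: str       # sysctl key, e.g. net.ipv4.ip_forward
    value: str      # desired value, kept as the string sysctl reports
    promisee: str   # free-text reason, documentation only


SYSCTL_KEY = re.compile(r"[A-Za-z0-9_.\-/]+")


def parse_sysctl_txt(text: str) -> List[SysctlPromise]:
    """Turn the ';;'-delimited file into promises; '#' starts a comment."""
    promises = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";;")]
        if len(fields) != 4 or not all(fields[:3]):
            raise ValueError(f"sysctl.txt line {lineno}: expected 4 ';;' columns")
        context, name, value, promisee = fields
        if not SYSCTL_KEY.fullmatch(name):
            raise ValueError(f"sysctl.txt line {lineno}: bad sysctl key {name!r}")
        promises.append(SysctlPromise(context, name, value, promisee))
    return promises


def select_for_host(promises: List[SysctlPromise], host_classes) -> List[SysctlPromise]:
    """Keep rows whose context is a class the host has; 'any' always matches."""
    classes = set(host_classes) | {"any"}
    return [p for p in promises if p.context in classes]


def render_sysctl_conf(promises: List[SysctlPromise]) -> str:
    """The file the conf bundle would promise: promisee as comment, then key = value."""
    out = ["# Managed by CFEngine; edit sysctl.txt instead."]
    for p in promises:
        out.append(f"# {p.promisee}")
        out.append(f"{p.name} = {p.value}")
    return "\n".join(out) + "\n"


def find_drift(promises: List[SysctlPromise], live: Dict[str, str]) -> List[SysctlPromise]:
    """Rows whose live value differs; `live` maps key -> what `sysctl -n key` prints."""
    return [p for p in promises if live.get(p.name) != p.value]


if __name__ == "__main__":
    wanted = select_for_host(parse_sysctl_txt(SYSCTL_TXT), ["linux", "alix"])
    print(render_sysctl_conf(wanted), end="")
    # Constructed live values: accept_ra has drifted, the other two are correct.
    live = {"net.ipv6.conf.all.accept_ra": "1",
            "net.ipv6.conf.all.autoconf": "0",
            "net.ipv4.ip_forward": "1"}
    for p in find_drift(wanted, live):
        print(f"drift: {p.name} is {live.get(p.name)!r}, want {p.value!r}")
```

Rows for classes the host does not have (sol, neptune) are simply ignored, which is how one data file can serve every host; a malformed row or an odd-looking key is rejected at parse time rather than silently written into the kernel.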

It's time to rethink Anti-virus


Anti-virus is always a step behind. It's a good revenue stream for anti-virus software makers. For end users it's a race to the horizon. Virus pattern recognition only works on patterns that have been discovered, researched, and added to the pattern database. Recent anti-virus pattern databases now detect more than 22 million patterns. Is it any wonder that anti-virus software kills computer performance? [1]

The impossible pattern race is bad. The system-crippling false alarms are worse. In the recent past most major anti-virus tools have crippled corporate and personal computers by mistakenly quarantining a Windows system or application file. [1, 2, 3]

I'm not a computer virus expert. But there has to be a better way to protect us. I can think of some.

Whitelisting defines which files are allowed to execute on a system. Any file not on the whitelist is denied execution. For most corporate workstations this is ideal: a few hundred executable files are whitelisted and the workstation becomes secure. More generic workstations, like home computers, require longer lists. This is not insurmountable. I'd rather subscribe to a ten thousand item whitelist than a 22 million item blacklist. The lookups will be shorter and new threats do not get an automatic free pass.

Mandatory access control (MAC). SELinux is the best-known form of MAC. MAC is similar to whitelisting but goes further. Programs are not just denied execution rights; their rights to access the rest of the system are explicitly defined. For example, a web browser may be allowed to touch printing, the browser cache, and other relevant files. Anything else is denied by default. Viruses cannot run wild on the system because nothing has defined them to be allowed to do so. Setting up and maintaining such a system is no small task. Neither is maintaining a growing list of 22 million virus definitions.

I'm not a computer virus expert. But the arms race between new viruses and new definitions can never be won. It's time for a new approach. Consider that the next time your computer is churning through another anti-virus disk scan.