
Using Lubuntu 18.10 Cosmic Cuttlefish

Most commands do stick. However, Lynis has repeatedly demonstrated that four sysctl parameters are not sticking on reboot. sysctl -p does successfully apply them after the system has started.

fs.suid_dumpable=0 (still haven't figured this out)
net.ipv4.conf.all.rp_filter=1 (Wireguard VPN overruled this; see source 1 below)
net.ipv4.conf.all.log_martians=1 (/etc/ufw/sysctl.conf overruled this)
net.ipv4.conf.default.log_martians=1 (/etc/ufw/sysctl.conf overruled this)

Source 1

The one I am most concerned about is net.ipv4.conf.all.rp_filter, which should be set to 1, but is set to 0... leaving the machine vulnerable to IP spoofing. How can I ensure these are set properly upon boot? Note update: this is disabled automatically by VPNs like Wireguard (possibly openvpn/others) so as not to drop legit packets; see source above for details. Disabling the Wireguard VPN sysctl boot command resulted in rp_filter=1 working as intended, potentially causing issues for Wireguard. Lynis false positive; I will leave this disabled for functionality. Warning: disabling Wireguard after boot does not (as of yet) revert this to the safe setting. sysctl -p required.

Location of all sysctl.conf files via find / -name '*sysctl*.conf'

/usr/share/doc/procps/examples/sysctl.conf
/snap/core/6405/etc/sysctl.conf
/snap/core/6405/etc/sysctl.d/99-sysctl.conf
/snap/core18/719/etc/sysctl.d/99-sysctl.conf
/etc/sysctl.conf
/etc/ufw/sysctl.conf
/etc/sysctl.d/99-sysctl.conf
tutudid
  • @please, that the name of the distribution – c4f4t0r Feb 18 '19 at 14:11
  • Lubuntu 18.10 Cosmic Cuttlefish – tutudid Feb 18 '19 at 14:32
  • In case you can't find it, try `grep -rHin fs.suid_dumpable /etc`. Looks like as this is overridden as well. Eventually also grep on `/lib/systemd`. – hargut Feb 18 '19 at 19:20
  • That is one of the most convenient commands I have ever seen in linux, I was wondering if there was a way to search globally inside files for lines; I just wasn't expecting it to happen in mere milliseconds. Amazing! Thank you. Unfortunately it never found what was overruling this setting in those locations. – tutudid Feb 18 '19 at 20:11

3 Answers


If your system is using systemd's systemd-sysctl.service and not sysctl for the setting at boot time then things are a little different than sysctl.

systemd-sysctl sorts all of the configuration file names, ignoring the directory name, and then loads them in that order irrespective of the directory they were in. This means that if you put your setting in /etc/sysctl.d/10-mysysctl.conf and there is another file called /usr/lib/sysctl.d/50-default.conf setting the same variable, that will override your setting.

To ensure your setting isn't overridden you should put it in a config file with a name like /etc/sysctl.d/zzz-mysysctl.conf.

Note: This behaviour was tested on Ubuntu 20.04.1 and openSUSE Leap 15.2

Paranoid

I encountered the same issues during implementation of CIS benchmark.

Regarding fs.suid_dumpable, I found this post explaining the exact same issue. It seems apport was overriding the value. Disabling apport did the trick.

log_martians was overwritten by the ufw settings in /etc/ufw/sysctl.conf

Omri-odix

Create a file /etc/sysctl.d/local.conf containing the values you want.

fs.suid_dumpable=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.log_martians=1

Reboot.

The scripts load any *.conf files from several directories, in file name collation order. See the sysctl --system option in the man page for the search paths.

In particular, check that any values are not already defined in /etc/sysctl.conf. Consider moving values you want to keep from it to sysctl.d, then removing that file.

John Mahowald
  • It is sysctl.d, I had systemd style paths on the mind. Fixed. – John Mahowald Feb 18 '19 at 15:00
  • thank you, so etc/sysctl.d.conf/ may be the location for some users? – tutudid Feb 18 '19 at 15:03
  • Added the lines to /local.conf, rebooted, this did not work for me. Upon reboot those 4 settings are set to default. Feel free to edit/update your suggestion. – tutudid Feb 18 '19 at 15:08
  • I do not see all.rp_filter listed under, /proc/sys/net/ipv4, is this why? – tutudid Feb 18 '19 at 15:13
  • Edit your question and add the contents of every file found by this pattern: `find / -name '*sysctl*.conf'` – John Mahowald Feb 18 '19 at 15:13
  • /etc/ufw/sysctl.conf has conflicting settings with /etc/sysctl.conf, log_martians in particular; I successfully fixed those two. fs.suid_dumpable is located under /proc/sys/fs, is set to 0 in multiple sysctl.conf and still does not properly set until sysctl -p is run manually. all.rp_filter is not located under /proc/sys/net/ipv4, and does not set until run manually. – tutudid Feb 18 '19 at 16:11
  • After some testing I disabled wireguard VPN on boot and this rectified all.rp_filter; via ubuntu's website: "net.ipv4.conf.all.rp_filter = 1. Checks our routing table against the source address of incoming packets to make sure that they're coming from the interface our routing table says that address is on. Note that this needs to be easily disabled; if some form of advanced routing or policy routing intends traffic from a host to come in one interface and traffic to that host to leave out a different interface, then legitimate packets will be dropped." – tutudid Feb 18 '19 at 16:59
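The merge order described in the systemd-sysctl answer and in the "file name collation order" note above, as an added shell example that is not code from any of the posters. It builds a constructed temp tree mirroring the 10-mysysctl.conf / 50-default.conf case and reports which fragment makes the last assignment of a key; the directory layout, file names and contents are assumptions for illustration.

```shell
#!/bin/sh
# Added example: simulates the merge order systemd-sysctl and "sysctl --system"
# apply to *.conf fragments.
#   1. fragments are collected from /etc/sysctl.d, /run/sysctl.d, /usr/lib/sysctl.d;
#   2. a basename found in an earlier directory shadows the same basename later;
#   3. the survivors are sorted by basename only, ignoring the directory;
#   4. files are applied in that order, so the last assignment of a key wins.
# Everything lives under a constructed temp tree (assumption, not a real system).
ROOT=$(mktemp -d)
mkdir -p "$ROOT/etc/sysctl.d" "$ROOT/usr/lib/sysctl.d"
printf 'net.ipv4.conf.all.rp_filter = 1\nfs.suid_dumpable = 0\n' \
  > "$ROOT/etc/sysctl.d/10-mysysctl.conf"
printf 'net.ipv4.conf.all.rp_filter = 0\nfs.suid_dumpable = 2\n' \
  > "$ROOT/usr/lib/sysctl.d/50-default.conf"
printf 'fs.suid_dumpable = 0\n' > "$ROOT/etc/sysctl.d/zzz-mysysctl.conf"

# Emit "basename<TAB>path" in load order: first directory wins per basename,
# then a global sort by basename in the C locale (byte order, like strcmp).
sysctl_fragments() {
  for d in "$ROOT/etc/sysctl.d" "$ROOT/run/sysctl.d" "$ROOT/usr/lib/sysctl.d"; do
    [ -d "$d" ] || continue
    for f in "$d"/*.conf; do
      [ -f "$f" ] || continue
      printf '%s\t%s\n' "$(basename "$f")" "$f"
    done
  done | awk -F '\t' '!seen[$1]++' | LC_ALL=C sort
}

# Print the file that makes the last assignment of KEY, i.e. the one whose
# value the kernel ends up with at boot. Prints nothing if no fragment sets it.
winner() {
  key=$1
  sysctl_fragments | cut -f2 | while IFS= read -r f; do
    # Accept "key = value" or "key=value"; comment and blank lines never match.
    if awk -F= -v k="$key" '{ gsub(/[ \t]/, "", $1) } $1 == k { hit = 1 }
                            END { exit !hit }' "$f"; then
      printf '%s\n' "$f"
    fi
  done | tail -n 1
}

# A same-named file in /etc shadows the vendor copy in /usr/lib entirely.
shadow_vendor_default() {
  printf 'net.ipv4.conf.all.rp_filter = 1\n' > "$ROOT/etc/sysctl.d/50-default.conf"
}

for k in net.ipv4.conf.all.rp_filter fs.suid_dumpable; do
  printf '%-30s last set by %s\n' "$k" "$(winner "$k")"
done
```

Run it once as-is to see 10-mysysctl.conf lose to the vendor 50-default.conf, then call shadow_vendor_default and re-run winner to see the /etc copy take precedence; on the asker's box /etc/sysctl.conf joins this ordering as /etc/sysctl.d/99-sysctl.conf, and /etc/ufw/sysctl.conf is applied by ufw outside it.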