We are currently applying the CIS 2.0 security profile to our servers.
The implementation process unfolds as follows:
Downloading the AlmaLinux 9.3 ISO
Adding a kickstart file to the ISO, including:
Partitioning necessary for the security profile
Setting the security profile to the maximum level
Creating a new ISO with the kickstart
Instantiating a VM
Everything is progressing smoothly up to this point. For testing this profile, we temporarily disabled account locking in pam.d. This is the only modified parameter.
Unfortunately, we are experiencing intermittent and random network outages on the server for no apparent reason. During these periods, SSH and HTTPD become unresponsive, although local access via the hypervisor remains possible. I would like to clarify that this issue occurs both before and after the installation of some packages.
I have examined the security profile without finding a plausible explanation for this problem. I have checked the logs in /var/log/messages, /var/log/secure, dmesg, etc., without success.
This problem does not occur without the application of the security profile.
Do you have any idea for resolving this issue?
Additionally, could you inform us whether this profile is suitable for a Web application platform that includes various components (Alfresco, web application, database, etc.)?
Yes, I meant CIS 1.0, but I made a mistake when I wrote it. (I'm correcting my title now.)
I quite agree about a possible sysctl origin; it also happens with the ANSSI-BP028 profile… Do you want the sysctl configuration?
The firewalld service doesn’t report any errors, and neither does selinux; connection losses also occur with selinux disabled…
What packages are being installed when it occurs? httpd is not allowed, so maybe it's simply removing it? - No packages are deleted when the loss occurs… I got the kickstart directly from /usr/share/scap-security-guide/kickstart/
The ANSSI profile is crazy; it seems more of a risk than even a STIG. Whenever I've tried it the box won't even boot.
I'm assuming you're not running ssh/httpd from containers, as this will break those completely - and who ssh's into containers?!
The SSG only sets these, so maybe look into unsetting some of them until it works; you can probably ignore ipv6 and kernel:
$ grep -hE 'name: .*sysctl' /usr/share/scap-security-guide/ansible/almalinux9-playbook-cis* | sort -u
- name: Ensure sysctl kernel.randomize_va_space is set to 2
- name: Ensure sysctl net.ipv4.conf.all.accept_redirects is set
- name: Ensure sysctl net.ipv4.conf.all.accept_source_route is set
- name: Ensure sysctl net.ipv4.conf.all.log_martians is set
- name: Ensure sysctl net.ipv4.conf.all.rp_filter is set
- name: Ensure sysctl net.ipv4.conf.all.secure_redirects is set
- name: Ensure sysctl net.ipv4.conf.all.send_redirects is set to 0
- name: Ensure sysctl net.ipv4.conf.default.accept_redirects is set
- name: Ensure sysctl net.ipv4.conf.default.accept_source_route is set
- name: Ensure sysctl net.ipv4.conf.default.log_martians is set
- name: Ensure sysctl net.ipv4.conf.default.rp_filter is set
- name: Ensure sysctl net.ipv4.conf.default.secure_redirects is set
- name: Ensure sysctl net.ipv4.conf.default.send_redirects is set to 0
- name: Ensure sysctl net.ipv4.icmp_echo_ignore_broadcasts is set
- name: Ensure sysctl net.ipv4.icmp_ignore_bogus_error_responses is set
- name: Ensure sysctl net.ipv4.ip_forward is set to 0
- name: Ensure sysctl net.ipv4.tcp_syncookies is set
- name: Ensure sysctl net.ipv6.conf.all.accept_ra is set
- name: Ensure sysctl net.ipv6.conf.all.accept_redirects is set
- name: Ensure sysctl net.ipv6.conf.all.accept_source_route is set
- name: Ensure sysctl net.ipv6.conf.all.forwarding is set
- name: Ensure sysctl net.ipv6.conf.default.accept_ra is set
- name: Ensure sysctl net.ipv6.conf.default.accept_redirects is set
- name: Ensure sysctl net.ipv6.conf.default.accept_source_route is set
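A bisection helper for the approach suggested above (revert the SSG-managed sysctls one family at a time, ipv4 first, until the outage stops). This is an added example, not code from the thread or from the SCAP Security Guide; the two `sysctl -a` dumps and the playbook excerpt are constructed sample input, and the "baseline" values are illustrative rather than measured AlmaLinux defaults.

```shell
# Constructed sample input (not from the thread): a `sysctl -a` dump from an
# unhardened reference host and one from the CIS-profiled host; values are illustrative.
BASELINE='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.accept_ra = 1
kernel.randomize_va_space = 2'
HARDENED='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.accept_ra = 0
kernel.randomize_va_space = 2'
# Excerpt in the shape of the `grep -hE 'name: .*sysctl'` output above (constructed, shortened).
PLAYBOOK_NAMES='- name: Ensure sysctl kernel.randomize_va_space is set to 2
- name: Ensure sysctl net.ipv4.conf.all.accept_redirects is set
- name: Ensure sysctl net.ipv4.conf.all.log_martians is set
- name: Ensure sysctl net.ipv4.conf.all.rp_filter is set
- name: Ensure sysctl net.ipv4.ip_forward is set to 0
- name: Ensure sysctl net.ipv4.tcp_syncookies is set
- name: Ensure sysctl net.ipv6.conf.all.accept_ra is set'

# ssg_keys: pull the sysctl key out of each "- name: Ensure sysctl <key> ..." line.
ssg_keys() {
  printf '%s\n' "$PLAYBOOK_NAMES" | sed -n 's/^- name: Ensure sysctl \([A-Za-z0-9_.]*\) is set.*/\1/p'
}

# changed_keys FAMILY: among the SSG-managed keys of FAMILY (net.ipv4, net.ipv6 or kernel),
# print "key baseline->hardened" for every key whose value differs between the two dumps.
changed_keys() {
  ssg_keys | grep "^$1\." | while read -r key; do
    b=$(printf '%s\n' "$BASELINE" | awk -v k="$key" '$1 == k { print $3 }')
    h=$(printf '%s\n' "$HARDENED" | awk -v k="$key" '$1 == k { print $3 }')
    if [ "$b" != "$h" ]; then printf '%s %s->%s\n' "$key" "$b" "$h"; fi
  done
}

# revert_commands FAMILY: one `sysctl -w` per changed key, restoring the baseline value.
# Apply them one at a time while reproducing the outage to find the setting responsible.
revert_commands() {
  changed_keys "$1" | awk '{ split($2, v, "->"); printf "sysctl -w %s=%s\n", $1, v[1] }'
}

# Candidates in the order the reply suggests: ipv4 first, ipv6 and kernel last.
for fam in net.ipv4 net.ipv6 kernel; do
  echo "# $fam"; revert_commands "$fam"
done
```

On a real host, replace the two constructed dumps with `sysctl -a` captured on a reference machine and on the hardened one, and feed `ssg_keys` the actual grep output from the playbook.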
Just tried to remove all sysctl config but still have network loss.
Maybe it's related to some firewall rule, but I did not see any restriction.
Also tried to put all the sysctl conf on a server without any sec profile and I have no issue.
Seems really because of the CIS profile, but don't understand what…